Newer
Older
in template (omit) octetstring p_caterpilar_compressed_key := omit,
out integer p_result,
out RaAcaCertRequest p_butterflyCertificateRequest,
out HttpMessage p_response
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
log(">>> f_verify_http_butterfly_cert_request_message_from_aa: ", p_request);
p_result := 0;
if (f_verify_pki_request_message( vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O,
omit,
p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
var UInt64 v_current_time := f_getCurrentTimeUtc();
var UInt64 v_delta_time := 30;
Yann Garcia
committed
14030
14031
14032
14033
14034
14035
14036
14037
14038
14039
14040
14041
14042
14043
14044
14045
14046
14047
14048
14049
14050
14051
14052
14053
14054
14055
14056
log("f_verify_http_butterfly_cert_request_message_from_aa: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) {
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -2;
} else {
if (p_checked_cocoon_keys_derivation == true) {
// FIXME FSCOM if (f_check_cocoon_keys_derivation(v_etsi_ts_102941_data.content.butterflyCertificateRequest.tbsCert.verifyKeyIndicator, ))
} else {
var AcaRaCertResponse v_aca_ra_cert_response;
var HashedId8 v_hashedId8;
var octetstring v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
v_hashedId8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
f_http_build_butterfly_cert_response(v_hashedId8, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_aca_ra_cert_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
p_butterflyCertificateRequest := v_etsi_ts_102941_data.content.butterflyCertificateRequest;
}
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_response: ", p_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_result: ", p_result);
} // End of function f_verify_http_butterfly_cert_request_message_from_aa
Yann Garcia
committed
} // End of group bfk_auth_request_helpers
/**
* @desc Check that the EA sends butterfly certificate request message after receiving of the butterfly authorization request
* Check that this message is encrypted for the AA
* Check that this message is signed with the EA certificate
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA is emulated by TS and
* authorized with CERT_AA certificate
* and EA is configured to use emulated AA to generate certificates
14071
14072
14073
14074
14075
14076
14077
14078
14079
14080
14081
14082
14083
14084
14085
14086
14087
14088
14089
14090
14091
14092
14093
14094
14095
14096
14097
14098
14099
14100
14101
14102
14103
14104
14105
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing content.encryptedData
* containing recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_AA
* and containing encrypted representation of EtsiTs103097Data
* containing signedData
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing payload.data
* containing EtsiTs102941Data
* containing version
* indicating ‘1’
* and containing content
* containing butterflyCertificateRequest
* and containing signer
* containing digest
* indicating HashedId8 of the CERT_EA
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_03_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
log("*** " & testcasename() & ": INFO: p_ra_ee_cert_info:", p_ra_ee_cert_info, " ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
14151
14152
14153
14154
14155
14156
14157
14158
14159
14160
14161
14162
14163
14164
14165
14166
14167
14168
14169
14170
14171
14172
14173
14174
14175
14176
14177
14178
14179
14180
14181
14182
14183
14184
14185
14186
14187
14188
14189
14190
14191
14192
14193
14194
14195
14196
14197
14198
14199
14200
14201
14202
14203
14204
14205
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_03_BV
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already received the ButterflyAuthorizationRequestMessage
* indicating the sha256 message hash MSG_HASH
* and the EA already responded with ButterflyAuthorizationResponseMessage
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
14219
14220
14221
14222
14223
14224
14225
14226
14227
14228
14229
14230
14231
14232
14233
14234
14235
14236
14237
14238
14239
14240
14241
14242
14243
14244
14245
14246
14247
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* containing EeRaCertRequest
* containing generationTime
* indicating REQ_TIME
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing flags
* indicating empty bit string
* and containing certEncKey
* and containing tbsCert
* and not containing linkageInfo
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_04_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
14292
14293
14294
14295
14296
14297
14298
14299
14300
14301
14302
14303
14304
14305
14306
14307
14308
14309
14310
14311
14312
14313
14314
14315
14316
14317
14318
14319
14320
14321
14322
14323
14324
14325
14326
14327
14328
14329
14330
14331
14332
14333
14334
14335
14336
14337
14338
14339
14340
14341
14342
14343
14344
14345
14346
14347
14348
14349
14350
14351
14352
14353
14354
14355
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// TODO Check v_butterflyCertificateRequest
// FIXME Some check can be moved to f_verify_http_butterfly_cert_request_message_from_aa
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_04_BV
/**
* @desc Check that the butterfly certificate request message contains expanded cocoon key
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA in 'operational' state
* authorized with CERT_AA certificate
* and EA is configured to use AA of the current configuration to generate certificates
14361
14362
14363
14364
14365
14366
14367
14368
14369
14370
14371
14372
14373
14374
14375
14376
14377
14378
14379
14380
14381
14382
14383
14384
14385
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* containing EeRaCertRequest
* containing tbsCert (TBS_CERT)
* containing verification key (CATERPILLAR_KEY)
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing tbsCert
* containing verificationKey
* containing “cocoon” key
* derived from the CATERPILLAR_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_05_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
14430
14431
14432
14433
14434
14435
14436
14437
14438
14439
14440
14441
14442
14443
14444
14445
14446
14447
14448
14449
14450
14451
14452
14453
14454
14455
14456
14457
14458
14459
14460
14461
14462
14463
14464
14465
14466
14467
14468
14469
14470
14471
14472
14473
14474
14475
14476
14477
14478
14479
14480
14481
14482
14483
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, true, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_05_BV
} // End of group ea_bfk_cert_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6.2 Authorization certificate download
group ea_bfk_auth_cert_download {
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already responded with ButterflyAuthorizationResponseMessage (MSG_RESPONSE)
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
* and containing currentI
* indicating I_VALUE
* and containing requestHash
* indicating MSG_HASH
* and the EA already received from emullated AA one or more ButterflyCertResponse messages
* containing AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
14507
14508
14509
14510
14511
14512
14513
14514
14515
14516
14517
14518
14519
14520
14521
14522
14523
14524
14525
14526
14527
14528
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* indicating EeRaDownloadRequest
* containing generationTime
* indicating DNL_TIME + 1
* and containing filename
* indicating MSG_HASH + “_” + hex(I_VALUE) + ".zip"
* }
* then {
* the IUT sends the requested batch of certificates
* containing file hex(I_VALUE) + “.info”
* indicating COER encoding of MSG_RESPONSE
* and containing a set of files hex(I_VALUE) + “_” + (0..N)
* indicating COER encoding of AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_06_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.1, 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
// Wait for v_ee_ra_cert_request.nextDlTime
var float v_timer := int2float(p_ra_ee_cert_info.nextDlTime - p_ra_ee_cert_info.generationTime + 2);
log("*** " & testcasename() & ": INFO: Start wailting for " & float2str(v_timer) & " seconds ***");
f_sleepIgnoreDef(v_timer);
log("*** " & testcasename() & ": INFO: timer of " & float2str(v_timer) & " seconds expierd message ***");
// FISME FSCOM In int2hex, 3 is arbitrary. Need to check the range of currentI to set the correct hex string length
f_http_build_butterfly_at_download_request_message(hex2str(oct2hex(p_ra_ee_cert_info.requestHash)) & "-" & hex2str(int2hex(p_ra_ee_cert_info.currentI, 3)) & ".zip", v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AT_DOWNLOAD,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)) == true) {
14609
14610
14611
14612
14613
14614
14615
14616
14617
14618
14619
14620
14621
14622
14623
14624
14625
14626
14627
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV
} // End of group ea_bfk_auth_cert_download
} // End of group ea_authorization_with_bfk
} // End of group ea_behavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5 AA behaviour
14635
14636
14637
14638
14639
14640
14641
14642
14643
14644
14645
14646
14647
14648
14649
14650
14651
14652
14653
14654
14655
14656
14657
14658
14659
14660
14661
14662
14663
14664
14665
14666
14667
14668
14669
14670
14671
14672
14673
14674
14675
14676
14677
14678
14679
14680
14681
14682
14683
14684
14685
14686
14687
14688
14689
14690
14691
14692
group aa_behavior {
group aa_helpers {
function f_verify_http_at_response_from_iut_aa(
in Response p_response,
in octetstring p_private_key,
in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector,
in Oct32 p_request_hash,
out InnerAtResponse p_authorization_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
log(">>> f_verify_http_at_response_from_iut_aa: p_response= ", p_response);
log(">>> f_verify_http_at_response_from_iut_aa: p_private_key= ", p_private_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_http_at_response_from_iut_aa: p_request_hash= ", p_request_hash);
p_result := 0;
if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_aaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_response_from_iut_aa: Receive ", v_etsi_ts_102941_data);
p_authorization_response := v_etsi_ts_102941_data.content.authorizationResponse;
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -)))) == false) {
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)));
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)) == false) {
// Set verdict
p_result := -2;
} else {
// Set verdict
p_result := -3;
}
} else {
// Verify AT Certificate signature
if (f_verifyCertificateSignatureWithIssuingCertificate(v_etsi_ts_102941_data.content.authorizationResponse.certificate, vc_aaCertificate) == false) {
// Set verdict
p_result := -4;
}
log("f_verify_http_at_response_from_iut_aa: Well-secured AT certificate received");
}
}
log("<<< f_verify_http_at_response_from_iut_aa: p_result: ", p_result);
} // End of function f_verify_http_at_response_from_iut_aa
} // End of group aa_helpers
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.1 Authorization request handling
group aa_authorization_request {
14695
14696
14697
14698
14699
14700
14701
14702
14703
14704
14705
14706
14707
14708
14709
14710
14711
14712
14713
14714
14715
14716
14717
14718
14719
14720
14721
14722
14723
14724
14725
14726
14727
14728
14729
14730
14731
14732
14733
14734
14735
14736
14737
14738
14739
14740
14741
14742
14743
14744
14745
14746
14747
14748
14749
14750
14751
14752
14753
14754
14755
/**
* @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the EA/AA is able to verify the inner signature
* Check that the EA/AA is able to verify the request authenticity using the hmacKey verification
* Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing encrypted representation of the EtsiTs103097Data-Signed
* containing content.signedData
* containing hashId
* indicating valid hash algorythm
* and containing signer
* containing self
* and containing tbsData (SIGNED_DATA)
* containing payload
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* and containing signature (SIGNATURE)
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
* using the V_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
14806
14807
14808
14809
14810
14811
14812
14813
14814
14815
14816
14817
14818
14819
14820
14821
14822
14823
14824
14825
14826
14827
14828
14829
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_response;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***");
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
// Set verdict, don't care of the v_result, out if scope for this test
log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_01_BV
14905
14906
14907
14908
14909
14910
14911
14912
14913
14914
14915
14916
14917
14918
14919
14920
14921
14922
14923
14924
14925
14926
14927
14928
14929
14930
14931
14932
14933
14934
14935
14936
14937
14938
14939
14940
14941
14942
14943
14944
14945
14946
14947
14948
14949
14950
14951
14952
/**
* @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the AA is able to verify the request authenticity using the hmacKey verification
* Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_02_BV
14954
14955
14956
14957
14958
14959
14960
14961
14962
14963
14964
14965
14966
14967
14968
14969
14970
14971
14972
14973
14974
14975
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);