Newer
Older
Yann Garcia
committed
* @Author ETSI / STF545 / TTF T025
* @version $Url$
* $Id$
* @desc Testcases file for Security Protocol
* @reference ETSI TS ITS-00546v006
* @copyright ETSI Copyright Notification
* No part may be reproduced except as authorized by written permission.
* The copyright and the foregoing restriction extend to reproduction in all media.
* All rights reserved.
*/
module ItsPki_TestCases {
// Libcommon
import from LibCommon_Time all;
import from LibCommon_VerdictControl all;
import from LibCommon_Sync all;
import from LibCommon_BasicTypesAndValues all;
import from LibCommon_DataStrings all;
// LibIts
import from Ieee1609Dot2BaseTypes language "ASN.1:1997" all;
import from Ieee1609Dot2 language "ASN.1:1997" all;
import from EtsiTs102941BaseTypes language "ASN.1:1997" all;
import from EtsiTs102941TypesEnrolment language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all;
import from EtsiTs102941MessagesCa language "ASN.1:1997" all;
import from EtsiTs102941TrustLists language "ASN.1:1997" all;
import from EtsiTs103097Module language "ASN.1:1997" all;
import from Ieee1609Dot2Dot1AcaRaInterface language "ASN.1:1997" all;
import from Ieee1609Dot2Dot1EeRaInterface language "ASN.1:1997" all;
import from ETSI_ITS_CDD language "ASN.1:1997" all;
// LibItsCommon
import from LibItsCommon_TypesAndValues all;
import from LibItsCommon_Functions all;
import from LibItsCommon_TypesAndValues all;
import from LibItsCommon_ASN1_NamedNumbers all;
// LibItsGeoNetworking
import from LibItsGeoNetworking_TypesAndValues all;
import from LibItsGeoNetworking_Functions all;
import from LibItsGeoNetworking_Templates all;
import from LibItsGeoNetworking_Pics all;
YannGarcia
committed
import from LibItsGeoNetworking_Pixits all;
YannGarcia
committed
// LibItsCam
import from LibItsCam_TypesAndValues all;
import from LibItsCam_Templates all;
// LibItsSecurity
import from LibItsSecurity_TypesAndValues all;
import from LibItsSecurity_TestSystem all;
import from LibItsSecurity_Templates all;
import from LibItsSecurity_Functions all;
import from LibItsSecurity_Pixits all;
import from LibItsSecurity_Pics all;
// LibHttp
import from LibHttp_TypesAndValues all;
import from LibHttp_Templates all;
import from LibHttp_Functions all;
import from LibHttp_TestSystem all;
import from LibHttp_Pics all;
import from LibHttp_BinaryTemplates all;
// LibHelpers
import from LibHelpers_Functions all;
// LibItsPki
import from LibItsPki_TypesAndValues all;
import from LibItsPki_Templates all;
import from LibItsPki_Functions all;
import from LibItsPki_TestSystem all;
import from LibItsPki_Pics all;
import from LibItsPki_Pixits all;
YannGarcia
committed
import from LibItsPki_EncdecDeclarations all;
YannGarcia
committed
* @desc 5.2 ITS-S behaviour
group itss_states {
const charstring c_stInitial := "initial";
const charstring c_stEnrolled := "enrolled";
const charstring c_stAuthorized := "authorized";
}
/**
* @desc Send an HTTP error message 500 Internal error.
* Note: To be refined
*/
function f_send_500_Internal_Error(
in Headers p_headers,
in template (omit) charstring p_error_message := omit
) runs on ItsPkiHttp {
f_http_send(
p_headers,
m_http_response(
m_http_response_500_internal_error(
p_headers
)));
} // End function f_send_500_Internal_Error
/**
* @desc The purpose of this function is verify the EC request and extract InnerEcRequest and build the InnerEcResponse for the HTTP response
* Note: This function accepts additional parameters to alter the reponse
*/
function f_verify_http_ec_request_from_iut_itss(
in Request p_request,
in Headers p_headers,
out InnerEcRequest p_inner_ec_request,
out InnerEcResponse p_inner_ec_response,
out HttpMessage p_response,
out integer p_result,
in template (present) octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in template (present) SignerIdentifier p_signer := m_signerIdentifier_self,
in EnrolmentResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Ieee1609Dot2Data v_ieee1609dot2_signed_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
var PublicVerificationKey v_canonical_key;
log(">>> f_verify_http_ec_request_from_iut_itss: ", p_request);
if(false == f_get_canonical_itss_key(v_canonical_key)){
log(">>> f_verify_http_ec_request_from_iut_itss: error getting canonical key");
v_response := m_http_response(m_http_response_500_internal_error(p_headers));
p_result := -1;
return;
}
if(not(f_read_pki_request_message(
p_request.body.binary_body.ieee1609dot2_data,
vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/,
v_request_hash, v_aes_enc_key,
v_ieee1609dot2_signed_data,
v_etsi_ts_102941_data
))) {
f_http_build_inner_ec_response(-, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
p_result := -1;
goto L_Done;
}
log("f_verify_http_ec_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (false == match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))) {
f_http_build_inner_ec_response(-, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
p_result := -2;
goto L_Done;
}
// Verify signature of mw_innerEcRequestSignedForPop
if (false == f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request)) {
// Send error message
f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -3;
goto L_Done;
}
log("f_verify_http_ec_request_from_iut_itss: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
if (false == match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)})))) {
// Send error message: Not enrolmentrequest
f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -4;
goto L_Done;
}
// TODO Check ValidityPeriod
// Send OK message
log("f_verify_http_ec_request_from_iut_itss: Receive ", p_inner_ec_request);
if (p_force_response_code == ok) {
// Send EC certificate with code ok
log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256)) {
if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0)) {
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0;
vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_1;
vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
}
} else if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1)) {
if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) {
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0;
vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1;
vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
} else {
log("*** " & testcasename() & ": FAIL: Not implemented yet ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8;
vc_ec_keys_counter := vc_ec_keys_counter + 1;
vc_ec_certificates[vc_ec_counter] := v_ec_certificate;
vc_ec_counter := vc_ec_counter + 1;
log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
} else {
log("f_verify_http_ec_request_from_iut_itss: Succeed but force error code ", p_force_response_code);
f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
label L_Done;
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
p_response := valueof(v_response);
log("<<< f_verify_http_ec_request_from_iut_itss: p_response: ", p_response);
log("<<< f_verify_http_ec_request_from_iut_itss: p_result: ", p_result);
} // End of function f_verify_http_ec_request_from_iut_itss
/**
* @desc The purpose of this function is verify the AT request and extract InnerAtRequest and build the InnerAtResponse for the HTTP response
* Note: This function accepts additional parameters to alter the reponse
*/
function f_verify_http_at_request_from_iut_itss(
in Request p_request,
in Headers p_headers,
in template (omit) EtsiTs103097Certificate p_ec_certificate,
out InnerAtRequest p_inner_at_request,
out InnerAtResponse p_inner_at_response,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in AuthorizationResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Ieee1609Dot2Data v_ieee1609dot2_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
var octetstring v_msg;
log(">>> f_verify_http_at_request_from_iut_itss:", p_request);
// 1. Calculate the request Hash
v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
log(">>> f_verify_http_at_request_from_iut_itss: Encoded request: ", v_msg);
v_request_hash := substr(f_hashWithSha256(v_msg), 0, 16);
log(">>> f_verify_http_at_request_from_iut_itss: p_request_hash= ", v_request_hash);
// 2. Decrypt the InnerAtRequest
if (false == f_decrypt(vc_aaPrivateEncKey, // AA private encryption key
p_request.body.binary_body.ieee1609dot2_data , // data to be decrypted
vc_aaWholeHash, // salt
v_ieee1609dot2_data, // decrypted message
v_aes_enc_key)) {
log("f_verify_http_at_request_from_iut_itss: Failed to decrypt message");
// Send error message, unable to decypt it
p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); // Initialize v_reponse with an error message
return;
}
// check if signed
var bitstring v_msg_bit;
if(ispresent(v_ieee1609dot2_data.content.signedData)) {
if(not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data)
or not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData)) {
log("f_verify_http_at_request_from_iut_itss: Invalid message payload");
p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
p_result := -1;
return;
}
log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
v_msg_bit := oct2bit(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
if(not ispresent(v_ieee1609dot2_data.content.unsecuredData)) {
log("f_verify_http_at_request_from_iut_itss: Invalid message payload");
p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
p_result := -1;
return;
}
v_msg_bit := oct2bit(v_ieee1609dot2_data.content.unsecuredData);
}
if (decvalue(v_msg_bit, v_etsi_ts_102941_data) != 0) {
log("f_verify_http_at_request_from_iut_itss: Can not decode v_etsi_ts_102941_data");
p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
p_result := -1;
return;
}
if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) {
// Send error message
f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
// Set verdict
p_result := -2;
return;
}
if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_ec_certificate, p_inner_at_request) == false) {
// Send error message
f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
return;
}
log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)));
if (match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined
// Send error message: No authorization request
f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
return;
}
// Verify PoP signature of outer message
if(ispresent(v_ieee1609dot2_data.content.signedData)){
log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData= ", v_ieee1609dot2_data.content.signedData.tbsData);
v_msg := bit2oct(encvalue(v_ieee1609dot2_data.content.signedData.tbsData));
log("f_verify_http_at_request_from_iut_itss: v_msg= ", v_msg);
if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_data.content.signedData.signature_, p_inner_at_request.publicKeys.verificationKey)) {
f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
// Set verdict
p_result := -6;
return;
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
var PublicVerificationKey v_verification_tag;
var octetstring v_encoded_tag;
var octetstring v_key_tag;
// Build the tag
v_encoded_tag := bit2oct(encvalue(p_inner_at_request.publicKeys.verificationKey));
if (ispresent(p_inner_at_request.publicKeys.encryptionKey)) {
v_encoded_tag := v_encoded_tag & bit2oct(encvalue(p_inner_at_request.publicKeys.encryptionKey));
}
// Verify HMAC-SHA256
log("f_verify_http_at_request_from_iut_itss: v_encoded_tag= ", v_encoded_tag);
v_key_tag := substr(
fx_hmac_sha256( // TODO Rename and use a wrapper function
p_inner_at_request.hmacKey,
v_encoded_tag
),
0,
16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously
log("f_verify_http_at_request_from_iut_itss: v_key_tag: ", v_key_tag);
log("f_verify_http_at_request_from_iut_itss: keyTag= ", p_inner_at_request.sharedAtRequest.keyTag);
log("f_verify_http_at_request_from_iut_itss: matching: ", match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag));
if (match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag) == false) {
// Send error message: No enrolment request
f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
// Set verdict
p_result := -5;
return;
}
// Send OK message
log("f_verify_http_at_request_from_iut_itss: Receive ", p_inner_at_request);
if (p_force_response_code == ok) {
f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
} else {
log("f_verify_http_at_request_from_iut_itss: Succeed built force error code ", p_force_response_code);
f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
}
p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
log("<<< f_verify_http_at_request_from_iut_itss: p_result: ", p_result);
log("<<< f_verify_http_at_request_from_iut_itss: p_response: ", p_response);
} // End of function f_verify_http_at_request_from_iut_itss
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
/**
* @desc The purpose of this function is verify the AT request and extract InnerAtRequest , verify ecSignature and build the InnerAtResponse for the HTTP response
* Note: This function accepts additional parameters to alter the response
*/
function f_verify_http_at_request_from_iut_itss_for_ecSignature(
in Request p_request,
in Headers p_headers,
in EtsiTs103097Certificate p_ec_certificate,
out InnerAtRequest p_inner_at_request,
out InnerAtResponse p_inner_at_response,
out HttpMessage p_response,
out integer p_result,
out boolean p_contains_ecsignature,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in AuthorizationResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Ieee1609Dot2Data v_ieee1609dot2_signed_data; //new variable
var HashedId8 v_ec_certificate_hashed_id8 //new variable
// var EcHashedId8 vc_ec_hashed_id8; Already defined in LibItsPki_TestSystem
var Oct16 v_request_hash;
var HashedId8 v_bfk_hashed_id8;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
log(">>> f_verify_http_at_request_from_iut_itss_for_ecSignature:", p_request);
p_result := 0;
// Do not verify the signature now because ATRequest is required to verify the POP signature ==> false
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, omit, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Only decryption
// Send error message, unable to decrypt it
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_response with an error message
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_request_from_iut_itss_for_ecSignature: matching: ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) {
// Send error message
f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// Extract InnerAtRequest and Verify signature of mw_innerATRequestSigned
var InnerAtRequest v_inner_at_request := v_etsi_ts_102941_data.content.authorizationRequest;
log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(v_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // to get the unmatching in log
if (match(v_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined
// Send error message: No authorization request
f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -3;
} else {
// Check ecSignature
if (ispresent(v_inner_at_request.ecSignature.ecSignature) == false) {
// Send error message: No signed external payload present
f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -4;
// Verify ecSignature of mw_ec_signature (encrypted)
} else {
p_contains_ecsignature := true;
v_ieee1609dot2_signed_data := v_inner_at_request.ecSignature.ecSignature;
log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(v_inner_at_request.ecSignature,mw_ec_signature_ext_payload))
if (match(v_inner_at_request.ecSignature, mw_ec_signature_ext_payload) == false) {
// Send error message: Present signed external payload doesnot match mw_ec_signature_ext_payload template
f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -5;
} else {
// Check signer in ecSignature
if (isvalue(v_ieee1609dot2_signed_data.content.signedData)) {
// Verify digest of signerIdentifier_digest
if (match(v_ieee1609dot2_signed_data.content.signedData.signer,mw_signerIdentifier_digest) == false) {
var HashedId8 v_digest := v_ieee1609dot2_signed_data.content.signedData.signer.digest; // check if it is hashId8
//log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(p_ec_certificate.issuer, v_digest));
var bitstring v_enc_value;
var octetstring v_ec_hash;
var Oct8 v_ec_hashed_id8;
v_enc_value := encvalue(p_ec_certificate);
if (ischosen(p_ec_certificate.issuer.sha256AndDigest)) {
v_ec_hash := f_hashWithSha256(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_hashedId8FromSha256(v_ec_hash);
} else {
v_ec_hash := f_hashWithSha384(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_hashedId8FromSha384(v_ec_hash);
}
if (match(v_ec_hashed_id8, v_digest) == false) {
// Send error message: Signer not contains HashedId8 of the CERT_EC certificate
f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -6;
} else {
// Check _signature in ecSignature
if (isvalue(v_ieee1609dot2_signed_data.content.signedData.signature_)) {
//
var EtsiTs103097Certificate v_certificate;
var EtsiTs102941Data v_etsi_ts_102941_ext_payload_data;
var octetstring v_encoded_tbsData
var Oct32 v_issuer;
v_certificate := v_ieee1609dot2_signed_data.content.signedData.signer.certificate[0];
v_encoded_tbsData := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData));
var octetstring v_enc := bit2oct(encvalue(v_certificate));
v_issuer := f_hashWithSha256(v_enc);
if (f_verifyEcdsa(v_encoded_tbsData,v_issuer,v_ieee1609dot2_signed_data.content.signedData.signature_,v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
// Send error message: Unable to verfy signature using EC's verification public key
f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -7;
} else {
// Send OK message
log("f_verify_http_at_request_from_iut_itss_for_ecSignature: Receive ", p_inner_at_request);
if (p_force_response_code == ok) {
f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("f_verify_http_at_request_from_iut_itss_for_ecSignature: Succeed built force error code ", p_force_response_code);
f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
}
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
}
}
}
}
}
}
}
// Check
}
}
}
}
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
function f_verify_http_bfk_authorization_request(
in Request p_request,
in Headers p_headers,
in EtsiTs103097Certificate p_ec_certificate,
out EeRaCertRequest p_bfk_authorization_request,
out RaEeCertInfo p_ra_ee_cert_info,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in template SignerIdentifier p_signer := m_signerIdentifier_self,
in EnrolmentResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var HashedId8 v_bfk_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
log(">>> f_verify_http_bfk_authorization_request: ", p_request);
p_result := 0;
if (f_verify_pki_request_message_with_certificate(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, p_ec_certificate, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else { // TODO Add checks on date,
log("f_verify_http_bfk_authorization_request: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationRequest(mw_ee_ra_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationRequest(mw_ee_ra_cert_request)) == false) {
// Send error message
f_http_build_butterfly_authorization_response_message(p_bfk_authorization_request/*Not required*/, v_bfk_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_ra_ee_cert_info, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// TODO Add checks
p_bfk_authorization_request := v_etsi_ts_102941_data.content.butterflyAuthorizationRequest;
f_http_build_butterfly_authorization_response_message(p_bfk_authorization_request, v_bfk_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_ra_ee_cert_info, v_ieee1609dot2_signed_and_encrypted_data);
// vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8;
// vc_ec_keys_counter := vc_ec_keys_counter + 1;
// vc_ec_certificates[vc_ec_counter] := v_ec_certificate;
// vc_ec_counter := vc_ec_counter + 1;
// log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
//
// Verify signature of mw_innerEcRequestSignedForPop
// if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) {
// // Send error message
// f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// // Set verdict
// p_result := -3;
// } else {
// log("f_verify_http_bfk_authorization_request: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
// if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) {
// // Send error message: Not enrolmentrequest
// f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// // Set verdict
// p_result := -4;
// } else {
// // TODO Check ValidityPeriod
// // Send OK message
// log("f_verify_http_bfk_authorization_request: Receive ", p_inner_ec_request);
// if (p_force_response_code == ok) {
// // Send EC certificate with code ok
// log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
// f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256)) {
// if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0)) {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
// } else {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_1;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
// }
// } else if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1)) {
// if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
// } else {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
// }
// } else {
// log("*** " & testcasename() & ": FAIL: Not implemented yet ***");
// f_selfOrClientSyncAndVerdict(c_prDone, e_error);
// }
// vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8;
// vc_ec_keys_counter := vc_ec_keys_counter + 1;
// vc_ec_certificates[vc_ec_counter] := v_ec_certificate;
// vc_ec_counter := vc_ec_counter + 1;
// log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
// } else {
// log("f_verify_http_bfk_authorization_request: Succeed but force error code ", p_force_response_code);
// f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// }
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_bfk_authorization_request: p_response: ", p_response);
log("<<< f_verify_http_bfk_authorization_request: p_result: ", p_result);
} // End of function f_verify_http_bfk_authorization_request
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
/**
* @desc Await ITS CA message using the default AT certificate
*/
altstep a_await_cam_with_current_cert(
in EtsiTs103097Certificate p_certificate
) runs on ItsPkiItss {
[PICS_SEC_SHA256 == true] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
sha256,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_cam
),
mw_signerIdentifier_certificate(
mw_etsiTs103097Certificate(
mw_issuerIdentifier_sha256AndDigest(
p_certificate.issuer.sha256AndDigest
),
mw_toBeSignedCertificate_at(
-,
p_certificate.toBeSigned.verifyKeyIndicator
)
)
)
)
),
mw_geoNwShbPacket
))) {
}
[PICS_SEC_SHA384 == true] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
sha384,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_cam
),
mw_signerIdentifier_certificate(
mw_etsiTs103097Certificate(
mw_issuerIdentifier_sha384AndDigest(
p_certificate.issuer.sha384AndDigest
),
mw_toBeSignedCertificate_at(
-,
p_certificate.toBeSigned.verifyKeyIndicator
)
)
)
)
),
mw_geoNwShbPacket
))) {
}
} // End of altstep a_await_cam_with_current_cert
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.2.1 Enrollment request
/**
* @desc Check that IUT sends an enrolment request when triggered.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
* Initial conditions:
* with {
* the IUT being in the "initial state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to requested a new Enrolment Certificate (EC)
* }
* then {
* the IUT sends to EA an EnrolmentRequestMessage
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_01_BV
* @reference ETSI TS 102 941 [2], clause 6.1.3
*/
testcase TC_SECPKI_ITSS_ENR_01_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start components
v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
function f_TC_SECPKI_ITSS_ENR_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
// Local variables
var HashedId8 v_certificate_digest;
var EtsiTs103097Certificate v_certificate;
vc_hashedId8ToBeUsed := ""; // No certificates //PX_IUT_DEFAULT_CERTIFICATE
// Preamble
// Initial state: No CAM shall be emitted
geoNetworkingPort.clear;
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": INFO: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
} // End of 'alt' statement
tc_ac.start; // TDOD To refined, use altstep
alt {
[] utPort.receive(UtPkiTriggerInd: { state := 1 }) {
tc_ac.stop;
log("*** " & testcasename() & ": INFO: IUT is in enrolment state ***");
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": DBG: IUT state update not recieved ***");
//f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_ENR_01_BV_itss
function f_TC_SECPKI_ITSS_ENR_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Preamble
f_init_default_headers_list(-, "inner_ec_response", v_headers);
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
[] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) {
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var Ieee1609Dot2Data v_outer_encrypted_message;
var Ieee1609Dot2Data v_decrypted_message;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
var Ieee1609Dot2Data v_response_message;
var EtsiTs102941Data v_pki_request;
if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
v_request_hash, v_aes_enc_key,
v_decrypted_message,
v_pki_request,
v_inner_ec_request))) {
f_send_500_Internal_Error(v_headers);
log("*** " & testcasename() & ": INCONC: Canonical key is not set properly ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // to emulate inconc
} else {
f_send_500_Internal_Error(v_headers); // we dont care about response
// Set verdict
log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
/**
* @desc If the enrolment request of the IUT is an initial enrolment request, the itsId
* (contained in the InnerECRequest) shall be set to the canonical identifier, the
* signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and
* the outer signature shall be computed using the canonical private key.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted
* containing an encrypted EtsiTs103097Data-Signed
* containing EtsiTs103097Data
* containing InnerECRequestSignedForPOP
* containing InnerEcRequest
* containing itsId
* indicating the canonical identifier of the ITS-S
* and containing signer
* declared as self
* and containing signature
* computed using the canonical private key
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV
* @reference ETSI TS 102 941, clause 6.1.3
*/
testcase TC_SECPKI_ITSS_ENR_02_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start components
v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_ENR_02_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
group f_TC_SECPKI_ITSS_ENR_02_BV {
function f_TC_SECPKI_ITSS_ENR_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_ec_response", v_headers);
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request)
{
var Ieee1609Dot2Data v_decrypted_message;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
var Ieee1609Dot2Data v_response_message;
var EtsiTs102941Data v_pki_request;
var Oct16 v_request_hash, v_aes_enc_key;
var PublicVerificationKey v_canonical_key;
tc_ac.stop;
f_send_500_Internal_Error(v_headers); // we don't care about response
if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
v_request_hash, v_aes_enc_key,
v_decrypted_message,
v_pki_request,
v_inner_ec_request))) {
log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if (not(isvalue(v_inner_ec_request))) {
log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if(not match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID)){
log("*** " & testcasename() & ": FAIL: Canonical ID mismatched ***");
log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID));
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if (not(ischosen(v_decrypted_message.content.signedData))) {
log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***");
log("*** " & testcasename() & ": FAIL: inner data content=", v_decrypted_message.content);
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if (not(ischosen(v_decrypted_message.content.signedData.signer.self_))) {
log("*** " & testcasename() & ": FAIL: EC request shall be self-signed by cannonical key ***");
log("*** " & testcasename() & ": FAIL: signerInfo=", v_decrypted_message.content.signedData.signer);
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if(false == f_get_canonical_itss_key(v_canonical_key)){
log("*** " & testcasename() & ": INCONC: Unknown ITS-S canonical public key ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // emulate inconc
}
if (not(f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)),
int2oct(0, 32), // issuer is emtpy string
v_decrypted_message.content.signedData.signature_,
v_canonical_key))){