Newer
Older
11001
11002
11003
11004
11005
11006
11007
11008
11009
11010
11011
11012
11013
11014
11015
11016
11017
11018
11019
11020
11021
11022
11023
11024
11025
11026
11027
11028
11029
11030
11031
11032
11033
11034
11035
11036
11037
11038
11039
11040
11041
11042
11043
11044
11045
11046
11047
11048
11049
11050
11051
11052
11053
11054
11055
11056
11057
11058
11059
11060
11061
11062
11063
11064
11065
11066
11067
11068
11069
11070
11071
11072
11073
11074
11075
11076
11077
11078
11079
11080
11081
11082
11083
11084
11085
11086
11087
11088
11089
11090
11091
11092
11093
11094
11095
11096
11097
11098
11099
11100
11101
11102
11103
11104
11105
11106
11107
11108
11109
11110
11111
11112
11113
11114
11115
11116
11117
11118
11119
11120
11121
11122
11123
11124
11125
11126
11127
11128
11129
11130
11131
11132
11133
11134
11135
11136
11137
11138
11139
11140
11141
/**
* @desc For the re-keying application to the RCA (CaCertificateRekeyingMessage), an EtsiTs103097Data-Signed structure is built, containing: hashId, tbsData, signer and signature
* The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097
* The signer declared as a digest, containing the hashedId8 of the EA certificate and the signature over tbsData is computed using the currently valid private key corresponding to the EA certificate (outer signature)
* <pre>
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing EtsiTs103097Data-Signed structure
* containing hashId
* indicating the hash algorithm to be used
* and containing tbsData
* and containing signer
* containing digest
* indicating HashedId8 of the SubCA certificate (CERT)
* and containing signature
* computed over tbsData
* using the private key corresponding to CERT
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_CERTGEN_09_BV
* @reference ETSI TS 102 941, clause 6.2.1
* ETSI TS 103 097, clause 7
*/
testcase TC_SECPKI_EA_CERTGEN_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_09_BV
/**
* @desc The (outer) tbsData of the CACertificateRekeyingMessage shall contain the CaCertificateRequestMessage as payload
* <pre>
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* }
* then {
* the IUT sends a CACertificateRekeyingMessage
* containing EtsiTs103097Data-Signed structure
* containing tbsData
* containing CaCertificateRequestMessage
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_CERTGEN_10_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_10_BV
/**
* @desc The (outer) tbsData of the CACertificateRekeyingMessage shall contain a headerInfo containing psid and generationTime.
* The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and the generationTime shall be present
* All other components of the component tbsdata.headerInfo are not used and absent
* <pre>
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* }
* then {
* the IUT sends a CACertificateRekeyingMessage
* containing tbsData
* containing psid
* indicating SEC_CERT_REQ
* and containing generationTime
* and not containing any other component of tbsdata.headerInfo
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_CERTGEN_11_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_11_BV
/**
* @desc Check that the CaCertificateRekeyingMessage is permitted by CA certificate
* <pre>
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* }
* then {
* the IUT sends a CACertificateRekeyingMessage
* containing EtsiTs103097Data-Signed structure
* containing tbsData
* and containing signer
* containing digest
* indicating HashedId8 of the CA certificate
* containing appPermissions
* containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating 1
* containing opaque[1] (value)
* indicating 'CA Certificate Response' (bit 6) set to 1
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_CERTGEN_12_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_12_BV
} // End of group ca_certificate_request
group authorization_with_bfk {
group bfk_auth_response {
/**
* @desc Check that the EA sends the butterfly authorization respond message after receiving of the butterfly authorization request
* Check that this message is signed with EA certificate
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the ITS-S in 'enrolled' state
11145
11146
11147
11148
11149
11150
11151
11152
11153
11154
11155
11156
11157
11158
11159
11160
11161
11162
11163
11164
11165
11166
11167
11168
11169
11170
11171
11172
11173
11174
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a ButterflyAuthorizationRequestMessage message
* }
* then {
* the IUT send an EtsiTs103097Data to the ITS-S
* containing content.signedData
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing generationTime
* and not containing any other field
* and containing payload.data
* indicating EtsiTs102941Data
* containing version
* indicating ‘1’
* and containing content
* containing butterflyCertificateResponse
* and containing signer
* containing digest
* indicating HashedId8 of the CERT_EA
* and containing signature
* validated using CERT_EA verification public key
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_BFK_AUTH_01_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
Yann Garcia
committed
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var EeRaCertRequest v_ee_ra_cert_request;
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
Yann Garcia
committed
LibItsPki_Functions.f_initialiseSecuredMode("CERT_TS_A_EA", "CERT_TS_A_AA");
f_http_build_butterfly_authorization_request_message(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request);
stop;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
Yann Garcia
committed
f_http_build_butterfly_authorization_request_message(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request);
11217
11218
11219
11220
11221
11222
11223
11224
11225
11226
11227
11228
11229
11230
11231
11232
11233
11234
11235
11236
11237
11238
11239
11240
11241
11242
11243
11244
11245
11246
11247
11248
11249
11250
11251
11252
11253
11254
11255
11256
11257
11258
11259
11260
11261
11262
11263
11264
11265
11266
11267
11268
11269
11270
11271
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyAuthorizationResponse(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_01_BV
/**
* @desc Check that the butterfly authorization respond message, sent by EA, contains all necessary fields
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the ITS-S in 'enrolled' state
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a ButterflyAuthorizationRequestMessage message (REQ)
* }
* then {
* the IUT send to the ITS-S a ButterflyAuthorizationResponseMessage
11282
11283
11284
11285
11286
11287
11288
11289
11290
11291
11292
11293
11294
11295
11296
11297
11298
11299
11300
11301
11302
11303
11304
* containing butterflyCertificateResponse
* containing RaEeCertInfo
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing currentI
* and containing requestHash
* indicating the left-most 16 octets of the SHA256 digest of the REQ
* and containing nextDlTime
* and not containing acpcTreeId
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_BFK_AUTH_02_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
Yann Garcia
committed
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
11308
11309
11310
11311
11312
11313
11314
11315
11316
11317
11318
11319
11320
11321
11322
11323
11324
11325
11326
11327
11328
11329
11330
11331
11332
11333
11334
var EeRaCertRequest v_ee_ra_cert_request;
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
Yann Garcia
committed
f_http_build_butterfly_authorization_request_message(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request);
11336
11337
11338
11339
11340
11341
11342
11343
11344
11345
11346
11347
11348
11349
11350
11351
11352
11353
11354
11355
11356
11357
11358
11359
11360
11361
11362
11363
11364
11365
11366
11367
11368
11369
11370
11371
11372
11373
11374
11375
11376
11377
11378
11379
11380
11381
11382
11383
11384
11385
11386
11387
11388
11389
11390
11391
11392
11393
11394
11395
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyAuthorizationResponse(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_ee_cert_info(mw_ra_ee_cert_info)));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_ee_cert_info(mw_ra_ee_cert_info)) == true) {
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_02_BV
} // End of group bfk_auth_response
group bfk_cert_request {
Yann Garcia
committed
group bfk_auth_request_helpers {
function f_trigger_butterfly_authorization_request(
out HashedId8 p_aes_sym_key_hashed_id8,
out EeRaCertRequest p_ee_ra_cert_request
) runs on ItsPkiHttp {
// Local variables
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
Yann Garcia
committed
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
Yann Garcia
committed
f_http_build_butterfly_authorization_request_message(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, p_ee_ra_cert_request);
11422
11423
11424
11425
11426
11427
11428
11429
11430
11431
11432
11433
11434
11435
11436
11437
11438
11439
11440
11441
11442
11443
11444
11445
11446
11447
11448
11449
11450
11451
11452
11453
11454
11455
11456
11457
11458
11459
11460
11461
11462
11463
11464
p_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
} // End of function f_trigger_butterfly_authorization_request
function f_verify_http_butterfly_cert_request_message_from_aa(
in Request p_request,
in Headers p_headers,
in boolean p_checked_cocoon_keys_derivation := false,
in template (omit) octetstring p_caterpilar_compressed_key := omit,
out integer p_result,
out RaAcaCertRequest p_butterflyCertificateRequest,
out HttpMessage p_response
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
log(">>> f_verify_http_butterfly_cert_request_message_from_aa: ", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
var UInt64 v_current_time := f_getCurrentTimeUtc();
var UInt64 v_delta_time := 30;
Yann Garcia
committed
11466
11467
11468
11469
11470
11471
11472
11473
11474
11475
11476
11477
11478
11479
11480
11481
11482
11483
11484
11485
11486
11487
11488
11489
11490
11491
11492
log("f_verify_http_butterfly_cert_request_message_from_aa: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) {
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -2;
} else {
if (p_checked_cocoon_keys_derivation == true) {
// FIXME FSCOM if (f_check_cocoon_keys_derivation(v_etsi_ts_102941_data.content.butterflyCertificateRequest.tbsCert.verifyKeyIndicator, ))
} else {
var AcaRaCertResponse v_aca_ra_cert_response;
var HashedId8 v_hashedId8;
var octetstring v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
v_hashedId8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
f_http_build_butterfly_cert_response(v_hashedId8, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_aca_ra_cert_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
p_butterflyCertificateRequest := v_etsi_ts_102941_data.content.butterflyCertificateRequest;
}
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_response: ", p_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_result: ", p_result);
} // End of function f_verify_http_butterfly_cert_request_message_from_aa
Yann Garcia
committed
} // End of group bfk_auth_request_helpers
/**
* @desc Check that the EA sends butterfly certificate request message after receiving of the butterfly authorization request
* Check that this message is encrypted for the AA
* Check that this message is signed with the EA certificate
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA is emulated by TS and
* authorized with CERT_AA certificate
* and EA is configured to use emulated AA to generate certificates
11507
11508
11509
11510
11511
11512
11513
11514
11515
11516
11517
11518
11519
11520
11521
11522
11523
11524
11525
11526
11527
11528
11529
11530
11531
11532
11533
11534
11535
11536
11537
11538
11539
11540
11541
11542
11543
11544
11545
11546
11547
11548
11549
11550
11551
11552
11553
11554
11555
11556
11557
11558
11559
11560
11561
11562
11563
11564
11565
11566
11567
11568
11569
11570
11571
11572
11573
11574
11575
11576
11577
11578
11579
11580
11581
11582
11583
11584
11585
11586
11587
11588
11589
11590
11591
11592
11593
11594
11595
11596
11597
11598
11599
11600
11601
11602
11603
11604
11605
11606
11607
11608
11609
11610
11611
11612
11613
11614
11615
11616
11617
11618
11619
11620
11621
11622
11623
11624
11625
11626
11627
11628
11629
11630
11631
11632
11633
11634
11635
11636
11637
11638
11639
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing content.encryptedData
* containing recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_AA
* and containing encrypted representation of EtsiTs103097Data
* containing signedData
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing payload.data
* containing EtsiTs102941Data
* containing version
* indicating ‘1’
* and containing content
* containing butterflyCertificateRequest
* and containing signer
* containing digest
* indicating HashedId8 of the CERT_EA
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_BFK_AUTH_03_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterfly_cert_request(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_03_BV
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already received the ButterflyAuthorizationRequestMessage
* indicating the sha256 message hash MSG_HASH
* and the EA already responded with ButterflyAuthorizationResponseMessage
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
11653
11654
11655
11656
11657
11658
11659
11660
11661
11662
11663
11664
11665
11666
11667
11668
11669
11670
11671
11672
11673
11674
11675
11676
11677
11678
11679
11680
11681
11682
11683
11684
11685
11686
11687
11688
11689
11690
11691
11692
11693
11694
11695
11696
11697
11698
11699
11700
11701
11702
11703
11704
11705
11706
11707
11708
11709
11710
11711
11712
11713
11714
11715
11716
11717
11718
11719
11720
11721
11722
11723
11724
11725
11726
11727
11728
11729
11730
11731
11732
11733
11734
11735
11736
11737
11738
11739
11740
11741
11742
11743
11744
11745
11746
11747
11748
11749
11750
11751
11752
11753
11754
11755
11756
11757
11758
11759
11760
11761
11762
11763
11764
11765
11766
11767
11768
11769
11770
11771
11772
11773
11774
11775
11776
11777
11778
11779
11780
11781
11782
11783
11784
11785
11786
11787
11788
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* containing EeRaCertRequest
* containing generationTime
* indicating REQ_TIME
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing flags
* indicating empty bit string
* and containing certEncKey
* and containing tbsCert
* and not containing linkageInfo
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_BFK_AUTH_04_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterfly_cert_request(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// TODO Check v_butterflyCertificateRequest
// FIXME Some check can be moved to f_verify_http_butterfly_cert_request_message_from_aa
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_04_BV
/**
* @desc Check that the butterfly certificate request message contains expanded cocoon key
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA in 'operational' state
* authorized with CERT_AA certificate
* and EA is configured to use AA of the current configuration to generate certificates
11794
11795
11796
11797
11798
11799
11800
11801
11802
11803
11804
11805
11806
11807
11808
11809
11810
11811
11812
11813
11814
11815
11816
11817
11818
11819
11820
11821
11822
11823
11824
11825
11826
11827
11828
11829
11830
11831
11832
11833
11834
11835
11836
11837
11838
11839
11840
11841
11842
11843
11844
11845
11846
11847
11848
11849
11850
11851
11852
11853
11854
11855
11856
11857
11858
11859
11860
11861
11862
11863
11864
11865
11866
11867
11868
11869
11870
11871
11872
11873
11874
11875
11876
11877
11878
11879
11880
11881
11882
11883
11884
11885
11886
11887
11888
11889
11890
11891
11892
11893
11894
11895
11896
11897
11898
11899
11900
11901
11902
11903
11904
11905
11906
11907
11908
11909
11910
11911
11912
11913
11914
11915
11916
11917
11918
11919
11920
11921
11922
11923
11924
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* containing EeRaCertRequest
* containing tbsCert (TBS_CERT)
* containing verification key (CATERPILLAR_KEY)
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing tbsCert
* containing verificationKey
* containing “cocoon” key
* derived from the CATERPILLAR_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_BFK_AUTH_05_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterfly_cert_request(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, true, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_05_BV
} // End of group bfk_cert_request
group bfk_auth_cert_download {
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already responded with ButterflyAuthorizationResponseMessage (MSG_RESPONSE)
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
* and containing currentI
* indicating I_VALUE
* and containing requestHash
* indicating MSG_HASH
* and the EA already received from emullated AA one or more ButterflyCertResponse messages
* containing AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
11938
11939
11940
11941
11942
11943
11944
11945
11946
11947
11948
11949
11950
11951
11952
11953
11954
11955
11956
11957
11958
11959
11960
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* indicating EeRaDownloadRequest
* containing generationTime
* indicating DNL_TIME + 1
* and containing filename
* indicating MSG_HASH + “_” + hex(I_VALUE) + ".zip"
* }
* then {
* the IUT sends the requested batch of certificates
* containing file hex(I_VALUE) + “.info”
* indicating COER encoding of MSG_RESPONSE
* and containing a set of files hex(I_VALUE) + “_” + (0..N)
* indicating COER encoding of AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v1.2.2 TP SECPKI_EA_BFK_AUTH_06_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.1, 6.2.3.5.3
11962
11963
11964
11965
11966
11967
11968
11969
11970
11971
11972
11973
11974
11975
11976
11977
11978
11979
11980
11981
11982
11983
11984
11985
11986
11987
11988
11989
11990
11991
11992
11993
11994
11995
11996
11997
11998
11999
12000
*/
testcase TC_SECPKI_EA_BFK_AUTH_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_http_build_butterfly_at_download_request_message(""/*FIXME FSCOM*/, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,