Newer
Older
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_04_BV
/**
* @desc Check that the butterfly certificate request message contains expanded cocoon key
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA in 'operational' state
* authorized with CERT_AA certificate
* and EA is configured to use AA of the current configuration to generate certificates
15022
15023
15024
15025
15026
15027
15028
15029
15030
15031
15032
15033
15034
15035
15036
15037
15038
15039
15040
15041
15042
15043
15044
15045
15046
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* containing EeRaCertRequest
* containing tbsCert (TBS_CERT)
* containing verification key (CATERPILLAR_KEY)
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing tbsCert
* containing verificationKey
* containing “cocoon” key
* derived from the CATERPILLAR_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_05_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
15091
15092
15093
15094
15095
15096
15097
15098
15099
15100
15101
15102
15103
15104
15105
15106
15107
15108
15109
15110
15111
15112
15113
15114
15115
15116
15117
15118
15119
15120
15121
15122
15123
15124
15125
15126
15127
15128
15129
15130
15131
15132
15133
15134
15135
15136
15137
15138
15139
15140
15141
15142
15143
15144
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, true, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_05_BV
} // End of group ea_bfk_cert_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6.2 Authorization certificate download
group ea_bfk_auth_cert_download {
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already responded with ButterflyAuthorizationResponseMessage (MSG_RESPONSE)
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
* and containing currentI
* indicating I_VALUE
* and containing requestHash
* indicating MSG_HASH
* and the EA already received from emullated AA one or more ButterflyCertResponse messages
* containing AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
15168
15169
15170
15171
15172
15173
15174
15175
15176
15177
15178
15179
15180
15181
15182
15183
15184
15185
15186
15187
15188
15189
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* indicating EeRaDownloadRequest
* containing generationTime
* indicating DNL_TIME + 1
* and containing filename
* indicating MSG_HASH + “_” + hex(I_VALUE) + ".zip"
* }
* then {
* the IUT sends the requested batch of certificates
* containing file hex(I_VALUE) + “.info”
* indicating COER encoding of MSG_RESPONSE
* and containing a set of files hex(I_VALUE) + “_” + (0..N)
* indicating COER encoding of AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_06_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.1, 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
// Wait for v_ee_ra_cert_request.nextDlTime
var float v_timer := int2float(p_ra_ee_cert_info.nextDlTime - p_ra_ee_cert_info.generationTime + 2);
log("*** " & testcasename() & ": INFO: Start wailting for " & float2str(v_timer) & " seconds ***");
f_sleepIgnoreDef(v_timer);
log("*** " & testcasename() & ": INFO: timer of " & float2str(v_timer) & " seconds expierd message ***");
// FISME FSCOM In int2hex, 3 is arbitrary. Need to check the range of currentI to set the correct hex string length
f_http_build_butterfly_at_download_request_message(hex2str(oct2hex(p_ra_ee_cert_info.requestHash)) & "-" & hex2str(int2hex(p_ra_ee_cert_info.currentI, 3)) & ".zip", v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AT_DOWNLOAD,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)) == true) {
15270
15271
15272
15273
15274
15275
15276
15277
15278
15279
15280
15281
15282
15283
15284
15285
15286
15287
15288
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV
} // End of group ea_bfk_auth_cert_download
} // End of group ea_authorization_with_bfk
} // End of group ea_behavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5 AA behaviour
15296
15297
15298
15299
15300
15301
15302
15303
15304
15305
15306
15307
15308
15309
15310
15311
15312
15313
15314
15315
15316
15317
15318
15319
15320
15321
15322
15323
15324
15325
15326
15327
15328
15329
15330
15331
15332
15333
15334
15335
15336
15337
15338
15339
15340
15341
15342
15343
15344
15345
15346
15347
15348
15349
15350
15351
15352
15353
group aa_behavior {
group aa_helpers {
function f_verify_http_at_response_from_iut_aa(
in Response p_response,
in octetstring p_private_key,
in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector,
in Oct32 p_request_hash,
out InnerAtResponse p_authorization_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
log(">>> f_verify_http_at_response_from_iut_aa: p_response= ", p_response);
log(">>> f_verify_http_at_response_from_iut_aa: p_private_key= ", p_private_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_http_at_response_from_iut_aa: p_request_hash= ", p_request_hash);
p_result := 0;
if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_aaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_response_from_iut_aa: Receive ", v_etsi_ts_102941_data);
p_authorization_response := v_etsi_ts_102941_data.content.authorizationResponse;
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -)))) == false) {
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)));
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)) == false) {
// Set verdict
p_result := -2;
} else {
// Set verdict
p_result := -3;
}
} else {
// Verify AT Certificate signature
if (f_verifyCertificateSignatureWithIssuingCertificate(v_etsi_ts_102941_data.content.authorizationResponse.certificate, vc_aaCertificate) == false) {
// Set verdict
p_result := -4;
}
log("f_verify_http_at_response_from_iut_aa: Well-secured AT certificate received");
}
}
log("<<< f_verify_http_at_response_from_iut_aa: p_result: ", p_result);
} // End of function f_verify_http_at_response_from_iut_aa
} // End of group aa_helpers
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.1 Authorization request handling
group aa_authorization_request {
15356
15357
15358
15359
15360
15361
15362
15363
15364
15365
15366
15367
15368
15369
15370
15371
15372
15373
15374
15375
15376
15377
15378
15379
15380
15381
15382
15383
15384
15385
15386
15387
15388
15389
15390
15391
15392
15393
15394
15395
15396
15397
15398
15399
15400
15401
15402
15403
15404
15405
15406
15407
15408
15409
15410
15411
15412
15413
15414
15415
15416
/**
* @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the EA/AA is able to verify the inner signature
* Check that the EA/AA is able to verify the request authenticity using the hmacKey verification
* Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing encrypted representation of the EtsiTs103097Data-Signed
* containing content.signedData
* containing hashId
* indicating valid hash algorythm
* and containing signer
* containing self
* and containing tbsData (SIGNED_DATA)
* containing payload
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* and containing signature (SIGNATURE)
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
* using the V_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
15467
15468
15469
15470
15471
15472
15473
15474
15475
15476
15477
15478
15479
15480
15481
15482
15483
15484
15485
15486
15487
15488
15489
15490
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_response;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***");
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
// Set verdict, don't care of the v_result, out if scope for this test
log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_01_BV
15566
15567
15568
15569
15570
15571
15572
15573
15574
15575
15576
15577
15578
15579
15580
15581
15582
15583
15584
15585
15586
15587
15588
15589
15590
15591
15592
15593
15594
15595
15596
15597
15598
15599
15600
15601
15602
15603
15604
15605
15606
15607
15608
15609
15610
15611
15612
15613
/**
* @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the AA is able to verify the request authenticity using the hmacKey verification
* Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_02_BV
15615
15616
15617
15618
15619
15620
15621
15622
15623
15624
15625
15626
15627
15628
15629
15630
15631
15632
15633
15634
15635
15636
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
15667
15668
15669
15670
15671
15672
15673
15674
15675
15676
15677
15678
15679
15680
15681
15682
15683
15684
15685
15686
15687
15688
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_response;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***");
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var octetstring v_request_hash_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
// Set verdict, don't care of the v_result, out if scope for this test
log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_02_BV
15764
15765
15766
15767
15768
15769
15770
15771
15772
15773
15774
15775
15776
15777
15778
15779
15780
15781
15782
15783
15784
15785
15786
15787
15788
15789
15790
15791
15792
15793
/**
* @desc Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* NOT equal to the HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_03_BI
15795
15796
15797
15798
15799
15800
15801
15802
15803
15804
15805
15806
15807
15808
15809
15810
15811
15812
15813
15814
15815
15816
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_03_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, true, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
15846
15847
15848
15849
15850
15851
15852
15853
15854
15855
15856
15857
15858
15859
15860
15861
15862
15863
15864
15865
15866
15867
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key));
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_noac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_noac.stop;
log("*** " & testcasename() & ": PASS: IUT has rejected the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": PASS: IUT has discarded the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_03_BI
15912
15913
15914
15915
15916
15917
15918
15919
15920
15921
15922
15923
15924
15925
15926
15927
15928
15929
15930
15931
15932
15933
15934
15935
15936
15937
15938
15939
15940
15941
15942
/**
* @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating value
* equal to the HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the OTHER private key correspondent to the AA_ENC_PUB_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_04_BI
15944
15945
15946
15947
15948
15949
15950
15951
15952
15953
15954
15955
15956
15957
15958
15959
15960
15961
15962
15963
15964
15965
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_04_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
f_http_build_authorization_request_with_wrong_private_key(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(