ItsPki_TestCases.ttcn 1.05 MB
Newer Older
          var Headers v_headers;
          var HttpMessage v_request;
          var InnerEcResponse v_inner_ec_response;
          var InnerEcRequest v_inner_ec_request;

          // Test component configuration
          f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);

          // Test adapter configuration

          // Preamble
          f_init_default_headers_list(-, "inner_at_response", v_headers);
          if (PX_TRIGGER_EC_BEFORE_AT) {
            f_await_ec_request_send_error_response(v_request);
            log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***");
          } else {
            f_selfOrClientSyncAndVerdict(c_prDone, e_success);
          }
          
          // Do not expect any repetition
          if (PX_TRIGGER_EC_BEFORE_AT) {
            if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
              log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
            } else {
              log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
            }
          }

          // Test Body
          tc_ac.start(PX_TAC * 1.1); // for different timer PIXIT_AUTH_TIMEOUT_TH2
          alt {
            [] a_await_at_http_request_from_iut(
                                                 mw_http_request(
                                                                 mw_http_request_post(
                                                                                      PICS_HTTP_POST_URI_AT,
                                                                                      -,
                                                                                      mw_http_message_body_binary(
                                                                                                                  mw_binary_body_ieee1609dot2_data(
                                                                                                                                                   mw_authorizationRequestMessage(
                                                                                                                                                                              mw_encryptedData(
                                                                                                                                                                                               { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * },
                                                                                                                                                                                               mw_symmetricCiphertext_aes128ccm
                                                                                                                                                                                               )))))),
                                                 v_request
                                                 ) {
              var HttpMessage v_response;
              var integer v_result;
              var InnerAtRequest v_inner_at_request;
              var InnerAtResponse v_inner_at_response;

              tc_ac.stop;

              // Verify IUT response
              f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
              // Send response
              if (isvalue(v_response)) {
                httpPort.send(v_response);
              }
              // Set verdict
              if (v_result == 0) {
                var octetstring v_msg;
                var octetstring v_hashed_id8;
                log("*** " & testcasename() & ": PASS: InnerAtRequest received ***");
                v_msg := bit2oct(encvalue(v_inner_at_response.certificate));
                if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
                  v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg));
                } else {
                  v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
                }
                infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
                f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
              } else {
                log("*** " & testcasename() & ": FAIL: Failed to verify AA an AuthorizationRequestMessage ***");
                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
              }
            }
            [] tc_ac.timeout {
              log("*** " & testcasename() & ": PASS: Expected no AuthorizationRequestMessage ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
            }
          } // End of 'alt' statement

          // Postamble
          f_cfHttpDown();
        } // End of function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki

      } // End of group f_TC_SECPKI_ITSS_AUTH_REP_05_BV

    } // End of group itss_authorization_request_repetition
    // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.4  Authorization using butterfly key expansion mechanism
    group itss_authorization_request_bfk {

      /**
       * @desc Check that the ITS-S send the EtsiTs103097Data to the Enrollment Authority (EA) to request a batch of authorization tickets
               Check that this message is encrypted and addressed to a single recipient.
       * <pre>
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH
       * Initial conditions: 
       *     with {
       *         the IUT being in the "initial state" and
       *         the EA in 'operational' state
       *             authorized with enrollment certificate CERT_IUT_A_EA
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to request a new batch of authorization tickets
       *         }
       *         then {
       *             the IUT sends a EtsiTs103097Data to the EA
       *                 containing content.encryptedData
       *                     containing recipients
       *                         indicating size 1
       *                         and containing the instance of RecipientInfo
       *                             containing certRecipInfo
       *                             containing recipientId
       *                             indicating HashedId8 of the CERT_IUT_A_EA
       *         }
       *     }
       * </pre>
       * 
       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_01_BV
       * @reference ETSI TS 102 941 [1], clause 6.2.3.5.1
       */
      testcase TC_SECPKI_ITSS_BFK_AUTH_01_BV() runs on ItsMtc system ItsPkiItssSystem {
        // Local variables
        var ItsPkiItss v_itss;
        var ItsPkiHttp v_ea;

        // Test control
        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***");
          setverdict(inconc);
          stop;
        }

        // Test component configuration
        f_cfMtcUp01(v_itss, v_ea);

        // Start components
        v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss());
        v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki());

        // Synchronization
        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});

        // Cleanup
        f_cfMtcDown01(v_itss, v_ea);

      } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_01_BV

      group f_TC_SECPKI_ITSS_BFK_AUTH_01_BV {

        function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
          // Local variables
          var HashedId8               v_certificate_digest;
          var EtsiTs103097Certificate v_certificate;
          var InfoPortData            v_info_port_data;
          var boolean                 v_start_awaiting := false;

          // Test component configuration
          vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
          f_cfUp_itss();

          // Test adapter configuration

          // Preamble
          // Initial state: No CAM shall be emitted
          geoNetworkingPort.clear;
          tc_noac.start;
          alt {
            [] geoNetworkingPort.receive {
              log("No CA message expected");
              f_selfOrClientSyncAndVerdict(c_prDone, e_error);
            }
            [] tc_noac.timeout {
              f_sendUtTriggerEnrolmentRequestPrimitive();
              tc_ac.start; // TDOD To refined, use altstep
              alt {
                [] utPort.receive(UtPkiTriggerInd: { state := 1 }) {
                  tc_ac.stop;
                  log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***");
                }
                [] tc_ac.timeout {
                  log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***");
                  f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
                }
              } // End of 'alt' statement
              log("*** " & testcasename() & "_itss: : INFO: No CA message received ***");
              f_selfOrClientSyncAndVerdict(c_prDone, e_success);
            }
          } // End of 'alt' statement

          // Test Body
          f_sendUtTriggerAuthorizationRequestPrimitive(); // TODO FSCOM Add BFK mode
          tc_ac.start;
          alt {
            [v_start_awaiting == true] a_await_cam_with_current_cert(
                                                                     v_info_port_data.at_certificate
            ) {
              log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
            }
            [] geoNetworkingPort.receive { 
              log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
            }
            [] infoPort.receive(InfoPortData:?) -> value v_info_port_data {
              log("*** " & testcasename() & ": INFO: Received new AT certificate ***");
              v_start_awaiting := true;
              repeat;
            }
            [] tc_ac.timeout {
              log("*** " & testcasename() & "_itss: : PASS: No CA message received ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
            }
          } // End of 'alt' statement

          // Postamble
          f_cfDown_itss();
        } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss

        function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
          // Local variable
          var Headers v_headers;
          var HttpMessage v_request;
          var InnerEcResponse v_inner_ec_response;
          var InnerEcRequest v_inner_ec_request;

          // Test component configuration
          f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);

          // Test adapter configuration

          // Preamble
          if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
            log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
            f_selfOrClientSyncAndVerdict(c_prDone, e_success);
          } else {
            log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
            f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
          }

          // Test Body
          tc_ac.start;
          alt {
            [] a_await_ec_http_request_from_iut(
                                                mw_http_request(
                                                                mw_http_request_post(
                                                                                     PICS_HTTP_POST_URI_BFK_AUTH,
                                                                                     -,
                                                                                     mw_http_message_body_binary(
                                                                                                                 mw_binary_body_ieee1609dot2_data(
                                                                                                                                                  mw_enrolmentRequestMessage(
                                                                                                                                                                            mw_encryptedData(
                                                                                                                                                                                             { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
                                                                                                                                                                                             mw_symmetricCiphertext_aes128ccm
                                                                                                                                                                                             )))))),
                                                v_request
                                                ) {
              var HttpMessage v_response;
              var integer v_result;
              var EeRaCertRequest v_bfk_authorization_request;
              var RaEeCertInfo v_bfk_authorization_response;

              tc_ac.stop;

              // Verify IUT response
              f_verify_http_bfk_authorization_request(v_request.request, v_headers, v_inner_ec_response.certificate, v_bfk_authorization_request, v_bfk_authorization_response, v_response, v_result);
              // Send response
              if (isvalue(v_response)) {
                httpPort.send(v_response);
              } else { // Send HTTP error 500
                f_send_500_Internal_Error(v_headers);
              }
              // Set verdict
              if (v_result == 0) {
                log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
                f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
              } else {
                log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
              }
            }
            [] tc_ac.timeout {
              log("*** " & testcasename() & ": INCONC: Expected message not received ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
            }
          } // End of 'alt' statement

          // Postamble
          f_cfHttpDown();
        } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki

      } // End of group f_TC_SECPKI_ITSS_BFK_AUTH_01_BV

      /**
       * @desc Check that the ButterflyAuthorizationRequestMessage is signed using the EC certificate
       * <pre>
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH
       * Initial conditions: 
       *     with {
       *         the IUT being in the 'enrolled' state
       *             with certificate CERT_EC
       *                 issued by CA authorized with CERT_IUT_A_EA
       *         and the EA in 'operational' state
       *             authorized with enrollment certificate CERT_IUT_A_EA
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to request a new batch of authorization tickets
       *         }
       *         then {
       *             the IUT sends a EtsiTs103097Data to the EA
       *                 containing content.encryptedData.cipherText
       *                     containing encrypted representation of EtsiTs103097Data
       *                         containing signedData
       *                             containing tbsData
       *                                 containing psid
       *                                     indicating AID_PKI_CERT_REQUEST
       *                                 and containing generationTime
       *                                 and not containing any other field
       *                                 and containing payload.data
       *                                     indicating EtsiTs102941Data
       *                                         containing version
       *                                             indicating ‘1’
       *                                         and containing content
       *                                             containing butterflyAuthorizationRequest
       *                                                 indicating EeRaCertRequest
       *                                 and containing signer
       *                                     containing digest
       *                                         indicating HashedId8 of the CERT_EC
       *         }
       *     }
       * </pre>
       * 
       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV
       * @reference ETSI TS 102 941 [1], clause 6.2.3.5.2
       */
      testcase TC_SECPKI_ITSS_BFK_AUTH_02_BV() runs on ItsMtc system ItsPkiItssSystem {
        // Local variables
        var ItsPkiItss v_itss;
        var ItsPkiHttp v_ea;

        // Test control
        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***");
          setverdict(inconc);
          stop;
        }

        // Test component configuration
        f_cfMtcUp01(v_itss, v_ea);

        // Start components
        v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss());
        v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki());

        // Synchronization
        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});

        // Cleanup
        f_cfMtcDown01(v_itss, v_ea);

      } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_02_BV

      /**
       * @desc Check that the ButterflyAuthorizationRequestMessage contains all required elements
       * <pre>
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH
       * Initial conditions: 
       *     with {
       *         the IUT being in the 'enrolled' state
       *         and the EA in 'operational' state
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT is triggered to request a new batch of authorization tickets (AT)
       *         }
       *         then {
       *             the IUT sends to the EA a EtsiTs103097Data
       *                 containing the EeRaCertRequest
       *                     containing version
       *                         indicating ‘2’
       *                     and containing generationTime
       *                         indicating current ITS timestamp
       *                     and containing certificateType
       *                         indicating ‘explicit”
       *                     and containing tbsCert
       *                         containing id
       *                             indicating ‘none’
       *                         and containing cracaId
       *                             indicating ‘000000’H
       *                         and containing crlSeries
       *                             indicating ‘0’
       *                     and containing additionalParams
       *                         containing original
       *                         or containing unified
       *         }
       *     }
       * </pre>
       * 
       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV
       * @reference ETSI TS 102 941 [1], clause 6.2.3.5.2
       */
      testcase TC_SECPKI_ITSS_BFK_AUTH_03_BV() runs on ItsMtc system ItsPkiItssSystem {
        // Local variables
        var ItsPkiItss v_itss;
        var ItsPkiHttp v_ea;

        // Test control
        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***");
          setverdict(inconc);
          stop;
        }
        // Test component configuration
        f_cfMtcUp01(v_itss, v_ea);

        // Start components
        v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss());
        v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki());

        // Synchronization
        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});

        // Cleanup
        f_cfMtcDown01(v_itss, v_ea);

      } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_04_BV
       * @desc Check that the ButterflyAuthorizationRequestMessage contains newlly generated caterpillar public key
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH
       * Initial conditions: 
       *     with {
       *         the IUT being in the 'authorized' state
       *         and the IUT already sent one or more Butterfly Authorization Requests
       *         and the EA in 'operational' state
       *             the IUT is triggered to request a new batch of authorization tickets (AT)
       *             the IUT sends to the EA a EtsiTs103097Data
       *                 containing the EeRaCertRequest
       *                     containing version
       *                         indicating ‘2’
       *                     and containing generationTime
       *                         indicating current ITS timestamp
       *                     and containing certificateType
       *                         indicating ‘explicit”
       *                     and containing tbsCert
       *                         containing id
       *                             indicating ‘none’
       *                         and containing cracaId
       *                             indicating ‘000000’H
       *                         and containing crlSeries
       *                             indicating ‘0’
       *                     and containing additionalParams
       *                         containing original
       *                         or containing unified
       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV
       * @reference ETSI TS 102 941 [1], clause 6.2.3.5.2
      testcase TC_SECPKI_ITSS_BFK_AUTH_04_BV() runs on ItsMtc system ItsPkiItssSystem {
        // Local variables
        var ItsPkiItss v_itss;
        var ItsPkiHttp v_ea;
        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***");
        // Test component configuration
        f_cfMtcUp01(v_itss, v_ea);
        // Start components
        v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_itss());
        v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_pki());
        // Synchronization
        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
      } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_04_BV
      group f_TC_SECPKI_ITSS_BFK_AUTH_04_BV {
        function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
          // Local variables
          var HashedId8               v_certificate_digest;
          var EtsiTs103097Certificate v_certificate;
          var InfoPortData            v_info_port_data;
          var boolean                 v_start_awaiting := false;
          // Test component configuration
          vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
          f_cfUp_itss();
          // Preamble
          // Initial state: No CAM shall be emitted
          geoNetworkingPort.clear;
          tc_noac.start;
          alt {
            [] geoNetworkingPort.receive {
              log("No CA message expected");
              f_selfOrClientSyncAndVerdict(c_prDone, e_error);
            }
            [] tc_noac.timeout {
              f_sendUtTriggerEnrolmentRequestPrimitive();
              tc_ac.start; // TDOD To refined, use altstep
              alt {
                [] utPort.receive(UtPkiTriggerInd: { state := 1 }) {
                  tc_ac.stop;
                  log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***");
                }
                [] tc_ac.timeout {
                  log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***");
                  f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
                }
              } // End of 'alt' statement
              log("*** " & testcasename() & "_itss: : INFO: No CA message received ***");
              f_selfOrClientSyncAndVerdict(c_prDone, e_success);
            }
          } // End of 'alt' statement
          f_sendUtTriggerAuthorizationRequestPrimitive(); // TODO FSCOM Add BFK mode
            [v_start_awaiting == true] a_await_cam_with_current_cert(
                                                                     v_info_port_data.at_certificate
            ) {
              log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
            }
            [] geoNetworkingPort.receive { 
              log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
            }
            [] infoPort.receive(InfoPortData:?) -> value v_info_port_data {
              log("*** " & testcasename() & ": INFO: Received new AT certificate ***");
              v_start_awaiting := true;
              repeat;
              log("*** " & testcasename() & "_itss: : PASS: No CA message received ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
        } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_itss
        function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
          // Local variable
          var Headers v_headers;
          var HttpMessage v_request;
          var InnerEcResponse v_inner_ec_response;
          var InnerEcRequest v_inner_ec_request;

          // Test component configuration
          f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
          if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
            log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
            f_selfOrClientSyncAndVerdict(c_prDone, e_success);
            log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
            f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
          // Test Body
          tc_ac.start;
          alt {
            [] a_await_ec_http_request_from_iut(
                                                mw_http_request(
                                                                mw_http_request_post(
                                                                                     PICS_HTTP_POST_URI_EC,
                                                                                     -,
                                                                                     mw_http_message_body_binary(
                                                                                                                 mw_binary_body_ieee1609dot2_data(
                                                                                                                                                  mw_enrolmentRequestMessage(
                                                                                                                                                                            mw_encryptedData(
                                                                                                                                                                                             { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
                                                                                                                                                                                             mw_symmetricCiphertext_aes128ccm
                                                                                                                                                                                             )))))),
                                                v_request
                                                ) {
              var HttpMessage v_response;
              var integer v_result;
              var EeRaCertRequest v_bfk_authorization_request;
              var RaEeCertInfo v_bfk_authorization_response;

              tc_ac.stop;

              // Verify IUT response
              f_verify_http_bfk_authorization_request(v_request.request, v_headers, v_inner_ec_response.certificate, v_bfk_authorization_request, v_bfk_authorization_response, v_response, v_result);
              // Send response
              if (isvalue(v_response)) {
                httpPort.send(v_response);
              } else { // Send HTTP error 500
                f_send_500_Internal_Error(v_headers);
              }
              // Set verdict
              if (v_result == 0) {
                log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
                f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
              } else {
                log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
              }
            }
            [] tc_ac.timeout {
              log("*** " & testcasename() & ": INCONC: Expected message not received ***");
              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
            }
          } // End of 'alt' statement

        } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_pki
      } // End of group f_TC_SECPKI_ITSS_BFK_AUTH_04_BV
       * @desc Check that IUT downloads the AT certificates batch after receiving of positive ButterflyAuthorizationResponse message
       * <pre>
       * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH
       * Initial conditions: 
       *     with {
       *         the IUT being in the 'enrolled' state
       *         and the EA in 'operational' state
       *         and the IUT has sent the ButterflyAuthorizationRequestMessage
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT receives an EtsiTs102941Data as an answer of the EA
       *                 containing butterflyAuthorizationResponse
       *                     indicating RaEeCertInfo
       *                         containing generationTime
       *                             indicating GEN_TIME
       *                         and containing currentI
       *                             indicating VALUE_I
       *                         and containing requestHash
       *                             indicating REQ_HASH
       *                         and containing nextDlTime
       *                             indicating time between GEN_TIME and current time 
       *         }
       *         then {
       *             the IUT send the ButterflyAtDownloadRequestMessage
       *                 containing butterflyAtDownloadRequest
       *                     indicating EeRaDownloadRequest
       *                         containing generationTime
       *                             indicating value more than GEN_TIME
       *                         and containing filename
       *                             indicating string REQ_HASH + “_” + VALUE_I + “.zip”
       *         }
       *     }
       * </pre>
       * 
       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_BFK_CERTDNL_01_BV
       * @reference ETSI TS 102 941 [1], clauses 6.2.3.5.3 and 6.2.3.5.6
       */
      testcase TC_SECPKI_ITSS_BFK_CERTDNL_01_BV() runs on ItsMtc system ItsPkiItssSystem {
        // Local variables
        var ItsPkiItss v_itss;
        var ItsPkiHttp v_ea;

        // Test control
        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***");
          setverdict(inconc);
          stop;
        }

        // Test component configuration
        f_cfMtcUp01(v_itss, v_ea);

        // Start components
        v_itss.start(TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_itss());
        v_ea.start(TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_pki());

        // Synchronization
        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});

        // Cleanup
        f_cfMtcDown01(v_itss, v_ea);

      } // End of testcase TC_SECPKI_ITSS_BFK_CERTDNL_01_BV

      group f_TC_SECPKI_ITSS_BFK_CERTDNL_01_BV {

        function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
          // FIXME TODO
        } // End of function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_itss

        function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
          // FIXME TODO
        } // End of function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_pki

      } // End of group f_TC_SECPKI_ITSS_BFK_CERTDNL_01_BV
    } // End of group itss_authorization_request_bfk
    // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.4  CTL handling
      /**
       * @desc Check that the IUT trust the new RCA from the received ECTL
       * <pre>
       * Pics Selection:
       * Initial conditions: {
       *     the IUT does not trust the CERT_RCA_NEW
       *     the IUT has received the TLM CTL
       *         containing the CERT_RCA_NEW
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT received a CAM
       *                 signed with AT certificate
       *                     signed with AA certificate
       *                         signed with CERT_RCA_NEW
       *         }
       *         then {
       *             the IUT accepts this CAM
       *         }
       *     }
       * </pre>
       * 
       * @see       ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_01_BV
       * @reference ETSI TS 102 941, clause 6.3.5
       */
      testcase TC_SECPKI_ITSS_CTL_01_BV() runs on ItsMtc system ItsPkiItssSystem {
        // Local variables
        var ItsPkiItss v_itss;
        var ItsPkiHttp v_cpoc;
        // Test control
        if (not PICS_IUT_ITS_S_ROLE) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***");
          setverdict(inconc);
          stop;
        }
        // Test component configuration
        f_cfMtcUp03(v_itss, v_cpoc);

        // Start components
        v_itss.start(f_TC_SECPKI_ITSS_CTL_01_BV_itss());
        v_cpoc.start(f_TC_SECPKI_ITSS_CTL_01_BV_pki());
        // Synchronization
        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
      } // End of testcase TC_SECPKI_ITSS_CTL_01_BV
        function f_TC_SECPKI_ITSS_CTL_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
          // Local variables
          var GeoNetworkingPdu v_securedGnPdu;
          var integer i;
          // Test component configuration
          // Preamble
          geoNetworkingPort.clear;
          tc_ac.start;
          alt {
            [] geoNetworkingPort.receive(
                                         mw_geoNwInd(
                                                     mw_geoNwSecPdu(
                                                                    mw_etsiTs103097Data_signed(
                                                                                               mw_signedData
                                                                                               )))) {
              tc_ac.stop;
              f_sendUtTriggerUpdateEctl(""); // FIXME Create PIXIT for ETCL URI
              f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
            }
            [] tc_ac.timeout {
              log("*** " & testcasename() & ": INCONC: Expected message not received ***");
              f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
            }
          } // End of 'alt' statement
          // Test Body
          v_securedGnPdu := f_sendSecuredCam(cc_ectl_rca_new);
          // Check that the CAM message is forwarde to Facilies layer
          f_sleep(PX_TAC);
          for(i := 0; i < lengthof(vc_utInds) and not match(vc_utInds[i].rawPayload, valueof(v_securedGnPdu.gnPacket.packet.payload)); i := i + 1) {
            // empty on purpose 
          }
          if(i < lengthof(vc_utInds)) {
            log("*** " & testcasename() & ": PASS: CA message was transmitted to upper layer ***");
            f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
          } else {
            log("*** " & testcasename() & ": FAIL: CA message was not transmitted to upper layer ***");
            f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
          }
        } // End of function f_TC_SECPKI_ITSS_CTL_01_BV_itss

        function f_TC_SECPKI_ITSS_CTL_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
          // Local variable
          var HttpMessage v_response;
          var Headers v_headers;

          // Test component configuration
          f_cfHttpUp_tlm();
          // Preamble
          tc_ac.start;
          alt {
            [] a_await_cpoc_http_request_from_iut(
                                                  mw_http_request(
                                                                  mw_http_request_get(
                                                                                      PICS_HTTP_GET_URI_TLM
                                                                                      )),
                                                  v_response
                                                  ) {
              var HashedId8 v_rca_hashed_id8; // Used for signature
              var Oct32 v_rca_private_key;
              var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW
              var bitstring v_enc_msg;
              var ToBeSignedData v_tbs;
              var bitstring v_tbs_enc;
              var Oct32 v_tbs_signed;
              var Signature v_signature;
              var Ieee1609Dot2Data v_ieee1609dot2_signed_data;

              tc_ac.stop;

              // Read certificates
              f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8);
              f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key);
              f_readCertificate(cc_ectl_rca_new, v_rca_new);
              // Build the ToBeSignedTlmCtl data structure
              v_enc_msg := encvalue(
                                    valueof(
                                            m_to_be_signed_tlm_full_ctl(
                                                                        f_getCurrentTime() / 1000 + 3600,
                                                                        10,
                                                                        {
                                                                          m_ctrl_command_add(
                                                                                             m_ctl_entry_rca(
                                                                                                             m_root_ca_entry(
                                                                                                                             v_rca_new
                                                                                                                             )))
                                                                          }
                                                                        )));
              v_tbs := valueof(
                               m_toBeSignedData(
                                                m_signedDataPayload(
                                                                    m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg))
                                                                    ),
                                                m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/)
                                                ));
              v_tbs_enc := encvalue(v_tbs);
              // Sign the certificate
              v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key);
              v_signature := valueof(
                                     m_signature_ecdsaNistP256(
                                                               m_ecdsaP256Signature(
                                                                                    m_eccP256CurvePoint_x_only(
                                                                                                               substr(v_tbs_signed, 0, 32)
                                                                                                               ),
                                                                                    substr(v_tbs_signed, 32, 32)
                                                                                    )));
              log(testcasename() & ": v_signature= ", v_signature);
              v_ieee1609dot2_signed_data := valueof(
                                                    m_etsiTs103097Data_signed(
                                                                              m_signedData(
                                                                                           sha256,
                                                                                           v_tbs,
                                                                                           m_signerIdentifier_digest(v_rca_hashed_id8),
                                                                                           v_signature
                                                                                           )));
              // Send response with CERT_RCA_NEW
              f_init_default_headers_list(-, "tlm_ectl", v_headers);
              f_http_send(
                          v_headers,
                          m_http_response(
                                          m_http_response_ok(
                                                             m_http_message_body_binary(
                                                                                        m_binary_body_ieee1609dot2_data(
                                                                                                                        v_ieee1609dot2_signed_data
                                                                                                                        )),
                                                             v_headers
                                                             )));
              log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***");
              f_selfOrClientSyncAndVerdict(c_prDone, e_success);
            }
            [] tc_ac.timeout {
              log("*** " & testcasename() & ": INCONC: Expected message not received ***");
              f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
            }
          } // End of 'alt' statement
          // Test Body
          f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
          // Postamble
          f_cfHttpDown_tlm();
        } // End of function f_TC_SECPKI_ITSS_CTL_01_BV_pki
      } // End of group f_TC_SECPKI_ITSS_CTL_01_BV

      /**
       * @desc Check that the IUT untrust the RCA when it is deleted from ECTL
       * <pre>
       * Pics Selection:
       * Initial conditions: {
       *     the IUT does not trust the CERT_RCA
       *     the IUT has received the TLM CTL
       *         not containing the CERT_RCA
       *     }
       * Expected behaviour:
       *     ensure that {
       *         when {
       *             the IUT received a CAM
       *                 signed with AT certificate
       *                     signed with AA certificate
       *                         signed with CERT_RCA
       *         }
       *         then {
       *             the IUT rejects this CAM
       *         }
       *     }
       * </pre>
       * 
       * @see       ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_02_BV
       * @reference ETSI TS 102 941, clause 6.3.5
       */
      testcase TC_SECPKI_ITSS_CTL_02_BV() runs on ItsPkiItss system ItsPkiItssSystem {
        // Local variables
        var GeoNetworkingPdu v_securedGnPdu;
        var integer i;
        // Test control
        if (not PICS_IUT_ITS_S_ROLE) {
          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***");
          setverdict(inconc);
          stop;
        }
        // Preamble
        geoNetworkingPort.clear;
        tc_ac.start;
        alt {
          [] geoNetworkingPort.receive(
                                       mw_geoNwInd(
                                                   mw_geoNwSecPdu(
                                                                  mw_etsiTs103097Data_signed(
                                                                                             mw_signedData
                                                                                             )))) {