Newer
Older
Yann Garcia
committed
* @Author ETSI / STF545 / TTF T025
* @version $Url$
* $Id$
* @desc Testcases file for Security Protocol
* @reference ETSI TS ITS-00546v006
* @copyright ETSI Copyright Notification
* No part may be reproduced except as authorized by written permission.
* The copyright and the foregoing restriction extend to reproduction in all media.
* All rights reserved.
*/
module ItsPki_TestCases {
// Libcommon
import from LibCommon_Time all;
import from LibCommon_VerdictControl all;
import from LibCommon_Sync all;
import from LibCommon_BasicTypesAndValues all;
import from LibCommon_DataStrings all;
// LibIts
import from Ieee1609Dot2BaseTypes language "ASN.1:1997" all;
import from Ieee1609Dot2 language "ASN.1:1997" all;
import from EtsiTs102941BaseTypes language "ASN.1:1997" all;
import from EtsiTs102941TypesEnrolment language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all;
import from EtsiTs102941MessagesCa language "ASN.1:1997" all;
import from EtsiTs102941TrustLists language "ASN.1:1997" all;
import from EtsiTs103097Module language "ASN.1:1997" all;
import from Ieee1609Dot2Dot1AcaRaInterface language "ASN.1:1997" all;
import from Ieee1609Dot2Dot1EeRaInterface language "ASN.1:1997" all;
import from ETSI_ITS_CDD language "ASN.1:1997" all;
// LibItsCommon
import from LibItsCommon_TypesAndValues all;
import from LibItsCommon_Functions all;
import from LibItsCommon_TypesAndValues all;
import from LibItsCommon_ASN1_NamedNumbers all;
// LibItsGeoNetworking
import from LibItsGeoNetworking_TypesAndValues all;
import from LibItsGeoNetworking_Functions all;
import from LibItsGeoNetworking_Templates all;
import from LibItsGeoNetworking_Pics all;
YannGarcia
committed
import from LibItsGeoNetworking_Pixits all;
YannGarcia
committed
// LibItsCam
import from LibItsCam_TypesAndValues all;
import from LibItsCam_Templates all;
// LibItsSecurity
import from LibItsSecurity_TypesAndValues all;
import from LibItsSecurity_TestSystem all;
import from LibItsSecurity_Templates all;
import from LibItsSecurity_Functions all;
import from LibItsSecurity_Pixits all;
import from LibItsSecurity_Pics all;
// LibHttp
import from LibHttp_TypesAndValues all;
import from LibHttp_Templates all;
import from LibHttp_Functions all;
import from LibHttp_TestSystem all;
import from LibHttp_Pics all;
import from LibHttp_BinaryTemplates all;
// LibHelpers
import from LibHelpers_Functions all;
// LibItsPki
import from LibItsPki_TypesAndValues all;
import from LibItsPki_Templates all;
import from LibItsPki_Functions all;
import from LibItsPki_TestSystem all;
import from LibItsPki_Pics all;
import from LibItsPki_Pixits all;
YannGarcia
committed
import from LibItsPki_EncdecDeclarations all;
YannGarcia
committed
* @desc 5.2 ITS-S behaviour
/**
* @desc Send an HTTP error message 500 Internal error.
* Note: To be refined
*/
function f_send_500_Internal_Error(
in Headers p_headers,
in template (omit) charstring p_error_message := omit
) runs on ItsPkiHttp {
f_http_send(
p_headers,
m_http_response(
m_http_response_500_internal_error(
p_headers
)));
} // End function f_send_500_Internal_Error
/**
* @desc The purpose of this function is verify the EC request and extract InnerEcRequest and build the InnerEcResponse for the HTTP response
* Note: This function accepts additional parameters to alter the reponse
*/
function f_verify_http_ec_request_from_iut_itss(
in Request p_request,
in Headers p_headers,
out InnerEcRequest p_inner_ec_request,
out InnerEcResponse p_inner_ec_response,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in template SignerIdentifier p_signer := m_signerIdentifier_self,
in EnrolmentResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
log(">>> f_verify_http_ec_request_from_iut_itss: ", p_request);
if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
log("f_verify_http_ec_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer)))) == false) {
// Send error message
f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// Verify signature of mw_innerEcRequestSignedForPop
if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) {
// Send error message
f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -3;
} else {
log("f_verify_http_ec_request_from_iut_itss: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) {
// Send error message: Not enrolmentrequest
f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -4;
} else {
// TODO Check ValidityPeriod
log("f_verify_http_ec_request_from_iut_itss: Receive ", p_inner_ec_request);
if (p_force_response_code == ok) {
// Send EC certificate with code ok
log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256)) {
if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0)) {
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0;
vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_1;
vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
} else if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1)) {
if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) {
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0;
vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
} else {
vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1;
vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
}
} else {
log("*** " & testcasename() & ": FAIL: Not implemented yet ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8;
vc_ec_keys_counter := vc_ec_keys_counter + 1;
vc_ec_certificates[vc_ec_counter] := v_ec_certificate;
vc_ec_counter := vc_ec_counter + 1;
log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
} else {
log("f_verify_http_ec_request_from_iut_itss: Succeed but force error code ", p_force_response_code);
f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
}
}
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_ec_request_from_iut_itss: p_response: ", p_response);
log("<<< f_verify_http_ec_request_from_iut_itss: p_result: ", p_result);
} // End of function f_verify_http_ec_request_from_iut_itss
/**
* @desc The purpose of this function is verify the AT request and extract InnerAtRequest and build the InnerAtResponse for the HTTP response
* Note: This function accepts additional parameters to alter the reponse
*/
function f_verify_http_at_request_from_iut_itss(
in Request p_request,
in Headers p_headers,
in EtsiTs103097Certificate p_ec_certificate,
out InnerAtRequest p_inner_at_request,
out InnerAtResponse p_inner_at_response,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in AuthorizationResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
log(">>> f_verify_http_at_request_from_iut_itss:", p_request);
// Do not verify the signature now because ATRequest is required to verify the POP signature ==> false
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Only decryption
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
// Send error message, unable to decypt it
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_request_from_iut_itss: matching: ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) {
// Send error message
f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// Extract InnerAtRequest and Verify signature of mw_innerATRequestSignedForPop
if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_ec_certificate, p_inner_at_request) == false) {
// Send error message
f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -3;
} else {
log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined
// Send error message: No enrolment request
f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -4;
} else {
var PublicVerificationKey v_verification_tag;
var octetstring v_encoded_tag;
var octetstring v_key_tag;
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
// Build the tag
v_encoded_tag := bit2oct(encvalue(p_inner_at_request.publicKeys.verificationKey));
if (ispresent(p_inner_at_request.publicKeys.encryptionKey)) {
v_encoded_tag := v_encoded_tag & bit2oct(encvalue(p_inner_at_request.publicKeys.encryptionKey));
}
// Verify HMAC-SHA256
log("f_verify_http_at_request_from_iut_itss: v_encoded_tag= ", v_encoded_tag);
v_key_tag := substr(
fx_hmac_sha256( // TODO Rename and use a wrapper function
p_inner_at_request.hmacKey,
v_encoded_tag
),
0,
16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously
log("f_verify_http_at_request_from_iut_itss: v_key_tag: ", v_key_tag);
log("f_verify_http_at_request_from_iut_itss: keyTag= ", p_inner_at_request.sharedAtRequest.keyTag);
log("f_verify_http_at_request_from_iut_itss: matching: ", match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag));
if (match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag) == false) {
// Send error message: No enrolment request
f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// Set verdict
p_result := -5;
} else {
// Send OK message
log("f_verify_http_at_request_from_iut_itss: Receive ", p_inner_at_request);
if (p_force_response_code == ok) {
f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("f_verify_http_at_request_from_iut_itss: Succeed built force error code ", p_force_response_code);
f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
}
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
}
}
}
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_at_request_from_iut_itss: p_result: ", p_result);
log("<<< f_verify_http_at_request_from_iut_itss: p_response: ", p_response);
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
} // End of function f_verify_http_at_request_from_iut_itss
function f_verify_http_bfk_authorization_request(
in Request p_request,
in Headers p_headers,
in EtsiTs103097Certificate p_ec_certificate,
out EeRaCertRequest p_bfk_authorization_request,
out RaEeCertInfo p_ra_ee_cert_info,
out HttpMessage p_response,
out integer p_result,
in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
in template SignerIdentifier p_signer := m_signerIdentifier_self,
in EnrolmentResponseCode p_force_response_code := ok
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var HashedId8 v_bfk_request_hash;
var Oct16 v_aes_enc_key;
var template (value) HttpMessage v_response;
log(">>> f_verify_http_bfk_authorization_request: ", p_request);
p_result := 0;
if (f_verify_pki_request_message_with_certificate(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, p_ec_certificate, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else { // TODO Add checks on date,
log("f_verify_http_bfk_authorization_request: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationRequest(mw_ee_ra_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationRequest(mw_ee_ra_cert_request)) == false) {
// Send error message
f_http_build_butterfly_authorization_response_message(p_bfk_authorization_request/*Not required*/, v_bfk_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_ra_ee_cert_info, v_ieee1609dot2_signed_and_encrypted_data);
// Set verdict
p_result := -2;
} else {
// TODO Add checks
p_bfk_authorization_request := v_etsi_ts_102941_data.content.butterflyAuthorizationRequest;
f_http_build_butterfly_authorization_response_message(p_bfk_authorization_request, v_bfk_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_ra_ee_cert_info, v_ieee1609dot2_signed_and_encrypted_data);
// vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8;
// vc_ec_keys_counter := vc_ec_keys_counter + 1;
// vc_ec_certificates[vc_ec_counter] := v_ec_certificate;
// vc_ec_counter := vc_ec_counter + 1;
// log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
//
// Verify signature of mw_innerEcRequestSignedForPop
// if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) {
// // Send error message
// f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// // Set verdict
// p_result := -3;
// } else {
// log("f_verify_http_bfk_authorization_request: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log
// if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) {
// // Send error message: Not enrolmentrequest
// f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
// // Set verdict
// p_result := -4;
// } else {
// // TODO Check ValidityPeriod
// // Send OK message
// log("f_verify_http_bfk_authorization_request: Receive ", p_inner_ec_request);
// if (p_force_response_code == ok) {
// // Send EC certificate with code ok
// log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
// f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256)) {
// if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0)) {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
// } else {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_1;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
// }
// } else if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1)) {
// if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 0;
// } else {
// vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1;
// vc_ec_compressed_modes[vc_ec_keys_counter] := 1;
// }
// } else {
// log("*** " & testcasename() & ": FAIL: Not implemented yet ***");
// f_selfOrClientSyncAndVerdict(c_prDone, e_error);
// }
// vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8;
// vc_ec_keys_counter := vc_ec_keys_counter + 1;
// vc_ec_certificates[vc_ec_counter] := v_ec_certificate;
// vc_ec_counter := vc_ec_counter + 1;
// log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter);
// } else {
// log("f_verify_http_bfk_authorization_request: Succeed but force error code ", p_force_response_code);
// f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
// }
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_bfk_authorization_request: p_response: ", p_response);
log("<<< f_verify_http_bfk_authorization_request: p_result: ", p_result);
} // End of function f_verify_http_bfk_authorization_request
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
/**
* @desc Await ITS CA message using the default AT certificate
*/
altstep a_await_cam_with_current_cert(
in EtsiTs103097Certificate p_certificate
) runs on ItsPkiItss {
[PICS_SEC_SHA256 == true] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
sha256,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_cam
),
mw_signerIdentifier_certificate(
mw_etsiTs103097Certificate(
mw_issuerIdentifier_sha256AndDigest(
p_certificate.issuer.sha256AndDigest
),
mw_toBeSignedCertificate_at(
-,
p_certificate.toBeSigned.verifyKeyIndicator
)
)
)
)
),
mw_geoNwShbPacket
))) {
}
[PICS_SEC_SHA384 == true] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed(
mw_signedData(
sha384,
mw_toBeSignedData(
mw_signedDataPayload,
mw_headerInfo_cam
),
mw_signerIdentifier_certificate(
mw_etsiTs103097Certificate(
mw_issuerIdentifier_sha384AndDigest(
p_certificate.issuer.sha384AndDigest
),
mw_toBeSignedCertificate_at(
-,
p_certificate.toBeSigned.verifyKeyIndicator
)
)
)
)
),
mw_geoNwShbPacket
))) {
}
} // End of altstep a_await_cam_with_current_cert
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.2.1 Enrollment request
/**
* @desc Check that IUT sends an enrolment request when triggered.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
* Initial conditions:
* with {
* the IUT being in the "initial state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to requested a new Enrolment Certificate (EC)
* }
* then {
* the IUT sends to EA an EnrolmentRequestMessage
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_01_BV
* @reference ETSI TS 102 941 [2], clause 6.1.3
*/
testcase TC_SECPKI_ITSS_ENR_01_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start components
v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
function f_TC_SECPKI_ITSS_ENR_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
// Local variables
var HashedId8 v_certificate_digest;
var EtsiTs103097Certificate v_certificate;
vc_hashedId8ToBeUsed := ""; // No certificates //PX_IUT_DEFAULT_CERTIFICATE
// Preamble
// Initial state: No CAM shall be emitted
geoNetworkingPort.clear;
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": INFO: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
} // End of 'alt' statement
tc_ac.start; // TDOD To refined, use altstep
alt {
[] utPort.receive(UtPkiTriggerInd: { state := 1 }) {
tc_ac.stop;
log("*** " & testcasename() & ": INFO: IUT is in enrolment state ***");
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": DBG: IUT state update not recieved ***");
//f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_ENR_01_BV_itss
function f_TC_SECPKI_ITSS_ENR_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Preamble
f_init_default_headers_list(-, "inner_ec_response", v_headers);
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
[] a_await_ec_http_request_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_EC,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
var HttpMessage v_response;
var integer v_result;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
tc_ac.stop;
// Verify IUT response
f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
} else { // Send HTTP error 500
f_send_500_Internal_Error(v_headers);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
/**
* @desc If the enrolment request of the IUT is an initial enrolment request, the itsId
* (contained in the InnerECRequest) shall be set to the canonical identifier, the
* signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and
* the outer signature shall be computed using the canonical private key.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted
* containing an encrypted EtsiTs103097Data-Signed
* containing EtsiTs103097Data
* containing InnerECRequestSignedForPOP
* containing InnerEcRequest
* containing itsId
* indicating the canonical identifier of the ITS-S
* and containing signer
* declared as self
* and containing signature
* computed using the canonical private key
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV
* @reference ETSI TS 102 941, clause 6.1.3
*/
testcase TC_SECPKI_ITSS_ENR_02_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start components
v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
/**
* @desc In presence of a valid EC, the enrolment request of the IUT is a rekeying enrolment
request with the itsId (contained in the InnerECRequest) and the SignerIdentifier
(contained in the outer EtsiTs1030971Data-Signed) both declared as digest containing
the HashedId8 of the EC and the outer signature computed using the current valid EC
private key corresponding to the verification public key.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted
* containing an encrypted EtsiTs103097Data-Signed
* containing EtsiTs103097Data
* containing InnerECRequestSignedForPOP
* containing InnerEcRequest
* containing itsId
* declared as digest containing the HashedId8 of the EC identifier
* and containing signer
* declared as digest containing the HashedId8 of the EC identifier
* and containing signature
* computed using the current valid EC private key corresponding to the verification public key
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV
* @reference ETSI TS 102 941, clause 6.1.3
*/
testcase TC_SECPKI_ITSS_ENR_03_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_REENROLMENT) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start components
v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_ENR_03_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
function f_TC_SECPKI_ITSS_ENR_03_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
// Local variables
var HashedId8 v_certificate_digest;
var EtsiTs103097Certificate v_certificate;
// Test component configuration
vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
f_cfUp_itss();
// Preamble
// Initial state: No CAM shall be emitted
geoNetworkingPort.clear;
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
[] tc_noac.timeout {
// Trigger the first enrolment
f_sendUtTriggerEnrolmentRequestPrimitive();
log("*** " & testcasename() & "_itss: INFO: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
} // End of 'alt' statement
// Give time to the IUT to setup enrol state
tc_ac.start; // TDOD To refined, use altstep
alt {
[] utPort.receive(UtPkiTriggerInd: { state := 1 }) {
tc_ac.stop;
log("*** " & testcasename() & "_itss: INFO: IUT is in enrolment state ***");
}
[] tc_ac.timeout {
log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***");
//f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Trigger the second enrolment
f_sendUtTriggerEnrolmentRequestPrimitive();
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("*** " & testcasename() & "_itss: FAIL: No CA message expected ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & "_itss: PASS: Re-enrolment trigger sent succesfully ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_ENR_03_BV_itss
function f_TC_SECPKI_ITSS_ENR_03_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Preamble
f_init_default_headers_list(-, "inner_ec_response", v_headers);
alt {
[] a_await_ec_http_request_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_EC,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
var integer v_result;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
var HttpMessage v_response;
tc_ac.stop;
// Verify IUT response
f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
} else { // Send HTTP error 500
f_send_500_Internal_Error(v_headers);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
} // End of 'alt' statement
[] a_await_ec_http_request_from_iut( // Re-enrolment request
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_EC,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
var integer v_result;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
var HttpMessage v_response;
log(">>>>>>>>>>>>>> DBG: vc_ec_keys_counter= ", vc_ec_keys_counter);
log(">>>>>>>>>>>>>> DBG: vc_ec_public_compressed_key[vc_ec_keys_counter - 1]= ", vc_ec_public_compressed_key[vc_ec_keys_counter - 1]);
log(">>>>>>>>>>>>>> DBG: vc_ec_compressed_modes[vc_ec_keys_counter - 1]= ", vc_ec_compressed_modes[vc_ec_keys_counter - 1]);
log(">>>>>>>>>>>>>> DBG: vc_ec_hashed_id8[vc_ec_keys_counter - 1]= ", vc_ec_hashed_id8[vc_ec_keys_counter - 1]);
f_verify_http_ec_request_from_iut_itss(
v_request.request,
v_headers,
v_inner_ec_request,
v_inner_ec_response,
v_response,
v_result,
vc_ec_hashed_id8[vc_ec_keys_counter - 1], // v_response...
// containing itsId declared as digest containing the HashedId8 of the EC identifier
m_signerIdentifier_digest(vc_ec_hashed_id8[vc_ec_keys_counter - 1] // containing signer declared as digest containing the HashedId8 of the EC identifier
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
} else { // Send HTTP error 500
f_send_500_Internal_Error(v_headers);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_ENR_03_BV_pki
/**
* @desc If the EC is revoked, the IUT returns to the state 'initialized'.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_CRL
* Expected behaviour:
* ensure that {
* when {
* the IUT is informed about a revocation of its EC
* }
* then {
* the IUT returns to the "initialized" state
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_04_BV
* @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1
*/
testcase TC_SECPKI_ITSS_ENR_04_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_key_x;
var Oct32 v_public_key_y;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_CRL) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_CRL required for executing the TC ***");