Newer
Older
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing structure of type EtsiTs103097Data-SignedExternalPayload
Denis Filatov
committed
* containing tbsData
* containing payload
* containing extDataHash
Denis Filatov
committed
* indicating supported hash algorithm
* and indicating hash of sharedATRequest
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_11_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_11_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
Denis Filatov
committed
var ItsPkiHttp v_aa;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
Denis Filatov
committed
f_cfMtcUp01(v_itss, v_aa);
Denis Filatov
committed
v_itss.start(f_TC_SECPKI_ITSS_AUTH_itss());
v_aa.start(f_TC_SECPKI_ITSS_AUTH_pki_simple(-, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_11_BV_pki_check_authRequest)));
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
Denis Filatov
committed
f_cfMtcDown01(v_itss, v_aa);
} // End of testcase TC_SECPKI_ITSS_AUTH_11_BV
group f_TC_SECPKI_ITSS_AUTH_11_BV {
Denis Filatov
committed
function f_TC_SECPKI_ITSS_AUTH_11_BV_pki_check_authRequest (inout SECPKI_ITSS_TestData p_data, in EtsiTs102941Data p_value) runs on ItsPkiHttp return boolean {
var EtsiTs103097Data v_ecSignature;
var octetstring v_aes_enc_key;
if(ischosen(p_value.content.authorizationRequest.ecSignature.encryptedEcSignature)){
// contains encrypted signature
if( not f_decrypt(vc_eaPrivateEncKey, // EA private encryption key
p_value.content.authorizationRequest.ecSignature.encryptedEcSignature,
vc_eaWholeHash, // salt
v_ecSignature, // decrypted message
v_aes_enc_key)) {
return false;
Denis Filatov
committed
v_ecSignature := p_value.content.authorizationRequest.ecSignature.ecSignature;
Denis Filatov
committed
var template (present) EtsiTs103097Data mw :=
mw_etsiTs103097Data_signed(
mw_signedData( -,
mw_toBeSignedData(
mw_signedDataPayload_ext(mw_etsiTs103097SupportedAlgHashedData)
)
)
);
if(not match (v_ecSignature, mw)){
log("*** " & testcasename() & "_pki: FAIL: Wrong ecSignature format ***");
log(match(v_ecSignature, mw));
return false;
}
var HashedData v_extDataHash := v_ecSignature.content.signedData.tbsData.payload.extDataHash;
Denis Filatov
committed
// check that the hash is calculated well
var template (value) HashedData mw_hashedData;
Denis Filatov
committed
if(ischosen(v_extDataHash.sha256HashedData)){
mw_hashedData.sha256HashedData := f_hashWithSha256(bit2oct(encvalue(p_value.content.authorizationRequest.sharedAtRequest)));
}else if(ischosen(v_extDataHash.sha384HashedData)){
mw_hashedData.sha384HashedData := f_hashWithSha384(bit2oct(encvalue(p_value.content.authorizationRequest.sharedAtRequest)));
}else{
return false;
}
if( not match(v_extDataHash, mw_hashedData)){
log("*** " & testcasename() & "_pki: FAIL: SharedAtRequest hash mismatch ***");
log(match(v_extDataHash, mw_hashedData));
return false;
}
return true;
}
/*
function f_TC_SECPKI_ITSS_AUTH_11_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
Denis Filatov
committed
// Test component configuration
var SECPKI_ITSS_TestData v_data;
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
f_TC_SECPKI_ITSS_AUTH_pki(v_data, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_11_BV_pki_check_authRequest));
Denis Filatov
committed
} // End of function f_TC_SECPKI_ITSS_AUTH_10_BV_pki
*/
} // End of group f_TC_SECPKI_ITSS_AUTH_11_BV
Denis Filatov
committed
/**
5114
5115
5116
5117
5118
5119
5120
5121
5122
5123
5124
5125
5126
5127
5128
5129
5130
5131
5132
5133
5134
5135
5136
5137
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
* @desc Check that the ecSignature psid is set to the proper ITS_AID
* Check that the ecSignature generation time is present
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing structure of type EtsiTs103097Data-SignedExternalPayload
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing generationTime
* and not containing any other headers
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_12_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_12_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
Denis Filatov
committed
var ItsPkiHttp v_aa;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
Denis Filatov
committed
f_cfMtcUp01(v_itss, v_aa);
Denis Filatov
committed
v_itss.start(f_TC_SECPKI_ITSS_AUTH_itss());
v_aa.start(f_TC_SECPKI_ITSS_AUTH_pki_simple(-, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_12_BV_pki_check_authRequest))
);
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
Denis Filatov
committed
f_cfMtcDown01(v_itss, v_aa);
Denis Filatov
committed
} // End of testcase TC_SECPKI_ITSS_AUTH_11_BV
group f_TC_SECPKI_ITSS_AUTH_12_BV {
Denis Filatov
committed
5178
5179
5180
5181
5182
5183
5184
5185
5186
5187
5188
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199
5200
5201
5202
5203
5204
5205
5206
5207
5208
5209
5210
function f_TC_SECPKI_ITSS_AUTH_12_BV_pki_check_authRequest (inout SECPKI_ITSS_TestData p_data, in EtsiTs102941Data p_value) runs on ItsPkiHttp return boolean {
var EtsiTs103097Data v_ecSignature;
var octetstring v_aes_enc_key;
if(ischosen(p_value.content.authorizationRequest.ecSignature.encryptedEcSignature)){
// contains encrypted signature
if( not f_decrypt(vc_eaPrivateEncKey, // EA private encryption key
p_value.content.authorizationRequest.ecSignature.encryptedEcSignature,
vc_eaWholeHash, // salt
v_ecSignature, // decrypted message
v_aes_enc_key)) {
return false;
}
} else {
v_ecSignature := p_value.content.authorizationRequest.ecSignature.ecSignature;
}
var template (present) EtsiTs103097Data mw :=
mw_etsiTs103097Data_signed(
mw_signedData( -,
mw_toBeSignedData( -,
mw_headerInfo_ecSignature
)
)
);
if(not match (v_ecSignature, mw)){
log("*** " & testcasename() & "_pki: FAIL: Invalid header info in ecSignature received ***");
log(match (v_ecSignature, mw));
return false;
}
return true;
}
/*
function f_TC_SECPKI_ITSS_AUTH_12_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Test component configuration
Denis Filatov
committed
var SECPKI_ITSS_TestData v_data;
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
Denis Filatov
committed
f_TC_SECPKI_ITSS_AUTH_pki(v_data, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_12_BV_pki_check_authRequest));
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_10_BV_pki
*/
} // End of group f_TC_SECPKI_ITSS_AUTH_11_BV
/**
* @desc Check that ITS-S sends Authorization request containing EC signature
Denis Filatov
committed
* with supported hash algorithm
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing structure of type EtsiTs103097Data-SignedExternalPayload
* containing hashId
Denis Filatov
committed
* indicating supported hash algorithm
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_13_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
Denis Filatov
committed
testcase TC_SECPKI_ITSS_AUTH_13_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
Denis Filatov
committed
v_itss.start(f_TC_SECPKI_ITSS_AUTH_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_pki_simple(-, null, null, refers(f_TC_SECPKI_ITSS_AUTH_13_BV_pki_check_authRequest)));
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_13_BV
Denis Filatov
committed
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
5319
5320
5321
group f_TC_SECPKI_ITSS_AUTH_13_BV {
function f_TC_SECPKI_ITSS_AUTH_13_BV_pki_check_authRequest (inout SECPKI_ITSS_TestData p_data, in EtsiTs102941Data p_value) runs on ItsPkiHttp return boolean {
var EtsiTs103097Data v_ecSignature;
var octetstring v_aes_enc_key;
if(ischosen(p_value.content.authorizationRequest.ecSignature.encryptedEcSignature)){
// contains encrypted signature
if( not f_decrypt(vc_eaPrivateEncKey, // EA private encryption key
p_value.content.authorizationRequest.ecSignature.encryptedEcSignature,
vc_eaWholeHash, // salt
v_ecSignature, // decrypted message
v_aes_enc_key)) {
return false;
}
} else {
v_ecSignature := p_value.content.authorizationRequest.ecSignature.ecSignature;
}
var template (present) EtsiTs103097Data mw := mw_etsiTs103097Data_signed( mw_signedData( mw_validEtsiTs103097HashAlgorithm) );
if(not match (v_ecSignature, mw)) {
log("*** " & testcasename() & "_pki: FAIL: Unsupported ecSignature hash algorithm ***");
log(match (v_ecSignature, mw));
return false;
}
return true;
}
/*
function f_TC_SECPKI_ITSS_AUTH_13_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Test component configuration
var SECPKI_ITSS_TestData v_data;
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
f_TC_SECPKI_ITSS_AUTH_pki(v_data, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_13_BV_pki_check_authRequest));
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_10_BV_pki
*/
} // End of group f_TC_SECPKI_ITSS_AUTH_11_BV
Yann Garcia
committed
5322
5323
5324
5325
5326
5327
5328
5329
5330
5331
5332
5333
5334
5335
5336
5337
5338
5339
5340
5341
5342
5343
5344
5345
5346
5347
5348
5349
5350
5351
5352
5353
5354
5355
5356
5357
/**
* @desc Check that the ecSignature of the Authorization request is signed with EC certificate
* Check that the signature over tbsData computed using the private key corresponding to
* the EC's verification public key.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT is enrolled with CERT_EC certificate
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing structure of type EtsiTs103097Data-SignedExternalPayload
* containing signer
* indicating HashedId8 of the CERT_EC certificate
* containing signature
* indicating signature over sharedATRequest calculated with CERT_EC verificationKey
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_14_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_14_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
Denis Filatov
committed
var ItsPkiHttp v_aa;
Yann Garcia
committed
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
Denis Filatov
committed
f_cfMtcUp01(v_itss, v_aa);
Yann Garcia
committed
// Start component
Denis Filatov
committed
v_itss.start(f_TC_SECPKI_ITSS_AUTH_itss(1, true)); // force enrollment
v_aa.start(f_TC_SECPKI_ITSS_AUTH_pki_simple(-, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_14_BV_pki_check_authRequest),
-, true // force enrollment
)
);
Yann Garcia
committed
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
Denis Filatov
committed
f_cfMtcDown01(v_itss, v_aa);
Yann Garcia
committed
} // End of testcase TC_SECPKI_ITSS_AUTH_14_BV
group f_TC_SECPKI_ITSS_AUTH_14_BV {
Denis Filatov
committed
function f_TC_SECPKI_ITSS_AUTH_14_BV_pki_check_authRequest (inout SECPKI_ITSS_TestData p_data, in EtsiTs102941Data p_value) runs on ItsPkiHttp return boolean {
var EtsiTs103097Data v_ecSignature;
var octetstring v_aes_enc_key;
if(ischosen(p_value.content.authorizationRequest.ecSignature.encryptedEcSignature)){
// contains encrypted signature
if( not f_decrypt(vc_eaPrivateEncKey, // EA private encryption key
p_value.content.authorizationRequest.ecSignature.encryptedEcSignature,
vc_eaWholeHash, // salt
v_ecSignature, // decrypted message
v_aes_enc_key)) {
return false;
Yann Garcia
committed
}
} else {
Denis Filatov
committed
v_ecSignature := p_value.content.authorizationRequest.ecSignature.ecSignature;
}
var template (present) EtsiTs103097Data mw := mw_etsiTs103097Data_signed(
mw_signedData(-, -,
mw_signerIdentifier_digest( (all from(vc_ec_hashed_id8)) )
)
);
if(not match (v_ecSignature, mw)){
log("*** " & testcasename() & "_pki: FAIL: EC digest mismatch.***");
log(match (v_ecSignature, mw));
return false;
Yann Garcia
committed
}
Denis Filatov
committed
// check signature
for(var integer v_i := 0; v_i < vc_ec_counter; v_i := v_i + 1){
if(vc_ec_hashed_id8[v_i] == v_ecSignature.content.signedData.signer.digest){
var EtsiTs103097Certificate v_ec_cert := vc_ec_certificates[v_i];
if(not f_verifySignedMessageECDSA(v_ecSignature, vc_ec_certificates[v_i])){
log("*** " & testcasename() & "_pki: FAIL: EC signature verification failed.***");
return false;
Yann Garcia
committed
}
Denis Filatov
committed
break;
Yann Garcia
committed
}
Denis Filatov
committed
}
return true;
}
Yann Garcia
committed
} // End of group f_TC_SECPKI_ITSS_AUTH_14_BV
5430
5431
5432
5433
5434
5435
5436
5437
5438
5439
5440
5441
5442
5443
5444
5445
5446
5447
5448
5449
5450
5451
5452
5453
5454
5455
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5469
5470
5471
5472
/**
* @desc Check that the encrypted ecSignature of the Authorization request is encrypted using the EA encryptionKey
* Check that the encrypted ecSignature of the Authorization request was done from the
* EtsiTs103097Data-SignedExternalPayload structure
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE, PICS_SECPKI_AUTHORIZATION and PICS_SECPKI_AUTH_PRIVACY
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* and the EA in 'operational' state
* authorized with CERT_EA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing encryptedEcSignature
* containing recipients
* containing only one element of type RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_EA
* and containing encKey
* indicating encryption key of supported type
* and containing cyphertext
* containing encrypted representation of structure EtsiTs103097Data-SignedExternalPayload
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_15_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_15_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
Denis Filatov
committed
var ItsPkiHttp v_aa;
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION or not PICS_SECPKI_AUTH_PRIVACY) {
Denis Filatov
committed
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE, PICS_SECPKI_AUTHORIZATION are required for executing the TC ***");
setverdict(inconc);
stop;
}
if (not PICS_SECPKI_AUTH_PRIVACY) {
log("*** " & testcasename() & ": PICS_SECPKI_AUTH_PRIVACY is required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
Denis Filatov
committed
f_cfMtcUp01(v_itss, v_aa);
// Start component
Denis Filatov
committed
v_itss.start(f_TC_SECPKI_ITSS_AUTH_itss());
v_aa.start(f_TC_SECPKI_ITSS_AUTH_pki_simple(-, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_15_BV_pki_check_authRequest)
)
);
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
Denis Filatov
committed
f_cfMtcDown01(v_itss, v_aa);
}
group f_TC_SECPKI_ITSS_AUTH_15_BV {
Denis Filatov
committed
5506
5507
5508
5509
5510
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521
5522
5523
5524
5525
5526
5527
function f_TC_SECPKI_ITSS_AUTH_15_BV_pki_check_authRequest (inout SECPKI_ITSS_TestData p_data, in EtsiTs102941Data p_value) runs on ItsPkiHttp return boolean {
var EtsiTs103097Data v_ecSignature;
var octetstring v_aes_enc_key;
template (present) EcSignature mw1 :=
mw_ec_signature ( // strange, but this is a signature with privace template
mw_etsiTs103097Data_encrypted(
mw_encryptedData(
{
mw_recipientInfo_certRecipInfo(
mw_pKRecipientInfo(vc_eaHashedId8)
)
},
mw_symmetricCiphertext_aes128ccm
)
)
);
if(not match(p_value.content.authorizationRequest.ecSignature, mw1)){
log("*** " & testcasename() & "_pki: FAIL: Invalid EC signature with mandatory privacy.***");
log(match(p_value.content.authorizationRequest.ecSignature, mw1));
return false;
Denis Filatov
committed
if( not f_decrypt(vc_eaPrivateEncKey, // EA private encryption key
p_value.content.authorizationRequest.ecSignature.encryptedEcSignature,
vc_eaWholeHash, // salt
v_ecSignature, // decrypted message
v_aes_enc_key)) {
return false;
}
Denis Filatov
committed
var template (present) EtsiTs103097Data mw2 :=
mw_etsiTs103097Data_signed(
mw_signedData( -,
mw_toBeSignedData(
mw_signedDataPayload_ext(mw_etsiTs103097SupportedAlgHashedData)
)
)
);
if(not match (v_ecSignature, mw2)){
log("*** " & testcasename() & "_pki: FAIL: Wrong ecSignature format ***");
log(match(v_ecSignature, mw2));
return false;
}
return true;
}
} // End of group f_TC_SECPKI_ITSS_AUTH_15_BV
Yann Garcia
committed
/**
* @desc Check that the ecSignature of the Authorization request is not encrypted
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE, PICS_SECPKI_AUTHORIZATION and not PICS_SECPKI_AUTH_PRIVACY
Yann Garcia
committed
5560
5561
5562
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
5577
5578
5579
5580
5581
5582
5583
5584
5585
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing ecSignature
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_16_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_16_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
Denis Filatov
committed
var ItsPkiHttp v_aa;
Yann Garcia
committed
// Test control
Denis Filatov
committed
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
Yann Garcia
committed
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
Denis Filatov
committed
if (PICS_SECPKI_AUTH_PRIVACY) {
log("*** " & testcasename() & ": PICS_SECPKI_AUTH_PRIVACY should not be set for executing the TC ***");
setverdict(inconc);
stop;
}
Yann Garcia
committed
// Test component configuration
Denis Filatov
committed
f_cfMtcUp01(v_itss, v_aa);
Yann Garcia
committed
// Start component
Denis Filatov
committed
v_itss.start(f_TC_SECPKI_ITSS_AUTH_itss());
v_aa.start(f_TC_SECPKI_ITSS_AUTH_pki_simple(-, null, null,
refers(f_TC_SECPKI_ITSS_AUTH_16_BV_pki_check_authRequest)
)
);
Yann Garcia
committed
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
Denis Filatov
committed
f_cfMtcDown01(v_itss, v_aa);
Yann Garcia
committed
} // End of testcase TC_SECPKI_ITSS_AUTH_16_BV
group f_TC_SECPKI_ITSS_AUTH_16_BV {
Denis Filatov
committed
function f_TC_SECPKI_ITSS_AUTH_16_BV_pki_check_authRequest (inout SECPKI_ITSS_TestData p_data, in EtsiTs102941Data p_value) runs on ItsPkiHttp return boolean {
var EtsiTs103097Data v_ecSignature;
var octetstring v_aes_enc_key;
template (present) EcSignature mw :=
mw_ec_signature_ext_payload (
mw_etsiTs103097Data_signed(
mw_signedData( -,
mw_toBeSignedData(
mw_signedDataPayload_ext(mw_etsiTs103097SupportedAlgHashedData)
)
)
)
);
if(not match(p_value.content.authorizationRequest.ecSignature, mw)){
log("*** " & testcasename() & "_pki: FAIL: Invalid EC signature in no-privacy mode.***");
log(match(p_value.content.authorizationRequest.ecSignature, mw));
return false;
Yann Garcia
committed
}
Denis Filatov
committed
return true;
}
Yann Garcia
committed
5641
5642
5643
5644
5645
5646
5647
5648
5649
5650
5651
5652
5653
5654
5655
5656
5657
5658
5659
5660
5661
5662
5663
5664
5665
5666
5667
5668
5669
5670
5671
5672
5673
5674
5675
5676
5677
5678
5679
5680
5681
5682
} // End of group f_TC_SECPKI_ITSS_AUTH_16_BV
} // End of group itss_authorization_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.2 Authorization response handling
group itss_authorization_response {
// Void
} // End of group itss_authorization_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.3 Authorization request repetition
group itss_authorization_request_repetition {
/**
* @desc Check that IUT repeats an authorization request when response has not been received
* <pre>
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY
* Initial conditions: {
* the IUT being in the 'enrolled' state
* and the IUT already sent the Authorization Request at the time T1
* and the IUT has not yet received the Authorization Response
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT local time is reached the T1 + PIXIT_AUTH_TIMEOUT_TH1
* }
* then {
* the IUT sends to EA an AuthorizationRequestMessage
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_01_BV
* @reference ETSI TS 103 601, clause 5.2
*/
testcase TC_SECPKI_ITSS_AUTH_REP_01_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION or not PICS_SECPKI_AUTHORIZATION_RETRY) {
Yann Garcia
committed
5684
5685
5686
5687
5688
5689
5690
5691
5692
5693
5694
5695
5696
5697
5698
5699
5700
5701
5702
5703
5704
5705
5706
5707
5708
5709
5710
5711
5712
5713
5714
5715
5716
5717
5718
5719
5720
5721
5722
5723
5724
5725
5726
5727
5728
5729
5730
5731
5732
5733
5734
5735
5736
5737
5738
5739
5740
5741
5742
5743
5744
5745
5746
5747
5748
5749
5750
5751
5752
5753
5754
5755
5756
5757
5758
5759
5760
5761
5762
5763
5764
5765
5766
5767
5768
5769
5770
5771
5772
5773
5774
5775
5776
5777
5778
5779
5780
5781
5782
5783
5784
5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799
5800
5801
5802
5803
5804
5805
5806
5807
5808
5809
5810
5811
5812
5813
5814
5815
5816
5817
5818
5819
5820
5821
5822
5823
5824
5825
5826
5827
5828
5829
5830
5831
5832
5833
5834
5835
5836
5837
5838
5839
5840
5841
5842
5843
5844
5845
5846
5847
5848
5849
5850
5851
5852
5853
5854
5855
5856
5857
5858
5859
5860
5861
5862
5863
5864
5865
5866
5867
5868
5869
5870
5871
5872
5873
5874
5875
5876
5877
5878
5879
5880
5881
5882
5883
5884
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_REP_01_BV
group f_TC_SECPKI_ITSS_AUTH_REP_01_BV {
function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
// Local variables
var HashedId8 v_certificate_digest;
var EtsiTs103097Certificate v_certificate;
var InfoPortData v_info_port_data;
var boolean v_start_awaiting := false;
// Test component configuration
vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
f_cfUp_itss();
// Test adapter configuration
// Preamble
// Initial state: No CAM shall be emitted
geoNetworkingPort.clear;
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
[] tc_noac.timeout {
f_sendUtTriggerEnrolmentRequestPrimitive();
log("*** " & testcasename() & "_itss: : INFO: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
} // End of 'alt' statement
// Test Body
f_sendUtTriggerAuthorizationRequestPrimitive();
tc_ac.start;
alt {
[v_start_awaiting == true] a_await_cam_with_current_cert(
v_info_port_data.at_certificate
) {
log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
[] geoNetworkingPort.receive {
log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] infoPort.receive(InfoPortData:?) -> value v_info_port_data {
log("*** " & testcasename() & ": INFO: Received new AT certificate ***");
v_start_awaiting := true;
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & "_itss: : PASS: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_itss
function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
if (PX_TRIGGER_EC_BEFORE_AT) {
f_await_ec_request_send_error_response(v_request);
log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***");
}
// Wait for the repetition
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
v_inner_ec_response.certificate := omit;
}
// Test Body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_EC,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var HttpMessage v_response;
var integer v_result;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
var octetstring v_msg;
var octetstring v_hashed_id8;
log("*** " & testcasename() & ": PASS: InnerEcRequest received ***");
v_msg := bit2oct(encvalue(v_inner_at_response.certificate));
if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg));
} else {
v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
}
infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_REP_01_BV
/**
* @desc Check that IUT uses the same message to perform authorization retry
* <pre>
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY
* Initial conditions: {
* the IUT being in the 'enrolled' state
* and the IUT already sent the Authorization Request at the time T1
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to re-send an AuthorizationRequestMessage to AA
* }
* then {
* the IUT sends M to AA
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_02_BV
* @reference ETSI TS 103 601, clause 5.1.2
*/
testcase TC_SECPKI_ITSS_AUTH_REP_02_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION or not PICS_SECPKI_AUTHORIZATION_RETRY) {
Yann Garcia
committed
5886
5887
5888
5889
5890
5891
5892
5893
5894
5895
5896
5897
5898
5899
5900
5901
5902
5903
5904
5905
5906
5907
5908
5909
5910
5911
5912
5913
5914
5915
5916
5917
5918
5919
5920
5921
5922
5923
5924
5925
5926
5927
5928
5929
5930
5931
5932
5933
5934
5935
5936
5937
5938
5939
5940
5941
5942
5943
5944
5945
5946
5947
5948
5949
5950
5951
5952
5953
5954
5955
5956
5957
5958
5959
5960
5961
5962
5963
5964
5965
5966
5967
5968
5969
5970
5971
5972
5973
5974
5975
5976
5977
5978
5979
5980
5981
5982
5983
5984
5985
5986
5987
5988
5989
5990
5991
5992
5993
5994
5995
5996
5997
5998
5999
6000
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_02_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_02_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_REP_02_BV
group f_TC_SECPKI_ITSS_AUTH_REP_02_BV {
function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
// Local variables
var HashedId8 v_certificate_digest;
var EtsiTs103097Certificate v_certificate;
var InfoPortData v_info_port_data;
var boolean v_start_awaiting := false;
// Test component configuration
vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
f_cfUp_itss();
// Test adapter configuration
// Preamble
// Initial state: No CAM shall be emitted
geoNetworkingPort.clear;
tc_noac.start;
alt {
[] geoNetworkingPort.receive {
log("No CA message expected");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
[] tc_noac.timeout {
f_sendUtTriggerEnrolmentRequestPrimitive();
log("*** " & testcasename() & "_itss: : INFO: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
} // End of 'alt' statement
// Test Body
f_sendUtTriggerAuthorizationRequestPrimitive();
tc_ac.start;
alt {
[v_start_awaiting == true] a_await_cam_with_current_cert(
v_info_port_data.at_certificate
) {
log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
[] geoNetworkingPort.receive {
log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] infoPort.receive(InfoPortData:?) -> value v_info_port_data {
log("*** " & testcasename() & ": INFO: Received new AT certificate ***");
v_start_awaiting := true;
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & "_itss: : PASS: No CA message received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_itss
function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_initial_request;
var HttpMessage v_request;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
if (PX_TRIGGER_EC_BEFORE_AT) {
f_await_ec_request_send_error_response(v_initial_request);
log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***");
}
// Wait for the repetition
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
// Test Body
if (f_verify_repeated_request(v_request, v_initial_request) == false) {
log("*** " & testcasename() & ": FAIL: Repeatition request are different ***");