Newer
Older
/**
* @desc Send an AT request, but the expiry date of the CSR is after now + maximum pre-loading period (considering values in C-ITS CP).
*/
testcase TC_SECPKI_AA_AUTH_RCV_16_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
18011
18012
18013
18014
18015
18016
18017
18018
18019
18020
18021
18022
18023
18024
18025
18026
18027
18028
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
18065
18066
18067
18068
18069
18070
18071
18072
18073
18074
18075
18076
18077
18078
18079
18080
18081
18082
18083
18084
18085
18086
18087
18088
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, f_getCurrentTime() / 1000, m_duration_in_hours(15*24/* ts_102941v010301 Clause7.2.1*/), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
18098
18099
18100
18101
18102
18103
18104
18105
18106
18107
18108
18109
18110
18111
18112
18113
18114
18115
18116
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_16_BI
} // End of group aa_authorization_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.2 Authorization validation request
group aa_authorization_validation_request {
18136
18137
18138
18139
18140
18141
18142
18143
18144
18145
18146
18147
18148
18149
18150
18151
18152
18153
18154
18155
/**
* @desc Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA in "operational" state
* authorized with CERT_EA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the AuthorizationRequest
* }
* then {
* the IUT sends the EtsiTs103097Data message to the ITSS
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_01_BV
18159
18160
18161
18162
18163
18164
18165
18166
18167
18168
18169
18170
18171
18172
18173
18174
18175
18176
18177
18178
18179
18180
18181
testcase TC_SECPKI_AA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
18206
18207
18208
18209
18210
18211
18212
18213
18214
18215
18216
18217
18218
18219
18220
18221
18222
18223
18224
18225
18226
18227
18228
18229
18230
18231
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
log("*** " & testcasename() & ": FAIL: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
// Send AuthorizationValidation response to finalize the exchange
f_http_build_authorization_validation_response(v_shared_at_request, cantparse, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
tc_ac.start; // Continue to finalyze the process
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTHVAL_01_BV
18306
18307
18308
18309
18310
18311
18312
18313
18314
18315
18316
18317
18318
18319
18320
18321
18322
18323
18324
18325
18326
18327
18328
18329
18330
18331
18332
18333
18334
/**
* @desc Check that the AuthorizationValidationRequest message is encrypted using approved algorithm and sent to only one Enrolment Authority
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA in "operational" state
* authorized with CERT_EA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the AuthorizationRequest
* }
* then {
* the IUT sends the EtsiTs103097Data message
* containing content.encryptedData.recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_EA
* and containing encKey
* containing eciesNistP256
* or containing eciesBrainpoolP256r1
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
18338
18339
18340
18341
18342
18343
18344
18345
18346
18347
18348
18349
18350
18351
18352
18353
18354
18355
18356
18357
18358
18359
18360
testcase TC_SECPKI_AA_AUTHVAL_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
18385
18386
18387
18388
18389
18390
18391
18392
18393
18394
18395
18396
18397
18398
18399
18400
18401
18402
18403
18404
18405
18406
18407
18408
18409
18410
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
18412
18413
18414
18415
18416
18417
18418
18419
18420
18421
18422
18423
18424
18425
18426
18427
18428
18429
18430
18431
18432
18433
18434
18435
18436
18437
18438
18439
18440
18441
18442
18443
18444
18445
18446
18447
18448
18449
18450
18451
18452
18453
18454
18455
18456
18457
18458
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("*** " & testcasename() & ": FAIL: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
// Send AuthorizationValidation response to finalize the exchange
f_http_build_authorization_validation_response(v_shared_at_request, cantparse, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
}
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
tc_ac.start; // Continue to finalyze the process
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTHVAL_02_BV
} // End of group aa_authorization_validation_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.3 Authorization validation response handling
group aa_authorization_validation_response {
18490
18491
18492
18493
18494
18495
18496
18497
18498
18499
18500
18501
18502
18503
18504
18505
18506
18507
18508
18509
18510
18511
18512
/**
* @desc Check that the AA sends AuthorizationResponse after receiving the AuthorizationRequest.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITSS in "enrolled" state
* the EA in "operational" state
* and the IUT(AA) in "operational" state
* and the IUT had received the AuthorizationRequest from the ITSS
* and the IUT sent the AuthorizationValidationRequest
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the AuthorizationValidationResponseMessage
* }
* then {
* the IUT sends the EtsiTs103097Data message to the ITSS
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_01_BV
testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV
18543
18544
18545
18546
18547
18548
18549
18550
18551
18552
18553
18554
18555
18556
18557
18558
18559
18560
18561
18562
18563
18564
18565
18566
18567
18568
18569
18570
18571
18572
group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV {
function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
18579
18580
18581
18582
18583
18584
18585
18586
18587
18588
18589
18590
18591
18592
18593
18594
18595
18596
18597
18598
18599
18600
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt { // Wait for AuthorizationResponse
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if ((v_result != -2) and (v_result != -3)) { // Additinal shecks where done by TC_SECPKI_AA_AUTH_01_BV
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss
18637
18638
18639
18640
18641
18642
18643
18644
18645
18646
18647
18648
18649
18650
18651
18652
18653
18654
18655
18656
18657
18658
18659
18660
18661
18662
function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Preamble
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
18693
18694
18695
18696
18697
18698
18699
18700
18701
18702
18703
18704
18705
18706
18707
18708
18709
18710
18711
18712
18713
18714
18715
18716
18717
18718
18719
18720
18721
18722
18723
18724
18725
18726
18727
18728
18729
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: PASS: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: FAIL: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea
} // End of group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV
18744
18745
18746
18747
18748
18749
18750
18751
18752
18753
18754
18755
18756
18757
18758
18759
18760
18761
18762
18763
18764
18765
18766
18767
18768
18769
18770
18771
18772
18773
18774
18775
18776
18777
18778
18779
18780
18781
18782
18783
18784
/**
* @desc Check that AA doesn't accept Authorization Validation Response message when this message is
* signed with certificate without appropriate permissions
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITSS in "enrolled" state
* the EA in "operational" state
* and the IUT(AA) in "operational" state
* and the IUT had received the AuthorizationRequest from the ITSS
* and the IUT sent the AuthorizationValidationRequest
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives the AuthorizationValidationResponseMessage
* containing signer
* containing digest
* indicating HashedId8 of the certificate
* containing appPermissions
* not containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* or containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating other value than 1
* or containing opaque[1] (value)
* indicating "AuthorizationValidationResponse" (bit 4) set to 0
* }
* then {
* the IUT answers with an AuthorisationValidationResponseMessage
* containing responseCode
* indicating non-zero value
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_02_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI
} // End of group aa_authorization_validation_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.4 Authorization response
group aa_authorization_response {
18794
18795
18796
18797
18798
18799
18800
18801
18802
18803
18804
18805
18806
18807
18808
18809
18810
18811
18812
18813
18814
18815
18816
18817
18818
18819
18820
18821
18822
18823
18824
18825
18826
18827
18828
18829
18830
18831
18832
18833
18834
18835
18836
18837
18838
18839
18840
18841
18842
18843
18844
18845
18846
18847
18848
18849
18850
18851
18852
18853
18854
18855
18856
18857
18858
18859
18860
18861
18862
18863
18864
18865
18866
18867
18868
18869
18870
18871
18872
18873
18874
18875
18876
18877
18878
18879
18880
18881
18882
18883
18884
18885
18886
18887
18888
18889
18890
18891
18892
18893
18894
18895
18896
18897
18898
18899
18900
18901
18902
18903
18904
18905
18906
18907
18908
18909
18910
18911
18912
18913
18914
18915
18916
18917
18918
18919
18920
18921
18922
18923
18924
18925
18926
18927
18928
18929
18930
18931
18932
18933
18934
18935
18936
18937
18938
18939
18940
18941
18942
18943
18944
18945
18946
18947
18948
18949
18950
18951
18952
18953
18954
18955
18956
18957
18958
18959
18960
18961
18962
18963
18964
18965
18966
18967
18968
18969
18970
18971
18972
18973
18974
18975
18976
18977
18978
18979
18980
18981
18982
18983
18984
18985
18986
18987
18988
18989
18990
18991
18992
18993
18994
18995
18996
18997
18998
18999
19000
/**
* @desc Check that the AA sends encrypted authorization response.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the ITS-S has sent the AuthorizationRequestMessage
* containing encrypted enkKey
* containing AES symmetric key (SYM_KEY) and
* the EA in "operational" state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing content.encryptedData
* containing recipients of size 1
* containing the instance of RecipientInfo
* containing pskRecipInfo
* indicating HashedId8 of the SYM_KEY
* and containing cyphertext
* encrypted using SYM_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_01_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_01_BV
group f_TC_SECPKI_AA_AUTH_01_BV {
function f_TC_SECPKI_AA_AUTH_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if ((v_result != -2) and (v_result != -3)){
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTH_01_BV_itss
function f_TC_SECPKI_AA_AUTH_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
tc_ac.stop;