Newer
Older
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if ((v_result != -2) and (v_result != -3)) { // Additinal shecks where done by TC_SECPKI_AA_AUTH_01_BV
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss
10035
10036
10037
10038
10039
10040
10041
10042
10043
10044
10045
10046
10047
10048
10049
10050
10051
10052
10053
10054
10055
10056
10057
10058
10059
10060
function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Preamble
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
10091
10092
10093
10094
10095
10096
10097
10098
10099
10100
10101
10102
10103
10104
10105
10106
10107
10108
10109
10110
10111
10112
10113
10114
10115
10116
10117
10118
10119
10120
10121
10122
10123
10124
10125
10126
10127
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: PASS: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: FAIL: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea
} // End of group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV
10142
10143
10144
10145
10146
10147
10148
10149
10150
10151
10152
10153
10154
10155
10156
10157
10158
10159
10160
10161
10162
10163
10164
10165
10166
10167
10168
10169
10170
10171
10172
10173
10174
10175
10176
10177
10178
10179
10180
10181
10182
/**
* @desc Check that AA doesn't accept Authorization Validation Response message when this message is
* signed with certificate without appropriate permissions
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITSS in "enrolled" state
* the EA in "operational" state
* and the IUT(AA) in "operational" state
* and the IUT had received the AuthorizationRequest from the ITSS
* and the IUT sent the AuthorizationValidationRequest
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives the AuthorizationValidationResponseMessage
* containing signer
* containing digest
* indicating HashedId8 of the certificate
* containing appPermissions
* not containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* or containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating other value than 1
* or containing opaque[1] (value)
* indicating "AuthorizationValidationResponse" (bit 4) set to 0
* }
* then {
* the IUT answers with an AuthorisationValidationResponseMessage
* containing responseCode
* indicating non-zero value
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_02_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI
} // End of group aa_authorization_validation_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.4 Authorization response
group aa_authorization_response {
10192
10193
10194
10195
10196
10197
10198
10199
10200
10201
10202
10203
10204
10205
10206
10207
10208
10209
10210
10211
10212
10213
10214
10215
10216
10217
10218
10219
10220
10221
10222
10223
10224
10225
10226
10227
10228
10229
10230
10231
10232
10233
10234
10235
10236
10237
10238
10239
10240
10241
10242
10243
10244
10245
10246
10247
10248
10249
10250
10251
10252
10253
10254
10255
10256
10257
10258
10259
10260
10261
10262
10263
10264
10265
10266
10267
10268
10269
10270
10271
10272
10273
10274
10275
10276
10277
10278
10279
10280
10281
10282
10283
10284
10285
10286
10287
10288
10289
10290
10291
10292
10293
10294
10295
10296
10297
10298
10299
10300
10301
10302
10303
10304
10305
10306
10307
10308
10309
10310
10311
10312
10313
10314
10315
10316
10317
10318
10319
10320
10321
10322
10323
10324
10325
10326
10327
10328
10329
10330
10331
10332
10333
10334
10335
10336
10337
10338
10339
10340
10341
10342
10343
10344
10345
10346
10347
10348
10349
10350
10351
10352
10353
10354
10355
10356
10357
10358
10359
10360
10361
10362
10363
10364
10365
10366
10367
10368
10369
10370
10371
10372
10373
10374
10375
10376
10377
10378
10379
10380
10381
10382
10383
10384
10385
10386
10387
10388
10389
10390
10391
10392
10393
10394
10395
10396
10397
10398
10399
10400
10401
10402
10403
10404
10405
10406
10407
10408
10409
10410
10411
10412
10413
10414
10415
10416
10417
10418
10419
10420
10421
10422
10423
10424
10425
10426
10427
10428
10429
10430
10431
10432
10433
10434
10435
10436
10437
10438
10439
10440
10441
10442
10443
10444
10445
10446
10447
10448
10449
10450
10451
10452
10453
10454
10455
10456
10457
10458
10459
10460
10461
10462
10463
10464
10465
10466
10467
10468
10469
10470
10471
10472
10473
10474
10475
10476
10477
10478
10479
10480
10481
10482
10483
10484
10485
10486
10487
10488
10489
10490
10491
10492
10493
10494
10495
10496
10497
10498
10499
10500
10501
10502
10503
10504
10505
10506
10507
10508
10509
10510
10511
10512
10513
10514
10515
10516
10517
10518
10519
10520
10521
10522
10523
10524
10525
10526
10527
10528
10529
10530
10531
10532
10533
10534
10535
10536
10537
10538
10539
10540
10541
10542
10543
10544
10545
10546
10547
10548
10549
10550
10551
10552
10553
10554
10555
10556
10557
10558
10559
10560
10561
10562
10563
10564
10565
10566
10567
10568
10569
10570
10571
10572
10573
10574
10575
10576
10577
10578
10579
10580
10581
10582
10583
10584
10585
10586
10587
10588
10589
10590
10591
10592
10593
10594
10595
10596
10597
10598
10599
10600
10601
10602
10603
10604
10605
10606
10607
10608
10609
10610
10611
10612
10613
10614
10615
10616
10617
10618
10619
10620
10621
10622
10623
10624
10625
10626
10627
10628
10629
10630
10631
10632
10633
10634
10635
10636
10637
10638
10639
10640
10641
10642
10643
10644
10645
10646
10647
10648
10649
10650
10651
10652
10653
10654
10655
10656
10657
10658
10659
10660
10661
10662
10663
10664
10665
10666
10667
10668
10669
10670
10671
10672
10673
10674
10675
10676
10677
10678
10679
10680
10681
10682
10683
10684
10685
10686
10687
10688
10689
10690
10691
10692
10693
10694
10695
10696
10697
10698
10699
10700
10701
10702
10703
10704
10705
10706
10707
10708
10709
10710
10711
10712
10713
10714
10715
10716
10717
10718
10719
10720
10721
10722
10723
10724
10725
10726
10727
10728
10729
10730
10731
10732
10733
10734
10735
10736
10737
10738
10739
10740
10741
10742
10743
10744
10745
10746
10747
10748
10749
10750
10751
10752
10753
10754
10755
10756
10757
10758
10759
10760
10761
10762
10763
10764
10765
10766
10767
10768
10769
10770
10771
10772
10773
10774
10775
10776
10777
10778
10779
10780
10781
10782
10783
10784
10785
10786
10787
10788
10789
10790
10791
10792
10793
10794
10795
10796
10797
10798
10799
10800
10801
10802
10803
10804
10805
10806
10807
10808
10809
10810
10811
10812
10813
10814
10815
10816
10817
10818
10819
10820
10821
10822
10823
10824
10825
10826
10827
10828
10829
10830
/**
* @desc Check that the AA sends encrypted authorization response.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the ITS-S has sent the AuthorizationRequestMessage
* containing encrypted enkKey
* containing AES symmetric key (SYM_KEY) and
* the EA in "operational" state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing content.encryptedData
* containing recipients of size 1
* containing the instance of RecipientInfo
* containing pskRecipInfo
* indicating HashedId8 of the SYM_KEY
* and containing cyphertext
* encrypted using SYM_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_01_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_01_BV
group f_TC_SECPKI_AA_AUTH_01_BV {
function f_TC_SECPKI_AA_AUTH_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if ((v_result != -2) and (v_result != -3)){
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTH_01_BV_itss
function f_TC_SECPKI_AA_AUTH_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INCONC: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test body
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
// TODO Wait for AuthorizationResponse
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTH
} // End of group f_TC_SECPKI_AA_AUTH_01_BV
/**
* @desc Check that the AA sends signed authorization response.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the IUT(AA) in 'operational' state
* authorized with CERT_AA certificate
* and the EA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing the EtsiTs103097Data-Signed
* containing signedData
* containing signer
* containing digest
* indicating HashedId8 value of the CERT_AA
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_02_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_02_BV
group f_TC_SECPKI_AA_AUTH_02_BV {
function f_TC_SECPKI_AA_AUTH_02_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTH_02_BV_itss
function f_TC_SECPKI_AA_AUTH_02_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INCONC: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test body
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
// TODO Wait for AuthorizationResponse
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTH
} // End of group f_TC_SECPKI_AA_AUTH_02_BV
/**
* @desc Check that the AA sends signed authorization response with signature properly calculated using approved hash algorithm.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the IUT(AA) in 'operational' state
* authorized with CERT_AA certificate
* containing verificationKey (AA_PUB_V_KEY)
* and the EA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing the EtsiTs103097Data-Signed
* containing signedData
* containing hashId
* indicating supported hash algorithm (HASH_ALG)
* and containing signature
* calculated using the HASH_ALG and private key correspondent to the AA_PUB_V_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_03_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_03_BV
/**
* @desc Check that the AA sends signed AuthorizationResponseMessage using valid ITS AID and only allowed headers.
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the IUT(AA) in 'operational' state
* and the EA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing the EtsiTs103097Data-Signed
* containing signedData
* containing tbsData
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing generationTime
* and not containing any other headers
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_04_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_04_BV
} // End of group aa_authorization_response
Yann Garcia
committed
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.5 CA Certificate Request
group aa_ca_certificates_request {
// TODO
} // End of group aa_ca_certificates_request
Yann Garcia
committed
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.6 Authorization using butterfly key expansion mechanism
group aa_authorization_with_bfk {
Yann Garcia
committed
10840
10841
10842
10843
10844
10845
10846
10847
10848
10849
10850
10851
10852
10853
10854
10855
10856
10857
10858
10859
10860
10861
10862
10863
10864
10865
10866
10867
10868
10869
10870
10871
10872
10873
10874
10875
10876
10877
10878
10879
10880
10881
10882
10883
10884
10885
10886
10887
10888
10889
10890
10891
10892
10893
10894
10895
10896
10897
10898
10899
10900
10901
group bfk_cert_request_helpers {
function f_trigger_butterfly_cert_request(
out HashedId8 p_aes_sym_key_hashed_id8,
out RaAcaCertRequest p_ra_aca_cert_request
) runs on ItsPkiHttp {
// Local variables
var octetstring v_caterpillar_private_key
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var EeRaCertRequest v_ee_ra_cert_request;
var octetstring v_private_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var Oct32 v_request_hash;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Generate EeRaCertRequest
if (f_generate_ee_ra_cert_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_ee_ra_cert_request) == false) {
log("*** f_trigger_butterfly_cert_request: ERROR: Failed to generate InnerEcRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log ("f_trigger_butterfly_cert_request: p_ee_ra_cert_request: ", v_ee_ra_cert_request);
// Buikd theHTTP request
f_http_build_butterfly_cert_request(v_ee_ra_cert_request, vc_eaPrivateKey, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, p_ra_aca_cert_request, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
p_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_cert_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AA,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
} // End of function f_trigger_butterfly_cert_request
function f_verify_http_butterfly_cert_request_message_to_ea(
in Request p_request,
in Headers p_headers,
out integer p_result,
out AcaRaCertResponse p_aca_ra_cert_response
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash;
Yann Garcia
committed
var Oct16 v_aes_enc_key;
log(">>> f_verify_http_butterfly_cert_request_message_to_ea: ", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O,
omit,
p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
Yann Garcia
committed
10912
10913
10914
10915
10916
10917
10918
10919
10920
10921
10922
10923
10924
10925
10926
10927
10928
10929
10930
10931
10932
10933
10934
10935
10936
10937
10938
10939
10940
10941
10942
10943
10944
10945
10946
10947
10948
10949
10950
10951
10952
10953
10954
10955
10956
10957
10958
10959
10960
10961
10962
10963
10964
10965
10966
10967
10968
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
var UInt64 v_current_time := f_getCurrentTimeUtc();
var UInt64 v_delta_time := 30;
log("f_verify_http_butterfly_cert_request_message_to_ea: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) {
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -2;
} else {
// TODO Add checked ???
}
}
log("<<< f_verify_http_butterfly_cert_request_message_to_ea: p_result: ", p_result);
} // End of function f_verify_http_butterfly_cert_request_message_to_ea
} // End of group bfk_cert_request_helpers
/**
* @desc Check that the AA sends the butterfly certificate response message after receiving of the butterfly certificate request
* Check that this message is encrypted using the same symmetric encryption key as the butterfly certificate request message
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA in "operational" state
* authorized with CERT_AA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyCertificateRequestMessage
* containing content.encryptedData.recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_AA
* and containing encKey
* containing encrypted symmetric encryption key (ENC_KEY)
* }
* then {
* the IUT sends to the EA a EtsiTs103097Data-Encrypted
* containing content.encryptedData.recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing pskRecipInfo
* indicating HashedId8 of the ENC_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_01_BV
Yann Garcia
committed
10970
10971
10972
10973
10974
10975
10976
10977
10978
10979
10980
10981
10982
10983
10984
10985
10986
10987
10988
10989
10990
10991
10992
10993
10994
10995
10996
10997
10998
10999
11000
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_BFK_AUTH_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var integer v_result;
var RaAcaCertRequest v_ra_aca_cert_request;
var AcaRaCertResponse v_aca_ra_cert_response;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_cert_request(v_aes_sym_key_hashed_id8, v_ra_aca_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(