Newer
Older
m_ec_signature(
m_etsiTs103097Data_encrypted(
m_encryptedData(
{
m_recipientInfo_certRecipInfo(
m_pKRecipientInfo(
v_recipientId,
m_symmetricCiphertext_aes128ccm(
m_aesCcmCiphertext(
v_nonce,
v_enc_signed_ec_signature
)
)
)
)
)
);
} else if (p_enc_algo == e_sm2_p256) { // FIXME FSCOM
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
} else { // Skip the encryption, alowed to be re-identified by the AA
p_inner_at_request.ecSignature := valueof(m_ec_signature_ext_payload(v_signed_at_signature));
}
// Build the InnerAtRequest, EcSignature field is already set
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256)) {
if (p_compressed_key_mode == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_public_key_x));
} else {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(v_public_key_x));
}
v_public_verification_key := valueof(m_publicVerificationKey_ecdsaNistP256(v_eccP256_curve_point));
} else if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1)) {
if (p_compressed_key_mode == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_public_key_x));
} else {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(v_public_key_x));
}
v_public_verification_key := valueof(m_publicVerificationKey_ecdsaBrainpoolP256r1(v_eccP256_curve_point));
} else {
var EccP384CurvePoint v_eccP384_curve_point;
if (p_compressed_key_mode == 0) {
v_eccP384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_0(v_public_key_x));
} else {
v_eccP384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_1(v_public_key_x));
}
v_public_verification_key := valueof(m_publicVerificationKey_ecdsaBrainpoolP384r1(v_eccP384_curve_point));
}
if (PX_INCLUDE_ENCRYPTION_KEYS) {
var template (value) EccP256CurvePoint v_enc_eccP256_curve_point;
if (p_compressed_enc_key_mode == 0) {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_0(v_public_enc_key_x);
} else {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(v_public_enc_key_x);
}
if (p_enc_algo == e_nist_p256) {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesNistP256(v_enc_eccP256_curve_point));
} else if (PX_VE_ALG == e_sm2_p256) { // FIXME FSCOM
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
} else {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesBrainpoolP256r1(v_enc_eccP256_curve_point));
}
p_inner_at_request.publicKeys := valueof( // The freshly generated public verification & encrypition keys to be used for the requested AT certificate
m_publicKeys(
v_public_verification_key,
m_encryptionKey( // FIXME Encryption keys could be optional
-,
v_public_encryption_key
)
)
);
} else {
p_inner_at_request.publicKeys := valueof( // The freshly generated public verification keys to be used for the requested AT certificate
m_publicKeys(
v_public_verification_key
)
);
}
p_inner_at_request.hmacKey := v_hmac_key;
log("f_generate_inner_at_request: p_inner_at_request= ", p_inner_at_request);
return true;
} // End of function f_generate_inner_at_request
function f_generate_inner_at_request_with_wrong_parameters(
in Certificate p_aa_certificate,
in SignAlgorithm p_enc_algo := PX_EC_ALG_FOR_AT,
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
in Oct8 p_aa_hashed_id8,
in Certificate p_ea_certificate,
in octetstring p_salt,
in Oct8 p_ea_hashed_id8,
in Certificate p_ec_certificate,
in octetstring p_ec_private_key,
in boolean p_alter_hmac := false,
in boolean p_alter_signer_digest := false,
in template (omit) Time32 p_start := omit,
in template (omit) Duration p_duration := omit,
in template (omit) Time64 p_generation_time := omit,
out octetstring p_private_key,
out octetstring p_public_key_compressed,
out integer p_compressed_key_mode,
out octetstring p_private_enc_key,
out octetstring p_public_compressed_enc_key,
out integer p_compressed_enc_key_mode,
out InnerAtRequest p_inner_at_request
) return boolean {
// Local variables
var octetstring v_public_key_x;
var octetstring v_public_key_y;
var octetstring v_public_enc_key_x;
var octetstring v_public_enc_key_y;
var bitstring v_enc_value;
var octetstring v_ec_hash;
var PublicVerificationKey v_public_verification_key;
var BasePublicEncryptionKey v_public_encryption_key;
var Oct8 v_ec_hashed_id8;
var octetstring public_enc_key_x;
var octetstring public_enc_key_y;
var Oct32 v_hmac_key;
var PublicVerificationKey v_verification_tag;
var PublicEncryptionKey v_encryption_tag;
var octetstring v_encoded_tag;
var Oct16 v_key_tag;
var octetstring v_hash_shared_at_request;
var template (value) ToBeSignedData v_tbs;
var octetstring v_tbs_signed;
var Ieee1609Dot2Data v_signed_at_signature;
var template (value) EccP256CurvePoint v_eccP256_curve_point;
var template (value) EccP256CurvePoint v_enc_eccP256_curve_point;
var HashAlgorithm v_hashId;
var Signature v_signature;
var Time32 v_start;
var Duration v_duration;
var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM })),
valueof(m_appPermissions(c_its_aid_DENM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_DENM }))
};
log("f_generate_inner_at_request_with_wrong_parameters: p_enc_algo=", p_enc_algo);
// Generate verification keys for the certificate to be requested
if (f_generate_key_pair(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_key_mode) == false) {
log("f_generate_inner_at_request_with_wrong_parameters: Failed to generate verification key");
return false;
}
log ("f_generate_inner_at_request_with_wrong_parameters: AT verification private key: ", p_private_key);
log ("f_generate_inner_at_request_with_wrong_parameters: AT verification public compressed key: ", p_public_key_compressed);
log ("f_generate_inner_at_request_with_wrong_parameters: AT verification public compressed mode: ", p_compressed_key_mode);
// Generate encryption keys for the certificate to be requested
if (PX_INCLUDE_ENCRYPTION_KEYS) {
if (f_generate_key_pair_for_encryption(p_enc_algo, p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
log("f_generate_inner_at_request_with_wrong_parameters: Failed to generate encryption key");
return false;
} else {
log ("f_generate_inner_at_request_with_wrong_parameters: AT encryption private key: ", p_private_enc_key);
log ("f_generate_inner_at_request_with_wrong_parameters: AT encryption public compressed key: ", p_public_compressed_enc_key);
log ("f_generate_inner_at_request_with_wrong_parameters: AT encryption public compressed mode: ", p_compressed_enc_key_mode);
}
} else {
p_private_enc_key := ''O;
v_public_enc_key_x := ''O;
v_public_enc_key_y := ''O;
p_public_compressed_enc_key := ''O;
p_compressed_enc_key_mode := -1;
}
// Calculate the whole certificate SHA
v_enc_value := encvalue(p_ec_certificate);
if (ischosen(p_ec_certificate.issuer.sha256AndDigest)) {
v_ec_hash := f_hashWithSha256(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_hashedId8FromSha256(v_ec_hash);
} else {
v_ec_hash := f_hashWithSha384(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_hashedId8FromSha384(v_ec_hash);
}
log("f_generate_inner_at_request_with_wrong_parameters: v_ec_hash= ", v_ec_hash);
log("f_generate_inner_at_request_with_wrong_parameters: v_ec_hashed_id8= ", v_ec_hashed_id8);
if (p_alter_signer_digest == true) {
v_ec_hashed_id8 := int2oct((f_getCurrentTimeUtc() * 1000), 8);
log("f_generate_inner_at_request_with_wrong_parameters: Altered v_ec_hashed_id8= ", v_ec_hashed_id8);
}
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
// Generate 32 octets length secret key
v_hmac_key := f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 12));
log("f_generate_inner_at_request_with_wrong_parameters: v_hmac_key= ", v_hmac_key);
// Generate tag based on the concatenation of verification keys & encryption keys
if (f_generate_key_tag(p_public_key_compressed, p_compressed_key_mode, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_encoded_tag) == false) {
log("f_generate_inner_at_request_with_wrong_parameters: Failed to generate Key tag");
return false;
}
log("f_generate_inner_at_request_with_wrong_parameters: v_encoded_tag= ", v_encoded_tag);
// Generate hmac key
v_key_tag := substr(
fx_hmac_sha256( // TODO Rename and use a wrapper function
v_hmac_key,
v_encoded_tag
),
0,
16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously
log("f_generate_inner_at_request_with_wrong_parameters: v_key_tag= ", v_key_tag);
if (p_alter_hmac == true) {
v_hmac_key[0] := 'aa'O;
v_hmac_key[1] := 'bb'O;
log("f_generate_inner_at_request_with_wrong_parameters: Altered key_tag= ", v_hmac_key);
}
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
// Build the SharedAtRequest
if (not(ispresent(p_start))) {
v_start := p_ec_certificate.toBeSigned.validityPeriod.start_;
} else {
v_start := valueof(p_start);
log("f_generate_inner_at_request_with_wrong_parameters: Altered ValidityPeriod.start= ", v_start);
}
if (not(ispresent(p_duration))) {
v_duration := p_ec_certificate.toBeSigned.validityPeriod.duration;
} else {
v_duration := valueof(p_duration);
log("f_generate_inner_at_request_with_wrong_parameters: Altered ValidityPeriod.duration= ", v_duration);
}
p_inner_at_request.sharedAtRequest := valueof(
m_shared_at_request(
p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity
v_key_tag, // Calculated keyTag
valueof(
m_certificate_subject_attributes(
v_appPermissions,
p_ec_certificate.toBeSigned.certRequestPermissions,
{ none_ := NULL },//p_ec_certificate.toBeSigned.id,
m_validityPeriod(v_start, v_duration),
p_ec_certificate.toBeSigned.region,
p_ec_certificate.toBeSigned.assuranceLevel
))) // Desired attributes
);
// Calculate the hash of the SharedAtRequest
v_hash_shared_at_request := f_hashWithSha256(bit2oct(encvalue(p_inner_at_request.sharedAtRequest)));
log("f_generate_inner_at_request_with_wrong_parameters: v_hash_shared_at_request= ", v_hash_shared_at_request);
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
// Build the ETsiTs103097Data-SignedExternalPayload
if (ispresent(p_generation_time)) {
v_tbs := m_toBeSignedData(
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_pki_request( // HeaderInfo
-,
valueof(p_generation_time) * 1000) //us
);
log("f_generate_inner_at_request_with_wrong_parameters: Altered generation time: v_tbs= ", v_tbs);
} else {
v_tbs := m_toBeSignedData(
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_pki_request( // HeaderInfo
-,
f_getCurrentTime() * 1000) //us
);
log("f_generate_inner_at_request_with_wrong_parameters: v_tbs= ", v_tbs);
}
// Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request
// In case of ITS-S privacy, v_signed_at_signature contained the data to be encrypted
// TODO Simplify with f_signWithEcdsa
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_hashId := sha384;
v_tbs_signed := f_signWithEcdsaBrainpoolp384r1WithSha384(bit2oct(encvalue(v_tbs)), v_ec_hash, p_ec_private_key);
v_signature := valueof(
m_signature_ecdsaBrainpoolP384r1(
m_ecdsaP384Signature(
m_eccP384CurvePoint_x_only(
substr(v_tbs_signed, 0, 48)
),
substr(v_tbs_signed, 48, 48)
)
)
);
} else {
v_hashId := sha256;
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1)) {
v_tbs_signed := f_signWithEcdsaBrainpoolp256r1WithSha256(bit2oct(encvalue(v_tbs)), v_ec_hash, p_ec_private_key);
v_signature := valueof(
m_signature_ecdsaBrainpoolP256r1(
m_ecdsaP256Signature(
m_eccP256CurvePoint_x_only(
substr(v_tbs_signed, 0, 32)
),
substr(v_tbs_signed, 32, 32)
)
)
);
} else if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256)) {
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), v_ec_hash, p_ec_private_key);
v_signature := valueof(
m_signature_ecdsaNistP256(
m_ecdsaP256Signature(
m_eccP256CurvePoint_x_only(
substr(v_tbs_signed, 0, 32)
),
substr(v_tbs_signed, 32, 32)
)
)
);
} else {
// Error
log("f_generate_inner_at_request_with_wrong_parameters: Failed to process signature");
return false;
}
}
v_signed_at_signature := valueof(
m_etsiTs103097Data_signed(
m_signedData(
v_hashId,
v_tbs,
m_signerIdentifier_digest(v_ec_hashed_id8), // Signer is the hasheId8 of the EC certificate obtained from Enrolment request
v_signature
)
)
);
log("f_generate_inner_at_request_with_wrong_parameters: v_signed_at_signature= ", v_signed_at_signature);
if (PICS_ITS_S_WITH_PRIVACY) { // Build EtsiTs102097Data-Encrypted structure
var octetstring v_public_enc_key;
var integer v_compressed_mode;
var Oct12 v_nonce;
var Oct16 v_authentication_vector;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var HashedId8 v_recipientId;
var octetstring v_public_compressed_ephemeral_key;
var integer v_public_compressed_ephemeral_mode;
var octetstring v_enc_signed_ec_signature;
var EncryptedDataEncryptionKey v_encrypted_data_encryption_key;
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
// Use EA certificate for the encryption
if (p_enc_algo == e_nist_p256) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
v_compressed_mode := 0;
} else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
v_compressed_mode := 1;
} else {
log("f_generate_inner_at_request_with_wrong_parameters: Wrong NistP256 encryption variant");
return false;
}
v_enc_signed_ec_signature := f_encryptWithEciesNistp256WithSha256(bit2oct(encvalue(v_signed_at_signature)), v_public_enc_key, v_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce);
if (v_public_compressed_ephemeral_mode == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_public_compressed_ephemeral_key));
} else {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(v_public_compressed_ephemeral_key));
}
v_encrypted_data_encryption_key := valueof(
m_encryptedDataEncryptionKey_eciesNistP256(
m_evciesP256EncryptedKey(
v_eccP256_curve_point,
v_encrypted_sym_key,
v_authentication_vector
)));
} else if (p_enc_algo == e_brainpool_p256_r1) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
v_compressed_mode := 0;
} else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1;
v_compressed_mode := 1;
} else {
log("f_generate_inner_at_request_with_wrong_parameters: Wrong BrainpoolP256r1 encryption variant");
return false;
}
v_enc_signed_ec_signature := f_encryptWithEciesBrainpoolp256r1WithSha256(bit2oct(encvalue(v_signed_at_signature)), v_public_enc_key, v_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce);
if (v_public_compressed_ephemeral_mode == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_public_compressed_ephemeral_key));
} else {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(v_public_compressed_ephemeral_key));
}
v_encrypted_data_encryption_key := valueof(
m_encryptedDataEncryptionKey_eciesBrainpoolP256r1(
m_evciesP256EncryptedKey(
v_eccP256_curve_point,
v_encrypted_sym_key,
v_authentication_vector
)));
} else if (p_enc_algo == e_sm2_p256) { // FIXME FSCOM
} else {
log("f_generate_inner_at_request_with_wrong_parameters: Wrong encryption variant");
return false;
}
log("f_generate_inner_at_request_with_wrong_parameters: v_encrypted_data_encryption_key= ", v_encrypted_data_encryption_key);
v_recipientId := p_ea_hashed_id8; // RecipientId is the HashedId8 of the EA certificate
log("f_generate_inner_at_request_with_wrong_parameters: v_recipientId= ", v_recipientId);
// Fill Certificate template with the public compressed keys (canonical form)
p_inner_at_request.ecSignature := valueof(
m_ec_signature(
m_etsiTs103097Data_encrypted(
m_encryptedData(
{
m_recipientInfo_certRecipInfo(
m_pKRecipientInfo(
v_recipientId,
m_symmetricCiphertext_aes128ccm(
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
m_aesCcmCiphertext(
v_nonce,
v_enc_signed_ec_signature
)
)
)
)
)
);
} else { // Skip the encryption, alowed to be re-identified by the AA
p_inner_at_request.ecSignature := valueof(m_ec_signature_ext_payload(v_signed_at_signature));
}
// Build the InnerAtRequest, EcSignature field is already set
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256)) {
if (p_compressed_key_mode == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_public_key_x));
} else {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(v_public_key_x));
}
v_public_verification_key := valueof(m_publicVerificationKey_ecdsaNistP256(v_eccP256_curve_point));
} else if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1)) {
if (p_compressed_key_mode == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_public_key_x));
} else {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(v_public_key_x));
}
v_public_verification_key := valueof(m_publicVerificationKey_ecdsaBrainpoolP256r1(v_eccP256_curve_point));
} else {
var EccP384CurvePoint v_eccP384_curve_point;
if (p_compressed_key_mode == 0) {
v_eccP384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_0(v_public_key_x));
} else {
v_eccP384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_1(v_public_key_x));
}
v_public_verification_key := valueof(m_publicVerificationKey_ecdsaBrainpoolP384r1(v_eccP384_curve_point));
}
if (PX_INCLUDE_ENCRYPTION_KEYS) {
if (p_compressed_enc_key_mode == 0) {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_0(v_public_enc_key_x);
} else {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(v_public_enc_key_x);
}
if (p_enc_algo == e_nist_p256) {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesNistP256(v_enc_eccP256_curve_point));
} else if (PX_VE_ALG == e_sm2_p256) { // FIXME FSCOM
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
} else {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesBrainpoolP256r1(v_enc_eccP256_curve_point));
}
p_inner_at_request.publicKeys := valueof( // The freshly generated public verification & encrypition keys to be used for the requested AT certificate
m_publicKeys(
v_public_verification_key,
m_encryptionKey( // FIXME Encryption keys could be optional
-,
v_public_encryption_key
)
)
);
} else {
p_inner_at_request.publicKeys := valueof( // The freshly generated public verification keys to be used for the requested AT certificate
m_publicKeys(
v_public_verification_key
)
);
}
p_inner_at_request.hmacKey := v_hmac_key;
log("f_generate_inner_at_request_with_wrong_parameters: p_inner_at_request= ", p_inner_at_request);
return true;
} // End of function f_generate_inner_at_request_with_wrong_parameters
function f_verify_inner_at_request_signed_for_pop(
in EtsiTs102941Data p_etsi_ts_102941_data,
in EtsiTs103097Certificate p_ec_certificate,
out InnerAtRequest p_inner_at_request
) return boolean {
var bitstring v_msg_bit;
log(">>> f_verify_inner_at_request_signed_for_pop: p_etsi_ts_102941_data=", p_etsi_ts_102941_data);
log(">>> f_verify_inner_at_request_signed_for_pop: p_ec_certificate=", p_ec_certificate);
// 1. Extract content
p_inner_at_request := p_etsi_ts_102941_data.content.authorizationRequest;
// 2. Verify the InnerEcRequestSignedForPop signature
// TODO
log("<<< f_verify_inner_at_request_signed_for_pop: ", p_inner_at_request);
return true;
} // End of function f_verify_inner_at_request_signed_for_pop
function f_generate_inner_at_response(
in octetstring p_authorization_request_hash,
in EtsiTs103097Certificate p_certificate,
out InnerAtResponse p_authorization_response
) return boolean {
// Local variables
// Build the Proof of Possession InnerEcResponse
p_authorization_response := valueof(
m_innerAtResponse_ok(
substr(p_authorization_request_hash, 0, 16),
p_certificate
)
);
return true;
} // End of function f_generate_inner_at_response
group bfk {
function f_generate_ee_ra_cert_request(
out octetstring p_caterpillar_private_key,
out octetstring p_caterpillar_public_key_compressed,
out integer p_caterpillar_compressed_mode,
![Yann Garcia Yann Garcia's avatar](/rep/uploads/-/system/user/avatar/5/avatar.png?width=36)
Yann Garcia
committed
out octetstring p_caterpillar_enc_private_key,
out octetstring p_caterpillar_enc_public_key_compressed,
out integer p_caterpillar_enc_compressed_mode,
out EeRaCertRequest p_ee_ra_cert_request
) runs on ItsPkiHttp return boolean {
var octetstring v_public_key_x;
var octetstring v_public_key_y;
var EccP256CurvePoint v_ecc_p256_curve_point;
![Yann Garcia Yann Garcia's avatar](/rep/uploads/-/system/user/avatar/5/avatar.png?width=36)
Yann Garcia
committed
var EccP256CurvePoint v_ecc_enc_p256_curve_point;
var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
valueof(m_appPermissions(36, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM })),
valueof(m_appPermissions(37, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_DENM }))
};
var PublicVerificationKey v_public_verification_key;
var template (value) ToBeSignedCertificate v_tbs;
log (">>> f_generate_ee_ra_cert_request");
log("f_generate_ee_ra_cert_request: PX_VE_ALG=", PX_VE_ALG);
![Yann Garcia Yann Garcia's avatar](/rep/uploads/-/system/user/avatar/5/avatar.png?width=36)
Yann Garcia
committed
// Generate caterpillar signing keys
if (PX_BFK_TEST_VECTORS) {
p_caterpillar_private_key := 'D418760F0CB2DCB856BC3C7217AD3AA36DB6742AE1DB655A3D28DF88CBBF84E1'O;
p_caterpillar_public_key_compressed := 'EE9CC7FBD9EDECEA41F7C8BD258E8D2E988E75BD069ADDCA1E5A38E534AC6818'O;
p_caterpillar_compressed_mode := 1;
} else {
if (f_generate_key_pair(p_caterpillar_private_key, v_public_key_x, v_public_key_y, p_caterpillar_public_key_compressed, p_caterpillar_compressed_mode) == false) {
log("f_generate_ee_ra_cert_request: Failed to generate caterpillar keys");
return false;
}
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
}
log ("f_generate_ee_ra_cert_request: Caterpillar private key: ", p_caterpillar_private_key);
log ("f_generate_ee_ra_cert_request: Caterpillar public compressed key: ", p_caterpillar_public_key_compressed);
log ("f_generate_ee_ra_cert_request: Caterpillar public compressed mode: ", p_caterpillar_compressed_mode);
if (p_caterpillar_compressed_mode == 0) {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(p_caterpillar_public_key_compressed));
} else {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(p_caterpillar_public_key_compressed));
}
if (PX_EC_ALG_FOR_EC == e_nist_p256) {
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaNistP256(
v_ecc_p256_curve_point
));
} else if (PX_EC_ALG_FOR_EC == e_nist_p384) { // FIXME FSCOM
// v_public_verification_key := valueof(
// m_publicVerificationKey_ecdsaNistP384(
// v_ecc_p384_curve_point
// ));
} else if (PX_EC_ALG_FOR_EC == e_brainpool_p256_r1) {
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaBrainpoolP256r1(
v_ecc_p256_curve_point
));
} else if (PX_EC_ALG_FOR_EC == e_brainpool_p384_r1) { // FIXME FSCOM
// v_public_verification_key := valueof(
// m_publicVerificationKey_ecdsaBrainpoolP384r1(
// v_ecc_p384_curve_point
// ));
} else if (PX_EC_ALG_FOR_EC == e_sm2_p256) { // FIXME FSCOM
} else {
log("f_generate_ee_ra_cert_request: Wrong encryption algorithm, check PX_EC_ALG_FOR_xx");
return false;
}
v_tbs := m_bfk_to_be_signed_certificate(
{ none_ := NULL },
v_appPermissions,
m_verificationKeyIndicator_verificationKey(
v_public_verification_key
),
m_validityPeriod(
f_getCurrentTime() / 1000,
m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)
),
m_geographicRegion_identifiedRegion(
{
m_identifiedRegion_country_only(PX_GENERATED_CERTIFICATE_REGION_COUNTRY_2),
m_identifiedRegion_country_only(PX_GENERATED_CERTIFICATE_REGION_COUNTRY_2)
}
),
PX_GENERATED_CERTIFICATE_SUBJECT_ASSURENCE_LEVEL
);
![Yann Garcia Yann Garcia's avatar](/rep/uploads/-/system/user/avatar/5/avatar.png?width=36)
Yann Garcia
committed
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
// Generate caterpillar encryption keys
if (f_generate_key_pair_for_encryption(e_nist_p256, p_caterpillar_enc_private_key, v_public_key_x, v_public_key_y, p_caterpillar_enc_public_key_compressed, p_caterpillar_enc_compressed_mode) == false) {
log("f_generate_ee_ra_cert_request: Failed to generate caterpillar keys");
return false;
}
log ("f_generate_ee_ra_cert_request: Caterpillar private key: ", p_caterpillar_enc_private_key);
log ("f_generate_ee_ra_cert_request: Caterpillar public compressed key: ", p_caterpillar_enc_public_key_compressed);
log ("f_generate_ee_ra_cert_request: Caterpillar public compressed mode: ", p_caterpillar_enc_compressed_mode);
if (p_caterpillar_enc_compressed_mode == 0) {
v_ecc_enc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(p_caterpillar_enc_public_key_compressed));
} else {
v_ecc_enc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(p_caterpillar_enc_public_key_compressed));
}
if (PICS_SECPKI_ORIGINAL_BFK_KEY) {
var octetstring v_signing_expansion_key;
var octetstring v_enc_expansion_key;
f_generate_bkf_signing_expension_keys(v_signing_expansion_key);
log ("f_generate_ee_ra_cert_request: v_signing_expansion_key: ", v_signing_expansion_key);
var octetstring v_expanded_caterpillar_private_key;
f_bfk_expend_private_key(v_signing_expansion_key, p_caterpillar_private_key, v_expanded_caterpillar_private_key);
log ("f_generate_ee_ra_cert_request: v_expanded_caterpillar_private_key: ", v_expanded_caterpillar_private_key);
var octetstring v_caterpillar_expended_public_key_compressed;
var integer v_caterpillar_expended_compressed_mode;
f_bfk_expend_public_key(v_signing_expansion_key, p_caterpillar_public_key_compressed, p_caterpillar_compressed_mode, v_caterpillar_expended_public_key_compressed, v_caterpillar_expended_compressed_mode);
log ("f_generate_ee_ra_cert_request: v_caterpillar_expended_public_key_compressed: ", v_caterpillar_expended_public_key_compressed);
log ("f_generate_ee_ra_cert_request: v_caterpillar_expended_compressed_mode: ", v_caterpillar_expended_compressed_mode);
var boolean v_verif := f_bfk_verify_expended_keys(v_expanded_caterpillar_private_key, v_caterpillar_expended_public_key_compressed, v_caterpillar_expended_compressed_mode);
stop;
f_generate_bkf_enc_expension_keys(v_enc_expansion_key);
log ("f_generate_ee_ra_cert_request: v_signing_expansion_key: ", v_signing_expansion_key);
log ("f_generate_ee_ra_cert_request: v_enc_expansion_key: ", v_enc_expansion_key);
p_ee_ra_cert_request := valueof(
m_butterfly_authorization_request(
f_getCurrentTime(),
explicit,
v_tbs,
m_additional_params_original(
m_butterfly_params_original(
m_butterfly_expansion_aes128(
v_signing_expansion_key
),
m_encryptionKey(
-,
m_publicEncryptionKey_eciesNistP256(
v_ecc_enc_p256_curve_point
)),
m_butterfly_expansion_aes128(
v_enc_expansion_key
)))));
} else if (PICS_SECPKI_UNIFIED_BFK_KEY) {
var octetstring v_expansion_key;
f_generate_bkf_signing_expension_keys(v_expansion_key);
log ("f_generate_ee_ra_cert_request: v_expansion_key: ", v_expansion_key);
p_ee_ra_cert_request := valueof(
m_butterfly_authorization_request(
f_getCurrentTime(),
explicit,
v_tbs,
m_additional_params_unified(
m_butterfly_expansion_aes128(
v_expansion_key
))));
} else {
log("f_generate_ee_ra_cert_request: Wrong configuration, at least one (PICS_SECPKI_ORIGINAL_BFK_KEY, PICS_SECPKI_UNIFIED_BFK_KEY) of shall be set to true");
return false;
}
log("f_generate_ee_ra_cert_request: p_ee_ra_cert_request: ", p_ee_ra_cert_request);
return true;
} // End of function f_generate_ee_ra_cert_request
function f_generate_ee_ra_download_request(
in charstring p_filename,
out EeRaDownloadRequest p_ee_ra_download_request
) runs on ItsPkiHttp return boolean {
p_ee_ra_download_request := valueof(m_ee_ra_download_request(f_getCurrentTimeUtc(), p_filename));
![Yann Garcia Yann Garcia's avatar](/rep/uploads/-/system/user/avatar/5/avatar.png?width=36)
Yann Garcia
committed
log("f_generate_ee_ra_download_request: p_ee_ra_download_request: ", p_ee_ra_download_request);
return true
} // End of function f_generate_ee_ra_download_request
} // End of group bfk
function f_build_dc(
in charstring p_rca_certificate_id,
out EtsiTs103097Certificate p_rca_certificate
) {
log(">>> f_build_dc");
// Load certificate
f_readCertificate(p_rca_certificate_id, p_rca_certificate);
}
YannGarcia
committed
function f_verify_rca_ctl_response_message(
in EtsiTs103097Data p_etsi_ts_103097_signed_data,
in boolean p_check_security := true,
out ToBeSignedRcaCtl p_to_be_signed_rca_ctl
) return boolean {
var bitstring v_etsi_ts_102941_data_msg;
var bitstring v_tbs;
var Certificate v_certificate;
var charstring v_certificate_id;
var octetstring v_issuer;
var EtsiTs102941Data v_etsi_ts_102941_data;
log(">>> f_verify_rca_ctl_response_message: p_etsi_ts_103097_signed_data= ", p_etsi_ts_103097_signed_data);
// 1. Verify signature
log("f_verify_rca_ctl_response_message: p_etsi_ts_103097_signed_data.content.signedData.tbsData= ", p_etsi_ts_103097_signed_data.content.signedData.tbsData);
v_tbs := encvalue(p_etsi_ts_103097_signed_data.content.signedData.tbsData);
YannGarcia
committed
if (ispresent(p_etsi_ts_103097_signed_data.content.signedData.signer.digest)) {
if (f_getCertificateFromDigest(p_etsi_ts_103097_signed_data.content.signedData.signer.digest, v_certificate, v_certificate_id) == false) {
log("f_verify_rca_ctl_response_message: Failed to retrieve certificate from ", p_etsi_ts_103097_signed_data.content.signedData.signer.digest);
if (p_check_security == true) {
return false;
}
}
log("f_verify_rca_ctl_response_message (1): v_certificate: ", v_certificate);
YannGarcia
committed
f_getCertificateHash(v_certificate_id, v_issuer);
} else {
v_certificate := p_etsi_ts_103097_signed_data.content.signedData.signer.certificate[0];
log("f_verify_rca_ctl_response_message (2): v_certificate: ", v_certificate);
YannGarcia
committed
if (ispresent(v_certificate.issuer.sha256AndDigest)) {
v_issuer := v_certificate.issuer.sha256AndDigest;
} if (ispresent(v_certificate.issuer.sha384AndDigest)) {
YannGarcia
committed
v_issuer := v_certificate.issuer.sha384AndDigest;
} else { // self_
if (v_certificate.issuer.self_ == sha256) {
v_issuer := int2oct(0, 32);
} else {
v_issuer := int2oct(0, 48);
}
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
}
}
if (f_verifyEcdsa(bit2oct(v_tbs), v_issuer, p_etsi_ts_103097_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("f_verify_rca_ctl_response_message: Failed to verify signature");
if (p_check_security == true) {
return false;
}
}
v_etsi_ts_102941_data_msg := oct2bit(p_etsi_ts_103097_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData);
if (decvalue(v_etsi_ts_102941_data_msg, v_etsi_ts_102941_data) != 0) {
log("f_verify_rca_ctl_response_message: Failed to decode EtsiTs102941Data");
return false;
} else {
log("f_verify_rca_ctl_response_message: v_etsi_ts_102941_data= ", v_etsi_ts_102941_data);
log("f_verify_pki_response_message: RcaCertificateTrustListMessage matching= ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_to_be_signed_rca_ctl));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_to_be_signed_rca_ctl) == false) {
log("f_verify_rca_ctl_response_message: Failed to decode certificateTrustListRca");
return false;
} else {
var Time32 v_time := (f_getCurrentTime()/* - 1072915200000*/) / 1000;
p_to_be_signed_rca_ctl := v_etsi_ts_102941_data.content.certificateTrustListRca;
log("f_verify_rca_ctl_response_message: p_to_be_signed_rca_ctl= ", p_to_be_signed_rca_ctl);
if (p_to_be_signed_rca_ctl.nextUpdate <= v_time) {
log("f_verify_rca_ctl_response_message: Invalid nextUpdate value: compared values=", p_to_be_signed_rca_ctl.nextUpdate, "/", v_time);
return false;
}
// TODO Verify RCA certificate & signature
}
}
return true;
}
function f_verify_rca_crl_response_message(
in EtsiTs103097Data p_etsi_ts_103097_signed_data,
in boolean p_check_security := true,
out ToBeSignedCrl p_to_be_signed_crl
) return boolean {
var bitstring v_etsi_ts_102941_data_msg;
var bitstring v_tbs;
var Certificate v_certificate;
var charstring v_certificate_id;
var octetstring v_issuer;
var EtsiTs102941Data v_etsi_ts_102941_data;
log(">>> f_verify_rca_crl_response_message: p_etsi_ts_103097_signed_data= ", p_etsi_ts_103097_signed_data);
// 1. Verify signature
log("f_verify_rca_crl_response_message: p_etsi_ts_103097_signed_data.content.signedData.tbsData= ", p_etsi_ts_103097_signed_data.content.signedData.tbsData);
v_tbs := encvalue(p_etsi_ts_103097_signed_data.content.signedData.tbsData);
if (f_getCertificateFromDigest(p_etsi_ts_103097_signed_data.content.signedData.signer.digest, v_certificate, v_certificate_id) == false) {
log("f_verify_rca_crl_response_message: Failed to retrieve certificate from ", p_etsi_ts_103097_signed_data.content.signedData.signer.digest);
if (p_check_security == true) {
return false;
}
}
f_getCertificateHash(v_certificate_id, v_issuer);
if (f_verifyEcdsa(bit2oct(v_tbs), v_issuer, p_etsi_ts_103097_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("f_verify_rca_crl_response_message: Failed to verify signature");
if (p_check_security == true) {
return false;
}
}
v_etsi_ts_102941_data_msg := oct2bit(p_etsi_ts_103097_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData);
if (decvalue(v_etsi_ts_102941_data_msg, v_etsi_ts_102941_data) != 0) {
log("f_verify_rca_crl_response_message: Failed to decode EtsiTs102941Data");
return false;
} else {
log("f_verify_rca_crl_response_message: v_etsi_ts_102941_data= ", v_etsi_ts_102941_data);
log("f_verify_pki_response_message: CertificateRevocationList matching= ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_to_be_signed_crl));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_to_be_signed_crl) == false) {
log("f_verify_rca_crl_response_message: Failed to decode certificateRevocationList");
return false;
} else {
var Time32 v_time := (f_getCurrentTime()/* - 1072915200000*/) / 1000;
p_to_be_signed_crl := v_etsi_ts_102941_data.content.certificateRevocationList;
log("f_verify_rca_crl_response_message: p_to_be_signed_crl= ", p_to_be_signed_crl);
if (p_to_be_signed_crl.thisUpdate >= v_time) {
log("f_verify_rca_crl_response_message: Invalid thisUpdate value");
return false;
}
if (p_to_be_signed_crl.nextUpdate <= v_time) {
log("f_verify_rca_crl_response_message: Invalid nextUpdate value");
return false;
}
// TODO Verify RCA certificate & signature
}
}
return true;
}
/**
* @desc this function is used to retrieve the root certificate from SubCA entity
* @param p_certificate The root certificate
* @return 0 on success, -1 otherwise
*/
function f_get_root_ca_certificate(
in charstring p_iut_certificate := "CERT_IUT_A_CA",
in boolean p_explicit_type := false,
out Certificate p_certificate
) runs on ItsPkiHttp return integer {
var Headers v_headers;
var HttpMessage v_response;
var octetstring v_os;
var bitstring v_msg_bit;
log(">>> f_get_root_ca_certificate");
// Get root certificate
f_cfHttpUp_ca();
f_init_default_headers_list(PICS_HEADER_CTL_CONTENT_TYPE, "ca_request", v_headers);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_get(
PICS_HTTP_GET_URI_DC,
v_headers
)));
tc_ac.start;
alt {
[not(PICS_MULTIPLE_END_POINT)] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_certificate
)))) -> value v_response {
tc_ac.stop;
[PICS_MULTIPLE_END_POINT] httpCaPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_certificate
)))) -> value v_response {
tc_ac.stop;
}
[] tc_ac.timeout {
}
} // End of 'alt' statement
f_cfHttpDown_ca();
if (not(isvalue(v_response))) {
log("f_get_root_ca_certificate: fail to get certificate");
return -1;
log("v_response.response.body.binary_body.ieee1609dot2_certificate: ", v_response.response.body.binary_body.ieee1609dot2_certificate);
p_certificate := v_response.response.body.binary_body.ieee1609dot2_certificate;
log("<<< f_get_root_ca_certificate: ", p_certificate);
return 0;
function f_verify_rca_certificate(
in charstring p_authorized_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_RCA",
in Certificate p_certificate,
in boolean p_check_implicit := false,
in boolean p_check_reconstruction_value := false,
in boolean p_check_no_signature := false,
in boolean p_check_region_restriction := false,
in boolean p_check_signature_content := false,
in boolean p_check_app_permissions := false,
in boolean p_check_app_ssps := false,
in boolean p_check_app_validity_period := false
) return boolean {
var CertificateType v_type_ := explicit;
var template Signature v_signature_ := ?;
var template IssuerIdentifier v_issuer := ?;
var template PublicVerificationKey v_public_verification_key := ?;
log(">>> f_verify_rca_certificate: p_authorized_certificate= ", p_authorized_certificate);
log(">>> f_verify_rca_certificate: p_certificate= ", p_certificate);
if (p_check_implicit == true) {
v_type_ := implicit;
}
if (p_check_no_signature == true) {
v_signature_ := omit;
}
if (match(p_certificate, mw_etsiTs103097Certificate(-, -, v_signature_, v_type_)) == false) {
log("f_verify_rca_certificate: version/explicit mismatch");
YannGarcia
committed
return false;
}
if (p_check_reconstruction_value == false) {
if (match(p_certificate, mw_etsiTs103097Certificate(
-,
mw_toBeSignedCertificate_ca(
(mw_certificateId_none, mw_certificateId_name),
-,
-,
mw_verificationKeyIndicator_verificationKey
),
v_signature_
)) == false) {
log("f_verify_rca_certificate: verificationKey mismatch");
return false;
}
if (p_check_signature_content) {
var template PublicVerificationKey v_publicVerificationKey;
YannGarcia
committed
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
if (PICS_SEC_SHA256) {
v_signature_ := mw_signature_ecdsaNistP256;
v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest);
v_public_verification_key := mw_publicVerificationKey_ecdsaNistP256;
} else if (PICS_SEC_BRAINPOOL_P256R1) {
v_signature_ := mw_signature_ecdsaBrainpoolP256r1;
v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest);
v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP256r1;
} else if (PICS_SEC_BRAINPOOL_P384R1) {
v_signature_ := mw_signature_ecdsaBrainpoolP384r1;
v_issuer := (mw_issuerIdentifier_self(sha384), mw_issuerIdentifier_sha384AndDigest);
v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP384r1;
}
if (match(p_certificate, mw_etsiTs103097Certificate(
v_issuer,
mw_toBeSignedCertificate_ca(
(mw_certificateId_none, mw_certificateId_name),
-,
-,
mw_verificationKeyIndicator_verificationKey(v_public_verification_key),
-, -, -, -,
-//mw_encryptionKey
),
v_signature_
)) == false) {
log("f_verify_rca_certificate: signature mismatch");
return false;
}
// Verify Signature
if (ischosen(p_certificate.issuer.self_)) {
v_publicVerificationKey := p_certificate.toBeSigned.verifyKeyIndicator.verificationKey;