add PX_CHECK_INITIAL_STATES (b6ee537a) · Commits · ITS - Intelligent Transport Systems / ttcn / PKI TS 103 525-3

ItsPki_Pixits.ttcn

+2 −0

Original line number	Diff line number	Diff line
		@@ -10,4 +10,6 @@ module ItsPki_Pixits {

		modulepar boolean PX_TRIGGER_EC_BEFORE_AT := true;

		modulepar boolean PX_CHECK_INITIAL_STATES := true;

		} // End of module ItsPki_Pixits

ItsPki_TestCases.ttcn

+190 −90

Original line number	Diff line number	Diff line
		@@ -113,8 +113,8 @@ module ItsPki_TestCases {
		out InnerEcResponse p_inner_ec_response,
		out HttpMessage p_response,
		out integer p_result,
		in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
		in template SignerIdentifier p_signer := m_signerIdentifier_self,
		in template (present) octetstring p_its_id := PICS_ITS_S_CANONICAL_ID,
		in template (present) SignerIdentifier p_signer := m_signerIdentifier_self,
		in EnrolmentResponseCode p_force_response_code := ok
		) runs on ItsPkiHttp {
		// Local variables
		@@ -125,12 +125,17 @@ module ItsPki_TestCases {
		var template (value) HttpMessage v_response;
		var EtsiTs103097Certificate v_ec_certificate;
		var HashedId8 v_ec_certificate_hashed_id8;
		var PublicVerificationKey v_canonical_key;

		log(">>> f_verify_http_ec_request_from_iut_itss: ", p_request);

		p_result := 0;

		if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/salt/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
		if(false == f_get_canonical_itss_key(v_canonical_key)){
		log(">>> f_verify_http_ec_request_from_iut_itss: error getting canonical key");
		v_response := m_http_response(m_http_response_500_internal_error(p_headers));
		p_result := -1;
		}else if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/salt/, int2oct(0,32), v_canonical_key, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
		// Send error message
		v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
		// Set verdict
		@@ -215,7 +220,7 @@ module ItsPki_TestCases {
		function f_verify_http_at_request_from_iut_itss(
		in Request p_request,
		in Headers p_headers,
		in EtsiTs103097Certificate p_ec_certificate,
		in template (omit) EtsiTs103097Certificate p_ec_certificate,
		out InnerAtRequest p_inner_at_request,
		out InnerAtResponse p_inner_at_response,
		out HttpMessage p_response,
		@@ -224,46 +229,122 @@ module ItsPki_TestCases {
		in AuthorizationResponseCode p_force_response_code := ok
		) runs on ItsPkiHttp {
		// Local variables
		var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
		var Ieee1609Dot2Data v_ieee1609dot2_data;
		var EtsiTs102941Data v_etsi_ts_102941_data;
		var Oct16 v_request_hash;
		var Oct16 v_aes_enc_key;
		var template (value) HttpMessage v_response;
		var octetstring v_msg;


		log(">>> f_verify_http_at_request_from_iut_itss:", p_request);

		p_result := 0;

		// Do not verify the signature now because ATRequest is required to verify the POP signature ==> false
		if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/salt/, ''O, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Only decryption
		// 1. Calculate the request Hash
		v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
		log(">>> f_verify_http_at_request_from_iut_itss: Encoded request: ", v_msg);
		v_request_hash := substr(f_hashWithSha256(v_msg), 0, 16);
		log(">>> f_verify_http_at_request_from_iut_itss: p_request_hash= ", v_request_hash);

		// 2. Decrypt the InnerEcRequest
		if (false == f_decrypt(vc_aaPrivateEncKey, // AA private encryption key
		p_request.body.binary_body.ieee1609dot2_data , // data to be decrypted
		vc_aaWholeHash, // salt
		v_ieee1609dot2_data, // decrypted message
		v_aes_enc_key))
		{
		log("f_verify_http_at_request_from_iut_itss: Failed to decrypt message");
		// Send error message, unable to decypt it
		v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
		p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); // Initialize v_reponse with an error message
		// Set verdict
		p_result := -1;
		return ;
		}

		// check if signed
		var bitstring v_msg_bit;
		if(ispresent(v_ieee1609dot2_data.content.signedData)){
		if(not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data)
		or not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData))
		{
		log("f_verify_http_at_request_from_iut_itss: Invalid message payload");
		p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
		p_result := -1;
		return;
		}
		log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
		v_msg_bit := oct2bit(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
		}else{
		if(not ispresent(v_ieee1609dot2_data.content.unsecuredData)){
		log("f_verify_http_at_request_from_iut_itss: Invalid message payload");
		p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
		p_result := -1;
		return;
		}
		v_msg_bit := oct2bit(v_ieee1609dot2_data.content.unsecuredData);
		}
		if (decvalue(v_msg_bit, v_etsi_ts_102941_data) != 0) {
		log("f_verify_http_at_request_from_iut_itss: Can not decode v_etsi_ts_102941_data");
		p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
		p_result := -1;
		return;
		}

		log("f_verify_http_at_request_from_iut_itss: matching: ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // TODO In TITAN, this is the only way to get the unmatching in log
		if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) {
		// Send error message
		f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
		f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		// Set verdict
		p_result := -2;
		} else {
		return;
		}
		/*
		// Extract InnerAtRequest and Verify signature of mw_innerATRequestSignedForPop
		if(!ispresent(p_ec_certificate)){
		// get ec certificate from
		if(not f_readCertificate(PICS_IUT_EC_CERTIFICATE_ID, p_ec_certificate)){
		f_http_build_authorization_response(p_inner_at_request, unknownits, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
		// Set verdict
		p_result := -3;
		return;
		}
		}
		*/
		if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_ec_certificate, p_inner_at_request) == false) {
		// Send error message
		f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
		v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
		f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
		// Set verdict
		p_result := -3;
		} else {
		log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // TODO In TITAN, this is the only way to get the unmatching in log
		return;
		}

		log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)));
		if (match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined
		// Send error message: No enrolment request
		f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
		v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
		// Send error message: No authorization request
		f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
		// Set verdict
		p_result := -4;
		} else {
		return;
		}

		// Verify PoP signature of outer message
		if(ispresent(v_ieee1609dot2_data.content.signedData)){
		log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData= ", v_ieee1609dot2_data.content.signedData.tbsData);
		v_msg := bit2oct(encvalue(v_ieee1609dot2_data.content.signedData.tbsData));
		log("f_verify_http_at_request_from_iut_itss: v_msg= ", v_msg);
		if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_data.content.signedData.signature_, p_inner_at_request.publicKeys.verificationKey)) {
		f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
		// Set verdict
		p_result := -6;
		return;
		}
		}

		var PublicVerificationKey v_verification_tag;
		var octetstring v_encoded_tag;
		var octetstring v_key_tag;
		@@ -287,27 +368,22 @@ module ItsPki_TestCases {
		log("f_verify_http_at_request_from_iut_itss: matching: ", match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag));
		if (match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag) == false) {
		// Send error message: No enrolment request
		f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
		v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
		f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
		// Set verdict
		p_result := -5;
		} else {
		return;
		}

		// Send OK message
		log("f_verify_http_at_request_from_iut_itss: Receive ", p_inner_at_request);
		if (p_force_response_code == ok) {
		f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
		f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		} else {
		log("f_verify_http_at_request_from_iut_itss: Succeed built force error code ", p_force_response_code);
		f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
		}
		v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
		}
		}
		}
		}
		f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
		}

		p_response := valueof(v_response);
		p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers)));
		log("<<< f_verify_http_at_request_from_iut_itss: p_result: ", p_result);
		log("<<< f_verify_http_at_request_from_iut_itss: p_response: ", p_response);
		} // End of function f_verify_http_at_request_from_iut_itss
		@@ -674,7 +750,8 @@ module ItsPki_TestCases {
		var EtsiTs103097Certificate v_certificate;

		// Test component configuration
		vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
		// vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
		vc_hashedId8ToBeUsed := "";
		f_cfUp_itss();

		// Test adapter configuration
		@@ -1916,7 +1993,8 @@ module ItsPki_TestCases {
		var boolean v_start_awaiting := false;

		// Test component configuration
		vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
		// vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
		vc_hashedId8ToBeUsed := "";
		f_cfUp_itss();

		// Test adapter configuration
		@@ -1931,6 +2009,8 @@ module ItsPki_TestCases {
		f_selfOrClientSyncAndVerdict(c_prDone, e_error);
		}
		[] tc_noac.timeout {
		log("* " & testcasename() & "_itss: : INFO: No CA message received *");
		if(PX_TRIGGER_EC_BEFORE_AT){
		f_sendUtTriggerEnrolmentRequestPrimitive();
		tc_ac.start; // TDOD To refined, use altstep
		alt {
		@@ -1938,12 +2018,17 @@ module ItsPki_TestCases {
		tc_ac.stop;
		log("* " & testcasename() & "_itss: INFO: IUT is in enrol state *");
		}
		[] tc_ac.timeout {
		[LibItsPki_Pics.PICS_UT_STATE_INDICATION] tc_ac.timeout {
		log("* " & testcasename() & "_itss: DBG: IUT state update not recieved *");
		f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
		}
		[not(LibItsPki_Pics.PICS_UT_STATE_INDICATION)] tc_ac.timeout {
		log("* " & testcasename() & "_itss: DBG: IUT doesn't support state indication. Assume it was well done.*");
		}
		} // End of 'alt' statement
		log("* " & testcasename() & "_itss: : INFO: No CA message received *");
		}else{
		log("* " & testcasename() & "_itss: DBG: Assume IUT already in enrolled state.*");
		}
		f_selfOrClientSyncAndVerdict(c_prDone, e_success);
		}
		} // End of 'alt' statement
		@@ -1982,6 +2067,7 @@ module ItsPki_TestCases {
		var Headers v_headers;
		var HttpMessage v_request;
		var InnerEcResponse v_inner_ec_response;
		var template (omit) EtsiTs103097Certificate v_ec_cert := omit;

		// Test component configuration
		f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
		@@ -1992,6 +2078,7 @@ module ItsPki_TestCases {
		f_init_default_headers_list(-, "inner_at_response", v_headers);
		if (PX_TRIGGER_EC_BEFORE_AT) {
		if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) {
		v_ec_cert := v_inner_ec_response.certificate;
		log("* " & testcasename() & ": INFO: Enrolment succeed *");
		f_selfOrClientSyncAndVerdict(c_prDone, e_success);
		} else {
		@@ -1999,6 +2086,8 @@ module ItsPki_TestCases {
		f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
		}
		} else {
		// f_readCertificate(PICS_IUT_EC_CERTIFICATE_ID, v_inner_ec_response.certificate);
		// v_ec_cert := omit;
		f_selfOrClientSyncAndVerdict(c_prDone, e_success);
		}

		@@ -2027,7 +2116,7 @@ module ItsPki_TestCases {
		tc_ac.stop;

		// Verify IUT response
		f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
		f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_ec_cert, v_inner_at_request, v_inner_at_response, v_response, v_result);
		log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result);
		log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response);
		// Send response
		@@ -2598,6 +2687,7 @@ module ItsPki_TestCases {
		}
		} else {
		f_selfOrClientSyncAndVerdict(c_prDone, e_success);
		v_inner_ec_response.certificate := omit;
		}

		// Test Body
		@@ -9645,12 +9735,21 @@ module ItsPki_TestCases {
		// Local variables
		var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
		var EtsiTs102941Data v_etsi_ts_102941_data;
		var EtsiTs103097Certificate v_aaCertificate;
		var charstring v_aaCertificate_id;

		log(">>> f_verify_http_at_request_from_iut_atv: p_request= ", p_request);

		p_result := 0;

		if (f_verify_pki_request_message(vc_eaPrivateEncKey/Encrypted with AA/, vc_eaWholeHash/salt/, vc_aaWholeHash/Issuer is AA/, p_request.body.binary_body.ieee1609dot2_data, true, p_request_hash, v_etsi_ts_102941_data, p_aes_enc_key) == false) {
		if (not(f_getCertificateFromDigest(f_hashedId8FromSha256(vc_aaWholeHash), v_aaCertificate, v_aaCertificate_id))) {
		p_result := -1;
		return;
		}

		if (not(f_verify_pki_request_message(vc_eaPrivateEncKey/Encrypted with AA/, vc_eaWholeHash/salt/, vc_aaWholeHash/Issuer is AA/,
		v_aaCertificate.toBeSigned.verifyKeyIndicator.verificationKey,
		p_request.body.binary_body.ieee1609dot2_data, true, p_request_hash, v_etsi_ts_102941_data, p_aes_enc_key))) {
		// Set verdict
		p_result := -1;
		} else {
		@@ -14532,6 +14631,7 @@ module ItsPki_TestCases {

		// Preamble
		f_getCertificateHash256(v_rca_certificate_id, v_hash);

		v_rca_hashed_id8 := f_hashedId8FromSha256(v_hash);
		log("*** " & testcasename() & ": DEBUG: v_rca_hashed_id8= ", v_rca_hashed_id8);
		f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);

lib/LibItsPki_Pics.ttcn

+12 −0

Original line number	Diff line number	Diff line
		@@ -50,11 +50,21 @@ module LibItsPki_Pics {
		*/
		modulepar boolean PICS_PKI_AUTH_POP := true;

		/**
		* @desc Do the Authorization Request use SignedWithPop mechanism?
		*/
		modulepar boolean PICS_UT_STATE_INDICATION := true;

		/**
		* @desc Certificate used by the IUT acting as ITS-S
		*/
		modulepar charstring PICS_IUT_CERTIFICATE_ID := "CERT_IUT_A_AT";

		/**
		* @desc Default enrollment credentials used by ITS-S
		*/
		modulepar charstring PICS_IUT_EC_CERTIFICATE_ID := "CERT_IUT_A_EC";

		/**
		* @desc Certificate used by the IUT acting as EA
		*/
		@@ -267,4 +277,6 @@ module LibItsPki_Pics {

		modulepar charstring PICS_EA_ENDPOINT := "http://www.etsi.org"



		} // End of module LibItsPki_Pics

lib/LibItsPki_Templates.ttcn

+2 −2

Original line number	Diff line number	Diff line
		@@ -537,7 +537,7 @@ module LibItsPki_Templates {
		template CertificateSubjectAttributes mw_certificate_subject_attributes(
		template (present) SequenceOfPsidSsp p_appPermissions := ?,
		template CertificateId p_id := *,
		template (present) ValidityPeriod p_validityPeriod := ?,
		template ValidityPeriod p_validityPeriod := *,
		template SubjectAssurance p_assuranceLevel := *,
		template GeographicRegion p_region := *,
		template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit
		@@ -553,7 +553,7 @@ module LibItsPki_Templates {
		template CertificateSubjectAttributes mw_certificate_subject_attributes_optional_assuranceLevel(
		template (present) SequenceOfPsidSsp p_appPermissions := ?,
		template (present) CertificateId p_id := ?,
		template (present) ValidityPeriod p_validityPeriod := ?,
		template ValidityPeriod p_validityPeriod := *,
		template SubjectAssurance p_assuranceLevel := *,
		template GeographicRegion p_region := *,
		template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit

lib_system/LibItsPki_Functions.ttcn

+135 −29

File changed.

Preview size limit exceeded, changes collapsed.

Admin message