Subproject commit 021805f17253f5b0baf80b13bca8151a05342655
Subproject commit 7e4ea27e7e0d752587aa48051f880607c29ef8ca
......@@ -1343,6 +1343,49 @@ module LibItsPki_Functions {
return p_result;
} // End of function f_http_build_inner_ec_response
function f_http_build_error_ec_response(
in EnrolmentResponseCode p_responseCode := ok,
in Oct16 p_request_hash,
in octetstring p_private_key := ''O,
in octetstring p_digest := ''O,
in Oct16 p_aes_sym_key,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data
) return boolean {
// Local variables
var octetstring v_msg;
var Oct12 v_nonce;
var Ieee1609Dot2Data v_ieee1609dot2_signed_data;
var boolean p_result := false;
var InnerEcResponse v_inner_ec_response;
// Check expectred response
if (p_responseCode == ok) {
return false;
}
v_inner_ec_response := valueof(
m_innerEcResponse_ko(
p_request_hash,
p_responseCode
)
);
// Secure the response
log("f_http_build_error_ec_response: p_inner_ec_response= ", v_inner_ec_response);
v_msg := bit2oct(encvalue(m_etsiTs102941Data_inner_ec_response(v_inner_ec_response)));
v_nonce := substr(f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 16)), 0, 12); // Random value
// TODO Consider Sha384: m_signerIdentifier_digest(f_hashedId8FromSha384(p_digest))
if (f_build_pki_secured_response_message(p_private_key,
valueof(m_signerIdentifier_digest(f_hashedId8FromSha256(p_digest))),// in SignerIdentifier p_signer_identifier,
v_msg,
p_aes_sym_key,
v_nonce,
p_ieee1609dot2_signed_and_encrypted_data
) == false) {
log("f_http_build_inner_ec_response: Failed to generate the certificate");
return false;
}
return true;
} // End of function f_http_build_error_ec_response
function f_http_build_authorization_request(
in Certificate p_ec_certificate, // Enrolment credentials certificate
in octetstring p_ec_private_key,
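Review bot: The nonce in f_http_build_error_ec_response is not random, despite the `// Random value` comment: `v_nonce` is the first 12 octets of a SHA-256 over `f_getCurrentTimeUtc() * 1000`, so it is fully determined by the clock, and two responses built in the same clock tick under one `p_aes_sym_key` would share it. If the encryption behind f_build_pki_secured_response_message is an AEAD mode (not visible in this hunk), nonce reuse under one key undermines both confidentiality and integrity. Take the nonce from the test system's random source, or at minimum correct the comment to `// Time-derived nonce, not random`. Two smaller points in the same function: the failure log names the wrong function and cause (`"f_http_build_inner_ec_response: Failed to generate the certificate"`), and the default `p_responseCode := ok` makes a call that omits the argument return false at once, which deserves a line in a header comment.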
......@@ -5319,7 +5362,7 @@ module LibItsPki_Functions {
mw_enrolmentRequestMessage(
mw_encryptedData()
)))));
} // End of template mw_http_ec_request_generic
} // End of predefined requests
function f_await_ec_request_send_response(
out InnerEcRequest p_inner_ec_request,
......@@ -5340,41 +5383,39 @@ module LibItsPki_Functions {
[] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, p_request) {
var Ieee1609Dot2Data v_decrypted_message;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
var InnerEcRequest v_inner_ec_request;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash, v_aes_enc_key;
tc_ac.stop;
if(f_read_ec_request_from_iut_itss(p_request.request.body.binary_body.ieee1609dot2_data,
v_request_hash, v_aes_enc_key,
v_decrypted_message,
v_etsi_ts_102941_data,
p_inner_ec_request)) {
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
if(f_read_ec_request_from_iut_itss( p_request.request.body.binary_body.ieee1609dot2_data,
v_request_hash, v_aes_enc_key,
v_decrypted_message,
v_etsi_ts_102941_data,
p_inner_ec_request
)){
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
var Ieee1609Dot2Data v_response_message;
log(">>>>>> f_await_ec_request_send_response v_inner_ec_request=", p_inner_ec_request);
if(ispresent(p_attributes)) {
if(isvalue(p_attributes.id)) {
if(ispresent(p_attributes)){
if(isvalue(p_attributes.id)){
p_inner_ec_request.requestedSubjectAttributes.id := valueof(p_attributes.id);
}
if(isvalue(p_attributes.validityPeriod)) {
if(isvalue(p_attributes.validityPeriod)){
p_inner_ec_request.requestedSubjectAttributes.validityPeriod := valueof(p_attributes.validityPeriod);
}
if(isvalue(p_attributes.region)) {
if(isvalue(p_attributes.region)){
p_inner_ec_request.requestedSubjectAttributes.region := valueof(p_attributes.region);
}
if(isvalue(p_attributes.assuranceLevel)) {
if(isvalue(p_attributes.assuranceLevel)){
p_inner_ec_request.requestedSubjectAttributes.assuranceLevel := valueof(p_attributes.assuranceLevel);
}
if(isvalue(p_attributes.appPermissions)) {
if(isvalue(p_attributes.appPermissions)){
p_inner_ec_request.requestedSubjectAttributes.appPermissions := valueof(p_attributes.appPermissions);
}
if(isvalue(p_attributes.certIssuePermissions)) {
if(isvalue(p_attributes.certIssuePermissions)){
p_inner_ec_request.requestedSubjectAttributes.certIssuePermissions := valueof(p_attributes.certIssuePermissions);
}
}
......@@ -5389,11 +5430,13 @@ module LibItsPki_Functions {
), v_headers));
} else {
v_response := m_http_response(m_http_response_500_internal_error(v_headers));
}
f_http_send(v_headers, v_response);
v_result := true;
}
f_http_send(v_headers, v_response);
}
[] a_await_ec_http_request_from_iut( mw_http_request(), v_wrong_request) {
log("f_await_ec_request_send_response: Wrong message received ", v_wrong_request);
log(">>>>>> f_await_ec_request_send_response: Wrong message received ", v_wrong_request);
log(" ", match(v_wrong_request, mw_http_request()));
f_http_send(v_headers, m_http_response(m_http_response_500_internal_error(v_headers)));
repeat;
......@@ -5409,8 +5452,6 @@ module LibItsPki_Functions {
function f_await_ec_request_send_no_response(
out HttpMessage p_request
) runs on ItsPkiHttp {
var boolean v_result := false;
log(">>> f_await_ec_request_send_no_response");
tc_ac.start;
......@@ -5933,10 +5974,9 @@ module LibItsPki_Functions {
var octetstring v_tbs_signed;
var template (value) Ieee1609Dot2Data v_ieee1609dot2_signed_data;
var octetstring v_encoded_inner_ec_response;
var octetstring v_symkeyidentifier;
var HashedId8 v_recipientId;
var octetstring v_encrypted_inner_ec_response;
var octetstring v_symkeyidentifier;
// Signed the encoded PKI message
v_tbs := m_toBeSignedData(
m_signedDataPayload(
......@@ -5950,6 +5990,8 @@ module LibItsPki_Functions {
var charstring v_certificate_id;
var Oct32 v_hash;
fx_readCertificateFromDigest(p_signer_identifier.digest, v_certificate_id); // TODO Add a wrapper function
log(">>>>> f_build_pki_secured_response_message: use ", v_certificate_id, " for signing response");
log(">>>>> f_build_pki_secured_response_message: use ", p_private_key, " as private key");
f_getCertificateHash(v_certificate_id, v_hash);
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), v_hash, p_private_key);
}
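Review bot: The second `>>>>>` log line, which appears to be one of the two lines this hunk adds, writes the signing key into the test log: `log(">>>>> f_build_pki_secured_response_message: use ", p_private_key, " as private key");`. Execution logs are commonly archived and shared with reports, so the key should not appear in them. Drop the line or log only that a key was supplied, for example `log(">>>>> f_build_pki_secured_response_message: private key length=", lengthof(p_private_key));`. The later hunk in f_read_pki_request_message logs `p_private_enc_key` and `p_aes_enc_key` in the same way and should get the same treatment. The enclosing block starts and ends outside this hunk.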
......@@ -6000,52 +6042,54 @@ module LibItsPki_Functions {
} // End of function f_build_pki_secured_response_message
function f_read_pki_request_message(
in Ieee1609Dot2Data p_encrypted_message,
in Oct32 p_private_enc_key,
in Oct32 p_salt,
out Oct16 p_request_hash,
out Oct16 p_aes_enc_key,
out Ieee1609Dot2Data p_decrypted_message,
out EtsiTs102941Data p_etsi_ts_102941_data
) return boolean {
in Ieee1609Dot2Data p_encrypted_message,
in Oct32 p_private_enc_key,
in Oct32 p_salt,
out Oct16 p_request_hash,
out Oct16 p_aes_enc_key,
out Ieee1609Dot2Data p_decrypted_message,
out EtsiTs102941Data p_etsi_ts_102941_data
) return boolean {
var octetstring v_msg;
var boolean v_return_code := true;
var boolean ret := true;
// 1. Calculate the request Hash
v_msg := bit2oct(encvalue(p_encrypted_message));
log("f_read_pki_request_message: Encoded request: ", v_msg);
log("f_parse_pki_request: Encoded request: ", v_msg);
p_request_hash := substr(f_hashWithSha256(v_msg), 0, 16);
log("f_read_pki_request_message: p_request_hash= ", p_request_hash);
log("f_parse_pki_request: p_request_hash= ", p_request_hash);
// 2. Decrypt message
log("f_read_pki_request_message: p_private_enc_key= ", p_private_enc_key);
log("f_parse_pki_request: p_private_enc_key= ", p_private_enc_key);
if (false == f_decrypt(p_private_enc_key, p_encrypted_message, p_salt, p_decrypted_message, p_aes_enc_key)) {
log("f_read_pki_request_message: Failed to decrypt message");
log("f_parse_pki_request: Failed to decrypt message");
return false;
}
log("f_read_pki_request_message: v_ieee1609dot2_signed_data= ", p_decrypted_message);
log("f_read_pki_request_message: p_aes_enc_key= ", p_aes_enc_key);
log("f_parse_pki_request: v_ieee1609dot2_signed_data= ", p_decrypted_message);
log("f_parse_pki_request: p_aes_enc_key= ", p_aes_enc_key);
// 3. get TS 102 941 data
select(p_decrypted_message) {
case (mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload
)))) {
var bitstring v_msg_bit;
v_msg_bit := oct2bit(p_decrypted_message.content.signedData.tbsData.payload.data.content.unsecuredData);
if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) {
v_return_code := false;
}
}
select(p_decrypted_message){
case( mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload
)
)
)
) {
var bitstring v_msg_bit;
v_msg_bit := oct2bit(p_decrypted_message.content.signedData.tbsData.payload.data.content.unsecuredData);
if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) {
ret := false;
}
}
case else {
v_return_code := false;
ret := false;
}
} // End of 'select' statement
return v_return_code;
}
return ret;
} // End of function f_read_pki_request_message
function f_read_ec_request_from_iut_itss(
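Review bot: The log prefix in f_read_pki_request_message no longer matches the function name: in each printed pair the second copy says `f_parse_pki_request:`, while the closing comment still names f_read_pki_request_message, so a log search by function name will miss these lines. Keep the prefix in step with the name, e.g. `log("f_read_pki_request_message: Failed to decrypt message");`. This assumes the second copy of each pair is the new side, since the `+`/`-` markers are not shown. The rename of `v_return_code` to `ret` also drops the `v_` prefix that the other locals in this module carry.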
......@@ -6061,11 +6105,17 @@ module LibItsPki_Functions {
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
var InnerEcResponse v_inner_ec_response;
if (f_read_pki_request_message(p_encrypted_message, vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/,
p_request_hash, p_aes_enc_key,
p_decrypted_message,
p_etsi_ts_102941_data)) {
/*
if(false == f_get_canonical_itss_key(v_canonical_key)){
log(">>> f_read_ec_request_from_iut_itss: error getting canonical key");
return false;
}
*/
if( f_read_pki_request_message( p_encrypted_message, vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/,
p_request_hash, p_aes_enc_key,
p_decrypted_message,
p_etsi_ts_102941_data
)) {
// decode InnerEcRequest
var bitstring v_msg_bit := oct2bit(p_etsi_ts_102941_data.content.enrolmentRequest.content.signedData.tbsData.payload.data.content.unsecuredData);
if (decvalue(v_msg_bit, p_inner_ec_request) != 0) {
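Review bot: The block comment added at the top of f_read_ec_request_from_iut_itss is disabled code with no explanation: it calls `f_get_canonical_itss_key(v_canonical_key)`, and no declaration of `v_canonical_key` is visible in this hunk. Either delete it or replace it with a one-line note stating what is pending and why, e.g. `// TODO: check the ITS-S canonical key before decrypting (disabled: <REASON>)`. The function's signature and the rest of its body lie outside the hunk.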
......@@ -6076,6 +6126,7 @@ module LibItsPki_Functions {
return false;
} // End of function f_read_ec_request_from_iut_itss
/**
* @desc Verify the protocol element of the Pki message.
* If p_check_security is set to false, only decryption and decoding of the outer message are verified.
......@@ -6154,29 +6205,29 @@ module LibItsPki_Functions {
// 4. Verifiy signature
log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData));
log("f_verify_pki_request_message: v_msg= ", v_msg);
if (not ispresent(p_verification_key)) {
if (not ispresent(p_verification_key)){
var EtsiTs103097Certificate v_cert;
var charstring v_cert_id;
if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.digest)) {
if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.digest)){
if (not f_getCertificateFromDigest(v_ieee1609dot2_signed_data.content.signedData.signer.digest, v_cert, v_cert_id)){
if (p_check_security == true) {
return false;
}
}
}
if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.certificate)) {
if(lengthof(v_ieee1609dot2_signed_data.content.signedData.signer.certificate) > 0) {
if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.certificate)){
if(lengthof(v_ieee1609dot2_signed_data.content.signedData.signer.certificate) > 0){
v_cert := v_ieee1609dot2_signed_data.content.signedData.signer.certificate[0];
}
}
if (isbound(v_cert)) {
if (isbound(v_cert)){
if(ischosen(v_cert.toBeSigned.verifyKeyIndicator.verificationKey)){
p_verification_key := v_cert.toBeSigned.verifyKeyIndicator.verificationKey;
}
}
}
if (ispresent(p_verification_key)) {
if (ispresent(p_verification_key)){
log("f_verify_pki_request_message: v_msg= ", v_msg);
if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, valueof(p_verification_key))) {
if (p_check_security == true) {
return false;
......