ItsPki_TestCases.ttcn

@@ -86,13 +86,13 @@ module ItsPki_TestCases {
    * @desc 5.2  ITS-S behaviour
    */
   group itss_behavior {
-
     group itss_states {
       const charstring c_stInitial := "initial";
       const charstring c_stEnrolled := "enrolled";
       const charstring c_stAuthorized := "authorized";
     }
+
     group itss_helpers {
       /**
@@ -188,6 +188,7 @@ module ItsPki_TestCases {
           p_result := -4;
           goto L_Done;
         }
+
         // TODO Check ValidityPeriod
         // Send OK message
@@ -225,9 +226,12 @@ module ItsPki_TestCases {
               log("f_verify_http_ec_request_from_iut_itss: Succeed but force error code ", p_force_response_code);
           f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data);
         }
+        
         label L_Done;
-          v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+        v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+        // Set verdict
+        p_result := 0;
         p_response := valueof(v_response);
         log("<<< f_verify_http_ec_request_from_iut_itss: p_response: ", p_response);
         log("<<< f_verify_http_ec_request_from_iut_itss: p_result: ", p_result);
@@ -249,11 +253,9 @@ module ItsPki_TestCases {
                                                       in AuthorizationResponseCode p_force_response_code := ok
                                                       ) runs on ItsPkiHttp {
         // Local variables
-        var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
         var Ieee1609Dot2Data v_ieee1609dot2_data;
         var EtsiTs102941Data v_etsi_ts_102941_data;
         var Oct16 v_request_hash;
-        var HashedId8 v_bfk_hashed_id8;
         var Oct16 v_aes_enc_key;
         var template (value) HttpMessage v_response;
         var octetstring v_msg;
@@ -398,6 +400,7 @@ module ItsPki_TestCases {
        * @desc The purpose of this function is verify the AT request and extract InnerAtRequest , verify ecSignature and build the InnerAtResponse for the HTTP response
        *       Note: This function accepts additional parameters to alter the response
        */
+
       function f_verify_http_at_request_from_iut_itss_for_ecSignature(
                                                       in Request p_request,
                                                       in Headers p_headers,
@@ -411,7 +414,7 @@ module ItsPki_TestCases {
                                                       in AuthorizationResponseCode p_force_response_code := ok
                                                       ) runs on ItsPkiHttp {
         // Local variables
-        var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
+        var Ieee1609Dot2Data v_ieee1609dot2_data;
         var EtsiTs102941Data v_etsi_ts_102941_data;
         var Ieee1609Dot2Data v_ieee1609dot2_signed_data; //new variable
         var HashedId8 v_ec_certificate_hashed_id8 //new variable
@@ -420,22 +423,51 @@ module ItsPki_TestCases {
         var HashedId8 v_bfk_hashed_id8;
         var Oct16 v_aes_enc_key;
         var template (value) HttpMessage v_response;
+        var octetstring v_msg;
+
         log(">>> f_verify_http_at_request_from_iut_itss_for_ecSignature:", p_request);
         p_result := 0;
-        // Do not verify the signature now because ATRequest is required to verify the POP signature       ==> false
-        if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, omit, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Only decryption
-          // Send error message, unable to decrypt it
-          v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_response with an error message
+        // 1. Calculate the request Hash
+        v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
+        log(">>> f_verify_http_at_request_from_iut_itss: Encoded request: ", v_msg);
+        v_request_hash := substr(f_hashWithSha256(v_msg), 0, 16);
+        log(">>> f_verify_http_at_request_from_iut_itss: p_request_hash= ", v_request_hash);
+ 
+        // 2. Decrypt the InnerAtRequest
+        if (false == f_decrypt(vc_aaPrivateEncKey, // AA private encryption key
+                               p_request.body.binary_body.ieee1609dot2_data , // data to be decrypted
+                               vc_aaWholeHash, // salt
+                               v_ieee1609dot2_data, // decrypted message
+                               v_aes_enc_key)) {
+          log("f_verify_http_at_request_from_iut_itss: Failed to decrypt message");
+          // Send error message, unable to decypt it
+          p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); // Initialize v_reponse with an error message
           // Set verdict
           p_result := -1;
+          return;
+        }
+
+        // check if signed
+        var bitstring v_msg_bit;
+        if(ispresent(v_ieee1609dot2_data.content.signedData)){
+          if(not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data)
+            or not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData))
+          {
+            log("f_verify_http_at_request_from_iut_itss: Invalid message payload");
+            p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")));
+            p_result := -1;
+            return;
+          }
+          log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
+          v_msg_bit := oct2bit(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
         } else {
             log("f_verify_http_at_request_from_iut_itss_for_ecSignature: matching: ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // to get the unmatching in log
           if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) {
             // Send error message
-            f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
+          f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
             // Set verdict
             p_result := -2;
           } else {
@@ -444,8 +476,8 @@ module ItsPki_TestCases {
             log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(v_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // to get the unmatching in log
                 if (match(v_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined
                   // Send error message: No authorization request
-                  f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
-                  v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+                  f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
+                  v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers));
                   // Set verdict
                   p_result := -3;
                   } else {
@@ -453,8 +485,8 @@ module ItsPki_TestCases {
                     // Check ecSignature
                     if (ispresent(v_inner_at_request.ecSignature.ecSignature) == false) {
                         // Send error message: No signed external payload present
-                        f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
-                        v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+                        f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
+                        v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers));
                         // Set verdict
                         p_result := -4;
                         // Verify ecSignature of mw_ec_signature (encrypted)
@@ -465,8 +497,8 @@ module ItsPki_TestCases {
                         log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(v_inner_at_request.ecSignature,mw_ec_signature_ext_payload))                  
                         if (match(v_inner_at_request.ecSignature, mw_ec_signature_ext_payload) == false) {
                             // Send error message: Present signed external payload doesnot match mw_ec_signature_ext_payload template
-                            f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
-                            v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+                            f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
+                            v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers));
                             // Set verdict
                             p_result := -5;
                         } else {
@@ -490,8 +522,8 @@ module ItsPki_TestCases {
                                     if (match(v_ec_hashed_id8, v_digest) == false) {
                                         // Send error message: Signer not contains HashedId8 of the CERT_EC certificate
-                                        f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
-                                        v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+                                        f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
+                                        v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers));
                                         // Set verdict
                                         p_result := -6;
                                     } else {
@@ -508,20 +540,20 @@ module ItsPki_TestCases {
                                             v_issuer := f_hashWithSha256(v_enc);
                                             if (f_verifyEcdsa(v_encoded_tbsData,v_issuer,v_ieee1609dot2_signed_data.content.signedData.signature_,v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
                                                 // Send error message: Unable to verfy signature using EC's verification public key
-                                                f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
-                                                v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+                                                f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
+                                                v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers));
                                                 // Set verdict
                                                 p_result := -7;
                                             } else {
                                                 // Send OK message
                                                 log("f_verify_http_at_request_from_iut_itss_for_ecSignature: Receive ", p_inner_at_request);
                                                 if (p_force_response_code == ok) {
-                                                    f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
+                                                    f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
                                                 } else {
                                                 log("f_verify_http_at_request_from_iut_itss_for_ecSignature: Succeed built force error code ", p_force_response_code);
-                                                    f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data);
+                                                    f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data);
                                                 }
-                                                v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
+                                                v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers));
                                             }
                                         } 
                                     }
@@ -791,7 +823,7 @@ module ItsPki_TestCases {
           alt {
             [] utPort.receive(UtPkiTriggerInd: { state := 1 }) {
               tc_ac.stop;
-              log("*** " & testcasename() & ": INFO: IUT is in enrolment state ***");
+              log("*** " & testcasename() & "itss: INFO: IUT is in enrolment state ***");
             }
             [] tc_ac.timeout {
               log("*** " & testcasename() & ": DBG: IUT state update not recieved ***");
@@ -898,7 +930,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_02_BV
        * @reference ETSI TS 102 941, clause 6.1.3
        */
       testcase TC_SECPKI_ITSS_ENR_02_BV() runs on ItsMtc system ItsPkiItssSystem {
@@ -929,7 +961,6 @@ module ItsPki_TestCases {
       } // End of testcase TC_SECPKI_ITSS_ENR_02_BV
       group f_TC_SECPKI_ITSS_ENR_02_BV {
-
         function f_TC_SECPKI_ITSS_ENR_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
           // Local variable
           var Headers v_headers;
@@ -958,18 +989,27 @@ module ItsPki_TestCases {
               var PublicVerificationKey v_canonical_key;
               tc_ac.stop;
-              f_send_500_Internal_Error(v_headers); // we don't care about response
-
-              if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
+              if( not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
                                                       v_request_hash, v_aes_enc_key,
                                                       v_decrypted_message,
                                                       v_pki_request,
-                                                      v_inner_ec_request))) {
+                                                      v_inner_ec_request))
+              {
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
+                f_send_500_Internal_Error(v_headers);
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if (not(isvalue(v_inner_ec_request))) {
+              if(not f_http_build_error_ec_response(unknownits, v_request_hash, vc_eaPrivateKey,
+                                                    vc_eaWholeHash, v_aes_enc_key, v_response_message))
+              {
+                log("*** " & testcasename() & ": INCOMC: Can't generate enrolment response***");
+                f_send_500_Internal_Error(v_headers);
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
+              }
+              f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_response_message)),
+                                                                           v_headers)));
+              if( not isvalue(v_inner_ec_request) ){
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
@@ -979,21 +1019,22 @@ module ItsPki_TestCases {
                 log("*** " & testcasename() & ": FAIL:     ", match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID));
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if (not(ischosen(v_decrypted_message.content.signedData))) {
+              if (not ischosen(v_decrypted_message.content.signedData)) {
                 log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***");
                 log("*** " & testcasename() & ": FAIL:     inner data content=", v_decrypted_message.content);
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if (not(ischosen(v_decrypted_message.content.signedData.signer.self_))) {
+              if (not ischosen(v_decrypted_message.content.signedData.signer.self_)) {
                 log("*** " & testcasename() & ": FAIL: EC request shall be self-signed by cannonical key ***");
                 log("*** " & testcasename() & ": FAIL:     signerInfo=", v_decrypted_message.content.signedData.signer);
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if(false == f_get_canonical_itss_key(v_canonical_key)){
+              if (not f_get_canonical_itss_key(v_canonical_key)){
                 log("*** " & testcasename() & ": INCONC: Unknown ITS-S canonical public key ***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // emulate inconc
               }
+              
               if (not(f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)),
                                     int2oct(0, 32), // issuer is emtpy string 
                                     v_decrypted_message.content.signedData.signature_,
@@ -1047,7 +1088,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_03_BV
        * @reference ETSI TS 102 941, clause 6.1.3
        */
       testcase TC_SECPKI_ITSS_ENR_03_BV() runs on ItsMtc system ItsPkiItssSystem {
@@ -1081,12 +1122,9 @@ module ItsPki_TestCases {
         function f_TC_SECPKI_ITSS_ENR_03_BV_itss(
                                                  in float p_delay := 0.0
-                                                 ) runs on ItsPkiItss system ItsPkiItssSystem {
-          // Local variables
-          var HashedId8               v_certificate_digest;
-          var EtsiTs103097Certificate v_certificate;
-
+        ) runs on ItsPkiItss system ItsPkiItssSystem {
           // Test component configuration
+          // vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
           vc_hashedId8ToBeUsed := "";
           f_cfUp_itss();
@@ -1160,8 +1198,6 @@ module ItsPki_TestCases {
             log("*** " & testcasename() & ":      v_request := ", v_request);
             f_selfOrClientSyncAndVerdict(c_prDone, e_error);
           }
-          log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***");
-          log(">>>>> v_inner_ec_response=", v_inner_ec_response);
                         
           var HashAlgorithm ha := f_getHashAlgorithmOfVerificationKeyIndicator(v_inner_ec_response.certificate.toBeSigned.verifyKeyIndicator);
           if (ha == sha256) {
@@ -1175,6 +1211,8 @@ module ItsPki_TestCases {
           v_ec_cert_digest := substr(v_ec_cert_hash, lengthof(v_ec_cert_hash) - 8, 8);
           log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***");
+          log(">>>>> v_inner_ec_response=", v_inner_ec_response);
+          log(">>>>> v_ec_cert_hash=", v_ec_cert_hash);
           f_selfOrClientSyncAndVerdict(c_prDone, e_success);
           // Test Body
@@ -1182,13 +1220,13 @@ module ItsPki_TestCases {
           alt {
             [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) {
               var integer v_result;
-              var HttpMessage v_response;
               var Oct16 v_request_hash, v_aes_enc_key;
               var Ieee1609Dot2Data v_decrypted_message;
               var EtsiTs102941Data v_etsi_ts_102941_data;
+              var InnerEcResponse  v_inner_ec_response2;
+              var Ieee1609Dot2Data v_response_message;
               tc_ac.stop;
-              f_send_500_Internal_Error(v_headers); // we don't care about response
               // Verify IUT response
               if (not(f_read_ec_request_from_iut_itss(
@@ -1197,11 +1235,26 @@ module ItsPki_TestCases {
                                                       v_decrypted_message,
                                                       v_etsi_ts_102941_data,
                                                       v_inner_ec_request))) {
+                f_send_500_Internal_Error(v_headers);
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
               
-              if (not(isvalue(v_inner_ec_request))) {
+              // send error response to prevent enrolment repetition
+              if( not f_http_build_error_ec_response(unknownits, v_request_hash,
+                                                  vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key,
+                                                  v_response_message) ) {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't build enrolment response ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+              f_http_send(v_headers, m_http_response(
+                                                      m_http_response_ok(
+                                                              m_http_message_body_binary(
+                                                                      m_binary_body_ieee1609dot2_data(v_response_message)
+                                                              ), v_headers)));
+              
+              if( not isvalue(v_inner_ec_request) ){
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
@@ -1211,16 +1264,19 @@ module ItsPki_TestCases {
                 log("*** " & testcasename() & ": FAIL:     ", match(v_inner_ec_request.itsId, v_ec_cert_digest));
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
+
               if (not(ischosen(v_decrypted_message.content.signedData))) {
                 log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***");
                 log("*** " & testcasename() & ": FAIL:     inner data content=", v_decrypted_message.content);
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
+
               if (not(ischosen(v_decrypted_message.content.signedData.signer.digest))) {
                 log("*** " & testcasename() & ": FAIL: re-keying EC request shall be signed by the previous EC certificate digest***");
                 log("*** " & testcasename() & ": FAIL:     signerInfo=", v_decrypted_message.content.signedData.signer);
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
+              
               if (not(f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)),
                                     v_ec_cert_hash,
                                     v_decrypted_message.content.signedData.signature_,
@@ -1251,21 +1307,15 @@ module ItsPki_TestCases {
        * Expected behaviour:
        *     ensure that {
        *         when {
-       *             the IUT is requested to send an EnrollmentRequestMessage
+       *             the IUT is informed about a revocation of its EC
        *         }
        *         then {
-       *             the IUT sends an EtsiTs103097Data-Encrypted
-       *               containing an encrypted EtsiTs103097Data-Signed
-       *                 containing EtsiTs102941Data
-       *                   containing InnerECRequestSignedForPOP
-       *                     containing InnerEcRequest
-       *                       containing itsId
-       *                         indicating the canonical identifier of the ITS-S 
+       *             the IUT returns to the "initialized" state
        *         }
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_04_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_04_BV
        * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1
        */
       testcase TC_SECPKI_ITSS_ENR_04_BV() runs on ItsMtc system ItsPkiItssSystem {
@@ -1292,11 +1342,13 @@ module ItsPki_TestCases {
        * <pre>
        * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
        * Expected behaviour:
-       *     ensure that {
-       *         when {
+       * with
+       * 	the IUT being in the 'enrolled' state
+       * 	and the EC of the IUT expires 
+       * ensure that
+       * 	when
        *             the IUT is requested to send an EnrollmentRequestMessage
-       *         }
-       *         then {
+       * 	then
        *             the IUT sends an EtsiTs103097Data-Encrypted
        *               containing an encrypted EtsiTs103097Data-Signed
        *                 containing EtsiTs102941Data
@@ -1304,11 +1356,9 @@ module ItsPki_TestCases {
        *                     containing InnerEcRequest
        *                       containing itsId
        *                         indicating the canonical identifier of the ITS-S 
-       *         }
-       *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_05_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_05_BV
        * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1
        */
       testcase TC_SECPKI_ITSS_ENR_05_BV() runs on ItsMtc system ItsPkiItssSystem {
@@ -1411,7 +1461,7 @@ module ItsPki_TestCases {
                                                    m_certificateSubjectAttributes_id_omit(
                                                                                           -,
                                                                                           valueof(m_validityPeriod(f_getCurrentTime() / 1000, 
-                                                                                          m_duration_in_seconds(float2int(PX_CERT_EXPIRATION_DELAY))))
+                                                                                                  m_duration_in_seconds(float2int(PX_CERT_EXPIRATION_DELAY))))
                                                    )))) {
             log("*** " & testcasename() & ": FAIL: First InnerEcRequest failed ***");
             log("*** " & testcasename() & ":      v_request := ", v_request);
@@ -1489,7 +1539,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_06_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_06_BV
        * @reference ETSI TS 102 941, clause 6.1.3
        */
       const charstring c_nextTry := "nextTry";
@@ -1657,7 +1707,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_07_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_07_BV
        * @reference ETSI TS 102 941, clause 6.2.3.2.1
        */
       testcase TC_SECPKI_ITSS_ENR_07_BV() runs on ItsMtc system ItsPkiItssSystem {
@@ -1721,18 +1771,33 @@ module ItsPki_TestCases {
               var PublicVerificationKey v_canonical_key;
               tc_ac.stop;
-              f_send_500_Internal_Error(v_headers); // we don't care about response
-
-              if ((not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
+              if( not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
                                                        v_request_hash, v_aes_enc_key,
                                                        v_decrypted_message,
                                                        v_pki_request,
-                                                       v_inner_ec_request))) {
+                                                      v_inner_ec_request)) {
+                f_send_500_Internal_Error(v_headers);
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if ((not isvalue(v_inner_ec_request))) {
+              // send any response to prevent enrolment repetition
+              // negative is simpler
+              if( not f_http_build_error_ec_response ( unknownits,v_request_hash,
+                                                          vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key,
+                                                          v_response_message) )
+              {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't build enrolment response ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+              f_http_send(v_headers, m_http_response(
+                                                      m_http_response_ok(
+                                                              m_http_message_body_binary(
+                                                                      m_binary_body_ieee1609dot2_data(v_response_message)
+                                                              ), v_headers)));
+
+              if (not isvalue(v_inner_ec_request)) {
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
@@ -1785,7 +1850,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_08_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_08_BV
        * @reference ETSI TS 102 941, clause 6.2.3.2.1
        */
       testcase TC_SECPKI_ITSS_ENR_08_BV_1() runs on ItsMtc system ItsPkiItssSystem {
@@ -1866,8 +1931,6 @@ module ItsPki_TestCases {
               var EtsiTs102941Data v_pki_request;
               tc_ac.stop;
-              f_send_500_Internal_Error(v_headers); // we dont care about response
-
               f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
                                                       v_request_hash, v_aes_enc_key,
                                                       v_decrypted_message,
@@ -1878,7 +1941,24 @@ module ItsPki_TestCases {
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if (not(ischosen(v_pki_request.content.enrolmentRequest))) {
+
+              // send any response to prevent enrolment repetition
+              // negative is simpler
+              if( not f_http_build_error_ec_response ( unknownits,v_request_hash,
+                                                  vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key,
+                                                  v_response_message) )
+              {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't build enrolment response ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+              f_http_send(v_headers, m_http_response(
+                                                      m_http_response_ok(
+                                                              m_http_message_body_binary(
+                                                                      m_binary_body_ieee1609dot2_data(v_response_message)
+                                                              ), v_headers)));
+
+              if( not ischosen(v_pki_request.content.enrolmentRequest)) {
                 log("*** " & testcasename() & ": FAIL: Not an enrolment request ***");
                 log("*** " & testcasename() & ":       EtsiTs102941Data.content=", v_pki_request.content);
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
@@ -1915,6 +1995,7 @@ module ItsPki_TestCases {
       } // End of group f_SECPKI_ITSS_ENR_08
+
       /**
        * @desc In the headerInfo of the tbsData of the outer EtsiTs102941Data-Signed all other components 
        *       of the component tbsdata.headerInfo except generationTime and psid are not used and absent. 
@@ -1942,7 +2023,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_09_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_09_BV
        * @reference ETSI TS 102 941, clause 6.2.3.2.1
        */
       testcase TC_SECPKI_ITSS_ENR_09_BV_1() runs on ItsMtc system ItsPkiItssSystem {
@@ -2024,18 +2105,33 @@ module ItsPki_TestCases {
               tc_ac.stop;
-              f_send_500_Internal_Error(v_headers); // we don't care about response
-
               if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
                                                       v_request_hash, v_aes_enc_key,
                                                       v_decrypted_message,
                                                       v_pki_request,
                                                       v_inner_ec_request))) {
+                f_send_500_Internal_Error(v_headers);
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
-              if (not(match(v_decrypted_message,
+              // send error response to prevent enrolment repetition
+              if( not f_http_build_error_ec_response ( unknownits,v_request_hash,
+                                                  vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key,
+                                                  v_response_message) )
+              {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't build enrolment response ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+              f_http_send(v_headers, m_http_response(
+                                                      m_http_response_ok(
+                                                              m_http_message_body_binary(
+                                                                      m_binary_body_ieee1609dot2_data(v_response_message)
+                                                              ), v_headers)));
+
+              // check signed message structure
+              if ( not ( match( v_decrypted_message,
                             mw_etsiTs103097Data_signed(
                                                        mw_signedData(
                                                                      -,
@@ -2043,7 +2139,7 @@ module ItsPki_TestCases {
                                                                                        -,
                                                                                        mw_headerInfo_outer_pki_request
                           
-                  )))))) {
+              )))))) {
                 log("*** " & testcasename() & ": FAIL: Invalid outer signed structure in EC request ***");
                 log("*** " & testcasename() & ":       ",
                   match(v_decrypted_message,m_etsiTs103097Data_signed(mw_signedData(-,mw_toBeSignedData(-,mw_headerInfo_outer_pki_request()))))
@@ -2096,7 +2192,7 @@ module ItsPki_TestCases {
        *     }
        * </pre>
        * 
-       * @see       ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_10_BV
+       * @see       ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_10_BV
        * @reference ETSI TS 102 941, clause 6.2.3.2.1
        */
       testcase TC_SECPKI_ITSS_ENR_10_BV_1() runs on ItsMtc system ItsPkiItssSystem {
@@ -2191,8 +2287,6 @@ module ItsPki_TestCases {
               var PublicVerificationKey v_canonical_key;
               tc_ac.stop;
-              f_send_500_Internal_Error(v_headers); // we don't care about response
-
               log("*** " & testcasename() & ": PASS: EC request sent to proper EA recipient ***");
               if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
@@ -2200,10 +2294,27 @@ module ItsPki_TestCases {
                                                       v_decrypted_message,
                                                       v_pki_request,
                                                       v_inner_ec_request))) {
+                f_send_500_Internal_Error(v_headers);
                 log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
                 f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
               }
+              // send any response to prevent enrolment repetition
+              // negative is just simpler
+              if( not f_http_build_error_ec_response ( unknownits,v_request_hash,
+                                                          vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key,
+                                                          v_response_message) )
+              {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't build enrolment response ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+              f_http_send(v_headers, m_http_response(
+                                                      m_http_response_ok(
+                                                              m_http_message_body_binary(
+                                                                      m_binary_body_ieee1609dot2_data(v_response_message)
+                                                              ), v_headers)));
+
               // Set verdict
               log("*** " & testcasename() & ": PASS: EC request can be decrypted ***");
               f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
@@ -2272,7 +2383,7 @@ module ItsPki_TestCases {
         // Start components
         v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss());
-        v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki());
+        v_ea.start(f_TC_SECPKI_ITSS_ENR_11_BV_pki());
         // Synchronization
         f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
@@ -2280,6 +2391,93 @@ module ItsPki_TestCases {
         // Cleanup
         f_cfMtcDown01(v_itss, v_ea);
       } // End of TC_SECPKI_ITSS_ENR_11_BV
+      
+      group f_TC_SECPKI_ITSS_ENR_11_BV {
+        function f_TC_SECPKI_ITSS_ENR_11_BV_pki ( ) runs on ItsPkiHttp system ItsPkiItssSystem {
+          // Local variable
+          var Headers v_headers;
+          var HttpMessage v_request;
+          
+          // Test component configuration
+          f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
+          
+          // Test adapter configuration
+          
+          // Preamble
+          f_init_default_headers_list(-, "inner_ec_response", v_headers);          
+          f_selfOrClientSyncAndVerdict(c_prDone, e_success);
+          
+          // Test Body
+          tc_ac.start;          
+          alt {
+            [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request)
+            {
+              var Ieee1609Dot2Data v_decrypted_message;
+              var InnerEcRequest   v_inner_ec_request;
+              var InnerEcResponse  v_inner_ec_response;
+              var Ieee1609Dot2Data v_response_message;
+              var EtsiTs102941Data v_pki_request;
+              var Oct16 v_request_hash, v_aes_enc_key;
+              var PublicVerificationKey v_canonical_key;
+              tc_ac.stop;
+
+              if (not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data,
+                                                      v_request_hash, v_aes_enc_key,
+                                                      v_decrypted_message,
+                                                      v_pki_request,
+                                                      v_inner_ec_request))
+              {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+
+              // send any response to prevent enrolment repetition
+              // negative is easier
+              if( not f_http_build_error_ec_response ( unknownits,v_request_hash,
+                                                  vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key,
+                                                  v_response_message) ) {
+                f_send_500_Internal_Error(v_headers);
+                log("*** " & testcasename() & ": FAIL: Can't build enrolment response ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+              f_http_send(v_headers, m_http_response(
+                                                      m_http_response_ok(
+                                                              m_http_message_body_binary(
+                                                                      m_binary_body_ieee1609dot2_data(v_response_message)
+                                                              ), v_headers)));
+
+
+              if (not isbound(v_inner_ec_request))
+              {
+                log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+
+              if (not f_verifyEcdsa(bit2oct(encvalue(v_pki_request.content.enrolmentRequest.content.signedData.tbsData)),
+                                    int2oct(0, 32),
+                                    v_pki_request.content.enrolmentRequest.content.signedData.signature_,
+                                    v_inner_ec_request.publicKeys.verificationKey))
+              {
+                log("*** " & testcasename() & ": FAIL: EC request signature verification failed ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
+              }
+
+              // Set verdict
+              log("*** " & testcasename() & ": PASS: EC request can be decrypted ***");
+              f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
+            }
+
+            [] tc_ac.timeout {
+              log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
+            }
+          } // End of 'alt' statement
+      
+          // Postamble
+          f_cfHttpDown();
+        } // End of function f_TC_SECPKI_ITSS_ENR_11_BV_pki
+      } // End of group g_TC_SECPKI_ITSS_ENR_11_BV
       /**
        * @desc Check that signing of Enrolment HttpRequest message is permitted by the EC certificate.
@@ -2288,6 +2486,7 @@ module ItsPki_TestCases {
        * Expected behaviour:
        *     ensure that {
        *         when {
+       *             the IUT is in enrolled state
        *             the IUT is requested to send an EnrolmentRequestMessage
        *         }
        *         then {
@@ -2579,7 +2778,7 @@ module ItsPki_TestCases {
           var boolean                 v_iut_state_ok := false;
           // Test component configuration
-          vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE;
+          vc_hashedId8ToBeUsed := ""; // No certificates //PX_IUT_DEFAULT_CERTIFICATE
           f_cfUp_itss();
           // Test adapter configuration
@@ -2727,34 +2926,34 @@ module ItsPki_TestCases {
        * @see       ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_01_BV
        * @reference ETSI TS 103 601, clause 5.1.2
        */
-      testcase TC_SECPKI_ITSS_ENR_REP_01_BV() runs on ItsMtc system ItsPkiItssSystem {
-        // Local variables
-        var ItsPkiItss v_itss;
-        var ItsPkiHttp v_ea;
-        // Test control
-        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) {
-          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***");
-          setverdict(inconc);
-          stop;
-        }
-        // Test component configuration
-        f_cfMtcUp01(v_itss, v_ea);
-        // Start component
-        v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); // reuse from ENR group
-        v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki());
-        // Synchronization
-        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
-        // Cleanup
-        f_cfMtcDown01(v_itss, v_ea);
-      } // End of testcase TC_SECPKI_ITSS_ENR_REP_01_BV
-      group f_TC_SECPKI_ITSS_ENR_REP_01_BV {
+      group g_TC_SECPKI_ITSS_ENR_REP_01_BV {
+        testcase TC_SECPKI_ITSS_ENR_REP_01_BV() runs on ItsMtc system ItsPkiItssSystem {
+          // Local variables
+          var ItsPkiItss v_itss;
+          var ItsPkiHttp v_ea;
+          // Test control
+          if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) {
+            log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***");
+            setverdict(inconc);
+            stop;
+          }
+          // Test component configuration
+          f_cfMtcUp01(v_itss, v_ea);
+          // Start component
+          v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); // reuse from ENR group
+          v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki());
+          // Synchronization
+          f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
+          // Cleanup
+          f_cfMtcDown01(v_itss, v_ea);
+        } // End of testcase TC_SECPKI_ITSS_ENR_REP_01_BV
         function f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
           // Local variable
@@ -2826,40 +3025,39 @@ module ItsPki_TestCases {
        * @see       ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_02_BV
        * @reference ETSI TS 103 601, clause 5.1.2
        */
-      testcase TC_SECPKI_ITSS_ENR_REP_02_BV() runs on ItsMtc system ItsPkiItssSystem {
-        // Local variables
-        var ItsPkiItss v_itss;
-        var ItsPkiHttp v_ea;
-
-        // Test control
-        if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) {
-          log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***");
-          setverdict(inconc);
-          stop;
-        }
-
-        // Test component configuration
-        f_cfMtcUp01(v_itss, v_ea);
-
-        // Start component
-        v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); // reused from ENR group
-        v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki());
-
-        // Synchronization
-        f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
-
-        // Cleanup
-        f_cfMtcDown01(v_itss, v_ea);
-
-      } // End of testcase TC_SECPKI_ITSS_ENR_REP_02_BV
-
       group f_TC_SECPKI_ITSS_ENR_REP_02_BV {
-
+        testcase TC_SECPKI_ITSS_ENR_REP_02_BV() runs on ItsMtc system ItsPkiItssSystem {
+          // Local variables
+          var ItsPkiItss v_itss;
+          var ItsPkiHttp v_ea;
+          
+          // Test control
+          if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) {
+            log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***");
+            setverdict(inconc);
+            stop;
+          }
+          
+          // Test component configuration
+          f_cfMtcUp01(v_itss, v_ea);
+          
+          // Start component
+          v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss());
+          v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki());
+          
+          // Synchronization
+          f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
+          
+          // Cleanup
+          f_cfMtcDown01(v_itss, v_ea);
+          
+        } // End of testcase TC_SECPKI_ITSS_ENR_REP_02_BV
+              
         function f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
           // Local variable
           var Headers v_headers;
-          var HttpMessage v_initial_request;
-          var HttpMessage v_request;
+          var HttpMessage v_request1;
+          var HttpMessage v_request2;
           // Test component configuration
           f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
@@ -2868,10 +3066,9 @@ module ItsPki_TestCases {
           // Preamble
           f_init_default_headers_list(-, "inner_ec_response", v_headers);
-
           tc_ac.start;
           alt {
-            [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_initial_request) {
+            [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request1) {
               log("*** " & testcasename() & ": INFO: First enrolment request received ***");
               tc_ac.stop;
               f_http_restart("inner_ec_request");
@@ -2881,29 +3078,38 @@ module ItsPki_TestCases {
               f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
             }
           } // End of 'alt' statement
-
-          f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
-
-          // Test Body
+          f_selfOrClientSyncAndVerdict(c_prDone, e_success);
+          
+          // Test Body          
           tc_ac.start;
           alt {
-            [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) {
-              log("*** " & testcasename() & "EC repetition has been received ***");
+            [] a_await_ec_http_request_from_iut(
+                                      mw_http_request(
+                                            mw_http_request_post(
+                                                    PICS_HTTP_POST_URI_EC,
+                                                    -,
+                                                    v_request1.request.body)),
+
+                                      v_request2)
+            {
               tc_ac.stop;
-              // Check if both requests are same
-              if (match(v_request, v_initial_request)) {
-                log("*** " & testcasename() & ": PASS: Repetition request is same ***");
-                f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
-              } else {
-                log("*** " & testcasename() & ": FAIL: Repetition request is different ***");
-                f_selfOrClientSyncAndVerdict(c_tbDone, e_error)
-              } 
+              log("*** " & testcasename() & ": PASS: Same enrolment request received ***");
+              // send error respond to prevent future requests
+              f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_success);
             }
-            [] tc_wait.timeout {
-              log("*** " & testcasename() & ": FAIL: EC repetition was not received ***");
-              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
+            [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request2) {
+              tc_ac.stop;
+              log("*** " & testcasename() & ": FAIL: 2nd enrolment request is not identical ***");
+              f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error);
             }
-          }
+            [] tc_ac.timeout {
+              log("*** " & testcasename() & ": INCONC: First enrolment request not received ***");
+              f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout);
+            }
+          } // End of 'alt' statement
+
+          f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+
           // Postamble
           f_cfHttpDown();
         } // End of function f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki
@@ -2994,7 +3200,7 @@ module ItsPki_TestCases {
           tc_ac.start;
           alt {
             [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) {
-              log("*** " & testcasename() & ": PASS: EC repetition has been received ***");
+              log("*** " & testcasename() & ": EC repetition has been received ***");
               var HttpMessage v_response;
               var integer v_result;
               var InnerEcRequest v_inner_ec_request;
@@ -3112,15 +3318,16 @@ module ItsPki_TestCases {
             }
             [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_initial_request){
               // count exceed
+              log("*** " & testcasename() & ": FAIL: Too many repetitions of Enrolment requests received ***");
               f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_error);
             }
             [] tc_ac.timeout{
               if(v_count > PX_ENR_MAX_N1){
-                log("*** " & testcasename() & ": PASS: Maximum number of Enrollment request messages received ***");
+                log("*** " & testcasename() & ": PASS: Maximum number of Enrollment request repetitions received ***");
                 f_selfOrClientSyncAndVerdict(c_prDone, e_success);
               } else {
-              log("*** " & testcasename() & ": INCONC: Expected message not received ***");
-              f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);             
+                log("*** " & testcasename() & ": INCONC: Expected message not received ***");
+                f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);             
               }
             }
           }
@@ -3185,8 +3392,8 @@ module ItsPki_TestCases {
         function f_TC_SECPKI_ITSS_ENR_REP_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
           // Local variable
           var Headers v_headers;
-          var HttpMessage v_initial_request;
           var HttpMessage v_request;
+          var HttpMessage v_initial_request;
           // Test component configuration
           f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
@@ -5881,7 +6088,7 @@ module ItsPki_TestCases {
       } // End of group f_TC_SECPKI_ITSS_AUTH_REP_05_BV
-     } // End of group itss_authorization_request_repetition
+    } // End of group itss_authorization_request_repetition
     // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.4  Authorization using butterfly key expansion mechanism
     group itss_authorization_request_bfk {
@@ -6020,8 +6227,8 @@ module ItsPki_TestCases {
           // Local variable
           var Headers v_headers;
           var HttpMessage v_request;
-          var InnerEcRequest  v_inner_ec_request;
           var InnerEcResponse v_inner_ec_response;
+          var InnerEcRequest v_inner_ec_request;
           // Test component configuration
           f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
@@ -6371,8 +6578,8 @@ module ItsPki_TestCases {
           // Local variable
           var Headers v_headers;
           var HttpMessage v_request;
-          var InnerEcRequest  v_inner_ec_request;
           var InnerEcResponse v_inner_ec_response;
+          var InnerEcRequest v_inner_ec_request;
           // Test component configuration
           f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);

asn1 @ 7e4ea27e

-Subproject commit 021805f17253f5b0baf80b13bca8151a05342655
+Subproject commit 7e4ea27e7e0d752587aa48051f880607c29ef8ca

lib_system/LibItsPki_Functions.ttcn

@@ -1343,6 +1343,49 @@ module LibItsPki_Functions {
       return p_result;
     } // End of function f_http_build_inner_ec_response
 
+    function f_http_build_error_ec_response(
+                                            in EnrolmentResponseCode p_responseCode := ok,
+                                            in Oct16 p_request_hash,
+                                            in octetstring p_private_key := ''O,
+                                            in octetstring p_digest := ''O,
+                                            in Oct16 p_aes_sym_key,
+                                            out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data
+                                            ) return boolean {
+      // Local variables
+      var octetstring v_msg;
+      var Oct12 v_nonce;
+      var Ieee1609Dot2Data v_ieee1609dot2_signed_data;
+      var boolean p_result := false;
+      var InnerEcResponse v_inner_ec_response;
+
+      // Check expectred response
+      if (p_responseCode == ok) {
+        return false;
+      }
+      v_inner_ec_response := valueof(
+                                      m_innerEcResponse_ko(
+                                                          p_request_hash,
+                                                          p_responseCode
+                                                          )
+                                      );
+      // Secure the response
+      log("f_http_build_error_ec_response: p_inner_ec_response= ", v_inner_ec_response);
+      v_msg := bit2oct(encvalue(m_etsiTs102941Data_inner_ec_response(v_inner_ec_response)));
+      v_nonce := substr(f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 16)), 0, 12); // Random value
+      // TODO Consider  Sha384: m_signerIdentifier_digest(f_hashedId8FromSha384(p_digest))
+      if (f_build_pki_secured_response_message(p_private_key,
+                                               valueof(m_signerIdentifier_digest(f_hashedId8FromSha256(p_digest))),//  in SignerIdentifier p_signer_identifier,
+                                               v_msg,
+                                               p_aes_sym_key,
+                                               v_nonce,
+                                               p_ieee1609dot2_signed_and_encrypted_data
+                                               ) == false) {
+        log("f_http_build_inner_ec_response: Failed to generate the certificate");
+        return false;
+      }
+      return true;
+    } // End of function f_http_build_error_ec_response
+
     function f_http_build_authorization_request(
                                                 in Certificate p_ec_certificate, // Enrolment credentials certificate
                                                 in octetstring p_ec_private_key,
@@ -5319,7 +5362,7 @@ module LibItsPki_Functions {
                                             mw_enrolmentRequestMessage(
                                                     mw_encryptedData()
       )))));
-    } // End of template mw_http_ec_request_generic
+    } // End of predefined requests
 
     function f_await_ec_request_send_response(
                                               out InnerEcRequest p_inner_ec_request,
@@ -5340,41 +5383,39 @@ module LibItsPki_Functions {
         [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, p_request) {
           var Ieee1609Dot2Data v_decrypted_message;
           var EtsiTs102941Data v_etsi_ts_102941_data;
-          var Oct16 v_request_hash;
-          var Oct16 v_aes_enc_key;
-          var InnerEcRequest v_inner_ec_request;
           var template (value) HttpMessage v_response;
-
+          var Oct16 v_request_hash, v_aes_enc_key;
           tc_ac.stop;
 
-          if(f_read_ec_request_from_iut_itss(p_request.request.body.binary_body.ieee1609dot2_data,
-                                             v_request_hash, v_aes_enc_key,
-                                             v_decrypted_message,
-                                             v_etsi_ts_102941_data,
-                                             p_inner_ec_request)) {
-            var EtsiTs103097Certificate v_ec_certificate;
-            var HashedId8 v_ec_certificate_hashed_id8;
+          if(f_read_ec_request_from_iut_itss( p_request.request.body.binary_body.ieee1609dot2_data,
+                                              v_request_hash, v_aes_enc_key,
+                                              v_decrypted_message,
+                                              v_etsi_ts_102941_data,
+                                              p_inner_ec_request
+          )){
+          var EtsiTs103097Certificate v_ec_certificate;
+          var HashedId8 v_ec_certificate_hashed_id8;
             var Ieee1609Dot2Data v_response_message;
 
             log(">>>>>> f_await_ec_request_send_response v_inner_ec_request=", p_inner_ec_request);
 
-            if(ispresent(p_attributes)) {
-              if(isvalue(p_attributes.id)) {
+            if(ispresent(p_attributes)){
+              if(isvalue(p_attributes.id)){
                 p_inner_ec_request.requestedSubjectAttributes.id := valueof(p_attributes.id);
               }
-              if(isvalue(p_attributes.validityPeriod)) {
+              if(isvalue(p_attributes.validityPeriod)){
                 p_inner_ec_request.requestedSubjectAttributes.validityPeriod := valueof(p_attributes.validityPeriod);
               }
-              if(isvalue(p_attributes.region)) {
+              if(isvalue(p_attributes.region)){
                 p_inner_ec_request.requestedSubjectAttributes.region := valueof(p_attributes.region);
               }
-              if(isvalue(p_attributes.assuranceLevel)) {
+              if(isvalue(p_attributes.assuranceLevel)){
                 p_inner_ec_request.requestedSubjectAttributes.assuranceLevel := valueof(p_attributes.assuranceLevel);
               }
-              if(isvalue(p_attributes.appPermissions)) {
+              if(isvalue(p_attributes.appPermissions)){
                 p_inner_ec_request.requestedSubjectAttributes.appPermissions := valueof(p_attributes.appPermissions);
               }
-              if(isvalue(p_attributes.certIssuePermissions)) {
+              if(isvalue(p_attributes.certIssuePermissions)){
                 p_inner_ec_request.requestedSubjectAttributes.certIssuePermissions := valueof(p_attributes.certIssuePermissions);
               }
             }
@@ -5389,11 +5430,13 @@ module LibItsPki_Functions {
                                           ), v_headers));
           } else {
             v_response := m_http_response(m_http_response_500_internal_error(v_headers));
+            }
+            f_http_send(v_headers, v_response);
+          v_result := true;
           }
-          f_http_send(v_headers, v_response);
-        }
+
         [] a_await_ec_http_request_from_iut( mw_http_request(), v_wrong_request) {
-          log("f_await_ec_request_send_response: Wrong message received ", v_wrong_request);
+          log(">>>>>> f_await_ec_request_send_response: Wrong message received ", v_wrong_request);
           log("            ", match(v_wrong_request, mw_http_request()));
           f_http_send(v_headers, m_http_response(m_http_response_500_internal_error(v_headers)));
           repeat;
@@ -5409,8 +5452,6 @@ module LibItsPki_Functions {
     function f_await_ec_request_send_no_response(
                                                  out HttpMessage p_request
                                                  ) runs on ItsPkiHttp {
-      var boolean v_result := false;
-
       log(">>> f_await_ec_request_send_no_response");
 
       tc_ac.start;
@@ -5933,10 +5974,9 @@ module LibItsPki_Functions {
       var octetstring v_tbs_signed;
       var template (value) Ieee1609Dot2Data v_ieee1609dot2_signed_data;
       var octetstring v_encoded_inner_ec_response;
-      var octetstring v_symkeyidentifier;
       var HashedId8 v_recipientId;
       var octetstring v_encrypted_inner_ec_response;
-
+      var octetstring v_symkeyidentifier;
       // Signed the encoded PKI message
       v_tbs := m_toBeSignedData(
                                 m_signedDataPayload(
@@ -5950,6 +5990,8 @@ module LibItsPki_Functions {
         var charstring v_certificate_id;
         var Oct32 v_hash;
         fx_readCertificateFromDigest(p_signer_identifier.digest, v_certificate_id); // TODO Add a wrapper function
+        log(">>>>> f_build_pki_secured_response_message: use ", v_certificate_id, " for signing response");
+        log(">>>>> f_build_pki_secured_response_message: use ", p_private_key, " as private key");
         f_getCertificateHash(v_certificate_id, v_hash);
         v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), v_hash, p_private_key);
       }
@@ -6000,52 +6042,54 @@ module LibItsPki_Functions {
     } // End of function f_build_pki_secured_response_message
 
     function f_read_pki_request_message(
-                                        in Ieee1609Dot2Data p_encrypted_message,
-                                        in Oct32 p_private_enc_key,
-                                        in Oct32 p_salt,
-                                        out Oct16 p_request_hash,
-                                        out Oct16 p_aes_enc_key,
-                                        out Ieee1609Dot2Data p_decrypted_message,
-                                        out EtsiTs102941Data p_etsi_ts_102941_data
-                                        ) return boolean {
+                                  in Ieee1609Dot2Data p_encrypted_message,
+                                  in Oct32 p_private_enc_key,
+                                  in Oct32 p_salt,
+                                  out Oct16 p_request_hash,
+                                  out Oct16 p_aes_enc_key,
+                                  out Ieee1609Dot2Data p_decrypted_message,
+                                  out EtsiTs102941Data p_etsi_ts_102941_data
+                                ) return boolean {
       var octetstring v_msg;
-      var boolean v_return_code := true;
+      var boolean ret := true;
 
       // 1. Calculate the request Hash
       v_msg := bit2oct(encvalue(p_encrypted_message));
-      log("f_read_pki_request_message: Encoded request: ", v_msg);
+      log("f_parse_pki_request: Encoded request: ", v_msg);
       p_request_hash := substr(f_hashWithSha256(v_msg), 0, 16);
-      log("f_read_pki_request_message: p_request_hash= ", p_request_hash);
+      log("f_parse_pki_request: p_request_hash= ", p_request_hash);
 
       // 2. Decrypt message
-      log("f_read_pki_request_message: p_private_enc_key= ", p_private_enc_key);
+      log("f_parse_pki_request: p_private_enc_key= ", p_private_enc_key);
       if (false == f_decrypt(p_private_enc_key, p_encrypted_message, p_salt, p_decrypted_message, p_aes_enc_key)) {
-        log("f_read_pki_request_message: Failed to decrypt message");
+        log("f_parse_pki_request: Failed to decrypt message");
         return false;
       }
-      log("f_read_pki_request_message: v_ieee1609dot2_signed_data= ", p_decrypted_message);
-      log("f_read_pki_request_message: p_aes_enc_key= ", p_aes_enc_key);
+      log("f_parse_pki_request: v_ieee1609dot2_signed_data= ", p_decrypted_message);
+      log("f_parse_pki_request: p_aes_enc_key= ", p_aes_enc_key);
 
       // 3. get TS 102 941 data
-      select(p_decrypted_message) {
-        case (mw_etsiTs103097Data_signed(
-                                         mw_signedData(
-                                                       -,
-                                                       mw_toBeSignedData(
-                                                                         mw_signedDataPayload
-              )))) {
-           var bitstring v_msg_bit;
-           v_msg_bit := oct2bit(p_decrypted_message.content.signedData.tbsData.payload.data.content.unsecuredData);
-           if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) {
-             v_return_code := false;
-           }
-        }
+      select(p_decrypted_message){
+        case( mw_etsiTs103097Data_signed(
+                    mw_signedData(
+                            -,
+                            mw_toBeSignedData(
+                                    mw_signedDataPayload
+                            )
+                    )
+              )
+        ) {
+            var bitstring v_msg_bit;
+            v_msg_bit := oct2bit(p_decrypted_message.content.signedData.tbsData.payload.data.content.unsecuredData);
+            if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) {
+              ret := false;
+            }
+          }
         case else {
-          v_return_code := false;
+          ret := false;
         }
-      } // End of 'select' statement
-
-      return v_return_code;
+      }
+      return ret;
     } // End of function f_read_pki_request_message
 
     function f_read_ec_request_from_iut_itss(
@@ -6061,11 +6105,17 @@ module LibItsPki_Functions {
       var EtsiTs103097Certificate v_ec_certificate;
       var HashedId8 v_ec_certificate_hashed_id8;
       var InnerEcResponse v_inner_ec_response;
-
-      if (f_read_pki_request_message(p_encrypted_message, vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/,
-                                     p_request_hash, p_aes_enc_key,
-                                     p_decrypted_message,
-                                     p_etsi_ts_102941_data)) {
+/*      
+      if(false == f_get_canonical_itss_key(v_canonical_key)){
+        log(">>> f_read_ec_request_from_iut_itss: error getting canonical key");
+        return false;
+      }
+*/
+      if( f_read_pki_request_message( p_encrypted_message, vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/,
+                                          p_request_hash, p_aes_enc_key,
+                                          p_decrypted_message,
+                                          p_etsi_ts_102941_data
+      )) {
         // decode InnerEcRequest 
         var bitstring v_msg_bit := oct2bit(p_etsi_ts_102941_data.content.enrolmentRequest.content.signedData.tbsData.payload.data.content.unsecuredData);
         if (decvalue(v_msg_bit, p_inner_ec_request) != 0) {
@@ -6076,6 +6126,7 @@ module LibItsPki_Functions {
       return false;
     } // End of function f_read_ec_request_from_iut_itss
 
+
     /**
      * @desc Verify the protocol element of the Pki message. 
      *       If p_check_security is set to false, only decryption and decoding of the outer message are verified.
@@ -6154,29 +6205,29 @@ module LibItsPki_Functions {
       // 4. Verifiy signature
       log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
       v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData));
-      log("f_verify_pki_request_message: v_msg= ", v_msg);
-      if (not ispresent(p_verification_key)) {
+      if (not ispresent(p_verification_key)){
         var EtsiTs103097Certificate v_cert;
         var charstring v_cert_id;
-        if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.digest)) {
+        if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.digest)){
           if (not f_getCertificateFromDigest(v_ieee1609dot2_signed_data.content.signedData.signer.digest, v_cert, v_cert_id)){
             if (p_check_security == true) {
               return false;
             }
           }
         }
-        if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.certificate)) {
-          if(lengthof(v_ieee1609dot2_signed_data.content.signedData.signer.certificate) > 0) {
+        if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.certificate)){
+          if(lengthof(v_ieee1609dot2_signed_data.content.signedData.signer.certificate) > 0){
             v_cert := v_ieee1609dot2_signed_data.content.signedData.signer.certificate[0];
           }
         }
-        if (isbound(v_cert)) {
+        if (isbound(v_cert)){
           if(ischosen(v_cert.toBeSigned.verifyKeyIndicator.verificationKey)){
             p_verification_key := v_cert.toBeSigned.verifyKeyIndicator.verificationKey;
           }
         }
       }
-      if (ispresent(p_verification_key)) {
+      if (ispresent(p_verification_key)){
+        log("f_verify_pki_request_message: v_msg= ", v_msg);
         if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, valueof(p_verification_key))) {
           if (p_check_security == true) {
             return false;