diff --git a/ItsPki_Pixits.ttcn b/ItsPki_Pixits.ttcn index 301885d353aa92efc2314d6ab70d582fe6449d87..689624336858d01187c4ef65052889376e36e8ad 100644 --- a/ItsPki_Pixits.ttcn +++ b/ItsPki_Pixits.ttcn @@ -10,4 +10,9 @@ module ItsPki_Pixits { modulepar boolean PX_TRIGGER_EC_BEFORE_AT := true; + modulepar boolean PX_CHECK_INITIAL_STATES := true; + + modulepar float PX_CERT_EXPIRATION_DELAY := 10.0; + + modulepar float PX_EC_REPETITION_TIMEOUT := 120.0; } // End of module ItsPki_Pixits diff --git a/ItsPki_TestCases.ttcn b/ItsPki_TestCases.ttcn index b36a0d77035f020390258d9f9cf6ce3b22079c41..4e43ed0f7aebb8fdee8a0d82f30267e8accdafc7 100644 --- a/ItsPki_TestCases.ttcn +++ b/ItsPki_TestCases.ttcn @@ -86,6 +86,12 @@ module ItsPki_TestCases { * @desc 5.2 ITS-S behaviour */ group itss_behavior { + group itss_states { + const charstring c_stInitial := "initial"; + const charstring c_stEnrolled := "enrolled"; + const charstring c_stAuthorized := "authorized"; + } + group itss_helpers { @@ -116,12 +122,13 @@ module ItsPki_TestCases { out InnerEcResponse p_inner_ec_response, out HttpMessage p_response, out integer p_result, - in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, - in template SignerIdentifier p_signer := m_signerIdentifier_self, + in template (present) octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, + in template (present) SignerIdentifier p_signer := m_signerIdentifier_self, in EnrolmentResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; + var Ieee1609Dot2Data v_ieee1609dot2_signed_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var HashedId8 v_bfk_hashed_id8; @@ -129,40 +136,70 @@ module ItsPki_TestCases { var template (value) HttpMessage v_response; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; + var PublicVerificationKey v_canonical_key; log(">>> f_verify_http_ec_request_from_iut_itss: ", p_request); p_result := 0; - if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message + if(false == f_get_canonical_itss_key(v_canonical_key)){ + log(">>> f_verify_http_ec_request_from_iut_itss: error getting canonical key"); + v_response := m_http_response(m_http_response_500_internal_error(p_headers)); + p_result := -1; + return; + } + + if( not f_read_pki_request_message( + p_request.body.binary_body.ieee1609dot2_data, + vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, + v_request_hash, v_aes_enc_key, + v_ieee1609dot2_signed_data, + v_etsi_ts_102941_data + )) + { + f_http_build_inner_ec_response(-, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); + p_result := -1; + goto L_Done; + } + + log("f_verify_http_ec_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log + if (false == match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))) { // Send error message - v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message + f_http_build_inner_ec_response(-, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict - p_result := -1; - } else { - log("f_verify_http_ec_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log - if (match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer)))) == false) { + p_result := -2; + goto L_Done; + } +/* + var bitstring v_msg_bit := oct2bit(v_etsi_ts_102941_data.content.enrolmentRequest.content.signedData.tbsData.payload.data.content.unsecuredData); + if (decvalue(v_msg_bit, p_inner_ec_request) != 0) { // Send error message - f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); + f_http_build_inner_ec_response(-, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict p_result := -2; - } else { + goto L_Done; + } +*/ // Verify signature of mw_innerEcRequestSignedForPop - if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) { + if (false == f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request)) { // Send error message f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -3; - } else { + goto L_Done; + } + log("f_verify_http_ec_request_from_iut_itss: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log - if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) { + if (false == match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)})))) { // Send error message: Not enrolmentrequest f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -4; - } else { + goto L_Done; + } + // TODO Check ValidityPeriod // Send OK message log("f_verify_http_ec_request_from_iut_itss: Receive ", p_inner_ec_request); @@ -199,12 +236,11 @@ module ItsPki_TestCases { log("f_verify_http_ec_request_from_iut_itss: Succeed but force error code ", p_force_response_code); f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); } - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); - } - } - } - } + label L_Done; + v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); + // Set verdict + p_result := 0; p_response := valueof(v_response); log("<<< f_verify_http_ec_request_from_iut_itss: p_response: ", p_response); log("<<< f_verify_http_ec_request_from_iut_itss: p_result: ", p_result); @@ -217,7 +253,7 @@ module ItsPki_TestCases { function f_verify_http_at_request_from_iut_itss( in Request p_request, in Headers p_headers, - in EtsiTs103097Certificate p_ec_certificate, + in template (omit) EtsiTs103097Certificate p_ec_certificate, out InnerAtRequest p_inner_at_request, out InnerAtResponse p_inner_at_response, out HttpMessage p_response, @@ -226,47 +262,122 @@ module ItsPki_TestCases { in AuthorizationResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables - var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; + var Ieee1609Dot2Data v_ieee1609dot2_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; - var HashedId8 v_bfk_hashed_id8; var Oct16 v_aes_enc_key; var template (value) HttpMessage v_response; + var octetstring v_msg; + log(">>> f_verify_http_at_request_from_iut_itss:", p_request); p_result := 0; - // Do not verify the signature now because ATRequest is required to verify the POP signature ==> false - if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Only decryption - // Send error message, unable to decrypt it - v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_response with an error message + // 1. Calculate the request Hash + v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data)); + log(">>> f_verify_http_at_request_from_iut_itss: Encoded request: ", v_msg); + v_request_hash := substr(f_hashWithSha256(v_msg), 0, 16); + log(">>> f_verify_http_at_request_from_iut_itss: p_request_hash= ", v_request_hash); + + // 2. Decrypt the InnerAtRequest + if (false == f_decrypt(vc_aaPrivateEncKey, // AA private encryption key + p_request.body.binary_body.ieee1609dot2_data , // data to be decrypted + vc_aaWholeHash, // salt + v_ieee1609dot2_data, // decrypted message + v_aes_enc_key)) + { + log("f_verify_http_at_request_from_iut_itss: Failed to decrypt message"); + // Send error message, unable to decypt it + p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); // Initialize v_reponse with an error message // Set verdict p_result := -1; + return ; + } + + // check if signed + var bitstring v_msg_bit; + if(ispresent(v_ieee1609dot2_data.content.signedData)){ + if(not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data) + or not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData)) + { + log("f_verify_http_at_request_from_iut_itss: Invalid message payload"); + p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); + p_result := -1; + return; + } + log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); + v_msg_bit := oct2bit(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); } else { + if(not ispresent(v_ieee1609dot2_data.content.unsecuredData)){ + log("f_verify_http_at_request_from_iut_itss: Invalid message payload"); + p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); + p_result := -1; + return; + } + v_msg_bit := oct2bit(v_ieee1609dot2_data.content.unsecuredData); + } + if (decvalue(v_msg_bit, v_etsi_ts_102941_data) != 0) { + log("f_verify_http_at_request_from_iut_itss: Can not decode v_etsi_ts_102941_data"); + p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); + p_result := -1; + return; + } + log("f_verify_http_at_request_from_iut_itss: matching: ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) { // Send error message - f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); + f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); // Set verdict p_result := -2; - } else { + return; + } +/* // Extract InnerAtRequest and Verify signature of mw_innerATRequestSignedForPop + if(!ispresent(p_ec_certificate)){ + // get ec certificate from + if(not f_readCertificate(PICS_IUT_EC_CERTIFICATE_ID, p_ec_certificate)){ + f_http_build_authorization_response(p_inner_at_request, unknownits, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); + p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); + // Set verdict + p_result := -3; + return; + } + } +*/ if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_ec_certificate, p_inner_at_request) == false) { // Send error message - f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); + f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); + p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -3; - } else { - log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // TODO In TITAN, this is the only way to get the unmatching in log + return; + } + + log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); if (match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined - // Send error message: No enrolment request - f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); + // Send error message: No authorization request + f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); + p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -4; - } else { + return; + } + + // Verify PoP signature of outer message + if(ispresent(v_ieee1609dot2_data.content.signedData)){ + log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData= ", v_ieee1609dot2_data.content.signedData.tbsData); + v_msg := bit2oct(encvalue(v_ieee1609dot2_data.content.signedData.tbsData)); + log("f_verify_http_at_request_from_iut_itss: v_msg= ", v_msg); + if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_data.content.signedData.signature_, p_inner_at_request.publicKeys.verificationKey)) { + f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); + p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); + // Set verdict + p_result := -6; + return; + } + } + var PublicVerificationKey v_verification_tag; var octetstring v_encoded_tag; var octetstring v_key_tag; @@ -290,27 +401,22 @@ module ItsPki_TestCases { log("f_verify_http_at_request_from_iut_itss: matching: ", match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag)); if (match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag) == false) { // Send error message: No enrolment request - f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); + f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); + p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -5; - } else { + return; + } + // Send OK message log("f_verify_http_at_request_from_iut_itss: Receive ", p_inner_at_request); if (p_force_response_code == ok) { - f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); + f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); } else { log("f_verify_http_at_request_from_iut_itss: Succeed built force error code ", p_force_response_code); - f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); + f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); } - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); - } - } - } - } - } - - p_response := valueof(v_response); + p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); log("<<< f_verify_http_at_request_from_iut_itss: p_result: ", p_result); log("<<< f_verify_http_at_request_from_iut_itss: p_response: ", p_response); } // End of function f_verify_http_at_request_from_iut_itss @@ -611,42 +717,32 @@ module ItsPki_TestCases { // Test Body tc_ac.start; alt { - [] a_await_ec_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, - mw_symmetricCiphertext_aes128ccm - )))))), - v_request - ) { - var HttpMessage v_response; - var integer v_result; + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { + var Oct16 v_request_hash; + var Oct16 v_aes_enc_key; + var Ieee1609Dot2Data v_outer_encrypted_message; + var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; - + var Ieee1609Dot2Data v_response_message; + var EtsiTs102941Data v_pki_request; tc_ac.stop; - // Verify IUT response - f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); - // Send response - if (isvalue(v_response)) { - httpPort.send(v_response); - } else { // Send HTTP error 500 + if( not( f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_pki_request, + v_inner_ec_request))) + { f_send_500_Internal_Error(v_headers); - } + log("*** " & testcasename() & ": INCONC: Canonical key is not set properly ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // to emulate inconc + }else{ + f_send_500_Internal_Error(v_headers); // we dont care about response // Set verdict - if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } else { - log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { @@ -689,7 +785,7 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_02_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_02_BV() runs on ItsMtc system ItsPkiItssSystem { @@ -709,7 +805,7 @@ module ItsPki_TestCases { // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); - v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); + v_ea.start(f_TC_SECPKI_ITSS_ENR_02_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); @@ -719,6 +815,95 @@ module ItsPki_TestCases { } // End of testcase TC_SECPKI_ITSS_ENR_02_BV + group f_TC_SECPKI_ITSS_ENR_02_BV { + function f_TC_SECPKI_ITSS_ENR_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_ec_response", v_headers); + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + tc_ac.start; + alt { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { + var Ieee1609Dot2Data v_decrypted_message; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var Ieee1609Dot2Data v_response_message; + var EtsiTs102941Data v_pki_request; + var Oct16 v_request_hash, v_aes_enc_key; + var PublicVerificationKey v_canonical_key; + tc_ac.stop; + + f_send_500_Internal_Error(v_headers); // we don't care about response + + if( not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_pki_request, + v_inner_ec_request)) + { + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if( not isvalue(v_inner_ec_request) ){ + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if(not match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID)){ + log("*** " & testcasename() & ": FAIL: Canonical ID mismatched ***"); + log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID)); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + if(not ischosen(v_decrypted_message.content.signedData)){ + log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***"); + log("*** " & testcasename() & ": FAIL: inner data content=", v_decrypted_message.content); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + if(not ischosen(v_decrypted_message.content.signedData.signer.self_)){ + log("*** " & testcasename() & ": FAIL: EC request shall be self-signed by cannonical key ***"); + log("*** " & testcasename() & ": FAIL: signerInfo=", v_decrypted_message.content.signedData.signer); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if(false == f_get_canonical_itss_key(v_canonical_key)){ + log("*** " & testcasename() & ": INCONC: Unknown ITS-S canonical public key ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // emulate inconc + } + if (not f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)), + int2oct(0, 32), // issuer is emtpy string + v_decrypted_message.content.signedData.signature_, + v_canonical_key)) + { + log("*** " & testcasename() & ": FAIL: EC request signature verification failed ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + // Set verdict + log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] tc_ac.timeout { + log("*** " & testcasename() & ": INCONC: Expected message not received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki + } /** * @desc In presence of a valid EC, the enrolment request of the IUT is a rekeying enrolment request with the itsId (contained in the InnerECRequest) and the SignerIdentifier @@ -748,7 +933,7 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_03_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_03_BV() runs on ItsMtc system ItsPkiItssSystem { @@ -780,13 +965,12 @@ module ItsPki_TestCases { group f_TC_SECPKI_ITSS_ENR_03_BV { - function f_TC_SECPKI_ITSS_ENR_03_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { - // Local variables - var HashedId8 v_certificate_digest; - var EtsiTs103097Certificate v_certificate; - + function f_TC_SECPKI_ITSS_ENR_03_BV_itss( + in float p_delay := 0.0 + ) runs on ItsPkiItss system ItsPkiItssSystem { // Test component configuration - vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + // vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration @@ -821,19 +1005,17 @@ module ItsPki_TestCases { //f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement + + if(p_delay > 0.0){ + log("*** " & testcasename() & "_itss: INFO: Wait for second enrolment trigger ***"); + f_sleep(p_delay); + } + // Trigger the second enrolment f_sendUtTriggerEnrolmentRequestPrimitive(); - tc_noac.start; - alt { - [] geoNetworkingPort.receive { - log("*** " & testcasename() & "_itss: FAIL: No CA message expected ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_error); - } - [] tc_noac.timeout { + log("*** " & testcasename() & "_itss: PASS: Re-enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } - } // End of 'alt' statement // Postamble f_cfDown_itss(); @@ -843,117 +1025,98 @@ module ItsPki_TestCases { // Local variable var Headers v_headers; var HttpMessage v_request; - var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var HashedId8 v_ec_cert_digest; + var octetstring v_ec_cert_hash; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); - alt { - [] a_await_ec_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, - mw_symmetricCiphertext_aes128ccm - )))))), - v_request - ) { - var integer v_result; - var InnerEcRequest v_inner_ec_request; - var InnerEcResponse v_inner_ec_response; - var HttpMessage v_response; - - tc_ac.stop; - - // Verify IUT response - f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); - // Send response - if (isvalue(v_response)) { - httpPort.send(v_response); - } else { // Send HTTP error 500 - f_send_500_Internal_Error(v_headers); + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request)){ + log("*** " & testcasename() & ": FAIL: First InnerEcRequest failed ***"); + log("*** " & testcasename() & ": v_request := ", v_request); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); } - // Set verdict - if (v_result == 0) { log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_success); + log(">>>>> v_inner_ec_response=", v_inner_ec_response); + + var HashAlgorithm ha := f_getHashAlgorithmOfVerificationKeyIndicator(v_inner_ec_response.certificate.toBeSigned.verifyKeyIndicator); + if (ha == sha256) { + v_ec_cert_hash := f_hashWithSha256(bit2oct(encvalue(v_inner_ec_response.certificate))); + } else if (ha == sha384) { + v_ec_cert_hash := f_hashWithSha384(bit2oct(encvalue(v_inner_ec_response.certificate))); } else { - log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); + log("*** " & testcasename() & ": FAIL: Unknown EC certificate hash alg=", ha); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } - } - [] tc_ac.timeout { - log("*** " & testcasename() & ": INCONC: Expected message not received ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); - } - } // End of 'alt' statement + v_ec_cert_digest := substr(v_ec_cert_hash, lengthof(v_ec_cert_hash) - 8, 8); + + log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); + f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { - [] a_await_ec_http_request_from_iut( // Re-enrolment request - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, - mw_symmetricCiphertext_aes128ccm - )))))), - v_request - ) { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { var integer v_result; - var InnerEcRequest v_inner_ec_request; - var InnerEcResponse v_inner_ec_response; var HttpMessage v_response; + var Oct16 v_request_hash, v_aes_enc_key; + var Ieee1609Dot2Data v_decrypted_message; + var EtsiTs102941Data v_etsi_ts_102941_data; tc_ac.stop; + f_send_500_Internal_Error(v_headers); // we don't care about response // Verify IUT response - log(">>>>>>>>>>>>>> DBG: vc_ec_keys_counter= ", vc_ec_keys_counter); - log(">>>>>>>>>>>>>> DBG: vc_ec_public_compressed_key[vc_ec_keys_counter - 1]= ", vc_ec_public_compressed_key[vc_ec_keys_counter - 1]); - log(">>>>>>>>>>>>>> DBG: vc_ec_compressed_modes[vc_ec_keys_counter - 1]= ", vc_ec_compressed_modes[vc_ec_keys_counter - 1]); - log(">>>>>>>>>>>>>> DBG: vc_ec_hashed_id8[vc_ec_keys_counter - 1]= ", vc_ec_hashed_id8[vc_ec_keys_counter - 1]); - f_verify_http_ec_request_from_iut_itss( - v_request.request, - v_headers, - v_inner_ec_request, - v_inner_ec_response, - v_response, - v_result, - vc_ec_hashed_id8[vc_ec_keys_counter - 1], // v_response... - // containing itsId declared as digest containing the HashedId8 of the EC identifier - m_signerIdentifier_digest(vc_ec_hashed_id8[vc_ec_keys_counter - 1] // containing signer declared as digest containing the HashedId8 of the EC identifier - ) - ); + if(not f_read_ec_request_from_iut_itss( v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_etsi_ts_102941_data, + v_inner_ec_request)) + { + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if( not isvalue(v_inner_ec_request) ){ + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } - // Send response - if (isvalue(v_response)) { - httpPort.send(v_response); - } else { // Send HTTP error 500 - f_send_500_Internal_Error(v_headers); + if(not match(v_inner_ec_request.itsId, v_ec_cert_digest)){ + log("*** " & testcasename() & ": FAIL: ITS-S ID is not equal to the EC HashedId8 ***"); + log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, v_ec_cert_digest)); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + if(not ischosen(v_decrypted_message.content.signedData)){ + log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***"); + log("*** " & testcasename() & ": FAIL: inner data content=", v_decrypted_message.content); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + if(not ischosen(v_decrypted_message.content.signedData.signer.digest)){ + log("*** " & testcasename() & ": FAIL: re-keying EC request shall be signed by the previous EC certificate digest***"); + log("*** " & testcasename() & ": FAIL: signerInfo=", v_decrypted_message.content.signedData.signer); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + if (not f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)), + v_ec_cert_hash, + v_decrypted_message.content.signedData.signature_, + v_inner_ec_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey + )) { + log("*** " & testcasename() & ": FAIL: EC request signature verification failed ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict - if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } else { - log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_error); - } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); @@ -982,18 +1145,11 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_04_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_04_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables - var Oct32 v_private_key; - var Oct32 v_public_key_x; - var Oct32 v_public_key_y; - var Oct32 v_public_compressed_key; - var integer v_compressed_mode; - var ItsPkiItss v_itss; - var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_CRL) { @@ -1016,17 +1172,23 @@ module ItsPki_TestCases { *
        * Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT
        * Expected behaviour:
-       *     ensure that {
-       *         when {
-       *             the EC of the IUT expires
-       *         }
-       *         then {
-       *             the IUT returns to the "initialized" state
-       *         }
-       *     }
+       * with
+       * 	the IUT being in the 'enrolled' state
+       * 	and the EC of the IUT expires 
+       * ensure that
+       * 	when
+       * 		the IUT is requested to send an EnrollmentRequestMessage
+       * 	then
+       * 		the IUT sends an EtsiTs103097Data-Encrypted
+       * 			containing an encrypted EtsiTs103097Data-Signed
+       * 				 containing EtsiTs102941Data
+       * 					 containing InnerECRequestSignedForPOP
+       * 						  containing InnerEcRequest
+       * 							   containing itsId
+       * 								   indicating the canonical identifier of the ITS-S 
        * 
* - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_05_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_05_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_05_BV() runs on ItsMtc system ItsPkiItssSystem { @@ -1047,14 +1209,155 @@ module ItsPki_TestCases { } // Test component configuration + f_cfMtcUp01(v_itss, v_ea); + + // Start components + v_itss.start(f_TC_SECPKI_ITSS_ENR_05_BV_itss()); // wait 15 sec before the second enrolment + v_ea.start(f_TC_SECPKI_ITSS_ENR_05_BV_pki()); // Synchronization + f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup - setverdict(inconc); + f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_05_BV + group f_TC_SECPKI_ITSS_ENR_05_BV { + function f_TC_SECPKI_ITSS_ENR_05_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { + // Test component configuration + // vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + vc_hashedId8ToBeUsed := ""; + f_cfUp_itss(); + + // Test adapter configuration + + // Preamble + // Initial state: No CAM shall be emitted + geoNetworkingPort.clear; + tc_noac.start; + alt { + [] geoNetworkingPort.receive { + log("No CA message expected"); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + [] tc_noac.timeout { + // Trigger the first enrolment + log("*** " & testcasename() & "_itss: INFO: No CA message received ***"); + } + } // End of 'alt' statement + log("*** " & testcasename() & "_itss: INFO: Trigger 1st emrolment ***"); + f_sendUtTriggerEnrolmentRequestPrimitive(); + + // wait a couple of seconds and run second enrolment to check re-enrolment procedure + f_sleep(PX_RE_ENROLMENT_DELAY); + log("*** " & testcasename() & "_itss: INFO: Trigger 2nd emrolment ***"); + f_sendUtTriggerEnrolmentRequestPrimitive(); + + // wait 5 seconds after expiration of EC cert + f_sleep(PX_CERT_EXPIRATION_DELAY + 5.0); + + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + // Trigger the 3rd enrolment + log("*** " & testcasename() & "_itss: INFO: Trigger 3rd emrolment ***"); + f_sendUtTriggerEnrolmentRequestPrimitive(); + + log("*** " & testcasename() & "_itss: PASS: Re-enrolment trigger sent succesfully ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + + // Postamble + f_cfDown_itss(); + } // End of function f_TC_SECPKI_ITSS_ENR_03_BV_itss + + function f_TC_SECPKI_ITSS_ENR_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var HashedId8 v_ec_cert_digest; + var EtsiTs103097Certificate v_ec_cert; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + f_init_default_headers_list(-, "inner_ec_response", v_headers); + + // Preamble + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, + ok, + m_certificateSubjectAttributes_id_omit( + -, + valueof(m_validityPeriod(f_getCurrentTime() / 1000, m_duration_in_seconds( float2int(PX_CERT_EXPIRATION_DELAY)))) + ) + )){ + log("*** " & testcasename() & ": FAIL: First InnerEcRequest failed ***"); + log("*** " & testcasename() & ": v_request := ", v_request); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + log(">>>>> 1st v_inner_ec_response=", v_inner_ec_response); + + v_ec_cert := v_inner_ec_response.certificate; + v_ec_cert_digest := f_calculateDigestFromCertificate(v_ec_cert); + + if(not ischosen(v_ec_cert.toBeSigned.validityPeriod.duration.seconds)){ + log("*** " & testcasename() & ": INCONC: wrong EC certificate validity period error"); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + log("*** " & testcasename() & ": INFO: First InnerEcRequest processed. EC = " & oct2str(v_ec_cert_digest) & "***"); + log("*** " & testcasename() & ": INFO: expires in " + & int2str(v_ec_cert.toBeSigned.validityPeriod.start_ + v_ec_cert.toBeSigned.validityPeriod.duration.seconds - (f_getCurrentTime()/1000)) + & " seconds ***" + ); + + // wait for 2nd request with EC data + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, deniedrequest)) + { + log("*** " & testcasename() & ": FAIL: 2nd InnerEcRequest failed ***"); + log("*** " & testcasename() & ": v_request := ", v_request); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + log(">>>>> 2nd v_inner_ec_response=", v_inner_ec_response); + + if(not match(v_inner_ec_request.itsId, v_ec_cert_digest)){ + log("*** " & testcasename() & ": FAIL: ITS-S ID of 2nd request must be equal to the EC HashedId8 ***"); + log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, v_ec_cert_digest)); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, deniedrequest)) + { + log("*** " & testcasename() & ": FAIL: 3rd InnerEcRequest failed ***"); + log("*** " & testcasename() & ": v_request := ", v_request); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + log(">>>>> 3rd v_inner_ec_response=", v_inner_ec_response); + + if(match(v_inner_ec_request.itsId, v_ec_cert_digest)){ + if(v_ec_cert.toBeSigned.validityPeriod.start_ + v_ec_cert.toBeSigned.validityPeriod.duration.seconds < (f_getCurrentTime()/1000)){ + log("*** " & testcasename() & ": INCONC: EC certificate is not expired yet ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + log("*** " & testcasename() & ": FAIL: ITS-S ID of 3rd request must NOT be equal to the expired EC HashedId8 ***"); + log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, v_ec_cert_digest)); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_ENR_05_BV_pki + + + } // End of group f_TC_SECPKI_ITSS_ENR_05_BV + + + group f_TC_SECPKI_ITSS_ENR_06_BV { /** * @desc For each enrolment request, the ITS-S shall generate a new verification key pair corresponding to an approved signature algorithm as specified in TS 103 097. @@ -1072,17 +1375,26 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_06_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_06_BV * @reference ETSI TS 102 941, clause 6.1.3 */ - testcase TC_SECPKI_ITSS_ENR_06_BV() runs on ItsMtc system ItsPkiItssSystem { + const charstring c_nextTry := "nextTry"; + + testcase TC_SECPKI_ITSS_ENR_06_BV_1() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_06_BV_mtc(c_stInitial); + } + testcase TC_SECPKI_ITSS_ENR_06_BV_2() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_06_BV_mtc(c_stEnrolled); + } + + function f_TC_SECPKI_ITSS_ENR_06_BV_mtc(in charstring p_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control - if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or PICS_SECPKI_REENROLMENT) { - log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and not PICS_SECPKI_REENROLMENT required for executing the TC ***"); + if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { + log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } @@ -1091,24 +1403,31 @@ module ItsPki_TestCases { f_cfMtcUp01(v_itss, v_ea); // Start components - v_itss.start(f_TC_SECPKI_ITSS_ENR_06_BV_itss()); - v_ea.start(f_TC_SECPKI_ITSS_ENR_06_BV_pki()); + v_itss.start(f_TC_SECPKI_ITSS_ENR_06_BV_itss(PX_RE_ENROLMENT_COUNTER, p_state)); + v_ea.start(f_TC_SECPKI_ITSS_ENR_06_BV_pki(PX_RE_ENROLMENT_COUNTER, p_state)); // Synchronization - f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); + f_serverSyncClientsTimed (2, c_prDone, PX_TSYNC_TIME_LIMIT); + + for(var integer v_i := 0; v_i < PX_RE_ENROLMENT_COUNTER; v_i := v_i + 1){ + f_serverSyncClientsTimed (2, c_nextTry, PX_TSYNC_TIME_LIMIT); + } + f_serverSyncClientsTimed (2, c_tbDone, PX_TSYNC_TIME_LIMIT); // Cleanup - - } // End of TC_SECPKI_ITSS_ENR_06_BV - - group f_TC_SECPKI_ITSS_ENR_06_BV { - - function f_TC_SECPKI_ITSS_ENR_06_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { + f_serverWaitForAllClientsToStop(); + } // End of f_TC_SECPKI_ITSS_ENR_06_BV_mtc + + function f_TC_SECPKI_ITSS_ENR_06_BV_itss( + integer p_max_try, + charstring p_state) + runs on ItsPkiItss system ItsPkiItssSystem + { // Local variables - var HashedId8 v_certificate_digest := int2oct(0, 8); var EtsiTs103097Certificate v_certificate; // Test component configuration + vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration @@ -1129,37 +1448,23 @@ module ItsPki_TestCases { } // End of 'alt' statement // Test Body - // Re-enrolment - for (var integer v_i := 0; v_i < PX_RE_ENROLMENT_COUNTER; v_i := v_i + 1) { - f_sendUtTriggerEnrolmentRequestPrimitive(); + // Send first enrolment + for(var integer v_i := 0; v_i < p_max_try; v_i := v_i + 1){ f_sleep(PX_RE_ENROLMENT_DELAY); - } // End of 'for' statement - tc_noac.start; - alt { - [] geoNetworkingPort.receive { - log("No CA message expected"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + f_sendUtTriggerEnrolmentRequestPrimitive(); + f_clientSync(c_nextTry, e_success); } - [] tc_noac.timeout { - log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } - } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_06_BV_itss - function f_TC_SECPKI_ITSS_ENR_06_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { + function f_TC_SECPKI_ITSS_ENR_06_BV_pki(integer p_max_try, charstring p_state) runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable - var integer v_counter := 0; var Headers v_headers; - var HttpMessage v_request; - var HttpMessage v_response; - var InnerEcRequest v_inner_ec_request; - var InnerEcResponse v_inner_ec_response; var ListOfPublicVerificationKey v_generated_keys; - var integer v_result; // Test component configuration f_cfHttpUp(); @@ -1168,98 +1473,42 @@ module ItsPki_TestCases { // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); - // Wait for the first enrolment response - tc_ac.start; - alt { - [] a_await_at_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, - mw_symmetricCiphertext_aes128ccm - )))))), - v_request - ) { - tc_ac.stop; + f_selfOrClientSyncAndVerdict(c_prDone, e_success); - // Verify IUT response - f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); - // Send response - if (isvalue(v_response)) { - httpPort.send(v_response); - } - // Set verdict - if (v_result == 0) { - v_generated_keys[v_counter] := v_inner_ec_request.publicKeys.verificationKey; - v_counter := v_counter + 1; - f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); + // Test Body + for(var integer v_i := 0; v_i < p_max_try; v_i := v_i + 1){ + var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var PublicVerificationKey v_key; + var EnrolmentResponseCode v_response_code; + + if(p_state == c_stInitial){ + v_response_code := deniedrequest; } else { - log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_error); + v_response_code := ok; } + + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, v_response_code)){ + log("*** " & testcasename() & ": ERROR: EC request receiving error ***"); + setverdict(inconc); + f_clientSync(c_nextTry, e_error); } - [] tc_ac.timeout { - log("*** " & testcasename() & ": INCONC: Expected message not received ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); - } - } // End of 'alt' statement - // Test Body - tc_ac.start; - alt { - [] a_await_at_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, - mw_symmetricCiphertext_aes128ccm - )))))), - v_request - ) { - tc_ac.stop; + v_key := v_inner_ec_request.publicKeys.verificationKey; - // Verify IUT response - f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); - // Send response - if (isvalue(v_response)) { - httpPort.send(v_response); - } - // Set verdict - if (v_result == 0) { - log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_inner_ec_request.publicKeys.verificationKey)), "***"); - if (match(v_generated_keys, superset(v_inner_ec_request.publicKeys.verificationKey)) == true) { - v_generated_keys[v_counter] := v_inner_ec_request.publicKeys.verificationKey; - v_counter := v_counter + 1; - f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); - } else { + if (isbound(v_generated_keys) and match(v_generated_keys, superset(v_key))) { + log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_key)), "***"); log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_error); + setverdict(fail); + f_clientSync(c_nextTry, e_error); } - } else { - log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_error); - } - } - [] tc_ac.timeout { - if (v_counter == PX_RE_ENROLMENT_COUNTER) { - log("*** " & testcasename() & ": PASS: InnerEcRequest received with different key pairs ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } else { - log("*** " & testcasename() & ": INCONC: Expected message not received ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + v_generated_keys[v_i] := v_key; + + f_clientSync(c_nextTry, e_success); } - } - } // End of 'alt' statement + log("*** " & testcasename() & ": PASS: No identical verification keys received in " & int2str(p_max_try) & " messages ***"); + f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfHttpDown(); @@ -1267,6 +1516,7 @@ module ItsPki_TestCases { } // End of f_TC_SECPKI_ITSS_ENR_06_BV + group SECPKI_ITSS_ENR_07_BV { /** * @desc Within the InnerECRequest, the requestedSubjectAttributes shall not contain a certIssuePermissions field. *
@@ -1288,7 +1538,7 @@ module ItsPki_TestCases {
        *     }
        * 
* - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_07_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_07_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_07_BV() runs on ItsMtc system ItsPkiItssSystem { @@ -1313,7 +1563,7 @@ module ItsPki_TestCases { // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); - v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); + v_ea.start(f_TC_SECPKI_ITSS_ENR_07_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); @@ -1322,6 +1572,72 @@ module ItsPki_TestCases { } // End of TC_SECPKI_ITSS_ENR_07_BV + function f_TC_SECPKI_ITSS_ENR_07_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_ec_response", v_headers); + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + tc_ac.start; + alt { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { + var Ieee1609Dot2Data v_decrypted_message; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var Ieee1609Dot2Data v_response_message; + var EtsiTs102941Data v_pki_request; + var Oct16 v_request_hash, v_aes_enc_key; + var PublicVerificationKey v_canonical_key; + tc_ac.stop; + + f_send_500_Internal_Error(v_headers); // we don't care about response + + if( not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_pki_request, + v_inner_ec_request)) + { + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if( not isvalue(v_inner_ec_request) ){ + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if(ispresent(v_inner_ec_request.requestedSubjectAttributes.certIssuePermissions)){ + log("*** " & testcasename() & ": FAIL: InnerEcRequest shall not contain certIssuePermissions attribute ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + // Set verdict + log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] tc_ac.timeout { + log("*** " & testcasename() & ": INCONC: Expected message not received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_ENR_07_BV_pki + }// End of group SECPKI_ITSS_ENR_07_BV + + group SECPKI_ITSS_ENR_08_BV { /** * @desc In the headerInfo of the tbsData of the InnerECRequestSignedForPOP all other components * of the component tbsdata.headerInfo except generationTime and psid are not used and absent. @@ -1349,10 +1665,17 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_08_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_08_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ - testcase TC_SECPKI_ITSS_ENR_08_BV() runs on ItsMtc system ItsPkiItssSystem { + testcase TC_SECPKI_ITSS_ENR_08_BV_1() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_08_BV_mtc(c_stInitial); + } + testcase TC_SECPKI_ITSS_ENR_08_BV_2() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_08_BV_mtc(c_stEnrolled); + } + + function f_TC_SECPKI_ITSS_ENR_08_BV_mtc(in charstring p_itss_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; @@ -1368,8 +1691,12 @@ module ItsPki_TestCases { f_cfMtcUp01(v_itss, v_ea); // Start components + if(p_itss_state == c_stEnrolled){ v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); - v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); + }else{ + v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); + } + v_ea.start(f_TC_SECPKI_ITSS_ENR_08_BV_pki(p_itss_state)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); @@ -1378,6 +1705,95 @@ module ItsPki_TestCases { } // End of TC_SECPKI_ITSS_ENR_08_BV + function f_TC_SECPKI_ITSS_ENR_08_BV_pki( + in charstring p_itss_state + ) runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_ec_response", v_headers); + + if(p_itss_state == c_stEnrolled){ + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request)){ + log("*** " & testcasename() & ": INFO: First InnerEcRequest error ***"); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); + } + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + tc_ac.start; + alt { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { + var Oct16 v_request_hash; + var Oct16 v_aes_enc_key; + var Ieee1609Dot2Data v_decrypted_message; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var Ieee1609Dot2Data v_response_message; + var EtsiTs102941Data v_pki_request; + tc_ac.stop; + + f_send_500_Internal_Error(v_headers); // we dont care about response + + f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_pki_request, + v_inner_ec_request); + + if( not isvalue(v_pki_request)) { + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + if( not ischosen(v_pki_request.content.enrolmentRequest)) { + log("*** " & testcasename() & ": FAIL: Not an enrolment request ***"); + log("*** " & testcasename() & ": EtsiTs102941Data.content=", v_pki_request.content); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if(not match( v_pki_request.content.enrolmentRequest, + mw_etsiTs103097Data_signed( + mw_signedData( + -, + mw_toBeSignedData( + -, + mw_headerInfo_inner_pki_request() + ))) + )) { + log("*** " & testcasename() & ": FAIL: Wrong InnerECRequestSignedForPOP headers ***"); + log("*** " & testcasename() & ": ", + match( v_pki_request.content.enrolmentRequest, + m_etsiTs103097Data_signed(mw_signedData( -,mw_toBeSignedData(-,mw_headerInfo_inner_pki_request()))))); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + // Set verdict + log("*** " & testcasename() & ": PASS: EC Request received with proper InnerECRequestSignedForPOP headers ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] tc_ac.timeout { + log("*** " & testcasename() & ": INCONC: Expected message not received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki + } + /** * @desc In the headerInfo of the tbsData of the outer EtsiTs102941Data-Signed all other components * of the component tbsdata.headerInfo except generationTime and psid are not used and absent. @@ -1405,10 +1821,17 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_09_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_09_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ - testcase TC_SECPKI_ITSS_ENR_09_BV() runs on ItsMtc system ItsPkiItssSystem { + group g_TC_SECPKI_ITSS_ENR_09_BV { + testcase TC_SECPKI_ITSS_ENR_09_BV_1() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_09_BV_mtc(c_stInitial); + } + testcase TC_SECPKI_ITSS_ENR_09_BV_2() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_09_BV_mtc(c_stEnrolled); + } + function f_TC_SECPKI_ITSS_ENR_09_BV_mtc(in charstring p_itss_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; @@ -1424,15 +1847,101 @@ module ItsPki_TestCases { f_cfMtcUp01(v_itss, v_ea); // Start components + if(p_itss_state == c_stEnrolled){ + v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); + }else{ v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); - v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); + } + v_ea.start(f_TC_SECPKI_ITSS_ENR_09_BV_pki(p_itss_state)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup - } // End of TC_SECPKI_ITSS_ENR_09_BV + } // End of f_TC_SECPKI_ITSS_ENR_09_BV_mtc + + function f_TC_SECPKI_ITSS_ENR_09_BV_pki ( + in charstring p_itss_state + ) runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_ec_response", v_headers); + + if(p_itss_state == c_stEnrolled){ + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request)){ + log("*** " & testcasename() & ": INFO: First InnerEcRequest error ***"); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); + } + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + tc_ac.start; + alt { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { + var Ieee1609Dot2Data v_decrypted_message; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var Ieee1609Dot2Data v_response_message; + var EtsiTs102941Data v_pki_request; + var Oct16 v_request_hash, v_aes_enc_key; + var PublicVerificationKey v_canonical_key; + tc_ac.stop; + + f_send_500_Internal_Error(v_headers); // we don't care about response + + if( not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_pki_request, + v_inner_ec_request)) + { + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + + if ( not match( v_decrypted_message, + mw_etsiTs103097Data_signed( + mw_signedData( + -, + mw_toBeSignedData( + -, + mw_headerInfo_outer_pki_request() + ))) + )){ + log("*** " & testcasename() & ": FAIL: Invalid outer signed structure in EC request ***"); + log("*** " & testcasename() & ": ", + match(v_decrypted_message,m_etsiTs103097Data_signed(mw_signedData(-,mw_toBeSignedData(-,mw_headerInfo_outer_pki_request())))) + ); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + // Set verdict + log("*** " & testcasename() & ": PASS: EC request contains valid outer signed structure ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] tc_ac.timeout { + log("*** " & testcasename() & ": INCONC: Expected message not received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_ENR_09_BV_pki + } // End of group g_TC_SECPKI_ITSS_ENR_09_BV /** * @desc The EtsiTs103097Data-Encrypted containing the correctly encrypted ciphertext and a recipients @@ -1463,10 +1972,17 @@ module ItsPki_TestCases { * } * * - * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_10_BV + * @see ETSI TS 103 525-2 v1.2.1 SECPKI_ITSS_ENR_10_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ - testcase TC_SECPKI_ITSS_ENR_10_BV() runs on ItsMtc system ItsPkiItssSystem { + group g_TC_SECPKI_ITSS_ENR_10_BV { + testcase TC_SECPKI_ITSS_ENR_10_BV_1() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_10_BV_mtc(c_stInitial); + } + testcase TC_SECPKI_ITSS_ENR_10_BV_2() runs on ItsMtc system ItsPkiItssSystem { + f_TC_SECPKI_ITSS_ENR_10_BV_mtc(c_stEnrolled); + } + function f_TC_SECPKI_ITSS_ENR_10_BV_mtc(in charstring p_itss_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; @@ -1482,15 +1998,109 @@ module ItsPki_TestCases { f_cfMtcUp01(v_itss, v_ea); // Start components + // Start components + if(p_itss_state == c_stEnrolled){ + v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); + }else{ v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); - v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); + } + v_ea.start(f_TC_SECPKI_ITSS_ENR_10_BV_pki(p_itss_state)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup - } // End of TC_SECPKI_ITSS_ENR_10_BV + } // End of f_TC_SECPKI_ITSS_ENR_10_BV_mtc + + function f_TC_SECPKI_ITSS_ENR_10_BV_pki ( + in charstring p_itss_state + ) runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_ec_response", v_headers); + + if(p_itss_state == c_stEnrolled){ + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request)){ + log("*** " & testcasename() & ": INFO: First InnerEcRequest error ***"); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); + } + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + + // Test Body + tc_ac.start; + alt { + [] a_await_ec_http_request_from_iut( + mw_http_request( + mw_http_request_post( + PICS_HTTP_POST_URI_EC, + -, + mw_http_message_body_binary( + mw_binary_body_ieee1609dot2_data( + mw_enrolmentRequestMessage( + mw_encryptedData( + { mw_recipientInfo_certRecipInfo( + mw_pKRecipientInfo( vc_eaHashedId8) + )} + )))))), + v_request ) + { + var Ieee1609Dot2Data v_decrypted_message; + var InnerEcRequest v_inner_ec_request; + var InnerEcResponse v_inner_ec_response; + var Ieee1609Dot2Data v_response_message; + var EtsiTs102941Data v_pki_request; + var Oct16 v_request_hash, v_aes_enc_key; + var PublicVerificationKey v_canonical_key; + tc_ac.stop; + + f_send_500_Internal_Error(v_headers); // we don't care about response + + log("*** " & testcasename() & ": PASS: EC request sent to proper EA recipient ***"); + + if( not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_pki_request, + v_inner_ec_request)) + { + log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + // Set verdict + log("*** " & testcasename() & ": PASS: EC request can be decrypted ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) + { + f_send_500_Internal_Error(v_headers); // we don't care about response + log("*** " & testcasename() & ": FAIL: EC request sent to wrong recipient ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + + [] tc_ac.timeout { + log("*** " & testcasename() & ": INCONC: Expected message not received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_ENR_10_BV_pki + } // End of group g_TC_SECPKI_ITSS_ENR_10_BV + /** * @desc In the inner signed data structure (InnerECRequestSignedForPOP), the signature is computed @@ -1666,7 +2276,9 @@ module ItsPki_TestCases { var boolean v_iut_state_ok := false; // Test component configuration - vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + // vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + vc_hashedId8ToBeUsed := ""; // No certificates //PX_IUT_DEFAULT_CERTIFICATE + f_cfUp_itss(); // Test adapter configuration @@ -1846,7 +2458,7 @@ module ItsPki_TestCases { var boolean v_iut_state_ok := false; // Test component configuration - vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + vc_hashedId8ToBeUsed := ""; // No certificates //PX_IUT_DEFAULT_CERTIFICATE f_cfUp_itss(); // Test adapter configuration @@ -2010,147 +2622,61 @@ module ItsPki_TestCases { f_cfMtcUp01(v_itss, v_ea); // Start component - v_itss.start(f_TC_SECPKI_ITSS_ENR_REP_01_BV_itss()); + v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); // reuse from ENR group v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup - f_cfMtcDown01(v_itss, v_ea); - - } // End of testcase TC_SECPKI_ITSS_ENR_REP_01_BV - - group f_TC_SECPKI_ITSS_ENR_REP_01_BV { - - function f_TC_SECPKI_ITSS_ENR_REP_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { - // Local variables - var HashedId8 v_certificate_digest; - var EtsiTs103097Certificate v_certificate; - - // Test component configuration - vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; - f_cfUp_itss(); - - // Test adapter configuration - - // Preamble - // Initial state: No CAM shall be emitted - geoNetworkingPort.clear; - tc_noac.start; - alt { - [] geoNetworkingPort.receive { - log("No CA message expected"); - f_selfOrClientSyncAndVerdict(c_prDone, e_error); - } - [] tc_noac.timeout { - log("*** " & testcasename() & ": INFO: No CA message received ***"); - f_selfOrClientSyncAndVerdict(c_prDone, e_success); - } - } // End of 'alt' statement - - // Test Body - f_sendUtTriggerEnrolmentRequestPrimitive(); - tc_ac.start; - alt { - [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { - tc_ac.stop; - log("*** " & testcasename() & ": INFO: IUT is in enrolment state ***"); - } - [] tc_ac.timeout { - log("*** " & testcasename() & ": DBG: IUT state update not recieved ***"); - } - } // End of 'alt' statement - tc_noac.start; - alt { - [] geoNetworkingPort.receive { - log("No CA message expected"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_error); - } - [] tc_noac.timeout { - log("*** " & testcasename() & ": PASS: Enrolment trigger sent successfully ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } - } // End of 'alt' statement - - // Postamble - f_cfDown_itss(); - } // End of function f_TC_SECPKI_ITSS_ENR_REP_01_BV_itss - - function f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { - // Local variable - var Headers v_headers; - var HttpMessage v_initial_request; - var HttpMessage v_request; - var InnerEcResponse v_inner_ec_response; - - // Test component configuration - f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); - - // Test adapter configuration - - // Preamble - f_init_default_headers_list(-, "inner_ec_response", v_headers); - f_await_ec_request_send_no_response(v_initial_request); - log("*** " & testcasename() & ": INFO: Reply with no response error message ***"); - f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); - - // Test Body - var integer i; - var boolean v_loop := true; - for (i := 0; i < PX_ENR_MAX_N1; i := i + 1) { - tc_ac.start; - alt { - [] a_await_ec_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, - mw_symmetricCiphertext_aes128ccm - )))))), - v_request - ) { - var HttpMessage v_response; - var integer v_result; - var InnerEcRequest v_inner_ec_request; + f_cfMtcDown01(v_itss, v_ea); - tc_ac.stop; + } // End of testcase TC_SECPKI_ITSS_ENR_REP_01_BV - // Verify IUT response - f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); - // Send response - if (isvalue(v_response)) { - httpPort.send(v_response); - } else { // Send HTTP error 500 - f_send_500_Internal_Error(v_headers); - } - // Set verdict - if (v_result == 0) { - log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - } else { - log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); - f_selfOrClientSyncAndVerdict(c_tbDone, e_error); - } - } - [] tc_ac.timeout { - log("*** " & testcasename() & ": INCONC: Response received on the IUT ***"); - v_loop := false; - f_selfOrClientSyncAndVerdict(c_tbDone, e_success); - //break; - } - } // End of 'alt' statement - if (v_loop == false){ - break; - } - } // End of 'loop' statement + group f_TC_SECPKI_ITSS_ENR_REP_01_BV { + + function f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_initial_request; + var HttpMessage v_request; + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_ec_response", v_headers); + + tc_ac.start; + alt { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { + log("*** " & testcasename() & ": INFO: First enrolment request received ***"); + tc_ac.stop; + f_http_restart("inner_ec_request"); + } + [] tc_ac.timeout { + log("*** " & testcasename() & ": INCONC: First enrolment request not received received ***"); + f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); + } + } // End of 'alt' statement + f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); + + // Test Body + tc_wait.start(PX_EC_REPETITION_TIMEOUT); + alt { + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { + log("*** " & testcasename() & ": PASS: EC repetition has been received after a ", tc_wait.read, " ***"); + tc_wait.stop; + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] tc_wait.timeout { + log("*** " & testcasename() & ": FAIL: EC repetition was not received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + } // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki @@ -2599,6 +3125,7 @@ module ItsPki_TestCases { var HttpMessage v_request; var HttpMessage v_initial_request; var InnerEcResponse v_inner_ec_response; + var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); @@ -2616,7 +3143,7 @@ module ItsPki_TestCases { } // End of 'for' staement // Do not expect any repetition - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment not expected due to number of error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { @@ -2790,8 +3317,9 @@ module ItsPki_TestCases { [] tc_ac.timeout { // Do not expect any repetition var InnerEcResponse v_inner_ec_response; + var InnerEcRequest v_inner_ec_request; - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment not expected due to timeout ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { @@ -2871,7 +3399,8 @@ module ItsPki_TestCases { var boolean v_start_awaiting := false; // Test component configuration - vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; +// vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration @@ -2886,6 +3415,8 @@ module ItsPki_TestCases { f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { + log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); + if(PX_TRIGGER_EC_BEFORE_AT){ f_sendUtTriggerEnrolmentRequestPrimitive(); tc_ac.start; // TDOD To refined, use altstep alt { @@ -2893,12 +3424,17 @@ module ItsPki_TestCases { tc_ac.stop; log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***"); } - [] tc_ac.timeout { + [LibItsPki_Pics.PICS_UT_STATE_INDICATION] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } + [not(LibItsPki_Pics.PICS_UT_STATE_INDICATION)] tc_ac.timeout { + log("*** " & testcasename() & "_itss: DBG: IUT doesn't support state indication. Assume it was well done.***"); + } } // End of 'alt' statement - log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); + }else{ + log("*** " & testcasename() & "_itss: DBG: Assume IUT already in enrolled state.***"); + } f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement @@ -2936,7 +3472,9 @@ module ItsPki_TestCases { // Local variable var Headers v_headers; var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; + var template (omit) EtsiTs103097Certificate v_ec_cert := omit; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); @@ -2946,7 +3484,8 @@ module ItsPki_TestCases { // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { + v_ec_cert := v_inner_ec_response.certificate; log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { @@ -2954,6 +3493,8 @@ module ItsPki_TestCases { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { +// f_readCertificate(PICS_IUT_EC_CERTIFICATE_ID, v_inner_ec_response.certificate); +// v_ec_cert := omit; f_selfOrClientSyncAndVerdict(c_prDone, e_success); } @@ -2982,7 +3523,7 @@ module ItsPki_TestCases { tc_ac.stop; // Verify IUT response - f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); + f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_ec_cert, v_inner_at_request, v_inner_at_response, v_response, v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); // Send response @@ -3532,6 +4073,7 @@ module ItsPki_TestCases { // Local variable var Headers v_headers; var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration @@ -3548,7 +4090,7 @@ module ItsPki_TestCases { f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Wait for the repetition if (PX_TRIGGER_EC_BEFORE_AT) { - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { @@ -3557,6 +4099,7 @@ module ItsPki_TestCases { } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); + v_inner_ec_response.certificate := omit; } // Test Body @@ -3734,6 +4277,7 @@ module ItsPki_TestCases { var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration @@ -3750,7 +4294,7 @@ module ItsPki_TestCases { f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Wait for the repetition if (PX_TRIGGER_EC_BEFORE_AT) { - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { @@ -3944,6 +4488,7 @@ module ItsPki_TestCases { var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration @@ -3961,7 +4506,7 @@ module ItsPki_TestCases { // Wait for the repetition if (PX_TRIGGER_EC_BEFORE_AT) { - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { @@ -4141,6 +4686,7 @@ module ItsPki_TestCases { var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; + var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration @@ -4159,7 +4705,7 @@ module ItsPki_TestCases { // Do not expect any repetition if (PX_TRIGGER_EC_BEFORE_AT) { - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment not expected due to number of error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { @@ -4176,6 +4722,205 @@ module ItsPki_TestCases { } // End of group f_TC_SECPKI_ITSS_AUTH_REP_04_BV + /** + * @desc Check that IUT stops sending the Authorization Request message if timeout has been reached + *
+       * Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY
+       * Initial conditions: {
+       *     the IUT being in the 'enrolled' state
+       *     and the IUT has started sending the Authorization Request at the time T1
+       *     }
+       * Expected behaviour:
+       *     ensure that {
+       *         when {
+       *             the IUT local time is reached the T1 + PIXIT_AUTH_TIMEOUT_TH2
+       *         }
+       *         then {
+       *             the IUT stops sending an Authorization Request messages
+       *         }
+       *     }
+       * 
+ * + * @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_05_BV + * @reference ETSI TS 103 601, clause 5.1.2 + */ + testcase TC_SECPKI_ITSS_AUTH_REP_05_BV() runs on ItsMtc system ItsPkiItssSystem { + // Local variables + var ItsPkiItss v_itss; + var ItsPkiHttp v_ea; + + // Test control + if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { + log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); + setverdict(inconc); + stop; + } + + // Test component configuration + f_cfMtcUp01(v_itss, v_ea); + + // Start component + v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_05_BV_itss()); + v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki()); + + // Synchronization + f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); + + // Cleanup + f_cfMtcDown01(v_itss, v_ea); + } + + group f_TC_SECPKI_ITSS_AUTH_REP_05_BV { + + function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { + // Local variables + var HashedId8 v_certificate_digest; + var EtsiTs103097Certificate v_certificate; + var InfoPortData v_info_port_data; + var boolean v_start_awaiting := false; + + // Test component configuration + vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; + f_cfUp_itss(); + + // Test adapter configuration + + // Preamble + // Initial state: No CAM shall be emitted + geoNetworkingPort.clear; + tc_noac.start; + alt { + [] geoNetworkingPort.receive { + log("No CA message expected"); + f_selfOrClientSyncAndVerdict(c_prDone, e_error); + } + [] tc_noac.timeout { + f_sendUtTriggerEnrolmentRequestPrimitive(); + log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + } + } // End of 'alt' statement + + // Test Body + f_sendUtTriggerAuthorizationRequestPrimitive(); + tc_ac.start; + alt { + [v_start_awaiting == true] a_await_cam_with_current_cert( + v_info_port_data.at_certificate + ) { + log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } + [] geoNetworkingPort.receive { + log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { + log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); + v_start_awaiting := true; + repeat; + } + [] tc_ac.timeout { + log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfDown_itss(); + } // End of function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_itss + + function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { + // Local variable + var Headers v_headers; + var HttpMessage v_request; + var InnerEcResponse v_inner_ec_response; + var InnerEcRequest v_inner_ec_request; + + // Test component configuration + f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); + + // Test adapter configuration + + // Preamble + f_init_default_headers_list(-, "inner_at_response", v_headers); + if (PX_TRIGGER_EC_BEFORE_AT) { + f_await_ec_request_send_error_response(v_request); + log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); + } else { + f_selfOrClientSyncAndVerdict(c_prDone, e_success); + } + + + // Do not expect any repetition + if (PX_TRIGGER_EC_BEFORE_AT) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { + log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } else { + log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } + + // Test Body + tc_ac.start(PX_TAC * 1.1); // for different timer PIXIT_AUTH_TIMEOUT_TH2 + alt { + [] a_await_at_http_request_from_iut( + mw_http_request( + mw_http_request_post( + PICS_HTTP_POST_URI_AT, + -, + mw_http_message_body_binary( + mw_binary_body_ieee1609dot2_data( + mw_authorizationRequestMessage( + mw_encryptedData( + { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, + mw_symmetricCiphertext_aes128ccm + )))))), + v_request + ) { + var HttpMessage v_response; + var integer v_result; + var InnerAtRequest v_inner_at_request; + var InnerAtResponse v_inner_at_response; + + tc_ac.stop; + + // Verify IUT response + f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); + // Send response + if (isvalue(v_response)) { + httpPort.send(v_response); + } + // Set verdict + if (v_result == 0) { + var octetstring v_msg; + var octetstring v_hashed_id8; + log("*** " & testcasename() & ": PASS: InnerAtRequest received ***"); + v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); + if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { + v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); + } else { + v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); + } + infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); + f_selfOrClientSyncAndVerdict(c_tbDone, e_success); + } else { + log("*** " & testcasename() & ": FAIL: Failed to verify AA an AuthorizationRequestMessage ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_error); + } + } + [] tc_ac.timeout { + log("*** " & testcasename() & ": PASS: Expected no AuthorizationRequestMessage ***"); + f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); + } + } // End of 'alt' statement + + // Postamble + f_cfHttpDown(); + } // End of function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki + } } // End of group itss_authorization_request_repetition // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.4 Authorization using butterfly key expansion mechanism @@ -4316,6 +5061,7 @@ module ItsPki_TestCases { var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; + var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); @@ -4323,7 +5069,7 @@ module ItsPki_TestCases { // Test adapter configuration // Preamble - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { @@ -4666,6 +5412,7 @@ module ItsPki_TestCases { var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; + var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); @@ -4673,7 +5420,7 @@ module ItsPki_TestCases { // Test adapter configuration // Preamble - if (f_await_ec_request_send_response(v_inner_ec_response, v_request) == true) { + if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { @@ -11121,12 +11868,20 @@ module ItsPki_TestCases { var HashedId8 v_bfk_hashed_id8; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; + var EtsiTs103097Certificate v_aaCertificate; + var charstring v_aaCertificate_id; log(">>> f_verify_http_at_request_from_iut_atv: p_request= ", p_request); p_result := 0; - if (f_verify_pki_request_message(vc_eaPrivateEncKey/*Encrypted with AA*/, vc_eaWholeHash/*salt*/, vc_aaWholeHash/*Issuer is AA*/, p_request.body.binary_body.ieee1609dot2_data, true, p_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, p_aes_enc_key) == false) { + if (not(f_getCertificateFromDigest(f_hashedId8FromSha256(vc_aaWholeHash), v_aaCertificate, v_aaCertificate_id))) { + p_result := -1; + return; + } + if (not f_verify_pki_request_message(vc_eaPrivateEncKey/*Encrypted with AA*/, vc_eaWholeHash/*salt*/, vc_aaWholeHash/*Issuer is AA*/, + v_aaCertificate.toBeSigned.verifyKeyIndicator.verificationKey, + p_request.body.binary_body.ieee1609dot2_data, true, p_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, p_aes_enc_key)) { // Set verdict p_result := -1; } else { @@ -13176,7 +13931,9 @@ module ItsPki_TestCases { p_result := 0; - if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message + if (f_verify_pki_request_message( vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, + omit, + p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict @@ -17584,7 +18341,9 @@ module ItsPki_TestCases { p_result := 0; - if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message + if (f_verify_pki_request_message( vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, + omit, + p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict diff --git a/ItsPki_TestControl.ttcn b/ItsPki_TestControl.ttcn index 577ddf94cd64627dfaff728a4e1c2072348d20c1..f3a81014717bb5918b4a5ee0fd86668911d6a6b9 100644 --- a/ItsPki_TestControl.ttcn +++ b/ItsPki_TestControl.ttcn @@ -14,7 +14,8 @@ module ItsPki_TestControl { execute(TC_SECPKI_ITSS_ENR_02_BV()); if (PICS_SECPKI_REENROLMENT) { execute(TC_SECPKI_ITSS_ENR_03_BV()); - execute(TC_SECPKI_ITSS_ENR_06_BV()); + execute(TC_SECPKI_ITSS_ENR_06_BV_1()); + execute(TC_SECPKI_ITSS_ENR_06_BV_2()); execute(TC_SECPKI_ITSS_ENR_12_BV()); } if (PICS_SECPKI_CRL) { @@ -29,9 +30,12 @@ module ItsPki_TestControl { } execute(TC_SECPKI_ITSS_ENR_05_BV()); execute(TC_SECPKI_ITSS_ENR_07_BV()); - execute(TC_SECPKI_ITSS_ENR_08_BV()); - execute(TC_SECPKI_ITSS_ENR_09_BV()); - execute(TC_SECPKI_ITSS_ENR_10_BV()); + execute(TC_SECPKI_ITSS_ENR_08_BV_1()); + execute(TC_SECPKI_ITSS_ENR_08_BV_2()); + execute(TC_SECPKI_ITSS_ENR_09_BV_1()); + execute(TC_SECPKI_ITSS_ENR_09_BV_2()); + execute(TC_SECPKI_ITSS_ENR_10_BV_1()); + execute(TC_SECPKI_ITSS_ENR_10_BV_2()); execute(TC_SECPKI_ITSS_ENR_11_BV()); execute(TC_SECPKI_ITSS_ENR_RECV_01_BV()); diff --git a/lib/LibItsPki_EncdecDeclarations.ttcn b/lib/LibItsPki_EncdecDeclarations.ttcn index 70922b0a86d35fe99961d8748167ba1e341df18d..e58c926592b1a5f38ec30fc8276bc793c5b08b63 100644 --- a/lib/LibItsPki_EncdecDeclarations.ttcn +++ b/lib/LibItsPki_EncdecDeclarations.ttcn @@ -11,7 +11,7 @@ module LibItsPki_EncdecDeclarations { import from EtsiTs103097Module language "ASN.1:1997" all; import from EtsiTs102941TrustLists language "ASN.1:1997" all; - // LibItsSecurity + // LibItsPki import from LibItsSecurity_TypesAndValues all; external function fx_enc_EtsiTs102941Data(in EtsiTs102941MessagesCa.EtsiTs102941Data p_etsi_ts_102941_data) return bitstring diff --git a/lib/LibItsPki_Pics.ttcn b/lib/LibItsPki_Pics.ttcn index cab931a58a53470ac84eef14ceb6b96b9abf0c72..6f1fd42d6124d5de08f6677c17fed1a5710ae04e 100644 --- a/lib/LibItsPki_Pics.ttcn +++ b/lib/LibItsPki_Pics.ttcn @@ -60,11 +60,21 @@ module LibItsPki_Pics { */ modulepar boolean PICS_PKI_AUTH_POP := true; + /** + * @desc Do the Authorization Request use SignedWithPop mechanism? + */ + modulepar boolean PICS_UT_STATE_INDICATION := true; + /** * @desc Certificate used by the IUT acting as ITS-S */ modulepar charstring PICS_IUT_CERTIFICATE_ID := "CERT_IUT_A_AT"; + /** + * @desc Default enrollment credentials used by ITS-S + */ + modulepar charstring PICS_IUT_EC_CERTIFICATE_ID := "CERT_IUT_A_EC"; + /** * @desc Certificate used by the IUT acting as EA */ diff --git a/lib/LibItsPki_Templates.ttcn b/lib/LibItsPki_Templates.ttcn index bb58abd9122598e26dd686b013e5dc64c5a49993..65b7db986ae692e0954c300a5c193e874a358440 100644 --- a/lib/LibItsPki_Templates.ttcn +++ b/lib/LibItsPki_Templates.ttcn @@ -527,7 +527,7 @@ module LibItsPki_Templates { } // End of template mw_publicKeys template (omit) CertificateSubjectAttributes m_certificateSubjectAttributes_id_none( - in template (value) SequenceOfPsidSsp p_appPermissions, + in template (omit) SequenceOfPsidSsp p_appPermissions := omit, in template (omit) ValidityPeriod p_validityPeriod := omit, in template (omit) GeographicRegion p_region := omit, in template (omit) SubjectAssurance p_assuranceLevel := omit @@ -541,7 +541,7 @@ module LibItsPki_Templates { } // End of template m_certificateSubjectAttributes_id_none template (omit) CertificateSubjectAttributes m_certificateSubjectAttributes_id_omit( - in template (value) SequenceOfPsidSsp p_appPermissions, + in template (omit) SequenceOfPsidSsp p_appPermissions := omit, in template (omit) ValidityPeriod p_validityPeriod := omit, in template (omit) GeographicRegion p_region := omit, in template (omit) SubjectAssurance p_assuranceLevel := omit @@ -752,7 +752,7 @@ module LibItsPki_Templates { template CertificateSubjectAttributes mw_certificate_subject_attributes( template (present) SequenceOfPsidSsp p_appPermissions := ?, template CertificateId p_id := *, - template (present) ValidityPeriod p_validityPeriod := ?, + template ValidityPeriod p_validityPeriod := *, template SubjectAssurance p_assuranceLevel := *, template GeographicRegion p_region := *, template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit @@ -768,7 +768,7 @@ module LibItsPki_Templates { template CertificateSubjectAttributes mw_certificate_subject_attributes_optional_assuranceLevel( template (present) SequenceOfPsidSsp p_appPermissions := ?, template (present) CertificateId p_id := ?, - template (present) ValidityPeriod p_validityPeriod := ?, + template ValidityPeriod p_validityPeriod := *, template SubjectAssurance p_assuranceLevel := *, template GeographicRegion p_region := *, template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit @@ -1323,4 +1323,61 @@ module LibItsPki_Templates { cert := p_cert } // End of template mw_dc_entry + group security_templates { + template (omit) HeaderInfo m_headerInfo_inner_pki_request( + in template (value) Psid p_psid := c_its_aid_SCR, + in template (value) Time64 p_generationTime + ) modifies m_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime + }; + + template (omit) HeaderInfo m_headerInfo_inner_pki_response( + in template (value) Psid p_psid := c_its_aid_SCR, + in template (value) Time64 p_generationTime + ) modifies m_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime + }; + + template (omit) HeaderInfo m_headerInfo_inner_pki_ctl_response( + in template (value) Psid p_psid := c_its_aid_CPOC, + in template (value) Time64 p_generationTime + ) modifies m_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime + }; + + template (omit) HeaderInfo m_headerInfo_inner_pki_crl_response( + in template (value) Psid p_psid := c_its_aid_CRL, + in template (value) Time64 p_generationTime + ) modifies m_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime + }; + + template (present) HeaderInfo mw_headerInfo_inner_pki_request( + template (present) Psid p_psid := c_its_aid_SCR, + template (present) Time64 p_generationTime := ? + ) modifies mw_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime, + expiryTime := omit, + generationLocation := omit + }; + + template (present) HeaderInfo mw_headerInfo_outer_pki_request( + template (present) Psid p_psid := c_its_aid_SCR, + template (present) Time64 p_generationTime := ? + ) modifies mw_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime, + expiryTime := omit, + generationLocation := omit + }; + + template HeaderInfo mw_headerInfo_inner_pki_response( + template (present) Psid p_psid := c_its_aid_SCR, + template Time64 p_generationTime := * + ) modifies mw_ieee1609Dot2_headerInfo := { + generationTime := p_generationTime, + expiryTime := omit, + generationLocation := omit + } + } + } // End of module LibItsPki_Templates diff --git a/lib/asn1 b/lib/asn1 index 021805f17253f5b0baf80b13bca8151a05342655..7e4ea27e7e0d752587aa48051f880607c29ef8ca 160000 --- a/lib/asn1 +++ b/lib/asn1 @@ -1 +1 @@ -Subproject commit 021805f17253f5b0baf80b13bca8151a05342655 +Subproject commit 7e4ea27e7e0d752587aa48051f880607c29ef8ca diff --git a/lib_system/LibItsPki_Functions.ttcn b/lib_system/LibItsPki_Functions.ttcn index 371b60084e7ef06a80bea15ff133c7047aa0f3ed..8b693a438aa791006ab7cdecb67e8dc5c269a03d 100644 --- a/lib_system/LibItsPki_Functions.ttcn +++ b/lib_system/LibItsPki_Functions.ttcn @@ -573,6 +573,7 @@ module LibItsPki_Functions { v_compressed_public_key := '03'O & p_public_key_compressed; } + utPort.clear; v_ut_trigger_enrolment_request := { p_canonical_id, p_enc_algorithm, p_private_key, v_compressed_public_key }; utPort.send(UtPkiTrigger: { triggerEnrolmentRequest := v_ut_trigger_enrolment_request }); tc_ac.start; @@ -585,6 +586,10 @@ module LibItsPki_Functions { log("*** f_sendUtTriggerEnrolmentRequestPrimitive: ERROR: Received unexpected message ***"); f_selfOrClientSyncAndVerdict("error", e_error); } + [] utPort.receive { + log("*** f_sendUtTriggerEnrolmentRequestPrimitive: INFO: Some message received in UT Port ***"); + repeat; + } [] tc_ac.timeout { log("*** f_sendAcPkiPrimitive: ERROR: Timeout while waiting for adapter control event result ***"); f_selfOrClientSyncAndVerdict("error", e_timeout); @@ -620,6 +625,9 @@ module LibItsPki_Functions { log("*** f_sendUtTriggerAuthorizationRequestPrimitive: ERROR: Received unexpected message ***"); f_selfOrClientSyncAndVerdict("error", e_error); } + [] utPort.receive(UtPkiTriggerInd:?) { + repeat; + } [] tc_ac.timeout { log("*** f_sendAcPkiPrimitive: ERROR: Timeout while waiting for adapter control event result ***"); f_selfOrClientSyncAndVerdict("error", e_timeout); @@ -694,6 +702,76 @@ module LibItsPki_Functions { group helpers { + function f_decode_EccP256CurvePoint( + in octetstring buf, + out EccP256CurvePoint p + ) runs on ItsPkiHttp return boolean { + var integer ptype := oct2int(buf[0] and4b '7F'O); + if(lengthof(buf) == 33){ + if (ptype == 0) {p.x_only := substr(buf, 1, 32);} + else if (ptype == 2) {p.compressed_y_0 := substr(buf, 1, 32);} + else if (ptype == 3) {p.compressed_y_1 := substr(buf, 1, 32);} + else { + log("f_decode_EccP256CurvePoint: unsupported value for point type ", ptype); + return false; + } + }else if(lengthof(buf) == 65){ + if (ptype == 4) { + p.uncompressedP256.x := substr(buf, 1, 32); + p.uncompressedP256.y := substr(buf, 33, 32); + }else{ + log("f_decode_EccP256CurvePoint: unsupported value for point type ", ptype); + return false; + } + }else{ + log("f_decode_EccP256CurvePoint: wrong buffer length ", lengthof(buf)); + return false; + } + return true; + } + + function f_decode_EccP384CurvePoint( + in octetstring buf, + out EccP384CurvePoint p + ) runs on ItsPkiHttp return boolean { + var integer ptype := oct2int(buf[0] and4b '7F'O); + if(lengthof(buf) == 49){ + if (ptype == 0) {p.x_only := substr(buf, 1, 48);} + else if (ptype == 2) {p.compressed_y_0 := substr(buf, 1, 48);} + else if (ptype == 3) {p.compressed_y_1 := substr(buf, 1, 48);} + else { + log("f_decode_EccP384CurvePoint: unsupported value for point type ", ptype); + return false; + } + }else if(lengthof(buf) == 97){ + if (ptype == 4) { + p.uncompressedP384.x := substr(buf, 1, 48); + p.uncompressedP384.y := substr(buf, 49, 48); + }else{ + log("f_decode_EccP256CurvePoint: unsupported value for point type ", ptype); + return false; + } + }else{ + log("f_decode_EccP256CurvePoint: wrong buffer length ",lengthof(buf)); + return false; + } + return true; + } + + function f_get_canonical_itss_key( + out PublicVerificationKey p_key + ) runs on ItsPkiHttp return boolean { + log("f_get_canonical_itss_key: PX_VE_ALG=", PX_VE_ALG); + if (PX_VE_ALG == e_nist_p256) { + return f_decode_EccP256CurvePoint(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, p_key.ecdsaNistP256); + } else if (PX_VE_ALG == e_brainpool_p256_r1) { + return f_decode_EccP256CurvePoint(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, p_key.ecdsaNistP256); + } else if (PX_VE_ALG == e_brainpool_p384_r1) { + return f_decode_EccP384CurvePoint(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, p_key.ecdsaNistP256); + } + return false; + } + function f_generate_key_pair( out octetstring p_private_key, out octetstring p_public_key_x, @@ -743,6 +821,27 @@ module LibItsPki_Functions { return true; } + function f_http_restart ( + in charstring p_content_text + ) runs on ItsPkiHttp { + if (not(PICS_MULTIPLE_END_POINT)) { + log("f_http_restart: restart httpPort"); + httpPort.stop; + httpPort.start; + } else { + log("f_http_restart: restart httpPort with contentType ", p_content_text); + select(p_content_text){ + case ("inner_ec_request"){ + httpEcPort.stop; + httpEcPort.start; + } + case ("inner_atv_request"){ + httpAtVPort.stop; + httpAtVPort.start; + } + } + } + } function f_http_send( in Headers p_headers, @@ -1636,7 +1735,11 @@ module LibItsPki_Functions { p_salt := vc_eaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3. log("f_http_build_invalid_authorization_validation_request: vc_aaHashedId8: ", vc_aaHashedId8); log("f_http_build_invalid_authorization_validation_request: p_salt: ", p_salt); - if(f_build_pki_secured_request_message_signed_with_pop(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), PX_EC_ALG_FOR_ATV, true, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) { + if(f_build_pki_secured_request_message_signed_with_pop(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), + vc_eaHashedId8/*recipientId*/, v_public_enc_key, + v_compressed_enc_key_mode, p_salt, + bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), + PX_EC_ALG_FOR_ATV, true, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) { log("f_http_build_invalid_authorization_validation_request: Failed to generate Authorization Request"); return false; } @@ -2129,6 +2232,7 @@ module LibItsPki_Functions { var IssuerIdentifier v_issuer; var bitstring v_tbs; var octetstring v_sig; + var ValidityPeriod v_valPeriod; log(">>> f_generate_ec_certificate_for_inner_ec_response: p_inner_ec_request: ", p_inner_ec_request); log(">>> f_generate_ec_certificate_for_inner_ec_response: p_digest: ", p_digest); @@ -2139,16 +2243,19 @@ module LibItsPki_Functions { } else { v_certificate_id := p_inner_ec_request.requestedSubjectAttributes.id; } + if (ispresent(p_inner_ec_request.requestedSubjectAttributes.validityPeriod)) { + v_valPeriod := p_inner_ec_request.requestedSubjectAttributes.validityPeriod; + } else { + v_valPeriod := valueof(m_validityPeriod(f_getCurrentTime() / 1000, m_duration_in_hours(24))); + } v_cert := valueof( m_etsiTs103097Certificate( v_issuer, m_toBeSignedCertificate_ec( v_certificate_id, p_inner_ec_request.requestedSubjectAttributes.appPermissions, - m_verificationKeyIndicator_verificationKey( - p_inner_ec_request.publicKeys.verificationKey - ), - p_inner_ec_request.requestedSubjectAttributes.validityPeriod, + m_verificationKeyIndicator_verificationKey(p_inner_ec_request.publicKeys.verificationKey), + v_valPeriod, p_inner_ec_request.requestedSubjectAttributes.region, p_inner_ec_request.requestedSubjectAttributes.assuranceLevel, p_inner_ec_request.publicKeys.encryptionKey @@ -3516,7 +3623,7 @@ module LibItsPki_Functions { function f_verify_inner_at_request_signed_for_pop( in EtsiTs102941Data p_etsi_ts_102941_data, - in EtsiTs103097Certificate p_ec_certificate, + in template (omit) EtsiTs103097Certificate p_ec_certificate, out InnerAtRequest p_inner_at_request ) return boolean { var bitstring v_msg_bit; @@ -5196,63 +5303,95 @@ module LibItsPki_Functions { return true; } // End of function f_await_http_inner_ec_request_response + group PredefinedRequests { + template (present) HttpMessage mw_http_ec_request_generic := + mw_http_request( + mw_http_request_post( + PICS_HTTP_POST_URI_EC, + -, + mw_http_message_body_binary( + mw_binary_body_ieee1609dot2_data( + mw_enrolmentRequestMessage( + mw_encryptedData() + ))))); + } + function f_await_ec_request_send_response( + out InnerEcRequest p_inner_ec_request, out InnerEcResponse p_inner_ec_response, - out HttpMessage p_request + out HttpMessage p_request, + in EnrolmentResponseCode p_response_code := ok, + in template (omit) CertificateSubjectAttributes p_attributes := omit ) runs on ItsPkiHttp return boolean { var boolean v_result := false; + var HttpMessage v_wrong_request; + var Headers v_headers; log(">>> f_await_ec_request_send_response"); + f_init_default_headers_list(-, "inner_ec_response", v_headers); tc_ac.start; alt { - [] a_await_ec_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - -, - mw_symmetricCiphertext_aes128ccm - )))))), - p_request - ) { - var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, p_request) { + var Ieee1609Dot2Data v_decrypted_message; var EtsiTs102941Data v_etsi_ts_102941_data; - var Oct16 v_request_hash; - var HashedId8 v_bfk_hashed_id8; - var Oct16 v_aes_enc_key; - var InnerEcRequest v_inner_ec_request; var template (value) HttpMessage v_response; - var Headers v_headers; + var Oct16 v_request_hash, v_aes_enc_key; + tc_ac.stop; + + if(f_read_ec_request_from_iut_itss( p_request.request.body.binary_body.ieee1609dot2_data, + v_request_hash, v_aes_enc_key, + v_decrypted_message, + v_etsi_ts_102941_data, + p_inner_ec_request + )){ var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; + var Ieee1609Dot2Data v_response_message; - tc_ac.stop; + log(">>>>>> f_await_ec_request_send_response v_inner_ec_request=", p_inner_ec_request); - f_init_default_headers_list(-, "inner_ec_response", v_headers); + if(ispresent(p_attributes)){ + if(isvalue(p_attributes.id)){ + p_inner_ec_request.requestedSubjectAttributes.id := valueof(p_attributes.id); + } + if(isvalue(p_attributes.validityPeriod)){ + p_inner_ec_request.requestedSubjectAttributes.validityPeriod := valueof(p_attributes.validityPeriod); + } + if(isvalue(p_attributes.region)){ + p_inner_ec_request.requestedSubjectAttributes.region := valueof(p_attributes.region); + } + if(isvalue(p_attributes.assuranceLevel)){ + p_inner_ec_request.requestedSubjectAttributes.assuranceLevel := valueof(p_attributes.assuranceLevel); + } + if(isvalue(p_attributes.appPermissions)){ + p_inner_ec_request.requestedSubjectAttributes.appPermissions := valueof(p_attributes.appPermissions); + } + if(isvalue(p_attributes.certIssuePermissions)){ + p_inner_ec_request.requestedSubjectAttributes.certIssuePermissions := valueof(p_attributes.certIssuePermissions); + } + } - if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, ''O, p_request.request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message - log("f_await_ec_request_send_response: Failed to verify PKI message ***"); - // Send error message - v_response := m_http_response(m_http_response_ko(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers, 400, "Bad request")); // Initialize v_reponse with an error message + f_http_build_inner_ec_response(p_inner_ec_request, p_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, + v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_response_message); + + v_response := m_http_response( + m_http_response_ok( + m_http_message_body_binary( + m_binary_body_ieee1609dot2_data(v_response_message) + ), v_headers)); } else { - log("f_await_ec_request_send_response: Receive ", v_etsi_ts_102941_data, " ***"); - if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, v_inner_ec_request) == false) { - log("f_await_ec_request_send_response: Failed to verify PKI message ***"); - // Send error message - f_http_build_inner_ec_response(v_inner_ec_request/*Not required*/, cantparse, v_request_hash, -, -, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers)); - } else { - f_http_build_inner_ec_response(v_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); - v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers)); - v_result := true; + v_response := m_http_response(m_http_response_500_internal_error(v_headers)); } f_http_send(v_headers, v_response); + v_result := true; } + + [] a_await_ec_http_request_from_iut( mw_http_request(), v_wrong_request) { + log(">>>>>> f_await_ec_request_send_response: Wrong message received ", v_wrong_request); + log(" ", match(v_wrong_request, mw_http_request())); + f_http_send(v_headers, m_http_response(m_http_response_500_internal_error(v_headers))); + repeat; } [] tc_ac.timeout { log("f_await_ec_request_send_response: Expected message not received ***"); @@ -5271,26 +5410,9 @@ module LibItsPki_Functions { tc_ac.start; alt { - [] a_await_ec_http_request_from_iut( - mw_http_request( - mw_http_request_post( - PICS_HTTP_POST_URI_EC, - -, - mw_http_message_body_binary( - mw_binary_body_ieee1609dot2_data( - mw_enrolmentRequestMessage( - mw_encryptedData( - -, - mw_symmetricCiphertext_aes128ccm - )))))), - p_request - ) { - var template (value) HttpMessage v_response; - var Headers v_headers; - + [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, p_request) { tc_ac.stop; - - f_init_default_headers_list(-, "inner_ec_response", v_headers); + f_http_restart("inner_ec_request"); log("f_await_ec_request_send_no_response: Failed to verify PKI message ***"); } [] tc_ac.timeout { @@ -5808,7 +5930,7 @@ module LibItsPki_Functions { var octetstring v_encoded_inner_ec_response; var HashedId8 v_recipientId; var octetstring v_encrypted_inner_ec_response; - + var octetstring v_symkeyidentifier; // Signed the encoded PKI message v_tbs := m_toBeSignedData( m_signedDataPayload( @@ -5844,7 +5966,9 @@ module LibItsPki_Functions { // Encode EtsiTs103097Data-Signed data structure v_encoded_inner_ec_response := bit2oct(encvalue(v_ieee1609dot2_signed_data)); v_encrypted_inner_ec_response := fx_encrypt_aes_128_ccm_test(p_aes_sym_key, p_nonce, v_encoded_inner_ec_response); - v_recipientId := f_hashedId8FromSha256(f_hashWithSha256(p_aes_sym_key)); + v_symkeyidentifier := '80'O & p_aes_sym_key; + log("v_symkeyidentifier= ", v_symkeyidentifier); + v_recipientId := f_hashedId8FromSha256(f_hashWithSha256(v_symkeyidentifier)); log("v_recipientId= ", v_recipientId); // Fill Certificate template with the public compressed keys (canonical form) p_ieee1609dot2_signed_and_encrypted_data := valueof( @@ -5869,6 +5993,92 @@ module LibItsPki_Functions { return true; } // End of function f_build_pki_secured_response_message + function f_read_pki_request_message( + in Ieee1609Dot2Data p_encrypted_message, + in Oct32 p_private_enc_key, + in Oct32 p_salt, + out Oct16 p_request_hash, + out Oct16 p_aes_enc_key, + out Ieee1609Dot2Data p_decrypted_message, + out EtsiTs102941Data p_etsi_ts_102941_data + ) return boolean { + var octetstring v_msg; + var boolean ret := true; + + // 1. Calculate the request Hash + v_msg := bit2oct(encvalue(p_encrypted_message)); + log("f_parse_pki_request: Encoded request: ", v_msg); + p_request_hash := substr(f_hashWithSha256(v_msg), 0, 16); + log("f_parse_pki_request: p_request_hash= ", p_request_hash); + + // 2. Decrypt message + log("f_parse_pki_request: p_private_enc_key= ", p_private_enc_key); + if (false == f_decrypt(p_private_enc_key, p_encrypted_message, p_salt, p_decrypted_message, p_aes_enc_key)) { + log("f_parse_pki_request: Failed to decrypt message"); + return false; + } + log("f_parse_pki_request: v_ieee1609dot2_signed_data= ", p_decrypted_message); + log("f_parse_pki_request: p_aes_enc_key= ", p_aes_enc_key); + + // 3. get TS 102 941 data + select(p_decrypted_message){ + case( mw_etsiTs103097Data_signed( + mw_signedData( + -, + mw_toBeSignedData( + mw_signedDataPayload + ) + ) + ) + ) { + var bitstring v_msg_bit; + v_msg_bit := oct2bit(p_decrypted_message.content.signedData.tbsData.payload.data.content.unsecuredData); + if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) { + ret := false; + } + } + case else { + ret := false; + } + } + return ret; + } // End of function f_read_pki_request_message + + function f_read_ec_request_from_iut_itss( + in Ieee1609Dot2Data p_encrypted_message, + out Oct16 p_request_hash, + out Oct16 p_aes_enc_key, + out Ieee1609Dot2Data p_decrypted_message, + out EtsiTs102941Data p_etsi_ts_102941_data, + out InnerEcRequest p_inner_ec_request + ) runs on ItsPkiHttp return boolean { + // Local variables + var PublicVerificationKey v_canonical_key; + var EtsiTs103097Certificate v_ec_certificate; + var HashedId8 v_ec_certificate_hashed_id8; + var InnerEcResponse v_inner_ec_response; +/* + if(false == f_get_canonical_itss_key(v_canonical_key)){ + log(">>> f_read_ec_request_from_iut_itss: error getting canonical key"); + return false; + } +*/ + if( f_read_pki_request_message( p_encrypted_message, vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, + p_request_hash, p_aes_enc_key, + p_decrypted_message, + p_etsi_ts_102941_data + )) { + // decode InnerEcRequest + var bitstring v_msg_bit := oct2bit(p_etsi_ts_102941_data.content.enrolmentRequest.content.signedData.tbsData.payload.data.content.unsecuredData); + if (decvalue(v_msg_bit, p_inner_ec_request) != 0) { + log("f_read_ec_request_from_iut_itss: Failed to decode InnerEcRequest"); + } + return true; + } + return false; + } // End of function f_read_ec_request_from_iut_itss + + /** * @desc Verify the protocol element of the Pki message. * If p_check_security is set to false, only decryption and decoding of the outer message are verified. @@ -5884,7 +6094,8 @@ module LibItsPki_Functions { function f_verify_pki_request_message( in Oct32 p_private_enc_key, in Oct32 p_salt, - in octetstring p_issuer, + in octetstring p_issuer_hash, + in template (omit) PublicVerificationKey p_verification_key, in Ieee1609Dot2Data p_ieee1609dot2_encrypted_and_signed_data, in boolean p_check_security := true, out Oct16 p_request_hash, @@ -5902,7 +6113,8 @@ module LibItsPki_Functions { log(">>> f_verify_pki_request_message: p_private_enc_key= ", p_private_enc_key); log(">>> f_verify_pki_request_message: p_salt= ", p_salt); - log(">>> f_verify_pki_request_message: p_issuer= ", p_issuer); + log(">>> f_verify_pki_request_message: p_issuer_hash= ", p_issuer_hash); + log(">>> f_verify_pki_request_message: p_verification_key= ", p_verification_key); log(">>> f_verify_pki_request_message: p_ieee1609dot2_encrypted_and_signed_data= ", p_ieee1609dot2_encrypted_and_signed_data); // 1. Calculate the request Hash @@ -5945,30 +6157,75 @@ module LibItsPki_Functions { // 4. Verifiy signature log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData); v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData)); - log("f_verify_pki_request_message: v_msg= ", v_msg); + if (not ispresent(p_verification_key)){ + var EtsiTs103097Certificate v_cert; + var charstring v_cert_id; + if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.digest)){ + if (not f_getCertificateFromDigest(v_ieee1609dot2_signed_data.content.signedData.signer.digest, v_cert, v_cert_id)){ + if (p_check_security == true) { + return false; + } + } + } + if (ischosen(v_ieee1609dot2_signed_data.content.signedData.signer.certificate)){ + if(lengthof(v_ieee1609dot2_signed_data.content.signedData.signer.certificate) > 0){ + v_cert := v_ieee1609dot2_signed_data.content.signedData.signer.certificate[0]; + } + } + if (isbound(v_cert)){ + if(ischosen(v_cert.toBeSigned.verifyKeyIndicator.verificationKey)){ + p_verification_key := v_cert.toBeSigned.verifyKeyIndicator.verificationKey; + } + } + } + if (ispresent(p_verification_key)){ + log("f_verify_pki_request_message: v_msg= ", v_msg); + if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, valueof(p_verification_key))) { + if (p_check_security == true) { + return false; + } + } + } + +/* if (p_issuer == ''O) { // self log("f_verify_pki_request_message: Issuer is self, check outer signature using IUT public key (PICS_ITS_S_SIGN_xxx_PUBLIC_KEY)"); var PublicVerificationKey v_verification_key; log("f_verify_pki_request_message: PX_VE_ALG=", PX_VE_ALG); if (PX_VE_ALG == e_nist_p256) { - if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) { + if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '00'O) { + v_verification_key.ecdsaNistP256.x_only := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32); + }else if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) { v_verification_key.ecdsaNistP256.compressed_y_0 := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32); - } else { + }else if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '03'O) { v_verification_key.ecdsaNistP256.compressed_y_1 := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32); + } else { + v_verification_key.ecdsaNistP256.uncompressedP256.x := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32); + v_verification_key.ecdsaNistP256.uncompressedP256.y := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 33, 32); } } else if (PX_VE_ALG == e_sm2_p256) { // FIXME FSCOM } else if (PX_VE_ALG == e_brainpool_p256_r1) { - if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) { + if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '00'O) { + v_verification_key.ecdsaBrainpoolP256r1.x_only := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32); + }else if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) { v_verification_key.ecdsaBrainpoolP256r1.compressed_y_0 := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32); - } else { + } else if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '03'O) { v_verification_key.ecdsaBrainpoolP256r1.compressed_y_1 := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32); + } else if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '04'O) { + v_verification_key.ecdsaBrainpoolP256r1.uncompressedP256.x := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32); + v_verification_key.ecdsaBrainpoolP256r1.uncompressedP256.y := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 33, 32); } } else if (PX_VE_ALG == e_brainpool_p384_r1) { - if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) { + if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '00'O) { + v_verification_key.ecdsaBrainpoolP384r1.x_only := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48); + }else if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) { v_verification_key.ecdsaBrainpoolP384r1.compressed_y_0 := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48); - } else { + }else if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) { v_verification_key.ecdsaBrainpoolP384r1.compressed_y_1 := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48); + }else if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '04'O) { + v_verification_key.ecdsaBrainpoolP384r1.uncompressedP384.x := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48); + v_verification_key.ecdsaBrainpoolP384r1.uncompressedP384.y := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 49, 48); } } log("f_verify_pki_request_message: v_verification_key=", v_verification_key); @@ -5991,7 +6248,7 @@ module LibItsPki_Functions { } } } - + */ // 4. Return the PKI message log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData); v_msg_bit := oct2bit(v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData);