* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing version
* indicating value 3
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_01_BV
* @reference ETSI TS 103 097 [2], clause 6
* IEEE Std 1609.2 [3], clause 6.4.3
*/
testcase TC_SECPKI_CA_CERTGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_01_BV
/**
* @desc Check that the issuing certificate has type explicit
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* CA is initialized with the explicit certificate (CERT_IUT_A_RCA)
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing version
* indicating value 3
* and containing type
* indicating 'explicit'
* and containing toBeSigned
* containing verifyKeyIndicator
* containing verificationKey
* and containing signature
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BV_01
* @reference ETSI TS 103 097 [2], clause 6
* IEEE Std 1609.2 [3], clause 6.4.3
*/
testcase TC_SECPKI_CA_CERTGEN_02_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES)) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_02_BV_01
/**
* @desc Check that the CA, been authorized using explicit certificate, is able to issue an implicit certificate
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* CA is initialized with the explicit certificate (CERT_IUT_A_RCA)
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the implicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing version
* indicating value 3
* and containing type
* indicating 'implicit'
* and containing toBeSigned
* containing verifyKeyIndicator
* containing reconstructionValue
* and not containing signature
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BV_02
* @reference ETSI TS 103 097 [2], clause 6
* IEEE Std 1609.2 [3], clause 6.4.3
*/
testcase TC_SECPKI_CA_CERTGEN_02_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) or not(PICS_SEC_IMPLICIT_CERTIFICATES)) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, true, true, true) == false) { // implicit, reconstructionKey and no signature
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_02_BV_02
/**
* @desc Check that the CA, been authorized using explicit certificate, is able to issue an implicit certificate
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* CA is initialized with the explicit certificate (CERT_IUT_I_AA)
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the implicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing version
* indicating value 3
* and containing type
* indicating 'implicit'
* and containing toBeSigned
* containing verifyKeyIndicator
* containing reconstructionValue
* and not containing signature
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BV_03
* @reference ETSI TS 103 097 [2], clause 6
* IEEE Std 1609.2 [3], clause 6.4.3
*/
testcase TC_SECPKI_CA_CERTGEN_02_BV_03() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) or not(PICS_SEC_IMPLICIT_CERTIFICATES)) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate("CERT_IUT_I_AA", -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate("CERT_IUT_I_AA", v_root_certificate) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_02_BV_03
/**
* @desc Check that the CA, been authorized using implicit certificate, does not issue an explicit certificate
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* CA is initialized with the explicit certificate (CERT_IUT_I_AA)
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* the CA doesn’t issue the certificate
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BO_01
* @reference ETSI TS 103 097 [2], clause 6
* IEEE Std 1609.2 [3], clause 6.4.3
*/
testcase TC_SECPKI_CA_CERTGEN_02_BO_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) or not(PICS_SEC_IMPLICIT_CERTIFICATES)) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
v_result := f_get_root_ca_certificate("CERT_IUT_I_AA", true, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": PASS: No root certificate was generated ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": FAIL: Root certificate shall not be generated ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_02_BO_01
/**
* @desc Check that CA issues certificate conformed to ETSI TS 103 097 [1], clause 6
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* CA is initialized with the explicit certificate (CERT_IUT_I_AA)
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBesigned
* containing id
* indicating 'none' or 'name'
* and containing cracaId
* indicating '000000'H
* and containing crlSeries
* indicating '0'D
* and not containing certRequestPermissions
* and not containing canRequestRollover
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_03_BV
* @reference ETSI TS 103 097 [2], clause 6
*/
testcase TC_SECPKI_CA_CERTGEN_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate("CERT_IUT_I_AA", -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate("CERT_IUT_I_AA", v_root_certificate) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_03_BV
/**
* @desc Check that the certificate issuer of certificates is referenced using digest
* Check that right digest field is used to reference to the certificate
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* CA is initialized with the explicit certificate (C_ISSUER)
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing issuer
* containing self
* or containing X_DIGEST
* indicating last 8 bytes of the hash of the certificate calculated using X_ALGORITHM
* referenced to certificate
* and containing toBeSigned
* containing verifyKeyIndicator
* containing verificationKey
* containing X_KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_04_BV
* @reference ETSI TS 103 097 [2], clause 6
*/
testcase TC_SECPKI_CA_CERTGEN_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var charstring v_authorized_certificate;
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_authorized_certificate := "CERT_IUT_I_AA";
v_result := f_get_root_ca_certificate(v_authorized_certificate, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(v_authorized_certificate, v_root_certificate) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_04_BV
/**
* @desc Check that the CA is able to issue the certificate with the well-formed circular region validity restriction
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_CIRCULAR_REGION
* Initial conditions:
* with {
* CA is in 'operational' state
* the CA is authorized with CA certificate
* containing toBeSigned
* containing region
* indicating REGION
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* containing circular region restriction
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing region
* containing circularRegion
* containing center
* indicating a point inside the REGION
* and containing radius
* indicating a value when all points of the circle are inside the REGION
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_05_BV
* @reference IEEE Std 1609.2 [2], clauses 6.4.20, 6.4.17, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE and not PICS_SEC_CIRCULAR_REGION) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_CIRCULAR_REGION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_05_BV
/**
* @desc Check that the CA is able to issue the certificate with the well-formed rectangular region validity restriction
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_RECTANGULAR_REGION
* Initial conditions:
* with {
* CA is in 'operational' state
* the CA is authorized with CA certificate
* containing toBeSigned
* containing region
* indicating REGION
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* containing rectangular region restriction
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing region
* containing rectangularRegion
* containing items of type RectangularRegion
* containing northwest
* indicating a point inside the REGION
* and containing southeast
* indicating a point on the south and east from northwest
* and inside the REGION
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_06_BV
* @reference IEEE Std 1609.2 [2], clauses 6.4.20, 6.4.17, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE and not PICS_SEC_RECTANGULAR_REGION) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_RECTANGULAR_REGION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_06_BV
/**
* @desc Check that the CA is able to issue the certificate with the well-formed polygonal region validity restriction
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_POLYGONAL_REGION
* Initial conditions:
* with {
* CA is in 'operational' state
* the CA is authorized with CA certificate
* containing toBeSigned
* containing region
* indicating REGION
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* containing polygonal region restriction
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing region
* containing polygonalRegion
* containing more than 2 items of type TwoDLocation
* indicating points inside the REGION
* and indicating unintercepting segments
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_07_BV
* @reference IEEE Std 1609.2 [2], clauses 6.4.20, 6.4.17, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE and not PICS_SEC_POLYGONAL_REGION) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_POLYGONAL_REGION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_07_BV
/**
* @desc Check that the CA is able to issue the certificate with identified region validity restriction contains values that correspond to numeric country codes as defined by United Nations Statistics Division [5]
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION
* Initial conditions:
* with {
* CA is in 'operational' state
* the CA is authorized with CA certificate
* containing toBeSigned
* containing region
* indicating REGION
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* containing identified region validity restriction
* indicating country or area COUNTRY
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing region
* containing identifiedRegion
* containing 1 entry of type IdentifiedRegion
* containing countryOnly
* indicating integer representation of the identifier of country or area COUNTRY
* or containing countryAndRegions
* containing countryOnly
* indicating integer representation of the identifier of country or area COUNTRY
* or containing countryAndSubregions
* containing country
* indicating integer representation of the identifier of country or area COUNTRY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_08_BV
* @reference IEEE Std 1609.2 [2], clauses 6.4.23
*/
testcase TC_SECPKI_CA_CERTGEN_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE and not PICS_SEC_IDENTIFIED_REGION) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_08_BV
/**
* @desc Check that the identified region validity restriction of the subordinate certificate is included in the identified region validity restriction of the issuing certificate
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION
* Initial conditions:
* with {
* CA is in 'operational' state
* the CA is authorized with CA certificate
* containing toBeSigned
* containing region
* containing identifiedRegion
* containing countryOnly
* indicating COUNTRY
* or containing countryAndRegions
* containing countryOnly
* indicating COUNTRY
* and containing regions
* indicating REGIONS
* or containing countryAndSubregions
* containing country
* indicating COUNTRY
* and containing regionAndSubregions
* indicating REGIONS and SUBREGIONS
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the certificate
* containing identifiedRegion
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing region
* containing identifiedRegion
* containing countryOnly
* indicating value = COUNTRY
* or containing countryAndRegions
* containing countryOnly
* indicating value = COUNTRY
* and containing regions
* containing region identifiers contained in REGIONS
* or containing countryAndSubregions
* containing country
* indicating value = COUNTRY
* and containing regionAndSubregions
* containing region identifiers contained in REGIONS
* and containing subRegion identifiers contained in SUBREGIONS for every region
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_09_BV
* @reference IEEE Std 1609.2 [2], clauses 6.4.17, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE and not PICS_SEC_IDENTIFIED_REGION) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_09_BV
/**
* @desc Check that the certificate signature contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 or x_coordinate_only
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing signature
* containing X_SIGNATURE
* containing rSig
* containing x-only
* or containing compressed-y-0
* or containing compressed-y-1
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_10_BV
* @reference IEEE Std 1609.2 [3], clause 6.3.29, 6.3.30, 6.3.31
*/
testcase TC_SECPKI_CA_CERTGEN_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_10_BV
/**
* @desc Check that the certificate verification key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 or uncompressed
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing verifyKeyIndicator
* containing verificationKey
* containing X_KEY
* containing x-only
* or containing compressed-y-0
* or containing compressed-y-1
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_11_BV
* @reference IEEE Std 1609.2 [3], clause 6.3.38
*/
testcase TC_SECPKI_CA_CERTGEN_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_11_BV
/**
* @desc Check that the certificate encryption key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 or uncompressed
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing encryptionKey
* containing publicKey
* containing X_KEY
* containing uncompressed
* or containing compressed-y-0
* or containing compressed-y-1
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_12_BV
* @reference IEEE Std 1609.2 [3], clause 6.3.38
*/
testcase TC_SECPKI_CA_CERTGEN_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_12_BV
/**
* @desc Check the explicit certificate signature
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* and the CA is authorized with explicit certificate
* containing toBeSigned
* containing verifyKeyIndicator
* containing verificationKey
* containing X_KEY
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is requested to issue the explicit certificate
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing issuer
* referencing the certificate
* containing toBeSigned
* containing verifyKeyIndicator
* containing verificationKey
* containing X_KEY
* indicating KEY
* and containing signature
* containing X_SIGNATURE
* verifiable using KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_13_BV_01
* @reference ETSI TS 103 097 [1], clause 6
*/
testcase TC_SECPKI_CA_CERTGEN_13_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_13_BV_01
/**
* @desc Check the explicit certificate signature
*
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES
* Initial conditions:
* with {
* CA is in 'operational' state
* and the CA is authorized with explicit certificate
* containing toBeSigned
* containing verifyKeyIndicator
* containing verificationKey
* containing X_KEY
* and the CA issued the implicit certificate of type EtsiTs103097Certificate (CERT)
* not containing signature
* and containing issuer
* referencing the certificate
* containing toBeSigned
* containing verifyKeyIndicator
* containing reconstructionValue
* indicating VALUE
* }
* Expected behaviour:
* ensure that {
* when {
* the CA is calculated the digital signature
* using the private key associated with the CERT
* }
* then {
* this signature can be verified using public key
* reconstructed using VALUE and KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_13_BV_02
* @reference ETSI TS 103 097 [1], clause 6
*/
testcase TC_SECPKI_CA_CERTGEN_13_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, true, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_13_BV_02
/**
* @desc Check that all PSID entries of the appPermissions component of the certificate are unique
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA issued the certificate
* containing toBeSigned
* containing appPermissions
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing appPermissions
* containing items of type PsidSsp
* containing psid
* indicating unique values in this sequence
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_14_BV
* @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_14_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_14_BV
/**
* @desc Check that all PSID entries of the appPermissions component of the certificate are also contained in the certIssuePermissions component in the issuing certificate
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA issued the certificate
* containing toBeSigned
* containing appPermissions
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing issuer
* referenced to the certificate
* containing toBeSigned
* containing certIssuePermissions
* containing items of type PsidGroupPermissions
* containing eeType
* indicating app(0)
* and containing subjectPermissions
* containing explicit
* containing items of type PsidSspRange
* indicating X_PSID_RANGE_LIST
* or containing all
* and containing toBeSigned
* containing appPermissions
* containing items of type PsidSsp
* containing psid
* contained in the X_PSID_RANGE_LIST
* as a psid
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_15_BV
* @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_15_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_15_BV
/**
* @desc Check that all PSID entries of the certIssuePermissions component of the certificate are unique
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA issued the certificate
* containing toBeSigned
* containing certIssuePermissions
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing issuer
* containing toBeSigned
* containing certIssuePermissions
* containing items of type PsidGroupPermissions
* containing subjectPermissions
* containing explicit
* and containing items of type PsidSspRange
* containing psid
* indicating unique values in this sequence
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_16_BV
* @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_16_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_16_BV
/**
* @desc Check that SSP field in each entry of the appPermissions component of the AT certificate is equal to or a subset of the SSP Range in the corresponding issuing entry
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the CA issued the certificate
* containing toBeSigned
* containing certIssuePermissions
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing issuer
* referenced to the certificate
* containing toBeSigned
* containing certIssuePermissions
* containing items of type PsidGroupPermissions
* containing eeType
* indicating app(0)
* and containing subjectPermissions
* containing explicit
* containing items of type PsidSspRange
* containing psid
* indicating X_PSID_AA
* containing sspRange
* indicating X_SSP_AA [ X_PSID_AA ]
* or containing all
* and containing toBeSigned
* containing appPermissions
* containing items of type PsidSsp
* containing psid
* indicating value equal to X_PSID_AA
* containing ssp
* indicating value permitted by X_SSP_AA [ X_PSID_AA ]
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_17_BV
* @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_17_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_17_BV
/**
* @desc Check that the validityPeriod of the subordinate certificate is inside the validityPeriod of the issuing certificate
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* with {
* CA is in 'operational' state
* and the CA is authorized with CA certificate
* containing toBeSigned
* containing validityPeriod
* containing start
* indicating X_START_VALIDITY_CA
* containing duration
* indicating X_DURATION_CA
* }
* Expected behaviour:
* ensure that {
* when {
* the CA issued the certificate
* containing toBeSigned
* containing certIssuePermissions
* }
* then {
* this certificate is of type EtsiTs103097Certificate
* containing toBeSigned
* containing validityPeriod
* containing start
* indicating X_START_VALIDITY ( X_START_VALIDITY >= X_START_VALIDITY_CA )
* and containing duration
* indicating value <= X_START_VALIDITY_CA + X_DURATION_CA - X_START_VALIDITY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_18_BV
* @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
*/
testcase TC_SECPKI_CA_CERTGEN_18_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var integer v_result;
var Certificate v_root_certificate;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_connect4SelfOrClientSync();
// Test adapter configuration
if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
stop;
}
// Preamble
v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
if (v_result == -1) {
log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
// Test Body
if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, -, -, true) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
// Postamble
f_disconnect4SelfOrClientSync();
} // End of testcase TC_SECPKI_CA_CERTGEN_18_BV
} // End of group ca_behaviour
group ea_behavior {
group ea_helpers {
} // End of group ea_helpers
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.1 Enrollment request handling
group ea_enrolment_request_handling {
/**
* @desc The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at
* reference point S3 in response to a received EnrolmentRequest message.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage across the interface at the reference point S3
* }
* then {
* the IUT answers with an EnrolmentResponseMessage across the interface at reference point S3
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_01_BV
/**
* @desc Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted
* by signing certificate.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* containing an encrypted EtsiTs103097Data-Signed
* containing signer
* containing digest
* indicating HashedId8 of the certificate CERT
* containing appPermissions
* not containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* or containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating other value than 1
* or containing opaque[1] (value)
* indicating "Enrolment Request" (bit 1) set to 0
* }
* then {
* the IUT answers with an EnrolmentResponseMessage
* containing InnerECResponse
* containing responseCode
* indicating "deniedpermissions"
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_RCV_02_BI
* @reference ETSI TS 102 941, clause B.5
*/
testcase TC_SECPKI_EA_ENR_RCV_02_BI_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
// f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == true) {
log("*** " & testcasename() & ": PASS: InnerEcResponse error code received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI_01
testcase TC_SECPKI_EA_ENR_RCV_02_BI_02() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_VERSION })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
// f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == true) {
log("*** " & testcasename() & ": PASS: InnerEcResponse error code received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI_02
testcase TC_SECPKI_EA_ENR_RCV_02_BI_03() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_SSP_BIT })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
// f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == true) {
log("*** " & testcasename() & ": PASS: InnerEcResponse error code received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI_03
/**
* @desc Enroll an ITS-Station, but with a canonical-ID, that is not registered.
*/
testcase TC_SECPKI_EA_ENR_RCV_05_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, PICS_INVALID_ITS_S_CANONICAL_ID, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), unknownits))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), unknownits))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_05_BI
/**
* @desc Enroll the ITS-Station, but the CSR re-quests more permissions than the issuer allows,
* i.e. request for security management SSP bit which is not set in the EA SSP
*/
testcase TC_SECPKI_EA_ENR_RCV_06_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedpermissions received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_06_BI
/**
* @desc Enroll the ITS-Station, but the CSR requests a AID permission that the issuer does not allow, i.e. request for CAM AID
*/
testcase TC_SECPKI_EA_ENR_RCV_07_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })), valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedpermissions received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_07_BI
/**
* @desc Enroll the ITS-Station, but the expiring date of the CSR is before the start date of the EA
*/
testcase TC_SECPKI_EA_ENR_RCV_08_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, valueof(m_duration_years(50)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_08_BI
/**
* @desc Enroll the ITS-Station, but the start date of the CSR is before the start date of the EA
*/
testcase TC_SECPKI_EA_ENR_RCV_09_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_09_BI
/**
* @desc Enroll the ITS-Station, but the expiring date of the CSR is after the expiring date of the EA
*/
testcase TC_SECPKI_EA_ENR_RCV_10_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, vc_eaCertificate.toBeSigned.validityPeriod.start_, valueof(m_duration_years(50)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_10_BI
/**
* @desc Enroll the ITS-Station, but the start date of the CSR is after the expiring date of the EA
*/
testcase TC_SECPKI_EA_ENR_RCV_11_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, 3 * vc_eaCertificate.toBeSigned.validityPeriod.start_, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_11_BI
/**
* @desc Enroll the ITS-Station, but the lifetime of the EC would be grater than allowed (considering values in C-ITS CP)
*/
testcase TC_SECPKI_EA_ENR_RCV_12_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_years(4)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_12_BI
/**
* @desc Enroll the ITS-Station, but the inner PoP signature in the CSR, created with the EC private key, can not be verified with the provided public key
*/
testcase TC_SECPKI_EA_ENR_RCV_13_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), true, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), invalidsignature))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), invalidsignature))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_RCV_13_BI
} // End of group ea_group enrolment_request_handling
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.2 Enrollment response
group ea_enrolment_response {
/**
* @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved
* algorithm and the encryption shall be done with the same AES key as the one used
* by the ITS-S requestor for the encryption of the EnrolmentRequest message
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* containing encKey
* containing an encrypted AES key (SYMKEY)
* }
* then {
* the IUT answers with an EnrolmentResponseMessage
* containing cipherTex
* being encrypted using SYMKEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_01_BV
/**
* @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved
* algorithm and the encryption shall be done with the same AES key as the one used
* by the ITS-S requestor for the encryption of the EnrolmentRequest message.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* containing encKey
* containing an encrypted AES key (SYMKEY)
* }
* then {
* the IUT answers with an EnrolmentResponseMessage
* containing cipherTex
* being encrypted
* using SYMKEY
* and using an ETSI TS 103 097 approved algorithm
* }
* }
*
*
* @see ETSI TS 103 525-2 TP 22
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_02_BV
/**
* @desc The outermost structure is an EtsiTs103097Data-Encrypted structure containing
* the component recipients containing one instance of RecipientInfo of choice
* pskRecipInfo, which contains the HashedId8 of the symmetric key used by the
* ITS-S to encrypt the EnrolmentRequest message to which the response is built
* and containing the component ciphertext, once decrypted, contains an
* EtsiTs103097Data-Signed structure
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing recipients
* containing one instance of RecipientInfo of choice pskRecipInfo
* containing the HashedId8 of the symmetric key used to encrypt the EnrolmentRequestMessage
* and containing cipherText
* being an encrypted EtsiTs103097Data-Signed structure
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_03_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_03_BV
/**
* @desc If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall
* contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as
* specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the
* EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to
* its publicVerificationKey found in the referenced EA certificate.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing hashId
* indicating the hash algorithm to be used as specified in ETSI TS 103 097
* and containing tbsData
* and containing signer
* declared as a digest
* containing the HashedId8 of the EA certificate
* and containing signature
* computed over tbsData
* using the EA private key
* corresponding to the publicVerificationKey found in the referenced EA certificate
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_04_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
var HashedId8 v_ec_cert_hashed_id8;
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == false) {
log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_04_BV
/**
* @desc Within the headerInfo of the tbsData, the psid shall be set to secured certificate request as assigned in
* ETSI TS 102 965 and the generationTime shall be present.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_CERT_REQ
* and containing generationTime
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_05_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
var HashedId8 v_ec_cert_hashed_id8;
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8)) {
log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_05_BV
/**
* @desc Within the headerInfo of the tbsData, aside from psid and generationTime,
* all other components of the component tbsData.headerInfo not used and absent.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing headerInfo
* containing psid
* and containing generationTime
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_06_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
var HashedId8 v_ec_cert_hashed_id8;
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8)) {
log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_06_BV
/**
* @desc The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1)
* and the content set to InnerECResponse.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing version
* indicating v1 (integer value set to 1)
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_07_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_07_BV
/**
* @desc The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the
* EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing requestHash
* indicating the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the request
* and containing responseCode
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_08_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_08_BV
/**
* @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing InnerECResponse
* containing an enrolment certificate
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_09_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ mw_recipientInfo_pskRecipInfo },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) {
var HashedId8 v_ec_cert_hashed_id8;
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == true) {
log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_09_BV
/**
* @desc If the responseCode is different than 0, the InnerECResponse shall not contain a certificate.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing tbsData
* containing EtsiTS102941Data
* containing InnerECResponse
* not containing a certificate
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_10_BV
* @reference ETSI TS 102 941, clause 6.2.3.2.2
*/
testcase TC_SECPKI_EA_ENR_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_invalid_enrolment_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
-,
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ko))) {
log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_10_BV
/**
* @desc Check that signing of Enrolment response message is permitted by the EA certificate.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the IUT sends an EtsiTs103097Data-Encrypted structure
* containing an encrypted EtsiTs103097Data-Signed structure
* containing signer
* declared as a digest
* containing the HashedId8 of the EA certificate
* containing appPermissions
* containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating 1
* containing opaque[1] (value)
* indicating bit "Enrolment Response" (5) set to 1
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_11_BV
* @reference ETSI TS 102 941, clause B[5]
*/
testcase TC_SECPKI_EA_ENR_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ mw_recipientInfo_pskRecipInfo },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) {
var HashedId8 v_ec_cert_hashed_id8;
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == true) {
log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_11_BV
/**
* @desc Check that generated EC certificate contains only allowed permissions.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EnrolmentRequestMessage
* }
* then {
* the EC_CERT
* containing appPermissions
* containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating 1
* containing opaque[1] (value)
* indicating "Enrolment Request" (bit 0) set to 1
* indicating "Authorization Request" (bit 1) set to 1
* indicating other bits set to 0
* and NOT containing an item of type PsidSsp
* containing psid
* indicating AID_CTL
* and NOT containing an item of type PsidSsp
* containing psid
* indicating AID_CRL
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_12_BV
* @reference ETSI TS 102 941, clause B[5]
*/
testcase TC_SECPKI_EA_ENR_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key;
var Oct32 v_public_compressed_key;
var integer v_compressed_mode;
var Oct32 v_request_hash;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Oct16 v_aes_sym_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ mw_recipientInfo_pskRecipInfo },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***");
log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) {
var HashedId8 v_ec_cert_hashed_id8;
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == true) {
log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_ENR_12_BV
} // End of group ea_enrolment_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.2 Enrollment response
group authorization_validation_request {
group atv_helpers {
function f_verify_http_at_request_from_iut_atv(
in Request p_request,
out Oct16 p_aes_enc_key,
out Oct16 p_request_hash,
out SharedAtRequest p_shared_at_request,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var HashedId8 v_bfk_hashed_id8;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var EtsiTs103097Certificate v_aaCertificate;
var charstring v_aaCertificate_id;
log(">>> f_verify_http_at_request_from_iut_atv: p_request= ", p_request);
p_result := 0;
if (not(f_getCertificateFromDigest(f_hashedId8FromSha256(vc_aaWholeHash), v_aaCertificate, v_aaCertificate_id))) {
p_result := -1;
return;
}
if (not(f_verify_pki_request_message(vc_eaPrivateEncKey/*Encrypted with AA*/, vc_eaWholeHash/*salt*/, vc_aaWholeHash/*Issuer is AA*/,
v_aaCertificate.toBeSigned.verifyKeyIndicator.verificationKey,
p_request.body.binary_body.ieee1609dot2_data, true, p_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, p_aes_enc_key))) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_request_from_iut_atv: Receive ", v_etsi_ts_102941_data);
log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationRequest(mw_authorization_validation_request(mw_shared_at_request, mw_ec_signature)))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationRequest(mw_authorization_validation_request(mw_shared_at_request, mw_ec_signature))) == false) { // TODO To be refined
// Set verdict
p_result := -2;
} else {
p_shared_at_request := v_etsi_ts_102941_data.content.authorizationValidationRequest.sharedAtRequest;
log("f_verify_http_at_request_from_iut_atv: p_shared_at_request= ", p_shared_at_request);
// TODO Refined expected mw_signature_ecdsaNistP256
}
}
log("<<< f_verify_http_at_request_from_iut_atv: p_shared_at_request= ", p_shared_at_request);
log("<<< f_verify_http_at_request_from_iut_atv: p_aes_sym_key= ", p_aes_enc_key);
log("<<< f_verify_http_at_request_from_iut_atv: p_request_hash= ", p_request_hash);
log("<<< f_verify_http_at_request_from_iut_atv: p_result: ", p_result);
} // End of function f_verify_http_at_request_from_iut_atv
function f_verify_http_at_response_from_iut_atv(
in InnerAtRequest p_inner_at_request,
in Response p_response,
in octetstring p_private_key,
in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector,
in Oct32 p_request_hash,
out InnerAtResponse p_inner_at_response,
//TODO out EtsiTs103097Data p_authorization_validation_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
log(">>> f_verify_http_at_response_from_iut_atv: p_inner_at_request= ", p_inner_at_request);
log(">>> f_verify_http_at_response_from_iut_atv: p_response= ", p_response);
log(">>> f_verify_http_at_response_from_iut_atv: p_private_key= ", p_private_key);
log(">>> f_verify_http_at_response_from_iut_atv: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_http_at_response_from_iut_atv: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_http_at_response_from_iut_atv: p_request_hash= ", p_request_hash);
p_result := 0;
if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_eaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_response_from_iut_atv: Receive ", v_etsi_ts_102941_data);
log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod)))) == false) {
// Set verdict
p_result := -2;
} else {
// TODO Refined expected mw_signature_ecdsaNistP256
log("f_verify_http_at_response_from_iut_atv: Well-secured AT certificate received");
}
}
log("<<< f_verify_http_at_response_from_iut_atv: p_result: ", p_result);
} // End of function f_verify_http_at_response_from_iut_atv
function f_verify_http_at_response_from_iut_atv_error(
in InnerAtRequest p_inner_at_request,
in Response p_response,
in octetstring p_private_key,
in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector,
in Oct32 p_request_hash,
out InnerAtResponse p_inner_at_response,
//TODO out EtsiTs103097Data p_authorization_validation_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
log(">>> f_verify_http_at_response_from_iut_atv_error: p_inner_at_request= ", p_inner_at_request);
log(">>> f_verify_http_at_response_from_iut_atv_error: p_response= ", p_response);
log(">>> f_verify_http_at_response_from_iut_atv_error: p_private_key= ", p_private_key);
log(">>> f_verify_http_at_response_from_iut_atv_error: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_http_at_response_from_iut_atv_error: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_http_at_response_from_iut_atv_error: p_request_hash= ", p_request_hash);
p_result := 0;
if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_eaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_response_from_iut_atv_error: Receive ", v_etsi_ts_102941_data);
log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ko(substr(p_request_hash, 0, 16))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ko(substr(p_request_hash, 0, 16)))) == false) {
// Set verdict
p_result := -2;
} else {
// TODO Refined expected mw_signature_ecdsaNistP256
log("f_verify_http_at_response_from_iut_atv_error: Well-formatted error response received");
}
}
log("<<< f_verify_http_at_response_from_iut_atv_error: p_result: ", p_result);
} // End of function f_verify_http_at_response_from_iut_atv_error
} // End of group atv_helpers
/**
* @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface
* at reference point S4 in response to a received AuthorizationValidationRequest message
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* across the reference point S4 to the AA
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.4
* @remark Need to provide CERT_TS_A_AA & CERT_IUT_A_RCA to the PKI
*/
testcase TC_SECPKI_EA_AUTHVAL_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_RCV_01_BV
/**
* @desc Check that EA doesn't accept Authorization Validation Request when
* SharedAtRequest is signed with certificate without appropriate
* permissions
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* across the reference point S4 to the AA
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_RCV_02_BI
* @reference ETSI TS 102 941, clause B[5]
* @remark Need to provide CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01 to the PKI
*/
testcase TC_SECPKI_EA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
//f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, "CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01");
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key_at, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) {
log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: InnerEcResponse received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_RCV_02_BI
} // End of group authorization_validation_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.4 Authorization validation response
group ea_authorization_validation_response {
/**
* @desc The EtsiTs103097Data-Encrypted is build with the component recipients containing one instance of RecipientInfo
* of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the
* AuthorizationRequest message to which the response is built and the component ciphertext containing the encrypted
* representation of the EtsiTs103097Data-Signed. The encryption uses a ETSI TS 103 097 [3] approved algorithm.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* containing encKey
* containing the encrypted symmetric data encryption key (SYMKEY)
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* containing EtsiTs103097Data-Encrypted
* containing recipients
* containing one instance of RecipientInfo of choice pskRecipInfo
* indicating the HashedId8 of SYMKEY
* and containing ciphertext
* containing EtsiTs103097Data-Signed
* being encrypted using SYMKEY and an ETSI TS 103 097 approved algorithm
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.4.2
*/
testcase TC_SECPKI_EA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_01_BV
/**
* @desc To read an authorization validation response, the AA shall receive an EtsiTs103097Data-Encrypted structure,
* containing a EtsiTs103097Data-Signed structure, containing a EtsiTs102941Data structure, containing an
* AuthorizationValidationResponse structure.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* containing EtsiTs103097Data-Signed
* containing AuthorizationValidationResponse
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.4.2
*/
testcase TC_SECPKI_EA_AUTHVAL_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_02_BV
/**
* @desc The AuthorizationValidationResponse structure contains the requestHash being the left-most 16 octets of
* the SHA256 digest of the EtsiTs103097Data-Signed structure received in the AuthorizationValidationRequest
* and a responseCode.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* containing EtsiTs103097Data-Signed structure (REQDSS)
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* containing EtsiTs103097Data-Signed
* containing EtsiTs102941Data
* containing AuthorizationValidationResponse
* containing requestHash
* indicating the left-most 16 octets of the SHA256 digest of REQDSS
* and containing responseCode
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_03_BV
* @reference ETSI TS 102 941, clause 6.2.3.4.2
*/
testcase TC_SECPKI_EA_AUTHVAL_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_03_BV
/**
* @desc If the responseCode is 0, the AuthorizationValidationResponse structure contains the component
* confirmedSubjectAttributes with the attributes the EA wishes to confirm, except for certIssuePermissions
* which is not allowed to be present.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* and the IUT responds with a AuthorizationValidationResponse message
* containing AuthorizationValidationResponse
* containing responseCode
* indicating 0
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* contains an AuthorizationValidationResponse structure
* containing confirmedSubjectAttributes
* not containing certIssuePermissions
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_04_BV
* @reference ETSI TS 102 941, clause 6.2.3.4.2
*/
testcase TC_SECPKI_EA_AUTHVAL_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_04_BV
/**
* @desc If the responseCode is different than 0, the AuthorizationValidationResponse structure does not contain
* the component confirmedSubjectAttributes.
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* and the IUT responds with a AuthorizationValidationResponse message
* containing AuthorizationValidationResponse
* containing responseCode
* indicating a value different than 0
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* contains an AuthorizationValidationResponse structure
* not containing confirmedSubjectAttributes
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_05_BV
* @reference ETSI TS 102 941, clause 6.2.3.4.2
*/
testcase TC_SECPKI_EA_AUTHVAL_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_invalid_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv_error(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-formatted error response received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_04_BV
/**
* @desc The component version of the EtsiTs102941Data structure is set to v1 (integer value set to 1).
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a AuthorizationValidationRequest message
* }
* then {
* the IUT sends a AuthorizationValidationResponse message
* containing EtsiTs103097Data-Signed
* containing EtsiTs103097Data
* containing version
* indicating v1 (integer value set to 1)
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_06_BV
* @reference ETSI TS 102 941, clause 6.2.3.4.2
*/
testcase TC_SECPKI_EA_AUTHVAL_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_key_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var InnerAtRequest v_inner_at_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
// Generate an InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) {
log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request);
log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_atv_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_ATV,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_AUTHVAL_06_BV
// TC_SECPKI_EA_AUTHVAL_07_BV covered by TC_SECPKI_EA_AUTHVAL_02..04_BV
// TC_SECPKI_EA_AUTHVAL_08_BV covered by TC_SECPKI_EA_AUTHVAL_02..04_BV
// TC_SECPKI_EA_AUTHVAL_09_BV covered by TC_SECPKI_EA_AUTHVAL_02..04_BV
} // End of group eaauthorization_validation_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.5 CA Certificate Request
group ca_certificate_request {
/**
* @desc SubCA certificate requests of the EA are transported to the RCA using CACertificateRequest messages across the reference point S10
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* across the reference point S10 to the RCA
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_01_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_01_BV
/**
* @desc The application form should include the digital fingerprint of the CACertificateRequestMessage in printable format
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing a signature (SIG)
* containing EtsiTs103097Data
* being computed using a ETSI TS 103 097 [2] approved hash algorithm
* and the IUT exports the digital fingerprint SIG in a printable format
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_02_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_02_BV
/**
* @desc The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097,
* the signer is set to 'self' and the signature over the tbsData is computed using the private key corresponding to the new verificationKey to be certified (i.e. the request is self-signed)
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing EtsiTs103097Data-Signed structure
* containing hashId
* indicating the hash algorithm to be used
* and containing signer
* indicating 'self'
* and containing tbsData
* containing the EtsiTs102941Data structure
* containing caCertificateRequest
* containing publicKeys
* containing verification_key (VKEY)
* and containing signature
* computed over tbsData using the private key corresponding to the verificationKey (VKEY)
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_03_BV
* @reference ETSI TS 102 941, clause 6.2.1
* ETSI TS 103 097, clause 7
*/
testcase TC_SECPKI_EA_CERTGEN_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_03_BV
/**
* @desc An ECC private key is randomly generated, the corresponding public key (verificationKey) is provided to be included in the CaCertificateRequest
* An ECC encryption private key is randomly generated, the corresponding public key (encryptionKey) is provided to be included in the CACertificateRequest.
* CaCertificateRequest.publicKeys shall contain verification_key and encryption_key
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing caCertificateRequest
* containing publicKeys
* and containing encryption_key
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_04_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_04_BV
/**
* @desc The EtsiTs102941Data structure is built with version set to v1 (integer value set to 1)
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing EtsiTs102941Data
* containing version
* indicating v1 (integer value set to 1)
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_05_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_05_BV
/**
* @desc CaCertificateRequest.requestedSubjectAttributes shall contain the requested certificates attributes as specified in ETSI TS 103 097, clause 7.2.4
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing CaCertificateRequest
* containing requestedSubjectAttributes
* as specified in ETSI TS 103 097, clause 7.2.4
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_06_BV
* @reference ETSI TS 102 941, clause 6.2.1
* ETSI TS 103 097, clause 7.2.4
*/
testcase TC_SECPKI_EA_CERTGEN_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_06_BV
/**
* @desc EtsiTs103097Data-Signed.tbsData contains the EtsiTs102941Data as payload and the headerInfo containing psid and generationTime
* The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and the generationTime shall be present
* All other components of the component tbsdata.headerInfo are not used and absent
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing headerInfo
* containing psid
* indicating SEC_CERT_REQ
* and containing generationTime
* and not containing any other component of tbsdata.headerInfo
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_07_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_07_BV
/**
* @desc If the current private key has reached its end of validity period or is revoked, the SubCA shall restart the initial certificate application process
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* and SubCA certificate is no longer valid (due to end of validity or revocation)
* }
* then {
* the IUT switches to the ''initial' state
* and sends a CACertificateRequestMessage
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_08_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_08_BV
/**
* @desc For the re-keying application to the RCA (CaCertificateRekeyingMessage), an EtsiTs103097Data-Signed structure is built, containing: hashId, tbsData, signer and signature
* The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097
* The signer declared as a digest, containing the hashedId8 of the EA certificate and the signature over tbsData is computed using the currently valid private key corresponding to the EA certificate (outer signature)
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to send a CACertificateRequestMessage
* }
* then {
* the IUT sends a CACertificateRequestMessage
* containing EtsiTs103097Data-Signed structure
* containing hashId
* indicating the hash algorithm to be used
* and containing tbsData
* and containing signer
* containing digest
* indicating HashedId8 of the SubCA certificate (CERT)
* and containing signature
* computed over tbsData
* using the private key corresponding to CERT
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_09_BV
* @reference ETSI TS 102 941, clause 6.2.1
* ETSI TS 103 097, clause 7
*/
testcase TC_SECPKI_EA_CERTGEN_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_09_BV
/**
* @desc The (outer) tbsData of the CACertificateRekeyingMessage shall contain the CaCertificateRequestMessage as payload
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* }
* then {
* the IUT sends a CACertificateRekeyingMessage
* containing EtsiTs103097Data-Signed structure
* containing tbsData
* containing CaCertificateRequestMessage
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_10_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_10_BV
/**
* @desc The (outer) tbsData of the CACertificateRekeyingMessage shall contain a headerInfo containing psid and generationTime.
* The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and the generationTime shall be present
* All other components of the component tbsdata.headerInfo are not used and absent
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* }
* then {
* the IUT sends a CACertificateRekeyingMessage
* containing tbsData
* containing psid
* indicating SEC_CERT_REQ
* and containing generationTime
* and not containing any other component of tbsdata.headerInfo
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_11_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_11_BV
/**
* @desc Check that the CaCertificateRekeyingMessage is permitted by CA certificate
*
* Pics Selection:
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT is requested to perform a CA certificate rekeying procedure
* }
* then {
* the IUT sends a CACertificateRekeyingMessage
* containing EtsiTs103097Data-Signed structure
* containing tbsData
* and containing signer
* containing digest
* indicating HashedId8 of the CA certificate
* containing appPermissions
* containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating 1
* containing opaque[1] (value)
* indicating 'CA Certificate Response' (bit 6) set to 1
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_12_BV
* @reference ETSI TS 102 941, clause 6.2.1
*/
testcase TC_SECPKI_EA_CERTGEN_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
setverdict(inconc);
} // End of testcase TC_SECPKI_EA_CERTGEN_12_BV
} // End of group ca_certificate_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6 Authorization using butterfly key expansion mechanism
group ea_authorization_with_bfk {
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6.1 Butterfly authorization response
group ea_bfk_auth_response {
/**
* @desc Check that the EA sends the butterfly authorization respond message after receiving of the butterfly authorization request
* Check that this message is signed with EA certificate
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the ITS-S in 'enrolled' state
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a ButterflyAuthorizationRequestMessage message
* }
* then {
* the IUT send an EtsiTs103097Data to the ITS-S
* containing content.signedData
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing generationTime
* and not containing any other field
* and containing payload.data
* indicating EtsiTs102941Data
* containing version
* indicating ‘1’
* and containing content
* containing butterflyCertificateResponse
* and containing signer
* containing digest
* indicating HashedId8 of the CERT_EA
* and containing signature
* validated using CERT_EA verification public key
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_01_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key_ec;
var octetstring v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var EeRaCertRequest v_ee_ra_cert_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec);
// Generate an ButterflyAutorizationRequest
f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: v_ee_ra_cert_request= ", v_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: v_caterpillar_private_key= ", v_caterpillar_private_key);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AUTH,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyAuthorizationResponseMessage(
mw_signedData(
sha256,
mw_toBeSignedData,
m_signerIdentifier_digest(vc_eaHashedId8)
)))))),
v_response
) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: Signed message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_01_BV
/**
* @desc Check that the butterfly authorization respond message, sent by EA, contains all necessary fields
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the ITS-S in 'enrolled' state
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a ButterflyAuthorizationRequestMessage message (REQ)
* }
* then {
* the IUT send to the ITS-S a ButterflyAuthorizationResponseMessage
* containing butterflyCertificateResponse
* containing RaEeCertInfo
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing currentI
* and containing requestHash
* indicating the left-most 16 octets of the SHA256 digest of the REQ
* and containing nextDlTime
* and not containing acpcTreeId
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_02_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key_ec;
var octetstring v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var EeRaCertRequest v_ee_ra_cert_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec);
// Generate an ButterflyAutorizationRequest
f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: v_ee_ra_cert_request= ", v_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: v_caterpillar_private_key= ", v_caterpillar_private_key);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AUTH,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyAuthorizationResponseMessage(
mw_signedData(
sha256,
mw_toBeSignedData,
m_signerIdentifier_digest(vc_eaHashedId8)
)))))),
v_response
) {
tc_ac.stop;
var octetstring v_tbs := bit2oct(encvalue(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData));
if (f_verifyEcdsa(v_tbs, vc_eaWholeHash256, v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.signature_, vc_eaCertificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify signature message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
var bitstring v_etsi_ts_102941_data_content_msg := oct2bit(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
var EtsiTs102941MessagesCa.EtsiTs102941Data v_etsi_ts_102941_data;
if (decvalue(v_etsi_ts_102941_data_content_msg, v_etsi_ts_102941_data) != 0) {
log("*** " & testcasename() & ": FAIL: Failed to decode message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": DBG: v_etsi_ts_102941_data: ", v_etsi_ts_102941_data);
log("*** " & testcasename() & ": INFO: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (not(match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)))) {
log("*** " & testcasename() & ": FAIL: Unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_02_BV
} // End of group ea_bfk_auth_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6 Authorization using butterfly key expansion mechanism
group ea_bfk_cert_request {
group bfk_auth_request_helpers {
function f_trigger_butterfly_authorization_request(
out octetstring p_caterpillar_private_key,
out octetstring p_caterpillar_public_key_compressed,
out integer p_caterpillar_compressed_mode,
out octetstring p_caterpillar_enc_private_key,
out octetstring p_caterpillar_enc_public_key_compressed,
out integer p_caterpillar_enc_compressed_mode,
out HashedId8 p_aes_sym_key_hashed_id8,
out EeRaCertRequest p_ee_ra_cert_request,
out RaEeCertInfo p_ra_ee_cert_info
) runs on ItsPkiHttp return boolean {
// Local variables
var octetstring v_private_key_ec;
var octetstring v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
return false;
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec);
// Generate an ButterflyAutorizationRequest
f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, p_caterpillar_private_key, p_caterpillar_public_key_compressed, p_caterpillar_compressed_mode, p_caterpillar_enc_private_key, p_caterpillar_enc_public_key_compressed, p_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, p_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: p_ee_ra_cert_request= ", p_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: p_caterpillar_private_key= ", p_caterpillar_private_key);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AUTH,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyAuthorizationResponseMessage(
mw_signedData(
sha256,
mw_toBeSignedData,
m_signerIdentifier_digest(vc_eaHashedId8)
)))))),
v_response
) {
tc_ac.stop;
var octetstring v_tbs := bit2oct(encvalue(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData));
if (f_verifyEcdsa(v_tbs, vc_eaWholeHash256, v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.signature_, vc_eaCertificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("*** " & testcasename() & ": INCONC: Failed to verify signature message ***");
return false;
} else {
var bitstring v_etsi_ts_102941_data_content_msg := oct2bit(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
/**
TITIAN BUG
https://www.eclipse.org/forums/index.php/t/1113606/
var EtsiTs102941MessagesCa.EtsiTs102941Data v_etsi_ts_102941_data;
if (decvalue(v_etsi_ts_102941_data_content_msg, v_etsi_ts_102941_data) != 0) {
log("*** " & testcasename() & ": INCONC: Failed to decode message ***");
return false;
} else {
log("*** " & testcasename() & ": DBG: v_etsi_ts_102941_data: ", v_etsi_ts_102941_data);
log("*** " & testcasename() & ": INFO: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (not(match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)))) {
log("*** " & testcasename() & ": FAIL: Unexpected message ***");
return false;
} else {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponseMessage received ***");
p_ra_ee_cert_info := v_etsi_ts_102941_data.content.butterflyAuthorizationResponse;
}
}
**/
// Extract currentI, request hash && nextDlTime
var integer v_len := lengthof(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
var IValue v_currentI := oct2int(substr(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData, v_len - 4 - 8 - 2, 2));
var HashedId8 v_requestHash := substr(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData, v_len - 4 - 8, 8);
var Time32 v_nextDlTime := oct2int(substr(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData, v_len - 4, 4));
log("*** " & testcasename() & ": DBG: nextDlTime: ", v_nextDlTime);
log("*** " & testcasename() & ": DBG: request hash: ", v_requestHash);
log("*** " & testcasename() & ": DBG: currentI: ", v_currentI);
log("*** " & testcasename() & ": DBG: v_nextDlTime - f_getCurrentTime/100: ", f_getCurrentTime() / 1000);
log("*** " & testcasename() & ": DBG: v_nextDlTime - CurrentTime: ", v_nextDlTime - f_getCurrentTime() / 1000);
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponseMessage received ***");
p_ra_ee_cert_info := valueof(
m_ra_ee_cert_info(
f_getCurrentTime() / 1000,
v_currentI,
v_requestHash,
v_nextDlTime
));
}
log("*** " & testcasename() & ": INFO: p_ra_ee_cert_info: ", p_ra_ee_cert_info, " ***");
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
return false;
}
} // End of 'alt' statement
return true;
} // End of function f_trigger_butterfly_authorization_request
function f_verify_http_butterfly_cert_request_message_from_aa(
in Request p_request,
in Headers p_headers,
in boolean p_checked_cocoon_keys_derivation := false,
in template (omit) octetstring p_caterpilar_compressed_key := omit,
out integer p_result,
out RaAcaCertRequest p_butterflyCertificateRequest,
out HttpMessage p_response
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash;
var HashedId8 v_bfk_hashed_id8;
var Oct16 v_aes_enc_key;
log(">>> f_verify_http_butterfly_cert_request_message_from_aa: ", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O,
omit,
p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
var UInt64 v_current_time := f_getCurrentTimeUtc();
var UInt64 v_delta_time := 30;
log("f_verify_http_butterfly_cert_request_message_from_aa: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) {
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -2;
} else {
if (p_checked_cocoon_keys_derivation == true) {
// FIXME FSCOM if (f_check_cocoon_keys_derivation(v_etsi_ts_102941_data.content.butterflyCertificateRequest.tbsCert.verifyKeyIndicator, ))
} else {
var AcaRaCertResponse v_aca_ra_cert_response;
var HashedId8 v_hashedId8;
var octetstring v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
v_hashedId8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
f_http_build_butterfly_cert_response(v_hashedId8, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_aca_ra_cert_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
p_butterflyCertificateRequest := v_etsi_ts_102941_data.content.butterflyCertificateRequest;
}
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_response: ", p_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_result: ", p_result);
} // End of function f_verify_http_butterfly_cert_request_message_from_aa
} // End of group bfk_auth_request_helpers
/**
* @desc Check that the EA sends butterfly certificate request message after receiving of the butterfly authorization request
* Check that this message is encrypted for the AA
* Check that this message is signed with the EA certificate
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA is emulated by TS and
* authorized with CERT_AA certificate
* and EA is configured to use emulated AA to generate certificates
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing content.encryptedData
* containing recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_AA
* and containing encrypted representation of EtsiTs103097Data
* containing signedData
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing payload.data
* containing EtsiTs102941Data
* containing version
* indicating ‘1’
* and containing content
* containing butterflyCertificateRequest
* and containing signer
* containing digest
* indicating HashedId8 of the CERT_EA
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_03_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
log("*** " & testcasename() & ": INFO: p_ra_ee_cert_info:", p_ra_ee_cert_info, " ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
log("+++++++++++++++++++++++++++++++++++++++++++++++", v_request);
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_03_BV
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already received the ButterflyAuthorizationRequestMessage
* indicating the sha256 message hash MSG_HASH
* and the EA already responded with ButterflyAuthorizationResponseMessage
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* containing EeRaCertRequest
* containing generationTime
* indicating REQ_TIME
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing flags
* indicating empty bit string
* and containing certEncKey
* and containing tbsCert
* and not containing linkageInfo
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_04_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// TODO Check v_butterflyCertificateRequest
// FIXME Some check can be moved to f_verify_http_butterfly_cert_request_message_from_aa
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_04_BV
/**
* @desc Check that the butterfly certificate request message contains expanded cocoon key
*
* Pics Selection: PICS_IUT_EA_ROLE
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA in 'operational' state
* authorized with CERT_AA certificate
* and EA is configured to use AA of the current configuration to generate certificates
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* containing EeRaCertRequest
* containing tbsCert (TBS_CERT)
* containing verification key (CATERPILLAR_KEY)
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing tbsCert
* containing verificationKey
* containing “cocoon” key
* derived from the CATERPILLAR_KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_05_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo p_ra_ee_cert_info;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, true, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_05_BV
} // End of group ea_bfk_cert_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6.2 Authorization certificate download
group ea_bfk_auth_cert_download {
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
*
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already responded with ButterflyAuthorizationResponseMessage (MSG_RESPONSE)
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
* and containing currentI
* indicating I_VALUE
* and containing requestHash
* indicating MSG_HASH
* and the EA already received from emullated AA one or more ButterflyCertResponse messages
* containing AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* indicating EeRaDownloadRequest
* containing generationTime
* indicating DNL_TIME + 1
* and containing filename
* indicating MSG_HASH + “_” + hex(I_VALUE) + ".zip"
* }
* then {
* the IUT sends the requested batch of certificates
* containing file hex(I_VALUE) + “.info”
* indicating COER encoding of MSG_RESPONSE
* and containing a set of files hex(I_VALUE) + “_” + (0..N)
* indicating COER encoding of AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_06_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.1, 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo v_ra_ee_cert_info;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, v_ra_ee_cert_info);
// Wait for v_ee_ra_cert_request.nextDlTime
var float v_timer := int2float(v_ra_ee_cert_info.nextDlTime - v_ra_ee_cert_info.generationTime + 2);
log("*** " & testcasename() & ": INFO: Start wailting for " & float2str(v_timer) & " seconds ***");
f_sleepIgnoreDef(v_timer);
log("*** " & testcasename() & ": INFO: timer of " & float2str(v_timer) & " seconds expierd message ***");
// FIXME FSCOM In int2hex, 3 is arbitrary. Need to check the range of currentI to set the correct hex string length
f_http_build_butterfly_at_download_request_message(hex2str(oct2hex(v_ra_ee_cert_info.requestHash)) & "-" & hex2str(int2hex(v_ra_ee_cert_info.currentI, 3)) & ".zip", v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AT_DOWNLOAD,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_http_message_body_binary_bfk_zip(
mw_http_message_body_binary_bfk_zip_signed_messages
)))),
v_response
) {
tc_ac.stop;
// Check item 0 is v_ra_ee_cert_info
log("Item #0 to decode (EtsiTs102941Data): ", v_response.response.body.binary_body.bfk_zip_file.content.signed_messages[0].content.signedData.tbsData.payload.data.content.unsecuredData);
var bitstring v_bt := oct2bit(v_response.response.body.binary_body.bfk_zip_file.content.signed_messages[0].content.signedData.tbsData.payload.data.content.unsecuredData);
var EtsiTs102941Data v_etsi_ts102941_data;
var integer v_result := decvalue(v_bt, v_etsi_ts102941_data);
if (v_result == 0) {
log("decvalue result: ", v_result);
log("v_etsi_ts102941_data: ", v_etsi_ts102941_data);
if (v_etsi_ts102941_data.content.butterflyAuthorizationResponse.requestHash == v_ra_ee_cert_info.requestHash) {
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Item 0 of the list does not match the ButterflyAtDownloadRequest ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Cannot decode Item 0 ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV
testcase TC_SECPKI_EA_BFK_AUTH_06_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo v_ra_ee_cert_info;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, v_ra_ee_cert_info);
// Wait for v_ee_ra_cert_request.nextDlTime
var float v_timer := int2float(v_ra_ee_cert_info.nextDlTime - v_ra_ee_cert_info.generationTime + 2);
log("*** " & testcasename() & ": INFO: Start wailting for " & float2str(v_timer) & " seconds ***");
f_sleepIgnoreDef(v_timer);
log("*** " & testcasename() & ": INFO: timer of " & float2str(v_timer) & " seconds expierd message ***");
// FIXME FSCOM In int2hex, 3 is arbitrary. Need to check the range of currentI to set the correct hex string length
f_http_build_butterfly_at_download_request_message(hex2str(oct2hex(v_ra_ee_cert_info.requestHash)) & "-" & hex2str(int2hex(v_ra_ee_cert_info.currentI, 3)) & ".zip", v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AT_DOWNLOAD,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_http_message_body_binary_bfk_zip(
mw_http_message_body_binary_bfk_zip_signed_messages
)))),
v_response
) {
tc_ac.stop;
// Extract certificates
var boolean v_signature_check_failed := false;
for (var integer v_i := 1; v_i < lengthof(v_response.response.body.binary_body.bfk_zip_file.content.signed_messages); v_i := v_i + 1) {
log(
"Matching: ",
match(
v_response.response.body.binary_body.bfk_zip_file.content.signed_messages[v_i],
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload,
mw_ieee1609Dot2_headerInfo(
c_its_aid_SCR
))))));
if (not(match(v_response.response.body.binary_body.bfk_zip_file.content.signed_messages[v_i], mw_etsiTs103097Data_signed(mw_signedData(-, mw_toBeSignedData(mw_signedDataPayload, mw_ieee1609Dot2_headerInfo())))))) {
v_signature_check_failed := true;
break;
}
} // End of 'for' statement
if (not(v_signature_check_failed)) {
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Checking signature failed ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV_01
testcase TC_SECPKI_EA_BFK_AUTH_06_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var RaEeCertInfo v_ra_ee_cert_info;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE or not PICS_SEC_BFK_AUTH) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE and PICS_SEC_BFK_AUTH required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, v_ra_ee_cert_info);
// Wait for v_ee_ra_cert_request.nextDlTime
var float v_timer := int2float(v_ra_ee_cert_info.nextDlTime - v_ra_ee_cert_info.generationTime + 2);
log("*** " & testcasename() & ": INFO: Start wailting for " & float2str(v_timer) & " seconds ***");
f_sleepIgnoreDef(v_timer);
log("*** " & testcasename() & ": INFO: timer of " & float2str(v_timer) & " seconds expierd message ***");
// FIXME FSCOM In int2hex, 3 is arbitrary. Need to check the range of currentI to set the correct hex string length
f_http_build_butterfly_at_download_request_message(hex2str(oct2hex(v_ra_ee_cert_info.requestHash)) & "-" & hex2str(int2hex(v_ra_ee_cert_info.currentI, 3)) & ".zip", v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AT_DOWNLOAD,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_http_message_body_binary_bfk_zip(
mw_http_message_body_binary_bfk_zip_signed_messages
)))),
v_response
) {
tc_ac.stop;
// Extract certificates
var boolean v_decrypt_failed := false;
for (var integer v_i := 1; v_i < lengthof(v_response.response.body.binary_body.bfk_zip_file.content.signed_messages); v_i := v_i + 1) {
log("Unsecured data to decode (EtsiTs103097Data): ", v_response.response.body.binary_body.bfk_zip_file.content.signed_messages[v_i].content.signedData.tbsData.payload.data.content.unsecuredData)
var bitstring v_bt := oct2bit(v_response.response.body.binary_body.bfk_zip_file.content.signed_messages[v_i].content.signedData.tbsData.payload.data.content.unsecuredData);
var EtsiTs103097Data v_unsecuredData;
var integer v_result := decvalue(v_bt, v_unsecuredData);
log("decvalue result: ", v_result);
if (v_result != 0) {
v_decrypt_failed := true;
break;
}
log("v_unsecuredData: ", v_unsecuredData);
log("Enc expension key: ", v_ee_ra_cert_request.additionalParams.original.encryptionExpansion.aes128);
var octetstring v_expended_private_key;
f_bfk_expend_private_key(
v_ee_ra_cert_request.additionalParams.original.encryptionExpansion.aes128,
v_caterpillar_enc_private_key,
v_expended_private_key
);
log("v_expended_private_key: ", v_expended_private_key);
var Ieee1609Dot2Data v_ieee1609dot2_data;
var Oct16 v_aes_enc_key;
var Ieee1609Dot2Data v_ieee1609dot2_dec_data;
if (f_decrypt(v_expended_private_key, // Derived private encryption key
v_unsecuredData, // data to be decrypted
v_ra_ee_cert_info.requestHash, //v_unsecuredData.content.encryptedData.recipients[0].rekRecipInfo.recipientId, // salt
v_ieee1609dot2_dec_data, // decrypted message
v_expended_private_key) == false) {
v_decrypt_failed := true;
break;
}
log("v_ieee1609dot2_dec_data: ", v_ieee1609dot2_dec_data);
} // End of 'for' statement
if (not(v_decrypt_failed)) {
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Checking decrypt message failed ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV_02
} // End of group ea_bfk_auth_cert_download
} // End of group ea_authorization_with_bfk
} // End of group ea_behavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5 AA behaviour
group aa_behavior {
group aa_helpers {
function f_verify_http_at_response_from_iut_aa(
in Response p_response,
in octetstring p_private_key,
in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector,
in Oct32 p_request_hash,
out InnerAtResponse p_authorization_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
log(">>> f_verify_http_at_response_from_iut_aa: p_response= ", p_response);
log(">>> f_verify_http_at_response_from_iut_aa: p_private_key= ", p_private_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_http_at_response_from_iut_aa: p_request_hash= ", p_request_hash);
p_result := 0;
if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_aaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_response_from_iut_aa: Receive ", v_etsi_ts_102941_data);
p_authorization_response := v_etsi_ts_102941_data.content.authorizationResponse;
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -)))) == false) {
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)));
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)) == false) {
// Set verdict
p_result := -2;
} else {
// Set verdict
p_result := -3;
}
} else {
// Verify AT Certificate signature
if (f_verifyCertificateSignatureWithIssuingCertificate(v_etsi_ts_102941_data.content.authorizationResponse.certificate, vc_aaCertificate) == false) {
// Set verdict
p_result := -4;
}
log("f_verify_http_at_response_from_iut_aa: Well-secured AT certificate received");
}
}
log("<<< f_verify_http_at_response_from_iut_aa: p_result: ", p_result);
} // End of function f_verify_http_at_response_from_iut_aa
} // End of group aa_helpers
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.1 Authorization request handling
group aa_authorization_request {
/**
* @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the EA/AA is able to verify the inner signature
* Check that the EA/AA is able to verify the request authenticity using the hmacKey verification
* Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA
*
* Pics Selection: PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing encrypted representation of the EtsiTs103097Data-Signed
* containing content.signedData
* containing hashId
* indicating valid hash algorythm
* and containing signer
* containing self
* and containing tbsData (SIGNED_DATA)
* containing payload
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* and containing signature (SIGNATURE)
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
* using the V_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***");
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
// Set verdict, don't care of the v_result, out if scope for this test
log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_01_BV
/**
* @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the AA is able to verify the request authenticity using the hmacKey verification
* Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***");
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var octetstring v_request_hash_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
// Set verdict, don't care of the v_result, out if scope for this test
log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***");
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_02_BV
/**
* @desc Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* NOT equal to the HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_03_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_03_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, true, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key));
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_noac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_noac.stop;
log("*** " & testcasename() & ": PASS: IUT has rejected the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": PASS: IUT has discarded the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_03_BI
/**
* @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating value
* equal to the HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the OTHER private key correspondent to the AA_ENC_PUB_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_04_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_04_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_private_key(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_noac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_noac.stop;
log("*** " & testcasename() & ": PASS: IUT has rejected the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": PASS: IUT has discarded the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_04_BI
/**
* @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients[0].encKey
* indicating encrypted symmetric key (S_KEY)
* and containing cyphertext (ENC_DATA)
* encrypted with the OTHER key than S_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_05_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_05_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, -, true, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_noac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_noac.stop;
log("*** " & testcasename() & ": PASS: IUT has rejected the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_noac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_noac.timeout {
log("*** " & testcasename() & ": PASS: IUT has discarded the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_05_BI
/**
* @desc Check that the AA rejects the AuthorizationRequest message if it unable to verify the POP signature
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is received the EtsiTs103097Data message
* containing content.encryptedData.cyphertext
* containing encrypted representation of the EtsiTs103097Data-Signed (SIGNED_DATA)
* containing content.signedData
* containing tbsData
* containing payload
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing signature (SIGNATURE)
* indicating value calculated with OTHER key than private key correspondent to V_KEY
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* and the IUT sends to the TS the AuthorizationResponse message
* containing authorizationResponse
* containing requestHash
* indicating the leftmost 16 bits of the SHA256 value
* calculated over the SIGNED_DATA
* and containing responseCode
* indicating the value NOT EQUAL to 0
* and not containing certificate
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_06_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_06_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, true, -, -, -, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": PASS: IUT has rejected the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_06_BI
/**
* @desc Check that the AA rejects the AuthorizationRequest message if it unable to verify the integrity of the request using hmacKey
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is received the EtsiTs103097Data message
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* indicating wrong value
* }
* then {
* the IUT does not send the AuthorizationValidationRequest message
* and the IUT sends to the TS the AuthorizationResponse message
* containing authorizationResponse
* containing requestHash
* indicating the leftmost 16 bits of the SHA256 value
* calculated over the X_HASH_STRUCTURE
* and containing responseCode
* indicating the value NOT EQUAL to 0
* and not containing certificate
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_07_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_07_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, true, -, -, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": PASS: IUT has rejected the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_07_BI
/**
* @desc Send a correctly encoded AT request, but the ITS-Station is not enrolled at the EA
*/
testcase TC_SECPKI_AA_AUTH_RCV_08_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request_with_wrong_parameters(
{ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) },
PICS_INVALID_ITS_S_CANONICAL_ID,
f_getCurrentTime() / 1000,
valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)),
-,
v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request
);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, true, -, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, unknownits)) == true) {
log("*** " & testcasename() & ": PASS: Error code is unknownits ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be unknownits ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_08_BI
/**
* @desc Send an AT request, but the inner signer (valid EC) is not issued by the EA which is known / trusted by the AA. The AA trusts only EAs listet on the RCA-CTL.
*/
testcase TC_SECPKI_AA_AUTH_RCV_09_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, -, -, true, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, its_aa_unknownea)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_09_BI
/**
* @desc Send an AT request, but the generation time of the CSR is in the past.
*/
testcase TC_SECPKI_AA_AUTH_RCV_10_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, -, -, f_getCurrentTime() / 2, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, its_aa_outofsyncrequest)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_10_BI
/**
* @desc Send an AT request, but the generation time of the CSR is in the future.
*/
testcase TC_SECPKI_AA_AUTH_RCV_11_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, -, -, f_getCurrentTime() * 2, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, its_aa_outofsyncrequest)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_11_BI
/**
* @desc Send an AT request, but the expiry date of the CSR is before the start date of the EC.
*/
testcase TC_SECPKI_AA_AUTH_RCV_12_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_12_BI
/**
* @desc Send an AT request, but the start date of the CSR is before the start date of the EC.
*/
testcase TC_SECPKI_AA_AUTH_RCV_13_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, m_duration_years(50), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_13_BI
/**
* @desc Send an AT request, but the expiry date of the CSR is after the expiry date of the EC.
*/
testcase TC_SECPKI_AA_AUTH_RCV_14_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, f_getCurrentTime() / 1000, m_duration_years(100), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_14_BI
/**
* @desc Send an AT request, but the start date of the CSR is after the expiring date of the EC.
*/
testcase TC_SECPKI_AA_AUTH_RCV_15_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, 2 * f_getCurrentTime() / 1000, m_duration_years(1), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_15_BI
/**
* @desc Send an AT request, but the expiry date of the CSR is after now + maximum pre-loading period (considering values in C-ITS CP).
*/
testcase TC_SECPKI_AA_AUTH_RCV_16_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hash_256;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
if (PICS_SIMULATE_EA_ENTITY) {
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
} else {
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
v_ec_certificate := v_inner_ec_response.certificate;
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
}
// Test Body
f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, f_getCurrentTime() / 1000, m_duration_in_hours(15*24/* ts_102941v010301 Clause7.2.1*/), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
var InnerAtResponse v_authorization_validation_response;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result);
log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***");
// Set verdict
if (v_result == -3) {
log("*** " & testcasename() & ": INFO: IUT has rejected the request ***");
if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) {
log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": FAIL: No response received from the IUT ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTH_RCV_16_BI
} // End of group aa_authorization_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.2 Authorization validation request
group aa_authorization_validation_request {
/**
* @desc Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest.
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA in "operational" state
* authorized with CERT_EA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the AuthorizationRequest
* }
* then {
* the IUT sends the EtsiTs103097Data message to the ITSS
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("*** " & testcasename() & ": FAIL: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
// Send AuthorizationValidation response to finalize the exchange
f_http_build_authorization_validation_response(v_shared_at_request, cantparse, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
}
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
tc_ac.start; // Continue to finalyze the process
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTHVAL_01_BV
/**
* @desc Check that the AuthorizationValidationRequest message is encrypted using approved algorithm and sent to only one Enrolment Authority
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA in "operational" state
* authorized with CERT_EA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the AuthorizationRequest
* }
* then {
* the IUT sends the EtsiTs103097Data message
* containing content.encryptedData.recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_EA
* and containing encKey
* containing eciesNistP256
* or containing eciesBrainpoolP256r1
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTHVAL_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var HashedId8 v_ec_certificate_hashed_id8;
// Test control
if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut(
mw_http_request(
mw_http_request_post(
"/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
var SharedAtRequest v_shared_at_request;
var Oct16 v_aes_sym_key_atv;
var Oct8 v_aes_sym_key_atv_hashed_id8;
var octetstring v_request_hash_atv;
var Oct16 v_aes_enc_key_atv;
var AuthorizationValidationResponse v_authorization_validation_response;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result);
v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Send AuthorizationValidation response to finalize the exchange
log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data);
} else {
log("*** " & testcasename() & ": FAIL: IUT has sent AuthorizationValidation request ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
// Send AuthorizationValidation response to finalize the exchange
f_http_build_authorization_validation_response(v_shared_at_request, cantparse, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8;
}
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
tc_ac.start; // Continue to finalyze the process
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_AUTHVAL_02_BV
} // End of group aa_authorization_validation_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.3 Authorization validation response handling
group aa_authorization_validation_response {
/**
* @desc Check that the AA sends AuthorizationResponse after receiving the AuthorizationRequest.
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITSS in "enrolled" state
* the EA in "operational" state
* and the IUT(AA) in "operational" state
* and the IUT had received the AuthorizationRequest from the ITSS
* and the IUT sent the AuthorizationValidationRequest
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the AuthorizationValidationResponseMessage
* }
* then {
* the IUT sends the EtsiTs103097Data message to the ITSS
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV
group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV {
function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt { // Wait for AuthorizationResponse
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if ((v_result != -2) and (v_result != -3)) { // Additinal shecks where done by TC_SECPKI_AA_AUTH_01_BV
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss
function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: PASS: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: FAIL: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea
} // End of group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV
/**
* @desc Check that AA doesn't accept Authorization Validation Response message when this message is
* signed with certificate without appropriate permissions
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITSS in "enrolled" state
* the EA in "operational" state
* and the IUT(AA) in "operational" state
* and the IUT had received the AuthorizationRequest from the ITSS
* and the IUT sent the AuthorizationValidationRequest
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives the AuthorizationValidationResponseMessage
* containing signer
* containing digest
* indicating HashedId8 of the certificate
* containing appPermissions
* not containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* or containing an item of type PsidSsp
* containing psid
* indicating AID_CERT_REQ
* and containing ssp
* containing opaque[0] (version)
* indicating other value than 1
* or containing opaque[1] (value)
* indicating "AuthorizationValidationResponse" (bit 4) set to 0
* }
* then {
* the IUT answers with an AuthorisationValidationResponseMessage
* containing responseCode
* indicating non-zero value
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_02_BI
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI
} // End of group aa_authorization_validation_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.4 Authorization response
group aa_authorization_response {
/**
* @desc Check that the AA sends encrypted authorization response.
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the ITS-S has sent the AuthorizationRequestMessage
* containing encrypted enkKey
* containing AES symmetric key (SYM_KEY) and
* the EA in "operational" state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing content.encryptedData
* containing recipients of size 1
* containing the instance of RecipientInfo
* containing pskRecipInfo
* indicating HashedId8 of the SYM_KEY
* and containing cyphertext
* encrypted using SYM_KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_01_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_01_BV
group f_TC_SECPKI_AA_AUTH_01_BV {
function f_TC_SECPKI_AA_AUTH_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if ((v_result != -2) and (v_result != -3)){
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTH_01_BV_itss
function f_TC_SECPKI_AA_AUTH_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INCONC: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test body
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
// TODO Wait for AuthorizationResponse
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTH
} // End of group f_TC_SECPKI_AA_AUTH_01_BV
/**
* @desc Check that the AA sends signed authorization response.
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the IUT(AA) in 'operational' state
* authorized with CERT_AA certificate
* and the EA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing the EtsiTs103097Data-Signed
* containing signedData
* containing signer
* containing digest
* indicating HashedId8 value of the CERT_AA
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_02_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_02_BV
group f_TC_SECPKI_AA_AUTH_02_BV {
function f_TC_SECPKI_AA_AUTH_02_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var HashedId8 v_ec_certificate_hashed_id8;
// Test component configuration
f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Generate EC certificate
f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request);
f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8);
// Send AuthorizationRequest
f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "inner_at_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test body
tc_ac.start;
alt {
[] a_await_at_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo, * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result);
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: PASS: Received exptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: FAIL: Unexptected response ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_itss();
} // End of function f_TC_SECPKI_AA_AUTH_02_BV_itss
function f_TC_SECPKI_AA_AUTH_02_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcRequest v_inner_ec_request;
var EtsiTs103097Certificate v_ec_certificate;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer v_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var octetstring v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key := int2oct(0, 16);
var SharedAtRequest v_shared_at_request;
var AuthorizationValidationResponse v_authorization_validation_response;
// Test component configuration
f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
tc_ac.start;
alt {
[] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA
mw_http_request(
mw_http_request_post(
-, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_authorizationRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var integer v_result;
tc_ac.stop;
f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result);
// Set verdict
if (v_result == 0) {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: IUT has sent AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_response(
m_http_response_ok(
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)),
v_headers
)));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INCONC: Failed to verify AuthorizationValidation request ***");
// Send AuthorizationValidation response to finalize the exchange
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***");
f_init_default_headers_list(-, "inner_atv_response", v_headers);
f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_AT,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
}
[] tc_ac.timeout {
log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test body
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
// TODO Wait for AuthorizationResponse
f_cfHttpDown_ea();
} // End of function f_TC_SECPKI_AA_AUTH
} // End of group f_TC_SECPKI_AA_AUTH_02_BV
/**
* @desc Check that the AA sends signed authorization response with signature properly calculated using approved hash algorithm.
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the IUT(AA) in 'operational' state
* authorized with CERT_AA certificate
* containing verificationKey (AA_PUB_V_KEY)
* and the EA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing the EtsiTs103097Data-Signed
* containing signedData
* containing hashId
* indicating supported hash algorithm (HASH_ALG)
* and containing signature
* calculated using the HASH_ALG and private key correspondent to the AA_PUB_V_KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_03_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_03_BV
/**
* @desc Check that the AA sends signed AuthorizationResponseMessage using valid ITS AID and only allowed headers.
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the ITS-S in "enrolled" state and
* the IUT(AA) in 'operational' state
* and the EA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to send the authorization response to the ITS-S
* }
* then {
* the IUT is triggered to send the authorization response to the ITS-S
* containing the EtsiTs103097Data-Signed
* containing signedData
* containing tbsData
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing generationTime
* and not containing any other headers
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_AUTH_04_BV() runs on ServerSyncComp system ItsPkiHttpSystem {
// Local variables
var ItsPkiHttp v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp02(v_itss, v_ea);
// Test adapter configuration
// Start components
v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss());
v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
f_cfMtcDown02(v_itss, v_ea);
} // End of testcase TC_SECPKI_AA_AUTH_04_BV
} // End of group aa_authorization_response
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.5 CA Certificate Request
group aa_ca_certificates_request {
// TODO
} // End of group aa_ca_certificates_request
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.6 Authorization using butterfly key expansion mechanism
group aa_authorization_with_bfk {
group bfk_cert_request_helpers {
function f_trigger_butterfly_cert_request(
out HashedId8 p_aes_sym_key_hashed_id8,
out RaAcaCertRequest p_ra_aca_cert_request
) runs on ItsPkiHttp {
// Local variables
var octetstring v_caterpillar_private_key
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
var octetstring v_caterpillar_enc_private_key
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var EeRaCertRequest v_ee_ra_cert_request;
var octetstring v_private_key;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var Oct32 v_request_hash;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Generate EeRaCertRequest
if (f_generate_ee_ra_cert_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_ee_ra_cert_request) == false) {
log("*** f_trigger_butterfly_cert_request: ERROR: Failed to generate InnerEcRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log ("f_trigger_butterfly_cert_request: p_ee_ra_cert_request: ", v_ee_ra_cert_request);
// Buikd theHTTP request
f_http_build_butterfly_cert_request(v_ee_ra_cert_request, vc_eaPrivateKey, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, p_ra_aca_cert_request, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
p_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_cert_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_BFK_AA,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
} // End of function f_trigger_butterfly_cert_request
function f_verify_http_butterfly_cert_request_message_to_ea(
in Request p_request,
in Headers p_headers,
out integer p_result,
out AcaRaCertResponse p_aca_ra_cert_response
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash;
var HashedId8 v_bfk_hashed_id8;
var Oct16 v_aes_enc_key;
log(">>> f_verify_http_butterfly_cert_request_message_to_ea: ", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O,
omit,
p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
var UInt64 v_current_time := f_getCurrentTimeUtc();
var UInt64 v_delta_time := 30;
log("f_verify_http_butterfly_cert_request_message_to_ea: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) {
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -2;
} else {
// TODO Add checked ???
}
}
log("<<< f_verify_http_butterfly_cert_request_message_to_ea: p_result: ", p_result);
} // End of function f_verify_http_butterfly_cert_request_message_to_ea
} // End of group bfk_cert_request_helpers
/**
* @desc Check that the AA sends the butterfly certificate response message after receiving of the butterfly certificate request
* Check that this message is encrypted using the same symmetric encryption key as the butterfly certificate request message
*
* Pics Selection: PICS_IUT_AA_ROLE
* Initial conditions:
* with {
* the EA in "operational" state
* authorized with CERT_AA certificate
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyCertificateRequestMessage
* containing content.encryptedData.recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_AA
* and containing encKey
* containing encrypted symmetric encryption key (ENC_KEY)
* }
* then {
* the IUT sends to the EA a EtsiTs103097Data-Encrypted
* containing content.encryptedData.recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing pskRecipInfo
* indicating HashedId8 of the ENC_KEY
* }
* }
*
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.2
*/
testcase TC_SECPKI_AA_BFK_AUTH_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var integer v_result;
var RaAcaCertRequest v_ra_aca_cert_request;
var AcaRaCertResponse v_aca_ra_cert_response;
// Test control
if (not PICS_IUT_AA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_cert_request(v_aes_sym_key_hashed_id8, v_ra_aca_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertResponseMessage(
mw_encryptedData
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_to_ea(v_request.request, v_headers, v_result, v_aca_ra_cert_response);
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertResponsetMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertResponsetMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_AA_BFK_AUTH_01_BV
} // End of group aa_authorization_with_bfk
} // End of group aa_beavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.6 RootCA behaviour
group ca_behavior {
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.6.1 CTL generation
group ca_ctl_generation {
/**
* @desc Check that the RootCA generates the Full CTL when new EA is about to be added to the Root CTL
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* }
* Expected behaviour:
* ensure that {
* when {
* the RootCA is triggered to add new EA certificate (CERT_EA) in the CTL
* }
* then {
* the IUT issue a new CTL of type CtlFormat
* containing isFullCtl
* indicating TRUE
* and containing ctlCommands
* containing CtlCommand
* containing add
* containing ea
* containing eaCertificate
* indicating CERT_EA
* }
* }
*
*
* @see ETSI TS 103 525-2 TP RCA_CTLGEN_01_BV
* @reference ETSI TS 102 941, clause 6.3.2 and 6.3.4
*/
testcase TC_RCA_CTLGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Headers v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp_ca();
// Test adapter configuration
// Preamble
f_init_default_headers_list(PICS_HEADER_CTL_CONTENT_TYPE, "ca_request", v_headers);
action("The RootCA is triggered to add new EA certificate (CERT_EA) in the CTL");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_get(
PICS_HTTP_GET_URI_CTL,
v_headers
)));
tc_ac.start;
alt {
[not(PICS_MULTIPLE_END_POINT)] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload
),
?
))))))) -> value v_response {
var charstring_list v_etag;
var ToBeSignedRcaCtl v_to_be_signed_rca_ctl;
tc_ac.stop;
// Check ETag header
if (f_check_headers(v_response.response.header, c_etag_http_header) == false) {
log("*** " & testcasename() & ": INFO: 'ETag' HTTP header not set ***");
//f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
} else {
f_get_header(v_response.response.header, c_etag_http_header, v_etag);
log("*** " & testcasename() & ": INFO: ETag= ", v_etag[0]);
}
if (f_verify_rca_ctl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_rca_ctl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_ctl(v_to_be_signed_rca_ctl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[PICS_MULTIPLE_END_POINT] httpCaPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload
),
?
))))))) -> value v_response {
var charstring_list v_etag;
var ToBeSignedRcaCtl v_to_be_signed_rca_ctl;
tc_ac.stop;
// Check ETag header
if (f_check_headers(v_response.response.header, c_etag_http_header) == false) {
log("*** " & testcasename() & ": INCONC: 'ETag' HTTP header not set ***");
//f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
} else {
f_get_header(v_response.response.header, c_etag_http_header, v_etag);
log("*** " & testcasename() & ": INFO: ETag= ", v_etag[0]);
}
if (f_verify_rca_ctl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_rca_ctl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_ctl(v_to_be_signed_rca_ctl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_ca();
} // End of testcase TC_RCA_CTLGEN_01_BV
} // End of ca_group ctl_generation
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.6.2 CRL generation
group ca_crl_generation {
/**
* @desc Check that the RootCA generates the CRL signed with appropriate certificate
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* }
* Expected behaviour:
* ensure that {
* when {
* the RootCA is triggered to add new CA certificate (CERT_CA) to the revocation list
* }
* then {
* the IUT issue a new CRL of type ToBeSignedCrl
* containing emtries
* containing item of type CrlEntry
* indicating HashedId8 of CERT_CA
* }
* }
*
*
* @see ETSI TS 103 525-2 TP RCA_CRLGEN_01_BV
* @reference ETSI TS 102 941, clause 6.3.3
*/
testcase TC_RCA_CRLGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Headers v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp_ca();
// Test adapter configuration
// Preamble
f_init_default_headers_list(PICS_HEADER_CRL_CONTENT_TYPE, "ca_request", v_headers);
action("the RootCA is triggered to generate new CRL");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_get(
PICS_HTTP_GET_URI_CRL,
v_headers
)));
tc_ac.start;
alt {
[not(PICS_MULTIPLE_END_POINT)] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData( mw_signedDataPayload ),
mw_signerIdentifier_digest
))))))) -> value v_response {
var ToBeSignedCrl v_to_be_signed_crl;
tc_ac.stop;
if (f_verify_rca_crl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_crl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_crl(v_to_be_signed_crl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedCrl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[PICS_MULTIPLE_END_POINT] httpCaPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData( mw_signedDataPayload ),
mw_signerIdentifier_digest
))))))) -> value v_response {
var ToBeSignedCrl v_to_be_signed_crl;
tc_ac.stop;
if (f_verify_rca_crl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_crl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_crl(v_to_be_signed_crl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedCrl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_ca();
} // End of testcase TC_RCA_CRLGEN_01_BV
} // End of group ca_crl_generation
} // End of group ca_behavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.7 DC behaviour
group dc_behavior {
// TODO
} // End of group dc_behavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.8 TLM behaviour
group tlm_behavior {
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.8.1 CTL generation
group tlm_ctl_generation {
/**
* @desc Check that the TLM generates the ECTL when new RootCA is about to be added
*
* Pics Selection: PICS_IUT_CA_ROLE
* Initial conditions:
* }
* Expected behaviour:
* ensure that {
* when {
* the TLM is triggered to add new RootCA certificate (CERT_RCA) in the CTL
* }
* then {
* the IUT issue a new CTL of type CtlFormat
* containing isFullCtl
* indicating TRUE
* and containing ctlCommands
* containing CtlCommand
* containing add
* containing rca
* containing selfsignedRootCa
* indicating CERT_RCA
* }
* }
*
*
* @see ETSI TS 103 525-2 TP TLM_ECTLGEN_01_BV
* @reference ETSI TS 102 941, clause 6.3.1
*/
testcase TC_TLM_ECTLGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var Headers v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp_tlm();
// Test adapter configuration
// Preamble
f_init_default_headers_list(PICS_HEADER_CTL_CONTENT_TYPE, "tlm_request", v_headers);
action("The TLM is triggered to add new RootCA certificate (CERT_RCA) in the CTL");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_get(
PICS_HTTP_GET_URI_TLM,
v_headers
)));
tc_ac.start;
alt {
[not(PICS_MULTIPLE_END_POINT)] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData( mw_signedDataPayload ),
- // Certificate or HasedId8
))))))) -> value v_response {
var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl;
tc_ac.stop;
// FIXME Can not verify signature, to be checked
if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[PICS_MULTIPLE_END_POINT] httpTlmPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData( mw_signedDataPayload ),
- // Certificate or HasedId8
))))))) -> value v_response {
var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl;
tc_ac.stop;
// FIXME Can not verify signature, to be checked
if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown_tlm();
} // End of testcase TC_TLM_ECTLGEN_01_BV
} // End of group tlm_ctl_generation
} // End of group tlm_behavior
// ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.9 CPOC behaviour
group cpoc_behavior {
/**
* @desc Check that the TLM CTL is published and accessible when issued
*
* Pics Selection:
* Initial conditions:
* the TLM issued a new CTL
* }
* Expected behaviour:
* ensure that {
* when {
* the ITS-S asked the IUT for the newly issued CTL
* }
* then {
* the IUT is answered with this CTL
* }
* }
*
*
* @see ETSI TS 103 525-2 TP SECPKI_CPOC_LISTDIST_01_BV
* @reference ETSI TS 102 941, Clauses 6.3.2 and 6.3.3
*/
testcase TC_SECPKI_CPOC_LISTDIST_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_response;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "cpoc_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_get(
PICS_HTTP_GET_URI_TLM,
v_headers
)));
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[not(PICS_MULTIPLE_END_POINT)] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload
)
))))))) -> value v_response {
var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl;
tc_ac.stop;
// FIXME Can not verify signature, to be checked
if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify ECTL message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedTlmCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[PICS_MULTIPLE_END_POINT] httpPort.receive(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_etsiTs103097Data_signed(
mw_signedData(
-,
mw_toBeSignedData(
mw_signedDataPayload
)
))))))) -> value v_response {
var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl;
tc_ac.stop;
// FIXME Can not verify signature, to be checked
if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify ECTL message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) {
log("*** " & testcasename() & ": PASS: ToBeSignedTlmCtl received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Receive unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_CPOC_LISTDIST_01_BV
} // End of group cpoc_behavior
group pki_platform_simu {
/**
* @desc Await for DC/CTL/CRL request and provides "CERT_IUT_A_RCA", "CERT_TS_A_AA", "CERT_TS_A_EA" certificates
* It simulates the ETSI point of certificates distribution
* Usage: curl 'http://192.168.1.43/dc/getctl/{hasehedid8}' --header 'Content-Type: application/x-its-ctl' --header 'Content-Text: ca_request' --output ctl.oer
*/
testcase TC_PKI_PLTF_RCV_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var charstring v_rca_certificate_id := "CERT_IUT_A_RCA";
var charstring v_tlm_certificate_id := "CERT_IUT_A_RCA"; // TODO Need CERT_IUT_A_TLM certificate
var charstring v_aa_certificate_id := "CERT_TS_A_AA";
var charstring v_ea_certificate_id := "CERT_TS_A_EA";
var Oct32 v_hash;
var Oct8 v_rca_hashed_id8;
var HttpMessage v_request;
var boolean v_result := false;
var ToBeSignedRcaCtl v_ctl;
var Headers v_headers;
var template (value) HttpMessage v_response;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
// Test component configuration
f_cfHttpUp_ca();
// Test control
if (not PICS_IUT_CA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp_ca();
// Preamble
f_getCertificateHash256(v_rca_certificate_id, v_hash);
v_rca_hashed_id8 := f_hashedId8FromSha256(v_hash);
log("*** " & testcasename() & ": DEBUG: v_rca_hashed_id8= ", v_rca_hashed_id8);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_wait.start;
alt {
[] a_await_dc_http_request_from_iut( // Await for DC request
mw_http_request(
mw_http_request_get(
PICS_HTTP_GET_URI_DC & "/" & oct2str(v_rca_hashed_id8)
)),
v_request
) {
var EtsiTs103097Certificate v_rca_certificate;
tc_wait.stop;
f_init_default_headers_list(-, "ca_response", v_headers);
// Send message
f_build_dc(
v_rca_certificate_id,
v_rca_certificate
);
log("*** " & testcasename() & ": INFO: v_rca_certificate: ", v_rca_certificate);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_certificate(v_rca_certificate)), v_headers));
f_http_send(v_headers, v_response);
log("*** " & testcasename() & ": INFO: ToBeSignedRcaCtl sent ***");
tc_wait.start;
repeat;
}
[] a_await_ctl_http_request_from_iut( // Await for CTL request
mw_http_request(
mw_http_request_get(
PICS_HTTP_GET_URI_CTL & "/" & oct2str(v_rca_hashed_id8)
)),
v_request
) {
var ToBeSignedRcaCtl v_to_be_signed_rca_ctl;
tc_wait.stop;
f_init_default_headers_list(-, "ca_response", v_headers);
// Send message
f_build_ctl(
v_ea_certificate_id,
v_aa_certificate_id,
v_rca_certificate_id,
v_to_be_signed_rca_ctl
);
log("*** " & testcasename() & ": INFO: v_to_be_signed_rca_ctl: ", v_to_be_signed_rca_ctl);
f_sign_dc_ctl(v_rca_certificate_id, v_to_be_signed_rca_ctl, v_ieee1609dot2_signed_and_encrypted_data);
log("*** " & testcasename() & ": INFO: v_ieee1609dot2_signed_and_encrypted_data: ", v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers));
f_http_send(v_headers, v_response);
log("*** " & testcasename() & ": INFO: ToBeSignedRcaCtl sent ***");
tc_wait.start;
repeat;
}
[] a_await_crl_http_request_from_iut( // Await for CTL request
mw_http_request(
mw_http_request_get(
PICS_HTTP_GET_URI_CRL & "/" & oct2str(v_rca_hashed_id8)
)),
v_request
) {
var ToBeSignedCrl v_to_be_signed_crl;
tc_wait.stop;
f_init_default_headers_list(-, "ca_response", v_headers);
// Send message
f_build_crl(
-,
-,
v_to_be_signed_crl
);
log("*** " & testcasename() & ": INFO: v_to_be_signed_crl: ", v_to_be_signed_crl);
f_sign_dc_crl(v_rca_certificate_id, v_to_be_signed_crl, v_ieee1609dot2_signed_and_encrypted_data);
log("*** " & testcasename() & ": INFO: v_ieee1609dot2_signed_and_encrypted_data: ", v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers));
f_http_send(v_headers, v_response);
log("*** " & testcasename() & ": INFO: ToBeSignedCRl sent ***");
tc_wait.start;
repeat;
}
[] a_await_cpoc_http_request_from_iut( // Await for TLM request (E-CPOC)
mw_http_request(
mw_http_request_get(
PICS_HTTP_GET_URI_TLM & "/" & oct2str(v_rca_hashed_id8)
)),
v_request
) {
var ToBeSignedTlmCtl v_to_be_signed_tlm_ctl;
tc_wait.stop;
f_init_default_headers_list(-, "ca_response", v_headers);
// Send message
f_build_tlm(
v_tlm_certificate_id,
v_rca_certificate_id,
v_to_be_signed_tlm_ctl
);
log("*** " & testcasename() & ": INFO: v_to_be_signed_tlm_ctl: ", v_to_be_signed_tlm_ctl);
f_sign_dc_ctl(v_rca_certificate_id, v_to_be_signed_tlm_ctl, v_ieee1609dot2_signed_and_encrypted_data);
log("*** " & testcasename() & ": INFO: v_ieee1609dot2_signed_and_encrypted_data: ", v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers));
f_http_send(v_headers, v_response);
log("*** " & testcasename() & ": INFO: ToBeSignedTlmCtl sent ***");
tc_wait.start;
repeat;
}
[] a_await_any_http_request_from_iut(
mw_http_request,
v_request
) {
tc_wait.stop;
f_init_default_headers_list(-, "ca_response", v_headers);
v_response := m_http_response(m_http_response_400_bad_request(m_http_message_body_html("Request not supported
"), v_headers)); f_http_send(v_headers, v_response); tc_wait.start; repeat; } [] tc_wait.timeout { //log("*** " & testcasename() & ": PASS: Terminate Generation/Distrbution server ***"); //f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); tc_wait.start; repeat; } } // End of 'alt' statement f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfHttpDown_ca(); } // End of testcase TC_PKI_PLTF_RCV_BV_01 } // End of group pki_platform_simu } // End of module ItsPki_TestCases