/** * @Author ETSI / STF545 / TTF T025 * @version $Url$ * $Id$ * @desc Testcases file for Security Protocol * @reference ETSI TS ITS-00546v006 * @copyright ETSI Copyright Notification * No part may be reproduced except as authorized by written permission. * The copyright and the foregoing restriction extend to reproduction in all media. * All rights reserved. */ module ItsPki_TestCases { // Libcommon import from LibCommon_Time all; import from LibCommon_VerdictControl all; import from LibCommon_Sync all; import from LibCommon_BasicTypesAndValues all; import from LibCommon_DataStrings all; // LibIts import from Ieee1609Dot2BaseTypes language "ASN.1:1997" all; import from Ieee1609Dot2 language "ASN.1:1997" all; import from EtsiTs102941BaseTypes language "ASN.1:1997" all; import from EtsiTs102941TypesEnrolment language "ASN.1:1997" all; import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all; import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all; import from EtsiTs102941MessagesCa language "ASN.1:1997" all; import from EtsiTs102941TrustLists language "ASN.1:1997" all; import from EtsiTs103097Module language "ASN.1:1997" all; import from Ieee1609Dot2Dot1AcaRaInterface language "ASN.1:1997" all; import from Ieee1609Dot2Dot1EeRaInterface language "ASN.1:1997" all; import from ETSI_ITS_CDD language "ASN.1:1997" all; import from CAM_PDU_Descriptions language "ASN.1:1997" all; // LibItsCommon import from LibItsCommon_TypesAndValues all; import from LibItsCommon_Functions all; import from LibItsCommon_TypesAndValues all; import from LibItsCommon_ASN1_NamedNumbers all; // LibItsGeoNetworking import from LibItsGeoNetworking_TypesAndValues all; import from LibItsGeoNetworking_Functions all; import from LibItsGeoNetworking_Templates all; import from LibItsGeoNetworking_Pics all; import from LibItsGeoNetworking_Pixits all; import from LibItsGeoNetworking_TestSystem all; // LibItsCam import from LibItsCam_TypesAndValues all; import from LibItsCam_Templates all; // LibItsSecurity import from LibItsSecurity_TypesAndValues all; import from LibItsSecurity_TestSystem all; import from LibItsSecurity_Templates all; import from LibItsSecurity_Functions all; import from LibItsSecurity_Pixits all; import from LibItsSecurity_Pics all; // LibHttp import from LibHttp_TypesAndValues all; import from LibHttp_Templates all; import from LibHttp_Functions all; import from LibHttp_TestSystem all; import from LibHttp_Pics all; import from LibHttp_BinaryTemplates all; // LibHelpers import from LibHelpers_Functions all; // LibItsPki import from LibItsPki_TypesAndValues all; import from LibItsPki_Templates all; import from LibItsPki_Functions all; import from LibItsPki_TestSystem all; import from LibItsPki_Pics all; import from LibItsPki_Pixits all; import from LibItsPki_EncdecDeclarations all; // ItsPki import from ItsPki_Pixits all; /** * @desc 5.2 ITS-S behaviour */ group itss_behavior { group itss_states { const charstring c_stInitial := "initial"; const charstring c_stEnrolled := "enrolled"; const charstring c_stAuthorized := "authorized"; } group itss_helpers { /** * @desc Send an HTTP error message 500 Internal error. * Note: To be refined */ function f_send_500_Internal_Error( in Headers p_headers, in template (omit) charstring p_error_message := omit ) runs on ItsPkiHttp { f_http_send( p_headers, m_http_response( m_http_response_500_internal_error( p_headers ))); } // End function f_send_500_Internal_Error /** * @desc The purpose of this function is verify the EC request and extract InnerEcRequest and build the InnerEcResponse for the HTTP response * Note: This function accepts additional parameters to alter the reponse */ function f_verify_http_ec_request_from_iut_itss( in Request p_request, in Headers p_headers, out InnerEcRequest p_inner_ec_request, out InnerEcResponse p_inner_ec_response, out HttpMessage p_response, out integer p_result, in template (present) octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, in template (present) SignerIdentifier p_signer := m_signerIdentifier_self, in EnrolmentResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var HashedId8 v_bfk_hashed_id8; var Oct16 v_aes_enc_key; var template (value) HttpMessage v_response; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; var PublicVerificationKey v_canonical_key; log(">>> f_verify_http_ec_request_from_iut_itss: ", p_request); p_result := 0; if(false == f_get_canonical_itss_key(v_canonical_key)){ log(">>> f_verify_http_ec_request_from_iut_itss: error getting canonical key"); v_response := m_http_response(m_http_response_500_internal_error(p_headers)); p_result := -1; return; } if(not(f_read_pki_request_message( p_request.body.binary_body.ieee1609dot2_data, vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, v_request_hash, v_aes_enc_key, v_ieee1609dot2_signed_data, v_etsi_ts_102941_data ))) { f_http_build_inner_ec_response(-, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); p_result := -1; goto L_Done; } log("f_verify_http_ec_request_from_iut_itss: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))); // TODO In TITAN, this is the only way to get the unmatching in log if (false == match(v_etsi_ts_102941_data.content, mw_enrolmentRequest(mw_innerEcRequestSignedForPop(mw_signedData(sha256, mw_toBeSignedData(-, mw_headerInfo_inner_pki_request), p_signer))))) { // Send error message f_http_build_inner_ec_response(-, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict p_result := -2; goto L_Done; } // Verify signature of mw_innerEcRequestSignedForPop if (false == f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request)) { // Send error message f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -3; goto L_Done; } log("f_verify_http_ec_request_from_iut_itss: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log if (false == match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)})))) { // Send error message: Not enrolmentrequest f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -4; goto L_Done; } // TODO Check ValidityPeriod // Send OK message log("f_verify_http_ec_request_from_iut_itss: Receive ", p_inner_ec_request); if (p_force_response_code == ok) { // Send EC certificate with code ok log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter); f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256)) { if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0)) { vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0; vc_ec_compressed_modes[vc_ec_keys_counter] := 0; } else { vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_1; vc_ec_compressed_modes[vc_ec_keys_counter] := 1; } } else if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1)) { if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) { vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0; vc_ec_compressed_modes[vc_ec_keys_counter] := 0; } else { vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1; vc_ec_compressed_modes[vc_ec_keys_counter] := 1; } } else { log("*** " & testcasename() & ": FAIL: Not implemented yet ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8; vc_ec_keys_counter := vc_ec_keys_counter + 1; vc_ec_certificates[vc_ec_counter] := v_ec_certificate; vc_ec_counter := vc_ec_counter + 1; log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter); } else { log("f_verify_http_ec_request_from_iut_itss: Succeed but force error code ", p_force_response_code); f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); } label L_Done; v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); p_response := valueof(v_response); log("<<< f_verify_http_ec_request_from_iut_itss: p_response: ", p_response); log("<<< f_verify_http_ec_request_from_iut_itss: p_result: ", p_result); } // End of function f_verify_http_ec_request_from_iut_itss /** * @desc The purpose of this function is verify the AT request and extract InnerAtRequest and build the InnerAtResponse for the HTTP response * Note: This function accepts additional parameters to alter the reponse */ function f_verify_http_at_request_from_iut_itss( in Request p_request, in Headers p_headers, in template (omit) EtsiTs103097Certificate p_ec_certificate, out InnerAtRequest p_inner_at_request, out InnerAtResponse p_inner_at_response, out HttpMessage p_response, out integer p_result, in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, in AuthorizationResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Ieee1609Dot2Data v_ieee1609dot2_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var HashedId8 v_bfk_hashed_id8; var Oct16 v_aes_enc_key; var template (value) HttpMessage v_response; var octetstring v_msg; log(">>> f_verify_http_at_request_from_iut_itss:", p_request); p_result := 0; // 1. Calculate the request Hash v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data)); log(">>> f_verify_http_at_request_from_iut_itss: Encoded request: ", v_msg); v_request_hash := substr(f_hashWithSha256(v_msg), 0, 16); log(">>> f_verify_http_at_request_from_iut_itss: p_request_hash= ", v_request_hash); // 2. Decrypt the InnerAtRequest if (false == f_decrypt(vc_aaPrivateEncKey, // AA private encryption key p_request.body.binary_body.ieee1609dot2_data , // data to be decrypted vc_aaWholeHash, // salt v_ieee1609dot2_data, // decrypted message v_aes_enc_key)) { log("f_verify_http_at_request_from_iut_itss: Failed to decrypt message"); // Send error message, unable to decypt it p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); // Initialize v_reponse with an error message // Set verdict p_result := -1; return; } // check if signed var bitstring v_msg_bit; if(ispresent(v_ieee1609dot2_data.content.signedData)) { if(not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data) or not ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData)) { log("f_verify_http_at_request_from_iut_itss: Invalid message payload"); p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); p_result := -1; return; } log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); v_msg_bit := oct2bit(v_ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); } else { if(not ispresent(v_ieee1609dot2_data.content.unsecuredData)) { log("f_verify_http_at_request_from_iut_itss: Invalid message payload"); p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); p_result := -1; return; } v_msg_bit := oct2bit(v_ieee1609dot2_data.content.unsecuredData); } if (decvalue(v_msg_bit, v_etsi_ts_102941_data) != 0) { log("f_verify_http_at_request_from_iut_itss: Can not decode v_etsi_ts_102941_data"); p_response := valueof(m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request"))); p_result := -1; return; } if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) { // Send error message f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); // Set verdict p_result := -2; return; } if (f_verify_inner_at_request_signed_for_pop(v_etsi_ts_102941_data, p_ec_certificate, p_inner_at_request) == false) { // Send error message f_http_build_authorization_response(p_inner_at_request, its_aa_cantparse, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -3; return; } log("f_verify_http_at_request_from_iut_itss: match ", match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); if (match(p_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined // Send error message: No authorization request f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -4; return; } // Verify PoP signature of outer message if(ispresent(v_ieee1609dot2_data.content.signedData)){ log("f_verify_http_at_request_from_iut_itss: v_ieee1609dot2_data.content.signedData.tbsData= ", v_ieee1609dot2_data.content.signedData.tbsData); v_msg := bit2oct(encvalue(v_ieee1609dot2_data.content.signedData.tbsData)); log("f_verify_http_at_request_from_iut_itss: v_msg= ", v_msg); if (false == f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_data.content.signedData.signature_, p_inner_at_request.publicKeys.verificationKey)) { f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -6; return; } } var PublicVerificationKey v_verification_tag; var octetstring v_encoded_tag; var octetstring v_key_tag; // Build the tag v_encoded_tag := bit2oct(encvalue(p_inner_at_request.publicKeys.verificationKey)); if (ispresent(p_inner_at_request.publicKeys.encryptionKey)) { v_encoded_tag := v_encoded_tag & bit2oct(encvalue(p_inner_at_request.publicKeys.encryptionKey)); } // Verify HMAC-SHA256 log("f_verify_http_at_request_from_iut_itss: v_encoded_tag= ", v_encoded_tag); v_key_tag := substr( fx_hmac_sha256( // TODO Rename and use a wrapper function p_inner_at_request.hmacKey, v_encoded_tag ), 0, 16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously log("f_verify_http_at_request_from_iut_itss: v_key_tag: ", v_key_tag); log("f_verify_http_at_request_from_iut_itss: keyTag= ", p_inner_at_request.sharedAtRequest.keyTag); log("f_verify_http_at_request_from_iut_itss: matching: ", match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag)); if (match(p_inner_at_request.sharedAtRequest.keyTag, v_key_tag) == false) { // Send error message: No enrolment request f_http_build_authorization_response(p_inner_at_request, its_aa_keysdontmatch, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); // Set verdict p_result := -5; return; } // Send OK message log("f_verify_http_at_request_from_iut_itss: Receive ", p_inner_at_request); if (p_force_response_code == ok) { f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); } else { log("f_verify_http_at_request_from_iut_itss: Succeed built force error code ", p_force_response_code); f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, vc_aaPrivateKey, vc_aaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_data); } p_response := valueof(m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_data)), p_headers))); log("<<< f_verify_http_at_request_from_iut_itss: p_result: ", p_result); log("<<< f_verify_http_at_request_from_iut_itss: p_response: ", p_response); } // End of function f_verify_http_at_request_from_iut_itss /** * @desc The purpose of this function is verify the AT request and extract InnerAtRequest , verify ecSignature and build the InnerAtResponse for the HTTP response * Note: This function accepts additional parameters to alter the response */ function f_verify_http_at_request_from_iut_itss_for_ecSignature( in Request p_request, in Headers p_headers, in EtsiTs103097Certificate p_ec_certificate, out InnerAtRequest p_inner_at_request, out InnerAtResponse p_inner_at_response, out HttpMessage p_response, out integer p_result, out boolean p_contains_ecsignature, in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, in AuthorizationResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; //new variable var HashedId8 v_ec_certificate_hashed_id8 //new variable // var EcHashedId8 vc_ec_hashed_id8; Already defined in LibItsPki_TestSystem var Oct16 v_request_hash; var HashedId8 v_bfk_hashed_id8; var Oct16 v_aes_enc_key; var template (value) HttpMessage v_response; log(">>> f_verify_http_at_request_from_iut_itss_for_ecSignature:", p_request); p_result := 0; // Do not verify the signature now because ATRequest is required to verify the POP signature ==> false if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, omit, p_request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Only decryption // Send error message, unable to decrypt it v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_response with an error message // Set verdict p_result := -1; } else { log("f_verify_http_at_request_from_iut_itss_for_ecSignature: matching: ", match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest))); // to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationRequest(mw_innerAtRequest)) == false) { // Send error message f_http_build_authorization_response(-, its_aa_cantparse, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict p_result := -2; } else { // Extract InnerAtRequest and Verify signature of mw_innerATRequestSigned var InnerAtRequest v_inner_at_request := v_etsi_ts_102941_data.content.authorizationRequest; log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(v_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature))); // to get the unmatching in log if (match(v_inner_at_request, mw_innerAtRequest(mw_publicKeys, -, mw_shared_at_request, mw_ec_signature)) == false) { // TODO To be refined // Send error message: No authorization request f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -3; } else { // Check ecSignature if (ispresent(v_inner_at_request.ecSignature.ecSignature) == false) { // Send error message: No signed external payload present f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -4; // Verify ecSignature of mw_ec_signature (encrypted) } else { p_contains_ecsignature := true; v_ieee1609dot2_signed_data := v_inner_at_request.ecSignature.ecSignature; log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(v_inner_at_request.ecSignature,mw_ec_signature_ext_payload)) if (match(v_inner_at_request.ecSignature, mw_ec_signature_ext_payload) == false) { // Send error message: Present signed external payload doesnot match mw_ec_signature_ext_payload template f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -5; } else { // Check signer in ecSignature if (isvalue(v_ieee1609dot2_signed_data.content.signedData)) { // Verify digest of signerIdentifier_digest if (match(v_ieee1609dot2_signed_data.content.signedData.signer,mw_signerIdentifier_digest) == false) { var HashedId8 v_digest := v_ieee1609dot2_signed_data.content.signedData.signer.digest; // check if it is hashId8 //log("f_verify_http_at_request_from_iut_itss_for_ecSignature: match ", match(p_ec_certificate.issuer, v_digest)); var bitstring v_enc_value; var octetstring v_ec_hash; var Oct8 v_ec_hashed_id8; v_enc_value := encvalue(p_ec_certificate); if (ischosen(p_ec_certificate.issuer.sha256AndDigest)) { v_ec_hash := f_hashWithSha256(bit2oct(v_enc_value)); v_ec_hashed_id8 := f_hashedId8FromSha256(v_ec_hash); } else { v_ec_hash := f_hashWithSha384(bit2oct(v_enc_value)); v_ec_hashed_id8 := f_hashedId8FromSha384(v_ec_hash); } if (match(v_ec_hashed_id8, v_digest) == false) { // Send error message: Signer not contains HashedId8 of the CERT_EC certificate f_http_build_authorization_response(p_inner_at_request, its_aa_badcontenttype, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -6; } else { // Check _signature in ecSignature if (isvalue(v_ieee1609dot2_signed_data.content.signedData.signature_)) { // var EtsiTs103097Certificate v_certificate; var EtsiTs102941Data v_etsi_ts_102941_ext_payload_data; var octetstring v_encoded_tbsData var Oct32 v_issuer; v_certificate := v_ieee1609dot2_signed_data.content.signedData.signer.certificate[0]; v_encoded_tbsData := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData)); var octetstring v_enc := bit2oct(encvalue(v_certificate)); v_issuer := f_hashWithSha256(v_enc); if (f_verifyEcdsa(v_encoded_tbsData,v_issuer,v_ieee1609dot2_signed_data.content.signedData.signature_,v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { // Send error message: Unable to verfy signature using EC's verification public key f_http_build_authorization_response(p_inner_at_request, invalidsignature, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // Set verdict p_result := -7; } else { // Send OK message log("f_verify_http_at_request_from_iut_itss_for_ecSignature: Receive ", p_inner_at_request); if (p_force_response_code == ok) { f_http_build_authorization_response(p_inner_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); } else { log("f_verify_http_at_request_from_iut_itss_for_ecSignature: Succeed built force error code ", p_force_response_code); f_http_build_authorization_response(p_inner_at_request, p_force_response_code, v_request_hash, -, -, v_aes_enc_key, p_inner_at_response, v_ieee1609dot2_signed_and_encrypted_data); } v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); } } } } } } } // Check } } } } function f_verify_http_bfk_authorization_request( in Request p_request, in Headers p_headers, in EtsiTs103097Certificate p_ec_certificate, out EeRaCertRequest p_bfk_authorization_request, out RaEeCertInfo p_ra_ee_cert_info, out HttpMessage p_response, out integer p_result, in template octetstring p_its_id := PICS_ITS_S_CANONICAL_ID, in template SignerIdentifier p_signer := m_signerIdentifier_self, in EnrolmentResponseCode p_force_response_code := ok ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var HashedId8 v_bfk_request_hash; var Oct16 v_aes_enc_key; var template (value) HttpMessage v_response; log(">>> f_verify_http_bfk_authorization_request: ", p_request); p_result := 0; if (f_verify_pki_request_message_with_certificate(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, p_ec_certificate, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -1; } else { // TODO Add checks on date, log("f_verify_http_bfk_authorization_request: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationRequest(mw_ee_ra_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationRequest(mw_ee_ra_cert_request)) == false) { // Send error message f_http_build_butterfly_authorization_response_message(p_bfk_authorization_request/*Not required*/, v_bfk_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_ra_ee_cert_info, v_ieee1609dot2_signed_and_encrypted_data); // Set verdict p_result := -2; } else { // TODO Add checks p_bfk_authorization_request := v_etsi_ts_102941_data.content.butterflyAuthorizationRequest; f_http_build_butterfly_authorization_response_message(p_bfk_authorization_request, v_bfk_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, p_ra_ee_cert_info, v_ieee1609dot2_signed_and_encrypted_data); // vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8; // vc_ec_keys_counter := vc_ec_keys_counter + 1; // vc_ec_certificates[vc_ec_counter] := v_ec_certificate; // vc_ec_counter := vc_ec_counter + 1; // log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter); // // Verify signature of mw_innerEcRequestSignedForPop // if (f_verify_inner_ec_request_signed_for_pop(v_etsi_ts_102941_data, p_inner_ec_request) == false) { // // Send error message // f_http_build_inner_ec_response(p_inner_ec_request/*Not required*/, cantparse, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // // Set verdict // p_result := -3; // } else { // log("f_verify_http_bfk_authorization_request: matching: ", match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes({mw_appPermissions(c_its_aid_SCR, ?)})))); // TODO In TITAN, this is the only way to get the unmatching in log // if (match(p_inner_ec_request, mw_innerEcRequest(p_its_id, -, mw_certificate_subject_attributes_optional_assuranceLevel({mw_appPermissions(c_its_aid_SCR, ?)}))) == false) { // // Send error message: Not enrolmentrequest // f_http_build_inner_ec_response(p_inner_ec_request, badcontenttype, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); // // Set verdict // p_result := -4; // } else { // // TODO Check ValidityPeriod // // Send OK message // log("f_verify_http_bfk_authorization_request: Receive ", p_inner_ec_request); // if (p_force_response_code == ok) { // // Send EC certificate with code ok // log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter); // f_http_build_inner_ec_response(p_inner_ec_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256)) { // if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0)) { // vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_0; // vc_ec_compressed_modes[vc_ec_keys_counter] := 0; // } else { // vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256.compressed_y_1; // vc_ec_compressed_modes[vc_ec_keys_counter] := 1; // } // } else if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1)) { // if (ispresent(p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) { // vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0; // vc_ec_compressed_modes[vc_ec_keys_counter] := 0; // } else { // vc_ec_public_compressed_key[vc_ec_keys_counter] := p_inner_ec_request.publicKeys.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1; // vc_ec_compressed_modes[vc_ec_keys_counter] := 1; // } // } else { // log("*** " & testcasename() & ": FAIL: Not implemented yet ***"); // f_selfOrClientSyncAndVerdict(c_prDone, e_error); // } // vc_ec_hashed_id8[vc_ec_keys_counter] := v_ec_certificate_hashed_id8; // vc_ec_keys_counter := vc_ec_keys_counter + 1; // vc_ec_certificates[vc_ec_counter] := v_ec_certificate; // vc_ec_counter := vc_ec_counter + 1; // log("====================================== vc_ec_keys_counter= ", vc_ec_keys_counter); // } else { // log("f_verify_http_bfk_authorization_request: Succeed but force error code ", p_force_response_code); // f_http_build_inner_ec_response(p_inner_ec_request, p_force_response_code, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_ec_certificate, v_ec_certificate_hashed_id8, p_inner_ec_response, v_ieee1609dot2_signed_and_encrypted_data); // } v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); } } p_response := valueof(v_response); log("<<< f_verify_http_bfk_authorization_request: p_response: ", p_response); log("<<< f_verify_http_bfk_authorization_request: p_result: ", p_result); } // End of function f_verify_http_bfk_authorization_request /** * @desc Await ITS CA message using the default AT certificate */ altstep a_await_cam_with_current_cert( in EtsiTs103097Certificate p_certificate ) runs on ItsPkiItss { [PICS_SEC_SHA256 == true] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData( sha256, mw_toBeSignedData( mw_signedDataPayload, mw_headerInfo_cam ), mw_signerIdentifier_certificate( mw_etsiTs103097Certificate( mw_issuerIdentifier_sha256AndDigest( p_certificate.issuer.sha256AndDigest ), mw_toBeSignedCertificate_at( -, p_certificate.toBeSigned.verifyKeyIndicator ) ) ) ) ), mw_geoNwShbPacket ))) { } [PICS_SEC_SHA384 == true] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData( sha384, mw_toBeSignedData( mw_signedDataPayload, mw_headerInfo_cam ), mw_signerIdentifier_certificate( mw_etsiTs103097Certificate( mw_issuerIdentifier_sha384AndDigest( p_certificate.issuer.sha384AndDigest ), mw_toBeSignedCertificate_at( -, p_certificate.toBeSigned.verifyKeyIndicator ) ) ) ) ), mw_geoNwShbPacket ))) { } } // End of altstep a_await_cam_with_current_cert } // End of group itss_helpers // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.2.1 Enrollment request group itss_enrolment_request { /** * @desc Check that IUT sends an enrolment request when triggered. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Initial conditions: * with { * the IUT being in the "initial state" * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to requested a new Enrolment Certificate (EC) * } * then { * the IUT sends to EA an EnrolmentRequestMessage * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_01_BV * @reference ETSI TS 102 941 [2], clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_01_BV group f_TC_SECPKI_ITSS_ENR_01_BV { function f_TC_SECPKI_ITSS_ENR_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := ""; // No certificates //PX_IUT_DEFAULT_CERTIFICATE f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); tc_ac.start; // TDOD To refined, use altstep alt { [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { tc_ac.stop; log("*** " & testcasename() & ": INFO: IUT is in enrolment state ***"); } [] tc_ac.timeout { log("*** " & testcasename() & ": DBG: IUT state update not recieved ***"); //f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_itss function f_TC_SECPKI_ITSS_ENR_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { var Oct16 v_request_hash; var Oct16 v_aes_enc_key; var Ieee1609Dot2Data v_outer_encrypted_message; var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var Ieee1609Dot2Data v_response_message; var EtsiTs102941Data v_pki_request; tc_ac.stop; if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_pki_request, v_inner_ec_request))) { f_send_500_Internal_Error(v_headers); log("*** " & testcasename() & ": INCONC: Canonical key is not set properly ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // to emulate inconc } else { f_send_500_Internal_Error(v_headers); // we dont care about response // Set verdict log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_01_BV /** * @desc If the enrolment request of the IUT is an initial enrolment request, the itsId * (contained in the InnerECRequest) shall be set to the canonical identifier, the * signer (contained in the outer EtsiTs1030971Data-Signed) shall be set to self and * the outer signature shall be computed using the canonical private key. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing InnerECRequestSignedForPOP * containing InnerEcRequest * containing itsId * indicating the canonical identifier of the ITS-S * and containing signer * declared as self * and containing signature * computed using the canonical private key * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_02_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_02_BV group f_TC_SECPKI_ITSS_ENR_02_BV { function f_TC_SECPKI_ITSS_ENR_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var Ieee1609Dot2Data v_response_message; var EtsiTs102941Data v_pki_request; var Oct16 v_request_hash, v_aes_enc_key; var PublicVerificationKey v_canonical_key; tc_ac.stop; f_send_500_Internal_Error(v_headers); // we don't care about response if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_pki_request, v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(isvalue(v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if(not match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID)){ log("*** " & testcasename() & ": FAIL: Canonical ID mismatched ***"); log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, LibItsPki_Pics.PICS_ITS_S_CANONICAL_ID)); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(ischosen(v_decrypted_message.content.signedData))) { log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***"); log("*** " & testcasename() & ": FAIL: inner data content=", v_decrypted_message.content); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(ischosen(v_decrypted_message.content.signedData.signer.self_))) { log("*** " & testcasename() & ": FAIL: EC request shall be self-signed by cannonical key ***"); log("*** " & testcasename() & ": FAIL: signerInfo=", v_decrypted_message.content.signedData.signer); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if(false == f_get_canonical_itss_key(v_canonical_key)){ log("*** " & testcasename() & ": INCONC: Unknown ITS-S canonical public key ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); // emulate inconc } if (not(f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)), int2oct(0, 32), // issuer is emtpy string v_decrypted_message.content.signedData.signature_, v_canonical_key))){ log("*** " & testcasename() & ": FAIL: EC request signature verification failed ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_01_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_02_BV /** * @desc In presence of a valid EC, the enrolment request of the IUT is a rekeying enrolment * request with the itsId (contained in the InnerECRequest) and the SignerIdentifier * (contained in the outer EtsiTs1030971Data-Signed) both declared as digest containing * the HashedId8 of the EC and the outer signature computed using the current valid EC * private key corresponding to the verification public key. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing InnerECRequestSignedForPOP * containing InnerEcRequest * containing itsId * declared as digest containing the HashedId8 of the EC identifier * and containing signer * declared as digest containing the HashedId8 of the EC identifier * and containing signature * computed using the current valid EC private key corresponding to the verification public key * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV * @reference ETSI TS 102 941, clause 6.1.3 */ testcase TC_SECPKI_ITSS_ENR_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_REENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_03_BV group f_TC_SECPKI_ITSS_ENR_03_BV { function f_TC_SECPKI_ITSS_ENR_03_BV_itss( in float p_delay := 0.0 ) runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { // Trigger the first enrolment f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body // Give time to the IUT to setup enrol state tc_ac.start; // TDOD To refined, use altstep alt { [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { tc_ac.stop; log("*** " & testcasename() & "_itss: INFO: IUT is in enrolment state ***"); } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); //f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement if(p_delay > 0.0){ log("*** " & testcasename() & "_itss: INFO: Wait for second enrolment trigger ***"); f_sleep(p_delay); } // Trigger the second enrolment f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: PASS: Re-enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_03_BV_itss function f_TC_SECPKI_ITSS_ENR_03_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var HashedId8 v_ec_cert_digest; var octetstring v_ec_cert_hash; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); if (not(f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request))) { log("*** " & testcasename() & ": FAIL: First InnerEcRequest failed ***"); log("*** " & testcasename() & ": v_request := ", v_request); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); log(">>>>> v_inner_ec_response=", v_inner_ec_response); var HashAlgorithm ha := f_getHashAlgorithmOfVerificationKeyIndicator(v_inner_ec_response.certificate.toBeSigned.verifyKeyIndicator); if (ha == sha256) { v_ec_cert_hash := f_hashWithSha256(bit2oct(encvalue(v_inner_ec_response.certificate))); } else if (ha == sha384) { v_ec_cert_hash := f_hashWithSha384(bit2oct(encvalue(v_inner_ec_response.certificate))); } else { log("*** " & testcasename() & ": FAIL: Unknown EC certificate hash alg=", ha); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } v_ec_cert_digest := substr(v_ec_cert_hash, lengthof(v_ec_cert_hash) - 8, 8); log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { var integer v_result; var HttpMessage v_response; var Oct16 v_request_hash, v_aes_enc_key; var Ieee1609Dot2Data v_decrypted_message; var EtsiTs102941Data v_etsi_ts_102941_data; tc_ac.stop; f_send_500_Internal_Error(v_headers); // we don't care about response // Verify IUT response if (not(f_read_ec_request_from_iut_itss( v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_etsi_ts_102941_data, v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(isvalue(v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(match(v_inner_ec_request.itsId, v_ec_cert_digest))) { log("*** " & testcasename() & ": FAIL: ITS-S ID is not equal to the EC HashedId8 ***"); log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, v_ec_cert_digest)); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(ischosen(v_decrypted_message.content.signedData))) { log("*** " & testcasename() & ": FAIL: EC request shall contain signed message ***"); log("*** " & testcasename() & ": FAIL: inner data content=", v_decrypted_message.content); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(ischosen(v_decrypted_message.content.signedData.signer.digest))) { log("*** " & testcasename() & ": FAIL: re-keying EC request shall be signed by the previous EC certificate digest***"); log("*** " & testcasename() & ": FAIL: signerInfo=", v_decrypted_message.content.signedData.signer); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(f_verifyEcdsa(bit2oct(encvalue(v_decrypted_message.content.signedData.tbsData)), v_ec_cert_hash, v_decrypted_message.content.signedData.signature_, v_inner_ec_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey))) { log("*** " & testcasename() & ": FAIL: EC request signature verification failed ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_03_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_03_BV /** * @desc If the EC is revoked, the IUT returns to the state 'initialized'. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_CRL * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrollmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs102941Data * containing InnerECRequestSignedForPOP * containing InnerEcRequest * containing itsId * indicating the canonical identifier of the ITS-S * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_04_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_CRL) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_CRL required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration // Synchronization // Cleanup setverdict(inconc); } // End of TC_SECPKI_ITSS_ENR_04_BV /** * @desc If the EC expires, the IUT returns to the state 'initialized'. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrollmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs102941Data * containing InnerECRequestSignedForPOP * containing InnerEcRequest * containing itsId * indicating the canonical identifier of the ITS-S * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_05_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_05_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_05_BV_itss()); // wait 15 sec before the second enrolment v_ea.start(f_TC_SECPKI_ITSS_ENR_05_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_05_BV group f_TC_SECPKI_ITSS_ENR_05_BV { function f_TC_SECPKI_ITSS_ENR_05_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Test component configuration vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { // Trigger the first enrolment log("*** " & testcasename() & "_itss: INFO: No CA message received ***"); } } // End of 'alt' statement log("*** " & testcasename() & "_itss: INFO: Trigger 1st emrolment ***"); f_sendUtTriggerEnrolmentRequestPrimitive(); // wait a couple of seconds and run second enrolment to check re-enrolment procedure f_sleep(PX_RE_ENROLMENT_DELAY); log("*** " & testcasename() & "_itss: INFO: Trigger 2nd emrolment ***"); f_sendUtTriggerEnrolmentRequestPrimitive(); // wait 5 seconds after expiration of EC cert f_sleep(PX_CERT_EXPIRATION_DELAY + 5.0); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body // Trigger the 3rd enrolment log("*** " & testcasename() & "_itss: INFO: Trigger 3rd emrolment ***"); f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: PASS: Re-enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_03_BV_itss function f_TC_SECPKI_ITSS_ENR_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var HashedId8 v_ec_cert_digest; var EtsiTs103097Certificate v_ec_cert; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); f_init_default_headers_list(-, "inner_ec_response", v_headers); // Preamble if (not(f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request, ok, m_certificateSubjectAttributes_id_omit( -, valueof(m_validityPeriod(f_getCurrentTime() / 1000, m_duration_in_seconds(float2int(PX_CERT_EXPIRATION_DELAY)))) )))) { log("*** " & testcasename() & ": FAIL: First InnerEcRequest failed ***"); log("*** " & testcasename() & ": v_request := ", v_request); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log(">>>>> 1st v_inner_ec_response=", v_inner_ec_response); v_ec_cert := v_inner_ec_response.certificate; v_ec_cert_digest := f_calculateDigestFromCertificate(v_ec_cert); if (not(ischosen(v_ec_cert.toBeSigned.validityPeriod.duration.seconds))) { log("*** " & testcasename() & ": INCONC: wrong EC certificate validity period error"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log("*** " & testcasename() & ": INFO: First InnerEcRequest processed. EC = " & oct2str(v_ec_cert_digest) & "***"); log("*** " & testcasename() & ": INFO: expires in " & int2str(v_ec_cert.toBeSigned.validityPeriod.start_ + v_ec_cert.toBeSigned.validityPeriod.duration.seconds - (f_getCurrentTime()/1000)) & " seconds ***" ); // Wait for 2nd request with EC data if (not(f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, deniedrequest))) { log("*** " & testcasename() & ": FAIL: 2nd InnerEcRequest failed ***"); log("*** " & testcasename() & ": v_request := ", v_request); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log(">>>>> 2nd v_inner_ec_response=", v_inner_ec_response); if (not(match(v_inner_ec_request.itsId, v_ec_cert_digest))) { log("*** " & testcasename() & ": FAIL: ITS-S ID of 2nd request must be equal to the EC HashedId8 ***"); log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, v_ec_cert_digest)); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body if (not(f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, deniedrequest))){ log("*** " & testcasename() & ": FAIL: 3rd InnerEcRequest failed ***"); log("*** " & testcasename() & ": v_request := ", v_request); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } log(">>>>> 3rd v_inner_ec_response=", v_inner_ec_response); if(match(v_inner_ec_request.itsId, v_ec_cert_digest)){ if(v_ec_cert.toBeSigned.validityPeriod.start_ + v_ec_cert.toBeSigned.validityPeriod.duration.seconds < (f_getCurrentTime()/1000)){ log("*** " & testcasename() & ": INCONC: EC certificate is not expired yet ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } log("*** " & testcasename() & ": FAIL: ITS-S ID of 3rd request must NOT be equal to the expired EC HashedId8 ***"); log("*** " & testcasename() & ": FAIL: ", match(v_inner_ec_request.itsId, v_ec_cert_digest)); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_05_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_05_BV /** * @desc For each enrolment request, the ITS-S shall generate a new verification key pair corresponding to an approved signature algorithm as specified in TS 103 097. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and not PICS_SECPKI_REENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send multiple EnrolmentRequestMessage * } * then { * each EnrolmentRequestMessage * contains a different and unique verification key pair within the InnerECRequest * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_06_BV * @reference ETSI TS 102 941, clause 6.1.3 */ const charstring c_nextTry := "nextTry"; testcase TC_SECPKI_ITSS_ENR_06_BV_1() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_06_BV_mtc(c_stInitial); } // End of TC_SECPKI_ITSS_ENR_06_BV_1 testcase TC_SECPKI_ITSS_ENR_06_BV_2() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_06_BV_mtc(c_stEnrolled); } // End of TC_SECPKI_ITSS_ENR_06_BV_2 group f_TC_SECPKI_ITSS_ENR_06_BV_mtc { function f_TC_SECPKI_ITSS_ENR_06_BV_mtc( in charstring p_state ) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_06_BV_itss(PX_RE_ENROLMENT_COUNTER, p_state)); v_ea.start(f_TC_SECPKI_ITSS_ENR_06_BV_pki(PX_RE_ENROLMENT_COUNTER, p_state)); // Synchronization f_serverSyncClientsTimed(2, c_prDone, PX_TSYNC_TIME_LIMIT); for(var integer v_i := 0; v_i < PX_RE_ENROLMENT_COUNTER; v_i := v_i + 1){ f_serverSyncClientsTimed(2, c_nextTry, PX_TSYNC_TIME_LIMIT); } f_serverSyncClientsTimed(2, c_tbDone, PX_TSYNC_TIME_LIMIT); // Cleanup f_serverWaitForAllClientsToStop(); } // End of f_TC_SECPKI_ITSS_ENR_06_BV_mtc function f_TC_SECPKI_ITSS_ENR_06_BV_itss( integer p_max_try, charstring p_state ) runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body // Send first enrolment for(var integer v_i := 0; v_i < p_max_try; v_i := v_i + 1){ f_sleep(PX_RE_ENROLMENT_DELAY); f_sendUtTriggerEnrolmentRequestPrimitive(); f_clientSync(c_nextTry, e_success); } f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_06_BV_itss function f_TC_SECPKI_ITSS_ENR_06_BV_pki( integer p_max_try, charstring p_state ) runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var ListOfPublicVerificationKey v_generated_keys; // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body for (var integer v_i := 0; v_i < p_max_try; v_i := v_i + 1) { var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var PublicVerificationKey v_key; var EnrolmentResponseCode v_response_code; if(p_state == c_stInitial){ v_response_code := deniedrequest; } else { v_response_code := ok; } if (not(f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request, v_response_code))) { log("*** " & testcasename() & ": ERROR: EC request receiving error ***"); setverdict(inconc); f_clientSync(c_nextTry, e_error); } v_key := v_inner_ec_request.publicKeys.verificationKey; if (isbound(v_generated_keys) and match(v_generated_keys, superset(v_key))) { log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_key)), "***"); log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); setverdict(fail); f_clientSync(c_nextTry, e_error); } v_generated_keys[v_i] := v_key; f_clientSync(c_nextTry, e_success); } log("*** " & testcasename() & ": PASS: No identical verification keys received in " & int2str(p_max_try) & " messages ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_06_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_06_BV /** * @desc Within the InnerECRequest, the requestedSubjectAttributes shall not contain a certIssuePermissions field. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing InnerECRequestSignedForPOP * containing InnerEcRequest * containing requestedSubjectAttributes * not containing certIssuePermissions * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_07_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_07_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_key_x; var Oct32 v_public_key_y; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_07_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_07_BV group f_SECPKI_ITSS_ENR_07_BV { function f_TC_SECPKI_ITSS_ENR_07_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var Ieee1609Dot2Data v_response_message; var EtsiTs102941Data v_pki_request; var Oct16 v_request_hash, v_aes_enc_key; var PublicVerificationKey v_canonical_key; tc_ac.stop; f_send_500_Internal_Error(v_headers); // we don't care about response if ((not f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_pki_request, v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if ((not isvalue(v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (ispresent(v_inner_ec_request.requestedSubjectAttributes.certIssuePermissions)) { log("*** " & testcasename() & ": FAIL: InnerEcRequest shall not contain certIssuePermissions attribute ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_07_BV_pki } // End of group f_SECPKI_ITSS_ENR_07_BV /** * @desc In the headerInfo of the tbsData of the InnerECRequestSignedForPOP all other components * of the component tbsdata.headerInfo except generationTime and psid are not used and absent. * The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and * the generationTime shall be present. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing InnerECRequestSignedForPOP * containing tbsData * containing headerInfo * containing psid * indicating AID_CERT_REQ * and containing generationTime * and not containing any other component of tbsdata.headerInfo * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_08_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_08_BV_1() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_08_BV_mtc(c_stInitial); } // End of TC_SECPKI_ITSS_ENR_08_BV_1 testcase TC_SECPKI_ITSS_ENR_08_BV_2() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_08_BV_mtc(c_stEnrolled); } // End of TC_SECPKI_ITSS_ENR_08_BV_2 group f_SECPKI_ITSS_ENR_08_BV { function f_TC_SECPKI_ITSS_ENR_08_BV_mtc(in charstring p_itss_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components if(p_itss_state == c_stEnrolled) { v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); } else { v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); } v_ea.start(f_TC_SECPKI_ITSS_ENR_08_BV_pki(p_itss_state)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_08_BV function f_TC_SECPKI_ITSS_ENR_08_BV_pki( in charstring p_itss_state ) runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); if (p_itss_state == c_stEnrolled) { var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; if(not f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request)){ log("*** " & testcasename() & ": INFO: First InnerEcRequest error ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { var Oct16 v_request_hash; var Oct16 v_aes_enc_key; var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var Ieee1609Dot2Data v_response_message; var EtsiTs102941Data v_pki_request; tc_ac.stop; f_send_500_Internal_Error(v_headers); // we dont care about response f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_pki_request, v_inner_ec_request); if (not(isvalue(v_pki_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(ischosen(v_pki_request.content.enrolmentRequest))) { log("*** " & testcasename() & ": FAIL: Not an enrolment request ***"); log("*** " & testcasename() & ": EtsiTs102941Data.content=", v_pki_request.content); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(match(v_pki_request.content.enrolmentRequest, mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( -, mw_headerInfo_inner_pki_request )))))) { log("*** " & testcasename() & ": FAIL: Wrong InnerECRequestSignedForPOP headers ***"); log("*** " & testcasename() & ": ", match( v_pki_request.content.enrolmentRequest, m_etsiTs103097Data_signed(mw_signedData( -,mw_toBeSignedData(-,mw_headerInfo_inner_pki_request()))))); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict log("*** " & testcasename() & ": PASS: EC Request received with proper InnerECRequestSignedForPOP headers ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_08_BV_pki } // End of group f_SECPKI_ITSS_ENR_08 /** * @desc In the headerInfo of the tbsData of the outer EtsiTs102941Data-Signed all other components * of the component tbsdata.headerInfo except generationTime and psid are not used and absent. * The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and * the generationTime shall be present. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing InnerECRequestSignedForPOP * containing tbsData * containing headerInfo * containing psid * indicating AID_CERT_REQ * and containing generationTime * and not containing any other component of tbsdata.headerInfo * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_09_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_09_BV_1() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_09_BV_mtc(c_stInitial); } // End of TC_SECPKI_ITSS_ENR_09_BV_1 testcase TC_SECPKI_ITSS_ENR_09_BV_2() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_09_BV_mtc(c_stEnrolled); } // End of TC_SECPKI_ITSS_ENR_09_BV_2 group f_TC_SECPKI_ITSS_ENR_09_BV { function f_TC_SECPKI_ITSS_ENR_09_BV_mtc(in charstring p_itss_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components if(p_itss_state == c_stEnrolled) { v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); } else { v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); } v_ea.start(f_TC_SECPKI_ITSS_ENR_09_BV_pki(p_itss_state)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of f_TC_SECPKI_ITSS_ENR_09_BV_mtc function f_TC_SECPKI_ITSS_ENR_09_BV_pki( in charstring p_itss_state ) runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); if (p_itss_state == c_stEnrolled) { var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; if (not(f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request))) { log("*** " & testcasename() & ": INFO: First InnerEcRequest error ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var Ieee1609Dot2Data v_response_message; var EtsiTs102941Data v_pki_request; var Oct16 v_request_hash, v_aes_enc_key; var PublicVerificationKey v_canonical_key; tc_ac.stop; f_send_500_Internal_Error(v_headers); // we don't care about response if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_pki_request, v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } if (not(match(v_decrypted_message, mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( -, mw_headerInfo_outer_pki_request )))))) { log("*** " & testcasename() & ": FAIL: Invalid outer signed structure in EC request ***"); log("*** " & testcasename() & ": ", match(v_decrypted_message,m_etsiTs103097Data_signed(mw_signedData(-,mw_toBeSignedData(-,mw_headerInfo_outer_pki_request())))) ); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict log("*** " & testcasename() & ": PASS: EC request contains valid outer signed structure ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_09_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_09_BV /** * @desc The EtsiTs103097Data-Encrypted containing the correctly encrypted ciphertext and a recipients * component containing one instance of RecipientInfo of choice certRecipInfo containing the * hashedId8 of the EA certificate in recipientId and the encrypted data encryption key in encKey. * The data encryption key is encrypted using the public key found in the EA certificate referenced * in the recipientId. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing recipients * containing exactly one instance of RecipientInfo of choice certRecipInfo * containing recipientId * indicating the hashedId8 * referencing to the EA certificate * containing encryptionKey (KEY) * and containing encKey * being a symmetric key (SYMKEY) encrypted using the key KEY * containing ciphertext * which is encrypted using the symmetric key SYMKEY contained in encKey * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_10_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_10_BV_1() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_10_BV_mtc(c_stInitial); } // End of TC_SECPKI_ITSS_ENR_10_BV_1 testcase TC_SECPKI_ITSS_ENR_10_BV_2() runs on ItsMtc system ItsPkiItssSystem { f_TC_SECPKI_ITSS_ENR_10_BV_mtc(c_stEnrolled); } // End of TC_SECPKI_ITSS_ENR_10_BV_2 group f_TC_SECPKI_ITSS_ENR_10_BV { function f_TC_SECPKI_ITSS_ENR_10_BV_mtc(in charstring p_itss_state) runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components if(p_itss_state == c_stEnrolled) { v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); } else { v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); } v_ea.start(f_TC_SECPKI_ITSS_ENR_10_BV_pki(p_itss_state)); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of f_TC_SECPKI_ITSS_ENR_10_BV_mtc function f_TC_SECPKI_ITSS_ENR_10_BV_pki( in charstring p_itss_state ) runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); if (p_itss_state == c_stEnrolled) { var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; if (not(f_await_ec_request_send_response( v_inner_ec_request, v_inner_ec_response, v_request))) { log("*** " & testcasename() & ": INFO: First InnerEcRequest error ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } log("*** " & testcasename() & ": INFO: First InnerEcRequest received ***"); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { mw_recipientInfo_certRecipInfo( mw_pKRecipientInfo(vc_eaHashedId8) ) } )))))), v_request) { var Ieee1609Dot2Data v_decrypted_message; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var Ieee1609Dot2Data v_response_message; var EtsiTs102941Data v_pki_request; var Oct16 v_request_hash, v_aes_enc_key; var PublicVerificationKey v_canonical_key; tc_ac.stop; f_send_500_Internal_Error(v_headers); // we don't care about response log("*** " & testcasename() & ": PASS: EC request sent to proper EA recipient ***"); if (not(f_read_ec_request_from_iut_itss(v_request.request.body.binary_body.ieee1609dot2_data, v_request_hash, v_aes_enc_key, v_decrypted_message, v_pki_request, v_inner_ec_request))) { log("*** " & testcasename() & ": FAIL: Can't parse enrolment request***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Set verdict log("*** " & testcasename() & ": PASS: EC request can be decrypted ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { f_send_500_Internal_Error(v_headers); // we don't care about response log("*** " & testcasename() & ": FAIL: EC request sent to wrong recipient ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_10_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_10_BV /** * @desc In the inner signed data structure (InnerECRequestSignedForPOP), the signature is computed * on InnerECRequest with the private key corresponding to the new verificationKey to prove * possession of the generated verification key pair. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing InnerECRequestSignedForPOP * containing tbsData * containing InnerEcRequest * containing verificationKey (VKEY) * containing signature * computed on InnerECRequest * using the private key corresponding to VKEY * contained in InnerECRequest * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_11_BV * @reference ETSI TS 102 941, clause 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_11_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_11_BV /** * @desc Check that signing of Enrolment HttpRequest message is permitted by the EC certificate. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted * containing an encrypted EtsiTs103097Data-Signed * containing signer * containing digest * indicating HashedId8 of the EC certificate * containing appPermissions * containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * and containing ssp * containing opaque[0] (version) * indicating 1 * containing opaque[1] (value) * indicating "Enrolment Request" (bit 1) set to 1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_12_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_12_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_REENROLMENT ) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SECPKI_REENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_03_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_12_BV } // End of group itss_enrolment_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.2.2 Enrollment response handling group itss_enrolment_response { /** * @desc If an enrolment request fails, the IUT returns to the state 'initialized'. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an EnrolmentRequestMessage * and the EnrolmentResponseMessage is received * containing a responseCode different than 0 * } * then { * the IUT returns to the "initialized" state * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_RECV_01_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_RECV_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_ENR_RECV_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_RECV_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of TC_SECPKI_ITSS_ENR_RECV_01_BV group f_TC_SECPKI_ITSS_ENR_RECV_01_BV { function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var boolean v_iut_state_ok := false; // Test component configuration vc_hashedId8ToBeUsed := ""; // No certificates f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body tc_ac.start; // TDOD To refined, use altstep alt { [] utPort.receive(UtPkiTriggerInd: { state := 0 }) { tc_ac.stop; v_iut_state_ok := true; log("*** " & testcasename() & "_itss: INFO: IUT is in initialized state ***"); } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); //f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { if (v_iut_state_ok == true) { log("*** " & testcasename() & "_itss: : PASS: Enrolment trigger processed succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("Did not receive IUT state update"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_itss function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result, -, -, cantparse); // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": INFO: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_01_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_RECV_01_BV /** * @desc The IUT is capable of parsing and handling of positive EnrolmentResponse messages * containing the requested EC. In case of a successful enrolment, the IUT switches * to the state 'enrolled'. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT * Expected behaviour: * ensure that { * when { * the IUT is requested to send an initial EnrolmentRequestMessage * and when the IUT receives a subsequent EnrolmentResponseMessage as an answer of the EA * containing a responseCode * indicating 0 * and containing an enrolment certificate * } * then { * the IUT switches to the "enrolled" state * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_RECV_02_BV * @reference ETSI TS 102 941, clause 6.1.3, 6.2.3.2.1 */ testcase TC_SECPKI_ITSS_ENR_RECV_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_RECV_02_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_RECV_02_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_RECV_02_BV group f_TC_SECPKI_ITSS_ENR_RECV_02_BV { function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var boolean v_iut_state_ok := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body tc_ac.start; // TDOD To refined, use altstep alt { [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { tc_ac.stop; v_iut_state_ok := true; log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***"); } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); //f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { if (v_iut_state_ok == true) { log("*** " & testcasename() & "_itss: : PASS: Enrolment trigger processed succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("Did not receive IUT state update"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_itss function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; tc_ac.stop; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": INFO: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_RECV_02_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_RECV_02_BV } // End of group itss_enrolment_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.2.3 Enrollment request repetition group itss_enrollment_request_repetition { /** * @desc Check that IUT repeats an enrollment request when response has not been received *
* Pics Selection: PICS_SECPKI_ENROLLMENT_RETRY * Initial conditions: { * the IUT being in the 'initialized' state * and the IUT already sent the Enrollment Request at the time T1 * and the IUT has not yet received the Enrollment Response * } * Expected behaviour: * ensure that { * when { * the IUT local time is reached the T1 + PIXIT_ENR_TIMEOUT_TH1 * } * then { * the IUT sends to EA an EnrollmentRequestMessage * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_01_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_ENR_REP_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_01_BV_itss()); // reuse from ENR group v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_REP_01_BV group f_TC_SECPKI_ITSS_ENR_REP_01_BV { function f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); tc_ac.start; alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { log("*** " & testcasename() & ": INFO: First enrolment request received ***"); tc_ac.stop; f_http_restart("inner_ec_request"); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: First enrolment request not received received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_wait.start(PX_EC_REPETITION_TIMEOUT); alt { [] a_await_ec_http_request_from_iut(mw_http_ec_request_generic, v_request) { log("*** " & testcasename() & ": PASS: EC repetition has been received after a ", tc_wait.read, " ***"); tc_wait.stop; f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] tc_wait.timeout { log("*** " & testcasename() & ": FAIL: EC repetition was not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_01_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_REP_01_BV /** * @desc Check that IUT uses the same message to perform enrollment retry *
* Pics Selection: PICS_SECPKI_ENROLLMENT_RETRY * Initial conditions: { * the IUT being in the 'initialized' state * and the IUT already sent the Enrollment Request (M) * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to re-send an Enrollment Request * } * then { * the IUT sends M to EA * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_02_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_ENR_REP_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_REP_02_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_REP_02_BV group f_TC_SECPKI_ITSS_ENR_REP_02_BV { function f_TC_SECPKI_ITSS_ENR_REP_02_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: Enrolment trigger sent successfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_02_BV_itss function f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var HttpMessage v_initial_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_await_ec_request_send_error_response(v_initial_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; if (f_verify_repeated_request(v_request, v_initial_request) == false) { log("*** " & testcasename() & ": FAIL: Repetition request are different ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { // Repetition request are same var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Verify IUT response f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } else { // Send HTTP error 500 f_send_500_Internal_Error(v_headers); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_02_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_REP_02_BV /** * @desc Check that IUT stops sending the Enrollment Request message if Enrollment Response message has been received *
* Pics Selection: PICS_SECPKI_ENROLLMENT_RETRY * Initial conditions: { * the IUT being in the 'initialized' state * and the IUT has sent the Enrollment Request more than 1 time * } * Expected behaviour: * ensure that { * when { * the IUT receives an Enrollment Response * } * then { * the IUT stops sending Enrollment Requests to EA * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_03_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_ENR_REP_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SECPKI_ENROLLMENT_RETRY required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_REP_03_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_REP_03_BV group f_TC_SECPKI_ITSS_ENR_REP_03_BV { function f_TC_SECPKI_ITSS_ENR_REP_03_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_03_BV_itss function f_TC_SECPKI_ITSS_ENR_REP_03_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var HttpMessage v_initial_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_await_ec_request_send_error_response(v_initial_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; tc_ac.stop; // Verify IUT response // Verify when requests are same if (f_verify_repeated_request(v_request, v_initial_request) == false) { log("*** " & testcasename() & ": FAIL: Repetition request are different ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } else { // Send HTTP error 500 f_send_500_Internal_Error(v_headers); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_03_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_REP_03_BV /** * @desc Check that IUT stops sending the Enrollment Request message if maximum number of retry has been reached *
* Pics Selection: PICS_SECPKI_ENROLLMENT_RETRY * Initial conditions: { * the IUT being in the 'initialized' state * and the IUT has started sending the Enrollment Request * } * Expected behaviour: * ensure that { * when { * the IUT sent the PIXIT_ENR_MAX_N1 Enrollment Request messages * } * then { * the IUT stops sending Enrollment Requests * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_04_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_ENR_REP_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLLMENT or PICS_SECPKI_ENROLMENT_RETRY required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_REP_04_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_REP_04_BV group f_TC_SECPKI_ITSS_ENR_REP_04_BV { function f_TC_SECPKI_ITSS_ENR_REP_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_04_BV_itss function f_TC_SECPKI_ITSS_ENR_REP_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var HttpMessage v_initial_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body for (var integer v_i := 0; v_i < PX_ENR_MAX_N1; v_i := v_i + 1) { f_await_ec_request_send_error_response(v_initial_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); } // End of 'for' staement // Do not expect any repetition if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment not expected due to number of error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { log("*** " & testcasename() & ": INCONC: No more enrolment request done ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_04_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_REP_04_BV /** * @desc Check that IUT stops sending the Enrollment Request message if timeout has been reached *
* Pics Selection: PICS_SECPKI_ENROLLMENT_RETRY * Initial conditions: { * the IUT being in the 'initialized' state * and the IUT has started sending the Enrollment Request at the time T1 * } * Expected behaviour: * ensure that { * when { * the IUT sent the PIXIT_ENR_TIMEOUT_TH2 Enrollment Request messages * } * then { * the IUT stops sending an Enrollment Request messages * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_ENR_REP_05_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_ENR_REP_05_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SECPKI_ENROLLMENT_RETRY) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLLMENT or PICS_SECPKI_ENROLMENT_RETRY required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_ENR_REP_05_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_ENR_REP_05_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_ENR_REP_05_BV group f_TC_SECPKI_ITSS_ENR_REP_05_BV { function f_TC_SECPKI_ITSS_ENR_REP_05_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerEnrolmentRequestPrimitive(); tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_05_BV_itss function f_TC_SECPKI_ITSS_ENR_REP_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var HttpMessage v_initial_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_ec_response", v_headers); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start(PX_TAC * 1.1); // PIXIT_ENR_TIMEOUT_TH2 = PX_TAC * 1.1 alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; tc_ac.stop; // Verify IUT response if (f_verify_repeated_request(v_request, v_initial_request) == false) { log("*** " & testcasename() & ": FAIL: Repetition request are different ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { f_verify_http_ec_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_request, v_inner_ec_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } else { // Send HTTP error 500 f_send_500_Internal_Error(v_headers); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } [] tc_ac.timeout { // Do not expect any repetition var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment not expected due to timeout ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { log("*** " & testcasename() & ": INCONC: No more enrolment request done ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_ENR_REP_05_BV_pki } // End of group f_TC_SECPKI_ITSS_ENR_REP_05_BV } // End of group itss_enrollment_request_repetition // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.1 Authorization request group itss_authorization_request { /** * @desc Check that the ITS-S send the Authorization HttpRequest message to the Authorization Authority (AA) to request an authorization ticket. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to requested a new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_01_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.0 */ testcase TC_SECPKI_ITSS_AUTH_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_01_BV group f_TC_SECPKI_ITSS_AUTH_01_BV { function f_TC_SECPKI_ITSS_AUTH_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := ""; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); if (PX_TRIGGER_EC_BEFORE_AT) { f_sendUtTriggerEnrolmentRequestPrimitive(); tc_ac.start; alt { [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { tc_ac.stop; log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***"); } [LibItsPki_Pics.PICS_UT_STATE_INDICATION] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } [not(LibItsPki_Pics.PICS_UT_STATE_INDICATION)] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT doesn't support state indication. Assume it was well done.***"); } } // End of 'alt' statement } else { log("*** " & testcasename() & "_itss: DBG: Assume IUT already in enrolled state.***"); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_01_BV_itss function f_TC_SECPKI_ITSS_AUTH_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; var template (omit) EtsiTs103097Certificate v_ec_cert := omit; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { v_ec_cert := v_inner_ec_response.certificate; log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_ec_cert, v_inner_at_request, v_inner_at_response, v_response, v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtResponse received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_01_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_01_BV /** * @desc Check that the AuthorizationRequest message is encrypted and sent to only one Authorization Authority. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT being in the "operational state" * authorized with CERT_AA certificate * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to requested a new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * containing content.encryptedData.recipients * indicating size 1 * and containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the CERT_AA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_02_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_02_BV /** * @desc Check that the AuthorizationRequest message is encrypted using the encryptionKey found in the AA certificate referenced in recipientId. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT being in the "operational state" * authorized with AA certificate * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to requested a new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * containing content.encryptedData * containing ciphertext * containing data * encrypted using AA_ENC_PUB_KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_03_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_03_BV /** * @desc Check that the AuthorizationRequest message is never reused the same encryption key and nonce. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to requested a new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * containing content.encryptedData * containing ciphertext.aes128Ccm.nonce * indicating value not equal to the nonce in N previous messages * and containing recipients[0].certRecipInfo.encKey * containing encrypted symmetric key (S_KEY) * indicating symmetric key not equal to the key was used in N previous messages * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_04_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_04_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_04_BV group f_TC_SECPKI_ITSS_AUTH_04_BV { function f_TC_SECPKI_ITSS_AUTH_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest := int2oct(0, 8); var EtsiTs103097Certificate v_certificate; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble // First enrolment geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate) { tc_ac.stop; if (PX_TRIGGER_EC_BEFORE_AT) { f_sendUtTriggerEnrolmentRequestPrimitive(); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body // N authorization for (var integer v_i := 0; v_i < PX_RE_AUTHORIZATION_COUNTER; v_i := v_i + 1) { f_sendUtTriggerAuthorizationRequestPrimitive(); f_sleep(PX_RE_AUTHORIZATION_DELAY); } // End of 'for' statement log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_itss function f_TC_SECPKI_ITSS_AUTH_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var integer v_counter := 0; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var InnerAtRequest v_inner_at_request; var ListOfPublicVerificationKey v_generated_keys; var integer v_result; // Test component configuration f_cfHttpUp(); // Test adapter configuration // Preamble /*f_init_default_headers_list(-, "inner_at_response", v_headers); // Wait for the first enrolment response tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_request.headers, v_inner_at_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey; v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_request.headers, v_inner_at_request, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey)), "***"); if (match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey))) { v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey; v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { if (v_counter == PX_RE_AUTHORIZATION_COUNTER) { log("*** " & testcasename() & ": PASS: InnerAtRequest received with different key pairs ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } } // End of 'alt' statement */ // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_04_BV /** * @desc Check that the Authozation request protocol version is set to 1. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to requested a new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * containing version * indicating value 1 * and containing content * containing autihorizationRequest * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_05_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_05_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_05_BV /** * @desc Check that for each authorization request the ITS-S generates a new verification key pair * Check that for each authorization request the ITS-S generates a new encryption key pair * Check that for each authorization request the ITS-S generates a new hmac-key *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT in 'enrolled' state * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request new Authorization Ticket (AT) * } * then { * the IUT sends a EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing publicKeys * containing verificationKey * indicating value not equal to the field verificationKey of N previous messages * and not containing encryptionKey * or containing encryptionKey * indicating value not equal to the field encryptionKey of N previous messages * and containing hmacKey * indicating value not equal to the field hmacKey of N previous messages * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_06_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_06_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_06_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_06_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_06_BV group f_TC_SECPKI_ITSS_AUTH_06_BV { function f_TC_SECPKI_ITSS_AUTH_06_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest := int2oct(0, 8); var EtsiTs103097Certificate v_certificate; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble // First enrolment geoNetworkingPort.clear; tc_ac.start; alt { [] a_await_cam_with_current_cert(v_certificate) { tc_ac.stop; if (PX_TRIGGER_EC_BEFORE_AT) { f_sendUtTriggerEnrolmentRequestPrimitive(); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed ))) { repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected CA message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body // N authorization for (var integer v_i := 0; v_i < PX_RE_AUTHORIZATION_COUNTER; v_i := v_i + 1) { f_sendUtTriggerAuthorizationRequestPrimitive(); f_sleep(PX_RE_AUTHORIZATION_DELAY); } // End of 'for' statement log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_itss function f_TC_SECPKI_ITSS_AUTH_06_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var integer v_counter := 0; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var InnerAtResponse v_inner_at_response; var ListOfPublicVerificationKey v_generated_keys; var ListOfPublicEncryptionKey v_enc_key; var ListofHmacKey v_hmac_key; var InnerAtRequest v_inner_at_request; var InnerEcResponse v_inner_ec_response; var integer v_result; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); // Wait for the first enrolment response tc_ac.start; for (var integer v_j := 0; v_j < PX_RE_AUTHORIZATION_COUNTER-1; v_j := v_j + 1) { alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey; v_enc_key[v_counter] := v_inner_at_request.publicKeys.encryptionKey; v_hmac_key[v_counter] := v_inner_at_request.hmacKey v_counter := v_counter + 1; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } } // End of 'alt' statement // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey)), "***"); if (match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey))) { v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } if(ispresent(v_inner_at_request.publicKeys.encryptionKey)){ log("*** " & testcasename() & ": LOG: ", match(v_enc_key, superset(v_inner_at_request.publicKeys.encryptionKey)), "***"); if (match(v_enc_key, superset(v_inner_at_request.publicKeys.encryptionKey))) { v_enc_key[v_counter] := v_inner_at_request.publicKeys.encryptionKey; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } } log("*** " & testcasename() & ": LOG: ", match(v_hmac_key, superset(v_inner_at_request.hmacKey)), "***"); if (match(v_hmac_key, superset(v_inner_at_request.hmacKey))) { v_hmac_key[v_counter] := v_inner_at_request.hmacKey; f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } v_counter := v_counter + 1; } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_06_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_06_BV /** * @desc Check that ITS-S sends Authorization request with a keyTag field computed as described in ETSI TS 102 941 [1], clause 6.2.3.3.1 *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT in 'enrolled' state * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request a new Authorization Ticket (AT) * } * then { * the IUT sends a EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing sharedAtRequest * containing keyTag * indicating properly calculated value * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_07_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_07_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_07_BV /** * @desc Check that ITS-S sends Authorization request with eaId of EA certificate *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT is enrolled by the EC, signed with the CERT EA certificate * the IUT being in the "operational" state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request new Authorization Ticket (AT) * } * then { * the IUT sends a EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing sharedAtRequest * containing eaId * indicating HashedId8 of CERT_ EA certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_08_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_08_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_08_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_08_BV group f_TC_SECPKI_ITSS_AUTH_08_BV { function f_TC_SECPKI_ITSS_AUTH_08_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); var charstring v_ea_certificate_id := "CERT_TS_A_EA"; var Oct32 v_hash; var HashedId8 v_ea_certificate_hashed_id8; f_getCertificateHash256(v_ea_certificate_id, v_hash); v_ea_certificate_hashed_id8 := f_hashedId8FromSha256(v_hash); log("*** " & testcasename() & ": DEBUG: v_ea_certificate_hashed_id8= ", v_ea_certificate_hashed_id8); if(ispresent(v_inner_at_request.sharedAtRequest.eaId)){ if (match(v_inner_at_request.sharedAtRequest.eaId, v_ea_certificate_hashed_id8) == true) { // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtResponse received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_08_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_08_BV /** * @desc Check that ITS-S sends Authorization request with the certificateFormat equal to 1 *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT in 'enrolled' state * and the AA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request new Authorization Ticket (AT) * } * then { * the IUT sends a EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing sharedAtRequest * containing certificateFormat * indicating 1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_09_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_09_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_09_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_08_BV group f_TC_SECPKI_ITSS_AUTH_09_BV { function f_TC_SECPKI_ITSS_AUTH_09_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); if(ispresent(v_inner_at_request.sharedAtRequest.certificateFormat)){ if (v_inner_at_request.sharedAtRequest.certificateFormat == 1) { // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtResponse received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_09_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_09_BV /** * @desc Check that ITS-S sends Authorization request certificate attributes are properly set *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT in 'enrolled' state * and the AA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request new Authorization Ticket (AT) * } * then { * the IUT sends a EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing sharedAtRequest * containing requestedSubjectAttributes * containing appPermissions * and not containing certIssuePermissions * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_10_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_10_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_10_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_08_BV group f_TC_SECPKI_ITSS_AUTH_10_BV { function f_TC_SECPKI_ITSS_AUTH_10_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); if(ispresent(v_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions)){ if (not(ispresent(v_inner_at_request.sharedAtRequest.requestedSubjectAttributes.certIssuePermissions))) { // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtResponse received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_10_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_10_BV /** * @desc Check that the ecSignature of the Authorization request is signed with EC certificate * Check that the signature over tbsData computed using the private key corresponding to * the EC's verification public key. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT is enrolled with CERT_EC certificate * and the AA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing ecSignature * containing structure of type EtsiTs103097Data-SignedExternalPayload * containing signer * indicating HashedId8 of the CERT_EC certificate * containing signature * indicating signature over sharedATRequest calculated with CERT_EC verificationKey * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_14_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_14_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_14_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_14_BV group f_TC_SECPKI_ITSS_AUTH_14_BV { function f_TC_SECPKI_ITSS_AUTH_14_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; var boolean v_contains_ecsignature; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss_for_ecSignature(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result, v_contains_ecsignature); log("f_TC_SECPKI_ITSS_AUTH__BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtResponse received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_14_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_14_BV /** * @desc Check that the ecSignature of the Authorization request is not encrypted *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION * Initial conditions: * with { * the IUT in 'enrolled' state * and the AA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request new Authorization Ticket (AT) * } * then { * the IUT sends EtsiTs103097Data to the AA * containing EtsiTs102941Data * containing authorizationRequest * containing ecSignature * containing ecSignature * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_16_BV * @reference ETSI TS 102 941 [2], clause 6.2.3.3.1 */ testcase TC_SECPKI_ITSS_AUTH_16_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_16_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_16_BV group f_TC_SECPKI_ITSS_AUTH_16_BV { function f_TC_SECPKI_ITSS_AUTH_16_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; var boolean v_contains_ecsignature; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss_for_ecSignature(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result, v_contains_ecsignature); log("f_TC_SECPKI_ITSS_AUTH__BV_pki: v_result: ", v_result); log("f_TC_SECPKI_ITSS_AUTH_01_BV_pki: v_response: ", v_response); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0 and v_contains_ecsignature == true) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtResponse received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT an AuthorizationRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_16_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_16_BV } // End of group itss_authorization_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.2 Authorization response handling group itss_authorization_response { // Void } // End of group itss_authorization_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.3 Authorization request repetition group itss_authorization_request_repetition { /** * @desc Check that IUT repeats an authorization request when response has not been received *
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY * Initial conditions: { * the IUT being in the 'enrolled' state * and the IUT already sent the Authorization Request at the time T1 * and the IUT has not yet received the Authorization Response * } * Expected behaviour: * ensure that { * when { * the IUT local time is reached the T1 + PIXIT_AUTH_TIMEOUT_TH1 * } * then { * the IUT sends to EA an AuthorizationRequestMessage * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_01_BV * @reference ETSI TS 103 601, clause 5.2 */ testcase TC_SECPKI_ITSS_AUTH_REP_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_REP_01_BV group f_TC_SECPKI_ITSS_AUTH_REP_01_BV { function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_itss function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { f_await_ec_request_send_error_response(v_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); } // Wait for the repetition if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); v_inner_ec_response.certificate := omit; } // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_01_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_REP_01_BV /** * @desc Check that IUT uses the same message to perform authorization retry *
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY * Initial conditions: { * the IUT being in the 'enrolled' state * and the IUT already sent the Authorization Request at the time T1 * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to re-send an AuthorizationRequestMessage to AA * } * then { * the IUT sends M to AA * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_02_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_AUTH_REP_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_02_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_02_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_REP_02_BV group f_TC_SECPKI_ITSS_AUTH_REP_02_BV { function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_itss function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { f_await_ec_request_send_error_response(v_initial_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); } // Wait for the repetition if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body if (f_verify_repeated_request(v_request, v_initial_request) == false) { log("*** " & testcasename() & ": FAIL: Repeatition request are different ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: Repeatition request are different ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } // Postamble // Process the next request tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": INFO: InnerEcRequest received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_02_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_REP_02_BV /** * @desc Check that IUT stops sending the Authorization Request message if Authorization Response message has been received *
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY * Initial conditions: { * the IUT being in the 'enrolled' state * and the IUT has sent the Authorization Request more than 1 time * } * Expected behaviour: * ensure that { * when { * the IUT receives an Authorization Response * } * then { * the IUT stops sending Authorization Requests to AA * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_03_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_AUTH_REP_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_03_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_REP_03_BV group f_TC_SECPKI_ITSS_AUTH_REP_03_BV { function f_TC_SECPKI_ITSS_AUTH_REP_03_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_03_BV_itss function f_TC_SECPKI_ITSS_AUTH_REP_03_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { f_await_ec_request_send_error_response(v_initial_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); } // Wait for the repetition if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Test Body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response if (f_verify_repeated_request(v_request, v_initial_request) == false) { log("*** " & testcasename() & ": FAIL: Repeatition request are different ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_03_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_REP_03_BV /** * @desc Check that IUT stops sending the Authorization Request message if maximum number of retry has been reached *
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY * Initial conditions: { * the IUT being in the 'enrolled' state * and the IUT has sent the Authorization Request * } * Expected behaviour: * ensure that { * when { * the IUT sent the PIXIT_AUTH_MAX_N1 Authorization Request messages * } * then { * the IUT stops sending Authorization Requests * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_04_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_AUTH_REP_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_04_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_AUTH_REP_04_BV group f_TC_SECPKI_ITSS_AUTH_REP_04_BV { function f_TC_SECPKI_ITSS_AUTH_REP_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_04_BV_itss function f_TC_SECPKI_ITSS_AUTH_REP_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_initial_request; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble for (var integer v_i := 0; v_i < PX_AUTH_MAX_N1; v_i := v_i + 1) { if (PX_TRIGGER_EC_BEFORE_AT) { f_await_ec_request_send_error_response(v_initial_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); } f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // End of 'for' staement // Do not expect any repetition if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment not expected due to number of error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { log("*** " & testcasename() & ": INCONC: No more enrolment request done ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } else { f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_04_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_REP_04_BV /** * @desc Check that IUT stops sending the Authorization Request message if timeout has been reached *
* Pics Selection: PICS_SECPKI_AUTHORIZATION_RETRY * Initial conditions: { * the IUT being in the 'enrolled' state * and the IUT has started sending the Authorization Request at the time T1 * } * Expected behaviour: * ensure that { * when { * the IUT local time is reached the T1 + PIXIT_AUTH_TIMEOUT_TH2 * } * then { * the IUT stops sending an Authorization Request messages * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_AUTH_REP_05_BV * @reference ETSI TS 103 601, clause 5.1.2 */ testcase TC_SECPKI_ITSS_AUTH_REP_05_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start component v_itss.start(f_TC_SECPKI_ITSS_AUTH_REP_05_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } group f_TC_SECPKI_ITSS_AUTH_REP_05_BV { function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_itss function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcResponse v_inner_ec_response; var InnerEcRequest v_inner_ec_request; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "inner_at_response", v_headers); if (PX_TRIGGER_EC_BEFORE_AT) { f_await_ec_request_send_error_response(v_request); log("*** " & testcasename() & ": INFO: Reply with 400 Bad Request error message ***"); } else { f_selfOrClientSyncAndVerdict(c_prDone, e_success); } // Do not expect any repetition if (PX_TRIGGER_EC_BEFORE_AT) { if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // Test Body tc_ac.start(PX_TAC * 1.1); // for different timer PIXIT_AUTH_TIMEOUT_TH2 alt { [] a_await_at_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_AT, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; tc_ac.stop; // Verify IUT response f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { var octetstring v_msg; var octetstring v_hashed_id8; log("*** " & testcasename() & ": PASS: InnerAtRequest received ***"); v_msg := bit2oct(encvalue(v_inner_at_response.certificate)); if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) { v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg)); } else { v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); } infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate }); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AA an AuthorizationRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": PASS: Expected no AuthorizationRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_AUTH_REP_05_BV_pki } // End of group f_TC_SECPKI_ITSS_AUTH_REP_05_BV } // End of group itss_authorization_request_repetition // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.3.4 Authorization using butterfly key expansion mechanism group itss_authorization_request_bfk { /** * @desc Check that the ITS-S send the EtsiTs103097Data to the Enrollment Authority (EA) to request a batch of authorization tickets Check that this message is encrypted and addressed to a single recipient. *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH * Initial conditions: * with { * the IUT being in the "initial state" and * the EA in 'operational' state * authorized with enrollment certificate CERT_IUT_A_EA * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request a new batch of authorization tickets * } * then { * the IUT sends a EtsiTs103097Data to the EA * containing content.encryptedData * containing recipients * indicating size 1 * and containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the CERT_IUT_A_EA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_01_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.1 */ testcase TC_SECPKI_ITSS_BFK_AUTH_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_01_BV group f_TC_SECPKI_ITSS_BFK_AUTH_01_BV { function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); tc_ac.start; // TDOD To refined, use altstep alt { [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { tc_ac.stop; log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***"); } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); // TODO FSCOM Add BFK mode tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_BFK_AUTH, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var EeRaCertRequest v_bfk_authorization_request; var RaEeCertInfo v_bfk_authorization_response; tc_ac.stop; // Verify IUT response f_verify_http_bfk_authorization_request(v_request.request, v_headers, v_inner_ec_response.certificate, v_bfk_authorization_request, v_bfk_authorization_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } else { // Send HTTP error 500 f_send_500_Internal_Error(v_headers); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki } // End of group f_TC_SECPKI_ITSS_BFK_AUTH_01_BV /** * @desc Check that the ButterflyAuthorizationRequestMessage is signed using the EC certificate *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH * Initial conditions: * with { * the IUT being in the 'enrolled' state * with certificate CERT_EC * issued by CA authorized with CERT_IUT_A_EA * and the EA in 'operational' state * authorized with enrollment certificate CERT_IUT_A_EA * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request a new batch of authorization tickets * } * then { * the IUT sends a EtsiTs103097Data to the EA * containing content.encryptedData.cipherText * containing encrypted representation of EtsiTs103097Data * containing signedData * containing tbsData * containing psid * indicating AID_PKI_CERT_REQUEST * and containing generationTime * and not containing any other field * and containing payload.data * indicating EtsiTs102941Data * containing version * indicating ‘1’ * and containing content * containing butterflyAuthorizationRequest * indicating EeRaCertRequest * and containing signer * containing digest * indicating HashedId8 of the CERT_EC * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_02_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.2 */ testcase TC_SECPKI_ITSS_BFK_AUTH_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_02_BV /** * @desc Check that the ButterflyAuthorizationRequestMessage contains all required elements *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH * Initial conditions: * with { * the IUT being in the 'enrolled' state * and the EA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request a new batch of authorization tickets (AT) * } * then { * the IUT sends to the EA a EtsiTs103097Data * containing the EeRaCertRequest * containing version * indicating ‘2’ * and containing generationTime * indicating current ITS timestamp * and containing certificateType * indicating ‘explicit” * and containing tbsCert * containing id * indicating ‘none’ * and containing cracaId * indicating ‘000000’H * and containing crlSeries * indicating ‘0’ * and containing additionalParams * containing original * or containing unified * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.2 */ testcase TC_SECPKI_ITSS_BFK_AUTH_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_04_BV /** * @desc Check that the ButterflyAuthorizationRequestMessage contains newlly generated caterpillar public key *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH * Initial conditions: * with { * the IUT being in the 'authorized' state * and the IUT already sent one or more Butterfly Authorization Requests * and the EA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to request a new batch of authorization tickets (AT) * } * then { * the IUT sends to the EA a EtsiTs103097Data * containing the EeRaCertRequest * containing version * indicating ‘2’ * and containing generationTime * indicating current ITS timestamp * and containing certificateType * indicating ‘explicit” * and containing tbsCert * containing id * indicating ‘none’ * and containing cracaId * indicating ‘000000’H * and containing crlSeries * indicating ‘0’ * and containing additionalParams * containing original * or containing unified * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_ENR_03_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.2 */ testcase TC_SECPKI_ITSS_BFK_AUTH_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_itss()); v_ea.start(f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_BFK_AUTH_04_BV group f_TC_SECPKI_ITSS_BFK_AUTH_04_BV { function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var HashedId8 v_certificate_digest; var EtsiTs103097Certificate v_certificate; var InfoPortData v_info_port_data; var boolean v_start_awaiting := false; // Test component configuration vc_hashedId8ToBeUsed := PX_IUT_DEFAULT_CERTIFICATE; f_cfUp_itss(); // Test adapter configuration // Preamble // Initial state: No CAM shall be emitted geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive { log("No CA message expected"); f_selfOrClientSyncAndVerdict(c_prDone, e_error); } [] tc_noac.timeout { f_sendUtTriggerEnrolmentRequestPrimitive(); tc_ac.start; // TDOD To refined, use altstep alt { [] utPort.receive(UtPkiTriggerInd: { state := 1 }) { tc_ac.stop; log("*** " & testcasename() & "_itss: INFO: IUT is in enrol state ***"); } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: DBG: IUT state update not recieved ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement log("*** " & testcasename() & "_itss: : INFO: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } } // End of 'alt' statement // Test Body f_sendUtTriggerAuthorizationRequestPrimitive(); // TODO FSCOM Add BFK mode tc_ac.start; alt { [v_start_awaiting == true] a_await_cam_with_current_cert( v_info_port_data.at_certificate ) { log("*** " & testcasename() & ": PASS: IUT started to send CA message using new AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] geoNetworkingPort.receive { log("*** " & testcasename() & ": FAIL: IUT started to send CA message using wrong AT certificate ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] infoPort.receive(InfoPortData:?) -> value v_info_port_data { log("*** " & testcasename() & ": INFO: Received new AT certificate ***"); v_start_awaiting := true; repeat; } [] tc_ac.timeout { log("*** " & testcasename() & "_itss: : PASS: No CA message received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_itss function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var Headers v_headers; var HttpMessage v_request; var InnerEcRequest v_inner_ec_request; var InnerEcResponse v_inner_ec_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } // Test Body tc_ac.start; alt { [] a_await_ec_http_request_from_iut( mw_http_request( mw_http_request_post( PICS_HTTP_POST_URI_EC, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var HttpMessage v_response; var integer v_result; var EeRaCertRequest v_bfk_authorization_request; var RaEeCertInfo v_bfk_authorization_response; tc_ac.stop; // Verify IUT response f_verify_http_bfk_authorization_request(v_request.request, v_headers, v_inner_ec_response.certificate, v_bfk_authorization_request, v_bfk_authorization_response, v_response, v_result); // Send response if (isvalue(v_response)) { httpPort.send(v_response); } else { // Send HTTP error 500 f_send_500_Internal_Error(v_headers); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: InnerEcRequest received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of function f_TC_SECPKI_ITSS_BFK_AUTH_04_BV_pki } // End of group f_TC_SECPKI_ITSS_BFK_AUTH_04_BV /** * @desc Check that IUT downloads the AT certificates batch after receiving of positive ButterflyAuthorizationResponse message *
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT and PICS_SEC_BFK_AUTH * Initial conditions: * with { * the IUT being in the 'enrolled' state * and the EA in 'operational' state * and the IUT has sent the ButterflyAuthorizationRequestMessage * } * Expected behaviour: * ensure that { * when { * the IUT receives an EtsiTs102941Data as an answer of the EA * containing butterflyAuthorizationResponse * indicating RaEeCertInfo * containing generationTime * indicating GEN_TIME * and containing currentI * indicating VALUE_I * and containing requestHash * indicating REQ_HASH * and containing nextDlTime * indicating time between GEN_TIME and current time * } * then { * the IUT send the ButterflyAtDownloadRequestMessage * containing butterflyAtDownloadRequest * indicating EeRaDownloadRequest * containing generationTime * indicating value more than GEN_TIME * and containing filename * indicating string REQ_HASH + “_” + VALUE_I + “.zip” * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_BFK_CERTDNL_01_BV * @reference ETSI TS 102 941 [1], clauses 6.2.3.5.3 and 6.2.3.5.6 */ testcase TC_SECPKI_ITSS_BFK_CERTDNL_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_ENROLMENT or not PICS_SEC_BFK_AUTH) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_ENROLMENT or PICS_SEC_BFK_AUTH required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp01(v_itss, v_ea); // Start components v_itss.start(TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_itss()); v_ea.start(TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown01(v_itss, v_ea); } // End of testcase TC_SECPKI_ITSS_BFK_CERTDNL_01_BV group f_TC_SECPKI_ITSS_BFK_CERTDNL_01_BV { function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // FIXME TODO } // End of function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_itss function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // FIXME TODO } // End of function TC_SECPKI_ITSS_BFK_CERTDNL_01_BV_pki } // End of group f_TC_SECPKI_ITSS_BFK_CERTDNL_01_BV } // End of group itss_authorization_request_bfk // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.4 CTL handling group itss_ctl_handling { /** * @desc Check that the IUT trust the new RCA from the received ECTL *
* Pics Selection: * Initial conditions: { * the IUT does not trust the CERT_RCA_NEW * the IUT has received the TLM CTL * containing the CERT_RCA_NEW * } * Expected behaviour: * ensure that { * when { * the IUT received a CAM * signed with AT certificate * signed with AA certificate * signed with CERT_RCA_NEW * } * then { * the IUT accepts this CAM * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_01_BV * @reference ETSI TS 102 941, clause 6.3.5 */ testcase TC_SECPKI_ITSS_CTL_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_cpoc; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp03(v_itss, v_cpoc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTL_01_BV_itss()); v_cpoc.start(f_TC_SECPKI_ITSS_CTL_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown03(v_itss, v_cpoc); } // End of testcase TC_SECPKI_ITSS_CTL_01_BV group f_TC_SECPKI_ITSS_CTL_01_BV { function f_TC_SECPKI_ITSS_CTL_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingPdu v_securedGnPdu; var integer i; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerUpdateEctl(""); // FIXME Create PIXIT for ETCL URI f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body v_securedGnPdu := f_sendSecuredCam(cc_ectl_rca_new); // Check that the CAM message is forwarde to Facilies layer f_sleep(PX_TAC); for(i := 0; i < lengthof(vc_utInds) and not match(vc_utInds[i].rawPayload, valueof(v_securedGnPdu.gnPacket.packet.payload)); i := i + 1) { // empty on purpose } if(i < lengthof(vc_utInds)) { log("*** " & testcasename() & ": PASS: CA message was transmitted to upper layer ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: CA message was not transmitted to upper layer ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_CTL_01_BV_itss function f_TC_SECPKI_ITSS_CTL_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { var HashedId8 v_rca_hashed_id8; // Used for signature var Oct32 v_rca_private_key; var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8); f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key); f_readCertificate(cc_ectl_rca_new, v_rca_new); // Build the ToBeSignedTlmCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_tlm_full_ctl( f_getCurrentTime() / 1000 + 3600, 10, { m_ctrl_command_add( m_ctl_entry_rca( m_root_ca_entry( v_rca_new ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_rca_hashed_id8), v_signature ))); // Send response with CERT_RCA_NEW f_init_default_headers_list(-, "tlm_ectl", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown_tlm(); } // End of function f_TC_SECPKI_ITSS_CTL_01_BV_pki } // End of group f_TC_SECPKI_ITSS_CTL_01_BV /** * @desc Check that the IUT untrust the RCA when it is deleted from ECTL *
* Pics Selection: * Initial conditions: { * the IUT does not trust the CERT_RCA * the IUT has received the TLM CTL * not containing the CERT_RCA * } * Expected behaviour: * ensure that { * when { * the IUT received a CAM * signed with AT certificate * signed with AA certificate * signed with CERT_RCA * } * then { * the IUT rejects this CAM * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_02_BV * @reference ETSI TS 102 941, clause 6.3.5 */ testcase TC_SECPKI_ITSS_CTL_02_BV() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingPdu v_securedGnPdu; var integer i; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body v_securedGnPdu := f_sendSecuredCam(cc_ectl_rca_untrust); // Check that the CAM message is forwarde to Facilies layer f_sleep(PX_TAC); for(i := 0; i < lengthof(vc_utInds) and not match(vc_utInds[i].rawPayload, valueof(v_securedGnPdu.gnPacket.packet.payload)); i := i + 1) { // empty on purpose } if(i < lengthof(vc_utInds)) { log("*** " & testcasename() & ": FAIL: CA message was not transmitted to upper layer ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: CA message was transmitted to upper layer ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } // Postamble f_cfDown_itss(); } // End of testcase TC_SECPKI_ITSS_CTL_02_BV /** * @desc Check that the IUT trust the AA when it is received in RCA CTL *
* Pics Selection: * Initial conditions: { * the IUT is trusting the CERT_AA_NEW * the IUT has received the RCA CTL * containing the CERT_AA_NEW * and signed by CERT_RCA * } * Expected behaviour: * ensure that { * when { * the IUT received a CAM * signed with AT certificate * signed with AA_NEW certificate * } * then { * the IUT accepts this CAM * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_03_BV * @reference ETSI TS 102 941, clause 6.3.5 */ testcase TC_SECPKI_ITSS_CTL_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_dc; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp04(v_itss, v_dc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTL_03_BV_itss()); v_dc.start(f_TC_SECPKI_ITSS_CTL_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown04(v_itss, v_dc); } // End of testcase TC_SECPKI_ITSS_CTL_03_BV group f_TC_SECPKI_ITSS_CTL_03_BV { function f_TC_SECPKI_ITSS_CTL_03_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingPdu v_securedGnPdu; var integer i; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerRequestForRcaCtl(""); // FIXME Create PIXIT for RCA DC f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body v_securedGnPdu := f_sendSecuredCam(cc_ectl_aa_new); // Check that the CAM message is forwarde to Facilies layer f_sleep(PX_TAC); for(i := 0; i < lengthof(vc_utInds) and not match(vc_utInds[i].rawPayload, valueof(v_securedGnPdu.gnPacket.packet.payload)); i := i + 1) { // empty on purpose } if(i < lengthof(vc_utInds)) { log("*** " & testcasename() & ": PASS: CA message was transmitted to upper layer ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: CA message was not transmitted to upper layer ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_CTL_03_BV_itss function f_TC_SECPKI_ITSS_CTL_03_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; // Test component configuration f_cfHttpUp_ca(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_dc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_DC )), v_response ) { var HashedId8 v_aa_hashed_id8; // Used for signature var Oct32 v_aa_private_key; var EtsiTs103097Certificate v_aa_new; // The CERT_AA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash("CERT_IUT_AA", v_aa_hashed_id8); f_readSigningKey("CERT_IUT_AA", v_aa_private_key); f_readCertificate(cc_ectl_aa_new, v_aa_new); // Build the ToBeSignedRcaCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_rca_full_ctl( f_getCurrentTime() / 1000 + 3600, 10, { m_ctrl_command_add( m_ctl_entry_aa( m_aa_entry( v_aa_new, "" // FIXME PICS_AA_ENTRY_URL ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_aa_hashed_id8, v_aa_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_aa_hashed_id8), v_signature ))); // Send response with CERT_AA_NEW f_init_default_headers_list(-, "ca_request", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown_ca(); } // End of function f_TC_SECPKI_ITSS_CTL_03_BV_pki } // End of group f_TC_SECPKI_ITSS_CTL_03_BV /** * @desc Check that the IUT requests new ECTL when current one is expired *
* Pics Selection: * Initial conditions: { * the IUT already downloaded the TLM CTL * containing nextUpdate * indicating timestamp T1 * and containing CPOC URL * } * Expected behaviour: * ensure that { * when { * the T1 < CURRENT TIME * } * then { * the IUT sends a request to the CPOC for a new CTL * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_04_BV * @reference ETSI TS 102 941, clause 6.3.5 */ testcase TC_SECPKI_ITSS_CTL_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_tlm; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp03(v_itss, v_tlm); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTL_04_BV_itss()); v_tlm.start(f_TC_SECPKI_ITSS_CTL_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown03(v_itss, v_tlm); } // End of testcase TC_SECPKI_ITSS_CTL_04_BV group f_TC_SECPKI_ITSS_CTL_04_BV { function f_TC_SECPKI_ITSS_CTL_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingPdu v_securedGnPdu; var integer i; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerRequestForRcaCtl(""); // FIXME Create PIXIT for RCA DC f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body log("*** " & testcasename() & ": PASS: Trigger was sent ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_CTL_04_BV_itss function f_TC_SECPKI_ITSS_CTL_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variables var Headers v_headers; var HttpMessage v_response; var float v_t1 := 30.0; // nextUpdate expiry in second // := (f_getCurrentTime()/* - 1072915200000*/) / 1000; // nextUpdate expiry in second // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble f_init_default_headers_list(PICS_HEADER_CTL_CONTENT_TYPE, "tlm_request", v_headers); tc_ac.start; alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { var HashedId8 v_rca_hashed_id8; // Used for signature var Oct32 v_rca_private_key; var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8); f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key); f_readCertificate(cc_ectl_rca_new, v_rca_new); // Build the ToBeSignedTlmCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_tlm_full_ctl( f_getCurrentTime() / 1000 + 30, 10, { m_ctrl_command_add( m_ctl_entry_rca( m_root_ca_entry( v_rca_new ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_rca_hashed_id8), v_signature ))); // Send response with CERT_RCA_NEW f_init_default_headers_list(-, "tlm_ectl", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body tc_wait.start(v_t1); alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { tc_wait.stop; // TODO Send an error response (400 Bad request?) log("*** " & testcasename() & ": FAIL: ITSS TLM CTL request received before the tiemer expiry ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_error); } [] tc_wait.timeout { log("*** " & testcasename() & ": PASS: No ITSS TLM CTL request done before the timer expiry ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } // End of 'alt' statement // TODO Wait for the request after timer expiry // Postamble f_cfHttpDown_tlm(); } // End of testcase TC_SECPKI_ITSS_CTL_04_BV } // End of group f_TC_SECPKI_ITSS_CTL_04_BV /** * @desc Check that the IUT requests new RCA CTL when current one is expired *
* Pics Selection: * Initial conditions: { * the IUT already downloaded the RCA CTL * containing nextUpdate * indicating timestamp T1 * and containing RCA DC URL * } * Expected behaviour: * ensure that { * when { * the T1 < CURRENT TIME * } * then { * the IUT sends a request to the RCA DC for a new CTL * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTL_05_BV * @reference ETSI TS 102 941, clause 6.3.5 */ testcase TC_SECPKI_ITSS_CTL_05_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_dc; // Test control if (not PICS_IUT_ITS_S_ROLE) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp04(v_itss, v_dc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTL_05_BV_itss()); v_dc.start(f_TC_SECPKI_ITSS_CTL_05_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown04(v_itss, v_dc); } // End of testcase TC_SECPKI_ITSS_CTL_05_BV group f_TC_SECPKI_ITSS_CTL_05_BV { function f_TC_SECPKI_ITSS_CTL_05_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingPdu v_securedGnPdu; var integer i; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerRequestForRcaCtl(""); // FIXME Create PIXIT for RCA DC f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body log("*** " & testcasename() & ": PASS: Trigger was sent ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfDown_itss(); } // End of function f_TC_SECPKI_ITSS_CTL_05_BV_itss function f_TC_SECPKI_ITSS_CTL_05_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; var float v_t1 := 30.0; // nextUpdate expiry in second // := (f_getCurrentTime()/* - 1072915200000*/) / 1000; // nextUpdate expiry in second // Test component configuration f_cfHttpUp_ca(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_dc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_DC )), v_response ) { var HashedId8 v_aa_hashed_id8; // Used for signature var Oct32 v_aa_private_key; var EtsiTs103097Certificate v_aa_new; // The CERT_AA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash("CERT_IUT_AA", v_aa_hashed_id8); f_readSigningKey("CERT_IUT_AA", v_aa_private_key); f_readCertificate(cc_ectl_aa_new, v_aa_new); // Build the ToBeSignedRcaCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_rca_full_ctl( f_getCurrentTime() / 1000 + 30, 10, { m_ctrl_command_add( m_ctl_entry_aa( m_aa_entry( v_aa_new, "" // FIXME PICS_AA_ENTRY_URL ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_aa_hashed_id8, v_aa_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_aa_hashed_id8), v_signature ))); // Send response with CERT_AA_NEW f_init_default_headers_list(-, "ca_request", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body tc_wait.start(v_t1); alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { tc_wait.stop; // TODO Send an error response (400 Bad request?) log("*** " & testcasename() & ": FAIL: ITSS RCA DC request received before the tiemer expiry ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_error); } [] tc_wait.timeout { log("*** " & testcasename() & ": PASS: No RCA DC done before the timer expiry ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // TODO Wait for the request after timer expiry // Postamble f_cfHttpDown_ca(); } // End of testcase TC_SECPKI_ITSS_CTL_05_BV } // End of group f_TC_SECPKI_ITSS_CTL_05_BV group f_TC_SECPKI_ITSS_CTL_xx { function f_sendSecuredCam(in charstring p_certificate_id) runs on ItsPkiItss return GeoNetworkingPdu { // Local variables var GeoNetworkingPdu v_securedGnPdu; v_securedGnPdu := f_prepareSecuredCam(p_certificate_id, valueof(m_headerInfo_cam(-, (f_getCurrentTime() * 1000)/*us*/)), valueof(m_signerIdentifier_digest), f_getTsStationId()); log("f_sendSecuredCam: v_securedGnPdu= ", v_securedGnPdu); geoNetworkingPort.send(valueof(m_geoNwReq_linkLayerBroadcast(v_securedGnPdu))); return v_securedGnPdu; } function f_prepareSecuredCam( in charstring p_configId, in HeaderInfo p_headerInfo, in SignerIdentifier p_signerIdentifier, in template (value) StationId p_station_id := f_getTsStationId() ) runs on ItsPkiItss return GeoNetworkingPdu { // Local variables var GnNonSecuredPacket v_gnNonSecuredPacket; var octetstring v_gnPayload; var EtsiTs103097Data v_securedMessage; var LongPosVector v_longPosVector := valueof(m_dummyLongPosVector); log(">>> f_prepareSecuredCam"); // Build signed Ieee1609Dot2Data v_longPosVector.latitude := f_getTsLatitude(); v_longPosVector.longitude := f_getTsLongitude(); v_longPosVector.gnAddr := f_getTsGnLocalAddress(c_compNodeB); v_gnNonSecuredPacket := valueof(m_geoNwShbPacket( v_longPosVector )); // Encode CAM payload v_gnPayload := valueof( bit2oct( encvalue( m_camMsg_vehicle_HF_BV( valueof(p_station_id), f_getCurrentTime() mod 65536, // See ETSI EN 302 637-2 V1.3.0 - Clause B.3 generationDelatTime m_tsPosition )))); // Add BTP/CAM payload v_gnNonSecuredPacket.payload := int2oct(2001, 2) & int2oct(0, 2) & v_gnPayload; // Encode it log("f_prepareSecuredCam: v_gnNonSecuredPacket= ", v_gnNonSecuredPacket); v_gnPayload := bit2oct( encvalue( v_gnNonSecuredPacket ) ); log("f_prepareSecuredCam: v_gnPayload= ", v_gnPayload); f_buildGnSecuredCam( v_securedMessage, valueof(m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured( v_gnPayload )), p_headerInfo )), p_signerIdentifier, p_configId ); // Return secured Gn packet return valueof(m_geoNwSecPdu(v_gnNonSecuredPacket, v_securedMessage)); } // End of function f_prepareSecuredCam } // End of group f_TC_SECPKI_ITSS_CTL_xx } // End of group itss_ctl_handling // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.5 CTL distribution group itss_ctl_distribution { /** * @desc Check that the IUT retransmits the newly received Delta CTL *
* Pics Selection: PICS_UC_SEC_05_2 * Initial conditions: { * the IUT is configured to redistribute the Delta CTL * and the IUT doesn’t contain an CTL information * } * Expected behaviour: * ensure that { * when { * the IUT has received the Delta CTL * } * then { * the IUT is started to broadcast the received Delta CTL * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTLDIST_01_BV * @reference ETSI TS 103 601, clause 4.2.1.4 */ testcase TC_SECPKI_ITSS_CTLDIST_01_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_cpoc; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_UC_SEC_05_2) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_UC_SEC_05_2 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp03(v_itss, v_cpoc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTLDIST_01_BV_itss()); v_cpoc.start(f_TC_SECPKI_ITSS_CTLDIST_01_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown03(v_itss, v_cpoc); } // End of testcase TC_SECPKI_ITSS_CTLDIST_01_BV group f_TC_SECPKI_ITSS_CTLDIST_01_BV { function f_TC_SECPKI_ITSS_CTLDIST_01_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingInd v_geonetworking_message; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerUpdateEctl(""); // FIXME Create PIXIT for ETCL URI f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) -> value v_geonetworking_message { tc_ac.stop; if (f_verify_broadcasted_delta_ctl(v_geonetworking_message.msgIn) == false) { log("*** " & testcasename() & ": FAIL: Delta CTL was not successfully broadcasted ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: Delta CTL was successfully broadcasted ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_success); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function TC_SECPKI_ITSS_CTLDIST_01_BV_itss function f_TC_SECPKI_ITSS_CTLDIST_01_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { var HashedId8 v_rca_hashed_id8; // Used for signature var Oct32 v_rca_private_key; var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8); f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key); f_readCertificate(cc_ectl_rca_new, v_rca_new); // Build the ToBeSignedTlmCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_tlm_full_ctl( f_getCurrentTime() / 1000 + 3600, 10, { m_ctrl_command_add( m_ctl_entry_rca( m_root_ca_entry( v_rca_new ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_rca_hashed_id8), v_signature ))); // Send response with CERT_RCA_NEW f_init_default_headers_list(-, "tlm_ectl", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown_tlm(); } // End of function f_TC_SECPKI_ITSS_CTLDIST_01_BV_pki } // End of group f_TC_SECPKI_ITSS_CTLDIST_01_BV /** * @desc Check that the IUT retransmits the updated Delta CTL *
* Pics Selection: PICS_UC_SEC_05_2 * Initial conditions: { * the IUT is configured to redistribute the Delta CTL * and the IUT contains an CTL information * containing ctlSequence (SN) * } * Expected behaviour: * ensure that { * when { * the IUT has received the Delta CTL * containing ctlSequence * indicating value greater than SN * } * then { * the IUT is started to broadcast the received Delta CTL * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTLDIST_02_BV * @reference ETSI TS 103 601, clause 4.2.1.4 */ testcase TC_SECPKI_ITSS_CTLDIST_02_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_cpoc; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_UC_SEC_05_2) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_UC_SEC_05_2 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp03(v_itss, v_cpoc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTLDIST_02_BV_itss()); v_cpoc.start(f_TC_SECPKI_ITSS_CTLDIST_02_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown03(v_itss, v_cpoc); } // End of testcase TC_SECPKI_ITSS_CTLDIST_02_BV group f_TC_SECPKI_ITSS_CTLDIST_02_BV { function f_TC_SECPKI_ITSS_CTLDIST_02_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingInd v_geonetworking_message; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerUpdateEctl(""); // FIXME Create PIXIT for ETCL URI f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) -> value v_geonetworking_message { tc_ac.stop; if (f_verify_broadcasted_delta_ctl(v_geonetworking_message.msgIn) == false) { log("*** " & testcasename() & ": FAIL: Delta CTL was not successfully broadcasted ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: Delta CTL was successfully broadcasted ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_success); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function TC_SECPKI_ITSS_CTLDIST_02_BV_itss function f_TC_SECPKI_ITSS_CTLDIST_02_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { var HashedId8 v_rca_hashed_id8; // Used for signature var Oct32 v_rca_private_key; var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8); f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key); f_readCertificate(cc_ectl_rca_new, v_rca_new); // Build the ToBeSignedTlmCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_tlm_full_ctl( f_getCurrentTime() / 1000 + 3600, 10, { m_ctrl_command_add( m_ctl_entry_rca( m_root_ca_entry( v_rca_new ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_rca_hashed_id8), v_signature ))); // Send response with CERT_RCA_NEW f_init_default_headers_list(-, "tlm_ectl", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown_tlm(); } // End of function f_TC_SECPKI_ITSS_CTLDIST_02_BV_pki } // End of group f_TC_SECPKI_ITSS_CTLDIST_02_BV /** * @desc Check that the IUT is using the proper BTP port to broadcast the Delta CTL *
* Pics Selection: PICS_UC_SEC_05_2 * Initial conditions: { * the IUT is configured to support P2P X_DISTRIBUTION distribution * and the IUT has received the Delta X_DISTRIBUTION message * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to broadcast the Delta X_DISTRIBUTION message * } * then { * the IUT sends the X_MESSAGE * using the BTP port 2014 * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTLDIST_03_BV * @reference ETSI TS 103 601, clause 5.4.4 */ testcase TC_SECPKI_ITSS_CTLDIST_03_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_cpoc; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_UC_SEC_05_2) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_UC_SEC_05_2 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp03(v_itss, v_cpoc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTLDIST_03_BV_itss()); v_cpoc.start(f_TC_SECPKI_ITSS_CTLDIST_03_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown03(v_itss, v_cpoc); } // End of testcase TC_SECPKI_ITSS_CTLDIST_03_BV group f_TC_SECPKI_ITSS_CTLDIST_03_BV { function f_TC_SECPKI_ITSS_CTLDIST_03_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingInd v_geonetworking_message; var octetstring v_payload; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerUpdateEctl(""); // FIXME Create PIXIT for ETCL URI f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) -> value v_geonetworking_message { tc_ac.stop; if (f_verify_and_extract_payload(v_geonetworking_message.msgIn, -, v_payload) == false) { log("*** " & testcasename() & ": INCONC: Failed to verifiy payload ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout); } else { // TODO Check payload if (substr(v_payload, 0, 2) == int2oct(2014, 2)) { // TODO Reorganize CAM/DENM/BTP test suites log("*** " & testcasename() & ": PASS: Delta CTL was successfully broadcasted on the correct BTP port ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Delta CTL was not broadcasted on BTP port 114 ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function TC_SECPKI_ITSS_CTLDIST_03_BV_itss function f_TC_SECPKI_ITSS_CTLDIST_03_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { var HashedId8 v_rca_hashed_id8; // Used for signature var Oct32 v_rca_private_key; var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8); f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key); f_readCertificate(cc_ectl_rca_new, v_rca_new); // Build the ToBeSignedTlmCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_tlm_full_ctl( f_getCurrentTime() / 1000 + 3600, 10, { m_ctrl_command_add( m_ctl_entry_rca( m_root_ca_entry( v_rca_new ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_rca_hashed_id8), v_signature ))); // Send response with CERT_RCA_NEW f_init_default_headers_list(-, "tlm_ectl", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown_tlm(); } // End of function f_TC_SECPKI_ITSS_CTLDIST_03_BV_pki } // End of group f_TC_SECPKI_ITSS_CTLDIST_03_BV /** * @desc Check that the IUT stops to redistribute the Delta CTL if anorther node is also sending it *
* Pics Selection: PICS_UC_SEC_05_2 * Initial conditions: { * the IUT is configured to support P2P Delta X_DISTRIBUTION distribution * and the IUT has started broadcasting the Delta X_DISTRIBUTION message * signed with X_CERTIFICATE * and containing ctlSequence (SN) * } * Expected behaviour: * ensure that { * when { * the IUT has received the Delta X_DISTRIBUTION * signed with X_CERTIFICATE * and containing ctlSequence * indicating value equal or higher than SN * } * then { * the IUT stops broadfcasting the Delta X_DISTRIBUTION * signed with X_CERTIFICATE * and containing ctlSequence (SN) * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_ITSS_CTLDIST_04_BV * @reference ETSI TS 103 601, clause 5.4.4 */ testcase TC_SECPKI_ITSS_CTLDIST_04_BV() runs on ItsMtc system ItsPkiItssSystem { // Local variables var ItsPkiItss v_itss; var ItsPkiHttp v_cpoc; // Test control if (not PICS_IUT_ITS_S_ROLE or not PICS_UC_SEC_05_2) { log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_UC_SEC_05_2 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp03(v_itss, v_cpoc); // Start components v_itss.start(f_TC_SECPKI_ITSS_CTLDIST_04_BV_itss()); v_cpoc.start(f_TC_SECPKI_ITSS_CTLDIST_04_BV_pki()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); // Cleanup f_cfMtcDown03(v_itss, v_cpoc); } // End of testcase TC_SECPKI_ITSS_CTLDIST_04_BV group f_TC_SECPKI_ITSS_CTLDIST_04_BV { function f_broadcast_delta_ctl( in charstring p_certificate_id, out Ieee1609Dot2Data p_delta_ctl ) runs on ItsPkiItss return GeoNetworkingPdu { // Local variables var GeoNetworkingPdu v_securedGnPdu; log(">>> f_broadcast_delta_ctl"); v_securedGnPdu := f_prepareSecuredCam(p_certificate_id, valueof(m_headerInfo_cam(-, (f_getCurrentTime() * 1000)/*us*/)), valueof(m_signerIdentifier_digest), f_getTsStationId()); log("f_sendSecuredCam: v_securedGnPdu= ", v_securedGnPdu); geoNetworkingPort.send(valueof(m_geoNwReq_linkLayerBroadcast(v_securedGnPdu))); return v_securedGnPdu; } // End of function f_broadcast_delta_ctl function f_TC_SECPKI_ITSS_CTLDIST_04_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem { // Local variables var GeoNetworkingInd v_geonetworking_message; var octetstring v_payload; var Ieee1609Dot2Data v_delta_ctl; // Test component configuration f_cfUp_itss(); // Test adapter configuration // Preamble geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) { tc_ac.stop; f_sendUtTriggerUpdateEctl(""); // FIXME Create PIXIT for ETCL URI } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } } // End of 'alt' statement // Check that the IUT is boradcasting the Delta CTL geoNetworkingPort.clear; tc_ac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) -> value v_geonetworking_message { tc_ac.stop; if (f_verify_and_extract_payload(v_geonetworking_message.msgIn, -, v_payload) == false) { log("*** " & testcasename() & ": INCONC: Failed to verifiy payload ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { // TODO Check payload if (substr(v_payload, 0, 2) == int2oct(2014, 2)) { // TODO Reorganize CAM/DENM/BTP test suites log("*** " & testcasename() & ": INFO: Delta CTL was successfully broadcasted on the correct BTP port ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { log("*** " & testcasename() & ": INCONC: Delta CTL was not broadcasted on BTP port 114 ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictPreamble(c_tbDone, e_timeout); } } // End of 'alt' statement // Test Body // Delta CTL boradcasting from another node f_broadcast_delta_ctl(cc_ectl_rca_new, v_delta_ctl); // Check that the IUT stops broadcasting Delta CTL geoNetworkingPort.clear; tc_noac.start; alt { [] geoNetworkingPort.receive( mw_geoNwInd( mw_geoNwSecPdu( mw_etsiTs103097Data_signed( mw_signedData )))) -> value v_geonetworking_message { tc_noac.stop; if (f_verify_and_extract_payload(v_geonetworking_message.msgIn, -, v_payload) == false) { log("*** " & testcasename() & ": INCONC: Failed to verifiy payload ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } else { // TODO Check payload if (substr(v_payload, 0, 2) == int2oct(2014, 2)) { // TODO Reorganize CAM/DENM/BTP test suites log("*** " & testcasename() & ": FAIL: The IUT shall not continue Delta CTL broadcasting ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } else { tc_noac.start; repeat; } } } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT stops broadcasting Delta CTL ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfDown_itss(); } // End of function TC_SECPKI_ITSS_CTLDIST_04_BV_itss function f_TC_SECPKI_ITSS_CTLDIST_04_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem { // Local variable var HttpMessage v_response; var Headers v_headers; // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_cpoc_http_request_from_iut( mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM )), v_response ) { var HashedId8 v_rca_hashed_id8; // Used for signature var Oct32 v_rca_private_key; var EtsiTs103097Certificate v_rca_new; // The CERT_RCA_NEW var bitstring v_enc_msg; var ToBeSignedData v_tbs; var bitstring v_tbs_enc; var Oct32 v_tbs_signed; var Signature v_signature; var Ieee1609Dot2Data v_ieee1609dot2_signed_data; tc_ac.stop; // Read certificates f_getCertificateHash(PICS_IUT_CA_CERTIFICATE_ID, v_rca_hashed_id8); f_readSigningKey(PICS_IUT_CA_CERTIFICATE_ID, v_rca_private_key); f_readCertificate(cc_ectl_rca_new, v_rca_new); // Build the ToBeSignedTlmCtl data structure v_enc_msg := encvalue( valueof( m_to_be_signed_tlm_full_ctl( f_getCurrentTime() / 1000 + 3600, 10, { m_ctrl_command_add( m_ctl_entry_rca( m_root_ca_entry( v_rca_new ))) } ))); v_tbs := valueof( m_toBeSignedData( m_signedDataPayload( m_etsiTs103097Data_unsecured(bit2oct(v_enc_msg)) ), m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/) )); v_tbs_enc := encvalue(v_tbs); // Sign the certificate v_tbs_signed := f_signWithEcdsa(bit2oct(v_tbs_enc), v_rca_hashed_id8, v_rca_private_key); v_signature := valueof( m_signature_ecdsaNistP256( m_ecdsaP256Signature( m_eccP256CurvePoint_x_only( substr(v_tbs_signed, 0, 32) ), substr(v_tbs_signed, 32, 32) ))); log(testcasename() & ": v_signature= ", v_signature); v_ieee1609dot2_signed_data := valueof( m_etsiTs103097Data_signed( m_signedData( sha256, v_tbs, m_signerIdentifier_digest(v_rca_hashed_id8), v_signature ))); // Send response with CERT_RCA_NEW f_init_default_headers_list(-, "tlm_ectl", v_headers); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_data )), v_headers ))); log("*** " & testcasename() & ": INFO: CERT_RCA_NEW was sent to the IUT ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } // End of 'alt' statement // Test Body f_selfOrClientSyncAndVerdict(c_tbDone, e_success); // Postamble f_cfHttpDown_tlm(); } // End of function f_TC_SECPKI_ITSS_CTLDIST_04_BV_pki } // End of group f_TC_SECPKI_ITSS_CTLDIST_04_BV // TODO } // End of group itss_ctl_distribution // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.6 CRL handling group itss_crl_handling { // TODO To be done after validation of itss_ctl_handling group as CTL and CRL are close } // End of group itss_crl_handling // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.2.7 CRL distribution group itss_crl_distribution { // TODO To be done after validation of itss_ctl_distribution group as CTL and CRL are close } // End of group itss_crl_distribution } // End of group itss_behavior // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.3.1 Certificate validation group ca_behaviour { /** * @desc Check that the issuing certificate has version 3 *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing version * indicating value 3 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_01_BV * @reference ETSI TS 103 097 [2], clause 6 * IEEE Std 1609.2 [3], clause 6.4.3 */ testcase TC_SECPKI_CA_CERTGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_01_BV /** * @desc Check that the issuing certificate has type explicit *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * CA is initialized with the explicit certificate (CERT_IUT_A_RCA) * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing version * indicating value 3 * and containing type * indicating 'explicit' * and containing toBeSigned * containing verifyKeyIndicator * containing verificationKey * and containing signature * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BV_01 * @reference ETSI TS 103 097 [2], clause 6 * IEEE Std 1609.2 [3], clause 6.4.3 */ testcase TC_SECPKI_CA_CERTGEN_02_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES)) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_02_BV_01 /** * @desc Check that the CA, been authorized using explicit certificate, is able to issue an implicit certificate *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * CA is initialized with the explicit certificate (CERT_IUT_A_RCA) * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the implicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing version * indicating value 3 * and containing type * indicating 'implicit' * and containing toBeSigned * containing verifyKeyIndicator * containing reconstructionValue * and not containing signature * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BV_02 * @reference ETSI TS 103 097 [2], clause 6 * IEEE Std 1609.2 [3], clause 6.4.3 */ testcase TC_SECPKI_CA_CERTGEN_02_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) or not(PICS_SEC_IMPLICIT_CERTIFICATES)) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, true, true, true) == false) { // implicit, reconstructionKey and no signature log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_02_BV_02 /** * @desc Check that the CA, been authorized using explicit certificate, is able to issue an implicit certificate *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * CA is initialized with the explicit certificate (CERT_IUT_I_AA) * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the implicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing version * indicating value 3 * and containing type * indicating 'implicit' * and containing toBeSigned * containing verifyKeyIndicator * containing reconstructionValue * and not containing signature * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BV_03 * @reference ETSI TS 103 097 [2], clause 6 * IEEE Std 1609.2 [3], clause 6.4.3 */ testcase TC_SECPKI_CA_CERTGEN_02_BV_03() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) or not(PICS_SEC_IMPLICIT_CERTIFICATES)) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate("CERT_IUT_I_AA", -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate("CERT_IUT_I_AA", v_root_certificate) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_02_BV_03 /** * @desc Check that the CA, been authorized using implicit certificate, does not issue an explicit certificate *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * CA is initialized with the explicit certificate (CERT_IUT_I_AA) * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * the CA doesn’t issue the certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_02_BO_01 * @reference ETSI TS 103 097 [2], clause 6 * IEEE Std 1609.2 [3], clause 6.4.3 */ testcase TC_SECPKI_CA_CERTGEN_02_BO_01() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) or not(PICS_SEC_IMPLICIT_CERTIFICATES)) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and PICS_SEC_IMPLICIT_CERTIFICATES required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body v_result := f_get_root_ca_certificate("CERT_IUT_I_AA", true, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": PASS: No root certificate was generated ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": FAIL: Root certificate shall not be generated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_02_BO_01 /** * @desc Check that CA issues certificate conformed to ETSI TS 103 097 [1], clause 6 *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * CA is initialized with the explicit certificate (CERT_IUT_I_AA) * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBesigned * containing id * indicating 'none' or 'name' * and containing cracaId * indicating '000000'H * and containing crlSeries * indicating '0'D * and not containing certRequestPermissions * and not containing canRequestRollover * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_03_BV * @reference ETSI TS 103 097 [2], clause 6 */ testcase TC_SECPKI_CA_CERTGEN_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate("CERT_IUT_I_AA", -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate("CERT_IUT_I_AA", v_root_certificate) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_03_BV /** * @desc Check that the certificate issuer of certificates is referenced using digest * Check that right digest field is used to reference to the certificate *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * CA is initialized with the explicit certificate (C_ISSUER) * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing issuer * containing self * or containing X_DIGEST * indicating last 8 bytes of the hash of the certificate calculated using X_ALGORITHM * referenced to certificate * and containing toBeSigned * containing verifyKeyIndicator * containing verificationKey * containing X_KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_04_BV * @reference ETSI TS 103 097 [2], clause 6 */ testcase TC_SECPKI_CA_CERTGEN_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var charstring v_authorized_certificate; var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_authorized_certificate := "CERT_IUT_I_AA"; v_result := f_get_root_ca_certificate(v_authorized_certificate, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(v_authorized_certificate, v_root_certificate) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_04_BV /** * @desc Check that the CA is able to issue the certificate with the well-formed circular region validity restriction *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_CIRCULAR_REGION * Initial conditions: * with { * CA is in 'operational' state * the CA is authorized with CA certificate * containing toBeSigned * containing region * indicating REGION * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * containing circular region restriction * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing region * containing circularRegion * containing center * indicating a point inside the REGION * and containing radius * indicating a value when all points of the circle are inside the REGION * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_05_BV * @reference IEEE Std 1609.2 [2], clauses 6.4.20, 6.4.17, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_CIRCULAR_REGION) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_CIRCULAR_REGION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_05_BV /** * @desc Check that the CA is able to issue the certificate with the well-formed rectangular region validity restriction *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_RECTANGULAR_REGION * Initial conditions: * with { * CA is in 'operational' state * the CA is authorized with CA certificate * containing toBeSigned * containing region * indicating REGION * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * containing rectangular region restriction * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing region * containing rectangularRegion * containing items of type RectangularRegion * containing northwest * indicating a point inside the REGION * and containing southeast * indicating a point on the south and east from northwest * and inside the REGION * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_06_BV * @reference IEEE Std 1609.2 [2], clauses 6.4.20, 6.4.17, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_RECTANGULAR_REGION) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_RECTANGULAR_REGION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_06_BV /** * @desc Check that the CA is able to issue the certificate with the well-formed polygonal region validity restriction *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_POLYGONAL_REGION * Initial conditions: * with { * CA is in 'operational' state * the CA is authorized with CA certificate * containing toBeSigned * containing region * indicating REGION * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * containing polygonal region restriction * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing region * containing polygonalRegion * containing more than 2 items of type TwoDLocation * indicating points inside the REGION * and indicating unintercepting segments * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_07_BV * @reference IEEE Std 1609.2 [2], clauses 6.4.20, 6.4.17, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_POLYGONAL_REGION) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_POLYGONAL_REGION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_07_BV /** * @desc Check that the CA is able to issue the certificate with identified region validity restriction contains values that correspond to numeric country codes as defined by United Nations Statistics Division [5] *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION * Initial conditions: * with { * CA is in 'operational' state * the CA is authorized with CA certificate * containing toBeSigned * containing region * indicating REGION * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * containing identified region validity restriction * indicating country or area COUNTRY * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing region * containing identifiedRegion * containing 1 entry of type IdentifiedRegion * containing countryOnly * indicating integer representation of the identifier of country or area COUNTRY * or containing countryAndRegions * containing countryOnly * indicating integer representation of the identifier of country or area COUNTRY * or containing countryAndSubregions * containing country * indicating integer representation of the identifier of country or area COUNTRY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_08_BV * @reference IEEE Std 1609.2 [2], clauses 6.4.23 */ testcase TC_SECPKI_CA_CERTGEN_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_IDENTIFIED_REGION) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_08_BV /** * @desc Check that the identified region validity restriction of the subordinate certificate is included in the identified region validity restriction of the issuing certificate *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION * Initial conditions: * with { * CA is in 'operational' state * the CA is authorized with CA certificate * containing toBeSigned * containing region * containing identifiedRegion * containing countryOnly * indicating COUNTRY * or containing countryAndRegions * containing countryOnly * indicating COUNTRY * and containing regions * indicating REGIONS * or containing countryAndSubregions * containing country * indicating COUNTRY * and containing regionAndSubregions * indicating REGIONS and SUBREGIONS * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the certificate * containing identifiedRegion * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing region * containing identifiedRegion * containing countryOnly * indicating value = COUNTRY * or containing countryAndRegions * containing countryOnly * indicating value = COUNTRY * and containing regions * containing region identifiers contained in REGIONS * or containing countryAndSubregions * containing country * indicating value = COUNTRY * and containing regionAndSubregions * containing region identifiers contained in REGIONS * and containing subRegion identifiers contained in SUBREGIONS for every region * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_09_BV * @reference IEEE Std 1609.2 [2], clauses 6.4.17, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_IDENTIFIED_REGION) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_IDENTIFIED_REGION required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_09_BV /** * @desc Check that the certificate signature contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 or x_coordinate_only *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing signature * containing X_SIGNATURE * containing rSig * containing x-only * or containing compressed-y-0 * or containing compressed-y-1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_10_BV * @reference IEEE Std 1609.2 [3], clause 6.3.29, 6.3.30, 6.3.31 */ testcase TC_SECPKI_CA_CERTGEN_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_10_BV /** * @desc Check that the certificate verification key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 or uncompressed *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing verifyKeyIndicator * containing verificationKey * containing X_KEY * containing x-only * or containing compressed-y-0 * or containing compressed-y-1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_11_BV * @reference IEEE Std 1609.2 [3], clause 6.3.38 */ testcase TC_SECPKI_CA_CERTGEN_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_11_BV /** * @desc Check that the certificate encryption key contains ECC point of type set to either compressed_lsb_y_0, compressed_lsb_y_1 or uncompressed *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing encryptionKey * containing publicKey * containing X_KEY * containing uncompressed * or containing compressed-y-0 * or containing compressed-y-1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_12_BV * @reference IEEE Std 1609.2 [3], clause 6.3.38 */ testcase TC_SECPKI_CA_CERTGEN_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_12_BV /** * @desc Check the explicit certificate signature *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * and the CA is authorized with explicit certificate * containing toBeSigned * containing verifyKeyIndicator * containing verificationKey * containing X_KEY * } * Expected behaviour: * ensure that { * when { * the CA is requested to issue the explicit certificate * } * then { * this certificate is of type EtsiTs103097Certificate * containing issuer * referencing the certificate * containing toBeSigned * containing verifyKeyIndicator * containing verificationKey * containing X_KEY * indicating KEY * and containing signature * containing X_SIGNATURE * verifiable using KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_13_BV_01 * @reference ETSI TS 103 097 [1], clause 6 */ testcase TC_SECPKI_CA_CERTGEN_13_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_13_BV_01 /** * @desc Check the explicit certificate signature *
* Pics Selection: PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES * Initial conditions: * with { * CA is in 'operational' state * and the CA is authorized with explicit certificate * containing toBeSigned * containing verifyKeyIndicator * containing verificationKey * containing X_KEY * and the CA issued the implicit certificate of type EtsiTs103097Certificate (CERT) * not containing signature * and containing issuer * referencing the certificate * containing toBeSigned * containing verifyKeyIndicator * containing reconstructionValue * indicating VALUE * } * Expected behaviour: * ensure that { * when { * the CA is calculated the digital signature * using the private key associated with the CERT * } * then { * this signature can be verified using public key * reconstructed using VALUE and KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_13_BV_02 * @reference ETSI TS 103 097 [1], clause 6 */ testcase TC_SECPKI_CA_CERTGEN_13_BV_02() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, true, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_13_BV_02 /** * @desc Check that all PSID entries of the appPermissions component of the certificate are unique *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA issued the certificate * containing toBeSigned * containing appPermissions * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing appPermissions * containing items of type PsidSsp * containing psid * indicating unique values in this sequence * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_14_BV * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_14_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_14_BV /** * @desc Check that all PSID entries of the appPermissions component of the certificate are also contained in the certIssuePermissions component in the issuing certificate *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA issued the certificate * containing toBeSigned * containing appPermissions * } * then { * this certificate is of type EtsiTs103097Certificate * containing issuer * referenced to the certificate * containing toBeSigned * containing certIssuePermissions * containing items of type PsidGroupPermissions * containing eeType * indicating app(0) * and containing subjectPermissions * containing explicit * containing items of type PsidSspRange * indicating X_PSID_RANGE_LIST * or containing all * and containing toBeSigned * containing appPermissions * containing items of type PsidSsp * containing psid * contained in the X_PSID_RANGE_LIST * as a psid * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_15_BV * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_15_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_15_BV /** * @desc Check that all PSID entries of the certIssuePermissions component of the certificate are unique *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA issued the certificate * containing toBeSigned * containing certIssuePermissions * } * then { * this certificate is of type EtsiTs103097Certificate * containing issuer * containing toBeSigned * containing certIssuePermissions * containing items of type PsidGroupPermissions * containing subjectPermissions * containing explicit * and containing items of type PsidSspRange * containing psid * indicating unique values in this sequence * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_16_BV * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_16_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_16_BV /** * @desc Check that SSP field in each entry of the appPermissions component of the AT certificate is equal to or a subset of the SSP Range in the corresponding issuing entry *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * } * Expected behaviour: * ensure that { * when { * the CA issued the certificate * containing toBeSigned * containing certIssuePermissions * } * then { * this certificate is of type EtsiTs103097Certificate * containing issuer * referenced to the certificate * containing toBeSigned * containing certIssuePermissions * containing items of type PsidGroupPermissions * containing eeType * indicating app(0) * and containing subjectPermissions * containing explicit * containing items of type PsidSspRange * containing psid * indicating X_PSID_AA * containing sspRange * indicating X_SSP_AA [ X_PSID_AA ] * or containing all * and containing toBeSigned * containing appPermissions * containing items of type PsidSsp * containing psid * indicating value equal to X_PSID_AA * containing ssp * indicating value permitted by X_SSP_AA [ X_PSID_AA ] * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_17_BV * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_17_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_17_BV /** * @desc Check that the validityPeriod of the subordinate certificate is inside the validityPeriod of the issuing certificate *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * with { * CA is in 'operational' state * and the CA is authorized with CA certificate * containing toBeSigned * containing validityPeriod * containing start * indicating X_START_VALIDITY_CA * containing duration * indicating X_DURATION_CA * } * Expected behaviour: * ensure that { * when { * the CA issued the certificate * containing toBeSigned * containing certIssuePermissions * } * then { * this certificate is of type EtsiTs103097Certificate * containing toBeSigned * containing validityPeriod * containing start * indicating X_START_VALIDITY ( X_START_VALIDITY >= X_START_VALIDITY_CA ) * and containing duration * indicating value <= X_START_VALIDITY_CA + X_DURATION_CA - X_START_VALIDITY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_CA_CERTGEN_18_BV * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4 */ testcase TC_SECPKI_CA_CERTGEN_18_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var integer v_result; var Certificate v_root_certificate; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_connect4SelfOrClientSync(); // Test adapter configuration if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); stop; } // Preamble v_result := f_get_root_ca_certificate(-, -, v_root_certificate); if (v_result == -1) { log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } // Test Body if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, -, -, true) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } // Postamble f_disconnect4SelfOrClientSync(); } // End of testcase TC_SECPKI_CA_CERTGEN_18_BV } // End of group ca_behaviour group ea_behavior { group ea_helpers { } // End of group ea_helpers // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.1 Enrollment request handling group ea_enrolment_request_handling { /** * @desc The EnrolmentResponse message shall be sent by the EA to the ITS-S across the interface at * reference point S3 in response to a received EnrolmentRequest message. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage across the interface at the reference point S3 * } * then { * the IUT answers with an EnrolmentResponseMessage across the interface at reference point S3 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_01_BV /** * @desc Check that EA doesn't accept Enrolment rekeying request when enrolment is not permitted * by signing certificate. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * containing an encrypted EtsiTs103097Data-Signed * containing signer * containing digest * indicating HashedId8 of the certificate CERT * containing appPermissions * not containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * or containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * and containing ssp * containing opaque[0] (version) * indicating other value than 1 * or containing opaque[1] (value) * indicating "Enrolment Request" (bit 1) set to 0 * } * then { * the IUT answers with an EnrolmentResponseMessage * containing InnerECResponse * containing responseCode * indicating "deniedpermissions" * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_RCV_02_BI * @reference ETSI TS 102 941, clause B.5 */ testcase TC_SECPKI_EA_ENR_RCV_02_BI_01() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); // f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == true) { log("*** " & testcasename() & ": PASS: InnerEcResponse error code received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI_01 testcase TC_SECPKI_EA_ENR_RCV_02_BI_02() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_VERSION })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); // f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == true) { log("*** " & testcasename() & ": PASS: InnerEcResponse error code received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI_02 testcase TC_SECPKI_EA_ENR_RCV_02_BI_03() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // f_cfHttpUp("CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01", PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_SSP_BIT })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); // f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == true) { log("*** " & testcasename() & ": PASS: InnerEcResponse error code received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_02_BI_03 /** * @desc Enroll an ITS-Station, but with a canonical-ID, that is not registered. */ testcase TC_SECPKI_EA_ENR_RCV_05_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, PICS_INVALID_ITS_S_CANONICAL_ID, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), unknownits)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), unknownits))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_05_BI /** * @desc Enroll the ITS-Station, but the CSR re-quests more permissions than the issuer allows, * i.e. request for security management SSP bit which is not set in the EA SSP */ testcase TC_SECPKI_EA_ENR_RCV_06_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedpermissions received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_06_BI /** * @desc Enroll the ITS-Station, but the CSR requests a AID permission that the issuer does not allow, i.e. request for CAM AID */ testcase TC_SECPKI_EA_ENR_RCV_07_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })), valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedpermissions received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_07_BI /** * @desc Enroll the ITS-Station, but the expiring date of the CSR is before the start date of the EA */ testcase TC_SECPKI_EA_ENR_RCV_08_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, valueof(m_duration_years(50)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_08_BI /** * @desc Enroll the ITS-Station, but the start date of the CSR is before the start date of the EA */ testcase TC_SECPKI_EA_ENR_RCV_09_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_09_BI /** * @desc Enroll the ITS-Station, but the expiring date of the CSR is after the expiring date of the EA */ testcase TC_SECPKI_EA_ENR_RCV_10_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, vc_eaCertificate.toBeSigned.validityPeriod.start_, valueof(m_duration_years(50)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_10_BI /** * @desc Enroll the ITS-Station, but the start date of the CSR is after the expiring date of the EA */ testcase TC_SECPKI_EA_ENR_RCV_11_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, 3 * vc_eaCertificate.toBeSigned.validityPeriod.start_, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_11_BI /** * @desc Enroll the ITS-Station, but the lifetime of the EC would be grater than allowed (considering values in C-ITS CP) */ testcase TC_SECPKI_EA_ENR_RCV_12_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_years(4)), -, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedrequest))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_12_BI /** * @desc Enroll the ITS-Station, but the inner PoP signature in the CSR, created with the EC private key, can not be verified with the provided public key */ testcase TC_SECPKI_EA_ENR_RCV_13_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request_with_wrong_parameters({ valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, -, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), true, v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), invalidsignature)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), invalidsignature))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse with deniedrequest received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_RCV_13_BI } // End of group ea_group enrolment_request_handling // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.2 Enrollment response group ea_enrolment_response { /** * @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved * algorithm and the encryption shall be done with the same AES key as the one used * by the ITS-S requestor for the encryption of the EnrolmentRequest message *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * containing encKey * containing an encrypted AES key (SYMKEY) * } * then { * the IUT answers with an EnrolmentResponseMessage * containing cipherTex * being encrypted using SYMKEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_01_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_01_BV /** * @desc The EnrolmentResponse message shall be encrypted using an ETSI TS 103 097 approved * algorithm and the encryption shall be done with the same AES key as the one used * by the ITS-S requestor for the encryption of the EnrolmentRequest message. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * containing encKey * containing an encrypted AES key (SYMKEY) * } * then { * the IUT answers with an EnrolmentResponseMessage * containing cipherTex * being encrypted * using SYMKEY * and using an ETSI TS 103 097 approved algorithm * } * } ** * @see ETSI TS 103 525-2 TP 22 * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_02_BV /** * @desc The outermost structure is an EtsiTs103097Data-Encrypted structure containing * the component recipients containing one instance of RecipientInfo of choice * pskRecipInfo, which contains the HashedId8 of the symmetric key used by the * ITS-S to encrypt the EnrolmentRequest message to which the response is built * and containing the component ciphertext, once decrypted, contains an * EtsiTs103097Data-Signed structure *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing recipients * containing one instance of RecipientInfo of choice pskRecipInfo * containing the HashedId8 of the symmetric key used to encrypt the EnrolmentRequestMessage * and containing cipherText * being an encrypted EtsiTs103097Data-Signed structure * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_03_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_03_BV /** * @desc If the ITS-S has been able to decrypt the content, this expected EtsiTs103097Data-Signed structure shall * contain hashId, tbsData, signer and signature. The hashId shall indicate the hash algorithm to be used as * specified in ETSI TS 103 097, the signer shall be declared as a digest, containing the HashedId8 of the * EA certificate and the signature over tbsData shall be computed using the EA private key corresponding to * its publicVerificationKey found in the referenced EA certificate. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing hashId * indicating the hash algorithm to be used as specified in ETSI TS 103 097 * and containing tbsData * and containing signer * declared as a digest * containing the HashedId8 of the EA certificate * and containing signature * computed over tbsData * using the EA private key * corresponding to the publicVerificationKey found in the referenced EA certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_04_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { var HashedId8 v_ec_cert_hashed_id8; if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == false) { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_04_BV /** * @desc Within the headerInfo of the tbsData, the psid shall be set to secured certificate request as assigned in * ETSI TS 102 965 and the generationTime shall be present. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing tbsData * containing headerInfo * containing psid * indicating AID_CERT_REQ * and containing generationTime * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_05_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { var HashedId8 v_ec_cert_hashed_id8; if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8)) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_05_BV /** * @desc Within the headerInfo of the tbsData, aside from psid and generationTime, * all other components of the component tbsData.headerInfo not used and absent. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing tbsData * containing headerInfo * containing psid * and containing generationTime * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_06_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { var HashedId8 v_ec_cert_hashed_id8; if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8)) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Cannot verify EC certificate signature ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_06_BV /** * @desc The EtsiTS102941Data shall contain the version set to v1 (integer value set to 1) * and the content set to InnerECResponse. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing tbsData * containing EtsiTS102941Data * containing version * indicating v1 (integer value set to 1) * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_07_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_07_BV /** * @desc The InnerECResponse shall contain the requestHash, which is the left-most 16 octets of the SHA256 digest of the * EtsiTs103097Data - Signed structure received in the request and a responseCode indicating the result of the request. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing tbsData * containing EtsiTS102941Data * containing requestHash * indicating the left-most 16 octets of the SHA256 digest of the EtsiTs103097Data-Signed structure received in the request * and containing responseCode * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_08_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16))))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_08_BV /** * @desc If the responseCode is 0, the InnerECResponse shall also contain an (enrolment) certificate. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing tbsData * containing EtsiTS102941Data * containing InnerECResponse * containing an enrolment certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_09_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { var HashedId8 v_ec_cert_hashed_id8; if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_09_BV /** * @desc If the responseCode is different than 0, the InnerECResponse shall not contain a certificate. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing tbsData * containing EtsiTS102941Data * containing InnerECResponse * not containing a certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_10_BV * @reference ETSI TS 102 941, clause 6.2.3.2.2 */ testcase TC_SECPKI_EA_ENR_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_invalid_enrolment_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( -, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ko))) { log("*** " & testcasename() & ": PASS: Well-secured EA certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_10_BV /** * @desc Check that signing of Enrolment response message is permitted by the EA certificate. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the IUT sends an EtsiTs103097Data-Encrypted structure * containing an encrypted EtsiTs103097Data-Signed structure * containing signer * declared as a digest * containing the HashedId8 of the EA certificate * containing appPermissions * containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * and containing ssp * containing opaque[0] (version) * indicating 1 * containing opaque[1] (value) * indicating bit "Enrolment Response" (5) set to 1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_11_BV * @reference ETSI TS 102 941, clause B[5] */ testcase TC_SECPKI_EA_ENR_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { var HashedId8 v_ec_cert_hashed_id8; if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_11_BV /** * @desc Check that generated EC certificate contains only allowed permissions. *
* Pics Selection: PICS_IUT_EA_ROLE * Expected behaviour: * ensure that { * when { * the IUT receives an EnrolmentRequestMessage * } * then { * the EC_CERT * containing appPermissions * containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * and containing ssp * containing opaque[0] (version) * indicating 1 * containing opaque[1] (value) * indicating "Enrolment Request" (bit 0) set to 1 * indicating "Authorization Request" (bit 1) set to 1 * indicating other bits set to 0 * and NOT containing an item of type PsidSsp * containing psid * indicating AID_CTL * and NOT containing an item of type PsidSsp * containing psid * indicating AID_CRL * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_ENR_12_BV * @reference ETSI TS 102 941, clause B[5] */ testcase TC_SECPKI_EA_ENR_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key; var Oct32 v_public_compressed_key; var integer v_compressed_mode; var Oct32 v_request_hash; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Oct16 v_aes_sym_key; var Oct16 v_encrypted_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_http_build_inner_ec_request(v_private_key, v_public_compressed_key, v_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); f_init_default_headers_list(-, "inner_ec_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_EC, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { mw_recipientInfo_pskRecipInfo }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, -, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": LOG: Receive ", v_etsi_ts_102941_data, " ***"); log("*** " & testcasename() & ": DEBUG: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) { var HashedId8 v_ec_cert_hashed_id8; if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, vc_eaHashedId8, v_public_compressed_key, v_compressed_mode, v_ec_cert_hashed_id8) == true) { log("*** " & testcasename() & ": PASS: Well-secured EC certificate received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: EC certificate is not proerly formated ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: Unexpected message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_ENR_12_BV } // End of group ea_enrolment_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.2 Enrollment response group authorization_validation_request { group atv_helpers { function f_verify_http_at_request_from_iut_atv( in Request p_request, out Oct16 p_aes_enc_key, out Oct16 p_request_hash, out SharedAtRequest p_shared_at_request, out integer p_result ) runs on ItsPkiHttp { // Local variables var HashedId8 v_bfk_hashed_id8; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var EtsiTs103097Certificate v_aaCertificate; var charstring v_aaCertificate_id; log(">>> f_verify_http_at_request_from_iut_atv: p_request= ", p_request); p_result := 0; if (not(f_getCertificateFromDigest(f_hashedId8FromSha256(vc_aaWholeHash), v_aaCertificate, v_aaCertificate_id))) { p_result := -1; return; } if (not(f_verify_pki_request_message(vc_eaPrivateEncKey/*Encrypted with AA*/, vc_eaWholeHash/*salt*/, vc_aaWholeHash/*Issuer is AA*/, v_aaCertificate.toBeSigned.verifyKeyIndicator.verificationKey, p_request.body.binary_body.ieee1609dot2_data, true, p_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, p_aes_enc_key))) { // Set verdict p_result := -1; } else { log("f_verify_http_at_request_from_iut_atv: Receive ", v_etsi_ts_102941_data); log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationRequest(mw_authorization_validation_request(mw_shared_at_request, mw_ec_signature)))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationRequest(mw_authorization_validation_request(mw_shared_at_request, mw_ec_signature))) == false) { // TODO To be refined // Set verdict p_result := -2; } else { p_shared_at_request := v_etsi_ts_102941_data.content.authorizationValidationRequest.sharedAtRequest; log("f_verify_http_at_request_from_iut_atv: p_shared_at_request= ", p_shared_at_request); // TODO Refined expected mw_signature_ecdsaNistP256 } } log("<<< f_verify_http_at_request_from_iut_atv: p_shared_at_request= ", p_shared_at_request); log("<<< f_verify_http_at_request_from_iut_atv: p_aes_sym_key= ", p_aes_enc_key); log("<<< f_verify_http_at_request_from_iut_atv: p_request_hash= ", p_request_hash); log("<<< f_verify_http_at_request_from_iut_atv: p_result: ", p_result); } // End of function f_verify_http_at_request_from_iut_atv function f_verify_http_at_response_from_iut_atv( in InnerAtRequest p_inner_at_request, in Response p_response, in octetstring p_private_key, in Oct16 p_aes_sym_key, in Oct16 p_authentication_vector, in Oct32 p_request_hash, out InnerAtResponse p_inner_at_response, //TODO out EtsiTs103097Data p_authorization_validation_response, out integer p_result ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerEcResponse v_inner_ec_response; log(">>> f_verify_http_at_response_from_iut_atv: p_inner_at_request= ", p_inner_at_request); log(">>> f_verify_http_at_response_from_iut_atv: p_response= ", p_response); log(">>> f_verify_http_at_response_from_iut_atv: p_private_key= ", p_private_key); log(">>> f_verify_http_at_response_from_iut_atv: p_aes_sym_key= ", p_aes_sym_key); log(">>> f_verify_http_at_response_from_iut_atv: p_authentication_vector= ", p_authentication_vector); log(">>> f_verify_http_at_response_from_iut_atv: p_request_hash= ", p_request_hash); p_result := 0; if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_eaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { // Set verdict p_result := -1; } else { log("f_verify_http_at_response_from_iut_atv: Receive ", v_etsi_ts_102941_data); log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ok(substr(p_request_hash, 0, 16), mw_certificate_subject_attributes(p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod)))) == false) { // Set verdict p_result := -2; } else { // TODO Refined expected mw_signature_ecdsaNistP256 log("f_verify_http_at_response_from_iut_atv: Well-secured AT certificate received"); } } log("<<< f_verify_http_at_response_from_iut_atv: p_result: ", p_result); } // End of function f_verify_http_at_response_from_iut_atv function f_verify_http_at_response_from_iut_atv_error( in InnerAtRequest p_inner_at_request, in Response p_response, in octetstring p_private_key, in Oct16 p_aes_sym_key, in Oct16 p_authentication_vector, in Oct32 p_request_hash, out InnerAtResponse p_inner_at_response, //TODO out EtsiTs103097Data p_authorization_validation_response, out integer p_result ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerEcResponse v_inner_ec_response; log(">>> f_verify_http_at_response_from_iut_atv_error: p_inner_at_request= ", p_inner_at_request); log(">>> f_verify_http_at_response_from_iut_atv_error: p_response= ", p_response); log(">>> f_verify_http_at_response_from_iut_atv_error: p_private_key= ", p_private_key); log(">>> f_verify_http_at_response_from_iut_atv_error: p_aes_sym_key= ", p_aes_sym_key); log(">>> f_verify_http_at_response_from_iut_atv_error: p_authentication_vector= ", p_authentication_vector); log(">>> f_verify_http_at_response_from_iut_atv_error: p_request_hash= ", p_request_hash); p_result := 0; if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_eaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { // Set verdict p_result := -1; } else { log("f_verify_http_at_response_from_iut_atv_error: Receive ", v_etsi_ts_102941_data); log(match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ko(substr(p_request_hash, 0, 16))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationValidationResponse(mw_authorizationValidationResponse_ko(substr(p_request_hash, 0, 16)))) == false) { // Set verdict p_result := -2; } else { // TODO Refined expected mw_signature_ecdsaNistP256 log("f_verify_http_at_response_from_iut_atv_error: Well-formatted error response received"); } } log("<<< f_verify_http_at_response_from_iut_atv_error: p_result: ", p_result); } // End of function f_verify_http_at_response_from_iut_atv_error } // End of group atv_helpers /** * @desc The AuthorizationValidationResponse message shall be sent by the EA to the AA across the interface * at reference point S4 in response to a received AuthorizationValidationRequest message *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * } * then { * the IUT sends a AuthorizationValidationResponse message * across the reference point S4 to the AA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.4 * @remark Need to provide CERT_TS_A_AA & CERT_IUT_A_RCA to the PKI */ testcase TC_SECPKI_EA_AUTHVAL_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_RCV_01_BV /** * @desc Check that EA doesn't accept Authorization Validation Request when * SharedAtRequest is signed with certificate without appropriate * permissions *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * with { * the IUT being in the "operational state" * } * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * } * then { * the IUT sends a AuthorizationValidationResponse message * across the reference point S4 to the AA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_RCV_02_BI * @reference ETSI TS 102 941, clause B[5] * @remark Need to provide CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01 to the PKI */ testcase TC_SECPKI_EA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration //f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, "CERT_TS_A_EA_AA_AUTHVAL_RCV_02_BI_01"); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; if (f_verify_pki_response_message(v_private_key_at, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions)))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_inner_ec_response(mw_innerEcResponse_ko(substr(v_request_hash, 0, 16), deniedpermissions))) == false) { log("*** " & testcasename() & ": FAIL: Invalid InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: InnerEcResponse received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_RCV_02_BI } // End of group authorization_validation_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.4 Authorization validation response group ea_authorization_validation_response { /** * @desc The EtsiTs103097Data-Encrypted is build with the component recipients containing one instance of RecipientInfo * of choice pskRecipInfo, which contains the HashedId8 of the symmetric key used by the ITS-S to encrypt the * AuthorizationRequest message to which the response is built and the component ciphertext containing the encrypted * representation of the EtsiTs103097Data-Signed. The encryption uses a ETSI TS 103 097 [3] approved algorithm. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * containing encKey * containing the encrypted symmetric data encryption key (SYMKEY) * } * then { * the IUT sends a AuthorizationValidationResponse message * containing EtsiTs103097Data-Encrypted * containing recipients * containing one instance of RecipientInfo of choice pskRecipInfo * indicating the HashedId8 of SYMKEY * and containing ciphertext * containing EtsiTs103097Data-Signed * being encrypted using SYMKEY and an ETSI TS 103 097 approved algorithm * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_01_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_01_BV /** * @desc To read an authorization validation response, the AA shall receive an EtsiTs103097Data-Encrypted structure, * containing a EtsiTs103097Data-Signed structure, containing a EtsiTs102941Data structure, containing an * AuthorizationValidationResponse structure. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * } * then { * the IUT sends a AuthorizationValidationResponse message * containing EtsiTs103097Data-Signed * containing AuthorizationValidationResponse * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_02_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_02_BV /** * @desc The AuthorizationValidationResponse structure contains the requestHash being the left-most 16 octets of * the SHA256 digest of the EtsiTs103097Data-Signed structure received in the AuthorizationValidationRequest * and a responseCode. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * containing EtsiTs103097Data-Signed structure (REQDSS) * } * then { * the IUT sends a AuthorizationValidationResponse message * containing EtsiTs103097Data-Signed * containing EtsiTs102941Data * containing AuthorizationValidationResponse * containing requestHash * indicating the left-most 16 octets of the SHA256 digest of REQDSS * and containing responseCode * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_03_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_03_BV /** * @desc If the responseCode is 0, the AuthorizationValidationResponse structure contains the component * confirmedSubjectAttributes with the attributes the EA wishes to confirm, except for certIssuePermissions * which is not allowed to be present. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * and the IUT responds with a AuthorizationValidationResponse message * containing AuthorizationValidationResponse * containing responseCode * indicating 0 * } * then { * the IUT sends a AuthorizationValidationResponse message * contains an AuthorizationValidationResponse structure * containing confirmedSubjectAttributes * not containing certIssuePermissions * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_04_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_04_BV /** * @desc If the responseCode is different than 0, the AuthorizationValidationResponse structure does not contain * the component confirmedSubjectAttributes. *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * and the IUT responds with a AuthorizationValidationResponse message * containing AuthorizationValidationResponse * containing responseCode * indicating a value different than 0 * } * then { * the IUT sends a AuthorizationValidationResponse message * contains an AuthorizationValidationResponse structure * not containing confirmedSubjectAttributes * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_05_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_invalid_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv_error(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-formatted error response received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_04_BV /** * @desc The component version of the EtsiTs102941Data structure is set to v1 (integer value set to 1). *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT receives a AuthorizationValidationRequest message * } * then { * the IUT sends a AuthorizationValidationResponse message * containing EtsiTs103097Data-Signed * containing EtsiTs103097Data * containing version * indicating v1 (integer value set to 1) * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_AUTHVAL_06_BV * @reference ETSI TS 102 941, clause 6.2.3.4.2 */ testcase TC_SECPKI_EA_AUTHVAL_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_key_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var InnerAtRequest v_inner_at_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); // Generate an InnerAtRequest if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, v_inner_ec_response.certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_inner_at_request) == false) { log("*** " & testcasename() & ": ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("*** " & testcasename() & ": DEBUG: v_inner_at_request= ", v_inner_at_request); log("*** " & testcasename() & ": DEBUG: v_private_key_at= ", v_private_key_at); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_validation_request(v_inner_at_request, v_public_compressed_key_at, v_compressed_key_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_atv_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_ATV, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_inner_at_response; tc_ac.stop; f_verify_http_at_response_from_iut_atv(v_inner_at_request, v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured ATV certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ATV response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_AUTHVAL_06_BV // TC_SECPKI_EA_AUTHVAL_07_BV covered by TC_SECPKI_EA_AUTHVAL_02..04_BV // TC_SECPKI_EA_AUTHVAL_08_BV covered by TC_SECPKI_EA_AUTHVAL_02..04_BV // TC_SECPKI_EA_AUTHVAL_09_BV covered by TC_SECPKI_EA_AUTHVAL_02..04_BV } // End of group eaauthorization_validation_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.5 CA Certificate Request group ca_certificate_request { /** * @desc SubCA certificate requests of the EA are transported to the RCA using CACertificateRequest messages across the reference point S10 *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * across the reference point S10 to the RCA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_01_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_01_BV /** * @desc The application form should include the digital fingerprint of the CACertificateRequestMessage in printable format *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing a signature (SIG) * containing EtsiTs103097Data * being computed using a ETSI TS 103 097 [2] approved hash algorithm * and the IUT exports the digital fingerprint SIG in a printable format * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_02_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_02_BV /** * @desc The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097, * the signer is set to 'self' and the signature over the tbsData is computed using the private key corresponding to the new verificationKey to be certified (i.e. the request is self-signed) *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing EtsiTs103097Data-Signed structure * containing hashId * indicating the hash algorithm to be used * and containing signer * indicating 'self' * and containing tbsData * containing the EtsiTs102941Data structure * containing caCertificateRequest * containing publicKeys * containing verification_key (VKEY) * and containing signature * computed over tbsData using the private key corresponding to the verificationKey (VKEY) * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_03_BV * @reference ETSI TS 102 941, clause 6.2.1 * ETSI TS 103 097, clause 7 */ testcase TC_SECPKI_EA_CERTGEN_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_03_BV /** * @desc An ECC private key is randomly generated, the corresponding public key (verificationKey) is provided to be included in the CaCertificateRequest * An ECC encryption private key is randomly generated, the corresponding public key (encryptionKey) is provided to be included in the CACertificateRequest. * CaCertificateRequest.publicKeys shall contain verification_key and encryption_key *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing caCertificateRequest * containing publicKeys * and containing encryption_key * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_04_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_04_BV /** * @desc The EtsiTs102941Data structure is built with version set to v1 (integer value set to 1) *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing EtsiTs102941Data * containing version * indicating v1 (integer value set to 1) * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_05_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_05_BV /** * @desc CaCertificateRequest.requestedSubjectAttributes shall contain the requested certificates attributes as specified in ETSI TS 103 097, clause 7.2.4 *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing CaCertificateRequest * containing requestedSubjectAttributes * as specified in ETSI TS 103 097, clause 7.2.4 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_06_BV * @reference ETSI TS 102 941, clause 6.2.1 * ETSI TS 103 097, clause 7.2.4 */ testcase TC_SECPKI_EA_CERTGEN_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_06_BV /** * @desc EtsiTs103097Data-Signed.tbsData contains the EtsiTs102941Data as payload and the headerInfo containing psid and generationTime * The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and the generationTime shall be present * All other components of the component tbsdata.headerInfo are not used and absent *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing headerInfo * containing psid * indicating SEC_CERT_REQ * and containing generationTime * and not containing any other component of tbsdata.headerInfo * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_07_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_07_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_07_BV /** * @desc If the current private key has reached its end of validity period or is revoked, the SubCA shall restart the initial certificate application process *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to perform a CA certificate rekeying procedure * and SubCA certificate is no longer valid (due to end of validity or revocation) * } * then { * the IUT switches to the ''initial' state * and sends a CACertificateRequestMessage * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_08_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_08_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_08_BV /** * @desc For the re-keying application to the RCA (CaCertificateRekeyingMessage), an EtsiTs103097Data-Signed structure is built, containing: hashId, tbsData, signer and signature * The hashId shall indicate the hash algorithm to be used as specified in ETSI TS 103 097 * The signer declared as a digest, containing the hashedId8 of the EA certificate and the signature over tbsData is computed using the currently valid private key corresponding to the EA certificate (outer signature) *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to send a CACertificateRequestMessage * } * then { * the IUT sends a CACertificateRequestMessage * containing EtsiTs103097Data-Signed structure * containing hashId * indicating the hash algorithm to be used * and containing tbsData * and containing signer * containing digest * indicating HashedId8 of the SubCA certificate (CERT) * and containing signature * computed over tbsData * using the private key corresponding to CERT * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_09_BV * @reference ETSI TS 102 941, clause 6.2.1 * ETSI TS 103 097, clause 7 */ testcase TC_SECPKI_EA_CERTGEN_09_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_09_BV /** * @desc The (outer) tbsData of the CACertificateRekeyingMessage shall contain the CaCertificateRequestMessage as payload *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to perform a CA certificate rekeying procedure * } * then { * the IUT sends a CACertificateRekeyingMessage * containing EtsiTs103097Data-Signed structure * containing tbsData * containing CaCertificateRequestMessage * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_10_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_10_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_10_BV /** * @desc The (outer) tbsData of the CACertificateRekeyingMessage shall contain a headerInfo containing psid and generationTime. * The psid shall be set to "secured certificate request" as assigned in ETSI TS 102 965 and the generationTime shall be present * All other components of the component tbsdata.headerInfo are not used and absent *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to perform a CA certificate rekeying procedure * } * then { * the IUT sends a CACertificateRekeyingMessage * containing tbsData * containing psid * indicating SEC_CERT_REQ * and containing generationTime * and not containing any other component of tbsdata.headerInfo * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_11_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_11_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_11_BV /** * @desc Check that the CaCertificateRekeyingMessage is permitted by CA certificate *
* Pics Selection: * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT is requested to perform a CA certificate rekeying procedure * } * then { * the IUT sends a CACertificateRekeyingMessage * containing EtsiTs103097Data-Signed structure * containing tbsData * and containing signer * containing digest * indicating HashedId8 of the CA certificate * containing appPermissions * containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * and containing ssp * containing opaque[0] (version) * indicating 1 * containing opaque[1] (value) * indicating 'CA Certificate Response' (bit 6) set to 1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_CERTGEN_12_BV * @reference ETSI TS 102 941, clause 6.2.1 */ testcase TC_SECPKI_EA_CERTGEN_12_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { setverdict(inconc); } // End of testcase TC_SECPKI_EA_CERTGEN_12_BV } // End of group ca_certificate_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6 Authorization using butterfly key expansion mechanism group ea_authorization_with_bfk { // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6.1 Butterfly authorization response group ea_bfk_auth_response { /** * @desc Check that the EA sends the butterfly authorization respond message after receiving of the butterfly authorization request * Check that this message is signed with EA certificate *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * the EA in 'operational' state * authorized with CERT_EA certificate * and the ITS-S in 'enrolled' state * Expected behaviour: * ensure that { * when { * the IUT receives a ButterflyAuthorizationRequestMessage message * } * then { * the IUT send an EtsiTs103097Data to the ITS-S * containing content.signedData * containing tbsData * containing headerInfo * containing psid * indicating AID_PKI_CERT_REQUEST * and containing generationTime * and not containing any other field * and containing payload.data * indicating EtsiTs102941Data * containing version * indicating ‘1’ * and containing content * containing butterflyCertificateResponse * and containing signer * containing digest * indicating HashedId8 of the CERT_EA * and containing signature * validated using CERT_EA verification public key * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_01_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.3 */ testcase TC_SECPKI_EA_BFK_AUTH_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var octetstring v_private_key_ec; var octetstring v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var octetstring v_caterpillar_private_key; var octetstring v_caterpillar_public_key_compressed; var integer v_caterpillar_compressed_mode; var octetstring v_caterpillar_enc_private_key; var octetstring v_caterpillar_enc_public_key_compressed; var integer v_caterpillar_enc_compressed_mode; var EeRaCertRequest v_ee_ra_cert_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec); // Generate an ButterflyAutorizationRequest f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request); log("*** " & testcasename() & ": DEBUG: v_ee_ra_cert_request= ", v_ee_ra_cert_request); log("*** " & testcasename() & ": DEBUG: v_caterpillar_private_key= ", v_caterpillar_private_key); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "bfk_auth_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_BFK_AUTH, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyAuthorizationResponseMessage( mw_signedData( sha256, mw_toBeSignedData, m_signerIdentifier_digest(vc_eaHashedId8) )))))), v_response ) { tc_ac.stop; log("*** " & testcasename() & ": PASS: Signed message received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_BFK_AUTH_01_BV /** * @desc Check that the butterfly authorization respond message, sent by EA, contains all necessary fields *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * the EA in 'operational' state * authorized with CERT_EA certificate * and the ITS-S in 'enrolled' state * Expected behaviour: * ensure that { * when { * the IUT receives a ButterflyAuthorizationRequestMessage message (REQ) * } * then { * the IUT send to the ITS-S a ButterflyAuthorizationResponseMessage * containing butterflyCertificateResponse * containing RaEeCertInfo * containing version * indicating 2 * and containing generationTime * indicating value between REQ_TIME and the current time * and containing currentI * and containing requestHash * indicating the left-most 16 octets of the SHA256 digest of the REQ * and containing nextDlTime * and not containing acpcTreeId * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_02_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.3 */ testcase TC_SECPKI_EA_BFK_AUTH_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var octetstring v_private_key_ec; var octetstring v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var octetstring v_caterpillar_private_key; var octetstring v_caterpillar_public_key_compressed; var integer v_caterpillar_compressed_mode; var octetstring v_caterpillar_enc_private_key; var octetstring v_caterpillar_enc_public_key_compressed; var integer v_caterpillar_enc_compressed_mode; var EeRaCertRequest v_ee_ra_cert_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec); // Generate an ButterflyAutorizationRequest f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request); log("*** " & testcasename() & ": DEBUG: v_ee_ra_cert_request= ", v_ee_ra_cert_request); log("*** " & testcasename() & ": DEBUG: v_caterpillar_private_key= ", v_caterpillar_private_key); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "bfk_auth_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_BFK_AUTH, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyAuthorizationResponseMessage( mw_signedData( sha256, mw_toBeSignedData, m_signerIdentifier_digest(vc_eaHashedId8) )))))), v_response ) { tc_ac.stop; var octetstring v_tbs := bit2oct(encvalue(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData)); if (f_verifyEcdsa(v_tbs, vc_eaWholeHash256, v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.signature_, vc_eaCertificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify signature message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { var bitstring v_etsi_ts_102941_data_content_msg := oct2bit(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); var EtsiTs102941MessagesCa.EtsiTs102941Data v_etsi_ts_102941_data; if (decvalue(v_etsi_ts_102941_data_content_msg, v_etsi_ts_102941_data) != 0) { log("*** " & testcasename() & ": FAIL: Failed to decode message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": DBG: v_etsi_ts_102941_data: ", v_etsi_ts_102941_data); log("*** " & testcasename() & ": INFO: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (not(match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)))) { log("*** " & testcasename() & ": FAIL: Unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log("*** " & testcasename() & ": PASS: ButterflyAuthorizationResponseMessage received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_BFK_AUTH_02_BV } // End of group ea_bfk_auth_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6 Authorization using butterfly key expansion mechanism group ea_bfk_cert_request { group bfk_auth_request_helpers { function f_trigger_butterfly_authorization_request( out HashedId8 p_aes_sym_key_hashed_id8, out EeRaCertRequest p_ee_ra_cert_request, out RaEeCertInfo p_ra_ee_cert_info ) runs on ItsPkiHttp return boolean { // Local variables var octetstring v_private_key_ec; var octetstring v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hashed_id8; var InnerEcResponse v_inner_ec_response; var octetstring v_caterpillar_private_key; var octetstring v_caterpillar_public_key_compressed; var integer v_caterpillar_compressed_mode; var octetstring v_caterpillar_enc_private_key; var octetstring v_caterpillar_enc_public_key_compressed; var integer v_caterpillar_enc_compressed_mode; var EeRaCertRequest v_ee_ra_cert_request; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; // Trigger an enrolment request if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); return false; } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); } log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec); // Generate an ButterflyAutorizationRequest f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request); log("*** " & testcasename() & ": DEBUG: v_ee_ra_cert_request= ", v_ee_ra_cert_request); log("*** " & testcasename() & ": DEBUG: v_caterpillar_private_key= ", v_caterpillar_private_key); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "bfk_auth_request", v_headers); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_BFK_AUTH, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyAuthorizationResponseMessage( mw_signedData( sha256, mw_toBeSignedData, m_signerIdentifier_digest(vc_eaHashedId8) )))))), v_response ) { tc_ac.stop; var octetstring v_tbs := bit2oct(encvalue(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData)); if (f_verifyEcdsa(v_tbs, vc_eaWholeHash256, v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.signature_, vc_eaCertificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { log("*** " & testcasename() & ": INCONC: Failed to verify signature message ***"); return false; } else { var bitstring v_etsi_ts_102941_data_content_msg := oct2bit(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); /** TITIAN BUG https://www.eclipse.org/forums/index.php/t/1113606/ var EtsiTs102941MessagesCa.EtsiTs102941Data v_etsi_ts_102941_data; if (decvalue(v_etsi_ts_102941_data_content_msg, v_etsi_ts_102941_data) != 0) { log("*** " & testcasename() & ": INCONC: Failed to decode message ***"); return false; } else { log("*** " & testcasename() & ": DBG: v_etsi_ts_102941_data: ", v_etsi_ts_102941_data); log("*** " & testcasename() & ": INFO: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log if (not(match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)))) { log("*** " & testcasename() & ": FAIL: Unexpected message ***"); return false; } else { log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponseMessage received ***"); p_ra_ee_cert_info := v_etsi_ts_102941_data.content.butterflyAuthorizationResponse; } } **/ // Extract currentI, request hash && nextDlTime var integer v_len := lengthof(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData); var IValue v_currentI := oct2int(substr(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData, v_len - 4 - 8 - 2, 2)); var HashedId8 v_requestHash := substr(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData, v_len - 4 - 8, 8); var Time32 v_nextDlTime := oct2int(substr(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData, v_len - 4, 4)); log("*** " & testcasename() & ": DBG: nextDlTime: ", v_nextDlTime); log("*** " & testcasename() & ": DBG: request hash: ", v_requestHash); log("*** " & testcasename() & ": DBG: currentI: ", v_currentI); log("*** " & testcasename() & ": DBG: v_nextDlTime - f_getCurrentTime/100: ", f_getCurrentTime() / 1000); log("*** " & testcasename() & ": DBG: v_nextDlTime - CurrentTime: ", v_nextDlTime - f_getCurrentTime() / 1000); log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponseMessage received ***"); p_ra_ee_cert_info := valueof( m_ra_ee_cert_info( f_getCurrentTime() / 1000, v_currentI, v_requestHash, v_nextDlTime )); } log("*** " & testcasename() & ": INFO: p_ra_ee_cert_info: ", p_ra_ee_cert_info, " ***"); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); return false; } } // End of 'alt' statement return true; } // End of function f_trigger_butterfly_authorization_request function f_verify_http_butterfly_cert_request_message_from_aa( in Request p_request, in Headers p_headers, in boolean p_checked_cocoon_keys_derivation := false, in template (omit) octetstring p_caterpilar_compressed_key := omit, out integer p_result, out RaAcaCertRequest p_butterflyCertificateRequest, out HttpMessage p_response ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var template (value) HttpMessage v_response; var Oct16 v_request_hash; var HashedId8 v_bfk_hashed_id8; var Oct16 v_aes_enc_key; log(">>> f_verify_http_butterfly_cert_request_message_from_aa: ", p_request); p_result := 0; if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, omit, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -1; } else { var UInt64 v_current_time := f_getCurrentTimeUtc(); var UInt64 v_delta_time := 30; log("f_verify_http_butterfly_cert_request_message_from_aa: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) { // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -2; } else { if (p_checked_cocoon_keys_derivation == true) { // FIXME FSCOM if (f_check_cocoon_keys_derivation(v_etsi_ts_102941_data.content.butterflyCertificateRequest.tbsCert.verifyKeyIndicator, )) } else { var AcaRaCertResponse v_aca_ra_cert_response; var HashedId8 v_hashedId8; var octetstring v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data)); v_hashedId8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg)); f_http_build_butterfly_cert_response(v_hashedId8, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_aca_ra_cert_response, v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers)); p_butterflyCertificateRequest := v_etsi_ts_102941_data.content.butterflyCertificateRequest; } } } p_response := valueof(v_response); log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_response: ", p_response); log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_result: ", p_result); } // End of function f_verify_http_butterfly_cert_request_message_from_aa } // End of group bfk_auth_request_helpers /** * @desc Check that the EA sends butterfly certificate request message after receiving of the butterfly authorization request * Check that this message is encrypted for the AA * Check that this message is signed with the EA certificate *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * the EA in 'operational' state * authorized with CERT_EA certificate * and the AA is emulated by TS and * authorized with CERT_AA certificate * and EA is configured to use emulated AA to generate certificates * Expected behaviour: * ensure that { * when { * the IUT received the ButterflyAuthorizationRequestMessage * containing EtsiTs102941Data * containing content.butterflyAuthorizationRequest * } * then { * the IUT sends a EtsiTs103097Data to the AA * containing content.encryptedData * containing recipients * indicating size 1 * and containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the CERT_AA * and containing encrypted representation of EtsiTs103097Data * containing signedData * containing tbsData * containing headerInfo * containing psid * indicating AID_PKI_CERT_REQUEST * and containing payload.data * containing EtsiTs102941Data * containing version * indicating ‘1’ * and containing content * containing butterflyCertificateRequest * and containing signer * containing digest * indicating HashedId8 of the CERT_EA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_03_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.4 */ testcase TC_SECPKI_EA_BFK_AUTH_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var boolean v_received_butterfly_authorization_response := false; var boolean v_tb_done := false; var HashedId8 v_aes_sym_key_hashed_id8; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var integer v_result; var EeRaCertRequest v_ee_ra_cert_request; var RaEeCertInfo p_ra_ee_cert_info; var RaAcaCertRequest v_butterflyCertificateRequest; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info); log("*** " & testcasename() & ": INFO: p_ra_ee_cert_info:", p_ra_ee_cert_info, " ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpAtVPort.receive( mw_http_request( mw_http_request_post( -, // URI v_headers, // Headers mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyCertRequestMessage( mw_encryptedData )))))) -> value v_request { tc_ac.stop; log("+++++++++++++++++++++++++++++++++++++++++++++++", v_request); f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response); // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } v_tb_done := true; if (v_received_butterfly_authorization_response == false) { log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***"); tc_ac.start; repeat; } } [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (v_tb_done == false) { v_received_butterfly_authorization_response := true; tc_ac.start; repeat; } // else, end on the test case } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_BFK_AUTH_03_BV /** * @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * the EA in 'operational' state * authorized with CERT_EA certificate * and the EA already received the ButterflyAuthorizationRequestMessage * indicating the sha256 message hash MSG_HASH * and the EA already responded with ButterflyAuthorizationResponseMessage * containing EtsiTs102941Data * containing butterflyAuthorizationResponse * containing nextDlTime * indicating DNL_TIME * Expected behaviour: * ensure that { * when { * the IUT received the ButterflyAtDownloadRequestMessage * containing EtsiTs102941Data * containing butterflyAtDownloadRequest * containing EeRaCertRequest * containing generationTime * indicating REQ_TIME * } * then { * the IUT sends to the AA the ButterflyCertRequestMessage * containing EtsiTs102941Data * containing content * containing butterflyCertificateRequest * containing RaAcaCertRequest * containing version * indicating 2 * and containing generationTime * indicating value between REQ_TIME and the current time * and containing flags * indicating empty bit string * and containing certEncKey * and containing tbsCert * and not containing linkageInfo * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_04_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.4 */ testcase TC_SECPKI_EA_BFK_AUTH_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var boolean v_received_butterfly_authorization_response := false; var boolean v_tb_done := false; var HashedId8 v_aes_sym_key_hashed_id8; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var integer v_result; var EeRaCertRequest v_ee_ra_cert_request; var RaEeCertInfo p_ra_ee_cert_info; var RaAcaCertRequest v_butterflyCertificateRequest; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpAtVPort.receive( mw_http_request( mw_http_request_post( -, // URI v_headers, // Headers mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyCertRequestMessage( mw_encryptedData )))))) -> value v_request { tc_ac.stop; f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response); // TODO Check v_butterflyCertificateRequest // FIXME Some check can be moved to f_verify_http_butterfly_cert_request_message_from_aa // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } v_tb_done := true; if (v_received_butterfly_authorization_response == false) { log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***"); tc_ac.start; repeat; } } [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (v_tb_done == false) { v_received_butterfly_authorization_response := true; tc_ac.start; repeat; } // else, end on the test case } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_BFK_AUTH_04_BV /** * @desc Check that the butterfly certificate request message contains expanded cocoon key *
* Pics Selection: PICS_IUT_EA_ROLE * the EA in 'operational' state * authorized with CERT_EA certificate * and the AA in 'operational' state * authorized with CERT_AA certificate * and EA is configured to use AA of the current configuration to generate certificates * Initial conditions: * Expected behaviour: * ensure that { * when { * the IUT received the ButterflyAuthorizationRequestMessage * containing EtsiTs102941Data * containing content.butterflyAuthorizationRequest * containing EeRaCertRequest * containing tbsCert (TBS_CERT) * containing verification key (CATERPILLAR_KEY) * } * then { * the IUT sends to the AA the ButterflyCertRequestMessage * containing EtsiTs102941Data * containing content * containing butterflyCertificateRequest * containing RaAcaCertRequest * containing tbsCert * containing verificationKey * containing “cocoon” key * derived from the CATERPILLAR_KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_05_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.4 */ testcase TC_SECPKI_EA_BFK_AUTH_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var boolean v_received_butterfly_authorization_response := false; var boolean v_tb_done := false; var HashedId8 v_aes_sym_key_hashed_id8; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var integer v_result; var EeRaCertRequest v_ee_ra_cert_request; var RaEeCertInfo p_ra_ee_cert_info; var RaAcaCertRequest v_butterflyCertificateRequest; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpAtVPort.receive( mw_http_request( mw_http_request_post( -, // URI v_headers, // Headers mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyCertRequestMessage( mw_encryptedData )))))) -> value v_request { tc_ac.stop; f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, true, -, v_result, v_butterflyCertificateRequest, v_response); // Send response forcing error code if (isvalue(v_response)) { httpPort.send(v_response); } // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } v_tb_done := true; if (v_received_butterfly_authorization_response == false) { log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***"); tc_ac.start; repeat; } } [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_enrolmentResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (v_tb_done == false) { v_received_butterfly_authorization_response := true; tc_ac.start; repeat; } // else, end on the test case } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_BFK_AUTH_05_BV } // End of group ea_bfk_cert_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.4.6.2 Authorization certificate download group ea_bfk_auth_cert_download { /** * @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements *
* Pics Selection: PICS_IUT_EA_ROLE * Initial conditions: * the EA in 'operational' state * authorized with CERT_EA certificate * and the EA already responded with ButterflyAuthorizationResponseMessage (MSG_RESPONSE) * containing EtsiTs102941Data * containing butterflyAuthorizationResponse * containing nextDlTime * indicating DNL_TIME * and containing currentI * indicating I_VALUE * and containing requestHash * indicating MSG_HASH * and the EA already received from emullated AA one or more ButterflyCertResponse messages * containing AcaEeCertResponsePrivateSpdu (CERT_RESPONSE) * Expected behaviour: * ensure that { * when { * the IUT received the ButterflyAtDownloadRequestMessage * containing EtsiTs102941Data * containing butterflyAtDownloadRequest * indicating EeRaDownloadRequest * containing generationTime * indicating DNL_TIME + 1 * and containing filename * indicating MSG_HASH + “_” + hex(I_VALUE) + ".zip" * } * then { * the IUT sends the requested batch of certificates * containing file hex(I_VALUE) + “.info” * indicating COER encoding of MSG_RESPONSE * and containing a set of files hex(I_VALUE) + “_” + (0..N) * indicating COER encoding of AcaEeCertResponsePrivateSpdu (CERT_RESPONSE) * } * } ** * @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_06_BV * @reference ETSI TS 102 941 [1], clause 6.2.3.5.1, 6.2.3.5.3 */ testcase TC_SECPKI_EA_BFK_AUTH_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var octetstring v_private_key; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EeRaCertRequest v_ee_ra_cert_request; var RaEeCertInfo p_ra_ee_cert_info; var EtsiTs102941Data v_etsi_ts_102941_data; // Test control if (not PICS_IUT_EA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request, p_ra_ee_cert_info); // Wait for v_ee_ra_cert_request.nextDlTime var float v_timer := int2float(p_ra_ee_cert_info.nextDlTime - p_ra_ee_cert_info.generationTime + 2); log("*** " & testcasename() & ": INFO: Start wailting for " & float2str(v_timer) & " seconds ***"); f_sleepIgnoreDef(v_timer); log("*** " & testcasename() & ": INFO: timer of " & float2str(v_timer) & " seconds expierd message ***"); // FISME FSCOM In int2hex, 3 is arbitrary. Need to check the range of currentI to set the correct hex string length f_http_build_butterfly_at_download_request_message(hex2str(oct2hex(p_ra_ee_cert_info.requestHash)) & "-" & hex2str(int2hex(p_ra_ee_cert_info.currentI, 3)) & ".zip", v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "bfk_at_download_request", v_headers); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_BFK_AT_DOWNLOAD, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_ec_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyCertResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response))); if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)) == true) { log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Invalid ButterflyAuthorizationResponseMessage received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV } // End of group ea_bfk_auth_cert_download } // End of group ea_authorization_with_bfk } // End of group ea_behavior // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5 AA behaviour group aa_behavior { group aa_helpers { function f_verify_http_at_response_from_iut_aa( in Response p_response, in octetstring p_private_key, in Oct16 p_aes_sym_key, in Oct16 p_authentication_vector, in Oct32 p_request_hash, out InnerAtResponse p_authorization_response, out integer p_result ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerEcResponse v_inner_ec_response; log(">>> f_verify_http_at_response_from_iut_aa: p_response= ", p_response); log(">>> f_verify_http_at_response_from_iut_aa: p_private_key= ", p_private_key); log(">>> f_verify_http_at_response_from_iut_aa: p_aes_sym_key= ", p_aes_sym_key); log(">>> f_verify_http_at_response_from_iut_aa: p_authentication_vector= ", p_authentication_vector); log(">>> f_verify_http_at_response_from_iut_aa: p_request_hash= ", p_request_hash); p_result := 0; if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_aaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) { // Set verdict p_result := -1; } else { log("f_verify_http_at_response_from_iut_aa: Receive ", v_etsi_ts_102941_data); p_authorization_response := v_etsi_ts_102941_data.content.authorizationResponse; log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -))))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -)))) == false) { log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko))); if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)) == false) { // Set verdict p_result := -2; } else { // Set verdict p_result := -3; } } else { // Verify AT Certificate signature if (f_verifyCertificateSignatureWithIssuingCertificate(v_etsi_ts_102941_data.content.authorizationResponse.certificate, vc_aaCertificate) == false) { // Set verdict p_result := -4; } log("f_verify_http_at_response_from_iut_aa: Well-secured AT certificate received"); } } log("<<< f_verify_http_at_response_from_iut_aa: p_result: ", p_result); } // End of function f_verify_http_at_response_from_iut_aa } // End of group aa_helpers // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.1 Authorization request handling group aa_authorization_request { /** * @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the EA/AA is able to verify the inner signature * Check that the EA/AA is able to verify the request authenticity using the hmacKey verification * Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA *
* Pics Selection: PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT receives an EtsiTs103097Data message * containing content.encryptedData * containing recipients * containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the certificate CERT_AA * and containing encKey * indicating symmetric key (S_KEY) * encrypted with the private key correspondent to the AA_ENC_PUB_KEY * and containing cyphertext (ENC_DATA) * containing encrypted representation of the EtsiTs103097Data-Signed * containing content.signedData * containing hashId * indicating valid hash algorythm * and containing signer * containing self * and containing tbsData (SIGNED_DATA) * containing payload * containing EtsiTs102941Data * containing content.authorizationRequest * containing publicKeys.verificationKey (V_KEY) * and containing hmacKey (HMAC) * and containing sharedAtRequest * containing keyTag (KEY_TAG) * and containing eaId (EA_ID) * indicating HashedId8 of the known EA certificate * and containing signature (SIGNATURE) * } * then { * the IUT is able to decrypt the S_KEY * using the private key * corresponding to the AA_ENC_PUB_KEY * and the IUT is able to decrypt the cypthertext ENC_DATA * using the S_KEY * and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA * using the V_KEY * and the IUT is able to verify integrity of HMAC and KEY_TAG * and the IUT sends the AuthorizationValidationRequest message to the EA * identified by the EA_ID * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***"); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; var SharedAtRequest v_shared_at_request; var Oct16 v_aes_sym_key_atv; var Oct8 v_aes_sym_key_atv_hashed_id8; var octetstring v_request_hash_atv; var Oct16 v_aes_enc_key_atv; var AuthorizationValidationResponse v_authorization_validation_response; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result); v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response // Set verdict, don't care of the v_result, out if scope for this test log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8; log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***"); repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_01_BV /** * @desc Check that the AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate * Check that the AA is able to verify the request authenticity using the hmacKey verification * Check that the AA sends the AuthorizationValidationRequest message to the correspondent EA *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT receives an EtsiTs103097Data message * containing content.encryptedData * containing recipients * containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the certificate CERT_AA * and containing encKey * indicating symmetric key (S_KEY) * encrypted with the private key correspondent to the AA_ENC_PUB_KEY * and containing cyphertext (ENC_DATA) * containing EtsiTs102941Data * containing content.authorizationRequest * containing publicKeys.verificationKey (V_KEY) * and containing hmacKey (HMAC) * and containing sharedAtRequest * containing keyTag (KEY_TAG) * and containing eaId (EA_ID) * indicating HashedId8 of the known EA certificate * } * then { * the IUT is able to decrypt the S_KEY * using the private key * corresponding to the AA_ENC_PUB_KEY * and the IUT is able to decrypt the cypthertext ENC_DATA * using the S_KEY * and the IUT is able to verify integrity of HMAC and KEY_TAG * and the IUT sends the AuthorizationValidationRequest message to the EA * identified by the EA_ID * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_02_BV * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE or PICS_PKI_AUTH_POP) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationResponse= ", v_authorization_response, " ***"); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: Well-secured AT certificate received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify AT response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; var SharedAtRequest v_shared_at_request; var Oct16 v_aes_sym_key_atv; var octetstring v_request_hash_atv; var Oct8 v_aes_sym_key_atv_hashed_id8; var Oct16 v_aes_enc_key_atv; var AuthorizationValidationResponse v_authorization_validation_response; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result); v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response // Set verdict, don't care of the v_result, out if scope for this test log("*** " & testcasename() & ": INFO: IUT has sent AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8; log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); log("*** " & testcasename() & ": INFO: AuthorizationValidation process done ***"); repeat; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_02_BV /** * @desc Check that the AA skips the AuthorizationRequest message if it is not addressed to this AA *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT receives an EtsiTs103097Data message * containing content.encryptedData * containing recipients * containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * NOT equal to the HashedId8 of the certificate CERT_AA * and containing encKey * indicating symmetric key (S_KEY) * encrypted with the private key correspondent to the AA_ENC_PUB_KEY * } * then { * the IUT does not send the AuthorizationValidationRequest message * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_03_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_03_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, true, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_noac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_noac.stop; log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT has discarded the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_03_BI /** * @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT receives an EtsiTs103097Data message * containing content.encryptedData * containing recipients * containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating value * equal to the HashedId8 of the certificate CERT_AA * and containing encKey * indicating symmetric key (S_KEY) * encrypted with the OTHER private key correspondent to the AA_ENC_PUB_KEY * } * then { * the IUT does not send the AuthorizationValidationRequest message * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_04_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_04_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_private_key(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_noac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_noac.stop; log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT has discarded the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_04_BI /** * @desc Check that the AA skips the AuthorizationRequest message if it unable to decrypt the encKey *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT receives an EtsiTs103097Data message * containing content.encryptedData * containing recipients[0].encKey * indicating encrypted symmetric key (S_KEY) * and containing cyphertext (ENC_DATA) * encrypted with the OTHER key than S_KEY * } * then { * the IUT does not send the AuthorizationValidationRequest message * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_05_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_05_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, -, true, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_noac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_noac.stop; log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_noac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_noac.timeout { log("*** " & testcasename() & ": PASS: IUT has discarded the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_05_BI /** * @desc Check that the AA rejects the AuthorizationRequest message if it unable to verify the POP signature *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT is received the EtsiTs103097Data message * containing content.encryptedData.cyphertext * containing encrypted representation of the EtsiTs103097Data-Signed (SIGNED_DATA) * containing content.signedData * containing tbsData * containing payload * containing EtsiTs102941Data * containing content.authorizationRequest * containing publicKeys.verificationKey (V_KEY) * and containing signature (SIGNATURE) * indicating value calculated with OTHER key than private key correspondent to V_KEY * } * then { * the IUT does not send the AuthorizationValidationRequest message * and the IUT sends to the TS the AuthorizationResponse message * containing authorizationResponse * containing requestHash * indicating the leftmost 16 bits of the SHA256 value * calculated over the SIGNED_DATA * and containing responseCode * indicating the value NOT EQUAL to 0 * and not containing certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_06_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_06_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, true, -, -, -, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_06_BI /** * @desc Check that the AA rejects the AuthorizationRequest message if it unable to verify the integrity of the request using hmacKey *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA/AA in "operational state" * authorized with the certificate CERT_AA * containing encryptionKey (AA_ENC_PUB_KEY) * } * Expected behaviour: * ensure that { * when { * the IUT is received the EtsiTs103097Data message * containing EtsiTs102941Data * containing content.authorizationRequest * containing hmacKey (HMAC) * and containing sharedAtRequest * containing keyTag (KEY_TAG) * indicating wrong value * } * then { * the IUT does not send the AuthorizationValidationRequest message * and the IUT sends to the TS the AuthorizationResponse message * containing authorizationResponse * containing requestHash * indicating the leftmost 16 bits of the SHA256 value * calculated over the X_HASH_STRUCTURE * and containing responseCode * indicating the value NOT EQUAL to 0 * and not containing certificate * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_07_BI * @reference ETSI TS 102 941, clause 6.2.3.3.1 */ testcase TC_SECPKI_AA_AUTH_RCV_07_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, true, -, -, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": PASS: IUT has rejected the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_07_BI /** * @desc Send a correctly encoded AT request, but the ITS-Station is not enrolled at the EA */ testcase TC_SECPKI_AA_AUTH_RCV_08_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request_with_wrong_parameters( { valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR })) }, PICS_INVALID_ITS_S_CANONICAL_ID, f_getCurrentTime() / 1000, valueof(m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)), -, v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request ); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, true, -, -, -, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, unknownits)) == true) { log("*** " & testcasename() & ": PASS: Error code is unknownits ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be unknownits ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_08_BI /** * @desc Send an AT request, but the inner signer (valid EC) is not issued by the EA which is known / trusted by the AA. The AA trusts only EAs listet on the RCA-CTL. */ testcase TC_SECPKI_AA_AUTH_RCV_09_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request_with_wrong_parameters(v_ec_certificate, v_private_key_ec, -, -, -, -, -, true, -, -, -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, its_aa_unknownea)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not process the AtV request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_09_BI /** * @desc Send an AT request, but the generation time of the CSR is in the past. */ testcase TC_SECPKI_AA_AUTH_RCV_10_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, -, -, f_getCurrentTime() / 2, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, its_aa_outofsyncrequest)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_10_BI /** * @desc Send an AT request, but the generation time of the CSR is in the future. */ testcase TC_SECPKI_AA_AUTH_RCV_11_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, -, -, f_getCurrentTime() * 2, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, its_aa_outofsyncrequest)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_11_BI /** * @desc Send an AT request, but the expiry date of the CSR is before the start date of the EC. */ testcase TC_SECPKI_AA_AUTH_RCV_12_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_12_BI /** * @desc Send an AT request, but the start date of the CSR is before the start date of the EC. */ testcase TC_SECPKI_AA_AUTH_RCV_13_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, vc_eaCertificate.toBeSigned.validityPeriod.start_ / 2, m_duration_years(50), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_13_BI /** * @desc Send an AT request, but the expiry date of the CSR is after the expiry date of the EC. */ testcase TC_SECPKI_AA_AUTH_RCV_14_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, f_getCurrentTime() / 1000, m_duration_years(100), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_14_BI /** * @desc Send an AT request, but the start date of the CSR is after the expiring date of the EC. */ testcase TC_SECPKI_AA_AUTH_RCV_15_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, 2 * f_getCurrentTime() / 1000, m_duration_years(1), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_15_BI /** * @desc Send an AT request, but the expiry date of the CSR is after now + maximum pre-loading period (considering values in C-ITS CP). */ testcase TC_SECPKI_AA_AUTH_RCV_16_BI() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var HashedId8 v_ec_cert_hash_256; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var Oct32 v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble if (PICS_SIMULATE_EA_ENTITY) { f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } else { if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hash_256, v_inner_ec_response) == false) { log("*** " & testcasename() & ": INCONC: Enrolment failed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); } else { log("*** " & testcasename() & ": INFO: Enrolment succeed ***"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); } v_ec_certificate := v_inner_ec_response.certificate; log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); } // Test Body f_http_build_authorization_request_with_wrong_parameters(v_inner_ec_response.certificate, v_private_key_ec, -, -, -, -, -, -, f_getCurrentTime() / 1000, m_duration_in_hours(15*24/* ts_102941v010301 Clause7.2.1*/), -, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; var InnerAtResponse v_authorization_validation_response; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_authorization_validation_response, v_result); log("*** " & testcasename() & ": INFO: AuthorizationValidationResponse= ", v_authorization_validation_response, " ***"); // Set verdict if (v_result == -3) { log("*** " & testcasename() & ": INFO: IUT has rejected the request ***"); if (match(v_authorization_validation_response, mw_innerAtResponse_ko(-, deniedpermissions)) == true) { log("*** " & testcasename() & ": PASS: Error code is its_aa_unknownea ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Expected error code should be its_aa_outofsyncrequest ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } else { log("*** " & testcasename() & ": FAIL: IUT shall not process the request ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] a_await_at_http_response_from_iut(mw_http_response(mw_http_response_ko), v_response) { tc_ac.stop; log("*** " & testcasename() & ": FAIL: IUT shall not respond with HTTP error ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } [] tc_ac.timeout { log("*** " & testcasename() & ": FAIL: No response received from the IUT ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTH_RCV_16_BI } // End of group aa_authorization_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.2 Authorization validation request group aa_authorization_validation_request { /** * @desc Check that the AA sends AuthorizationValidationRequest after receiving of the AuthorizationRequest. *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA in "operational" state * authorized with CERT_EA certificate * } * Expected behaviour: * ensure that { * when { * the IUT received the AuthorizationRequest * } * then { * the IUT sends the EtsiTs103097Data message to the ITSS * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; var SharedAtRequest v_shared_at_request; var Oct16 v_aes_sym_key_atv; var Oct8 v_aes_sym_key_atv_hashed_id8; var octetstring v_request_hash_atv; var Oct16 v_aes_enc_key_atv; var AuthorizationValidationResponse v_authorization_validation_response; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result); v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response if (v_result == 0) { log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Send AuthorizationValidation response to finalize the exchange log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8; log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data); } else { log("*** " & testcasename() & ": FAIL: IUT has sent AuthorizationValidation request ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); // Send AuthorizationValidation response to finalize the exchange f_http_build_authorization_validation_response(v_shared_at_request, cantparse, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8; } f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble tc_ac.start; // Continue to finalyze the process alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTHVAL_01_BV /** * @desc Check that the AuthorizationValidationRequest message is encrypted using approved algorithm and sent to only one Enrolment Authority *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA in "operational" state * authorized with CERT_EA certificate * } * Expected behaviour: * ensure that { * when { * the IUT received the AuthorizationRequest * } * then { * the IUT sends the EtsiTs103097Data message * containing content.encryptedData.recipients * indicating size 1 * and containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the CERT_EA * and containing encKey * containing eciesNistP256 * or containing eciesBrainpoolP256r1 * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_02_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcResponse v_inner_ec_response; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer p_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var HashedId8 v_ec_certificate_hashed_id8; // Test control if (not PICS_IUT_AA_ROLE or not PICS_PKI_AUTH_POP) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE and PICS_PKI_AUTH_POP required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); log("*** " & testcasename() & ": DEBUG: v_ec_certificate= ", v_ec_certificate); log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, p_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); tc_ac.start; alt { [] a_await_atv_http_request_from_iut( mw_http_request( mw_http_request_post( "/Auth", //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; var SharedAtRequest v_shared_at_request; var Oct16 v_aes_sym_key_atv; var Oct8 v_aes_sym_key_atv_hashed_id8; var octetstring v_request_hash_atv; var Oct16 v_aes_enc_key_atv; var AuthorizationValidationResponse v_authorization_validation_response; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key_atv, v_request_hash_atv, v_shared_at_request, v_result); v_aes_sym_key_atv_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key_atv)); // Used to build the response if (v_result == 0) { log("*** " & testcasename() & ": PASS: IUT has sent AuthorizationValidation request ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Send AuthorizationValidation response to finalize the exchange log("*** " & testcasename() & ": INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8; log("*** " & testcasename() & ": v_ieee1609dot2_signed_and_encrypted_data with new pskRecipInfo: ", v_ieee1609dot2_signed_and_encrypted_data); } else { log("*** " & testcasename() & ": FAIL: IUT has sent AuthorizationValidation request ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); // Send AuthorizationValidation response to finalize the exchange f_http_build_authorization_validation_response(v_shared_at_request, cantparse, v_request_hash_atv, vc_eaPrivateKey, vc_eaWholeHash, v_aes_sym_key_atv, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); v_ieee1609dot2_signed_and_encrypted_data.content.encryptedData.recipients[0].pskRecipInfo := v_aes_sym_key_atv_hashed_id8; } f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble tc_ac.start; // Continue to finalyze the process alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationResponseMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { tc_ac.stop; } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_AUTHVAL_02_BV } // End of group aa_authorization_validation_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.3 Authorization validation response handling group aa_authorization_validation_response { /** * @desc Check that the AA sends AuthorizationResponse after receiving the AuthorizationRequest. *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the ITSS in "enrolled" state * the EA in "operational" state * and the IUT(AA) in "operational" state * and the IUT had received the AuthorizationRequest from the ITSS * and the IUT sent the AuthorizationValidationRequest * } * Expected behaviour: * ensure that { * when { * the IUT received the AuthorizationValidationResponseMessage * } * then { * the IUT sends the EtsiTs103097Data message to the ITSS * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem { // Local variables var ItsPkiHttp v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp02(v_itss, v_ea); // Test adapter configuration // Start components v_itss.start(f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss()); v_ea.start(f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); f_cfMtcDown02(v_itss, v_ea); } // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_01_BV group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV { function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; var HashedId8 v_ec_certificate_hashed_id8; // Test component configuration f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Generate EC certificate f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); // Send AuthorizationRequest f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test body tc_ac.start; alt { // Wait for AuthorizationResponse [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo, * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); if ((v_result != -2) and (v_result != -3)) { // Additinal shecks where done by TC_SECPKI_AA_AUTH_01_BV log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: PASS: Received exptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: FAIL: Unexptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } [] tc_ac.timeout { log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss: INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_itss(); } // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_itss function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key := int2oct(0, 16); var SharedAtRequest v_shared_at_request; var AuthorizationValidationResponse v_authorization_validation_response; // Test component configuration f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test body tc_ac.start; alt { [] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA mw_http_request( mw_http_request_post( -, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; tc_ac.stop; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result); // Set verdict if (v_result == 0) { log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: PASS: IUT has sent AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: FAIL: Failed to verify AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea: INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_ea(); } // End of function f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV_ea } // End of group f_TC_SECPKI_AA_AUTHVAL_RCV_01_BV /** * @desc Check that AA doesn't accept Authorization Validation Response message when this message is * signed with certificate without appropriate permissions *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the ITSS in "enrolled" state * the EA in "operational" state * and the IUT(AA) in "operational" state * and the IUT had received the AuthorizationRequest from the ITSS * and the IUT sent the AuthorizationValidationRequest * } * Expected behaviour: * ensure that { * when { * the IUT receives the AuthorizationValidationResponseMessage * containing signer * containing digest * indicating HashedId8 of the certificate * containing appPermissions * not containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * or containing an item of type PsidSsp * containing psid * indicating AID_CERT_REQ * and containing ssp * containing opaque[0] (version) * indicating other value than 1 * or containing opaque[1] (value) * indicating "AuthorizationValidationResponse" (bit 4) set to 0 * } * then { * the IUT answers with an AuthorisationValidationResponseMessage * containing responseCode * indicating non-zero value * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_RCV_02_BI * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI() runs on ItsPkiHttp system ItsPkiHttpSystem {} // End of testcase TC_SECPKI_AA_AUTHVAL_RCV_02_BI } // End of group aa_authorization_validation_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.4 Authorization response group aa_authorization_response { /** * @desc Check that the AA sends encrypted authorization response. *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the ITS-S in "enrolled" state and * the ITS-S has sent the AuthorizationRequestMessage * containing encrypted enkKey * containing AES symmetric key (SYM_KEY) and * the EA in "operational" state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to send the authorization response to the ITS-S * } * then { * the IUT is triggered to send the authorization response to the ITS-S * containing content.encryptedData * containing recipients of size 1 * containing the instance of RecipientInfo * containing pskRecipInfo * indicating HashedId8 of the SYM_KEY * and containing cyphertext * encrypted using SYM_KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTH_01_BV() runs on ServerSyncComp system ItsPkiHttpSystem { // Local variables var ItsPkiHttp v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp02(v_itss, v_ea); // Test adapter configuration // Start components v_itss.start(f_TC_SECPKI_AA_AUTH_01_BV_itss()); v_ea.start(f_TC_SECPKI_AA_AUTH_01_BV_ea()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); f_cfMtcDown02(v_itss, v_ea); } // End of testcase TC_SECPKI_AA_AUTH_01_BV group f_TC_SECPKI_AA_AUTH_01_BV { function f_TC_SECPKI_AA_AUTH_01_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; var HashedId8 v_ec_certificate_hashed_id8; // Test component configuration f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Generate EC certificate f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); // Send AuthorizationRequest f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo, * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); if ((v_result != -2) and (v_result != -3)){ log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: PASS: Received exptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: FAIL: Unexptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } [] tc_ac.timeout { log("*** f_TC_SECPKI_AA_AUTH_01_BV_itss: INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_itss(); } // End of function f_TC_SECPKI_AA_AUTH_01_BV_itss function f_TC_SECPKI_AA_AUTH_01_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key := int2oct(0, 16); var SharedAtRequest v_shared_at_request; var AuthorizationValidationResponse v_authorization_validation_response; // Test component configuration f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA mw_http_request( mw_http_request_post( -, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; tc_ac.stop; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result); // Set verdict if (v_result == 0) { log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: IUT has sent AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INCONC: Failed to verify AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } [] tc_ac.timeout { log("*** f_TC_SECPKI_AA_AUTH_01_BV_ea: INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout); } } // End of 'alt' statement // Test body f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble // TODO Wait for AuthorizationResponse f_cfHttpDown_ea(); } // End of function f_TC_SECPKI_AA_AUTH } // End of group f_TC_SECPKI_AA_AUTH_01_BV /** * @desc Check that the AA sends signed authorization response. *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the ITS-S in "enrolled" state and * the IUT(AA) in 'operational' state * authorized with CERT_AA certificate * and the EA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to send the authorization response to the ITS-S * } * then { * the IUT is triggered to send the authorization response to the ITS-S * containing the EtsiTs103097Data-Signed * containing signedData * containing signer * containing digest * indicating HashedId8 value of the CERT_AA * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTH_02_BV() runs on ServerSyncComp system ItsPkiHttpSystem { // Local variables var ItsPkiHttp v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp02(v_itss, v_ea); // Test adapter configuration // Start components v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss()); v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); f_cfMtcDown02(v_itss, v_ea); } // End of testcase TC_SECPKI_AA_AUTH_02_BV group f_TC_SECPKI_AA_AUTH_02_BV { function f_TC_SECPKI_AA_AUTH_02_BV_itss() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct16 v_authentication_vector; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key; var InnerAtRequest v_inner_at_request; var InnerAtResponse v_inner_at_response; var HashedId8 v_ec_certificate_hashed_id8; // Test component configuration f_cfHttpUp_itss(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble // Generate EC certificate f_generate_inner_ec_request(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_request); f_generate_ec_certificate_for_inner_ec_response(v_inner_ec_request, v_private_key_ec, vc_eaWholeHash, v_ec_certificate, v_ec_certificate_hashed_id8); // Send AuthorizationRequest f_http_build_authorization_request(v_ec_certificate, v_private_key_ec, v_private_key_at, v_public_compressed_key_at, v_compressed_mode_at, v_private_enc_key_at, v_public_compressed_enc_key_at, v_compressed_enc_mode_at, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "inner_at_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test body tc_ac.start; alt { [] a_await_at_http_response_from_iut( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_pskRecipInfo, * }, mw_symmetricCiphertext_aes128ccm )))))), v_response ) { var integer v_result; tc_ac.stop; f_verify_http_at_response_from_iut_aa(v_response.response, v_private_key_at, v_aes_sym_key, v_authentication_vector, v_request_hash, v_inner_at_response, v_result); if (v_result == 0) { log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: PASS: Received exptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: FAIL: Unexptected response ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } [] tc_ac.timeout { log("*** f_TC_SECPKI_AA_AUTH_02_BV_itss: INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_itss(); } // End of function f_TC_SECPKI_AA_AUTH_02_BV_itss function f_TC_SECPKI_AA_AUTH_02_BV_ea() runs on ItsPkiHttp system ItsPkiHttpSystem { var Oct32 v_private_key_ec; var Oct32 v_public_compressed_key_ec; var integer v_compressed_key_mode_ec; var InnerEcRequest v_inner_ec_request; var EtsiTs103097Certificate v_ec_certificate; var Oct32 v_private_key_at; var Oct32 v_public_compressed_key_at; var integer v_compressed_mode_at; var Oct32 v_private_enc_key_at; var Oct32 v_public_compressed_enc_key_at; var integer v_compressed_enc_mode_at; var octetstring v_request_hash; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var HashedId8 v_aes_sym_key_hashed_id8; var Oct12 v_nonce; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_request; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_aes_enc_key := int2oct(0, 16); var SharedAtRequest v_shared_at_request; var AuthorizationValidationResponse v_authorization_validation_response; // Test component configuration f_cfHttpUp_ea(cc_taCert_A_EA, PICS_IUT_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble tc_ac.start; alt { [] a_await_atv_http_request_from_iut( // Wait for authorizationValidation Request from IUT to EA mw_http_request( mw_http_request_post( -, //FIXME: Use another PIXIT than PICS_HTTP_POST_URI_ATV, -, mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_authorizationRequestMessage( mw_encryptedData( { *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_eaHashedId8)), * }, mw_symmetricCiphertext_aes128ccm )))))), v_request ) { var integer v_result; tc_ac.stop; f_verify_http_at_request_from_iut_atv(v_request.request, v_aes_sym_key, v_request_hash, v_shared_at_request, v_result); // Set verdict if (v_result == 0) { log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: IUT has sent AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, ok, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_response( m_http_response_ok( m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data )), v_headers ))); f_selfOrClientSyncAndVerdict(c_prDone, e_success); } else { log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INCONC: Failed to verify AuthorizationValidation request ***"); // Send AuthorizationValidation response to finalize the exchange log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INFO: Send AuthorizationValidation response to finalize the exchange ***"); f_init_default_headers_list(-, "inner_atv_response", v_headers); f_http_build_authorization_validation_response(v_shared_at_request, deniedpermissions, v_request_hash, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_authorization_validation_response, v_ieee1609dot2_signed_and_encrypted_data); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_AT, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } } [] tc_ac.timeout { log("*** f_TC_SECPKI_AA_AUTH_02_BV_ea: INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_timeout); } } // End of 'alt' statement // Test body f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble // TODO Wait for AuthorizationResponse f_cfHttpDown_ea(); } // End of function f_TC_SECPKI_AA_AUTH } // End of group f_TC_SECPKI_AA_AUTH_02_BV /** * @desc Check that the AA sends signed authorization response with signature properly calculated using approved hash algorithm. *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the ITS-S in "enrolled" state and * the IUT(AA) in 'operational' state * authorized with CERT_AA certificate * containing verificationKey (AA_PUB_V_KEY) * and the EA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to send the authorization response to the ITS-S * } * then { * the IUT is triggered to send the authorization response to the ITS-S * containing the EtsiTs103097Data-Signed * containing signedData * containing hashId * indicating supported hash algorithm (HASH_ALG) * and containing signature * calculated using the HASH_ALG and private key correspondent to the AA_PUB_V_KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTH_03_BV() runs on ServerSyncComp system ItsPkiHttpSystem { // Local variables var ItsPkiHttp v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp02(v_itss, v_ea); // Test adapter configuration // Start components v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss()); v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); f_cfMtcDown02(v_itss, v_ea); } // End of testcase TC_SECPKI_AA_AUTH_03_BV /** * @desc Check that the AA sends signed AuthorizationResponseMessage using valid ITS AID and only allowed headers. *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the ITS-S in "enrolled" state and * the IUT(AA) in 'operational' state * and the EA in 'operational' state * } * Expected behaviour: * ensure that { * when { * the IUT is triggered to send the authorization response to the ITS-S * } * then { * the IUT is triggered to send the authorization response to the ITS-S * containing the EtsiTs103097Data-Signed * containing signedData * containing tbsData * containing psid * indicating AID_PKI_CERT_REQUEST * and containing generationTime * and not containing any other headers * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_02_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_AUTH_04_BV() runs on ServerSyncComp system ItsPkiHttpSystem { // Local variables var ItsPkiHttp v_itss; var ItsPkiHttp v_ea; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfMtcUp02(v_itss, v_ea); // Test adapter configuration // Start components v_itss.start(f_TC_SECPKI_AA_AUTH_02_BV_itss()); v_ea.start(f_TC_SECPKI_AA_AUTH_02_BV_ea()); // Synchronization f_serverSync2ClientsAndStop({c_prDone, c_tbDone}); f_cfMtcDown02(v_itss, v_ea); } // End of testcase TC_SECPKI_AA_AUTH_04_BV } // End of group aa_authorization_response // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.5 CA Certificate Request group aa_ca_certificates_request { // TODO } // End of group aa_ca_certificates_request // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.5.6 Authorization using butterfly key expansion mechanism group aa_authorization_with_bfk { group bfk_cert_request_helpers { function f_trigger_butterfly_cert_request( out HashedId8 p_aes_sym_key_hashed_id8, out RaAcaCertRequest p_ra_aca_cert_request ) runs on ItsPkiHttp { // Local variables var octetstring v_caterpillar_private_key var octetstring v_caterpillar_public_key_compressed; var integer v_caterpillar_compressed_mode; var octetstring v_caterpillar_enc_private_key var octetstring v_caterpillar_enc_public_key_compressed; var integer v_caterpillar_enc_compressed_mode; var EeRaCertRequest v_ee_ra_cert_request; var octetstring v_private_key; var Oct16 v_encrypted_sym_key; var Oct16 v_aes_sym_key; var Oct16 v_authentication_vector; var Oct12 v_nonce; var Oct32 v_request_hash; var octetstring v_salt; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var Headers v_headers; var HttpMessage v_response; var EtsiTs102941Data v_etsi_ts_102941_data; // Generate EeRaCertRequest if (f_generate_ee_ra_cert_request(v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_ee_ra_cert_request) == false) { log("*** f_trigger_butterfly_cert_request: ERROR: Failed to generate InnerEcRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log ("f_trigger_butterfly_cert_request: p_ee_ra_cert_request: ", v_ee_ra_cert_request); // Buikd theHTTP request f_http_build_butterfly_cert_request(v_ee_ra_cert_request, vc_eaPrivateKey, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, p_ra_aca_cert_request, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash); p_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response f_init_default_headers_list(-, "bfk_cert_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_post( PICS_HTTP_POST_URI_BFK_AA, v_headers, m_http_message_body_binary( m_binary_body_ieee1609dot2_data( v_ieee1609dot2_signed_and_encrypted_data ))))); } // End of function f_trigger_butterfly_cert_request function f_verify_http_butterfly_cert_request_message_to_ea( in Request p_request, in Headers p_headers, out integer p_result, out AcaRaCertResponse p_aca_ra_cert_response ) runs on ItsPkiHttp { // Local variables var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var template (value) HttpMessage v_response; var Oct16 v_request_hash; var HashedId8 v_bfk_hashed_id8; var Oct16 v_aes_enc_key; log(">>> f_verify_http_butterfly_cert_request_message_to_ea: ", p_request); p_result := 0; if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, omit, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -1; } else { var UInt64 v_current_time := f_getCurrentTimeUtc(); var UInt64 v_delta_time := 30; log("f_verify_http_butterfly_cert_request_message_to_ea: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) { // Send error message v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message // Set verdict p_result := -2; } else { // TODO Add checked ??? } } log("<<< f_verify_http_butterfly_cert_request_message_to_ea: p_result: ", p_result); } // End of function f_verify_http_butterfly_cert_request_message_to_ea } // End of group bfk_cert_request_helpers /** * @desc Check that the AA sends the butterfly certificate response message after receiving of the butterfly certificate request * Check that this message is encrypted using the same symmetric encryption key as the butterfly certificate request message *
* Pics Selection: PICS_IUT_AA_ROLE * Initial conditions: * with { * the EA in "operational" state * authorized with CERT_AA certificate * } * Expected behaviour: * ensure that { * when { * the IUT received the ButterflyCertificateRequestMessage * containing content.encryptedData.recipients * containing the instance of RecipientInfo * containing certRecipInfo * containing recipientId * indicating HashedId8 of the CERT_AA * and containing encKey * containing encrypted symmetric encryption key (ENC_KEY) * } * then { * the IUT sends to the EA a EtsiTs103097Data-Encrypted * containing content.encryptedData.recipients * indicating size 1 * and containing the instance of RecipientInfo * containing pskRecipInfo * indicating HashedId8 of the ENC_KEY * } * } ** * @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTHVAL_01_BV * @reference ETSI TS 102 941, clause 6.2.3.3.2 */ testcase TC_SECPKI_AA_BFK_AUTH_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var HashedId8 v_aes_sym_key_hashed_id8; var Headers v_headers; var HttpMessage v_request; var integer v_result; var RaAcaCertRequest v_ra_aca_cert_request; var AcaRaCertResponse v_aca_ra_cert_response; // Test control if (not PICS_IUT_AA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_AA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_trigger_butterfly_cert_request(v_aes_sym_key_hashed_id8, v_ra_aca_cert_request); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_ac.start; alt { [] httpAtVPort.receive( mw_http_request( mw_http_request_post( -, // URI v_headers, // Headers mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_butterflyCertResponseMessage( mw_encryptedData )))))) -> value v_request { tc_ac.stop; f_verify_http_butterfly_cert_request_message_to_ea(v_request.request, v_headers, v_result, v_aca_ra_cert_response); // Set verdict if (v_result == 0) { log("*** " & testcasename() & ": PASS: ButterflyCertResponsetMessage received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertResponsetMessage ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_error); } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_AA_BFK_AUTH_01_BV } // End of group aa_authorization_with_bfk } // End of group aa_beavior // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.6 RootCA behaviour group ca_behavior { // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.6.1 CTL generation group ca_ctl_generation { /** * @desc Check that the RootCA generates the Full CTL when new EA is about to be added to the Root CTL *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * } * Expected behaviour: * ensure that { * when { * the RootCA is triggered to add new EA certificate (CERT_EA) in the CTL * } * then { * the IUT issue a new CTL of type CtlFormat * containing isFullCtl * indicating TRUE * and containing ctlCommands * containing CtlCommand * containing add * containing ea * containing eaCertificate * indicating CERT_EA * } * } ** * @see ETSI TS 103 525-2 TP RCA_CTLGEN_01_BV * @reference ETSI TS 102 941, clause 6.3.2 and 6.3.4 */ testcase TC_RCA_CTLGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Headers v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp_ca(); // Test adapter configuration // Preamble f_init_default_headers_list(PICS_HEADER_CTL_CONTENT_TYPE, "ca_request", v_headers); action("The RootCA is triggered to add new EA certificate (CERT_EA) in the CTL"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_get( PICS_HTTP_GET_URI_CTL, v_headers ))); tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ), ? ))))))) -> value v_response { var charstring_list v_etag; var ToBeSignedRcaCtl v_to_be_signed_rca_ctl; tc_ac.stop; // Check ETag header if (f_check_headers(v_response.response.header, c_etag_http_header) == false) { log("*** " & testcasename() & ": INFO: 'ETag' HTTP header not set ***"); //f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } else { f_get_header(v_response.response.header, c_etag_http_header, v_etag); log("*** " & testcasename() & ": INFO: ETag= ", v_etag[0]); } if (f_verify_rca_ctl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_rca_ctl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_ctl(v_to_be_signed_rca_ctl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [PICS_MULTIPLE_END_POINT] httpCaPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ), ? ))))))) -> value v_response { var charstring_list v_etag; var ToBeSignedRcaCtl v_to_be_signed_rca_ctl; tc_ac.stop; // Check ETag header if (f_check_headers(v_response.response.header, c_etag_http_header) == false) { log("*** " & testcasename() & ": INCONC: 'ETag' HTTP header not set ***"); //f_selfOrClientSyncAndVerdict(c_prDone, e_timeout); } else { f_get_header(v_response.response.header, c_etag_http_header, v_etag); log("*** " & testcasename() & ": INFO: ETag= ", v_etag[0]); } if (f_verify_rca_ctl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_rca_ctl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_ctl(v_to_be_signed_rca_ctl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_ca(); } // End of testcase TC_RCA_CTLGEN_01_BV } // End of ca_group ctl_generation // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.6.2 CRL generation group ca_crl_generation { /** * @desc Check that the RootCA generates the CRL signed with appropriate certificate *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * } * Expected behaviour: * ensure that { * when { * the RootCA is triggered to add new CA certificate (CERT_CA) to the revocation list * } * then { * the IUT issue a new CRL of type ToBeSignedCrl * containing emtries * containing item of type CrlEntry * indicating HashedId8 of CERT_CA * } * } ** * @see ETSI TS 103 525-2 TP RCA_CRLGEN_01_BV * @reference ETSI TS 102 941, clause 6.3.3 */ testcase TC_RCA_CRLGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Headers v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp_ca(); // Test adapter configuration // Preamble f_init_default_headers_list(PICS_HEADER_CRL_CONTENT_TYPE, "ca_request", v_headers); action("the RootCA is triggered to generate new CRL"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_get( PICS_HTTP_GET_URI_CRL, v_headers ))); tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ), mw_signerIdentifier_digest ))))))) -> value v_response { var ToBeSignedCrl v_to_be_signed_crl; tc_ac.stop; if (f_verify_rca_crl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_crl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_crl(v_to_be_signed_crl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedCrl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [PICS_MULTIPLE_END_POINT] httpCaPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ), mw_signerIdentifier_digest ))))))) -> value v_response { var ToBeSignedCrl v_to_be_signed_crl; tc_ac.stop; if (f_verify_rca_crl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, true, v_to_be_signed_crl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_crl(v_to_be_signed_crl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedCrl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_ca(); } // End of testcase TC_RCA_CRLGEN_01_BV } // End of group ca_crl_generation } // End of group ca_behavior // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.7 DC behaviour group dc_behavior { // TODO } // End of group dc_behavior // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.8 TLM behaviour group tlm_behavior { // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.8.1 CTL generation group tlm_ctl_generation { /** * @desc Check that the TLM generates the ECTL when new RootCA is about to be added *
* Pics Selection: PICS_IUT_CA_ROLE * Initial conditions: * } * Expected behaviour: * ensure that { * when { * the TLM is triggered to add new RootCA certificate (CERT_RCA) in the CTL * } * then { * the IUT issue a new CTL of type CtlFormat * containing isFullCtl * indicating TRUE * and containing ctlCommands * containing CtlCommand * containing add * containing rca * containing selfsignedRootCa * indicating CERT_RCA * } * } ** * @see ETSI TS 103 525-2 TP TLM_ECTLGEN_01_BV * @reference ETSI TS 102 941, clause 6.3.1 */ testcase TC_TLM_ECTLGEN_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var Headers v_headers; var HttpMessage v_response; // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp_tlm(); // Test adapter configuration // Preamble f_init_default_headers_list(PICS_HEADER_CTL_CONTENT_TYPE, "tlm_request", v_headers); action("The TLM is triggered to add new RootCA certificate (CERT_RCA) in the CTL"); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body f_http_send( v_headers, m_http_request( m_http_request_get( PICS_HTTP_GET_URI_TLM, v_headers ))); tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ), - // Certificate or HasedId8 ))))))) -> value v_response { var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl; tc_ac.stop; // FIXME Can not verify signature, to be checked if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [PICS_MULTIPLE_END_POINT] httpTlmPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ), - // Certificate or HasedId8 ))))))) -> value v_response { var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl; tc_ac.stop; // FIXME Can not verify signature, to be checked if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown_tlm(); } // End of testcase TC_TLM_ECTLGEN_01_BV } // End of group tlm_ctl_generation } // End of group tlm_behavior // ETSI TS 103 525-2 V2.0.2 (2023-07) Clause 5.9 CPOC behaviour group cpoc_behavior { /** * @desc Check that the TLM CTL is published and accessible when issued *
* Pics Selection: * Initial conditions: * the TLM issued a new CTL * } * Expected behaviour: * ensure that { * when { * the ITS-S asked the IUT for the newly issued CTL * } * then { * the IUT is answered with this CTL * } * } ** * @see ETSI TS 103 525-2 TP SECPKI_CPOC_LISTDIST_01_BV * @reference ETSI TS 102 941, Clauses 6.3.2 and 6.3.3 */ testcase TC_SECPKI_CPOC_LISTDIST_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variable var Headers v_headers; var HttpMessage v_response; // Test component configuration f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID); // Test adapter configuration // Preamble f_init_default_headers_list(-, "cpoc_request", v_headers); f_http_send( v_headers, m_http_request( m_http_request_get( PICS_HTTP_GET_URI_TLM, v_headers ))); f_selfOrClientSyncAndVerdict(c_prDone, e_success); // Test Body tc_ac.start; alt { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ) ))))))) -> value v_response { var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl; tc_ac.stop; // FIXME Can not verify signature, to be checked if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify ECTL message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedTlmCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [PICS_MULTIPLE_END_POINT] httpPort.receive( mw_http_response( mw_http_response_ok( mw_http_message_body_binary( mw_binary_body_ieee1609dot2_data( mw_etsiTs103097Data_signed( mw_signedData( -, mw_toBeSignedData( mw_signedDataPayload ) ))))))) -> value v_response { var ToBeSignedTlmCtl v_to_be_signed_tlm_ectl; tc_ac.stop; // FIXME Can not verify signature, to be checked if (f_verify_tlm_ectl_response_message(v_response.response.body.binary_body.ieee1609dot2_data, false, v_to_be_signed_tlm_ectl) == false) { log("*** " & testcasename() & ": FAIL: Failed to verify ECTL message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } else { if (f_verify_full_ectl(v_to_be_signed_tlm_ectl) == true) { log("*** " & testcasename() & ": PASS: ToBeSignedTlmCtl received ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); } else { log("*** " & testcasename() & ": FAIL: Receive unexpected message ***"); f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); } } } [] tc_ac.timeout { log("*** " & testcasename() & ": INCONC: Expected message not received ***"); f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout); } } // End of 'alt' statement // Postamble f_cfHttpDown(); } // End of testcase TC_SECPKI_CPOC_LISTDIST_01_BV } // End of group cpoc_behavior group pki_platform_simu { /** * @desc Await for DC/CTL/CRL request and provides "CERT_IUT_A_RCA", "CERT_TS_A_AA", "CERT_TS_A_EA" certificates * It simulates the ETSI point of certificates distribution * Usage: curl 'http://192.168.1.43/dc/getctl/{hasehedid8}' --header 'Content-Type: application/x-its-ctl' --header 'Content-Text: ca_request' --output ctl.oer */ testcase TC_PKI_PLTF_RCV_BV_01() runs on ItsPkiHttp system ItsPkiHttpSystem { // Local variables var charstring v_rca_certificate_id := "CERT_IUT_A_RCA"; var charstring v_tlm_certificate_id := "CERT_IUT_A_RCA"; // TODO Need CERT_IUT_A_TLM certificate var charstring v_aa_certificate_id := "CERT_TS_A_AA"; var charstring v_ea_certificate_id := "CERT_TS_A_EA"; var Oct32 v_hash; var Oct8 v_rca_hashed_id8; var HttpMessage v_request; var boolean v_result := false; var ToBeSignedRcaCtl v_ctl; var Headers v_headers; var template (value) HttpMessage v_response; var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data; var EtsiTs102941Data v_etsi_ts_102941_data; var Oct16 v_request_hash; var Oct16 v_aes_enc_key; // Test component configuration f_cfHttpUp_ca(); // Test control if (not PICS_IUT_CA_ROLE) { log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } // Test component configuration f_cfHttpUp_ca(); // Preamble f_getCertificateHash256(v_rca_certificate_id, v_hash); v_rca_hashed_id8 := f_hashedId8FromSha256(v_hash); log("*** " & testcasename() & ": DEBUG: v_rca_hashed_id8= ", v_rca_hashed_id8); f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); // Test Body tc_wait.start; alt { [] a_await_dc_http_request_from_iut( // Await for DC request mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_DC & "/" & oct2str(v_rca_hashed_id8) )), v_request ) { var EtsiTs103097Certificate v_rca_certificate; tc_wait.stop; f_init_default_headers_list(-, "ca_response", v_headers); // Send message f_build_dc( v_rca_certificate_id, v_rca_certificate ); log("*** " & testcasename() & ": INFO: v_rca_certificate: ", v_rca_certificate); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_certificate(v_rca_certificate)), v_headers)); f_http_send(v_headers, v_response); log("*** " & testcasename() & ": INFO: ToBeSignedRcaCtl sent ***"); tc_wait.start; repeat; } [] a_await_ctl_http_request_from_iut( // Await for CTL request mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_CTL & "/" & oct2str(v_rca_hashed_id8) )), v_request ) { var ToBeSignedRcaCtl v_to_be_signed_rca_ctl; tc_wait.stop; f_init_default_headers_list(-, "ca_response", v_headers); // Send message f_build_ctl( v_ea_certificate_id, v_aa_certificate_id, v_rca_certificate_id, v_to_be_signed_rca_ctl ); log("*** " & testcasename() & ": INFO: v_to_be_signed_rca_ctl: ", v_to_be_signed_rca_ctl); f_sign_dc_ctl(v_rca_certificate_id, v_to_be_signed_rca_ctl, v_ieee1609dot2_signed_and_encrypted_data); log("*** " & testcasename() & ": INFO: v_ieee1609dot2_signed_and_encrypted_data: ", v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers)); f_http_send(v_headers, v_response); log("*** " & testcasename() & ": INFO: ToBeSignedRcaCtl sent ***"); tc_wait.start; repeat; } [] a_await_crl_http_request_from_iut( // Await for CTL request mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_CRL & "/" & oct2str(v_rca_hashed_id8) )), v_request ) { var ToBeSignedCrl v_to_be_signed_crl; tc_wait.stop; f_init_default_headers_list(-, "ca_response", v_headers); // Send message f_build_crl( -, -, v_to_be_signed_crl ); log("*** " & testcasename() & ": INFO: v_to_be_signed_crl: ", v_to_be_signed_crl); f_sign_dc_crl(v_rca_certificate_id, v_to_be_signed_crl, v_ieee1609dot2_signed_and_encrypted_data); log("*** " & testcasename() & ": INFO: v_ieee1609dot2_signed_and_encrypted_data: ", v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers)); f_http_send(v_headers, v_response); log("*** " & testcasename() & ": INFO: ToBeSignedCRl sent ***"); tc_wait.start; repeat; } [] a_await_cpoc_http_request_from_iut( // Await for TLM request (E-CPOC) mw_http_request( mw_http_request_get( PICS_HTTP_GET_URI_TLM & "/" & oct2str(v_rca_hashed_id8) )), v_request ) { var ToBeSignedTlmCtl v_to_be_signed_tlm_ctl; tc_wait.stop; f_init_default_headers_list(-, "ca_response", v_headers); // Send message f_build_tlm( v_tlm_certificate_id, v_rca_certificate_id, v_to_be_signed_tlm_ctl ); log("*** " & testcasename() & ": INFO: v_to_be_signed_tlm_ctl: ", v_to_be_signed_tlm_ctl); f_sign_dc_ctl(v_rca_certificate_id, v_to_be_signed_tlm_ctl, v_ieee1609dot2_signed_and_encrypted_data); log("*** " & testcasename() & ": INFO: v_ieee1609dot2_signed_and_encrypted_data: ", v_ieee1609dot2_signed_and_encrypted_data); v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers)); f_http_send(v_headers, v_response); log("*** " & testcasename() & ": INFO: ToBeSignedTlmCtl sent ***"); tc_wait.start; repeat; } [] a_await_any_http_request_from_iut( mw_http_request, v_request ) { tc_wait.stop; f_init_default_headers_list(-, "ca_response", v_headers); v_response := m_http_response(m_http_response_400_bad_request(m_http_message_body_html("
Request not supported
"), v_headers)); f_http_send(v_headers, v_response); tc_wait.start; repeat; } [] tc_wait.timeout { //log("*** " & testcasename() & ": PASS: Terminate Generation/Distrbution server ***"); //f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); tc_wait.start; repeat; } } // End of 'alt' statement f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); // Postamble f_cfHttpDown_ca(); } // End of testcase TC_PKI_PLTF_RCV_BV_01 } // End of group pki_platform_simu } // End of module ItsPki_TestCases