Mantis issue 0006992: Changing security protocol version or added additional... (038d4ba0) · Commits · TTCN-3 Libraries / LibIts

ttcn/Security/LibItsSecurity_Functions.ttcn3

+339 −14

Original line number	Diff line number	Diff line
		@@ -225,12 +225,7 @@ module LibItsSecurity_Functions {
		}

		// Prepare payload to be signed
		// if (
		// (valueof(p_payloadField.type_) == e_signed) or
		// (valueof(p_payloadField.type_) == e_signed_and_encrypted
		// )) {
		v_toBeSignedPayload := valueof(p_payloadField);
		// } // TODO else, check draft

		v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage(
		v_headerFields,
		@@ -240,9 +235,6 @@ module LibItsSecurity_Functions {

		v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage));

		// Calculate the hash of the SecuredMessage payload to be signed
		// FIXME BUG Framework already compute the hash v_hash := f_hashWithSha256(v_secPayload);

		// Signed payload
		if (ispresent(p_certificateName) and (valueof(p_certificateName) != cc_taCert_A)) {
		if(not f_readSigningKey(valueof(p_certificateName), v_privateKey)){
		@@ -254,7 +246,8 @@ module LibItsSecurity_Functions {
		}
		}
		v_signature := f_signWithEcdsaNistp256WithSha256(
		v_secPayload, v_privateKey // FIXME BUG Framework already compute the hash v_hash
		v_secPayload,
		v_privateKey
		);

		p_securedMessage := m_securedMessage(
		@@ -275,8 +268,184 @@ module LibItsSecurity_Functions {
		);

		return true;
		} // End of function f_buildGnSecuredMessage

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process including wrong elements of protocols. It is used for BO test cases
		* @param p_securedMessage The signed SecureMessage part
		* @param p_certificateName The certificate name
		* @param p_protocolVersion The protocol version to be set. Default: 2
		* @param p_trailerStatus The Traile behaviour:
		* <li>0 for no trailer</li>
		* <li>1 for invalid trailer</li>
		* <li>2 for duplicated trailer</li>
		* @param p_payloadField Payloads to be included in the message
		* @param p_mandatoryHeaders Mandatory headers for the selected profile
		* @param p_headerFields HeaderFields to be inserted in the message
		* @param p_securityProfile Selected security profile
		* @return true on success, false otherwise
		*/
		function f_buildGnSecuredMessage_Bo(
		out template (value) SecuredMessage p_securedMessage,
		in template (value) charstring p_certificateName,
		in integer p_protocolVersion := c_protocol_version,
		in integer p_trailerStatus := 0,
		in template (value) SecPayload p_payloadField,
		in template (value) HeaderFields p_mandatoryHeaders,
		in template (omit) HeaderFields p_headerFields := omit
		) runs on ItsSecurityBaseComponent return boolean {

		// Local variables
		var octetstring v_secPayload, v_signature;
		var Oct32 v_hash;
		var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage;
		var integer i, j, k, n;
		var HeaderFields v_headerFields := {};
		var SecPayload v_toBeSignedPayload;
		var Oct32 v_privateKey;
		var UInt8 v_trailerSize;

		// Prepare headers
		if (not(ispresent(p_headerFields))) {
		v_headerFields := valueof(p_mandatoryHeaders);
		} else {
		// Merge p_headerFields and v_mandatoryHeaders into v_headerFields

		i := 0; // index for p_headerFields
		j := 0; // index for v_mandatoryHeaders
		k := 0; // index for v_headerFields

		// Special processing for signer_info
		if (lengthof(valueof(p_headerFields)) > 0 and valueof(p_headerFields[i].type_) == e_signer_info) {
		v_headerFields[k] := valueof(p_headerFields[i]);
		k := k + 1;
		i := i + 1;
		}

		for (j := j; j < lengthof(p_mandatoryHeaders); j := j + 1) {
		// Search for mandatory header in p_HeaderFields
		for (n := 0; n < lengthof(p_headerFields); n := n + 1) {
		if (valueof(p_headerFields[n].type_) == valueof(p_mandatoryHeaders[j].type_)) {
		// mandatory header already in p_HeaderFields
		break;
		}
		} // End of 'for' statement
		if (n >= lengthof(p_headerFields)) {
		if (valueof(p_mandatoryHeaders[j].type_) != e_signer_info) {
		// Add headers from p_headerFields having lower number than mandatory header
		for (n := i; n < lengthof(p_headerFields) and valueof(p_headerFields[n].type_) < valueof(p_mandatoryHeaders[j].type_); n := n + 1) {
		v_headerFields[k] := valueof(p_headerFields[n]);
		k := k + 1;
		i := i + 1;
		}
		}
		// Add mandatory header
		v_headerFields[k] := valueof(p_mandatoryHeaders[j]);
		k := k + 1;
		}
		} // End of 'for' statement

		// Add remaining headers from p_HeaderFields
		for ( i := i; i < lengthof(p_headerFields); i := i + 1) {
		// Add headers from p_headerFields having lower number than mandatory header
		v_headerFields[k] := valueof(p_headerFields[i]);
		k := k + 1;
		} // End of 'for' statement
		}

		// Prepare payload to be signed
		v_toBeSignedPayload := valueof(p_payloadField);
		if (p_trailerStatus == 0) {
		v_trailerSize := 0;
		} else if (p_trailerStatus == 1) {
		v_trailerSize := 67;
		} else if (p_trailerStatus == 2) {
		v_trailerSize := 2 * 67;
		} else {
		v_trailerSize := 67;
		}
		v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage_wrong_protocol(
		v_headerFields,
		v_toBeSignedPayload,
		e_signature,
		p_protocolVersion,
		v_trailerSize
		);

		v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage));

		// Signed payload
		if (ispresent(p_certificateName) and (valueof(p_certificateName) != cc_taCert_A)) {
		if(not f_readSigningKey(valueof(p_certificateName), v_privateKey)){
		return false;
		}
		} else {
		if(not f_readSigningKey(valueof(cc_taCert_A), v_privateKey)){
		return false;
		}
		}
		v_signature := f_signWithEcdsaNistp256WithSha256(
		v_secPayload,
		v_privateKey
		);

		if (p_trailerStatus == 0) { // No signature
		p_securedMessage := m_securedMessage(
		v_toBeSignedSecuredMessage.header_fields,
		p_payloadField,
		{ }
		);
		v_trailerSize := 0;
		} else if (p_trailerStatus == 2) { // Duplicate signature
		p_securedMessage := m_securedMessage(
		v_toBeSignedSecuredMessage.header_fields,
		p_payloadField,
		{
		m_trailer_field_signature(
		m_signature(
		m_ecdsaSignature(
		m_eccPointecdsa_nistp256_with_sha256_y_coordinate_only(
		substr(v_signature, 2, 32)
		),
		substr(v_signature, 34, 32)
		)
		)
		),
		m_trailer_field_signature(
		m_signature(
		m_ecdsaSignature(
		m_eccPointecdsa_nistp256_with_sha256_y_coordinate_only(
		substr(v_signature, 2, 32)
		),
		substr(v_signature, 34, 32)
		)
		)
		)
		}
		);
		} else { // Invalid signature
		p_securedMessage := m_securedMessage(
		v_toBeSignedSecuredMessage.header_fields,
		p_payloadField,
		{
		m_trailer_field_signature(
		m_signature(
		m_ecdsaSignature(
		m_eccPointecdsa_nistp256_with_sha256_y_coordinate_only(
		substr(v_signature, 2, 32)
		),
		substr(v_signature, 34, 32)
		)
		)
		)
		}
		);
		p_securedMessage.trailer_fields[0].trailerField.signature_.signature_.ecdsa_signature.s := not4b(p_securedMessage.trailer_fields[0].trailerField.signature_.signature_.ecdsa_signature.s);
		}

		return true;
		} // End of function f_buildGnSecuredMessage_Bo

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process
		* @param p_securedMessage The signed SecureMessage part
		@@ -347,6 +516,83 @@ module LibItsSecurity_Functions {

		} // End of function f_buildGnSecuredCam

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process including wrong elements of protocols. It is used for BO test cases
		* @param p_securedMessage The signed SecureMessage part
		* @param p_protocolVersion The protocol version to be set. Default: 2
		* @param p_trailerStatus The Traile behaviour:
		* <li>0 for no trailer</li>
		* <li>1 for invalid trailer</li>
		* <li>2 for duplicated trailer</li>
		* @param p_payloadField Payloads to be included in the message
		* @param p_signerInfoType Add digest or AT certificate or certificate chain
		* @param p_threeDLocation The 3D location
		* @param p_headerFields HeaderFields to be inserted in the message
		* @param p_certificateName The certificate identifier to be used. Default: TA_CERT_A
		* @param p_addMissingHeaders Whether to add mandatory headers not present in p_headerFields
		* @return true on success, false otherwise
		*
		* @see Draft ETSI TS 103 097 V1.1.14 Clause 7.1 Security profile for CAMs
		*/
		function f_buildGnSecuredCam_Bo(
		out template (value) SecuredMessage p_securedMessage,
		in integer p_protocolVersion := c_protocol_version,
		in integer p_trailerStatus := 0,
		in template (value) SecPayload p_payloadField,
		in template (omit) SignerInfoType p_signerInfoType := e_certificate_digest_with_sha256,
		in template (omit) HeaderFields p_headerFields := omit,
		in template (omit) charstring p_certificateName := omit,
		in boolean p_addMissingHeaders := true
		) runs on ItsSecurityBaseComponent return boolean {

		// Local variables
		var Certificate v_aaCertificate, v_atCertificate;
		var HeaderFields v_mandatoryHeaders := {};
		var HeaderField v_signerInfo;

		// Load certificates if required
		if (f_prepareCertificates(p_certificateName, v_aaCertificate, v_atCertificate) == false) {
		return false;
		}

		if (p_addMissingHeaders == true) {
		// Prepare mandatory headers
		if (valueof(p_signerInfoType) == e_certificate) { // Add the AT certificate
		v_signerInfo := valueof(
		m_header_field_signer_info(
		m_signerInfo_certificate(
		v_atCertificate
		)));
		}
		if (valueof(p_signerInfoType) == e_certificate_chain) { // Add the AT certificate + AA Certificate
		v_signerInfo := valueof(
		m_header_field_signer_info(
		m_signerInfo_certificates(
		{
		v_aaCertificate,
		v_atCertificate
		}
		)
		));
		}
		if (valueof(p_signerInfoType) == e_certificate_digest_with_sha256) { // Add the AT certificate digest
		v_signerInfo := valueof(
		m_header_field_signer_info(
		m_signerInfo_digest(
		f_calculateDigestFromCertificate(v_atCertificate)
		)));
		}
		v_mandatoryHeaders := {
		v_signerInfo,
		valueof(m_header_field_generation_time(1000 * f_getCurrentTime())), // In us
		valueof(m_header_field_its_aid(c_its_aid_CAM))
		}
		}

		return f_buildGnSecuredMessage_Bo(p_securedMessage, p_certificateName, p_protocolVersion, p_trailerStatus, p_payloadField, v_mandatoryHeaders, p_headerFields);

		} // End of function f_buildGnSecuredCam_Bo

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process
		* @param p_securedMessage The signed SecureMessage part
		@@ -419,6 +665,85 @@ module LibItsSecurity_Functions {

		} // End of function f_buildGnSecuredDenm

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process including wrong elements of protocols. It is used for BO test cases
		* @param p_securedMessage The signed SecureMessage part
		* @param p_protocolVersion The protocol version to be set. Default: 2
		* @param p_trailerStatus The Traile behaviour:
		* <li>0 for no trailer</li>
		* <li>1 for invalid trailer</li>
		* <li>2 for duplicated trailer</li>
		* @param p_payloadField Payloads to be included in the message
		* @param p_signerInfoType Add digest or AT certificate or certificate chain
		* @param p_threeDLocation The 3D location
		* @param p_headerFields HeaderFields to be inserted in the message
		* @param p_certificateName The certificate identifier to be used. Default: TA_CERT_A
		* @param p_addMissingHeaders Whether to add mandatory headers not present in p_headerFields
		* @return true on success, false otherwise
		*/
		function f_buildGnSecuredDenm_Bo(
		out template (value) SecuredMessage p_securedMessage,
		in integer p_protocolVersion := c_protocol_version,
		in integer p_trailerStatus := 0,
		in template (value) SecPayload p_payloadField,
		in template (omit) SignerInfoType p_signerInfoType := e_certificate_digest_with_sha256,
		in ThreeDLocation p_threeDLocation,
		in template (omit) HeaderFields p_headerFields := omit,
		in template (omit) charstring p_certificateName := omit,
		in boolean p_addMissingHeaders := true
		) runs on ItsSecurityBaseComponent return boolean {

		// Local variables
		var Certificate v_aaCertificate, v_atCertificate;
		var HeaderFields v_mandatoryHeaders := {};
		var HeaderField v_signerInfo;

		// Load certificates if required
		if (f_prepareCertificates(p_certificateName, v_aaCertificate, v_atCertificate) == false) {
		return false;
		}

		// Add additional headers if required
		if (p_addMissingHeaders == true) {
		// Prepare mandatory headers
		if (valueof(p_signerInfoType) == e_certificate) { // Add the AT certificate
		v_signerInfo := valueof(
		m_header_field_signer_info(
		m_signerInfo_certificate(
		v_atCertificate
		)));
		}
		if (valueof(p_signerInfoType) == e_certificate_chain) { // Add the AT certificate + AA Certificate
		v_signerInfo := valueof(
		m_header_field_signer_info(
		m_signerInfo_certificates(
		{
		v_aaCertificate,
		v_atCertificate
		}
		)
		));
		}
		if (valueof(p_signerInfoType) == e_certificate_digest_with_sha256) { // Add the AT certificate digest
		v_signerInfo := valueof(
		m_header_field_signer_info(
		m_signerInfo_digest(
		v_atCertificate.signer_info.signerInfo.digest
		)));
		}
		v_mandatoryHeaders := {
		v_signerInfo,
		valueof(m_header_field_generation_time(1000 * f_getCurrentTime())), // In us
		valueof(m_header_field_generation_location(p_threeDLocation)),
		valueof(m_header_field_its_aid(c_its_aid_DENM))
		}
		}

		// Build the secured message and return it
		return f_buildGnSecuredMessage_Bo(p_securedMessage, p_certificateName, p_protocolVersion, p_trailerStatus, p_payloadField, v_mandatoryHeaders, p_headerFields);

		} // End of function f_buildGnSecuredDenm_Bo

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process
		* @param p_securedMessage The signed SecureMessage part

ttcn/Security/LibItsSecurity_Templates.ttcn3

+11 −0

Original line number	Diff line number	Diff line
		@@ -2477,6 +2477,17 @@ module LibItsSecurity_Templates {
		trailerFieldType := p_trailer_field_type
		} // End of template m_toBeSignedSecuredMessage

		// FIXME Replace c_protocol_version by a PIXIT
		template (value) ToBeSignedSecuredMessage m_toBeSignedSecuredMessage_wrong_protocol(
		in template (value) HeaderFields p_header_fields,
		in template (value) SecPayload p_payload_field,
		in template (value) TrailerFieldType p_trailer_field_type,
		in template (value) UInt8 p_protocol_version := c_protocol_version,
		in template (value) UInt8 p_trailer_fieldsLength := 67
		) modifies m_toBeSignedSecuredMessage := {
		protocol_version := p_protocol_version
		} // End of template m_toBeSignedSecuredMessage

		/**
		* @desc The certificate paylaod to be signed
		* @member p_certificate The signed certificate to be verified