Commit 1fe4c006 authored by YannGarcia's avatar YannGarcia

Implementing SECPKI_CA_CERTGEN TPs

parent d63e8410
......@@ -3176,7 +3176,7 @@ module LibItsPki_Functions {
} // End of group dc
group rca {
function f_verify_rca_ctl_response_message(
in EtsiTs103097Data p_etsi_ts_103097_signed_data,
in boolean p_check_security := true,
......@@ -3436,6 +3436,208 @@ module LibItsPki_Functions {
return true;
}
/**
* @desc this function is used to retrieve the root certificate from SubCA entity
* @param p_certificate The root certificate
* @return 0 on success, -1 otherwise
*/
external function fx_get_root_ca_certificate(
in charstring p_iut_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_CA",
in boolean p_explicit_type := false,
out octetstring p_certificate
) return integer;
function f_get_root_ca_certificate(
in charstring p_iut_certificate := "CERT_IUT_A_CA",
in boolean p_explicit_type := false,
out Certificate p_certificate
) return integer {
var octetstring v_os;
var bitstring v_msg_bit;
log(">>> f_get_root_ca_certificate");
// Get root certificate
if (fx_get_root_ca_certificate(p_iut_certificate, p_explicit_type, v_os) != 0) {
log("f_get_root_ca_certificate: fail to get certificate");
return -1;
}
log("f_get_root_ca_certificate: v_os=", v_os);
// Decode it
v_msg_bit := oct2bit(v_os);
if (decvalue(v_msg_bit, p_certificate) != 0) {
log("f_get_root_ca_certificate: fail to decode certificate");
return -1;
}
log("<<< f_get_root_ca_certificate: ", p_certificate);
return 0;
}
function f_verify_rca_certificate(
in charstring p_authorized_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_RCA",
in Certificate p_certificate,
in boolean p_check_implicit := false,
in boolean p_check_reconstruction_value := false,
in boolean p_check_no_signature := false,
in boolean p_check_region_restriction := false,
in boolean p_check_signature_content := false
) return boolean {
var CertificateType v_type_ := explicit;
var template Signature v_signature_ := ?;
var template IssuerIdentifier v_issuer := ?;
var template PublicVerificationKey v_public_verification_key := ?;
log(">>> f_verify_rca_certificate: p_authorized_certificate= ", p_authorized_certificate);
log(">>> f_verify_rca_certificate: p_certificate= ", p_certificate);
if (p_check_implicit == true) {
v_type_ := implicit;
}
if (p_check_no_signature == true) {
v_signature_ := omit;
}
if (match(p_certificate, mw_etsiTs103097Certificate(-, -, v_signature_, v_type_)) == false) {
log("f_verify_rca_certificate: version/explicit mismatch");
return false;
}
if (p_check_reconstruction_value == false) {
if (match(p_certificate, mw_etsiTs103097Certificate(
-,
mw_toBeSignedCertificate_ca(
(mw_certificateId_none, mw_certificateId_name),
-,
-,
mw_verificationKeyIndicator_verificationKey
),
v_signature_
)) == false) {
log("f_verify_rca_certificate: verificationKey mismatch");
return false;
}
if (p_check_signature_content) {
var template PublicVerificationKey v_publicVerificationKey;
if (PICS_SEC_SHA256) {
v_signature_ := mw_signature_ecdsaNistP256;
v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest);
v_public_verification_key := mw_publicVerificationKey_ecdsaNistP256;
} else if (PICS_SEC_BRAINPOOL_P256R1) {
v_signature_ := mw_signature_ecdsaBrainpoolP256r1;
v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest);
v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP256r1;
} else if (PICS_SEC_BRAINPOOL_P384R1) {
v_signature_ := mw_signature_ecdsaBrainpoolP384r1;
v_issuer := (mw_issuerIdentifier_self(sha384), mw_issuerIdentifier_sha384AndDigest);
v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP384r1;
}
if (match(p_certificate, mw_etsiTs103097Certificate(
v_issuer,
mw_toBeSignedCertificate_ca(
(mw_certificateId_none, mw_certificateId_name),
-,
-,
mw_verificationKeyIndicator_verificationKey(v_public_verification_key),
-, -, -, -,
-//mw_encryptionKey
),
v_signature_
)) == false) {
log("f_verify_rca_certificate: signature mismatch");
return false;
}
// Verify Signature
if (ischosen(p_certificate.issuer.self_)) {
v_publicVerificationKey := p_certificate.toBeSigned.verifyKeyIndicator.verificationKey;
} else {
var HashedId8 v_digest;
var Certificate v_authorized_certificate;
var charstring v_cert;
if (ischosen(p_certificate.issuer.sha256AndDigest)) {
v_digest := p_certificate.issuer.sha256AndDigest;
} else if (ischosen(p_certificate.issuer.sha384AndDigest)) {
v_digest := p_certificate.issuer.sha384AndDigest;
} else {
log("f_verify_rca_certificate: Invalid certificate issuer ", p_certificate.issuer);
return false;
}
if (f_getCertificateFromDigest(v_digest, v_authorized_certificate, v_cert) == false) {
log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
return false;
}
v_publicVerificationKey := v_authorized_certificate.toBeSigned.verifyKeyIndicator.verificationKey
}
log("f_verify_rca_certificate: v_publicVerificationKey= ", v_publicVerificationKey);
if (f_verifyCertificateSignatureWithPublicKey(p_certificate, v_publicVerificationKey) == false) {
log("f_verify_rca_certificate: signature not verified");
return false;
}
}
} else {
if (match(p_certificate, mw_etsiTs103097Certificate(
-,
mw_toBeSignedCertificate_ca(
(mw_certificateId_none, mw_certificateId_name),
-,
-,
mw_verificationKeyIndicator_reconstructionValue
),
v_signature_
)) == false) {
log("f_verify_rca_certificate: verificationKey mismatch");
return false;
}
// TODO Verify Signature
}
if (p_check_region_restriction == true) {
var Certificate v_authorized_certificate;
var template GeographicRegion v_geographic_region := ?;
if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) {
log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
return false;
}
log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate);
if (PICS_SEC_CIRCULAR_REGION == true) {
v_geographic_region := mw_geographicRegion_circle;
} else if (PICS_SEC_RECTANGULAR_REGION == true) {
v_geographic_region := mw_geographicRegion_rectangular;
} else if (PICS_SEC_POLYGONAL_REGION == true) {
v_geographic_region := mw_geographicRegion_polygonal;
} else if (PICS_SEC_IDENTIFIED_REGION == true) {
v_geographic_region := mw_geographicRegion_identified(
{
(mw_identifiedRegion_country_only, mw_identifiedRegion_country_and_region)
}
);
}
if (match(p_certificate, mw_etsiTs103097Certificate(
-,
mw_toBeSignedCertificate_ca(
-,
-,
-,
-,
-,
-,
v_geographic_region
)
)) == false) {
log("f_verify_rca_certificate: Geographical region mismatch");
return false;
}
// Check interception of area
if (f_checkRegionValidityRestiction(v_authorized_certificate, p_certificate) == false) {
log("f_verify_rca_certificate: Geographical region intersection mismatch");
return false;
}
}
return true;
}
} // End of group rca
group tlm {
......
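Review bot: In f_verify_rca_certificate the signature is only verified cryptographically when p_check_signature_content is true and p_check_reconstruction_value is false; the reconstruction-value branch stops at `// TODO Verify Signature`, and the function then returns true on structural matching alone. A test purpose that requests a signature check on an implicit certificate would therefore pass without any verification, so until that is implemented the branch should fail closed, e.g. `if (p_check_signature_content) { log("f_verify_rca_certificate: signature check not implemented for reconstruction value"); return false; }`. In the explicit branch the key for a non-self issuer is resolved through f_getCertificateFromDigest, so p_authorized_certificate does not pin the signer there even though the failure log names it. If only that issuer is meant to be accepted, the resolved certificate should be compared with it.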
......@@ -161,6 +161,11 @@ module LibItsPki_Pics {
*/
modulepar charstring PICS_HTTP_POST_URI_ATV := "/authorize_validate";
/**
* @desc HTTP GET URI for Certificate Trusted List
*/
modulepar charstring PICS_HTTP_GET_URI_CA := "/dc/getctl";
/**
* @desc HTTP GET URI for Certificate Trusted List
*/
......@@ -246,5 +251,9 @@ module LibItsPki_Pics {
* @see ETSI TS 103 097 Clause 7.2.2 Enrolment credential
*/
modulepar boolean PICS_EC_SUBJECT_ATTRIBUT_ID := false;
modulepar boolean PICS_SEC_IMPLICIT_CERTIFICATES := false;
modulepar boolean PICS_SEC_EXPLICIT_CERTIFICATES := true;
} // End of module LibItsPki_Pics
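Review bot: The PICS_SEC_IMPLICIT_CERTIFICATES and PICS_SEC_EXPLICIT_CERTIFICATES module parameters at the end of LibItsPki_Pics carry no `@desc` block, unlike the parameter just above them, and nothing states whether they are meant to be mutually exclusive. I would give each a short header, for example `@desc Set to true if the IUT supports implicit certificates` if that is the intent, and say what a test should do when both are true or both are false. The `@desc` above PICS_HTTP_GET_URI_CA reads "HTTP GET URI for Certificate Trusted List", the same text as the block that follows it, which looks like a copy-paste. It should describe the CA certificate request, and the default `"/dc/getctl"` is worth confirming for the same reason.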
......@@ -3076,37 +3076,45 @@ module LibItsSecurity_Functions {
in EtsiTs103097Certificate p_cert,
in EtsiTs103097Certificate p_cert_issuer
) return boolean {
var ValidityPeriod v_cert_region, v_cert_issuer_region;
var GeographicRegion v_cert_region, v_cert_issuer_region;
var boolean v_cert_issuer_region_result;
/* FIXME To be reviewed v_cert_issuer_region_result := f_getCertificateValidityRestriction(p_cert_issuer, e_region, v_cert_issuer_region);
if (f_getCertificateValidityRestriction(p_cert, e_region, v_cert_region) == false) {
if (v_cert_issuer_region_result == true) {
if (v_cert_issuer_region.validity.region.region_type != e_none) {
return false;
}
}
} else if (
(v_cert_issuer_region_result == true) and
(v_cert_issuer_region.validity.region.region_type != e_none)
) {
if (v_cert_region.validity.region.region_type == e_circle) {
if (v_cert_issuer_region.validity.region.region_type == e_circle) {
// Check v_cert_region 'circle' is inside v_cert_issuer_region 'circle'
if (f_areCirclesInside(v_cert_region.validity.region.region.circular_region, v_cert_issuer_region.validity.region.region.circular_region) == false) {
log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates circle area does not match ***");
return false;
}
}
} else if (v_cert_region.validity.region.region_type == e_rectangle) {
if (v_cert_issuer_region.validity.region.region_type == e_rectangle) {
// Check v_cert_region 'rectangle' is inside v_cert_issuer_region 'rectangle'
if (f_areRectanglesInside(v_cert_region.validity.region.region.rectangular_region, v_cert_issuer_region.validity.region.region.rectangular_region) == false) {
log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates rectangle area does not match ***");
return false;
}
}
} else if (v_cert_region.validity.region.region_type == e_polygon) {
// FIXME To be reviewed
// Sanity checks
if (ispresent(p_cert.toBeSigned.region) == false) {
log("f_checkRegionValidityRestiction: GeographicRegion missig into certificate");
return false;
}
if (ispresent(p_cert_issuer.toBeSigned.region) == false) {
// No greographical constraints
return true;
}
v_cert_region := p_cert.toBeSigned.region;
v_cert_issuer_region := p_cert_issuer.toBeSigned.region;
if (ispresent(v_cert_region.circularRegion) and ispresent(v_cert_issuer_region.circularRegion)) {
// Check v_cert_region 'circle' is inside v_cert_issuer_region 'circle'
if (f_areCirclesInside(valueof(v_cert_region.circularRegion), valueof(v_cert_issuer_region.circularRegion)) == false) {
log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates circle area does not match");
return false;
}
} else if (ispresent(v_cert_region.rectangularRegion) and ispresent(v_cert_issuer_region.rectangularRegion)) {
// Check v_cert_region 'rectangle' is inside v_cert_issuer_region 'rectangle'
if (f_isRectangularRegionsIntersected(v_cert_region.rectangularRegion, v_cert_issuer_region.rectangularRegion) == false) {
log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates rectangle area does not match");
return false;
}
} else if (ispresent(v_cert_region.polygonalRegion) and ispresent(v_cert_issuer_region.polygonalRegion)) {
// Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon'
log("f_checkRegionValidityRestiction: FAIL: Not implemented");
// TODO
return false;
} else if (ispresent(v_cert_region.identifiedRegion) and ispresent(v_cert_issuer_region.identifiedRegion)) {
log("f_checkRegionValidityRestiction: FAIL: Not implemented");
// Check id_region
// TODO
}
/*if (v_cert_region.validity.region.region_type == e_polygon) {
if (v_cert_issuer_region.validity.region.region_type == e_polygon) {
// Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon'
if (f_arePolygonsInside(v_cert_region.validity.region.region.polygonal_region, v_cert_issuer_region.validity.region.region.polygonal_region) == false) {
......@@ -3215,20 +3223,23 @@ module LibItsSecurity_Functions {
* @return true on success, false otherwise
*/
function f_isRectangularRegionsIntersected(
in template (value) RectangularRegion p_r1,
in template (value) RectangularRegion p_r2
in template (value) SequenceOfRectangularRegion p_r1,
in template (value) SequenceOfRectangularRegion p_r2
) return boolean {
return not (
//FIXME RGY Titan doesn't support dot notation after valueof at the moment
// valueof(p_r2).northWest.longitude > valueof(p_r1).southEast.longitude or
// valueof(p_r2).southEast.longitude < valueof(p_r1).northWest.longitude or
// valueof(p_r2).southEast.latitude > valueof(p_r1).northWest.latitude or
// valueof(p_r2).northWest.latitude < valueof(p_r1).southEast.latitude
valueof(p_r2.northWest.longitude) > valueof(p_r1.southEast.longitude) or
valueof(p_r2.southEast.longitude) < valueof(p_r1.northWest.longitude) or
valueof(p_r2.southEast.latitude) > valueof(p_r1.northWest.latitude) or
valueof(p_r2.northWest.latitude) < valueof(p_r1.southEast.latitude)
);
var integer v_min := f_min(lengthof(p_r1), lengthof(p_r2));
for (var integer i := 0; i < v_min; i := i + 1) {
if (not (
valueof(p_r2[i].northWest.longitude) > valueof(p_r1[i].southEast.longitude) or
valueof(p_r2[i].southEast.longitude) < valueof(p_r1[i].northWest.longitude) or
valueof(p_r2[i].southEast.latitude) > valueof(p_r1[i].northWest.latitude) or
valueof(p_r2[i].northWest.latitude) < valueof(p_r1[i].southEast.latitude)
)) {
return false;
}
} // End of 'for' statement
return true;
} // End of function f_isRectangularRegionsIntersected
function f_isContinuousRectangularRegions(
......
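Review bot: The loop in the new f_isRectangularRegionsIntersected appears to invert the result: the previous body returned `not (… or …)`, i.e. true when the rectangles overlap, whereas the loop returns false as soon as `not (… or …)` holds for a pair, so overlapping regions yield false and fully disjoint ones yield true. f_checkRegionValidityRestiction treats false as a region mismatch, so a certificate whose rectangle overlaps the issuer's would be rejected and one lying outside it accepted. Dropping the negation restores the old meaning: `if (valueof(p_r2[i].northWest.longitude) > valueof(p_r1[i].southEast.longitude) or …) { return false; }`. Rectangles are also compared only index by index up to f_min of the two lengths, so an empty sequence or the extra entries of the longer one pass unchecked, and intersection is a weaker test than the containment the caller's comment describes.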
......@@ -1242,10 +1242,11 @@ module LibItsSecurity_Templates {
template (omit) EtsiTs103097Certificate m_etsiTs103097Certificate(
in template (value) IssuerIdentifier p_issuer,
in template (value) ToBeSignedCertificate p_toBeSigned,
in template (omit) Signature p_signature_ := omit
in template (omit) Signature p_signature_ := omit,
in template (value) CertificateType p_type_ := explicit
) := {
version := c_certificate_version,
type_ := explicit,
type_ := p_type_,
issuer := p_issuer,
toBeSigned := p_toBeSigned,
signature_ := p_signature_
......@@ -1263,10 +1264,11 @@ module LibItsSecurity_Templates {
template (present) EtsiTs103097Certificate mw_etsiTs103097Certificate(
template (present) IssuerIdentifier p_issuer := ?,
template (present) ToBeSignedCertificate p_toBeSigned := ?,
template (present) Signature p_signature_ := ?
template Signature p_signature_ := ?,
template (present) CertificateType p_type_ := explicit
) := {
version := c_certificate_version,
type_ := explicit,
type_ := p_type_,
issuer := p_issuer,
toBeSigned := p_toBeSigned,
signature_ := p_signature_
......@@ -1352,9 +1354,9 @@ module LibItsSecurity_Templates {
template (present) CertificateId p_id := ?,
template (present) SequenceOfPsidSsp p_appPermissions := ?,
template (present) SequenceOfPsidGroupPermissions p_certIssuePermissions := ?,
template (present) SequenceOfPsidGroupPermissions p_certRequestPermissions := ?,
template (present) VerificationKeyIndicator p_verifyKeyIndicator := ?,
template (present) ValidityPeriod p_validityPeriod := ?,
template SequenceOfPsidGroupPermissions p_certRequestPermissions := *,
template GeographicRegion p_region := *,
template SubjectAssurance p_assuranceLevel := *,
template PublicEncryptionKey p_encryptionKey := *
......@@ -1365,13 +1367,13 @@ module LibItsSecurity_Templates {
validityPeriod := p_validityPeriod,
region := p_region,
assuranceLevel := p_assuranceLevel,
appPermissions := omit,
appPermissions := ?,
certIssuePermissions := p_certIssuePermissions,
certRequestPermissions := p_certRequestPermissions,
canRequestRollover := omit,
encryptionKey := p_encryptionKey,
verifyKeyIndicator := p_verifyKeyIndicator
} // End of template mw_toBeSignedCertificate
} // End of template mw_toBeSignedCertificate_ca
/**
* @desc Send template for ToBeSignedCertificate with Enrolment credential restrictions
......
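Review bot: In the body that ends with `// End of template mw_toBeSignedCertificate_ca`, `appPermissions := ?` replaces `omit` but is not tied to any parameter, while the parameter list in the preceding hunk (which appears to belong to the same template) declares `p_appPermissions`. As written the template requires appPermissions to be present with any value, so a caller that passes a specific permission set is silently not constrained by it, and a CA certificate without appPermissions no longer matches. If the parameter is meant to apply, use `appPermissions := p_appPermissions,` and make it an unrestricted template parameter defaulting to `*` if absence is acceptable. The template's header line lies outside both hunks, so the pairing of parameter list and body should be confirmed.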