Commit 1fe4c006 authored by YannGarcia's avatar YannGarcia

Implementing SECPKI_CA_CERTGEN TPs

parent d63e8410
+203 −1
@@ -3436,6 +3436,208 @@ module LibItsPki_Functions {
      return true;
    }

    /**
     * @desc this function is used to retrieve the root certificate from SubCA entity
     * @param p_certificate The root certificate
     * @return 0 on success, -1 otherwise
     */
    external function fx_get_root_ca_certificate(
                                                 in charstring p_iut_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_CA",
                                                 in boolean p_explicit_type := false,
                                                 out octetstring p_certificate
                                                 ) return integer;

    function f_get_root_ca_certificate(
                                       in charstring p_iut_certificate := "CERT_IUT_A_CA",
                                       in boolean p_explicit_type := false,
                                       out Certificate p_certificate
                                       ) return integer {
      var octetstring v_os;
      var bitstring v_msg_bit;

      log(">>> f_get_root_ca_certificate");

      // Get root certificate
      if (fx_get_root_ca_certificate(p_iut_certificate, p_explicit_type, v_os) != 0) {
        log("f_get_root_ca_certificate: fail to get certificate");
        return -1;
      }
      log("f_get_root_ca_certificate: v_os=", v_os);
      // Decode it
      v_msg_bit := oct2bit(v_os);
      if (decvalue(v_msg_bit, p_certificate) != 0) {
        log("f_get_root_ca_certificate: fail to decode certificate");
        return -1;
      }
      log("<<< f_get_root_ca_certificate: ", p_certificate);
      return 0;
    }

    function f_verify_rca_certificate(
                                      in charstring p_authorized_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_RCA",
                                      in Certificate p_certificate,
                                      in boolean p_check_implicit := false,
                                      in boolean p_check_reconstruction_value := false,
                                      in boolean p_check_no_signature := false,
                                      in boolean p_check_region_restriction := false,
                                      in boolean p_check_signature_content := false
                                      ) return boolean {
      var CertificateType v_type_ := explicit;
      var template Signature v_signature_ := ?;
      var template IssuerIdentifier v_issuer := ?;
      var template PublicVerificationKey v_public_verification_key := ?;

      log(">>> f_verify_rca_certificate: p_authorized_certificate= ", p_authorized_certificate);
      log(">>> f_verify_rca_certificate: p_certificate= ", p_certificate);

      if (p_check_implicit == true) {
        v_type_ := implicit;
      }
      if (p_check_no_signature == true) {
        v_signature_ := omit;
      }
      if (match(p_certificate, mw_etsiTs103097Certificate(-, -, v_signature_, v_type_)) == false) {
        log("f_verify_rca_certificate: version/explicit mismatch");
        return false;
      }
      if (p_check_reconstruction_value == false) {
        if (match(p_certificate, mw_etsiTs103097Certificate(
                                                            -,
                                                            mw_toBeSignedCertificate_ca(
                                                                                        (mw_certificateId_none, mw_certificateId_name),
                                                                                        -,
                                                                                        -,
                                                                                        mw_verificationKeyIndicator_verificationKey
                                                                                        ),
                                                            v_signature_
                                                            )) == false) {
          log("f_verify_rca_certificate: verificationKey mismatch");
          return false;
        }
        if (p_check_signature_content) {
          var template PublicVerificationKey v_publicVerificationKey;
          
          if (PICS_SEC_SHA256) {
            v_signature_ := mw_signature_ecdsaNistP256;
            v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest);
            v_public_verification_key := mw_publicVerificationKey_ecdsaNistP256;
          } else if (PICS_SEC_BRAINPOOL_P256R1) {
            v_signature_ := mw_signature_ecdsaBrainpoolP256r1;
            v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest);
            v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP256r1;
          } else if (PICS_SEC_BRAINPOOL_P384R1) {
            v_signature_ := mw_signature_ecdsaBrainpoolP384r1;
            v_issuer := (mw_issuerIdentifier_self(sha384), mw_issuerIdentifier_sha384AndDigest);
            v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP384r1;
          }
          if (match(p_certificate, mw_etsiTs103097Certificate(
                                                              v_issuer,
                                                              mw_toBeSignedCertificate_ca(
                                                                                          (mw_certificateId_none, mw_certificateId_name),
                                                                                          -,
                                                                                          -,
                                                                                          mw_verificationKeyIndicator_verificationKey(v_public_verification_key),
                                                                                          -, -, -, -,
                                                                                          -//mw_encryptionKey
                                                                                          ),
                                                              v_signature_
                                                              )) == false) {
            log("f_verify_rca_certificate: signature mismatch");
            return false;
          }
          // Verify Signature
          if (ischosen(p_certificate.issuer.self_)) {
            v_publicVerificationKey := p_certificate.toBeSigned.verifyKeyIndicator.verificationKey;
          } else {
            var HashedId8 v_digest;
            var Certificate v_authorized_certificate;
            var charstring v_cert;
            
            if (ischosen(p_certificate.issuer.sha256AndDigest)) {
              v_digest := p_certificate.issuer.sha256AndDigest;
            } else if (ischosen(p_certificate.issuer.sha384AndDigest)) {
              v_digest := p_certificate.issuer.sha384AndDigest;
            } else {
              log("f_verify_rca_certificate: Invalid certificate issuer ", p_certificate.issuer);
              return false;
            }
            if (f_getCertificateFromDigest(v_digest, v_authorized_certificate, v_cert) == false) {
              log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
              return false;
            }
            v_publicVerificationKey := v_authorized_certificate.toBeSigned.verifyKeyIndicator.verificationKey
          }
          log("f_verify_rca_certificate: v_publicVerificationKey= ", v_publicVerificationKey);
          if (f_verifyCertificateSignatureWithPublicKey(p_certificate, v_publicVerificationKey) == false) {
            log("f_verify_rca_certificate: signature not verified");
            return false;
          }
        }
      } else {
        if (match(p_certificate, mw_etsiTs103097Certificate(
                                                            -,
                                                            mw_toBeSignedCertificate_ca(
                                                                                        (mw_certificateId_none, mw_certificateId_name),
                                                                                        -,
                                                                                        -,
                                                                                        mw_verificationKeyIndicator_reconstructionValue
                                                                                        ),
                                                            v_signature_
                                                            )) == false) {
          log("f_verify_rca_certificate: verificationKey mismatch");
          return false;
        }
        // TODO Verify Signature
      }

      if (p_check_region_restriction == true) {
        var Certificate v_authorized_certificate;
        var template GeographicRegion v_geographic_region := ?;

        if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) {
          log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
          return false;
        }
        log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate);

        if (PICS_SEC_CIRCULAR_REGION == true) {
          v_geographic_region := mw_geographicRegion_circle;
        } else if (PICS_SEC_RECTANGULAR_REGION == true) {
          v_geographic_region := mw_geographicRegion_rectangular;
        } else if (PICS_SEC_POLYGONAL_REGION == true) {
          v_geographic_region := mw_geographicRegion_polygonal;
        } else if (PICS_SEC_IDENTIFIED_REGION == true) {
        v_geographic_region := mw_geographicRegion_identified(
                                                              {
                                                                (mw_identifiedRegion_country_only, mw_identifiedRegion_country_and_region)
                                                                }
                                                              );
        }
        if (match(p_certificate, mw_etsiTs103097Certificate(
                                                            -,
                                                            mw_toBeSignedCertificate_ca(
                                                                                        -,
                                                                                        -,
                                                                                        -,
                                                                                        -,
                                                                                        -,
                                                                                        -,
                                                                                        v_geographic_region
                                                                                        )
                                                            )) == false) {
          log("f_verify_rca_certificate: Geographical region mismatch");
          return false;
        }
        // Check interception of area
        if (f_checkRegionValidityRestiction(v_authorized_certificate, p_certificate) == false) {
          log("f_verify_rca_certificate: Geographical region intersection mismatch");
          return false;
        }
      }

      return true;
    }

  } // End of group rca

  group tlm {
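Review bot: f_verify_rca_certificate can return true without any cryptographic check: the reconstruction-value branch ends at `// TODO Verify Signature`, and in the verification-key branch the signature is verified only when p_check_signature_content is set, which defaults to false. A caller that sets p_check_reconstruction_value together with p_check_signature_content therefore gets a silent pass; until the implicit-certificate check exists that branch should fail closed, e.g. `if (p_check_signature_content) { log("f_verify_rca_certificate: signature check not implemented for reconstruction value"); return false; }`. If none of PICS_SEC_SHA256, PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 is true, v_signature_, v_issuer and v_public_verification_key stay at `?`, so the content match accepts any algorithm; a final `else` that logs and returns false would make that case visible. The function also has no header comment; it should state that true means only the requested checks passed, not that the certificate is trusted.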
+10 −1
@@ -161,6 +161,11 @@ module LibItsPki_Pics {
   */
  modulepar charstring PICS_HTTP_POST_URI_ATV := "/authorize_validate";
  
  /**
   * @desc HTTP GET URI for Certificate Trusted List
   */
  modulepar charstring PICS_HTTP_GET_URI_CA := "/dc/getctl";

  /**
   * @desc HTTP GET URI for Certificate Trusted List
   */
@@ -247,4 +252,8 @@ module LibItsPki_Pics {
   */
  modulepar boolean PICS_EC_SUBJECT_ATTRIBUT_ID := false;

  modulepar boolean PICS_SEC_IMPLICIT_CERTIFICATES := false;

  modulepar boolean PICS_SEC_EXPLICIT_CERTIFICATES := true;

} // End of module LibItsPki_Pics
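Review bot: The new PICS_HTTP_GET_URI_CA carries the same `@desc HTTP GET URI for Certificate Trusted List` as the parameter that follows it, and PICS_SEC_IMPLICIT_CERTIFICATES / PICS_SEC_EXPLICIT_CERTIFICATES in the second hunk have no @desc at all. I would reword the first comment to say what is specific to the CA request, and add something like `@desc Does the IUT support implicit certificates?` and its explicit counterpart above the two booleans. Because the two flags are independent booleans, the comment should also say whether both may be true at once and what the test suite does when both are false.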
+53 −42
@@ -3076,37 +3076,45 @@ module LibItsSecurity_Functions {
                                                 in EtsiTs103097Certificate p_cert, 
                                                 in EtsiTs103097Certificate p_cert_issuer
        ) return boolean {
            var ValidityPeriod v_cert_region, v_cert_issuer_region;
            var GeographicRegion v_cert_region, v_cert_issuer_region;
            var boolean v_cert_issuer_region_result;
            
            /* FIXME To be reviewed v_cert_issuer_region_result := f_getCertificateValidityRestriction(p_cert_issuer, e_region, v_cert_issuer_region);
            if (f_getCertificateValidityRestriction(p_cert, e_region, v_cert_region) == false) {
                if (v_cert_issuer_region_result == true) {
                    if (v_cert_issuer_region.validity.region.region_type != e_none) {
            // FIXME To be reviewed

            // Sanity checks
            if (ispresent(p_cert.toBeSigned.region) == false) {
                log("f_checkRegionValidityRestiction: GeographicRegion missig into certificate");
                return false;
            }
            if (ispresent(p_cert_issuer.toBeSigned.region) == false) {
              // No greographical constraints
              return true;
            }
            } else if (
                        (v_cert_issuer_region_result == true) and 
                        (v_cert_issuer_region.validity.region.region_type != e_none)
            ) {
                if (v_cert_region.validity.region.region_type == e_circle) {
                    if (v_cert_issuer_region.validity.region.region_type == e_circle) {
            v_cert_region := p_cert.toBeSigned.region;
            v_cert_issuer_region := p_cert_issuer.toBeSigned.region;
            if (ispresent(v_cert_region.circularRegion) and ispresent(v_cert_issuer_region.circularRegion)) {
              // Check v_cert_region 'circle' is inside v_cert_issuer_region 'circle'
                        if (f_areCirclesInside(v_cert_region.validity.region.region.circular_region, v_cert_issuer_region.validity.region.region.circular_region) == false) {
                            log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates circle area does not match ***");
              if (f_areCirclesInside(valueof(v_cert_region.circularRegion), valueof(v_cert_issuer_region.circularRegion)) == false) {
                log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates circle area does not match");
                return false;
              }
                    }
                } else if (v_cert_region.validity.region.region_type == e_rectangle) {
                    if (v_cert_issuer_region.validity.region.region_type == e_rectangle) {
            } else if (ispresent(v_cert_region.rectangularRegion) and ispresent(v_cert_issuer_region.rectangularRegion)) {
              // Check v_cert_region 'rectangle' is inside v_cert_issuer_region 'rectangle'
                        if (f_areRectanglesInside(v_cert_region.validity.region.region.rectangular_region, v_cert_issuer_region.validity.region.region.rectangular_region) == false) {
                            log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates rectangle area does not match ***");
              if (f_isRectangularRegionsIntersected(v_cert_region.rectangularRegion, v_cert_issuer_region.rectangularRegion) == false) {
                log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates rectangle area does not match");
                return false;
              }
            } else if (ispresent(v_cert_region.polygonalRegion) and ispresent(v_cert_issuer_region.polygonalRegion)) {
              // Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon'
              log("f_checkRegionValidityRestiction: FAIL: Not implemented");
              // TODO
              return false;
            } else if (ispresent(v_cert_region.identifiedRegion) and ispresent(v_cert_issuer_region.identifiedRegion)) {
              log("f_checkRegionValidityRestiction: FAIL: Not implemented");
              // Check id_region
              // TODO
            }
                } else if (v_cert_region.validity.region.region_type == e_polygon) {
            /*if (v_cert_region.validity.region.region_type == e_polygon) {
                    if (v_cert_issuer_region.validity.region.region_type == e_polygon) {
                        // Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon'
                        if (f_arePolygonsInside(v_cert_region.validity.region.region.polygonal_region, v_cert_issuer_region.validity.region.region.polygonal_region) == false) {
@@ -3215,20 +3223,23 @@ module LibItsSecurity_Functions {
         * @return  true on success, false otherwise
         */
        function f_isRectangularRegionsIntersected(
                                                   in template (value) RectangularRegion p_r1,
                                                   in template (value) RectangularRegion p_r2
                                                   in template (value) SequenceOfRectangularRegion p_r1,
                                                   in template (value) SequenceOfRectangularRegion p_r2
        ) return boolean {
            return not (
//FIXME RGY Titan doesn't support dot notation after valueof at the moment
//                valueof(p_r2).northWest.longitude > valueof(p_r1).southEast.longitude or 
//                valueof(p_r2).southEast.longitude < valueof(p_r1).northWest.longitude or 
//                valueof(p_r2).southEast.latitude  > valueof(p_r1).northWest.latitude or 
//                valueof(p_r2).northWest.latitude  < valueof(p_r1).southEast.latitude
                valueof(p_r2.northWest.longitude) > valueof(p_r1.southEast.longitude) or 
                valueof(p_r2.southEast.longitude) < valueof(p_r1.northWest.longitude) or 
                valueof(p_r2.southEast.latitude)  > valueof(p_r1.northWest.latitude) or 
                valueof(p_r2.northWest.latitude)  < valueof(p_r1.southEast.latitude)
            );
          var integer v_min := f_min(lengthof(p_r1), lengthof(p_r2));

          for (var integer i := 0; i < v_min; i := i + 1) {
            if (not (
                    valueof(p_r2[i].northWest.longitude) > valueof(p_r1[i].southEast.longitude) or 
                    valueof(p_r2[i].southEast.longitude) < valueof(p_r1[i].northWest.longitude) or 
                    valueof(p_r2[i].southEast.latitude)  > valueof(p_r1[i].northWest.latitude) or 
                    valueof(p_r2[i].northWest.latitude)  < valueof(p_r1[i].southEast.latitude)
                     )) {
              return false;
              }
          } // End of 'for' statement

          return true;
        } // End of function f_isRectangularRegionsIntersected
        
        function f_isContinuousRectangularRegions(
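Review bot: The loop in f_isRectangularRegionsIntersected returns false exactly when a pair of rectangles overlaps: the four comparisons inside `not (...)` are the disjointness test, so `if (not (...)) { return false; }` rejects intersecting pairs and the function returns true when every pair is disjoint. The removed single-rectangle version returned `not (...)`, i.e. true on overlap, and the new caller in f_checkRegionValidityRestiction treats false as the failure case, so as written a certificate whose rectangle lies outside the issuer's passes the region check. Dropping the negation, `if (<the four comparisons>) { return false; }`, restores the old meaning. Two further gaps: rectangles are paired by index up to `f_min(lengthof(p_r1), lengthof(p_r2))`, so extra entries and empty sequences are never compared, and an overlap test does not establish the "inside" relation the caller's comment asks for. In the first hunk the identifiedRegion branch logs "FAIL: Not implemented" without a `return false;`, unlike the polygonal branch; what it falls through to is outside the hunk.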
+9 −7
@@ -1242,10 +1242,11 @@ module LibItsSecurity_Templates {
        template (omit) EtsiTs103097Certificate m_etsiTs103097Certificate(
                                                                          in template (value) IssuerIdentifier p_issuer,
                                                                          in template (value) ToBeSignedCertificate p_toBeSigned,
                                                                          in template (omit) Signature p_signature_ := omit
                                                                          in template (omit) Signature p_signature_ := omit,
                                                                          in template (value) CertificateType p_type_ := explicit
        ) := { 
            version     := c_certificate_version,
            type_       := explicit,
            type_       := p_type_,
            issuer      := p_issuer,
            toBeSigned  := p_toBeSigned,
            signature_  := p_signature_
@@ -1263,10 +1264,11 @@ module LibItsSecurity_Templates {
        template (present) EtsiTs103097Certificate mw_etsiTs103097Certificate(
                                                                              template (present) IssuerIdentifier p_issuer := ?,
                                                                              template (present) ToBeSignedCertificate p_toBeSigned := ?,
                                                                              template (present) Signature p_signature_ := ?
                                                                              template Signature p_signature_ := ?,
                                                                              template (present) CertificateType p_type_ := explicit
        ) := { 
            version     := c_certificate_version,
            type_       := explicit,
            type_       := p_type_,
            issuer      := p_issuer,
            toBeSigned  := p_toBeSigned,
            signature_  := p_signature_
@@ -1352,9 +1354,9 @@ module LibItsSecurity_Templates {
                                                                   template (present) CertificateId p_id := ?,
                                                                   template (present) SequenceOfPsidSsp p_appPermissions := ?,
                                                                   template (present) SequenceOfPsidGroupPermissions p_certIssuePermissions := ?,
                                                                   template (present) SequenceOfPsidGroupPermissions p_certRequestPermissions := ?,
                                                                   template (present) VerificationKeyIndicator p_verifyKeyIndicator := ?,
                                                                   template (present) ValidityPeriod p_validityPeriod := ?,
                                                                   template SequenceOfPsidGroupPermissions p_certRequestPermissions := *,
                                                                   template GeographicRegion p_region := *,
                                                                   template SubjectAssurance p_assuranceLevel := *,
                                                                   template PublicEncryptionKey p_encryptionKey := *
@@ -1365,13 +1367,13 @@ module LibItsSecurity_Templates {
            validityPeriod         := p_validityPeriod,
            region                 := p_region,
            assuranceLevel         := p_assuranceLevel,
            appPermissions         := omit,
            appPermissions         := ?,
            certIssuePermissions   := p_certIssuePermissions,
            certRequestPermissions := p_certRequestPermissions, 
            canRequestRollover     := omit,
            encryptionKey          := p_encryptionKey,
            verifyKeyIndicator     := p_verifyKeyIndicator
        } // End of template mw_toBeSignedCertificate
        } // End of template mw_toBeSignedCertificate_ca
        
        /**
         * @desc Send template for ToBeSignedCertificate with Enrolment credential restrictions
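Review bot: `appPermissions := ?` in the body of mw_toBeSignedCertificate_ca does not use the p_appPermissions parameter shown in the previous hunk (presumably the same template's parameter list), and on an optional field `?` matches only when the field is present. The template therefore went from requiring appPermissions to be absent to requiring it to be present, and any restriction a caller passes is ignored. If the intent is to let callers constrain it, `appPermissions := p_appPermissions,` with the parameter declared as `template SequenceOfPsidSsp p_appPermissions := *` would accept both cases by default. The template's @desc should say which of the two a CA certificate is expected to satisfy.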