Loading ttcn/Pki/LibItsPki_Functions.ttcn +203 −1 Original line number Diff line number Diff line Loading @@ -3436,6 +3436,208 @@ module LibItsPki_Functions { return true; } /** * @desc this function is used to retrieve the root certificate from SubCA entity * @param p_certificate The root certificate * @return 0 on success, -1 otherwise */ external function fx_get_root_ca_certificate( in charstring p_iut_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_CA", in boolean p_explicit_type := false, out octetstring p_certificate ) return integer; function f_get_root_ca_certificate( in charstring p_iut_certificate := "CERT_IUT_A_CA", in boolean p_explicit_type := false, out Certificate p_certificate ) return integer { var octetstring v_os; var bitstring v_msg_bit; log(">>> f_get_root_ca_certificate"); // Get root certificate if (fx_get_root_ca_certificate(p_iut_certificate, p_explicit_type, v_os) != 0) { log("f_get_root_ca_certificate: fail to get certificate"); return -1; } log("f_get_root_ca_certificate: v_os=", v_os); // Decode it v_msg_bit := oct2bit(v_os); if (decvalue(v_msg_bit, p_certificate) != 0) { log("f_get_root_ca_certificate: fail to decode certificate"); return -1; } log("<<< f_get_root_ca_certificate: ", p_certificate); return 0; } function f_verify_rca_certificate( in charstring p_authorized_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_RCA", in Certificate p_certificate, in boolean p_check_implicit := false, in boolean p_check_reconstruction_value := false, in boolean p_check_no_signature := false, in boolean p_check_region_restriction := false, in boolean p_check_signature_content := false ) return boolean { var CertificateType v_type_ := explicit; var template Signature v_signature_ := ?; var template IssuerIdentifier v_issuer := ?; var template PublicVerificationKey v_public_verification_key := ?; log(">>> f_verify_rca_certificate: p_authorized_certificate= ", p_authorized_certificate); log(">>> f_verify_rca_certificate: p_certificate= ", p_certificate); if (p_check_implicit == true) { v_type_ := implicit; } if (p_check_no_signature == true) { v_signature_ := omit; } if (match(p_certificate, mw_etsiTs103097Certificate(-, -, v_signature_, v_type_)) == false) { log("f_verify_rca_certificate: version/explicit mismatch"); return false; } if (p_check_reconstruction_value == false) { if (match(p_certificate, mw_etsiTs103097Certificate( -, mw_toBeSignedCertificate_ca( (mw_certificateId_none, mw_certificateId_name), -, -, mw_verificationKeyIndicator_verificationKey ), v_signature_ )) == false) { log("f_verify_rca_certificate: verificationKey mismatch"); return false; } if (p_check_signature_content) { var template PublicVerificationKey v_publicVerificationKey; if (PICS_SEC_SHA256) { v_signature_ := mw_signature_ecdsaNistP256; v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest); v_public_verification_key := mw_publicVerificationKey_ecdsaNistP256; } else if (PICS_SEC_BRAINPOOL_P256R1) { v_signature_ := mw_signature_ecdsaBrainpoolP256r1; v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest); v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP256r1; } else if (PICS_SEC_BRAINPOOL_P384R1) { v_signature_ := mw_signature_ecdsaBrainpoolP384r1; v_issuer := (mw_issuerIdentifier_self(sha384), mw_issuerIdentifier_sha384AndDigest); v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP384r1; } if (match(p_certificate, mw_etsiTs103097Certificate( v_issuer, mw_toBeSignedCertificate_ca( (mw_certificateId_none, mw_certificateId_name), -, -, mw_verificationKeyIndicator_verificationKey(v_public_verification_key), -, -, -, -, -//mw_encryptionKey ), v_signature_ )) == false) { log("f_verify_rca_certificate: signature mismatch"); return false; } // Verify Signature if (ischosen(p_certificate.issuer.self_)) { v_publicVerificationKey := p_certificate.toBeSigned.verifyKeyIndicator.verificationKey; } else { var HashedId8 v_digest; var Certificate v_authorized_certificate; var charstring v_cert; if (ischosen(p_certificate.issuer.sha256AndDigest)) { v_digest := p_certificate.issuer.sha256AndDigest; } else if (ischosen(p_certificate.issuer.sha384AndDigest)) { v_digest := p_certificate.issuer.sha384AndDigest; } else { log("f_verify_rca_certificate: Invalid certificate issuer ", p_certificate.issuer); return false; } if (f_getCertificateFromDigest(v_digest, v_authorized_certificate, v_cert) == false) { log("f_verify_rca_certificate: Fail to load p_authorized_certificate"); return false; } v_publicVerificationKey := v_authorized_certificate.toBeSigned.verifyKeyIndicator.verificationKey } log("f_verify_rca_certificate: v_publicVerificationKey= ", v_publicVerificationKey); if (f_verifyCertificateSignatureWithPublicKey(p_certificate, v_publicVerificationKey) == false) { log("f_verify_rca_certificate: signature not verified"); return false; } } } else { if (match(p_certificate, mw_etsiTs103097Certificate( -, mw_toBeSignedCertificate_ca( (mw_certificateId_none, mw_certificateId_name), -, -, mw_verificationKeyIndicator_reconstructionValue ), v_signature_ )) == false) { log("f_verify_rca_certificate: verificationKey mismatch"); return false; } // TODO Verify Signature } if (p_check_region_restriction == true) { var Certificate v_authorized_certificate; var template GeographicRegion v_geographic_region := ?; if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) { log("f_verify_rca_certificate: Fail to load p_authorized_certificate"); return false; } log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate); if (PICS_SEC_CIRCULAR_REGION == true) { v_geographic_region := mw_geographicRegion_circle; } else if (PICS_SEC_RECTANGULAR_REGION == true) { v_geographic_region := mw_geographicRegion_rectangular; } else if (PICS_SEC_POLYGONAL_REGION == true) { v_geographic_region := mw_geographicRegion_polygonal; } else if (PICS_SEC_IDENTIFIED_REGION == true) { v_geographic_region := mw_geographicRegion_identified( { (mw_identifiedRegion_country_only, mw_identifiedRegion_country_and_region) } ); } if (match(p_certificate, mw_etsiTs103097Certificate( -, mw_toBeSignedCertificate_ca( -, -, -, -, -, -, v_geographic_region ) )) == false) { log("f_verify_rca_certificate: Geographical region mismatch"); return false; } // Check interception of area if (f_checkRegionValidityRestiction(v_authorized_certificate, p_certificate) == false) { log("f_verify_rca_certificate: Geographical region intersection mismatch"); return false; } } return true; } } // End of group rca group tlm { Loading ttcn/Pki/LibItsPki_Pics.ttcn +10 −1 Original line number Diff line number Diff line Loading @@ -161,6 +161,11 @@ module LibItsPki_Pics { */ modulepar charstring PICS_HTTP_POST_URI_ATV := "/authorize_validate"; /** * @desc HTTP GET URI for Certificate Trusted List */ modulepar charstring PICS_HTTP_GET_URI_CA := "/dc/getctl"; /** * @desc HTTP GET URI for Certificate Trusted List */ Loading Loading @@ -247,4 +252,8 @@ module LibItsPki_Pics { */ modulepar boolean PICS_EC_SUBJECT_ATTRIBUT_ID := false; modulepar boolean PICS_SEC_IMPLICIT_CERTIFICATES := false; modulepar boolean PICS_SEC_EXPLICIT_CERTIFICATES := true; } // End of module LibItsPki_Pics ttcn/Security/LibItsSecurity_Functions.ttcn +53 −42 Original line number Diff line number Diff line Loading @@ -3076,37 +3076,45 @@ module LibItsSecurity_Functions { in EtsiTs103097Certificate p_cert, in EtsiTs103097Certificate p_cert_issuer ) return boolean { var ValidityPeriod v_cert_region, v_cert_issuer_region; var GeographicRegion v_cert_region, v_cert_issuer_region; var boolean v_cert_issuer_region_result; /* FIXME To be reviewed v_cert_issuer_region_result := f_getCertificateValidityRestriction(p_cert_issuer, e_region, v_cert_issuer_region); if (f_getCertificateValidityRestriction(p_cert, e_region, v_cert_region) == false) { if (v_cert_issuer_region_result == true) { if (v_cert_issuer_region.validity.region.region_type != e_none) { // FIXME To be reviewed // Sanity checks if (ispresent(p_cert.toBeSigned.region) == false) { log("f_checkRegionValidityRestiction: GeographicRegion missig into certificate"); return false; } if (ispresent(p_cert_issuer.toBeSigned.region) == false) { // No greographical constraints return true; } } else if ( (v_cert_issuer_region_result == true) and (v_cert_issuer_region.validity.region.region_type != e_none) ) { if (v_cert_region.validity.region.region_type == e_circle) { if (v_cert_issuer_region.validity.region.region_type == e_circle) { v_cert_region := p_cert.toBeSigned.region; v_cert_issuer_region := p_cert_issuer.toBeSigned.region; if (ispresent(v_cert_region.circularRegion) and ispresent(v_cert_issuer_region.circularRegion)) { // Check v_cert_region 'circle' is inside v_cert_issuer_region 'circle' if (f_areCirclesInside(v_cert_region.validity.region.region.circular_region, v_cert_issuer_region.validity.region.region.circular_region) == false) { log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates circle area does not match ***"); if (f_areCirclesInside(valueof(v_cert_region.circularRegion), valueof(v_cert_issuer_region.circularRegion)) == false) { log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates circle area does not match"); return false; } } } else if (v_cert_region.validity.region.region_type == e_rectangle) { if (v_cert_issuer_region.validity.region.region_type == e_rectangle) { } else if (ispresent(v_cert_region.rectangularRegion) and ispresent(v_cert_issuer_region.rectangularRegion)) { // Check v_cert_region 'rectangle' is inside v_cert_issuer_region 'rectangle' if (f_areRectanglesInside(v_cert_region.validity.region.region.rectangular_region, v_cert_issuer_region.validity.region.region.rectangular_region) == false) { log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates rectangle area does not match ***"); if (f_isRectangularRegionsIntersected(v_cert_region.rectangularRegion, v_cert_issuer_region.rectangularRegion) == false) { log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates rectangle area does not match"); return false; } } else if (ispresent(v_cert_region.polygonalRegion) and ispresent(v_cert_issuer_region.polygonalRegion)) { // Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon' log("f_checkRegionValidityRestiction: FAIL: Not implemented"); // TODO return false; } else if (ispresent(v_cert_region.identifiedRegion) and ispresent(v_cert_issuer_region.identifiedRegion)) { log("f_checkRegionValidityRestiction: FAIL: Not implemented"); // Check id_region // TODO } } else if (v_cert_region.validity.region.region_type == e_polygon) { /*if (v_cert_region.validity.region.region_type == e_polygon) { if (v_cert_issuer_region.validity.region.region_type == e_polygon) { // Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon' if (f_arePolygonsInside(v_cert_region.validity.region.region.polygonal_region, v_cert_issuer_region.validity.region.region.polygonal_region) == false) { Loading Loading @@ -3215,20 +3223,23 @@ module LibItsSecurity_Functions { * @return true on success, false otherwise */ function f_isRectangularRegionsIntersected( in template (value) RectangularRegion p_r1, in template (value) RectangularRegion p_r2 in template (value) SequenceOfRectangularRegion p_r1, in template (value) SequenceOfRectangularRegion p_r2 ) return boolean { return not ( //FIXME RGY Titan doesn't support dot notation after valueof at the moment // valueof(p_r2).northWest.longitude > valueof(p_r1).southEast.longitude or // valueof(p_r2).southEast.longitude < valueof(p_r1).northWest.longitude or // valueof(p_r2).southEast.latitude > valueof(p_r1).northWest.latitude or // valueof(p_r2).northWest.latitude < valueof(p_r1).southEast.latitude valueof(p_r2.northWest.longitude) > valueof(p_r1.southEast.longitude) or valueof(p_r2.southEast.longitude) < valueof(p_r1.northWest.longitude) or valueof(p_r2.southEast.latitude) > valueof(p_r1.northWest.latitude) or valueof(p_r2.northWest.latitude) < valueof(p_r1.southEast.latitude) ); var integer v_min := f_min(lengthof(p_r1), lengthof(p_r2)); for (var integer i := 0; i < v_min; i := i + 1) { if (not ( valueof(p_r2[i].northWest.longitude) > valueof(p_r1[i].southEast.longitude) or valueof(p_r2[i].southEast.longitude) < valueof(p_r1[i].northWest.longitude) or valueof(p_r2[i].southEast.latitude) > valueof(p_r1[i].northWest.latitude) or valueof(p_r2[i].northWest.latitude) < valueof(p_r1[i].southEast.latitude) )) { return false; } } // End of 'for' statement return true; } // End of function f_isRectangularRegionsIntersected function f_isContinuousRectangularRegions( Loading ttcn/Security/LibItsSecurity_Templates.ttcn +9 −7 Original line number Diff line number Diff line Loading @@ -1242,10 +1242,11 @@ module LibItsSecurity_Templates { template (omit) EtsiTs103097Certificate m_etsiTs103097Certificate( in template (value) IssuerIdentifier p_issuer, in template (value) ToBeSignedCertificate p_toBeSigned, in template (omit) Signature p_signature_ := omit in template (omit) Signature p_signature_ := omit, in template (value) CertificateType p_type_ := explicit ) := { version := c_certificate_version, type_ := explicit, type_ := p_type_, issuer := p_issuer, toBeSigned := p_toBeSigned, signature_ := p_signature_ Loading @@ -1263,10 +1264,11 @@ module LibItsSecurity_Templates { template (present) EtsiTs103097Certificate mw_etsiTs103097Certificate( template (present) IssuerIdentifier p_issuer := ?, template (present) ToBeSignedCertificate p_toBeSigned := ?, template (present) Signature p_signature_ := ? template Signature p_signature_ := ?, template (present) CertificateType p_type_ := explicit ) := { version := c_certificate_version, type_ := explicit, type_ := p_type_, issuer := p_issuer, toBeSigned := p_toBeSigned, signature_ := p_signature_ Loading Loading @@ -1352,9 +1354,9 @@ module LibItsSecurity_Templates { template (present) CertificateId p_id := ?, template (present) SequenceOfPsidSsp p_appPermissions := ?, template (present) SequenceOfPsidGroupPermissions p_certIssuePermissions := ?, template (present) SequenceOfPsidGroupPermissions p_certRequestPermissions := ?, template (present) VerificationKeyIndicator p_verifyKeyIndicator := ?, template (present) ValidityPeriod p_validityPeriod := ?, template SequenceOfPsidGroupPermissions p_certRequestPermissions := *, template GeographicRegion p_region := *, template SubjectAssurance p_assuranceLevel := *, template PublicEncryptionKey p_encryptionKey := * Loading @@ -1365,13 +1367,13 @@ module LibItsSecurity_Templates { validityPeriod := p_validityPeriod, region := p_region, assuranceLevel := p_assuranceLevel, appPermissions := omit, appPermissions := ?, certIssuePermissions := p_certIssuePermissions, certRequestPermissions := p_certRequestPermissions, canRequestRollover := omit, encryptionKey := p_encryptionKey, verifyKeyIndicator := p_verifyKeyIndicator } // End of template mw_toBeSignedCertificate } // End of template mw_toBeSignedCertificate_ca /** * @desc Send template for ToBeSignedCertificate with Enrolment credential restrictions Loading Loading
ttcn/Pki/LibItsPki_Functions.ttcn +203 −1 Original line number Diff line number Diff line Loading @@ -3436,6 +3436,208 @@ module LibItsPki_Functions { return true; } /** * @desc this function is used to retrieve the root certificate from SubCA entity * @param p_certificate The root certificate * @return 0 on success, -1 otherwise */ external function fx_get_root_ca_certificate( in charstring p_iut_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_CA", in boolean p_explicit_type := false, out octetstring p_certificate ) return integer; function f_get_root_ca_certificate( in charstring p_iut_certificate := "CERT_IUT_A_CA", in boolean p_explicit_type := false, out Certificate p_certificate ) return integer { var octetstring v_os; var bitstring v_msg_bit; log(">>> f_get_root_ca_certificate"); // Get root certificate if (fx_get_root_ca_certificate(p_iut_certificate, p_explicit_type, v_os) != 0) { log("f_get_root_ca_certificate: fail to get certificate"); return -1; } log("f_get_root_ca_certificate: v_os=", v_os); // Decode it v_msg_bit := oct2bit(v_os); if (decvalue(v_msg_bit, p_certificate) != 0) { log("f_get_root_ca_certificate: fail to decode certificate"); return -1; } log("<<< f_get_root_ca_certificate: ", p_certificate); return 0; } function f_verify_rca_certificate( in charstring p_authorized_certificate := "CERT_IUT_A_RCA",//"CERT_IUT_A_RCA", in Certificate p_certificate, in boolean p_check_implicit := false, in boolean p_check_reconstruction_value := false, in boolean p_check_no_signature := false, in boolean p_check_region_restriction := false, in boolean p_check_signature_content := false ) return boolean { var CertificateType v_type_ := explicit; var template Signature v_signature_ := ?; var template IssuerIdentifier v_issuer := ?; var template PublicVerificationKey v_public_verification_key := ?; log(">>> f_verify_rca_certificate: p_authorized_certificate= ", p_authorized_certificate); log(">>> f_verify_rca_certificate: p_certificate= ", p_certificate); if (p_check_implicit == true) { v_type_ := implicit; } if (p_check_no_signature == true) { v_signature_ := omit; } if (match(p_certificate, mw_etsiTs103097Certificate(-, -, v_signature_, v_type_)) == false) { log("f_verify_rca_certificate: version/explicit mismatch"); return false; } if (p_check_reconstruction_value == false) { if (match(p_certificate, mw_etsiTs103097Certificate( -, mw_toBeSignedCertificate_ca( (mw_certificateId_none, mw_certificateId_name), -, -, mw_verificationKeyIndicator_verificationKey ), v_signature_ )) == false) { log("f_verify_rca_certificate: verificationKey mismatch"); return false; } if (p_check_signature_content) { var template PublicVerificationKey v_publicVerificationKey; if (PICS_SEC_SHA256) { v_signature_ := mw_signature_ecdsaNistP256; v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest); v_public_verification_key := mw_publicVerificationKey_ecdsaNistP256; } else if (PICS_SEC_BRAINPOOL_P256R1) { v_signature_ := mw_signature_ecdsaBrainpoolP256r1; v_issuer := (mw_issuerIdentifier_self(sha256), mw_issuerIdentifier_sha256AndDigest); v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP256r1; } else if (PICS_SEC_BRAINPOOL_P384R1) { v_signature_ := mw_signature_ecdsaBrainpoolP384r1; v_issuer := (mw_issuerIdentifier_self(sha384), mw_issuerIdentifier_sha384AndDigest); v_public_verification_key := mw_publicVerificationKey_ecdsaBrainpoolP384r1; } if (match(p_certificate, mw_etsiTs103097Certificate( v_issuer, mw_toBeSignedCertificate_ca( (mw_certificateId_none, mw_certificateId_name), -, -, mw_verificationKeyIndicator_verificationKey(v_public_verification_key), -, -, -, -, -//mw_encryptionKey ), v_signature_ )) == false) { log("f_verify_rca_certificate: signature mismatch"); return false; } // Verify Signature if (ischosen(p_certificate.issuer.self_)) { v_publicVerificationKey := p_certificate.toBeSigned.verifyKeyIndicator.verificationKey; } else { var HashedId8 v_digest; var Certificate v_authorized_certificate; var charstring v_cert; if (ischosen(p_certificate.issuer.sha256AndDigest)) { v_digest := p_certificate.issuer.sha256AndDigest; } else if (ischosen(p_certificate.issuer.sha384AndDigest)) { v_digest := p_certificate.issuer.sha384AndDigest; } else { log("f_verify_rca_certificate: Invalid certificate issuer ", p_certificate.issuer); return false; } if (f_getCertificateFromDigest(v_digest, v_authorized_certificate, v_cert) == false) { log("f_verify_rca_certificate: Fail to load p_authorized_certificate"); return false; } v_publicVerificationKey := v_authorized_certificate.toBeSigned.verifyKeyIndicator.verificationKey } log("f_verify_rca_certificate: v_publicVerificationKey= ", v_publicVerificationKey); if (f_verifyCertificateSignatureWithPublicKey(p_certificate, v_publicVerificationKey) == false) { log("f_verify_rca_certificate: signature not verified"); return false; } } } else { if (match(p_certificate, mw_etsiTs103097Certificate( -, mw_toBeSignedCertificate_ca( (mw_certificateId_none, mw_certificateId_name), -, -, mw_verificationKeyIndicator_reconstructionValue ), v_signature_ )) == false) { log("f_verify_rca_certificate: verificationKey mismatch"); return false; } // TODO Verify Signature } if (p_check_region_restriction == true) { var Certificate v_authorized_certificate; var template GeographicRegion v_geographic_region := ?; if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) { log("f_verify_rca_certificate: Fail to load p_authorized_certificate"); return false; } log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate); if (PICS_SEC_CIRCULAR_REGION == true) { v_geographic_region := mw_geographicRegion_circle; } else if (PICS_SEC_RECTANGULAR_REGION == true) { v_geographic_region := mw_geographicRegion_rectangular; } else if (PICS_SEC_POLYGONAL_REGION == true) { v_geographic_region := mw_geographicRegion_polygonal; } else if (PICS_SEC_IDENTIFIED_REGION == true) { v_geographic_region := mw_geographicRegion_identified( { (mw_identifiedRegion_country_only, mw_identifiedRegion_country_and_region) } ); } if (match(p_certificate, mw_etsiTs103097Certificate( -, mw_toBeSignedCertificate_ca( -, -, -, -, -, -, v_geographic_region ) )) == false) { log("f_verify_rca_certificate: Geographical region mismatch"); return false; } // Check interception of area if (f_checkRegionValidityRestiction(v_authorized_certificate, p_certificate) == false) { log("f_verify_rca_certificate: Geographical region intersection mismatch"); return false; } } return true; } } // End of group rca group tlm { Loading
ttcn/Pki/LibItsPki_Pics.ttcn +10 −1 Original line number Diff line number Diff line Loading @@ -161,6 +161,11 @@ module LibItsPki_Pics { */ modulepar charstring PICS_HTTP_POST_URI_ATV := "/authorize_validate"; /** * @desc HTTP GET URI for Certificate Trusted List */ modulepar charstring PICS_HTTP_GET_URI_CA := "/dc/getctl"; /** * @desc HTTP GET URI for Certificate Trusted List */ Loading Loading @@ -247,4 +252,8 @@ module LibItsPki_Pics { */ modulepar boolean PICS_EC_SUBJECT_ATTRIBUT_ID := false; modulepar boolean PICS_SEC_IMPLICIT_CERTIFICATES := false; modulepar boolean PICS_SEC_EXPLICIT_CERTIFICATES := true; } // End of module LibItsPki_Pics
ttcn/Security/LibItsSecurity_Functions.ttcn +53 −42 Original line number Diff line number Diff line Loading @@ -3076,37 +3076,45 @@ module LibItsSecurity_Functions { in EtsiTs103097Certificate p_cert, in EtsiTs103097Certificate p_cert_issuer ) return boolean { var ValidityPeriod v_cert_region, v_cert_issuer_region; var GeographicRegion v_cert_region, v_cert_issuer_region; var boolean v_cert_issuer_region_result; /* FIXME To be reviewed v_cert_issuer_region_result := f_getCertificateValidityRestriction(p_cert_issuer, e_region, v_cert_issuer_region); if (f_getCertificateValidityRestriction(p_cert, e_region, v_cert_region) == false) { if (v_cert_issuer_region_result == true) { if (v_cert_issuer_region.validity.region.region_type != e_none) { // FIXME To be reviewed // Sanity checks if (ispresent(p_cert.toBeSigned.region) == false) { log("f_checkRegionValidityRestiction: GeographicRegion missig into certificate"); return false; } if (ispresent(p_cert_issuer.toBeSigned.region) == false) { // No greographical constraints return true; } } else if ( (v_cert_issuer_region_result == true) and (v_cert_issuer_region.validity.region.region_type != e_none) ) { if (v_cert_region.validity.region.region_type == e_circle) { if (v_cert_issuer_region.validity.region.region_type == e_circle) { v_cert_region := p_cert.toBeSigned.region; v_cert_issuer_region := p_cert_issuer.toBeSigned.region; if (ispresent(v_cert_region.circularRegion) and ispresent(v_cert_issuer_region.circularRegion)) { // Check v_cert_region 'circle' is inside v_cert_issuer_region 'circle' if (f_areCirclesInside(v_cert_region.validity.region.region.circular_region, v_cert_issuer_region.validity.region.region.circular_region) == false) { log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates circle area does not match ***"); if (f_areCirclesInside(valueof(v_cert_region.circularRegion), valueof(v_cert_issuer_region.circularRegion)) == false) { log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates circle area does not match"); return false; } } } else if (v_cert_region.validity.region.region_type == e_rectangle) { if (v_cert_issuer_region.validity.region.region_type == e_rectangle) { } else if (ispresent(v_cert_region.rectangularRegion) and ispresent(v_cert_issuer_region.rectangularRegion)) { // Check v_cert_region 'rectangle' is inside v_cert_issuer_region 'rectangle' if (f_areRectanglesInside(v_cert_region.validity.region.region.rectangular_region, v_cert_issuer_region.validity.region.region.rectangular_region) == false) { log("*** " & testcasename() & ": FAIL: Issuer and issuing certificates rectangle area does not match ***"); if (f_isRectangularRegionsIntersected(v_cert_region.rectangularRegion, v_cert_issuer_region.rectangularRegion) == false) { log("f_checkRegionValidityRestiction: FAIL: Issuer and issuing certificates rectangle area does not match"); return false; } } else if (ispresent(v_cert_region.polygonalRegion) and ispresent(v_cert_issuer_region.polygonalRegion)) { // Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon' log("f_checkRegionValidityRestiction: FAIL: Not implemented"); // TODO return false; } else if (ispresent(v_cert_region.identifiedRegion) and ispresent(v_cert_issuer_region.identifiedRegion)) { log("f_checkRegionValidityRestiction: FAIL: Not implemented"); // Check id_region // TODO } } else if (v_cert_region.validity.region.region_type == e_polygon) { /*if (v_cert_region.validity.region.region_type == e_polygon) { if (v_cert_issuer_region.validity.region.region_type == e_polygon) { // Check v_cert_region 'polygon' is inside v_cert_issuer_region 'polygon' if (f_arePolygonsInside(v_cert_region.validity.region.region.polygonal_region, v_cert_issuer_region.validity.region.region.polygonal_region) == false) { Loading Loading @@ -3215,20 +3223,23 @@ module LibItsSecurity_Functions { * @return true on success, false otherwise */ function f_isRectangularRegionsIntersected( in template (value) RectangularRegion p_r1, in template (value) RectangularRegion p_r2 in template (value) SequenceOfRectangularRegion p_r1, in template (value) SequenceOfRectangularRegion p_r2 ) return boolean { return not ( //FIXME RGY Titan doesn't support dot notation after valueof at the moment // valueof(p_r2).northWest.longitude > valueof(p_r1).southEast.longitude or // valueof(p_r2).southEast.longitude < valueof(p_r1).northWest.longitude or // valueof(p_r2).southEast.latitude > valueof(p_r1).northWest.latitude or // valueof(p_r2).northWest.latitude < valueof(p_r1).southEast.latitude valueof(p_r2.northWest.longitude) > valueof(p_r1.southEast.longitude) or valueof(p_r2.southEast.longitude) < valueof(p_r1.northWest.longitude) or valueof(p_r2.southEast.latitude) > valueof(p_r1.northWest.latitude) or valueof(p_r2.northWest.latitude) < valueof(p_r1.southEast.latitude) ); var integer v_min := f_min(lengthof(p_r1), lengthof(p_r2)); for (var integer i := 0; i < v_min; i := i + 1) { if (not ( valueof(p_r2[i].northWest.longitude) > valueof(p_r1[i].southEast.longitude) or valueof(p_r2[i].southEast.longitude) < valueof(p_r1[i].northWest.longitude) or valueof(p_r2[i].southEast.latitude) > valueof(p_r1[i].northWest.latitude) or valueof(p_r2[i].northWest.latitude) < valueof(p_r1[i].southEast.latitude) )) { return false; } } // End of 'for' statement return true; } // End of function f_isRectangularRegionsIntersected function f_isContinuousRectangularRegions( Loading
ttcn/Security/LibItsSecurity_Templates.ttcn +9 −7 Original line number Diff line number Diff line Loading @@ -1242,10 +1242,11 @@ module LibItsSecurity_Templates { template (omit) EtsiTs103097Certificate m_etsiTs103097Certificate( in template (value) IssuerIdentifier p_issuer, in template (value) ToBeSignedCertificate p_toBeSigned, in template (omit) Signature p_signature_ := omit in template (omit) Signature p_signature_ := omit, in template (value) CertificateType p_type_ := explicit ) := { version := c_certificate_version, type_ := explicit, type_ := p_type_, issuer := p_issuer, toBeSigned := p_toBeSigned, signature_ := p_signature_ Loading @@ -1263,10 +1264,11 @@ module LibItsSecurity_Templates { template (present) EtsiTs103097Certificate mw_etsiTs103097Certificate( template (present) IssuerIdentifier p_issuer := ?, template (present) ToBeSignedCertificate p_toBeSigned := ?, template (present) Signature p_signature_ := ? template Signature p_signature_ := ?, template (present) CertificateType p_type_ := explicit ) := { version := c_certificate_version, type_ := explicit, type_ := p_type_, issuer := p_issuer, toBeSigned := p_toBeSigned, signature_ := p_signature_ Loading Loading @@ -1352,9 +1354,9 @@ module LibItsSecurity_Templates { template (present) CertificateId p_id := ?, template (present) SequenceOfPsidSsp p_appPermissions := ?, template (present) SequenceOfPsidGroupPermissions p_certIssuePermissions := ?, template (present) SequenceOfPsidGroupPermissions p_certRequestPermissions := ?, template (present) VerificationKeyIndicator p_verifyKeyIndicator := ?, template (present) ValidityPeriod p_validityPeriod := ?, template SequenceOfPsidGroupPermissions p_certRequestPermissions := *, template GeographicRegion p_region := *, template SubjectAssurance p_assuranceLevel := *, template PublicEncryptionKey p_encryptionKey := * Loading @@ -1365,13 +1367,13 @@ module LibItsSecurity_Templates { validityPeriod := p_validityPeriod, region := p_region, assuranceLevel := p_assuranceLevel, appPermissions := omit, appPermissions := ?, certIssuePermissions := p_certIssuePermissions, certRequestPermissions := p_certRequestPermissions, canRequestRollover := omit, encryptionKey := p_encryptionKey, verifyKeyIndicator := p_verifyKeyIndicator } // End of template mw_toBeSignedCertificate } // End of template mw_toBeSignedCertificate_ca /** * @desc Send template for ToBeSignedCertificate with Enrolment credential restrictions Loading
