Finalise support of secured other-message (4e0146db) · Commits · TTCN-3 Libraries / LibIts

ttcn/Security/LibItsSecurity_Functions.ttcn3

+375 −283

Original line number	Diff line number	Diff line
		@@ -72,6 +72,40 @@ module LibItsSecurity_Functions {
		return '0000000000000000'O;
		}

		group hostSignatureHelpers {

		/**
		* @desc Build a template of a secured beacon to be used for the Test Adapter secured beaconing processing
		*/
		function f_buildSecuredMessagePayloadToBeSigned()
		return ToBeSignedData {
		// Local variables
		var template (value) ToBeSignedData v_toBeSignedData;

		// Build the beacon template
		v_toBeSignedData := m_toBeSignedData_profileOther(
		{ // Field HeaderFields
		m_header_field_signer_info(
		m_signerInfo_certificate(
		PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX]
		) // End of template m_signerInfo_certificate
		), // End of template m_header_field_signer_info
		m_header_field_generation_time(oct2int('BBBBBBBB'O)), // To be replaced by TA with current time
		m_header_field_generation_location(
		PX_THREED_LOCATIONS[PX_CERTIFICATE_CONFIG_IDX]
		)
		}, // End of field HeaderFields
		{
		m_payload_unsecured(
		'AAAAAAAAAA'O // To be replaced by TA with real payload
		)
		}, // End of field HeaderFields
		e_signature
		);

		return v_toBeSignedData;
		}

		/**
		* @desc This function build and sign the SecureMessage part covered by the signature process
		* @param p_unsecuredPayload The unsigned payload (e.g. a beacon)
		@@ -83,8 +117,8 @@ module LibItsSecurity_Functions {
		function f_buildGnSecuredCam(
		in octetstring p_unsecuredPayload,
		in ThreeDLocation p_threeDLocation,
		out template (value) SecuredMessage p_securedMessage)
		return boolean {
		out template (value) SecuredMessage p_securedMessage
		) return boolean {

		// Local variables
		var octetstring v_secPayload, v_signature;
		@@ -114,17 +148,14 @@ module LibItsSecurity_Functions {
		);

		v_secPayload := bit2oct(encvalue(v_toBeSignedData));
		// log("v_secPayload: ", v_secPayload);

		// Calculate the hash of the SecuredMessage payload to be signed
		v_hash := f_hashWithSha256(v_secPayload);
		// log("v_hash: ", v_hash);

		// Signed payload
		v_signature := f_signWithEcdsaNistp256WithSha256(
		v_hash
		);
		// log("v_signature: ", v_signature);

		p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages
		v_toBeSignedData.header_fields,
		@@ -157,8 +188,8 @@ module LibItsSecurity_Functions {
		function f_buildGnSecuredDenm(
		in octetstring p_unsecuredPayload,
		in ThreeDLocation p_threeDLocation,
		out template (value) SecuredMessage p_securedMessage)
		return boolean {
		out template (value) SecuredMessage p_securedMessage
		) return boolean {

		// Local variables
		var octetstring v_secPayload, v_signature;
		@@ -188,17 +219,14 @@ module LibItsSecurity_Functions {
		);

		v_secPayload := bit2oct(encvalue(v_toBeSignedData));
		// log("v_secPayload: ", v_secPayload);

		// Calculate the hash of the SecuredMessage payload to be signed
		v_hash := f_hashWithSha256(v_secPayload);
		// log("v_hash: ", v_hash);

		// Signed payload
		v_signature := f_signWithEcdsaNistp256WithSha256(
		v_hash
		);
		// log("v_signature: ", v_signature);

		p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages
		v_toBeSignedData.header_fields,
		@@ -231,8 +259,8 @@ module LibItsSecurity_Functions {
		function f_buildGnSecuredOtherMessage(
		in octetstring p_unsecuredPayload,
		in ThreeDLocation p_threeDLocation,
		out template (value) SecuredMessage p_securedMessage)
		return boolean {
		out template (value) SecuredMessage p_securedMessage
		) return boolean {

		// Local variables
		var octetstring v_secPayload, v_signature;
		@@ -261,17 +289,14 @@ module LibItsSecurity_Functions {
		);

		v_secPayload := bit2oct(encvalue(v_toBeSignedData));
		// log("f_buildGnSecuredOtherMessage: v_secPayload: ", v_secPayload);

		// Calculate the hash of the SecuredMessage payload to be signed
		v_hash := f_hashWithSha256(v_secPayload);
		// log("f_buildGnSecuredOtherMessage: v_hash: ", v_hash);

		// Signed payload
		v_signature := f_signWithEcdsaNistp256WithSha256(
		v_hash
		);
		// log("f_buildGnSecuredOtherMessage: v_signature: ", v_signature);

		p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages
		v_toBeSignedData.header_fields,
		@@ -295,14 +320,14 @@ module LibItsSecurity_Functions {

		/**
		*
		* @desc Verify the signature of the prvided secured message
		* @desc Verify the signature of the provided secured message
		* @param p_securedMessage
		* @return true on success, false otherwise
		* @verdict
		*/
		function f_verifyGnSecuredOtherMessage(
		in template (value) SecuredMessage p_securedMessage)
		return boolean {
		in template (value) SecuredMessage p_securedMessage
		) return boolean {

		// Local variables
		var octetstring v_secPayload;
		@@ -320,11 +345,9 @@ module LibItsSecurity_Functions {
		);

		v_secPayload := bit2oct(encvalue(v_toBeSignedData));
		// log("f_verifyGnSecuredOtherMessage: v_secPayload: ", v_secPayload);

		// Calculate the hash of the SecuredMessage payload to be signed
		v_hash := fx_hashWithSha256(v_secPayload);
		// log("f_verifyGnSecuredOtherMessage: v_hash: ", v_hash);

		// Verify payload
		for (v_counter := 0; v_counter < lengthof(p_securedMessage.trailer_fields); v_counter := v_counter + 1) {
		@@ -336,7 +359,6 @@ module LibItsSecurity_Functions {
		'0000'O &
		p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.r.x &
		p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.s;
		// log("f_verifyGnSecuredOtherMessage: v_signedData: ", v_signedData);
		v_result := f_verifyWithEcdsaNistp256WithSha256(
		v_hash,
		v_signedData,
		@@ -349,6 +371,65 @@ module LibItsSecurity_Functions {
		return v_result;
		} // End of function f_verifyGnSecuredOtherMessage

		} // End of group hostSignatureHelpers

		group deviceSignatureHelpers {

		/**
		* @desc Verify the signature of the provided secured message
		* @param p_securedMessage
		* @return true on success, false otherwise
		* @verdict
		*/
		function f_verifyGnSecuredOtherMessageWithDeviceCertificate(
		in template (value) SecuredMessage p_securedMessage,
		in template (value) Certificate p_certificate
		) return boolean {

		// Local variables
		var octetstring v_secPayload;
		var octetstring v_signedData;
		var Oct32 v_hash;
		var integer v_counter;
		var boolean v_result := false;
		var template (value) ToBeSignedData v_toBeSignedData;

		// Create SecuredMessage payload to be signed
		v_toBeSignedData := m_toBeSignedData_profileOther(
		p_securedMessage.header_fields,
		p_securedMessage.payload_fields,
		e_signature
		);

		v_secPayload := bit2oct(encvalue(v_toBeSignedData));

		// Calculate the hash of the SecuredMessage payload to be signed
		v_hash := fx_hashWithSha256(v_secPayload);

		// Verify payload
		for (v_counter := 0; v_counter < lengthof(p_securedMessage.trailer_fields); v_counter := v_counter + 1) {
		if (
		(p_securedMessage.trailer_fields[v_counter].type_ == e_signature) and
		(p_securedMessage.trailer_fields[v_counter].trailerField.signature_.algorithm == e_ecdsa_nistp256_with_sha256)
		) {
		v_signedData :=
		'0000'O &
		p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.r.x &
		p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.s;
		v_result := f_verifyWithEcdsaNistp256WithSha256(
		v_hash,
		v_signedData,
		p_certificate.subject_attributes[0].attribute.key.public_key.eccPoint.x,
		p_certificate.subject_attributes[0].attribute.key.public_key.eccPoint.y.y
		);
		}
		} // End of 'for' statement

		return v_result;
		} // End of function f_verifyGnSecuredOtherMessageWithDeviceCertificate

		} // End of group deviceSignatureHelpers

		group messageGetters {

		/**
		@@ -357,15 +438,17 @@ module LibItsSecurity_Functions {
		* @param p_type header field type
		* @return HeaderField of given type if any or null
		*/
		function f_getMsgHeaderField(in SecuredMessage p_msg, in HeaderFieldType p_type)
		return HeaderField {
		var HeaderField v_return := null;
		var integer v_length := lengthof(p_msg.header_fields);
		var integer v_i;

		for(v_i := 0; v_i < v_length; v_i := v_i + 1){
		if(p_msg.header_fields[v_i].type_ == p_type){
		v_return := p_msg.header_fields[v_i];
		function f_getMsgHeaderField(
		in SecuredMessage p_securedMessage,
		in HeaderFieldType p_headerFieldType
		) return HeaderField {
		var HeaderField v_return;
		var integer v_length := lengthof(p_securedMessage.header_fields);
		var integer v_index;

		for (v_index := 0; v_index < v_length; v_index := v_index + 1) {
		if (p_securedMessage.header_fields[v_index].type_ == p_headerFieldType) {
		v_return := p_securedMessage.header_fields[v_index];
		break;
		}
		}
		@@ -376,8 +459,10 @@ module LibItsSecurity_Functions {
		/**
		* @desc return SignerInfo SecuredMessage field
		*/
		function f_getMsgSignerInfo(in SecuredMessage p_msg) return SignerInfo {
		var HeaderField v_hf := f_getMsgHeaderField(p_msg, e_signer_info);
		function f_getMsgSignerInfo(
		in SecuredMessage p_securedMessage
		) return SignerInfo {
		var HeaderField v_hf := f_getMsgHeaderField(p_securedMessage, e_signer_info);

		if (isbound(v_hf)) {
		return v_hf.headerField.signer;
		@@ -389,11 +474,15 @@ module LibItsSecurity_Functions {
		}// End of group messageGetters

		group certificateGetters {
		function f_getCertificateValidityRestriction(in Certificate p_cert, in ValidityRestrictionType p_type)
		return ValidityRestriction {
		var ValidityRestriction v_return := null;

		function f_getCertificateValidityRestriction(
		in Certificate p_cert,
		in ValidityRestrictionType p_type
		) return ValidityRestriction {
		var ValidityRestriction v_return;
		var integer v_length := lengthof(p_cert.validity_restrictions);
		var integer v_index;

		for (v_index := 0; v_index < v_length; v_index := v_index + 1) {
		if( p_cert.validity_restrictions[v_index].type_ == p_type ) {
		v_return := p_cert.validity_restrictions[v_index];
		@@ -405,7 +494,7 @@ module LibItsSecurity_Functions {

		function f_getCertificateSignerInfo (in Certificate p_cert)
		return SignerInfo {
		var SignerInfo ret := null;
		var SignerInfo ret;
		if (lengthof(p_cert.signer_infos) > 0) {
		ret := p_cert.signer_infos[0];
		}
		@@ -413,10 +502,13 @@ module LibItsSecurity_Functions {
		}

		}// End of group certificateGetters

		group CertRequests{

		function f_askForCertificateChain (in HashedId3s p_digests) {

		}

		} // End of group CertRequests

		} // End of group helpersFunctions

ttcn/Security/LibItsSecurity_Pixits.ttcn3

+15 −1

Original line number	Diff line number	Diff line
		@@ -11,6 +11,8 @@ module LibItsSecurity_Pixits {
		import from LibItsSecurity_TypesAndValues all;
		import from LibItsSecurity_Templates all;

		// FIXME Create a configuration structure to unify all PIXITs into one configuration PIXIT record of

		/**
		* @desc Index on the certificate to be used. Default: configuration #0
		*/
		@@ -33,7 +35,7 @@ module LibItsSecurity_Pixits {
		};

		/**
		* @desc Authorization Ticate certificates generated by the PKI Infrastructire tool
		* @desc Authorization Tickate certificates generated by the PKI Infrastructire tool
		*/
		modulepar CertificateChain PX_AT_CERTIFICATES := {
		{
		@@ -94,4 +96,16 @@ module LibItsSecurity_Pixits {
		// TODO Add additional configurations
		}; // End of pixit PX_AT_CERTIFICATES

		/**
		* @desc 3D location associated to each configuration
		*/
		modulepar ThreeDLocations PX_THREED_LOCATIONS := {
		{
		latitude := 12345,
		longitude := 12345,
		elevation := '020E'O
		} // End of Config #0
		// TODO Add additional configurations
		};

		} // End of module LibItsSecurity_Pixits
		No newline at end of file

ttcn/Security/LibItsSecurity_Templates.ttcn3

+27 −0

Original line number	Diff line number	Diff line
		@@ -14,6 +14,7 @@ module LibItsSecurity_Templates {

		// LibItsSecurity
		import from LibItsSecurity_TypesAndValues all;
		import from LibItsSecurity_Pixits all;

		/**
		* @desc Constants declaration
		@@ -1893,6 +1894,32 @@ module LibItsSecurity_Templates {

		} // End of group securityProfiles

		group taPrimitives {

		/**
		* @desc Enable security support
		*/
		template (value) AcEnableSecurity m_enableSecurity(
		in octetstring p_toBeSignedDataTemplate
		) := {
		signingPrivateKey := PX_PRIVATE_SIGNING_KEYS[PX_CERTIFICATE_CONFIG_IDX],
		signingPublicKeyX := PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[0].attribute.key.public_key.eccPoint.x,
		signingPublicKeyY := PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[0].attribute.key.public_key.eccPoint.y.y,
		encryptPrivateKey := PC_PRIVATE_ENCRYPTION_KEYS[PX_CERTIFICATE_CONFIG_IDX],
		encryptPublicKeyX := PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[1].attribute.key.public_key.aesCcm.eccPoint.x,
		encryptPublicKeyY := PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[1].attribute.key.public_key.aesCcm.eccPoint.y.y,
		toBeSignedDataTemplate := p_toBeSignedDataTemplate
		} // End of template m_enableSecurity

		/**
		* @desc Disable security support
		*/
		template (value) AcDisableSecurity m_disableSecurity := {
		disable := true
		} // End of template m_disableSecurity

		} // End of group taPrimitives

		group utPrimitives {

		} // End of group utPrimitives

ttcn/Security/LibItsSecurity_TypesAndValues.ttcn3

+22 −8

Original line number	Diff line number	Diff line
		@@ -302,6 +302,8 @@ module LibItsSecurity_TypesAndValues {
		Oct2 elevation // Due to physical meaning, it cannot be Oct0to2
		} // End of type ThreeDLocation

		type record of ThreeDLocation ThreeDLocations; // FIXME To be removed after creation of the configuration structure to unify all PIXITs into one configuration PIXIT record of

		/**
		* @desc Defines geographic regions used to limit the validity of certificates
		* @member region_type Region type
		@@ -750,17 +752,29 @@ module LibItsSecurity_TypesAndValues {

		} // End of group certificateSpecification

		group acPrimitives {
		group taPrimitives {

		type union AcGnSecurityPrimitive {
		octetstring null_ // TODO To be refined
		} // End of type AcGnSecurityPrimitive
		/**
		* @desc Primitive used to activate security support
		*/
		type record AcEnableSecurity {
		Oct32 signingPrivateKey,
		Oct32 signingPublicKeyX,
		Oct32 signingPublicKeyY,
		Oct32 encryptPrivateKey,
		Oct32 encryptPublicKeyX,
		Oct32 encryptPublicKeyY,
		octetstring toBeSignedDataTemplate
		} // End of type AcEnableSecurity

		type union AcGnSecurityResponse {
		octetstring null_ // TODO To be refined
		} // End of type AcGnSecurityResponse
		/**
		* @desc Primitive used to deactiate security support
		*/
		type record AcDisableSecurity {
		boolean disable
		} // End of type AcDisableSecurity

		} // End of group acPrimitives
		} // End of group taPrimitives

		group utPrimitives {