Loading ttcn/Security/LibItsSecurity_Functions.ttcn3 +111 −81 Original line number Diff line number Diff line Loading @@ -31,13 +31,13 @@ module LibItsSecurity_Functions { /** * @desc Produces a Elliptic Curve Digital Signature Algorithm (ECDSA) signaturee * @param p_ToBeSignedSecuredMessage The data to be signed * @param p_toBeSignedSecuredMessage The data to be signed * @return The signature value */ function f_signWithEcdsaNistp256WithSha256(in Oct32 p_ToBeSignedSecuredMessage) return octetstring { function f_signWithEcdsaNistp256WithSha256(in Oct32 p_toBeSignedSecuredMessage) return octetstring { return fx_signWithEcdsaNistp256WithSha256( p_ToBeSignedSecuredMessage, PX_PRIVATE_SIGNING_KEYS[PX_CERTIFICATE_CONFIG_IDX] p_toBeSignedSecuredMessage, PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].signingPrivateKey ); } // End of function f_signWithEcdsaNistp256WithSha256 Loading Loading @@ -80,19 +80,20 @@ module LibItsSecurity_Functions { function f_buildSecuredMessagePayloadToBeSigned() return ToBeSignedSecuredMessage { // Local variables var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Build the beacon template v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(oct2int('BBBBBBBB'O)), // To be replaced by TA with current time m_header_field_generation_location( PX_THREED_LOCATIONS[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].location ) }, // End of field HeaderFields { Loading @@ -103,7 +104,7 @@ module LibItsSecurity_Functions { e_signature ); return v_ToBeSignedSecuredMessage; return v_toBeSignedSecuredMessage; } /** Loading @@ -111,7 +112,7 @@ module LibItsSecurity_Functions { * @param p_securedMessage The signed SecureMessage part * @param p_unsecuredPayload The unsigned payload (e.g. a beacon) * @param p_threeDLocation The ThreeDLocation value * @param p_headerFileds Additional HeaderFields * @param p_headerFields Additional HeaderFields * @return true on success, false otherwise * @verdict Unchanged */ Loading @@ -119,20 +120,21 @@ module LibItsSecurity_Functions { out template (value) SecuredMessage p_securedMessage, in octetstring p_unsecuredPayload, in ThreeDLocation p_threeDLocation, in template (omit) HeaderFields p_headerFileds := omit in template (omit) HeaderFields p_headerFields := omit ) return boolean { // Local variables var octetstring v_secPayload, v_signature; var Oct32 v_hash; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(f_getCurrentTime()), Loading @@ -148,8 +150,18 @@ module LibItsSecurity_Functions { }, // End of field HeaderFields e_signature ); // Add additional header fields if any if (ispresent(p_headerFields) == true) { var integer v_addItemIndex := lengthof(v_toBeSignedSecuredMessage.header_fields); var integer v_counter; v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); for (v_counter := 0; v_counter < lengthof(p_headerFields); v_counter := v_counter + 1) { v_toBeSignedSecuredMessage.header_fields[v_addItemIndex] := p_headerFields[v_counter]; v_addItemIndex := v_addItemIndex + 1; } // End of 'for' statement } v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := f_hashWithSha256(v_secPayload); Loading @@ -160,8 +172,8 @@ module LibItsSecurity_Functions { ); p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages v_ToBeSignedSecuredMessage.header_fields, v_ToBeSignedSecuredMessage.payload_fields, v_toBeSignedSecuredMessage.header_fields, v_toBeSignedSecuredMessage.payload_fields, { m_trailer_field_signature( m_signature( Loading @@ -184,7 +196,7 @@ module LibItsSecurity_Functions { * @param p_securedMessage The signed SecureMessage part * @param p_unsecuredPayload The unsigned payload (e.g. a beacon) * @param p_threeDLocation The ThreeDLocation value * @param p_headerFileds Additional HeaderFields * @param p_headerFields Additional HeaderFields * @return true on success, false otherwise * @verdict Unchanged */ Loading @@ -192,20 +204,21 @@ module LibItsSecurity_Functions { out template (value) SecuredMessage p_securedMessage, in octetstring p_unsecuredPayload, in ThreeDLocation p_threeDLocation, in template (omit) HeaderFields p_headerFileds := omit in template (omit) HeaderFields p_headerFields := omit ) return boolean { // Local variables var octetstring v_secPayload, v_signature; var Oct32 v_hash; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(f_getCurrentTime()), Loading @@ -221,8 +234,18 @@ module LibItsSecurity_Functions { }, // End of field HeaderFields e_signature ); // Add additional header fields if any if (ispresent(p_headerFields) == true) { var integer v_addItemIndex := lengthof(v_toBeSignedSecuredMessage.header_fields); var integer v_counter; v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); for (v_counter := 0; v_counter < lengthof(p_headerFields); v_counter := v_counter + 1) { v_toBeSignedSecuredMessage.header_fields[v_addItemIndex] := p_headerFields[v_counter]; v_addItemIndex := v_addItemIndex + 1; } // End of 'for' statement } v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := f_hashWithSha256(v_secPayload); Loading @@ -233,8 +256,8 @@ module LibItsSecurity_Functions { ); p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages v_ToBeSignedSecuredMessage.header_fields, v_ToBeSignedSecuredMessage.payload_fields, v_toBeSignedSecuredMessage.header_fields, v_toBeSignedSecuredMessage.payload_fields, { m_trailer_field_signature( m_signature( Loading @@ -257,7 +280,7 @@ module LibItsSecurity_Functions { * @param p_securedMessage The signed SecureMessage part * @param p_unsecuredPayload The unsigned payload (e.g. a beacon) * @param p_threeDLocation The ThreeDLocation value * @param p_headerFileds Additional HeaderFields * @param p_headerFields Additional HeaderFields * @return true on success, false otherwise * @verdict Unchanged */ Loading @@ -265,20 +288,21 @@ module LibItsSecurity_Functions { out template (value) SecuredMessage p_securedMessage, in octetstring p_unsecuredPayload, in ThreeDLocation p_threeDLocation, in template (omit) HeaderFields p_headerFileds := omit in template (omit) HeaderFields p_headerFields := omit ) return boolean { // Local variables var octetstring v_secPayload, v_signature; var Oct32 v_hash; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(f_getCurrentTime()), Loading @@ -293,8 +317,19 @@ module LibItsSecurity_Functions { }, // End of field HeaderFields e_signature ); // Add additional header fields if any if (ispresent(p_headerFields) == true) { var integer v_addItemIndex := lengthof(v_toBeSignedSecuredMessage.header_fields); var integer v_counter; v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); for (v_counter := 0; v_counter < lengthof(p_headerFields); v_counter := v_counter + 1) { v_toBeSignedSecuredMessage.header_fields[v_addItemIndex] := p_headerFields[v_counter]; v_addItemIndex := v_addItemIndex + 1; } // End of 'for' statement } log("v_toBeSignedSecuredMessage= ", v_toBeSignedSecuredMessage); v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := f_hashWithSha256(v_secPayload); Loading @@ -305,8 +340,8 @@ module LibItsSecurity_Functions { ); p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages v_ToBeSignedSecuredMessage.header_fields, v_ToBeSignedSecuredMessage.payload_fields, v_toBeSignedSecuredMessage.header_fields, v_toBeSignedSecuredMessage.payload_fields, { m_trailer_field_signature( m_signature( Loading @@ -324,55 +359,48 @@ module LibItsSecurity_Functions { return true; } // End of function f_buildGnSecuredOtherMessage } // End of group hostSignatureHelpers group deviceSignatureHelpers { /** * * @desc Verify the signature of the provided secured message * @param p_securedMessage * @param p_aaCertifcate Enrolment Credential certificate * @param p_atCertificate Authorization Ticket certificate * @return true on success, false otherwise * @verdict */ function f_verifyGnSecuredOtherMessage( // TODO For debug purpose only, to be removed in template (value) SecuredMessage p_securedMessage function f_verifyCertificateSignatureWithIssuingCertificate( in template (value) Certificate p_aaCertifcate, in template (value) Certificate p_atCertificate ) return boolean { // Local variables var octetstring v_secPayload; var octetstring v_signedData; var Oct32 v_hash; var integer v_counter; var boolean v_result := false; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedCertificate v_toBeSignedCertificate; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( p_securedMessage.header_fields, p_securedMessage.payload_fields, e_signature ); // Create Certificate payload to be signed v_toBeSignedCertificate := m_toBeSignedCertificate(p_atCertificate); v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); v_secPayload := bit2oct(encvalue(v_toBeSignedCertificate)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := fx_hashWithSha256(v_secPayload); // Verify payload for (v_counter := 0; v_counter < lengthof(p_securedMessage.trailer_fields); v_counter := v_counter + 1) { if ( (p_securedMessage.trailer_fields[v_counter].type_ == e_signature) and (p_securedMessage.trailer_fields[v_counter].trailerField.signature_.algorithm == e_ecdsa_nistp256_with_sha256) ) { v_signedData := '0000'O & p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.r.x & p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.s; p_atCertificate.signature_.signature_.ecdsa_signature.r.x & p_atCertificate.signature_.signature_.ecdsa_signature.s; v_result := f_verifyWithEcdsaNistp256WithSha256( v_hash, v_signedData, PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[0].attribute.key.public_key.eccPoint.x, PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[0].attribute.key.public_key.eccPoint.y.y p_aaCertifcate.subject_attributes[0].attribute.key.public_key.eccPoint.x, p_aaCertifcate.subject_attributes[0].attribute.key.public_key.eccPoint.y.y ); } } // End of 'for' statement return v_result; } // End of function f_verifyGnSecuredOtherMessage Loading Loading @@ -413,14 +441,15 @@ module LibItsSecurity_Functions { /** * @desc Verify the signature of the provided secured message * @param p_securedMessage * @param p_securedMessage The message to be verified * @param p_publicKey The ECDSA public key to verify a signature * @param p_certificate Certificate to be used to verify the message * @return true on success, false otherwise * @verdict */ function f_verifyGnSecuredMessageWithPublicKey( function f_verifyCertificateSignatureWithPublicKey( in template (value) SecuredMessage p_securedMessage, in template (value) PublicKey p_key in template (value) PublicKey p_publicKey ) return boolean { // Local variables Loading @@ -429,16 +458,17 @@ module LibItsSecurity_Functions { var Oct32 v_hash; var integer v_counter; var boolean v_result := false; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( p_securedMessage.security_profile, p_securedMessage.header_fields, p_securedMessage.payload_fields, e_signature ); v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := fx_hashWithSha256(v_secPayload); Loading @@ -456,14 +486,14 @@ module LibItsSecurity_Functions { v_result := f_verifyWithEcdsaNistp256WithSha256( v_hash, v_signedData, p_key.public_key.eccPoint.x, p_key.public_key.eccPoint.y.y p_publicKey.public_key.eccPoint.x, p_publicKey.public_key.eccPoint.y.y ); } } // End of 'for' statement return v_result; } // End of function f_verifyGnSecuredOtherMessageWithPublicKey } // End of function f_verifyCertificateSignatureWithPublicKey /** * @desc Verify the signature of the provided secured message Loading Loading @@ -576,11 +606,11 @@ module LibItsSecurity_Functions { /** * @desc Produces a Elliptic Curve Digital Signature Algorithm (ECDSA) signaturee * @param p_ToBeSignedSecuredMessage The data to be signed * @param p_toBeSignedSecuredMessage The data to be signed * @param p_privateKey The private key * @return The signature value */ external function fx_signWithEcdsaNistp256WithSha256(in octetstring p_ToBeSignedSecuredMessage, in octetstring/*UInt64*/ p_privateKey) return octetstring; external function fx_signWithEcdsaNistp256WithSha256(in octetstring p_toBeSignedSecuredMessage, in octetstring/*UInt64*/ p_privateKey) return octetstring; /** * @desc Verify the signature of the specified data Loading Loading
ttcn/Security/LibItsSecurity_Functions.ttcn3 +111 −81 Original line number Diff line number Diff line Loading @@ -31,13 +31,13 @@ module LibItsSecurity_Functions { /** * @desc Produces a Elliptic Curve Digital Signature Algorithm (ECDSA) signaturee * @param p_ToBeSignedSecuredMessage The data to be signed * @param p_toBeSignedSecuredMessage The data to be signed * @return The signature value */ function f_signWithEcdsaNistp256WithSha256(in Oct32 p_ToBeSignedSecuredMessage) return octetstring { function f_signWithEcdsaNistp256WithSha256(in Oct32 p_toBeSignedSecuredMessage) return octetstring { return fx_signWithEcdsaNistp256WithSha256( p_ToBeSignedSecuredMessage, PX_PRIVATE_SIGNING_KEYS[PX_CERTIFICATE_CONFIG_IDX] p_toBeSignedSecuredMessage, PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].signingPrivateKey ); } // End of function f_signWithEcdsaNistp256WithSha256 Loading Loading @@ -80,19 +80,20 @@ module LibItsSecurity_Functions { function f_buildSecuredMessagePayloadToBeSigned() return ToBeSignedSecuredMessage { // Local variables var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Build the beacon template v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(oct2int('BBBBBBBB'O)), // To be replaced by TA with current time m_header_field_generation_location( PX_THREED_LOCATIONS[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].location ) }, // End of field HeaderFields { Loading @@ -103,7 +104,7 @@ module LibItsSecurity_Functions { e_signature ); return v_ToBeSignedSecuredMessage; return v_toBeSignedSecuredMessage; } /** Loading @@ -111,7 +112,7 @@ module LibItsSecurity_Functions { * @param p_securedMessage The signed SecureMessage part * @param p_unsecuredPayload The unsigned payload (e.g. a beacon) * @param p_threeDLocation The ThreeDLocation value * @param p_headerFileds Additional HeaderFields * @param p_headerFields Additional HeaderFields * @return true on success, false otherwise * @verdict Unchanged */ Loading @@ -119,20 +120,21 @@ module LibItsSecurity_Functions { out template (value) SecuredMessage p_securedMessage, in octetstring p_unsecuredPayload, in ThreeDLocation p_threeDLocation, in template (omit) HeaderFields p_headerFileds := omit in template (omit) HeaderFields p_headerFields := omit ) return boolean { // Local variables var octetstring v_secPayload, v_signature; var Oct32 v_hash; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(f_getCurrentTime()), Loading @@ -148,8 +150,18 @@ module LibItsSecurity_Functions { }, // End of field HeaderFields e_signature ); // Add additional header fields if any if (ispresent(p_headerFields) == true) { var integer v_addItemIndex := lengthof(v_toBeSignedSecuredMessage.header_fields); var integer v_counter; v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); for (v_counter := 0; v_counter < lengthof(p_headerFields); v_counter := v_counter + 1) { v_toBeSignedSecuredMessage.header_fields[v_addItemIndex] := p_headerFields[v_counter]; v_addItemIndex := v_addItemIndex + 1; } // End of 'for' statement } v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := f_hashWithSha256(v_secPayload); Loading @@ -160,8 +172,8 @@ module LibItsSecurity_Functions { ); p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages v_ToBeSignedSecuredMessage.header_fields, v_ToBeSignedSecuredMessage.payload_fields, v_toBeSignedSecuredMessage.header_fields, v_toBeSignedSecuredMessage.payload_fields, { m_trailer_field_signature( m_signature( Loading @@ -184,7 +196,7 @@ module LibItsSecurity_Functions { * @param p_securedMessage The signed SecureMessage part * @param p_unsecuredPayload The unsigned payload (e.g. a beacon) * @param p_threeDLocation The ThreeDLocation value * @param p_headerFileds Additional HeaderFields * @param p_headerFields Additional HeaderFields * @return true on success, false otherwise * @verdict Unchanged */ Loading @@ -192,20 +204,21 @@ module LibItsSecurity_Functions { out template (value) SecuredMessage p_securedMessage, in octetstring p_unsecuredPayload, in ThreeDLocation p_threeDLocation, in template (omit) HeaderFields p_headerFileds := omit in template (omit) HeaderFields p_headerFields := omit ) return boolean { // Local variables var octetstring v_secPayload, v_signature; var Oct32 v_hash; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(f_getCurrentTime()), Loading @@ -221,8 +234,18 @@ module LibItsSecurity_Functions { }, // End of field HeaderFields e_signature ); // Add additional header fields if any if (ispresent(p_headerFields) == true) { var integer v_addItemIndex := lengthof(v_toBeSignedSecuredMessage.header_fields); var integer v_counter; v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); for (v_counter := 0; v_counter < lengthof(p_headerFields); v_counter := v_counter + 1) { v_toBeSignedSecuredMessage.header_fields[v_addItemIndex] := p_headerFields[v_counter]; v_addItemIndex := v_addItemIndex + 1; } // End of 'for' statement } v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := f_hashWithSha256(v_secPayload); Loading @@ -233,8 +256,8 @@ module LibItsSecurity_Functions { ); p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages v_ToBeSignedSecuredMessage.header_fields, v_ToBeSignedSecuredMessage.payload_fields, v_toBeSignedSecuredMessage.header_fields, v_toBeSignedSecuredMessage.payload_fields, { m_trailer_field_signature( m_signature( Loading @@ -257,7 +280,7 @@ module LibItsSecurity_Functions { * @param p_securedMessage The signed SecureMessage part * @param p_unsecuredPayload The unsigned payload (e.g. a beacon) * @param p_threeDLocation The ThreeDLocation value * @param p_headerFileds Additional HeaderFields * @param p_headerFields Additional HeaderFields * @return true on success, false otherwise * @verdict Unchanged */ Loading @@ -265,20 +288,21 @@ module LibItsSecurity_Functions { out template (value) SecuredMessage p_securedMessage, in octetstring p_unsecuredPayload, in ThreeDLocation p_threeDLocation, in template (omit) HeaderFields p_headerFileds := omit in template (omit) HeaderFields p_headerFields := omit ) return boolean { // Local variables var octetstring v_secPayload, v_signature; var Oct32 v_hash; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( c_security_profileOthers, { // Field HeaderFields m_header_field_signer_info( m_signerInfo_certificate( PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX] PX_TA_CONFIGS[PX_CERTIFICATE_CONFIG_IDX].atCertificate ) // End of template m_signerInfo_certificate ), // End of template m_header_field_signer_info m_header_field_generation_time(f_getCurrentTime()), Loading @@ -293,8 +317,19 @@ module LibItsSecurity_Functions { }, // End of field HeaderFields e_signature ); // Add additional header fields if any if (ispresent(p_headerFields) == true) { var integer v_addItemIndex := lengthof(v_toBeSignedSecuredMessage.header_fields); var integer v_counter; v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); for (v_counter := 0; v_counter < lengthof(p_headerFields); v_counter := v_counter + 1) { v_toBeSignedSecuredMessage.header_fields[v_addItemIndex] := p_headerFields[v_counter]; v_addItemIndex := v_addItemIndex + 1; } // End of 'for' statement } log("v_toBeSignedSecuredMessage= ", v_toBeSignedSecuredMessage); v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := f_hashWithSha256(v_secPayload); Loading @@ -305,8 +340,8 @@ module LibItsSecurity_Functions { ); p_securedMessage := m_securedMessage_profileOther( // See Clause 7.3 Generic security profile for other signed messages v_ToBeSignedSecuredMessage.header_fields, v_ToBeSignedSecuredMessage.payload_fields, v_toBeSignedSecuredMessage.header_fields, v_toBeSignedSecuredMessage.payload_fields, { m_trailer_field_signature( m_signature( Loading @@ -324,55 +359,48 @@ module LibItsSecurity_Functions { return true; } // End of function f_buildGnSecuredOtherMessage } // End of group hostSignatureHelpers group deviceSignatureHelpers { /** * * @desc Verify the signature of the provided secured message * @param p_securedMessage * @param p_aaCertifcate Enrolment Credential certificate * @param p_atCertificate Authorization Ticket certificate * @return true on success, false otherwise * @verdict */ function f_verifyGnSecuredOtherMessage( // TODO For debug purpose only, to be removed in template (value) SecuredMessage p_securedMessage function f_verifyCertificateSignatureWithIssuingCertificate( in template (value) Certificate p_aaCertifcate, in template (value) Certificate p_atCertificate ) return boolean { // Local variables var octetstring v_secPayload; var octetstring v_signedData; var Oct32 v_hash; var integer v_counter; var boolean v_result := false; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedCertificate v_toBeSignedCertificate; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( p_securedMessage.header_fields, p_securedMessage.payload_fields, e_signature ); // Create Certificate payload to be signed v_toBeSignedCertificate := m_toBeSignedCertificate(p_atCertificate); v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); v_secPayload := bit2oct(encvalue(v_toBeSignedCertificate)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := fx_hashWithSha256(v_secPayload); // Verify payload for (v_counter := 0; v_counter < lengthof(p_securedMessage.trailer_fields); v_counter := v_counter + 1) { if ( (p_securedMessage.trailer_fields[v_counter].type_ == e_signature) and (p_securedMessage.trailer_fields[v_counter].trailerField.signature_.algorithm == e_ecdsa_nistp256_with_sha256) ) { v_signedData := '0000'O & p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.r.x & p_securedMessage.trailer_fields[v_counter].trailerField.signature_.signature_.ecdsa_signature.s; p_atCertificate.signature_.signature_.ecdsa_signature.r.x & p_atCertificate.signature_.signature_.ecdsa_signature.s; v_result := f_verifyWithEcdsaNistp256WithSha256( v_hash, v_signedData, PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[0].attribute.key.public_key.eccPoint.x, PX_AT_CERTIFICATES[PX_CERTIFICATE_CONFIG_IDX].subject_attributes[0].attribute.key.public_key.eccPoint.y.y p_aaCertifcate.subject_attributes[0].attribute.key.public_key.eccPoint.x, p_aaCertifcate.subject_attributes[0].attribute.key.public_key.eccPoint.y.y ); } } // End of 'for' statement return v_result; } // End of function f_verifyGnSecuredOtherMessage Loading Loading @@ -413,14 +441,15 @@ module LibItsSecurity_Functions { /** * @desc Verify the signature of the provided secured message * @param p_securedMessage * @param p_securedMessage The message to be verified * @param p_publicKey The ECDSA public key to verify a signature * @param p_certificate Certificate to be used to verify the message * @return true on success, false otherwise * @verdict */ function f_verifyGnSecuredMessageWithPublicKey( function f_verifyCertificateSignatureWithPublicKey( in template (value) SecuredMessage p_securedMessage, in template (value) PublicKey p_key in template (value) PublicKey p_publicKey ) return boolean { // Local variables Loading @@ -429,16 +458,17 @@ module LibItsSecurity_Functions { var Oct32 v_hash; var integer v_counter; var boolean v_result := false; var template (value) ToBeSignedSecuredMessage v_ToBeSignedSecuredMessage; var template (value) ToBeSignedSecuredMessage v_toBeSignedSecuredMessage; // Create SecuredMessage payload to be signed v_ToBeSignedSecuredMessage := m_ToBeSignedSecuredMessage_profileOther( v_toBeSignedSecuredMessage := m_toBeSignedSecuredMessage( p_securedMessage.security_profile, p_securedMessage.header_fields, p_securedMessage.payload_fields, e_signature ); v_secPayload := bit2oct(encvalue(v_ToBeSignedSecuredMessage)); v_secPayload := bit2oct(encvalue(v_toBeSignedSecuredMessage)); // Calculate the hash of the SecuredMessage payload to be signed v_hash := fx_hashWithSha256(v_secPayload); Loading @@ -456,14 +486,14 @@ module LibItsSecurity_Functions { v_result := f_verifyWithEcdsaNistp256WithSha256( v_hash, v_signedData, p_key.public_key.eccPoint.x, p_key.public_key.eccPoint.y.y p_publicKey.public_key.eccPoint.x, p_publicKey.public_key.eccPoint.y.y ); } } // End of 'for' statement return v_result; } // End of function f_verifyGnSecuredOtherMessageWithPublicKey } // End of function f_verifyCertificateSignatureWithPublicKey /** * @desc Verify the signature of the provided secured message Loading Loading @@ -576,11 +606,11 @@ module LibItsSecurity_Functions { /** * @desc Produces a Elliptic Curve Digital Signature Algorithm (ECDSA) signaturee * @param p_ToBeSignedSecuredMessage The data to be signed * @param p_toBeSignedSecuredMessage The data to be signed * @param p_privateKey The private key * @return The signature value */ external function fx_signWithEcdsaNistp256WithSha256(in octetstring p_ToBeSignedSecuredMessage, in octetstring/*UInt64*/ p_privateKey) return octetstring; external function fx_signWithEcdsaNistp256WithSha256(in octetstring p_toBeSignedSecuredMessage, in octetstring/*UInt64*/ p_privateKey) return octetstring; /** * @desc Verify the signature of the specified data Loading
