Commit 6e0111d0 authored by YannGarcia's avatar YannGarcia

Add TC_RCA_CTLGEN_01_BV

parent 9ee2927d
......@@ -18,7 +18,8 @@ module LibItsHttp_Pics {
/**
* @desc
*/
modulepar charstring PICS_HEADER_CONTENT_TYPE := "application/x-its-request";
modulepar charstring PICS_HEADER_CONTENT_TYPE := "application/x-its-request";
modulepar charstring PICS_HEADER_CTL_CONTENT_TYPE := "application/x-its-crl";
/**
* @desc Set to false in TOKEN header shall not be used
......
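Review bot: The new module parameter `PICS_HEADER_CTL_CONTENT_TYPE` is named for the CTL but defaults to `"application/x-its-crl"`, so either the name or the value looks wrong. If it is meant for the trust-list download this commit adds, the default should be the CTL media type; if it is meant for CRLs, a name such as `PICS_HEADER_CRL_CONTENT_TYPE` would match the value. It is also added without a `@desc` block of its own; a line such as `* @desc Content-Type header value expected on CTL responses` above it would tell whoever fills in the PICS what to put there.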
......@@ -26,6 +26,7 @@ module LibItsPki_Functions {
import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all;
import from EtsiTs102941MessagesCa language "ASN.1:1997" all;
import from EtsiTs102941TrustLists language "ASN.1:1997" all;
import from EtsiTs103097Module language "ASN.1:1997" all;
import from ITS_Container language "ASN.1:1997" all;
import from CAM_PDU_Descriptions language "ASN.1:1997" all;
......@@ -107,7 +108,7 @@ module LibItsPki_Functions {
}
f_connect4SelfOrClientSync();
f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed???
f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id);
// Setup EA certificate shared with PKI EA entity
f_readCertificate(p_ea_certificate_id, vc_eaCertificate);
......@@ -144,6 +145,27 @@ module LibItsPki_Functions {
}
} // End of function f_cfHttpUp
/**
* @desc Setups default configuration
*/
function f_cfHttpUp_ca() runs on ItsPkiHttp /* TITAN TODO: system ItsPkiHttpSystem */ {
if (PICS_MULTIPLE_END_POINT == false) {
map(self:httpPort, system:httpPort);
} else {
map(self:httpCaPort, system:httpCaPort);
}
f_connect4SelfOrClientSync();
f_initialiseSecuredMode();
if (PICS_MULTIPLE_END_POINT == false) {
activate(a_default_pki_http());
} else {
activate(a_default_pki_http_ca());
}
} // End of function f_cfHttpUp_ca
/**
* @desc Setups default configuration
* @param p_certificate_id The certificate identifier the TA shall use in case of secured IUT
......@@ -292,6 +314,19 @@ module LibItsPki_Functions {
f_uninitialiseSecuredMode();
} // End of function f_cfHttpDown
/**
* @desc Deletes default configuration
*/
function f_cfHttpDown_ca() runs on ItsPkiHttp /* TITAN TODO: system ItsPkiHttpSystem */ {
if (PICS_MULTIPLE_END_POINT == false) {
unmap(self:httpPort, system:httpPort);
} else {
unmap(self:httpCaPort, system:httpCaPort);
}
f_disconnect4SelfOrClientSync();
f_uninitialiseSecuredMode();
} // End of function f_cfHttpDown_ca
/**
* @desc Deletes default configuration
*/
......@@ -636,6 +671,15 @@ module LibItsPki_Functions {
p_http_message.response.header := p_headers;
}
httpAtPort.send(p_http_message);
} else if (v_content_text == { "ca_request" }) {
log("f_http_send: Send on CA end point");
f_set_headers_list({ c_header_host }, { PICS_HEADER_HOST_CA }, p_headers);
if (ischosen(p_http_message.request)) {
p_http_message.request.header := p_headers;
} else {
p_http_message.response.header := p_headers;
}
httpCaPort.send(p_http_message);
} else {
log("f_http_send: Invalid header value: ", v_content_text);
}
......@@ -2863,6 +2907,116 @@ module LibItsPki_Functions {
} // End of group authorization_validation_xxx
group rca {
function f_verify_rca_response_message(
in Ieee1609Dot2Data p_ieee1609dot2_signed_data,
in boolean p_check_security := true,
out ToBeSignedRcaCtl p_to_be_signed_rca_ctl
) return boolean {
var bitstring v_etsi_ts_102941_data_msg;
var bitstring v_tbs;
var Certificate v_certificate;
var charstring v_certificate_id;
var Oct32 v_issuer;
var EtsiTs102941Data v_etsi_ts_102941_data;
log(">>> f_verify_rca_response_message: p_ieee1609dot2_signed_data= ", p_ieee1609dot2_signed_data);
// 1. Verify signature
log("f_verify_rca_response_message: p_ieee1609dot2_signed_data.content.signedData.tbsData= ", p_ieee1609dot2_signed_data.content.signedData.tbsData);
v_tbs := encvalue(p_ieee1609dot2_signed_data.content.signedData.tbsData);
if (f_getCertificateFromDigest(p_ieee1609dot2_signed_data.content.signedData.signer.digest, v_certificate, v_certificate_id) == false) {
if (p_check_security == true) {
return false;
}
}
f_getCertificateHash256(v_certificate_id, v_issuer);
if (f_verifyEcdsa(bit2oct(v_tbs), v_issuer, p_ieee1609dot2_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
if (p_check_security == true) {
return false;
}
}
v_etsi_ts_102941_data_msg := oct2bit(p_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData);
if (decvalue(v_etsi_ts_102941_data_msg, v_etsi_ts_102941_data) != 0) {
log("f_verify_rca_response_message: Failed to decode EtsiTs102941Data");
return false;
} else {
log("f_verify_rca_response_message: v_etsi_ts_102941_data= ", v_etsi_ts_102941_data);
log("f_verify_pki_response_message: RcaCertificateTrustListMessage matching= ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_to_be_signed_rca_ctl));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_to_be_signed_rca_ctl) == false) {
log("f_verify_rca_response_message: Failed to decode certificateTrustListRca");
return false;
} else {
p_to_be_signed_rca_ctl := v_etsi_ts_102941_data.content.certificateTrustListRca;
log("f_verify_rca_response_message: p_to_be_signed_rca_ctl= ", p_to_be_signed_rca_ctl);
}
}
return true;
}
function f_verify_full_ctl(
in ToBeSignedRcaCtl p_to_be_signed_rca_ctl
) return boolean {
log(">>> f_verify_full_ctl: p_to_be_signed_rca_ctl= ", p_to_be_signed_rca_ctl);
// 1. Check mandatory fields
log("f_verify_full_ctl matching= ", match(p_to_be_signed_rca_ctl, mw_to_be_signed_rca_full_ctl));
if (match(p_to_be_signed_rca_ctl, mw_to_be_signed_rca_full_ctl) == false) {
return false;
}
log("f_verify_full_ctl: ctlCommands length: ", lengthof(p_to_be_signed_rca_ctl.ctlCommands));
for (var integer v_i := 0; v_i < lengthof(p_to_be_signed_rca_ctl.ctlCommands); v_i := v_i + 1) {
var CtlCommand v_ctl_command := p_to_be_signed_rca_ctl.ctlCommands[v_i];
if (ischosen(v_ctl_command.delete)) {
log("f_verify_full_ctl: ctlCommands shall not contains 'delete' variant");
return false;
} else {
if (f_verify_ctl_entry(v_ctl_command.add) == false) {
log("f_verify_full_ctl: ctlCommands contains inavlid entries");
return false;
}
}
} // End of 'for' statements
return true;
}
function f_verify_ctl_entry(
in CtlEntry p_ctl_entry
) return boolean {
if (ischosen(p_ctl_entry.rca)) {
if (match(p_ctl_entry.rca, mw_root_ca_entry(mw_etsiTs103097Certificate)) == false) {
return false;
}
} else if (ischosen(p_ctl_entry.ea)) {
if (match(p_ctl_entry.ea, mw_ea_entry(mw_etsiTs103097Certificate)) == false) {
return false;
}
} else if (ischosen(p_ctl_entry.aa)) {
if (match(p_ctl_entry.aa, mw_aa_entry(mw_etsiTs103097Certificate)) == false) {
return false;
}
} else if (ischosen(p_ctl_entry.dc)) {
if (match(p_ctl_entry.dc, mw_dc_entry) == false) {
return false;
}
} else if (ischosen(p_ctl_entry.tlm)) {
if (match(p_ctl_entry.tlm, mw_tlm_entry(mw_etsiTs103097Certificate)) == false) {
return false;
}
} else {
return false;
}
return true;
}
} // End of group rca
group awaiting_messages {
function f_await_http_inner_ec_request_response(
......@@ -3568,6 +3722,7 @@ module LibItsPki_Functions {
var octetstring v_msg;
var Ieee1609Dot2Data v_ieee1609dot2_signed_data;
var Certificate v_certificate;
var charstring v_certificate_id;
log(">>> f_verify_pki_request_message: p_private_enc_key= ", p_private_enc_key);
log(">>> f_verify_pki_request_message: p_salt= ", p_salt);
......@@ -3641,7 +3796,7 @@ module LibItsPki_Functions {
}
//return false;
} else {
if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) {
if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate, v_certificate_id) == false) {
if (p_check_security == true) {
return false;
}
......@@ -3702,6 +3857,7 @@ module LibItsPki_Functions {
var octetstring v_plain_message;
var Ieee1609Dot2Data v_ieee1609dot2_signed_data;
var Certificate v_certificate;
var charstring v_certificate_id;
var bitstring v_etsi_ts_102941_data_msg;
var bitstring v_tbs;
var boolean v_ret;
......@@ -3732,7 +3888,7 @@ module LibItsPki_Functions {
// 3. Check the signature
log("f_verify_pki_response_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
v_tbs := encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData);
if (f_getCertificateFromDigest(v_ieee1609dot2_signed_data.content.signedData.signer.digest, v_certificate) == false) {
if (f_getCertificateFromDigest(v_ieee1609dot2_signed_data.content.signedData.signer.digest, v_certificate, v_certificate_id) == false) {
if (p_check_security == true) {
return false;
}
......@@ -4029,6 +4185,37 @@ module LibItsPki_Functions {
}
} // End of altstep a_default_pki_http_at
altstep a_default_pki_http_ca() runs on ItsPkiHttp {
[PICS_MULTIPLE_END_POINT] httpCaPort.receive(
mw_http_response(
mw_http_response_ko
)) {
tc_ac.stop;
log("*** " & testcasename() & ": FAIL: Unexpected message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
[PICS_MULTIPLE_END_POINT] httpCaPort.receive(mw_http_request) {
tc_ac.stop;
log("*** a_default: ERROR: Unexpected HTTP Request received ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
[PICS_MULTIPLE_END_POINT] httpCaPort.receive(mw_http_response) {
tc_ac.stop;
log("*** a_default: ERROR: Unexpected HTTP Response received ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
[PICS_MULTIPLE_END_POINT] httpCaPort.receive {
tc_ac.stop;
log("*** a_default: ERROR: Unexpected HTTP message received ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
[] a_shutdown() {
log("*** a_default: INFO: TEST COMPONENT NOW STOPPING ITSELF! ***");
stop;
}
} // End of altstep a_default_pki_http_ca
altstep a_await_ec_http_request_from_iut(
template HttpMessage p_http_message,
out HttpMessage p_response
......
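Review bot: In `f_verify_rca_response_message`, when `f_getCertificateFromDigest` returns false and `p_check_security` is false, execution falls through to `f_getCertificateHash256(v_certificate_id, v_issuer)` and to `v_certificate.toBeSigned.verifyKeyIndicator.verificationKey`, although neither variable is guaranteed to have been assigned on that path. In relaxed mode this is likely to end in a runtime error on an unbound value rather than the intended "skip the check" behaviour. Running the hash and ECDSA steps only when the lookup succeeded, and logging each failure before returning, keeps both modes well defined and leaves a trace in the log whenever a CTL was accepted without a verified signature. The lookup in the `f_verify_pki_response_message` hunk has the same shape, but what follows it is outside the hunk. Separately, the log call at the template-matching step is still prefixed `f_verify_pki_response_message`.

```ttcn
// … unchanged: declarations, entry log, v_tbs := encvalue(...) …
if (f_getCertificateFromDigest(p_ieee1609dot2_signed_data.content.signedData.signer.digest, v_certificate, v_certificate_id) == false) {
  log("f_verify_rca_response_message: Signer certificate not found, signature not verified");
  if (p_check_security == true) {
    return false;
  }
} else {
  f_getCertificateHash256(v_certificate_id, v_issuer);
  if (f_verifyEcdsa(bit2oct(v_tbs), v_issuer, p_ieee1609dot2_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
    log("f_verify_rca_response_message: Signature verification failed");
    if (p_check_security == true) {
      return false;
    }
  }
}
// … unchanged: payload decoding and match against mw_etsiTs102941Data_to_be_signed_rca_ctl …
```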
......@@ -15,6 +15,11 @@ module LibItsPki_Pics {
*/
modulepar boolean PICS_IUT_AA_ROLE := true;
/**
* @desc Does the IUT act as CA device?
*/
modulepar boolean PICS_IUT_CA_ROLE := true;
/**
* @desc Does the IUT support enrolment?
*/
......@@ -100,6 +105,11 @@ module LibItsPki_Pics {
*/
modulepar charstring PICS_HEADER_HOST_AT := "www.its.at.org";
/**
* @desc End point for the CA
*/
modulepar charstring PICS_HEADER_HOST_CA := "www.its.ca.org";
/**
* @desc Certificate used by the Test System
*/
......@@ -136,6 +146,11 @@ module LibItsPki_Pics {
*/
modulepar charstring PICS_HTTP_POST_URI_ATV := "/authorize_validate";
/**
* @desc HTTP GET URI for Certificate Trusted List
*/
modulepar charstring PICS_HTTP_GET_URI_CTL := "/dc/getctl";
/**
* @desc Factory private key for verification Nist P256
*/
......
......@@ -29,9 +29,11 @@ module LibItsPki_Templates {
import from EtsiTs102941TypesAuthorization language "ASN.1:1997" all;
import from EtsiTs102941TypesAuthorizationValidation language "ASN.1:1997" all;
import from EtsiTs102941MessagesCa language "ASN.1:1997" all;
import from EtsiTs102941TrustLists language "ASN.1:1997" all;
import from EtsiTs103097Module language "ASN.1:1997" all;
// LibItsSecurity
import from LibItsSecurity_TypesAndValues all;
import from LibItsSecurity_Templates all;
// LibItsPki
......@@ -129,6 +131,15 @@ module LibItsPki_Templates {
) modifies mw_etsiTs103097Data_encrypted := {
} // End of template mw_authorizationValidationResponseMessage
template (present) EtsiTs102941Data mw_etsiTs102941Data_to_be_signed_rca_ctl(
template (present) ToBeSignedRcaCtl p_to_be_signed_rca_ctl := ?
) := {
version := PkiProtocolVersion,
content := {
certificateTrustListRca := p_to_be_signed_rca_ctl
}
} // End of template mw_etsiTs102941Data_to_be_signed_rca_ctl
template (value) AuthorizationRequestMessage m_authorizationRequestMessage(
in template (value) EncryptedData p_encryptedData
) modifies m_etsiTs103097Data_encrypted := {
......@@ -518,5 +529,62 @@ module LibItsPki_Templates {
appPermissions := p_appPermissions,
certIssuePermissions := p_certIssuePermissions
} // End of template mw_certificate_subject_attributes
template (present) ToBeSignedRcaCtl mw_to_be_signed_rca_full_ctl := {
version := 1,
nextUpdate := ?,
isFullCtl := true,
ctlSequence := ?,
ctlCommands := ?
} // End of template mw_to_be_signed_rca_ful_ctl
template (present) ToBeSignedRcaCtl mw_to_be_signed_rca_delta_ctl := {
version := 1,
nextUpdate := ?,
isFullCtl := false,
ctlSequence := ?,
ctlCommands := ?
} // End of template mw_to_be_signed_rca_delta_ctl
template (present) TlmEntry mw_tlm_entry(
template (present) EtsiTs103097Certificate p_selfSignedTLMCertificate := ?,
template (present) Url p_accessPoint := ?
) := {
selfSignedTLMCertificate := p_selfSignedTLMCertificate,
linkTLMCertificate := *,
accessPoint := p_accessPoint
} // End of template mw_tlm_entry
template (present) RootCaEntry mw_root_ca_entry(
template (present) EtsiTs103097Certificate p_selfsignedRootCa := ?
) := {
selfsignedRootCa := p_selfsignedRootCa,
linkRootCaCertificate := *
} // End of template mw_root_ca_entry
template (present) EaEntry mw_ea_entry(
template (present) EtsiTs103097Certificate p_eaCertificate := ?,
template (present) Url p_aaAccessPoint := ?
) := {
eaCertificate := p_eaCertificate,
aaAccessPoint := p_aaAccessPoint,
itsAccessPoint := *
} // End of linkRootCaCertificate mw_ea_entry
template (present) AaEntry mw_aa_entry(
template (present) EtsiTs103097Certificate p_aaCertificate := ?,
template (present) Url p_accessPoint := ?
) := {
aaCertificate := p_aaCertificate,
accessPoint := p_accessPoint
} // End of template mw_aa_entry
template (present) DcEntry mw_dc_entry(
template (present) Url p_url := ?,
template (present) HashedId8s p_cert := ?
) := {
url := p_url,
cert := p_cert
} // End of template mw_dc_entry
} // End of module LibItsPki_Templates
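Review bot: `mw_to_be_signed_rca_full_ctl` leaves `nextUpdate` and `ctlSequence` as `?`, so a check built on it (this commit's `f_verify_full_ctl` matches against it) accepts a list regardless of its expiry time. If the test purpose expects a currently valid CTL, that needs an explicit comparison in the function or a parameter on the template. Two closing comments are mislabelled: `// End of template mw_to_be_signed_rca_ful_ctl` should name `mw_to_be_signed_rca_full_ctl`, and `// End of linkRootCaCertificate mw_ea_entry` should read `// End of template mw_ea_entry`. None of the new templates carries a `@desc`/`@param` header; one line each stating which fields are wildcarded (`?`) and which may be omitted (`*`) would be enough.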
......@@ -63,6 +63,7 @@ module LibItsPki_TestSystem {
port HttpPort httpEcPort; /** Enrolment end point */
port HttpPort httpAtVPort; /** Authorization Validation end point */
port HttpPort httpAtPort; /** Authorization end point */
port HttpPort httpCaPort; /** CA CTL/CRL end point */
} // End of component ItsPkiHttpSystem
/**
......@@ -73,6 +74,7 @@ module LibItsPki_TestSystem {
port HttpPort httpEcPort; /** Enrolment end point */
port HttpPort httpAtVPort; /** Authorization Validation end point */
port HttpPort httpAtPort; /** Authorization end point */
port HttpPort httpCaPort; /** CA CTL/CRL end point */
var Certificate vc_eaCertificate; /** Test Adapter EA certificate */
var octetstring vc_eaPrivateKey; /** Test Adapter EA private key for signature */
var octetstring vc_eaPrivateEncKey; /** Test Adapter EA private key for encryption */
......
......@@ -764,12 +764,13 @@ module LibItsSecurity_Functions {
out EtsiTs103097Certificate p_aaCertificate,
out EtsiTs103097Certificate p_atCertificate
) runs on ItsSecurityBaseComponent return boolean {
var charstring v_certificate_id;
//log(">>> f_prepareCertificates: ", p_certificateName);
// Load certificates if required
if ((lengthof(p_certificateName) > 0) and (valueof(p_certificateName) != cc_taCert_A)) {
var HashedId8 v_digest;
var charstring v_cert;
if (f_readCertificate(valueof(p_certificateName), p_atCertificate) == false){
log("f_prepareCertificates: Failed to read certificate ", p_certificateName);
......@@ -783,7 +784,7 @@ module LibItsSecurity_Functions {
log("f_prepareCertificates: Invalid certificate issuer ", p_atCertificate.issuer);
return false;
}
if (f_getCertificateFromDigest(v_digest, p_aaCertificate) == false) {
if (f_getCertificateFromDigest(v_digest, p_aaCertificate, v_certificate_id) == false) {
log("f_prepareCertificates: Failed to read certificate issuer ", v_digest);
return false;
}
......@@ -2173,6 +2174,8 @@ module LibItsSecurity_Functions {
function f_loadCertificates(
in charstring p_configId
) runs on ItsSecurityBaseComponent return boolean {
var charstring v_certificate_id;
// Setup certificates memory cache
if (fx_loadCertificates(PX_CERTIFICATE_POOL_PATH, p_configId) == true) {
// Setup security component variables
......@@ -2188,7 +2191,7 @@ module LibItsSecurity_Functions {
return false;
}
log("Selected issuer: ", v_issuer);
if (f_getCertificateFromDigest(v_issuer, vc_aaCertificate)) {
if (f_getCertificateFromDigest(v_issuer, vc_aaCertificate, v_certificate_id)) {
if (f_readSigningKey(cc_taCert_A, vc_signingPrivateKey) == true) {
f_readEncryptingKey(cc_taCert_A, vc_encryptPrivateKey);
return true;
......@@ -2298,15 +2301,15 @@ module LibItsSecurity_Functions {
function f_getCertificateFromDigest(
in HashedId8 p_digest,
out EtsiTs103097Certificate p_certificate
out EtsiTs103097Certificate p_certificate,
out charstring p_certificate_id
) return boolean {
var charstring v_certificate_id;
if (not(fx_readCertificateFromDigest(p_digest, v_certificate_id))) {
if (not(fx_readCertificateFromDigest(p_digest, p_certificate_id))) {
log("f_getCertificateFromDigest: Failed to retrieve digest for ", p_digest);
return false;
}
if (not(f_readCertificate(v_certificate_id, p_certificate))) {
log("f_getCertificateFromDigest: Failed to retrieve digest for ", v_certificate_id);
if (not(f_readCertificate(p_certificate_id, p_certificate))) {
log("f_getCertificateFromDigest: Failed to retrieve digest for ", p_certificate_id);
return false;
}
return true;
......
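Review bot: The second failure branch of `f_getCertificateFromDigest` still logs "Failed to retrieve digest for" although at that point the digest lookup has succeeded and it is `f_readCertificate` that failed; `log("f_getCertificateFromDigest: Failed to read certificate ", p_certificate_id);` would point at the right step. With `p_certificate_id` now an `out` parameter, its state after a false return depends on which step failed, so the function header should state that both out parameters are only meaningful when the result is true. The callers in `f_prepareCertificates` and `f_loadCertificates` declare `v_certificate_id` only to discard it, which deserves a short comment at each declaration. The function's header comment is outside the hunk, so it cannot be seen whether a `@param` for the new argument was added.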
......@@ -22,7 +22,12 @@ module LibItsSecurity_TypesAndValues {
import from IEEE1609dot2BaseTypes language "ASN.1:1997" all;
import from IEEE1609dot2 language "ASN.1:1997" all;
import from EtsiTs103097Module language "ASN.1:1997" all;
/**
* @desc Sequence of HashedId8
*/
type record of HashedId8 HashedId8s;
// Test Adapter certificates & private keys - Valid behavior
const charstring cc_taCert_A := PX_CERT_FOR_TS; /** Default certificate, without region validity restriction, to be used when secured messages are sent from TA to IUT */
const charstring cc_taCert_A_AA := "CERT_TS_A_AA";
......@@ -259,7 +264,6 @@ module LibItsSecurity_TypesAndValues {
e_brainpool_384
}
group taConfiguration {
/**
......