Commit 7f527d2d authored by Yann Garcia's avatar Yann Garcia

Final validation of Enrolment request/response

parent a9d34302
+23 −31
@@ -232,11 +232,10 @@ module LibItsPki_Functions {
                                           out Oct12 p_nonce,
                                           out octetstring p_salt,
                                           out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
                                           out Oct32 p_hash_inner_ec_request_signed_for_pop
                                           out Oct32 p_request_hash
                                           ) runs on ItsPkiHttp {
      var InnerEcRequest v_inner_ec_request;
      var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop;
      var bitstring v_inner_ec_request_signed_for_pop_msg;
      var octetstring v_public_enc_key;
      var integer v_compressed_enc_key_mode;
      var boolean v_ret_code;
@@ -250,14 +249,9 @@ module LibItsPki_Functions {
        log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
        f_selfOrClientSyncAndVerdict("error", e_error);
      }
      // Secure InnerEcRequestSignedForPoP message
      log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop);
      v_inner_ec_request_signed_for_pop_msg := encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop));
      log("v_inner_ec_request_signed_for_pop_msg= ", v_inner_ec_request_signed_for_pop_msg);
      
      // Prepare for getting the 16 most bytes of SHA256 of InnerEcRequestSignedForPop
      p_hash_inner_ec_request_signed_for_pop := f_hashWithSha256(bit2oct(v_inner_ec_request_signed_for_pop_msg));
      // Secure the Pki message
      // Secure InnerEcRequestSignedForPoP message
      if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
        log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
        f_selfOrClientSyncAndVerdict("error", e_error);
@@ -267,17 +261,16 @@ module LibItsPki_Functions {
      log("*** f_http_build_inner_ec_request: First enrolment: ", PX_FIRST_ENROLMENT);
      p_salt := vc_eaWholeHash;
      if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
        v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(v_inner_ec_request_signed_for_pop_msg), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce);
        v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
      } else { // We use last valid EC certificate
      v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(v_inner_ec_request_signed_for_pop_msg), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce);
      v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
      }
      if (v_ret_code == false) {
        log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
        f_selfOrClientSyncAndVerdict("error", e_error);
      }
      log("*** f_http_build_inner_ec_request: DEBUG: v_inner_ec_request_signed_for_pop_msg= ", v_inner_ec_request_signed_for_pop_msg);
      log("*** f_http_build_inner_ec_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data);
      log("*** f_http_build_inner_ec_request: DEBUG: p_hash_inner_ec_request_signed_for_pop= ", p_hash_inner_ec_request_signed_for_pop);
      log("*** f_http_build_inner_ec_request: DEBUG: p_request_hash= ", p_request_hash);
    } // End of function f_http_build_inner_ec_request

    function f_http_build_invalid_enrolment_request(
@@ -290,7 +283,7 @@ module LibItsPki_Functions {
                                                    out Oct12 p_nonce,
                                                    out octetstring p_salt,
                                                    out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
                                                    out Oct32 p_hash_inner_ec_request_signed_for_pop
                                                    out Oct32 p_request_hash
                                                    ) runs on ItsPkiHttp {
      var InnerEcRequest v_inner_ec_request;
      var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop;
@@ -307,10 +300,10 @@ module LibItsPki_Functions {
        log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
        f_selfOrClientSyncAndVerdict("error", e_error);
      }
      
      log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop);
      
      // Secure InnerEcRequestSignedForPoP message
      // Get 16 last byte of SHA256 of InnerEcRequestSignedForPop
      p_hash_inner_ec_request_signed_for_pop := f_hashWithSha256(int2oct(12345, 32)); // Invalid InnseEcRequestSignedForPop
      // Secure the Pki message
      if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
        log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
        f_selfOrClientSyncAndVerdict("error", e_error);
@@ -319,9 +312,9 @@ module LibItsPki_Functions {
      log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode);
      p_salt := vc_eaWholeHash;
      if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
        v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce);
        v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
      } else { // We use last valid EC certificate
        v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce);
        v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
      }
      if (v_ret_code == false) {
        log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
@@ -335,7 +328,7 @@ module LibItsPki_Functions {
                                           out octetstring p_publicKeyCompressed,
                                           out integer p_compressedMode,
                                           out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
                                           out HashedId8 p_hash_inner_at_request
                                           out Oct32 p_request_hash
                                           ) runs on ItsPkiHttp {
      // Local variables
      
@@ -372,7 +365,7 @@ module LibItsPki_Functions {
       **/
      log("*** f_http_build_inner_ec_request: ERROR: Need to add TestSystem variable vc_aa ***");
      f_selfOrClientSyncAndVerdict("error", e_error);
      /* if (f_build_pki_secured_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), p_ieee1609dot2_signed_and_encrypted_data) == false) { */
      /* if (f_build_pki_secured_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), p_ieee1609dot2_signed_and_encrypted_data, p_request_hash) == false) { */
      /*   log("*** f_http_build_authorization_validation_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); */
      /*   f_selfOrClientSyncAndVerdict("error", e_error); */
      /* } */
@@ -909,7 +902,8 @@ module LibItsPki_Functions {
                                         out Oct16 p_aes_sym_key,
                                         out Oct16 p_encrypted_sym_key,
                                         out Oct16 p_authentication_vector,
                                         out Oct12 p_nonce
                                         out Oct12 p_nonce,
                                         out Oct32 p_request_hash
                                         ) return boolean {
      // Local variables
      var template (value) EccP256CurvePoint v_eccP256_curve_point;
@@ -956,6 +950,9 @@ module LibItsPki_Functions {
                                                      );
      // Encode EtsiTs103097Data-Signed data structure
      v_encoded_inner_ec_request := bit2oct(encvalue(v_ieee1609dot2_signed_data));
      // Calculate the SHA256 of v_encoded_inner_ec_request
      p_request_hash := f_hashWithSha256(v_encoded_inner_ec_request);
      log("p_request_hash= ", p_request_hash);
      // Encrypt encode EtsiTs103097Data-Signed data structure
      if (PICS_SEC_FIXED_KEYS) {
        p_publicKeyCompressed := '8C5E20FE31935F6FA682A1F6D46E4468534FFEA1A698B14B0B12513EED8DEB11'O;
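Review bot: The comment on the new `p_request_hash` assignment does not say that the digest is taken over the encoded EtsiTs103097Data-Signed structure before encryption, nor that the full 32-byte value is returned. Comments elsewhere on this page speak of the "16 most bytes" and the "16 last byte" of the hash, so if a response carries a truncated hash, callers need to be told which part to compare. I would replace the comment with `// SHA-256 over the encoded signed request (before encryption); full 32 bytes, callers truncate as needed when matching a response` and add a matching `@param p_request_hash` line to the function header, which is outside this hunk. The added `log("p_request_hash= ", p_request_hash);` also lacks the `*** <function name>: DEBUG:` prefix that the request builders' log lines use.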
@@ -1009,25 +1006,22 @@ module LibItsPki_Functions {
    } // End of function f_build_pki_secured_message
    
    /**
     * @desc Verify the protocol element of the Pki message 
     * @desc Verify the protocol element of the Pki message. 
     *       If p_check_security is set to false, only decryption and decoding of the outer message are verified.
     * @param p_private_key         Private key for decryption
     * @param p_publicEphemeralCompressedKey
     * @param p_publicEphemeralCompressedKeyMode
     * @param p_issuer              Issuer
     * @param p_certificate         Certificate to use for verification key
     * @param p_ieee1609dot2_encrypted_and_signed_data The received encrypted and signed data
     * @param p_check_security      Set to true to check signatures
     * @param p_check_security      Set to true to verify PKI protocol element such as signatures...
     * @param p_etsi_ts_102941_data The EtsiTs102941Data message
     * @return true on success, false otherwise
     */
    function f_verify_pki_message(
                                  in octetstring p_private_enc_key,
                                  //                                  in octetstring p_publicEphemeralCompressedKey, // TODO Useless, to be removed
                                  //                                  in integer p_publicEphemeralCompressedKeyMode, // TODO Useless, to be removed
                                  in Oct16 p_aes_sym_key,
                                  in Oct16 p_authentication_vector, // TODO Tobe removed
                                  //                                  in Oct12 p_nonce,                 // TODO Tobe removed
                                  //                                  in octetstring p_salt,
                                  in octetstring p_issuer,
                                  in Certificate p_certificate, // TODO Tobe removed
                                  in Ieee1609Dot2Data p_ieee1609dot2_encrypted_and_signed_data,
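Review bot: The header comment does not match the signature it documents: it lists `p_private_key`, `p_publicEphemeralCompressedKey` and `p_publicEphemeralCompressedKeyMode`, while the live parameters are `p_private_enc_key`, `p_aes_sym_key` and `p_authentication_vector`, and the ephemeral-key parameters appear only as commented-out lines. Because the description says that `p_check_security` set to false limits the check to decryption and decoding, the `@param` line should state the consequence plainly, for example `@param p_check_security Set to false to skip signature verification; the returned data is then decrypted and decoded but not authenticated`. The `// TODO Tobe removed` markers on `p_authentication_vector` and `p_certificate` should either be resolved or be reflected in `@param` entries. The parameter list continues past the end of this hunk.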
@@ -1061,10 +1055,8 @@ module LibItsPki_Functions {
      // 2. Decode it
      v_tbs := oct2bit(v_plain_message);
      if (decvalue(v_tbs, v_ieee1609dot2_signed_data) != 0) {
        if (p_check_security == true) {
        return false;
      }
      }
      log("v_ieee1609dot2_signed_data= ", v_ieee1609dot2_signed_data);
      
      // 3. Check the signature
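Review bot: The decode failure path returns false without logging anything, so a test run cannot distinguish a malformed decrypted payload from a later signature failure. The hunk header counts suggest the `p_check_security` guard around this return is being removed, which would make the silent branch apply to every caller. A line such as `log("*** f_verify_pki_message: ERROR: Failed to decode EtsiTs103097Data-Signed ***");` before `return false;` would match the error logs used in the request builders. The function body starts and ends outside this hunk.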
@@ -1075,7 +1067,7 @@ module LibItsPki_Functions {
          return false;
        }
      }
      log("v_certificate= ", v_certificate);
      //log("v_certificate= ", v_certificate);
      if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0)) {
        v_ret := f_verifyWithEcdsaNistp256WithSha256(
                                                     bit2oct(v_tbs),