Commit 7f9ffa8e authored by Yann Garcia's avatar Yann Garcia
Browse files

ITS-CMS6 Plugtest validation

parent aa689ac9
......@@ -672,8 +672,8 @@ module LibItsPki_Functions {
// Secure the response
log("f_http_build_inner_ec_response: p_inner_ec_response= ", p_inner_ec_response);
v_msg := bit2oct(encvalue(p_inner_ec_response));
v_nonce := int2oct(f_getCurrentTime(), 32); // Random value
v_msg := bit2oct(encvalue(m_etsiTs102941Data_inner_ec_response(p_inner_ec_response)));
v_nonce := substr(f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 16)), 0, 12); // Random value
// TODO Consider Sha384: m_signerIdentifier_digest(f_HashedId8FromSha384(p_digest))
if (f_build_pki_secured_response_message(p_private_key,
valueof(m_signerIdentifier_digest(f_HashedId8FromSha256(p_digest))),// in SignerIdentifier p_signer_identifier,
......@@ -1019,8 +1019,8 @@ module LibItsPki_Functions {
// Secure the response
log("f_http_build_inner_at_response: p_inner_at_response= ", p_inner_at_response);
v_msg := bit2oct(encvalue(p_inner_at_response));
v_nonce := substr(f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 16)), 0, 16); // Random value
v_msg := bit2oct(encvalue(m_etsiTs102941Data_inner_at_response(p_inner_at_response)));
v_nonce := substr(f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 16)), 0, 12); // Random value
// TODO Consider Sha384: m_signerIdentifier_digest(f_HashedId8FromSha384(p_digest))
if (f_build_pki_secured_response_message(p_private_key,
valueof(m_signerIdentifier_digest(f_HashedId8FromSha256(p_digest))),// in SignerIdentifier p_signer_identifier,
......@@ -1223,13 +1223,14 @@ module LibItsPki_Functions {
m_validityPeriod(
f_getCurrentTime() / 1000,
m_duration_in_hours(120)
),
omit/*m_geographicRegion_identifiedRegion(
)/*,
m_geographicRegion_identifiedRegion(
{
m_identifiedRegion_country_only(250), // TODO PIXIT
m_identifiedRegion_country_only(380)
}
)*/
),
'00'O*/ // TODO Use PIXIT
)
);
// Encode it ==> Get octetstring
......@@ -1419,19 +1420,19 @@ module LibItsPki_Functions {
log(">>> f_generate_at_certificate_for_authorization_response");
/*v_issuer := valueof(m_issuerIdentifier_sha256AndDigest(f_HashedId8FromSha256(p_digest))); // TODO Check sha256/384 f_HashedId8FromSha384
v_issuer := valueof(m_issuerIdentifier_sha256AndDigest(f_HashedId8FromSha256(p_digest))); // TODO Check sha256/384 f_HashedId8FromSha384
v_cert := valueof(
m_etsiTs103097Certificate(
v_issuer,
m_toBeSignedCertificate_ec(
p_inner_at_request.requestedSubjectAttributes.id,
p_inner_at_request.requestedSubjectAttributes.appPermissions,
p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.id,
p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions,
m_verificationKeyIndicator_verificationKey(
p_inner_at_request.publicKeys.verificationKey
),
p_inner_at_request.requestedSubjectAttributes.validityPeriod,
p_inner_at_request.requestedSubjectAttributes.region,
p_inner_at_request.requestedSubjectAttributes.assuranceLevel,
p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.validityPeriod,
p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.region,
p_inner_at_request.sharedAtRequest.requestedSubjectAttributes.assuranceLevel,
p_inner_at_request.publicKeys.encryptionKey
)
)
......@@ -1474,7 +1475,7 @@ module LibItsPki_Functions {
)
);
}
p_at_certificate := valueof(v_cert);*/
p_at_certificate := valueof(v_cert);
log("f_generate_at_certificate_for_authorization_response: p_at_certificate= ", p_at_certificate);
return true;
......@@ -1520,14 +1521,14 @@ module LibItsPki_Functions {
m_validityPeriod(
f_getCurrentTime() / 1000,
m_duration_in_hours(120) // TODO Use PIXIT
),
omit,/*m_geographicRegion_identifiedRegion(
)/*,
m_geographicRegion_identifiedRegion(
{
m_identifiedRegion_country_only(250), // TODO Use PIXIT
m_identifiedRegion_country_only(380) // TODO Use PIXIT
}
),*/
omit//'00'O//'C0'O // TODO Use PIXIT
),
'00'O*/ // TODO Use PIXIT
)
)
);
......@@ -2482,7 +2483,7 @@ module LibItsPki_Functions {
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo/*(v_aes_sym_key_hashed_id8)*/, * },
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_SymmetricCiphertext_aes128ccm
)))))),
v_response
......@@ -2497,8 +2498,8 @@ module LibItsPki_Functions {
}
log("f_await_http_inner_ec_request_response: Receive ", v_etsi_ts_102941_data, " ***");
// Verify the received EC certificate
log("f_await_http_inner_ec_request_response: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(-/*Escryptsubstr(v_request_hash, 0, 16)*/, mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(-/*Escryptsubstr(v_request_hash, 0, 16)*/, mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec)))) == false) {
log("f_await_http_inner_ec_request_response: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec)))) == false) {
log("f_await_http_inner_ec_request_response: Unexpected message received ***");
if (p_strict_checks) {
return false;
......@@ -2670,6 +2671,8 @@ module LibItsPki_Functions {
f_getCertificateHash(v_certificate_id, v_hash);
v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), v_hash, p_private_key);
}
log("f_build_pki_secured_request_message_signed_with_pop: lengthof(v_tbs_signed)= ", lengthof(v_tbs_signed));
log("f_build_pki_secured_request_message_signed_with_pop: v_tbs_signed= ", v_tbs_signed);
// Add the signature and create EtsiTs103097Data-Signed data structure
if (PX_VE_ALG == e_nist_p256) {
v_signature := valueof(
......@@ -3185,15 +3188,69 @@ module LibItsPki_Functions {
// 4. Verifiy signature
log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData));
if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) {
if (p_check_security == true) {
if (p_issuer == ''O) { // ITS-S/OBU
var PublicVerificationKey v_public_verification_key;
log("f_verify_pki_request_message: Use ITS-S technical keys");
if (PX_VE_ALG == e_nist_p256) {
var EccP256CurvePoint v_ecc_p256_curve_point;
if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32)));
} else {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32)));
}
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaNistP256(
v_ecc_p256_curve_point
)
);
} else if (PX_VE_ALG == e_brainpool_p256_r1) {
var EccP256CurvePoint v_ecc_p256_curve_point;
if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32)));
} else {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32)));
}
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaBrainpoolP256r1(
v_ecc_p256_curve_point
)
);
} else if (PX_VE_ALG == e_brainpool_p384_r1) {
var EccP384CurvePoint v_ecc_p384_curve_point;
if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) {
v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48)));
} else {
v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48)));
}
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaBrainpoolP384r1(
v_ecc_p384_curve_point
)
);
} else {
return false;
}
}
log("f_verify_pki_request_message: v_certificate= ", v_certificate);
if (f_verifyEcdsa(v_msg, p_issuer, v_ieee1609dot2_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
if (p_check_security == true) {
return false;
log("f_verify_pki_request_message: v_public_verification_key= ", v_public_verification_key);
if (f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, v_public_verification_key) == false) {
if (p_check_security == true) {
return false;
}
}
} else {
if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) {
if (p_check_security == true) {
return false;
}
}
log("f_verify_pki_request_message: v_certificate= ", v_certificate);
if (f_verifyEcdsa(v_msg, p_issuer, v_ieee1609dot2_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
if (p_check_security == true) {
return false;
}
}
}
......
......@@ -55,6 +55,15 @@ module LibItsPki_Templates {
}
} // End of template m_etsiTs102941Data_inner_ec_response
template (value) EtsiTs102941Data m_etsiTs102941Data_inner_at_response(
in template (value) InnerAtResponse p_inner_at_response
) := {
version := PkiProtocolVersion,
content := {
authorizationResponse := p_inner_at_response
}
} // End of template m_etsiTs102941Data_inner_at_response
template (present) EtsiTs102941Data mw_etsiTs102941Data_inner_ec_response(
template (present) InnerEcResponse p_inner_ec_response := ?
) := {
......@@ -464,4 +473,20 @@ module LibItsPki_Templates {
certIssuePermissions := p_certIssuePermissions
} // End of template mw_certificate_subject_attributes
template CertificateSubjectAttributes mw_certificate_subject_attributes_optional_assuranceLevel(
template (present) SequenceOfPsidSsp p_appPermissions := ?,
template (present) CertificateId p_id := ?,
template (present) ValidityPeriod p_validityPeriod := ?,
template SubjectAssurance p_assuranceLevel := *,
template GeographicRegion p_region := *,
template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit
) := {
id := p_id,
validityPeriod := p_validityPeriod,
region := p_region,
assuranceLevel := p_assuranceLevel,
appPermissions := p_appPermissions,
certIssuePermissions := p_certIssuePermissions
} // End of template mw_certificate_subject_attributes
} // End of module LibItsPki_Templates
......@@ -803,7 +803,8 @@ module LibItsSecurity_Templates {
*/
template (value) Ieee1609Dot2Data m_ieee1609Dot2Data(
in template (value) Ieee1609Dot2Content p_content
) := {
) := {
protocolVersion := c_protocol_version,
content := p_content
} // End of template m_ieee1609Dot2Data
......@@ -813,7 +814,8 @@ module LibItsSecurity_Templates {
*/
template (present) Ieee1609Dot2Data mw_ieee1609Dot2Data(
template (present) Ieee1609Dot2Content p_content := ?
) := {
) := {
protocolVersion := c_protocol_version,
content := p_content
} // End of template mw_ieee1609Dot2Data
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment