Loading ttcn/Pki/LibItsPki_Functions.ttcn +50 −91 Original line number Diff line number Diff line Loading @@ -152,7 +152,7 @@ module LibItsPki_Functions { if (PICS_MULTIPLE_END_POINT == false) { map(self:httpPort, system:httpPort); } else { map(self:httpEcPort, system:httpEcPort); map(self:httpAtPort, system:httpAtPort); } f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed??? Loading Loading @@ -182,7 +182,7 @@ module LibItsPki_Functions { if (PICS_MULTIPLE_END_POINT == false) { activate(a_default_pki_http()); } else { activate(a_default_pki_http_ec()); activate(a_default_pki_http_at()); } } // End of function f_cfHttpUp_itss Loading @@ -199,7 +199,6 @@ module LibItsPki_Functions { map(self:httpPort, system:httpPort); } else { map(self:httpAtVPort, system:httpAtVPort); map(self:httpAtPort, system:httpAtPort); } f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed??? Loading Loading @@ -296,7 +295,7 @@ module LibItsPki_Functions { if (PICS_MULTIPLE_END_POINT == false) { unmap(self:httpPort, system:httpPort); } else { unmap(self:httpEcPort, system:httpEcPort); unmap(self:httpAtPort, system:httpAtPort); } f_disconnect4SelfOrClientSync(); f_uninitialiseSecuredMode(); Loading @@ -310,7 +309,6 @@ module LibItsPki_Functions { unmap(self:httpPort, system:httpPort); } else { unmap(self:httpAtVPort, system:httpAtVPort); unmap(self:httpAtPort, system:httpAtPort); } f_disconnect4SelfOrClientSync(); f_uninitialiseSecuredMode(); Loading Loading @@ -1116,6 +1114,7 @@ module LibItsPki_Functions { in boolean p_alter_ea_id := false, in template (omit) Time32 p_start := omit, in template (omit) Duration p_duration := omit, in template (omit) Time64 p_generation_time := omit, out octetstring p_private_key, out octetstring p_public_key_compressed, out integer p_compressed_key_mode, Loading Loading @@ -1151,7 +1150,7 @@ module LibItsPki_Functions { log("f_http_build_authorization_request_with_wrong_parameters: Altered eaId= ", v_ea_hashed_id8); v_ret_code := f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, v_ea_hashed_id8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request); } else { v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request); v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_generation_time, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request); } if (v_ret_code == false) { log("*** f_http_build_authorization_request_with_wrong_parameters: ERROR: Failed to generate AuthorizationValidationRequest ***"); Loading Loading @@ -1387,7 +1386,7 @@ module LibItsPki_Functions { } // End of function f_http_build_invalid_authorization_validation_request function f_http_build_authorization_validation_response( in InnerAtRequest p_inner_at_request, in SharedAtRequest p_shared_at_request, in AuthorizationValidationResponseCode p_responseCode := ok, in Oct16 p_request_hash, in octetstring p_private_key := ''O, Loading @@ -1404,7 +1403,7 @@ module LibItsPki_Functions { var EtsiTs103097Certificate v_at_certificate; var boolean p_result := false; log(">>> f_http_build_authorization_validation_response: p_inner_at_request= ", p_inner_at_request); log(">>> f_http_build_authorization_validation_response: p_shared_at_request= ", p_shared_at_request); log(">>> f_http_build_authorization_validation_response: p_responseCode= ", p_responseCode); log(">>> f_http_build_authorization_validation_response: p_request_hash= ", p_request_hash); log(">>> f_http_build_authorization_validation_response: p_private_key= ", p_private_key); Loading @@ -1423,7 +1422,7 @@ module LibItsPki_Functions { } else { p_authorization_validation_response := valueof(m_authorizationValidationResponse_ok( p_request_hash, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes p_shared_at_request.requestedSubjectAttributes ) ); } Loading Loading @@ -1919,16 +1918,16 @@ module LibItsPki_Functions { } p_inner_ec_request := valueof( m_innerEcRequest( PICS_ITS_S_CANONICAL_ID, p_canonical_id, m_publicKeys( v_public_verification_key ), m_certificateSubjectAttributes_id_name( oct2char(p_canonical_id), oct2char(PICS_ITS_S_CANONICAL_ID), p_appPermissions, // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs m_validityPeriod( p_start, m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION) p_duration ), m_geographicRegion_identifiedRegion( { Loading Loading @@ -2181,7 +2180,7 @@ module LibItsPki_Functions { v_key_tag, // Calculated keyTag valueof( m_certificate_subject_attributes( // FIXME Review subjectPermissions v_appPermissions,//p_ec_certificate.toBeSigned.appPermissions, v_appPermissions, p_ec_certificate.toBeSigned.certRequestPermissions, { none_ := NULL },//p_ec_certificate.toBeSigned.id, p_ec_certificate.toBeSigned.validityPeriod, Loading Loading @@ -2426,6 +2425,7 @@ module LibItsPki_Functions { in boolean p_alter_signer_digest := false, in template (omit) Time32 p_start := omit, in template (omit) Duration p_duration := omit, in template (omit) Time64 p_generation_time := omit, out octetstring p_private_key, out octetstring p_public_key_compressed, out integer p_compressed_key_mode, Loading Loading @@ -2461,10 +2461,10 @@ module LibItsPki_Functions { var Signature v_signature; var Time32 v_start; var Duration v_duration; /*var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM })), valueof(m_appPermissions(c_its_aid_DENM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_DENM })) };*/ }; // Generate verification keys for the certificate to be requested if (f_generate_key_pair(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_key_mode) == false) { Loading Loading @@ -2552,7 +2552,7 @@ module LibItsPki_Functions { v_key_tag, // Calculated keyTag valueof( m_certificate_subject_attributes( p_ec_certificate.toBeSigned.appPermissions,//v_appPermissions, v_appPermissions, p_ec_certificate.toBeSigned.certRequestPermissions, { none_ := NULL },//p_ec_certificate.toBeSigned.id, m_validityPeriod(v_start, v_duration), Loading @@ -2566,13 +2566,23 @@ module LibItsPki_Functions { log("f_generate_inner_at_request_with_wrong_parameters: v_hash_shared_at_request= ", v_hash_shared_at_request); // Build the ETsiTs103097Data-SignedExternalPayload if (ispresent(p_generation_time)) { v_tbs := m_toBeSignedData( m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash m_headerInfo_inner_pki_request( // HeaderInfo -, (f_getCurrentTime()) * 1000) //us valueof(p_generation_time) * 1000) //us ); log("f_generate_inner_at_request_with_wrong_parameters: Altered generation time: v_tbs= ", v_tbs); } else { v_tbs := m_toBeSignedData( m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash m_headerInfo_inner_pki_request( // HeaderInfo -, f_getCurrentTime() * 1000) //us ); log("f_generate_inner_at_request_with_wrong_parameters: v_tbs= ", v_tbs); } // Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request // In case of ITS-S privacy, v_signed_at_signature contained the data to be encrypted // TODO Simplify with f_signWithEcdsa Loading Loading @@ -3588,58 +3598,9 @@ module LibItsPki_Functions { // 4. Verifiy signature log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData); v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData)); if (p_issuer == ''O) { // ITS-S/OBU var PublicVerificationKey v_public_verification_key; log("f_verify_pki_request_message: Use ITS-S technical keys"); if (PX_VE_ALG == e_nist_p256) { var EccP256CurvePoint v_ecc_p256_curve_point; if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32))); } else { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32))); } v_public_verification_key := valueof( m_publicVerificationKey_ecdsaNistP256( v_ecc_p256_curve_point ) ); } else if (PX_VE_ALG == e_brainpool_p256_r1) { var EccP256CurvePoint v_ecc_p256_curve_point; if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32))); } else { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32))); } v_public_verification_key := valueof( m_publicVerificationKey_ecdsaBrainpoolP256r1( v_ecc_p256_curve_point ) ); } else if (PX_VE_ALG == e_brainpool_p384_r1) { var EccP384CurvePoint v_ecc_p384_curve_point; if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) { v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48))); } else { v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48))); } v_public_verification_key := valueof( m_publicVerificationKey_ecdsaBrainpoolP384r1( v_ecc_p384_curve_point ) ); } else { if (p_issuer == ''O) { log("f_verify_pki_request_message: Invalid issuer value"); return false; } log("f_verify_pki_request_message: v_public_verification_key= ", v_public_verification_key); if (f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, v_public_verification_key) == false) { if (p_check_security == true) { return false; } } } else { if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) { if (p_check_security == true) { Loading Loading @@ -3801,7 +3762,6 @@ module LibItsPki_Functions { } // Check EC certificate signature // TODO Who sign the EC certificate? if (f_verifyCertificateSignatureWithPublicKey(p_ec_certificate, p_ea_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { log("f_verify_ec_certificate: Signature not verified"); return false; Loading Loading @@ -3846,7 +3806,6 @@ module LibItsPki_Functions { } // Check EC certificate signature // TODO Who sign the EC certificate? if (f_verifyCertificateSignatureWithPublicKey(p_at_certificate, p_aa_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { log("f_verify_at_certificate: Signature not verified"); return false; Loading ttcn/Pki/LibItsPki_Pics.ttcn +1 −1 Original line number Diff line number Diff line Loading @@ -199,6 +199,6 @@ module LibItsPki_Pics { /** * @desc Invalid Canonical ITSS-S identifier */ modulepar octetstring PICS_INVALID_ITS_S_CANONICAL_ID := '0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A'O; modulepar octetstring PICS_INVALID_ITS_S_CANONICAL_ID := 'BABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABA'O; } // End of module LibItsPki_Pics ttcn/Pki/LibItsPki_Pixits.ttcn +4 −0 Original line number Diff line number Diff line Loading @@ -52,6 +52,10 @@ module LibItsPki_Pixits { modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR := '01FF'O; modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_VERSION := '00C0'O; modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_SSP_BIT := '0180'O; modulepar octetstring PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM := '830001'O; modulepar octetstring PX_INNER_EC_CERTFICATE_BITMAP_SSP_DENM := '830001'O; Loading ttcn/Pki/LibItsPki_Templates.ttcn +18 −12 Original line number Diff line number Diff line Loading @@ -190,10 +190,16 @@ module LibItsPki_Templates { authorizationResponse := p_authorizationResponse } // End of template mw_authorizationResponse template (present) EtsiTs102941DataContent mw_authorizationValidationRequest( template (present) AuthorizationValidationRequest p_authorization_validation_request := ? ) := { authorizationValidationRequest := p_authorization_validation_request } // End of template mw_authorizationValidationRequest template (present) EtsiTs102941DataContent mw_authorizationValidationResponse( template (present) AuthorizationValidationResponse p_authorization_alidation_response := ? template (present) AuthorizationValidationResponse p_authorization_validation_response := ? ) := { authorizationValidationResponse := p_authorization_alidation_response authorizationValidationResponse := p_authorization_validation_response } // End of template mw_authorizationValidationResponse template (value) InnerEcRequest m_innerEcRequest( Loading Loading @@ -359,21 +365,21 @@ module LibItsPki_Templates { certificate := omit } // End of template mw_innerAtResponse_ko template (value) AuthorizationValidationRequest m_authorizationValidationRequest( template (value) AuthorizationValidationRequest m_authorization_validation_request( in template (value) SharedAtRequest p_sharedAtRequest, in template (value) EcSignature p_ecSignature ) := { sharedAtRequest := p_sharedAtRequest, ecSignature := p_ecSignature } // End of template m_authorizationValidationRequest } // End of template m_authorization_validation_request template (present) AuthorizationValidationRequest mw_authorizationValidationRequest( template (present) AuthorizationValidationRequest mw_authorization_validation_request( template (present) SharedAtRequest p_sharedAtRequest := ?, template (present) EcSignature p_ecSignature := ? ) := { sharedAtRequest := p_sharedAtRequest, ecSignature := p_ecSignature } // End of template mw_authorizationValidationRequest } // End of template mw_authorization_validation_request template (value) AuthorizationValidationResponse m_authorizationValidationResponse_ok( template (value) Oct16 p_requestHash, Loading ttcn/Security/LibItsSecurity_Functions.ttcn +29 −7 Original line number Diff line number Diff line Loading @@ -2013,18 +2013,30 @@ module LibItsSecurity_Functions { function f_verifySspPermissions( in SequenceOfPsidSsp p_issuer_ssp_permissions, in SequenceOfPsidSsp p_subordinate_ssp_permissions in SequenceOfPsidSsp p_subordinate_ssp_permissions, in boolean p_strict_checks := false ) return boolean { // Local variables var integer v_idx := 0; log(">>> f_verifySspPermissions: p_issuer_ssp_permissions:", p_issuer_ssp_permissions); log(">>> f_verifySspPermissions: p_subordinate_ssp_permissions: ", p_subordinate_ssp_permissions); for (v_idx := 0; v_idx < lengthof(p_issuer_ssp_permissions); v_idx := v_idx + 1) { var PsidSsp v_issuerPsidSsp := p_issuer_ssp_permissions[v_idx]; var PsidSsp v_subordinatePsidSsp; var boolean v_found := false; var integer v_jdx := 0; log("f_verifySspPermissions: v_issuerPsidSsp: ", v_issuerPsidSsp); // 1. Check permission from issuer is present for (v_jdx := 0; v_jdx < lengthof(p_subordinate_ssp_permissions); v_jdx := v_jdx + 1) { log("f_verifySspPermissions: match=", match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp))); // 1. Check the version if (p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0] != '01'O) { log("f_verifySspPermissions: Wrong SSP version control (1 is expected): ", p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0]); return false; } // 2. Check the version if (match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp)) == true) { v_subordinatePsidSsp := p_subordinate_ssp_permissions[v_jdx]; v_found := true; Loading @@ -2033,21 +2045,31 @@ module LibItsSecurity_Functions { } // End of 'for' statement if (v_found == false) { log("f_verifySspPermissions: Permission set not found: ", v_issuerPsidSsp) if (p_strict_checks == true) { return false; } else { return true; } } // 2. Validate bits mask if (ispresent(v_issuerPsidSsp.ssp)) { if (ispresent(v_subordinatePsidSsp.ssp) == false) { log("f_verifySspPermissions: Ssp shall not be omitted: ", v_issuerPsidSsp) if (p_strict_checks == true) { return false; } } if ((ischosen(v_issuerPsidSsp.ssp.bitmapSsp) == false) or (ischosen(v_subordinatePsidSsp.ssp.bitmapSsp) == false)) { log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp); log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp, " / ", v_subordinatePsidSsp); if (p_strict_checks == true) { return false; } } if (lengthof(v_issuerPsidSsp.ssp.bitmapSsp) < lengthof(v_subordinatePsidSsp.ssp.bitmapSsp)) { log("f_verifySspPermissions: Ssp not be compliant: ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp); if (p_strict_checks == true) { return false; } } else { var charstring v_issuerSsp := bit2str(oct2bit(v_issuerPsidSsp.ssp.bitmapSsp)); var charstring v_subordinateSsp := bit2str(oct2bit(v_subordinatePsidSsp.ssp.bitmapSsp)); Loading Loading
ttcn/Pki/LibItsPki_Functions.ttcn +50 −91 Original line number Diff line number Diff line Loading @@ -152,7 +152,7 @@ module LibItsPki_Functions { if (PICS_MULTIPLE_END_POINT == false) { map(self:httpPort, system:httpPort); } else { map(self:httpEcPort, system:httpEcPort); map(self:httpAtPort, system:httpAtPort); } f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed??? Loading Loading @@ -182,7 +182,7 @@ module LibItsPki_Functions { if (PICS_MULTIPLE_END_POINT == false) { activate(a_default_pki_http()); } else { activate(a_default_pki_http_ec()); activate(a_default_pki_http_at()); } } // End of function f_cfHttpUp_itss Loading @@ -199,7 +199,6 @@ module LibItsPki_Functions { map(self:httpPort, system:httpPort); } else { map(self:httpAtVPort, system:httpAtVPort); map(self:httpAtPort, system:httpAtPort); } f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed??? Loading Loading @@ -296,7 +295,7 @@ module LibItsPki_Functions { if (PICS_MULTIPLE_END_POINT == false) { unmap(self:httpPort, system:httpPort); } else { unmap(self:httpEcPort, system:httpEcPort); unmap(self:httpAtPort, system:httpAtPort); } f_disconnect4SelfOrClientSync(); f_uninitialiseSecuredMode(); Loading @@ -310,7 +309,6 @@ module LibItsPki_Functions { unmap(self:httpPort, system:httpPort); } else { unmap(self:httpAtVPort, system:httpAtVPort); unmap(self:httpAtPort, system:httpAtPort); } f_disconnect4SelfOrClientSync(); f_uninitialiseSecuredMode(); Loading Loading @@ -1116,6 +1114,7 @@ module LibItsPki_Functions { in boolean p_alter_ea_id := false, in template (omit) Time32 p_start := omit, in template (omit) Duration p_duration := omit, in template (omit) Time64 p_generation_time := omit, out octetstring p_private_key, out octetstring p_public_key_compressed, out integer p_compressed_key_mode, Loading Loading @@ -1151,7 +1150,7 @@ module LibItsPki_Functions { log("f_http_build_authorization_request_with_wrong_parameters: Altered eaId= ", v_ea_hashed_id8); v_ret_code := f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, v_ea_hashed_id8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request); } else { v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request); v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_generation_time, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request); } if (v_ret_code == false) { log("*** f_http_build_authorization_request_with_wrong_parameters: ERROR: Failed to generate AuthorizationValidationRequest ***"); Loading Loading @@ -1387,7 +1386,7 @@ module LibItsPki_Functions { } // End of function f_http_build_invalid_authorization_validation_request function f_http_build_authorization_validation_response( in InnerAtRequest p_inner_at_request, in SharedAtRequest p_shared_at_request, in AuthorizationValidationResponseCode p_responseCode := ok, in Oct16 p_request_hash, in octetstring p_private_key := ''O, Loading @@ -1404,7 +1403,7 @@ module LibItsPki_Functions { var EtsiTs103097Certificate v_at_certificate; var boolean p_result := false; log(">>> f_http_build_authorization_validation_response: p_inner_at_request= ", p_inner_at_request); log(">>> f_http_build_authorization_validation_response: p_shared_at_request= ", p_shared_at_request); log(">>> f_http_build_authorization_validation_response: p_responseCode= ", p_responseCode); log(">>> f_http_build_authorization_validation_response: p_request_hash= ", p_request_hash); log(">>> f_http_build_authorization_validation_response: p_private_key= ", p_private_key); Loading @@ -1423,7 +1422,7 @@ module LibItsPki_Functions { } else { p_authorization_validation_response := valueof(m_authorizationValidationResponse_ok( p_request_hash, p_inner_at_request.sharedAtRequest.requestedSubjectAttributes p_shared_at_request.requestedSubjectAttributes ) ); } Loading Loading @@ -1919,16 +1918,16 @@ module LibItsPki_Functions { } p_inner_ec_request := valueof( m_innerEcRequest( PICS_ITS_S_CANONICAL_ID, p_canonical_id, m_publicKeys( v_public_verification_key ), m_certificateSubjectAttributes_id_name( oct2char(p_canonical_id), oct2char(PICS_ITS_S_CANONICAL_ID), p_appPermissions, // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs m_validityPeriod( p_start, m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION) p_duration ), m_geographicRegion_identifiedRegion( { Loading Loading @@ -2181,7 +2180,7 @@ module LibItsPki_Functions { v_key_tag, // Calculated keyTag valueof( m_certificate_subject_attributes( // FIXME Review subjectPermissions v_appPermissions,//p_ec_certificate.toBeSigned.appPermissions, v_appPermissions, p_ec_certificate.toBeSigned.certRequestPermissions, { none_ := NULL },//p_ec_certificate.toBeSigned.id, p_ec_certificate.toBeSigned.validityPeriod, Loading Loading @@ -2426,6 +2425,7 @@ module LibItsPki_Functions { in boolean p_alter_signer_digest := false, in template (omit) Time32 p_start := omit, in template (omit) Duration p_duration := omit, in template (omit) Time64 p_generation_time := omit, out octetstring p_private_key, out octetstring p_public_key_compressed, out integer p_compressed_key_mode, Loading Loading @@ -2461,10 +2461,10 @@ module LibItsPki_Functions { var Signature v_signature; var Time32 v_start; var Duration v_duration; /*var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM })), valueof(m_appPermissions(c_its_aid_DENM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_DENM })) };*/ }; // Generate verification keys for the certificate to be requested if (f_generate_key_pair(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_key_mode) == false) { Loading Loading @@ -2552,7 +2552,7 @@ module LibItsPki_Functions { v_key_tag, // Calculated keyTag valueof( m_certificate_subject_attributes( p_ec_certificate.toBeSigned.appPermissions,//v_appPermissions, v_appPermissions, p_ec_certificate.toBeSigned.certRequestPermissions, { none_ := NULL },//p_ec_certificate.toBeSigned.id, m_validityPeriod(v_start, v_duration), Loading @@ -2566,13 +2566,23 @@ module LibItsPki_Functions { log("f_generate_inner_at_request_with_wrong_parameters: v_hash_shared_at_request= ", v_hash_shared_at_request); // Build the ETsiTs103097Data-SignedExternalPayload if (ispresent(p_generation_time)) { v_tbs := m_toBeSignedData( m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash m_headerInfo_inner_pki_request( // HeaderInfo -, (f_getCurrentTime()) * 1000) //us valueof(p_generation_time) * 1000) //us ); log("f_generate_inner_at_request_with_wrong_parameters: Altered generation time: v_tbs= ", v_tbs); } else { v_tbs := m_toBeSignedData( m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash m_headerInfo_inner_pki_request( // HeaderInfo -, f_getCurrentTime() * 1000) //us ); log("f_generate_inner_at_request_with_wrong_parameters: v_tbs= ", v_tbs); } // Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request // In case of ITS-S privacy, v_signed_at_signature contained the data to be encrypted // TODO Simplify with f_signWithEcdsa Loading Loading @@ -3588,58 +3598,9 @@ module LibItsPki_Functions { // 4. Verifiy signature log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData); v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData)); if (p_issuer == ''O) { // ITS-S/OBU var PublicVerificationKey v_public_verification_key; log("f_verify_pki_request_message: Use ITS-S technical keys"); if (PX_VE_ALG == e_nist_p256) { var EccP256CurvePoint v_ecc_p256_curve_point; if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32))); } else { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32))); } v_public_verification_key := valueof( m_publicVerificationKey_ecdsaNistP256( v_ecc_p256_curve_point ) ); } else if (PX_VE_ALG == e_brainpool_p256_r1) { var EccP256CurvePoint v_ecc_p256_curve_point; if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32))); } else { v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32))); } v_public_verification_key := valueof( m_publicVerificationKey_ecdsaBrainpoolP256r1( v_ecc_p256_curve_point ) ); } else if (PX_VE_ALG == e_brainpool_p384_r1) { var EccP384CurvePoint v_ecc_p384_curve_point; if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) { v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48))); } else { v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48))); } v_public_verification_key := valueof( m_publicVerificationKey_ecdsaBrainpoolP384r1( v_ecc_p384_curve_point ) ); } else { if (p_issuer == ''O) { log("f_verify_pki_request_message: Invalid issuer value"); return false; } log("f_verify_pki_request_message: v_public_verification_key= ", v_public_verification_key); if (f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, v_public_verification_key) == false) { if (p_check_security == true) { return false; } } } else { if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) { if (p_check_security == true) { Loading Loading @@ -3801,7 +3762,6 @@ module LibItsPki_Functions { } // Check EC certificate signature // TODO Who sign the EC certificate? if (f_verifyCertificateSignatureWithPublicKey(p_ec_certificate, p_ea_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { log("f_verify_ec_certificate: Signature not verified"); return false; Loading Loading @@ -3846,7 +3806,6 @@ module LibItsPki_Functions { } // Check EC certificate signature // TODO Who sign the EC certificate? if (f_verifyCertificateSignatureWithPublicKey(p_at_certificate, p_aa_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { log("f_verify_at_certificate: Signature not verified"); return false; Loading
ttcn/Pki/LibItsPki_Pics.ttcn +1 −1 Original line number Diff line number Diff line Loading @@ -199,6 +199,6 @@ module LibItsPki_Pics { /** * @desc Invalid Canonical ITSS-S identifier */ modulepar octetstring PICS_INVALID_ITS_S_CANONICAL_ID := '0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A'O; modulepar octetstring PICS_INVALID_ITS_S_CANONICAL_ID := 'BABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABA'O; } // End of module LibItsPki_Pics
ttcn/Pki/LibItsPki_Pixits.ttcn +4 −0 Original line number Diff line number Diff line Loading @@ -52,6 +52,10 @@ module LibItsPki_Pixits { modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR := '01FF'O; modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_VERSION := '00C0'O; modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_SSP_BIT := '0180'O; modulepar octetstring PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM := '830001'O; modulepar octetstring PX_INNER_EC_CERTFICATE_BITMAP_SSP_DENM := '830001'O; Loading
ttcn/Pki/LibItsPki_Templates.ttcn +18 −12 Original line number Diff line number Diff line Loading @@ -190,10 +190,16 @@ module LibItsPki_Templates { authorizationResponse := p_authorizationResponse } // End of template mw_authorizationResponse template (present) EtsiTs102941DataContent mw_authorizationValidationRequest( template (present) AuthorizationValidationRequest p_authorization_validation_request := ? ) := { authorizationValidationRequest := p_authorization_validation_request } // End of template mw_authorizationValidationRequest template (present) EtsiTs102941DataContent mw_authorizationValidationResponse( template (present) AuthorizationValidationResponse p_authorization_alidation_response := ? template (present) AuthorizationValidationResponse p_authorization_validation_response := ? ) := { authorizationValidationResponse := p_authorization_alidation_response authorizationValidationResponse := p_authorization_validation_response } // End of template mw_authorizationValidationResponse template (value) InnerEcRequest m_innerEcRequest( Loading Loading @@ -359,21 +365,21 @@ module LibItsPki_Templates { certificate := omit } // End of template mw_innerAtResponse_ko template (value) AuthorizationValidationRequest m_authorizationValidationRequest( template (value) AuthorizationValidationRequest m_authorization_validation_request( in template (value) SharedAtRequest p_sharedAtRequest, in template (value) EcSignature p_ecSignature ) := { sharedAtRequest := p_sharedAtRequest, ecSignature := p_ecSignature } // End of template m_authorizationValidationRequest } // End of template m_authorization_validation_request template (present) AuthorizationValidationRequest mw_authorizationValidationRequest( template (present) AuthorizationValidationRequest mw_authorization_validation_request( template (present) SharedAtRequest p_sharedAtRequest := ?, template (present) EcSignature p_ecSignature := ? ) := { sharedAtRequest := p_sharedAtRequest, ecSignature := p_ecSignature } // End of template mw_authorizationValidationRequest } // End of template mw_authorization_validation_request template (value) AuthorizationValidationResponse m_authorizationValidationResponse_ok( template (value) Oct16 p_requestHash, Loading
ttcn/Security/LibItsSecurity_Functions.ttcn +29 −7 Original line number Diff line number Diff line Loading @@ -2013,18 +2013,30 @@ module LibItsSecurity_Functions { function f_verifySspPermissions( in SequenceOfPsidSsp p_issuer_ssp_permissions, in SequenceOfPsidSsp p_subordinate_ssp_permissions in SequenceOfPsidSsp p_subordinate_ssp_permissions, in boolean p_strict_checks := false ) return boolean { // Local variables var integer v_idx := 0; log(">>> f_verifySspPermissions: p_issuer_ssp_permissions:", p_issuer_ssp_permissions); log(">>> f_verifySspPermissions: p_subordinate_ssp_permissions: ", p_subordinate_ssp_permissions); for (v_idx := 0; v_idx < lengthof(p_issuer_ssp_permissions); v_idx := v_idx + 1) { var PsidSsp v_issuerPsidSsp := p_issuer_ssp_permissions[v_idx]; var PsidSsp v_subordinatePsidSsp; var boolean v_found := false; var integer v_jdx := 0; log("f_verifySspPermissions: v_issuerPsidSsp: ", v_issuerPsidSsp); // 1. Check permission from issuer is present for (v_jdx := 0; v_jdx < lengthof(p_subordinate_ssp_permissions); v_jdx := v_jdx + 1) { log("f_verifySspPermissions: match=", match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp))); // 1. Check the version if (p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0] != '01'O) { log("f_verifySspPermissions: Wrong SSP version control (1 is expected): ", p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0]); return false; } // 2. Check the version if (match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp)) == true) { v_subordinatePsidSsp := p_subordinate_ssp_permissions[v_jdx]; v_found := true; Loading @@ -2033,21 +2045,31 @@ module LibItsSecurity_Functions { } // End of 'for' statement if (v_found == false) { log("f_verifySspPermissions: Permission set not found: ", v_issuerPsidSsp) if (p_strict_checks == true) { return false; } else { return true; } } // 2. Validate bits mask if (ispresent(v_issuerPsidSsp.ssp)) { if (ispresent(v_subordinatePsidSsp.ssp) == false) { log("f_verifySspPermissions: Ssp shall not be omitted: ", v_issuerPsidSsp) if (p_strict_checks == true) { return false; } } if ((ischosen(v_issuerPsidSsp.ssp.bitmapSsp) == false) or (ischosen(v_subordinatePsidSsp.ssp.bitmapSsp) == false)) { log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp); log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp, " / ", v_subordinatePsidSsp); if (p_strict_checks == true) { return false; } } if (lengthof(v_issuerPsidSsp.ssp.bitmapSsp) < lengthof(v_subordinatePsidSsp.ssp.bitmapSsp)) { log("f_verifySspPermissions: Ssp not be compliant: ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp); if (p_strict_checks == true) { return false; } } else { var charstring v_issuerSsp := bit2str(oct2bit(v_issuerPsidSsp.ssp.bitmapSsp)); var charstring v_subordinateSsp := bit2str(oct2bit(v_subordinatePsidSsp.ssp.bitmapSsp)); Loading
