Finalyze implementation of new TPs from ETSI TS 103 525-2 V1.2.4 (2021-10)

ttcn/Pki/LibItsPki_Functions.ttcn

@@ -3481,7 +3481,9 @@ module LibItsPki_Functions {
                                       in boolean p_check_no_signature := false,
                                       in boolean p_check_region_restriction := false,
                                       in boolean p_check_signature_content := false,
-                                      in boolean p_check_app_permissions := false
+                                      in boolean p_check_app_permissions := false,
+                                      in boolean p_check_app_ssps := false,
+                                      in boolean p_check_app_validity_period := false
                                       ) return boolean {
       var CertificateType v_type_ := explicit;
       var template Signature v_signature_ := ?;
@@ -3682,10 +3684,98 @@ module LibItsPki_Functions {
           }
         } // End of 'for'statement
       }
+
+      if (p_check_app_ssps == true) {
+        var integer v_idx, v_jdx;
+        var Certificate v_authorized_certificate;
+
+        if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) {
+          log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
+          return false;
+        }
+        log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate);
+        for (v_idx := 0; v_idx < lengthof(p_certificate.toBeSigned.appPermissions); v_idx := v_idx + 1) {
+          log("f_verify_rca_certificate: Processing ", p_certificate.toBeSigned.appPermissions[v_idx]);
+          if (match(p_certificate.toBeSigned.appPermissions[v_idx], mw_appPermissions(-, ?)) == false) {
+            log("f_verify_rca_certificate: appPermissions mismatch");
+            return false;
+          }
+          // Check that 'ssp' is in the certIssuePermissions component in the issuing certificate
+          for (v_jdx := 0; v_jdx < lengthof(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit); v_jdx := v_jdx + 1) {
+            log("f_verify_rca_certificate: compare psid ", v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit[v_jdx].psid, " - ", p_certificate.toBeSigned.appPermissions[v_idx].psid);
+            if (v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit[v_jdx].psid == p_certificate.toBeSigned.appPermissions[v_idx].psid) {
+              break;
+            }
+          } // End of 'for'statement
+          if (v_jdx == lengthof(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit)) {
+            log("f_verify_rca_certificate: Psid is not in the list of the issuing certificate");
+            return false;
+          } else {
+            var BitmapSsp v_ssp_ca := substr(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit[v_jdx].sspRange.bitmapSspRange.sspValue, 1, -1 + lengthof(v_authorized_certificate.toBeSigned.certIssuePermissions[0].subjectPermissions.explicit[v_jdx].sspRange.bitmapSspRange.sspValue));
+            log("f_verify_rca_certificate: v_ssp_ca= ", v_ssp_ca, " - ssp= ", p_certificate.toBeSigned.appPermissions[v_idx].ssp.bitmapSsp);
+            if (v_ssp_ca != p_certificate.toBeSigned.appPermissions[v_idx].ssp.bitmapSsp) {
+              log("f_verify_rca_certificate: SSPs mismatch: CA");
+              return false;
+            }
+          }
+        } // End of 'for'statement
+      }
+
+      if (p_check_app_validity_period == true) {
+        var integer v_idx, v_jdx;
+        var Certificate v_authorized_certificate;
+        var UInt32 v_duration, v_duration_ca;
+
+        if (f_readCertificate(p_authorized_certificate, v_authorized_certificate) == false) {
+          log("f_verify_rca_certificate: Fail to load p_authorized_certificate");
+          return false;
+        }
+        log("f_verify_rca_certificate: v_authorized_certificate=", v_authorized_certificate);
+        // Check start date (indicating X_START_VALIDITY ( X_START_VALIDITY >= X_START_VALIDITY_CA ))
+        if (p_certificate.toBeSigned.validityPeriod.start_ < v_authorized_certificate.toBeSigned.validityPeriod.start_) {
+          log("f_verify_rca_certificate: validityPeriod.start_ mismatch");
+          return false;
+        }
+        // Check duration (value <= X_START_VALIDITY_CA + X_DURATION_CA - X_START_VALIDITY)
+        v_duration := duration_to_uint32(p_certificate.toBeSigned.validityPeriod.duration);
+        v_duration_ca := duration_to_uint32(v_authorized_certificate.toBeSigned.validityPeriod.duration);
+        if (v_duration > (v_authorized_certificate.toBeSigned.validityPeriod.start_ + v_duration_ca - p_certificate.toBeSigned.validityPeriod.start_)) {
+          log("f_verify_rca_certificate: validityPeriod.duration mismatch");
+          return false;
+        }
+      }
       
       return true;
     }
 
+    function duration_to_uint32(
+                                in Duration p_duration
+                                ) return UInt32 {
+      if (ischosen(p_duration.microseconds)) {
+        return p_duration.microseconds * 1000000;
+      }
+      else if (ischosen(p_duration.milliseconds)) {
+        return p_duration.milliseconds * 1000;
+      }
+      else if (ischosen(p_duration.seconds)) {
+        return p_duration.seconds;
+      }
+      else if (ischosen(p_duration.minutes)) {
+        return p_duration.minutes * 60;
+      }
+      else if (ischosen(p_duration.hours)) {
+        return p_duration.hours * 3600;
+      }
+      else if (ischosen(p_duration.sixtyHours)) {
+        return p_duration.sixtyHours * 60 * 3600;
+      }
+      else if (ischosen(p_duration.sixtyHours)) {
+        return p_duration.sixtyHours * 60 * 3600;
+      }
+      // No choice!
+      return p_duration.years * 31536000; // One calendar common year has 365 days
+    }
+
   } // End of group rca
 
   group tlm {