Commit c591ac73 authored by YannGarcia

Update after ETSI ITS CMS-7

parent 969b2095
......@@ -115,10 +115,12 @@ module LibItsPki_Functions {
f_readEncryptingKey(p_ea_certificate_id, vc_eaPrivateEncKey);
f_getCertificateDigest(p_ea_certificate_id, vc_eaHashedId8);
f_getCertificateHash(p_ea_certificate_id, vc_eaWholeHash);
f_getCertificateHash256(p_ea_certificate_id, vc_eaWholeHash256);
log("f_cfHttpUp: vc_eaPrivateKey= ", vc_eaPrivateKey);
log("f_cfHttpUp: vc_eaPrivateEncKey= ", vc_eaPrivateEncKey);
log("f_cfHttpUp: vc_eaHashedId8= ", vc_eaHashedId8);
log("f_cfHttpUp: vc_eaWholeHash= ", vc_eaWholeHash);
log("f_cfHttpUp: vc_eaWholeHash256= ", vc_eaWholeHash256);
// Setup AA certificate shared with PKI AA entity
f_readCertificate(p_aa_certificate_id, vc_aaCertificate);
......@@ -126,10 +128,12 @@ module LibItsPki_Functions {
f_readEncryptingKey(p_aa_certificate_id, vc_aaPrivateEncKey);
f_getCertificateDigest(p_aa_certificate_id, vc_aaHashedId8);
f_getCertificateHash(p_aa_certificate_id, vc_aaWholeHash);
f_getCertificateHash256(p_aa_certificate_id, vc_aaWholeHash256);
log("f_cfHttpUp: vc_aaPrivateKey= ", vc_aaPrivateKey);
log("f_cfHttpUp: vc_aaPrivateEncKey= ", vc_aaPrivateEncKey);
log("f_cfHttpUp: vc_aaHashedId8= ", vc_aaHashedId8);
log("f_cfHttpUp: vc_aaWholeHash= ", vc_aaWholeHash);
log("f_cfHttpUp: vc_aaWholeHash256= ", vc_aaWholeHash256);
if (PICS_MULTIPLE_END_POINT == false) {
activate(a_default_pki_http());
......@@ -512,7 +516,11 @@ module LibItsPki_Functions {
} else if (PX_VE_ALG == e_brainpool_p256_r1) {
return f_signWithEcdsaBrainpoolp256WithSha256(p_toBeSignedSecuredMessage, p_certificateIssuer, p_privateKey);
} else if (PX_VE_ALG == e_brainpool_p384_r1) {
return f_signWithEcdsaBrainpoolp384WithSha384(p_toBeSignedSecuredMessage, p_certificateIssuer, p_privateKey);
if (p_certificateIssuer == int2oct(0, 32)) {
return f_signWithEcdsaBrainpoolp384WithSha384(p_toBeSignedSecuredMessage, int2oct(0, 48), p_privateKey);
} else {
return f_signWithEcdsaBrainpoolp384WithSha384(p_toBeSignedSecuredMessage, p_certificateIssuer, p_privateKey);
}
}
return ''O;
......@@ -588,6 +596,8 @@ module LibItsPki_Functions {
in HeaderLines p_headers,
in template (value) HttpMessage p_http_message
) runs on ItsPkiHttp {
log(">>> f_http_send: ", p_http_message);
if (not(PICS_MULTIPLE_END_POINT)) {
httpPort.send(p_http_message);
} else {
......@@ -642,6 +652,10 @@ module LibItsPki_Functions {
// Local variables
var PublicVerificationKey v_verification_tag;
var PublicEncryptionKey v_encryption_tag;
log(">>> f_generate_key_tag: p_public_key_compressed=", p_public_key_compressed);
log(">>> f_generate_key_tag: p_public_compressed_enc_key=", p_public_compressed_enc_key);
if (PX_VE_ALG == e_nist_p256) {
if (p_compressed_key_mode == 0) {
......@@ -669,13 +683,13 @@ module LibItsPki_Functions {
p_encoded_tag := bit2oct(encvalue(v_verification_tag));
if (PX_INCLUDE_ENCRYPTION_KEYS) {
v_encryption_tag.supportedSymmAlg := aes128Ccm;
if (PX_EC_ALG_FOR_AT == e_nist_p256) {
if (PX_EC_ALG_FOR_EC_SIGN == e_nist_p256) {
if (p_compressed_enc_key_mode == 0) {
v_encryption_tag.publicKey.eciesNistP256.compressed_y_0 := p_public_compressed_enc_key;
} else {
v_encryption_tag.publicKey.eciesNistP256.compressed_y_1 := p_public_compressed_enc_key;
}
} else if (PX_EC_ALG_FOR_AT == e_brainpool_p256_r1) {
} else if (PX_EC_ALG_FOR_EC_SIGN == e_brainpool_p256_r1) {
if (p_compressed_enc_key_mode == 0) {
v_encryption_tag.publicKey.eciesBrainpoolP256r1.compressed_y_0 := p_public_compressed_enc_key;
} else {
......@@ -740,7 +754,7 @@ module LibItsPki_Functions {
}
log("f_http_build_inner_ec_request: Public encryption key: ", v_public_enc_key);
log("f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash;
p_salt := vc_eaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys
v_result := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), PX_EC_ALG_FOR_EC, -, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate
......@@ -807,7 +821,7 @@ module LibItsPki_Functions {
}
log("f_http_build_inner_ec_request_with_wrong_parameters: Public encryption key: ", v_public_enc_key);
log("f_http_build_inner_ec_request_with_wrong_parameters: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash;
p_salt := vc_eaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys
v_result := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), PX_EC_ALG_FOR_EC, -, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate
......@@ -872,7 +886,7 @@ module LibItsPki_Functions {
}
log("*** f_http_build_invalid_enrolment_request: Public encryption key: ", v_public_enc_key);
log("*** f_http_build_invalid_enrolment_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash;
p_salt := vc_eaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys
v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), PX_EC_ALG_FOR_EC, -, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate
......@@ -998,8 +1012,8 @@ module LibItsPki_Functions {
var bitstring v_authorization_request_msg;
// Generate the InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***");
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
......@@ -1016,7 +1030,7 @@ module LibItsPki_Functions {
}
log("*** f_http_build_authorization_request: Public encryption key: ", v_public_enc_key);
log("*** f_http_build_authorization_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_aaWholeHash;
p_salt := vc_aaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
log("*** f_http_build_authorization_request: p_salt: ", p_salt);
if (PICS_PKI_AUTH_POP) {
if(f_build_pki_secured_request_message_signed_with_pop(p_private_key, valueof(m_signerIdentifier_self), vc_aaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_request(v_inner_at_request))), PX_EC_ALG_FOR_AT, -, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) {
......@@ -1064,8 +1078,8 @@ module LibItsPki_Functions {
var bitstring v_authorization_request_msg;
// Generate the InnerAtRequest
if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
log("*** f_http_build_authorization_request_with_wrong_private_key: ERROR: Failed to generate AuthorizationValidationRequest ***");
if (f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
log("*** f_http_build_authorization_request_with_wrong_private_key: ERROR: Failed to generate AuthorizationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
......@@ -1085,7 +1099,7 @@ module LibItsPki_Functions {
}
log("*** f_http_build_authorization_request_with_wrong_private_key: Public encryption key: ", v_public_enc_key);
log("*** f_http_build_authorization_request_with_wrong_private_key: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_aaWholeHash;
p_salt := vc_aaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
log("*** f_http_build_authorization_request_with_wrong_private_key: p_salt: ", p_salt);
if (PICS_PKI_AUTH_POP) {
if(f_build_pki_secured_request_message_signed_with_pop(p_private_key, valueof(m_signerIdentifier_self), vc_aaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_request(v_inner_at_request))), PX_EC_ALG_FOR_AT, -, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) {
......@@ -1148,12 +1162,12 @@ module LibItsPki_Functions {
v_ea_hashed_id8[0] := 'bb'O;
v_ea_hashed_id8[1] := 'cc'O;
log("f_http_build_authorization_request_with_wrong_parameters: Altered eaId= ", v_ea_hashed_id8);
v_ret_code := f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, v_ea_hashed_id8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
v_ret_code := f_generate_inner_at_request(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, v_ea_hashed_id8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
} else {
v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_generation_time, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, -, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_generation_time, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
}
if (v_ret_code == false) {
log("*** f_http_build_authorization_request_with_wrong_parameters: ERROR: Failed to generate AuthorizationValidationRequest ***");
log("*** f_http_build_authorization_request_with_wrong_parameters: ERROR: Failed to generate AuthorizationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
......@@ -1170,7 +1184,7 @@ module LibItsPki_Functions {
}
log("*** f_http_build_authorization_request_with_wrong_parameters: Public encryption key: ", v_public_enc_key);
log("*** f_http_build_authorization_request_with_wrong_parameters: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_aaWholeHash;
p_salt := vc_aaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
log("*** f_http_build_authorization_request_with_wrong_parameters: p_salt: ", p_salt);
if (PICS_PKI_AUTH_POP) {
if(f_build_pki_secured_request_message_signed_with_pop(p_private_key, valueof(m_signerIdentifier_self), vc_aaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_request(v_inner_at_request))), PX_EC_ALG_FOR_AT, p_alter_pop_signature, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) {
......@@ -1325,7 +1339,7 @@ module LibItsPki_Functions {
}
log("f_http_build_authorization_validation_request: Public encryption key: ", v_public_enc_key);
log("f_http_build_authorization_validation_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash;
p_salt := vc_eaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
log("f_http_build_authorization_validation_request: vc_aaHashedId8: ", vc_aaHashedId8);
log("f_http_build_authorization_validation_request: p_salt: ", p_salt);
if(f_build_pki_secured_request_message_signed_with_pop(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), PX_EC_ALG_FOR_ATV, -, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) {
......@@ -1374,7 +1388,7 @@ module LibItsPki_Functions {
}
log("f_http_build_invalid_authorization_validation_request: Public encryption key: ", v_public_enc_key);
log("f_http_build_invalid_authorization_validation_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash;
p_salt := vc_eaWholeHash256; // IEEE 1609.2: If the encryption key was obtained from a certificate c, P1 is SHA-256 (c), where c is the COER encoding of the certificate, canonicalized per 6.4.3.
log("f_http_build_invalid_authorization_validation_request: vc_aaHashedId8: ", vc_aaHashedId8);
log("f_http_build_invalid_authorization_validation_request: p_salt: ", p_salt);
if(f_build_pki_secured_request_message_signed_with_pop(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), PX_EC_ALG_FOR_ATV, true, p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) {
......@@ -1826,8 +1840,8 @@ module LibItsPki_Functions {
m_publicKeys(
v_public_verification_key
),
m_certificateSubjectAttributes_id_name(
oct2char(PICS_ITS_S_CANONICAL_ID),
m_certificateSubjectAttributes_id_omit/*FIXME No name*/(
/*oct2char(PICS_ITS_S_CANONICAL_ID),*/
{ // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
valueof(m_appPermissions(c_its_aid_SCR, { bitmapSsp := PX_INNER_EC_CERTFICATE_BITMAP_SSP_SCR }))
},
......@@ -1849,7 +1863,7 @@ module LibItsPki_Functions {
log("f_generate_inner_ec_request: This is a re-enrolment");
p_inner_ec_request.itsId := PX_EC_HASHED_ID8;
}
log("f_generate_inner_ec_request: ", p_inner_ec_request);
log("<<< f_generate_inner_ec_request: ", p_inner_ec_request);
return true;
} // End of function f_generate_inner_ec_request
......@@ -1975,7 +1989,7 @@ module LibItsPki_Functions {
)
);
// Signed the encoded InnerEcRequestSignedForPop
v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key);
v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key);
// Finalyse signed InnerEcRequestSignedForPop
if (PX_VE_ALG == e_nist_p256) {
v_signature := valueof(
......@@ -2074,6 +2088,7 @@ module LibItsPki_Functions {
function f_generate_inner_at_request(
in Certificate p_aa_certificate,
in SecurityAlg p_enc_algo := PX_EC_ALG_FOR_EC_SIGN,
in Oct8 p_aa_hashed_id8,
in Certificate p_ea_certificate,
in octetstring p_salt,
......@@ -2116,7 +2131,9 @@ module LibItsPki_Functions {
valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM })),
valueof(m_appPermissions(c_its_aid_DENM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_DENM }))
};
log(">>> f_generate_inner_at_request: p_enc_algo=", p_enc_algo);
// Generate verification keys for the certificate to be requested
if (f_generate_key_pair(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_key_mode) == false) {
log("f_generate_inner_at_request: Failed to generate verification key");
......@@ -2127,7 +2144,7 @@ module LibItsPki_Functions {
log ("f_generate_inner_at_request: AT verification public compressed mode: ", p_compressed_key_mode);
// Generate encryption keys for the certificate to be requested
if (PX_INCLUDE_ENCRYPTION_KEYS) {
if (f_generate_key_pair_for_encryption(PX_EC_ALG_FOR_AT, p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
if (f_generate_key_pair_for_encryption(p_enc_algo, p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
log("f_generate_inner_at_request: Failed to generate encryption key");
return false;
} else {
......@@ -2143,17 +2160,6 @@ module LibItsPki_Functions {
p_compressed_enc_key_mode := -1;
}
// Calculate the whole certificate SHA
v_enc_value := encvalue(p_ec_certificate);
if (ischosen(p_ec_certificate.issuer.sha256AndDigest)) {
v_ec_hash := f_hashWithSha256(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_HashedId8FromSha256(v_ec_hash);
} else {
v_ec_hash := f_hashWithSha384(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_HashedId8FromSha384(v_ec_hash);
}
log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash);
// Generate 32 octets length secret key
v_hmac_key := f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 12));
log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key);
......@@ -2201,6 +2207,18 @@ module LibItsPki_Functions {
(f_getCurrentTime()) * 1000) //us
);
log("f_generate_inner_at_request: v_tbs= ", v_tbs);
// Calculate the whole certificate SHA
v_enc_value := encvalue(p_ec_certificate);
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_ec_hash := f_hashWithSha384(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_HashedId8FromSha384(v_ec_hash);
} else {
v_ec_hash := f_hashWithSha256(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_HashedId8FromSha256(v_ec_hash);
}
log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash);
// Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request
// In case of ITS-S privacy, v_signed_at_signature contained the data to be encrypted
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
......@@ -2259,6 +2277,7 @@ module LibItsPki_Functions {
)
);
log("f_generate_inner_at_request: v_signed_at_signature= ", v_signed_at_signature);
log("f_generate_inner_at_request: p_ea_certificate= ", p_ea_certificate);
if (PICS_ITS_S_WITH_PRIVACY) { // Build EtsiTs102097Data-Encrypted structure
var octetstring v_public_enc_key;
......@@ -2274,7 +2293,7 @@ module LibItsPki_Functions {
var EncryptedDataEncryptionKey v_encrypted_data_encryption_key;
// Use EA certificate for the encryption
if (PX_EC_ALG_FOR_AT == e_nist_p256) {
if (p_enc_algo == e_nist_p256) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
v_compressed_mode := 0;
......@@ -2298,7 +2317,7 @@ module LibItsPki_Functions {
v_encrypted_sym_key,
v_authentication_vector
)));
} else if (PX_EC_ALG_FOR_AT == e_brainpool_p256_r1) {
} else if (p_enc_algo == e_brainpool_p256_r1) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
v_compressed_mode := 0;
......@@ -2386,7 +2405,7 @@ module LibItsPki_Functions {
} else {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(v_public_enc_key_x);
}
if (PX_EC_ALG_FOR_AT == e_nist_p256) {
if (p_enc_algo == e_nist_p256) {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesNistP256(v_enc_eccP256_curve_point));
} else {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesBrainpoolP256r1(v_enc_eccP256_curve_point));
......@@ -2415,6 +2434,7 @@ module LibItsPki_Functions {
function f_generate_inner_at_request_with_wrong_parameters(
in Certificate p_aa_certificate,
in SecurityAlg p_enc_algo := PX_EC_ALG_FOR_AT,
in Oct8 p_aa_hashed_id8,
in Certificate p_ea_certificate,
in octetstring p_salt,
......@@ -2465,7 +2485,9 @@ module LibItsPki_Functions {
valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM })),
valueof(m_appPermissions(c_its_aid_DENM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_DENM }))
};
log("f_generate_inner_at_request_with_wrong_parameters: p_enc_algo=", p_enc_algo);
// Generate verification keys for the certificate to be requested
if (f_generate_key_pair(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_key_mode) == false) {
log("f_generate_inner_at_request_with_wrong_parameters: Failed to generate verification key");
......@@ -2476,7 +2498,7 @@ module LibItsPki_Functions {
log ("f_generate_inner_at_request_with_wrong_parameters: AT verification public compressed mode: ", p_compressed_key_mode);
// Generate encryption keys for the certificate to be requested
if (PX_INCLUDE_ENCRYPTION_KEYS) {
if (f_generate_key_pair_for_encryption(PX_EC_ALG_FOR_AT, p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
if (f_generate_key_pair_for_encryption(p_enc_algo, p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
log("f_generate_inner_at_request_with_wrong_parameters: Failed to generate encryption key");
return false;
} else {
......@@ -2657,7 +2679,7 @@ module LibItsPki_Functions {
var EncryptedDataEncryptionKey v_encrypted_data_encryption_key;
// Use EA certificate for the encryption
if (PX_EC_ALG_FOR_AT == e_nist_p256) {
if (p_enc_algo == e_nist_p256) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
v_compressed_mode := 0;
......@@ -2681,7 +2703,7 @@ module LibItsPki_Functions {
v_encrypted_sym_key,
v_authentication_vector
)));
} else if (PX_EC_ALG_FOR_AT == e_brainpool_p256_r1) {
} else if (p_enc_algo == e_brainpool_p256_r1) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
v_compressed_mode := 0;
......@@ -2767,7 +2789,7 @@ module LibItsPki_Functions {
} else {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(v_public_enc_key_x);
}
if (PX_EC_ALG_FOR_AT == e_nist_p256) {
if (p_enc_algo == e_nist_p256) {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesNistP256(v_enc_eccP256_curve_point));
} else {
v_public_encryption_key := valueof(m_publicEncryptionKey_eciesBrainpoolP256r1(v_enc_eccP256_curve_point));
......@@ -2967,7 +2989,7 @@ module LibItsPki_Functions {
f_init_default_headers_list(-, "inner_ec_response", v_headers);
if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, vc_eaWholeHash, v_request.request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
if (f_verify_pki_request_message(vc_eaPrivateEncKey, vc_eaWholeHash/*salt*/, ''O, v_request.request.body.binary_body.ieee1609dot2_data, false, v_request_hash, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
log("f_await_ec_request_send_response: Failed to verify PKI message ***");
// Send error message
v_response := m_http_response(m_http_response_ko(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), v_headers, 400, "Bad request")); // Initialize v_reponse with an error message
......@@ -3598,9 +3620,35 @@ module LibItsPki_Functions {
// 4. Verifiy signature
log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData));
if (p_issuer == ''O) {
log("f_verify_pki_request_message: Invalid issuer value");
return false;
if (p_issuer == ''O) { // self
log("f_verify_pki_request_message: Issuer is self, check outer signature using IUT public key (PICS_ITS_S_SIGN_xxx_PUBLIC_KEY)");
var PublicVerificationKey v_verification_key;
if (PX_VE_ALG == e_nist_p256) {
if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) {
v_verification_key.ecdsaNistP256.compressed_y_0 := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32);
} else {
v_verification_key.ecdsaNistP256.compressed_y_1 := substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32);
}
} else if (PX_VE_ALG == e_brainpool_p256_r1) {
if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) {
v_verification_key.ecdsaNistP256.compressed_y_0 := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32);
} else {
v_verification_key.ecdsaNistP256.compressed_y_1 := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32);
}
} else if (PX_VE_ALG == e_brainpool_p384_r1) {
if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) {
v_verification_key.ecdsaNistP256.compressed_y_0 := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48);
} else {
v_verification_key.ecdsaNistP256.compressed_y_1 := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48);
}
}
log("f_verify_pki_request_message: v_verification_key=", v_verification_key);
if (f_verifyEcdsa(v_msg, p_issuer, v_ieee1609dot2_signed_data.content.signedData.signature_, v_verification_key) == false) {
if (p_check_security == true) {
return false;
}
}
//return false;
} else {
if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) {
if (p_check_security == true) {
......
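Review bot: In the new self-signed branch of f_verify_pki_request_message (the `p_issuer == ''O` case in the last hunk of this file), both Brainpool cases test the prefix octet of `PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY` and store the key under `v_verification_key.ecdsaNistP256`, so the compression mode is taken from a different key and the verification key is tagged with the wrong curve; the P-384 case also assigns 48 octets to that P-256 field. Each case should read the first octet of its own PICS key and fill the matching `ecdsaBrainpoolP256r1` / `ecdsaBrainpoolP384r1` alternative, as sketched below. Separately, a failed f_verifyEcdsa only returns false when p_check_security is true, and the leftover `//return false;` should be removed so the intent of the branch is unambiguous. The function starts and ends outside this hunk.

```ttcn3
// … unchanged: e_nist_p256 case …
} else if (PX_VE_ALG == e_brainpool_p256_r1) {
  if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) {
    v_verification_key.ecdsaBrainpoolP256r1.compressed_y_0 := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32);
  } else {
    v_verification_key.ecdsaBrainpoolP256r1.compressed_y_1 := substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32);
  }
} else if (PX_VE_ALG == e_brainpool_p384_r1) {
  if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) {
    v_verification_key.ecdsaBrainpoolP384r1.compressed_y_0 := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48);
  } else {
    v_verification_key.ecdsaBrainpoolP384r1.compressed_y_1 := substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48);
  }
}
// … unchanged: log of v_verification_key and f_verifyEcdsa call …
```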
......@@ -35,13 +35,17 @@ module LibItsPki_Pixits {
*/
modulepar SecurityAlg PX_EC_ALG_FOR_EC := e_nist_p256; // TODO Use RCA to determine encryption algorithm?
/**
* @desc Indicate which encryption algorithem to be used for Authorization Request
* @desc Indicate which encryption algorithem to be used for Authorization Request (AA certificate of the IUT)
*/
modulepar SecurityAlg PX_EC_ALG_FOR_AT := e_nist_p256;
/**
* @desc Indicate which encryption algorithem to be used for Authorization Validation Request
* @desc Indicate which encryption algorithem to be used for Authorization Validation Request (EA certificate of the IUT)
*/
modulepar SecurityAlg PX_EC_ALG_FOR_ATV := e_nist_p256;
/**
* @desc Indicate which encryption algorithem to be used for EcSignature (EA certificate of the IUT)
*/
modulepar SecurityAlg PX_EC_ALG_FOR_EC_SIGN := e_nist_p256;
/**
* @desc Indicate which verification algorithem to be used
......
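Review bot: The description of the new `PX_EC_ALG_FOR_EC_SIGN` does not say that its value has to agree with the encryption key type of the EA certificate, which is how the functions module uses it: f_generate_inner_at_request takes it as the default for `p_enc_algo` and then reads the `eciesNistP256` or `eciesBrainpoolP256r1` alternative of `p_ea_certificate` accordingly. I would extend the comment to something like `@desc Encryption algorithm used for the EcSignature; must match the encryption key type of the EA certificate`. Note also that f_generate_inner_at_request_with_wrong_parameters defaults `p_enc_algo` to `PX_EC_ALG_FOR_AT` instead, so the positive and negative request builders only agree when both parameters carry the same value; if that difference is intended it deserves a line in the description.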
......@@ -278,6 +278,15 @@ module LibItsPki_Templates {
certIssuePermissions := omit
} // End of template m_certificateSubjectAttributes_id_none
template (omit) CertificateSubjectAttributes m_certificateSubjectAttributes_id_omit(
in template (value) SequenceOfPsidSsp p_appPermissions,
in template (omit) ValidityPeriod p_validityPeriod := omit,
in template (omit) GeographicRegion p_region := omit,
in template (omit) SubjectAssurance p_assuranceLevel := omit
) modifies m_certificateSubjectAttributes_id_none := {
id := omit
} // End of template m_certificateSubjectAttributes_id_omit
template (omit) CertificateSubjectAttributes m_certificateSubjectAttributes_id_name(
in template (value) Hostname p_name,
in template (value) SequenceOfPsidSsp p_appPermissions,
......@@ -482,7 +491,7 @@ module LibItsPki_Templates {
template (present) SequenceOfPsidSsp p_appPermissions := ?,
template CertificateId p_id := *,
template (present) ValidityPeriod p_validityPeriod := ?,
template (present) SubjectAssurance p_assuranceLevel := ?,
template SubjectAssurance p_assuranceLevel := *,
template GeographicRegion p_region := *,
template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit
) := {
......
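Review bot: The default of `p_assuranceLevel` in the second hunk goes from `template (present) … := ?` to `:= *`, so every existing user of this matching template now accepts a certificate without an assurance level unless it passes the argument explicitly. If only some test cases need the relaxed match, I would keep the stricter default and let those callers pass `*`; otherwise add a comment on the parameter such as `// may be absent; pass ? where the test requires an assurance level`. The template's name and body lie outside the hunk, so which tests are affected cannot be checked from here.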
......@@ -77,11 +77,13 @@ module LibItsPki_TestSystem {
var octetstring vc_eaPrivateKey; /** Test Adapter EA private key for signature */
var octetstring vc_eaPrivateEncKey; /** Test Adapter EA private key for encryption */
var octetstring vc_eaWholeHash; /** Test Adapter EA whole-hash for signature check */
var octetstring vc_eaWholeHash256; /** Test Adapter EA whole-hash using SHA 256 for encryption because of encryption key size ==32 */
var HashedId8 vc_eaHashedId8; /** Test Adapter EA HashedId8 for decryption of IUT's response */
var octetstring vc_aaPrivateKey; /** Test Adapter AA private key for signature */
var octetstring vc_aaPrivateEncKey; /** Test Adapter AA private key for encryption */
var HashedId8 vc_aaHashedId8; /** Test Adapter AA HashedId8 for decryption of IUT's response */
var octetstring vc_aaWholeHash; /** Test Adapter AA whole-hash for signature check */
var octetstring vc_aaWholeHash256; /** Test Adapter EA whole-hash using SHA 256 for encryption because of encryption key size ==32 */
} // End of component ItsPkiHttp
/**
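Review bot: The doc comment on the new `vc_aaWholeHash256` declaration still says "Test Adapter EA whole-hash", which looks copied from the `vc_eaWholeHash256` line, although the variable sits with the other AA fields. It should read `/** Test Adapter AA whole-hash using SHA 256 for encryption because of encryption key size ==32 */`. The component definition starts outside this hunk, so only the visible declarations were checked.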
......
......@@ -107,6 +107,9 @@ module LibItsSecurity_Functions {
in Oct48 p_certificateIssuer,
in Oct48 p_privateKey
) return octetstring {
log(">>> f_signWithEcdsaBrainpoolp384WithSha384: ", p_toBeSignedSecuredMessage);
log(">>> f_signWithEcdsaBrainpoolp384WithSha384: ", p_certificateIssuer);
log(">>> f_signWithEcdsaBrainpoolp384WithSha384: ", p_privateKey);
return fx_signWithEcdsaBrainpoolp384WithSha384(
p_toBeSignedSecuredMessage,
p_certificateIssuer,
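Review bot: The third `log` call at the top of `f_signWithEcdsaBrainpoolp384WithSha384` prints `p_privateKey` in clear, so every signing operation writes the private signing key into the execution log. Judging by the hunk header counts, the three `log` lines are the additions here. Test logs are commonly archived or attached to reports, so the key should not appear in them. Drop that line, or trace only a non-secret property, e.g. `log(">>> f_signWithEcdsaBrainpoolp384WithSha384: private key length=", lengthof(p_privateKey));`. If the full value is needed while debugging, gate the trace behind a module parameter that defaults to off. The function signature begins before this hunk and the `fx_` call continues past it.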
......@@ -865,8 +868,8 @@ module LibItsSecurity_Functions {
);
p_securedMessage.content.signedData.signature_ := valueof(m_signature_ecdsaBrainpoolP384r1(
m_ecdsaP384Signature(
m_eccP384CurvePoint_x_only(substr(v_signature, 0, 32)),
substr(v_signature, 32, 32)
m_eccP384CurvePoint_x_only(substr(v_signature, 0, 48)),
substr(v_signature, 48, 48)
)
));
} // TODO To be continued
......@@ -904,7 +907,7 @@ module LibItsSecurity_Functions {
var octetstring v_secPayload, v_signature;
var template (value) ToBeSignedData v_toBeSignedData;
var integer i, j, k, n;
var HeaderInfo v_headerFields := {};
var HeaderInfo v_headerFields;
var Ieee1609Dot2Content v_toBeSignedPayload;
var Oct32 v_privateKey;
var UInt8 v_trailerSize;
......@@ -1207,7 +1210,7 @@ module LibItsSecurity_Functions {
// Local variables
var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;
var HeaderInfo v_mandatoryHeaders := {};
var HeaderInfo v_mandatoryHeaders;
var HeaderInfo v_signerInfo;
// Load certificates if required
......@@ -1282,7 +1285,7 @@ module LibItsSecurity_Functions {
// Local variables
var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;
var HeaderInfo v_mandatoryHeaders := {};
var HeaderInfo v_mandatoryHeaders;
var HeaderInfo v_signerInfo;
// Load certificates if required
......@@ -1359,7 +1362,7 @@ module LibItsSecurity_Functions {
// Local variables
var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;
var HeaderInfo v_mandatoryHeaders := {};
var HeaderInfo v_mandatoryHeaders;
var HeaderInfo v_signerInfo;
// Load certificates if required
......@@ -1429,7 +1432,7 @@ module LibItsSecurity_Functions {
// Local variables
var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;
var HeaderInfo v_mandatoryHeaders := {};
var HeaderInfo v_mandatoryHeaders;
var HeaderInfo v_signerInfo;
// Load certificates if required
......@@ -1504,7 +1507,7 @@ module LibItsSecurity_Functions {
// Local variables
var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;
var HeaderInfo v_mandatoryHeaders := {};
var HeaderInfo v_mandatoryHeaders;
var HeaderInfo v_signerInfo;
// Load certificates if required
......@@ -2044,7 +2047,7 @@ module LibItsSecurity_Functions {
}
} // End of 'for' statement
if (v_found == false) {
log("f_verifySspPermissions: Permission set not found: ", v_issuerPsidSsp)
log("f_verifySspPermissions: Permission set not found: ", v_issuerPsidSsp);
if (p_strict_checks == true) {
return false;
} else {
......@@ -2054,7 +2057,7 @@ module LibItsSecurity_Functions {
// 2. Validate bits mask
if (ispresent(v_issuerPsidSsp.ssp)) {
if (ispresent(v_subordinatePsidSsp.ssp) == false) {
log("f_verifySspPermissions: Ssp shall not be omitted: ", v_issuerPsidSsp)
log("f_verifySspPermissions: Ssp shall not be omitted: ", v_issuerPsidSsp);
if (p_strict_checks == true) {
return false;
}
......@@ -2277,6 +2280,23 @@ module LibItsSecurity_Functions {
return true;
} // End of function f_getCertificateHash
/**
* @desc Read the whole-hash of the certificate SHA 256
* @param p_certificate_id the certificate identifier
* @param p_hash the whole-hash of the certificate using SHA 256
* @return true on success, false otherwise
*/
function f_getCertificateHash256(
in charstring p_certificate_id,
out Oct32 p_hash
) return boolean {
if (not fx_readCertificateHash256(p_certificate_id, p_hash)){
log("f_getCertificateHash256: Failed to retrieve digest for ", p_certificate_id);
return false;
}
return true;
} // End of function f_getCertificateHash
function f_getCertificateFromDigest(
in HashedId8 p_digest,
out EtsiTs103097Certificate p_certificate
......@@ -2657,7 +2677,7 @@ module LibItsSecurity_Functions {
* @return true on success, false otherwise
*/
external function fx_loadCertificates(in charstring p_rootDirectory, in charstring p_configId) return boolean;
external function fx_store_certificate(in charstring p_cert_id, in octetstring p_cert, in octetstring p_private_key, in octetstring p_public_key_x, in octetstring p_public_key_y, in octetstring p_public_key_compressed, in integer p_public_key_compressed_mode, in octetstring p_hash, in octetstring p_hashid8, in octetstring p_issuer, in template (omit) octetstring p_private_enc_key, in template (omit) octetstring p_public_enc_key_x, in template (omit) octetstring p_public_enc_key_y, in template (omit) octetstring p_public_enc_compressed_key, in template (omit) integer p_public_enc_key_compressed_mode) return boolean;
external function fx_store_certificate(in charstring p_cert_id, in octetstring p_cert, in octetstring p_private_key, in octetstring p_public_key_x, in octetstring p_public_key_y, in octetstring p_public_key_compressed, in integer p_public_key_compressed_mode, in octetstring p_hash, in octetstring p_hash_256, in octetstring p_hashid8, in octetstring p_issuer, in template (omit) octetstring p_private_enc_key, in template (omit) octetstring p_public_enc_key_x, in template (omit) octetstring p_public_enc_key_y, in template (omit) octetstring p_public_enc_compressed_key, in template (omit) integer p_public_enc_key_compressed_mode) return boolean;
/**
* @desc Unload from memory cache the certificates
......@@ -2689,6 +2709,14 @@ module LibItsSecurity_Functions {
*/
external function fx_readCertificateHash(in charstring p_certificate_id, out octetstring p_hash) return boolean;
/**