Loading ttcn/Http/LibItsHttp_Templates.ttcn +13 −0 Original line number Diff line number Diff line Loading @@ -140,6 +140,19 @@ module LibItsHttp_Templates { body := p_body } // End of template m_http_response_ko template (value) Response m_http_response_ko_no_body( in template (value) HeaderLines p_header, in template (value) integer p_statuscode := 404, in template (value) charstring p_statustext := "Not found" ) := { version_major := 1, version_minor := 1, statuscode := p_statuscode, statustext := p_statustext, header := p_header, body := omit } // End of template m_http_response_ko_no_body template Response mw_http_response_ko( template HttpMessageBody p_body := *, template (present) HeaderLines p_header := ? Loading ttcn/Pki/LibItsPki_Functions.ttcn +143 −56 Original line number Diff line number Diff line Loading @@ -144,9 +144,6 @@ module LibItsPki_Functions { inout ItsPkiItss p_itss, inout ItsPkiHttp p_pki ) runs on ItsMtc { p_itss := ItsPkiItss.create("IUT") alive; p_pki := ItsPkiHttp.create("TS") alive; disconnect(self:syncPort, mtc:syncPort); disconnect(p_itss:syncPort, self:syncPort); disconnect(p_pki:syncPort, self:syncPort); Loading Loading @@ -245,12 +242,12 @@ module LibItsPki_Functions { } // End of function f_utInitializeIut function f_sendUtTriggerPrimitive( in octetstring p_canonical_id, in Oct1 p_enc_algorithm, in octetstring p_private_key, in octetstring p_public_key_compressed, in integer p_compressed_mode function f_sendUtTriggerEnrolmentRequestPrimitive( in octetstring p_canonical_id := ''O, in Oct1 p_enc_algorithm := '00'O, in octetstring p_private_key := ''O, in octetstring p_public_key_compressed := ''O, in integer p_compressed_mode := 0 ) runs on ItsPkiItss { var TriggerEnrolmentRequest v_ut_trigger_enrolment_request; var octetstring v_compressed_public_key; Loading @@ -270,7 +267,42 @@ module LibItsPki_Functions { } [] utPort.receive(UtPkiResults: { utPkiTriggerResult := false }) { tc_ac.stop; log("*** f_sendUtTriggerPrimitive: ERROR: Received unexpected message ***"); log("*** f_sendUtTriggerEnrolmentRequestPrimitive: ERROR: Received unexpected message ***"); f_selfOrClientSyncAndVerdict("error", e_error); } [] tc_ac.timeout { log("*** f_sendAcPkiPrimitive: ERROR: Timeout while waiting for adapter control event result ***"); f_selfOrClientSyncAndVerdict("error", e_timeout); } } // End of 'alt' statement } // End of function f_sendUtTriggerEnrolmentRequestPrimitive function f_sendUtTriggerAuthorizationRequestPrimitive( in octetstring p_canonical_id := ''O, in Oct1 p_enc_algorithm := '00'O, in octetstring p_private_key := ''O, in octetstring p_public_key_compressed := ''O, in integer p_compressed_mode := 0 ) runs on ItsPkiItss { var TriggerAuthorizationRequest v_ut_trigger_enrolment_request; var octetstring v_compressed_public_key; if (p_compressed_mode == 2) { // TODO v_compressed_public_key := int2oct(p_compressed_mode, 1) & p_public_key_compressed? v_compressed_public_key := '02'O & p_public_key_compressed; } else { v_compressed_public_key := '03'O & p_public_key_compressed; } v_ut_trigger_enrolment_request := { p_canonical_id, p_enc_algorithm, p_private_key, v_compressed_public_key }; utPort.send(UtPkiTrigger: { triggerAuthorizationRequest := v_ut_trigger_enrolment_request }); tc_ac.start; alt { [] utPort.receive(UtPkiResults: { utPkiTriggerResult := true }) { tc_ac.stop; } [] utPort.receive(UtPkiResults: { utPkiTriggerResult := false }) { tc_ac.stop; log("*** f_sendUtTriggerAuthorizationRequestPrimitive: ERROR: Received unexpected message ***"); f_selfOrClientSyncAndVerdict("error", e_error); } [] tc_ac.timeout { Loading @@ -278,7 +310,7 @@ module LibItsPki_Functions { f_selfOrClientSyncAndVerdict("error", e_timeout); } } // End of 'alt' statement } // End of function f_sendUtTriggerPrimitive } // End of function f_sendUtTriggerAuthorizationRequestPrimitive } // End of group ut_port Loading Loading @@ -327,7 +359,10 @@ module LibItsPki_Functions { ) return boolean { var boolean v_ret := false; log(" >>> f_verifyEcdsa"); log(" >>> f_verifyEcdsa: p_tbs", p_tbs); log(" >>> f_verifyEcdsa: p_issuer", p_issuer); log(" >>> f_verifyEcdsa: p_signature_", p_signature_); log(" >>> f_verifyEcdsa: p_verification_key", p_verification_key); if (ischosen(p_verification_key.ecdsaNistP256)) { if (ischosen(p_verification_key.ecdsaNistP256.compressed_y_0)) { Loading Loading @@ -402,22 +437,22 @@ module LibItsPki_Functions { var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop; var octetstring v_public_enc_key; var integer v_compressed_enc_key_mode; var boolean v_ret_code; var boolean v_result; log(">>> f_http_build_inner_ec_request"); if (f_generate_inner_ec_request(p_private_key, p_public_key_compressed, p_compressed_mode, v_inner_ec_request) == false) { log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log ("f_http_build_enrolment_request: EC verification private key: ", p_private_key); log ("f_http_build_enrolment_request: EC verification public compressed key: ", p_public_key_compressed); log ("f_http_build_enrolment_request: EC verification public compressed mode: ", p_compressed_mode); log ("f_http_build_enrolment_request: ==> EC verification private key: ", p_private_key); log ("f_http_build_enrolment_request: ==> EC verification public compressed key: ", p_public_key_compressed); log ("f_http_build_enrolment_request: ==> EC verification public compressed mode: ", p_compressed_mode); // Generate InnerEcRequestSignedForPoP if (f_generate_inner_ec_request_signed_for_pop(p_private_key, v_inner_ec_request, v_inner_ec_request_signed_for_pop) == false) { log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop); log("f_http_build_enrolment_request: v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop); // Secure InnerEcRequestSignedForPoP message if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) { Loading @@ -428,23 +463,24 @@ module LibItsPki_Functions { v_public_enc_key := 'DD4F6B0DF57C6E3BD0E32B565CACA1D858CEB08A5C2BBAB2C23E203C6DE697FF'O; v_compressed_enc_key_mode := 0; } log("*** f_http_build_inner_ec_request: Public encryption key: ", v_public_enc_key); log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode); log("f_http_build_inner_ec_request: Public encryption key: ", v_public_enc_key); log("f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode); p_salt := vc_eaWholeHash; if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); v_result := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } else { // We use last valid EC certificate var Oct32 v_ec_private_key := PX_EC_PRIVATE_KEY; var HashedId8 v_ec_hashed_id8 := PX_EC_HASHED_ID8; // Retrieve EC certificate from the first enrolment v_ret_code := f_build_pki_secured_request_message_signed_with_pop(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); // TODO Retrieve EC certificate from the first enrolment instead of PX log("f_http_build_inner_ec_request: v_ec_private_key: ", PX_EC_PRIVATE_KEY); log("f_http_build_inner_ec_request: v_ec_hashed_id8: ", PX_EC_HASHED_ID8); v_result := f_build_pki_secured_request_message_signed_with_pop(PX_EC_PRIVATE_KEY, valueof(m_signerIdentifier_digest(PX_EC_HASHED_ID8)), PX_EC_HASHED_ID8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } if (v_ret_code == false) { if (v_result == false) { log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); f_selfOrClientSyncAndVerdict("error", e_error); } else { log("f_http_build_inner_ec_request: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data); log("f_http_build_inner_ec_request: p_request_hash= ", p_request_hash); } log("*** f_http_build_inner_ec_request: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data); log("*** f_http_build_inner_ec_request: p_request_hash= ", p_request_hash); } // End of function f_http_build_inner_ec_request function f_http_build_invalid_enrolment_request( Loading Loading @@ -496,11 +532,10 @@ module LibItsPki_Functions { if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } else { // We use last valid EC certificate var Oct32 v_ec_private_key; var HashedId8 v_ec_hashed_id8; // Retrieve EC certificate from the first enrolment // TODO Set v_ec_private_key & v_ec_hashed_id8 v_ret_code := f_build_pki_secured_request_message_signed_with_pop(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); // TODO Retrieve EC certificate from the first enrolment instead of PX log("f_http_build_inner_ec_request: v_ec_private_key: ", PX_EC_PRIVATE_KEY); log("f_http_build_inner_ec_request: v_ec_hashed_id8: ", PX_EC_HASHED_ID8); v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PX_EC_PRIVATE_KEY, valueof(m_signerIdentifier_digest(PX_EC_HASHED_ID8)), PX_EC_HASHED_ID8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } if (v_ret_code == false) { log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); Loading Loading @@ -1012,6 +1047,10 @@ module LibItsPki_Functions { ) ) ); if (PICS_SECPKI_REENROLMENT) { // This is a re-enrolment, the identifier of its current valid Enrolment Credential log("f_generate_inner_ec_request: This is a re-enrolment"); p_inner_ec_request.itsId := PX_EC_HASHED_ID8; } log("f_generate_inner_ec_request: ", p_inner_ec_request); return true; Loading @@ -1038,8 +1077,8 @@ module LibItsPki_Functions { v_encoded_inner_ec_request ) ), m_headerInfo_inner_ec_request( c_its_aid_SCR, m_headerInfo_inner_pki_request( -, f_getCurrentTimeUtc() ) ); Loading Loading @@ -1113,7 +1152,7 @@ module LibItsPki_Functions { log("f_verify_inner_ec_request_signed_for_pop: v_inner_ec_request= ", p_inner_ec_request); // 2. Verify the InnerEcRequestSignedForPop signature // TODO } return true; Loading Loading @@ -1239,8 +1278,8 @@ module LibItsPki_Functions { // Build the ETsiTs103097Data-SignedExternalPayload v_tbs := m_toBeSignedData( m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash m_headerInfo_inner_ec_request( // HeaderInfo c_its_aid_SCR, m_headerInfo_inner_pki_request( // HeaderInfo -, f_getCurrentTimeUtc()) ); log("f_generate_inner_at_request: v_tbs= ", v_tbs); Loading Loading @@ -1673,17 +1712,18 @@ module LibItsPki_Functions { m_signedDataPayload( m_etsiTs103097Data_unsecured(p_pki_message) ), m_headerInfo_inner_ec_request(c_its_aid_SCR, f_getCurrentTimeUtc()) m_headerInfo_inner_pki_request(-, f_getCurrentTimeUtc()) ); log("f_build_pki_secured_request_message_signed_with_pop: signer: ", p_signer_identifier); if (ischosen(p_signer_identifier.self_)) { if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys //if (ischosen(p_signer_identifier.self_)) { v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key); } else { var charstring v_certificate_id; /*var charstring v_certificate_id; var octetstring v_hash; fx_readCertificateFromDigest(p_signer_identifier.digest, v_certificate_id); // TODO Add a wrapper function f_getCertificateHash(v_certificate_id, v_hash); v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), v_hash, p_private_key); f_getCertificateHash(v_certificate_id, v_hash);*/ v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), PX_EC_HASH, p_private_key); } // Add the signature and create EtsiTs103097Data-Signed data structure if (PX_VE_ALG == e_nist_p256) { Loading Loading @@ -2073,7 +2113,7 @@ module LibItsPki_Functions { m_signedDataPayload( m_etsiTs103097Data_unsecured(p_pki_message) ), m_headerInfo_inner_ec_response(c_its_aid_SCR, f_getCurrentTimeUtc()) m_headerInfo_inner_pki_response(-, f_getCurrentTimeUtc()) ); if (ischosen(p_signer_identifier.self_)) { v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key); Loading Loading @@ -2199,8 +2239,10 @@ module LibItsPki_Functions { log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData); v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData)); if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) { if (p_check_security == true) { return false; } } log("f_verify_pki_request_message: v_certificate= ", v_certificate); if (f_verifyEcdsa(v_msg, p_issuer, v_ieee1609dot2_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { if (p_check_security == true) { Loading @@ -2212,12 +2254,15 @@ module LibItsPki_Functions { log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData); v_msg_bit := oct2bit(v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData); if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) { if (p_check_security == true) { return false; } } if (p_etsi_ts_102941_data.version != PkiProtocolVersion) { if (p_check_security == true) { return false; } } log("<<< f_verify_pki_request_message: true"); return true; Loading Loading @@ -2319,16 +2364,19 @@ module LibItsPki_Functions { in integer p_compressed_mode ) return boolean { var bitstring v_encoded_cert; var Oct32 v_ec_cert_hash; var HashedId8 v_ec_cert_hashed_id8; // Calculate the HashedId8 of the whole certificate v_encoded_cert := encvalue(p_ec_certificate); v_ec_cert_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256(bit2oct(v_encoded_cert))); log("f_verify_ec_certificate: EC certificate HashedId8: ", v_ec_cert_hashed_id8); v_ec_cert_hash := f_hashWithSha256(bit2oct(v_encoded_cert)); log("f_verify_ec_certificate: ==> EC certificate Hash: ", v_ec_cert_hash); v_ec_cert_hashed_id8 := f_HashedId8FromSha256(v_ec_cert_hash); log("f_verify_ec_certificate: ==> EC certificate HashedId8: ", v_ec_cert_hashed_id8); // Check the signer log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_self())); if (match(p_ec_certificate.issuer, mw_issuerIdentifier_self)) { log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_sha256AndDigest)); if (match(p_ec_certificate.issuer, mw_issuerIdentifier_sha256AndDigest)) { return false; } Loading @@ -2339,6 +2387,9 @@ module LibItsPki_Functions { return false; } // TODO Check that requested information are present return true; } // End of function f_verify_ec_certificate Loading Loading @@ -2549,6 +2600,42 @@ module LibItsPki_Functions { } } // End of altstep a_default_pki_http_at altstep a_await_ec_http_response_from_iut( template HttpMessage p_http_message, out HttpMessage p_response ) runs on ItsPkiHttp { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive(p_http_message) -> value p_response { log("a_await_ec_http_response_from_iut: Received message on httpPort"); } [PICS_MULTIPLE_END_POINT] httpEcPort.receive(p_http_message) -> value p_response { log("a_await_ec_http_response_from_iut: Received message on httpEcPort"); } } // End of altstep a_await_ec_http_response_from_iut altstep a_await_at_http_response_from_iut( template HttpMessage p_http_message, out HttpMessage p_response ) runs on ItsPkiHttp { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive(p_http_message) -> value p_response { log("a_await_at_http_response_from_iut: Received message on httpPort"); } [PICS_MULTIPLE_END_POINT] httpAtPort.receive(p_http_message) -> value p_response { log("a_await_at_http_response_from_iut: Received message on httpAtPort"); } } // End of altstep a_await_at_http_response_from_iut altstep a_await_avt_http_response_from_iut( template HttpMessage p_http_message, out HttpMessage p_response ) runs on ItsPkiHttp { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive(p_http_message) -> value p_response { log("a_await_avt_http_response_from_iut: Received message on httpPort"); } [PICS_MULTIPLE_END_POINT] httpAtVPort.receive(p_http_message) -> value p_response { log("a_await_avt_http_response_from_iut: Received message on httpAtVPort"); } } // End of altstep a_await_avt_http_response_from_iut } // End of group altsteps } // End of module LibItsPki_Functions ttcn/Pki/LibItsPki_Pixits.ttcn +5 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,11 @@ module LibItsPki_Pixits { */ modulepar HashedId8 PX_EC_HASHED_ID8 := int2oct(0, 8); /** * @desc Contains the hash of the EC certificate, used in case of re-enrolment */ modulepar Oct32 PX_EC_HASH := int2oct(0, 32); /** * @desc Indicate which encryption algorithem to be used */ Loading ttcn/Pki/LibItsPki_Templates.ttcn +16 −0 Original line number Diff line number Diff line Loading @@ -415,4 +415,20 @@ module LibItsPki_Templates { certIssuePermissions := p_certIssuePermissions } // End of template m_certificate_subject_attributes template CertificateSubjectAttributes mw_certificate_subject_attributes( template (present) SequenceOfPsidSsp p_appPermissions := ?, template (present) CertificateId p_id := ?, template (present) ValidityPeriod p_validityPeriod := ?, template (present) SubjectAssurance p_assuranceLevel := ?, template GeographicRegion p_region := *, template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit ) := { id := p_id, validityPeriod := p_validityPeriod, region := p_region, assuranceLevel := p_assuranceLevel, appPermissions := p_appPermissions, certIssuePermissions := p_certIssuePermissions } // End of template mw_certificate_subject_attributes } // End of module LibItsPki_Templates ttcn/Pki/LibItsPki_TypesAndValues.ttcn +2 −0 Original line number Diff line number Diff line Loading @@ -29,6 +29,8 @@ module LibItsPki_TypesAndValues { e_brainpool_p384_r1 (2) } // End of type SecurityAlg type set of PublicVerificationKey ListOfPublicVerificationKey; group utPrimitives { /** Loading Loading
ttcn/Http/LibItsHttp_Templates.ttcn +13 −0 Original line number Diff line number Diff line Loading @@ -140,6 +140,19 @@ module LibItsHttp_Templates { body := p_body } // End of template m_http_response_ko template (value) Response m_http_response_ko_no_body( in template (value) HeaderLines p_header, in template (value) integer p_statuscode := 404, in template (value) charstring p_statustext := "Not found" ) := { version_major := 1, version_minor := 1, statuscode := p_statuscode, statustext := p_statustext, header := p_header, body := omit } // End of template m_http_response_ko_no_body template Response mw_http_response_ko( template HttpMessageBody p_body := *, template (present) HeaderLines p_header := ? Loading
ttcn/Pki/LibItsPki_Functions.ttcn +143 −56 Original line number Diff line number Diff line Loading @@ -144,9 +144,6 @@ module LibItsPki_Functions { inout ItsPkiItss p_itss, inout ItsPkiHttp p_pki ) runs on ItsMtc { p_itss := ItsPkiItss.create("IUT") alive; p_pki := ItsPkiHttp.create("TS") alive; disconnect(self:syncPort, mtc:syncPort); disconnect(p_itss:syncPort, self:syncPort); disconnect(p_pki:syncPort, self:syncPort); Loading Loading @@ -245,12 +242,12 @@ module LibItsPki_Functions { } // End of function f_utInitializeIut function f_sendUtTriggerPrimitive( in octetstring p_canonical_id, in Oct1 p_enc_algorithm, in octetstring p_private_key, in octetstring p_public_key_compressed, in integer p_compressed_mode function f_sendUtTriggerEnrolmentRequestPrimitive( in octetstring p_canonical_id := ''O, in Oct1 p_enc_algorithm := '00'O, in octetstring p_private_key := ''O, in octetstring p_public_key_compressed := ''O, in integer p_compressed_mode := 0 ) runs on ItsPkiItss { var TriggerEnrolmentRequest v_ut_trigger_enrolment_request; var octetstring v_compressed_public_key; Loading @@ -270,7 +267,42 @@ module LibItsPki_Functions { } [] utPort.receive(UtPkiResults: { utPkiTriggerResult := false }) { tc_ac.stop; log("*** f_sendUtTriggerPrimitive: ERROR: Received unexpected message ***"); log("*** f_sendUtTriggerEnrolmentRequestPrimitive: ERROR: Received unexpected message ***"); f_selfOrClientSyncAndVerdict("error", e_error); } [] tc_ac.timeout { log("*** f_sendAcPkiPrimitive: ERROR: Timeout while waiting for adapter control event result ***"); f_selfOrClientSyncAndVerdict("error", e_timeout); } } // End of 'alt' statement } // End of function f_sendUtTriggerEnrolmentRequestPrimitive function f_sendUtTriggerAuthorizationRequestPrimitive( in octetstring p_canonical_id := ''O, in Oct1 p_enc_algorithm := '00'O, in octetstring p_private_key := ''O, in octetstring p_public_key_compressed := ''O, in integer p_compressed_mode := 0 ) runs on ItsPkiItss { var TriggerAuthorizationRequest v_ut_trigger_enrolment_request; var octetstring v_compressed_public_key; if (p_compressed_mode == 2) { // TODO v_compressed_public_key := int2oct(p_compressed_mode, 1) & p_public_key_compressed? v_compressed_public_key := '02'O & p_public_key_compressed; } else { v_compressed_public_key := '03'O & p_public_key_compressed; } v_ut_trigger_enrolment_request := { p_canonical_id, p_enc_algorithm, p_private_key, v_compressed_public_key }; utPort.send(UtPkiTrigger: { triggerAuthorizationRequest := v_ut_trigger_enrolment_request }); tc_ac.start; alt { [] utPort.receive(UtPkiResults: { utPkiTriggerResult := true }) { tc_ac.stop; } [] utPort.receive(UtPkiResults: { utPkiTriggerResult := false }) { tc_ac.stop; log("*** f_sendUtTriggerAuthorizationRequestPrimitive: ERROR: Received unexpected message ***"); f_selfOrClientSyncAndVerdict("error", e_error); } [] tc_ac.timeout { Loading @@ -278,7 +310,7 @@ module LibItsPki_Functions { f_selfOrClientSyncAndVerdict("error", e_timeout); } } // End of 'alt' statement } // End of function f_sendUtTriggerPrimitive } // End of function f_sendUtTriggerAuthorizationRequestPrimitive } // End of group ut_port Loading Loading @@ -327,7 +359,10 @@ module LibItsPki_Functions { ) return boolean { var boolean v_ret := false; log(" >>> f_verifyEcdsa"); log(" >>> f_verifyEcdsa: p_tbs", p_tbs); log(" >>> f_verifyEcdsa: p_issuer", p_issuer); log(" >>> f_verifyEcdsa: p_signature_", p_signature_); log(" >>> f_verifyEcdsa: p_verification_key", p_verification_key); if (ischosen(p_verification_key.ecdsaNistP256)) { if (ischosen(p_verification_key.ecdsaNistP256.compressed_y_0)) { Loading Loading @@ -402,22 +437,22 @@ module LibItsPki_Functions { var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop; var octetstring v_public_enc_key; var integer v_compressed_enc_key_mode; var boolean v_ret_code; var boolean v_result; log(">>> f_http_build_inner_ec_request"); if (f_generate_inner_ec_request(p_private_key, p_public_key_compressed, p_compressed_mode, v_inner_ec_request) == false) { log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log ("f_http_build_enrolment_request: EC verification private key: ", p_private_key); log ("f_http_build_enrolment_request: EC verification public compressed key: ", p_public_key_compressed); log ("f_http_build_enrolment_request: EC verification public compressed mode: ", p_compressed_mode); log ("f_http_build_enrolment_request: ==> EC verification private key: ", p_private_key); log ("f_http_build_enrolment_request: ==> EC verification public compressed key: ", p_public_key_compressed); log ("f_http_build_enrolment_request: ==> EC verification public compressed mode: ", p_compressed_mode); // Generate InnerEcRequestSignedForPoP if (f_generate_inner_ec_request_signed_for_pop(p_private_key, v_inner_ec_request, v_inner_ec_request_signed_for_pop) == false) { log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); f_selfOrClientSyncAndVerdict("error", e_error); } log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop); log("f_http_build_enrolment_request: v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop); // Secure InnerEcRequestSignedForPoP message if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) { Loading @@ -428,23 +463,24 @@ module LibItsPki_Functions { v_public_enc_key := 'DD4F6B0DF57C6E3BD0E32B565CACA1D858CEB08A5C2BBAB2C23E203C6DE697FF'O; v_compressed_enc_key_mode := 0; } log("*** f_http_build_inner_ec_request: Public encryption key: ", v_public_enc_key); log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode); log("f_http_build_inner_ec_request: Public encryption key: ", v_public_enc_key); log("f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode); p_salt := vc_eaWholeHash; if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); v_result := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } else { // We use last valid EC certificate var Oct32 v_ec_private_key := PX_EC_PRIVATE_KEY; var HashedId8 v_ec_hashed_id8 := PX_EC_HASHED_ID8; // Retrieve EC certificate from the first enrolment v_ret_code := f_build_pki_secured_request_message_signed_with_pop(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); // TODO Retrieve EC certificate from the first enrolment instead of PX log("f_http_build_inner_ec_request: v_ec_private_key: ", PX_EC_PRIVATE_KEY); log("f_http_build_inner_ec_request: v_ec_hashed_id8: ", PX_EC_HASHED_ID8); v_result := f_build_pki_secured_request_message_signed_with_pop(PX_EC_PRIVATE_KEY, valueof(m_signerIdentifier_digest(PX_EC_HASHED_ID8)), PX_EC_HASHED_ID8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } if (v_ret_code == false) { if (v_result == false) { log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); f_selfOrClientSyncAndVerdict("error", e_error); } else { log("f_http_build_inner_ec_request: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data); log("f_http_build_inner_ec_request: p_request_hash= ", p_request_hash); } log("*** f_http_build_inner_ec_request: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data); log("*** f_http_build_inner_ec_request: p_request_hash= ", p_request_hash); } // End of function f_http_build_inner_ec_request function f_http_build_invalid_enrolment_request( Loading Loading @@ -496,11 +532,10 @@ module LibItsPki_Functions { if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } else { // We use last valid EC certificate var Oct32 v_ec_private_key; var HashedId8 v_ec_hashed_id8; // Retrieve EC certificate from the first enrolment // TODO Set v_ec_private_key & v_ec_hashed_id8 v_ret_code := f_build_pki_secured_request_message_signed_with_pop(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); // TODO Retrieve EC certificate from the first enrolment instead of PX log("f_http_build_inner_ec_request: v_ec_private_key: ", PX_EC_PRIVATE_KEY); log("f_http_build_inner_ec_request: v_ec_hashed_id8: ", PX_EC_HASHED_ID8); v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PX_EC_PRIVATE_KEY, valueof(m_signerIdentifier_digest(PX_EC_HASHED_ID8)), PX_EC_HASHED_ID8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash); } if (v_ret_code == false) { log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); Loading Loading @@ -1012,6 +1047,10 @@ module LibItsPki_Functions { ) ) ); if (PICS_SECPKI_REENROLMENT) { // This is a re-enrolment, the identifier of its current valid Enrolment Credential log("f_generate_inner_ec_request: This is a re-enrolment"); p_inner_ec_request.itsId := PX_EC_HASHED_ID8; } log("f_generate_inner_ec_request: ", p_inner_ec_request); return true; Loading @@ -1038,8 +1077,8 @@ module LibItsPki_Functions { v_encoded_inner_ec_request ) ), m_headerInfo_inner_ec_request( c_its_aid_SCR, m_headerInfo_inner_pki_request( -, f_getCurrentTimeUtc() ) ); Loading Loading @@ -1113,7 +1152,7 @@ module LibItsPki_Functions { log("f_verify_inner_ec_request_signed_for_pop: v_inner_ec_request= ", p_inner_ec_request); // 2. Verify the InnerEcRequestSignedForPop signature // TODO } return true; Loading Loading @@ -1239,8 +1278,8 @@ module LibItsPki_Functions { // Build the ETsiTs103097Data-SignedExternalPayload v_tbs := m_toBeSignedData( m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash m_headerInfo_inner_ec_request( // HeaderInfo c_its_aid_SCR, m_headerInfo_inner_pki_request( // HeaderInfo -, f_getCurrentTimeUtc()) ); log("f_generate_inner_at_request: v_tbs= ", v_tbs); Loading Loading @@ -1673,17 +1712,18 @@ module LibItsPki_Functions { m_signedDataPayload( m_etsiTs103097Data_unsecured(p_pki_message) ), m_headerInfo_inner_ec_request(c_its_aid_SCR, f_getCurrentTimeUtc()) m_headerInfo_inner_pki_request(-, f_getCurrentTimeUtc()) ); log("f_build_pki_secured_request_message_signed_with_pop: signer: ", p_signer_identifier); if (ischosen(p_signer_identifier.self_)) { if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys //if (ischosen(p_signer_identifier.self_)) { v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key); } else { var charstring v_certificate_id; /*var charstring v_certificate_id; var octetstring v_hash; fx_readCertificateFromDigest(p_signer_identifier.digest, v_certificate_id); // TODO Add a wrapper function f_getCertificateHash(v_certificate_id, v_hash); v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), v_hash, p_private_key); f_getCertificateHash(v_certificate_id, v_hash);*/ v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), PX_EC_HASH, p_private_key); } // Add the signature and create EtsiTs103097Data-Signed data structure if (PX_VE_ALG == e_nist_p256) { Loading Loading @@ -2073,7 +2113,7 @@ module LibItsPki_Functions { m_signedDataPayload( m_etsiTs103097Data_unsecured(p_pki_message) ), m_headerInfo_inner_ec_response(c_its_aid_SCR, f_getCurrentTimeUtc()) m_headerInfo_inner_pki_response(-, f_getCurrentTimeUtc()) ); if (ischosen(p_signer_identifier.self_)) { v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key); Loading Loading @@ -2199,8 +2239,10 @@ module LibItsPki_Functions { log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData); v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData)); if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) { if (p_check_security == true) { return false; } } log("f_verify_pki_request_message: v_certificate= ", v_certificate); if (f_verifyEcdsa(v_msg, p_issuer, v_ieee1609dot2_signed_data.content.signedData.signature_, v_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) { if (p_check_security == true) { Loading @@ -2212,12 +2254,15 @@ module LibItsPki_Functions { log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData); v_msg_bit := oct2bit(v_ieee1609dot2_signed_data.content.signedData.tbsData.payload.data.content.unsecuredData); if (decvalue(v_msg_bit, p_etsi_ts_102941_data) != 0) { if (p_check_security == true) { return false; } } if (p_etsi_ts_102941_data.version != PkiProtocolVersion) { if (p_check_security == true) { return false; } } log("<<< f_verify_pki_request_message: true"); return true; Loading Loading @@ -2319,16 +2364,19 @@ module LibItsPki_Functions { in integer p_compressed_mode ) return boolean { var bitstring v_encoded_cert; var Oct32 v_ec_cert_hash; var HashedId8 v_ec_cert_hashed_id8; // Calculate the HashedId8 of the whole certificate v_encoded_cert := encvalue(p_ec_certificate); v_ec_cert_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256(bit2oct(v_encoded_cert))); log("f_verify_ec_certificate: EC certificate HashedId8: ", v_ec_cert_hashed_id8); v_ec_cert_hash := f_hashWithSha256(bit2oct(v_encoded_cert)); log("f_verify_ec_certificate: ==> EC certificate Hash: ", v_ec_cert_hash); v_ec_cert_hashed_id8 := f_HashedId8FromSha256(v_ec_cert_hash); log("f_verify_ec_certificate: ==> EC certificate HashedId8: ", v_ec_cert_hashed_id8); // Check the signer log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_self())); if (match(p_ec_certificate.issuer, mw_issuerIdentifier_self)) { log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_sha256AndDigest)); if (match(p_ec_certificate.issuer, mw_issuerIdentifier_sha256AndDigest)) { return false; } Loading @@ -2339,6 +2387,9 @@ module LibItsPki_Functions { return false; } // TODO Check that requested information are present return true; } // End of function f_verify_ec_certificate Loading Loading @@ -2549,6 +2600,42 @@ module LibItsPki_Functions { } } // End of altstep a_default_pki_http_at altstep a_await_ec_http_response_from_iut( template HttpMessage p_http_message, out HttpMessage p_response ) runs on ItsPkiHttp { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive(p_http_message) -> value p_response { log("a_await_ec_http_response_from_iut: Received message on httpPort"); } [PICS_MULTIPLE_END_POINT] httpEcPort.receive(p_http_message) -> value p_response { log("a_await_ec_http_response_from_iut: Received message on httpEcPort"); } } // End of altstep a_await_ec_http_response_from_iut altstep a_await_at_http_response_from_iut( template HttpMessage p_http_message, out HttpMessage p_response ) runs on ItsPkiHttp { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive(p_http_message) -> value p_response { log("a_await_at_http_response_from_iut: Received message on httpPort"); } [PICS_MULTIPLE_END_POINT] httpAtPort.receive(p_http_message) -> value p_response { log("a_await_at_http_response_from_iut: Received message on httpAtPort"); } } // End of altstep a_await_at_http_response_from_iut altstep a_await_avt_http_response_from_iut( template HttpMessage p_http_message, out HttpMessage p_response ) runs on ItsPkiHttp { [not(PICS_MULTIPLE_END_POINT)] httpPort.receive(p_http_message) -> value p_response { log("a_await_avt_http_response_from_iut: Received message on httpPort"); } [PICS_MULTIPLE_END_POINT] httpAtVPort.receive(p_http_message) -> value p_response { log("a_await_avt_http_response_from_iut: Received message on httpAtVPort"); } } // End of altstep a_await_avt_http_response_from_iut } // End of group altsteps } // End of module LibItsPki_Functions
ttcn/Pki/LibItsPki_Pixits.ttcn +5 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,11 @@ module LibItsPki_Pixits { */ modulepar HashedId8 PX_EC_HASHED_ID8 := int2oct(0, 8); /** * @desc Contains the hash of the EC certificate, used in case of re-enrolment */ modulepar Oct32 PX_EC_HASH := int2oct(0, 32); /** * @desc Indicate which encryption algorithem to be used */ Loading
ttcn/Pki/LibItsPki_Templates.ttcn +16 −0 Original line number Diff line number Diff line Loading @@ -415,4 +415,20 @@ module LibItsPki_Templates { certIssuePermissions := p_certIssuePermissions } // End of template m_certificate_subject_attributes template CertificateSubjectAttributes mw_certificate_subject_attributes( template (present) SequenceOfPsidSsp p_appPermissions := ?, template (present) CertificateId p_id := ?, template (present) ValidityPeriod p_validityPeriod := ?, template (present) SubjectAssurance p_assuranceLevel := ?, template GeographicRegion p_region := *, template SequenceOfPsidGroupPermissions p_certIssuePermissions := omit ) := { id := p_id, validityPeriod := p_validityPeriod, region := p_region, assuranceLevel := p_assuranceLevel, appPermissions := p_appPermissions, certIssuePermissions := p_certIssuePermissions } // End of template mw_certificate_subject_attributes } // End of module LibItsPki_Templates
ttcn/Pki/LibItsPki_TypesAndValues.ttcn +2 −0 Original line number Diff line number Diff line Loading @@ -29,6 +29,8 @@ module LibItsPki_TypesAndValues { e_brainpool_p384_r1 (2) } // End of type SecurityAlg type set of PublicVerificationKey ListOfPublicVerificationKey; group utPrimitives { /** Loading
