Bug fixed in Ats Security (eb8bd36b) · Commits · TTCN-3 Libraries / LibIts

ttcn/Pki/LibItsPki_Functions.ttcn

+55 −32

Original line number	Original line	Diff line number	Diff line
	@@ -253,6 +253,9 @@ module LibItsPki_Functions {
	log("* f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequest *");		log("* f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequest *");
	f_selfOrClientSyncAndVerdict("error", e_error);		f_selfOrClientSyncAndVerdict("error", e_error);
	}		}
			log ("f_http_build_enrolment_request: EC verification private key: ", p_private_key);
			log ("f_http_build_enrolment_request: EC verification public compressed key: ", p_public_key_compressed);
			log ("f_http_build_enrolment_request: EC verification public compressed mode: ", p_compressed_mode);
	// Generate InnerEcRequestSignedForPoP		// Generate InnerEcRequestSignedForPoP
	if (f_generate_inner_ec_request_signed_for_pop(p_private_key, v_inner_ec_request, v_inner_ec_request_signed_for_pop) == false) {		if (f_generate_inner_ec_request_signed_for_pop(p_private_key, v_inner_ec_request, v_inner_ec_request_signed_for_pop) == false) {
	log("* f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop *");		log("* f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop *");
	@@ -276,10 +279,9 @@ module LibItsPki_Functions {
	if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys		if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
	v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/recipientId/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);		v_ret_code := f_build_pki_secured_request_message_signed_with_pop(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/recipientId/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
	} else { // We use last valid EC certificate		} else { // We use last valid EC certificate
	var Oct32 v_ec_private_key;		var Oct32 v_ec_private_key := PX_EC_PRIVATE_KEY;
	var HashedId8 v_ec_hashed_id8;		var HashedId8 v_ec_hashed_id8 := PX_EC_HASHED_ID8;
	// Retrieve EC certificate from the first enrolment		// Retrieve EC certificate from the first enrolment
	// TODO Set v_ec_private_key & v_ec_hashed_id8
	v_ret_code := f_build_pki_secured_request_message_signed_with_pop(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/recipientId/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);		v_ret_code := f_build_pki_secured_request_message_signed_with_pop(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/recipientId/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
	}		}
	if (v_ret_code == false) {		if (v_ret_code == false) {
	@@ -312,6 +314,9 @@ module LibItsPki_Functions {
	log("* f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequest *");		log("* f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequest *");
	f_selfOrClientSyncAndVerdict("error", e_error);		f_selfOrClientSyncAndVerdict("error", e_error);
	}		}
			log ("f_http_build_invalid_enrolment_request: EC verification private key: ", p_private_key);
			log ("f_http_build_invalid_enrolment_request: EC verification public compressed key: ", p_public_key_compressed);
			log ("f_http_build_invalid_enrolment_request: EC verification public compressed mode: ", p_compressed_mode);
	// Generate InnerEcRequestSignedForPoP		// Generate InnerEcRequestSignedForPoP
	if (f_generate_inner_ec_request_signed_for_pop(p_private_key, v_inner_ec_request, v_inner_ec_request_signed_for_pop) == false) {		if (f_generate_inner_ec_request_signed_for_pop(p_private_key, v_inner_ec_request, v_inner_ec_request_signed_for_pop) == false) {
	log("* f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop *");		log("* f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop *");
	@@ -384,6 +389,9 @@ module LibItsPki_Functions {
	f_selfOrClientSyncAndVerdict("error", e_error);		f_selfOrClientSyncAndVerdict("error", e_error);
	return;		return;
	}		}
			log ("f_http_build_authorization_request: AT verification private key: ", p_private_key);
			log ("f_http_build_authorization_request: AT verification public compressed key: ", p_public_key_compressed);
			log ("f_http_build_authorization_request: AT verification public compressed mode: ", p_compressed_mode);
	// Generate encryption keys for the certificate to be requested		// Generate encryption keys for the certificate to be requested
	if (PX_INCLUDE_ENCRYPTION_KEYS) {		if (PX_INCLUDE_ENCRYPTION_KEYS) {
	if (f_generate_key_pair_nistp256(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressedEncMode) == false) {		if (f_generate_key_pair_nistp256(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressedEncMode) == false) {
	@@ -620,7 +628,6 @@ module LibItsPki_Functions {
	} else {		} else {
	v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(p_public_key_compressed));		v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(p_public_key_compressed));
	}		}
	log ("f_generate_inner_ec_request: ", v_eccP256_curve_point);
	// Build the Proof of Possession InnerEcRequest		// Build the Proof of Possession InnerEcRequest
	p_inner_ec_request := valueof(		p_inner_ec_request := valueof(
	m_innerEcRequest(		m_innerEcRequest(
	@@ -991,13 +998,14 @@ module LibItsPki_Functions {
	// Verify the received EC certificate		// Verify the received EC certificate
	log("f_await_http_inner_ec_request_response: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log		log("f_await_http_inner_ec_request_response: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
	if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) {		if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) {
	if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, p_compressed_public_key, p_compressed_mode)) {
	p_inner_ec_response := v_etsi_ts_102941_data.content.enrolmentResponse;		p_inner_ec_response := v_etsi_ts_102941_data.content.enrolmentResponse;
			if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, vc_eaCertificate, p_compressed_public_key, p_compressed_mode)) {
	log("f_await_http_inner_ec_request_response: Well-secured EA certificate received ***");		log("f_await_http_inner_ec_request_response: Well-secured EA certificate received ***");
	log("p_inner_ec_response= ", p_inner_ec_response);		log("p_inner_ec_response= ", p_inner_ec_response);
	return true;		return true;
	} else {		} else {
	log("f_await_http_inner_ec_request_response: Cannot verify EC certificate signature ***");		log("f_await_http_inner_ec_request_response: Cannot verify EC certificate signature ***");
			return true; // For debug mode only
	}		}
	} else {		} else {
	log("f_await_http_inner_ec_request_response: Unexpected message received ***");		log("f_await_http_inner_ec_request_response: Unexpected message received ***");
	@@ -1434,16 +1442,24 @@ module LibItsPki_Functions {
	/**		/**
	* @desc Verify the EC certificate generated by the EA entity		* @desc Verify the EC certificate generated by the EA entity
	* @param p_ec_certificate The new EC certificate		* @param p_ec_certificate The new EC certificate
	* @param p_public_key_compressed The public compressed key (canonical form) for signature check		* @param p_ea_certificate The certificate issuer
			* @param p_public_key_compressed The public compressed key (canonical form) generated for the InnerEcRequest
	* @param p_compressed_mode The public compressed key mode		* @param p_compressed_mode The public compressed key mode
	* @return true on success, false otherwise		* @return true on success, false otherwise
	*/		*/
	function f_verify_ec_certificate(		function f_verify_ec_certificate(
	in Certificate p_ec_certificate,		in Certificate p_ec_certificate,
			in Certificate p_ea_certificate,
	in octetstring p_public_key_compressed,		in octetstring p_public_key_compressed,
	in integer p_compressed_mode		in integer p_compressed_mode
	) return boolean {		) return boolean {
	var bitstring v_encoded_tbs;		var bitstring v_encoded_cert;
			var HashedId8 v_ec_cert_hashed_id8;

			// Calculate the HashedId8 of the whole certificate
			v_encoded_cert := encvalue(p_ec_certificate);
			v_ec_cert_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256(bit2oct(v_encoded_cert)));
			log("f_verify_ec_certificate: EC certificate HashedId8: ", v_ec_cert_hashed_id8);

	// Check the signer		// Check the signer
	log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_self()));		log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_self()));
	@@ -1453,44 +1469,51 @@ module LibItsPki_Functions {

	// Check EC certificate signature		// Check EC certificate signature
	// TODO Who sign the EC certificate?		// TODO Who sign the EC certificate?
	/*if (f_verifyCertificateSignatureWithPublicKey(p_ec_certificate, p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {		if (f_verifyCertificateSignatureWithPublicKey(p_ec_certificate, p_ea_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
	log("f_verify_ec_certificate: Signature not verified");		log("f_verify_ec_certificate: Signature not verified");
	return false;		return false;
	}*/		}

	return true;		return true;
	} // End of function f_verify_ec_certificate		} // End of function f_verify_ec_certificate

	/**		/**
	* @desc Verify the generated AA certificate		* @desc Verify the generated AT certificate
	* @param p_aa_certificate The new EA certificate		* @param p_at_certificate The new AT certificate
	* @param p_public_key_compressed The public compressed key (canonical form) for signature check		* @param p_ea_certificate The certificate issuer
			* @param p_public_key_compressed The public compressed key (canonical form) generated for the InnerAtRequest
	* @param p_compressed_mode The public compressed key mode		* @param p_compressed_mode The public compressed key mode
	* @return true on success, false otherwise		* @return true on success, false otherwise
	*/		*/
	function f_verify_aa_certificate(		function f_verify_at_certificate(
			in Certificate p_at_certificate,
	in Certificate p_aa_certificate,		in Certificate p_aa_certificate,
	in octetstring p_public_key_compressed,		in octetstring p_public_key_compressed,
	in integer p_compressed_mode		in integer p_compressed_mode
	) return boolean {		) return boolean {
	var bitstring v_encoded_tbs;		var bitstring v_encoded_cert;
	var boolean v_result;		var HashedId8 v_at_cert_hashed_id8;

			// Calculate the HashedId8 of the whole certificate
			v_encoded_cert := encvalue(p_at_certificate);
			v_at_cert_hashed_id8 := f_HashedId8FromSha256(f_hashWithSha256(bit2oct(v_encoded_cert)));
			log("f_verify_at_certificate: EC certificate HashedId8: ", v_at_cert_hashed_id8);

	// Check certificate format
	v_result := match(p_aa_certificate, mw_etsiTs103097Certificate(mw_issuerIdentifier_self, mw_toBeSignedCertificate_aa, -));
	// Check the signer		// Check the signer
			log("f_verify_at_certificate: ", match(p_at_certificate.issuer, mw_issuerIdentifier_self()));
			if (match(p_at_certificate.issuer, mw_issuerIdentifier_self)) {
			return false;
			}

			// Check EC certificate signature
			// TODO Who sign the EC certificate?
			if (f_verifyCertificateSignatureWithPublicKey(p_at_certificate, p_aa_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
			log("f_verify_at_certificate: Signature not verified");
			return false;
			}

	// Check EA certificate signature		return true;
	v_encoded_tbs := encvalue(p_aa_certificate.toBeSigned);		} // End of function f_verify_at_certificate
	v_result := v_result and f_verifyWithEcdsaNistp256WithSha256(
	bit2oct(v_encoded_tbs),
	int2oct(0, 32), // self
	p_aa_certificate.signature_.ecdsaNistP256Signature.rSig.x_only & p_aa_certificate.signature_.ecdsaNistP256Signature.sSig,
	p_public_key_compressed,
	p_compressed_mode);

	return v_result;
	} // End of function f_verify_aa_certificate

	} // End of group inner_ec_xxx		} // End of group inner_ec_xxx

ttcn/Pki/LibItsPki_Pixits.ttcn

+17 −1

Original line number	Original line	Diff line number	Diff line
	module LibItsPki_Pixits {		module LibItsPki_Pixits {

			// LibCommon
			import from LibCommon_BasicTypesAndValues all;
			import from LibCommon_DataStrings all;

			// LibIts
			import from IEEE1609dot2BaseTypes language "ASN.1:1997" all;

	/**		/**
	* @desc Is the first enrolment?		* @desc Is the first enrolment?
	*/		*/
	@@ -15,4 +22,13 @@ module LibItsPki_Pixits {
	*/		*/
	modulepar boolean PX_AUTHORIZATION_REQUEST_WITH_POP := true;		modulepar boolean PX_AUTHORIZATION_REQUEST_WITH_POP := true;

			/**
			* @desc Contains the private key for the EC certificate, used in case of re-enrolment
			*/
			modulepar Oct32 PX_EC_PRIVATE_KEY := int2oct(0, 32);

			/**
			* @desc Contains the hashed id8 of the EC certificate, used in case of re-enrolment
			*/
			modulepar HashedId8 PX_EC_HASHED_ID8 := int2oct(0, 8);
	} // End of module LibItsPki_Pixits		} // End of module LibItsPki_Pixits

ttcn/Security/LibItsSecurity_Functions.ttcn

+49 −45

Original line number	Original line	Diff line number	Diff line
	@@ -795,7 +795,8 @@ module LibItsSecurity_Functions {
	var octetstring v_certificateIssuer;		var octetstring v_certificateIssuer;
	var octetstring v_privateKey;		var octetstring v_privateKey;

	//log(">>> f_buildGnSecuredMessage: p_securedMessage=", p_securedMessage);		log(">>> f_buildGnSecuredMessage: p_securedMessage=", p_securedMessage);
			log(">>> f_buildGnSecuredMessage: p_payloadField=", p_payloadField);

	// Prepare payload to be signed		// Prepare payload to be signed
	v_toBeSignedData := valueof(p_payloadField);		v_toBeSignedData := valueof(p_payloadField);
	@@ -851,7 +852,7 @@ module LibItsSecurity_Functions {
	));		));
	} // TODO To be continued		} // TODO To be continued

	//log("<<< f_buildGnSecuredMessage: p_securedMessage=", p_securedMessage);		log("<<< f_buildGnSecuredMessage: p_securedMessage=", p_securedMessage);
	return true;		return true;
	} // End of function f_buildGnSecuredMessage		} // End of function f_buildGnSecuredMessage

	@@ -1069,6 +1070,9 @@ module LibItsSecurity_Functions {
	// Local variables		// Local variables
	var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;		var EtsiTs103097Certificate v_aaCertificate, v_atCertificate;

			log(">>> f_buildGnSecuredCam: p_securedMessage= ", p_securedMessage);
			log(">>> f_buildGnSecuredCam: p_payloadField= ", p_payloadField);

	// Load certificates if required		// Load certificates if required
	if (f_prepareCertificates(p_certificateName, v_aaCertificate, v_atCertificate) == false) {		if (f_prepareCertificates(p_certificateName, v_aaCertificate, v_atCertificate) == false) {
	return false;		return false;

Admin message