......@@ -152,7 +152,7 @@ module LibItsPki_Functions {
if (PICS_MULTIPLE_END_POINT == false) {
map(self:httpPort, system:httpPort);
} else {
map(self:httpEcPort, system:httpEcPort);
map(self:httpAtPort, system:httpAtPort);
}
f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed???
......@@ -182,7 +182,7 @@ module LibItsPki_Functions {
if (PICS_MULTIPLE_END_POINT == false) {
activate(a_default_pki_http());
} else {
activate(a_default_pki_http_ec());
activate(a_default_pki_http_at());
}
} // End of function f_cfHttpUp_itss
......@@ -199,7 +199,6 @@ module LibItsPki_Functions {
map(self:httpPort, system:httpPort);
} else {
map(self:httpAtVPort, system:httpAtVPort);
map(self:httpAtPort, system:httpAtPort);
}
f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed???
......@@ -296,7 +295,7 @@ module LibItsPki_Functions {
if (PICS_MULTIPLE_END_POINT == false) {
unmap(self:httpPort, system:httpPort);
} else {
unmap(self:httpEcPort, system:httpEcPort);
unmap(self:httpAtPort, system:httpAtPort);
}
f_disconnect4SelfOrClientSync();
f_uninitialiseSecuredMode();
......@@ -310,7 +309,6 @@ module LibItsPki_Functions {
unmap(self:httpPort, system:httpPort);
} else {
unmap(self:httpAtVPort, system:httpAtVPort);
unmap(self:httpAtPort, system:httpAtPort);
}
f_disconnect4SelfOrClientSync();
f_uninitialiseSecuredMode();
......@@ -1116,6 +1114,7 @@ module LibItsPki_Functions {
in boolean p_alter_ea_id := false,
in template (omit) Time32 p_start := omit,
in template (omit) Duration p_duration := omit,
in template (omit) Time64 p_generation_time := omit,
out octetstring p_private_key,
out octetstring p_public_key_compressed,
out integer p_compressed_key_mode,
......@@ -1151,7 +1150,7 @@ module LibItsPki_Functions {
log("f_http_build_authorization_request_with_wrong_parameters: Altered eaId= ", v_ea_hashed_id8);
v_ret_code := f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, v_ea_hashed_id8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
} else {
v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
v_ret_code := f_generate_inner_at_request_with_wrong_parameters(vc_aaCertificate, vc_aaHashedId8, vc_eaCertificate, vc_eaWholeHash/*salt*/, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_alter_hmac, p_alter_signer_digest, p_start, p_duration, p_generation_time, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request);
}
if (v_ret_code == false) {
log("*** f_http_build_authorization_request_with_wrong_parameters: ERROR: Failed to generate AuthorizationValidationRequest ***");
......@@ -1338,20 +1337,20 @@ module LibItsPki_Functions {
} // End of function f_http_build_authorization_validation_request
function f_http_build_invalid_authorization_validation_request(
in InnerAtRequest p_inner_at_request,
in octetstring p_public_key_compressed,
in integer p_compressed_key_mode,
in octetstring p_private_enc_key,
in octetstring p_public_compressed_enc_key,
in integer p_compressed_enc_key_mode,
out Oct16 p_aes_sym_key,
out Oct16 p_encrypted_sym_key,
out Oct16 p_authentication_vector,
out Oct12 p_nonce,
out octetstring p_salt,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct32 p_request_hash
) runs on ItsPkiHttp {
in InnerAtRequest p_inner_at_request,
in octetstring p_public_key_compressed,
in integer p_compressed_key_mode,
in octetstring p_private_enc_key,
in octetstring p_public_compressed_enc_key,
in integer p_compressed_enc_key_mode,
out Oct16 p_aes_sym_key,
out Oct16 p_encrypted_sym_key,
out Oct16 p_authentication_vector,
out Oct12 p_nonce,
out octetstring p_salt,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct32 p_request_hash
) runs on ItsPkiHttp {
// Local variables
var AuthorizationValidationRequest v_authorization_validation_request;
var bitstring v_authorization_validation_request_msg;
......@@ -1387,7 +1386,7 @@ module LibItsPki_Functions {
} // End of function f_http_build_invalid_authorization_validation_request
function f_http_build_authorization_validation_response(
in InnerAtRequest p_inner_at_request,
in SharedAtRequest p_shared_at_request,
in AuthorizationValidationResponseCode p_responseCode := ok,
in Oct16 p_request_hash,
in octetstring p_private_key := ''O,
......@@ -1404,7 +1403,7 @@ module LibItsPki_Functions {
var EtsiTs103097Certificate v_at_certificate;
var boolean p_result := false;
log(">>> f_http_build_authorization_validation_response: p_inner_at_request= ", p_inner_at_request);
log(">>> f_http_build_authorization_validation_response: p_shared_at_request= ", p_shared_at_request);
log(">>> f_http_build_authorization_validation_response: p_responseCode= ", p_responseCode);
log(">>> f_http_build_authorization_validation_response: p_request_hash= ", p_request_hash);
log(">>> f_http_build_authorization_validation_response: p_private_key= ", p_private_key);
......@@ -1423,7 +1422,7 @@ module LibItsPki_Functions {
} else {
p_authorization_validation_response := valueof(m_authorizationValidationResponse_ok(
p_request_hash,
p_inner_at_request.sharedAtRequest.requestedSubjectAttributes
p_shared_at_request.requestedSubjectAttributes
)
);
}
......@@ -1919,16 +1918,16 @@ module LibItsPki_Functions {
}
p_inner_ec_request := valueof(
m_innerEcRequest(
PICS_ITS_S_CANONICAL_ID,
p_canonical_id,
m_publicKeys(
v_public_verification_key
),
m_certificateSubjectAttributes_id_name(
oct2char(p_canonical_id),
oct2char(PICS_ITS_S_CANONICAL_ID),
p_appPermissions, // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
m_validityPeriod(
p_start,
m_duration_in_hours(PX_GENERATED_CERTIFICATE_DURATION)
p_duration
),
m_geographicRegion_identifiedRegion(
{
......@@ -2181,7 +2180,7 @@ module LibItsPki_Functions {
v_key_tag, // Calculated keyTag
valueof(
m_certificate_subject_attributes( // FIXME Review subjectPermissions
v_appPermissions,//p_ec_certificate.toBeSigned.appPermissions,
v_appPermissions,
p_ec_certificate.toBeSigned.certRequestPermissions,
{ none_ := NULL },//p_ec_certificate.toBeSigned.id,
p_ec_certificate.toBeSigned.validityPeriod,
......@@ -2426,6 +2425,7 @@ module LibItsPki_Functions {
in boolean p_alter_signer_digest := false,
in template (omit) Time32 p_start := omit,
in template (omit) Duration p_duration := omit,
in template (omit) Time64 p_generation_time := omit,
out octetstring p_private_key,
out octetstring p_public_key_compressed,
out integer p_compressed_key_mode,
......@@ -2461,10 +2461,10 @@ module LibItsPki_Functions {
var Signature v_signature;
var Time32 v_start;
var Duration v_duration;
/*var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
valueof(m_appPermissions(c_its_aid_CAM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM })),
valueof(m_appPermissions(c_its_aid_DENM, { bitmapSsp := PX_INNER_AT_CERTFICATE_BITMAP_SSP_DENM }))
};*/
};
// Generate verification keys for the certificate to be requested
if (f_generate_key_pair(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_key_mode) == false) {
......@@ -2552,7 +2552,7 @@ module LibItsPki_Functions {
v_key_tag, // Calculated keyTag
valueof(
m_certificate_subject_attributes(
p_ec_certificate.toBeSigned.appPermissions,//v_appPermissions,
v_appPermissions,
p_ec_certificate.toBeSigned.certRequestPermissions,
{ none_ := NULL },//p_ec_certificate.toBeSigned.id,
m_validityPeriod(v_start, v_duration),
......@@ -2566,13 +2566,23 @@ module LibItsPki_Functions {
log("f_generate_inner_at_request_with_wrong_parameters: v_hash_shared_at_request= ", v_hash_shared_at_request);
// Build the ETsiTs103097Data-SignedExternalPayload
v_tbs := m_toBeSignedData(
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_pki_request( // HeaderInfo
-,
(f_getCurrentTime()) * 1000) //us
);
log("f_generate_inner_at_request_with_wrong_parameters: v_tbs= ", v_tbs);
if (ispresent(p_generation_time)) {
v_tbs := m_toBeSignedData(
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_pki_request( // HeaderInfo
-,
valueof(p_generation_time) * 1000) //us
);
log("f_generate_inner_at_request_with_wrong_parameters: Altered generation time: v_tbs= ", v_tbs);
} else {
v_tbs := m_toBeSignedData(
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_pki_request( // HeaderInfo
-,
f_getCurrentTime() * 1000) //us
);
log("f_generate_inner_at_request_with_wrong_parameters: v_tbs= ", v_tbs);
}
// Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request
// In case of ITS-S privacy, v_signed_at_signature contained the data to be encrypted
// TODO Simplify with f_signWithEcdsa
......@@ -3588,58 +3598,9 @@ module LibItsPki_Functions {
// 4. Verifiy signature
log("f_verify_pki_request_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
v_msg := bit2oct(encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData));
if (p_issuer == ''O) { // ITS-S/OBU
var PublicVerificationKey v_public_verification_key;
log("f_verify_pki_request_message: Use ITS-S technical keys");
if (PX_VE_ALG == e_nist_p256) {
var EccP256CurvePoint v_ecc_p256_curve_point;
if (PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY[0] == '02'O) {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32)));
} else {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_NISTP256_PUBLIC_KEY, 1, 32)));
}
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaNistP256(
v_ecc_p256_curve_point
)
);
} else if (PX_VE_ALG == e_brainpool_p256_r1) {
var EccP256CurvePoint v_ecc_p256_curve_point;
if (PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY[0] == '02'O) {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32)));
} else {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP256r1_PUBLIC_KEY, 1, 32)));
}
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaBrainpoolP256r1(
v_ecc_p256_curve_point
)
);
} else if (PX_VE_ALG == e_brainpool_p384_r1) {
var EccP384CurvePoint v_ecc_p384_curve_point;
if (PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY[0] == '02'O) {
v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_0(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48)));
} else {
v_ecc_p384_curve_point := valueof(m_eccP384CurvePoint_compressed_y_1(substr(PICS_ITS_S_SIGN_BRAINPOOLP384r1_PUBLIC_KEY, 1, 48)));
}
v_public_verification_key := valueof(
m_publicVerificationKey_ecdsaBrainpoolP384r1(
v_ecc_p384_curve_point
)
);
} else {
return false;
}
log("f_verify_pki_request_message: v_public_verification_key= ", v_public_verification_key);
if (f_verifyEcdsa(v_msg, int2oct(0, 32), v_ieee1609dot2_signed_data.content.signedData.signature_, v_public_verification_key) == false) {
if (p_check_security == true) {
return false;
}
}
if (p_issuer == ''O) {
log("f_verify_pki_request_message: Invalid issuer value");
return false;
} else {
if (f_getCertificateFromDigest(f_HashedId8FromSha256(p_issuer), v_certificate) == false) {
if (p_check_security == true) {
......@@ -3801,7 +3762,6 @@ module LibItsPki_Functions {
}
// Check EC certificate signature
// TODO Who sign the EC certificate?
if (f_verifyCertificateSignatureWithPublicKey(p_ec_certificate, p_ea_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("f_verify_ec_certificate: Signature not verified");
return false;
......@@ -3846,7 +3806,6 @@ module LibItsPki_Functions {
}
// Check EC certificate signature
// TODO Who sign the EC certificate?
if (f_verifyCertificateSignatureWithPublicKey(p_at_certificate, p_aa_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("f_verify_at_certificate: Signature not verified");
return false;
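Review bot: In f_verify_pki_request_message (hunk at -3588), the new `if (p_issuer == ''O)` branch returns `false` unconditionally, whereas the certificate lookup right after it only fails when `p_check_security == true`. Failing closed is the safer direction, but it should be stated so nobody later "aligns" it with the lenient paths, e.g. `// Fail closed: an empty issuer is rejected even when p_check_security is false`. The removed branch appears to have been the only place in this function that verified a signature against the ITS-S technical keys (`PICS_ITS_S_SIGN_*_PUBLIC_KEY`), so it is worth confirming that no caller still passes an empty issuer and expects technical-key verification here. The function starts and ends outside the hunk.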
......@@ -199,6 +199,6 @@ module LibItsPki_Pics {
/**
* @desc Invalid Canonical ITSS-S identifier
*/
modulepar octetstring PICS_INVALID_ITS_S_CANONICAL_ID := '0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A'O;
modulepar octetstring PICS_INVALID_ITS_S_CANONICAL_ID := 'BABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABA'O;
} // End of module LibItsPki_Pics
......@@ -52,6 +52,10 @@ module LibItsPki_Pixits {
modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR := '01FF'O;
modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_VERSION := '00C0'O;
modulepar octetstring PX_INNER_EC_CERTFICATE_INCORRECT_BITMAP_SSP_SCR_WRONG_SSP_BIT := '0180'O;
modulepar octetstring PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM := '830001'O;
modulepar octetstring PX_INNER_EC_CERTFICATE_BITMAP_SSP_DENM := '830001'O;
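Review bot: Both new defaults, `PX_INNER_EC_CERTFICATE_BITMAP_SSP_CAM` and `PX_INNER_EC_CERTFICATE_BITMAP_SSP_DENM`, start with octet `83`, while the check this commit adds to f_verifySspPermissions rejects any subordinate `bitmapSsp` whose first octet is not `'01'O`. If these values are meant to be accepted SSPs they will presumably fail that check; if they are deliberately non-conforming, the names should say so, like the `..._INCORRECT_...` parameters just above. The AT request code touched in this commit reads `PX_INNER_AT_CERTFICATE_BITMAP_SSP_CAM` and `..._DENM`, not these EC names, so the page does not show where the new parameters are consumed. A one-line `@desc` per parameter stating the expected layout (version octet, then bitmap) would settle the question.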
......@@ -190,10 +190,16 @@ module LibItsPki_Templates {
authorizationResponse := p_authorizationResponse
} // End of template mw_authorizationResponse
template (present) EtsiTs102941DataContent mw_authorizationValidationRequest(
template (present) AuthorizationValidationRequest p_authorization_validation_request := ?
) := {
authorizationValidationRequest := p_authorization_validation_request
} // End of template mw_authorizationValidationRequest
template (present) EtsiTs102941DataContent mw_authorizationValidationResponse(
template (present) AuthorizationValidationResponse p_authorization_alidation_response := ?
template (present) AuthorizationValidationResponse p_authorization_validation_response := ?
) := {
authorizationValidationResponse := p_authorization_alidation_response
authorizationValidationResponse := p_authorization_validation_response
} // End of template mw_authorizationValidationResponse
template (value) InnerEcRequest m_innerEcRequest(
......@@ -359,21 +365,21 @@ module LibItsPki_Templates {
certificate := omit
} // End of template mw_innerAtResponse_ko
template (value) AuthorizationValidationRequest m_authorizationValidationRequest(
in template (value) SharedAtRequest p_sharedAtRequest,
in template (value) EcSignature p_ecSignature
) := {
template (value) AuthorizationValidationRequest m_authorization_validation_request(
in template (value) SharedAtRequest p_sharedAtRequest,
in template (value) EcSignature p_ecSignature
) := {
sharedAtRequest := p_sharedAtRequest,
ecSignature := p_ecSignature
} // End of template m_authorizationValidationRequest
} // End of template m_authorization_validation_request
template (present) AuthorizationValidationRequest mw_authorizationValidationRequest(
template (present) SharedAtRequest p_sharedAtRequest := ?,
template (present) EcSignature p_ecSignature := ?
) := {
template (present) AuthorizationValidationRequest mw_authorization_validation_request(
template (present) SharedAtRequest p_sharedAtRequest := ?,
template (present) EcSignature p_ecSignature := ?
) := {
sharedAtRequest := p_sharedAtRequest,
ecSignature := p_ecSignature
} // End of template mw_authorizationValidationRequest
} // End of template mw_authorization_validation_request
template (value) AuthorizationValidationResponse m_authorizationValidationResponse_ok(
template (value) Oct16 p_requestHash,
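Review bot: The identifier `mw_authorizationValidationRequest` changes meaning in this commit: it used to be the `AuthorizationValidationRequest` template and is now the new `EtsiTs102941DataContent` wrapper, with the old template renamed to `mw_authorization_validation_request`. Any test case not updated alongside will bind the old name to a template of a different type, which should surface as a type error but is easy to misread. The section also now mixes two naming styles (`mw_authorizationValidationResponse` and `m_authorizationValidationResponse_ok` next to `m_authorization_validation_request`). A short `@desc` on each template naming the type it builds, and a single naming convention for the wrapper and inner templates, would make the distinction visible at the call site.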
......@@ -2012,19 +2012,31 @@ module LibItsSecurity_Functions {
group sspPermissions {
function f_verifySspPermissions(
in SequenceOfPsidSsp p_issuer_ssp_permissions,
in SequenceOfPsidSsp p_subordinate_ssp_permissions
in SequenceOfPsidSsp p_issuer_ssp_permissions,
in SequenceOfPsidSsp p_subordinate_ssp_permissions,
in boolean p_strict_checks := false
) return boolean {
// Local variables
var integer v_idx := 0;
log(">>> f_verifySspPermissions: p_issuer_ssp_permissions:", p_issuer_ssp_permissions);
log(">>> f_verifySspPermissions: p_subordinate_ssp_permissions: ", p_subordinate_ssp_permissions);
for (v_idx := 0; v_idx < lengthof(p_issuer_ssp_permissions); v_idx := v_idx + 1) {
var PsidSsp v_issuerPsidSsp := p_issuer_ssp_permissions[v_idx];
var PsidSsp v_subordinatePsidSsp;
var boolean v_found := false;
var integer v_jdx := 0;
log("f_verifySspPermissions: v_issuerPsidSsp: ", v_issuerPsidSsp);
// 1. Check permission from issuer is present
for (v_jdx := 0; v_jdx < lengthof(p_subordinate_ssp_permissions); v_jdx := v_jdx + 1) {
log("f_verifySspPermissions: match=", match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp)));
// 1. Check the version
if (p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0] != '01'O) {
log("f_verifySspPermissions: Wrong SSP version control (1 is expected): ", p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0]);
return false;
}
// 2. Check the version
if (match(v_issuerPsidSsp, m_appPermissions(p_subordinate_ssp_permissions[v_jdx].psid, p_subordinate_ssp_permissions[v_jdx].ssp)) == true) {
v_subordinatePsidSsp := p_subordinate_ssp_permissions[v_jdx];
v_found := true;
......@@ -2033,21 +2045,31 @@ module LibItsSecurity_Functions {
} // End of 'for' statement
if (v_found == false) {
log("f_verifySspPermissions: Permission set not found: ", v_issuerPsidSsp)
return false;
if (p_strict_checks == true) {
return false;
} else {
return true;
}
}
// 2. Validate bits mask
if (ispresent(v_issuerPsidSsp.ssp)) {
if (ispresent(v_subordinatePsidSsp.ssp) == false) {
log("f_verifySspPermissions: Ssp shall not be omitted: ", v_issuerPsidSsp)
return false;
if (p_strict_checks == true) {
return false;
}
}
if ((ischosen(v_issuerPsidSsp.ssp.bitmapSsp) == false) or (ischosen(v_subordinatePsidSsp.ssp.bitmapSsp) == false)) {
log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp);
return false;
log("f_verifySspPermissions: Wrong variant : ", v_issuerPsidSsp, " / ", v_subordinatePsidSsp);
if (p_strict_checks == true) {
return false;
}
}
if (lengthof(v_issuerPsidSsp.ssp.bitmapSsp) < lengthof(v_subordinatePsidSsp.ssp.bitmapSsp)) {
log("f_verifySspPermissions: Ssp not be compliant: ", v_issuerPsidSsp.ssp, " / ", v_subordinatePsidSsp.ssp);
return false;
if (p_strict_checks == true) {
return false;
}
} else {
var charstring v_issuerSsp := bit2str(oct2bit(v_issuerPsidSsp.ssp.bitmapSsp));
var charstring v_subordinateSsp := bit2str(oct2bit(v_subordinatePsidSsp.ssp.bitmapSsp));
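Review bot: The new `p_strict_checks` parameter defaults to `false`, which turns four previously failing conditions (permission set not found, SSP omitted, wrong variant, subordinate bitmap longer than the issuer's) into passes for every existing caller of f_verifySspPermissions; I would keep the old behaviour as the default with `in boolean p_strict_checks := true` and let lenient callers opt in. In the not-found branch the lenient path is `return true`, which ends the function and leaves the remaining issuer entries unchecked. In the other three branches it falls through, so `ischosen(v_subordinatePsidSsp.ssp.bitmapSsp)` and the `lengthof` comparison run on a value just logged as omitted or of the wrong variant, which likely ends in a runtime error rather than a lenient verdict. The added version test reads `p_subordinate_ssp_permissions[v_jdx].ssp.bitmapSsp[0]` before any presence or variant check and runs for every subordinate entry, not only the one matching the issuer PSID; the comment after it, `// 2. Check the version`, repeats the first instead of describing the match. The function body continues past the last hunk.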