Skip to content
GitLab
Commits (1)
Hide whitespace changes
Inline Side-by-side
ttcn/Http/LibItsHttp_Functions.ttcn
View file @ b745c0b2
......@@ -44,38 +44,75 @@ module LibItsHttp_Functions {
group http_headers {
function f_init_default_headers_list(
in charstring p_header_content_type := PICS_HEADER_CONTENT_TYPE,
in charstring p_header_content_text := "",
out HeaderLines p_headers
) {
p_headers[0] := { c_header_host, { PICS_HEADER_HOST } };
p_headers[1] := { c_header_content_type, { PICS_HEADER_CONTENT_TYPE } };
p_headers[2] := { c_header_content_length, { "0" } };
p_headers[3] := { c_header_connection, { "keep-alive" } };
p_headers[4] := { c_header_pragma, { "no-cache" } };
p_headers[5] := { c_header_cache_control, { "no-cache" } };
var integer v_i := 0;
p_headers[v_i] := { c_header_host, { PICS_HEADER_HOST } };
v_i := v_i + 1;
p_headers[v_i] := { c_header_content_type, { p_header_content_type } };
v_i := v_i + 1;
if (p_header_content_text != "") {
p_headers[v_i] := { c_header_content_text, { p_header_content_text } };
v_i := v_i + 1;
}
p_headers[v_i] := { c_header_content_length, { "0" } };
v_i := v_i + 1;
p_headers[v_i] := { c_header_connection, { "keep-alive" } };
v_i := v_i + 1;
p_headers[v_i] := { c_header_pragma, { "no-cache" } };
v_i := v_i + 1;
p_headers[v_i] := { c_header_cache_control, { "no-cache" } };
} // End of function f_init_default_headers_list
function f_set_headears_list(
in charstring_list p_headers_to_set,
in charstring_list p_headers_value,
inout HeaderLines p_headers
) {
// Sanity checks
if (lengthof(p_headers_to_set) == 0) {
return;
} else if (lengthof(p_headers) == 0) {
return;
}
for (var integer v_idx := 0; v_idx < lengthof(p_headers_to_set); v_idx := v_idx + 1) {
var integer v_jdx;
for (v_jdx := 0; v_jdx < lengthof(p_headers); v_jdx := v_jdx + 1) {
if (p_headers[v_jdx].header_name == p_headers_to_set[v_idx]) {
p_headers[v_jdx].header_value := p_headers_value; // NOTE Codec won't encode it
break;
}
if (v_jdx == lengthof(p_headers)) {
p_headers[v_jdx].header_value := p_headers_value;
}
} // End of 'for' statement
} // End of 'for' statement
} // End of function f_set_headears_list
function f_remove_headears_list(
in charstring_list p_headers_to_remove,
inout HeaderLines p_headers
) {
// Sanity checks
if (lengthof(p_headers_to_remove) == 0) {
return;
} else if (lengthof(p_headers) == 0) {
return;
}
for (var integer v_idx := 0; v_idx < lengthof(p_headers_to_remove); v_idx := v_idx + 1) {
for (var integer v_jdx := 0; v_jdx < lengthof(p_headers); v_jdx := v_jdx + 1) {
if (p_headers[v_jdx].header_name == p_headers_to_remove[v_idx]) {
p_headers[v_jdx].header_value := omit; // NOTE Codec won't encode it
}
} // End of 'for' statement
) {
// Sanity checks
if (lengthof(p_headers_to_remove) == 0) {
return;
} else if (lengthof(p_headers) == 0) {
return;
}
for (var integer v_idx := 0; v_idx < lengthof(p_headers_to_remove); v_idx := v_idx + 1) {
for (var integer v_jdx := 0; v_jdx < lengthof(p_headers); v_jdx := v_jdx + 1) {
if (p_headers[v_jdx].header_name == p_headers_to_remove[v_idx]) {
p_headers[v_jdx].header_value := omit; // NOTE Codec won't encode it
break;
}
} // End of 'for' statement
} // End of function f_init_default_headers_list
} // End of 'for' statement
} // End of function f_remove_headears_list
} // End of group http_headers
......
ttcn/Http/LibItsHttp_TypesAndValues.ttcn
View file @ b745c0b2
......@@ -17,6 +17,7 @@ module LibItsHttp_TypesAndValues {
const charstring c_header_host := "Host";
const charstring c_header_content_type := "Content-type";
const charstring c_header_content_text := "Content-text";
const charstring c_header_content_length := "Content-length";
const charstring c_header_accept := "Accept";
const charstring c_header_connection := "Connection";
......
ttcn/Pki/LibItsPki_Functions.ttcn
View file @ b745c0b2
......@@ -62,30 +62,36 @@ module LibItsPki_Functions {
group pkiConfigurationFunctions {
/**
* @desc Setups default configuration
* @desc Setups default configuration
* @param p_certificateId The certificate identifier the TA shall use in case of secured IUT
*/
function f_cfHttpUp(
in charstring p_ea_certificate_id := "CERT_TS_A_EA", // TODO Use a constant
in charstring p_ec_certificate_id := "CERT_TS_A_EC",
in charstring p_peerCertificateId := "CERT_IUT_A_EA"
in charstring p_aa_certificate_id := "CERT_TS_A_AA"
) runs on ItsPkiHttp /* TITAN TODO: system ItsPkiHttpSystem */ {
map(self:httpPort, system:httpPort);
f_connect4SelfOrClientSync();
f_initialiseSecuredMode(p_ea_certificate_id, p_peerCertificateId);
f_initialiseSecuredMode(p_ea_certificate_id, p_aa_certificate_id); // TODO To be removed???
// Setup EA certificate shared with PKI EA entity
f_readCertificate(p_ea_certificate_id, vc_eaCertificate);
f_readSigningKey(p_ea_certificate_id, vc_eaPrivateKey);
f_readCertificate(p_ec_certificate_id, vc_ecCertificate);
f_readSigningKey(p_ec_certificate_id, vc_ecPrivateKey);
f_readEncryptingKey(p_ea_certificate_id, vc_eaPrivateEncKey);
// f_readSigningKey(p_ea_certificate_id, vc_eaPrivateKey); // TODO To be removed
// f_readCertificate(p_aa_certificate_id, vc_ecCertificate); // TODO To be removed
// f_readSigningKey(p_aa_certificate_id, vc_ecPrivateKey); // TODO To be removed
// f_readEncryptingKey(p_ea_certificate_id, vc_eaPrivateEncKey); // TODO To be removed
f_getCertificateDigest(p_ea_certificate_id, vc_eaHashedId8);
f_getCertificateHash(p_ea_certificate_id, vc_eaWholeHash);
f_getCertificateDigest(p_ec_certificate_id, vc_ecHashedId8);
f_readCertificate(p_peerCertificateId, vc_peerEaCertificate);
f_getCertificateHash(p_peerCertificateId, vc_eaPeerWholeHash);
// Setup AA certificate shared with PKI AA entity
f_readCertificate(p_aa_certificate_id, vc_aaCertificate);
f_getCertificateDigest(p_aa_certificate_id, vc_aaHashedId8);
f_getCertificateHash(p_aa_certificate_id, vc_aaWholeHash);
log("vc_aaHashedId8= ", vc_aaHashedId8);
log("vc_aaWholeHash= ", vc_aaWholeHash);
// f_readCertificate(p_peerCertificateId, vc_peerEaCertificate); // TODO To be removed
// f_getCertificateHash(p_peerCertificateId, vc_eaPeerWholeHash); // TODO To be removed
activate(a_default_pki_http());
} // End of function f_cfHttpUp
......@@ -132,13 +138,13 @@ module LibItsPki_Functions {
// Local variables
// Load certificates
if( not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
if(not(f_loadCertificates(PX_IUT_SEC_CONFIG_NAME))) {
log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
setverdict(inconc);
stop;
}
f_prepareCertificates(p_certificateId, vc_aaCertificate, vc_atCertificate);
// f_prepareCertificates(p_certificateId, vc_aaCertificate, vc_atCertificate);
} // End of function f_initialiseSecuredMode()
function f_uninitialiseSecuredMode() runs on ItsSecurityBaseComponent {
......@@ -220,7 +226,7 @@ module LibItsPki_Functions {
} // End of group ut_port
group http {
group http { // TODO Split into EinnerEc, Authorization & AuthorizationValidation
function f_http_build_inner_ec_request( // TODO Cleanup parameters
out octetstring p_private_key,
......@@ -256,14 +262,22 @@ module LibItsPki_Functions {
log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
if (PICS_SEC_FIXED_KEYS) { // Debug mode: Use fixed values
v_public_enc_key := 'DD4F6B0DF57C6E3BD0E32B565CACA1D858CEB08A5C2BBAB2C23E203C6DE697FF'O;
v_compressed_enc_key_mode := 0;
}
log("*** f_http_build_inner_ec_request: Public encryption key: ", v_public_enc_key);
log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode);
log("*** f_http_build_inner_ec_request: First enrolment: ", PX_FIRST_ENROLMENT);
p_salt := vc_eaWholeHash;
if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
v_ret_code := f_build_pki_secured_request_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate
v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
var Oct32 v_ec_private_key;
var HashedId8 v_ec_hashed_id8;
// Retrieve EC certificate from the first enrolment
// TODO Set v_ec_private_key & v_ec_hashed_id8
v_ret_code := f_build_pki_secured_request_message(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
}
if (v_ret_code == false) {
log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
......@@ -300,8 +314,13 @@ module LibItsPki_Functions {
log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop);
// Modify signature to get an error
if (ischosen(v_inner_ec_request_signed_for_pop.content.signedData.signature_.ecdsaNistP256Signature)) {
v_inner_ec_request_signed_for_pop.content.signedData.signature_.ecdsaNistP256Signature.sSig[1] := bit2oct('10101010'B xor4b oct2bit(v_inner_ec_request_signed_for_pop.content.signedData.signature_.ecdsaNistP256Signature.sSig[1]));
} else {
v_inner_ec_request_signed_for_pop.content.signedData.signature_.ecdsaBrainpoolP256r1Signature.sSig[1] := bit2oct('10101010'B xor4b oct2bit(v_inner_ec_request_signed_for_pop.content.signedData.signature_.ecdsaBrainpoolP256r1Signature.sSig[1]));
}
// Secure InnerEcRequestSignedForPoP message
if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
......@@ -312,57 +331,98 @@ module LibItsPki_Functions {
log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash;
if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
v_ret_code := f_build_pki_secured_request_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate
v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
var Oct32 v_ec_private_key;
var HashedId8 v_ec_hashed_id8;
// Retrieve EC certificate from the first enrolment
// TODO Set v_ec_private_key & v_ec_hashed_id8
v_ret_code := f_build_pki_secured_request_message(v_ec_private_key, valueof(m_signerIdentifier_digest(v_ec_hashed_id8)), v_ec_hashed_id8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
}
if (v_ret_code == false) {
log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
log("*** f_http_build_invalid_enrolment_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data = ", p_ieee1609dot2_signed_and_encrypted_data);
} // End of function f_http_build_invalid_enrolment_request
function f_http_build_inner_at_request(
out octetstring p_private_key,
out octetstring p_publicKeyCompressed,
out integer p_compressedMode,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct32 p_request_hash
) runs on ItsPkiHttp {
// Local variables
function f_http_build_authorization_request(
in Certificate p_ec_certificate, // Enrolment credentials certificate
in octetstring p_ec_private_key,
out octetstring p_private_key,
out octetstring p_publicKeyCompressed,
out integer p_compressedMode,
out octetstring p_private_enc_key,
out octetstring p_publicEncKeyCompressed,
out integer p_compressedEncMode,
out Oct16 p_aes_sym_key,
out Oct16 p_encrypted_sym_key,
out Oct16 p_authentication_vector,
out Oct12 p_nonce,
out octetstring p_salt,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct32 p_request_hash
) runs on ItsPkiHttp {
// Local variables
var InnerAtRequest v_authorization_request;
var bitstring v_authorization_request_msg;
var octetstring v_public_key_x;
var octetstring v_public_key_y;
var octetstring v_public_enc_key_x;
var octetstring v_public_enc_key_y;
var octetstring v_public_enc_key;
var integer v_compressed_enc_key_mode;
var InnerAtRequest v_inner_at_request;
var Ieee1609Dot2Data v_inner_at_request_data;
var InnerAtRequest v_authorization_request;
var bitstring v_authorization_request_msg;
// Generate verification keys for the certificate to be requested
if (f_generate_key_pair_nistp256(p_private_key, v_public_key_x, v_public_key_y, p_publicKeyCompressed, p_compressedMode) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate verification key ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
// Generate encryption keys for the certificate to be requested
if (PX_INCLUDE_ENCRYPTION_KEYS) {
if (f_generate_key_pair_nistp256(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_publicEncKeyCompressed, p_compressedEncMode) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate encryption key ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
}
if (f_generate_authorization_request(vc_eaCertificate, vc_eaHashedId8, p_private_key, p_publicKeyCompressed, p_compressedMode, v_authorization_request) == false) {
if (f_generate_inner_at_request(vc_eaCertificate, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, v_public_key_x, v_public_key_y, p_compressedMode, p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_compressedEncMode, v_inner_at_request) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
// Secure the Pki message
if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
log("v_inner_at_request= ", v_inner_at_request);
if (PX_AUTHORIZATION_REQUEST_WITH_POP) {
// TODO Set Ieee1609Dot2Data p_inner_at_request_data
} // else TODO Check what to do
// Secure InnerAtRequest message
if (f_extract_enc_key(vc_aaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
log("*** f_http_build_inner_ec_request: ERROR: Non canonical AA certificate ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
if (PICS_SEC_FIXED_KEYS) { // Debug mode: Use fixed values
v_public_enc_key := 'DD4F6B0DF57C6E3BD0E32B565CACA1D858CEB08A5C2BBAB2C23E203C6DE697FF'O;
v_compressed_enc_key_mode := 0;
}
log("*** f_http_build_authorization_request: Public encryption key: ", v_public_enc_key);
log("*** f_http_build_authorization_request: Public encryption key comp: ", v_compressed_enc_key_mode);
/**
TODO: Load certificate according to the IUT role
==> a complete fucntion which set up the TestSustem certificate,keyy... according to the IUT role
**/
log("*** f_http_build_inner_ec_request: ERROR: Need to add TestSystem variable vc_aa ***");
f_selfOrClientSyncAndVerdict("error", e_error);
/* if (f_build_pki_secured_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_request(v_authorization_request))), p_ieee1609dot2_signed_and_encrypted_data, p_request_hash) == false) { */
/* log("*** f_http_build_authorization_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); */
/* f_selfOrClientSyncAndVerdict("error", e_error); */
/* } */
log("*** f_http_build_authorization_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data = ", p_ieee1609dot2_signed_and_encrypted_data);
} // End of function f_http_build_inner_at_request
log("*** f_http_build_authorization_request: First enrolment: ", PX_FIRST_ENROLMENT);
p_salt := vc_aaWholeHash;
log("*** f_http_build_authorization_request: p_salt: ", p_salt);
if(f_build_pki_secured_request_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_aaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_authorization_request(v_inner_at_request))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate Authorization Request ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** f_http_build_authorization_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data);
log("*** f_http_build_authorization_request: DEBUG: p_request_hash= ", p_request_hash);
} // End of function f_http_build_authorization_request
function f_http_build_authorization_validation_request(
out octetstring p_private_key,
......@@ -376,10 +436,10 @@ module LibItsPki_Functions {
var octetstring v_public_enc_key;
var integer v_compressed_enc_key_mode;
if (f_generate_authorization_validation_request(vc_eaCertificate, vc_eaHashedId8, p_private_key, p_publicKeyCompressed, p_compressedMode, v_authorization_validation_request) == false) {
/* TODO if (f_generate_authorization_validation_request(vc_eaCertificate, vc_eaHashedId8, p_private_key, p_publicKeyCompressed, p_compressedMode, v_authorization_validation_request) == false) {
log("*** f_http_build_authorization_validation_request: ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
}*/
// Secure the Pki message
if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
......@@ -395,7 +455,7 @@ module LibItsPki_Functions {
**/
log("*** f_http_build_inner_ec_request: ERROR: Need to add TestSystem variable vc_aa ***");
f_selfOrClientSyncAndVerdict("error", e_error);
/* if (f_build_pki_secured_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), p_ieee1609dot2_signed_and_encrypted_data, p_request_hash) == false) { */
/* if (f_build_pki_secured_request_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), p_ieee1609dot2_signed_and_encrypted_data, p_request_hash) == false) { */
/* log("*** f_http_build_authorization_validation_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); */
/* f_selfOrClientSyncAndVerdict("error", e_error); */
/* } */
......@@ -639,122 +699,99 @@ module LibItsPki_Functions {
group inner_at_xxx {
function f_generate_inner_at_request(
in Certificate p_ea_certificate,
in Oct8 p_ea_hashed_id8,
in Certificate p_ec_certificate,
in octetstring p_ec_private_key,
in octetstring p_private_key,
in Certificate p_ea_certificate,
in HashedId8 p_eaHashedId8,
in boolean p_itss_privacy,
out octetstring p_private_enc_key,
out octetstring p_publicEncKeyCompressed,
out integer p_compressedMode,
out InnerAtRequest p_inner_at_request,
out Ieee1609Dot2Data p_inner_at_request_data
in octetstring p_public_key_x,
in octetstring p_public_key_y,
in integer p_compressed_key_mode,
in octetstring p_private_enc_key,
in octetstring p_public_enc_key_x,
in octetstring p_public_enc_key_y,
in integer p_compressed_enc_key_mode,
out InnerAtRequest p_inner_at_request
) return boolean {
// Local variables
var bitstring v_enc_value;
var octetstring v_ec_hash;
var Oct8 v_ec_hashed_id8;
var octetstring public_enc_key_x;
var octetstring public_enc_key_y;
var template (value) EccP256CurvePoint v_eccP256_curve_point;
var Oct32 v_hmac_key;
var octetstring v_message_to_tag;
var Oct16 v_key_tag;
var octetstring v_whole_certificate_hash;
var octetstring v_hash_shared_at_request;
var template (value) ToBeSignedData v_tbs;
var octetstring v_tbs_signed;
var Ieee1609Dot2Data v_signed_ec_signature;
// Generate encryption keys for the certificate to be requested
if (f_generate_key_pair_nistp256(p_private_enc_key, public_enc_key_x, public_enc_key_y, p_publicEncKeyCompressed, p_compressedMode) == false) {
return false;
}
if (p_compressedMode == 0) {
v_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_0(p_publicEncKeyCompressed);
var template (value) EccP256CurvePoint v_eccP256_curve_point;
var template (value) EccP256CurvePoint v_enc_eccP256_curve_point;
var HashAlgorithm v_hashId;
// Calculate the whole certificate SHA
v_enc_value := encvalue(p_ec_certificate);
if (ischosen(p_ec_certificate.issuer.sha256AndDigest)) {
v_ec_hash := f_hashWithSha256(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_HashedId8FromSha256(v_ec_hash);
} else {
v_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(p_publicEncKeyCompressed);
v_ec_hash := f_hashWithSha384(bit2oct(v_enc_value));
v_ec_hashed_id8 := f_HashedId8FromSha384(v_ec_hash);
}
log("v_ec_hash= ", v_ec_hash);
// Generate 32 octets length secret key
v_hmac_key := f_hashWithSha256(int2oct(f_getCurrentTime(), 12));
log("v_hmac_key=", v_hmac_key);
log("v_hmac_key= ", v_hmac_key);
// Generate tag based on the concatenation of ???
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey)) {
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256)) {
if (ischosen(p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0)) {
v_message_to_tag := '02'O & p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0;
} else {
v_message_to_tag := '03'O & p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_1;
}
} else {
// TODO
/* if (ischosen(p_ec_certificate.verifyKeyIndicator.ecdsaBrainpoolP256.compressed_y_0)) { */
/* v_message_to_tag := '02'O & p_ec_certificate.verifyKeyIndicator.ecdsaBrainpoolP256.compressed_y_0; */
/* } else { */
/* v_message_to_tag := '03'O & p_ec_certificate.verifyKeyIndicator.ecdsaBrainpoolP256.compressed_y_1; */
/* } */
}
} else {
return false;
}
if (p_compressedMode == 0) {
v_message_to_tag := v_message_to_tag & '02'O & p_publicEncKeyCompressed;
} else {
v_message_to_tag := v_message_to_tag & '03'O & p_publicEncKeyCompressed;
}
log("v_message_to_tag=", v_message_to_tag);
// Generate tag based on the concatenation of verification keys & encryption keys
v_message_to_tag := p_public_key_x & p_public_key_y & p_public_enc_key_x & p_public_enc_key_y;
log("v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional
v_key_tag := fx_hmac_sha256(v_hmac_key, v_message_to_tag); // TODO Rename and use a wrapper function
log("v_key_tag=", v_key_tag);
log("v_key_tag= ", v_key_tag);
// Build the SharedAtRequest
p_inner_at_request.publicKeys := valueof(
m_publicKeys(
m_publicVerificationKey_ecdsaNistP256(
p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256
),
m_encryptionKey(
-,
m_publicEncryptionKey_ecdsaNistP256(v_eccP256_curve_point)
)
)
);
p_inner_at_request.hmacKey := v_hmac_key;
p_inner_at_request.sharedAtRequest := valueof(
m_shared_at_request(
p_eaHashedId8,
v_key_tag,
valueof(
m_certificate_subject_attributes( // FIXME Review subjectPermissions
p_ec_certificate.toBeSigned.appPermissions,
{ { subjectPermissions := { all_ := NULL }, minChainLength := 1, chainLengthRange := 0, eeType := '00000000'B } },
p_ec_certificate.toBeSigned.id,
p_ec_certificate.toBeSigned.validityPeriod,
p_ec_certificate.toBeSigned.region,
p_ec_certificate.toBeSigned.assuranceLevel
))));
p_inner_at_request.sharedAtRequest := valueof(
m_shared_at_request(
p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity
substr(v_key_tag, 0, 16), // Calculated keyTag
valueof(
m_certificate_subject_attributes( // FIXME Review subjectPermissions
p_ec_certificate.toBeSigned.appPermissions,
{ { subjectPermissions := { all_ := NULL }, minChainLength := 1, chainLengthRange := 0, eeType := '00000000'B } },
p_ec_certificate.toBeSigned.id,
p_ec_certificate.toBeSigned.validityPeriod,
p_ec_certificate.toBeSigned.region,
p_ec_certificate.toBeSigned.assuranceLevel
))) // Desired attributes
);
// Calculate the hash of the SharedAtRequest
v_hash_shared_at_request := f_hashWithSha256(bit2oct(encvalue(p_inner_at_request.sharedAtRequest)));
log("v_hash_shared_at_request=", v_hash_shared_at_request);
// Build the ToBeSigned payload
log("v_hash_shared_at_request= ", v_hash_shared_at_request);
// Build the ETsiTs103097Data-SignedExternalPayload
v_tbs := m_toBeSignedData(
m_signedDataPayload_ext(v_hash_shared_at_request),
m_headerInfo_inner_ec_request(
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_ec_request( // HeaderInfo
c_its_aid_SCR,
f_getCurrentTimeUtc())
);
log("v_tbs=", v_tbs);
// Signed ToBeSigned payload
v_whole_certificate_hash := f_hashWithSha256(bit2oct(encvalue(p_ec_certificate)));
log("v_whole_certificate_hash=", v_whole_certificate_hash);
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), v_whole_certificate_hash, p_private_key);
log("v_tbs= ", v_tbs);
// Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), v_ec_hash, p_ec_private_key);
// In case of ITS-S privacy, v_signed_ec_signature contained the data to be encrypted
if (ischosen(p_ec_certificate.signature_.ecdsaBrainpoolP384r1Signature)) {
v_hashId := sha384;
} else {
v_hashId := sha256;
}
v_signed_ec_signature := valueof(
m_etsiTs103097Data_signed(
m_signedData(
sha256,
v_hashId,
v_tbs,
m_signerIdentifier_digest(
f_HashedId8FromSha256(
v_whole_certificate_hash
)
),
m_signerIdentifier_digest(v_ec_hashed_id8), // Signer is thehasheId8 of the EC certificate obtained from Enrolment request
m_signature_ecdsaNistP256(
m_ecdsaP256Signature(
m_eccP256CurvePoint_x_only(
......@@ -766,8 +803,9 @@ module LibItsPki_Functions {
)
)
);
// Encrypt EcSignature with EA certificate
if (p_itss_privacy) {
log("v_signed_ec_signature= ", v_signed_ec_signature);
if (PICS_ITS_S_WITH_PRIVACY) { // Build EtsiTs102097Data-Encrypted structure
var octetstring v_public_enc_key;
var integer v_compressed_mode;
var Oct12 v_nonce;
......@@ -778,7 +816,8 @@ module LibItsPki_Functions {
var octetstring v_publicEphemeralKeyCompressed;
var integer v_ephemeralKeyModeCompressed;
var octetstring v_enc_signed_ec_signature;
// Use EA certificate for the encryption
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
v_compressed_mode := 0;
......@@ -788,9 +827,9 @@ module LibItsPki_Functions {
} else {
return false;
}
v_enc_signed_ec_signature := f_encryptWithEciesNistp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_publicEphemeralKeyCompressed, v_ephemeralKeyModeCompressed, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce);
v_recipientId := p_eaHashedId8;
log("v_recipientId=", v_recipientId);
v_enc_signed_ec_signature := f_encryptWithEciesNistp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_publicEphemeralKeyCompressed, v_ephemeralKeyModeCompressed, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
v_recipientId := p_ea_hashed_id8; // RecipientId is the HashedId8 of the EA certificate
log("v_recipientId= ", v_recipientId);
// Fill Certificate template with the public compressed keys (canonical form)
if (v_ephemeralKeyModeCompressed == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_publicEphemeralKeyCompressed));
......@@ -808,13 +847,13 @@ module LibItsPki_Functions {
m_encryptedDataEncryptionKey_eciesNistP256(
m_evciesP256EncryptedKey(
v_eccP256_curve_point,
v_encrypted_sym_key,
v_encrypted_sym_key,
v_authentication_vector
))))
},
m_SymmetricCiphertext_aes128ccm(
m_aesCcmCiphertext(
v_nonce,
v_nonce,
v_enc_signed_ec_signature
)
)
......@@ -822,150 +861,69 @@ module LibItsPki_Functions {
)
)
);
} else {
} else { // Skip the encryption, alowed to be re-identified by the AA
p_inner_at_request.ecSignature := valueof(m_ec_signature_ext_payload(v_signed_ec_signature));
}
log("p_inner_at_request=", p_inner_at_request);
// Build the InnerAtRequest, EcSignature field is already set
if (p_compressed_key_mode == 0) {
v_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_0(p_public_key_x);
} else {
v_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(p_public_key_x);
}
if (p_compressed_enc_key_mode == 0) {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_0(p_public_enc_key_x);
} else {
v_enc_eccP256_curve_point := m_eccP256CurvePoint_compressed_y_1(p_public_enc_key_x);
}
p_inner_at_request.publicKeys := valueof( // The freshly generated public keys to be used for the requested AT certificate
m_publicKeys(
m_publicVerificationKey_ecdsaNistP256(
v_eccP256_curve_point
),
m_encryptionKey( // FIXME Encryption keys could be optional
-,
m_publicEncryptionKey_ecdsaNistP256(v_enc_eccP256_curve_point)
)
)
);
p_inner_at_request.hmacKey := v_hmac_key;
log("p_inner_at_request= ", p_inner_at_request);
return true;
} // End of function f_generate_inner_at_request
function f_generate_inner_at_response(
in Certificate p_ec_certificate,
in octetstring p_private_key,
in HashedId8 p_eaHashedId8,
out octetstring p_private_enc_key,
out octetstring p_publicEncKeyX,
out octetstring p_publicEncKeyY,
out octetstring p_publicEncKeyCompressed,
out integer p_compressedMode,
out InnerAtRequest p_inner_at_request,
out Ieee1609Dot2Data p_inner_at_request_data
in octetstring p_authorization_request_hash,
in EtsiTs103097Certificate p_certificate,
out InnerAtResponse p_authorization_response
) return boolean {
// Local variables
return false;
} // End of function f_generate_inner_at_response
} // End of group inner_at_xxx
group authorization_xxx {
function f_generate_authorization_request(
in Certificate p_ea_certificate,
in HashedId8 p_ea_certificate_hashed_id8,
out octetstring p_private_key,
out octetstring p_publicKeyCompressed,
out integer p_compressedMode,
out InnerAtRequest p_authorization_request
) return boolean {
// Local variables
var octetstring v_private_enc_key;
var Oct32 v_publicEncKeyCompressed;
var integer v_compressedMode;
var InnerEcRequest v_inner_ec_request;
var Certificate v_ec_certificate;
var InnerAtRequest v_inner_at_request;
var Ieee1609Dot2Data v_inner_at_request_data;
if (f_generate_inner_ec_request(p_private_key, p_publicKeyCompressed, p_compressedMode, v_inner_ec_request) == false) {
return false;
}
if (f_generate_ec_certificate(p_private_key, v_inner_ec_request, v_ec_certificate) == false) {
return false;
}
if (f_generate_inner_at_request(v_ec_certificate, p_private_key, p_ea_certificate, p_ea_certificate_hashed_id8, true, v_private_enc_key, v_publicEncKeyCompressed, v_compressedMode, v_inner_at_request, v_inner_at_request_data) == false) {
return false;
}
p_authorization_request.sharedAtRequest := v_inner_at_request.sharedAtRequest;
p_authorization_request.ecSignature := v_inner_at_request.ecSignature;
log("f_generate_authorization_request: ", p_authorization_request);
return true;
} // End of function f_generate_authorization_request
function f_generate_authorization_response(
in octetstring p_authorization_request_hash,
in CertificateSubjectAttributes p_Certificate_subject_attributes,
out InnerAtResponse p_authorization_response
) return boolean {
// Local variables
// Build the Proof of Possession InnerAtResponse
/*p_authorization_response := valueof(
// Build the Proof of Possession InnerEcResponse
p_authorization_response := valueof(
m_innerAtResponse_ok(
p_authorization_request_hash,
p_Certificate_subject_attributes
substr(p_authorization_request_hash, 0, 16),
p_certificate
)
);*/
);
return true;
} // End of function f_generate_authorization_response
} // End of function f_generate_inner_at_response
} // End of group inner_at_xxx
group authorization_xxx {
} // End of group authorization_xxx
group authorization_validation_xxx {
function f_generate_authorization_validation_request(
in Certificate p_ea_certificate,
in HashedId8 p_ea_certificate_hashed_id8,
out octetstring p_private_key,
out octetstring p_publicKeyCompressed,
out integer p_compressedMode,
out AuthorizationValidationRequest p_authorization_validation_request
) return boolean {
// Local variables
var octetstring v_private_enc_key;
var Oct32 v_publicEncKeyCompressed;
var integer v_compressedMode;
var InnerEcRequest v_inner_ec_request;
var Certificate v_ec_certificate;
var InnerAtRequest v_inner_at_request;
var Ieee1609Dot2Data v_inner_at_request_data;
if (f_generate_inner_ec_request(p_private_key, p_publicKeyCompressed, p_compressedMode, v_inner_ec_request) == false) {
return false;
}
if (f_generate_ec_certificate(p_private_key, v_inner_ec_request, v_ec_certificate) == false) {
return false;
}
if (f_generate_inner_at_request(v_ec_certificate, p_private_key, p_ea_certificate, p_ea_certificate_hashed_id8, true, v_private_enc_key, v_publicEncKeyCompressed, v_compressedMode, v_inner_at_request, v_inner_at_request_data) == false) {
return false;
}
p_authorization_validation_request.sharedAtRequest := v_inner_at_request.sharedAtRequest;
p_authorization_validation_request.ecSignature := v_inner_at_request.ecSignature;
log("f_generate_authorization_validation_request: ", p_authorization_validation_request);
return true;
} // End of function f_generate_authorization_validation_request
function f_generate_authorization_validation_response(
in octetstring p_authorization_validation_request_hash,
in CertificateSubjectAttributes p_Certificate_subject_attributes,
out AuthorizationValidationResponse p_authorization_validation_response
) return boolean {
// Local variables
// Build the Proof of Possession InnerEcResponse
p_authorization_validation_response := valueof(
m_authorizationValidationResponse_ok(
substr(p_authorization_validation_request_hash, 0, 16),
p_Certificate_subject_attributes
)
);
return true;
} // End of function f_generate_authorization_validation_response
} // End of group authorization_validation_xxx
group pki_functions {
/**
* @desc Build a signed and encrypted PKI message
* @desc Build a signed and encrypted PKI request message
* @param p_private_key Private key for signature
* @param p_signer_identifier Signer identifier for signature, could be self or certificate HashedId8
* @param p_recipientId Recipient identifier to be inclued in encrypted layer.
......@@ -976,21 +934,21 @@ module LibItsPki_Functions {
* @param p_ieee1609dot2_signed_and_encrypted_data The secured message
* @return true on success, false otherwise
*/
function f_build_pki_secured_message(
in octetstring p_private_key,
in SignerIdentifier p_signer_identifier,
in HashedId8 p_recipientId,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode,
in octetstring p_salt,
in octetstring p_pki_message,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct16 p_aes_sym_key,
out Oct16 p_encrypted_sym_key,
out Oct16 p_authentication_vector,
out Oct12 p_nonce,
out Oct32 p_request_hash
) return boolean {
function f_build_pki_secured_request_message(
in octetstring p_private_key,
in SignerIdentifier p_signer_identifier,
in HashedId8 p_recipientId,
in octetstring p_publicKeyCompressed,
in integer p_compressedMode,
in octetstring p_salt,
in octetstring p_pki_message,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct16 p_aes_sym_key,
out Oct16 p_encrypted_sym_key,
out Oct16 p_authentication_vector,
out Oct12 p_nonce,
out Oct32 p_request_hash
) return boolean {
// Local variables
var template (value) EccP256CurvePoint v_eccP256_curve_point;
var template (value) ToBeSignedData v_tbs;
......@@ -1037,27 +995,29 @@ module LibItsPki_Functions {
// Encode EtsiTs103097Data-Signed data structure
v_encoded_inner_ec_request := bit2oct(encvalue(v_ieee1609dot2_signed_data));
// Calculate the SHA256 of v_encoded_inner_ec_request
p_request_hash := f_hashWithSha256(v_encoded_inner_ec_request);
log("p_request_hash= ", p_request_hash);
if (PICS_SEC_FIXED_KEYS) {
p_request_hash := '10ED97A2F2933DD3AC55F47022D125E18F5E1AA024613E616A75BA4979EFE318'O;
} else {
p_request_hash := f_hashWithSha256(v_encoded_inner_ec_request);
log("p_request_hash= ", p_request_hash);
}
// Encrypt encode EtsiTs103097Data-Signed data structure
if (PICS_SEC_FIXED_KEYS) {
p_publicKeyCompressed := '8C5E20FE31935F6FA682A1F6D46E4468534FFEA1A698B14B0B12513EED8DEB11'O;
p_compressedMode := 0;
p_salt := '9169155B08B07674CBADF75FB46A7B0D'O;
p_salt := '77C0637C3558B3238FDE1EEC376DA080BE4076FB8491CA0F8C19FD34DF298CEB'O;
}
v_encrypted_inner_ec_request := f_encryptWithEciesNistp256WithSha256(v_encoded_inner_ec_request, p_publicKeyCompressed, p_compressedMode, p_salt, v_publicEphemeralKeyCompressed, v_ephemeralKeyModeCompressed, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
log("p_aes_sym_key=", p_aes_sym_key);
log("p_encrypted_sym_key=", p_encrypted_sym_key);
log("p_authentication_vector=", p_authentication_vector);
log("p_nonce=", p_nonce);
log("p_recipientId=", p_recipientId);
log("p_aes_sym_key= ", p_aes_sym_key);
log("p_encrypted_sym_key= ", p_encrypted_sym_key);
log("p_authentication_vector= ", p_authentication_vector);
log("p_nonce= ", p_nonce);
log("p_recipientId= ", p_recipientId);
if (p_recipientId == int2oct(0, 8)) {
log("f_hashWithSha256(v_encrypted_sym_key)=", f_hashWithSha256(p_encrypted_sym_key));
log("f_hashWithSha256(v_encrypted_sym_key)= ", f_hashWithSha256(p_encrypted_sym_key));
v_recipientId := f_HashedId8FromSha256(f_hashWithSha256(p_encrypted_sym_key));
} else {
v_recipientId := p_recipientId;
}
log("v_recipientId=", v_recipientId);
log("v_recipientId= ", v_recipientId);
// Fill Certificate template with the public compressed keys (canonical form)
if (v_ephemeralKeyModeCompressed == 0) {
v_eccP256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(v_publicEphemeralKeyCompressed));
......@@ -1089,7 +1049,94 @@ module LibItsPki_Functions {
);
return true;
} // End of function f_build_pki_secured_message
} // End of function f_build_pki_secured_request_message
/**
* @desc Build a signed and encrypted PKI response message
* @param p_private_key Private key for signature
* @param p_signer_identifier Signer identifier for signature, could be self or certificate HashedId8
* @param p_recipientId Recipient identifier to be inclued in encrypted layer.
* If value is int2oct(0. 8), the recipient id is the HashedId8 of the symmetric key used by the sender to encrypt the message to which the response is built
* @param p_publicKeyCompressed The public compressed key (canonical form) for encryption
* @param p_compressedMode The compressed mode of the public compressed key (canonical form) for encryption
* @param p_pki_message The PKI message to be secured
* @param p_ieee1609dot2_signed_and_encrypted_data The secured message
* @return true on success, false otherwise
*/
function f_build_pki_secured_response_message(
in octetstring p_private_key,
in SignerIdentifier p_signer_identifier,
in octetstring p_pki_message,
in Oct16 p_aes_sym_key,
in Oct12 p_nonce,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data
) return boolean {
// Local variables
var template (value) ToBeSignedData v_tbs;
var octetstring v_tbs_signed;
var template (value) Ieee1609Dot2Data v_ieee1609dot2_signed_data;
var octetstring v_encoded_inner_ec_response;
var HashedId8 v_recipientId;
var octetstring v_encrypted_inner_ec_response;
// Signed the encoded PKI message
v_tbs := m_toBeSignedData(
m_signedDataPayload(
m_etsiTs103097Data_unsecured(p_pki_message)
),
m_headerInfo_inner_ec_response(c_its_aid_SCR, f_getCurrentTimeUtc())
);
if (ischosen(p_signer_identifier.self_)) {
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key);
} else {
var charstring v_certificate_id;
var octetstring v_hash;
fx_readCertificateFromDigest(p_signer_identifier.digest, v_certificate_id); // TODO Add a wrapper function
f_getCertificateHash(v_certificate_id, v_hash);
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), v_hash, p_private_key);
}
// Add the signature and create EtsiTs103097Data-Signed data structure
v_ieee1609dot2_signed_data := m_etsiTs103097Data_signed(
m_signedData(
sha256,
v_tbs,
p_signer_identifier,
m_signature_ecdsaNistP256(
m_ecdsaP256Signature(
m_eccP256CurvePoint_x_only(
substr(v_tbs_signed, 0, 32)
),
substr(v_tbs_signed, 32, 32)
)
)
)
);
// Encode EtsiTs103097Data-Signed data structure
v_encoded_inner_ec_response := bit2oct(encvalue(v_ieee1609dot2_signed_data));
v_encrypted_inner_ec_response := fx_encrypt_aes_128_ccm_test(p_aes_sym_key, p_nonce, v_encoded_inner_ec_response);
v_recipientId := f_HashedId8FromSha256(f_hashWithSha256(p_aes_sym_key));
log("v_recipientId= ", v_recipientId);
// Fill Certificate template with the public compressed keys (canonical form)
p_ieee1609dot2_signed_and_encrypted_data := valueof(
m_etsiTs103097Data_encrypted(
m_encryptedData(
{
m_recipientInfo_pskRecipInfo(
v_recipientId
)
},
m_SymmetricCiphertext_aes128ccm(
m_aesCcmCiphertext(
p_nonce,
v_encrypted_inner_ec_response
)
)
)
)
);
return true;
} // End of function f_build_pki_secured_response_message
/**
* @desc Verify the protocol element of the Pki message.
......@@ -1125,9 +1172,9 @@ module LibItsPki_Functions {
var boolean v_ret;
log(">>> f_verify_pki_message: p_private_enc_key= ", p_private_enc_key);
log(">>> f_verify_pki_message: p_aes_sym_key=", p_aes_sym_key);
log(">>> f_verify_pki_message: p_authentication_vector=", p_authentication_vector);
log(">>> f_verify_pki_message: p_issuer=", p_issuer);
log(">>> f_verify_pki_message: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_pki_message: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_pki_message: p_issuer= ", p_issuer);
// TODO Check p_ieee1609dot2_encrypted_and_signed_data.content.encryptedData.recipients[0].pskRecipInfo. See IEEE Std 1609.2-2017 Clause 6.3.34 PreSharedKeyRecipientInfo
......@@ -1262,30 +1309,32 @@ module LibItsPki_Functions {
out octetstring p_public_enc_key,
out integer p_compressed_enc_key_mode
) return boolean {
log(">>> f_extract_enc_key: ", p_certificate);
if (ischosen(p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256)) {
if (ischosen(p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
p_compressed_enc_key_mode := 0;
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
p_compressed_enc_key_mode := 0;
} else if (ischosen(p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) {
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
p_compressed_enc_key_mode := 1;
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
p_compressed_enc_key_mode := 1;
} else {
log("f_extract_enc_key: Non canonical EA certificate");
log("f_extract_enc_key: Non canonical certificate: ", p_certificate);
return false;
}
} else if (ischosen(p_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1)) {
if (ischosen(p_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
p_compressed_enc_key_mode := 0;
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
p_compressed_enc_key_mode := 0;
} else if (ischosen(p_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) {
p_public_enc_key := p_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1;
p_compressed_enc_key_mode := 0;
} else {
log("f_extract_enc_key: Non canonical EA certificate");
log("f_extract_enc_key: Non canonical certificate: ", p_certificate);
return false;
}
} else {
log("f_extract_enc_key: Invalid EA certificate");
log("f_extract_enc_key: Invalid certificate: ", p_certificate);
return false;
}
......
ttcn/Pki/LibItsPki_Pics.ttcn
View file @ b745c0b2
......@@ -48,13 +48,18 @@ module LibItsPki_Pics {
/**
* @desc Certificate used by the Test System acting as AA
*/
modulepar charstring PICS_TS_AA_CERTIFICATE_ID := "CERT_TS_A_EA";
modulepar charstring PICS_TS_AA_CERTIFICATE_ID := "CERT_AA";
/**
* @desc Certificate used by the Test System
*/
modulepar charstring PICS_HTTP_GET_URI := "/its/inner_ec_request";
modulepar charstring PICS_HTTP_POST_URI := "/its/inner_ec_request";
/**
* @desc ITS-S with privacy
*/
modulepar boolean PICS_ITS_S_WITH_PRIVACY := true;
/**
* @desc Factory private key for verification Nist P256
*/
......
ttcn/Pki/LibItsPki_Pixits.ttcn
View file @ b745c0b2
module LibItsPki_Pixits {
/**
* @desc Is the first enrolment?
*/
modulepar boolean PX_FIRST_ENROLMENT := true;
/**
* @desc Do the encryption keys be included in Authorization Request?
*/
modulepar boolean PX_INCLUDE_ENCRYPTION_KEYS := true;
/**
* @desc Do the Authorization Request use SignedWithPop mechanism?
*/
modulepar boolean PX_AUTHORIZATION_REQUEST_WITH_POP := true;
} // End of module LibItsPki_Pixits
ttcn/Pki/LibItsPki_Templates.ttcn
View file @ b745c0b2
......@@ -55,23 +55,23 @@ module LibItsPki_Templates {
}
} // End of template m_etsiTs102941Data_inner_ec_response
template (value) EtsiTs102941Data m_etsiTs102941Data_inner_at_request(
in template (value) InnerAtRequest p_inner_at_request
) := {
template (value) EtsiTs102941Data m_etsiTs102941Data_authorization_request(
in template (value) InnerAtRequest p_inner_at_request
) := {
version := PkiProtocolVersion,
content := {
authorizationRequest := p_inner_at_request
}
} // End of template m_etsiTs102941Data_inner_at_request
} // End of template m_etsiTs102941Data_authorization_request
template (value) EtsiTs102941Data m_etsiTs102941Data_inner_at_response(
in template (value) InnerAtResponse p_inner_at_response
) := {
template (value) EtsiTs102941Data m_etsiTs102941Data_authorization_response(
in template (value) InnerAtResponse p_inner_at_response
) := {
version := PkiProtocolVersion,
content := {
authorizationResponse := p_inner_at_response
}
} // End of template m_etsiTs102941Data_inner_at_response
} // End of template m_etsiTs102941Data_authorization_response
template (value) EtsiTs102941Data m_etsiTs102941Data_authorization_validation_request(
in template (value) AuthorizationValidationRequest p_authorization_validation_request
......
ttcn/Pki/LibItsPki_TestSystem.ttcn
View file @ b745c0b2
......@@ -67,14 +67,16 @@ module LibItsPki_TestSystem {
type component ItsPkiHttp extends ItsSecurityBaseComponent, HttpComponent {
var Certificate vc_eaCertificate; /** Test Adapter EA certificate */
var octetstring vc_eaPrivateKey; /** Test Adapter EA private key for signature */
var Certificate vc_ecCertificate; /** Test Adapter EC certificate */
var octetstring vc_ecPrivateKey; /** Test Adapter EC private key for signature */
// var Certificate vc_ecCertificate; /** Test Adapter AA certificate */
// var octetstring vc_ecPrivateKey; /** Test Adapter AA private key for signature */
var octetstring vc_eaPrivateEncKey; /** Test Adapter EA private key for encryption */
var HashedId8 vc_eaHashedId8; /** Test Adapter EA HashedId8 for decryption of IUT's response */
var octetstring vc_eaWholeHash; /** TS EA whole-hash for signature check */
var HashedId8 vc_ecHashedId8; /** Test Adapter EC HashedId8 for decryption of IUT's response */
var Certificate vc_peerEaCertificate; /** IUT EA certificate for signature check */
var octetstring vc_eaPeerWholeHash; /** IUT EA whole-hash for signature check */
var HashedId8 vc_aaHashedId8; /** Test Adapter AA HashedId8 for decryption of IUT's response */
var octetstring vc_aaWholeHash; /** TS AA whole-hash for signature check */
// var HashedId8 vc_ecHashedId8; /** Test Adapter AA HashedId8 for decryption of IUT's response */
// var Certificate vc_peerEaCertificate; /** IUT EA certificate for signature check */
// var octetstring vc_eaPeerWholeHash; /** IUT EA whole-hash for signature check */
} // End of component ItsPki
/**
......
ttcn/Security/LibItsSecurity_Functions.ttcn
View file @ b745c0b2
......@@ -608,11 +608,11 @@ module LibItsSecurity_Functions {
out Oct32 p_publicKeyCompressed,
out integer p_compressedMode
) return boolean {
if (PICS_SEC_FIXED_KEYS) {
p_privateKey := 'D418760F0CB2DCB856BC3C7217AD3AA36DB6742AE1DB655A3D28DF88CBBF84E1'O;
p_publicKeyX := 'EE9CC7FBD9EDECEA41F7C8BD258E8D2E988E75BD069ADDCA1E5A38E534AC6818'O;
p_publicKeyY := '5AE3C8D9FE0B1FC7438F29417C240F8BF81C358EC1A4D0C6E98D8EDBCC714017'O;
p_publicKeyCompressed := 'EE9CC7FBD9EDECEA41F7C8BD258E8D2E988E75BD069ADDCA1E5A38E534AC6818'O;
if (PICS_SEC_FIXED_KEYS) { // Debug mode: Use fixed values
p_privateKey := '43481BC44C073C1432DB6EC4F0EF57062BEA08E4C19F811567325AD1FD1C6577'O;
p_publicKeyX := '0B5D74B033531C51D17B4F218DD4E39289AE4BF2EE3D7BAB7C07DAF0C14F0317'O;
p_publicKeyY := '5D49B139A9237832FDE24D77555878CE65D6C2284A1BDA4CE08ABDD4071E0255'O;
p_publicKeyCompressed := '0B5D74B033531C51D17B4F218DD4E39289AE4BF2EE3D7BAB7C07DAF0C14F0317'O;
p_compressedMode := 1;
return true;
......
ttcn/Security/LibItsSecurity_Templates.ttcn
View file @ b745c0b2
......@@ -1015,6 +1015,11 @@ module LibItsSecurity_Templates {
in template (value) Time64 p_generationTime
) modifies m_headerInfo_gn := {};
template (omit) HeaderInfo m_headerInfo_inner_ec_response(
in template (value) Psid p_psid := c_its_aid_GN,
in template (value) Time64 p_generationTime
) modifies m_headerInfo_gn := {};
} // End of group headerFields
group signatures {
......