Skip to content
GitLab
Projects
Groups
Topics
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
TTCN-3 Libraries
LibIts
Compare revisions
a944e1ac531f806374c7b969701bb04363045250...c59baf961ec499e041a3224fd2308f9381791810
Commits (2)
Bug fixed on generationTime calculation
· 50f63dfd
Yann Garcia
authored
Feb 18, 2019
50f63dfd
Continue PKI ATS development
· c59baf96
Yann Garcia
authored
Feb 18, 2019
c59baf96
Hide whitespace changes
Inline
Side-by-side
ttcn/Pki/LibItsPki_Functions.ttcn
View file @
c59baf96
...
...
@@ -706,7 +706,7 @@ module LibItsPki_Functions {
var
bitstring
v_authorization_request_msg
;
// Generate the InnerAtRequest
if
(
f_generate_inner_at_request
(
vc_
e
aCertificate
,
vc_eaHashedId8
,
p_ec_certificate
,
p_ec_private_key
,
p_private_key
,
p_public_key_compressed
,
p_compressed_key_mode
,
p_private_enc_key
,
p_public_compressed_enc_key
,
p_compressed_enc_key_mode
,
v_inner_at_request
)
==
false
)
{
if
(
f_generate_inner_at_request
(
vc_
a
aCertificate
,
vc_aaHashedId8
,
vc_eaHashedId8
,
p_ec_certificate
,
p_ec_private_key
,
p_private_key
,
p_public_key_compressed
,
p_compressed_key_mode
,
p_private_enc_key
,
p_public_compressed_enc_key
,
p_compressed_enc_key_mode
,
v_inner_at_request
)
==
false
)
{
log
(
"*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***"
);
f_selfOrClientSyncAndVerdict
(
"error"
,
e_error
);
return
;
...
...
@@ -1285,7 +1285,7 @@ module LibItsPki_Functions {
),
m_headerInfo_inner_pki_request
(
-
,
f_getCurrentTime
Utc
()
(
f_getCurrentTime
()
*
1000
)
//us
)
);
// Signed the encoded InnerEcRequestSignedForPop
...
...
@@ -1387,7 +1387,8 @@ module LibItsPki_Functions {
group
inner_at_xxx
{
function
f_generate_inner_at_request
(
in
Certificate
p_ea_certificate
,
in
Certificate
p_aa_certificate
,
in
Oct8
p_aa_hashed_id8
,
in
Oct8
p_ea_hashed_id8
,
in
Certificate
p_ec_certificate
,
in
octetstring
p_ec_private_key
,
...
...
@@ -1434,6 +1435,10 @@ module LibItsPki_Functions {
if
(
f_generate_key_pair
(
p_private_enc_key
,
v_public_enc_key_x
,
v_public_enc_key_y
,
p_public_compressed_enc_key
,
p_compressed_enc_key_mode
)
==
false
)
{
log
(
"f_generate_inner_at_request: Failed to generate encryption key"
);
return
false
;
}
else
{
log
(
"f_generate_inner_at_request: AT encryption private key: "
,
p_private_enc_key
);
log
(
"f_generate_inner_at_request: AT encryption public compressed key: "
,
p_public_compressed_enc_key
);
log
(
"f_generate_inner_at_request: AT encryption public compressed mode: "
,
p_compressed_enc_key_mode
);
}
}
else
{
p_private_enc_key
:=
''
O
;
...
...
@@ -1453,20 +1458,26 @@ module LibItsPki_Functions {
log
(
"f_generate_inner_at_request: v_ec_hash= "
,
v_ec_hash
);
// Generate 32 octets length secret key
v_hmac_key
:=
f_hashWithSha256
(
int2oct
(
f_getCurrentTime
(
),
12
));
v_hmac_key
:=
f_hashWithSha256
(
int2oct
(
(
f_getCurrentTime
Utc
()
*
1000
),
12
));
log
(
"f_generate_inner_at_request: v_hmac_key= "
,
v_hmac_key
);
// Generate tag based on the concatenation of verification keys & encryption keys
v_message_to_tag
:=
v_public_key_x
&
v_public_key_y
&
v_public_enc_key_x
&
v_public_enc_key_y
;
log
(
"f_generate_inner_at_request: v_message_to_tag= "
,
v_message_to_tag
);
// FIXME encryption keys could be optional
v_key_tag
:=
fx_hmac_sha256
(
v_hmac_key
,
v_message_to_tag
);
// TODO Rename and use a wrapper function
v_key_tag
:=
substr
(
fx_hmac_sha256
(
// TODO Rename and use a wrapper function
v_hmac_key
,
v_message_to_tag
),
0
,
16
);
// Leftmost 128 bits of the HMAC-SHA256 tag computed previously
log
(
"f_generate_inner_at_request: v_key_tag= "
,
v_key_tag
);
// Build the SharedAtRequest
p_inner_at_request
.
sharedAtRequest
:=
valueof
(
m_shared_at_request
(
p_ea_hashed_id8
,
// eaId identifies the EA certificate shared with EA entity
substr
(
v_key_tag
,
0
,
16
),
// Calculated keyTag
v_key_tag
,
// Calculated keyTag
valueof
(
m_certificate_subject_attributes
(
// FIXME Review subjectPermissions
p_ec_certificate
.
toBeSigned
.
appPermissions
,
...
...
@@ -1486,7 +1497,7 @@ module LibItsPki_Functions {
m_signedDataPayload_ext
(
v_hash_shared_at_request
),
// Payload containing extDataHash
m_headerInfo_inner_pki_request
(
// HeaderInfo
-
,
f_getCurrentTime
Utc
())
(
f_getCurrentTime
())
*
1000
)
//us
);
log
(
"f_generate_inner_at_request: v_tbs= "
,
v_tbs
);
// Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request
...
...
@@ -1563,11 +1574,11 @@ module LibItsPki_Functions {
// Use EA certificate for the encryption
if
(
PX_EC_ALG
==
e_nist_p256
)
{
if
(
ischosen
(
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_0
))
{
v_public_enc_key
:=
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_0
;
if
(
ischosen
(
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_0
))
{
v_public_enc_key
:=
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_0
;
v_compressed_mode
:=
0
;
}
else
if
(
ischosen
(
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_1
))
{
v_public_enc_key
:=
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_1
;
}
else
if
(
ischosen
(
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_1
))
{
v_public_enc_key
:=
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesNistP256
.
compressed_y_1
;
v_compressed_mode
:=
1
;
}
else
{
log
(
"f_generate_inner_at_request: Wrong NistP256 encryption variant"
);
...
...
@@ -1597,11 +1608,11 @@ module LibItsPki_Functions {
v_authentication_vector
)));
}
else
if
(
PX_EC_ALG
==
e_brainpool_p256_r1
)
{
if
(
ischosen
(
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_0
))
{
v_public_enc_key
:=
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_0
;
if
(
ischosen
(
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_0
))
{
v_public_enc_key
:=
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_0
;
v_compressed_mode
:=
0
;
}
else
if
(
ischosen
(
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_1
))
{
v_public_enc_key
:=
p_
e
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_1
;
}
else
if
(
ischosen
(
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_1
))
{
v_public_enc_key
:=
p_
a
a_certificate
.
toBeSigned
.
encryptionKey
.
publicKey
.
eciesBrainpoolP256r1
.
compressed_y_1
;
v_compressed_mode
:=
1
;
}
else
{
log
(
"f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant"
);
...
...
@@ -1626,7 +1637,7 @@ module LibItsPki_Functions {
log
(
"f_generate_inner_at_request: Wrong encryption variant"
);
return
false
;
}
v_recipientId
:=
p_
e
a_hashed_id8
;
// RecipientId is the HashedId8 of the EA certificate
v_recipientId
:=
p_
a
a_hashed_id8
;
// RecipientId is the HashedId8 of the EA certificate
log
(
"v_recipientId= "
,
v_recipientId
);
// Fill Certificate template with the public compressed keys (canonical form)
if
(
v_public_compressed_ephemeral_mode
==
0
)
{
...
...
@@ -1966,7 +1977,7 @@ module LibItsPki_Functions {
m_signedDataPayload
(
m_etsiTs103097Data_unsecured
(
p_pki_message
)
),
m_headerInfo_inner_pki_request
(
-
,
f_getCurrentTime
Utc
()
)
m_headerInfo_inner_pki_request
(
-
,
(
f_getCurrentTime
()
*
1000
)
/*us*/
)
);
log
(
"f_build_pki_secured_request_message_signed_with_pop: signer: "
,
p_signer_identifier
);
if
(
PICS_SECPKI_REENROLMENT
==
false
)
{
// This is the first enrolment, we used Factory keys
...
...
@@ -2367,7 +2378,7 @@ module LibItsPki_Functions {
m_signedDataPayload
(
m_etsiTs103097Data_unsecured
(
p_pki_message
)
),
m_headerInfo_inner_pki_response
(
-
,
f_getCurrentTime
Utc
()
)
m_headerInfo_inner_pki_response
(
-
,
(
f_getCurrentTime
()
*
1000
)
/*us*/
)
);
if
(
ischosen
(
p_signer_identifier
.
self_
))
{
v_tbs_signed
:=
f_signWithEcdsaNistp256WithSha256
(
bit2oct
(
encvalue
(
v_tbs
)),
int2oct
(
0
,
32
),
p_private_key
);
...
...