...@@ -232,11 +232,10 @@ module LibItsPki_Functions { ...@@ -232,11 +232,10 @@ module LibItsPki_Functions {
out Oct12 p_nonce, out Oct12 p_nonce,
out octetstring p_salt, out octetstring p_salt,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data, out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct32 p_hash_inner_ec_request_signed_for_pop out Oct32 p_request_hash
) runs on ItsPkiHttp { ) runs on ItsPkiHttp {
var InnerEcRequest v_inner_ec_request; var InnerEcRequest v_inner_ec_request;
var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop; var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop;
var bitstring v_inner_ec_request_signed_for_pop_msg;
var octetstring v_public_enc_key; var octetstring v_public_enc_key;
var integer v_compressed_enc_key_mode; var integer v_compressed_enc_key_mode;
var boolean v_ret_code; var boolean v_ret_code;
...@@ -250,14 +249,9 @@ module LibItsPki_Functions { ...@@ -250,14 +249,9 @@ module LibItsPki_Functions {
log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error);
} }
// Secure InnerEcRequestSignedForPoP message
log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop); log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop);
v_inner_ec_request_signed_for_pop_msg := encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop));
log("v_inner_ec_request_signed_for_pop_msg= ", v_inner_ec_request_signed_for_pop_msg);
// Prepare for getting the 16 most bytes of SHA256 of InnerEcRequestSignedForPop // Secure InnerEcRequestSignedForPoP message
p_hash_inner_ec_request_signed_for_pop := f_hashWithSha256(bit2oct(v_inner_ec_request_signed_for_pop_msg));
// Secure the Pki message
if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) { if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***"); log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error);
...@@ -267,17 +261,16 @@ module LibItsPki_Functions { ...@@ -267,17 +261,16 @@ module LibItsPki_Functions {
log("*** f_http_build_inner_ec_request: First enrolment: ", PX_FIRST_ENROLMENT); log("*** f_http_build_inner_ec_request: First enrolment: ", PX_FIRST_ENROLMENT);
p_salt := vc_eaWholeHash; p_salt := vc_eaWholeHash;
if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(v_inner_ec_request_signed_for_pop_msg), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce); v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate } else { // We use last valid EC certificate
v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(v_inner_ec_request_signed_for_pop_msg), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce); v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} }
if (v_ret_code == false) { if (v_ret_code == false) {
log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error);
} }
log("*** f_http_build_inner_ec_request: DEBUG: v_inner_ec_request_signed_for_pop_msg= ", v_inner_ec_request_signed_for_pop_msg);
log("*** f_http_build_inner_ec_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data); log("*** f_http_build_inner_ec_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data);
log("*** f_http_build_inner_ec_request: DEBUG: p_hash_inner_ec_request_signed_for_pop= ", p_hash_inner_ec_request_signed_for_pop); log("*** f_http_build_inner_ec_request: DEBUG: p_request_hash= ", p_request_hash);
} // End of function f_http_build_inner_ec_request } // End of function f_http_build_inner_ec_request
function f_http_build_invalid_enrolment_request( function f_http_build_invalid_enrolment_request(
...@@ -290,7 +283,7 @@ module LibItsPki_Functions { ...@@ -290,7 +283,7 @@ module LibItsPki_Functions {
out Oct12 p_nonce, out Oct12 p_nonce,
out octetstring p_salt, out octetstring p_salt,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data, out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out Oct32 p_hash_inner_ec_request_signed_for_pop out Oct32 p_request_hash
) runs on ItsPkiHttp { ) runs on ItsPkiHttp {
var InnerEcRequest v_inner_ec_request; var InnerEcRequest v_inner_ec_request;
var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop; var Ieee1609Dot2Data v_inner_ec_request_signed_for_pop;
...@@ -307,10 +300,10 @@ module LibItsPki_Functions { ...@@ -307,10 +300,10 @@ module LibItsPki_Functions {
log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error);
} }
log("v_inner_ec_request_signed_for_pop= ", v_inner_ec_request_signed_for_pop);
// Secure InnerEcRequestSignedForPoP message // Secure InnerEcRequestSignedForPoP message
// Get 16 last byte of SHA256 of InnerEcRequestSignedForPop
p_hash_inner_ec_request_signed_for_pop := f_hashWithSha256(int2oct(12345, 32)); // Invalid InnseEcRequestSignedForPop
// Secure the Pki message
if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) { if (f_extract_enc_key(vc_eaCertificate, v_public_enc_key, v_compressed_enc_key_mode) == false) {
log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***"); log("*** f_http_build_inner_ec_request: ERROR: Non canonical EA certificate ***");
f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error);
...@@ -319,9 +312,9 @@ module LibItsPki_Functions { ...@@ -319,9 +312,9 @@ module LibItsPki_Functions {
log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode); log("*** f_http_build_inner_ec_request: Public encryption key comp: ", v_compressed_enc_key_mode);
p_salt := vc_eaWholeHash; p_salt := vc_eaWholeHash;
if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys if (PX_FIRST_ENROLMENT == true) { // This is the first enrolment, we used Factory keys
v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce); v_ret_code := f_build_pki_secured_message(PICS_ITS_S_SIGN_NITSP256_PRIVATE_KEY, valueof(m_signerIdentifier_self), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} else { // We use last valid EC certificate } else { // We use last valid EC certificate
v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce); v_ret_code := f_build_pki_secured_message(vc_ecPrivateKey, valueof(m_signerIdentifier_digest(vc_ecHashedId8)), vc_eaHashedId8/*recipientId*/, v_public_enc_key, v_compressed_enc_key_mode, p_salt, bit2oct(encvalue(m_etsiTs102941Data_inner_ec_request_signed_for_pop(v_inner_ec_request_signed_for_pop))), p_ieee1609dot2_signed_and_encrypted_data, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, p_request_hash);
} }
if (v_ret_code == false) { if (v_ret_code == false) {
log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
...@@ -335,7 +328,7 @@ module LibItsPki_Functions { ...@@ -335,7 +328,7 @@ module LibItsPki_Functions {
out octetstring p_publicKeyCompressed, out octetstring p_publicKeyCompressed,
out integer p_compressedMode, out integer p_compressedMode,
out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data, out Ieee1609Dot2Data p_ieee1609dot2_signed_and_encrypted_data,
out HashedId8 p_hash_inner_at_request out Oct32 p_request_hash
) runs on ItsPkiHttp { ) runs on ItsPkiHttp {
// Local variables // Local variables
...@@ -372,7 +365,7 @@ module LibItsPki_Functions { ...@@ -372,7 +365,7 @@ module LibItsPki_Functions {
**/ **/
log("*** f_http_build_inner_ec_request: ERROR: Need to add TestSystem variable vc_aa ***"); log("*** f_http_build_inner_ec_request: ERROR: Need to add TestSystem variable vc_aa ***");
f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error);
/* if (f_build_pki_secured_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), p_ieee1609dot2_signed_and_encrypted_data) == false) { */ /* if (f_build_pki_secured_message(vc_aaPrivateKey, valueof(m_signerIdentifier_digest(vc_aaHashedId8)), vc_eaHashedId8/\*recipientId*\/, v_public_enc_key, v_compressed_enc_key_mode, vc_eaWholeHash, bit2oct(encvalue(m_etsiTs102941Data_authorization_validation_request(v_authorization_validation_request))), p_ieee1609dot2_signed_and_encrypted_data, p_request_hash) == false) { */
/* log("*** f_http_build_authorization_validation_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); */ /* log("*** f_http_build_authorization_validation_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***"); */
/* f_selfOrClientSyncAndVerdict("error", e_error); */ /* f_selfOrClientSyncAndVerdict("error", e_error); */
/* } */ /* } */
...@@ -909,7 +902,8 @@ module LibItsPki_Functions { ...@@ -909,7 +902,8 @@ module LibItsPki_Functions {
out Oct16 p_aes_sym_key, out Oct16 p_aes_sym_key,
out Oct16 p_encrypted_sym_key, out Oct16 p_encrypted_sym_key,
out Oct16 p_authentication_vector, out Oct16 p_authentication_vector,
out Oct12 p_nonce out Oct12 p_nonce,
out Oct32 p_request_hash
) return boolean { ) return boolean {
// Local variables // Local variables
var template (value) EccP256CurvePoint v_eccP256_curve_point; var template (value) EccP256CurvePoint v_eccP256_curve_point;
...@@ -956,6 +950,9 @@ module LibItsPki_Functions { ...@@ -956,6 +950,9 @@ module LibItsPki_Functions {
); );
// Encode EtsiTs103097Data-Signed data structure // Encode EtsiTs103097Data-Signed data structure
v_encoded_inner_ec_request := bit2oct(encvalue(v_ieee1609dot2_signed_data)); v_encoded_inner_ec_request := bit2oct(encvalue(v_ieee1609dot2_signed_data));
// Calculate the SHA256 of v_encoded_inner_ec_request
p_request_hash := f_hashWithSha256(v_encoded_inner_ec_request);
log("p_request_hash= ", p_request_hash);
// Encrypt encode EtsiTs103097Data-Signed data structure // Encrypt encode EtsiTs103097Data-Signed data structure
if (PICS_SEC_FIXED_KEYS) { if (PICS_SEC_FIXED_KEYS) {
p_publicKeyCompressed := '8C5E20FE31935F6FA682A1F6D46E4468534FFEA1A698B14B0B12513EED8DEB11'O; p_publicKeyCompressed := '8C5E20FE31935F6FA682A1F6D46E4468534FFEA1A698B14B0B12513EED8DEB11'O;
...@@ -1009,25 +1006,22 @@ module LibItsPki_Functions { ...@@ -1009,25 +1006,22 @@ module LibItsPki_Functions {
} // End of function f_build_pki_secured_message } // End of function f_build_pki_secured_message
/** /**
* @desc Verify the protocol element of the Pki message * @desc Verify the protocol element of the Pki message.
* If p_check_security is set to false, only decryption and decoding of the outer message are verified.
* @param p_private_key Private key for decryption * @param p_private_key Private key for decryption
* @param p_publicEphemeralCompressedKey * @param p_publicEphemeralCompressedKey
* @param p_publicEphemeralCompressedKeyMode * @param p_publicEphemeralCompressedKeyMode
* @param p_issuer Issuer * @param p_issuer Issuer
* @param p_certificate Certificate to use for verification key * @param p_certificate Certificate to use for verification key
* @param p_ieee1609dot2_encrypted_and_signed_data The received encrypted and signed data * @param p_ieee1609dot2_encrypted_and_signed_data The received encrypted and signed data
* @param p_check_security Set to true to check signatures * @param p_check_security Set to true to verify PKI protocol element such as signatures...
* @param p_etsi_ts_102941_data The EtsiTs102941Data message * @param p_etsi_ts_102941_data The EtsiTs102941Data message
* @return true on success, false otherwise * @return true on success, false otherwise
*/ */
function f_verify_pki_message( function f_verify_pki_message(
in octetstring p_private_enc_key, in octetstring p_private_enc_key,
// in octetstring p_publicEphemeralCompressedKey, // TODO Useless, to be removed
// in integer p_publicEphemeralCompressedKeyMode, // TODO Useless, to be removed
in Oct16 p_aes_sym_key, in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector, // TODO Tobe removed in Oct16 p_authentication_vector, // TODO Tobe removed
// in Oct12 p_nonce, // TODO Tobe removed
// in octetstring p_salt,
in octetstring p_issuer, in octetstring p_issuer,
in Certificate p_certificate, // TODO Tobe removed in Certificate p_certificate, // TODO Tobe removed
in Ieee1609Dot2Data p_ieee1609dot2_encrypted_and_signed_data, in Ieee1609Dot2Data p_ieee1609dot2_encrypted_and_signed_data,
...@@ -1061,9 +1055,7 @@ module LibItsPki_Functions { ...@@ -1061,9 +1055,7 @@ module LibItsPki_Functions {
// 2. Decode it // 2. Decode it
v_tbs := oct2bit(v_plain_message); v_tbs := oct2bit(v_plain_message);
if (decvalue(v_tbs, v_ieee1609dot2_signed_data) != 0) { if (decvalue(v_tbs, v_ieee1609dot2_signed_data) != 0) {
if (p_check_security == true) { return false;
return false;
}
} }
log("v_ieee1609dot2_signed_data= ", v_ieee1609dot2_signed_data); log("v_ieee1609dot2_signed_data= ", v_ieee1609dot2_signed_data);
...@@ -1075,7 +1067,7 @@ module LibItsPki_Functions { ...@@ -1075,7 +1067,7 @@ module LibItsPki_Functions {
return false; return false;
} }
} }
log("v_certificate= ", v_certificate); //log("v_certificate= ", v_certificate);
if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0)) { if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0)) {
v_ret := f_verifyWithEcdsaNistp256WithSha256( v_ret := f_verifyWithEcdsaNistp256WithSha256(
bit2oct(v_tbs), bit2oct(v_tbs),
......
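Review bot: The new `p_request_hash` out parameter is undocumented, and it covers different bytes than the value it replaces. In the `-956,6 +950,9` hunk of f_build_pki_secured_message it is set by `p_request_hash := f_hashWithSha256(v_encoded_inner_ec_request);`, i.e. over the encoded signed structure, whereas the removed code in f_http_build_inner_ec_request hashed the encoded EtsiTs102941Data payload before signing. The two removed comments also disagreed on which 16 bytes of the digest matter ("16 most bytes" vs "16 last byte"), and the parameter in the `-335,7 +328,7` hunk widens from `HashedId8` to `Oct32`, so callers matching a response's request hash need to be told how to truncate. I would extend the comment to something like `// SHA-256 of the encoded signed request, taken before encryption; callers truncate when matching the response's request hash` and add a `@param p_request_hash` line to each affected function header, which lie outside these hunks. Separately, any path in f_build_pki_secured_message that returns false before this assignment would leave `p_request_hash` unbound while f_http_build_inner_ec_request still logs it after the error branch; those paths are not visible here, so this is worth confirming.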