Skip to content
GitLab
Commits (1)
Hide whitespace changes
Inline Side-by-side
ttcn/Pki/LibItsPki_Functions.ttcn
View file @ 6ad3b76d
......@@ -247,7 +247,8 @@ module LibItsPki_Functions {
var octetstring v_public_enc_key;
var integer v_compressed_enc_key_mode;
var boolean v_ret_code;
log(">>> f_http_build_inner_ec_request");
if (f_generate_inner_ec_request(p_private_key, p_public_key_compressed, p_compressed_mode, v_inner_ec_request) == false) {
log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
......@@ -285,8 +286,8 @@ module LibItsPki_Functions {
log("*** f_http_build_inner_ec_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error);
}
log("*** f_http_build_inner_ec_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data);
log("*** f_http_build_inner_ec_request: DEBUG: p_request_hash= ", p_request_hash);
log("*** f_http_build_inner_ec_request: p_ieee1609dot2_signed_and_encrypted_data= ", p_ieee1609dot2_signed_and_encrypted_data);
log("*** f_http_build_inner_ec_request: p_request_hash= ", p_request_hash);
} // End of function f_http_build_inner_ec_request
function f_http_build_invalid_enrolment_request(
......@@ -344,7 +345,6 @@ module LibItsPki_Functions {
if (v_ret_code == false) {
log("*** f_http_build_invalid_enrolment_request: ERROR: Failed to generate InnerEcRequestSignedForPop ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
}
log("*** f_http_build_invalid_enrolment_request: DEBUG: p_ieee1609dot2_signed_and_encrypted_data = ", p_ieee1609dot2_signed_and_encrypted_data);
} // End of function f_http_build_invalid_enrolment_request
......@@ -470,10 +470,14 @@ module LibItsPki_Functions {
group generate_certificates {
function f_generate_ec_certificate(
in octetstring p_private_key,
in InnerEcRequest p_inner_ec_request,
out octetstring p_private_key,
out Certificate p_ec_certificate
) return boolean {
var octetstring v_public_key_x;
var octetstring v_public_key_y;
var octetstring p_public_key_compressed;
var integer p_compressed_mode;
var EccP256CurvePoint v_ecc_p256_curve_point;
var SequenceOfPsidSsp v_appPermissions := { // ETSI TS 102 965 Table A.1: ETSI ITS standardized ITS-AIDs
valueof(m_appPermissions(36, { bitmapSsp := '830001'O })),
valueof(m_appPermissions(37, { bitmapSsp := '830001'O }))
......@@ -483,13 +487,26 @@ module LibItsPki_Functions {
var Oct32 v_sig;
var bitstring v_enc_msg;
log(">>> f_generate_ec_certificate");
// Generate verification keys for the certificate
if (f_generate_key_pair_nistp256(p_private_key, v_public_key_x, v_public_key_y, p_public_key_compressed, p_compressed_mode) == false) {
log("f_generate_ec_certificate: Failed to generate verification key");
return false;
}
if (p_compressed_mode == 0) {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_0(p_public_key_compressed));
} else {
v_ecc_p256_curve_point := valueof(m_eccP256CurvePoint_compressed_y_1(p_public_key_compressed));
}
v_cert := m_etsiTs103097Certificate(
m_issuerIdentifier_sha256AndDigest(f_HashedId8FromSha256(f_hashWithSha256('616263'O))),
m_toBeSignedCertificate_at(
v_appPermissions,
m_verificationKeyIndicator_verificationKey(
m_publicVerificationKey_ecdsaNistP256(
p_inner_ec_request.publicKeys.verificationKey.ecdsaNistP256
v_ecc_p256_curve_point
)),
m_validityPeriod(
17469212,
......@@ -515,7 +532,7 @@ module LibItsPki_Functions {
substr(v_sig, 32, 32)
)
);
log("v_cert= ", v_cert);
log("f_generate_ec_certificate: v_cert= ", v_cert);
p_ec_certificate := valueof(v_cert);
return true;
......@@ -921,9 +938,9 @@ module LibItsPki_Functions {
group awaiting_messages {
function f_await_http_inner_ec_request_response(
in Oct32 p_private_key,
in Oct32 p_compressed_public_key,
in integer p_compressed_mode,
out Oct32 p_private_key,
out Oct32 p_compressed_public_key,
out integer p_compressed_mode,
out InnerEcResponse p_inner_ec_response
) runs on ItsPkiHttp return boolean {
var HeaderLines v_headers;
......@@ -936,7 +953,8 @@ module LibItsPki_Functions {
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var HttpMessage v_response;
log(">>> f_await_http_inner_ec_request_response");
f_http_build_inner_ec_request(p_private_key, p_compressed_public_key, p_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
f_init_default_headers_list(-, "inner_ec_request", v_headers);
httpPort.send(
......@@ -966,12 +984,17 @@ module LibItsPki_Functions {
log("f_await_http_inner_ec_request_response: Failed to verify PKI message ***");
} else {
log("f_await_http_inner_ec_request_response: Receive ", v_etsi_ts_102941_data, " ***");
log("f_await_http_inner_ec_request_response: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(mw_issuerIdentifier_self, mw_toBeSignedCertificate_ea, mw_signature_ecdsaNistP256)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(mw_issuerIdentifier_self, mw_toBeSignedCertificate_ea, mw_signature_ecdsaNistP256))))) {
p_inner_ec_response := v_etsi_ts_102941_data.content.enrolmentResponse;
log("f_await_http_inner_ec_request_response: Well-secured EA certificate received ***");
log("p_inner_ec_response= ", p_inner_ec_response);
return true;
// Verify the received EC certificate
log("f_await_http_inner_ec_request_response: match ", match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -)))), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_enrolmentResponse(mw_innerEcResponse_ok(substr(v_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_ec, -))))) {
if (f_verify_ec_certificate(v_etsi_ts_102941_data.content.enrolmentResponse.certificate, p_compressed_public_key, p_compressed_mode)) {
p_inner_ec_response := v_etsi_ts_102941_data.content.enrolmentResponse;
log("f_await_http_inner_ec_request_response: Well-secured EA certificate received ***");
log("p_inner_ec_response= ", p_inner_ec_response);
return true;
} else {
log("f_await_http_inner_ec_request_response: Cannot verify EC certificate signature ***");
}
} else {
log("f_await_http_inner_ec_request_response: Unexpected message received ***");
}
......@@ -1314,35 +1337,34 @@ module LibItsPki_Functions {
} // End of function f_verify_pki_message
/**
* @desc Verify the generated EA certificate
* @param p_ea_certificate The new EA certificate
* @desc Verify the EC certificate generated by the EA entity
* @param p_ec_certificate The new EC certificate
* @param p_public_key_compressed The public compressed key (canonical form) for signature check
* @param p_compressed_mode The public compressed key mode
* @param p_compressed_mode The public compressed key mode
* @return true on success, false otherwise
*/
function f_verify_ea_certificate(
in Certificate p_ea_certificate,
function f_verify_ec_certificate(
in Certificate p_ec_certificate,
in octetstring p_public_key_compressed,
in integer p_compressed_mode
) return boolean {
var bitstring v_encoded_tbs;
var boolean v_result;
// Check certificate format
v_result := match(p_ea_certificate, mw_etsiTs103097Certificate(mw_issuerIdentifier_self, mw_toBeSignedCertificate_ea, -));
// Check the signer
log("f_verify_ec_certificate: ", match(p_ec_certificate.issuer, mw_issuerIdentifier_self()));
if (match(p_ec_certificate.issuer, mw_issuerIdentifier_self)) {
return false;
}
// Check EA certificate signature
v_encoded_tbs := encvalue(p_ea_certificate.toBeSigned);
v_result := v_result and f_verifyWithEcdsaNistp256WithSha256(
bit2oct(v_encoded_tbs),
int2oct(0, 32), // self
p_ea_certificate.signature_.ecdsaNistP256Signature.rSig.x_only & p_ea_certificate.signature_.ecdsaNistP256Signature.sSig,
p_public_key_compressed,
p_compressed_mode);
// Check EC certificate signature
// TODO Who sign the EC certificate?
/*if (f_verifyCertificateSignatureWithPublicKey(p_ec_certificate, p_ec_certificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("f_verify_ec_certificate: Signature not verified");
return false;
}*/
return v_result;
} // End of function f_verify_ea_certificate
return true;
} // End of function f_verify_ec_certificate
/**
* @desc Verify the generated AA certificate
......
ttcn/Pki/LibItsPki_Pics.ttcn
View file @ 6ad3b76d
......@@ -13,12 +13,12 @@ module LibItsPki_Pics {
/**
* @desc Does the IUT act as AA device?
*/
modulepar boolean PICS_IUT_AA_ROLE := false;
modulepar boolean PICS_IUT_AA_ROLE := true;
/**
* @desc Does the IUT act as combined EA-AA device?
*/
modulepar boolean PICS_IUT_COMBINED_EA_AA_ROLE := true;
modulepar boolean PICS_IUT_COMBINED_EA_AA_ROLE := false;
/**
* @desc Certificate used by the IUT acting as ITS-S
......
ttcn/Security/LibItsSecurity_Functions.ttcn
View file @ 6ad3b76d
......@@ -768,7 +768,7 @@ module LibItsSecurity_Functions {
p_atCertificate := vc_atCertificate;
p_aaCertificate := vc_aaCertificate;
}
// Store the certificte to build this message
// Store the certificate to build this message
vc_lastAtCertificateUsed := p_atCertificate;
return true;
......
ttcn/Security/LibItsSecurity_Templates.ttcn
View file @ 6ad3b76d
......@@ -1409,6 +1409,32 @@ module LibItsSecurity_Templates {
verifyKeyIndicator := p_verifyKeyIndicator
} // End of template mw_toBeSignedCertificate_ea
/**
* @desc Send template for ToBeSignedCertificate with Enrolment credential restrictions
* @see ETSI TS 103 097 V1.3.1 Clause 7.2.2 Enrolment credential
*/
template ToBeSignedCertificate mw_toBeSignedCertificate_ec(
template (present) CertificateId p_id := ?,
template (present) SequenceOfPsidSsp p_appPermissions := ?,
template (present) VerificationKeyIndicator p_verifyKeyIndicator := ?,
template (present) ValidityPeriod p_validityPeriod := ?,
template GeographicRegion p_region := *,
template SubjectAssurance p_assuranceLevel := *
) := {
id := p_id,
cracaId := '000000'O, // ETSI TS 103 097 V1.3.1 Clause 6 Bullet 2
crlSeries := 0, // ETSI TS 103 097 V1.3.1 Clause 6 Bullet 3
validityPeriod := p_validityPeriod,
region := p_region,
assuranceLevel := p_assuranceLevel,
appPermissions := p_appPermissions,
certIssuePermissions := omit,
certRequestPermissions := omit,
canRequestRollover := omit,
encryptionKey := omit,
verifyKeyIndicator := p_verifyKeyIndicator
} // End of template mw_toBeSignedCertificate_ec
/**
* @desc Send template for ToBeSignedCertificate with Authorization authority restrictions
* @see ETSI TS 103 097 V1.3.1 Clause 7.2.4 Subordinate certification authority certificates
......