Newer
Older
This set of programs and files aims at generating the x509v3 certificates used for the Accessor Authentication Service as described in annex C of the [TS 103.666 part 1 V15.2.0 (2020-04)](https://www.etsi.org/deliver/etsi_ts/103600_103699/10366601/15.00.00_60/ts_10366601v150000p.pdf) .
OpenSSL 3.0.0 shall be installed. The guidelines for performing the installation are available in [OpenSSL](https://www.openssl.org)
Python Cryptography package shall be installed. The guidelines for performing the installation are available in [Cryptography.io](https://cryptography.io/en/latest/installation.html) .
The batch file GENKEY.bat contains the OpenSSL instruction for generating the private and public keys acccording to annex C of ETSI TS 103.666 part 1.
The following shell command shall be executed.
`./GENKEY.bat`
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
`python3 CreateCertificate.py -i <parameters_file.yaml`
The **parameters_file.yaml** contains the certificate parameters.
The certificates are generated and stored in the **./certificates** directory with the DER and PEM format.
The human readable visualization is possible on the following web site [Certlogic](https://certlogik.com/decoder)
## Certificate parameters
Each certificate has its parameters in a YAML structure in a YAML file.
As example, the YAML structure of the AAS certification path from the CI to the End Entity certificate is the following:
- Extensions:
CertificatePolicies:
Critical: true
Value:
Identifier: 0.4.0.3666.1.2
Explicit_text: id-role-AAA
BasicConstraints:
Critical: true
Value:
CA: true
Pathlen: 0
Serial_number: 3
Not_after: '2021-12-01T12:00:00'
Not_before: '2021-01-01T12:00:00'
Issuer:
C: FR
ST: PACA
CN: ETSI-SSP-AAA-CI
O: ETSI.ORG
OU: SSP-TTF
Subject:
C: FR
ST: PACA
CN: ETSI-SSP-AAA-CA
O: ETSI.ORG
OU: SSP-TTF
## Generation of the authentication token
The following command allows to generate an authentication token:
`python3 CreateToken.py -i <parameters_file.yaml`
The **parameters_file.yaml** contains the authentication token parameters.
Challenge:
Generate: false # Do not generate a challenge
Name: AAS01 # File name of the file containing the challenge
CertificationPath:
Name: CP_AAA # File name of the DER file containing the certification path
Path:
- ETSI-SSP-AAA-CI # AAA CI
- ETSI-SSP-AAA-CA # AAA CA
- ETSI-SSP-AAA-EE # AAA EE
Modeles:
- RFC5280.asn # x509v3 certificate model
- RFC3279.asn # ECC signature parameters
AuthenticationToken:
Name: ATK-AAA-ECKA # File name of the authentication token DER file
Issuer: ETSI-SSP-AAA-EE # Certificatte verifying the authentication token
ECKA-Curve: BrainpoolP256R1 # ECC curve for key agreement
KeySize: 256 # key size of the streamcipher
Modeles:
- RFC5280.asn # x509v3 certificate model
- RFC3279.asn # ECC signature parameters
- SSP_ASN.asn # SSP model
The autentication token can be dumped by using the online tool [here](https://lapo.it/asn1js/#).
![ATK.AAA.ECKA dump](./ATK_DUMP.png)
## Generation of the accessor authentication commands and responses.
The following command allows to generate the commands for the accessor authentication service:
`python3 CreateAuthCommand.py -i <parameters_file.yaml`
Challenge command: # Generate a challenge
Name: AAS01 # Write a binary file containing a 128 bit challenge
Challenge response:
Path: CP_AAS # AAS certification path
Challenge: AAS01 # Write a binary file containing a 128 bit challenge
Name: aAAS-OP-GET-CHALLENGE-Service-Response
Read Challenge response:
Name: aAAS-OP-GET-CHALLENGE-Service-Response
Authenticate command:
Path: CP_AAA # File name of the DER file containing the certification path
AuthenticationToken: ATK-AAA-ECKA # File name of the DER file containing the authentication token
Name: aAAS-OP-AUTHENTICATE-Service-Command
Authenticate response:
AuthenticationToken: ATK-AAS-ECKA
Name: aAAS-OP-AUTHENTICATE-Service-Response
OAS command: # Generate aAAS-OP-ACCESS-SERVICE-Service-Command for secure pipe
Name: OAS_COMMAND # Name file containing the DER command
Service Identifier: 'DD61116FF0DD57F48A4F52EE70276F24' # Root accessor identifier
OAS response: # Generate aAAS-OP-ACCESS-SERVICE-Service-Response with a random gate identifier
Name: OAS_RESPONSE # Name file containing the DER response
Read OAS response: # Read aAAS-OP-ACCESS-SERVICE-Service-Response and extract the gate identifier
Name: OAS_RESPONSE # Name file containing the DER response
Generate shared key:
Private: ATK-AAA-ECKA # File name of the DER file containing the private key
Public: ATK-AAS-ECKA # File name of the DER file containing the authentication token
Name: GCM_AAA_AAS # File name of the DER file containing K and IV
Encrypt:
Name: GCM_AAA_AAS # Container for the derived keys/IV
MTU: 240 # MTU of the secure SCL message
Sequence: 1
In: Text_In # File name in
Out: Text_Out #File Name out
Decrypt:
Name: GCM_AAA_AAS
MTU: 240
In: Text_Out # File name in
Out: Text_Out_bis #File Name out