TC_A_04_CSMS — TLS - server-side certificate - Valid certificate
TC_A_04_CSMS — TLS - server-side certificate - Valid certificate
Source: OCPP 2.0.1 Part 6 — Test Cases (Core & Advanced Security, FINAL, 2023-06-30) — Functional block A. Security, page 330.
Identification
| Field | Value |
|---|---|
| Test case name | TLS - server-side certificate - Valid certificate |
| Test case Id | TC_A_04_CSMS |
| Use case Id(s) | A00 |
| Requirement(s) | A00.FR.306,A00.FR.307,A00.FR.312,A00.FR.318,A00.FR.321,A00.FR.502,A00.FR.503,A00.FR.507,A00.FR.50 8,A00.FR.510 |
| System under test | CSMS |
| Functional block | A. Security |
Description
The CSMS uses a server-side certificate to identify itself to the Charging Station, when using security profile 2 or 3.
Purpose
To verify whether the CSMS is able to provide a valid server certificate and setup a secured WebSocket connection.
Prerequisite(s)
The CSMS supports security profile 2 and/or 3
Before (Preparations)
Configuration State:
- N/a
Memory State:
- N/a
Reusable State(s):
- N/a
Main (Test scenario)
| Charging Station | CSMS |
|---|---|
| 1. The OCTT terminates the connection and initiates a TLS handshake and sends a Client Hello to the CSMS. | 2. The CSMS responds with a Server Hello; With the <Configured server certificate> |
| 3. The OCTT performs the following actions: Send client certificate Client Key Exchange Certificate verify Change Cipher Spec Finished; Note(s):; - The client certificate is only sent when the CSMS uses security profile 3. | 4. The CSMS performs the following actions: Change Cipher Spec Finished |
| 5. The OCTT sends a HTTP upgrade request to the CSMS; Note(s):; - The HTTP request only contains a username/password combination when the CSMS uses security profile 2. | 6. The CSMS upgrades the connection to a (secured) WebSocket connection. |
| 7. The OCTT sends a BootNotificationRequest; with reason PowerUp chargingStation.model <Configured model> chargingStation.vendorName <Configured vendorName> | 8. The CSMS responds with a BootNotificationResponse |
| 9. The OCTT notifies the CSMS about the current state of all connectors.; Message: StatusNotificationRequest; - connectorStatus Available; Message: NotifyEventRequest; - trigger Delta; - actualValue "Available"; - component.name "Connector"; - variable.name "AvailabilityState" | 10. The CSMS responds accordingly. |
Tool validations
Step 3:
The OCTT validates the following before finishing the TLS handshake:
- The CSMS must use TLS version 1.2 or above At least the following set of cipher suites must be supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 AND TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 AND TLS_RSA_WITH_AES_128_GCM_SHA256 AND TLS_RSA_WITH_AES_256_GCM_SHA384
- When using RSA or DSA the key must be at least 2048 bits long. and when using elliptic curve cryptography the key must be at least 224 bits long.
- The received server side certificate must be transmitted in the X.509 format encoded in Privacy-Enhanced Mail (PEM) format.
- The certificate must include a serial number.
- The subject field of the certificate must contain a commonName RDN which consists of the FQDN of the endpoint of the server. NOTE: If one of the above validations fails, the OCTT can still proceed with the next steps of the testcase (if it is able to), but the testcase will FAIL and the OCTT reports why it failed.
Step 8:
Message: BootNotificationResponse with status Accepted
Post scenario validations
- N/a