TC_A_07_CS — TLS - Client-side certificate - valid certificate
Source: OCPP 2.0.1 Part 6 — Test Cases (Core & Advanced Security, FINAL, 2023-06-30) — Functional block A. Security, page 13.
Identification
| Field | Value |
|---|---|
| Test case name | TLS - Client-side certificate - valid certificate |
| Test case Id | TC_A_07_CS |
| Use case Id(s) | A00 |
| Requirement(s) | A00.FR.401, A00.FR.402, A00.FR.415, A00.FR.416, A00.FR.422, A00.FR.502, A00.FR.503, A00.FR.507, A00.FR.508, A00.FR.511 |
| System under test | Charging Station |
| Functional block | A. Security |
Description
The Charging Station uses a client-side certificate to identify itself to the CSMS, when using security profile 3.
Purpose
To verify whether the Charging Station is able to provide a valid client certificate and set up a secured WebSocket connection.
Prerequisite(s)
- The charging station supports security profile 3
- The active NetworkConnectionProfile uses security profile 3.
Before (Preparations)
Configuration State:
- N/a
Memory State:
- N/a
Reusable State(s):
- State is Booting
Main (Test scenario)
| Charging Station | CSMS |
|---|---|
| 1. The Charging Station initiates a TLS handshake and sends a Client Hello to the OCTT. | 2. The OCTT responds with a Server Hello; with the <Configured server certificate> |
| 3. The Charging Station performs the following actions: Send client certificate, Client Key Exchange, Certificate verify, Change Cipher Spec, Finished | 4. The OCTT performs the following actions: Change Cipher Spec, Finished |
| 5. The Charging Station sends a HTTP upgrade request to the OCTT | 6. The OCTT upgrades the connection to a (secured) WebSocket connection. |
| 7. The Charging Station sends a BootNotificationRequest | 8. The OCTT responds with a BootNotificationResponse; with status Accepted |
| 9. The Charging Station notifies the CSMS about the current state of all connectors. | 10. The OCTT responds accordingly. |
Tool validations
Step 4:
The OCTT validates the following before finishing the TLS handshake:
- The Charging Station must use TLS version 1.2 or above.
- At least the following set of cipher suites must be supported: (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 AND TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) OR (TLS_RSA_WITH_AES_128_GCM_SHA256 AND TLS_RSA_WITH_AES_256_GCM_SHA384)
- When using RSA or DSA the key must be at least 2048 bits long, and when using elliptic curve cryptography the key must be at least 224 bits long.
- The received Client side certificate must be transmitted in the X.509 format encoded in Privacy-Enhanced Mail (PEM) format.
- The certificate must include a serial number.
- The subject field of the certificate must contain a commonName RDN which consists of the unique serial number of the Charging Station.
NOTE: If one of the above validations fails, the OCTT can still set up the WebSocket connection (if it is able to), but the test case will FAIL and the OCTT reports why it failed.
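The Step 4 checks above written out as a validation routine that collects every failure reason instead of stopping at the first. This is an added example, not part of the OCPP specification or the OCTT; the `Observed` record, its field names and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Cipher-suite pairs from Step 4: both suites of at least one pair must be offered.
ECDSA_PAIR = {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}
RSA_PAIR = {"TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_256_GCM_SHA384"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}

@dataclass
class Observed:              # hypothetical record of what the test tool saw
    tls_version: tuple       # negotiated version, e.g. (1, 2)
    offered_suites: set      # suite names from the Client Hello
    key_type: str            # "RSA", "DSA" or "EC"
    key_bits: int            # public key length of the client certificate
    cert_text: str           # client certificate as received
    serial_number: str       # certificate serial number, "" if absent
    subject_cn: str          # commonName RDN of the subject, "" if absent
    station_serial: str      # serial number the Charging Station is known by

def validate(o: Observed) -> list:
    """Return the reasons the Step 4 validation fails (empty list = pass)."""
    fails = []
    if o.tls_version < (1, 2):
        fails.append("TLS version below 1.2")
    # AND within a pair, OR between pairs: one suite from each pair is not enough.
    if not (ECDSA_PAIR <= o.offered_suites or RSA_PAIR <= o.offered_suites):
        fails.append("required cipher suite set not supported")
    minimum = MIN_KEY_BITS.get(o.key_type)   # assumption: unknown key types fail
    if minimum is None or o.key_bits < minimum:
        fails.append("key type or key length not acceptable")
    # Armor check only; this does not parse the certificate body.
    if not o.cert_text.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
        fails.append("certificate not PEM encoded")
    if not o.serial_number:
        fails.append("certificate has no serial number")
    if not o.subject_cn or o.subject_cn != o.station_serial:
        fails.append("subject commonName is not the station serial number")
    return fails

# Constructed observations (not captured from a real Charging Station).
PEM = "-----BEGIN CERTIFICATE-----\n(body omitted)\n-----END CERTIFICATE-----\n"
GOOD = Observed((1, 2), ECDSA_PAIR | {"TLS_RSA_WITH_AES_128_GCM_SHA256"},
                "EC", 256, PEM, "01A3", "CS-0001", "CS-0001")
# One suite from each pair, TLS 1.1, short RSA key, no serial, CN mismatch.
BAD = Observed((1, 1), {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                        "TLS_RSA_WITH_AES_256_GCM_SHA384"},
               "RSA", 1024, PEM, "", "charger.example", "CS-0001")
```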
Step 9:
Message: StatusNotificationRequest
- connectorStatus Available
Message: NotifyEventRequest
- eventData[0].trigger Delta
- eventData[0].actualValue "Available"
- eventData[0].component.name "Connector"
- eventData[0].variable.name "AvailabilityState"
Post scenario validations
- N/a