DOCUMENT VERSION 20181023-2
Pre-conditions for test cases:
Client and Server have established a DTLS connection
In most test cases, the pre-test conditions are that a DTLS connection has been established. There are four possible combinations (Client has certificate, no-certificate, Server has certificate, no certificate), but the cases where the Client has no certificate turn out to be negative testing. The case where the Server has no certificate is nonsense, so only one test case remains.
Prerequiste: device comes from manufacturing, has an IDevID that can be validated by the server.
EST-COAP interoperability Test Description |
|||
|
Configuration: |
CoAP_CFG_est-coaps |
Configuration conditions: |
Client and Server each have a certificate The Client serves as constrained node, pledge, to be installed in the network The Server serves as EST server that supports enrolment of certificates. The IdevID of the Client serves as base for the generation of the client certificate The client certificate is stored in the server trust anchor before The client certificate already signed by CA that is trusted on the server, but does not need to be the same CA as being enrolled into. (self-signed certificate can be tested, but is a negative test case) |
|---|---|---|---|
EST-COAP interoperability Test Description |
|||
|
Identifier: |
TD_ACE_est-dtls_1 |
||
|---|---|---|---|
|
Objective: |
Perform a DTLS connection setup between Client and Server Certificate |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
??TBD |
||
|
Pre-test conditions: |
Validate connectivity with ping/ping6 Server has a certificate configured as a DTLS Server Certificate Client has a certificate configured as a DTLS Client Certificate |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: DTLS Hello, followed by DTLS negotiation of ciphers DTLS version 1.0, negotiated is 1.2 or 1.3 Type=0 and Code=1 Uri-Path option "/.well-known/core" Token = anything Max-Age = 1 Server accepts Client Certificate, validates it. |
|
|
3 |
Check |
Server sends response containing: Code = 2.05 (Content) Token = XX, set by client Content-format Payload with certificate Client validated certificate is in trust store. |
|
|
4 |
Verify |
Client receives a resource discovery payload |
|
EST-COAP interoperability Test Description |
|||
|
Identifier: |
TD_ACE_est-coaps_01 |
||
|---|---|---|---|
|
Objective: |
Perform cacerts retrieval without block ("crts") |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.1 |
||
|
Pre-test conditions: |
|||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est" and "crts" (aka /est/crts) Token = XX Max-Age = 1 |
|
|
3 |
Check |
Server sends response containing: Code = 2.05 (Content) Token = XX, set by client Content-format option 281 Payload with certificate |
|
|
4 |
Verify |
Client displays the correct certificate contents |
|
EST-COAP interoperability Test Description |
|||
|
Identifier: |
TD_ACE_est-coaps_02 |
||
|---|---|---|---|
|
Objective: |
Perform cacerts retrieval with block2 (crts) |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.1 |
||
|
Pre-test conditions: |
Client and Server have established a DTLS connection Server holds has a (list?) of trust anchor(s), but may take more than one datagram so that block1 is used. SZX = 2 (64 bytes) |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and crts" Token = XX, set by client Max-Age = 1 |
|
|
3 |
Check |
Server sends response containing: Code = 2.05 (Content) Token = XX block2 option with value of SZX determined by server Content-format option 281 Payload with certificate |
|
|
4 |
Verify |
Client displays the correct certificate contents |
|
|
Interoperability Test Description |
|||
|---|---|---|---|
|
Identifier: |
TD_ACE_est-coaps_03 |
||
|
Objective: |
Perform simple enrolment transaction without delay ("sen") |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.3 |
||
|
Pre-test conditions: |
Client and Server have established a DTLS connection. Client holds a distinguished name, a public key, and an optional set of attributes appropriately signed with private key. Server willing to generate a corresponding certificate to return to client |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and sen" Token = XX , set by client Content-format option 286 Max-Age = 1 payload is certification request of RFC 2986 |
|
|
3 |
Check |
Server sends response containing: Code = 2.01 (Created) Token = XX Content-format option 281 Payload with certificate |
|
|
4 |
Verify |
Client displays the correct certificate contents |
|
EST-COAP interoperability Test Description |
|||
|
Identifier: |
TD_ACE_est-coaps_04 |
||
|---|---|---|---|
|
Objective: |
Perform enrolment ("sen") transaction with long delay |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.3 |
||
|
Pre-test conditions: |
Client and Server have established a DTLS connection. Client holds a distinguished name, a public key, and an optional set of attributes appropriately signed with private key. Server holds a corresponding certificate to return to client |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and sen" Token = XX, set by client Content-format option 286 Max-Age = 1 payload is certification request of RFC 2986 block1 option with SZX=2 chosen by client (64 bytes) |
|
|
3 |
Check |
Server sends response containing: Code = 5.03 (Server unavailable) Token = XX Max-Age = 120 empty Payload |
|
|
4 |
Check |
After Max-Age time units(2 minutes), the request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and sen" Token = YY, set by client Content-format option 286 Max-Age = 1 payload is certification request of RFC 2986 block1 option with SZX chosen by client |
|
|
5 |
Check |
Server sends response containing: Code = 2.04 (Changed) Token = YY Content-format option 281 Block2 option with SZX filled in by server Payload with requested certificate |
|
|
6 |
Verify |
Client displays the correct certificate contents |
EST-COAP interoperability Test Description |
|||
|
Identifier: |
TD_ACE_est-coaps_05 |
||
|---|---|---|---|
|
Objective: |
Perform simple re-enrol ("sren") transaction without delay |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.3 |
||
|
Pre-test conditions: |
|||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and sren" Token = XX, set by client Content-format option 286 Max-Age = 1 payload is certification request of RFC 2986 |
|
|
3 |
Check |
Server sends response containing: Code = 2.01 (Created) Token = XX Content-format option 281 Payload with certificate |
|
|
4 |
Verify |
Client displays the correct certificate contents |
|
EST-COAP interoperability Test Description |
|||
|
Identifier: |
TD_ACE_est-coaps_06 |
||
|---|---|---|---|
|
Objective: |
Perform simple enrolment ("sren") transaction with long delay |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.3 |
||
|
Pre-test conditions: |
Client and Server have established a DTLS connection using previously enroled client certificate Client holds a distinguished name, a public key, and an optional set of attributes appropriately signed with private key. Server holds a corresponding certificate to return to client |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and sren" Token = XX, set by client Content-format option 286 Max-Age = 1 payload is certification request of RFC 2986 block1 option with SZX=2 chosen by client (64 bytes) |
|
|
3 |
Check |
Server sends response containing: Code = 5.03 (Server unavailable) Token = XX Max-Age = 120 empty Payload |
|
|
4 |
Check |
After Max-Age time units The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and sren" Token = YY, set by client Content-format option 286 Max-Age = 1 payload is certification request of RFC 2986 block1 option with SZX chosen by client |
|
|
5 |
Check |
Server sends response containing: Code = 2.04 (Changed) Token = YY Content-format option 281 Block2 option with SZX filled in by server Payload with requested certificate |
|
|
6 |
Verify |
Client displays the correct certificate contents |
|
EST-COAP interoperability Test DescriptionOptional functionality |
|||
|---|---|---|---|
|
USE number 287 for content-format application/multipart-core |
|||
|
Identifier: |
TD_ACE_est-coaps_07 |
||
|
Objective: |
Perform server generated key ("skg") transaction without block |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.1 |
||
|
Pre-test conditions: |
Client and Server have established a DTLS connection. Server provides a random number generation service |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and skg" Token = XX Content-format 286 Max-Age = 120 |
|
|
3 |
Check |
Server sends response containing: Code = 2.01 (Content) Token = XX Content-format option 287 Payload with preamble and key |
|
|
4 |
Verify |
Client displays the correct key value |
|
EST-COAP interoperability Test DescriptionOptional functionality |
|||
|---|---|---|---|
|
Identifier: |
TD_ACE_est-coaps_08 |
||
|
Objective: |
Perform CSR attribute ("att") transaction |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 4, A.1 |
||
|
Pre-test conditions: |
Client and Server have established a DTLS connection. Server has a list of desired attributes (including at least subjectAltName...? extension? CN= values, notAfter date) |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a GET request with: Type = 0 (CON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=0 and Code=1 Uri-Path option "est and att" Token = XX, set by client Content-format 285 payload with attribute names |
|
|
3 |
Check |
Server sends response containing: Code = 2.05 (Content) Token = XX Content-format option 285 Payload with certificate attributes |
|
|
4 |
Verify |
Client displays the correct attribute values |
|
EST-COAP interoperability Test DescriptionOptional functionality |
|||
|---|---|---|---|
|
Identifier: |
TD_ACE_est-coaps_09 |
||
|
Objective: |
Discover EST server with coap multicast (can not be done over internet!) |
||
|
Configuration: |
CoAP_CFG_est-coaps |
||
|
References: |
[est-coaps] 5 |
||
|
Pre-test conditions: |
Server enabled its interface for MC address "All CoAP Nodes" address FF0X::FD |
||
|
Test Sequence: |
Step |
Type |
Description |
|
1 |
Stimulus |
Client is requested to send a MC GET request with: Type = 1 (NON) Code = 1 (GET) |
|
|
2 |
Check |
The request sent by the client contains: Type=1 and Code=1 Uri-Path option ".well-known and core" Token = XX, set by client URI-query=ace.est* empty payload |
|
|
3 |
Check |
Server sends response containing: Code = 2.05 (Content) Token = XX Content-format=40 Payload with est resources |
|
|
4 |
Verify |
Client displays at least ;rt="ace.est" possibly followed by list of sub resources |
|