TC_A_05_CS — TLS - server-side certificate - Invalid certificate
Source: OCPP 2.0.1 Part 6 — Test Cases (Core & Advanced Security, FINAL, 2023-06-30) — Functional block A. Security, page 9.
Identification
| Field | Value |
|---|---|
| Test case name | TLS - server-side certificate - Invalid certificate |
| Test case Id | TC_A_05_CS |
| Use case Id(s) | A00 |
| Requirement(s) | A00.FR.309, A00.FR.310, A00.FR.311, A00.FR.412, A00.FR.413, A00.FR.414 |
| System under test | Charging Station |
| Functional block | A. Security |
Description
The CSMS uses a server-side certificate to identify itself to the Charging Station, when using security profile 2 or 3.
Purpose
To verify whether the Charging Station is able to terminate the connection when the received server certificate is invalid.
Prerequisite(s)
- The Charging Station supports security profile 2 and/or 3.
- The active NetworkConnectionProfile uses either security profile 2 OR 3.
- This test case can be executed multiple times, using different kinds of invalid certificates:
  - Unknown certificate
  - Expired certificate
  - Certificate with commonName that does not equal the FQDN of the CSMS
Before (Preparations)
Configuration State:
- OCPPCommCtrlr.NetworkProfileConnectionAttempts is 2
Memory State:
- N/a
Reusable State(s):
- State is Booting
Main (Test scenario)
| Charging Station | CSMS |
|---|---|
| 1. The Charging Station initiates a TLS handshake and sends a Client Hello to the OCTT. | 2. The OCTT responds with a Server Hello with a <Configured invalid server certificate>. |
| 3. The Charging Station deems the server certificate invalid and terminates the connection. | |
| 4. The Charging Station initiates a TLS handshake and sends a Client Hello to the OCTT. | 5. The OCTT responds with a Server Hello with the <Configured server certificate>. |
| 6. The Charging Station performs the following actions: Send client certificate, Client Key Exchange, Certificate verify, Change Cipher Spec, Finished. Note(s): The client certificate is only sent when the Charging Station uses security profile 3. | 7. The OCTT performs the following actions: Change Cipher Spec, Finished. |
| 8. The Charging Station sends an HTTP upgrade request to the OCTT. Note(s): The HTTP request only contains a username/password combination when the Charging Station uses security profile 2. | 9. The OCTT upgrades the connection to a (secured) WebSocket connection. |
| 10. The Charging Station sends a BootNotificationRequest. | 11. The OCTT responds with a BootNotificationResponse with status Accepted. |
| 12. The Charging Station notifies the CSMS about the current state of all connectors. | 13. The OCTT responds accordingly. |
| 14. The Charging Station sends a SecurityEventNotificationRequest. | 15. The OCTT responds with a SecurityEventNotificationResponse. |
Tool validations
Step 14:
Message: SecurityEventNotificationRequest
- type must be InvalidCsmsCertificate
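One way a test harness could implement the step 14 validation over the OCPP-J frames received on the second connection (an added example, not OCTT code and not part of the OCPP specification). The function names, the sample frames, the ordering check against BootNotification, and the choice to tolerate other security event types are assumptions made here.

```python
import json

# Constructed sample: OCPP-J CALL frames the station sends on the second
# (valid-certificate) connection, steps 10-14. All values are illustrative.
SAMPLE_FRAMES = [
    '[2, "m1", "BootNotification", {"reason": "PowerUp", '
    '"chargingStation": {"model": "X", "vendorName": "Y"}}]',
    '[2, "m2", "StatusNotification", {"timestamp": "2024-01-01T10:00:05Z", '
    '"connectorStatus": "Available", "evseId": 1, "connectorId": 1}]',
    '[2, "m3", "SecurityEventNotification", '
    '{"type": "InvalidCsmsCertificate", "timestamp": "2024-01-01T10:00:01Z"}]',
]

def parse_call(raw):
    """Return (action, payload) for a well-formed OCPP-J CALL, else None."""
    try:
        frame = json.loads(raw)
    except json.JSONDecodeError:
        return None
    # A CALL is [2, messageId, action, payload]
    if (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2
            and isinstance(frame[2], str) and isinstance(frame[3], dict)):
        return frame[2], frame[3]
    return None

def validate_step_14(raw_frames):
    """Check the step 14 tool validation; return (passed, reason)."""
    boot_seen = False
    other_types = []
    for raw in raw_frames:
        call = parse_call(raw)
        if call is None:
            continue  # malformed or non-CALL frames are out of scope here
        action, payload = call
        if action == "BootNotification":
            boot_seen = True
        elif action == "SecurityEventNotification":
            if payload.get("type") != "InvalidCsmsCertificate":
                # Assumption: unrelated security events do not fail the test
                other_types.append(payload.get("type"))
            elif not boot_seen:
                return False, "event sent before BootNotificationRequest"
            elif "timestamp" not in payload:
                return False, "event lacks the required timestamp field"
            else:
                return True, "ok"
    return False, f"no InvalidCsmsCertificate event; other types: {other_types}"
```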
Post scenario validations
- N/a