Added test data for CertificateInstallationRes to verify one's own implementation of creating and verifying XML-based signatures

.gitignore

@@ -1,9 +1,4 @@
 *.jks
-*.p12
-*.pem
-*.cert
-*.cer
-*.key
 *.pfx
 *.bin
 *.der
@@ -19,5 +14,7 @@ RISE-V2G-Certificates/csrs
 RISE-V2G-Certificates/keystores
 RISE-V2G-Certificates/privateKeys
 RISE-V2G-Certificates/testing-symposia
+RISE-V2G-SECC/cpsCertChain.p12
+RISE-V2G-SECC/moCertChain.p12
 /.metadata/
 /.recommenders/

RISE-V2G-Certificates/signature-creation-testdata/README.txt

@@ -0,0 +1,188 @@
+# Test Data To Verify Your CertificateInstallationRes Signature
+
+This file provides test data needed to reproduce the same digest and signature values for a CertificateInstallationRes. This test data is provided for your convenience to verify that your implementation of creating and verifying digital XML-based signatures is correct.
+
+Further explanation is given in the ISO 15118 Manual in section 3.11.3 "Test Data To Verify Your CertificateInstallationRes".
+For further explanation why the different usage of XML namespace matters with regards to the resulting digest and signature values, have a look at section 3.11.4 "Pitfalls with Signatures And XML Namespaces" in the [ISO 15118 Manual](http://v2g-clarity.com/en/iso15118-masterclass/ebook/).
+
+
+
+## TEST DATA SETUP
+
+
+### Private key for signature creation
+
+The private key used to create the signature for the CertificateInstallationRes is the one belonging to the Sub-CA 2 of the Mobility Operator. See file moSubCA2.key.
+The 32 bytes represent the raw x data.
+
+5075C1E2B9911F0CCE98354F949F834CD11165F8940C7FA48B8A244436C1CE43
+
+
+### Public key for signature verification
+
+The public key used to verify the signature of the CertificateInstallationRes is part of the certificate associated with the Sub-CA 2 of the Mobility Operator. The 64 bytes represent a point on the elliptic curve, thus the raw x-coordinate and y-coordinate. The public key has an additional byte 0x04 in the beginning to represent the uncompressed form as demanded by the ISO 15118-2, resulting in 65 bytes in total.
+
+041D0B66B06A63F9E1BFC728A028704D24B0336C580CFEFF092F4B875E0677FCBC3A7B39E53582672FBB5D7BD1174E25EAC542334EC443CBA81DB59D7830B7949B
+
+
+### Parameter ContractSignatureCertChain
+
+The certificate chain provided by the Mobility Operator comprises the contract certificate and the intermediate Sub-CA certificates. 
+All Mobility Operator certificates are packaged in the PKCS#12 container file moCertChain.p12. But you can also access every single certificate by its own, if you want: the contractCert, moSubCA2, and moSubCA1 (each provided in .pem and .der format). Be aware that the order in which the certificates are placed in the SubCertificates element is important. The first element is the Sub-CA 2 certificate, followed by the Sub-CA 1 certificate.
+Also, the certificates' validity period might already have expired by the time you use this test data. But that is not a problem for this issue. 
+
+
+### Parameter ContractSignatureEncryptedPrivateKey
+
+This parameter holds the encrypted private key that belongs to the contract certificate as well as a so-called initialization vector (IV) of 16 bytes length that is needed for the AES cipher. The IV is represented by the first (also known as most significant) 16 bytes of this parameter. 
+
+1520AFFF79C2729744C3C0B90038A52063461BC0E29C8BBE029DF437C69AB7780399921A23D96FA77871E720B9D49430
+
+
+### Parameter DHpublickey
+
+The DHpublickey is the public key of a generated ECDH key pair. The private key of this key pair is used to create the session key with which the private key that belongs to the contract certificate is encrypted. Again, with an additional byte 0x04 prepended as demanded by ISO 15118-2 to represent the uncompressed form of a public key.
+
+04EC801A167AA60762B8F648902BAFFC60EF13329A860F5D0B7D84A22CC8F00C05B998DA328C719DAF1139ABF6F21B8B27CC201E9A4E3DDA6905B27C3B2831CF18
+
+
+### Parameter eMAID
+
+Let's use the following eMAID for this test case: DEABCC123ABC56
+
+
+### Parameter SAProvisioningCertificateChain
+
+The signature is built over the four parameters mentioned above. The Certificate Provisioning Service's (CPS) certificate chain is not part of the signature. However, the CPS's Sub-CA 2 certificate holds the public key (printed further above in hexadecimal notation for your convenience) with which you need to verify the signature . If you also want to validate the CPS's chain of certificates all the way up to the V2G root certificate, then use the PKCS#12 container file cpsCertChain.p12 and the v2gRootCA.pem or v2gRootCA.der file. All certificates in cpsCertChain.p12 are also provided as single certificates in this folder.
+
+
+
+## XML REFERENCE ELEMENT GENERATION WITH XML NAMESPACE "urn:iso:15118:2:2013:MsgBody"
+
+The following values are created using the XML namespace "urn:iso:15118:2:2013:MsgBody". 
+
+
+### ContractSignatureCertChain
+
+EXI:
+8021015A590C4D803308201D43082017AA00302010202010C300A06082A8648CE3D040302304F3111300F06035504030C084D4F53756243413231193017060355040A0C1052495345205632472050726F6A656374310B300906035504061302444531123010060A0992268993F22C64011916024D4F301E170D3137303832343135343733335A170D3139303832343135343733335A30573119301706035504030C1044452D4142432D43313233414243353631193017060355040A0C1052495345205632472050726F6A656374310B300906035504061302444531123010060A0992268993F22C64011916024D4F3059301306072A8648CE3D020106082A8648CE3D03010703420004D62CD181B6F03EF7E07519C2FB05D564C71D39E61A35E2E5428E78319CEFE97B8A1A17FCE1C67F8182317CFB3C7887395A6D24851EBA4A79D71F125AD631A029A33F303D300C0603551D130101FF04023000300E0603551D0F0101FF0404030203E8301D0603551D0E04160414D8A12B386B13276BDCD9D2B6FF243A797F28113F300A06082A8648CE3D0403020348003045022011BC1BA0E6C2C43AACE28233DDDEA4BDB36B00F0282EC888D49597DD76D753B3022100CD3870E39A3D4467CF85FB16356A739B2DA3097C93ADDB2BDC8A7E8EC7FBF17A06B81984100E9984100BC500181008101008598050304154324671E8201811827988898078301AA8201860426A7A9BAB121A098988C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7980F0B86989B981C191A189A9A1B9999AD0B869918981C1919989A9A1B9999AD1827988898078301AA8201860426A7A9BAB121A099188C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7982C98098303954324671E81008304154324671E81808381A100020E85B3583531FCF0DFE39450143826925819B62C067F7F8497A5C3AF033BFE5E1D3D9CF29AC13397DDAEBDE88BA712F562A119A76221E5D40EDACEBC185BCA4DD1A2982198090301AA8E898080FF820418030080FF81008018070301AA8E878080FF8202018100E3180E8301AA8E87020B020A0EEAFC27CB55E3659AE36178118E9A3AF36B5F0818050304154324671E82018101A48018230110806519652E19754D151E61BCA4552FD635BFA22941B2E16E205998359E0CACC56101108052FFEE2EECBF2CBF30566DD00DABE533E95C163079C58A416DA4631EF6F2C03F86A81984100E8984100BC500181008101008518050304154324671E8201811827988898078301AA8201860426A7A937B7BA21A0988C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7980F0B86989B981C191A189A9A1B9999AD0B869918981C1919989A9A1B9999AD1827988898078301AA8201860426A7A9BAB121A098988C980B8301AA820506082924A9A2902B192390283937B532B1BA188598048301AA82030981222298891808030504C91344C9F91632008C8B0126A7982C98098303954324671E81008304154324671E81808381A10002606D49CDDEDB507490D545576D3EF47652741494DF8BC7162AC62C8C26CF6BD497D1722204195C5548B6D43A58100FDBC4F088C72285C62A3CAC9166D7014895D1A2982198090301AA8E898080FF820418030080FF81008098070301AA8E878080FF820201810083180E8301AA8E87020B020A20DE09BA068BB96CE9508AF6F4169B66874E8FFA18050304154324671E82018101A38018220110016F5355C84F1580680D99BC59BAB5F047ED6D346AA7ED84D4A668EBB4672E200110290994F9505A490DA7B74774FDD122E696D19169911CE583A59D5563C6D7296897A00
+
+SHA-256:
+A993EA30EB05C7FC0FB96AF2D8FF0859D012380993D63DD833395D4A9D331A84
+
+Base64 encoded SHA-256:
+qZPqMOsFx/wPuWry2P8IWdASOAmT1j3YMzldSp0zGoQ=
+
+
+
+### ContractSignatureEncryptedPrivateKey
+
+EXI:
+802202B4B2190C05482BFFDE709CA5D130F02E400E294818D186F038A722EF80A77D0DF1A6ADDE00E6648688F65BE9DE1C79C82E75250C1E80
+
+
+SHA-256:
+DC16ECAF420130C531A5B0C2BDCF31503ED7D84AEEB047AF1870EC48991B3A00
+
+Base64 encoded SHA-256:
+3Bbsr0IBMMUxpbDCvc8xUD7X2ErusEevGHDsSJkbOgA=
+
+
+### DHpublickey
+
+EXI:
+802D02B4B21990413B2006859EA981D8AE3D92240AEBFF183BC4CCA6A183D742DF61288B323C03016E66368CA31C676BC44E6AFDBC86E2C9F30807A6938F769A416C9F0ECA0C73C61E80
+
+SHA-256:
+C81FCBD160FE4A6162DD55ADED51A291DFCEEEA0D1CA52FC4C10EECAF1E5F536
+
+Base64 encoded SHA-256:
+yB/L0WD+SmFi3VWt7VGikd/O7qDRylL8TBDuyvHl9TY=
+
+
+
+### eMAID
+
+EXI:
+80EC0202B4B21A40041111505090D0CC4C8CD05090CD4DBD3D00
+
+SHA-256:
+939AF54F14396EC0D827F753C896AC0762AE1E00ACAB57E19AF100243CDD5A6B
+
+Base64 encoded SHA-256:
+k5r1TxQ5bsDYJ/dTyJasB2KuHgCsq1fhmvEAJDzdWms=
+
+
+
+## SIGNATURE GENERATION WITH XML NAMESPACE "urn:iso:15118:2:2013:MsgBody"
+
+EXI:
+808112B43A3A381D1797BBBBBB973B999737B93397AA2917B1B0B737B734B1B0B616B2BC3497A1AB43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B63239B4B396B6B7B93291B2B1B239B096B9B430991A9B220623696432025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C841B82DD95E8402618A634B61857B9E62A07DAFB095DD608F5E30E1D8913236740008188DA590C4095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B21054C9F5187582E3FE07DCB5796C7F842CE8091C04C9EB1EEC199CAEA54E998D42020623696434025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C8412735EA9E2872DD81B04FEEA7912D580EC55C3C015956AFC335E2004879BAB4D608188DA590CC095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B210640FE5E8B07F2530B16EAAD6F6A8D148EFE7775068E5297E2608776578F2FA9B0DC
+
+The signature value will never be the same because ECDSA always uses a random see to generate the signature. Therefore, it does not make sense to provide a signature value here for comparison.
+HINT: Do not make the mistake to hash the EXI binary stream before you run ECDSA on it. ECDSA already performs an SHA-256 hashing operation!
+
+
+
+## XML REFERENCE ELEMENT GENERATION WITH XML NAMESPACE ""
+
+The following values are created using the empty XML namespace "". 
+
+
+### ContractSignatureCertChain
+
+EXI: 80F311B436F6E74726163745369676E617475726543657274436861696E4C028006070052056964312E00109805000C7F4089A9292846288868682B0E2CE82EE928482CE92848888829684CECEE2D0D6D49EA0A2A28882D484A09AA48AEE88EEB288ACA2A2888882D09CA8629C62B2D69C849AD48AB49A84C68E8262AA8A86CEEEA2AAD6D8A8A4A684AE9AD6C6CEAA9094ECC2DAACD4C8888A989A82D68E8262AA8A84D09A86A48AAAF08AD482A284CEDE94D6D2C294D65E92E6B4828AB48CCE949CA8F482CA8CEE60F09CF482689AD4A2F09CA8A2669AF49CC28CEE60F09EA882689AD4A2F09CA8A2669AF49CC29A8CC6F08EA882B084CE9CAC84829A9A8A8AA48C98AA8C86A2F262889AA892F4A2AA94889CA8B2F08EA882B084CE9CAC8482DE9A8A8C9494AA60AACEACD49490928C84F2C464E0D8B266A2F086F4829484CE9CAC8482B2A882D6A48C9AA492EE8A82B29686B492DAD2B4A0F2988EA2848EA4B286A8AA70EEAEA882A884CEC6E2D0D6D49EA0A2928484CECEE2D0D6D49EA0A29A8484EE9C868282A8AE989C8E84E8EC8256725684628EC6986E84C8ACD6F0F0606A6AD0DE6268EAAC86D4DCCEF0DC9E5EE0CA68DEC28C5EF4D0F0DC5684CED48C7056F4F068D0F4D8C2C4A6A68C90E4E096CAC8C6CC8AD8E4AE9AC282E0DEF470EEA0A8829A84CE9CAC90A49A8482CC708A82D482829A82688E8262AAC888EE8A845EEEA28A82EE92886C8882C884CE9CAC90A2688A8CCEA2AA64968AE49E8EE6A89464ECC664C896645EF2A26CCAB070DE8AA870EE86CEB29296DEB492F4D4608A82EE9288A68282EEA4A292CE8AC4EEC4DE9EC486F088E2E668DE92F466C86CD6ECC49CE482A082DE98E6D2926294AEB066B0C4B0AA6E9A8692A2889C9E9088D4DAD4628AB470568C56F0B262C2DC9EC498C29A94CC949EE864F2ECC6D2DC6C9EF05EECF0CACE7A7A8E01169805000C2E00114C0280063F6044D494942307A4343415869674177494241674942437A414B42676771686B6A4F50515144416A42504D52457744775944565151444441684E54314E31596B4E424D54455A4D4263474131554543677751556B6C54525342574D6B636755484A76616D566A6444454C4D416B474131554542684D4352455578456A415142676F4A6B69614A6B2F49735A41455A46674A4E547A4165467730784E7A41344D6A51784E5451334D7A4E61467730794D5441344D6A4D784E5451334D7A4E614D4538784554415042674E5642414D4D4345315055335669513045794D526B77467759445651514B4442425353564E464946597952794251636D39715A574E304D517377435159445651514745774A45525445534D42414743676D534A6F6D543869786B41526B57416B31504D466B77457759484B6F5A497A6A3043415159494B6F5A497A6A304441516344516741454851746D7347706A2B65472F787969674B48424E4A4C417A6246674D2F76384A4C30754858675A332F4C7736657A6E6C4E594A6E4C37746465394558546958717855497A5473524479366764745A31344D4C65556D364E464D454D7745675944565230544151482F42416777426745422F7749424144414F42674E56485138424166384542414D4341635977485159445652304F42425945464233562B452B577138624C4E63624338434D644E48586D317234514D416F4743437147534D343942414D4341306B414D4559434951444B4D7370634D7571614B6A7A44655569715836787266305253673258433345437A4D47733847566D4B77674968414B582F3346335A666C6C2B594B7A626F427458796D6653754378673834735567747449786A33743559422F470008A60140031FB0226A4A4A1182A21A1A0AC34B3A0BBA4A120B3A4A121B520A5A133B3B8B435B527A828A8A220B5212826A922BBA23BACA22B28A8A22220B4272A18A53B3119A92228AA22AD26A131A3A098AAA2A1B3BBA8AAB5B62A2929A12BA6B5B1B3AAA4253B30B6AB35322222A626A0B5A3A098AAA2A13426A1A922AABC22B520A8A133B7A535B4B0A53597A4B9AD20A2AD2333A5272A3D20B2A33B983C273D209A26B528BC272A2899A6BD2730A33B983CA6AA209A26B526BC272A2899A6BD2730A6A29C3C22AA20A82133A72B2120A6A6A1A298A82A99AB34A89822BC26A935BBA33BACA22B28A8A5A2212129A9AB272324A32CBCA93CA128B1B69CB8AD2BA71826A8B9BBA1A8ACA22B28A8A3A2BBA522A92A22A9A6A120A3A1B3B6A9A537B6AA1C34BC35A0A935ABA0B598A826A335BBA2BBACA425B7AD24BD351821A0A8ACA4A5B7AD24BD35182220A8B1A228B3A0A2BBA738AA369B991937A7B5B438B7B8BA993719B79BA5AA37A5A9B697A31A1A39AB2CBC2D23A29932989B35BB37BAA922A1A2259A38B8233A38A429BBA4A11599B4B2A2A93535AAA63523291AABA9A6273933A5A9259B272326A2A6BBA2B3ACA22B29182A20A8A417A120B3BBA133A2A117BBA4A120AA20A7A133A72B24289C2120B31C22A120A6A1A0A8ACBBA428ACA22B291827A1212CA2A322A39C2299A8A72319A62D1838A2AB1BB2B3BA27399827B729179826A0B7A3A1A1B8A3A9A69A1CA120A6A1A09831A0A6A2A8A1A4A0A632B838BAA8B734B9A0982139BD32A62718B095A1A8193A383798AA97B121B0B62698323237BD363C20A0B4A129A2BCB73CB7A629A9A3981CBAB53AB71BB7B5AC272630A6B4983CA49ABCBBB22627B8B92435309AA998289E9EABE8
+
+
+SHA-256:
+149E8C972A5108ECA39E0B6BA92F9B3FEC8F266BC1337FD5E2B469A723D5FE06
+
+Base64 encoded SHA-256:
+FJ6MlypRCOyjngtrqS+bP+yPJmvBM3/V4rRppyPV/gY=
+
+
+### ContractSignatureEncryptedPrivateKey
+
+EXI:
+80F3125436F6E74726163745369676E6174757265456E63727970746564507269766174654B65794C028006070052056964326848CA686EC5E66DC86C6E0C88AEE70866A8288D2D8928E9C8E8E7088D2DC92EA5682E066609C70C2C2E866CE88DAB492C29272D8ECE066D0F06AF2866A6294A2EEFA00
+
+SHA-256:
+7F1D245F01367284C9412D1EBC714F64F25707693C28CC4AFAE584E5E0355D5E
+
+Base64 encoded SHA-256:
+fx0kXwE2coTJQS0evHFPZPJXB2k8KMxK+uWE5eA1XV4=
+
+
+### DHpublickey
+
+EXI:
+80F310C44487075626C69636B65794C028006070052056964336B4849EF2828ED0B46CE0CEC8D2EAA0B492D686EAEC5E8E88EC8AF496C2D0CE72C88666648ADED2F4927082EE8CEAB4D4C29ADEF0F0DCC270A49EC2EC6470D0EA989470EECE90E0E09EA0C8E0E084C494709EF2CEF0F4F0CE7AFA00
+
+SHA-256:
+105A7E05E5DE4FB03F050E213B01457D634C3F186CC4A28DA6403349286A5F59
+
+Base64 encoded SHA-256:
+EFp+BeXeT7A/BQ4hOwFFfWNMPxhsxKKNpkAzSShqX1k=
+
+
+### eMAID
+
+EXI:
+80F3106654D4149444C02800607005205696434620888A828486866264668284866A6CFA00
+
+SHA-256:
+45CD81DFFD1A56BB5F4A796B804CA71721AF434587E0ED803A09EAEBADBB8479
+
+Base64 encoded SHA-256:
+Rc2B3/0aVrtfSnlrgEynFyGvQ0WH4O2AOgnq6627hHk=
+
+
+
+## SIGNATURE GENERATION WITH XML NAMESPACE ""
+
+EXI:
+808112B43A3A381D1797BBBBBB973B999737B93397AA2917B1B0B737B734B1B0B616B2BC3497A1AB43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B63239B4B396B6B7B93291B2B1B239B096B9B430991A9B220623696432025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C840FE3A48BE026CE50992825A3D78E29EC9E4AE0ED278519895F5CB09CBC06ABABC08188DA590C4095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B2100A4F464B9528847651CF05B5D497CD9FF6479335E099BFEAF15A34D391EAFF03020623696434025687474703A2F2F7777772E77332E6F72672F54522F63616E6F6E6963616C2D6578692F4852D0E8E8E0745E5EEEEEEE5CEE665CDEE4CE5E646060625E60685EF0DAD8CADCC646E6D0C2646A6C8408B9B03BFFA34AD76BE94F2D700994E2E435E868B0FC1DB007413D5D75B7708F208188DA590CC095A1D1D1C0E8BCBDDDDDDCB9DCCCB9BDC99CBD5148BD8D85B9BDB9A58D85B0B595E1A4BD214B43A3A381D1797BBBBBB973B999737B933979918181897981A17BC36B632B73191B9B430991A9B210082D3F02F2EF27D81F8287109D80A2BEB1A61F8C36625146D32019A494352FAC8DC
+
+The signature value will never be the same because ECDSA always uses a random see to generate the signature. Therefore, it does not make sense to provide a signature value here for comparison.
+HINT: Do not make the mistake to hash the EXI binary stream before you run ECDSA on it. ECDSA already performs an SHA-256 hashing operation!
+

RISE-V2G-Certificates/signature-creation-testdata/contractCert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1DCCAXqgAwIBAgIBDDAKBggqhkjOPQQDAjBPMREwDwYDVQQDDAhNT1N1YkNB
+MjEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVjdDELMAkGA1UEBhMCREUxEjAQBgoJ
+kiaJk/IsZAEZFgJNTzAeFw0xNzA4MjQxNTQ3MzNaFw0xOTA4MjQxNTQ3MzNaMFcx
+GTAXBgNVBAMMEERFLUFCQy1DMTIzQUJDNTYxGTAXBgNVBAoMEFJJU0UgVjJHIFBy
+b2plY3QxCzAJBgNVBAYTAkRFMRIwEAYKCZImiZPyLGQBGRYCTU8wWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATWLNGBtvA+9+B1GcL7BdVkxx055ho14uVCjngxnO/p
+e4oaF/zhxn+BgjF8+zx4hzlabSSFHrpKedcfElrWMaApoz8wPTAMBgNVHRMBAf8E
+AjAAMA4GA1UdDwEB/wQEAwID6DAdBgNVHQ4EFgQU2KErOGsTJ2vc2dK2/yQ6eX8o
+ET8wCgYIKoZIzj0EAwIDSAAwRQIgEbwboObCxDqs4oIz3d6kvbNrAPAoLsiI1JWX
+3XbXU7MCIQDNOHDjmj1EZ8+F+xY1anObLaMJfJOt2yvcin6Ox/vxeg==
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/cpsLeafCert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAXagAwIBAgIBDzAKBggqhkjOPQQDAjBSMRMwEQYDVQQDDApQcm92U3Vi
+Q0EyMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQswCQYDVQQGEwJERTETMBEG
+CgmSJomT8ixkARkWA0NQUzAeFw0xNzA4MjQxNTQ3MzNaFw0xNzExMjIxNTQ3MzNa
+MFAxETAPBgNVBAMMCENQUyBMZWFmMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0
+MQswCQYDVQQGEwJERTETMBEGCgmSJomT8ixkARkWA0NQUzBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABAliSbuJvCZX7mUSSfLhTx7Xga7ZqkpVRJYqfzPxPoKku9if
+KZCK5yNdfr+jdl4rx54Xit6yCPlfWpxuSkzAxPijPzA9MAwGA1UdEwEB/wQCMAAw
+DgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTj4VPerVdFt6xSJrWdtpFcb3sVETAK
+BggqhkjOPQQDAgNIADBFAiEAsGRTXuIfIuOa0owMEfD5MT/zYH6EiZao5+OkzeOf
+JXMCIB3JR3vt5l0mEWMLU+ShAmivkyUBw7O2rerExdMJttGX
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/cpsSubCA1.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAX2gAwIBAgIBDTAKBggqhkjOPQQDAjBRMRIwEAYDVQQDDAlWMkdSb290
+Q0ExGTAXBgNVBAoMEFJJU0UgVjJHIFByb2plY3QxCzAJBgNVBAYTAkRFMRMwEQYK
+CZImiZPyLGQBGRYDVjJHMB4XDTE3MDgyNDE1NDczM1oXDTIxMDgyMzE1NDczM1ow
+UjETMBEGA1UEAwwKUHJvdlN1YkNBMTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVj
+dDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/IsZAEZFgNDUFMwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAARN2s0xy3U5Zb8hVqzTUIRjaCYFqmNQhz4cvx37M+K7LfcE
+wSKWJA3DV0NDqVjYx2xDuYEne40iKWkFBTVR0vVxo0UwQzASBgNVHRMBAf8ECDAG
+AQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU76lySuYRBw7aRqQ7V1cN
+1K2zlfgwCgYIKoZIzj0EAwIDSAAwRQIhAOUOszuXtl1C0OXArVHEDvOvcQutMT9e
+ctVkId8YcKPUAiARFXXI6c3Fun5Xbka2IN1F/kKv+BC/P2GMlnJOYupBcw==
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/cpsSubCA2.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAX6gAwIBAgIBDjAKBggqhkjOPQQDAjBSMRMwEQYDVQQDDApQcm92U3Vi
+Q0ExMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQswCQYDVQQGEwJERTETMBEG
+CgmSJomT8ixkARkWA0NQUzAeFw0xNzA4MjQxNTQ3MzNaFw0xOTA4MjQxNTQ3MzNa
+MFIxEzARBgNVBAMMClByb3ZTdWJDQTIxGTAXBgNVBAoMEFJJU0UgVjJHIFByb2pl
+Y3QxCzAJBgNVBAYTAkRFMRMwEQYKCZImiZPyLGQBGRYDQ1BTMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEGAVuEjd1iDZMfLe+Nx3++VQ4CUEGanjnE50TfIMJWMkg
+gW5yEfTW1Jvufc5y+DpUZt7gq7qv/avU49p+v6Wy76NFMEMwEgYDVR0TAQH/BAgw
+BgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFU4w9oOBoEua91kTR+x
+7Cr+34aMMAoGCCqGSM49BAMCA0gAMEUCIBWwfkxUMuGD8B1TG9TqRTq5hMbdHAWk
+jrsn7OD9bIPxAiEA2+xoVcjPq06EG2u1VCKceY1WHhTcWFZAg2eG4X5/uBg=
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/moSubCA1.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXigAwIBAgIBCjAKBggqhkjOPQQDAjBPMREwDwYDVQQDDAhNT1Jvb3RD
+QTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVjdDELMAkGA1UEBhMCREUxEjAQBgoJ
+kiaJk/IsZAEZFgJNTzAeFw0xNzA4MjQxNTQ3MzNaFw0yMTA4MjMxNTQ3MzNaME8x
+ETAPBgNVBAMMCE1PU3ViQ0ExMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQsw
+CQYDVQQGEwJERTESMBAGCgmSJomT8ixkARkWAk1PMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEwNqTm722oOkhqoqu2n3o7KToKSm/F44sVYxZGE2e16kvouRECDK4
+qpFtqHSwIB+3ieERjkULjFR5WSLNrgKRK6NFMEMwEgYDVR0TAQH/BAgwBgEB/wIB
+ATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEG8E3QNF3LZ0qEV7egtNs0OnR/0
+MAoGCCqGSM49BAMCA0cAMEQCIALepquQnisA0BszeLN1a+CP2tpo1U/bCalM0ddo
+zlxAAiBSEynyoLSSG09ujun7okXNLaMi0yI5ywdLOqrHja5S0Q==
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/moSubCA2.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,062540BA2D6472E54C487A11D95F3AC3
+
+aYWKJNn3VFjeSvvUqwJqqmszQmZ1tMlN++l3jHc6QfwZG8M3PJ4jCNFTjYnSyLxc
+lJwTEYmdURSrzBFXxOZwHMYhBn7cWS3DavsJk1SnukAR50DctrcXc74c5aBXY6HW
+zRFtKK/1PueHlfcetnhpTclz3dY1vLh26x33iZNcM74=
+-----END EC PRIVATE KEY-----

RISE-V2G-Certificates/signature-creation-testdata/moSubCA2.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0zCCAXigAwIBAgIBCzAKBggqhkjOPQQDAjBPMREwDwYDVQQDDAhNT1N1YkNB
+MTEZMBcGA1UECgwQUklTRSBWMkcgUHJvamVjdDELMAkGA1UEBhMCREUxEjAQBgoJ
+kiaJk/IsZAEZFgJNTzAeFw0xNzA4MjQxNTQ3MzNaFw0yMTA4MjMxNTQ3MzNaME8x
+ETAPBgNVBAMMCE1PU3ViQ0EyMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0MQsw
+CQYDVQQGEwJERTESMBAGCgmSJomT8ixkARkWAk1PMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEHQtmsGpj+eG/xyigKHBNJLAzbFgM/v8JL0uHXgZ3/Lw6eznlNYJn
+L7tde9EXTiXqxUIzTsRDy6gdtZ14MLeUm6NFMEMwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFB3V+E+Wq8bLNcbC8CMdNHXm1r4Q
+MAoGCCqGSM49BAMCA0kAMEYCIQDKMspcMuqaKjzDeUiqX6xrf0RSg2XC3ECzMGs8
+GVmKwgIhAKX/3F3Zfll+YKzboBtXymfSuCxg84sUgttIxj3t5YB/
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/oemProvCert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCAXigAwIBAgIBCDAKBggqhkjOPQQDAjBRMRIwEAYDVQQDDAlPRU1TdWJD
+QTIxGTAXBgNVBAoMEFJJU0UgVjJHIFByb2plY3QxCzAJBgNVBAYTAkRFMRMwEQYK
+CZImiZPyLGQBGRYDT0VNMB4XDTE3MDgyNDE1NDczM1oXDTIxMDgyMzE1NDczM1ow
+UzEUMBIGA1UEAwwLT0VNUHJvdkNlcnQxGTAXBgNVBAoMEFJJU0UgVjJHIFByb2pl
+Y3QxCzAJBgNVBAYTAkRFMRMwEQYKCZImiZPyLGQBGRYDT0VNMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEUqcvKGUqXWKyxSBWO/3FnqmlfMEMAnidDInpKGFiJmfE
+3UgNF3J3oJpjv9qUM3499WEpbT2CAo78x+mUDdpYl6M/MD0wDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCA4gwHQYDVR0OBBYEFCqlaYqeiG+DJv2rq+f1dfmIY5RU
+MAoGCCqGSM49BAMCA0cAMEQCICm9e1rqqqB7kwueHXqFiG2tMVrTOcVOs+jFwRwe
+gLb5AiAMedM5xhPfZsk2UQ+SPQU0sfrxMn502Lp/FNtSAC5ZhA==
+-----END CERTIFICATE-----

RISE-V2G-Certificates/signature-creation-testdata/v2gRootCA.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0jCCAXmgAwIBAgIBATAKBggqhkjOPQQDAjBRMRIwEAYDVQQDDAlWMkdSb290
+Q0ExGTAXBgNVBAoMEFJJU0UgVjJHIFByb2plY3QxCzAJBgNVBAYTAkRFMRMwEQYK
+CZImiZPyLGQBGRYDVjJHMB4XDTE3MDgyNDE1NDczM1oXDTI3MDgyMjE1NDczM1ow
+UTESMBAGA1UEAwwJVjJHUm9vdENBMRkwFwYDVQQKDBBSSVNFIFYyRyBQcm9qZWN0
+MQswCQYDVQQGEwJERTETMBEGCgmSJomT8ixkARkWA1YyRzBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABLE/MafHkojlTbVfaMAjt7/i4C6/HS389tsQziW2mR7AR9qN
+mmGPiK4RZJhA1FNjCQ6DUik5SHOO5bjNpzvAvhCjQjBAMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBT04/k6DUSvK3QJCG1jqlaLBrAr
+2DAKBggqhkjOPQQDAgNHADBEAiBi7kagjATT8B1CSt78apcFeAdYO1XO9d97sTHz
+j2Ql9QIgEhmGC5nwUF82Ko/Adru0l9lggWZUTo+06RB9MKZtH78=
+-----END CERTIFICATE-----

RISE-V2G-SECC/src/main/java/org/v2gclarity/risev2g/secc/states/WaitForChargingStatusReq.java

@@ -66,7 +66,7 @@ public class WaitForChargingStatusReq extends ServerState {
 				chargingStatusRes.setReceiptRequired(false);
 			} else {
 				// Only in PnC mode according to [V2G2-691]
-				chargingStatusRes.setReceiptRequired(true);
+				chargingStatusRes.setReceiptRequired(false);
 			}
 			
 			// Optionally set EVSEMaxCurrent (if NOT in AC PnC mode) -> check with AC station

RISE-V2G-SECC/src/main/java/org/v2gclarity/risev2g/secc/states/WaitForPaymentDetailsReq.java

@@ -109,7 +109,7 @@ public class WaitForPaymentDetailsReq extends ServerState {
 		
 		// Check for FAILED_ContractCancelled
 		// TODO how to check if the EMAID provided by EVCC is not accepted by secondary actor?
-		if (!SecurityUtils.isEMAIDSynstaxValid(
+		if (!SecurityUtils.isEMAIDSyntaxValid(
 				SecurityUtils.getCertificate(
 						paymentDetailsReq.getContractSignatureCertChain().getCertificate())
 						)

RISE-V2G-Shared/src/main/java/org/v2gclarity/risev2g/shared/messageHandling/MessageHandler.java

@@ -290,23 +290,29 @@ public class MessageHandler {
 			 * We need to set the localPart of the QName object for the CertificateInstallationRes/CertificateUpdateRes parameters
 			 * correctly. The messageOrField object's class name cannot be taken directly as it differs from what should be the 
 			 * XML element name.
+			 * 
+			 * In principle, there are two ways of setting the namespace for the XML elements of the parameters of a 
+			 * CertificateInstallationRes/CertificateUpdatenRes. Annex J of ISO 15118-2 is not clear about that. Standard rules of
+			 * XSD would require to always set a so-called target namespace, in this case GlobalValues.V2G_CI_MSG_BODY_NAMESPACE.
+			 * But you could also use the empty namespace "" and would still be conform to the standard.
+			 * The choice of the namespace heavily influences interoperability as the resulting digest values will be different.
 			 */
 			switch (messageName) {
 			case "CertificateChain":
 				messageName = "ContractSignatureCertChain";
-				namespace = "";
+//				namespace = "";
 				break;
 			case "DiffieHellmanPublickey":
 				messageName = "DHpublickey";
-				namespace = "";
+//				namespace = "";
 				break;
 			case "EMAID":
 				messageName = "eMAID";
-				namespace = "";
+//				namespace = "";
 				break;
 			case "ContractSignatureEncryptedPrivateKey":
 				messageName = "ContractSignatureEncryptedPrivateKey";
-				namespace = "";
+//				namespace = "";
 				break;
 			default:
 				break;

RISE-V2G-Shared/src/main/java/org/v2gclarity/risev2g/shared/utils/SecurityUtils.java

@@ -453,7 +453,7 @@ public final class SecurityUtils {
 			}
 			break;
 		case MO:
-			if (!isEMAIDSynstaxValid(leafCertificate)) {
+			if (!isEMAIDSyntaxValid(leafCertificate)) {
 				return ResponseCodeType.FAILED_CERT_CHAIN_ERROR;
 			}
 			break;
@@ -716,8 +716,11 @@ public final class SecurityUtils {
 		 * systems, the memory is very limited which is why we should not use long IDs for the signature reference
 		 * element. A good size would be 3 characters max (like the example in the ISO 15118-2 annex J)
 		 */
-		dhPublicKey.setId("id1"); // dhPublicKey
-		dhPublicKey.setValue(getUncompressedSubjectPublicKey((ECPublicKey) ecdhKeyPair.getPublic()));
+		dhPublicKey.setId("id1"); 
+		
+		byte[] uncompressedDHpublicKey = getUncompressedSubjectPublicKey((ECPublicKey) ecdhKeyPair.getPublic());
+		getLogger().debug("Created DHpublickey: " + ByteUtils.toHexString(uncompressedDHpublicKey));
+		dhPublicKey.setValue(uncompressedDHpublicKey);
 		
 		return dhPublicKey;
 	}
@@ -826,8 +829,6 @@ public final class SecurityUtils {
 			privateKey = (ECPrivateKey) keyStore.getKey(
 						alias, 
 						GlobalValues.PASSPHRASE_FOR_CERTIFICATES_AND_KEYS.toString().toCharArray());
-			
-			getLogger().debug("Private key used for creating signature: " + ByteUtils.toHexString(privateKey.getEncoded()));
 		} catch (KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException e) {
 			getLogger().error("The private key from keystore with alias '" + alias + 
 							  "' could not be retrieved (" + e.getClass().getSimpleName() + ")", e);
@@ -1715,6 +1716,8 @@ public final class SecurityUtils {
 			encoded = getExiCodec().encodeEXI(jaxbMessageOrField, GlobalValues.SCHEMA_PATH_XMLDSIG.toString());
 		} else encoded = getExiCodec().encodeEXI(jaxbMessageOrField, GlobalValues.SCHEMA_PATH_MSG_DEF.toString());
 		
+		getLogger().debug("EXI encoded " + jaxbMessageOrField.getName().getLocalPart() + ": " + ByteUtils.toHexString(encoded));
+		
 		// Do not use the schema-informed fragment grammar option for other EXI encodings (message bodies)
 		getExiCodec().setFragment(false);
 		
@@ -1735,7 +1738,7 @@ public final class SecurityUtils {
 				 */
 				if ( !(jaxbMessageOrField.getValue() instanceof SignedInfoType) ) {
 					getLogger().debug("\n"
-									+ "\tDigest generated for reference element " + jaxbMessageOrField.getClass().getSimpleName() + ": " + ByteUtils.toHexString(digest) + "\n"
+									+ "\tDigest generated for XML reference element " + jaxbMessageOrField.getName().getLocalPart() + ": " + ByteUtils.toHexString(digest) + "\n"
 									+ "\tBase64 encoding of digest: " + Base64.getEncoder().encodeToString(digest));
 				}
 			}
@@ -1759,6 +1762,9 @@ public final class SecurityUtils {
 		try {
 			Signature ecdsa = Signature.getInstance("SHA256withECDSA", "SunEC");
 		
+			getLogger().debug("EXI encoded SignedInfo: " + ByteUtils.toHexString(signedInfoElementExi));
+			getLogger().debug("\n\tPrivate key used for creating signature: " + ByteUtils.toHexString(ecPrivateKey.getS().toByteArray()));
+			
 			ecdsa.initSign(ecPrivateKey);
 			ecdsa.update(signedInfoElementExi);
 			
@@ -1767,6 +1773,8 @@ public final class SecurityUtils {
 			// Java operates on DER encoded signatures, but we must send the raw r and s values as signature 
 			byte[] rawSignature = getRawSignatureFromDEREncoding(signature);
 			
+			getLogger().debug("Signature value: " + ByteUtils.toHexString(rawSignature));
+			
 			return rawSignature;
 		} catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
 			getLogger().error(e.getClass().getSimpleName() + " occurred while trying to create signature", e);
@@ -2132,7 +2140,7 @@ public final class SecurityUtils {
 	 * @param certChain The contract certificate chain. The EMAID is read from the contract certificate's common name
 	 * @return True, if the syntax is valid, false otherwise
 	 */
-	public static boolean isEMAIDSynstaxValid(X509Certificate contractCertificate) {
+	public static boolean isEMAIDSyntaxValid(X509Certificate contractCertificate) {
 		String emaid = getEMAID(contractCertificate).getValue().toUpperCase();
 		
 		if (emaid.length() < 14 || emaid.length() > 18) {