Tests Specification for OSCORE

Notes
Security Contexts and Resources
Set up the environment
1. Test 0a
2. Test 0b
Correct OSCORE use
1. GET test
  1. Test 1a
  2. Test 1b
  3. Test 2a
  4. Test 2b
  5. Test 3a
  6. Test 3b
  7. Test 4a
  8. Test 4b
  9. Test 5a
  10. Test 5b
  11. Test 6a
  12. Test 6b
  13. Test 7a
  14. Test 7b
2. POST test
  1. Test 8a
  2. Test 8b
3. PUT test
  1. Test 9a
  2. Test 9b
  3. Test 10a
  4. Test 10b
4. DELETE test
  1. Test 11a
  2. Test 11b
Incorrect OSCORE use

1. Notes

CoAP Version is 1 in all the tests.

The client and server may optionally display external_aad and COSE object (before and after compression) to simplify debugging.

When non-indicated, CoAP messages can be NON or CON (implementer's choice).

To be able to run Test 16, the implementer must run an OSCORE-unaware server.

The number used as Object-Security option number is set to 9 in this document.

2. Security Contexts and Resources

Security Context A: Client

Common Context:
- Master Secret: 0x0102030405060708090a0b0c0d0e0f10 (16 bytes)
- Master Salt: 0x9e7ca92223786340 (8 bytes)
- Common IV: 0x4622d4dd6d944168eefb54987c (13 bytes)
Sender Context:
- Sender ID: 0x (0 byte)
- Sender Key: 0xf0910ed7295e6ad4b54fc793154302ff (16 bytes)
- Sender Seq Number: 00
- Sender IV: 0x4622d4dd6d944168eefb54987c (using Partial IV: 00)
Recipient Context:
- Recipient ID: 0x01 (1 byte)
- Recipient Key: 0xffb14e093c94c9cac9471648b4f98710 (16 bytes)
- Recipient IV: 0x4722d4dd6d944169eefb54987c (using Partial IV: 00)

Security Context B: Server

Common Context:
- Master Secret: 0x0102030405060708090a0b0c0d0e0f10 (16 bytes)
- Master Salt: 0x9e7ca92223786340 (8 bytes)
- Common IV: 0x4622d4dd6d944168eefb54987c (13 bytes)
Sender Context:
- Sender Id: 0x01 (1 byte)
- Sender Key: 0xffb14e093c94c9cac9471648b4f98710 (16 bytes)
- Sender Seq Number: 00
- Sender IV: 0x4722d4dd6d944169eefb54987c (using Partial IV: 00)
Recipient Context:
- Recipient Id: 0x (0 byte)
- Recipient Key: 0xf0910ed7295e6ad4b54fc793154302ff (16 bytes)
- Recipient IV: 0x4622d4dd6d944168eefb54987c (using Partial IV: 00)

Security Context C: Client

Common Context:
- Master Secret: 0x0102030405060708090a0b0c0d0e0f10 (16 bytes)
- Master Salt: 0x9e7ca92223786340 (8 bytes)
- Common IV: 0x0x2ca58fb85ff1b81c0b7181b85e (13 bytes)
- ID Context: 0x37cbf3210017a2d3 (8 bytes)
Sender Context:
- Sender ID: 0x (0 byte)
- Sender Key: 0xaf2a1300a5e95788b356336eeecd2b92 (16 bytes)
- Sender Seq Number: 00
- Sender IV: 0x2ca58fb85ff1b81c0b7181b85e (using Partial IV: 00)
Recipient Context:
- Recipient ID: 0x01 (1 byte)
- Recipient Key: 0xe39a0c7c77b43f03b4b39ab9a268699f (16 bytes)
- Recipient IV: 0x2da58fb85ff1b81d0b7181b85e (using Partial IV: 00)

Security Context D: Server

Common Context:
- Master Secret: 0x0102030405060708090a0b0c0d0e0f10 (16 bytes)
- Master Salt: 0x9e7ca92223786340 (8 bytes)
- Common IV: 0x2ca58fb85ff1b81c0b7181b85e (13 bytes)
- ID Context: 0x37cbf3210017a2d3 (8 bytes)
Sender Context:
- Sender Id: 0x01 (1 byte)
- Sender Key: 0xe39a0c7c77b43f03b4b39ab9a268699f (16 bytes)
- Sender Seq Number: 00
- Sender IV: 0x2da58fb85ff1b81d0b7181b85e (using Partial IV: 00)
Recipient Context:
- Recipient Id: 0x (0 byte)
- Recipient Key: 0xaf2a1300a5e95788b356336eeecd2b92 (16 bytes)
- Recipient IV: 0x2ca58fb85ff1b81c0b7181b85e (using Partial IV: 00)

Resources

The list of resources the OSCORE-aware server must implement is the following:

/oscore/hello/coap : authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)
/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)
/oscore/hello/2 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain), and with ETag 0x2b
/oscore/hello/3 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain), and Max-Age 5
/oscore/hello/6 : protected resource, authorized method: POST, returns the value of the resource with content-format 0 (text/plain)
/oscore/hello/7 : protected resource, authorized method: PUT, returns the value of the resource with content-format 0 (text/plain), has ETag 0x7b
/oscore/observe1 : protected resource, authorized method: GET, supports observe, returns "one" for the first notification, "two" for the second notification. The server is configured to return 5.00 after the 2 notifications are sent.
/oscore/observe2 : protected resource, authorized method: GET, supports observe, returns "one" for the first notification, "two" for the second notification.
/oscore/test: protected resource, authorized method: DEL.

The list of resource the OSCORE-unaware server must implement is the following:

/oscore/hello/coap : authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

3. Set up the environment

3.1. Identifier: TEST_0a

Objective : Verify that CoAP exchange works. Perform a simple GET transaction using COAP, Content-Format and Uri-Path option (Client side)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request including: Uri-Path : /oscore/hello/coap
2	Check	Client serializes the request
3	Verify	Client displays the sent packet
4	Check	Client parses the response and continues the CoAP processing expected; expected: 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "Hello World!"
5	Verify	Client displays the received packet

3.2. Identifier: TEST_0b

Objective : Verify that CoAP exchange works. Perform a simple GET transaction using COAP, Content-Format and Uri-Path option (Server side)

Configuration :

server resources:

/oscore/hello/coap : authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request including: Uri-Path = /oscore/hello/coap
2	Check	Server parses the request and continues the CoAP processing
3	Verify	Server displays the received packet
4	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "Hello World!"
5	Verify	Server displays the sent packet

4. Correct OSCORE use

4.1 GET Tests

4.1.1. Identifier: TEST_1a

Objective : Perform a simple GET transaction using OSCORE, Content-Format and Uri-Path option (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number received not in client's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path : /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "Hello World!"
7	Verify	Client displays the received packet

4.1.2. Identifier: TEST_1b

Objective : Perform a simple GET transaction using OSCORE, Content-Format and Uri-Path option (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-Path : /oscore/hello/1
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "Hello World!"
8	Verify	Server displays the sent packet

4.1.3. Identifier: TEST_2a

Objective : Perform a simple GET transaction using OSCORE, Content-Format and Uri-Path option (Client side), sending an ID Context in the Object Security option

Configuration :

client security context: Security Context C, with:

Sequence number received not in client's replay window
ID Context sent in the request
Sender ID sent in the request

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option (with ID Context) Payload: ciphertext including: Code: GET Uri-Path : /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "Hello World!"
7	Verify	Client displays the received packet

4.1.4. Identifier: TEST_2b

Objective : Perform a simple GET transaction using OSCORE, Content-Format and Uri-Path option (Server side), receiving an ID Context in the Object Security option

Configuration :

server security context: Security Context D, with:

Sequence number received not in server's replay window
ID Context not sent in the response
Sender ID not sent in the response

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option (Containing ID Context) Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-Path : /oscore/hello/1
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "Hello World!"
8	Verify	Server displays the sent packet

4.1.5. Identifier: TEST_3a

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, Uri-Query and ETag option (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/2 Uri-Query : first=1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path : /oscore/hello/2 Uri-Query : first=1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) ETag with value 0x2b Payload = "Hello World!"
7	Verify	Client displays the received packet

4.1.6. Identifier: TEST_3b

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, Uri-Query and ETag option (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/oscore/hello/2 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain), and with ETag 0x2b

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/hello/2 Uri-Query : first=1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-path = /oscore/hello/2 Uri-Query : first=1
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) ETag with value 0x2b Payload = "Hello World!"
8	Verify	Server displays the sent packet

4.1.7. Identifier: TEST_4a

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, Accept and Max-Age option (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/hello/3 Accept = 0 (text/plain;charset=utf-8)
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/3 Accept = 0 (text/plain;charset=utf-8)
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Max-Age with value 0x00 (optional) Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) Max-Age with value 0x05 Payload = "Hello World!"
7	Verify	Client displays the received packet

4.1.8. Identifier: TEST_4b

Objective :Perform a GET transaction using OSCORE, Content-Format, Uri-Path, Accept and Max-Age option (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/oscore/hello/3 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain), and Max-Age 5

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/hello/3 Accept = 0 (text/plain;charset=utf-8)
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Max-Age with value 0x00 Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-path = /oscore/hello/3 Accept = 0 (text/plain;charset=utf-8)
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Max-Age with value 05 Payload = "Hello World!"
8	Verify	Server displays the sent packet

4.1.9. Identifier: TEST_5a

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, and Observe. Response without observe. (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/hello/1 Observe = 0 (Registration)
2	Check	Client serializes the request, which is a FETCH request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/1 Observe = 0 (Registration)
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "Hello World!"
7	Verify	Client displays the received packet

4.1.10. Identifier: TEST_5b

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, and Observe. Response without observe. (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/hello/1 Observe = 0 (Registration)
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.05 FETCH with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-path = /oscore/hello/1 Observe = 0 (Registration)
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "Hello World!"
8	Verify	Server displays the sent packet

4.1.11. Identifier: TEST_6a

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, and Observe (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window
Sequence number received not in client's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/observe1 Observe = 0 (Registration)
2	Check	Client serializes the request, which is a FETCH request, with: Observe = 0 (Registration) Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/observe1 Observe = 0 (Registration)
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.05 Content Response with: Observe (Notification) Object-Security option (with or without Partial IV) Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Observe (Notification) Content-Format = 0 (text/plain) Payload = "one"
7	Verify	Client displays the received packet
8	Check	Client parses the response; expected: 2.05 Content Response with: Observe (Notification) Object-Security option (with Partial IV) Payload
9	Verify	Client decrypts the message: OSCORE verification succeeds
10	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Observe (Notification) Content-Format = 0 (text/plain) Payload = "two"
11	Verify	Client displays the received packet
12	Check	Client parses the response; expected: 2.05 Content Response with: Object-Security option (with Partial IV) Payload
13	Verify	Client decrypts the message: OSCORE verification succeeds
14	Check	Client parses the decrypted response and continues the CoAP processing; expected 5.00 Internal Server Error: Content-Format = 0 (text/plain) Payload = "Terminate Observe"
15	Verify	Client displays the received packet

4.1.12. Identifier: TEST_6b

Objective : Perform a GET transaction using OSCORE, Content-Format, Uri-Path, and Observe (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window
Sequence sent received not in client's replay window

server resources:

/oscore/observe1 : protected resource, authorized method: GET, supports observe, returns "one" for the first notification, "two" for the second notification. The server is configured to return 5.00 after the 2 notifications are sent.

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/observe1 Observe = 0 (Registration)
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.05 FETCH with: Observe = 0 (Registration) Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-path = /oscore/observe1 Observe = 0 (Registration)
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Object-Security option (with or without Partial IV) Observe (Notification) Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "one"
8	Verify	Server displays the sent packet
9	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Object-Security option (with Partial IV) Observe (Notification) Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "two"
10	Verify	Server displays the sent packet
11	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Object-Security option (with Partial IV) Payload: ciphertext including: Code: 5.00 Internal Server Error Content-Format = 0 (text/plain) Payload = "Terminate Observe"
12	Verify	Server displays the sent packet

4.1.13. Identifier: TEST_7a

Objective : Perform 2 GET (Registration and Cancellation) transactions using OSCORE, Content-Format, Uri-Path, and Observe (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window
Sequence number received not in client's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/observe2 Observe = 0 (Registration)
2	Check	Client serializes the request, which is a FETCH request, with: Observe = 0 (Registration) Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/observe2 Observe = 0 (Registration)
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.05 Content Response with: Observe (Notification) Object-Security option (with or without Partial IV) Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Observe (Notification) Content-Format = 0 (text/plain) Payload = "one"
7	Verify	Client displays the received packet
8	Check	Client parses the response; expected: 2.05 Content Response with: Observe (Notification) Object-Security option (with Partial IV) Payload
9	Verify	Client decrypts the message: OSCORE verification succeeds
10	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Observe (Notification) Content-Format = 0 (text/plain) Payload = "two"
11	Verify	Client displays the received packet
12	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/observe2 Observe = 1 (Cancellation)
13	Check	Client serializes the request, which is a FETCH request, with: Observe = 1 (Cancellation) Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/observe2 Observe = 1 (Cancellation)
14	Verify	Client displays the sent packet
15	Check	Client parses the response; expected: 2.05 Content Response with: Object-Security option (with Partial IV) Payload
16	Verify	Client decrypts the message: OSCORE verification succeeds
17	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "two"
18	Verify	Client displays the received packet

4.1.14. Identifier: TEST_7b

Objective : Perform 2 GET (Registration and Cancellation) transactions using OSCORE, Content-Format, Uri-Path, and Observe (Client side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window
Sequence sent received not in client's replay window

server resources:

/oscore/observe2 : protected resource, authorized method: GET, supports observe, returns "one" for the first notification, "two" for the second notification.

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/observe2 Observe = 0 (Registration)
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.05 FETCH with: Observe = 0 (Registration) Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-path = /oscore/observe2 Observe = 0 (Registration)
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Object-Security option (with or without Partial IV) Observe (Notification) Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "one"
8	Verify	Server displays the sent packet
9	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Object-Security option (with Partial IV) Observe (Notification) Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "two"
10	Verify	Server displays the sent packet
11	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-path = /oscore/observe2 Observe = 1 (Cancellation)
12	Verify	Server displays the received packet
13	Check	Server parses the request; expected: 0.05 FETCH with: Observe = 1 (Cancellation) Object-Security option Payload
14	Verify	Server decrypts the message: OSCORE verification succeeds
15	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-path = /oscore/observe2 Observe = 0 (Cancellation)
16	Verify	Server displays the received packet
17	Check	Server serialize the response correctly, which is: 2.05 Content Response with: Object-Security option (with Partial IV) Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "two"
18	Verify	Server displays the sent packet

4.2. POST Tests

4.2.1. Identifier: TEST_8a

Objective : Perform a POST transaction using OSCORE, Content-Format, and Uri-Path option, changing a resource (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP POST request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/6 Content-Format = 0 payload = 0x4a
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: POST Uri-Path = /oscore/hello/6 Content-Format = 0 payload = 0x4a
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.04 Changed Response with: Content-Format = 0 (text/plain) Payload = 0x4a
7	Verify	Client displays the received packet

4.2.2. Identifier: TEST_8b

Objective : Perform a POST transaction using OSCORE, Content-Format, and Uri-Path option, updating a resource (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/hello/6 : protected resource, authorized method: POST, returns the value of the resource with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP POST request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/6 Content-Format = 0 payload = 0x4a
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP POST request, including: Uri-Path = /oscore/hello/6 Content-Format = 0 (text/plain) Payload = 0x4a
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.04 Changed Response Content-Format = 0 (text/plain) Payload = 0x4a
8	Verify	Server displays the sent packet

4.3 PUT Tests

4.3.1. Identifier: TEST_9a

Objective : Perform a PUT transaction using OSCORE, Uri-Path, Content-Format and If-Match option (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP PUT request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/7 Content-Format = 0 If-Match with value 0x7b payload = 0x7a
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: PUT Uri-Path = /oscore/hello/7 Content-Format = 0 If-Match with value 0x7b payload = 0x7a
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.04 Changed Response
7	Verify	Client displays the received packet

4.3.2. Identifier: TEST_9b

Objective : Perform a PUT transaction using OSCORE, Uri-Path, Content-Format and If-Match option (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/hello/7 : protected resource, authorized method: PUT, returns the value of the resource with content-format 0 (text/plain), has ETag 0x7b

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP PUT request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/7 Content-Format = 0 If-Match with value 0x7b payload = 0x7a
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP PUT request, including: Uri-Path = /oscore/hello/7 Content-Format = 0 If-Match with value 0x7b payload = 0x7a
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.04 Changed Response
8	Verify	Server displays the sent packet

4.3.3. Identifier: TEST_10a

Objective : Perform a PUT transaction using OSCORE, Uri-Path, Content-Format and If-None-Match option (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP PUT request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/7 Content-Format = 0 If-None-Match payload = 0x8a
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: PUT Uri-Path = /oscore/hello/7 Content-Format = 0 If-None-Match payload = 0x8a
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 4.12 Precondition Failed
7	Verify	Client displays the received packet

4.3.4. Identifier: TEST_10b

Objective : Perform a PUT transaction using OSCORE, Uri-Path, Content-Format and If-None-Match option (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

/oscore/hello/7 : protected resource, authorized method: PUT, returns the value of the resource with content-format 0 (text/plain), has ETag 0x7b

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP PUT request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/7 Content-Format = 0 If-None-Match payload = 0x8a
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP PUT request, including: Uri-Path = /oscore/hello/7 Content-Format = 0 If-None-Match payload = 0x8a
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 4.12 Precondition Failed
8	Verify	Server displays the sent packet

4.4. DELETE Tests

4.4.1. Identifier: TEST_11a

Objective : Perform a DELETE transaction using OSCORE and Uri-Path option (Client side)

Configuration :

client security context: Security Context A, with:

Sequence number sent not in server's replay window

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP DEL request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/test
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: DEL Uri-Path = /oscore/test
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.02 Deleted
7	Verify	Client displays the received packet

4.4.2. Identifier: TEST_11b

Objective : Perform a DELETE transaction using OSCORE and Uri-Path option (Server side)

Configuration :

server security context: Security Context B, with:

Sequence number received not in server's replay window

server resources:

oscore/test: protected resource, authorized method: DEL.

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP DEL request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/test
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP DEL request, including: Uri-Path = /oscore/test
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.02 Deleted
8	Verify	Server displays the sent packet

5. Incorrect OSCORE use

5.1. Security Context not matching

5.1.1. Identifier: TEST_12a

Objective : Perform an unauthorized CON GET transaction: non matching Client Sender Id - Server Recipient Id (Client side)

Configuration :

client security context: Security Context A, with:

Sender Context:
- Sender ID: modified sender ID (arbitrarily set by the Client)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option (modified Sender ID) Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 4.01 Unauthorized, with: Payload: Security context not found (optional)
5	Verify	Client displays the received packet

5.1.2. Identifier: TEST_12b

Objective :Perform an unauthorized GET transaction: non matching Client Sender Id - Server Recipient Id (Server side)

Configuration :

server security context: Security Context B

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option (modified Sender ID) Uri-Path : /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server: OSCORE verification fails (Context not found)
5	Check	Server serialize the response correctly, which is 4.01 Unauthorized, with: Payload: Security context not found (optional)
8	Verify	Server displays the sent packet

5.1.3. Identifier: TEST_13a

Objective : Perform a CON GET transaction with non matching Client Sender - Server Recipient Keys (Client side)

Configuration :

client security context: Security Context A, with:

Sender Context:
- Sender Key: modified key (arbitrarily set by the Client)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 4.00 Bad Request error message: Payload: Decryption failed (optional)
7	Verify	Client displays the received packet

5.1.4. Identifier: TEST_13b

Objective : Perform a CON GET transaction with non matching Client Sender - Server Recipient Keys (Server side)

Configuration :

server security context: Security Context B

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server: OSCORE verification fails (Decryption failed)
5	Check	Server serialize the response correctly, which is 4.00 Bad Request, with: Payload: Decryption failed (optional)
8	Verify	Server displays the sent packet

5.1.5. Identifier: TEST_14a

Objective : Perform a CON GET transaction with non matching Client Recipient - Server Sender Keys (Client side)

Configuration :

client security context: Security Context A, with:

Recipient Context:
- Recipient Key: modified key (arbitrarily set by the Client)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client: OSCORE verification fails (Decryption failed) response dropped, empty ACK sent back to the Server
6	Verify	Client displays the received packet

5.1.6. Identifier: TEST_14b

Objective : Perform a CON GET transaction with non matching Client Recipient - Server Sender Keys (Server side)

Configuration :

server security context: Security Context B

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-Path = /oscore/hello/1
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Content-Format = 0 (text/plain) Payload = "Hello World!"
8	Verify	Server displays the sent packet

5.2. Replay of a previously sent message

5.2.1. Identifier: TEST_15a

Objective : Perform a CON GET transaction using OSCORE, Content-Format and Uri-Path option, request replayed by the Client (Client side)

Configuration :

client security context: Security Context A

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 2.04 Changed Response with: Object-Security option Payload
5	Verify	Client decrypts the message: OSCORE verification succeeds
6	Check	Client parses the decrypted response and continues the CoAP processing; expected 2.05 Content Response with: Content-Format = 0 (text/plain) Payload = "Hello World!"
7	Verify	Client displays the received packet
8	Stimulus	The client is requested to reset its own sequence number to the value before executing step 1
9	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
10	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/1
11	Verify	Client displays the sent packet
12	Check	Client parses the response; expected: 4.01 Unauthorized, with: Payload: Replay detected
15	Verify	Client displays the received packet

5.2.2. Identifier: TEST_15b

Objective : Perform a CON GET transaction using OSCORE, Content-Format and Uri-Path option, request replayed by the Client (Client side)

Configuration :

server security context: Security Context B

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path = /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server decrypts the message: OSCORE verification succeeds
5	Check	Server parses the request and continues the CoAP processing; expected: CoAP GET request, including: Uri-Path : /oscore/hello/1
6	Verify	Server displays the received packet
7	Check	Server serialize the response correctly, which is: 2.04 Changed Response with: Object-Security option Payload: ciphertext including: Code: 2.05 Content Response Content-Format = 0 (text/plain) Payload = "Hello World!"
8	Verify	Server displays the sent packet
8	Stimulus	The client is requested to reset its own sequence number to the value before executing step 1
9	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/1
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option Payload
4	Verify	Server: OSCORE verification fails (Replay protection failed)
5	Check	Server serialize the response correctly, which is 4.01 Unauthorized, with: Payload: Replay protection failed (optional)
8	Verify	Server displays the sent packet

5.3. Accessing a non-OSCORE-protected resource with OSCORE

5.3.1. Identifier: TEST_16a

Objective : Perform a CON GET transaction using OSCORE to an OSCORE-unaware resource server, Content-Format and Uri-Path option (Client side)

Configuration :

client security context: Security Context A

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request protected with OSCORE, including: Object-Security option Uri-Path : /oscore/hello/coap
2	Check	Client serializes the request, which is a POST request, with: Object-Security option Payload: ciphertext including: Code: GET Uri-Path = /oscore/hello/coap
3	Verify	Client displays the sent packet
4	Check	Client parses the response; expected: 4.02 Bad Option with: (Optional) Payload
5	Verify	Client: OSCORE verification fails (expected OSCORE) response dropped, empty ACK sent back to the Server
6	Verify	Client displays the received packet

5.3.2. Identifier: TEST_16b

Objective : Perform a CON GET transaction using OSCORE to a non protected resource, Content-Format and Uri-Path option (Server side)

Configuration :

The server does not implement OSCORE.

server security context: None

server resources:

/oscore/hello/coap : authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Note: a 4.05 Method Not Allowed error response is also an acceptable outcome of this test. To avoid entering this case, it is recommended that the /oscore/hello/coap resource also supports the method PUT.

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request, including: Object-Security option Uri-Path : /oscore/hello/coap
2	Verify	Server displays the received packet
3	Check	Server parses the request; expected: 0.02 POST with: Object-Security option (unrecognized "critical" option) Payload
4	Check	Server serialize the response correctly, which is: 4.02 Bad Option with: (Optional) Payload
5	Verify	Server displays the sent packet

5.4. Accessing an OSCORE-protected resource without OSCORE

5.4.1. Identifier: TEST_17a

Objective : Perform a CON GET transaction to a protected resource, Content-Format and Uri-Path option (Client side)

Configuration :

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request, including: Uri-Path : /oscore/hello/1
2	Check	Client serializes the request, which is a GET request, with: Uri-Path : /oscore/hello/1
3	Verify	Client displays the sent packet
4	Check	Client parses the response and continues the CoAP processing; expected: 4.01 Unauthorized error response, with: Payload = diagnostic payload (optional)
5	Verify	Client displays the received packet

5.3.2. Identifier: TEST_17b

Objective : Perform a CON GET transaction to a protected resource, Content-Format and Uri-Path option (Server side)

Configuration :

server security context: Security Context B

server resources:

/oscore/hello/1 : protected resource, authorized method: GET, returns the string "Hello World!" with content-format 0 (text/plain)

Test Sequence

Step	Type	Description
1	Stimulus	The client is requested to send a CoAP GET request, including: Uri-Path : /oscore/hello/1
2	Check	Server parses the request; expected: 0.01 GET with: Uri-Path : /oscore/hello/1
3	Verify	Server displays the received packet
4	Check	Server serialize the response correctly, which is: 4.01 Unauthorized error response, with: Payload = diagnostic payload (optional)
5	Verify	Server displays the sent packet

Tests Specification for OSCORE

Table of Contents

1. Notes

2. Security Contexts and Resources

Security Context A: Client

Security Context B: Server

Security Context C: Client

Security Context D: Server

Resources

3. Set up the environment

3.1. Identifier: TEST_0a

3.2. Identifier: TEST_0b

4. Correct OSCORE use

4.1 GET Tests

4.1.1. Identifier: TEST_1a

4.1.2. Identifier: TEST_1b

4.1.3. Identifier: TEST_2a

4.1.4. Identifier: TEST_2b

4.1.5. Identifier: TEST_3a

4.1.6. Identifier: TEST_3b

4.1.7. Identifier: TEST_4a

4.1.8. Identifier: TEST_4b

4.1.9. Identifier: TEST_5a

4.1.10. Identifier: TEST_5b

4.1.11. Identifier: TEST_6a

4.1.12. Identifier: TEST_6b

4.1.13. Identifier: TEST_7a

4.1.14. Identifier: TEST_7b

4.2. POST Tests

4.2.1. Identifier: TEST_8a

4.2.2. Identifier: TEST_8b

4.3 PUT Tests

4.3.1. Identifier: TEST_9a

4.3.2. Identifier: TEST_9b

4.3.3. Identifier: TEST_10a

4.3.4. Identifier: TEST_10b

4.4. DELETE Tests

4.4.1. Identifier: TEST_11a

4.4.2. Identifier: TEST_11b

5. Incorrect OSCORE use

5.1. Security Context not matching

5.1.1. Identifier: TEST_12a

5.1.2. Identifier: TEST_12b

5.1.3. Identifier: TEST_13a

5.1.4. Identifier: TEST_13b

5.1.5. Identifier: TEST_14a

5.1.6. Identifier: TEST_14b

5.2. Replay of a previously sent message

5.2.1. Identifier: TEST_15a

5.2.2. Identifier: TEST_15b

5.3. Accessing a non-OSCORE-protected resource with OSCORE

5.3.1. Identifier: TEST_16a

5.3.2. Identifier: TEST_16b

5.4. Accessing an OSCORE-protected resource without OSCORE

5.4.1. Identifier: TEST_17a

5.3.2. Identifier: TEST_17b