View Issue Details

ID: 0004703
Project: CTT UA Scripts
Category: 1 - Script Issue
View Status: public
Last Update: 2022-09-02 14:46
Reporter: Bernd Edlinger
Assigned To: Alexander Allmendinger
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Summary: 0004703: inconsistency Security Certificate Validation/002.js vs. 042.js/043.js
Description

One test expects the server to return BadCertificateIssuerRevocationUnknown, the other wants BadCertificateRevocationUnknown, but the best our server can do is return BadCertificateIssuerRevocationUnknown, because without the necessary revocation lists it is impossible to build (and validate!) the full certificate chain in the first place.
Therefore this tells something about the configuration of the PKI store, which is not supposed to happen.

002.js "Connect using a client certificate signed by a CA trusted by the server where there is no revocation list available."
Error: OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: Good (0x00000000) or BadCertificateIssuerRevocationUnknown (0x801c0000)

042.js/043.js "Connect using an (untrusted) issued certificate of a CA that has no revocation list available."
Error: OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: Good (0x00000000); Would accept: BadCertificateRevocationUnknown (0x801b0000)
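
The two failure messages above can be compared mechanically. The following is an added example, not part of the original report or of the CTT scripts: it parses the messages quoted in the description and computes which status codes both scripts would accept. The function names `codesIn`, `parseFailure` and `acceptedByAll` are hypothetical, and the sample strings are constructed from the quoted messages.

```javascript
// Constructed sample: the two failure messages quoted in the issue description.
// "042.js" stands for 042.js/043.js, which share one message.
const SAMPLE = {
  "002.js": "Error: OpenSecureChannel.Response is not good; received " +
    "'BadSecurityChecksFailed (0x80130000)'. Expected: Good (0x00000000) or " +
    "BadCertificateIssuerRevocationUnknown\n(0x801c0000)", // wrapped as in the log
  "042.js": "Error: OpenSecureChannel.Response is not good; received " +
    "'BadSecurityChecksFailed (0x80130000)'. Expected: Good (0x00000000); Would\n" +
    "accept: BadCertificateRevocationUnknown (0x801b0000)",
};

// Every "Name (0xNNNNNNNN)" pair in a fragment; \s* tolerates a wrapped line.
function codesIn(text) {
  const re = /([A-Za-z_]+)\s*\((0x[0-9a-fA-F]{8})\)/g;
  return [...text.matchAll(re)].map((m) => ({ name: m[1], code: parseInt(m[2], 16) }));
}

// Split one failure message into the received status and the accepted set.
function parseFailure(message) {
  const m = /received\s+'([^']*)'\.\s*([\s\S]*)$/.exec(message);
  if (!m) throw new Error("unrecognised failure message");
  const [received] = codesIn(m[1]);
  const accepted = codesIn(m[2]);
  if (!received || accepted.length === 0) throw new Error("no status codes found");
  return { received, accepted, pass: accepted.some((a) => a.code === received.code) };
}

// Status names that every script in the map would accept.
function acceptedByAll(messages) {
  const sets = Object.values(messages).map((msg) => parseFailure(msg).accepted.map((a) => a.name));
  return sets.reduce((common, s) => common.filter((name) => s.includes(name)));
}

for (const [script, msg] of Object.entries(SAMPLE)) {
  const r = parseFailure(msg);
  console.log(script, "received", r.received.name, "accepts", r.accepted.map((a) => a.name).join(", "));
}
console.log("accepted by all scripts:", acceptedByAll(SAMPLE).join(", "));
```

For these two messages the only status accepted by both scripts is Good, so a server that reports the same revocation-unknown code in both scenarios fails one of them.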

Tags: No tags attached.
Files Affected

Relationships

related to 0004704 closedMatthias Damm 10000-004: Services Certificate validation Steps - revocation lists 

Activities

Paul Hunkar

2019-03-29 15:16

administrator   ~0010080

Added a separate mantis issue to clarify what is expected with regards to revocation lists. Based on the return of that mantis issue, "Bad_SecurityChecksFailed" might be added for both cases. Currently this is not listed in the spec. There is a difference between 2 and 42/43 in that there is an issuer certificate, thus the error being returned does change. We are also asking for clarification as to what happens if the instance certificate is explicitly trusted, which might also change what can be returned.

Alexander Allmendinger

2022-09-02 14:46

developer   ~0017490

Currently there is no Errata pushing this back to 1.04 nor 1.03. Therefore, this will only be fixed in the 1.05 version of the scripts.
Paul will double check with the UA Working Group whether this needs to be pushed back in an Errata too.

Issue History

Date Modified Username Field Change
2019-03-29 08:31 Bernd Edlinger New Issue
2019-03-29 14:43 Paul Hunkar Relationship added related to 0004704
2019-03-29 15:16 Paul Hunkar Note Added: 0010080
2019-03-29 15:16 Paul Hunkar Status new => acknowledged
2020-05-21 05:38 Paul Hunkar Assigned To => Alexander Allmendinger
2020-05-21 05:38 Paul Hunkar Status acknowledged => assigned
2022-08-02 20:04 Paul Hunkar Project Compliance Test Tool (CTT) Unified Architecture => CTT UA Scripts
2022-09-02 14:46 Alexander Allmendinger Note Added: 0017490