View Issue Details

ID: 0008362
Project: CTT UA Package
Category: 5 - General Problem
View Status: public
Last Update: 2023-02-21 05:10
Reporter: Adrian Scholl
Assigned To: Alexander Allmendinger
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: 10
OS Version: 21H2
Fixed in Version: 1.03.09-01.00.502
Summary: 0008362: Self signed CTT certificates do not meet specified requirements
Description

The self-signed certificates of the CTT (e.g. ctt_AppT.der) are configured to have CA:TRUE and pathlength=-1 (no restriction). Additionally, the ca_sign key usage is set. This results in completely valid CA certificates which are not allowed by servers following the latest specification (1.05 Part6). This requires that either CA:FALSE is set for ApplicationInstance certificates, or for backward compatibility the verification shall accept CA:TRUE with pathlength=0. None of these requirements is met by the CTT. As a result, the test cases Security/Security Certificate Validation/029 and 048-052 cannot be passed with a specification-compliant implementation of the checks.

Steps To Reproduce

Generate the certificates using create_ctt_pki.bat
Check that the self-signed certificates contain either CA:FALSE or CA:TRUE and pathlength=0

Tags: No tags attached.
Files Affected

Activities

Alexander Allmendinger

2023-02-09 11:43

developer   ~0018691

Changing general setting to set the critical flag for basicConstraints and keyUsage for CA certificates.
Changing CA flag to FALSE for self-signed certificates.
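
The check named in Steps To Reproduce, as an added example that is not part of the issue or of the CTT code base: a standard-library Python reader for the basicConstraints extension that applies the rule quoted in the description and also reports the critical flag mentioned in the note above. The function names, the constructed sample bytes and the choice to flag a missing extension are assumptions of this example.

```python
BC_OID = bytes.fromhex("551d13")  # basicConstraints, OID 2.5.29.19 (added example)

def tlvs(buf):
    """Yield (tag, value) for each definite-length DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def basic_constraints(der):
    """Return (critical, ca, path_len), or None if the extension is absent."""
    for tag, val in tlvs(der):
        if not tag & 0x20:                      # primitive element, nothing inside
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and kids and kids[0] == (0x06, BC_OID):
            critical = any(t == 0x01 and v != b"\x00" for t, v in kids[1:])
            octets = next(v for t, v in kids if t == 0x04)    # extnValue
            (_, seq), = tlvs(octets)            # BasicConstraints SEQUENCE
            ca, path_len = False, None          # cA defaults to FALSE, pathLen optional
            for t, v in tlvs(seq):
                if t == 0x01:
                    ca = v != b"\x00"
                elif t == 0x02:
                    path_len = int.from_bytes(v, "big")
            return critical, ca, path_len
        found = basic_constraints(val)
        if found is not None:
            return found
    return None

def meets_issue_rule(der):
    """CA:FALSE, or CA:TRUE with pathlength=0, as the issue description states."""
    bc = basic_constraints(der)
    # assumption of this example: an absent extension is flagged, not accepted
    return bc is not None and (not bc[1] or bc[2] == 0)

def enc(tag, val):                              # short-form encoder for the samples
    return bytes([tag, len(val)]) + val

def sample(ca, path_len=None, critical=True):
    """Constructed stand-in for a certificate's [3] extensions, not a real CTT file."""
    body = (enc(1, b"\xff") if ca else b"") + (b"" if path_len is None else enc(2, bytes([path_len])))
    ext = enc(6, BC_OID) + (enc(1, b"\xff") if critical else b"") + enc(4, enc(0x30, body))
    return enc(0x30, enc(0xA3, enc(0x30, enc(0x30, ext))))
```

To check a generated file, pass its bytes to `meets_issue_rule`, for example the contents of ctt_AppT.der read in binary mode.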

Issue History

Date Modified Username Field Change
2022-09-28 07:20 Adrian Scholl New Issue
2022-10-06 20:46 Paul Hunkar Assigned To => Alexander Allmendinger
2022-10-06 20:46 Paul Hunkar Status new => assigned
2023-02-09 11:43 Alexander Allmendinger Status assigned => resolved
2023-02-09 11:43 Alexander Allmendinger Resolution open => fixed
2023-02-09 11:43 Alexander Allmendinger Note Added: 0018691
2023-02-18 16:31 Paul Hunkar Project Compliance Test Tool (CTT) Unified Architecture => CTT UA Package
2023-02-21 05:10 Paul Hunkar Status resolved => closed
2023-02-21 05:10 Paul Hunkar Fixed in Version => 1.03.09-01.00.502