View Issue Details

ID: 0008968
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2023-06-06 15:25
Reporter: Randy Armstrong
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Product Version: 1.04
Summary: 0008968: Part 4 §6.1.3 should indicate that the error reported by the server to the client is Bad_SecurityChecksFailed for all steps
Description

Part 4 (v1.04) table 106 contains several items where it is not indicated that Server shall report Bad_SecurityChecksFailed to the Client instead of the detailed status.

But it should be the case, due to additional information provided by Part 2 and Part 6.

Indeed, Part 2 §6.3 indicates:
"Error codes can be used as an attack vector, thus their uses should be limited as described in Part 4.
Part 4 describes that a single generic error is returned before and during the establishment of a secure channel.
Once the secure channel has been established then appropriate specific error codes are returned."

Thus no specific error code should be returned prior to secure channel establishment and then for the certificate validation steps during establishment.

In addition, in Part 6 §6.7.6 it is indicated:
"If decryption or signature validation fails, then a Bad_SecurityChecksFailed error is reported.
[...]
At this point the SecureChannel knows it is dealing with an authenticated Message that was not tampered with or resent.
This means the SecureChannel can return secured error responses if any further problems are encountered."

This section only indicates reporting Bad_SecurityChecksFailed error code and that secured error responses can only be sent after establishment.

In my opinion, Part 4 §6.1.3 should be modified to indicate that the server shall only report SecurityChecksFailed to the client, for every step where it is missing.

In addition, the following sentence might be modified to reflect that the server does not return the error status to the client but should log it:
"Each validation step has a unique error status and audit event type that shall be reported if the check fails."

And we might want to add the sentence of Part 2 in an appropriate section of Part 4, maybe the Secure Channel service section (§5.5.1)?
"A single generic error [Bad_SecurityChecksFailed] is returned before and during the establishment of a secure channel.
Once the secure channel has been established then appropriate specific error codes are returned."

Moreover, UACTT certificate validation tests should check for the Bad_SecurityChecksFailed error, might display a warning if a specific error code is reported to the client, and specific error codes might be checked manually in logs.

Note: this subject was originally discussed in the OPC Foundation forum, leading to the same conclusion on the expected behavior of the Server:
https://opcfoundation.org/forum/opc-ua-standard/error-codes-management-during-the-establishment-of-a-secure-channel/

Steps To Reproduce

The text for Revocation Check needs to be removed from Part 4:
"If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client."
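The behaviour the description argues for, as an added example that is not part of this issue, of the OPC UA specification text, or of any OPC UA stack: a small Python model of a server's certificate validation that keeps the step-specific status code and audit event type for the server's own log and returns only Bad_SecurityChecksFailed to the client while the SecureChannel is still being established, switching to the specific status once the channel is up. The function names, the toy certificate dictionary and the three-step subset are my own; the numeric status code values and the audit event type names are written down from the published OPC UA StatusCode and Part 5 tables as I recall them and are assumptions to be checked against your stack.

```python
"""Added example: which certificate-validation status the client is allowed to see.

Rule applied (from the Part 2 §6.3 / Part 6 §6.7.6 text quoted in the issue):
one generic error before and during SecureChannel establishment, the specific
error only afterwards; the specific status is always logged/audited server-side.
"""
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("opcua.server.certvalidation")  # hypothetical logger name

# Numeric values as listed in the published OPC UA StatusCode table (assumption:
# confirm against the status code list shipped with your stack).
GOOD = 0x00000000
BAD_SECURITY_CHECKS_FAILED = 0x80130000
BAD_CERTIFICATE_TIME_INVALID = 0x80140000
BAD_CERTIFICATE_UNTRUSTED = 0x801A0000
BAD_CERTIFICATE_REVOKED = 0x801D0000

# Subset of the Part 4 §6.1.3 validation steps, in order, each paired with its
# detailed status and Part 5 audit event type (names as recalled; assumption).
VALIDATION_STEPS: List[Tuple[str, int, str]] = [
    ("Validity Period", BAD_CERTIFICATE_TIME_INVALID, "AuditCertificateExpiredEventType"),
    ("Trust List Check", BAD_CERTIFICATE_UNTRUSTED, "AuditCertificateUntrustedEventType"),
    ("Revocation Check", BAD_CERTIFICATE_REVOKED, "AuditCertificateRevokedEventType"),
]


@dataclass
class AuditRecord:
    """What the server keeps for itself: the failing step and its detailed status."""
    step: str
    status: int
    audit_event: str


@dataclass
class Outcome:
    client_status: int            # the status code that goes on the wire
    audit: Optional[AuditRecord]  # None when validation succeeded


def run_validation_steps(cert: Dict[str, bool]) -> Optional[AuditRecord]:
    """Toy validator over a constructed certificate description.

    `cert` is a constructed dict of booleans (expired / trusted / revoked) that
    stands in for the real X.509 checks; the first failing step wins, as in the
    ordered table in Part 4 §6.1.3.
    """
    passed = {
        "Validity Period": not cert.get("expired", False),
        "Trust List Check": cert.get("trusted", False),
        "Revocation Check": not cert.get("revoked", False),
    }
    for step, status, audit_event in VALIDATION_STEPS:
        if not passed[step]:
            return AuditRecord(step, status, audit_event)
    return None


def validate_for_client(cert: Dict[str, bool], channel_established: bool) -> Outcome:
    """Run validation and decide which status the client is allowed to see."""
    record = run_validation_steps(cert)
    if record is None:
        return Outcome(GOOD, None)
    # The detailed status and audit event type always go to the server log/audit.
    log.warning("certificate validation failed at '%s': 0x%08X (%s)",
                record.step, record.status, record.audit_event)
    if channel_established:
        # Secured error responses are allowed once the channel is up.
        return Outcome(record.status, record)
    # Before/during OpenSecureChannel: a single generic error, no detail leaks.
    return Outcome(BAD_SECURITY_CHECKS_FAILED, record)


if __name__ == "__main__":
    # Constructed sample: a trusted but revoked certificate presented during
    # OpenSecureChannel, then again over an already-established channel.
    revoked = {"trusted": True, "revoked": True}
    print(hex(validate_for_client(revoked, channel_established=False).client_status))
    print(hex(validate_for_client(revoked, channel_established=True).client_status))
```

The split between `client_status` and `audit` is the point: a conformance test run against the wire (as the UACTT does) can only assert Bad_SecurityChecksFailed during establishment, and the specific code has to be checked in the server's log, which is exactly the manual log check the description proposes.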

Tags: No tags attached.
Commit Version:
Fix Due Date:

Relationships

related to 0008938 (closed, Paul Hunkar) 10000-002: Security: Part 4 §6.1.3 should indicate that the error reported by the server to the client is Bad_SecurityChecksFailed for all steps
related to 0008977 (closed, Alexander Allmendinger) CTT UA Scripts: Security certificate validation 038: expects Bad_SecurityChecksFailed whereas Bad_CertificateRevoked is actually expected

Activities

V. Monfort (reporter), 2023-05-22 10:05, note ~0019425

This issue was created from 0008938, but it only concerns the following comment: https://mantis.opcfoundation.org/view.php?id=8938#c19370

Note: for the "Revocation Check" step it is mentioned that Bad_SecurityChecksFailed shall be reported by the Server in the Description but the error code is not present in the Error/AuditEvent column.

As discussed during the Security WG meeting the text mentioning Bad_SecurityChecksFailed needs to be removed from Revocation Check description.
Maybe the title / description of this issue should be modified to reflect that, only the "steps to reproduce" part contains the issue information for now.

Another consequence is that UACTT security certificate validation test 038 expects Bad_SecurityChecksFailed whereas Bad_CertificateRevoked is actually expected.
I created the following associated issue for the UACTT script: 0008977

Jim Luth (administrator), 2023-06-06 15:25, note ~0019470

Security sub-group decided no change in Part 4 required.

Issue History

Date Modified Username Field Change
2023-05-17 15:18 Randy Armstrong New Issue
2023-05-17 15:18 Randy Armstrong Status new => assigned
2023-05-17 15:18 Randy Armstrong Assigned To => Randy Armstrong
2023-05-17 15:18 Randy Armstrong Issue generated from: 0008938
2023-05-17 15:18 Randy Armstrong Status assigned => new
2023-05-17 15:18 Randy Armstrong Project 10000-002: Security => 10000-004: Services
2023-05-22 10:05 V. Monfort Note Added: 0019425
2023-05-26 14:54 Paul Hunkar Relationship added related to 0008977
2023-06-06 15:24 Jim Luth Relationship added related to 0008938
2023-06-06 15:25 Jim Luth Note Added: 0019470
2023-06-06 15:25 Jim Luth Status new => closed
2023-06-06 15:25 Jim Luth Resolution open => no change required