View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009123 | CTT UA Binary | 8 - Package | public | 2023-08-23 10:53 | 2023-10-13 15:47 |
| Reporter | Matti Siponen | Assigned To | Yannik Klaass | ||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 1.11.0.408 | ||||
| Summary | 0009123: Potential errors in userTokenSignatures | ||||
| Description | Tested with version OPC UA 1.04 Compliance Test Tool V1.04.11-01.00.503. When attempting to activate a Session with a user certificate trusted by the Server (tested with the SampleConsoleServer sample application bundled with the Prosys OPC UA SDK for Java) in Security User X509 001.js, the test fails with a Service Fault containing StatusCode Bad_IdentityTokenRejected. According to the Server, verifying the userTokenSignature has failed. The failing CTT test is using the ctt_usrT.der certificate file. When I use this certificate and its private key as the user certificate in Prosys OPC UA Browser, activating the Session succeeds without any errors. I attached excerpts from Wireshark that demonstrate the CTT failing to activate the Session and the Browser succeeding in activating the Session using the same user certificate. The algorithms for the Client and UserToken Signatures are the same in the CTT and the Browser. | ||||
| Tags | No tags attached. | ||||
| Attached Files | User Cert Error.txt (8,807 bytes) | ||||

Contents of User Cert Error.txt:
CTT
ActivateSessionRequest
RequestHeader: RequestHeader
AuthenticationToken: NodeId
.... 0101 = EncodingMask: Opaque (0x5)
Namespace Index: 0
Identifier ByteString: ffc0ca7cabd0791ca7e62d2a21ee2b0c1241a908a12b92a338bea794586235a9
Timestamp: Aug 21, 2023 11:48:36.750974900 FLE Daylight Time
RequestHandle: 2
Return Diagnostics: 0x00000000
.... .... .... ...0 = ServiceLevel / SymbolicId: False
.... .... .... ..0. = ServiceLevel / LocalizedText: False
.... .... .... .0.. = ServiceLevel / AdditionalInfo: False
.... .... .... 0... = ServiceLevel / Inner StatusCode: False
.... .... ...0 .... = ServiceLevel / Inner Diagnostics: False
.... .... ..0. .... = OperationLevel / SymbolicId: False
.... .... .0.. .... = OperationLevel / LocalizedText: False
.... .... 0... .... = OperationLevel / AdditionalInfo: False
.... ...0 .... .... = OperationLevel / Inner StatusCode: False
.... ..0. .... .... = OperationLevel / Inner Diagnostics: False
AuditEntryId: 2023-08-21T08:48:36.750Z918391
TimeoutHint: 20000
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
.... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. .... = has server index: False
0... .... = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
.... ...0 = has binary body: False
.... ..0. = has xml body: False
ClientSignature: SignatureData
Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature: 0a0b1fc1ec26b9aec63398ce072bcd0bae60102400f2355b22f0cf390ac1251f75ca6d58…
ClientSoftwareCertificates: Array of SignedSoftwareCertificate
ArraySize: -1
LocaleIds: Array of String
ArraySize: 1
[0]: LocaleIds: en
UserIdentityToken: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x01, EncodingMask: Four byte encoded Numeric
.... 0001 = EncodingMask: Four byte encoded Numeric (0x1)
.0.. .... = has server index: False
0... .... = has namespace uri: False
Namespace Index: 0
Identifier Numeric: 327
EncodingMask: 0x01, has binary body
.... ...1 = has binary body: True
.... ..0. = has xml body: False
X509IdentityToken: X509IdentityToken
PolicyId: certificate_basic128
CertificateData: 3082046030820348a003020102021100fc8a1e216c5a6fd25ec1c9aeb659c361300d0609…
UserTokenSignature: SignatureData
Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Signature: 85e7790437f253a2edb8c2ae17849b7216506a198f056bbf3b716daa42ec8c2099e6af75…
ServiceFault
ResponseHeader: ResponseHeader
Timestamp: Aug 21, 2023 11:48:36.752000000 FLE Daylight Time
RequestHandle: 2
ServiceResult: 0x80210000 [BadIdentityTokenRejected]
ServiceDiagnostics: DiagnosticInfo
EncodingMask: 0x00
.... ...0 = has symbolic id: False
.... ..0. = has namespace: False
.... .0.. = has localizedtext: False
.... 0... = has locale: False
...0 .... = has additional info: False
..0. .... = has inner statuscode: False
.0.. .... = has inner diagnostic info: False
StringTable: Array of String
ArraySize: -1
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
.... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. .... = has server index: False
0... .... = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
.... ...0 = has binary body: False
.... ..0. = has xml body: False
BROWSER
ActivateSessionRequest
RequestHeader: RequestHeader
AuthenticationToken: NodeId
.... 0101 = EncodingMask: Opaque (0x5)
Namespace Index: 0
Identifier ByteString: 99e203dcb29fbea7dfcb9ba3d3b0f712300339a051b452830a7a098f134c5c7e
Timestamp: Aug 21, 2023 13:47:48.114000000 FLE Daylight Time
RequestHandle: 0
Return Diagnostics: 0x00000000
.... .... .... ...0 = ServiceLevel / SymbolicId: False
.... .... .... ..0. = ServiceLevel / LocalizedText: False
.... .... .... .0.. = ServiceLevel / AdditionalInfo: False
.... .... .... 0... = ServiceLevel / Inner StatusCode: False
.... .... ...0 .... = ServiceLevel / Inner Diagnostics: False
.... .... ..0. .... = OperationLevel / SymbolicId: False
.... .... .0.. .... = OperationLevel / LocalizedText: False
.... .... 0... .... = OperationLevel / AdditionalInfo: False
.... ...0 .... .... = OperationLevel / Inner StatusCode: False
.... ..0. .... .... = OperationLevel / Inner Diagnostics: False
AuditEntryId: [OpcUa Null String]
TimeoutHint: 0
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
.... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. .... = has server index: False
0... .... = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
.... ...0 = has binary body: False
.... ..0. = has xml body: False
ClientSignature: SignatureData
Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Signature: 2fdb0b9a2975dbb781ff2f97560a28cea7dc0d0e3ed4eea8f1d0a39c6d1875fc549ff77b…
ClientSoftwareCertificates: Array of SignedSoftwareCertificate
ArraySize: 0
LocaleIds: Array of String
ArraySize: 1
[0]: LocaleIds: en-US
UserIdentityToken: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x01, EncodingMask: Four byte encoded Numeric
.... 0001 = EncodingMask: Four byte encoded Numeric (0x1)
.0.. .... = has server index: False
0... .... = has namespace uri: False
Namespace Index: 0
Identifier Numeric: 327
EncodingMask: 0x01, has binary body
.... ...1 = has binary body: True
.... ..0. = has xml body: False
X509IdentityToken: X509IdentityToken
PolicyId: certificate_basic128
CertificateData: 3082046030820348a003020102021100fc8a1e216c5a6fd25ec1c9aeb659c361300d0609…
UserTokenSignature: SignatureData
Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Signature: 1b59f212119bbab377df4c42b0530e4e6baf7c7411003cce059e06a2d21e77604b30a0c8…
ActivateSessionResponse
ResponseHeader: ResponseHeader
Timestamp: Aug 21, 2023 13:47:48.140000000 FLE Daylight Time
RequestHandle: 0
ServiceResult: 0x00000000 [Good]
ServiceDiagnostics: DiagnosticInfo
EncodingMask: 0x00
.... ...0 = has symbolic id: False
.... ..0. = has namespace: False
.... .0.. = has localizedtext: False
.... 0... = has locale: False
...0 .... = has additional info: False
..0. .... = has inner statuscode: False
.0.. .... = has inner diagnostic info: False
StringTable: Array of String
ArraySize: -1
AdditionalHeader: ExtensionObject
TypeId: ExpandedNodeId
EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
.... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
.0.. .... = has server index: False
0... .... = has namespace uri: False
Identifier Numeric: 0
EncodingMask: 0x00
.... ...0 = has binary body: False
.... ..0. = has xml body: False
ServerNonce: 7ac64c5bcf6158102176ebd3ec83eb4de12203d24c5551cd600b7608d19fc718
Results: Array of StatusCode
ArraySize: -1
DiagnosticInfos: Array of DiagnosticInfo
ArraySize: -1

| Files Affected | | ||||

| Note | Author | Date | Text |
|---|---|---|---|
| 0019977 | Yannik Klaass | 2023-09-11 13:55 | Adding code to CttCryptoProviderPrivate::asymmetricSign to initialize and resize pSignature to have the expected size of the expected signature, before signing |
| 0020183 | Paul Hunkar | 2023-10-13 15:47 | agreed to changes and closed issue |

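
The following is an added example, not code from the CTT, from Prosys, or from the attached capture, showing what the UserTokenSignature in both ActivateSessionRequests above covers and why an output buffer that was never sized (the defect the fix note describes for pSignature) earns the BadIdentityTokenRejected the CTT received. For an X509IdentityToken the client signs serverCertificate followed by serverNonce with the user certificate's private key, using the asymmetric signature algorithm of the user token policy; the xmldsig#rsa-sha1 URI in both captures is Basic128Rsa15's RSA PKCS#1 v1.5 with SHA-1. Everything concrete here is constructed: the RSA key (textbook RSA generated from a fixed seed instead of ctt_usrT.der), the server certificate bytes, the ServerNonce, and the buffer_len parameter that stands in for a caller-sized signature buffer.

```python
# Added example (not CTT, Prosys or Wireshark code): build and check the
# UserTokenSignature of an OPC UA X509IdentityToken with a constructed key.
import hashlib
import random

RSA_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # Basic128Rsa15, as captured
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017, 9.2 note 1
# Constructed stand-ins for the server's DER certificate and 32-byte ServerNonce.
SERVER_CERTIFICATE = bytes.fromhex("3082046030820348a003020102") + bytes(64)
SERVER_NONCE = bytes(range(32))


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin on an odd candidate; sufficient for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:  # top two bits set, so p*q has exactly 2*bits bits
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(c, rng):
            return c


def generate_rsa_key(bits=1024, seed=9123):
    """Deterministic constructed key (n, e, d); never use such a key for real."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return n, e, pow(e, -1, phi)


def _emsa_pkcs1_v15_sha1(message, em_len):
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-1")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sha1_sign(n, d, message):
    k = (n.bit_length() + 7) // 8  # a signature is always the modulus length
    em = _emsa_pkcs1_v15_sha1(message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_sha1_verify(n, e, message, signature):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:  # a truncated or over-long buffer can never verify
        return False
    m = pow(int.from_bytes(signature, "big"), e, n)
    return m.to_bytes(k, "big") == _emsa_pkcs1_v15_sha1(message, k)


def user_token_signature(n, d, server_certificate, server_nonce, buffer_len=None):
    """Client side: sign serverCertificate || serverNonce with the user's key."""
    sig = rsa_sha1_sign(n, d, server_certificate + server_nonce)
    if buffer_len is not None:  # assumption: mimics a pre-sized output buffer
        out, head = bytearray(buffer_len), sig[:buffer_len]
        out[:len(head)] = head  # stand-in for an un-resized pSignature
        sig = bytes(out)
    return {"Algorithm": RSA_SHA1_URI, "Signature": sig}


def server_check_user_token(n, e, server_certificate, server_nonce, signature_data):
    """Server side of ActivateSession; returns the StatusCode name."""
    if signature_data.get("Algorithm") != RSA_SHA1_URI:
        return "BadIdentityTokenRejected"
    ok = rsa_sha1_verify(n, e, server_certificate + server_nonce, signature_data["Signature"])
    return "Good" if ok else "BadIdentityTokenRejected"


def demo():
    n, e, d = generate_rsa_key()
    sized = user_token_signature(n, d, SERVER_CERTIFICATE, SERVER_NONCE)
    unsized = user_token_signature(n, d, SERVER_CERTIFICATE, SERVER_NONCE, buffer_len=0)
    check = lambda nonce, sd: server_check_user_token(n, e, SERVER_CERTIFICATE, nonce, sd)
    return {
        "signature_bytes": len(sized["Signature"]),
        "sized": check(SERVER_NONCE, sized),
        "unsized": check(SERVER_NONCE, unsized),
        "stale_nonce": check(bytes(32), sized),  # replayed against another nonce
    }
```

Calling demo() yields a 128-byte signature that the server accepts, a zero-length one that is rejected, and a rejection for the same good signature checked against a different ServerNonce. The length check at the top of rsa_sha1_verify is the server-side reason an unsized buffer fails before any RSA arithmetic runs, and the stale-nonce case shows why the signature binds the user token to this session rather than being reusable from an earlier capture.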
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2023-08-23 10:53 | Matti Siponen | New Issue | |
| 2023-08-23 10:53 | Matti Siponen | File Added: User Cert Error.txt | |
| 2023-09-01 14:52 | Paul Hunkar | Assigned To | => Alexander Allmendinger |
| 2023-09-01 14:52 | Paul Hunkar | Status | new => assigned |
| 2023-09-11 13:52 | Yannik Klaass | Files Affected | => /src/scriptengine/BaseSdk/uapkiprivatekeyclass.cpp, /src/scriptengine/uapki/uacryptoproviderclass.cpp |
| 2023-09-11 13:54 | Yannik Klaass | Files Affected | /src/scriptengine/BaseSdk/uapkiprivatekeyclass.cpp, /src/scriptengine/uapki/uacryptoproviderclass.cpp => |
| 2023-09-11 13:55 | Yannik Klaass | Assigned To | Alexander Allmendinger => Yannik Klaass |
| 2023-09-11 13:55 | Yannik Klaass | Status | assigned => resolved |
| 2023-09-11 13:55 | Yannik Klaass | Resolution | open => fixed |
| 2023-09-11 13:55 | Yannik Klaass | Note Added: 0019977 | |
| 2023-10-13 15:46 | Paul Hunkar | Project | Compliance Test Tool (CTT) Unified Architecture => CTT UA Binary |
| 2023-10-13 15:46 | Paul Hunkar | Category | 1 - Script Issue => 8 - Package |
| 2023-10-13 15:47 | Paul Hunkar | Status | resolved => closed |
| 2023-10-13 15:47 | Paul Hunkar | Fixed in Version | => 1.11.0.408 |
| 2023-10-13 15:47 | Paul Hunkar | Note Added: 0020183 | |