View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0010250CTT UA Scripts1 - Script Issuepublic2025-03-21 14:272025-06-03 02:23
ReporterFranck ETIENNE Assigned ToSebastian Allmendinger  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
PlatformLinuxOSRedHatOS Version8.7
Fixed in Version1.04.509 
Summary0010250: Authentication Issue with Certificates – BadIdentityTokenRejected
Description

I am facing an issue with certificate-based authentication.
The connection fails with a BadIdentityTokenRejected error, even though the same certificates work fine with UAExpert.
After analyzing the traffic with Wireshark, I noticed that the certificate is sent without being signed.
I also found that the certificate.js file is missing, and I am wondering if this could be related.

Steps To Reproduce

Connect to OPCUA server in mode 2 sign and encrypt basic256sha256.
select certificate for UserAuthenticationPolicy

Additional Information

Version of UACTT tool : V1.04.11-01.00.508-x86_64

TagsNo tags attached.
Attached Files
image.png (129,956 bytes)   
image.png (129,956 bytes)   
image-2.png (77,593 bytes)   
image-2.png (77,593 bytes)   
ServerSide.png (420,563 bytes)
Files Affected

/library/ServiceBased/SessionServiceSet/ActivateSession.js

Relationships

has duplicate 0010255 closedPaul Hunkar CTT UA Binary Conformance unit "Security Basic 256sha256" test 002.js in "Security basic 256sha256" return error 

Activities

Paul Hunkar

2025-03-21 16:01

administrator   ~0022554

This is not about creating a secure channel (sign and encrypt ) it is about User authentication. It appear that what is being reported is a problem with Authenticating a User using the X.509 certificate - most application use username/Password.

Franck ETIENNE

2025-03-21 16:22

reporter   ~0022555

Our OPCUA server is for a specific client where authentication by usr/passwd is forbidden.
Our OPCUA server refuse authentication with usr/passwd.
Do we need to open authentication with usr/passwd ?

Paul Hunkar

2025-03-25 14:41

administrator   ~0022564

User Authentication can be accomplished by using Username/password, X509 certificates, or tokens (OAuth2 - JWT). The CTT currently tests User Authentication for Username/Password and for X509, it does not yet test for oAuth2/JWT. this still needs to be added and will be added under a different mantis issue. The tests for Username/Password and X509 work correctly and have not issues. This issue is about a Server that requires User Authentication when running. A number of test (not security related) do not work for using X509 user certificates for all connection to the Server.

A work around is to use UsernamePassword or Anonymous

Sebastian Allmendinger

2025-04-01 12:40

developer   ~0022584

The issue has been identified in the library script for activating a session.
If the Signature is not created directly in the test scripts (like it is done in the test cases that tests X509-Certificate-UserToken), the CTT always sent an empty Signature.

The creation of the Signature has been added to the library script, to ensure that a new Signature is created, if no Signature has been passed in.

Paul Hunkar

2025-06-03 02:23

administrator   ~0022887

after off-line code reviews all agreed to change, issue closed

Issue History

Date Modified Username Field Change
2025-03-21 14:27 Franck ETIENNE New Issue
2025-03-21 14:27 Franck ETIENNE File Added: image.png
2025-03-21 14:27 Franck ETIENNE File Added: image-2.png
2025-03-21 14:27 Franck ETIENNE File Added: ServerSide.png
2025-03-21 16:01 Paul Hunkar Note Added: 0022554
2025-03-21 16:22 Franck ETIENNE Note Added: 0022555
2025-03-25 14:33 Paul Hunkar Steps to Reproduce Updated
2025-03-25 14:41 Paul Hunkar Note Added: 0022564
2025-03-27 01:59 Paul Hunkar Assigned To => Alexander Allmendinger
2025-03-27 01:59 Paul Hunkar Status new => assigned
2025-03-27 02:02 Paul Hunkar Relationship added has duplicate 0010255
2025-04-01 12:31 Sebastian Allmendinger Files Affected => /library/ServiceBased/SessionServiceSet/ActivateSession.js
2025-04-01 12:40 Sebastian Allmendinger Assigned To Alexander Allmendinger => Sebastian Allmendinger
2025-04-01 12:40 Sebastian Allmendinger Status assigned => resolved
2025-04-01 12:40 Sebastian Allmendinger Resolution open => fixed
2025-04-01 12:40 Sebastian Allmendinger Note Added: 0022584
2025-06-02 13:08 Paul Hunkar Project CTT UA Binary => CTT UA Scripts
2025-06-03 02:23 Paul Hunkar Status resolved => closed
2025-06-03 02:23 Paul Hunkar Fixed in Version => 1.04.509
2025-06-03 02:23 Paul Hunkar Note Added: 0022887