View Issue Details

IDProjectCategoryView StatusLast Update
000253410000-004: Servicespublic2013-12-10 17:17
ReporterJim Luth Assigned ToMatthias Damm  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Fixed in Version1.02 
Summary0002534: Security Validation Tests expect wrong error codes.
Description

Part 6 Section 6.7.6 Verifying Message Security lays out the requirements for these test cases. Specifically it says that Bad_SecurityChecksFailed is the only error that returned until security validation is complete. Security validation includes all checks on the certificate provided by the client.

It also says that applications must log the real error, however, checking the application log requires a lab test and cannot be done with the CTT.

Additional Information

After the security validation is complete the receiver shall verify the RequestId and the SequenceNumber. If these checks fail a Bad_SecurityChecksFailed error is reported. The RequestId only needs to be verified by the Client since only the Client knows if it is valid or not.
Text from spec:

At this point the SecureChannel knows it is dealing with an authenticated Message that was not tampered with or resent. This means the SecureChannel can return secured error responses if any further problems are encountered.

Stacks that implement UASC shall have a mechanism to log errors when invalid Messages are discarded. This mechanism is intended for developers, systems integrators and administrators to debug network system configuration issues and to detect attacks on the network.

TagsNo tags attached.
Commit Version
Fix Due Date

Relationships

related to 0002504 closedRandy Armstrong 10000-006: Mappings Security Validation Tests expect wrong error codes. 

Activities

Jim Luth

2013-07-16 16:41

administrator   ~0004814

Need to clarify under what conditions detailed error codes in Table 8 are to be returned to caller.

Matthias Damm

2013-11-25 15:56

developer   ~0005136

Clarified that trust list check is executed first and fails with unspecific error. If trust list check succeeds, the validation steps are executed for the whole certificate chain and specific errors are provided if they fail.

Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.07.doc

Jim Luth

2013-11-25 17:46

administrator   ~0005139

Reviewed doc and agreed to changes in telecon. Awaiting completed errata before closing. Matthias will add a related code Mantis issue to make sure the stacks are made compliant.

Jim Luth

2013-12-10 17:17

administrator   ~0005180

Agreed to reviewed Errata with minor changes.

Issue History

Date Modified Username Field Change
2013-07-16 16:40 Jim Luth New Issue
2013-07-16 16:40 Jim Luth Issue generated from: 0002504
2013-07-16 16:40 Jim Luth Relationship added related to 0002504
2013-07-16 16:40 Jim Luth Project 10000-006: Mappings => 10000-004: Services
2013-07-16 16:41 Jim Luth Note Added: 0004814
2013-07-16 16:41 Jim Luth Status new => assigned
2013-07-16 16:41 Jim Luth Assigned To => Matthias Damm
2013-11-25 15:56 Matthias Damm Status assigned => resolved
2013-11-25 15:56 Matthias Damm Resolution open => fixed
2013-11-25 15:56 Matthias Damm Note Added: 0005136
2013-11-25 17:46 Jim Luth Note Added: 0005139
2013-12-10 17:17 Jim Luth Status resolved => closed
2013-12-10 17:17 Jim Luth Note Added: 0005180
2013-12-10 17:17 Jim Luth Fixed in Version => 1.02