View Issue Details

ID: 0004146
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 1 - Script Issue
View Status: public
Last Update: 2019-07-25 15:24
Reporter: Bernd Edlinger
Assigned To: Alexander Allmendinger
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: PC
OS: Windows
OS Version: 8.1
Product Version: 1.03.340.380
Target Version: 1.03
Fixed in Version: 1.03.341.383
Summary: 0004146: Security Certificate Validation/008.js produces invalid signature
Description

I have selected Advanced/CertificateOverrides/DisableCertificateTimeInvalid
and configured the server to ignore certificate expirations.
The server uses Basic256Sha256 Sign&Encrypt security.

Now this test continues to the activate session request,
which fails with:

ActivateSession.Response.ResponseHeader.ServiceResult is Bad: BadSignatureInvalid (0x81010000)

I cannot tell what is exactly wrong with the signature.

But this is the only test in the whole CU that does not use

"SkipCreateSession: true"

If I use SkipCreateSession here as well everything is fine.

Tags: No tags attached.

Activities

Alexander Allmendinger

2018-03-01 16:54

developer   ~0008904

Compliance Group Meeting: We are not sure on the problem. Can you join a future call to discuss and show what you are seeing? We do agree on the fact that the CreateSession can be skipped for that test case but we'd like to figure out why this happens to ensure that this doesn't indicate a deeper problem.

Bernd Edlinger

2018-11-12 11:42

reporter   ~0009572

The problem still persists with the current CTT version,
if the server and CTT are configured to disable certificate time validation.

Interesting is that 007.js (expired certificate) succeeds.

I think the secure channel is created using the "not-yet-valid" certificate,
but the CreateSession Request sends a wrong certificate (not expired), and
the ActivateSession Request sends the signature which is probably signed
by the not-yet-valid cert, therefore the Server fails to validate the signature.

Bernd Edlinger

2018-11-12 11:49

reporter   ~0009573

I think the difference is that 007.js has "SkipCreateSession: true"
while 008.js does not.
And indeed the Wireshark captures of 007.js only show
OpenSecureChannelRequest/Response
CloseSecureChannelRequest.

while 008.js does:
OpenSecureChannelRequest/Response
CreateSessionRequest/Response
ActivateSessionRequest/Fault
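
Added example, not part of the notes above and not CTT or server code: a minimal Node.js model of the mismatch suspected in notes ~0009572 and ~0009573, where CreateSessionRequest declares one client certificate but the ActivateSession signature is made with the key of the certificate used for the secure channel. Assumptions: the "certificates" are bare RSA public keys standing in for X.509, and all identity and function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in: a real stack carries DER X.509 certificates; here a
// "certificate" is only the SPKI DER of a freshly generated RSA public key.
function makeIdentity(label) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { label, privateKey, certificate: publicKey.export({ type: 'spki', format: 'der' }) };
}

// Client side of ActivateSession: clientSignature covers serverCertificate || serverNonce,
// RSA PKCS#1 v1.5 with SHA-256 (the Basic256Sha256 asymmetric signature).
function signActivateSession(signer, serverCertificate, serverNonce) {
  return crypto.sign('sha256', Buffer.concat([serverCertificate, serverNonce]), signer.privateKey);
}

// Server side: the signature is checked against the clientCertificate that
// arrived in CreateSessionRequest, not against the secure channel certificate.
function verifyActivateSession(session, clientSignature) {
  const key = crypto.createPublicKey({ key: session.clientCertificate, format: 'der', type: 'spki' });
  const data = Buffer.concat([session.serverCertificate, session.serverNonce]);
  return crypto.verify('sha256', data, key, clientSignature) ? 'Good' : 'BadSignatureInvalid';
}

// Hypothetical identities (names are assumptions, not CTT settings).
const server = makeIdentity('server');
const notYetValid = makeIdentity('client-not-yet-valid');
const regular = makeIdentity('client-regular');

// channel: certificate used for OpenSecureChannel; declared: certificate sent in
// CreateSessionRequest; signer: key that produces the ActivateSession signature.
function runScenario(channel, declared, signer) {
  const session = {
    clientCertificate: declared.certificate,
    serverCertificate: server.certificate,
    serverNonce: crypto.randomBytes(32),
  };
  const clientSignature = signActivateSession(signer, session.serverCertificate, session.serverNonce);
  return {
    // Cheap diagnostic a server can log at CreateSession time.
    certMatchesChannel: channel.certificate.equals(declared.certificate),
    serviceResult: verifyActivateSession(session, clientSignature),
  };
}

const consistent = runScenario(notYetValid, notYetValid, notYetValid);
const suspected = runScenario(notYetValid, regular, notYetValid);
console.log('consistent:', consistent);
console.log('suspected mismatch:', suspected);
```

Logging the `certMatchesChannel` comparison on the server when CreateSessionRequest arrives separates this kind of certificate mix-up from a genuinely malformed signature.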

Paul Hunkar

2018-11-12 15:42

administrator   ~0009578

Agree to add skip session, but will also check as to why the create session causes the failure.

Alexander Allmendinger

2018-12-07 12:00

developer   ~0009675

Fixed as decided

Paul Hunkar

2019-07-25 15:24

administrator   ~0010613

Reviewed in CMP Call

Issue History

Date Modified | Username | Field | Change
2018-01-31 12:15 | Bernd Edlinger | New Issue |
2018-03-01 16:54 | Alexander Allmendinger | Note Added: 0008904 |
2018-03-01 16:54 | Alexander Allmendinger | Status | new => feedback
2018-11-12 11:42 | Bernd Edlinger | Note Added: 0009572 |
2018-11-12 11:42 | Bernd Edlinger | Status | feedback => new
2018-11-12 11:49 | Bernd Edlinger | Note Added: 0009573 |
2018-11-12 15:42 | Paul Hunkar | Note Added: 0009578 |
2018-11-12 15:43 | Paul Hunkar | Assigned To | => Alexander Allmendinger
2018-11-12 15:43 | Paul Hunkar | Status | new => assigned
2018-12-07 12:00 | Alexander Allmendinger | Note Added: 0009675 |
2018-12-07 12:00 | Alexander Allmendinger | Status | assigned => resolved
2018-12-07 12:00 | Alexander Allmendinger | Fixed in Version | => 1.03.341.383
2018-12-07 12:00 | Alexander Allmendinger | Resolution | open => fixed
2019-01-28 14:10 | Paul Hunkar | Category | Script Issue => 1 - Script Issue
2019-07-25 15:24 | Paul Hunkar | Target Version | => 1.03
2019-07-25 15:24 | Paul Hunkar | Status | resolved => closed
2019-07-25 15:24 | Paul Hunkar | Note Added: 0010613 |