View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0004615Compliance Test Tool (CTT) Unified Architecture4 - Test Case Definitionpublic2019-02-11 14:342019-07-23 13:00
ReporterHannes Mezger Assigned ToAlexander Allmendinger  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.03.341.384 
Target Version1.03Fixed in Version1.03.341.389 
Summary0004615: Security/Security Certificate Validation/029.js
Description

It has to be allowed to use CA certificates as application instance certificates:

  • A self-signed certificate requires to sign itself
  • The X509 specification states that the keyCertSign flag has to be set for certificates that sign others, including themselves
    http://tools.ietf.org/html/rfc3280#page-29:
    "The keyCertSign bit is asserted when the subject public key is used for verifying a signature on public key certificates."
  • The X509 specification states that the CA flag has to be set if the keyCertSign flag is set
    http://tools.ietf.org/html/rfc3280#page-29:
    "If the keyCertSign bit is asserted, then the CA bit in the basic constraints extension (section 4.2.1.10) MUST also be asserted."

This leads to the conclusion that all self-signed certificates MUST be CA certificates.

This again leads to the test being invalid at this point, as it assumes that CA certificates are not allowed to be used as application instance certificates. Instead, the test should use a certificate which is missing one of the required usage flags (e.g. dataEncipherment).

TagsNo tags attached.
Files Affected

Activities

Alexander Allmendinger

2019-02-14 16:06

developer   ~0009892

Generated Certificates needs to be changed:
BasicConstraints: In the Application Instance Certificates remove the EndEntity and add CA
KeyUsage: Remove the crl-Flags for the ApplicationInstance Certificates and remove the DataEncipherment Flags in the CA Certificates

Enhance description for test to indicate that the server needs to check for flags which are required for a Application Instance Certificate and then prohibit a CA certificate for a connection.

Alexander Allmendinger

2019-02-25 12:19

developer   ~0009924

Fixed as described in 1.03.341.386

Also switched to a uniform certificate naming structure to ease investigations.

Paul Hunkar

2019-07-23 13:00

administrator   ~0010543

reviewed in CMP Call

Issue History

Date Modified Username Field Change
2019-02-11 14:34 Hannes Mezger New Issue
2019-02-14 16:06 Alexander Allmendinger Status new => assigned
2019-02-14 16:06 Alexander Allmendinger Product Version => 1.03.341.384
2019-02-14 16:06 Alexander Allmendinger Target Version => 1.04
2019-02-14 16:06 Alexander Allmendinger Note Added: 0009892
2019-02-25 12:19 Alexander Allmendinger Assigned To => Alexander Allmendinger
2019-02-25 12:19 Alexander Allmendinger Status assigned => resolved
2019-02-25 12:19 Alexander Allmendinger Resolution open => fixed
2019-02-25 12:19 Alexander Allmendinger Note Added: 0009924
2019-07-23 12:57 Paul Hunkar Fixed in Version => 1.03.341.389
2019-07-23 12:57 Paul Hunkar Target Version 1.04 => 1.03
2019-07-23 13:00 Paul Hunkar Status resolved => closed
2019-07-23 13:00 Paul Hunkar Note Added: 0010543