View Issue Details

ID: 0004703
Project: CTT UA Scripts
Category: 1 - Script Issue
View Status: public
Last Update: 2024-09-26 09:40
Reporter: Bernd Edlinger
Assigned To: Sebastian Allmendinger
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0004703: inconsistency Security Certificate Validation/002.js vs. 042.js/043.js
Description

One test expects the server to return BadCertificateIssuerRevocationUnknown, the other wants BadCertificateRevocationUnknown,
but the best our server can do is return BadCertificateIssuerRevocationUnknown because without the necessary
revocation lists it is impossible to build (and validate!) the full certificate chain in the first place.
Therefore this tells something about the configuration of the PKI store, which is not supposed to happen.

002.js "Connect using a client certificate signed by a CA trusted by the server where there is no revocation list available."
Error: OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: Good (0x00000000) or BadCertificateIssuerRevocationUnknown (0x801c0000)

042.js/043.js "Connect using an (untrusted) issued certificate of a CA that has no revocation list available."
Error: OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: Good (0x00000000); Would accept: BadCertificateRevocationUnknown (0x801b0000)

Tags: No tags attached.
Files Affected

/maintree/Security/Security Certificate Validation/Test Cases/002.js
/maintree/Security/Security Certificate Validation/Test Cases/042.js
/maintree/Security/Security Certificate Validation/Test Cases/043.js

Relationships

related to 0004704 closed Matthias Damm 10000-004: Services Certificate validation Steps - revocation lists

Activities

Paul Hunkar

2019-03-29 15:16

administrator   ~0010080

Added a separate mantis issue to clarify what is expected with regards to revocation lists. Based on the return of that mantis issue "Bad_SecurityChecksFailed" might be added for both cases. Currently this is not listed in the spec. There is a difference between 2 and 42/43 in that there is an issuer certificate, thus the error being returned does change. We are also asking for clarification as to what happens if the instance certificate is explicitly trusted, which might also change what can be returned.

Alexander Allmendinger

2022-09-02 14:46

developer   ~0017490

Currently there is no Errata pushing this back to 1.04 nor 1.03. Therefore, this will only be fixed in the 1.05 version of the scripts.
Paul will double check with the UA Working Group whether this needs to be pushed back in an Errata too.

Sebastian Allmendinger

2024-09-26 09:40

developer   ~0021809

With the release of Errata 1.04.12, the expectation in the specification changed and therefore the test scripts have been updated.
Instead of Bad*RevocationUnknown, BadSecurityChecksFailed is now expected.
Because the specification added a "should", the previous error codes are still accepted, but with a warning pointing to the Errata.
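
The acceptance rule from the notes above, as an added example that is not the CTT's own script code: it evaluates an OpenSecureChannel status against the pre-Errata expectations quoted in the two error messages and against the post-Errata rule. The `policies` table, `evaluate` and `fmt` are hypothetical names; counting "Would accept" as a pass and keeping Good as expected after the Errata are assumptions.

```javascript
// Status codes and values exactly as quoted in the error messages on this page.
const StatusCode = Object.freeze({
  Good: 0x00000000,
  BadSecurityChecksFailed: 0x80130000,
  BadCertificateRevocationUnknown: 0x801b0000,
  BadCertificateIssuerRevocationUnknown: 0x801c0000,
});
const S = StatusCode;

// Render a code the way the quoted messages do: Name (0xXXXXXXXX).
function fmt(code) {
  const name = Object.keys(S).find((k) => S[k] === code) || "Unknown";
  return `${name} (0x${(code >>> 0).toString(16).padStart(8, "0")})`;
}

// Hypothetical policy tables (not CTT data structures).
// "before": read off the two error messages; "Would accept" is treated as a pass.
// "after": the generic code is expected and the specific Bad*RevocationUnknown
// codes only warn. Keeping Good as expected is an assumption.
const legacy = [S.BadCertificateRevocationUnknown, S.BadCertificateIssuerRevocationUnknown];
const postErrata = { pass: [S.Good, S.BadSecurityChecksFailed], warn: legacy };
const policies = {
  before: {
    "002": { pass: [S.Good, S.BadCertificateIssuerRevocationUnknown], warn: [] },
    "042": { pass: [S.Good, S.BadCertificateRevocationUnknown], warn: [] },
    "043": { pass: [S.Good, S.BadCertificateRevocationUnknown], warn: [] },
  },
  after: { "002": postErrata, "042": postErrata, "043": postErrata },
};

// Returns { verdict: "pass" | "warning" | "fail", message } for one test case.
function evaluate(testCase, received, era) {
  const policy = policies[era] && policies[era][testCase];
  if (!policy) throw new Error(`no policy for ${era}/${testCase}`);
  if (policy.pass.includes(received)) {
    return { verdict: "pass", message: fmt(received) };
  }
  if (policy.warn.includes(received)) {
    return {
      verdict: "warning",
      message: `${fmt(received)} still accepted; Errata 1.04.12 expects ${fmt(S.BadSecurityChecksFailed)}`,
    };
  }
  const expected = policy.pass.map(fmt).join(" or ");
  return { verdict: "fail", message: `received '${fmt(received)}'. Expected: ${expected}` };
}
```

A server that answers with the generic code for every revocation-related failure passes all three cases under the `after` policy, without the response revealing which CRL is missing from its PKI store.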

Issue History

Date Modified Username Field Change
2019-03-29 08:31 Bernd Edlinger New Issue
2019-03-29 14:43 Paul Hunkar Relationship added related to 0004704
2019-03-29 15:16 Paul Hunkar Note Added: 0010080
2019-03-29 15:16 Paul Hunkar Status new => acknowledged
2020-05-21 05:38 Paul Hunkar Assigned To => Alexander Allmendinger
2020-05-21 05:38 Paul Hunkar Status acknowledged => assigned
2022-08-02 20:04 Paul Hunkar Project Compliance Test Tool (CTT) Unified Architecture => CTT UA Scripts
2022-09-02 14:46 Alexander Allmendinger Note Added: 0017490
2024-09-26 09:37 Sebastian Allmendinger Files Affected => /maintree/Security/Security Certificate Validation/Test Cases/002.js
/maintree/Security/Security Certificate Validation/Test Cases/042.js
/maintree/Security/Security Certificate Validation/Test Cases/043.js
2024-09-26 09:40 Sebastian Allmendinger Assigned To Alexander Allmendinger => Sebastian Allmendinger
2024-09-26 09:40 Sebastian Allmendinger Status assigned => resolved
2024-09-26 09:40 Sebastian Allmendinger Resolution open => fixed
2024-09-26 09:40 Sebastian Allmendinger Note Added: 0021809