View Issue Details

ID: 0004817
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 1 - Script Issue
View Status: public
Last Update: 2021-05-13 14:55
Reporter: V. Monfort
Assigned To: Alexander Allmendinger
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 1.03.341.389
Fixed in Version: 1.03.341.390
Summary: 0004817: Security User Name Password 002 + 011 / Session Base Err-001+Err-002+Err-003+Err-005: fail when None security mode is set for SC
Description

When the secure channel is configured with security mode None and security policy None in Server Test -> Secure Channel, and the unsecured endpoint does not provide a server certificate, the tests Security User Name Password 002 + 011 / Session Base Err-001+Err-002+Err-003+Err-005 fail.
Note: some secure endpoints with a certificate are available on the server even if the unsecured endpoint is configured by default in the settings.

This is at least due to the following code in OpenSecureChannel.js:
if( !isDefined( args.ServerCertificate ) ) {
if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) ) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER();

In this case gServerCapabilities.ServerCertificate is defined but its content is empty; therefore the call to this.Channel.connect( args.ServerUrl ); fails, returning BadInvalidArgument, because the server certificate content is empty whereas the policy used requires a certificate.

Additional Information

The following fixes were intended to address the situation (they were made on version 1.3.340.380, but the bug is still present in the latest version); they completely worked for "Security User Name Password 002 + 011":

--- a/library/ServiceBased/SecureChannel/OpenSecureChannel.js
+++ b/library/ServiceBased/SecureChannel/OpenSecureChannel.js
@@ -36,12 +36,13 @@ function OpenSecureChannelService( args ) {
else this.Channel.RequestedSecurityPolicyUri = parseInt( readSetting( "/Server Test/Secure Channel/RequestedSecurityPolicyUri" ) );

     if( !isDefined( args.ServerCertificate ) ) {
  • if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) ) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER();
  • if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) && isDefined( gServerCapabilities.ServerCertificate.ApplicationUri )) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER();
    else { // we don't have the server certificate; let's go get it using an insecure connection
    var tmpChannel = new UaChannel();
    var discoverySession = new UaDiscovery( tmpChannel );
    var status = tmpChannel.connect( readSetting( "/Server Test/Server URL" ) );
    if( status.isGood() ) {
  • gServerCapabilities.Endpoints = [];
    var getEndpointsHelper = new GetEndpointsService( { Session: discoverySession } );
    getEndpointsHelper.Execute2();
    tmpChannel.disconnect();
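Review bot: the `else` branch marked `// we don't have the server certificate; let's go get it using an insecure connection` opens a plain channel to `/Server Test/Server URL` and takes the certificate from the GetEndpoints answer of that unauthenticated exchange, so the certificate it yields must still pass the tool's normal ServerCertificate validation before it is used for the secured OpenSecureChannel (the attached log shows that step as "GetEndpoints and ServerCertificate validation succeeded"). The new `gServerCapabilities.Endpoints = [];` clears the cached endpoint list immediately before `GetEndpointsService` refills it; a one-line comment saying the refill is intended would stop a later reader from treating it as a lost cache.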

--- a/library/ClassBased/UaI.js
+++ b//library/ClassBased/UaI.js
@@ -23,7 +23,7 @@ IdentifierType.Validate = function( args ) {
// function that is useful for ALL scripts
function isDefined( obj ) {
var result = true;

  • if( obj === undefined || obj === null ) {
  • if( obj === undefined || obj === null || obj === "" ) {
    result = false;
    }
    else if( obj.length !== undefined && obj.length > 0 && typeof( obj ) !== "string" && typeof( obj ) !== "function" ) {
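Review bot: adding `obj === ""` to `isDefined` changes a helper that the comment above it describes as `useful for ALL scripts`, so every caller that passes an empty string now gets `false` where it previously got `true`; that is a much wider behaviour change than the certificate case this patch targets. Consider leaving `isDefined` as it is and doing the emptiness test at the OpenSecureChannel.js call site, or in a separate helper (for example an `isNonEmpty`), so the change stays local to the certificate check.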
Tags: No tags attached.
Attached Files: ctt.pcapng (11,440 bytes)
Files Affected:

Relationships

duplicate of 0004777 (closed, Alexander Allmendinger): CTT uses wrong ServerCertificate
related to 0005661 (closed, Alexander Allmendinger): Function buildAnonymousIdentityToken builds UserIdentityToken incorrectly

Activities

Paul Hunkar

2019-07-12 14:28

administrator   ~0010478

Can you send a Wireshark trace or a CTT trace of the problem, or provide us with a simulation server on which this problem occurs?
We don't see an issue, it might also be that we are not understanding the description of the problem.

V. Monfort

2019-07-12 14:49

reporter   ~0010480

Here are the elements when running only the following test, "Security User Name Password 002", with "Server Test->Secure Channel" configured to security mode and policy None.

As you can see from the following line in the log, an attempt to connect with security is made but fails with BadInvalidArgument:
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)

But you can see the absence of an OPN message with that mode and policy in the Wireshark capture. This is because the CTT scripts failed during the call to connect, as stated in the issue description.
And the call to connect fails because in this case the server certificate is empty, whereas the endpoints corresponding to http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 do provide a server certificate.

CTT.log (7,593 bytes)   
GetEndpoints( LocaleIds #0; ProfileUris #0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
ServerCertificate is empty. This is allowed per Errata 1.02.03, but it can cause interoperability problems with older UA 1.01 Clients.
Message suppressed from being displayed again.
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/warnOnce.js  line: 75
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js  line: 138
        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js  line: 56
            called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js  line: 81
                called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js  line: 47
                    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js  line: 46
                        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js  line: 48
GetEndpoints.Response.Endpoints[3].UserIdentityTokens[1].UserName does not have a SecurityPolicyUri defined. This is legal but could result in the plain-text transmission of user credentials.
Message suppressed from being displayed again.
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/warnOnce.js  line: 78
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js  line: 151
        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js  line: 56
            called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js  line: 81
                called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js  line: 47
                    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js  line: 46
                        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js  line: 48
GetEndpoints and ServerCertificate validation succeeded.
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
CloseSecureChannel(); Result = Good (0x00000000)
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js  line: 119
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js  line: 88
CreateSessionResponseHeader.RequestHandle does not match expected RequestHandle. Expected: 1 Received: 0
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ClassBased/UaR.js  line: 209
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SessionServiceSet/CreateSession.js  line: 126
        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js  line: 90
CreateSession.Response.ResponseHeader.Timestamp shows a delay in excess of 391672700ms, which exceeds the configured tolerance of: 100 msecs
Message suppressed from being displayed again.
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/warnOnce.js  line: 75
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ClassBased/UaR.js  line: 216
        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SessionServiceSet/CreateSession.js  line: 126
            called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js  line: 90
CreateSession( EndpointUrl=opc.tcp://localhost:4841; SessionName: UaCttSession_1; RequestedSessionTimeout: 120000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
CloseSession().Result: Good (0x00000000)



***** CONFORMANCE UNIT 'Security User Name Password' INITIALIZATION COMPLETE - TESTS STARTING ******



	~~~ START OF TEST [username002] ~~~

OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js  line: 119
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js  line: 11
        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js  line: 95
            called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js  line: 53
CreateSessionResponseHeader.RequestHandle does not match expected RequestHandle. Expected: 3 Received: 0
called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ClassBased/UaR.js  line: 209
    called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SessionServiceSet/CreateSession.js  line: 126
        called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js  line: 13
            called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js  line: 95
                called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js  line: 53
CreateSession( EndpointUrl=opc.tcp://localhost:4841; SessionName: UaCttSession_2; RequestedSessionTimeout: 120000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
CloseSession().Result: Good (0x00000000)
The desired endpoint does define a specific SecurityPolicy for the Username Password UserIdentityToken. Therefore we can't run the test on this one.


	~~~ END OF TEST [username002] ~~~




***** CONFORMANCE UNIT 'Security User Name Password' TEST SCRIPTS COMPLETE ******




***** CONFORMANCE UNIT 'Security User Name Password' TESTING COMPLETE ******


Alexander Allmendinger

2019-11-04 14:46

developer   ~0011191

The CTT was storing the Server Certificate of the default SecurityPolicy defined by the settings. Because several test scripts use different endpoints, and these endpoints can need different certificates, it was necessary to use the certificate provided for each endpoint.
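The per-endpoint certificate selection described in this note, as an added JavaScript example that is not part of the CTT script library; the endpoint objects, field names, status strings and the helper names (hasCertificate, certificateFromDefault, selectServerCertificate) are constructed for illustration only.

```javascript
// Added example, not CTT library code: take the server certificate from the
// endpoint actually being opened instead of reusing the settings default.
// Endpoint objects and field names are constructed for illustration.

const POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None";
const POLICY_B256S256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

// Constructed GetEndpoints result: an unsecured endpoint with an empty
// certificate (allowed by Errata 1.02.03) and a secured one that has bytes.
const SAMPLE_ENDPOINTS = [
  { SecurityMode: "None", SecurityPolicyUri: POLICY_NONE, ServerCertificate: "" },
  { SecurityMode: "SignAndEncrypt", SecurityPolicyUri: POLICY_B256S256,
    ServerCertificate: [0x30, 0x82, 0x01, 0x0a] }, // stand-in for DER bytes
];

// A ServerCertificate ByteString may arrive as undefined, null, "" or a
// zero-length array; all four mean "no certificate". A plain isDefined()
// test treats the last two as present, which is the root of the report.
function hasCertificate(cert) {
  if (cert === undefined || cert === null) return false;
  if (typeof cert.length === "number") return cert.length > 0;
  return true;
}

// Old behaviour: the certificate of the default endpoint is reused for every
// OpenSecureChannel, whatever policy the test requests.
function certificateFromDefault(endpoints, defaultPolicyUri) {
  const ep = endpoints.find((e) => e.SecurityPolicyUri === defaultPolicyUri);
  return ep ? ep.ServerCertificate : null;
}

// Fixed behaviour: look up the endpoint matching the requested mode and
// policy and only hand a certificate to the channel when it has content.
function selectServerCertificate(endpoints, securityMode, policyUri) {
  const ep = endpoints.find(
    (e) => e.SecurityMode === securityMode && e.SecurityPolicyUri === policyUri);
  if (!ep) return { status: "BadNotFound", certificate: null };
  const present = hasCertificate(ep.ServerCertificate);
  if (policyUri === POLICY_NONE) {
    // an unsecured endpoint may legitimately carry no certificate
    return { status: "Good", certificate: present ? ep.ServerCertificate : null };
  }
  // a signing/encrypting policy cannot be opened without the peer certificate;
  // this is the case the tool reported as BadInvalidArgument
  if (!present) return { status: "BadInvalidArgument", certificate: null };
  return { status: "Good", certificate: ep.ServerCertificate };
}

// The report's situation: default (None) endpoint has "", so reusing it for
// a Basic256Sha256 channel yields an empty certificate; the lookup does not.
function reproduceReport() {
  const reused = certificateFromDefault(SAMPLE_ENDPOINTS, POLICY_NONE);
  const fixed = selectServerCertificate(SAMPLE_ENDPOINTS, "SignAndEncrypt", POLICY_B256S256);
  return { reusedIsEmpty: !hasCertificate(reused), fixedStatus: fixed.status };
}
```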

V. Monfort

2020-03-05 17:56

reporter   ~0011692

Problem still present in version 1.03.341.390

V. Monfort

2020-03-05 17:59

reporter   ~0011693

The following patches are still necessary with version 390

patchs (3,089 bytes)   
diff --git a/library/ClassBased/UaI.js b/library/ClassBased/UaI.js
--- a/library/ClassBased/UaI.js
+++ b/library/ClassBased/UaI.js
@@ -23,7 +23,7 @@ IdentifierType.Validate = function( args ) {
 // function that is useful for ALL scripts
 function isDefined( obj ) {
     var result = true;
-    if( obj === undefined || obj === null ) {
+    if( obj === undefined || obj === null || obj === "" ) {
         result = false;
     }
     else if( obj.length !== undefined && obj.length > 0 && typeof( obj ) !== "string" && typeof( obj ) !== "function" ) {
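Review bot: the `obj === ""` test only catches an empty JavaScript string. As far as the visible lines show, `result` starts as `true`, the `else if` only acts when `obj.length > 0`, and nothing handles a zero-length array, so an empty certificate that the decoder returns as an object rather than `""` still counts as defined and the OpenSecureChannel.js guard would still pass it to `connect()`. Adding a `obj.length === 0` test alongside the string check would cover both shapes.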
diff --git a/library/ServiceBased/SecureChannel/OpenSecureChannel.js b/library/ServiceBased/SecureChannel/OpenSecureChannel.js
--- a/library/ServiceBased/SecureChannel/OpenSecureChannel.js
+++ b/library/ServiceBased/SecureChannel/OpenSecureChannel.js
@@ -36,12 +36,13 @@ function OpenSecureChannelService( args ) {
         else this.Channel.RequestedSecurityPolicyUri = parseInt( readSetting( "/Server Test/Secure Channel/RequestedSecurityPolicyUri" ) );
 
         if( !isDefined( args.ServerCertificate ) ) {
-            if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) ) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER();
+            if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) && isDefined( gServerCapabilities.ServerCertificate.ApplicationUri )) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER();
             else { // we don't have the server certificate; let's go get it using an insecure connection
                 var tmpChannel = new UaChannel();
                 var discoverySession = new UaDiscovery( tmpChannel );
                 var status = tmpChannel.connect( readSetting( "/Server Test/Server URL" ) );
                 if (status.isGood()) {
+                    gServerCapabilities.Endpoints = [];
                     var foundDesiredEndpoint = false;
                     var getEndpointsHelper = new GetEndpointsService( { Session: discoverySession } );
                     getEndpointsHelper.Execute2();
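Review bot: the new condition uses `isDefined( gServerCapabilities.ServerCertificate.ApplicationUri )` as a proxy for "the certificate has content", which ties the guard to a parsed field rather than to the DER bytes that `toDER()` actually hands to the channel. If the certificate object exposes its raw bytes, testing that their length is non-zero (the property `connect()` rejects with BadInvalidArgument) would be a more direct check and would not depend on the `isDefined` change in UaI.js; if the ApplicationUri test stays, a comment explaining why that field was chosen belongs next to it.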
diff --git a/maintree/Security/Security User Name Password/Test Cases/002.js b/maintree/Security/Security User Name Password/Test Cases/002.js
--- a/maintree/Security/Security User Name Password/Test Cases/002.js	
+++ b/maintree/Security/Security User Name Password/Test Cases/002.js	
@@ -23,7 +23,7 @@ function username002() {
         var strUserToken = UserTokenType.toString( epSecureEncrypt.UserIdentityTokens[u].TokenType );
         if( epSecureEncrypt.UserIdentityTokens[u].TokenType === UserTokenType.UserName ) {
             // skip test case if there is a SecurityPolicy for the IdentityToken defined
-            if (epSecureEncrypt.UserIdentityTokens[u].SecurityPolicy == SecurityPolicy.policyToString(SecurityPolicy.None)) {
+            if (epSecureEncrypt.UserIdentityTokens[u].SecurityPolicyUri == SecurityPolicy.policyToString(SecurityPolicy.None)) {
                 foundIdentityToken = true;
                 break;
             }
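Review bot: the `SecurityPolicy` to `SecurityPolicyUri` rename matches the field name the tool itself reports in the attached log (`UserIdentityTokens[1].UserName does not have a SecurityPolicyUri defined`), so the old comparison read a property that never matched. Two follow-ups: the new line keeps `==` while the line above uses `===`, and the comment says the test is skipped when a SecurityPolicy is defined, yet the condition only matches an explicit None URI, so a UserName token that omits `SecurityPolicyUri` entirely (which the log flags as legal) never sets `foundIdentityToken`; decide whether an absent URI should be treated as None here.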

Alexander Allmendinger

2020-07-10 13:41

developer   ~0012582

Because of the changes being done to the script library this should be fixed in the latest release 1.03.341.396. Could you please double-check if the problem still persists?

Alexander Allmendinger

2021-05-13 14:54

developer   ~0014373

As we didn't receive further feedback we assume this issue is not present in the latest version any more.

Paul Hunkar

2021-05-13 14:55

administrator   ~0014374

duplicate - fixed in older set of fixes

Issue History

Date Modified Username Field Change
2019-07-12 14:06 V. Monfort New Issue
2019-07-12 14:28 Paul Hunkar Assigned To => Paul Hunkar
2019-07-12 14:28 Paul Hunkar Status new => feedback
2019-07-12 14:28 Paul Hunkar Note Added: 0010478
2019-07-12 14:49 V. Monfort File Added: ctt.pcapng
2019-07-12 14:49 V. Monfort File Added: CTT.log
2019-07-12 14:49 V. Monfort Note Added: 0010480
2019-07-12 14:49 V. Monfort Status feedback => assigned
2019-08-12 05:14 Paul Hunkar Assigned To Paul Hunkar =>
2019-08-12 05:15 Paul Hunkar Assigned To => Alexander Allmendinger
2019-11-04 14:46 Alexander Allmendinger Status assigned => resolved
2019-11-04 14:46 Alexander Allmendinger Resolution open => fixed
2019-11-04 14:46 Alexander Allmendinger Fixed in Version => 1.03.341.390
2019-11-04 14:46 Alexander Allmendinger Note Added: 0011191
2019-11-04 14:48 Alexander Allmendinger Relationship added duplicate of 0004777
2020-03-05 17:56 V. Monfort Status resolved => feedback
2020-03-05 17:56 V. Monfort Resolution fixed => reopened
2020-03-05 17:56 V. Monfort Note Added: 0011692
2020-03-05 17:59 V. Monfort File Added: patchs
2020-03-05 17:59 V. Monfort Note Added: 0011693
2020-03-05 17:59 V. Monfort Status feedback => assigned
2020-07-09 14:44 Paul Hunkar Relationship added related to 0005661
2020-07-10 13:41 Alexander Allmendinger Status assigned => feedback
2020-07-10 13:41 Alexander Allmendinger Note Added: 0012582
2021-05-13 14:53 Paul Hunkar Status feedback => assigned
2021-05-13 14:54 Alexander Allmendinger Status assigned => resolved
2021-05-13 14:54 Alexander Allmendinger Resolution reopened => duplicate
2021-05-13 14:54 Alexander Allmendinger Note Added: 0014373
2021-05-13 14:55 Paul Hunkar Status resolved => closed
2021-05-13 14:55 Paul Hunkar Note Added: 0014374