View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004817 | Compliance Test Tool (CTT) Unified Architecture | 1 - Script Issue | public | 2019-07-12 14:06 | 2021-05-13 14:55 |
Reporter | V. Monfort | Assigned To | Alexander Allmendinger | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Product Version | 1.03.341.389 | ||||
Fixed in Version | 1.03.341.390 | ||||
Summary | 0004817: Security User Name Password 002 + 011 / Session Base Err-001+Err-002+Err-003+Err-005: fail when None security mode is set for SC | ||||
Description | When the secure channel is configured as security mode None and security policy mode in Server Test -> Secure Channel and the Unsecured endpoint does not provide a server certificate, the tests Security User Name Password 002 + 011 / Session Base Err-001+Err-002+Err-003+Err-005 fail. This is at least due to the following code in OpenSecureChannel.js: In this case gServerCapabilities.ServerCertificate is defined but its content is empty; therefore the call to this.Channel.connect( args.ServerUrl ); fails, returning BadInvalidArgument, because the server certificate content is empty whereas the policy used requires a certificate. | ||||
Additional Information | The following fixes were intended to fix the situation (but on version 1.3.340.380 even if bug still present in latest version), it completely worked for "Security User Name Password 002 + 011": --- a/library/ServiceBased/SecureChannel/OpenSecureChannel.js
--- a/library/ClassBased/UaI.js
| ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Files Affected | |||||
duplicate of | 0004777 | closed | Alexander Allmendinger | CTT uses wrong ServerCertificate |
related to | 0005661 | closed | Alexander Allmendinger | Function buildAnonymousIdentityToken builds UserIdentityToken incorrectly |
|
Can you send a Wireshark trace or a CTT trace of the problem, or provide us a simulation server in which this problem occurs? |
|
Here are the elements when running only the following test "Security User Name Password 002" and "Server Test->Secure Channel" is configured to security mode and policy None. As you can see from the following line in the log, an attempt to connect with security is made but fails with BadInvalidArgument: But you can see the absence of an OPN message with that mode and policy in the Wireshark capture. This is due to the fact that the CTT scripts failed during the call to connect, as stated in the issue description. CTT.log (7,593 bytes)
GetEndpoints( LocaleIds #0; ProfileUris #0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
ServerCertificate is empty. This is allowed per Errata 1.02.03, but it can cause interoperability problems with older UA 1.01 Clients. Message suppressed from being displayed again.
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/warnOnce.js line: 75
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js line: 138
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js line: 56
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js line: 81
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js line: 47
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js line: 46
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js line: 48
GetEndpoints.Response.Endpoints[3].UserIdentityTokens[1].UserName does not have a SecurityPolicyUri defined. This is legal but could result in the plain-text transmission of user credentials. Message suppressed from being displayed again.
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/warnOnce.js line: 78
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js line: 151
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js line: 56
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/DiscoveryServiceSet/GetEndpoints.js line: 81
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js line: 47
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js line: 46
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js line: 48
GetEndpoints and ServerCertificate validation succeeded.
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
CloseSecureChannel(); Result = Good (0x00000000)
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js line: 119
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js line: 88
CreateSessionResponseHeader.RequestHandle does not match expected RequestHandle.
Expected: 1 Received: 0
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ClassBased/UaR.js line: 209
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SessionServiceSet/CreateSession.js line: 126
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js line: 90
CreateSession.Response.ResponseHeader.Timestamp shows a delay in excess of 391672700ms, which exceeds the configured tolerance of: 100 msecs Message suppressed from being displayed again.
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/warnOnce.js line: 75
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ClassBased/UaR.js line: 216
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SessionServiceSet/CreateSession.js line: 126
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/initialize.js line: 90
CreateSession( EndpointUrl=opc.tcp://localhost:4841; SessionName: UaCttSession_1; RequestedSessionTimeout: 120000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
CloseSession().Result: Good (0x00000000)
***** CONFORMANCE UNIT 'Security User Name Password' INITIALIZATION COMPLETE - TESTS STARTING ******
~~~ START OF TEST [username002] ~~~
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256 ); Result = BadInvalidArgument (0x80ab0000)
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SecureChannel/OpenSecureChannel.js line: 119
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js line: 11
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js line: 95
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js line: 53
CreateSessionResponseHeader.RequestHandle does not match expected RequestHandle.
Expected: 3 Received: 0
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ClassBased/UaR.js line: 209
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/ServiceBased/SessionServiceSet/CreateSession.js line: 126
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js line: 13
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/library/Base/safeInvoke.js line: 95
  called from: /users/vincent/git/S2OPC_dup/acceptances_tests/Acceptation_S2OPC/maintree/Security/Security User Name Password/Test Cases/002.js line: 53
CreateSession( EndpointUrl=opc.tcp://localhost:4841; SessionName: UaCttSession_2; RequestedSessionTimeout: 120000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
CloseSession().Result: Good (0x00000000)
The desired endpoint does define a specific SecurityPolicy for the Username Password UserIdentityToken. Therefore we can't run the test on this one.
~~~ END OF TEST [username002] ~~~
***** CONFORMANCE UNIT 'Security User Name Password' TEST SCRIPTS COMPLETE ******
***** CONFORMANCE UNIT 'Security User Name Password' TESTING COMPLETE ****** |
|
The CTT was storing the Server Certificate of the default SecurityPolicy defined by the settings. Because several test scripts are using different endpoints and these endpoints can need different certificates, it was necessary to use the certificate provided for each endpoint. |
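The difference between reusing the default policy's certificate and selecting it per endpoint, as described in the note above, shown as an added example that is not CTT script code. The endpoint records, helper names and placeholder certificate bytes are constructed for illustration.

```javascript
// Added example (not CTT code). Endpoint records are constructed sample data;
// field names follow the OPC UA EndpointDescription structure.
const NONE = "http://opcfoundation.org/UA/SecurityPolicy#None";
const B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";
const SERVER_URL = "opc.tcp://localhost:4841";

// Constructed GetEndpoints result: the unsecured endpoint has an empty certificate.
const sampleEndpoints = [
  { endpointUrl: SERVER_URL, securityMode: "None", securityPolicyUri: NONE,
    serverCertificate: new Uint8Array(0) },
  { endpointUrl: SERVER_URL, securityMode: "SignAndEncrypt", securityPolicyUri: B256,
    serverCertificate: Uint8Array.from([0x30, 0x82, 0x01, 0x0a]) }, // placeholder bytes
];

const hasContent = (cert) => cert != null && cert.length > 0;

// Behaviour described in the note: one certificate, taken from the endpoint that
// matches the configured default policy, is reused for every channel.
function certFromDefaultPolicy(endpoints, defaultPolicyUri) {
  const ep = endpoints.find((e) => e.securityPolicyUri === defaultPolicyUri);
  return ep ? ep.serverCertificate : null;
}

// Per-endpoint selection: look up the endpoint the channel will actually use and
// refuse a secured channel when that endpoint's certificate is missing or empty.
function channelParameters(endpoints, securityMode, securityPolicyUri) {
  const ep = endpoints.find((e) =>
    e.securityMode === securityMode && e.securityPolicyUri === securityPolicyUri);
  if (!ep) return { ok: false, reason: "no-matching-endpoint" };
  if (securityPolicyUri === NONE) {
    // Policy None needs no certificate, so an empty one is acceptable here.
    return { ok: true, endpointUrl: ep.endpointUrl, serverCertificate: null };
  }
  if (!hasContent(ep.serverCertificate)) {
    return { ok: false, reason: "empty-server-certificate" };
  }
  return { ok: true, endpointUrl: ep.endpointUrl, serverCertificate: ep.serverCertificate };
}

// With None as the configured default, the reused certificate is empty ...
const cached = certFromDefaultPolicy(sampleEndpoints, NONE);
// ... while the per-endpoint lookup returns the secured endpoint's certificate.
const secured = channelParameters(sampleEndpoints, "SignAndEncrypt", B256);
console.log(hasContent(cached), secured.ok, secured.serverCertificate.length);
```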
|
Problem still present in version 1.03.341.390 |
|
The following patches are still necessary with version 390 patchs (3,089 bytes)
diff --git a/library/ClassBased/UaI.js b/library/ClassBased/UaI.js --- a/library/ClassBased/UaI.js +++ b/library/ClassBased/UaI.js @@ -23,7 +23,7 @@ IdentifierType.Validate = function( args ) { // function that is useful for ALL scripts function isDefined( obj ) { var result = true; - if( obj === undefined || obj === null ) { + if( obj === undefined || obj === null || obj === "" ) { result = false; } else if( obj.length !== undefined && obj.length > 0 && typeof( obj ) !== "string" && typeof( obj ) !== "function" ) { diff --git a/library/ServiceBased/SecureChannel/OpenSecureChannel.js b/library/ServiceBased/SecureChannel/OpenSecureChannel.js --- a/library/ServiceBased/SecureChannel/OpenSecureChannel.js +++ b/library/ServiceBased/SecureChannel/OpenSecureChannel.js @@ -36,12 +36,13 @@ function OpenSecureChannelService( args ) { else this.Channel.RequestedSecurityPolicyUri = parseInt( readSetting( "/Server Test/Secure Channel/RequestedSecurityPolicyUri" ) ); if( !isDefined( args.ServerCertificate ) ) { - if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) ) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER(); + if( isDefined( gServerCapabilities ) && isDefined( gServerCapabilities.ServerCertificate ) && isDefined( gServerCapabilities.ServerCertificate.ApplicationUri )) this.Channel.ServerCertificate = gServerCapabilities.ServerCertificate.toDER(); else { // we don't have the server certificate; let's go get it using an insecure connection var tmpChannel = new UaChannel(); var discoverySession = new UaDiscovery( tmpChannel ); var status = tmpChannel.connect( readSetting( "/Server Test/Server URL" ) ); if (status.isGood()) { + gServerCapabilities.Endpoints = []; var foundDesiredEndpoint = false; var getEndpointsHelper = new GetEndpointsService( { Session: discoverySession } ); getEndpointsHelper.Execute2(); 
diff --git a/maintree/Security/Security User Name Password/Test Cases/002.js b/maintree/Security/Security User Name Password/Test Cases/002.js --- a/maintree/Security/Security User Name Password/Test Cases/002.js +++ b/maintree/Security/Security User Name Password/Test Cases/002.js @@ -23,7 +23,7 @@ function username002() { var strUserToken = UserTokenType.toString( epSecureEncrypt.UserIdentityTokens[u].TokenType ); if( epSecureEncrypt.UserIdentityTokens[u].TokenType === UserTokenType.UserName ) { // skip test case if there is a SecurityPolicy for the IdentityToken defined - if (epSecureEncrypt.UserIdentityTokens[u].SecurityPolicy == SecurityPolicy.policyToString(SecurityPolicy.None)) { + if (epSecureEncrypt.UserIdentityTokens[u].SecurityPolicyUri == SecurityPolicy.policyToString(SecurityPolicy.None)) { foundIdentityToken = true; break; } |
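Review bot: In library/ClassBased/UaI.js, adding `obj === ""` to `isDefined` changes a helper that its own comment describes as "useful for ALL scripts", so every caller that passes a legitimately empty string now gets `false`. The empty-certificate case this patch targets would be safer as a dedicated emptiness check at the OpenSecureChannel call site, leaving `isDefined` unchanged; if the global change is kept, the function comment should state that empty strings count as undefined.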
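Review bot: In library/ServiceBased/SecureChannel/OpenSecureChannel.js, the added `gServerCapabilities.Endpoints = [];` sits in the `else` branch, which is also taken when `isDefined( gServerCapabilities )` is false, so the assignment can dereference an undefined object; guard it or initialise `gServerCapabilities` before the assignment. The new condition also relies on `ServerCertificate.ApplicationUri` as a stand-in for "the certificate has content", which only works together with the `isDefined` change in UaI.js and deserves a comment or a direct check on the certificate itself.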
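Review bot: In maintree/Security/Security User Name Password/Test Cases/002.js, the corrected comparison on `SecurityPolicyUri` matches only a token that explicitly carries the None policy URI; a UserName token with no `SecurityPolicyUri` at all, which the GetEndpoints warning in the attached CTT.log reports for this server, does not match, so `foundIdentityToken` stays false for it. Decide whether an undefined or empty `SecurityPolicyUri` should be accepted as well, use `===` for the comparison, and bring the comment above it ("skip test case if there is a SecurityPolicy for the IdentityToken defined") in line with the renamed field.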
|
Because of the changes being done to the script library this should be fixed in the latest release 1.03.341.396. Could you please double-check if the problem still persists? |
|
As we didn't receive further feedback we assume this issue is not present in the latest version any more. |
|
duplicate - fixed in older set of fixes |
Date Modified | Username | Field | Change |
---|---|---|---|
2019-07-12 14:06 | V. Monfort | New Issue | |
2019-07-12 14:28 | Paul Hunkar | Assigned To | => Paul Hunkar |
2019-07-12 14:28 | Paul Hunkar | Status | new => feedback |
2019-07-12 14:28 | Paul Hunkar | Note Added: 0010478 | |
2019-07-12 14:49 | V. Monfort | File Added: ctt.pcapng | |
2019-07-12 14:49 | V. Monfort | File Added: CTT.log | |
2019-07-12 14:49 | V. Monfort | Note Added: 0010480 | |
2019-07-12 14:49 | V. Monfort | Status | feedback => assigned |
2019-08-12 05:14 | Paul Hunkar | Assigned To | Paul Hunkar => |
2019-08-12 05:15 | Paul Hunkar | Assigned To | => Alexander Allmendinger |
2019-11-04 14:46 | Alexander Allmendinger | Status | assigned => resolved |
2019-11-04 14:46 | Alexander Allmendinger | Resolution | open => fixed |
2019-11-04 14:46 | Alexander Allmendinger | Fixed in Version | => 1.03.341.390 |
2019-11-04 14:46 | Alexander Allmendinger | Note Added: 0011191 | |
2019-11-04 14:48 | Alexander Allmendinger | Relationship added | duplicate of 0004777 |
2020-03-05 17:56 | V. Monfort | Status | resolved => feedback |
2020-03-05 17:56 | V. Monfort | Resolution | fixed => reopened |
2020-03-05 17:56 | V. Monfort | Note Added: 0011692 | |
2020-03-05 17:59 | V. Monfort | File Added: patchs | |
2020-03-05 17:59 | V. Monfort | Note Added: 0011693 | |
2020-03-05 17:59 | V. Monfort | Status | feedback => assigned |
2020-07-09 14:44 | Paul Hunkar | Relationship added | related to 0005661 |
2020-07-10 13:41 | Alexander Allmendinger | Status | assigned => feedback |
2020-07-10 13:41 | Alexander Allmendinger | Note Added: 0012582 | |
2021-05-13 14:53 | Paul Hunkar | Status | feedback => assigned |
2021-05-13 14:54 | Alexander Allmendinger | Status | assigned => resolved |
2021-05-13 14:54 | Alexander Allmendinger | Resolution | reopened => duplicate |
2021-05-13 14:54 | Alexander Allmendinger | Note Added: 0014373 | |
2021-05-13 14:55 | Paul Hunkar | Status | resolved => closed |
2021-05-13 14:55 | Paul Hunkar | Note Added: 0014374 |