View Issue Details

ID: 0008359
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 1 - Script Issue
View Status: public
Last Update: 2023-04-27 15:12
Reporter: V. Monfort
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0008359: UACTT wrongly reports an error due to different certificate use between SC and Session
Description

UACTT version: 1.03.09-01.00.500

Context: When running UACTT scripts with SC None security or running "Security None" conformance unit tests with a server that provides an Endpoint with SC None security policy and a UserName token type session with a security policy different from None.

Example of Endpoint configuration:

                    MessageSecurityMode: None (0x00000001)
                    SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None
                        [0]: UserTokenPolicy
                        [1]: UserTokenPolicy
                            PolicyId: username_Basic256Sha256
                            UserTokenType: UserName (0x00000001)
                            SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

The following error is raised by UACTT due to the fact that the SC OPN response does not provide a certificate whereas CreateSession does:

ServerCertificate returned in CreateSessionResponse (length: 1303) is different than the one used in CreateChannel (length: size=-1, data=NULL).
called from: Z:/users/vincent/git/tooling/UACTT_project/library/ServiceBased/SessionServiceSet/CreateSession.js  line: 189
    called from: Z:/users/vincent/git/tooling/UACTT_project/library/ServiceBased/SessionServiceSet/CreateSession.js  line: 134
        called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/sessionCreator.js  line: 56
            called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/safeInvoke.js  line: 47
                called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security None/Test Cases/001.js  line: 20
                    called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/safeInvoke.js  line: 104
                        called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security None/Test Cases/001.js  line: 26

It shall not be the case, since this is the expected behavior in this case regarding the OPC UA specification.
Part 6 indicates for the OPN asymmetric security header SenderCertificate field: "This field shall be null if the Message is not signed." This is the case for a Secure Channel with the None policy.
Part 4 indicates for the CreateSession response serverCertificate field:
"For SecureChannels that use the Application Instance Certificate the Client shall verify that this Certificate is the same as the one it used to create the SecureChannel."
[...] "If the securityPolicyUri is None and none of the UserTokenPolicies requires encryption, the Client shall ignore the ApplicationInstanceCertificate."

Therefore the client shall verify that the certificate is the same if the SC uses the certificate, whereas in this case the SC does not use the certificate since we are using the None policy.

Tags: No tags attached.

Activities

V. Monfort (reporter), 2022-09-27 13:33, note ~0017849

Regarding the specification, it might be sufficient to add the following exception in the scripts:

diff --git a/library/ServiceBased/SessionServiceSet/CreateSession.js b/UACTT_project/library/ServiceBased/SessionServiceSet/CreateSession.js
index 93df243..0b77f50 100755
--- a/library/ServiceBased/SessionServiceSet/CreateSession.js
+++ b/library/ServiceBased/SessionServiceSet/CreateSession.js
@@ -185,7 +185,7 @@ function CreateSessionService( args ) {
         else {
             if( Assert.True( UaPkiCertificate.IsValid( this.Response.ServerCertificate, this.Request.EndpointUrl ), "Expected CreateSession.Response.ServerCertificate to contain valid information.", "CreateSession.Response.ServerCertificate validated successfully." ) ) {
                 // check if the server certificate is the same as the one used for creating the channel
-                if( !this.Channel.Channel.ServerCertificate.equals( this.Response.ServerCertificate ) ) {
+                if( !this.Channel.Channel.ServerCertificate.equals( this.Response.ServerCertificate ) && this.Channel.Channel.ServerCertificate.length > 0) { 
                     addError( "ServerCertificate returned in CreateSessionResponse (length: " + this.Response.ServerCertificate.length + ") is different than the one used in CreateChannel (length: " + this.Channel.Channel.ServerCertificate + ")." );
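Review bot: the added `&& this.Channel.Channel.ServerCertificate.length > 0` guard is evaluated after `this.Channel.Channel.ServerCertificate.equals(...)`, so when the channel certificate is null (the trace above shows `data=NULL`) the `.equals` call still runs first; put the length check before the comparison, e.g. `if( this.Channel.Channel.ServerCertificate.length > 0 && !this.Channel.Channel.ServerCertificate.equals( this.Response.ServerCertificate ) )`. The condition also skips the comparison whenever the channel certificate is empty, whereas the Part 4 text quoted in the description only allows ignoring the certificate when the securityPolicyUri is None and none of the UserTokenPolicies requires encryption; the endpoint in the description carries a username_Basic256Sha256 policy, so the exception should test the channel's security policy and the endpoint's UserTokenPolicies rather than the certificate length. Separately, the `addError` message concatenates the certificate object itself (`this.Channel.Channel.ServerCertificate`) instead of its `.length`, which is why the trace prints `size=-1, data=NULL` in a field labelled "length".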

Paul Hunkar (administrator), 2022-11-18 17:13, note ~0018164

The comparison is to the certificate that is returned in GetEndpoints. If you have a user policy in the endpoint (i.e. Username/Password), then your endpoint needs to provide a certificate.

If you think this is not clear in the specification, I would enter an issue on Part 4 to clean up this wording.
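The rule under discussion, both the Part 4 wording quoted in the description and the maintainer's point that an endpoint with a UserName policy must carry a certificate, can be written down as a small decision procedure. The following is an added example and is not code from the UACTT scripts or from the OPC Foundation: it decides whether a client must compare CreateSessionResponse.serverCertificate with the certificate it holds for the endpoint (from GetEndpoints / the OPN response) and reports the outcome. The function names, the endpoint object shape and the certificate bytes are assumptions made for illustration; the first, undetailed UserTokenPolicy from the issue is assumed to be an Anonymous policy.

```javascript
// Added example, not UACTT or OPC Foundation code. Applies the Part 4 rule
// quoted in the issue: the client may ignore the server certificate only if
// the endpoint's securityPolicyUri is None AND no UserTokenPolicy requires
// encryption; otherwise CreateSessionResponse.serverCertificate must equal
// the certificate obtained for the endpoint. Names and shapes are assumptions.

const POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None";
const POLICY_B256S256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

// UserTokenType enumeration values from Part 4.
const UserTokenType = { Anonymous: 0, UserName: 1, Certificate: 2, IssuedToken: 3 };

// A UserTokenPolicy with a null/empty securityPolicyUri inherits the endpoint's
// policy. Anonymous tokens carry no secret, so only the other token types with
// a non-None policy count as "requiring encryption".
function tokenPolicyRequiresEncryption(tokenPolicy, endpointPolicyUri) {
  if (tokenPolicy.tokenType === UserTokenType.Anonymous) return false;
  const effective = tokenPolicy.securityPolicyUri || endpointPolicyUri;
  return effective !== POLICY_NONE;
}

// True unless the endpoint is None AND every UserTokenPolicy is exempt.
function clientMustVerifyServerCertificate(endpoint) {
  if (endpoint.securityPolicyUri !== POLICY_NONE) return true;
  return endpoint.userIdentityTokens.some((p) =>
    tokenPolicyRequiresEncryption(p, endpoint.securityPolicyUri)
  );
}

// endpointCert: certificate the client obtained for this endpoint (null on a
// None channel whose OPN carried no SenderCertificate, as in the issue).
// responseCert: CreateSessionResponse.serverCertificate (may be null).
function checkCreateSessionCertificate(endpoint, endpointCert, responseCert) {
  if (!clientMustVerifyServerCertificate(endpoint)) {
    return { verified: false, ok: true,
      reason: "policy None and no UserTokenPolicy requires encryption: certificate ignored" };
  }
  const expected = endpointCert ? Buffer.from(endpointCert) : Buffer.alloc(0);
  const actual = responseCert ? Buffer.from(responseCert) : Buffer.alloc(0);
  if (expected.length === 0) {
    // The situation in the issue: a UserName policy needs the server
    // certificate to encrypt the password, so the endpoint must provide one.
    return { verified: true, ok: false,
      reason: "a UserTokenPolicy requires encryption but the endpoint provided no certificate" };
  }
  if (!expected.equals(actual)) {
    return { verified: true, ok: false,
      reason: `serverCertificate (length ${actual.length}) differs from endpoint certificate (length ${expected.length})` };
  }
  return { verified: true, ok: true, reason: "serverCertificate matches the endpoint certificate" };
}

// Constructed stand-in for DER bytes; a real certificate would be used here.
const FAKE_SERVER_CERT = Buffer.from("constructed-placeholder-certificate-bytes", "utf8");

// Endpoint from the issue: None policy plus a username_Basic256Sha256 token
// policy. The first policy is not detailed in the issue; assumed Anonymous.
const ENDPOINT_FROM_ISSUE = {
  securityPolicyUri: POLICY_NONE,
  userIdentityTokens: [
    { policyId: "anonymous", tokenType: UserTokenType.Anonymous, securityPolicyUri: null },
    { policyId: "username_Basic256Sha256", tokenType: UserTokenType.UserName,
      securityPolicyUri: POLICY_B256S256 },
  ],
};

// Same endpoint without the UserName policy: the only case where Part 4 lets
// the client ignore the certificate.
const ENDPOINT_ANONYMOUS_ONLY = {
  securityPolicyUri: POLICY_NONE,
  userIdentityTokens: [
    { policyId: "anonymous", tokenType: UserTokenType.Anonymous, securityPolicyUri: null },
  ],
};

// OPN on the None channel carried no certificate, CreateSession returned one.
function evaluateIssueScenario() {
  return checkCreateSessionCertificate(ENDPOINT_FROM_ISSUE, null, FAKE_SERVER_CERT);
}

function evaluateAnonymousOnlyScenario() {
  return checkCreateSessionCertificate(ENDPOINT_ANONYMOUS_ONLY, null, FAKE_SERVER_CERT);
}

function evaluateMatchingScenario() {
  return checkCreateSessionCertificate(ENDPOINT_FROM_ISSUE, FAKE_SERVER_CERT, FAKE_SERVER_CERT);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateIssueScenario());
  console.log(evaluateAnonymousOnlyScenario());
  console.log(evaluateMatchingScenario());
}
```

Run with `node` to print the three outcomes. For the endpoint configuration from the issue the check is required and fails because the endpoint supplied no certificate, which is the ruling in the note above; only the anonymous-only endpoint falls under the "shall ignore" clause.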

Paul Hunkar (administrator), 2023-04-27 15:12, note ~0019245

Agreed in call: no change required, closed issue.

Issue History

Date Modified Username Field Change
2022-09-27 12:42 V. Monfort New Issue
2022-09-27 12:42 V. Monfort File Added: UACTT_reports_different_certificate.pcapng
2022-09-27 13:33 V. Monfort Note Added: 0017849
2022-11-18 17:13 Paul Hunkar Note Added: 0018164
2022-11-18 17:13 Paul Hunkar Assigned To => Paul Hunkar
2022-11-18 17:13 Paul Hunkar Status new => resolved
2022-11-18 17:13 Paul Hunkar Resolution open => no change required
2023-04-27 15:12 Paul Hunkar Status resolved => closed
2023-04-27 15:12 Paul Hunkar Note Added: 0019245