View Issue Details

ID: 0008373
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 1 - Script Issue
View Status: public
Last Update: 2022-11-17 21:27
Reporter: V. Monfort
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Summary0008373: Security User Name Password 015.js (PolicyId unique) seems excessive
Description

The test checks that each PolicyId is completely unique for each endpoint description, without considering that it might be the same UserTokenPolicy used for several combinations.
For example, we might want to add a UserTokenPolicy named username_B256S256 with parameters Username + SP B256S256 in several:

  • Endpoints
  • SecurityChannel SecurityPolicies (B256S256, AES256) in the same endpoint
  • SecurityChannel SecurityModes (Sign, SignAndEncrypt) in the same SecureChannel security policy

It seems a bit excessive to request the server to produce a new PolicyId for a UserTokenPolicy with the exact same parameters reused in several contexts.
Therefore, the only reference to PolicyId I found in the specification is not really precise enough to indicate if it should be allowed or not (Part 4 1.05, Table 196):

This value is only unique within the context of a single Server.

Moreover, this is a rule for all UserTokenTypes.
It means that if it is really required to have a unique PolicyId for each instance of the same UserTokenPolicy (parameters), any instance of the Anonymous token policy should also have a unique PolicyId if used in several EP/SC combinations. I am really not sure it is what we expect here.

Tags: No tags attached.
Files Affected

Activities

Paul Hunkar

2022-11-03 15:47

administrator   ~0018097

Can you provide the actual error being reported by the CTT (the error output)?

V. Monfort

2022-11-03 16:06

reporter   ~0018098

The PolicyId: username, is used for multiple UserIdentityTokens. The PolicyId has to be unique within the server.
Difference found: SecurityUri: , and: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 48
called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/safeInvoke.js line: 104
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 59
The PolicyId: username, is used for multiple UserIdentityTokens. The PolicyId has to be unique within the server.
Difference found: SecurityUri: , and: http://opcfoundation.org/UA/SecurityPolicy#Basic256
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 48
called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/safeInvoke.js line: 104
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 59
The PolicyId: username, is used for multiple UserIdentityTokens. The PolicyId has to be unique within the server.
Difference found: SecurityUri: , and: http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 48
called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/safeInvoke.js line: 104
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 59
The PolicyId: username, is used for multiple UserIdentityTokens. The PolicyId has to be unique within the server.
Difference found: SecurityUri: , and: http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 48
called from: Z:/users/vincent/git/tooling/UACTT_project/library/Base/safeInvoke.js line: 104
called from: Z:/users/vincent/git/tooling/UACTT_project/maintree/Security/Security User Name Password/Test Cases/015.js line: 59
Policies tested: anonymous,username,username_Basic256Sha256

V. Monfort

2022-11-03 17:23

reporter   ~0018100

After a second verification, it seems it occurs only when the UserTokenPolicy SecurityPolicyUri is the default one (empty) and not if we explicitly use the same UserTokenPolicy SecurityPolicyUri, as I stated in the example description. Sorry about that.

In the particular case of the error log provided, the UserTokenPolicy parameters are indeed exactly the same, but the SecurityPolicyUri to use is deduced from the SecureChannel SecurityPolicyUri.
Therefore we are more in a corner case than I thought in the first place, due to the implicit UserTokenPolicy SecurityPolicyUri evaluation.

As a consequence, I guess it might be acceptable to consider those UserTokenPolicies different, since the SecurityPolicyUri becomes implicitly different depending on the SecureChannel configuration it is used on.
You might close this issue if you think it should be the case.
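
As an added illustration (not the CTT's own 015.js script nor any OPC Foundation code), the following JavaScript reproduces the check this thread converges on: an empty UserTokenPolicy SecurityPolicyUri is resolved to the SecureChannel's SecurityPolicyUri before PolicyIds are compared, so a PolicyId is reported only when it maps to more than one distinct (TokenType, effective SecurityPolicyUri) pair. The endpoint data, the endpoint URL and the object field names (securityPolicyUri, userIdentityTokens, securityMode) are constructed for this example and are not taken from the CTT library.

```javascript
// Added example (not the CTT's 015.js): reproduce the PolicyId-uniqueness check
// with the implicit SecurityPolicyUri resolution discussed in this issue.
// All endpoint data below is constructed for illustration.

const SP = {
  None: "http://opcfoundation.org/UA/SecurityPolicy#None",
  Basic256: "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
  Basic256Sha256: "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
  Aes128_Sha256_RsaOaep: "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep",
  Aes256_Sha256_RsaPss: "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss",
};

// UserTokenType enumeration values (OPC UA Part 4).
const UserTokenType = { Anonymous: 0, UserName: 1, Certificate: 2, IssuedToken: 3 };

// An empty UserTokenPolicy.SecurityPolicyUri means "use the SecureChannel's
// SecurityPolicyUri", so one declared policy can resolve differently per endpoint.
function effectiveSecurityPolicyUri(tokenPolicy, endpoint) {
  return tokenPolicy.securityPolicyUri || endpoint.securityPolicyUri;
}

// Group every UserTokenPolicy by PolicyId across all endpoints and return the
// PolicyIds that map to more than one distinct (TokenType, effective URI) pair.
// Reusing one PolicyId with identical effective parameters is not reported.
function findConflictingPolicyIds(endpoints) {
  const variantsById = new Map(); // policyId -> Map(variantKey -> first sighting)
  for (const ep of endpoints) {
    for (const tp of ep.userIdentityTokens) {
      const variant = {
        tokenType: tp.tokenType,
        declaredUri: tp.securityPolicyUri || "",
        effectiveUri: effectiveSecurityPolicyUri(tp, ep),
        seenAt: `${ep.endpointUrl} [${ep.securityMode} / ${ep.securityPolicyUri}]`,
      };
      const key = `${variant.tokenType}|${variant.effectiveUri}`;
      if (!variantsById.has(tp.policyId)) variantsById.set(tp.policyId, new Map());
      const variants = variantsById.get(tp.policyId);
      if (!variants.has(key)) variants.set(key, variant);
    }
  }
  const conflicts = [];
  for (const [policyId, variants] of variantsById) {
    if (variants.size > 1) conflicts.push({ policyId, variants: [...variants.values()] });
  }
  return conflicts;
}

// Human-readable report: one header line per PolicyId, one line per variant.
function formatReport(conflicts) {
  const lines = [];
  for (const c of conflicts) {
    lines.push(`PolicyId "${c.policyId}" is used with ${c.variants.length} different parameter sets:`);
    for (const v of c.variants) {
      lines.push(`  declared SecurityPolicyUri "${v.declaredUri}" -> effective ${v.effectiveUri} (first seen at ${v.seenAt})`);
    }
  }
  return lines;
}

// Constructed server configuration mirroring the issue: the same three
// UserTokenPolicies offered on several SecureChannel policies and modes.
// usernameUri is the declared SecurityPolicyUri of the "username" policy.
function makeEndpoints(usernameUri) {
  const tokens = () => [
    { policyId: "anonymous", tokenType: UserTokenType.Anonymous, securityPolicyUri: SP.None },
    { policyId: "username", tokenType: UserTokenType.UserName, securityPolicyUri: usernameUri },
    { policyId: "username_Basic256Sha256", tokenType: UserTokenType.UserName, securityPolicyUri: SP.Basic256Sha256 },
  ];
  const ep = (securityMode, securityPolicyUri) => ({
    endpointUrl: "opc.tcp://server.example:4840/UA", // constructed URL
    securityMode,
    securityPolicyUri,
    userIdentityTokens: tokens(),
  });
  return [
    ep("Sign", SP.Basic256Sha256),
    ep("SignAndEncrypt", SP.Basic256Sha256), // same channel policy, other mode: no new variant
    ep("SignAndEncrypt", SP.Basic256),
    ep("SignAndEncrypt", SP.Aes128_Sha256_RsaOaep),
    ep("SignAndEncrypt", SP.Aes256_Sha256_RsaPss),
  ];
}

// Empty declared URI: "username" resolves to four different effective policies.
console.log(formatReport(findConflictingPolicyIds(makeEndpoints(""))).join("\n"));
// Explicit declared URI: every reuse carries identical parameters, nothing is reported.
const explicit = findConflictingPolicyIds(makeEndpoints(SP.Basic256Sha256));
console.log(explicit.length === 0 ? "explicit URI: no PolicyId conflicts" : formatReport(explicit).join("\n"));
```

Run with node. With the empty declared URI the report lists the four effective policies for "username" (the same four URIs that appear in the CTT output quoted earlier in this thread), while reusing the id across Sign and SignAndEncrypt on the same channel policy adds no variant; giving the policy an explicit URI clears the report. Changing the anonymous policy's declared URI to "" makes it reported in exactly the same way, which is the point raised in the description about the rule applying to all UserTokenTypes.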

Paul Hunkar

2022-11-17 21:27

administrator   ~0018163

As discussed in the email chain - nothing to fix

Issue History

Date Modified Username Field Change
2022-09-29 16:04 V. Monfort New Issue
2022-11-03 15:47 Paul Hunkar Status new => feedback
2022-11-03 15:47 Paul Hunkar Note Added: 0018097
2022-11-03 16:06 V. Monfort Note Added: 0018098
2022-11-03 16:06 V. Monfort Status feedback => new
2022-11-03 17:23 V. Monfort Note Added: 0018100
2022-11-17 21:27 Paul Hunkar Assigned To => Paul Hunkar
2022-11-17 21:27 Paul Hunkar Status new => closed
2022-11-17 21:27 Paul Hunkar Resolution open => no change required
2022-11-17 21:27 Paul Hunkar Note Added: 0018163