View Issue Details

ID: 0009123
Project: CTT UA Binary
Category: 8 - Package
View Status: public
Last Update: 2023-10-13 15:47
Reporter: Matti Siponen
Assigned To: Yannik Klaass
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.11.0.408
Summary: 0009123: Potential errors in userTokenSignatures
Description

Tested with version OPC UA 1.04 Compliance Test Tool V1.04.11-01.00.503

When attempting to activate a Session with a user certificate trusted by the Server (tested with the SampleConsoleServer sample application bundled with Prosys OPC UA SDK for Java) in Security User X509 001.js, the test fails with a Service Fault containing StatusCode Bad_IdentityTokenRejected. According to the Server, verifying the userTokenSignature has failed. The failing CTT test is using the ctt_usrT.der certificate file. When I use this certificate and its private key as the user certificate in Prosys OPC UA Browser, activating the Session succeeds without any errors.

I attached excerpts from Wireshark that demonstrate the CTT failing to activate the Session and the Browser succeeding in activating the Session using the same user certificate. The algorithms for the Client and UserToken Signatures are the same in the CTT and the Browser.

Tags: No tags attached.
Attached Files
User Cert Error.txt (8,807 bytes)   
CTT

ActivateSessionRequest
    RequestHeader: RequestHeader
        AuthenticationToken: NodeId
            .... 0101 = EncodingMask: Opaque (0x5)
            Namespace Index: 0
            Identifier ByteString: ffc0ca7cabd0791ca7e62d2a21ee2b0c1241a908a12b92a338bea794586235a9
        Timestamp: Aug 21, 2023 11:48:36.750974900 FLE Daylight Time
        RequestHandle: 2
        Return Diagnostics: 0x00000000
            .... .... .... ...0 = ServiceLevel / SymbolicId: False
            .... .... .... ..0. = ServiceLevel / LocalizedText: False
            .... .... .... .0.. = ServiceLevel / AdditionalInfo: False
            .... .... .... 0... = ServiceLevel / Inner StatusCode: False
            .... .... ...0 .... = ServiceLevel / Inner Diagnostics: False
            .... .... ..0. .... = OperationLevel / SymbolicId: False
            .... .... .0.. .... = OperationLevel / LocalizedText: False
            .... .... 0... .... = OperationLevel / AdditionalInfo: False
            .... ...0 .... .... = OperationLevel / Inner StatusCode: False
            .... ..0. .... .... = OperationLevel / Inner Diagnostics: False
        AuditEntryId: 2023-08-21T08:48:36.750Z918391
        TimeoutHint: 20000
        AdditionalHeader: ExtensionObject
            TypeId: ExpandedNodeId
                EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
                    .... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
                    .0.. .... = has server index: False
                    0... .... = has namespace uri: False
                Identifier Numeric: 0
            EncodingMask: 0x00
                .... ...0 = has binary body: False
                .... ..0. = has xml body: False
    ClientSignature: SignatureData
        Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        Signature: 0a0b1fc1ec26b9aec63398ce072bcd0bae60102400f2355b22f0cf390ac1251f75ca6d58…
    ClientSoftwareCertificates: Array of SignedSoftwareCertificate
        ArraySize: -1
    LocaleIds: Array of String
        ArraySize: 1
        [0]: LocaleIds: en
    UserIdentityToken: ExtensionObject
        TypeId: ExpandedNodeId
            EncodingMask: 0x01, EncodingMask: Four byte encoded Numeric
                .... 0001 = EncodingMask: Four byte encoded Numeric (0x1)
                .0.. .... = has server index: False
                0... .... = has namespace uri: False
            Namespace Index: 0
            Identifier Numeric: 327
        EncodingMask: 0x01, has binary body
            .... ...1 = has binary body: True
            .... ..0. = has xml body: False
        X509IdentityToken: X509IdentityToken
            PolicyId: certificate_basic128
            CertificateData: 3082046030820348a003020102021100fc8a1e216c5a6fd25ec1c9aeb659c361300d0609…
    UserTokenSignature: SignatureData
        Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
        Signature: 85e7790437f253a2edb8c2ae17849b7216506a198f056bbf3b716daa42ec8c2099e6af75…

ServiceFault
    ResponseHeader: ResponseHeader
        Timestamp: Aug 21, 2023 11:48:36.752000000 FLE Daylight Time
        RequestHandle: 2
        ServiceResult: 0x80210000 [BadIdentityTokenRejected]
        ServiceDiagnostics: DiagnosticInfo
            EncodingMask: 0x00
                .... ...0 = has symbolic id: False
                .... ..0. = has namespace: False
                .... .0.. = has localizedtext: False
                .... 0... = has locale: False
                ...0 .... = has additional info: False
                ..0. .... = has inner statuscode: False
                .0.. .... = has inner diagnostic info: False
        StringTable: Array of String
            ArraySize: -1
        AdditionalHeader: ExtensionObject
            TypeId: ExpandedNodeId
                EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
                    .... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
                    .0.. .... = has server index: False
                    0... .... = has namespace uri: False
                Identifier Numeric: 0
            EncodingMask: 0x00
                .... ...0 = has binary body: False
                .... ..0. = has xml body: False
BROWSER

ActivateSessionRequest
    RequestHeader: RequestHeader
        AuthenticationToken: NodeId
            .... 0101 = EncodingMask: Opaque (0x5)
            Namespace Index: 0
            Identifier ByteString: 99e203dcb29fbea7dfcb9ba3d3b0f712300339a051b452830a7a098f134c5c7e
        Timestamp: Aug 21, 2023 13:47:48.114000000 FLE Daylight Time
        RequestHandle: 0
        Return Diagnostics: 0x00000000
            .... .... .... ...0 = ServiceLevel / SymbolicId: False
            .... .... .... ..0. = ServiceLevel / LocalizedText: False
            .... .... .... .0.. = ServiceLevel / AdditionalInfo: False
            .... .... .... 0... = ServiceLevel / Inner StatusCode: False
            .... .... ...0 .... = ServiceLevel / Inner Diagnostics: False
            .... .... ..0. .... = OperationLevel / SymbolicId: False
            .... .... .0.. .... = OperationLevel / LocalizedText: False
            .... .... 0... .... = OperationLevel / AdditionalInfo: False
            .... ...0 .... .... = OperationLevel / Inner StatusCode: False
            .... ..0. .... .... = OperationLevel / Inner Diagnostics: False
        AuditEntryId: [OpcUa Null String]
        TimeoutHint: 0
        AdditionalHeader: ExtensionObject
            TypeId: ExpandedNodeId
                EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
                    .... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
                    .0.. .... = has server index: False
                    0... .... = has namespace uri: False
                Identifier Numeric: 0
            EncodingMask: 0x00
                .... ...0 = has binary body: False
                .... ..0. = has xml body: False
    ClientSignature: SignatureData
        Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        Signature: 2fdb0b9a2975dbb781ff2f97560a28cea7dc0d0e3ed4eea8f1d0a39c6d1875fc549ff77b…
    ClientSoftwareCertificates: Array of SignedSoftwareCertificate
        ArraySize: 0
    LocaleIds: Array of String
        ArraySize: 1
        [0]: LocaleIds: en-US
    UserIdentityToken: ExtensionObject
        TypeId: ExpandedNodeId
            EncodingMask: 0x01, EncodingMask: Four byte encoded Numeric
                .... 0001 = EncodingMask: Four byte encoded Numeric (0x1)
                .0.. .... = has server index: False
                0... .... = has namespace uri: False
            Namespace Index: 0
            Identifier Numeric: 327
        EncodingMask: 0x01, has binary body
            .... ...1 = has binary body: True
            .... ..0. = has xml body: False
        X509IdentityToken: X509IdentityToken
            PolicyId: certificate_basic128
            CertificateData: 3082046030820348a003020102021100fc8a1e216c5a6fd25ec1c9aeb659c361300d0609…
    UserTokenSignature: SignatureData
        Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
        Signature: 1b59f212119bbab377df4c42b0530e4e6baf7c7411003cce059e06a2d21e77604b30a0c8…

ActivateSessionResponse
    ResponseHeader: ResponseHeader
        Timestamp: Aug 21, 2023 13:47:48.140000000 FLE Daylight Time
        RequestHandle: 0
        ServiceResult: 0x00000000 [Good]
        ServiceDiagnostics: DiagnosticInfo
            EncodingMask: 0x00
                .... ...0 = has symbolic id: False
                .... ..0. = has namespace: False
                .... .0.. = has localizedtext: False
                .... 0... = has locale: False
                ...0 .... = has additional info: False
                ..0. .... = has inner statuscode: False
                .0.. .... = has inner diagnostic info: False
        StringTable: Array of String
            ArraySize: -1
        AdditionalHeader: ExtensionObject
            TypeId: ExpandedNodeId
                EncodingMask: 0x00, EncodingMask: Two byte encoded Numeric
                    .... 0000 = EncodingMask: Two byte encoded Numeric (0x0)
                    .0.. .... = has server index: False
                    0... .... = has namespace uri: False
                Identifier Numeric: 0
            EncodingMask: 0x00
                .... ...0 = has binary body: False
                .... ..0. = has xml body: False
    ServerNonce: 7ac64c5bcf6158102176ebd3ec83eb4de12203d24c5551cd600b7608d19fc718
    Results: Array of StatusCode
        ArraySize: -1
    DiagnosticInfos: Array of DiagnosticInfo
        ArraySize: -1
Files Affected

Activities

Yannik Klaass

2023-09-11 13:55

developer   ~0019977

Adding code to CttCryptoProviderPrivate::asymmetricSign to initialize and resize pSignature to have the expected size of the expected signature, before signing
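The failure in this report is a UserTokenSignature the Server cannot verify, and the note above attributes it on the CTT side to a signature buffer that was not initialized and sized to the expected signature length before signing. As an added illustration (not CTT, Prosys or OPC Foundation code), the Go program below models both sides of the exchange with the standard library: the client signs serverCertificate || serverNonce with the user's RSA key using rsa-sha1, the algorithm the capture shows under PolicyId certificate_basic128, and the server checks the algorithm URI, the signature length against the RSA modulus size, and the signature itself, answering BadIdentityTokenRejected (0x80210000, as in the ServiceFault above) on any failure. The server certificate bytes and nonces are constructed stand-ins; the truncated and oversized signatures are constructed to stand in for a mis-sized buffer, not a reproduction of the CTT defect; and the public key is passed directly where a real server would extract it from the CertificateData of the X509IdentityToken after its trust check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// OPC UA StatusCode values as they appear on the wire; the ServiceFault in
// the capture carries 0x80210000 [BadIdentityTokenRejected].
const (
	Good                     uint32 = 0x00000000
	BadIdentityTokenRejected uint32 = 0x80210000
)

// Algorithm URI shown in UserTokenSignature in both captures above.
const rsaSha1URI = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

// SignatureData mirrors the OPC UA structure: algorithm URI plus raw bytes.
type SignatureData struct {
	Algorithm string
	Signature []byte
}

// signingInput returns serverCertificate || serverNonce, the data the client
// signs with the user's private key for ActivateSession (OPC UA Part 4).
func signingInput(serverCert, serverNonce []byte) []byte {
	in := make([]byte, 0, len(serverCert)+len(serverNonce))
	in = append(in, serverCert...)
	return append(in, serverNonce...)
}

// signUserToken is the client side: RSA PKCS#1 v1.5 over SHA-1 of the input.
// Go allocates the output itself, so the signature is always one modulus long;
// the note above describes a caller-supplied buffer that was not sized for it.
func signUserToken(userKey *rsa.PrivateKey, serverCert, serverNonce []byte) (SignatureData, error) {
	digest := sha1.Sum(signingInput(serverCert, serverNonce))
	sig, err := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA1, digest[:])
	if err != nil {
		return SignatureData{}, err
	}
	return SignatureData{Algorithm: rsaSha1URI, Signature: sig}, nil
}

// verifyUserToken is the server side. It returns the StatusCode for the
// ServiceFault plus a reason for the server log; the wire response stays as
// opaque as the one in the capture.
func verifyUserToken(userPub *rsa.PublicKey, sig SignatureData, serverCert, serverNonce []byte) (uint32, string) {
	if sig.Algorithm != rsaSha1URI {
		return BadIdentityTokenRejected, "unexpected UserTokenSignature algorithm " + sig.Algorithm
	}
	// A PKCS#1 v1.5 signature is exactly one modulus in length; a buffer that
	// was never sized (or resized) correctly is caught here before any math.
	if len(sig.Signature) != userPub.Size() {
		return BadIdentityTokenRejected, fmt.Sprintf("signature length %d, expected %d", len(sig.Signature), userPub.Size())
	}
	digest := sha1.Sum(signingInput(serverCert, serverNonce))
	if err := rsa.VerifyPKCS1v15(userPub, crypto.SHA1, digest[:], sig.Signature); err != nil {
		return BadIdentityTokenRejected, "signature does not verify: " + err.Error()
	}
	return Good, "ok"
}

// ScenarioResult holds the StatusCode the server returned for each case.
type ScenarioResult struct {
	GoodClient, TruncatedBuffer, OversizedBuffer, StaleNonce uint32
}

// runScenario plays four constructed ActivateSession attempts against the
// same server certificate and nonce.
func runScenario() (ScenarioResult, error) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048) // constructed user key (ctt_usrT stand-in)
	if err != nil {
		return ScenarioResult{}, err
	}
	serverCert := []byte("constructed-server-certificate-DER") // constructed stand-in
	serverNonce := make([]byte, 32)
	if _, err := rand.Read(serverNonce); err != nil {
		return ScenarioResult{}, err
	}
	sig, err := signUserToken(userKey, serverCert, serverNonce)
	if err != nil {
		return ScenarioResult{}, err
	}
	var r ScenarioResult
	r.GoodClient, _ = verifyUserToken(&userKey.PublicKey, sig, serverCert, serverNonce)
	// Buffer sized too small: the signature arrives one byte short.
	short := SignatureData{Algorithm: sig.Algorithm, Signature: sig.Signature[:len(sig.Signature)-1]}
	r.TruncatedBuffer, _ = verifyUserToken(&userKey.PublicKey, short, serverCert, serverNonce)
	// Buffer sized too large: a trailing zero byte is sent along with it.
	long := SignatureData{Algorithm: sig.Algorithm, Signature: append(append([]byte{}, sig.Signature...), 0)}
	r.OversizedBuffer, _ = verifyUserToken(&userKey.PublicKey, long, serverCert, serverNonce)
	// Correct buffer, but the server has since issued a different nonce.
	stale := make([]byte, 32)
	if _, err := rand.Read(stale); err != nil {
		return ScenarioResult{}, err
	}
	r.StaleNonce, _ = verifyUserToken(&userKey.PublicKey, sig, serverCert, stale)
	return r, nil
}

func main() {
	r, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("good client 0x%08X, truncated 0x%08X, oversized 0x%08X, stale nonce 0x%08X\n",
		r.GoodClient, r.TruncatedBuffer, r.OversizedBuffer, r.StaleNonce)
}
```

The explicit length check is what makes a buffer-sizing defect like the one fixed here visible in a server log as "signature length N, expected M" rather than as a bare verification failure, which is the only thing the client ever sees in the ServiceFault.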

Paul Hunkar

2023-10-13 15:47

administrator   ~0020183

agreed to changes and closed issue

Issue History

Date Modified Username Field Change
2023-08-23 10:53 Matti Siponen New Issue
2023-08-23 10:53 Matti Siponen File Added: User Cert Error.txt
2023-09-01 14:52 Paul Hunkar Assigned To => Alexander Allmendinger
2023-09-01 14:52 Paul Hunkar Status new => assigned
2023-09-11 13:52 Yannik Klaass Files Affected => /src/scriptengine/BaseSdk/uapkiprivatekeyclass.cpp, /src/scriptengine/uapki/uacryptoproviderclass.cpp
2023-09-11 13:54 Yannik Klaass Files Affected /src/scriptengine/BaseSdk/uapkiprivatekeyclass.cpp, /src/scriptengine/uapki/uacryptoproviderclass.cpp =>
2023-09-11 13:55 Yannik Klaass Assigned To Alexander Allmendinger => Yannik Klaass
2023-09-11 13:55 Yannik Klaass Status assigned => resolved
2023-09-11 13:55 Yannik Klaass Resolution open => fixed
2023-09-11 13:55 Yannik Klaass Note Added: 0019977
2023-10-13 15:46 Paul Hunkar Project Compliance Test Tool (CTT) Unified Architecture => CTT UA Binary
2023-10-13 15:46 Paul Hunkar Category 1 - Script Issue => 8 - Package
2023-10-13 15:47 Paul Hunkar Status resolved => closed
2023-10-13 15:47 Paul Hunkar Fixed in Version => 1.11.0.408
2023-10-13 15:47 Paul Hunkar Note Added: 0020183