View Issue Details

ID: 0009579
Project: Compliance Test Tool (CTT) Unified Architecture
Category: 5 - General Problem
View Status: public
Last Update: 2024-09-18 15:09
Reporter: Uwe Stadelmann
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: always
Status: feedback
Resolution: open
Product Version: 1.04.11-01.00.506
Summary: 0009579: Security Certificate Validation/002.js and others
Description

The application instance certificate is not accepted by the server because of missing extended key usage.

The function certificateValidation002 uses the following application instance certificate:
Settings.Advanced.Certificates.ApplicationInstanceCertificates.ctt_ca1TC_ca2I_appT.

Please see the attached certdump.txt.

It looks like it is generated with the wrong section of openssl.cnf.

I modified openssl.cnf to print different Netscape comments:

===
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate User Cert"
===

In the certdump you can see the Netscape Comment

Netscape Comment:
OpenSSL Generated Certificate User Cert

It seems that a user certificate is used as an application certificate.

Steps To Reproduce

Run test case Security Certificate Validation/002.js

Tags: No tags attached.
Attached Files
certdump.txt (3,469 bytes)   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:26:86:43:e9:b4:a1:70:89:42:8e:15:84:8b:56:c6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Arizona, O = OPC Foundation, CN = ctt_ca1TC_ca2I, DC = lt-homeoffice1
        Validity
            Not Before: Jun 10 11:02:58 2024 GMT
            Not After : Jun 10 11:02:58 2025 GMT
        Subject: C = US, ST = Arizona, O = OPC Foundation, CN = ctt_ca1TC_ca2I_appT, DC = lt-homeoffice1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a0:3a:73:6d:1d:46:31:6f:ff:c2:ef:af:20:06:
                    94:7a:0d:46:39:64:ca:bf:a9:eb:e9:c5:8c:97:1a:
                    7c:ed:68:79:68:2a:5c:56:31:9b:7b:a2:bc:b6:af:
                    47:3f:83:3e:7f:68:e3:cc:5d:cb:83:54:17:90:de:
                    a4:fa:57:8a:26:0e:60:9e:4c:51:ce:97:52:bb:cc:
                    51:23:a7:5b:90:af:45:79:4a:c3:ea:50:6c:eb:5e:
                    1c:b5:2e:02:85:9e:dd:7c:f2:47:49:9c:91:ca:b3:
                    91:ef:57:f7:3c:d6:79:0e:13:8d:39:57:1e:70:a4:
                    d8:ef:87:8c:3f:50:54:97:04:1f:25:71:45:96:03:
                    33:4b:e4:b0:22:7f:4c:fc:9e:34:eb:39:cb:9b:c9:
                    74:c6:b2:95:9a:5d:c6:9b:2b:ce:b7:ed:c5:c6:22:
                    d5:fb:c4:eb:e0:e8:ad:03:ee:d8:9e:76:a3:8d:4f:
                    1a:f4:6b:67:3a:f7:41:57:6c:d3:97:fd:ad:67:e9:
                    3a:fc:9e:d1:a3:a4:24:a0:73:6d:9b:17:ea:61:ac:
                    6d:6b:8c:e6:c5:57:c2:8a:68:b3:b6:81:03:82:df:
                    ee:8a:33:53:e6:3d:9f:84:21:50:c1:c5:cb:f2:2a:
                    3a:58:c4:39:15:1f:ce:8e:67:3b:be:fe:fa:fb:cf:
                    52:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment: 
                OpenSSL Generated Certificate User Cert
            X509v3 Subject Key Identifier: 
                BB:43:93:BC:44:47:B9:50:CD:B5:AB:4C:16:10:90:6F:5E:87:CC:DA
            X509v3 Authority Key Identifier: 
                0B:BE:B9:51:31:40:51:8D:83:B0:93:69:C9:4C:EB:63:E5:4E:13:8F
            X509v3 Subject Alternative Name: 
                URI:urn:lt-homeoffice1:OPCFoundation:UaComplianceTestTool
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        a1:4c:c9:05:a6:48:07:42:29:7d:eb:19:4b:ce:aa:15:a7:90:
        02:94:74:3b:a5:68:a5:6d:c8:11:d2:a5:06:ae:c8:1c:5d:dc:
        73:22:b8:25:05:65:0e:21:3e:8d:8f:68:a9:eb:7d:8a:42:69:
        c4:d4:e3:3d:14:c1:4c:98:89:87:f5:6e:33:f4:f6:45:03:43:
        00:73:4e:02:b6:ef:09:43:4b:ee:9c:53:14:6c:b6:f2:0d:bc:
        77:99:39:12:b1:16:22:ea:9b:72:9f:01:95:cc:9a:56:76:98:
        32:98:9a:5e:de:24:7c:48:ad:07:00:27:dd:ad:6a:09:16:59:
        9e:48:11:53:cc:cd:e3:f8:1c:c0:3c:08:b0:d4:5b:2b:7d:38:
        ed:8a:ab:8a:aa:7c:f3:a5:66:f1:e4:ea:46:1b:2c:4e:d8:af:
        ac:72:ed:06:9e:88:95:ee:93:b7:55:39:24:1b:75:af:7a:02:
        92:7d:cb:eb:30:53:20:13:03:3d:45:e9:74:64:81:8d:cc:2f:
        cc:ca:ce:ab:e5:43:31:f1:df:57:65:24:e4:0d:4b:a9:ef:c7:
        10:78:f8:05:f1:09:cc:87:0c:51:d9:be:b5:58:dc:a4:6a:ac:
        73:76:a6:35:27:14:6d:ae:1b:cc:8b:4f:ff:0a:83:fd:4b:74:
        99:f8:95:fa
Files Affected

Activities

Paul Hunkar

2024-07-04 15:52

administrator   ~0021417

We looked at the certificate and can find no issues with it other than the comment - it appears to be a valid Application Instance certificate? Do you see any actual problems with the certificate other than the Comment being wrong (when you updated the text to include the word User)?

Can you try the latest CTT on a clean machine?
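
The extension check discussed in this issue can be run mechanically against an `openssl x509 -text` dump. The following is an added example, not part of the original report or of the CTT: it parses the "X509v3 extensions" block and reports what is missing. The function names and the policy sets (`REQUIRED_KU`, `ACCEPTED_EKU`) are assumptions modelled on typical OPC UA application instance certificate requirements; the sample is the extensions section of certdump.txt with the key identifiers omitted.

```python
import re

# Constructed sample: extensions section of the attached certdump.txt (key identifiers omitted).
SAMPLE_DUMP = """\
        X509v3 extensions:
            Netscape Comment:
                OpenSSL Generated Certificate User Cert
            X509v3 Subject Alternative Name:
                URI:urn:lt-homeoffice1:OPCFoundation:UaComplianceTestTool
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""
# Assumed policy, not taken from the page: adjust to what your server enforces.
REQUIRED_KU = {"Digital Signature", "Non Repudiation", "Key Encipherment", "Data Encipherment"}
ACCEPTED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}

def parse_extensions(dump):
    """Map extension name -> value text from `openssl x509 -text` output."""
    exts, name, header, level = {}, None, None, None
    for line in dump.splitlines():
        text, indent = line.strip(), len(line) - len(line.lstrip())
        if header is None:
            header = indent if text == "X509v3 extensions:" else None
            continue
        if not text:
            continue
        if indent <= header:          # left the extensions block
            break
        level = indent if level is None else level
        if indent == level:           # extension name line, possibly "...: critical"
            name = re.sub(r"^X509v3 ", "", text.split(":", 1)[0])
            exts[name] = ""
        else:                         # deeper indent: value of the current extension
            exts[name] = (exts[name] + " " + text).strip()
    return exts

def check_app_instance_cert(dump):
    """Return findings; an empty list means the checked extensions are present."""
    exts, findings = parse_extensions(dump), []
    ku = {v.strip() for v in exts.get("Key Usage", "").split(",")}
    if REQUIRED_KU - ku:
        findings.append("Key Usage missing: " + ", ".join(sorted(REQUIRED_KU - ku)))
    if "Extended Key Usage" not in exts:
        findings.append("Extended Key Usage extension is absent")
    elif not ACCEPTED_EKU & {v.strip() for v in exts["Extended Key Usage"].split(",")}:
        findings.append("Extended Key Usage lacks server/client authentication")
    if "URI:" not in exts.get("Subject Alternative Name", ""):
        findings.append("Subject Alternative Name has no application URI")
    return findings
```

Calling `check_app_instance_cert(SAMPLE_DUMP)` returns a single finding, the absent Extended Key Usage extension; Key Usage and the application URI in the Subject Alternative Name pass.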

Issue History

Date Modified Username Field Change
2024-06-10 11:41 Uwe Stadelmann New Issue
2024-06-10 11:41 Uwe Stadelmann File Added: certdump.txt
2024-07-04 15:52 Paul Hunkar Assigned To => Paul Hunkar
2024-07-04 15:52 Paul Hunkar Status new => feedback
2024-07-04 15:52 Paul Hunkar Note Added: 0021417
2024-09-18 15:08 Paul Hunkar Description Updated
2024-09-18 15:09 Paul Hunkar Description Updated