View Issue Details

ID: 0009813
Project: CTT UA Test Case
Category: 4 - Test Case Definition
View Status: public
Last Update: 2025-07-26 09:41
Reporter: Tomi Takala
Assigned To: Sebastian Allmendinger
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0009813: Security User Name Password 006.js test fails with SecurityPolicyNone and empty password
Description

If SecurityPolicyNone is used, no serverNonce is appended to the password field according to:

UserNameIdentityToken: https://reference.opcfoundation.org/Core/Part4/v104/docs/7.36.4
Password field format: https://reference.opcfoundation.org/Core/Part4/v104/docs/7.36.2.2

Test case expects ActivateSessionRequest to fail as the serverNonce is missing.

However, that is standard behaviour if SecurityPolicyNone is used and the request should succeed.

Of course, SecurityPolicyNone is not recommended to be used but, as I understand it, the v1.04 specifications don't forbid using it.

Could the test case take into account the used security policy and, for example, not run the test if SecurityPolicyNone is used or then allow success in that case?

As an additional thing, the test could use the configured password so that it really tests the missing serverNonce and doesn't succeed because BadUserAccessDenied is returned.

Steps To Reproduce

Have user with empty password configured in UACTT settings.
Have a server that has only SecurityPolicyNone supported.
Run the test case.

Additional Information

Actually the product version that I'm using seems to be 1.04.11.508 but that wasn't available in the drop down.

Wireshark log and test log attached.

Tags: No tags attached.
Attached Files
Security_User_Name_Password_006.txt (10,928 bytes)   
AuditThread::Start args = false
GetEndpoints( LocaleIds #0; ProfileUris #0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CreateSession( EndpointUrl=opc.tcp://192.168.1.202:4840/; SessionName: UaCttSession_1; RequestedSessionTimeout: 60000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
buildUserNameIdentityToken - password not encrypted!
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
ActivateSession( LocaleIds #1; UserIdentityToken: open62541-username-policy-none#None ( ClientSignature=, UserTokenSignature= ) ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #2; TimestampsToReturn: 1; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Obtaining the ServerCapabilities...
Read( NodesToRead #12; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #12; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #3; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #3; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #7; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #7; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #4; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #4; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #2; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #2; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #7; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #7; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #4; TimestampsToReturn: 2; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSession().Result: Good (0x00000000)
CloseSession( DeleteSubscriptions=true ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSecureChannel(); Result = Good (0x00000000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CreateSession( EndpointUrl=opc.tcp://192.168.1.202:4840/; SessionName: UaCttSession_2; RequestedSessionTimeout: 60000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
buildUserNameIdentityToken - password not encrypted!
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
ActivateSession( LocaleIds #1; UserIdentityToken: open62541-username-policy-none#None ( ClientSignature=, UserTokenSignature= ) ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #2; TimestampsToReturn: 1; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Calling BuildCacheMap Loop Count 1
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSession().Result: Good (0x00000000)
CloseSession( DeleteSubscriptions=true ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSecureChannel(); Result = Good (0x00000000)
Time in BuildCacheMap = 0 seconds
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CreateSession( EndpointUrl=opc.tcp://192.168.1.202:4840/; SessionName: UaCttSession_3; RequestedSessionTimeout: 60000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSession().Result: Good (0x00000000)
CloseSession( DeleteSubscriptions=true ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSecureChannel(); Result = Good (0x00000000)



***** CONFORMANCE UNIT 'Security User Name Password' INITIALIZATION COMPLETE - TESTS STARTING ******



	~~~ START OF TEST [username006] ~~~

Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CreateSession( EndpointUrl=opc.tcp://192.168.1.202:4840/; SessionName: UaCttSession_4; RequestedSessionTimeout: 60000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSession().Result: Good (0x00000000)
CloseSession( DeleteSubscriptions=true ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CreateSession( EndpointUrl=opc.tcp://192.168.1.202:4840/; SessionName: UaCttSession_5; RequestedSessionTimeout: 60000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
buildUserNameIdentityToken - password not encrypted!
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
ActivateSession( LocaleIds #1; UserIdentityToken: open62541-username-policy-none#None ( ClientSignature=, UserTokenSignature= ) ).Response.ResponseHeader.ServiceResult: Good (0x00000000); would've accepted: Expected: BadIdentityTokenRejected (0x80210000) or BadUserAccessDenied (0x801f0000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSession().Result: Good (0x00000000)
CloseSession( DeleteSubscriptions=true ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSecureChannel(); Result = Good (0x00000000)


	~~~ END OF TEST [username006] ~~~




***** CONFORMANCE UNIT 'Security User Name Password' TEST SCRIPTS COMPLETE ******




***** CONFORMANCE UNIT 'Security User Name Password' TESTING COMPLETE ******

Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
OpenSecureChannel( MessageSecurityMode: None; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None ); Result = Good (0x00000000)
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CreateSession( EndpointUrl=opc.tcp://192.168.1.202:4840/; SessionName: UaCttSession_6; RequestedSessionTimeout: 60000 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
buildUserNameIdentityToken - password not encrypted!
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
ActivateSession( LocaleIds #1; UserIdentityToken: open62541-username-policy-none#None ( ClientSignature=, UserTokenSignature= ) ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Read( NodesToRead #2; TimestampsToReturn: 1; MaxAge: 0 ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.


	~~~ START OF TEST [CheckAllUAServices] ~~~

Discovery =>
	FindServers() => Implemented
	GetEndpoints() => Implemented
	RegisterServer() => NotImplemented
Session =>
	CreateSession() => Implemented
	ActivateSession() => Implemented
	CloseSession() => Implemented
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
	Cancel() => Implemented
NodeManagement =>
	AddNodes() => NotImplemented
	AddReferences() => NotImplemented
	DeleteNodes() => NotImplemented
	DeleteReferences() => NotImplemented
View =>
	Browse() => Implemented
	BrowseNext() => Implemented
	TranslateBrowsePathsToNodeIds() => Implemented
	RegisteredNodes() => Implemented
	UnregisterNodes() => Implemented
Query =>
	QueryFirst() => NotImplemented
	QueryNext() => NotImplemented
Attribute =>
	Read() => Implemented
	HistoryRead() => NotImplemented
	Write() => Implemented
	HistoryUpdate() => NotImplemented
Method =>
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
	Call() => Implemented
MonitoredItem =>
	CreateMonitoredItems() => Implemented
	ModifyMonitoredItems() => Implemented
	SetMonitoringMode() => Implemented
	SetTriggering() => Implemented
	DeleteMonitoredItems() => Implemented
Subscription =>
	CreateSubscription() => Implemented
	ModifySubscription() => Implemented
	SetPublishingMode() => Implemented
	Publish() => Implemented
	Republish() => Implemented
	TransferSubscription.Response.Results[0] = BadSubscriptionIdInvalid (0x80280000) BadSubscriptionIdInvalid (0x80280000)
	TransferSubscriptions() => Implemented
	DeleteSubscriptions() => Implemented


	~~~ END OF TEST [CheckAllUAServices] ~~~

Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSession().Result: Good (0x00000000)
CloseSession( DeleteSubscriptions=true ).Response.ResponseHeader.ServiceResult: Good (0x00000000) as expected.
Audit::PushAuditRecord - Thread and/or Subscription id is not initialized yet
CloseSecureChannel(); Result = Good (0x00000000)
******************************************
	COMPLIANCE TEST RUN COMPLETE
******************************************
	FINAL REPORT
******************************************
	UA SERVICES TESTED
******************************************
	Sessions Used: 6
	******************************************
Files Affected

Relationships

related to 0010451 (resolved, Sebastian Allmendinger), CTT UA Scripts: Security User Name Password 006.js test fails with SecurityPolicyNone and empty password

Activities

Paul Hunkar

2025-07-17 15:39

administrator   ~0023134

Agreed in call that the Nonce needs to be included; we believe this is no script changes

Sebastian Allmendinger

2025-07-23 07:08

developer   ~0023161

This issue may require another discussion before closing it.

Part 4, 7.41.4 UserNameIdentityToken
[...] For passwords that do not exceed 64 bytes, it is encrypted and serialized as described in 7.41.2.2. [...]

Part 4, 7.41.2.2 Legacy Encrypted Token Secret Format
[...] If no encryption is applied, the structure is not used and only the secret without any Nonce is passed to the Server. [...]

Paul Hunkar

2025-07-24 14:22

administrator   ~0023162

After additional review - the nonce only needs to be included in some cases - this testing becomes much more complicated to cover all cases (probably additional test cases) - but for this specific test a simple update is ok.

Sebastian Allmendinger

2025-07-26 09:41

developer   ~0023166

The test case has been updated in the current test database and in the test database for 1.05:

The following section has been added to the ExpectedResults:
Exception:
If the UserIdentityToken is unencrypted, then the expected ServiceResult is Good (if an empty password is correct for the configured user) or either Bad_UserAccessDenied or Bad_UserIdentityTokenRejected.
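
The password-field rule this thread turns on, as an added example that is not part of the issue, the CTT scripts or any server's code: it builds and parses the token secret with and without the legacy length/nonce structure and lists the results the updated test case accepts. Function names, the fixed sample nonce, the choice of Basic256Sha256 as the encrypting policy and the status returned for a malformed secret are assumptions; the encryption step itself is left out, so the functions work on the plaintext that would be handed to the cipher.

```javascript
// Added example; function names are hypothetical, not CTT or server APIs.
const POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None";
const POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

// Client: bytes that go into UserNameIdentityToken.password before any encryption.
function buildTokenSecret(password, serverNonce, policyUri) {
  const secret = Buffer.from(password, "utf8");
  if (policyUri === POLICY_NONE) return secret; // structure unused, no nonce
  const length = Buffer.alloc(4);
  length.writeUInt32LE(secret.length + serverNonce.length, 0); // excludes itself
  return Buffer.concat([length, secret, serverNonce]);
}

// Server: recover the password from the plain (or already decrypted) bytes.
// Returning BadIdentityTokenRejected on a malformed secret is an assumption.
function parseTokenSecret(bytes, serverNonce, policyUri) {
  if (policyUri === POLICY_NONE) {
    return { status: "Good", password: bytes.toString("utf8") };
  }
  const rejected = { status: "BadIdentityTokenRejected" };
  if (bytes.length < 4) return rejected;
  const length = bytes.readUInt32LE(0);
  if (length !== bytes.length - 4 || length < serverNonce.length) return rejected;
  const split = bytes.length - serverNonce.length;
  if (!bytes.subarray(split).equals(serverNonce)) return rejected;
  return { status: "Good", password: bytes.subarray(4, split).toString("utf8") };
}

// Test side: results accepted for the request that omits the nonce.
function acceptableResults(tokenEncrypted, emptyPasswordIsValid) {
  const bad = ["BadIdentityTokenRejected", "BadUserAccessDenied"];
  return !tokenEncrypted && emptyPasswordIsValid ? ["Good", ...bad] : bad;
}

// Constructed sample: empty password, 32-byte nonce (fixed bytes, not random).
const sampleNonce = Buffer.alloc(32, 0xa5);
const noNonce = Buffer.alloc(0);

function demo() {
  const run = (nonceSent, policy) =>
    parseTokenSecret(buildTokenSecret("", nonceSent, policy), sampleNonce, policy);
  return {
    none: run(noNonce, POLICY_NONE),         // what the attached log shows
    withNonce: run(sampleNonce, POLICY_B256), // well-formed encrypted-policy secret
    nonceOmitted: run(noNonce, POLICY_B256),  // the case test 006 is meant to probe
  };
}
```
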

Issue History

Date Modified Username Field Change
2024-09-03 09:37 Tomi Takala New Issue
2024-09-03 09:37 Tomi Takala File Added: Security_User_Name_Password_006.txt
2024-09-03 09:37 Tomi Takala File Added: CTT_Security_User_Name_Password_006.pcapng
2025-04-10 15:39 Paul Hunkar Project CTT UA Test Case => CTT UA Scripts
2025-04-10 15:40 Paul Hunkar Product Version 1.04.11.502 => 1.04.508
2025-07-17 15:39 Paul Hunkar Note Added: 0023134
2025-07-17 15:39 Paul Hunkar Assigned To => Sebastian Allmendinger
2025-07-17 15:39 Paul Hunkar Status new => assigned
2025-07-23 07:08 Sebastian Allmendinger Note Added: 0023161
2025-07-24 14:22 Paul Hunkar Note Added: 0023162
2025-07-26 08:34 Sebastian Allmendinger Issue cloned: 0010451
2025-07-26 08:34 Sebastian Allmendinger Relationship added related to 0010451
2025-07-26 08:35 Sebastian Allmendinger Project CTT UA Scripts => CTT UA Test Case
2025-07-26 09:41 Sebastian Allmendinger Status assigned => resolved
2025-07-26 09:41 Sebastian Allmendinger Resolution open => fixed
2025-07-26 09:41 Sebastian Allmendinger Note Added: 0023166