Security Certificate Validation

A certificate is validated as specified in Part 4. This includes, among other checks, examination of its structure and signature. Some validation errors may be suppressed by administration directive.


Generated: 30/20/2020 at 15:30:46 p.m.
Security Certificate Validation - 43 Test Cases
Columns: Test Case Id, Test Type, Keywords, Test Case Description, Test Requirements, Expected Result

001

CTT CreateSession()  Call CreateSession to obtain the Server's Certificate and validate according to UA Part 4 Specifications Table 101 (Doc Page 95; PDF Page 111). Close the session, if opened successfully.
Service Results match those defined in the aforementioned table.

002

CTT OpenSecureChannel()  Deny server access to revocation information for the issuer certificates: if the server uses lists, remove them; if it uses online methods (e.g. OCSP), shut down the connection to it.
Assumption: SuppressRevocationStatusUnknown = cleared; one or both validation settings (CheckRevocationStatusOnline or CheckRevocationStatusOffline) are SET (as applicable). Call OpenSecureChannel using a client certificate signed by a CA trusted by the server.
OpenSecureChannel returns BadSecurityChecksFailed, but the Server's log reports BadCertificateIssuerRevocationUnknown.

003

Lab OpenSecureChannel()  Deny server access to revocation information for the issuer certificates: if the server uses lists, remove them; if it uses online methods (e.g. OCSP), shut down the connection to it.
Assumption: SuppressRevocationStatusUnknown = SET; one or both validation settings (CheckRevocationStatusOnline or CheckRevocationStatusOffline) are SET (as applicable). Call OpenSecureChannel using a client certificate signed by a CA trusted by the server.
Good, connection is established.

004

Lab CTT CreateSession()  Attempt a secure session and send an empty clientCertificate.
ServiceResult = Bad_SecurityChecksFailed, but the Server's log shows BadCertificateInvalid.

005

Lab CTT OpenSecureChannel()  Attempt a secure channel and send an untrusted certificate. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateUntrusted

007

CTT OpenSecureChannel()  Attempt a secure Channel and send an expired [trusted] certificate.
Assumption: SuppressCertificateExpired is SET.
Returns Good, and the connection is established.

007b

Lab CTT OpenSecureChannel()  Attempt a secure Channel and send an expired certificate.
Assumption: SuppressCertificateExpired is Cleared.
The CTT test is actually accomplished in test-script 007 (mapped to test-case 007). Returns BadCertificateTimeInvalid because the certificate is trusted.

008

CTT OpenSecureChannel()  Attempt a secure Channel and send a not yet valid [trusted] certificate.
Assumption: SuppressCertificateExpired is SET.
Returns Good or BadCertificateTimeInvalid.

008b

Lab CTT Unavailable  OpenSecureChannel()  Attempt a secure Channel and send a not yet valid certificate.
Assumption: SuppressCertificateExpired is cleared.
The CTT script implementation is covered in 008.js (mapped to test-case 008). Returns BadCertificateTimeInvalid, but the Server's log shows BadCertificateTimeInvalid.

009

Lab CTT OpenSecureChannel()  Attempt a secure Channel and send a certificate that was issued by an unknown (not trusted) CertificateAuthority. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateUntrusted

010

Lab CTT OpenSecureChannel()  Attempt a secure Channel and send an [untrusted] certificate which has an invalid signature.
Assumption: CTT uses a certificate which was manually modified, i.e. one character was altered.
ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateInvalid

012

CTT Unavailable  OpenSecureChannel()  CreateSession()  Attempt a secure Channel using one certificate, and then send an empty clientCertificate in CreateSession. ServiceResult = Good; and the session opens.
The server ignores the certificate.

013

CTT ActivateSession()  Using an insecure connection (Security=None), activate a session while sending a certificate that has been revoked. ServiceResult = Good; and the session opens.
The server ignores the certificate.

020

Lab OpenSecureChannel()  If supported, within the configuration select a certificate and enable “SuppressRevocationStatusUnknown”.
Step 1
Action: Connect a client whose certificate is issued by a CA, but is revoked.
Expected Result(s): Good, connection is established; the Server's log reports the validation error.

Step 2
Action: Change the server setting so that it is disabled. Connect the same client, as before.
Expected Result(s): ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateRevoked

021

Lab OpenSecureChannel()  If supported, within the configuration select a certificate and enable “CheckRevocationStatusOnline” while making sure “CheckRevocationStatusOffline” is disabled.
Step 1
Action: Connect a client whose certificate is issued by a CA but has been revoked.
Expected Result(s): If the CRL is accessible then the connection will be rejected. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateRevoked.

Step 2
Action: Test with the CA computer being online and offline.
Expected Result(s): If the CA is unavailable then the connection will be allowed and the Server's log will report that validation failed.

Step 3
Action: Test with the CA computer being online and offline.

022

Lab OpenSecureChannel()  If supported, within the configuration select a certificate and enable “CheckRevocationStatusOnline” while making sure “CheckRevocationStatusOffline” is enabled.
Step 1
Action: Connect the client.
Expected Result(s): If the CA is available then the connection will be rejected. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateRevoked

Step 2
Action: Connect a client whose certificate is issued by a CA but has been revoked.
Expected Result(s): If the CA is unavailable then the connection will be rejected if the local CRL also shows the certificate is revoked. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateRevoked.

Step 3
Action: Test with the CA computer being online and offline.

023

Lab OpenSecureChannel()  If supported, within the configuration select a certificate and disable “CheckRevocationStatusOnline” while making sure “CheckRevocationStatusOffline” is disabled.
Connect a client whose certificate is issued by a CA but has been revoked.
Test with the CA computer being online and offline.
In any case, the client connection will be permitted and the Server's log will report that validation failed.

024

Lab OpenSecureChannel()  If supported, within the configuration select a certificate and disable “CheckRevocationStatusOnline” while making sure “CheckRevocationStatusOffline” is enabled.
Connect a client whose certificate is issued by a CA but has been revoked.
Test with the CA computer being online and offline.
If the local CRL indicates that the certificate is revoked then the connection will be rejected, otherwise the connection will be permitted.
ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateRevoked

025

Lab CreateSession()  If supported, within the configuration select a certificate and enable “DoNotTrust”.
Connect the client (whose certificate was selected).
Revert the setting so that it is disabled.
Reconnect the same client.
The first connection will be rejected.
The second connection will be permitted.

026

Lab CreateSession()  If supported, within the configuration select a CA issuer certificate and enable “DoNotTrust”.
Connect any client whose certificate was issued by the CA.
Revert the setting so it is disabled.
Reconnect the same client.
The first connection will be rejected.
The second connection will be permitted.

029

Lab CTT OpenSecureChannel()  Connect a Client that uses a CA certificate – which is intended for issuing certificates and not for use as an Application Instance Certificate. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateUseNotAllowed

031

Lab CTT Unavailable  OpenSecureChannel()  Connect a Client whose certificate was issued by a CA where that CA’s certificate has been revoked. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateIssuerRevoked

032

CTT Unavailable  CloseSecureChannel()  Client attempts to establish a secure connection using a Certificate that was issued by a non-CA certificate. Service result is BadSecurityChecksFailed, but the Server’s log reports BadIssuerUseNotAllowed.

033

CTT OpenSecureChannel()  Attempt to create a connection with the Server using an expired Certificate. The Certificate is NOT trusted by the Server. Server returns BadSecurityChecksFailed because the certificate is not trusted.

034

Lab Connect to the Server through a NAT/Firewall and review the hostnames/IP addresses within the Certificate. A NAT/Firewall appliance is needed to do the test. The Server has options that allow it to be configured with external IP/hostnames that can be generated into the certificate. All possible hostnames and IP addresses are listed. This should also include any externally-available names/IPs too.

035

Lab Connect to the Server through a NAT/Firewall and review the hostnames/IP addresses within the Certificate. The Server has options that allow it to be configured with external IP/hostnames that can be generated into the certificate. The CTT has setting(s) for the external IPs/hostnames. All possible hostnames and IP addresses are listed. This should also include any externally-available names/IPs, which are validated against the settings.

036

Lab Create an encrypted channel using an issued certificate. The issuer's certificate hostname is different from the computer being tested.
The issuer is not yet trusted, so the server will need to validate it. The server will validate the certificate chain and approve it. The Server will ignore the hostname check in the CA certificate.

037

Lab CTT Create an encrypted channel using an issued certificate.
The CRL is not available. If the administrator has disabled "revocation checks" (which they can) then the connection is successful, otherwise validation fails and the connection is not made.

038

CTT Create an encrypted channel while specifying a certificate that is trusted, but has been revoked. Revoked certificate is in the trust list. Connection is refused with service result BadCertificateRevoked.

039

CTT Unavailable  UA 1.04  Pass the certificate into CreateSession and verify the CreateSession.Response.ServerSignature. Create a ClientCertificate that is Issued by a CA. The signature validates with the expectation that the LEAF [clientCertificate & clientNonce] was used to compute the signature.

040

CTT Unavailable  UA 1.04  Connect to the Server using the issued certificate where a CA at the root of a chain is not accessible. During CTT installation: create a certificate chain using 3 CA's and copy the child/parent CA to the server's trust list. Issue a certificate for the CTT using the 3rd (grandchild) CA. Delete the 1st (grandparent) CA. Internally the server fails with error BadCertificateChainIncomplete. Publicly, the server fails with error BadSecurityChecksFailed.

041

CTT Unavailable  UA 1.04  Connect to the Server using the issued certificate where a CA at the middle of a chain is not accessible. During CTT installation: create a different certificate chain using 3 CA's and copy the grandparent/child CA to the server's trust list. Issue a certificate for the CTT using the 3rd (grandchild) CA. Delete the 2nd (parent) CA. Internally the server fails with error BadCertificateChainIncomplete. Publicly, the server fails with error BadSecurityChecksFailed.

042

CTT OpenSecureChannel()  UA 1.03  Connect to the server using a (trusted) issued certificate of a CA that has no revocation list available.
If the administrator has disabled "revocation checks" (which they can) then the connection is successful, otherwise validation fails and the connection is not made.
ServiceResult: Good, Bad_CertificateRevocationUnknown

043

CTT OpenSecureChannel()  UA 1.03  Connect to the server using an untrusted issued certificate of a trusted CA that has no revocation list available.
If the administrator has disabled "revocation checks" (which they can) then the connection is successful, otherwise validation fails and the connection is not made.
ServiceResult: Good, Bad_CertificateRevocationUnknown

044

CTT OpenSecureChannel()  UA 1.03  Connect to the server using a trusted issued certificate of a CA that is not trusted but available.
Good, connection is established.

045

CTT OpenSecureChannel()  UA 1.03  Connect to the server using an untrusted issued certificate of a CA that is not trusted but available.
Bad_SecurityChecksFailed

046

CTT OpenSecureChannel()  UA 1.03  Connect to the server using a not trusted issued certificate of an unknown CA.
Bad_SecurityChecksFailed

047

CTT OpenSecureChannel()  UA 1.03  Connect using a Revoked certificate that is not trusted.
ServiceResults: BadSecurityChecksFailed

048

CTT OpenSecureChannel()  UA 1.03  Connect using a trusted client certificate.
ServiceResult: Good

049

CTT OpenSecureChannel()  UA 1.03  Connect using a trusted client certificate (sha1-1024).
Certificates using the Sha1 Algorithm and only a key length of 1024 are not considered secure any more. This test case assumes that an administrator has enabled this kind of certificate for backward compatibility. ServiceResults: Good, BadSecurityChecksFailed

050

CTT OpenSecureChannel()  UA 1.03  Connect using a trusted client certificate (sha1-2048).
Certificates using the Sha1 Algorithm are not considered secure any more. This test case assumes that an administrator has enabled this kind of certificate for backward compatibility. ServiceResults: Good, BadSecurityChecksFailed

051

CTT OpenSecureChannel()  UA 1.03  Connect using a trusted client certificate (sha256-2048).
ServiceResult: Good

052

CTT OpenSecureChannel()  UA 1.03  Connect using a trusted client certificate (sha256-4096).
ServiceResult: Good