Questions? Contact us |
Generated: 30/20/2020 at 15:30:46 p.m. |
| Test Case Id | Test Type | Keywords | Test Case Description | Test Requirements | Expected Result | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
001 |
CTT | CreateSession() | Call CreateSession to obtain the Server`s Certificate and validate according to UA
Part 4 Specifications Table 101 (Doc Page 95; PDF Page 111). Close the session, if
opened successfully. |
Service Results match those defined in the afore-mentioned table. |
|||||||||||||
|
002 |
CTT | OpenSecureChannel() | Deny server access to revocation information for the issuer certificates: if sever
uses lists, remove them, if it uses online methods (e.g. OCSP), shutdown the connection
to it. Assumption: SuppressRevocationStatusUnknown = cleared; one or both validation settings (CheckRevocationStatusOnline or CheckRevocationStatusOffine) are SET (as applicable).Call OpenSecureChannel using a client certificate signed by a CA trusted by the server. |
OpenSecureChannel returns BadSecurityChecksFailed, but the Server's log reports BadCertificateIssuerRevocationUnknown. | |||||||||||||
|
003 |
Lab | OpenSecureChannel() | Deny server access to revocation information for the issuer certificates: if sever
uses lists, remove them, if it uses online methods (e.g. OCSP), shutdown the connection
to it. Assumption: SuppressRevocationStatusUnknown = SET; one or both validation settings (CheckRevocationStatusOnline or CheckRevocationStatusOffine) are SET (as applicable).Call OpenSecureChannel using a client certificate signed by a CA trusted by the server. |
Good, connection is established. | |||||||||||||
|
004 |
Lab CTT | CreateSession() | Attempt a secure session and send an empty clientCertificate. |
ServiceResult = Bad_SecurityChecksFailed, but the Server's log shows BadCertificateInvalid. | |||||||||||||
|
005 |
Lab CTT | OpenSecureChannel() | Attempt a secure channel and send an untrusted certificate. | ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateUntrusted | |||||||||||||
|
007 |
CTT | OpenSecureChannel() | Attempt a secure Channel and send an expired [trusted] certificate. Assumption: SuppressCertificateExpired is SET. |
Returns Good, and the connection is established. | |||||||||||||
|
007b |
Lab CTT | OpenSecureChannel() | Attempt a secure Channel and send an expired certificate. Assumption: SuppressCertificateExpired is Cleared. |
The CTT test is actually accomplished in test-script 007 (mapped to test-case 007) | Returns BadCertificateTimeInvalid because the certificate is trusted. | ||||||||||||
|
008 |
CTT | OpenSecureChannel() | Attempt a secure Channel and send a not yet valid [trusted] certificate. Assumption: SuppressCertificateExpired is SET. |
Returns Good or BadCertificateTimeInvalid. | |||||||||||||
|
008b |
Lab CTT | Unavailable OpenSecureChannel() | Attempt a secure Channel and send a not yet valid certificate. Assumption: SuppressCertificateExpired is cleared. |
The CTT script implementation is covered in 008.js (mapped to test-case 008) | Returns BadCertificateTimeInvalid, but the Server's log shows BadCertificateTimeInvalid. | ||||||||||||
|
009 |
Lab CTT | OpenSecureChannel() | Attempt a secure Channel and send a certificate that was issued by an unknown (not trusted) CertificateAuthority. | ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateUntrusted | |||||||||||||
|
010 |
Lab CTT | OpenSecureChannel() | Attempt a secure Channel and send a [untrusted] certificate which has an invalid signature. Assumption: CTT uses a certificate which was manually modified, i.e. one character was altered. |
ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateInvalid | |||||||||||||
|
012 |
CTT | Unavailable OpenSecureChannel() CreateSession() | Attempt a secure Channel using one certificate, and then send an empty clientCertificate in CreateSession. | ServiceResult = Good; and the session opens. The server ignores the certificate. |
|||||||||||||
|
013 |
CTT | ActivateSession() | Using an insecure connection (Security=None), activate a session while sending a certificate that has been revoked. | ServiceResult = Good; and the session opens. The server ignores the certificate. |
|||||||||||||
|
020 |
Lab | OpenSecureChannel() | If supported, within the configuration select a certificate and enable “SuppressRevocationStatusUnknown”. |
|
|||||||||||||
|
021 |
Lab | OpenSecureChannel() | If supported, within the configuration select a certificate and enable “CheckRevocationStatusOnline” while making sure “CheckRevocationStatusOffline” is disabled. |
|
|||||||||||||
|
022 |
Lab | OpenSecureChannel() | If supported, within the configuration select a certificate and enable “CheckRevocationStatusOnline” while making sure “CheckRevocationStatusOffline” is enabled. |
|
|||||||||||||
|
023 |
Lab | OpenSecureChannel() | If supported, within the configuration select a certificate and disable “CheckRevocationStatusOnline”
while making sure “CheckRevocationStatusOffline” is disabled. Connect a client whose certificate is issued by a CA but has been revoked. Test with the CA computer being online and offline. |
In any case, the client connection will be permitted and the Server's log will report that validation failed. | |||||||||||||
|
024 |
Lab | OpenSecureChannel() | If supported, within the configuration select a certificate and disable “CheckRevocationStatusOnline”
while making sure “CheckRevocationStatusOffline” is enabled. Connect a client whose certificate is issued by a CA but has been revoked. Test with the CA computer being online and offline. |
If the local CRL indicates that the certificate is revoked then the connection will
be rejected, otherwise the connection will be permitted. ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateRevoked |
|||||||||||||
|
025 |
Lab | CreateSession() | If supported, within the configuration select a certificate and enable “DoNotTrust”. Connect the client (whose certificate was selected). Revert the setting so that it is disabled. Reconnect the same client. |
The first connection will be rejected. The second connection will be permitted. |
|||||||||||||
|
026 |
Lab | CreateSession() | If supported, within the configuration select a CA issuer certificate and enable “DoNotTrust”. Connect any client whose certificate was issued by the CA. Revert the setting so it is disabled. Reconnect the same client. |
The first connection will be rejected. The second connection will be permitted. |
|||||||||||||
|
029 |
Lab CTT | OpenSecureChannel() | Connect a Client that uses a CA certificate – which is intended for issuing certificates and not for use as an Application Instance Certificate. | ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateUseNotAllowed | |||||||||||||
|
031 |
Lab CTT | Unavailable OpenSecureChannel() | Connect a Client whose certificate was issued by a CA where that CA’s certificate has been revoked. | ServiceResult = BadSecurityChecksFailed, but the Server's log shows BadCertificateIssuerRevoked | |||||||||||||
|
032 |
CTT | Unavailable CloseSecureChannel() | Client attempts to establish a secure connection using a Certificate that was issued by a non-CA certificate. | Service result is badSecurityChecksFailed, but the Server’s log reports BadIssuerUseNotAllowed. | |||||||||||||
|
033 |
CTT | OpenSecureChannel() | Attempt to create a connection with the Server using an expired Certificate. The Certificate is NOT trusted by the Server. | Server returns BadSecurityChecks failed because the certificate is not trusted. | |||||||||||||
|
034 |
Lab | Connect to the Server through a NAT/Firewall and review the hostnames/IP addresses within the Certificate. | A NAT/Firewall appliance is needed to do the test. The Server has options that allow it to be configured with external IP/hostnames that can be generated into the certificate. | All possible hostnames and IP addresses are listed. This should also include any externally-available names/IPs too. | |||||||||||||
|
035 |
Lab | Connect to the Server through a NAT/Firewall and review the hostnames/IP addresses within the Certificate. | The Server has options that allow it to be configured with external IP/hostnames that can be generated into the certificate. The CTT has setting(s) for the external Ips/hostnames. | All possible hostnames and IP addresses are listed. This should also include any externally-available names/IPs too which are validated against the settings. | |||||||||||||
|
036 |
Lab | Create an encrypted channel using an issued certificate. The issuer's certificate
hostname is different from the computer being tested. |
The issuer is not yet trusted, so the server will need to validate it. | The server will validate the certificate chain and approve it. The Server will ignore the hostname check in the CA certificate. | |||||||||||||
|
037 |
Lab CTT | Create an encrypted channel using an issued certificate. |
The CRL is not available. | If administrator has disabled "revocation checks" (which they can) then the connection is successful, otherwise validation fails and the connection is not made. | |||||||||||||
|
038 |
CTT | Create an encrpyted channel while specifying a certificate that is trusted, but has been revoked. | Revoked certificate is in the trust list. | Connection is refused with service result BadCertificateRevoked. |
|||||||||||||
|
039 |
CTT | Unavailable UA 1.04 | Pass the certificate into CreateSession and verify the CreateSession.Response.ServerSignature. | Create a ClientCertificate that is Issued by a CA. | The signature validates with the expectation that the LEAF [clientCertificate & clientNonce] was used to compute the signature. | ||||||||||||
|
040 |
CTT | Unavailable UA 1.04 | Connect to the Server using the issued certificate where a CA at the root of a chain is not accessible. | During CTT installation: create a certificate chain using 3 CA's and copy the child/parent CA to the server's trust list. Issue a certificate for the CTT using the 3rd (grandchild) CA. Delete the 1st (grandparent) CA. | Internally the server fails with error BadCertificateChainIncomplete. Publicly, the server fails with error BadSecurityChecksFailed. | ||||||||||||
|
041 |
CTT | Unavailable UA 1.04 | Connect to the Server using the issued certificate where a CA at the middle of a chain is not accessible. | During CTT installation: create a different certificate chain using 3 CA's and copy the grandparent/child CA to the server's trust list. Issue a certificate for the CTT using the 3rd (grandchild) CA. Delete the 2nd (parent) CA. | Internally the server fails with error BadCertificateChainIncomplete. Publicly, the server fails with error BadSecurityChecksFailed. | ||||||||||||
|
042 |
CTT | OpenSecureChannel() UA 1.03 | Connect to the server using an (trusted) issued certificate of a CA that has no revocation
list available. |
If administrator has disabled "revocation checks" (which they can) then
the connection is successful, otherwise validation fails and the connection is not
made. ServiceResult: Good, Bad_CertificateRevocationUnknown |
|||||||||||||
|
043 |
CTT | OpenSecureChannel() UA 1.03 | Connect to the server using an untrusted issued certificate of a trusted CA that has
no revocation list available |
If administrator has disabled "revocation checks" (which they can) then
the connection is successful, otherwise validation fails and the connection is not
made. ServiceResult: Good, Bad_CertificateRevocationUnknown |
|||||||||||||
|
044 |
CTT | OpenSecureChannel() UA 1.03 | Connect to the server using an trusted issued certificate of a CA that is not trusted
but available. |
Good, connection is established. |
|||||||||||||
|
045 |
CTT | OpenSecureChannel() UA 1.03 | Connect to the server using an untrusted issued certificate of a CA that is not trusted
but available. |
Bad_SecurityChecksFailed |
|||||||||||||
|
046 |
CTT | OpenSecureChannel() UA 1.03 | Connect to the server using a not trusted issued certificate of a unknown CA |
Bad_SecurityChecksFailed |
|||||||||||||
|
047 |
CTT | OpenSecureChannel() UA 1.03 | Connect using a Revoked certificate that is not trusted. |
ServiceResults: BadSecurityChecksFailed |
|||||||||||||
|
048 |
CTT | OpenSecureChannel() UA 1.03 | Connect using a trusted client certificate. |
ServiceResult: Good |
|||||||||||||
|
049 |
CTT | OpenSecureChannel() UA 1.03 | Connect using a trusted client certificate (sha1-1024). |
Certificates using the Sha1 Algorithm and only a key length of 1024 are not considered secure any more. This test case assums that it has been enabled by an administrator to allow this kind of certificates for backward compatibility. | ServiceResults: Good, BadSecurityChecksFailed |
||||||||||||
|
050 |
CTT | OpenSecureChannel() UA 1.03 | Connect using a trusted client certificate (sha1-2048). |
Certificates using the Sha1 Algorithm is not considered secure any more. This test case assums that it has been enabled by an administrator to allow this kind of certificates for backward compatibility. | ServiceResults: Good, BadSecurityChecksFailed |
||||||||||||
|
051 |
CTT | OpenSecureChannel() UA 1.03 | Connect using a trusted client certificate (sha256-2048). |
ServiceResult: Good |
|||||||||||||
|
052 |
CTT | OpenSecureChannel() UA 1.03 | Connect using a trusted client certificate (sha256-4096). |
ServiceResult: Good |