Re: Re: [kmip] Reporting TC errors

[ììí ìì(CSêëí) <sunho.lee@mdsit.co.kr>]

I would like to discuss 'KeyFormatType' and 'Digest.KeyFormatType' in TC-IMPEXP-5-30, Step=2,3 based on the previous TC (TC-CERTATTR-1-21).

https://docs.oasis-open.org/kmip/kmip-testcases/v2.1/cn01/test-cases/kmip-v2.1/TC-CERTATTR-1-21.xml

In TC-CERTATTR-1-21 step=1, the 'KeyFormatType' and 'Digest.KeyFormatType' is 'X.509'.

Is there a reason why this value changed in KMIP Version 3.0?

----- ìë ëìì -----
ëë ìë: Tim Hudson <tjh@cryptsoft.com>
ëë ìë: ììí ìì(CSêëí) <sunho.lee@mdsit.co.kr>
ìì: kmip@lists.oasis-open.org
ëì: 2023-09-13 13:12:11
ìë: Re: [kmip] Reporting TC errors

Responses inline. Thanks for the clear feedback.

On Tue, Sep 12, 2023 at 5:13 PM ììí ìì(CSêëí) <sunho.lee@mdsit.co.kr> wrote:

I found some errors in TC and have contacted you.

---

TC-ASYNC-9-30, Step=2

• 'ResultStatus', ‘ResponsePayload' is Not founded in BatchItem.

<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="QueryAsynchronousRequests"/>
  </BatchItem>
</ResponseMessage>

Corrected - there should ResultStatus=Success and an empty ResponsePayload 

BL-M-20-30, Step=2

• ‘UniqueIdentifier' founded. The Response Payload SHALL be empty.

<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW"/>
    <ServerCorrelationValue type="TextString" value="55EBE18E-02018A04-6"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Obliterate"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0"/>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>

Corrected. Obliterate does not return the UniqueIdentifier value so it should not be present.

 

---

TC-IMPEXP-5-30, Step=2,3

• I thought 'KeyFormatType' should be 'X_509’.
• ‘CryptographicUsageMask' Not founded. Is it okay to not have it?

<ResponseMessage>
    <ResponseHeader>
      <ProtocolVersion>
        <ProtocolVersionMajor type="Integer" value="3" />
        <ProtocolVersionMinor type="Integer" value="0" />
      </ProtocolVersion>
      <TimeStamp type="DateTime" value="$NOW" />
      <ServerCorrelationValue type="TextString" value="B0A32C55-F2D5D57D-6" />
    </ResponseHeader>
    <BatchItem>
      <Operation type="Enumeration" value="Export" />
      <ResultStatus type="Enumeration" value="Success" />
      <ResponsePayload>
        <ObjectType type="Enumeration" value="Certificate" />
        <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0" />
        <Attributes>
          <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0" />
          <ShortUniqueIdentifier type="ByteString" value="$SHORT_UNIQUE_IDENTIFIER_0" />
          <ObjectType type="Enumeration" value="Certificate" />
          <CryptographicAlgorithm type="Enumeration" value="RSA" />
          <CryptographicLength type="Integer" value="2048" />
          <CertificateType type="Enumeration" value="X_509" />
          <CertificateLength type="Integer" value="1043" />
          <X_509CertificateIdentifier>
            <IssuerDistinguishedName type="ByteString" value="3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c" />
            <CertificateSerialNumber type="ByteString" value="020900e31cb99f91cb07ed" />
          </X_509CertificateIdentifier>
          <X_509CertificateSubject>
            <SubjectDistinguishedName type="ByteString" value="3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c" />
          </X_509CertificateSubject>
          <X_509CertificateIssuer>
            <IssuerDistinguishedName type="ByteString" value="3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c" />
          </X_509CertificateIssuer>
          <DigitalSignatureAlgorithm type="Enumeration" value="SHA_256WithRSAEncryption" />
          <Digest>
            <HashingAlgorithm type="Enumeration" value="SHA_256" />
            <DigestValue type="ByteString"
              value="3610018f1b8ffb5172bef76bb81f5a56ca79a8991ea126a6b1fb6678eb758788" />
            <KeyFormatType type="Enumeration" value="Raw" />
          </Digest>
          <KeyFormatType type="Enumeration" value="Raw" />
          <LeaseTime type="Interval" value="3600" />
          <InitialDate type="DateTime" value="$NOW" />
          <State type="Enumeration" value="PreActive" />
          <LastChangeDate type="DateTime" value="$NOW" />
          <Fresh type="Boolean" value="true" />
          <Sensitive type="Boolean" value="false" />
          <AlwaysSensitive type="Boolean" value="false" />
          <Extractable type="Boolean" value="true" />
          <NeverExtractable type="Boolean" value="false" />
          <CertificateSubjectST type="TextString" value="SP" />
          <CertificateSubjectEmail type="TextString" value="Email" />
          <CertificateSubjectC type="TextString" value="AU" />
          <CertificateSubjectL type="TextString" value="L" />
          <CertificateSubjectO type="TextString" value="O" />
          <CertificateSubjectOU type="TextString" value="OU" />
          <CertificateSubjectCN type="TextString" value="CN" />
          <CertificateIssuerST type="TextString" value="SP" />
          <CertificateIssuerEmail type="TextString" value="Email" />
          <CertificateIssuerC type="TextString" value="AU" />
          <CertificateIssuerL type="TextString" value="L" />
          <CertificateIssuerO type="TextString" value="O" />
          <CertificateIssuerOU type="TextString" value="OU" />
          <CertificateIssuerCN type="TextString" value="CN" />
          <ObjectClass type="Enumeration" value="User" />
          <ProtectionStorageMask type="Integer" value="Software" />
        </Attributes>
        <Certificate>
          <CertificateType type="Enumeration" value="X_509" />
          <CertificateValue type="ByteString" value="3082040f308202f7a003020102020900e31cb99f91cb07ed300d06092a864886f70d01010b05003062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c301e170d3130303530313036303831365a170d3132303433303036303831365a3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c30820122300d06092a864886f70d01010105000382010f003082010a0282010100e5b86a3cf3fb109c4622d94fa2883bf6d9098c95e1ba3344bcb50edbfba41741409b9b1931ad674d5164b833f1b1b84434bd8abddce2197f66539832f413cfff32e16cb7e67296525158cc58f085ef6ec87e15de0879534322f690d0766a5c4b0287daf50c5f84b9959ca19537609281ec2d2b3e626be9e94dbfc2cb3d75bd03d964e8379e2c5125817ff72dbee80d06a8d63e25842af38fa1aaf9e493a4ef436c1a3a4400cd4bbcd9d9bcf030d41290f3c3bfa829cff0fbf682453875cfc6b2ab5b6b3315c8281dc13f318aeeb0b05f81ea6042ffedd574b74043c33a11c2aaec2f4cf2a02e9dfd3417acdc43be26a1cf3de2463540cfa621e246de8879f9ef0203010001a381c73081c4301d0603551d0e041604144dd89a6ba988a08aa6f4a8ab5b532edea9338c2c3081940603551d2304818c30818980144dd89a6ba988a08aa6f4a8ab5b532edea9338c2ca166a4643062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c820900e31cb99f91cb07ed300c0603551d13040530030101ff300d06092a864886f70d01010b05000382010100acda7b0c6df7e4f6507c0958f25f6b5e3bfb4de7a36f5c8aacf0664b2aec18ba2d5dda6ae35dfc103eadb1c39a0e4e3166c19eca4a35e96eb6092f74904e67a3a32e127a4f5dba655d16feeb260acb7b7245910e25e689074c057db1e17af58d8df303e5a1e881f72d46226863e2da9b4dc8f443cb5b5114e4c9e1867ce109b016a059a0b27ea3bf912f463e57fcf7b5237f124b787dfa74385cb97c400403e3362077749a8ffbe37cb2675e9db0278c6682b579622f6355acbf71fa968e68a78cf0d6a63a5a8cea8a9b97c8c482d91fa73ee76012e3dd8b379d5e4c132279b1d915c979c48e60e1454a2846e661d5659885c026a523bc613ab21db8b86f9096" />
        </Certificate>
      </ResponsePayload>
    </BatchItem>
  </ResponseMessage>

The Key Format Type should be Raw - it was listed as X_509 which is the Subject Public Key Information format which is not what this is - X_509 does not mean an X_509 certificate - that is communicated in the CertificateType. The Key Format Type is meant to be Raw (i.e. binary).

We need to discuss Cryptographic Usage Mask - the specification notes it as mandatory within the attribute - except for Opaque Objects - but that isn't current practice - and it is also noted for "Keys" in the description and "All Objects" in the Attribute Rules.

We can easily add one in here but its value would only be able to be Verify (there is no other Cryptographic Usage Mask for a Certificate).

 

---

TC-OFFSET-1-30, Step=2,3,4

• I thought 'UniqueIdentifier.type' should be 'Identifier'.
  

<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Locate"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_4"/>
    </ResponsePayload>
  </BatchItem>
  <BatchItem>
    <Operation type="Enumeration" value="GetAttributes"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Reference" value="$UNIQUE_IDENTIFIER_4"/>
      <Attributes>
        <Attribute>
          <VendorIdentification type="TextString" value="x"/>
          <AttributeName type="TextString" value="ID"/>
          <AttributeValue type="TextString" value="TC-OFFSET-1-30-key5"/>
        </Attribute>
      </Attributes>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>

It could be either in this context - but I'll change it to Identifier for consistency with the other test cases.

These updates will all be in the intext version I upload.

Thanks,

Tim.

ììí / êíëì  Sun-ho Lee / Ph.D.

ìììêì / ëëììììëë ëììêì CSêëí   Senior Research Engineer / CyberSecurity Development Team

T +82-31-601-4358   M +82-10-9123-6173   F +82-31-601-4013   E sunho.lee@mdsit.co.kr

(ì)MDSìíëìì (ê (ì)íììíëìì)  www.mdsit.co.kr

13487 êêë ìëì ëëê íêë 228ëê 17 íêìëëìëë 2ëì 1ë 9ì

MDS Intelligence Inc. (Former Hancom Intelligence Inc.)

9F Pangyo Seven Venture Valley, 17, Pangyo-ro 228 beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, 

Republic of Korea 13487

ë ëìê ìëëìë ììì ëì ìí êìë 'ëìêìëì ë ììëëëíì êí ëë'ì ìí ëíì ëìì ëë MDSìíëììëì ëëìëë íííê ìì ì ììëë. ëëì ë ëìê ìë ëìì ííë ìëì ìë ëë ìëë ëëìë ì3ììê êê ëë ëííë íìë ìêí êìíëë. ëì êíê ëìì ìììì ìë êì ë ëìì ëìíê ììí ììê ëëëë.
This mail and attachments contain confidential information of MDS Intelligence Inc. which has its own authority. It is not allowed to disclose or transmit this confidential information to the third parties without the prior written consent of MDS Intelligence Inc. by any form or means. If you are not the intended recipient, please notify the sender immediately and destroy all copies of the original message.