
Subject: Re: Re: [kmip] Reporting TC errors


A good topic for discussion in the next KMIP TC meeting.
Those previous tests were in error - the KeyFormatType should not have been X.509 for those.

You can also see that TC-CERTATTR-1-30 has been corrected.

Tim.


On Fri, Sep 15, 2023 at 1:57 PM Sun-ho Lee (CS Development Team) <sunho.lee@mdsit.co.kr> wrote:

I would like to discuss 'KeyFormatType' and 'Digest.KeyFormatType' in TC-IMPEXP-5-30, Step=2,3 based on the previous TC (TC-CERTATTR-1-21).

https://docs.oasis-open.org/kmip/kmip-testcases/v2.1/cn01/test-cases/kmip-v2.1/TC-CERTATTR-1-21.xml


In TC-CERTATTR-1-21 step=1, the 'KeyFormatType' and 'Digest.KeyFormatType' are 'X.509'.

Is there a reason why this value changed in KMIP Version 3.0?

----- Original Message -----
From: Tim Hudson <tjh@cryptsoft.com>
To: Sun-ho Lee (CS Development Team) <sunho.lee@mdsit.co.kr>
Cc: kmip@lists.oasis-open.org
Date: 2023-09-13 13:12:11
Subject: Re: [kmip] Reporting TC errors


Responses inline. Thanks for the clear feedback.

On Tue, Sep 12, 2023 at 5:13 PM Sun-ho Lee (CS Development Team) <sunho.lee@mdsit.co.kr> wrote:

I found some errors in TC and have contacted you.



TC-ASYNC-9-30, Step=2

  • 'ResultStatus' and 'ResponsePayload' are not found in BatchItem.

<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="QueryAsynchronousRequests"/>
  </BatchItem>
</ResponseMessage>


Corrected - there should be ResultStatus=Success and an empty ResponsePayload.


BL-M-20-30, Step=2

  • 'UniqueIdentifier' found. The Response Payload SHALL be empty.

<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW"/>
    <ServerCorrelationValue type="TextString" value="55EBE18E-02018A04-6"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Obliterate"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0"/>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>



Corrected. Obliterate does not return the UniqueIdentifier value so it should not be present.


TC-IMPEXP-5-30, Step=2,3

  • I thought 'KeyFormatType' should be 'X_509'.
  • 'CryptographicUsageMask' not found. Is it okay to not have it?


<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3" />
      <ProtocolVersionMinor type="Integer" value="0" />
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW" />
    <ServerCorrelationValue type="TextString" value="B0A32C55-F2D5D57D-6" />
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Export" />
    <ResultStatus type="Enumeration" value="Success" />
    <ResponsePayload>
      <ObjectType type="Enumeration" value="Certificate" />
      <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0" />
      <Attributes>
        <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0" />
        <ShortUniqueIdentifier type="ByteString" value="$SHORT_UNIQUE_IDENTIFIER_0" />
        <ObjectType type="Enumeration" value="Certificate" />
        <CryptographicAlgorithm type="Enumeration" value="RSA" />
        <CryptographicLength type="Integer" value="2048" />
        <CertificateType type="Enumeration" value="X_509" />
        <CertificateLength type="Integer" value="1043" />
        <X_509CertificateIdentifier>
          <IssuerDistinguishedName type="ByteString" value="3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c" />
          <CertificateSerialNumber type="ByteString" value="020900e31cb99f91cb07ed" />
        </X_509CertificateIdentifier>
        <X_509CertificateSubject>
          <SubjectDistinguishedName type="ByteString" value="3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c" />
        </X_509CertificateSubject>
        <X_509CertificateIssuer>
          <IssuerDistinguishedName type="ByteString" value="3062310b3009060355040613024155310b3009060355040813025350310a3008060355040713014c310a3008060355040a13014f310b3009060355040b13024f55310b300906035504031302434e3114301206092a864886f70d0109011605456d61696c" />
        </X_509CertificateIssuer>
        <DigitalSignatureAlgorithm type="Enumeration" value="SHA_256WithRSAEncryption" />
        <Digest>
          <HashingAlgorithm type="Enumeration" value="SHA_256" />
          <DigestValue type="ByteString" value="3610018f1b8ffb5172bef76bb81f5a56ca79a8991ea126a6b1fb6678eb758788" />
          <KeyFormatType type="Enumeration" value="Raw" />
        </Digest>
        <KeyFormatType type="Enumeration" value="Raw" />
        <LeaseTime type="Interval" value="3600" />
        <InitialDate type="DateTime" value="$NOW" />
        <State type="Enumeration" value="PreActive" />
        <LastChangeDate type="DateTime" value="$NOW" />
        <Fresh type="Boolean" value="true" />
        <Sensitive type="Boolean" value="false" />
        <AlwaysSensitive type="Boolean" value="false" />
        <Extractable type="Boolean" value="true" />
        <NeverExtractable type="Boolean" value="false" />
        <CertificateSubjectST type="TextString" value="SP" />
        <CertificateSubjectEmail type="TextString" value="Email" />
        <CertificateSubjectC type="TextString" value="AU" />
        <CertificateSubjectL type="TextString" value="L" />
        <CertificateSubjectO type="TextString" value="O" />
        <CertificateSubjectOU type="TextString" value="OU" />
        <CertificateSubjectCN type="TextString" value="CN" />
        <CertificateIssuerST type="TextString" value="SP" />
        <CertificateIssuerEmail type="TextString" value="Email" />
        <CertificateIssuerC type="TextString" value="AU" />
        <CertificateIssuerL type="TextString" value="L" />
        <CertificateIssuerO type="TextString" value="O" />
        <CertificateIssuerOU type="TextString" value="OU" />
        <CertificateIssuerCN type="TextString" value="CN" />
        <ObjectClass type="Enumeration" value="User" />
        <ProtectionStorageMask type="Integer" value="Software" />
      </Attributes>
      <Certificate>
        <CertificateType type="Enumeration" value="X_509" />
        <CertificateValue type="ByteString" value="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" />
      </Certificate>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>


The Key Format Type should be Raw - it was listed as X_509 which is the Subject Public Key Information format which is not what this is - X_509 does not mean an X_509 certificate - that is communicated in the CertificateType. The Key Format Type is meant to be Raw (i.e. binary).

We need to discuss Cryptographic Usage Mask - the specification notes it as mandatory within the attribute - except for Opaque Objects - but that isn't current practice - and it is also noted for "Keys" in the description and "All Objects" in the Attribute Rules.

We can easily add one in here but its value would only be able to be Verify (there is no other Cryptographic Usage Mask for a Certificate).



TC-OFFSET-1-30, Step=2,3,4

  • I thought 'UniqueIdentifier.type' should be 'Identifier'.

<ResponseMessage>
  <ResponseHeader>
    <ProtocolVersion>
      <ProtocolVersionMajor type="Integer" value="3"/>
      <ProtocolVersionMinor type="Integer" value="0"/>
    </ProtocolVersion>
    <TimeStamp type="DateTime" value="$NOW"/>
  </ResponseHeader>
  <BatchItem>
    <Operation type="Enumeration" value="Locate"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_4"/>
    </ResponsePayload>
  </BatchItem>
  <BatchItem>
    <Operation type="Enumeration" value="GetAttributes"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Reference" value="$UNIQUE_IDENTIFIER_4"/>
      <Attributes>
        <Attribute>
          <VendorIdentification type="TextString" value="x"/>
          <AttributeName type="TextString" value="ID"/>
          <AttributeValue type="TextString" value="TC-OFFSET-1-30-key5"/>
        </Attribute>
      </Attributes>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>


It could be either in this context - but I'll change it to Identifier for consistency with the other test cases.

These updates will all be in the intext version I upload.

Thanks,
Tim.







Sun-ho Lee / Ph.D.
Senior Research Engineer / CyberSecurity Development Team
T +82-31-601-4358   M +82-10-9123-6173   F +82-31-601-4013   E sunho.lee@mdsit.co.kr
MDS Intelligence Inc. (Former Hancom Intelligence Inc.)   www.mdsit.co.kr
9F Pangyo Seven Venture Valley, 17, Pangyo-ro 228 beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea 13487
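As an added illustration (not part of this thread or of the KMIP test-case suite), a small Python checker that applies the three rules discussed above to a response message in the test-case XML form: every BatchItem needs a ResultStatus and a ResponsePayload, an Obliterate payload must be empty, and a Certificate's KeyFormatType (including Digest.KeyFormatType) must be Raw rather than X_509, with CryptographicUsageMask flagged when absent. The sample message, check_response and the finding strings are constructed here.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the thread's test-case XML style (not a real KMIP test case): an
# item with no status/payload, an Obliterate wrongly returning a UniqueIdentifier, and a
# Certificate export with KeyFormatType X_509 and no CryptographicUsageMask.
SAMPLE = """<ResponseMessage>
  <BatchItem>
    <Operation type="Enumeration" value="QueryAsynchronousRequests"/>
  </BatchItem>
  <BatchItem>
    <Operation type="Enumeration" value="Obliterate"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <UniqueIdentifier type="Identifier" value="$UNIQUE_IDENTIFIER_0"/>
    </ResponsePayload>
  </BatchItem>
  <BatchItem>
    <Operation type="Enumeration" value="Export"/>
    <ResultStatus type="Enumeration" value="Success"/>
    <ResponsePayload>
      <ObjectType type="Enumeration" value="Certificate"/>
      <Attributes>
        <Digest><KeyFormatType type="Enumeration" value="X_509"/></Digest>
        <KeyFormatType type="Enumeration" value="X_509"/>
      </Attributes>
    </ResponsePayload>
  </BatchItem>
</ResponseMessage>"""

def check_response(xml_text):
    """Return (batch_index, operation, problem) tuples for the rules raised in the thread."""
    findings = []
    for i, item in enumerate(ET.fromstring(xml_text).findall("BatchItem")):
        op = item.find("Operation").get("value")  # every batch item carries Operation
        missing = [t for t in ("ResultStatus", "ResponsePayload") if item.find(t) is None]
        if missing:
            findings.append((i, op, "missing " + ", ".join(missing)))
            continue
        payload = item.find("ResponsePayload")
        # Obliterate does not return the UniqueIdentifier, so its payload must be empty.
        if op == "Obliterate" and len(payload):
            findings.append((i, op, "Obliterate ResponsePayload must be empty"))
        obj, attrs = payload.find("ObjectType"), payload.find("Attributes")
        if obj is None or obj.get("value") != "Certificate" or attrs is None:
            continue
        # X_509 as Key Format Type means SubjectPublicKeyInfo; a Certificate (and its
        # Digest.KeyFormatType) uses Raw. iter() visits the nested Digest copy too.
        for kft in attrs.iter("KeyFormatType"):
            if kft.get("value") != "Raw":
                findings.append((i, op, "KeyFormatType %s, expected Raw" % kft.get("value")))
        if attrs.find("CryptographicUsageMask") is None:
            findings.append((i, op, "CryptographicUsageMask absent"))
    return findings
```

Running check_response(SAMPLE) reports the missing status/payload on item 0, the non-empty Obliterate payload on item 1, and two X_509 KeyFormatType findings plus the absent usage mask on item 2.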


