Software Current Tests - Bug 841 (Cert Login Problem)
2011-07-06 00:00 - Bug 841 last updated
Background Information, Instructions, Test Matrix
Testserver Links
Testserver 1: http://cacert1.it-sls.de
9.1 Patch
9.2 Developer: u60
9.3 Purpose of patch: 0000841: Problems on cert login with "duplicate" serial numbers
9.4 Patch area: Cert login, account matching
9.5 Patch testing requirements: Client cert login enabled, logged in
9.6 Remarks:
Test scenario:
1. Create one client cert each, class 1 and class 3.
2. Check the serial numbers of the class 1 and the class 3 cert.
3. Create more client certs under the issuer with the lower serial number until it reaches the serial number of the other issuer.
4. Continue issuing class 1 and class 3 certs with different user accounts, different names and different email addresses.
5. Check whether duplicate serial numbers have been created for class 1 and class 3, e.g. 10:0C = 10:0C.
6. Do a client cert login with the class 1 cert and with the class 3 cert.
7. Check that the cert identified by serial number and issuer matches the cert-to-account relation, i.e. the login lands in the account the cert was issued for.
Bug 841 - more info
Instructions and Sample Test Matrix for Software Testers
Introduction
The cert login bug revealed a problem that is not a real issue in the production environment yet, but may become one some day.
The problem relates to the mapping from a client cert to an account: certs issued by the class 1 root and by the class 3 CA are numbered independently, so the same serial number can occur under both issuers, and a lookup that uses the serial number alone can match a cert to the wrong account.
Username   Root-issued cert   Class 3-issued cert
           serial #           serial #
User 1     10:00
User 2     10:01
User 3     10:02
User 4                        10:00   <-- same serial as User 1's root cert
User 5     10:03
User 6                        10:01   <-- same serial as User 2's root cert
User 7                        10:03   <-- same serial as User 5's root cert

If User 6 logs in with the client cert with serial number 10:01, the cert may be linked to the account of User 2. The same may happen if User 7 tries a cert login with the cert with serial # 10:03 (it may match the account of User 5), or if User 4 tries to log in with the cert with serial # 10:00 and is linked to the account of User 1. In each case the serial number is the same; only the issuer differs.
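The lookup behind the diagram, modelled in Python as an added example (this is not the CAcert web application's own code). The issuer names are the ones shown for the test-server certs on this page, and the account table is constructed from the Username / Root / Class 3 diagram above; the accounts, serials and issuer strings are otherwise assumptions for illustration. `match_by_serial_only` reproduces the bug, `match_by_issuer_and_serial` does what the fix has to do, and `find_serial_collisions` performs step 5 of the test scenario on the table:

```python
"""Model of client-cert -> account matching for bug 841 (added example, not CAcert code).

The issuer names come from the test-server certs listed on this page; the
account table is constructed from the Username / Root / Class 3 diagram above.
"""
from dataclasses import dataclass

CLASS1_ISSUER = "CAcert Testserver Root"      # class 1 issuer as shown on the test server
CLASS3_ISSUER = "CAcert Testserver Class 3"   # class 3 issuer as shown on the test server


@dataclass(frozen=True)
class ClientCert:
    issuer: str
    serial: str    # as displayed by the test server, e.g. "10:01"
    account: str   # the account the cert was issued for


# Constructed from the diagram: three class 3 serials repeat class 1 serials.
ACCOUNT_CERTS = [
    ClientCert(CLASS1_ISSUER, "10:00", "User 1"),
    ClientCert(CLASS1_ISSUER, "10:01", "User 2"),
    ClientCert(CLASS1_ISSUER, "10:02", "User 3"),
    ClientCert(CLASS3_ISSUER, "10:00", "User 4"),
    ClientCert(CLASS1_ISSUER, "10:03", "User 5"),
    ClientCert(CLASS3_ISSUER, "10:01", "User 6"),
    ClientCert(CLASS3_ISSUER, "10:03", "User 7"),
]


def normalize_serial(text: str) -> int:
    """Compare serials as integers: '10:01' (CAcert UI), '1001' (openssl -serial)
    and '0x1001' are the same serial, so a plain string comparison would miss matches."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return int(text.replace(":", ""), 16)


def format_serial(value: int) -> str:
    """Render an integer serial the way the test server shows it: hex bytes joined by ':'."""
    digits = f"{value:X}"
    if len(digits) % 2:
        digits = "0" + digits
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def match_by_serial_only(presented_serial: str, table=ACCOUNT_CERTS):
    """The buggy lookup: the first cert with this serial wins, whoever issued it."""
    wanted = normalize_serial(presented_serial)
    for row in table:
        if normalize_serial(row.serial) == wanted:
            return row.account
    return None


def match_by_issuer_and_serial(presented_issuer: str, presented_serial: str, table=ACCOUNT_CERTS):
    """The fixed lookup: a serial is only unique per issuer (RFC 5280, 4.1.2.2),
    so the key is (issuer, serial). Anything but exactly one hit fails closed."""
    wanted = normalize_serial(presented_serial)
    hits = [row for row in table
            if row.issuer == presented_issuer and normalize_serial(row.serial) == wanted]
    return hits[0].account if len(hits) == 1 else None


def find_serial_collisions(table=ACCOUNT_CERTS):
    """Step 5 of the test scenario: serials issued under more than one issuer."""
    issuers_by_serial = {}
    for row in table:
        issuers_by_serial.setdefault(normalize_serial(row.serial), set()).add(row.issuer)
    return sorted(format_serial(s) for s, issuers in issuers_by_serial.items() if len(issuers) > 1)


if __name__ == "__main__":
    # User 6 presents the class 3 cert with serial 10:01
    print(match_by_serial_only("10:01"))                       # User 2: the wrong account
    print(match_by_issuer_and_serial(CLASS3_ISSUER, "10:01"))  # User 6
    print(find_serial_collisions())                            # ['10:00', '10:01', '10:03']
```

On the client side, the two values the fixed lookup needs can be read from a cert with `openssl x509 -in cert.pem -noout -issuer -serial`; openssl prints the serial without colons, which is why the example compares on the integer value rather than on the displayed string. Keying on (issuer, serial) closes this bug; matching on the certificate fingerprint or the public key instead would not depend on the issuers' serial bookkeeping at all, and the same check applies to every other place where a client cert is matched to an account (see "Additional Tests" below).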
To reproduce the problem, or to test whether it is fixed, the software tester has to create client certs for as many usernames (different test accounts) as needed, under different issuers (issued by class 1 and/or class 3), until the serial numbers of the two issuers overlap.
If you check your client certs you should already have a couple of test certs:
CAcert Testserver (class1, CAcert Testserver Root)
  CAcert WoT User   10:54
  User Abc          10:38
  User Def          10:37  <--
CAcert Testsever (class3, CAcert Testserver Class 3)   (the typo in the issuer name is a well-known problem :) )
  User 4            10:49
  User Fgh          10:37  <--
  User 6            10:31
You can start testing with user "User Def" or "User Fgh": both hold a cert with serial number 10:37, issued by different issuers.
Preliminaries
- Create different user accounts
- Assure each user account to at least 50 assurance points (required to issue class 3 certs)
- For each user account create at least one class 1 and one class 3 cert with login enabled
- Cert login to the account and check that cert and account match (compare name, email, serial number)
- Root / Class 1 currently starts at 10:59
- Class 3 currently starts at 10:58
Reporting
Report your results under:
Record each step you walk through, e.g.:
a) adding account XYZ
b) assured up to 50 points
c) issued cert class 1 10:59
d) issued cert class 3 10:3F
Additional Tests
Find other places where a client cert is matched to an account and test them as well
Happy testing
Certs prepared
User                 Root cert   Class 3 cert
unknown.cert@w..de   10:59
unknown.cert@w..de               10:58
unknown.cert@w..de   10:57
. . .
unknown.cert@w..de               10:3F