View Issue Details

ID: 0001054
Project: Main CAcert Website
Category: source code
View Status: public
Last Update: 2015-05-05 22:01
Reporter: INOPIAE
Assigned To: Ted
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: needs review & testing
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0001054: Review the code regarding the new point calculation in ./includes/general.php
Description: Check if the point calculation is adjusted according to the new points calculation.
Tags: No tags attached.
Reviewed by:
Test Instructions:

Relationships

related to 0000872 (needs work, INOPIAE) Main CAcert Website: PoJAM restricitions to apply to production system (several restrictions) PoJAM 3.3,, 4.1, 4.2
related to 0001096 (closed) Main CAcert Website: Assurance over Locked-Account shall be impossible
related to 0000835 (closed, Ted) test.cacert.org: Assurer challenge and ssl certificat
related to 0001098 (solved?, Ted) test.cacert.org: logout from cats testserver under ca-mgr1 results in weak link
related to 0000440 (closed, NEOatNHNG) Main CAcert Website: Problem with subjectAltName
related to 0001017 (closed, NEOatNHNG) Main CAcert Website: Chrome certificate enrollement
related to 0001035 (closed) Main CAcert Website: CN gets deleted from subjectAltName on cert renewal
related to 0000827 (closed, dastrath) Main CAcert Website: Tverify points to be deprecated
related to 0000114 (closed) Main CAcert Website: Revocation Reason
related to 0001208 (closed, BenBE) Main CAcert Website: Improve readability of "Assure someone" page
parent of 0000301 (closed) Main CAcert Website: Modification of the assurance system to track deletions
related to 0001101 (needs work, TimoAHummel) Main CAcert Website: general rewrite of get info from csr routine in includes/general.php
related to 0001042 (needs review & testing, Eva) Main CAcert Website: Review the code regarding the new point calculation
related to 0001134 (closed, NEOatNHNG) Main CAcert Website: Delete the board flag thourougly in all parts of our software
related to 0001216 (new) Main CAcert Website: Assure Someone Page Broken; TTP Assurer is pushed to make a false statement, assurance clashes regarding F2F confirmation
related to 0001177 (closed, BenBE) Main CAcert Website: Combine wot.inc.php, notary.inc.php and temp-function.php

Activities

NEOatNHNG

2012-08-27 13:35

administrator   ~0003161

Dirk has done some changes which are available on the test server. Are they complete?

Uli60

2012-08-28 10:40

updater   ~0003163

potential test scenarios affected by source code changes:

pages/wot/15.php
my details - my points - new calculation

pages/wot/6.php
assure someone, methods F2F and TTP

includes/general.php
  www.cacert.org and secure.cacert.org switch
  language detection
  switch "locked accounts"
  loadem section account.php?x index.php?y
  secure pwd validation (points regarding strong passwords)
       check on name parts, email address, dictionary
  cert subjectAltname routine, Common Name check on CSR's
      subjAltnames check, OU check on Org certs
  maxpoints routine, returns points you can issue
      check on points + assurer challenge levels
      and age of assurer (eg lt 18?)
  ping tests adding to pinglog table

|| why is philipp@c.o as rcpt added in line 642 ?!?
|| -> use function-alias eg support or sysadmin


  get-assurer-status
     checks: cats test passed, maxpoints, assurer-blocked

  no-assurer text switch

  is_assurer() using get-assurer-status

  generate-cert-path: client certs, server certs, org client certs, org server certs switch


includes/notary.inc.php
  get_number_of_assurances()
  get_number_of_assurees()
  get_top_assurer_position()
  get_top_assuree_position()
  get_given_assurances()
  get_received_assurances()
  get_given_assurances_summary()
  get_received_assurances_summary()
  get_cats_state()
  calc_experience()
  calc_assurances()
  show_user_link() name="" -> "System" or "Deleted account"
  get_assurer_ranking()
  get_assuree_ranking()
  output_ranking()
     general: output member mypoints (new calculation) and admin console new calculation
  check_date_limit(age) eg. PoJAM case calculation
  calc_points()
  max_points()
  output_summary_content() tested age limits 18, 14
  AssureMethodLine() eg assure someone with addtl. flags eg TTP, and potential others

INOPIAE

2012-08-28 20:46

updater   ~0003166

Last edited: 2012-08-28 21:21

u14.1054@acme.com DOB 1.1.2000
assured with 35 points
=> no assurer => ok
added 70 points via batch => no assurer => OK
added CATS => shows assurer with 10 points => false
added 1 assurance added => assurance possible => false

u18.1054@acme.com DOB 1.1.1996
assured with 35 points => no assurer => ok
added 70 points via batch => no assurer => OK
added CATS
added 1 assurance =>ok
added 5 assurances via batch
All assurance show 10 points => ok
account has now 6 assurances
wot.id 15 show you can grant up to 15 points => should show 10 points
added new assurance with 20 points
Points reduced to 10 points according to PoJAM

my admin account
Added TTP assurance to oa.reinhard@acme.com with 35 points. => ok

Uli60

2012-08-28 22:03

updater   ~0003171

test 1054.2.1
3 users
1054.2.1.user1@w.d
1054.2.1.admin1@w.d
1054.2.1.ttpadmin1@w.d

login 1054.2.1.admin1@w.d
set ttpadmin flag on 1054.2.1.ttpadmin1@w.d
=> ok

login 1054.2.1.ttpadmin1@w.d
assure someone
1054.2.1.user1@w.d

3 checkboxes

    F2F TTP
 A + - I certify that bug1004 userb4 has appeared in person

             "Only tick the next box if the Assurance was face to face."
             for TTP assurance this sentence is wrong

 B + + I believe that the assertion of identity I am making is correct,
             complete and verifiable. I have seen original documentation attesting
             to this identity. I accept that the CAcert Arbitrator may call upon me
             to provide evidence in any dispute, and I may be held responsible.

             original documentation?
              F2F - cap form
              TTP - ttpcap documentation


 C + + I have read and understood the Assurance Policy and the Assurance Handbook
             and am making this Assurance subject to and in compliance with the policy
             and handbook.

=> ok, except the "Only tick the next box if the Assurance was face to face."


new points:
for TTP assurance no experience points counted => ok
for F2F assurance 2 experience points counted => ok

f2f assurance
A not set => passes
  relates to points removal, reapply
  thawte patch 1023 or so
B set => ok
C set => ok

Uli60

2012-08-28 22:52

updater   ~0003172

assure someone
user f2f only
method line no longer appears => ok

update 56ca0c87

assure someone
user ttpadmin, make ttp
method line, ttp selected
checkboxes A, B not set, C set =>
ERROR: You failed to check all boxes to validate your adherence to
the rules and policies of CAcert

I have explicitly set checkbox B in TTP assurance too
but this conflicts with line of info text:
"Only tick the next box if the Assurance was face to face."

Uli60

2012-08-28 23:03

updater   ~0003173

release: 307f995b

assure someone
user f2f only
method line no longer appears => ok
"Only tick the next box if the Assurance was face to face." line no longer appears => ok

assure someone
user ttpadmin, make ttp
method line, ttp selected
"Only tick the next box if the Assurance was face to face." line no longer appears => ok
checkboxes A not set, B + C set => ok

NEOatNHNG

2012-08-28 23:14

administrator   ~0003174

I have ported changes that were present in the now deleted wot.inc.php and also did some minor improvements.

Uli60

2012-09-04 21:54

updater   ~0003175

created new user 1054.2.1.user2@w.d
login 1054.2.1.ttpadmin1@w.d
assure someone: 1054.2.1.user2@w.d

F2F assurance
no checkboxes set
ERROR: You failed to check all boxes to validate your
    adherence to the rules and policies of CAcert
=> ok

all 3 set
passed
=> ok

new points calc display
261751 2012-09-04 Bug1054.2.1 User2 35 F2F of ttpadmin with selection F2F
     Face to Face Meeting 2
=> ok


created new user 1054.2.1.user3@w.d
login 1054.2.1.ttpadmin1@w.d
assure someone: 1054.2.1.user3@w.d

TTP-assisted-assurance
no checkboxes set
ERROR: You failed to check all boxes to validate your adherence to the
       rules and policies of CAcert
=> ok

checkboxes set:
I certify that Bug1054.2.1 User3 has appeared in person => No
I believe that the assertion of identity I am making is
   correct, complete and verifiable. I have seen original
   documentation attesting to this identity. => yes
I have read and understood AP => yes

passed
=> ok

new points calc display
261752 2012-09-04 Bug1054.2.1 User3 35
    TTP assurance, req ID [], req from 2012-08-28, TTP 2012-08-28
    Trusted Third Parties <> (empty points field)
=> ok


Summary:
new points:
for TTP assurance no experience points counted => ok
for F2F assurance 2 experience points counted => ok

checkboxes
              F2F TTP
i certify      +   -
i believe      +   +
i have read    +   +

all ok

Uli60

2012-09-04 22:00

updater   ~0003176

Last edited: 2012-09-04 22:02

1054.1.1 new points calculation display (15.php)
summary of tables points given, points received
moved 2 columns to the right
=> fail

(10.php is ok)

Uli60

2012-09-04 22:04

updater   ~0003177

1054.3.7
maxpoints routine, returns points you can issue
new points calc display (15.php)
max 35 => ok
assure someone: max 35 => ok

Uli60

2012-09-04 22:10

updater   ~0003178

1054.4.1
get_number_of_assurances()
Assurer Ranking
You have made 30 assurances which ranks you as the 0000030 top assurer.

manual counted 35 assurances total
30 assurances F2F
5 assurances TTP
=> ok

proposal:
You have made 30 assurances which ranks you as the 0000030 top assurer. *)
*) note: F2F assurances only

Uli60

2012-09-04 22:13

updater   ~0003179

1054.4.3
get_top_assurer_position()

1054.4.4
get_top_assuree_position()

Assurer Ranking
You have made 30 assurances which ranks you as the 0000030 top assurer.
You have received 3 assurances which ranks you as the 0000204 top assuree.
0000030 assurer => ok
0000204 assuree => ok

Uli60

2012-09-04 22:26

updater   ~0003180

1054.1.1 column prob reviewed
own points 15.php
Total Assurance Points: (3 columns)
=> ok

login as admin, search user:
assurances user got - new calc (43.php)
Total Assurance Points: (5 columns)
=> ok

assurances user gave - new calc (43.php)
Total Points Issued: (5 columns)
=> ok

Uli60

2012-09-04 23:07

updater   ~0003182

Last edited: 2012-09-11 21:02

scenario: 1054.3.3

new user 1054.3.3.user1@w.d
100 assurance points
assurer challenge passed
5 batch assurances
set flags: lock account
try to login 1054.3.3.user1@w.d
wrong email or wrong password
=> error message is misleading, but ok


login admin
search user 1054.3.3.user1@w.d
state: account locked

Account State
Account inconsistency: Users record locked set
code: 4
Account inconsistency can cause problems in daily account operations
 and needs to be fixed manually through arbitration/critical team.


login assurer
assure someone 1054.3.3.user1@w.d
assurance is possible, passed
261767 2012-09-05 Bug1054.3.3 User1 35
  test to locked account user Face to Face Meeting 2
=> mmh, but ok
   filed as separate bug
   assurance over potential weak user account ?!?

read https://bugs.cacert.org/view.php?id=1096

Uli60

2012-09-11 21:10

updater   ~0003185

1054.3.1 (a) cacert / (b) secure switch test
  (a) http://cacert1.it-sls.de/index.php?id=13 (Donations footer link)
      http://cacert1.it-sls.de/index.php?id=51 (mission statement footer link)
      http://cacert1.it-sls.de/index.php?id=11 (contact us footer link)

login to useraccount ... results in
https://cacert1.it-sls.de link

using cert login
cert login to another user account results in:
https://secure1.it-sls.de link

  (b) https://secure1.it-sls.de/account.php?id=38 (donations secure footer link)
      mission statement under secure link still doesn't exist
      https://secure1.it-sls.de/account.php?id=40 (contact us secure footer link)



(a) cacert / (b) secure switch test
  works
=> Ok

Uli60

2012-09-11 21:28

updater   ~0003186

1054.3.5
secure pwd validation (points regarding strong passwords)
check on name parts, email address, dictionary

testing pwd changes with 1054.2.1.user3@w.d

shortest known Pwd:
Failure: Pass Phrase not Changed
The Pass Phrase you submitted was too short.
=> ok

using email alias
Failure: Pass Phrase not Changed
The Pass Phrase you submitted failed to contain enough
differing characters and/or contained words from your name
and/or email address. Only scored 1 points out of 6.
=> ok

using name
Failure: Pass Phrase not Changed
The Pass Phrase you submitted failed to contain enough
differing characters and/or contained words from your name
and/or email address. Only scored 2 points out of 6.
=> ok

using 2 english known words (from dictionary)
Failure: Pass Phrase not Changed
The Pass Phrase you submitted failed to contain enough
differing characters and/or contained words from your name
and/or email address. Only scored 2 points out of 6.
=> ok

old Fred pwd
Failure: Pass Phrase not Changed
The Pass Phrase you submitted failed to contain enough
differing characters and/or contained words from your name
and/or email address. Only scored 0 points out of 6.
=> ok

using strong pwd
Pass Phrase Changed Successfully
Your Pass Phrase has been updated and your primary email
account has been notified of the change.
=> ok

INOPIAE

2012-09-11 21:55

updater   ~0003188

Test 1054.3.2
On Test System
open homepage
change translation language to Spanish
Login into account with account language English => shows English
If use go home switch back to Spanish
Login again English
Logout => stays English

On Productive System
open homepage
change translation language to Spanish
Login into account with account language English => shows English
If use go home switch back to Spanish
Login again English
Logout => stays English

Both systems show same behavior

Uli60

2012-09-11 23:37

updater   ~0003189

1054.3.8 age limits

(a) < 14 Bug1054.3.8.UserLT14 1.1.2000, 100 AP, passed CATS
(b) 14 < 18 Bug1054.3.8.UserIs15 1.1.1997, 100 AP,
(c) > 18 Bug1054.3.8.UserGT18 1.1.1990, 100 AP


test I receive assurances
test II give assurances
test III pass cats test

testmatrix

                   a               b               c
rcvd assurance     pass x1), x2)   pass x1) x4)    pass x6)
give assurances    requires III    requires III    requires III
pass cats          unknown x3)     unknown x5)     unknown x7)


x1) in theory, this is a PoJAM assurance that needs
    an extra line: parental consent established
    but is not yet implemented in production
x2) new calculation 15.php
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 135 100 Limit reached
Total Experience Points by Assurance 0 0
Total Experience Points (other ways) 0 0
Total Points 100 You have to pass the CAcert Assurer
                                Challenge (CATS-Test) to be an Assurer

x3)
logged-in (<14 years old)
https://cacert1.it-sls.de/wot.php?id=2 "Becoming an Assurer"
link exist
includes link to https://cats.cacert.org/

cats test on testserver link is:
https://cats1.it-sls.de
first create client cert for user
 with Enable certificate login with this certificate
passed CATS test, needs transfer to cacert1
 => ted, michael
    with request to response for re-check the result

cats passed

logout from cats server (testserver ca-mgr1)
results in link: https://cats1.it-sls.de//index.php?
                                        ^^


x4)
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 135 100 Limit reached
Total Experience Points by Assurance 0 0
Total Experience Points (other ways) 0 0
Total Points 100 You have to pass the CAcert Assurer Challenge (CATS-Test)
                                to be an Assurer

x5)
logged-in (15 years old)
https://cacert1.it-sls.de/wot.php?id=2 "Becoming an Assurer"
link exist
includes link to https://cats.cacert.org/
cats test on testserver link is:
https://cats1.it-sls.de
first create client cert for user
 with Enable certificate login with this certificate

cats passed

logout from cats server (testserver ca-mgr1)
results in link: https://cats1.it-sls.de//index.php?
                                        ^^


x6)
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 135 100 Limit reached
Total Experience Points by Assurance 0 0
Total Experience Points (other ways) 0 0
Total Points 100 You have to pass the CAcert Assurer Challenge (CATS-Test)
                                to be an Assurer

x7)
logged-in (GT 18 years old)
https://cacert1.it-sls.de/wot.php?id=2 "Becoming an Assurer"
link exist
includes link to https://cats.cacert.org/
cats test on testserver link is:
https://cats1.it-sls.de
first create client cert for user
 with Enable certificate login with this certificate

cats passed

logout from cats server (testserver ca-mgr1)
results in link: https://cats1.it-sls.de//index.php?
                                        ^^

cannot continue with this test series until
the CATS tests made on the CATS test testserver are
transferred to cacert1.it-sls.de

Uli60

2012-09-12 00:51

updater   ~0003191

1054.4.12
show_user_link() name="" -> "System" or "Deleted account"

create 2 user accounts, with 100 AP and passed CATS each


where to find "System" ?

doing assurances ... experience points issued
under My Points 10.php:

Your Assurance Points
ID Date Who Points Location Method
261780 2012-09-12 02:08:58 John 0 Doe 35 CAcert Test Manager Face to Face Meeting
261781 2012-09-12 02:08:58 John 1 Doe 35 CAcert Test Manager Face to Face Meeting
261782 2012-09-12 02:08:58 John 2 Doe 30 CAcert Test Manager Face to Face Meeting
261787 2012-09-12 Bug1054.4.12 User1 2 @home, CCA+ Administrative Increase
261789 2012-09-12 Bug1054.4.12 User1 2 @home, PoJAM+, CCA+ Administrative Increase
Total Points: 104

Assurance Points You Issued
ID Date Who Points Location Method
261786 2012-09-12 Bug1054.4.12 User2 0 @home, CCA+ Face to Face Meeting
261788 2012-09-12 Bug1054.3.8 UserIs15 0 @home, PoJAM+, CCA+ Face to Face Meeting
Total Points Issued: 0

under My Points 15.php:

Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 100 100
Total Experience Points by Assurance 4 4
Total Experience Points (other ways) 0 0
Total Points 104 You may issue up to 10 points

Assurance Points You Issued
ID Date Who Points Location Method Experience Points
261786 2012-09-12 Bug1054.4.12 User2 10 @home, CCA+ Face to Face Meeting 2
261788 2012-09-12 Bug1054.3.8 UserIs15 10 @home, PoJAM+, CCA+ Face to Face Meeting 2
Total Points Issued: 20 Total Experience Points: 4

Your Assurance Points
ID Date Who Points Location Method Experience Points
261780 2012-09-12 02:08:58 John 0 Doe 35 CAcert Test Manager Face to Face Meeting 0
261781 2012-09-12 02:08:58 John 1 Doe 35 CAcert Test Manager Face to Face Meeting 0
261782 2012-09-12 02:08:58 John 2 Doe 30 CAcert Test Manager Face to Face Meeting 0
Total Assurance Points: 100 Total Experience Points: 0


"System" doesn't show up

10.php lists "Bug1054.4.12 User1" (own name) under listed administrative increase
experience points



User2:
login Admin (SE permissions)
search Bug1054.4.12.User2@w.d

walk through:
https://wiki.cacert.org/Arbitrations/Training/Lesson20/DeleteAccountProcSEv3
procedure
(not yet deleted)
under other users account, assurance is listed as:
a1054.4.12.1 a1054.4.12.1
under 15.php same, except the experience points are not
listed as individual administrative increases but as
assurance record, counted with 2 experience pts each assurance

relogin Admin account
search user a1054.4.12.1@w.d
delete account()
results in message:
"I'm sorry, the user you were looking for seems to have disappeared! Bad things are a foot!"

relogin to user account that assured deleted user
new calculation 15.php shows:
assurance over: a1054.4.12.1 a1054.4.12.1

"Deleted Account" doesn't show up

"Deleted Account" probably is displayed once the user created the account,
but still hasn't confirmed it and an assurer has passed an assurance
over this still unverified user account.
After 24/48 hours, the cleanup routine kills this user account
and probably the assurer reads "Deleted Account"


create new test user account 0000003
login to assurer #1
assure someone -> Bug1054.4.12.user3@w.d
results in: ERROR: User is not yet verified. Please try again in 24 hours!

Test scenario cannot pass

Uli60

2012-09-12 16:24

updater   ~0003194

1054.3.8 age limits (cont.)

(a) < 14 Bug1054.3.8.UserLT14 1.1.2000, 100 AP, passed CATS
(b) 14 < 18 Bug1054.3.8.UserIs15 1.1.1997, 100 AP, passed CATS
(c) > 18 Bug1054.3.8.UserGT18 1.1.1990, 100 AP, passed CATS


test I receive assurances
test II give assurances
test III pass cats test

testmatrix

................... a ............. b ............. c .........
rcvd assurance ... pass .......... pass .......... pass
give assurances .. avail, fail x1) pass ok, x2) .. pass ok, x3)
pass cats ........ pass .......... pass .......... pass


verification step III

(a) Bug1054.3.8.UserLT14
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 135 100 Limit reached
Total Experience Points by Assurance 0 0
Total Experience Points (other ways) 0 0
Total Points 100 You may issue up to 10 points
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
=> not ok

assure someone link is available
=> not ok

x1)
u14 isn't allowed to do assurances
as this is the current state of the software,
this isn't a bug here
to follow PoJAM policy a separate bug is filed
https://bugs.cacert.org/view.php?id=872

expected:
new calculation 15.php
you've passed CATS test, however you disqualify
as an assurer by PoJAM restrictions




(b) Bug1054.3.8.UserIs15
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 145 100 Limit reached
Total Experience Points by Assurance 0 0
Total Experience Points (other ways) 0 0
Total Points 100 You may issue up to 10 points
=> ok

assure someone link is available
=> ok

x2)
between age of 14 and 18, an assurer can issue up to
max 10 assurance points
no matter of experiences

doing 5 assurances 10 AP each
=> ok

doing more than 5 assurances
max 10 AP each (limited)
=> ok

Assurance Points You Issued
ID Date Who Points Location Method Experience Points
261791 2012-09-12 bug1004 userb4 10 PoJAM assurer, CCA+ Face to Face Meeting 2
261793 2012-09-12 Bug1070 User 10 PoJAM assurer, CCA+ Face to Face Meeting 2
261795 2012-09-12 bug1004 userb5 10 PoJAM assurer, CCA+ Face to Face Meeting 2
261797 2012-09-12 Bug1004 User2 10 PoJAM assurer, CCA+ Face to Face Meeting 2
261799 2012-09-12 bug1004 userb3 10 PoJAM assurer, CCA+ Face to Face Meeting 2
261801 2012-09-12 Bug 846 User2 10 PoJAM assurer, CCA+ Face to Face Meeting 2
261803 2012-09-12 Bug922 User2 10 PoJAM assurer, CCA+ Face to Face Meeting 2
Total Points Issued: 70 Total Experience Points: 14
=> ok



(c) Bug1054.3.8.UserGT18
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 135 100 Limit reached
Total Experience Points by Assurance 0 0
Total Experience Points (other ways) 0 0
Total Points 100 You may issue up to 10 points
=> ok

assure someone link is available
=> ok

x3)
over 18, assurer follows regular experience levels
first 5 assurances -> max 10 AP
2nd set of 5 assurances -> max 15 AP
and so forth

doing 5 assurances 10 AP each
=> ok

doing assurances 6-10, 15 AP each
=> ok

doing assurances 11-15, 20 AP each
=> ok

doing assurances 16-20, 25 AP each
=> ok

doing assurances 21-25, 30 AP each
=> ok

doing assurances 25 and more, max 35 AP each
=> ok

Uli60

2012-09-18 21:24

updater   ~0003200

1054.3.9 write PingLog entries
in SA project team meeting, NEO checked PingLog table
last entries from last weeks Tuesdays meeting
of bug1054 test users
=> ok

Uli60

2012-09-19 00:21

updater   ~0003201

1054.4.19 "how many points an assurer can award at max"
checked in several tests
1054.4.20 output_summary_content() tested age limits 18, 14 (see also 1054.3.8)
tested under 1054.3.8
1054.3.4 loadem routine, several tests don't disclose a problem in
switching between different pages (different id=x pages)
1054.4.19 max_points() how many points an assurer can award at max
tested under 1054.4.19
1054.4.9 get_cats_state() newpoints 15.php several times checked, ok
1054.4.10 calc_experience() calculate EP points summarize, no anomaly detected in tests, ok
1054.4.11 calc_assurances() calculate AP points summarize, no anomaly detected in tests, ok
1054.4.13 get_assurer_ranking() stats for 15.php, no anomaly detected in tests, ok
1054.4.14 get_assuree_ranking() stats for 15.php no anomaly detected in tests, ok
1054.4.15 output_ranking(), tested under 1054.4.13 + 1054.4.14
1054.3.10 get-assurer-status
checks: cats test passed, maxpoints, assurer-blocked. cats passed tested, maxpoints tested, assurer-blocked not yet tested
1054.3.11 no-assurer text switch, checked, ok
1054.3.12 is_assurer() using get-assurer-status, checked, ok
1054.3.13 generate-cert-path: client certs, server certs, org client certs, org server certs switch, several certs created, signed certs received, so procedure works as expected, low level check impossible for software testers. ok

Uli60

2012-09-19 00:50

updater   ~0003202

Last edited: 2012-09-19 00:57

scenario 1054.3.10

new user 1054.3.10.user1@w.d
setting 100 AP, assurer challenge, 50 EP

login 1054.3.10.user1@w.d
assure someone: 1054.2.1.user1@w.d
max points (0)
enter points: 35
15.php: 0 pts awarded

-NEO did some changes-

again:
assure someone: Bug1054.2.1 User3
max points (35)
enter points: 35
15.php: 35 pts awarded


setting block assurer flag

login user: 1054.3.10.user1@w.d
assure someone
"ERROR: Sorry, you are not allowed to be an Assurer.
 Please contact cacert-support@lists.cacert.org
 if you feel that this is not corect."
                                ^^ correct with two "r"
=> ok

unblock assurer

test again
assure someone: Bug1054.3.8 UserGT18
max points: (35)
enter points: 35
15.php: 35 pts awarded
=> ok

setting block assurer flag

Assure someone: -> error message (see above)
15.php summary:
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 100 100
Total Experience Points by Assurance 56 50 Limit reached
Total Experience Points (other ways) 0 0
Total Points 150 You may issue up to 35 points
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
wrong message: shall be "assurer status blocked"
or similar message
=> not ok in 15.php
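
The rules exercised in tests 1054.3.8 (age limits, experience levels) and 1054.3.10 (blocked-assurer flag) can be decided in one function, so that the 15.php summary remark and the "assure someone" form cannot disagree. This PHP is an added example, not part of the thread and not CAcert's code. Function names, array keys, remark texts and the EP-to-points mapping (fitted to the results reported above) are assumptions, and the under-14 branch follows the expected PoJAM behaviour rather than what the test server did.

```php
<?php
declare(strict_types=1);

// Added illustration, not CAcert source code. Function names, array keys and
// remark texts are hypothetical; the thresholds are those the test notes report.

const AP_REQUIRED  = 100; // assurance points needed to become an assurer
const EP_CAP       = 50;  // countable experience points ("Limit reached")
const POJAM_MAX    = 10;  // fixed cap for assurers aged 14 to 17
const ABSOLUTE_MAX = 35;  // highest value any assurer may award

/** Age in completed years on the given day. */
function age_on(string $dob, string $today): int
{
    return (new DateTimeImmutable($dob))->diff(new DateTimeImmutable($today))->y;
}

/**
 * One decision for both the points summary and the "assure someone" form.
 *
 * @param array $user keys: dob, ap, ep, cats_passed, assurer_blocked
 * @return array{allowed: bool, max_points: int, remark: string}
 */
function assurer_decision(array $user, string $today): array
{
    $deny = fn(string $why): array =>
        ['allowed' => false, 'max_points' => 0, 'remark' => $why];

    // Administrative block wins over everything else (scenario 1054.3.10).
    if ($user['assurer_blocked']) {
        return $deny('Assurer status blocked');
    }
    if ($user['ap'] < AP_REQUIRED) {
        return $deny('Fewer than ' . AP_REQUIRED . ' assurance points');
    }
    if (!$user['cats_passed']) {
        return $deny('Assurer Challenge (CATS) not passed');
    }

    $age = age_on($user['dob'], $today);
    if ($age < 14) {
        // Expected PoJAM outcome from test 1054.3.8 (a), tracked in bug 872.
        return $deny('CATS passed, but disqualified as assurer by PoJAM');
    }

    if ($age < 18) {
        $max = POJAM_MAX; // regardless of experience, test 1054.3.8 (b)
    } else {
        // Assumed mapping, fitted to test 1054.3.8 (c): 10 points plus 5 for
        // every 10 countable EP (2 EP per face-to-face assurance given).
        $ep  = min(EP_CAP, max(0, $user['ep']));
        $max = min(ABSOLUTE_MAX, 10 + 5 * intdiv($ep, 10));
    }

    return ['allowed' => true, 'max_points' => $max,
            'remark' => "You may issue up to $max points"];
}

/** Clamp what the assurer typed to what the decision allows. */
function points_to_award(array $assurer, int $entered, string $today): int
{
    $d = assurer_decision($assurer, $today);
    return $d['allowed'] ? max(0, min($entered, $d['max_points'])) : 0;
}

// Constructed sample accounts modelled on the test users in this thread.
$today = '2012-09-19';
$users = [
    'UserLT14' => ['dob' => '2000-01-01', 'ap' => 100, 'ep' => 0,
                   'cats_passed' => true,  'assurer_blocked' => false],
    'UserIs15' => ['dob' => '1997-01-01', 'ap' => 100, 'ep' => 14,
                   'cats_passed' => true,  'assurer_blocked' => false],
    'UserGT18' => ['dob' => '1990-01-01', 'ap' => 100, 'ep' => 20,
                   'cats_passed' => true,  'assurer_blocked' => false],
    'NoCats'   => ['dob' => '1980-01-01', 'ap' => 100, 'ep' => 0,
                   'cats_passed' => false, 'assurer_blocked' => false],
    'Blocked'  => ['dob' => '1980-01-01', 'ap' => 100, 'ep' => 50,
                   'cats_passed' => true,  'assurer_blocked' => true],
];

foreach ($users as $name => $u) {
    $d = assurer_decision($u, $today);
    printf("%-9s %-52s 35 entered => %2d awarded\n",
        $name, $d['remark'], points_to_award($u, 35, $today));
}
```

Rendering the summary remark from the same return value that gates the form removes the mismatch seen above, where a blocked assurer was refused on "assure someone" while 15.php still showed "You may issue up to 35 points".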

Uli60

2012-09-20 21:54

updater   ~0003204

1054.3.6 part I

test #1 - client certs variations
using bug 0000440 test account, 150pts assurer
similar to test
https://bugs.cacert.org/view.php?id=440#c2833
re-test

create client cert
a) email 1
   class1
   no name
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00

   serno: 115c
   displ.name: CAcert WoT User -> ok
   valid from/to: 20.09.2012 23:04:00 / 20.10.2012 23:04:00 -> ok
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

    certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d

    => all ok

b) email 1
   class3
   no name
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 10D6 Not Revoked 2012-10-20 21:14:31


   serno: 10D6
   displ.name: CAcert WoT User -> ok
   valid from/to: 20.09.2012 23:14:31 / 20.10.2012 23:14:31 -> ok
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d

   => all ok

c) email 1
   class1
   "Certs Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 115D Not Revoked 2012-10-20 21:26:44

   serno: 115d
   displ.name: Certs Test -> ok
   owner: E = certs.test@w.d, CN = Certs Test -> ok

   extended key usage -> ok
   cert alternate name:
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d ->

  => all ok

d) email 1
   class3
   "Certs Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 10D7 Not Revoked 2012-10-20 21:32:52

   serno: 10d7
   displ.name: Certs Test -> ok
   owner: E = certs.test@w.d, CN = Certs Test -> ok

   extended key usage -> ok
   cert alternate name:
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d -> ok

  => all ok

e) email 1
   class1
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 115E Not Revoked 2012-10-20 21:37:02

   serno: 115e
   displ.name: Certs Sub Test -> ok
   owner: E = certs.test@w.d, CN = Certs Sub Test -> ok

   extended key usage -> ok
   cert alternate name:
    Nicht kritisch
    E-Mail-Adresse: certs.test@w.d -> ok

  => all ok

f) email 1
   class3
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert x1)

Valid certs.test@w.d 10D8 Not Revoked 2012-10-20 21:46:32

   serno: 10d8
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@w.d, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@w.d

   => all ok

x1)
runs into fix https://bugs.cacert.org/view.php?id=1017
/account.php?id=6 list 3 options
a. Install the certificate into your browser
b. Download the certificate in PEM format
c. Download the certificate in DER format
using a. with FF

see also https://bugs.cacert.org/view.php?id=440#c3203

Uli60

2012-09-21 12:52

updater   ~0003207

1054.3.6 part II

test 0000002 - server certs variations
similar to test
https://bugs.cacert.org/view.php?id=440#c2839
re-test

using prev account from bug#440 testing
using prev used domain under bug#440 testing

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr

paste csr

sign class1
<paste>
submit

error/warning
"The keys that you use are very small and therefore insecure.
Please generate stronger keys. More information about this
issue can be found in the wiki"

=> ok

openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-1024-signed-c1.key
<paste>

key in list:
 Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20

openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4447 (0x115f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 12:19:20 2012 GMT
            Not After : Oct 21 12:19:20 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
....................................................................
=> ok



openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c1.key
<paste>

key in list:
 Valid test1.avintec.com 1160 Not Revoked 2012-10-21 12:43:39

openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout
......................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4448 (0x1160)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 12:43:39 2012 GMT
            Not After : Oct 21 12:43:39 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
......................................................
=> ok

see also https://bugs.cacert.org/view.php?id=440#c3206

Uli60

2012-09-21 13:12

updater   ~0003208

1054.3.6 part III

test 0000003 - client certs variations, multiple emails in cert
using prev account from bug#440 testing

adding 2 more email addresses to test account
old 1. certs.test@w.d
add 2. bug1054.3.6.3.user1@w.d
add 3. bug1054.3.6.3.user2@w.d

email accounts - view:
prim Verified N/A certs.test@w.d
sec1 Verified bug1054.3.6.3.user1@w.d
sec2 Verified bug1054.3.6.3.user2@w.d

=> ok

client cert - new

selecting email 1-3
class 1
Include 'Certs Sub Test'
enable cert login

Next

Create Cert Request (High)

Install the certificate into your browser

cert has been installed ....

client certs - view:
addtl. key:
Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39

Name: Certs Sub Test -> ok
Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok
owner:
E = bug1054.3.6.3.user2@w.d
E = bug1054.3.6.3.user1@w.d
E = certs.test@w.d
CN = Certs Sub Test
     -> ok

cert alternate name(s):
Nicht kritisch
E-Mail-Adresse: certs.test@w.d
E-Mail-Adresse: bug1054.3.6.3.user1@w.d
E-Mail-Adresse: bug1054.3.6.3.user2@w.d
      -> ok

openssl x509 -text -in client-cert-CertsSubTest-c1-3addr.pem -noout
..............................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4449 (0x1161)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 13:02:39 2012 GMT
            Not After : Oct 21 13:02:39 2012 GMT
        Subject: CN=Certs Sub Test/emailAddress=certs.test@w.d/emailAddre
ss=bug1054.3.6.3.user1@w.d/emailAddress=bug1054.3.6.3.user2@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.CAc
ert.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encr
ypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                email:certs.test@w.d, email:bug1054.3.6.3.user1@w.d,
email:bug1054.3.6.3.user2@w.d
    Signature Algorithm: sha1WithRSAEncryption
[...]
..............................................................
=> seems to be ok

Uli60

2012-09-21 14:47

updater   ~0003211

1054.3.6 part IV

test 0000004

server cert variation
multiple servernames in one csr

openssl genrsa -out test2-avintec-com-2048.key 2048
openssl req -new -key test2-avintec-com-2048.key -out test2-avintec-com-2048.csr

using:
Common Name (e.g. server FQDN or YOUR name) []:test1.avintec.com,mail.avintec.co
m,www.avintec.com,www.fra.avintec.com,mx.avintec.com,support.avintec.com

string is too long, it needs to be less than 64 bytes long
Common Name (e.g. server FQDN or YOUR name) []:test1.avintec.com

ok, again ...
how to enter multiple hostnames into a csr request?

see http://apetec.com/support/GenerateSAN-CSR.htm

copy openssl.cnf to openssl-san.cfg
edit openssl-san.cfg
adding:
............................................................
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = test1.avintec.com
DNS.2 = mail.avintec.com
DNS.3 = www.avintec.com
DNS.4 = www.fra.avintec.com
DNS.5 = mx.avintec.com
DNS.6 = support.avintec.com
............................................................

starting script:

openssl genrsa -out test2-avintec-com-2048.key 2048
openssl req -new -out test2-avintec-com-2048.csr -key test2-avintec-com-2048.key -config openssl-san.cfg

copy content of test2-avintec-com-2048.csr
as server signing request

 Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can
 not be automatically checked by the system.

submit

Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

output to file test2-avintec-com-2048-signed-c1.key

openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
.................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4450 (0x1162)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 13:50:27 2012 GMT
            Not After : Oct 21 13:50:27 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> fail
   subjAltNames not transferred :-P

procedural problem ?!?

verifying csr request:
openssl req -text -noout -in test2-avintec-com-2048.csr

.................................................................
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=AVINTEC, OU=IT, CN=test1.
avintec.com/emailAddress=certs.test@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................

no SAN's :-P

the correct conf file has been used, as some parameters
have been changed to other default values, shown in
the interactive openssl keygen process

probably the conf parameter
[req]
req_extensions = v3_req
was missing, retrying ....

openssl genrsa -out test2-avintec-com-2048.key 2048
openssl req -new -out test2-avintec-com-2048.csr -key test2-avintec-com-2048.key -config openssl-san.cfg

testing csr:
openssl req -text -noout -in test2-avintec-com-2048.csr
.................................................................
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=AVINTEC, OU=IT, CN=test1.
avintec.com/emailAddress=certs.test@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, DNS:mail.avintec.com, DNS:www.avintec.com
, DNS:www.fra.avintec.com, DNS:mx.avintec.com, DNS:support.avintec.com
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> seems to be ok until this state

copy & paste content of test2-avintec-com-2048.csr
to the signing request

results in:
 Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
subjectAltName: DNS:test1.avintec.com
subjectAltName: DNS:mail.avintec.com
subjectAltName: DNS:www.avintec.com
subjectAltName: DNS:www.fra.avintec.com
subjectAltName: DNS:mx.avintec.com
subjectAltName: DNS:support.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

Below is your Server Certificate

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

copy & paste into new file
test2-avintec-com-2048-signed-c1.key

testing key
openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
.......................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4451 (0x1163)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 14:41:43 2012 GMT
            Not After : Oct 21 14:41:43 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
.......................................................................
=> seems to be ok

see also https://bugs.cacert.org/view.php?id=440#c3210
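
The CSR check from part IV above, as an added example that is not part of the original note or of CAcert's code: it builds the request config once without and once with `req_extensions = v3_req`, then lists which DNS subjectAltNames actually reached the CSR before it is pasted into the signing form. The hostnames under `example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Hostnames under example.test and all function names are
# constructed for illustration; they are not the tester's files.

# write_cfg FILE yes|no
# Writes a minimal OpenSSL request config. With "no", [v3_req] is defined but
# never referenced from [req], which is the state of the first attempt in the
# note above; with "yes", req_extensions points at it.
write_cfg() {
    cfg_out=$1
    with_ext=$2
    {
        echo "[req]"
        echo "prompt = no"
        echo "distinguished_name = dn"
        if [ "$with_ext" = yes ]; then
            echo "req_extensions = v3_req"
        fi
        cat <<'EOF'

[dn]
CN = host1.example.test

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.example.test
DNS.2 = mail.example.test
DNS.3 = www.example.test
EOF
    } > "$cfg_out"
}

# make_csr CONFIG KEYFILE CSRFILE
# Creates the RSA key if it does not exist yet, then a CSR from the config.
make_csr() {
    cfg_in=$1
    key=$2
    csr_out=$3
    [ -f "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr_out" -config "$cfg_in"
}

# csr_dns_sans CSRFILE
# Prints the DNS subjectAltName entries of a CSR, one per line, sorted.
# Prints nothing when the CSR carries no SAN extension.
csr_dns_sans() {
    openssl req -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { grab = 1; next }
             grab { print; grab = 0 }' |
        tr ',' '\n' |
        sed -n 's/^ *DNS://p' |
        sort
}

# missing_sans CSRFILE NAME...
# Prints every expected NAME that is absent from the CSR's DNS SAN list.
missing_sans() {
    csr_in=$1
    shift
    have=$(csr_dns_sans "$csr_in")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# san_csr_demo
# Runs both variants and prints what a signer would see in each CSR.
san_csr_demo() {
    dir=$(mktemp -d) || return 1
    for mode in no yes; do
        write_cfg "$dir/$mode.cfg" "$mode"
        make_csr "$dir/$mode.cfg" "$dir/test.key" "$dir/$mode.csr" || return 1
        echo "req_extensions set: $mode"
        echo "  SANs in CSR: $(csr_dns_sans "$dir/$mode.csr" | tr '\n' ' ')"
        echo "  missing:     $(missing_sans "$dir/$mode.csr" \
            host1.example.test mail.example.test www.example.test | tr '\n' ' ')"
    done
    rm -rf "$dir"
}

# Pass --demo as the first argument to run the comparison.
if [ "${1:-}" = "--demo" ]; then san_csr_demo; fi
```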

Uli60

2012-09-21 21:48

updater   ~0003212

1054.3.6 part V

client certs variation
renewal of cert

1. Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00

Now renewing the following certificates:
Certificate for 'certs.test@w.d' has been renewed.
Click here to install your certificate.

(next page) x1)
Install your certificate
Install the certificate into your browser

new cert
Valid certs.test@w.d 1164 Not Revoked 2012-10-21 21:26:44

(next cert after Serial Number: 4449 (0x1161) -> 1164)

cert serno 115c no longer in list

view all certs, 115c listed:
Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00


cert serno 1164 details:
not yet visible in FF cert store
ok, retrying to save new key in FF cert store

Install the certificate into your browser
https://cacert1.it-sls.de/account.php?id=6&cert=259099&install
result: cert stored in cert store ... (or similar msg)

now cert is visible in FF cert store

Serno: 11:64
valid from/to: 21.09.2012 23:26:44 / 21.10.2012 23:26:44
owner:
E = certs.test@w.d
CN = CAcert WoT User
-> ok

cert-alternate-name
Nicht kritisch
E-Mail-Adresse: certs.test@w.d
-> ok


2. renew key
-------------------------------------------------------------
Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39

Name: Certs Sub Test -> ok
Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok
owner:
E = bug1054.3.6.3.user2@w.d
E = bug1054.3.6.3.user1@w.d
E = certs.test@w.d
CN = Certs Sub Test
-------------------------------------------------------------

Now renewing the following certificates:
Certificate for 'certs.test@w.d' has been renewed.
Click here to install your certificate.
https://cacert1.it-sls.de/account.php?id=6&cert=259100

x1)

link opens new window/tab ...
-> problem

Install your certificate
Install the certificate into your browser
https://cacert1.it-sls.de/account.php?id=6&cert=259100&install

cert saved to cert store

new cert in list:
     Valid certs.test@w.d 1165 Not Revoked 2012-10-21 21:41:56

prev cert not in main list
view all certs (cert still there)
Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39


cert 1165 details
serno: 11:65
valid from/to: 21.09.2012 23:41:56 / 21.10.2012 23:41:56 -> ok
owner:
E = bug1054.3.6.3.user2@w.d
E = bug1054.3.6.3.user1@w.d
E = certs.test@w.d
CN = Certs Sub Test
-> ok

extended key usage -> ok

cert-alternate-name:
Nicht kritisch
E-Mail-Adresse: certs.test@w.d
E-Mail-Adresse: bug1054.3.6.3.user1@w.d
E-Mail-Adresse: bug1054.3.6.3.user2@w.d
-> ok

=> all ok except problem of https://bugs.cacert.org/view.php?id=1017
   routine



x1)
runs into fix https://bugs.cacert.org/view.php?id=1017
/account.php?id=6 list 3 options
a. Install the certificate into your browser
b. Download the certificate in PEM format
c. Download the certificate in DER format
using a. with FF

Uli60

2012-09-21 22:23

updater   ~0003215

1054.3.6 part VI

server certs variation
renewal of cert

1. Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20

details original cert
openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4447 (0x115f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 12:19:20 2012 GMT
            Not After : Oct 21 12:19:20 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
....................................................................
=> ok


starting renewal:
Now renewing the following certificates:
Processing request 302035:
Renewing: test1.avintec.com

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

content saved to test1-renewal-115f-signed-c1.key

new key after renewal:
Valid test1.avintec.com 1166 Not Revoked 2012-10-21 22:06:42

old key 115f not visible in main server certs list
view all certs (shows in the list)
     Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20

details of server cert 0001166

openssl x509 -text -in test1-renewal-115f-signed-c1.key -noout
.................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4454 (0x1166)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 22:06:42 2012 GMT
            Not After : Oct 21 22:06:42 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> ok


2. Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43
details original cert
openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
.......................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4451 (0x1163)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 14:41:43 2012 GMT
            Not After : Oct 21 14:41:43 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
.......................................................................
=> ok

starting renewal:
Now renewing the following certificates:
Processing request 302038:
Renewing: test1.avintec.com

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

content saved to test2-renewal-1163-signed-c1.key

new key after renewal:
     Valid test1.avintec.com 1167 Not Revoked 2012-10-21 22:17:20

old key 1163 not visible in main server certs list
view all certs (shows in the list)
     Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43


details of server cert 0001166
openssl x509 -text -in test2-renewal-1163-signed-c1.key -noout
.................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4455 (0x1167)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Sep 21 22:17:20 2012 GMT
            Not After : Oct 21 22:17:20 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec
.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS
:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un
supported>, DNS:support.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
.................................................................
=> ok


=> all ok

Uli60

2012-09-21 23:48

updater   ~0003218

Last edited: 2012-09-21 23:50

1054.4.12
show_user_link() name="" -> "System" or "Deleted account"
under user account ulrich@c.o
admin console
Show Assurances the user gave (New calculation)
                               ^^^^^^^^^^^^^^^
assurance id: 255093
255093 11.08.2010 2010-08-11 01:00:44 Deleted account <=== 1 Testserver, -CCA Face to Face Meeting 2
=> ok

Uli60

2012-09-21 23:53

updater   ~0003219

1054.4.16

login to an "old" account with several "buggy" notary table entries
eg empty assurance method lines, tverify points, TTP points,
"yellow" lines
check new points calculation 15.php

login to admin account search user in admin interface
show member user received / gave new calculation

compare both tables

10.php
old calculations
mixed methods:
Face to Face Meeting, Administrative Increase, CT Magazine - Germany,
"Project-Id-Version: CAcert Production Report-Msgid-Bugs-To: translations-admin@cacert.org POT-Creation-Date: 2012-09-17 10:51+0200 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: FULL NAME Language-Team: LANGUAGE Language: en MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Generator: Translate Toolkit 1.9.0 " (!!!)
Thawte Points Transfer
assurance points rcvd total: 200

assurances given:
methods:
Face to Face Meeting, <empty> (was several TTP assurance), Thawte Points Transfer
assurance points given total: 2342

15.php
Summary of your Points
Description Points Countable Points Remark
Assurance Points you received 719 100 Limit reached
Total Experience Points by Assurance 270 50 Limit reached
Total Experience Points (other ways) 173 0 Limit reached
        Total Points 150 You may issue up to 35 points

assurance pts given:
Face to Face Meeting, <empty> (was several TTP assurance), Thawte Points Transfer
assurance points given total: 6024, EPs 270

assurance pts rcvd:
methods: Face to Face Meeting, Thawte Points Transfer, <empty> (was TTP),
Administrative Increase, CT Magazine - Germany
total pts: 719, EP 173


admin console
Show Assurances the user got (New calculation)
                              ^^^^^^^^^^^^^^^
methods: Face to Face Meeting, Thawte Points Transfer, <empty> (was TTP),
Administrative Increase, CT Magazine - Germany
total pts: 719, EP 173


Show Assurances the user gave (New calculation)
                               ^^^^^^^^^^^^^^^
methods: Face to Face Meeting, <empty> (was TTP), Thawte Points Transfer,
total points issued: 6024, EP 270

Uli60

2012-09-22 00:36

updater   ~0003220

Last edited: 2012-09-22 00:38

1054.4.18 + 1054.4.21
using outputs from 1054.4.16
print to pdf for better comparison

inspect 0 records under 10.php
inspect different assurance methods and their results
compare to related records (use assurance id)
under 15.php

tables switched between 10.php and 15.php,
table points rcvd is top in 10.php
                  is bottom in 15.php
table points given is bottom in 10.php
                   is top in 15.php

eg

10: 183546 / 2010-08-04 13:34:54 / John 5 Doe / 0 / CAcert Test Manager / F2F
15: 183546 / 2010-08-04 13:34:54 / John 5 Doe / 30 / CAcert Test Manager / F2F / 0
-> ok

10: 183324 / 2010-07-05 / Andreas Baess / 5 / Im Testsystem vertraue ich jedem :-) / F2F
15: 183324 / 2010-07-05 / Andreas Baess / 5 / Im Testsystem vertraue ich jedem :-) / F2F / 0
-> ok

10: 183502 / 04.08.2010 / Ulrich Schroeter / 2 / Testsystem, +CCA / Administrative Increase
15: not found
-> ok

10: 255390 / 2010-09-01 22:40:22 / Mario Lipinski / 0 / CT / CT Magazine
15: 255390 / 2010-09-01 22:40:22 / Mario Lipinski / Revoked / CT / CT Magazine / 0
-> ok

10: 255389 / 2010-09-01 22:39:14 / Mario Lipinski / 0 / Admin Incr. / Admin Incr.
15: 255389 / 2010-09-01 22:39:14 / Mario Lipinski / 9 / Admin Incr. / Admin Incr. / 0
-> ok

10: 255388 / 2010-09-01 22:37:23 / Mario Lipinski / 0 / TTP / x1)
15: 255388 / 2010-09-01 22:37:23 / Mario Lipinski / 100 / TTP / <empty> / 23
-> ok

10: 255383 / 2010-08-25 10:37:47 / Mario Lipinski / 50 / 38102 / Thawte Points Transfer
15: 255383 / 2010-08-25 10:37:47 / Mario Lipinski / Revoked / 38102 / Thawte Points Transfer / 0
-> ok


=> all ok


x1) Full text is:
Project-Id-Version: CAcert
Production Report-Msgid-
Bugs-To: translationsadmin@
cacert.org
POT-Creation-Date:
2012-09-17 10:51+0200
PO-Revision-Date:
YEAR-MO-DA HO:MI+ZONE
Last-Translator: FULL NAME
Language-Team: LANGUAGE
Language: en
MIME-Version: 1.0
Content-Type: text/plain;
charset=UTF-8
Content- Transfer-Encoding: 8bit
X-Generator: Translate Toolkit 1.9.0

Uli60

2012-10-16 13:36

updater   ~0003253

see report http://bugs.cacert.org/view.php?id=1101#c3252

Uli60

2012-10-23 22:39

updater   ~0003268

1054.5.1 test scenario
---------
created new account Bug1054.5.1.user1@w.d
verified

set flags board, tverify on an admin user
login
assure someone Bug1054.5.1.User1@w.d

only f2f or ttp available as selection
no tverify

https://cacert1.it-sls.de/tverify/index.php
file not found

=> ok

felixd

2015-04-07 20:08

updater   ~0005368

A patch is here: (including www/index.php) https://github.com/yellowant/cacert-devel/commits/bug-1054

Issue History

Date Modified Username Field Change
2012-05-31 04:01 INOPIAE New Issue
2012-05-31 04:01 INOPIAE Assigned To => dastrath
2012-08-27 13:25 NEOatNHNG Source_changeset_attached => cacert-devel testserver 563ebf3e
2012-08-27 13:25 Source_changeset_attached => cacert-devel testserver e2a8b5de
2012-08-27 13:35 NEOatNHNG Note Added: 0003161
2012-08-27 13:35 NEOatNHNG Status new => needs work
2012-08-28 10:02 Uli60 Relationship added related to 0000948
2012-08-28 10:40 Uli60 Note Added: 0003163
2012-08-28 12:11 NEOatNHNG Relationship deleted related to 0000948
2012-08-28 20:46 INOPIAE Note Added: 0003166
2012-08-28 20:46 INOPIAE Note Edited: 0003166
2012-08-28 20:54 INOPIAE Note Edited: 0003166
2012-08-28 20:57 Uli60 Relationship added related to 0000872
2012-08-28 21:21 INOPIAE Note Edited: 0003166
2012-08-28 22:03 Uli60 Note Added: 0003171
2012-08-28 22:40 NEOatNHNG Source_changeset_attached => cacert-devel testserver fedae61c
2012-08-28 22:40 NEOatNHNG Source_changeset_attached => cacert-devel testserver 56ca0c87
2012-08-28 22:52 Uli60 Note Added: 0003172
2012-08-28 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver 65e95932
2012-08-28 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver b11f8e96
2012-08-28 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver 6aa33870
2012-08-28 23:00 NEOatNHNG Source_changeset_attached => cacert-devel testserver 307f995b
2012-08-28 23:03 Uli60 Note Added: 0003173
2012-08-28 23:14 NEOatNHNG Note Added: 0003174
2012-09-04 21:54 Uli60 Note Added: 0003175
2012-09-04 22:00 Uli60 Note Added: 0003176
2012-09-04 22:02 Uli60 Note Edited: 0003176
2012-09-04 22:04 Uli60 Note Added: 0003177
2012-09-04 22:10 Uli60 Note Added: 0003178
2012-09-04 22:13 Uli60 Note Added: 0003179
2012-09-04 22:20 NEOatNHNG Source_changeset_attached => cacert-devel testserver 6f09dcf2
2012-09-04 22:20 Source_changeset_attached => cacert-devel testserver e1a89f57
2012-09-04 22:20 Source_changeset_attached => cacert-devel testserver cdf9692d
2012-09-04 22:26 Uli60 Note Added: 0003180
2012-09-04 23:07 Uli60 Note Added: 0003182
2012-09-11 21:02 Uli60 Note Edited: 0003182
2012-09-11 21:03 Uli60 Relationship added related to 0001096
2012-09-11 21:10 Uli60 Note Added: 0003185
2012-09-11 21:28 Uli60 Note Added: 0003186
2012-09-11 21:55 INOPIAE Note Added: 0003188
2012-09-11 23:37 Uli60 Note Added: 0003189
2012-09-11 23:38 Uli60 Assigned To dastrath => Ted
2012-09-11 23:39 Uli60 Relationship added related to 0000835
2012-09-11 23:40 Uli60 Relationship added related to 0001098
2012-09-12 00:51 Uli60 Note Added: 0003191
2012-09-12 16:24 Uli60 Note Added: 0003194
2012-09-18 21:24 Uli60 Note Added: 0003200
2012-09-18 21:40 NEOatNHNG Source_changeset_attached => cacert-devel testserver 5fcbbb05
2012-09-18 21:40 Source_changeset_attached => cacert-devel testserver 4a3440f3
2012-09-18 22:35 NEOatNHNG Source_changeset_attached => cacert-devel testserver 2d62ec44
2012-09-18 22:35 Source_changeset_attached => cacert-devel testserver 90765f64
2012-09-18 22:35 Source_changeset_attached => cacert-devel testserver 155844fd
2012-09-18 22:35 Source_changeset_attached => cacert-devel testserver d2d4a360
2012-09-19 00:21 Uli60 Note Added: 0003201
2012-09-19 00:45 NEOatNHNG Source_changeset_attached => cacert-devel testserver d0d9d817
2012-09-19 00:45 NEOatNHNG Source_changeset_attached => cacert-devel testserver 25a2c1ba
2012-09-19 00:50 Uli60 Note Added: 0003202
2012-09-19 00:54 Uli60 Note Edited: 0003202
2012-09-19 00:57 Uli60 Note Edited: 0003202
2012-09-19 10:36 Uli60 Relationship added related to 0000440
2012-09-20 21:54 Uli60 Note Added: 0003204
2012-09-21 12:52 Uli60 Note Added: 0003207
2012-09-21 13:12 Uli60 Note Added: 0003208
2012-09-21 14:47 Uli60 Note Added: 0003211
2012-09-21 21:48 Uli60 Note Added: 0003212
2012-09-21 21:53 Uli60 Relationship added related to 0001017
2012-09-21 21:57 Uli60 Relationship added related to 0001035
2012-09-21 22:23 Uli60 Note Added: 0003215
2012-09-21 23:48 Uli60 Note Added: 0003218
2012-09-21 23:50 Uli60 Note Edited: 0003218
2012-09-21 23:53 Uli60 Note Added: 0003219
2012-09-22 00:36 Uli60 Note Added: 0003220
2012-09-22 00:38 Uli60 Note Edited: 0003220
2012-09-23 11:23 Uli60 Relationship added related to 0001101
2012-10-02 23:45 NEOatNHNG Source_changeset_attached => cacert-devel testserver 8cd72df5
2012-10-02 23:45 Source_changeset_attached => cacert-devel testserver 80850ba4
2012-10-16 13:36 Uli60 Note Added: 0003253
2012-10-23 22:39 Uli60 Note Added: 0003268
2012-11-07 00:40 BenBE Source_changeset_attached => cacert-devel testserver 94e1086e
2012-11-07 00:40 Source_changeset_attached => cacert-devel testserver 826556f8
2012-12-20 19:09 Werner Dworak Relationship added parent of 0000301
2012-12-27 06:20 Werner Dworak Relationship added related to 0001042
2012-12-27 06:33 Werner Dworak Relationship added related to 0000827
2013-01-07 15:01 Werner Dworak Relationship added related to 0000114
2013-01-09 04:04 Werner Dworak Relationship added related to 0001134
2013-05-14 21:29 INOPIAE Relationship added related to 0001177
2013-05-14 21:29 INOPIAE Relationship deleted related to 0001177
2013-05-14 21:30 INOPIAE Relationship added child of 0001177
2013-10-24 13:18 Uli60 Relationship added related to 0001208
2013-10-24 13:36 Uli60 Relationship added related to 0001216
2014-09-02 20:52 INOPIAE Relationship deleted child of 0001177
2014-09-02 20:52 INOPIAE Relationship added related to 0001177
2015-04-07 20:08 felixd Note Added: 0005368
2015-04-07 20:08 felixd Status needs work => fix available
2015-05-05 22:01 BenBE Status fix available => needs review & testing