Additional PKI certificate validation test cases should be implemented
An important part of the PKI certificate validation testing is done in the UACTT job, but due to recent changes (#1307 (closed) and #1308 (closed)) some test cases are missing. The following test cases should be implemented (as unit test cases or additional UACTT scripts):
- A certificate is trusted if at least 1 certificate in the chain is trusted:
  - (all chain trusted => already tested in UACTT)
  - (leaf trusted only => already tested in UACTT)
  - 1 intermediate CA trusted only => cert trusted
  - 1 root CA trusted only (with intermediate certificates not trusted) => cert trusted
- Self-signed certificate with CA bit set to true (pathlen = 0) without CRL (backward compatibility):
  - if in trusted/cert => cert trusted
  - if in issuers/cert => cert not trusted
  - if self-signed pathlen=1 (test particular case of mbedtls) => cert not trusted
  - if self-signed pathlen is not present => cert not trusted
- Expired CRL:
  - if CRL should have been renewed (update time) => error due to revocation list "expired" in chain (no specific OPC UA error?)
Edited by Vincent Monfort