check Application URI of the server Certificate on OpenSecureChannel (#…

…2583) - Implement OpenSecureChannel in compliance with Spec Part 5.4.1 - check Application URI of the server Certificate on OpenSecureChannel - The ApplicationUri specified in the Server Certificate must match the ApplicationUri provided in the EndpointDescription.
OPCFoundation · May 2, 2024 · f081d51 · f081d51
1 parent 9cd4536
commit f081d51
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/Libraries/Opc.Ua.Client/Session.cs b/Libraries/Opc.Ua.Client/Session.cs
@@ -2319,6 +2319,7 @@ public ReferenceDescriptionCollection FetchReferences(NodeId nodeId)
 
                 if (requireEncryption)
                 {
+                    ValidateServerCertificateApplicationUri(serverCertificate);
                     if (checkDomain)
                     {
                         m_configuration.CertificateValidator.Validate(serverCertificateChain, m_endpoint);
@@ -5264,6 +5265,28 @@ public bool ResendData(IEnumerable<Subscription> subscriptions, out IList<Servic
                     !String.IsNullOrEmpty(identityPolicy.SecurityPolicyUri);
             }
         }
+        /// <summary>
+        /// Validates the ServerCertificate ApplicationUri to match the ApplicationUri of the Endpoint for an open call (Spec Part 4 5.4.1)
+        /// </summary>
+        private void ValidateServerCertificateApplicationUri(
+            X509Certificate2 serverCertificate)
+        {
+            var applicationUri = m_endpoint?.Description?.Server?.ApplicationUri;
+            //check is only neccessary if the ApplicatioUri is specified for the Endpoint
+            if (string.IsNullOrEmpty(applicationUri))
+            {
+                throw ServiceResultException.Create(
+                    StatusCodes.BadSecurityChecksFailed,
+                    "No ApplicationUri is specified for the server in the EndpointDescription.");
+            }
+            string certificateApplicationUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
+            if (!string.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal))
+            {
+                throw ServiceResultException.Create(
+                    StatusCodes.BadSecurityChecksFailed,
+                    "Server did not return a Certificate matching the ApplicationUri specified in the EndpointDescription.");
+            }
+        }
 
         private void BuildCertificateData(out byte[] clientCertificateData, out byte[] clientCertificateChainData)
         {

diff --git a/Libraries/Opc.Ua.Client/SessionAsync.cs b/Libraries/Opc.Ua.Client/SessionAsync.cs
@@ -93,6 +93,7 @@ public partial class Session : SessionClientBatched, ISession
 
                 if (requireEncryption)
                 {
+                    ValidateServerCertificateApplicationUri(serverCertificate);
                     if (checkDomain)
                     {
                         await m_configuration.CertificateValidator.ValidateAsync(serverCertificateChain, m_endpoint, ct).ConfigureAwait(false);