
OPCUA client should check the application URI of the server certificate #2032

Closed
5 tasks done
GregoireG-C opened this issue Dec 27, 2022 · 5 comments · Fixed by #2583
Labels: certificates (Related to certificates); compliance (An issue was found which is not compliant with the OPC UA specification.)

Comments

@GregoireG-C

Type of issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Current Behavior

The OPCUA client verifies the following points concerning the server certificate:

  • it is trusted
  • its certificate chain is valid
  • its certificate chain is completely known
  • its CRL is valid and none of the certificates in the chain is revoked
  • its time validity is not expired or not 'not yet valid'
  • the DNS name matches the server machine
  • ...

But the client does not check the ApplicationUri of the server presented in its application certificate.

Expected Behavior

The client should verify the applicationUri of the server certificate.

Steps To Reproduce

1. Compile the sample client and the standard UA server
2. Connect using Sign or Sign&Encrypt to the server, the server using a certificate presenting an applicationUri that is null or different from the one present in its configuration file
3. The client accepts the connection.

Environment

- OS: Windows 10
- Environment: Visual Studio 2019
- Runtime: .NET 4.6.2
- Server: Reference server
- Client: Reference client

Anything else?

No response

@GregoireG-C (Author)

According to the standard part 4 - Service Release:
§5.4.1 Discovery Service Set:

[...]
A Client shall be careful when using the information returned from a DiscoveryEndpoint since it
has no security. A Client does this by comparing the information returned from the
DiscoveryEndpoint to the information returned in the CreateSession response. A Client shall verify
that:
a) The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri
provided in the EndpointDescription.
[...]

=> This suggests that the client must verify that the applicationUri presented in the endpoint descriptions and in the server certificate in the GetEndpointResponse match.

@GregoireG-C (Author)

I suggest the following modification in Opc.Ua.Client.Session, public method Open:

if (checkDomain)
{
    m_configuration.CertificateValidator.Validate(serverCertificateChain, m_endpoint);
    //Modification - Begin
    // Verify that the applicationUri in the server certificate matches the applicationUri
    // announced in the ApplicationDescription of the endpoint.
    string certificateApplicationUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
    string endpointApplicationUri = m_endpoint.Description.Server.ApplicationUri;

    if (String.IsNullOrEmpty(certificateApplicationUri) || String.IsNullOrEmpty(endpointApplicationUri))
    {
        // One side states no applicationUri at all: refuse, there is nothing to compare.
        throw new Exception(
            "Server certificate is refused. The applicationUri in the certificate " +
            "or in the endpoint description is null.");
    }

    if (certificateApplicationUri != endpointApplicationUri)
    {
        // Both sides state a URI but they differ: refuse and report both values.
        throw new Exception(
            string.Format("Server certificate is refused. The applicationUri does not match: " +
            "-Certificate applicationUri='{0}', -EndpointDescription applicationUri='{1}'",
            certificateApplicationUri, endpointApplicationUri));
    }
    //Modification - End
}
else
{
    m_configuration.CertificateValidator.Validate(serverCertificateChain);
}
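As an added, stand-alone example (mine, not code from the OPC UA .NET Standard stack or from the issue author), this is the check argued for in the quoted Part 4 text and sketched in the patch above, taken one level deeper: instead of relying on the stack's X509Utils helper it reads the uniformResourceIdentifier entry of the server certificate's SubjectAlternativeName with System.Formats.Asn1, compares it ordinally with the ApplicationUri announced in the EndpointDescription, and refuses both a mismatch and a missing URI on either side. It assumes .NET 6 or later; the certificate built in Main, the URI it carries, the ApplicationUriMismatchException type, the rule that the first URI entry is the ApplicationUri, and the remark about StatusCodes.BadCertificateUriInvalid are my assumptions, not taken from the page.

```csharp
// Added example, not code from the OPC UA .NET Standard stack. Assumes .NET 6+
// (System.Formats.Asn1 and CertificateRequest are built in; on .NET Framework
// the System.Formats.Asn1 NuGet package supplies AsnReader).
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical exception type; the stack would raise a ServiceResultException
// (assumed: with StatusCodes.BadCertificateUriInvalid) at this point instead.
public sealed class ApplicationUriMismatchException : Exception
{
    public ApplicationUriMismatchException(string message) : base(message) { }
}

public static class ApplicationUriCheck
{
    private const string SubjectAltNameOid = "2.5.29.17";

    // Returns every uniformResourceIdentifier entry ([6] IA5String) of the
    // SubjectAlternativeName extension. An OPC UA application instance
    // certificate carries its ApplicationUri as such an entry.
    public static List<string> GetSanUris(X509Certificate2 certificate)
    {
        var uris = new List<string>();
        var uriTag = new Asn1Tag(TagClass.ContextSpecific, 6);
        foreach (X509Extension ext in certificate.Extensions)
        {
            if (ext.Oid?.Value != SubjectAltNameOid) continue;

            // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
            AsnReader names = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
            while (names.HasData)
            {
                if (names.PeekTag().HasSameClassAndValue(uriTag))
                    uris.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
                else
                    names.ReadEncodedValue(); // dNSName, iPAddress, ...: skipped here
            }
        }
        return uris;
    }

    // Returns the accepted URI, or throws. The first URI entry is taken as the
    // ApplicationUri (assumption). A missing URI on either side is refused too:
    // without both values nothing can be compared, and accepting silently would
    // make the check a no-op for exactly the certificates the issue describes.
    public static string VerifyApplicationUri(X509Certificate2 serverCertificate, string endpointApplicationUri)
    {
        List<string> certUris = GetSanUris(serverCertificate);
        string certificateApplicationUri = certUris.Count > 0 ? certUris[0] : null;

        if (string.IsNullOrEmpty(certificateApplicationUri) || string.IsNullOrEmpty(endpointApplicationUri))
            throw new ApplicationUriMismatchException(
                "Server certificate is refused: the applicationUri in the certificate " +
                "or in the endpoint description is missing.");

        // Ordinal comparison: the two strings must be identical character for character.
        if (!string.Equals(certificateApplicationUri, endpointApplicationUri, StringComparison.Ordinal))
            throw new ApplicationUriMismatchException(
                $"Server certificate is refused: certificate applicationUri='{certificateApplicationUri}', " +
                $"endpoint applicationUri='{endpointApplicationUri}'.");

        return certificateApplicationUri;
    }

    // Constructed demonstration: a self-signed certificate carrying a hypothetical
    // server URI, checked against a matching, a different and an empty endpoint URI.
    public static void Main()
    {
        const string serverUri = "urn:example-host:OPCFoundation:SampleServer";
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=SampleServer", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("example-host");
        san.AddUri(new Uri(serverUri));
        request.CertificateExtensions.Add(san.Build());
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        Console.WriteLine("accepted: " + VerifyApplicationUri(cert, serverUri));
        foreach (string endpointUri in new[] { "urn:other-host:OPCFoundation:SampleServer", "" })
        {
            try { VerifyApplicationUri(cert, endpointUri); }
            catch (ApplicationUriMismatchException e) { Console.WriteLine(e.Message); }
        }
    }
}
```

The comparison is deliberately ordinal and exact; any URI normalisation (case, percent-encoding) would have to be justified against the specification before being introduced, since a lenient comparison widens what a client accepts.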

@mregen mregen added compliance An issue was found which is not compliant with the OPC UA specification. certificates Related to certificates labels Apr 5, 2024
@mregen mregen added this to the April Update milestone Apr 5, 2024
@mregen (Contributor) commented Apr 5, 2024

The application Uri should always be checked against the information in the endpoint.

@romanett romanett self-assigned this Apr 5, 2024
@mregen (Contributor) commented Apr 9, 2024

Hi @GregoireG-C, is this topic no longer an issue? We were planning to include your fix in the next release, please share if it is not necessary.

@GregoireG-C GregoireG-C reopened this Apr 9, 2024
@GregoireG-C (Author)

It's still an issue. I closed it because you have added this one to a milestone, so I have no reason to follow it. I will let you close it then.

Best regards
