Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

check Application URI of the server Certificate on OpenSecureChannel #2583

Merged
merged 3 commits into from May 2, 2024
Merged

check Application URI of the server Certificate on OpenSecureChannel #2583

merged 3 commits into from May 2, 2024

Conversation

romanett
Copy link
Contributor

Proposed changes

Implement OpenSecureChannel in compliance with
Spec Part 5.4.1

The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription.

Related Issues

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • Enhancement (non-breaking change which adds functionality)
  • Test enhancement (non-breaking change to increase test coverage)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
  • Documentation Update (if none of the other choices apply)

Checklist

  • I have read the CONTRIBUTING doc.
  • I have signed the CLA.
  • I ran tests locally with my changes, all passed.
  • I fixed all failing tests in the CI pipelines.
  • I fixed all introduced issues with CodeQL and LGTM.
  • I have added tests that prove my fix is effective or that my feature works and increased code coverage.
  • I have added necessary documentation (if appropriate).
  • Any dependent changes have been merged and published in downstream modules.

Further comments

@romanett romanett self-assigned this Apr 11, 2024
@romanett romanett added this to the April Update milestone Apr 11, 2024
@codecov Codecov
Copy link

codecov bot commented Apr 11, 2024
edited

Codecov Report

Attention: Patch coverage is 30.76923% with 9 lines in your changes are missing coverage. Please review.

Project coverage is 54.59%. Comparing base (fb0fc44) to head (c925e68).
Report is 3 commits behind head on master.

Files Patch % Lines
Libraries/Opc.Ua.Client/Session.cs 25.00% 6 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2583      +/-   ##
==========================================
+ Coverage   54.52%   54.59%   +0.07%     
==========================================
  Files         342      342              
  Lines       65044    65054      +10     
  Branches    13331    13334       +3     
==========================================
+ Hits        35462    35517      +55     
+ Misses      25728    25679      -49     
- Partials     3854     3858       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

mregen
mregen reviewed Apr 11, 2024
View reviewed changes
Libraries/Opc.Ua.Client/Session.cs
@@ -2319,6 +2319,7 @@ public ReferenceDescriptionCollection FetchReferences(NodeId nodeId)

if (requireEncryption)
{
ValidateServerCertificateApplicationUri(serverCertificate);
if (checkDomain)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

technically the spec outlines to check the responses, but since the cert in the response is already binary compared to this one this is a good place to catch a misaligned application uri before connection! 👍🏼

mregen
mregen requested changes Apr 11, 2024
View reviewed changes
Copy link
Contributor

@mregen mregen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets check if a undefined application uri also throw and not be ignored.

@romanett romanett marked this pull request as draft April 11, 2024 06:34
@romanett
Copy link
Contributor Author

romanett commented Apr 12, 2024
edited

To create a test you would need to override some methods of the session to be able to change the endpoint description, can someone provide a hint?

@romanett romanett requested a review from mregen April 12, 2024 11:38
@romanett romanett marked this pull request as ready for review April 18, 2024 15:41
@romanett
Copy link
Contributor Author

I did some additional manual testing both and cases disallow a new connection:

  • server with Application Uri in Cert not matching the returned Endpoint Description
  • EndPointDescription without specified ApplicationUri

@mregen mregen merged commit f081d51 into OPCFoundation:master May 2, 2024
72 of 73 checks passed
@romanett romanett deleted the ClientCheckServerUri branch May 2, 2024 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mregen mregen mregen approved these changes

@mrsuciu mrsuciu Awaiting requested review from mrsuciu

@ThomasNehring ThomasNehring Awaiting requested review from ThomasNehring

Assignees

@romanett romanett

Labels
None yet
Projects
None yet
Milestone
April Update
Development

Successfully merging this pull request may close these issues.

OPCUA client should check the application URI of the server certifiate
2 participants
@romanett @mregen