check Application URI of the server Certificate on OpenSecureChannel #2583
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #2583 +/- ##
==========================================
+ Coverage 54.52% 54.59% +0.07%
==========================================
Files 342 342
Lines 65044 65054 +10
Branches 13331 13334 +3
==========================================
+ Hits 35462 35517 +55
+ Misses 25728 25679 -49
- Partials 3854 3858 +4
@@ -2319,6 +2319,7 @@ public ReferenceDescriptionCollection FetchReferences(NodeId nodeId) | |||
|
|||
if (requireEncryption) | |||
{ | |||
ValidateServerCertificateApplicationUri(serverCertificate); | |||
if (checkDomain) |
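Review bot: The `ValidateServerCertificateApplicationUri(serverCertificate)` call at the top of the `if (requireEncryption)` block needs a comment and a test for the empty case: from these lines a reader cannot tell which value the certificate's URI is compared against, or whether a certificate or endpoint with no ApplicationUri throws or is silently accepted. A one-line comment citing the spec clause would cover the first point. Also note that, unlike the branch under `if (checkDomain)`, the new call has no flag guarding it, so every encrypted connection is now subject to it; if that is intended, say so in the change notes so that deployments with mismatched URIs know why connections start failing.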
Technically the spec outlines to check the responses, but since the cert in the response is already binary-compared to this one, this is a good place to catch a misaligned application URI before connection! 👍🏼
Let's check if an undefined application URI also throws and is not ignored.
To create a test you would need to override some methods of the session to be able to change the endpoint description. Can someone provide a hint?
I did some additional manual testing both and cases disallow a new connection:
Proposed changes
Implement OpenSecureChannel in compliance with
Spec Part 5.4.1
The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription.
Related Issues
Types of changes
Checklist
Further comments
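
The comparison the description quotes from the spec, sketched as an added C# example; it is not code from this pull request or from the OPC UA stack. The class and method names, the sample URIs, the exact (ordinal) match and the choice to reject an empty ApplicationUri on either side are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ApplicationUriCheck // hypothetical name, not the stack's API
{
    // Collect URI entries from subjectAltName (OID 2.5.29.17); GeneralName tag [6] is a URI.
    public static List<string> GetSanUris(X509Certificate2 cert)
    {
        var uris = new List<string>();
        var uriTag = new Asn1Tag(TagClass.ContextSpecific, 6);
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value != "2.5.29.17") continue;
            AsnReader names = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
            while (names.HasData)
                if (names.PeekTag().HasSameClassAndValue(uriTag))
                    uris.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
                else
                    names.ReadEncodedValue(); // skip DNS names, IP addresses and other entries
        }
        return uris;
    }

    // Assumption: a missing URI on either side is a failure, never a skipped check.
    public static void Validate(X509Certificate2 cert, string endpointApplicationUri)
    {
        if (string.IsNullOrEmpty(endpointApplicationUri))
            throw new CryptographicException("EndpointDescription has no ApplicationUri.");
        List<string> uris = GetSanUris(cert);
        if (uris.Count == 0)
            throw new CryptographicException("Server certificate has no ApplicationUri.");
        if (!uris.Contains(endpointApplicationUri)) // ordinal string comparison
            throw new CryptographicException("Certificate and endpoint ApplicationUri differ.");
    }

    static void Main()
    {
        // Constructed sample: a self-signed certificate carrying a made-up ApplicationUri.
        var san = new SubjectAlternativeNameBuilder();
        san.AddUri(new Uri("urn:example:ua:sampleserver"));
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=SampleServer", key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(san.Build());
        using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        Validate(cert, "urn:example:ua:sampleserver"); // matching endpoint URI
        foreach (string bad in new[] { "urn:example:ua:other", "" }) // mismatched and empty endpoint URIs
            try { Validate(cert, bad); } catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```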