OPCFoundation · mregen · May 2, 2024 · Apr 11, 2024 · Apr 11, 2024 · Apr 12, 2024
diff --git a/Libraries/Opc.Ua.Client/Session.cs b/Libraries/Opc.Ua.Client/Session.cs
@@ -2319,6 +2319,7 @@
 
                 if (requireEncryption)
                 {
+                    ValidateServerCertificateApplicationUri(serverCertificate);
                     if (checkDomain)
                     {
                         m_configuration.CertificateValidator.Validate(serverCertificateChain, m_endpoint);
@@ -5264,6 +5265,28 @@
                     !String.IsNullOrEmpty(identityPolicy.SecurityPolicyUri);
             }
         }
+        /// <summary>
+        /// Validates the ServerCertificate ApplicationUri to match the ApplicationUri of the Endpoint for an open call (Spec Part 4 5.4.1)
+        /// </summary>
+        private void ValidateServerCertificateApplicationUri(
+            X509Certificate2 serverCertificate)
+        {
+            var applicationUri = m_endpoint?.Description?.Server?.ApplicationUri;
+            //check is only neccessary if the ApplicatioUri is specified for the Endpoint
+            if (string.IsNullOrEmpty(applicationUri))
+            {
+                throw ServiceResultException.Create(
+                    StatusCodes.BadSecurityChecksFailed,
+                    "No ApplicationUri is specified for the server in the EndpointDescription.");
+            }
+            string certificateApplicationUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
+            if (!string.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal))
+            {
+                throw ServiceResultException.Create(
+                    StatusCodes.BadSecurityChecksFailed,
+                    "Server did not return a Certificate matching the ApplicationUri specified in the EndpointDescription.");
+            }
+        }
 
         private void BuildCertificateData(out byte[] clientCertificateData, out byte[] clientCertificateChainData)
         {

diff --git a/Libraries/Opc.Ua.Client/SessionAsync.cs b/Libraries/Opc.Ua.Client/SessionAsync.cs
@@ -93,6 +93,7 @@ public partial class Session : SessionClientBatched, ISession
 
                 if (requireEncryption)
                 {
+                    ValidateServerCertificateApplicationUri(serverCertificate);
                     if (checkDomain)
                     {
                         await m_configuration.CertificateValidator.ValidateAsync(serverCertificateChain, m_endpoint, ct).ConfigureAwait(false);