Check server application Uri with the create session response

[mregen]

Proposed changes

Address two issues:

• Instead of checking the application Uri wiith the discovered endpoint move the check to the result of the create session response, which then contains the application Uri returned from the server.
• Support that the server certificate may contain multiple application Uri and check all for a match.

Related Issues

• Fixes Add a 1.05 update notice #2709
• Add CheckApplicationUri flag #2721
• check Application URI of the server Certificate on OpenSecureChannel #2583
• OPCUA client should check the application URI of the server certifiate #2032

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

[codecov]

Codecov Report

Attention: Patch coverage is 64.35644% with 36 lines in your changes missing coverage. Please review.

Project coverage is 54.73%. Comparing base (9b0e480) to head (7d3ec37).
Report is 3 commits behind head on master.

Files	Patch %	Lines
Libraries/Opc.Ua.Client/Session/Session.cs	65.30%	10 Missing and 7 partials ⚠️
...raries/Opc.Ua.Configuration/ApplicationInstance.cs	46.66%	5 Missing and 3 partials ⚠️
Libraries/Opc.Ua.Server/Server/StandardServer.cs	60.00%	5 Missing and 1 partial ⚠️
...ack/Opc.Ua.Core/Security/Certificates/X509Utils.cs	50.00%	1 Missing and 1 partial ⚠️
Libraries/Opc.Ua.Client/ReverseConnectManager.cs	0.00%	1 Missing ⚠️
...ies/Opc.Ua.Gds.Client.Common/CertificateWrapper.cs	0.00%	1 Missing ⚠️
Stack/Opc.Ua.Core/Stack/Server/ServerBase.cs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2731      +/-   ##
==========================================
- Coverage   55.01%   54.73%   -0.29%     
==========================================
  Files         349      349              
  Lines       65872    66565     +693     
  Branches    13492    13691     +199     
==========================================
+ Hits        36242    36434     +192     
- Misses      25777    26215     +438     
- Partials     3853     3916      +63     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mregen]

return an empty string to be backward compatible?

[mregen]

Added Mantis for clarifactionof spec: https://mantis.opcfoundation.org/view.php?id=9795

[opcfoundation-org]

Need logic to pick the right one.

[opcfoundation-org]

Why not noMatch = certificateApplicationUris .Where(x => String.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal).Any()

[mregen]

you never know what Linq is up to...

[opcfoundation-org]

Need a better way to pick the right one.

[opcfoundation-org]

Need a better way to pick the right one.

[opcfoundation-org]

Need to add a better way to pick a URI

[mregen]

@BoBiene @ilyanikolaeff @GregoireG-C please check if this implementation would work for you.

[ilyanikolaeff]

@BoBiene @ilyanikolaeff @GregoireG-C please check if this implementation would work for you.

In my case I get error

Opc.Ua.ServiceResultException: Server did not return the ApplicationUri in the EndpointDescription that is used in the server certificate.

This solution doesn't work for me.

[mregen]

Thanks @ilyanikolaeff, sounds like we still need a bypass flag..
Could you try again and provide me the error message, I pushed a small update which reveals more information.
Can you share what type of server you are dealing with or is there a public endpoint, to understand better what is missing from the server side.

[ilyanikolaeff]

Thanks @ilyanikolaeff, sounds like we still need a bypass flag.. Could you try again and provide me the error message, I pushed a small update which reveals more information. Can you share what type of server you are dealing with or is there a public endpoint, to understand better what is missing from the server side.

Error same. I can provide StackTrace if you need.

I'm using WinCC OA 3.11 Opc Ua server with custom certificate (Basic128Rsa15). Server returns ApplicationUri - PVSS, Certificate ApplicationUri - WinCC OA. I can't change settings or certificate because server works in production - my application just client that susbcribes to nodes changes.

Btw, I'll tried manually change ApplicationUri in EndpointDescription when connecting - this works too, but failed with mismatch app uri when reconnect (using default ReconnectHandler like in UA Client samples).

P.S. I'm using UaExpert as test client (latest version). It's signal error about mismatch ApplicationUri, but allow ignore it.

[mregen]

Hi @ilyanikolaeff, I looked into integration in the validation loop but I think we run then into other issues, e.g. multiple callbacks. For the next release I would just disable the check as we need some time to come up with a better solution. Thanks for the insights!