Check server application Uri with the create session response #2731

opcfoundation-org · 2024-08-22T10:58:48Z

Need logic to pick the right one.

opcfoundation-org · 2024-08-22T11:00:40Z

Why not noMatch = certificateApplicationUris .Where(x => String.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal).Any()

you never know what Linq is up to...

opcfoundation-org · 2024-08-22T11:04:47Z

Need a better way to pick the right one.

opcfoundation-org · 2024-08-22T11:05:01Z

Need a better way to pick the right one.

mregen · 2024-08-22T09:03:50Z

return an empty string to be backward compatible?

-Original file line number
+Diff line change
@@ Expand Up / @@ -163,7 +163,7 @@ @@
                     EventHandler<ConnectionWaitingEventArgs> onConnectionWaiting) :
                     this(endpointUrl, onConnectionWaiting)
                 {
-                    ServerUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
+                    ServerUri = X509Utils.GetApplicationUrisFromCertificate(serverCertificate).FirstOrDefault();
                 }
                 private Registration(
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -2338,7 +2338,6 @@ @@
                     if (requireEncryption)
                     {
-                        ValidateServerCertificateApplicationUri(serverCertificate);
                         if (checkDomain)
                         {
                             m_configuration.CertificateValidator.Validate(serverCertificateChain, m_endpoint);
@@ Expand Down Expand Up / @@ -2417,24 +2416,24 @@ @@
                 if (!successCreateSession)
                 {
                     base.CreateSession(
-                            null,
-                            clientDescription,
-                            m_endpoint.Description.Server.ApplicationUri,
-                            m_endpoint.EndpointUrl.ToString(),
-                            sessionName,
-                            clientNonce,
-                            clientCertificateChainData != null ? clientCertificateChainData : clientCertificateData,
-                            sessionTimeout,
-                            (uint)MessageContext.MaxMessageSize,
-                            out sessionId,
-                            out sessionCookie,
-                            out m_sessionTimeout,
-                            out serverNonce,
-                            out serverCertificateData,
-                            out serverEndpoints,
-                            out serverSoftwareCertificates,
-                            out serverSignature,
-                            out m_maxRequestMessageSize);
+                        null,
+                        clientDescription,
+                        m_endpoint.Description.Server.ApplicationUri,
+                        m_endpoint.EndpointUrl.ToString(),
+                        sessionName,
+                        clientNonce,
+                        clientCertificateChainData != null ? clientCertificateChainData : clientCertificateData,
+                        sessionTimeout,
+                        (uint)MessageContext.MaxMessageSize,
+                        out sessionId,
+                        out sessionCookie,
+                        out m_sessionTimeout,
+                        out serverNonce,
+                        out serverCertificateData,
+                        out serverEndpoints,
+                        out serverSoftwareCertificates,
+                        out serverSignature,
+                        out m_maxRequestMessageSize);
                 }
                 // save session id.
@@ Expand All / @@ -2456,6 +2455,8 @@ @@
                     ValidateServerEndpoints(serverEndpoints);
+                    ValidateServerCertificateApplicationUri(m_endpoint, serverCertificate);
                     ValidateServerSignature(serverCertificate, serverSignature, clientCertificateData, clientCertificateChainData, clientNonce);
                     HandleSignedSoftwareCertificates(serverSoftwareCertificates);
@@ Expand Down Expand Up / @@ -5352,26 +5353,44 @@ @@
                         !String.IsNullOrEmpty(identityPolicy.SecurityPolicyUri);
                 }
             }
             /// <summary>
-            /// Validates the ServerCertificate ApplicationUri to match the ApplicationUri of the Endpoint for an open call (Spec Part 4 5.4.1)
+            /// Validates the ServerCertificate ApplicationUri to match the ApplicationUri
+            /// of the Endpoint (Spec Part 4 5.4.1) returned by the CreateSessionResponse.
+            /// Ensure the endpoint was matched in <see cref="ValidateServerEndpoints"/>
+            /// with the applicationUri of the server description before the validation.
             /// </summary>
-            private void ValidateServerCertificateApplicationUri(
-                X509Certificate2 serverCertificate)
+            private static void ValidateServerCertificateApplicationUri(ConfiguredEndpoint endpoint, X509Certificate2 serverCertificate)
             {
-                var applicationUri = m_endpoint?.Description?.Server?.ApplicationUri;
-                //check is only neccessary if the ApplicatioUri is specified for the Endpoint
-                if (string.IsNullOrEmpty(applicationUri))
+                if (serverCertificate != null)
                 {
-                    throw ServiceResultException.Create(
-                        StatusCodes.BadSecurityChecksFailed,
-                        "No ApplicationUri is specified for the server in the EndpointDescription.");
-                }
-                string certificateApplicationUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
-                if (!string.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal))
-                {
-                    throw ServiceResultException.Create(
-                        StatusCodes.BadSecurityChecksFailed,
-                        "Server did not return a Certificate matching the ApplicationUri specified in the EndpointDescription.");
+                    var applicationUri = endpoint?.Description?.Server?.ApplicationUri;
+                    // check that an ApplicatioUri is specified for the Endpoint
+                    if (string.IsNullOrEmpty(applicationUri))
+                    {
+                        throw ServiceResultException.Create(
+                            StatusCodes.BadSecurityChecksFailed,
+                            "Server did not return an ApplicationUri in the EndpointDescription.");
+                    }
+                    bool noMatch = true;
+                    var certificateApplicationUris = X509Utils.GetApplicationUrisFromCertificate(serverCertificate);
+                    foreach (var certificateApplicationUri in certificateApplicationUris)
+                    {
+                        if (string.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal))
+                        {
+                            noMatch = false;
+                            break;
+                        }
+                    }
+                    if (noMatch)
+                    {
+                        throw ServiceResultException.Create(
+                            StatusCodes.BadSecurityChecksFailed,
+                            "Server did not return the ApplicationUri in the EndpointDescription that is used in the server certificate.");
+                    }
                 }
             }
@@ Expand Down Expand Up / @@ -5538,7 +5557,7 @@ @@
                     }
                 }
-                // find the matching description (TBD - check domains against certificate).
+                // find the matching description (TBD - check domains and application URI against certificate).
                 bool found = false;
                 var foundDescription = FindMatchingDescription(serverEndpoints, m_endpoint.Description, true);
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -93,7 +93,6 @@ public async Task OpenAsync( @@
                     if (requireEncryption)
                     {
-                        ValidateServerCertificateApplicationUri(serverCertificate);
                         if (checkDomain)
                         {
                             await m_configuration.CertificateValidator.ValidateAsync(serverCertificateChain, m_endpoint, ct).ConfigureAwait(false);
@@ Expand Down Expand Up / @@ -201,6 +200,8 @@ public async Task OpenAsync( @@
                     ValidateServerEndpoints(serverEndpoints);
+                    ValidateServerCertificateApplicationUri(m_endpoint, serverCertificate);
                     ValidateServerSignature(serverCertificate, serverSignature, clientCertificateData, clientCertificateChainData, clientNonce);
                     HandleSignedSoftwareCertificates(serverSoftwareCertificates);
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
                 }
                 // check uri.
-                string applicationUri = X509Utils.GetApplicationUriFromCertificate(certificate);
+                string applicationUri = X509Utils.GetApplicationUrisFromCertificate(certificate).FirstOrDefault();
                 if (String.IsNullOrEmpty(applicationUri))
                 {
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ @@
     using System;
     using System.Collections.Generic;
+    using System.Linq;
     using System.Runtime.Serialization;
     using System.Security.Cryptography.X509Certificates;
     using Opc.Ua.Security.Certificates;
@@ Expand Down Expand Up / @@ -213,7 +214,7 @@ @@
                     {
                         try
                         {
-                            return X509Utils.GetApplicationUriFromCertificate(Certificate);
+                            return X509Utils.GetApplicationUrisFromCertificate(Certificate).FirstOrDefault();
                         }
                         catch (Exception e)
                         {
@@ Expand Down @@

Check server application Uri with the create session response #2731

Are you sure you want to change the base?

Check server application Uri with the create session response #2731

Diff view

Diff view

There are no files selected for viewing

Codecov / codecov/patch

opcfoundation-org Aug 22, 2024

Choose a reason for hiding this comment

Codecov / codecov/patch

opcfoundation-org Aug 22, 2024

Choose a reason for hiding this comment

mregen Aug 22, 2024

Choose a reason for hiding this comment

Codecov / codecov/patch

opcfoundation-org Aug 22, 2024

Choose a reason for hiding this comment

Codecov / codecov/patch

opcfoundation-org Aug 22, 2024

Choose a reason for hiding this comment

GitHub Actions / test-ubuntu-latest-Core

GitHub Actions / test-ubuntu-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-Security.Certificates

GitHub Actions / test-ubuntu-latest-Configuration

GitHub Actions / test-windows-latest-Core

GitHub Actions / test-macOS-latest-PubSub

GitHub Actions / test-windows-latest-Security.Certificates

GitHub Actions / test-windows-latest-Configuration

GitHub Actions / test-windows-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-PubSub

GitHub Actions / test-ubuntu-latest-Gds

GitHub Actions / test-ubuntu-latest-Server

GitHub Actions / test-windows-latest-PubSub

GitHub Actions / test-windows-latest-Gds

GitHub Actions / test-ubuntu-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-Core

GitHub Actions / test-macOS-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-Configuration

GitHub Actions / test-ubuntu-latest-Security.Certificates

GitHub Actions / test-windows-latest-Server

GitHub Actions / test-windows-latest-Core

GitHub Actions / test-ubuntu-latest-PubSub

GitHub Actions / test-ubuntu-latest-Gds

GitHub Actions / test-windows-latest-Client.ComplexTypes

GitHub Actions / test-windows-latest-Configuration

GitHub Actions / test-ubuntu-latest-Server

GitHub Actions / test-macOS-latest-Security.Certificates

GitHub Actions / test-windows-latest-Security.Certificates

GitHub Actions / test-windows-latest-Gds

GitHub Actions / test-windows-latest-PubSub

GitHub Actions / test-windows-latest-Server

GitHub Actions / test-macOS-latest-Client

GitHub Actions / test-ubuntu-latest-Client

GitHub Actions / test-windows-latest-Client

GitHub Actions / test-ubuntu-latest-Client

GitHub Actions / test-windows-latest-Client

GitHub Actions / Analyze (csharp)

GitHub Actions / test-ubuntu-latest-Core

GitHub Actions / test-ubuntu-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-Security.Certificates

GitHub Actions / test-ubuntu-latest-Configuration

GitHub Actions / test-windows-latest-Core

GitHub Actions / test-macOS-latest-PubSub

GitHub Actions / test-windows-latest-Security.Certificates

GitHub Actions / test-windows-latest-Configuration

GitHub Actions / test-windows-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-PubSub

GitHub Actions / test-ubuntu-latest-Gds

GitHub Actions / test-ubuntu-latest-Server

GitHub Actions / test-windows-latest-PubSub

GitHub Actions / test-windows-latest-Gds

GitHub Actions / test-ubuntu-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-Core

GitHub Actions / test-macOS-latest-Client.ComplexTypes

GitHub Actions / test-ubuntu-latest-Configuration

GitHub Actions / test-ubuntu-latest-Security.Certificates

GitHub Actions / test-windows-latest-Server

GitHub Actions / test-windows-latest-Core

GitHub Actions / test-ubuntu-latest-PubSub

GitHub Actions / test-ubuntu-latest-Gds