
OPC UA Server: Accept client application instance certificate based on trusted issuer list #6152

Open
alex0598 opened this issue Nov 29, 2023 · 3 comments

Comments

@alex0598

alex0598 commented Nov 29, 2023

Description

I have an Open62541 Client Application and a separate Open62541 Server Application.

The server application has a CA certificate in its trusted issuer list. The trusted certificate list is empty.
The client tries to connect to the server application with a certificate signed by the CA certificate that is in the trusted issuers list of the server.

What needs to be changed to allow the client connection to the server based on the issuer list? I am not able to include the certificate of the client itself into the trusted list of the server ...

The server returns the error:

"TCP 628 | SC 35 | Processing the message failed with error BadCertificateUntrusted"

Background Information / Reproduction Steps

Client Connection:

static bool ConnectToServer(UA_Client*& client, const char* endpoint) 
{
   // Create the config
   UA_ClientConfig* cc = UA_Client_getConfig(client);

   // Set to default config with no trust and issuer list
   UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey, NULL, 0, NULL, 0);
   UA_CertificateVerification_AcceptAll(&cc->certificateVerification);

   // Set securityMode and securityPolicyUri
   UA_ByteString_clear(&cc->securityPolicyUri);
   cc->securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT;
   cc->securityPolicyUri = UA_String_fromChars("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");

   // Set uri and client type
   UA_ApplicationDescription_clear(&cc->clientDescription);
   UA_String_clear(&cc->clientDescription.applicationUri);
   cc->clientDescription.applicationUri = UA_STRING_ALLOC(myUrn);
   cc->clientDescription.applicationType = UA_APPLICATIONTYPE_CLIENT;

   // Connect to the server
   if (UA_Client_connect(client, endpoint) != UA_STATUSCODE_GOOD) {
      return false;
   }

   return true;
}

Server setup:

...

// Update security policies
UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_CLIENT, " - I - Update Security Policies ...");
if (UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840, &certificate, &privateKey, trustList, trustListSize, issuerList, issuerListSize, revocationList, revocationListSize) != UA_STATUSCODE_GOOD) {
   UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_CLIENT, " - E - Failed to update Security Policies ...");
   return EXIT_FAILURE;
}

...

Used CMake options:

Checklist

Please provide the following information:

  • open62541 Version (release number or git tag):
  • Other OPC UA SDKs used (client or server):
  • Operating system:
  • Logs (with UA_LOGLEVEL set as low as necessary) attached
  • Wireshark network dump attached
  • Self-contained code example attached
  • Critical issue
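The BadCertificateUntrusted result in the report above follows the usual PKI split that OPC UA also uses: the trust list holds the certificates that are trusted as anchors (a client certificate itself or a CA), while the issuer list holds CA certificates that may be used to complete the chain but are not trusted on their own. The openssl CLI has the same split (-CAfile for trusted anchors, -untrusted for chain-building-only certificates), so the added script below, which is not code from the issue or from open62541, shows it with a throwaway CA and a client certificate that it generates itself (constructed test material): the client certificate is accepted when the CA is in the trusted set and rejected when the CA is only in the issuer set.

```shell
#!/bin/sh
# Added example, not code from the open62541 issue: it uses the openssl CLI to show
# the PKI rule behind a BadCertificateUntrusted result. A CA that sits only in the
# "issuer" set (OpenSSL: -untrusted) can complete a chain but is not a trust anchor;
# the chain is accepted only when a certificate in it is in the trusted set
# (OpenSSL: -CAfile). All certificates below are generated on the fly (constructed).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and one client certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo-client" -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1
}

# Trust-list analogue: the CA is a trust anchor. Returns 0 when the client
# certificate is accepted. -no-CAfile/-no-CApath keep the system store out of it.
verify_with_ca_trusted() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# Issuer-list analogue: the CA may be used to build the chain but is not trusted.
# Returns 0 only if OpenSSL accepts the certificate, which it does not without an anchor.
verify_with_ca_issuer_only() {
    openssl verify -no-CAfile -no-CApath -untrusted "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

make_pki
if verify_with_ca_trusted; then
    echo "CA in trusted set: client certificate accepted"
fi
if verify_with_ca_issuer_only; then
    echo "CA only in issuer set: client certificate accepted (unexpected)"
else
    echo "CA only in issuer set: client certificate rejected, no trust anchor in chain"
fi
```

Run it as `sh demo.sh`; it needs only the openssl binary. The mapping to the server configuration in the report is that a CA passed only via issuerList plays the -untrusted role, so for a connection to be accepted on the strength of that CA it has to be present in trustList as well (or the client certificate itself has to be).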
@jpfr
Member

jpfr commented Dec 5, 2023

Thanks for the complete issue report.
Are you using OpenSSL or mbedTLS?

@alex0598
Author

alex0598 commented Dec 5, 2023

Hi,
I am using open ssl.
Unfortunately I did not provide a valid revocation list or issuer list. Both are NULL in the above case. When I provide an empty list, the client can connect successfully.

@alex0598 alex0598 closed this as completed Dec 5, 2023
@jpfr jpfr reopened this Dec 5, 2023
@jpfr
Member

jpfr commented Dec 5, 2023

Thanks.
I think it makes the most sense to treat empty list == NULL list.
We should change that @NoelGraf
