
Sender certificate shall be ignored in CreateSessionRequest for channel with SecurityPolicy None #6462

Open
2 of 7 tasks
phuong-nm opened this issue May 8, 2024 · 0 comments

Comments

@phuong-nm

Description

In the "OPC UA Specification Part 4 V1.04, Section 5.6.2.2" it is stated that "If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate".

Background Information / Reproduction Steps

Suggested solution

/*
* File: src/server/ua_services_session.c
*/

void
Service_CreateSession(UA_Server *server, UA_SecureChannel *channel,
                      const UA_CreateSessionRequest *request,
                      UA_CreateSessionResponse *response) {

    /* ... */

    if(!UA_ByteString_equal(&channel->securityPolicy->policyUri,
                            &UA_SECURITY_POLICY_NONE_URI) &&
       request->clientNonce.length < 32) {
        response->responseHeader.serviceResult = UA_STATUSCODE_BADNONCEINVALID;
        return;
    }

    /*** Hilscher ***/
    /* "If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate".
     * See: "OPC UA Specification Part 4 V1.04, Section 5.6.2.2". */
    if(channel->securityMode == UA_MESSAGESECURITYMODE_SIGN ||
       channel->securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) {
        if(request->clientCertificate.length > 0) {
            UA_CertificateVerification *cv = &server->config.certificateVerification;
            response->responseHeader.serviceResult =
                cv->verifyApplicationURI(cv->context, &request->clientCertificate,
                                        &request->clientDescription.applicationUri);
            if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) {
                UA_LOG_WARNING_CHANNEL(&server->config.logger, channel,
                                    "The client's ApplicationURI did not match the certificate");
                server->serverDiagnosticsSummary.securityRejectedSessionCount++;
                server->serverDiagnosticsSummary.rejectedSessionCount++;
                return;
            }
        }
    }
    /*** Hilscher ***/

    /* ... */
}

Checklist

Please provide the following information:

  • open62541 Version (release number or git tag): V1.3.6
  • Other OPC UA SDKs used (client or server):
  • Operating system:
  • Logs (with UA_LOGLEVEL set as low as necessary) attached
  • Wireshark network dump attached
  • Self-contained code example attached
  • Critical issue: Conformance Test failed
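Added example (not code from the open62541 project or from the issue author): a stand-alone C model of the gate the suggested snippet introduces, using constructed stand-in types and a mock URI verifier so the accept/reject outcome can be checked per security mode. The names create_session_certificate_check, verify_application_uri and the stand-in enums are assumptions for this example, not SDK API.

```c
/* Added example, not open62541 code: models the proposed CreateSession gate.
 * Stand-in types mirror only the fields the gate reads. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum MessageSecurityMode { MODE_NONE = 1, MODE_SIGN = 2, MODE_SIGNANDENCRYPT = 3 };
enum StatusCode { STATUS_GOOD = 0, STATUS_BADCERTIFICATEURIINVALID = 1 };

/* Constructed stand-in for UA_CreateSessionRequest. */
struct SessionRequest {
    const char *clientCertificate; /* NULL or "" means no certificate was sent */
    const char *certificateUri;    /* URI carried in the certificate (stand-in for parsing) */
    const char *applicationUri;    /* clientDescription.applicationUri */
};

/* Mock of cv->verifyApplicationURI: the real SDK parses the certificate;
 * here the URI travels next to the certificate bytes. */
static enum StatusCode verify_application_uri(const struct SessionRequest *req) {
    if(req->certificateUri && req->applicationUri &&
       strcmp(req->certificateUri, req->applicationUri) == 0)
        return STATUS_GOOD;
    return STATUS_BADCERTIFICATEURIINVALID;
}

/* The proposed gate: verify the ApplicationUri only on a Sign or
 * SignAndEncrypt channel and only if a certificate was supplied; on a
 * mode-None channel the certificate is ignored, as Part 4 5.6.2.2 requires. */
enum StatusCode create_session_certificate_check(enum MessageSecurityMode mode,
                                                 const struct SessionRequest *req) {
    bool secured = (mode == MODE_SIGN || mode == MODE_SIGNANDENCRYPT);
    bool hasCert = req->clientCertificate && req->clientCertificate[0] != '\0';
    if(secured && hasCert)
        return verify_application_uri(req);
    return STATUS_GOOD;
}
```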