Fixed verification of sender certificate in CreateSessionRequest

src/server/ua_services_session.c

@@ -289,17 +289,22 @@ Service_CreateSession(UA_Server *server, UA_SecureChannel *channel,
  return;
  }
 
- if(request->clientCertificate.length > 0) {
- UA_CertificateVerification *cv = &server->config.certificateVerification;
- response->responseHeader.serviceResult =
- cv->verifyApplicationURI(cv->context, &request->clientCertificate,
- &request->clientDescription.applicationUri);
- if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) {
- UA_LOG_WARNING_CHANNEL(&server->config.logger, channel,
- "The client's ApplicationURI did not match the certificate");
- server->serverDiagnosticsSummary.securityRejectedSessionCount++;
- server->serverDiagnosticsSummary.rejectedSessionCount++;
- return;
+ /* "If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate".
+ * See: "OPC UA Specification Part 4 V1.04, Section 5.6.2.2". */
+ if(channel->securityMode == UA_MESSAGESECURITYMODE_SIGN ||
+ channel->securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) {
+ if(request->clientCertificate.length > 0) {
+ UA_CertificateVerification *cv = &server->config.certificateVerification;
+ response->responseHeader.serviceResult =
+ cv->verifyApplicationURI(cv->context, &request->clientCertificate,
+ &request->clientDescription.applicationUri);
+ if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD) {
+ UA_LOG_WARNING_CHANNEL(&server->config.logger, channel,
+ "The client's ApplicationURI did not match the certificate");
+ server->serverDiagnosticsSummary.securityRejectedSessionCount++;
+ server->serverDiagnosticsSummary.rejectedSessionCount++;
+ return;
+ }
  }
  }