Strona główna Odkrywaj Pomoc
Zaloguj się
opc-ua
/
open62541
Obserwuj 2
Polub 0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Przeglądaj źródła

Compare end certificates of channel and CreateSessionRequest

A client are allowed to include a partitial or a complete certificate
chain both in the OpenSecureChannelRequest and in the
CreateSessionRequest. When comparing the certificates while
processing the CreateSessionRequest this must be considered.
The comparition has been updated to use the compareCertificate
function of the channelModule of the SecurityPolicy plugin API.
Jonas Green 6 lat temu
rodzic
43a2b539c2
commit
691ec179cf
3 zmienionych plików z 11 dodań i 2 usunięć
Widok podzielony Pokaż statystyki zmian
  1. 1 0
      plugins/ua_securitypolicy_basic128rsa15.c
  2. 1 0
      plugins/ua_securitypolicy_basic256sha256.c
  3. 9 2
      src/server/ua_services_session.c

+ 1 - 0
plugins/ua_securitypolicy_basic128rsa15.c
Wyświetl plik 

@@ -718,6 +718,7 @@ channelContext_compareCertificate_sp_basic128rsa15(const Basic128Rsa15_ChannelCo
 
     const UA_SecurityPolicy *securityPolicy = cc->policyContext->securityPolicy;
 
 
     mbedtls_x509_crt cert;
 
+    mbedtls_x509_crt_init(&cert);
 
     int mbedErr = mbedtls_x509_crt_parse(&cert, certificate->data, certificate->length);
 
     UA_MBEDTLS_ERRORHANDLING_RETURN(UA_STATUSCODE_BADSECURITYCHECKSFAILED);

+ 1 - 0
plugins/ua_securitypolicy_basic256sha256.c
Wyświetl plik 

@@ -740,6 +740,7 @@ channelContext_compareCertificate_sp_basic256sha256(const Basic256Sha256_Channel
 
     const UA_SecurityPolicy *securityPolicy = cc->policyContext->securityPolicy;
 
 
     mbedtls_x509_crt cert;
 
+    mbedtls_x509_crt_init(&cert);
 
     int mbedErr = mbedtls_x509_crt_parse(&cert, certificate->data, certificate->length);
 
     UA_MBEDTLS_ERRORHANDLING_RETURN(UA_STATUSCODE_BADSECURITYCHECKSFAILED);

+ 9 - 2
src/server/ua_services_session.c
Wyświetl plik 

@@ -73,8 +73,15 @@ Service_CreateSession(UA_Server *server, UA_SecureChannel *channel,
 
 
     if(channel->securityMode == UA_MESSAGESECURITYMODE_SIGN ||
 
        channel->securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) {
 
-        if(!UA_ByteString_equal(&request->clientCertificate,
 
-                                &channel->remoteCertificate)) {
 
+        /* Compare the clientCertificate with the remoteCertificate of the channel.
 
+         * Both the clientCertificate of this request and the remoteCertificate
 
+         * of the channel may contain a partial or a complete certificate chain.
 
+         * The compareCertificate function of the channelModule will compare the 
+         * first certificate of each chain. The end certificate shall be located
 
+         * first in the chain according to the OPC UA specification Part 6 (1.04),
 
+         * chapter 6.2.3.*/
 
+        if(channel->securityPolicy->channelModule.compareCertificate(channel->channelContext,
 
+                                                                     &request->clientCertificate) != UA_STATUSCODE_GOOD) {
 
             response->responseHeader.serviceResult = UA_STATUSCODE_BADCERTIFICATEINVALID;
 
             return;
 
         }