From d1fcb3512df9201b166c35f0edb5cda6f36cd1ba Mon Sep 17 00:00:00 2001
From: Andrew Cullen
Date: Sat, 18 Nov 2023 18:10:11 -0500
Subject: [PATCH] fix check of hostname
---
 client/client.go | 4 +++-
 client/client_test.go | 6 +++---
 cmd/testserver/main.go | 6 +++---
 server/server_service_set.go | 35 -----------------------------------
 server/server_test.go | 18 +++++++++++++++---
 5 files changed, 24 insertions(+), 45 deletions(-)
diff --git a/client/client.go b/client/client.go
index 4d7966e..34bb698 100644
--- a/client/client.go
+++ b/client/client.go
@@ -28,6 +28,7 @@ var (
 func Dial(ctx context.Context, endpointURL string, opts ...Option) (c *Client, err error) {
 cli := &Client{
+ endpointURL: endpointURL,
 userIdentity: ua.AnonymousIdentity{},
 applicationName: "application",
 sessionTimeout: defaultSessionTimeout,
@@ -94,11 +95,12 @@ func Dial(ctx context.Context, endpointURL string, opts ...Option) (c *Client, e
 if selectedEndpoint == nil {
 return nil, ua.BadSecurityModeRejected
 }
- cli.endpointURL = selectedEndpoint.EndpointURL
+
 cli.securityPolicyURI = selectedEndpoint.SecurityPolicyURI
 cli.securityMode = selectedEndpoint.SecurityMode
 cli.serverCertificate = []byte(selectedEndpoint.ServerCertificate)
 cli.userTokenPolicies = selectedEndpoint.UserIdentityTokens
+
 cli.localDescription = ua.ApplicationDescription{
 ApplicationName: ua.LocalizedText{Text: cli.applicationName},
 ApplicationType: ua.ApplicationTypeClient,
diff --git a/client/client_test.go b/client/client_test.go
index 5cc73d9..1584270 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -27,7 +27,7 @@ import (
 )
 var (
- endpointURL = "opc.tcp://127.0.0.1:46010" // our testserver
+ endpointURL = fmt.Sprintf("opc.tcp://%s:%d", host, port) // our testserver
 )
 // TestMain is run at the start of client testing. If an opcua server is not already running,
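Review bot: Dropping `cli.endpointURL = selectedEndpoint.EndpointURL` in the second client.go hunk is the right direction — the EndpointURL in a GetEndpoints response is supplied by the server over a channel that is typically not yet authenticated, so overwriting the caller's URL with it let a server steer the client to a host it never asked for — but the advertised value is now never consulted at all, so a mismatch is accepted silently. A comment on the new `endpointURL: endpointURL,` line would keep the next maintainer from "fixing" it back, e.g. `// keep the URL the caller dialed; the advertised EndpointURL is unauthenticated and may name a different host`, and a debug log when `selectedEndpoint.EndpointURL != endpointURL` would make the discrepancy visible. Dial's body starts before and continues past both hunks, so I cannot see here whether `cli.serverCertificate` is ever checked against the dialed hostname.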
@@ -960,8 +960,8 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 BasicConstraintsValid: true,
- DNSNames: []string{host},
- IPAddresses: []net.IP{localAddr.IP},
+ DNSNames: []string{host, "localhost"},
+ IPAddresses: []net.IP{localAddr.IP, []byte{127, 0, 0, 1}},
 URIs: []*url.URL{applicationURI},
 }
diff --git a/cmd/testserver/main.go b/cmd/testserver/main.go
index e6ede04..af76fda 100644
--- a/cmd/testserver/main.go
+++ b/cmd/testserver/main.go
@@ -147,7 +147,7 @@ func main() {
 //server.WithInsecureSkipVerify(),
 server.WithTrustedCertificatesPaths("./pki/ApplicationInstance_PKI/trusted/certs", "./pki/ApplicationInstance_PKI/trusted/crl"),
 server.WithIssuerCertificatesPaths("./pki/ApplicationInstance_PKI/issuers/certs", "./pki/ApplicationInstance_PKI/issuers/crl"),
- // server.WithRejectedCertificatesPath("./pki/ApplicationInstance_PKI/rejected"),
+ server.WithRejectedCertificatesPath("./pki/ApplicationInstance_PKI/rejected"),
 server.WithServerDiagnostics(true),
 server.WithMaxSessionCount(10),
 server.WithMaxSubscriptionCount(100),
@@ -417,8 +417,8 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 BasicConstraintsValid: true,
- DNSNames: []string{host},
- IPAddresses: []net.IP{localAddr.IP},
+ DNSNames: []string{host, "localhost"},
+ IPAddresses: []net.IP{localAddr.IP, []byte{127, 0, 0, 1}},
 URIs: []*url.URL{applicationURI},
 }
diff --git a/server/server_service_set.go b/server/server_service_set.go
index 26a4cca..0c87088 100644
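Review bot: `[]byte{127, 0, 0, 1}` in the new IPAddresses line of the client_test.go hunk is a raw 4-byte slice standing in for a net.IP; it encodes correctly, but `net.IPv4(127, 0, 0, 1)` says what it is and is the form the rest of the net package hands back, so prefer that (the same literal is copied into cmd/testserver/main.go and server/server_test.go in this patch). A short why-comment would also help, since "localhost"/loopback SANs on an application-instance certificate are only appropriate for a test server: `// loopback SANs let the tests dial 127.0.0.1/localhost as well as the real hostname`. createNewCertificate starts and ends outside the hunk, and this copy's `localAddr` derivation is not in the patch, so I cannot tell whether it also dials out to pick an interface address.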
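Review bot: Uncommenting `server.WithRejectedCertificatesPath("./pki/ApplicationInstance_PKI/rejected")` in the cmd/testserver/main.go options hunk is unrelated to the hostname fix in the subject line and carries no explanation; presumably it persists certificates from clients that failed trust validation so an operator can promote them to the trusted store. Because those certificates are written on behalf of unauthenticated peers, a one-line comment stating the intent and the operational expectation would help the next reader, e.g. `// keep certificates that failed validation so an operator can review and trust them; this directory must exist and be writable only by the server`. main's body starts and continues outside the hunk, so I cannot see whether the directory is created or whether writes are bounded.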
--- a/server/server_service_set.go
+++ b/server/server_service_set.go
@@ -12,7 +12,6 @@ import (
 "crypto/x509"
 "encoding/binary"
 "math"
- "net/url"
 "sort"
 "strconv"
 "strings"
@@ -97,40 +96,6 @@ func (srv *Server) handleCreateSession(ch *serverSecureChannel, requestid uint32
 ch.Abort(ua.BadSecurityPolicyRejected, "")
 return nil
 }
- // check endpointurl hostname matches one of the certificate hostnames
- valid := false
- if crt, err := x509.ParseCertificate(srv.LocalCertificate()); err == nil {
- if remoteURL, err := url.Parse(req.EndpointURL); err == nil {
- hostname := remoteURL.Host
- i := strings.Index(hostname, ":")
- if i != -1 {
- hostname = hostname[:i]
- }
- if err := crt.VerifyHostname(hostname); err == nil {
- valid = true
- }
- }
- }
- if !valid {
- srv.serverDiagnosticsSummary.SecurityRejectedSessionCount++
- srv.serverDiagnosticsSummary.RejectedSessionCount++
- srv.serverDiagnosticsSummary.SecurityRejectedRequestsCount++
- srv.serverDiagnosticsSummary.RejectedRequestsCount++
- err := ch.Write(
- &ua.ServiceFault{
- ResponseHeader: ua.ResponseHeader{
- Timestamp: time.Now(),
- RequestHandle: req.RequestHandle,
- ServiceResult: ua.BadCertificateHostNameInvalid,
- },
- },
- requestid,
- )
- if err != nil {
- return err
- }
- return nil
- }
 // check nonce
 switch ch.SecurityPolicyURI() {
 case ua.SecurityPolicyURIBasic128Rsa15, ua.SecurityPolicyURIBasic256, ua.SecurityPolicyURIBasic256Sha256,
diff --git a/server/server_test.go b/server/server_test.go
index 1613cdc..938c243 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -13,6 +13,7 @@ import (
 "encoding/pem"
 "fmt"
 "math/big"
+ "net"
 "net/url"
 "os"
 "strings"
@@ -26,7 +27,7 @@ import (
 )
 var (
- endpointURL = "opc.tcp://127.0.0.1:46010" // our testserver
+ endpointURL = fmt.Sprintf("opc.tcp://%s:%d", host, port) // our testserver
 )
 // TestMain is run at the start of client testing. If an opcua server is not already running,
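Review bot: After the handleCreateSession hunk there is no hostname validation left anywhere on this page, and the block that was removed validated the server's own certificate against the client-supplied `req.EndpointURL` — which proves nothing about the peer and rejects legitimate clients that reach the server through an alias or address absent from the SAN list (the test-certificate SAN additions elsewhere in this patch are the symptom), so deleting it is defensible. The check OPC UA actually requires (Part 4 certificate validation, Bad_CertificateHostNameInvalid, a suppressible error) is the client's: the host in the URL it connected to must match a SAN of the server certificate, and nothing in this patch shows the client doing that against `cli.serverCertificate`. If it does not, the replacement belongs in the client after endpoint selection, roughly `u, err := url.Parse(endpointURL)` followed by `crt.VerifyHostname(u.Hostname())` with an opt-out for the suppressible case, rather than restoring the server-side version; note `url.Hostname()` also handles bracketed IPv6 hosts, which the deleted `strings.Index(hostname, ":")` split did not. A comment at the `// check nonce` line recording that hostname matching is intentionally the client's job would stop the check from being re-added here later. handleCreateSession begins before and continues after this hunk.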
@@ -853,8 +854,18 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 return ua.BadCertificateInvalid
 }
- // Create a certificate.
+ // get local hostname.
 host, _ := os.Hostname()
+
+ // get local ip address.
+ conn, err := net.Dial("udp", "8.8.8.8:53")
+ if err != nil {
+ return ua.BadCertificateInvalid
+ }
+ conn.Close()
+ localAddr := conn.LocalAddr().(*net.UDPAddr)
+
+ // Create a certificate.
 applicationURI, _ := url.Parse(fmt.Sprintf("urn:%s:%s", host, appName))
 serialNumber, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 subjectKeyHash := sha1.New()
@@ -872,7 +883,8 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 BasicConstraintsValid: true,
- DNSNames: []string{host},
+ DNSNames: []string{host, "localhost"},
+ IPAddresses: []net.IP{localAddr.IP, []byte{127, 0, 0, 1}},
 URIs: []*url.URL{applicationURI},
 }
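Review bot: In the first server_test.go hunk `conn.LocalAddr()` is read after `conn.Close()`, and the unchecked `.(*net.UDPAddr)` assertion panics instead of returning an error if that yields nil; the current net package happens to keep the local address after Close, but that is not documented, so take the address first and close afterwards. The dial to `8.8.8.8:53` sends no packet but does need a route, so on an offline or sandboxed CI host it fails and the caller sees `ua.BadCertificateInvalid`, which hides the real cause; falling back to loopback (as below) keeps certificate generation working and the later `localAddr.IP` use unchanged. createNewCertificate starts and ends outside this hunk, and the matching `localAddr` derivations in client/client_test.go and cmd/testserver/main.go are not in the patch, so they presumably have the same shape and would want the same treatment.
```go
	// get local ip address. A UDP "dial" only selects a route; no packet is sent.
	// Fall back to loopback so certificate generation still works with no default route.
	localAddr := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)}
	if conn, err := net.Dial("udp", "8.8.8.8:53"); err == nil {
		if addr, ok := conn.LocalAddr().(*net.UDPAddr); ok {
			localAddr = addr
		}
		conn.Close()
	}
	// … unchanged: certificate template construction …
```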