Merge remote-tracking branch 'origin/1.3' into merge_13_14_6

CMakeLists.txt

@@ -41,7 +41,7 @@ set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
 # overwritten with more detailed information if git is available.
 set(OPEN62541_VER_MAJOR 1)
 set(OPEN62541_VER_MINOR 3)
-set(OPEN62541_VER_PATCH 8)
+set(OPEN62541_VER_PATCH 9)
 set(OPEN62541_VER_LABEL "-undefined") # like "-rc1" or "-g4538abcd" or "-g4538abcd-dirty"
 set(OPEN62541_VER_COMMIT "unknown-commit")
 

src/server/ua_server_binary.c

@@ -13,6 +13,7 @@
  *    Copyright 2017 (c) frax2222
  *    Copyright 2017 (c) Mark Giraud, Fraunhofer IOSB
  *    Copyright 2019 (c) Kalycito Infotech Private Limited
+ *    Copyright 2023 (c) Hilscher Gesellschaft für Systemautomation mbH (Author: Phuong Nguyen)
  */
 
 #include <open62541/transport_generated.h>
@@ -1029,6 +1030,34 @@ purgeFirstChannelWithoutSession(UA_BinaryProtocolManager *bpm) {
     return false;
 }
 
+/* Get pointer to leaf certificate of a specified valid chain of DER encoded
+ * certificates */
+static void
+getLeafCertificate(const UA_ByteString *chain, UA_ByteString *leaf) {
+    /* Detect DER encoded X.509 v3 certificate. If the DER detection fails,
+     * return the entire chain.
+     *
+     * The OPC UA standard requires this to be DER. But we also allow other
+     * formats like PEM. Afterwards it depends on the crypto backend to parse
+     * it. mbedTLS and OpenSSL detect the format automatically. */
+    if(chain->length < 4 || chain->data[0] != 0x30 || chain->data[1] != 0x82) {
+        *leaf = *chain;
+        return;
+    }
+
+    /* The certificate length is encoded in the next 2 bytes. */
+    size_t leafLen = 4; /* Magic numbers + length bytes */
+    leafLen += (size_t)(((uint16_t)chain->data[2]) << 8);
+    leafLen += chain->data[3];
+
+    /* Length consistency check */
+    if(leafLen > chain->length)
+        return;
+
+    leaf->data = chain->data;
+    leaf->length = leafLen;
+}
+
 static UA_StatusCode
 configServerSecureChannel(void *application, UA_SecureChannel *channel,
                           const UA_AsymmetricAlgorithmSecurityHeader *asymHeader) {
@@ -1055,10 +1084,17 @@ configServerSecureChannel(void *application, UA_SecureChannel *channel,
     if(!securityPolicy)
         return UA_STATUSCODE_BADSECURITYPOLICYREJECTED;
 
+    /* If the sender provides a chain of certificates then we shall extract the
+     * ApplicationInstanceCertificate. and ignore the extra bytes. See also: OPC
+     * UA Part 6, V1.04, 6.7.2.3 Security Header, Table 42 - Asymmetric
+     * algorithm Security header */
+    UA_ByteString appInstanceCertificate = UA_BYTESTRING_NULL;
+    getLeafCertificate(&asymHeader->senderCertificate, &appInstanceCertificate);
+
     /* Create the channel context and parse the sender (remote) certificate used
      * for the secureChannel. */
     return UA_SecureChannel_setSecurityPolicy(channel, securityPolicy,
-                                              &asymHeader->senderCertificate);
+                                              &appInstanceCertificate);
 }
 
 static UA_StatusCode

src/server/ua_services_securechannel.c

@@ -7,6 +7,7 @@
  *    Copyright 2015 (c) Oleksiy Vasylyev
  *    Copyright 2017 (c) Stefan Profanter, fortiss GmbH
  *    Copyright 2017 (c) Mark Giraud, Fraunhofer IOSB
+ *    Copyright 2023 (c) Hilscher Gesellschaft für Systemautomation mbH (Author: Phuong Nguyen)
  */
 
 #include "ua_server_internal.h"