fix check of hostname

awcullen · Nov 18, 2023 · d1fcb35 · d1fcb35 · rjboer · Nov 18, 2023
1 parent 6985e12
commit d1fcb35
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 45 deletions.
diff --git a/client/client.go b/client/client.go
@@ -28,6 +28,7 @@ var (
 func Dial(ctx context.Context, endpointURL string, opts ...Option) (c *Client, err error) {
 
 	cli := &Client{
+		endpointURL:       endpointURL,
 		userIdentity:      ua.AnonymousIdentity{},
 		applicationName:   "application",
 		sessionTimeout:    defaultSessionTimeout,
@@ -94,11 +95,12 @@ func Dial(ctx context.Context, endpointURL string, opts ...Option) (c *Client, e
 	if selectedEndpoint == nil {
 		return nil, ua.BadSecurityModeRejected
 	}
-	cli.endpointURL = selectedEndpoint.EndpointURL
+
 	cli.securityPolicyURI = selectedEndpoint.SecurityPolicyURI
 	cli.securityMode = selectedEndpoint.SecurityMode
 	cli.serverCertificate = []byte(selectedEndpoint.ServerCertificate)
 	cli.userTokenPolicies = selectedEndpoint.UserIdentityTokens
+
 	cli.localDescription = ua.ApplicationDescription{
 		ApplicationName: ua.LocalizedText{Text: cli.applicationName},
 		ApplicationType: ua.ApplicationTypeClient,

diff --git a/client/client_test.go b/client/client_test.go
@@ -27,7 +27,7 @@ import (
 )
 
 var (
-	endpointURL = "opc.tcp://127.0.0.1:46010" // our testserver
+	endpointURL = fmt.Sprintf("opc.tcp://%s:%d", host, port) // our testserver
 )
 
 // TestMain is run at the start of client testing. If an opcua server is not already running,
@@ -960,8 +960,8 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		BasicConstraintsValid: true,
-		DNSNames:              []string{host},
-		IPAddresses:           []net.IP{localAddr.IP},
+		DNSNames:              []string{host, "localhost"},
+		IPAddresses:           []net.IP{localAddr.IP, []byte{127, 0, 0, 1}},
 		URIs:                  []*url.URL{applicationURI},
 	}
 

diff --git a/cmd/testserver/main.go b/cmd/testserver/main.go
@@ -147,7 +147,7 @@ func main() {
 		//server.WithInsecureSkipVerify(),
 		server.WithTrustedCertificatesPaths("./pki/ApplicationInstance_PKI/trusted/certs", "./pki/ApplicationInstance_PKI/trusted/crl"),
 		server.WithIssuerCertificatesPaths("./pki/ApplicationInstance_PKI/issuers/certs", "./pki/ApplicationInstance_PKI/issuers/crl"),
-		// server.WithRejectedCertificatesPath("./pki/ApplicationInstance_PKI/rejected"),
+		server.WithRejectedCertificatesPath("./pki/ApplicationInstance_PKI/rejected"),
 		server.WithServerDiagnostics(true),
 		server.WithMaxSessionCount(10),
 		server.WithMaxSubscriptionCount(100),
@@ -417,8 +417,8 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		BasicConstraintsValid: true,
-		DNSNames:              []string{host},
-		IPAddresses:           []net.IP{localAddr.IP},
+		DNSNames:              []string{host, "localhost"},
+		IPAddresses:           []net.IP{localAddr.IP, []byte{127, 0, 0, 1}},
 		URIs:                  []*url.URL{applicationURI},
 	}
 

diff --git a/server/server_service_set.go b/server/server_service_set.go
@@ -12,7 +12,6 @@ import (
 	"crypto/x509"
 	"encoding/binary"
 	"math"
-	"net/url"
 	"sort"
 	"strconv"
 	"strings"
@@ -97,40 +96,6 @@ func (srv *Server) handleCreateSession(ch *serverSecureChannel, requestid uint32
 		ch.Abort(ua.BadSecurityPolicyRejected, "")
 		return nil
 	}
-	// check endpointurl hostname matches one of the certificate hostnames
-	valid := false
-	if crt, err := x509.ParseCertificate(srv.LocalCertificate()); err == nil {
-		if remoteURL, err := url.Parse(req.EndpointURL); err == nil {
-			hostname := remoteURL.Host
-			i := strings.Index(hostname, ":")
-			if i != -1 {
-				hostname = hostname[:i]
-			}
-			if err := crt.VerifyHostname(hostname); err == nil {
-				valid = true
-			}
-		}
-	}
-	if !valid {
-		srv.serverDiagnosticsSummary.SecurityRejectedSessionCount++
-		srv.serverDiagnosticsSummary.RejectedSessionCount++
-		srv.serverDiagnosticsSummary.SecurityRejectedRequestsCount++
-		srv.serverDiagnosticsSummary.RejectedRequestsCount++
-		err := ch.Write(
-			&ua.ServiceFault{
-				ResponseHeader: ua.ResponseHeader{
-					Timestamp:     time.Now(),
-					RequestHandle: req.RequestHandle,
-					ServiceResult: ua.BadCertificateHostNameInvalid,
-				},
-			},
-			requestid,
-		)
-		if err != nil {
-			return err
-		}
-		return nil
-	}
 	// check nonce
 	switch ch.SecurityPolicyURI() {
 	case ua.SecurityPolicyURIBasic128Rsa15, ua.SecurityPolicyURIBasic256, ua.SecurityPolicyURIBasic256Sha256,

diff --git a/server/server_test.go b/server/server_test.go
@@ -13,6 +13,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"math/big"
+	"net"
 	"net/url"
 	"os"
 	"strings"
@@ -26,7 +27,7 @@ import (
 )
 
 var (
-	endpointURL = "opc.tcp://127.0.0.1:46010" // our testserver
+	endpointURL = fmt.Sprintf("opc.tcp://%s:%d", host, port) // our testserver
 )
 
 // TestMain is run at the start of client testing. If an opcua server is not already running,
@@ -853,8 +854,18 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 		return ua.BadCertificateInvalid
 	}
 
-	// Create a certificate.
+	// get local hostname.
 	host, _ := os.Hostname()
+
+	// get local ip address.
+	conn, err := net.Dial("udp", "8.8.8.8:53")
+	if err != nil {
+		return ua.BadCertificateInvalid
+	}
+	conn.Close()
+	localAddr := conn.LocalAddr().(*net.UDPAddr)
+
+	// Create a certificate.
 	applicationURI, _ := url.Parse(fmt.Sprintf("urn:%s:%s", host, appName))
 	serialNumber, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	subjectKeyHash := sha1.New()
@@ -872,7 +883,8 @@ func createNewCertificate(appName, certFile, keyFile string) error {
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		BasicConstraintsValid: true,
-		DNSNames:              []string{host},
+		DNSNames:              []string{host, "localhost"},
+		IPAddresses:           []net.IP{localAddr.IP, []byte{127, 0, 0, 1}},
 		URIs:                  []*url.URL{applicationURI},
 	}