CTT test: OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: BadCertificateIssuerRevocationUnknown
codeJJL opened this issue · comments
Type of issue
- Bug
- Enhancement
- Compliance
- Question
- Help wanted
Current Behavior
Security Certificate Validation
Certificate will be validated as specified in OPC UA Part 4. This includes among others structure and signature examination.
Allowing for some validation errors to be suppressed by administration directive.
Connect using a client certificate signed by a not trusted but known CA where there is no revocation list available.
OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: BadCertificateIssuerRevocationUnknown (0x801c0000); Would accept: Good (0x00000000)
Specific error: OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss ); Result = BadSecurityChecksFailed (0x80130000) Expected: BadCertificateIssuerRevocationUnknown (0x801c0000); Would accept: Good (0x00000000)
Expected Behavior
No response
Steps To Reproduce
No response
Environment
- OS:
- Environment:
- Runtime:
- Nuget Version:
- Component:
- Server:
- Client:
Anything else?
No response
@codeJJL, please provide the CTT version. In general, the security check return values are obfuscated to not provide an attacker insights. So BadSecurityChecksFailed is mostly a valid response, unless it is an older CTT.
@codeJJL this seems to be implemented correctly:
UA-.NETStandard/Stack/Opc.Ua.Core/Stack/Tcp/TcpServerChannel.cs
Lines 515 to 526 in ce33d63
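
A simplified model of the behavior discussed in the comments above, added here as an illustration and not taken from UA-.NETStandard: detailed certificate findings go to the server-side log, the client receives only the generic code, and a finding suppressed by administration directive yields Good. `WireStatus`, `Suppressible` and the suppression policy are hypothetical names and assumptions.

```csharp
using System;
using System.Collections.Generic;

static class ChannelSecurityDemo
{
    // OPC UA StatusCode values; the first three appear in the issue above.
    const uint Good = 0x00000000;
    const uint BadSecurityChecksFailed = 0x80130000;
    const uint BadCertificateIssuerRevocationUnknown = 0x801C0000;
    const uint BadCertificateRevocationUnknown = 0x801B0000;
    const uint BadCertificateRevoked = 0x801D0000;

    // Assumed policy: only "revocation unknown" findings may be suppressed by an administrator.
    static readonly HashSet<uint> Suppressible = new HashSet<uint>
    {
        BadCertificateRevocationUnknown, BadCertificateIssuerRevocationUnknown
    };

    // Returns the status sent to the client; detailed findings reach the audit sink only.
    static uint WireStatus(IEnumerable<uint> findings, ISet<uint> adminSuppressed, Action<string> audit)
    {
        uint result = Good;
        foreach (uint code in findings)
        {
            bool suppressed = Suppressible.Contains(code) && adminSuppressed.Contains(code);
            audit($"certificate finding 0x{code:X8} suppressed={suppressed}");
            if (!suppressed) result = BadSecurityChecksFailed; // generic code on the wire
        }
        return result;
    }

    static void Main()
    {
        // Constructed scenario from the issue: known issuer, no revocation list available.
        var findings = new[] { BadCertificateIssuerRevocationUnknown };
        var none = new HashSet<uint>();
        var allowNoCrl = new HashSet<uint> { BadCertificateIssuerRevocationUnknown };

        Console.WriteLine($"default:    0x{WireStatus(findings, none, Console.WriteLine):X8}");
        Console.WriteLine($"suppressed: 0x{WireStatus(findings, allowNoCrl, Console.WriteLine):X8}");

        // A revoked certificate stays rejected even if an administrator lists that code.
        var revoked = new[] { BadCertificateRevoked };
        var misconfigured = new HashSet<uint> { BadCertificateRevoked };
        Console.WriteLine($"revoked:    0x{WireStatus(revoked, misconfigured, Console.WriteLine):X8}");
    }
}
```

When a CTT run reports BadSecurityChecksFailed where it expected a specific certificate code, the specific code is found in the server's own log rather than in the response.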