View Issue Details

ID: 0003431
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2017-01-03 17:57
Reporter: Isele Matthias
Assigned To: Matthias Damm
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: any
OS: any
OS Version: any
Product Version: 1.03
Summary: 0003431: Need a clarification for the calculation of ClientSignature and ServerSignature
Description

ServerSignature (CreateSession):

  • Calculated in the Server by appending the ClientNonce to the ClientCertificate and signing the resulting ByteString
  • Checked in the Client

ClientSignature (ActivateSession):

  • Calculated in the Client by appending the last ServerNonce to the ServerCertificate and signing the resulting ByteString
  • Checked in the Server

In both cases a certificate is added to a nonce. By Spec the ClientCertificate and ServerCertificate can either be a single certificate or a complete certificate chain.
The calculated signature is different when using the leaf certificate only or the complete chain. This leads to interoperability issues if client and server do not use the same logic.
In the Spec it is not clear if the leaf certificate or the complete chain can be used to calculate the signature.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Activities

Isele Matthias

2016-05-13 07:01

developer   ~0006914

My proposal:
Both sides (client and server) should always use the leaf certificate only not the complete chain to

  • calculate the signature
  • check the signature

For backwards compatibility it is explicitly allowed to try both

  • verify the signature with the leaf certificate
  • verify the signature with the complete chain (if available)
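
The following Go program is an added example, not code from the issue, the OPC Foundation or any OPC UA stack. It builds the signed ByteString from the description (certificate bytes followed by the nonce), shows that signing over the leaf DER and over the concatenated chain DER gives two different signatures, and implements the leaf-then-chain verification fallback from the proposal above. It assumes RSA PKCS#1 v1.5 over SHA-256 as the signature algorithm (the Basic256Sha256 policy's choice; other policies differ), uses a throwaway CA and leaf generated at run time as the peer certificate chain, and the `peerCert` struct and function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// peerCert is the certificate material a peer sent in CreateSession or
// ActivateSession: the DER leaf alone, or the leaf followed by its issuers.
// The split into Leaf and Chain is this example's own layout; on the wire
// it is a single ByteString.
type peerCert struct {
	Leaf  []byte   // DER of the leaf certificate
	Chain [][]byte // DER of the leaf first, then the issuer certificates
}

// chainBytes concatenates the DER certificates in chain order, which is the
// form a "complete chain" ByteString takes.
func chainBytes(chain [][]byte) []byte {
	var out []byte
	for _, c := range chain {
		out = append(out, c...)
	}
	return out
}

// signatureData builds the ByteString that is signed: certificate bytes
// followed by the nonce (ClientCertificate+ClientNonce for ServerSignature,
// ServerCertificate+last ServerNonce for ClientSignature).
func signatureData(certBytes, nonce []byte) []byte {
	data := make([]byte, 0, len(certBytes)+len(nonce))
	data = append(data, certBytes...)
	return append(data, nonce...)
}

// computeSignature signs with RSA PKCS#1 v1.5 over SHA-256 (assumed policy).
func computeSignature(signer *rsa.PrivateKey, certBytes, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(signatureData(certBytes, nonce))
	return rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
}

// verifySignature checks the signature against one candidate certificate ByteString.
func verifySignature(pub *rsa.PublicKey, certBytes, nonce, sig []byte) bool {
	digest := sha256.Sum256(signatureData(certBytes, nonce))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// verifyLeafThenChain is the backwards-compatible check from the proposal:
// try the leaf certificate first, then the complete chain if one is present.
// It reports which form matched, or "" when neither does.
func verifyLeafThenChain(pub *rsa.PublicKey, cert peerCert, nonce, sig []byte) string {
	if verifySignature(pub, cert.Leaf, nonce, sig) {
		return "leaf"
	}
	if len(cert.Chain) > 1 && verifySignature(pub, chainBytes(cert.Chain), nonce, sig) {
		return "chain"
	}
	return ""
}

// makePeerCert creates a throwaway CA and a leaf it issued so the example has
// a real two-certificate chain. Constructed test data, not a real identity.
func makePeerCert() (peerCert, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return peerCert{}, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return peerCert{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example OPC UA CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return peerCert{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return peerCert{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example OPC UA Client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return peerCert{}, err
	}
	return peerCert{Leaf: leafDER, Chain: [][]byte{leafDER, caDER}}, nil
}

// outcome records one interop scenario: whether a leaf-only signature passes a
// chain-based check (it must not), and what the fallback verifier reports for
// a signer that used the leaf and for one that used the chain.
type outcome struct {
	LeafSigVerifiesWithChain bool
	LeafSignerMatched        string
	ChainSignerMatched       string
}

func runScenario() (outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048) // e.g. the server's key for ServerSignature
	if err != nil {
		return outcome{}, err
	}
	peer, err := makePeerCert()
	if err != nil {
		return outcome{}, err
	}
	nonce := make([]byte, 32) // constructed ClientNonce
	if _, err := rand.Read(nonce); err != nil {
		return outcome{}, err
	}
	sigLeaf, err := computeSignature(signer, peer.Leaf, nonce)
	if err != nil {
		return outcome{}, err
	}
	sigChain, err := computeSignature(signer, chainBytes(peer.Chain), nonce)
	if err != nil {
		return outcome{}, err
	}
	pub := &signer.PublicKey
	return outcome{
		LeafSigVerifiesWithChain: verifySignature(pub, chainBytes(peer.Chain), nonce, sigLeaf),
		LeafSignerMatched:        verifyLeafThenChain(pub, peer, nonce, sigLeaf),
		ChainSignerMatched:       verifyLeafThenChain(pub, peer, nonce, sigChain),
	}, nil
}

func main() {
	o, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf-only signature accepted by chain check: %v\n", o.LeafSigVerifiesWithChain)
	fmt.Printf("signer used leaf -> verifier matched %q; signer used chain -> verifier matched %q\n",
		o.LeafSignerMatched, o.ChainSignerMatched)
}
```

The fallback verifier accepts either form, which is what keeps a 1.03 peer that signed over the chain working; once both sides follow the leaf-only rule, a verifier can drop the chain branch and the signature stays independent of how many issuer certificates the peer happened to send.
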

Jim Luth

2016-05-17 15:24

administrator   ~0006925

Needs 1.03 Errata.

Bernd Edlinger

2016-05-28 08:35

reporter   ~0006967

Both sides (client and server) should always use the leaf certificate only not the complete chain to

  • calculate the signature
  • check the signature

Has anybody implemented it this way?

Matthias Damm

2016-12-20 17:02

developer   ~0007672

Discussed in UA WG:
Prepare update based on proposal from Matthias Isele but make both a shall.

Matthias Damm

2017-01-03 17:54

developer   ~0007692

Made changes in document version OPC UA Part 4 - Services 1.04 Specification Draft 07.docx

Jim Luth

2017-01-03 17:57

administrator   ~0007693

Agreed to change in telecon.

Note that not all backward compatibility issues can be handled with this fix -- some existing apps will break when connected to 1.04 apps.

Issue History

Date Modified Username Field Change
2016-05-13 06:57 Isele Matthias New Issue
2016-05-13 06:57 Isele Matthias Status new => assigned
2016-05-13 06:57 Isele Matthias Assigned To => Matthias Damm
2016-05-13 07:01 Isele Matthias Note Added: 0006914
2016-05-17 15:24 Jim Luth Note Added: 0006925
2016-05-28 08:35 Bernd Edlinger Note Added: 0006967
2016-12-20 17:02 Matthias Damm Note Added: 0007672
2017-01-03 17:54 Matthias Damm Note Added: 0007692
2017-01-03 17:54 Matthias Damm Status assigned => resolved
2017-01-03 17:54 Matthias Damm Resolution open => fixed
2017-01-03 17:57 Jim Luth Note Added: 0007693
2017-01-03 17:57 Jim Luth Status resolved => closed
2017-01-03 17:57 Jim Luth Fixed in Version => 1.04