
Problem in certificate thumbprint calculation #925

Closed
Filipecordeiro opened this issue Dec 28, 2020 · 4 comments
Assignees
Labels
bug To Review The fix of this issue need to be tested by the community before issue is closed

Comments


Filipecordeiro commented Dec 28, 2020

Current behavior

Using a server with the node-opcua implementation and a client using other implementation (UaExpert): when using a certificate signed by a CA for the server (i.e. not a self-signed certificate), the server throws an error while checking the receiverCertificateThumbprint sent by the client.

Describe the bug

The _check_receiverCertificateThumbprint method (node-opcua-secure-channel\source\server\server_secure_channel_layer.ts) is using the whole certificate chain for calculating the certificate thumbprint. While the opcua specification is not clear, it does mention the receiverCertificateThumbprint indicates the public key used to encrypt the MessageChunk, and every method that I've tested for calculating certificate thumbprints (including openssl) seems to use just the certificate itself and not the full certificate chain.

I've also found this issue in a Java implementation of opcua that seems to be exactly the same problem, where they changed it to use the certificate only.

I've changed the code in _check_receiverCertificateThumbprint from const serverCertificateChain = this.getCertificateChain(); to const serverCertificateChain = this.getCertificate(); and it solved the problem.

Also had to make the same change in code in the verifyClientSignature method (node-opcua-server\source\opcua_server.ts) that seems to suffer from the same issue (full certificate chain is being used).

To Reproduce

Steps to reproduce the behavior:

  1. Start node-opcua acting as an OPCUA SERVER, using a certificate signed by a CA, providing at least MessageSecurityMode = Sign&Encrypt, and automaticallyAcceptUnknownCertificate = true
  2. Try connecting with a client (other than a node-opcua implementation), using MessageSecurityMode = Sign&Encrypt
  3. Server throws an error and client disconnects

Expected behavior

The client should connect successfully, i.e., the receiverCertificateThumbprint sent by the client should match the certificate thumbprint computed by the server.

Details

  • ( ) my request is related to node-opcua acting as an OPCUA CLIENT
  • (x) my request is related to node-opcua acting as an OPCUA SERVER
    • ( ) I have installed node-opcua from source (using git clone)
    • (x) I have installed node-opcua as a package (using npm install)
    • (x) I am using an application that uses node-opcua
      • ( ) node-red
      • (x) other: UaExpert
    • Device: Laptop
    • OS version: Windows 10
      • (x) Windows: version: 10.0.18363
      • ( ) Linux: version:
      • ( ) MacOs: version:
      • ( ) Raspbian: version:
      • ( ) Other: specify:
    • Description of the other OPCUA system I am trying to connect to:
  • node-opcua version: 2.16.0
  • Node: 10.19.0

erossignon (Member) commented:

Using certificate provided by a CA should work.
Please provide source code of the server for investigation. (contact me privately if you cannot share the code in github)

@erossignon erossignon added please subscribe to support.sterfive.com for help ( go https://support.sterfive.com for professional support if no answer from community) need more info The issue cannot be resolved as described and need deeper investigation labels Dec 29, 2020
@node-opcua node-opcua deleted a comment from mikakaraila Dec 29, 2020
@erossignon erossignon added bug and removed need more info The issue cannot be resolved as described and need deeper investigation please subscribe to support.sterfive.com for help ( go https://support.sterfive.com for professional support if no answer from community) labels Dec 29, 2020

erossignon commented Dec 29, 2020

I confirm the issue. As you found out, the certificate thumbprint signature shall not be calculated using the full certificate chain but only the first certificate in the chain.

erossignon (Member) commented:

This should now be fixed in version 2.29, @Filipecordeiro can you confirm?

@erossignon erossignon added the To Review The fix of this issue need to be tested by the community before issue is closed label Jan 23, 2021
Filipecordeiro (Author) commented:

> This should now be fixed in version 2.29, @Filipecordeiro can you confirm?

I can confirm that the issue is fixed. Thank you @erossignon
I apologize for the late reply but I wasn't able to test this until very recently.
