There are a number of Signatures which Client and Server applications may need to calculate when calling CreateSession and ActivateSession. The new Signature calculation algorithm, called channel bound Signatures, requires that the Certificates used to establish the SecureChannel be used in the calculation. Certificates that are passed as parameters in CreateSession are used to calculate the Signatures.

Channel bound Signatures are only used with SecurityPolicies with SecureChannelEnhancements = TRUE. Otherwise, the legacy calculation method is used.

The new Signature calculation method produces “channel bound” Signatures to indicate that they are only accepted as correct when they are exchanged over a SecureChannel using the Certificates used to create it.

The calculation method uses the following values:

The ChannelThumbprint is a unique identifier for the SecureChannel computed when the SecureChannel is created. The method for computing the ChannelThumbprint is defined in OPC 10000-6. If the Communication Stack does not make it available to the application because the transport being used cannot support it (i.e. HTTPS), then the ChannelThumbprint is an OctetString with 0 length.

The Client and Server SecureChannel Certificates may be different from the Client and Server Certificate when using transports such as HTTPS.

The Client and Server Certificates are exchanged in the CreateSession/ActivateSession requests.

These values are appended together to create a sequence of bytes to sign. The inputs to the Signature calculation are defined in Table 101.

Table 101 – Channel Bound Signature Calculation Inputs

| Signature | Data to Sign | Signer |
| --- | --- | --- |
| ServerSignature (see 5.7.2) | ChannelThumbprint \| ClientNonce \| HASH(Server ChannelCertificate) \| HASH(Client ChannelCertificate) \| ServerNonce | ServerCertificate |
| ClientSignature (see 5.7.3) | ChannelThumbprint \| ServerNonce \| HASH(ServerCertificate) \| HASH(Server ChannelCertificate) \| HASH(Client ChannelCertificate) \| ClientNonce | ClientCertificate |
| UserTokenSignature (see 5.7.3) | ChannelThumbprint \| ServerNonce \| HASH(ServerCertificate) \| HASH(Server ChannelCertificate) \| HASH(ClientCertificate) \| HASH(Client ChannelCertificate) \| ClientNonce | UserCertificate |
| UserTokenSignature when SecurityMode is None. | ServerNonce \| HASH(ServerCertificate) \| ClientNonce | UserCertificate |

The HASH() function is specified by the CertificateThumbprintAlgorithm in the SecurityPolicy (see OPC 10000-6). If the Certificate argument is null or empty, the function returns an OctetString with 0 length.

If a ChannelCertificate is the same as the corresponding ApplicationInstance Certificate then the same byte sequence is repeated in the data to sign.

A Signature shall not be verified without first validating the signing Certificate using the steps described in 6.1.3.

The ClientSignature and UserTokenSignature shall not be computed until the ServerSignature is validated.

For UserTokenSignatures the rules above apply, except that the SecurityPolicy for the selected UserTokenPolicy specifies the signing algorithm.

For SecurityPolicies with SecureChannelEnhancements = FALSE, the legacy Signature calculation method is used. The inputs are defined in Table 102.

Table 102 – Legacy Signature Calculation Inputs

| Signature | Data to Sign | Signer |
| --- | --- | --- |
| ServerSignature (see 5.7.2) | ClientCertificate \| ClientNonce | ServerCertificate |
| ClientSignature (see 5.7.3) | ServerCertificate \| ServerNonce | ClientCertificate |
| UserTokenSignature (see 5.7.3) | ServerCertificate \| ServerNonce | UserCertificate |

The legacy Signature calculation method may use the entire chain passed in ServerCertificate or ClientCertificate parameters. For backward compatibility the calculation is first done with the leaf Certificate and then with the chain passed in the parameter. The channel bound Signature method always uses the leaf Certificate.
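The following Python code is an added example, not part of the specification: it assembles the data to sign for each row of Table 101 and compares it with the Table 102 inputs when the Certificates of the SecureChannel change. The function names, dictionary keys and the use of SHA-256 for HASH() are assumptions (the SecurityPolicy names the real algorithm), and all Certificate, nonce and thumbprint bytes are constructed stand-ins.

```python
import hashlib

def cert_hash(cert, algorithm="sha256"):
    """HASH() from Table 101. A null or empty Certificate gives a 0-length OctetString.
    The algorithm comes from the SecurityPolicy; "sha256" is an assumption here."""
    return hashlib.new(algorithm, cert).digest() if cert else b""

def channel_bound_data(kind, v, algorithm="sha256"):
    """Concatenate the Table 101 inputs, in table order, for one Signature kind."""
    h = lambda name: cert_hash(v.get(name), algorithm)
    tp, cn, sn = v["channel_thumbprint"], v["client_nonce"], v["server_nonce"]
    layouts = {
        "ServerSignature": [tp, cn, h("server_channel_cert"), h("client_channel_cert"), sn],
        "ClientSignature": [tp, sn, h("server_cert"), h("server_channel_cert"),
                            h("client_channel_cert"), cn],
        "UserTokenSignature": [tp, sn, h("server_cert"), h("server_channel_cert"),
                               h("client_cert"), h("client_channel_cert"), cn],
        "UserTokenSignature/None": [sn, h("server_cert"), cn],  # SecurityMode None
    }
    return b"".join(layouts[kind])

def legacy_data(kind, v):
    """Table 102 inputs (leaf Certificate form), for comparison."""
    if kind == "ServerSignature":
        return v["client_cert"] + v["client_nonce"]
    return v["server_cert"] + v["server_nonce"]  # ClientSignature, UserTokenSignature

# Constructed sample values: stand-in bytes, not real DER Certificates or nonces.
SAMPLE = {
    "channel_thumbprint": bytes(range(32)),  # computed per OPC 10000-6 in practice
    "client_nonce": b"\xc1" * 32,
    "server_nonce": b"\x5e" * 32,
    "server_cert": b"constructed-server-app-cert",
    "client_cert": b"constructed-client-app-cert",
    "server_channel_cert": b"constructed-server-app-cert",  # same as ApplicationInstance
    "client_channel_cert": b"constructed-client-app-cert",
}

def binding_demo():
    """Swap the server's SecureChannel Certificate and report which inputs change."""
    other = dict(SAMPLE, server_channel_cert=b"constructed-other-channel-cert")
    return {
        "channel_bound_changes": channel_bound_data("ClientSignature", SAMPLE)
                                 != channel_bound_data("ClientSignature", other),
        "legacy_changes": legacy_data("ClientSignature", SAMPLE)
                          != legacy_data("ClientSignature", other),
    }

if __name__ == "__main__":
    print(binding_demo())
```

With the same nonces and ApplicationInstance Certificates, only the channel bound input changes when the SecureChannel Certificate differs, so a Signature produced for one SecureChannel does not verify on another.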