Validate server certificate with ValidationCheck.VALIDITY

[dead-land]

Hi, when I use the public DefaultClientCertificateValidator(TrustListManager trustListManager, Set validationChecks) and set ValidationCheck.VALIDITY does the DefaultClientCertificateValidator really check also the validity of the server certifcate?
When taking a look a the source of 0.6.16 it seems that in the method validateCertificateChain it checks only for ValidationCheck.APPLICATION_URI and ValidationCheck.HOSTNAME, but not for VALIDITY ?

[kevinherron]

I think this logic should end up running:

milo/opc-ua-stack/stack-core/src/main/java/org/eclipse/milo/opcua/stack/core/util/validation/CertificateValidationUtil.java

Lines 320 to 331 in bd15067

	try {
	checkValidity(anchorCert, endEntity);
	} catch (UaException e) {
	if (validationChecks.contains(ValidationCheck.VALIDITY)) {
	throw e;
	} else {
	LOGGER.warn(
	"check suppressed: certificate failed end-entity validity check: {}",
	anchorCert.getSubjectX500Principal().getName()
	);
	}
	}

[dead-land]

Ah, thanks, I think I found it - it should be checked via

public void validateCertificateChain(
List certificateChain, String applicationUri, String[] validHostNames)
throws UaException {
...
CertificateValidationUtil.validateTrustedCertPath(...

  private static void checkAnchorValidity(...

[kevinherron]

Basically... it should always be checked, but whether it's just logged or if it results in failure is up to the configured ValidationChecks.