
OPC-UA server can have multiple certificates #636

Open
geoynomous opened this issue Feb 8, 2023 · 4 comments

Comments

@geoynomous commented Feb 8, 2023

The OPC-UA server might announce multiple certificates, concatenated. Then

x509.ParseCertificate(cert) does not work; it will report an `x509: trailing data` error.

It is better to use x509.ParseCertificates(certsByteArray) (plural!) and then to choose one of them. The first?

Honestly, I do not understand why some servers provide multiple certs. Maybe there should be a way to select one of them? You know it better ...

EDIT: Or is there a way to choose the cert during a config step?

EDIT2: Here is a diff. It's probably not complete, but it gives an idea. Sorry, it's for v0.3.9.


diff -r [email protected]/client.go [email protected]/client.go
9a10
> 	"crypto/x509"
730c741,750
< 		err := c.SecureChannel().VerifySessionSignature(res.ServerCertificate, nonce, res.ServerSignature.Signature)
---
> 		remoteX509Certs, err := x509.ParseCertificates(res.ServerCertificate)
> 		if err != nil {
> 			return err
> 		}
> 		if len(remoteX509Certs) > 0 {
> 			res.ServerCertificate = remoteX509Certs[0].Raw
> 		}
>
> 		err = c.SecureChannel().VerifySessionSignature(res.ServerCertificate, nonce, res.ServerSignature.Signature)
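Review bot: the `if len(remoteX509Certs) > 0` guard before `res.ServerCertificate = remoteX509Certs[0].Raw` falls through silently when no certificate was parsed, and `x509.ParseCertificates` returns a nil slice with a nil error for empty input, so `VerifySessionSignature` is then called with the original (empty) bytes instead of the caller getting an explicit error; return an error for the zero-certificate case rather than continuing. The hunk also fixes the leaf as element 0 without saying so; add a comment stating that assumption, and wrap the parse error with context (for example `fmt.Errorf("parse server certificate: %w", err)`) since the bare `return err` loses where it came from.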
diff -r [email protected]/uasc/secure_channel.go [email protected]/uasc/secure_channel.go
12a13
> 	"fmt"
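Review bot: `"fmt"` is added to the imports of secure_channel.go, but no hunk in this diff uses it; Go refuses to compile a file with an unused import (`imported and not used`), so either drop this line or include the hunk that calls into `fmt`.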
491c492
< 		remoteCert, err := x509.ParseCertificate(s.cfg.RemoteCertificate)
---
> 		remoteCerts, err := x509.ParseCertificates(s.cfg.RemoteCertificate)
496c498
< 		if remoteKey, ok = remoteCert.PublicKey.(*rsa.PublicKey); !ok {
---
> 		if remoteKey, ok = remoteCerts[0].PublicKey.(*rsa.PublicKey); !ok {
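Review bot: `remoteCerts[0]` is indexed without a length check. Because `x509.ParseCertificates` returns an empty slice and a nil error for empty input, an empty `s.cfg.RemoteCertificate` now panics with an index out of range where the original `ParseCertificate` call returned an error; add `if len(remoteCerts) == 0 { return ..., errors.New("remote certificate is empty") }` before the type assertion. Everything in `remoteCerts[1:]` is discarded; if those are issuer certificates they are the natural input for chain validation and should at least be kept rather than dropped.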
@geoynomous (Author)

Any comment here?
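Worked example of the approach the issue description proposes, written for this thread and not taken from gopcua: parse the ServerCertificate with the plural `x509.ParseCertificates`, but handle the zero-certificate case explicitly and pick the leaf by issuer relationship (the certificate that issued none of the others) rather than by position, then verify a CreateSession ServerSignature with that leaf's RSA public key. It assumes the Basic256Sha256 policy's signature algorithm (RSA PKCS#1 v1.5 over SHA-256 of ClientCertificate || ClientNonce). The CA, the server leaf, the keys, the client certificate bytes and the nonce are all constructed in-process and are placeholders, not real credentials.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseServerCertificate parses an OPC UA ServerCertificate byte string: one DER cert
// or several concatenated without separators (where x509.ParseCertificate reports
// "trailing data"). It returns the leaf (the cert that issued none of the others) and the rest.
func ParseServerCertificate(der []byte) (*x509.Certificate, []*x509.Certificate, error) {
	certs, err := x509.ParseCertificates(der) // plural form consumes the whole buffer
	if err != nil {
		return nil, nil, fmt.Errorf("parse ServerCertificate: %w", err)
	}
	if len(certs) == 0 { // ParseCertificates returns nil, nil for empty input
		return nil, nil, errors.New("ServerCertificate is empty")
	}
	leaf := 0 // fall back to position 0 if no certificate is clearly the leaf
	for i, c := range certs {
		isIssuer := false
		for j, o := range certs {
			isIssuer = isIssuer || (i != j && bytes.Equal(o.RawIssuer, c.RawSubject))
		}
		if !isIssuer {
			leaf = i
			break
		}
	}
	issuers := append(append([]*x509.Certificate{}, certs[:leaf]...), certs[leaf+1:]...)
	return certs[leaf], issuers, nil
}

// sessionDigest hashes ClientCertificate || ClientNonce, the bytes the server signs (Basic256Sha256 assumed).
func sessionDigest(clientCertDER, clientNonce []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, clientCertDER...), clientNonce...))
	return sum[:]
}

// VerifySessionSignature checks ServerSignature with the server's leaf key, however many certs were sent.
func VerifySessionSignature(serverCertDER, clientCertDER, clientNonce, sig []byte) error {
	leaf, _, err := ParseServerCertificate(serverCertDER)
	if err != nil {
		return err
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("server leaf key is %T, want *rsa.PublicKey", leaf.PublicKey)
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sessionDigest(clientCertDER, clientNonce), sig)
}

// signSession produces the signature a server would send (test-side helper).
func signSession(key *rsa.PrivateKey, clientCertDER, clientNonce []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sessionDigest(clientCertDER, clientNonce))
}

// makeChain generates a throwaway CA and a server leaf it issues (constructed test data, not real credentials).
func makeChain() (leafDER, caDER []byte, leafKey *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	if leafKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test OPC UA CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test OPC UA Server"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	// The CA template doubles as parent: CreateCertificate takes the Issuer from parent.Subject.
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	return leafDER, caDER, leafKey, err
}

func main() {
	leafDER, caDER, leafKey, err := makeChain()
	if err != nil {
		panic(err)
	}
	wire := append(append([]byte{}, leafDER...), caDER...) // leaf||CA, as a server sends it
	_, err = x509.ParseCertificate(wire)
	fmt.Println("ParseCertificate on the chain:", err) // the error reported in the issue
	clientCert, nonce := []byte("constructed client cert bytes"), []byte("constructed client nonce")
	sig, _ := signSession(leafKey, clientCert, nonce)
	fmt.Println("verified with leaf from chain:", VerifySessionSignature(wire, clientCert, nonce, sig))
}
```

Choosing the leaf by issuer relationship instead of fixed index 0 means a server that puts the CA first does not cause the signature check to run against the wrong key; the issuers slice is returned so a caller can feed it to chain validation instead of discarding it.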

@geoynomous (Author)

This is still open.

@allenlu1990

And why must the private key be an RSA PRIVATE KEY?

@geoynomous (Author)

@allenlu1990 I understand your question, but this is unrelated to this issue. It might be a requirement of the standard. Here we are dealing with the fact that multiple certificates are announced.
