Failed to open a secure channel with AuthCertificate and different certificates

[jackchenjc]

Hi,

I have tried these connection options below, both of them worked well and successfully connected to the Prosys OPC-UA Server with my current code

{
     secMode: Sign,
     secPolicy: Basic128Rsa15,
     authMode: Anonymous,
}

{
     secMode: None,
     secPolicy: None,
     authMode: Certificate,
}

However, I kept getting a readChunk EOF error while trying to connect to the same server with the following options
(Note that the user authentication cert is not the same one as application cert)

{
     secMode: Sign,
     secPolicy: Basic128Rsa15,
     authMode: Certificate,
}

Here is the debug log:

debug: uacp: connecting to opc.tcp://***.local:53530/OPCUA/SimulationServer
debug: uacp 1: start HEL/ACK handshake
debug: uacp 1: sent HELF with 93 bytes
debug: uacp 1: recv ACKF with 28 bytes
debug: uacp 1: server has no chunk limit. Using 512
debug: uacp 1: recv &uacp.Acknowledge{Version:0x0, ReceiveBufSize:0x2004, SendBufSize:0x2004, MaxMessageSize:0x3fffc0, MaxChunkCount:0x200}
debug: uasc 1/1: send *ua.OpenSecureChannelRequest with 132 bytes
debug: uacp 1: recv OPNF with 135 bytes
debug: uasc 1/1: recv OPNF with 135 bytes
debug: uasc 1/1: recv *ua.OpenSecureChannelResponse
debug: uasc 1/1: sending *ua.OpenSecureChannelResponse to handler
debug: uasc 1: received security token. channelID=6 tokenID=1 createdAt=2023-08-17T03:11:17Z lifetime=1h0m0s
debug: uasc 1/2: send *ua.GetEndpointsRequest with 130 bytes
debug: uasc 1: security token is refreshed at 2023-08-17T03:56:17Z (45m0s). channelID=6 tokenID=1
debug: uasc 1: security token expires at 2023-08-17T04:26:17Z. channelID=6 tokenID=1
debug: uacp 1: recv MSGC with 4120 bytes
debug: uasc 1/2: recv MSGC with 4120 bytes
debug: uacp 1: recv MSGC with 4120 bytes
debug: uasc 1/2: recv MSGC with 4120 bytes
debug: uacp 1: recv MSGC with 4120 bytes
debug: uasc 1/2: recv MSGC with 4120 bytes
debug: uacp 1: recv MSGC with 4120 bytes
debug: uasc 1/2: recv MSGC with 4120 bytes
debug: uacp 1: recv MSGC with 4120 bytes
debug: uasc 1/2: recv MSGC with 4120 bytes
debug: uacp 1: recv MSGF with 346 bytes
debug: uasc 1/2: recv MSGF with 346 bytes
debug: uasc 1/2: recv *ua.GetEndpointsResponse
debug: uasc 1/2: sending *ua.GetEndpointsResponse to handler
debug: uasc 1: Close()
debug: uasc 1/3: send *ua.CloseSecureChannelRequest with 57 bytes
debug: uacp 1: close
debug: uasc 1: readChunk EOF
debug: uacp: connecting to opc.tcp://***.local:53530/OPCUA/SimulationServer
debug: uacp 2: start HEL/ACK handshake
debug: uacp 2: sent HELF with 93 bytes
debug: uacp 2: recv ACKF with 28 bytes
debug: uacp 2: server has no chunk limit. Using 512
debug: uacp 2: recv &uacp.Acknowledge{Version:0x0, ReceiveBufSize:0x2004, SendBufSize:0x2004, MaxMessageSize:0x3fffc0, MaxChunkCount:0x200}
debug: uasc 2/1: send *ua.OpenSecureChannelRequest with 1537 bytes
debug: uacp 2: recv ERRF with 186 bytes
debug: uasc 2: readChunk EOF
debug: uasc 2: failed to open a new secure channel
debug: uacp 2: close

But there was no error when I used the same cert for application and for the user authentication.
As far as I know, gopcua/opcua supports these three functions of type Option:

func Certificate(cert []byte) Option
func PrivateKey(key *rsa.PrivateKey) Option
func AuthCertificate(cert []byte) Option

Not sure if I've missed anything and I have just a question here:
If we use different cert for application and user auth, which private key should we set with opcua.PrivateKey()?

Any help would be appreciated.