-
Notifications
You must be signed in to change notification settings - Fork 943
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for ECC profiles #2398
base: master
Are you sure you want to change the base?
Conversation
CertificateIdentifierCollection applicationCertificates, string pkiRoot = null, string rejectedRoot = null )
…into workeccV1
…plicationCertificateType
I just had a look at the wireshark trace of the handshake between ConsoleReferenceClient and ConsoleReferenceServer. The good news is that the GetEndpointsResponse shows the ECC profiles. That's nice. Otoh, it looks as if the server offers all the old and deprecated security policies (Basic128Rsa15, Basic 256). Is this by intention? I think we should try not not expose them by default. (This is probably just a configuration issue). |
@ThomasNehring The server's Quickstarts.ReferenceServer.Config.xml configuration contains the deprecated security policies below the |
<RootNamespace>Opc.Ua.Configuration</RootNamespace> | ||
<Description>OPC UA Configuration Class Library</Description> | ||
<IsPackable>true</IsPackable> | ||
<PackageLicenseExpression>MIT</PackageLicenseExpression> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove .bak, I must have unintentionally pushed it
code review discussions for follow up
|
VerifySequenceNumber takes policy into account
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comments for first 17 changed files
@@ -46,6 +79,7 @@ | |||
<RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates> | |||
<RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus> | |||
<MinimumCertificateKeySize>2048</MinimumCertificateKeySize> | |||
<MinimumECCertificateKeySize>256</MinimumECCertificateKeySize> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isn`t this obosolete?
@@ -122,6 +189,14 @@ | |||
<SecurityMode>SignAndEncrypt_3</SecurityMode> | |||
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> | |||
</ServerSecurityPolicy> | |||
<ServerSecurityPolicy> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these shall be removed
@@ -5639,7 +5625,14 @@ ITransportChannel transportChannel | |||
EndpointDescription endpoint = m_endpoint.Description; | |||
SignatureData clientSignature = SecurityPolicies.Sign(m_instanceCertificate, endpoint.SecurityPolicyUri, dataToSign); | |||
|
|||
#if TODO // new code inside, please check if the update is valid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
whats up with this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/// <param name="responseHeader"></param> | ||
/// <param name="serverCertificate"></param> | ||
/// <exception cref="ServiceResultException"></exception> | ||
protected virtual void ProcessResponseAdditionalHeader(ResponseHeader responseHeader, X509Certificate2 serverCertificate) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does a more precise name exist in the spec for this header?
/// </summary> | ||
public async Task DeleteApplicationInstanceCertificate(CancellationToken ct = default) | ||
public async Task DeleteApplicationInstanceCertificate(string[] profileIds = null, CancellationToken ct = default) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I oppose extending the interface before supporting only deleting certain profiles
throw new ServiceResultException(StatusCodes.BadConfigurationError, "The Ecc certificate type is not supported."); | ||
#else | ||
ECCurve curve = default(ECCurve); | ||
if (id.CertificateType == ObjectTypeIds.EccApplicationCertificateType || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this code should live in a static function where it is globally accessible
@@ -63,6 +63,28 @@ private static X509KeyUsageFlags GetKeyUsage(X509Certificate2 cert) | |||
return allFlags; | |||
} | |||
|
|||
/// <summary> | |||
/// Verify RSA key pair of two certificates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment is misleading, supports both ecc & RSA
|
||
/// <summary> | ||
/// TODO: Holds the application certificates but should be generated and the Opc.Ua.Security namespace automatically | ||
/// TODO: Should replace ApplicationCertificateField in the generated Opc.Ua.Security.SecuredApplication class |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this needed before merging?
/// <summary> | ||
/// Lazy helper for checking ECC eliptic curve support for running OS | ||
/// </summary> | ||
private static readonly Dictionary<string, Lazy<bool>> s_eccCurveSupportCache = new Dictionary<string, Lazy<bool>>{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this used anywhere?
/// </summary> | ||
/// <param name="certificate"></param> | ||
/// <returns></returns> | ||
public static ECDsa GetPublicKey(X509Certificate2 certificate) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isnt this function also present as non ecc specific variants in another class, if yes i think we can remove it in EccUtils?
@@ -738,6 +972,12 @@ public Task<X509Certificate2> LoadPrivateKey(string thumbprint, string subjectNa | |||
return Task.FromResult<X509Certificate2>(null); | |||
} | |||
|
|||
/// <inheritdoc/> | |||
public Task<X509Certificate2> LoadPrivateKey(string thumbprint, string subjectName, NodeId certificateType, string password) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why return always null?
Proposed changes
Types of changes
What types of changes does your code introduce?
Put an
x
in the boxes that apply. You can also fill these out after creating the PR.Checklist
Put an
x
in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Further comments