Support ECC profiles #1999

Draft
wants to merge 9 commits into
base: master

@mrsuciu mrsuciu commented Nov 18, 2022

Proposed changes

  • Port support for ECC NIST/Brainpool profiles from prototyping_ecc branch
  • Implement CertProvider to load certs per connection / profile
  • Goal to be backward compatible for configuration of existing apps

What's working so far:

  • Simple configuration to enable ECC profiles
  • ECC supported on net472 / net5.0 / net 6.0 / netstandard2.1
  • ECC supported on windows / linux / macOS (brainpool not < macOS11)
  • Self signed certs for each profile are created on start similar to RSA
  • CertProvider to load cert/cert chains as per profile
  • Client/Server can specify supported profiles
  • Client server connections

ToDo:

  • SecurityConfiguration to specify app cert types for each profile
  • Cache the certs in CertProvider
  • Autodetect the ECC support for brainpool/nist based on platform (macOS 10 doesn't support brainpool)
  • Tests for certificate validator for NIST/Brainpool PKI
  • GDS Push support for ECC (yet no cert groups created on server)
  • IOP testing with other servers / clients
  • Make WinForms samples work

lgtm-com bot commented Nov 18, 2022

This pull request introduces 11 alerts when merging f407a5a into 67a794e - view on LGTM.com

new alerts:

  • 4 for Constant condition
  • 3 for Useless assignment to local variable
  • 2 for Container contents are never accessed
  • 1 for Dereferenced variable may be null
  • 1 for Empty branch of conditional, or empty loop body

Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog.

@@ -17,8 +17,10 @@
<StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
<SubjectName>CN=Console Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
</ApplicationCertificate>

<ApplicationCertificateTypes>Rsa,NistP256,NistP384,BrainpoolP256r1,BrainpoolP384r1</ApplicationCertificateTypes>
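
Review bot: the added `<ApplicationCertificateTypes>` line enables `BrainpoolP256r1` and `BrainpoolP384r1` unconditionally, while the PR description says Brainpool is not available below macOS 11, and all five types share the single `<SubjectName>` and `<StorePath>` of the `<ApplicationCertificate>` element above it. Document what happens at startup when a listed type is unsupported on the platform (skip with a warning or fail), and consider a per-type certificate entry so each profile can carry its own subject and store.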

Discuss how the new config layout should be, @mregen provide sample from previous discussion in .NET user group.

Feature request was to have an ApplicationCertificate per ECC security profile, to be able to set different subjects.

@@ -112,7 +114,43 @@
<SecurityMode>SignAndEncrypt_3</SecurityMode>
<SecurityPolicyUri></SecurityPolicyUri>
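
Review bot: `<SecurityPolicyUri></SecurityPolicyUri>` is left empty next to `SignAndEncrypt_3`, so the policy actually offered for this entry is implicit. With ECC profiles being added to this configuration, spell out the URI here or add a comment stating what an empty value resolves to, so an operator reading the file can tell which profiles the server exposes.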

The expectation was that the ECC profiles are added here if the ECC cert is configured as app cert.

codecov bot commented Nov 18, 2022

Codecov Report

Merging #1999 (50774b6) into master (29a3be5) will decrease coverage by 0.01%.
The diff coverage is 64.98%.

@@            Coverage Diff             @@
##           master    #1999      +/-   ##
==========================================
- Coverage   57.92%   57.91%   -0.01%     
==========================================
  Files         324      326       +2     
  Lines       61677    62523     +846     
==========================================
+ Hits        35725    36210     +485     
- Misses      25952    26313     +361     
Impacted Files Coverage Δ
...ries/Opc.Ua.Security.Certificates/PEM/PEMReader.cs 93.75% <ø> (ø)
...Certificates/X509Certificate/CertificateBuilder.cs 85.63% <ø> (ø)
...braries/Opc.Ua.Server/Server/ServerInternalData.cs 88.75% <0.00%> (-0.35%) ⬇️
...ck/Opc.Ua.Core/Schema/SecuredApplicationHelpers.cs 0.00% <ø> (ø)
...Core/Security/Certificates/X509CertificateStore.cs 78.31% <0.00%> (-0.96%) ⬇️
...pc.Ua.Core/Security/Constants/SecurityConstants.cs 100.00% <ø> (ø)
...ack/Opc.Ua.Core/Stack/Client/ReverseConnectHost.cs 74.28% <ø> (-1.39%) ⬇️
...tack/Configuration/SecurityConfigurationManager.cs 0.00% <ø> (ø)
...tack/Opc.Ua.Core/Security/Certificates/EccUtils.cs 24.01% <24.01%> (ø)
...ndings.Https/Stack/Https/HttpsTransportListener.cs 72.00% <41.66%> (+0.72%) ⬆️
... and 30 more

... and 10 files with indirect coverage changes

@mregen mregen left a comment

good luck!

@@ -125,6 +126,7 @@ public static EndpointDescription SelectEndpoint(string discoveryUrl, bool useSe
/// <param name="useSecurity">if set to <c>true</c> select an endpoint that uses security.</param>
/// <param name="discoverTimeout">Operation timeout in milliseconds.</param>
/// <returns>The best available endpoint.</returns>
[Obsolete("Use the SelectEndpoint with ApplicationConfiguration instead.")]
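
Review bot: the `[Obsolete]` message on this `SelectEndpoint` overload says to use the one "with ApplicationConfiguration" but does not identify it, and the XML doc above it says nothing about the deprecation. Name the replacement overload's parameters in the message and add a `<remarks>` line explaining why this overload is deprecated, so callers hitting CS0618 know what to migrate to.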

Check why it is obsolete; was the function moved to ApplicationConfiguration?

{
continue;
// skip unsupported security policies
if (!configuration.SecurityConfiguration.SupportedSecurityPolicies.Contains(endpoint.SecurityPolicyUri))
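
Review bot: the filter `SupportedSecurityPolicies.Contains(endpoint.SecurityPolicyUri)` dereferences `configuration.SecurityConfiguration` and `SupportedSecurityPolicies` without a null check, and it drops endpoints silently. Guard both for null, log each skipped endpoint with its policy URI, and make sure selection fails with a clear error rather than settling on a weaker endpoint when every secure endpoint has been filtered out.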

check if this is a good idea

// load the application instance certificate.
if (m_configuration.SecurityConfiguration.ApplicationCertificate == null)
m_instanceCertificate = LoadCertificate(configuration, m_endpoint.Description.SecurityPolicyUri).GetAwaiter().GetResult();
if (m_instanceCertificate == null)
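
Review bot: `LoadCertificate(...).GetAwaiter().GetResult()` blocks on an async call, which can deadlock when it runs on a thread with a synchronization context, as in UI applications. Prefer an async path, or load the certificate before this point and pass it in. The visible lines also mix `m_configuration` and `configuration`; use one consistently so the certificate is resolved from the same configuration that is null-checked.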

What if the policy None is used, but the user token should be encrypted with an ECC profile?

var cert = m_configuration.SecurityConfiguration.ApplicationCertificate;
#pragma warning restore CS0618 // Type or member is obsolete
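
Review bot: the `#pragma warning restore CS0618` shows that this read of `ApplicationCertificate` sits inside a suppressed region, which silences the very warning the obsolete marker is meant to raise, so this call site will not surface when the remaining single-certificate usages are tracked down. Add a comment saying why the legacy property is still needed here and which certificate type it is expected to return, or switch to the per-policy lookup.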

marked as obsolete, to catch cases that need to be handled.

display config info in the exception.

@@ -5635,7 +5628,7 @@ private static async Task<X509Certificate2Collection> LoadCertificateChain(Appli
{
clientCertificateChain = new X509Certificate2Collection(clientCertificate);
List<CertificateIdentifier> issuers = new List<CertificateIdentifier>();
await configuration.CertificateValidator.GetIssuers(clientCertificate, issuers).ConfigureAwait(false);
await configuration.CertificateValidator.GetIssuers(clientCertificate, issuers, false).ConfigureAwait(false);
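
Review bot: the third argument in `GetIssuers(clientCertificate, issuers, false)` is a bare boolean, so the call site does not show what is being switched off while the client certificate chain is built. Pass it as a named argument or add a one-line comment, and state whether it changes which issuers end up in `clientCertificateChain`.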

why false?

var serverSalt = Utils.Append(length, s_HkdfServerLabel, serverSecret, clientSecret);
var clientSalt = Utils.Append(length, s_HkdfClientLabel, clientSecret, serverSecret);

Utils.LogTrace("Length={0}", Utils.ToHexString(length));
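
Review bot: `Utils.LogTrace("Length={0}", ...)` is debug tracing inside key derivation, directly after `serverSalt` and `clientSalt` are built from `serverSecret` and `clientSecret`. Remove the trace calls before merge, or restrict them to non-sensitive values behind a debug-only switch, so that no derivation input can end up in application logs.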

remove if all is working :-)

{
return SymmetricSign(token, dataToSign, useClientKeys);
}

#if GCMMODE
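
Review bot: the code opened by `#if GCMMODE` is compiled only when that symbol is defined in the build, so this alternative next to `SymmetricSign` is otherwise neither built nor tested. Delete it, or define the symbol in the build targets and cover the branch with tests.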

GCMMODE can be removed

@@ -512,7 +512,36 @@ private void ValidateDataTypeDefinition(INode node)
StructureDefinition structureDefinition = dataTypeDefinition.Body as StructureDefinition;
Assert.AreEqual(ObjectIds.ProgramDiagnosticDataType_Encoding_DefaultBinary, structureDefinition.DefaultEncodingId);
}

#if mist
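
Review bot: the block opened by `#if mist` in this test file compiles only if a `mist` symbol is defined, so whatever tests it contains are skipped without appearing as ignored in the test report. Mark the affected tests as ignored with a stated reason, or remove the block.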

MIST can be removed

@@ -381,13 +381,6 @@ public void UpdateCertificateSelfSignedNoPrivateKey()
[Test, Order(510)]
public void UpdateCertificateCASigned()
{
#if NETCOREAPP3_1_OR_GREATER
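
Review bot: the hunk header shrinks this region from 13 to 6 lines around the `#if NETCOREAPP3_1_OR_GREATER` guard in `UpdateCertificateCASigned`. If the guard is being dropped, the test now also runs on targets that were excluded before; confirm it passes there in CI, or keep the exclusion with a comment naming the failing target.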

remove if it works now, but unlikely...

@mregen mregen marked this pull request as draft November 18, 2022 15:03

lgtm-com bot commented Nov 18, 2022

This pull request introduces 11 alerts when merging 5c96b3e into 67a794e - view on LGTM.com

new alerts:

  • 4 for Constant condition
  • 3 for Useless assignment to local variable
  • 2 for Container contents are never accessed
  • 1 for Dereferenced variable may be null
  • 1 for Empty branch of conditional, or empty loop body

@mregen mregen added this to the 1.4.372 milestone Nov 19, 2022
@mrsuciu mrsuciu self-assigned this Feb 9, 2023
@EthanChangAED

@mrsuciu, is this PR still needed? If it is replaced with the newer one, could you close this PR?

@mregen mregen removed this from the 1.4.373 ECC Support preview milestone Dec 14, 2023