New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support ECC profiles #1999
base: master
Are you sure you want to change the base?
Support ECC profiles #1999
Conversation
This pull request introduces 11 alerts when merging f407a5a into 67a794e - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
@@ -17,8 +17,10 @@ | |||
<StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath> | |||
<SubjectName>CN=Console Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName> | |||
</ApplicationCertificate> | |||
|
|||
<ApplicationCertificateTypes>Rsa,NistP256,NistP384,BrainpoolP256r1,BrainpoolP384r1</ApplicationCertificateTypes> | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discuss how the new config layout should be, @mregen provide sample from previous discussion in .NET user group.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feature request was to have a ApplicationCertificate
per ECC security profile, to be able to set different subjects
@@ -112,7 +114,43 @@ | |||
<SecurityMode>SignAndEncrypt_3</SecurityMode> | |||
<SecurityPolicyUri></SecurityPolicyUri> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
expectation were that here are add the ECC profiles if the ECC cert is configured as app cert.
Codecov Report
@@ Coverage Diff @@
## master #1999 +/- ##
==========================================
- Coverage 57.92% 57.91% -0.01%
==========================================
Files 324 326 +2
Lines 61677 62523 +846
==========================================
+ Hits 35725 36210 +485
- Misses 25952 26313 +361
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good luck!
@@ -125,6 +126,7 @@ public static EndpointDescription SelectEndpoint(string discoveryUrl, bool useSe | |||
/// <param name="useSecurity">if set to <c>true</c> select an endpoint that uses security.</param> | |||
/// <param name="discoverTimeout">Operation timeout in milliseconds.</param> | |||
/// <returns>The best available endpoint.</returns> | |||
[Obsolete("Use the SelectEndpoint with ApplicationConfiguration instead.")] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check why is it obsolete, was the function moved to ApplicationConfiguration
?
{ | ||
continue; | ||
// skip unsupported security policies | ||
if (!configuration.SecurityConfiguration.SupportedSecurityPolicies.Contains(endpoint.SecurityPolicyUri)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check if this is a good idea
// load the application instance certificate. | ||
if (m_configuration.SecurityConfiguration.ApplicationCertificate == null) | ||
m_instanceCertificate = LoadCertificate(configuration, m_endpoint.Description.SecurityPolicyUri).GetAwaiter().GetResult(); | ||
if (m_instanceCertificate == null) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is if the policy none is used, but user token should be encrypted with ECC profile ..
var cert = m_configuration.SecurityConfiguration.ApplicationCertificate; | ||
#pragma warning restore CS0618 // Type or member is obsolete |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
marked as obsolete, to catch cases that need to be handled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
display config info in the exception.
@@ -5635,7 +5628,7 @@ private static async Task<X509Certificate2Collection> LoadCertificateChain(Appli | |||
{ | |||
clientCertificateChain = new X509Certificate2Collection(clientCertificate); | |||
List<CertificateIdentifier> issuers = new List<CertificateIdentifier>(); | |||
await configuration.CertificateValidator.GetIssuers(clientCertificate, issuers).ConfigureAwait(false); | |||
await configuration.CertificateValidator.GetIssuers(clientCertificate, issuers, false).ConfigureAwait(false); | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why false?
var serverSalt = Utils.Append(length, s_HkdfServerLabel, serverSecret, clientSecret); | ||
var clientSalt = Utils.Append(length, s_HkdfClientLabel, clientSecret, serverSecret); | ||
|
||
Utils.LogTrace("Length={0}", Utils.ToHexString(length)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove if all is working :-)
{ | ||
return SymmetricSign(token, dataToSign, useClientKeys); | ||
} | ||
|
||
#if GCMMODE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GCMMODE can be removed
@@ -512,7 +512,36 @@ private void ValidateDataTypeDefinition(INode node) | |||
StructureDefinition structureDefinition = dataTypeDefinition.Body as StructureDefinition; | |||
Assert.AreEqual(ObjectIds.ProgramDiagnosticDataType_Encoding_DefaultBinary, structureDefinition.DefaultEncodingId); | |||
} | |||
|
|||
#if mist |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MIST can be removed
@@ -381,13 +381,6 @@ public void UpdateCertificateSelfSignedNoPrivateKey() | |||
[Test, Order(510)] | |||
public void UpdateCertificateCASigned() | |||
{ | |||
#if NETCOREAPP3_1_OR_GREATER |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove if it works now, but unlikely...
This pull request introduces 11 alerts when merging 5c96b3e into 67a794e - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog. |
@mrsuciu, is this PR still needed? If it is replaced with the newer one, could you close this PR? |
Proposed changes
Whats yet working:
ToDo:
Types of changes
What types of changes does your code introduce?
Put an
x
in the boxes that apply. You can also fill these out after creating the PR.Checklist
Put an
x
in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Further comments
If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...