Add support for ECC profiles #2398

Open
wants to merge 57 commits into
base: master

mrsuciu
Contributor

@mrsuciu mrsuciu commented Nov 27, 2023

Proposed changes

  • Port support for ECC NIST/Brainpool profiles from prototyping_ecc branch
  • Implement CertProvider to load certs per connection / profile
  • Backward compatibility of configuration for existing apps
  • SecurityConfiguration specifies app cert types for each profile
  • Autodetect the ECC support for brainpool/nist based on platform (macOS 10 doesn't support brainpool)
  • ECC supported on net48 / net5.0 / net6.0 / netstandard2.1
  • ECC supported on windows / linux / macOS (brainpool not < macOS11)
  • Self-signed certs for each profile are created on start similar to RSA
  • RSA only profiles are supported on .NET standard 2.0

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

  • Bugfix (non-breaking change which fixes an issue)
  • Enhancement (non-breaking change which adds functionality)
  • Test enhancement (non-breaking change to increase test coverage)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
  • Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • I have read the CONTRIBUTING doc.
  • I have signed the CLA.
  • I ran tests locally with my changes, all passed.
  • I fixed all failing tests in the CI pipelines.
  • I fixed all introduced issues with CodeQL and LGTM.
  • I have added tests that prove my fix is effective or that my feature works and increased code coverage.
  • I have added necessary documentation (if appropriate).
  • Any dependent changes have been merged and published in downstream modules.

Further comments

mregen and others added 30 commits October 6, 2023 10:11
            CertificateIdentifierCollection applicationCertificates,
            string pkiRoot = null,
            string rejectedRoot = null
            )
@@ -894,7 +915,36 @@ private void ValidateDataTypeDefinition(INode node)
StructureDefinition structureDefinition = dataTypeDefinition.Body as StructureDefinition;
Assert.AreEqual(ObjectIds.ProgramDiagnosticDataType_Encoding_DefaultBinary, structureDefinition.DefaultEncodingId);
}

#if mist
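
Review bot: the `#if mist` directive on the last line of this hunk gates whatever follows on a symbol named `mist`, which nothing in the visible lines defines or explains. If the guarded code is meant to run, drop the directive; if it is meant to stay disabled, remove it or gate it behind a named, documented symbol so the checks it guards are not silently compiled out.
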
Contributor

some leftover

Contributor

@mregen mregen left a comment

Please check the reentrantsemaphore implementation and if it is really needed. More comments in the code.

romanett
romanett previously approved these changes Mar 31, 2024
@romanett romanett dismissed their stale review March 31, 2024 08:14

not full review

@@ -98,7 +99,7 @@ public partial class Session : SessionClientBatched, ISession
:
base(channel)
{
Initialize(channel, configuration, endpoint, clientCertificate);
InitializeAsync(channel, configuration, endpoint, clientCertificate);
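
Review bot: the `InitializeAsync(channel, configuration, endpoint, clientCertificate);` call in the constructor body is a bare statement, so whatever it returns is discarded. If that is a Task, the constructor returns before initialization has finished and any exception thrown by it goes unobserved. Keep the synchronous `Initialize` call in the constructor and move the asynchronous work into a separate method that the caller awaits, or offer an async static factory method instead.
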
Contributor

can not be async in a constructor

@@ -174,30 +175,20 @@ public Session(ITransportChannel channel, Session template, bool copyEventHandle

if (m_endpoint.Description.SecurityPolicyUri != SecurityPolicies.None)
Contributor

try to move the async portions out of the constructor, then additional calls have to be made to load the certs

case SecurityPolicies.None:
{
// Minimum nonce length by default
return m_minNonceLength;
Contributor

Let's check if this parameter is really needed, or good enough to define the value as a const.

/// <summary>
/// The tags of the supported certificate types.
/// </summary>
private static Dictionary<uint, string> m_supportedCertificateTypes = new Dictionary<uint, string>() {
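
Review bot: `m_supportedCertificateTypes` is declared `private static` without `readonly`, so this shared lookup table can be reassigned at run time, and as a plain `Dictionary<uint, string>` its entries can be changed by any code in the class. Declare it `private static readonly`, and consider exposing it only through a read-only dictionary type, since a table of supported certificate types should not change after startup.
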
Contributor

isn't this missing here:
{ ObjectTypes.EccApplicationCertificateType, "??"},

/// <param name="url">The discovery Url of the server.</param>
/// <param name="endpoints"></param>
/// <param name="useSecurity"></param>
[Obsolete("Use the SelectEndpoint with ApplicationConfiguration instead.")]
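
Review bot: the `<param name="endpoints">` and `<param name="useSecurity">` tags above the `[Obsolete]` attribute are empty, so the generated documentation says nothing about either argument. Add a one-line description to each; for a method kept only for compatibility that is enough.
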
Contributor

I'm not familiar with the codebase - I'm just wondering about this ... why introduce and provide a new obsolete Method?

Contributor Author

It is present in the master branch

/// <summary>
/// Verify ECDsa key pair of two certificates.
/// </summary>
public static bool VerifyECDsaKeyPair(
Contributor

@romanett romanett Apr 17, 2024

imho we should try to deprecate RSA specific functions where possible and also try to avoid ecc specific functions where possible and instead provide functions supporting both certificate types:

  • GetRSAPublicKeySize -> not needed use GetPublicKeySize
  • VerifyKeyPair should be deprecated or handle both certificate types with the latter being my favorite

/// Get the OPC UA CertificateType.
/// </summary>
/// <param name="certificate">The certificate with a signature.</param>
public static NodeId GetCertificateType(X509Certificate2 certificate)
Contributor

@romanett romanett Apr 17, 2024

Not sure about this comment: Shouldn't this function be part of X509Utils as well as the ValidateCertificateType function, or should all OPC UA specific logic be in CertificateIdentifier?

Contributor

@romanett romanett left a comment

my concerns are mainly about the usability of the added code / functionality

@@ -821,19 +888,72 @@ public void OnCertificateValidation(object sender, CertificateValidationEventArg
Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true);
}

var builder = CertificateFactory.CreateCertificate(
Contributor

I would like the CertificateFactory.CreateCertificate to have a method where I provide the certificateType and it creates the RSA or ECC certificate with the right curve for me depending on the provided certificate type, or else everywhere I create a certificate I need to check the type manually and create the RSA/ECC cert depending on the type. I would also like a global list class/enum of certificate types (maybe like the well-known roles) because in the code (especially gds) I see a lot of passing around certificate type as string / Node Id and then matching it to a dictionary of object type ids, which I do not really see as good practice.

Successfully merging this pull request may close these issues.

Support ECC user token
5 participants