Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for ECC profiles #2398

Merged
merged 101 commits into from
Oct 17, 2024
Merged

Add support for ECC profiles #2398

merged 101 commits into from
Oct 17, 2024

Conversation

mrsuciu
Copy link
Contributor

@mrsuciu mrsuciu commented Nov 27, 2023
edited by mregen
Loading

Proposed changes

  • Port support for ECC NIST/Brainpool profiles from prototyping_ecc branch
  • Implement CertProvider to load certs per connection / profile
  • Backward compatibility of configuration for existing apps
  • SecurityConfiguration specifies app cert types for each profile
  • Autodetect the ECC support for brainpool/nist based on platform (mac OS 10 doesn't support brainpool)
  • ECC supported on net48 / net5.0 / net 6.0 / netstandard2.1
  • ECC supported on windows / linux / macOS (brainpool not < macOS11)
  • Self signed certs for each profile are created on start similar to RSA
  • RSA only profiles are supported on .NET standard 2.0

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

  • Bugfix (non-breaking change which fixes an issue)
  • Enhancement (non-breaking change which adds functionality)
  • Test enhancement (non-breaking change to increase test coverage)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
  • Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • I have read the CONTRIBUTING doc.
  • I have signed the CLA.
  • I ran tests locally with my changes, all passed.
  • I fixed all failing tests in the CI pipelines.
  • I fixed all introduced issues with CodeQL and LGTM.
  • I have added tests that prove my fix is effective or that my feature works and increased code coverage.
  • I have added necessary documentation (if appropriate).
  • Any dependent changes have been merged and published in downstream modules.

Further comments

mregen and others added 30 commits October 6, 2023 10:11
@mregen @mrsuciu
Squash proto ecc (OPCFoundation#1998)
294192f
@mregen @mrsuciu
clean a few warning
fd3fcd1
@mrsuciu
Instantiate HMAC instance depending on provided algorithm.
dee6088
@mregen @mrsuciu
fix build
b17271c
@mrsuciu
Added ApplicationCertificates XML tag (bcw compat)
d63925f
@mrsuciu
Use ListOfCertificateIdentifier for configuration
5b1fe70
@mrsuciu
Use ApplicationCertificates tag
ab6d8fb
@mrsuciu
Added new Interface AddSecurityConfiguration(
d23450d 
            CertificateIdentifierCollection applicationCertificates,
            string pkiRoot = null,
            string rejectedRoot = null
            )
@mrsuciu
Reenabled special cases in ValidateCertificateType
8fc81d3
@mrsuciu
Use KeySize property value if set under IsECSecureForProfile method
b1cd86e
@mrsuciu
Check minimKeySize for ApplicationCertificates
108f7ed
@mrsuciu
Keep and mark as obsolete ApplicationInstance methods for bacword compat
9a25264
@mrsuciu
Fix CfgManager UpdateCertificate()
a2e0a4b
@mrsuciu
Added missing interface implementation
a0e4b0f
@mrsuciu
Added CertificateTypeString to improve visual appearance
97b4c87
@mrsuciu
Commented ECCUtils code
9efe4a7
@mrsuciu
Corrected ConsoleRefClient Configuration
a01d276
@mrsuciu
net48 has null Oid values for Brainpool curves
f165dee
@mrsuciu
Merge branch 'workeccV1' of https://github.com/mrsuciu/UA-.NETStandard
0b6d74f 
…into workeccV1
@mrsuciu
Updated tests to new API
58f583b
@mrsuciu
Default certificate type for "old" style configuration is RsaSha256Ap…
453ad95 
…plicationCertificateType
@mrsuciu
SemaphoreSlim is not reentrant => removed from ResetValidatedCertific…
11f3085 
…ates
@mrsuciu
Fixed loading of disposed cached certificates
48cce5c
@mrsuciu
Modified projects to correctly use ECC_SUPPORT flag
1ada020
@mrsuciu
Handle EphemerousKey from Server side
c7ebfe1
@mrsuciu
Added minimal test
e62ad97
@mrsuciu
Added UserIdentityToken Encypt/Decrypt functionality
1a8ab07
@mrsuciu
Preserve key material in UserIdentityToken encryption/decription
0ed43b9
@mrsuciu
Removed ECC support from NETSTANDARD2_0 (introduced bu UserIdentityEn…
f41f10a 
…cryption)
@mrsuciu
Added UserIdentity encryption positive roundtrip unit tests
c6a10d7
@mrsuciu mrsuciu linked an issue Jul 31, 2024 that may be closed by this pull request
Ensure ECC profiles use the new sequence number algorithm #2674
Closed
5 tasks
@mregen
Copy link
Contributor

mregen commented Aug 29, 2024

code review discussions for follow up

  • check if the serverNonce can be stored as Nonce and unified for ECC and RSA
  • how about key sizes, do they still make sense as they are specified by profile. How do we specify that a nist 384 cert should be used for nist256. But it is not possible to use curve 448 with curve 25519?

romanett
romanett requested changes Sep 30, 2024
View reviewed changes
Copy link
Contributor

@romanett romanett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comments for first 17 changed files

Applications/ConsoleReferenceServer/Quickstarts.ReferenceServer.Config.xml Outdated
@@ -46,6 +79,7 @@
<RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates>
<RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>
<MinimumCertificateKeySize>2048</MinimumCertificateKeySize>
<MinimumECCertificateKeySize>256</MinimumECCertificateKeySize>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn`t this obosolete?

Applications/ConsoleReferenceServer/Quickstarts.ReferenceServer.Config.xml Outdated Show resolved Hide resolved
Libraries/Opc.Ua.Client/Session/Session.cs Outdated Show resolved Hide resolved
Libraries/Opc.Ua.Client/Session/Session.cs Show resolved Hide resolved
Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
/// </summary>
public async Task DeleteApplicationInstanceCertificate(CancellationToken ct = default)
public async Task DeleteApplicationInstanceCertificate(string[] profileIds = null, CancellationToken ct = default)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I oppose extending the interface before supporting only deleting certain profiles

Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
throw new ServiceResultException(StatusCodes.BadConfigurationError, "The Ecc certificate type is not supported.");
#else
ECCurve curve = default(ECCurve);
if (id.CertificateType == ObjectTypeIds.EccApplicationCertificateType ||
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this code should live in a static function where it is globally accessible

romanett
romanett reviewed Oct 2, 2024
View reviewed changes
Libraries/Opc.Ua.Security.Certificates/X509Certificate/X509PfxUtils.cs Outdated Show resolved Hide resolved
Stack/Opc.Ua.Core/Schema/SecuredApplicationHelpers.cs

/// <summary>
/// TODO: Holds the application certificates but should be generated and the Opc.Ua.Security namespace automatically
/// TODO: Should replace ApplicationCertificateField in the generated Opc.Ua.Security.SecuredApplication class
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this needed before merging?

Stack/Opc.Ua.Core/Types/Utils/Utils.cs Show resolved Hide resolved
Stack/Opc.Ua.Core/Security/Certificates/EccUtils.cs
/// </summary>
/// <param name="certificate"></param>
/// <returns></returns>
public static ECDsa GetPublicKey(X509Certificate2 certificate)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isnt this function also present as non ecc specific variants in another class, if yes i think we can remove it in EccUtils?

Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs
@@ -738,6 +972,12 @@ public Task<X509Certificate2> LoadPrivateKey(string thumbprint, string subjectNa
return Task.FromResult<X509Certificate2>(null);
}

/// <inheritdoc/>
public Task<X509Certificate2> LoadPrivateKey(string thumbprint, string subjectName, NodeId certificateType, string password)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why return always null?

mrsuciu and others added 3 commits October 4, 2024 18:25
@mrsuciu
Simplify GetNewSequenceNumber
69ab50a
@marcschier
Null pointer exception when reading a complex type with empty arrays. (
3672ebe 
…OPCFoundation#2798)

The server under test has a extension object with a complex type.  Type id = {nsu=http://opcfoundation.org/UA/Machinery/Result/;i=5008}.  This contains something with a variant array that is null though (-1).  SetProperty should support setting a Array that is null.  Therefore, test for null collection (case when length was encoded as -1) before dereferencing ahead of the ToArrray() conversion to Array.
@mregen
merge main
4fbd592
@mregen mregen requested review from mregen, romanett and KircMax October 17, 2024 11:40
mregen
mregen reviewed Oct 17, 2024
View reviewed changes
Docs/EccProfiles.md
<ServerSecurityPolicy>
<SecurityMode>Sign_2</SecurityMode>
<SecurityPolicyUri></SecurityPolicyUri>
</ServerSecurityPolicy>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are the default policies populated as per available ECC certificates?

mregen
mregen reviewed Oct 17, 2024
View reviewed changes
Docs/EccProfiles.md
<ua:TokenType>UserName_1</ua:TokenType>
<!-- passwords must be encrypted - this specifies what algorithm to use -->
<!-- if no algorithm is specified, the active security policy is used -->
<ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't this now a n invalid configuration if the ECC cert is used?

@mregen mregen merged commit f001eab into OPCFoundation:master Oct 17, 2024
77 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mregen mregen mregen approved these changes

@romanett romanett romanett approved these changes

@KircMax KircMax Awaiting requested review from KircMax

Assignees

@mrsuciu mrsuciu

Labels
ecc
Projects
None yet
Milestone
1.5.375 ECC official release
7 participants
@mrsuciu @EthanChangAED @ThomasNehring @mregen @romanett @KircMax @marcschier