Improve https clien/server support (#1490)

- add support for security header in client/server libs fixes #1118
OPCFoundation · Aug 20, 2021 · 4a2f13e · 4a2f13e
1 parent cff7546
commit 4a2f13e
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 3 deletions.
diff --git a/Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportChannel.cs b/Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportChannel.cs
@@ -207,6 +207,11 @@ public IAsyncResult BeginSendRequest(IServiceRequest request, AsyncCallback call
             {
                 ByteArrayContent content = new ByteArrayContent(BinaryEncoder.EncodeMessage(request, m_quotas.MessageContext));
                 content.Headers.ContentType = m_mediaTypeHeaderValue;
+                if (EndpointDescription?.SecurityPolicyUri != null &&
+                    string.Compare(EndpointDescription.SecurityPolicyUri, SecurityPolicies.None) != 0)
+                {
+                    content.Headers.Add("OPCUA-SecurityPolicy", EndpointDescription.SecurityPolicyUri);
+                }
 
                 var result = new HttpsAsyncResult(callback, callbackData, m_operationTimeout, request, null);
                 Task.Run(async () => {

diff --git a/Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportListener.cs b/Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportListener.cs
@@ -30,6 +30,7 @@
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 
 
@@ -230,13 +231,13 @@ public void Start()
         {
             Startup.Listener = this;
             m_hostBuilder = new WebHostBuilder();
-
             HttpsConnectionAdapterOptions httpsOptions = new HttpsConnectionAdapterOptions();
             httpsOptions.CheckCertificateRevocation = false;
             httpsOptions.ClientCertificateMode = ClientCertificateMode.NoCertificate;
             httpsOptions.ServerCertificate = m_serverCert;
+
             // note: although security tools recommend 'None' here,
-            // it only works on .NET 4.6 if Tls12 is used
+            // it only works on .NET 4.6.2 if Tls12 is used
 #if NET462
             httpsOptions.SslProtocols = SslProtocols.Tls12;
 #else
@@ -324,17 +325,40 @@ public async Task SendAsync(HttpContext context)
                     }
                 }
 
-                EndpointDescription endpoint = null;
+                if (!context.Request.Headers.TryGetValue("OPCUA-SecurityPolicy", out var header))
+                {
+                    header = SecurityPolicies.None;
+                }
 
+                EndpointDescription endpoint = null;
                 foreach (var ep in m_descriptions)
                 {
                     if (ep.EndpointUrl.StartsWith(Utils.UriSchemeHttps))
                     {
+                        if (!string.IsNullOrEmpty(header))
+                        {
+                            if (string.Compare(ep.SecurityPolicyUri, header) != 0)
+                            {
+                                continue;
+                            }
+                        }
+
                         endpoint = ep;
                         break;
                     }
                 }
 
+                if (endpoint == null &&
+                    input.TypeId != DataTypeIds.GetEndpointsRequest)
+                {
+                    var message = "Connection refused, invalid security policy.";
+                    Utils.Trace(Utils.TraceMasks.Error, message);
+                    context.Response.ContentLength = message.Length;
+                    context.Response.ContentType = "text/plain";
+                    context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                    await context.Response.WriteAsync(message).ConfigureAwait(false);
+                }
+
                 result = m_callback.BeginProcessRequest(
                     m_listenerId,
                     endpoint,