-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add crypto support to the client #166
Conversation
I've successfully tested against: Kepware v6
Ignition 8 (Eclipse Milo)
OPC UA ANSI C Demo Server v1.8.3
Prosys Simulation Server
|
I've also successfully tested authentication against the following servers in the latest version Prosys Simulation Server
Kepware
Ignition 8
OPC UA ANSI C Demo Server v1.8.3
|
It might make sense to move this info to a Wiki page after the merge. I have someone from Siemens helping with the Basic256Sha256 issue. |
What is your take on merging this? What is still missing? |
Allows for sending and receiving messages secured by the various security policies. See examples/crypto for a usage example.
…policy combinations
If an error was recevied while sending an OpenSecureChannel request, the stack would still try send a CloseSecureChannel even though the channel was never fully negotiated. This panic'd the stack as headers were not correctly initialized
Anonymous is still the only supported authorization method, however new Options were added for the remaining ones and added support to the crypto client to accept an auth type parameter
Instead of generating the next signature to send after we receive the Create/Activate response, we save the server nonce and create the signature immeditatly before sending the next ActivateSession request. The nonce is also used for encrypting user tokens so this will also allow us to support username authentication
Reorganized the client so most of the flag parsing is done outside of main and also added additional checks to make sure the user selected a supported combination of policy/mode before connecting to the server.
It needs a sanity check on code quality, etc, then we should merge. There are a couple QoL features I'll add later as smaller things but I don't want this to get too out of hand (it's already bigger than I was expecting) |
Is that something you want to do yourself or should I do that? |
I'd appreciate if someone else could do it to ensure fresh eyes. The uasc integration is the most important and that part is mostly fine. The biggest issue I can think of is that it could use some helper methods for certificate parsing. We could create an issue and I'll work on that afterwards. I also still plan on doing a refactor of the securitypolicy package to see if I can replace the closures with something else... also a future task. The crypto client feels like a mess since it blew up with a ton of flag parsing but since that's just an example I'm not too worried about it. |
7dc6d6d
to
590e473
Compare
OK, I can have a look. I've rebased the branch on master and force-pushed it. I've also fixed an import cycle with the codectest which caused all binaries to include the |
I can also refactor the security policies to proper structs. That's somewhat straightforward. |
Yea, you're welcome to take a run at it. |
@dwhutchison I've cleaned up the security policies as follows:
The encrypt/decrypt/signature/verifySignature fields in the EncryptionAlgorithm still bug me a bit but only b/c I think there should be a prettier solution. :) I still get the error for Basic256Sha256 on the Siemens PLC. Basic256 and Basic128Rsa15 work with Sign and SignAndEncrypt. |
Nice. That works. The only thing I’d recommend is to unexport all but the EncryptionPolicy struct as the others should only used be within this package. I know what you mean with the four interfaces; the repetition was the reason it looked the way it did to begin with. If we think of anything cleaner we can edit later. I’ll test in the morning but I don’t see why this would change anything. |
Tested and everything still works fine |
Then lets merge and move on. |
This patch adds initial crypto support to the client. A working example can be found in
examples/crypto
. We have tested Basic128Rsa15, Basic256 with Sign and SignAndEncrypt on a Siemens PLC and others (@dwhutchison pls fill in your test equipment here).Basic256Sha256 still has issues but in order to test this we have also updated the debugging output and are finally bubbling ERRF messages up to the client.
We still need to fix the Basic256Sha256 and better configuration options for authentication tokens but this is a start.
Closes #111