Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add crypto support to the client #166

Merged
merged 30 commits into from
Apr 19, 2019
Merged

Add crypto support to the client #166

merged 30 commits into from
Apr 19, 2019

Conversation

magiconair
Copy link
Member

@magiconair magiconair commented Apr 11, 2019
edited
Loading

This patch adds initial crypto support to the client. A working example can be found in examples/crypto. We have tested Basic128Rsa15, Basic256 with Sign and SignAndEncrypt on a Siemens PLC and others (@dwhutchison pls fill in your test equipment here).

Basic256Sha256 still has issues but in order to test this we have also updated the debugging output and are finally bubbling ERRF messages up to the client.

We still need to fix the Basic256Sha256 and better configuration options for authentication tokens but this is a start.

Closes #111

@magiconair magiconair mentioned this pull request Apr 11, 2019
Closed
@dwhutchison dwhutchison mentioned this pull request Apr 12, 2019
Closed
@dwhutchison
Copy link
Collaborator

dwhutchison commented Apr 12, 2019
edited
Loading

I've successfully tested against:

Kepware v6

Security Policy Security Mode
None None
Basic128Rsa15 Sign
Basic128Rsa15 SignAndEncrypt
Basic256 Sign
Basic256 SignAndEncrypt

Ignition 8 (Eclipse Milo)

Security Policy Security Mode
None None
Basic128Rsa15 SignAndEncrypt
Basic256 SignAndEncrypt
Basic256Sha256 SignAndEncrypt
Aes128_Sha256_RsaOaep SignAndEncrypt
Aes256_Sha256_RsaPss SignAndEncrypt

OPC UA ANSI C Demo Server v1.8.3
https://www.unified-automation.com/downloads/opc-ua-servers/file/download/details/opc-ua-ansi-c-demo-server-v183-windows.html

Security Policy Security Mode
Basic256Sha256 Sign
Basic256Sha256 SignAndEncrypt
Aes128_Sha256_RsaOaep Sign
Aes128_Sha256_RsaOaep SignAndEncrypt
Aes256_Sha256_RsaPss Sign
Aes256_Sha256_RsaPss SignAndEncrypt

Prosys Simulation Server

Security Policy Security Mode
None None
Basic128Rsa15 Sign
Basic128Rsa15 SignAndEncrypt
Basic256 Sign
Basic256 SignAndEncrypt
Basic256Sha256 Sign
Basic256Sha256 SignAndEncrypt

@dwhutchison
Copy link
Collaborator

I've also successfully tested authentication against the following servers in the latest version

Prosys Simulation Server

  • Anonymous
  • Username
  • Certificate

Kepware

  • Anonymous
  • Username

Ignition 8

  • Anonymous
  • Username

OPC UA ANSI C Demo Server v1.8.3

  • Anonymous

@magiconair
Copy link
Member Author

It might make sense to move this info to a Wiki page after the merge. I have someone from Siemens helping with the Basic256Sha256 issue.

@magiconair
Copy link
Member Author

What is your take on merging this? What is still missing?

dwhutchison and others added 19 commits April 17, 2019 21:07
@dwhutchison @magiconair
Incorporate the crypo functions into the client transport
093c40c 
Allows for sending and receiving messages secured by the various
security policies. See examples/crypto for a usage example.
@dwhutchison @magiconair
corrected padding removal while decrypting message
90f909c
@magiconair
improve debugging
a7518c8
@magiconair
make crypto client more configurable
dd6026d
@dwhutchison @magiconair
added additional checks to avoid panics
066adc6
@magiconair
goify TCP in names
1a4893b
@magiconair
control debug output via flag for tests
3f55de0
@magiconair
Trim uacp package and handle errors
a78b543
@magiconair
Receive full uacp messages in secure channel
7f5714f
@magiconair
handle ERRF and bubble it up
3ff9664
@magiconair
drop go-cmp dependency
7beae4c
@magiconair
fix tests
9bbbaab
@dwhutchison @magiconair
updated crypto client and secure channel to check for valid security …
b36f380 
…policy combinations
@dwhutchison @magiconair
fix panic on close channel
a27e98a 
If an error was recevied while sending an OpenSecureChannel request, the
stack would still try send a CloseSecureChannel even though the
channel was never fully negotiated.
This panic'd the stack as headers were not correctly initialized
@dwhutchison @magiconair
added ServiceFault to service generation code
948b370
@dwhutchison @magiconair
added preliminary support for additional auth policies
dcf8d46 
Anonymous is still the only supported authorization method, however
new Options were added for the remaining ones and added support
to the crypto client to accept an auth type parameter
@dwhutchison @magiconair
move session signature creation to before send
92df987 
Instead of generating the next signature to send after we receive
the Create/Activate response, we save the server nonce and create
the signature immeditatly before sending the next ActivateSession
request.  The nonce is also used for encrypting user tokens so
this will also allow us to support username authentication
@dwhutchison @magiconair
added support for username and certificate auth
52c0451
@dwhutchison @magiconair
modified crypto client to be more robust with user input
bee654f 
Reorganized the client so most of the flag parsing is done outside
of main and also added additional checks to make sure the user
selected a supported combination of policy/mode before connecting to
the server.
@dwhutchison
Copy link
Collaborator

It needs a sanity check on code quality, etc, then we should merge.

There are a couple QoL features I'll add later as smaller things but I don't want this to get too out of hand (it's already bigger than I was expecting)
eg. allowing username auth without supplying a certificate

@magiconair
Copy link
Member Author

Is that something you want to do yourself or should I do that?

@dwhutchison
Copy link
Collaborator

I'd appreciate if someone else could do it to ensure fresh eyes. The uasc integration is the most important and that part is mostly fine. The biggest issue I can think of is that it could use some helper methods for certificate parsing. We could create an issue and I'll work on that afterwards. I also still plan on doing a refactor of the securitypolicy package to see if I can replace the closures with something else... also a future task.

The crypto client feels like a mess since it blew up with a ton of flag parsing but since that's just an example I'm not too worried about it.

@magiconair
Copy link
Member Author

OK, I can have a look. I've rebased the branch on master and force-pushed it. I've also fixed an import cycle with the codectest which caused all binaries to include the test.* flags.

@magiconair
Copy link
Member Author

I can also refactor the security policies to proper structs. That's somewhat straightforward.

@dwhutchison
Copy link
Collaborator

Yea, you're welcome to take a run at it.
I had some other small changes that I was going to do while in that package but those can be done separately.

golangcibot
golangcibot reviewed Apr 18, 2019
View reviewed changes
uapolicy/crypto_hmac.go Outdated Show resolved Hide resolved
uapolicy/crypto_pkcs1v15.go Outdated Show resolved Hide resolved
uapolicy/crypto_pkcs1v15.go Outdated Show resolved Hide resolved
golangcibot
golangcibot reviewed Apr 18, 2019
View reviewed changes
uapolicy/crypto_rsapss.go Outdated Show resolved Hide resolved
uapolicy/crypto_rsapss.go Outdated Show resolved Hide resolved
@magiconair
Copy link
Member Author

@dwhutchison I've cleaned up the security policies as follows:

  1. convert functions with closures to structs. EncryptionAlgorithm is still using fields but with interfaces now.
  2. move constant values for block sizes and min padding to constants
  3. unify SecurityPolicy constants between uasc and this package
  4. rename securitypolicy to uapolicy

The encrypt/decrypt/signature/verifySignature fields in the EncryptionAlgorithm still bug me a bit but only b/c I think there should be a prettier solution. :)

I still get the error for Basic256Sha256 on the Siemens PLC. Basic256 and Basic128Rsa15 work with Sign and SignAndEncrypt.

@dwhutchison
Copy link
Collaborator

Nice. That works. The only thing I’d recommend is to unexport all but the EncryptionPolicy struct as the others should only used be within this package.

I know what you mean with the four interfaces; the repetition was the reason it looked the way it did to begin with. If we think of anything cleaner we can edit later.

I’ll test in the morning but I don’t see why this would change anything.

@dwhutchison
Copy link
Collaborator

Tested and everything still works fine

@magiconair magiconair changed the title WIP: Add crypto support to the client Add crypto support to the client Apr 19, 2019
@magiconair
Copy link
Member Author

Then lets merge and move on.

@magiconair magiconair merged commit 0f3eb54 into master Apr 19, 2019
@magiconair magiconair deleted the feature/crypto-client branch April 19, 2019 10:18
@magiconair magiconair added this to the v0.1.0 milestone Jul 10, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@golangcibot golangcibot golangcibot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.1.0
Development

Successfully merging this pull request may close these issues.

Add sign/encryption support
3 participants
@magiconair @dwhutchison @golangcibot