
Example 6 with SecurityPolicy

use of org.eclipse.milo.opcua.stack.core.security.SecurityPolicy in project milo by eclipse.

the class SessionManager method createSession.

/**
 * Handles a CreateSession request: enforces the configured session limit, generates the server
 * nonce and authentication token, runs the nonce and certificate checks that apply when the
 * endpoint's security policy is not {@code None}, registers the new session in
 * {@code createdSessions} and builds the response.
 *
 * @param serviceRequest the incoming request; it also supplies the secure channel id, the endpoint
 *     the request arrived on and the certificate bytes associated with the secure channel.
 * @return the response carrying the session id, authentication token, revised timeout, server
 *     nonce, server certificate, matching endpoints and server signature.
 * @throws UaException with {@code Bad_TooManySessions} when the limit is reached,
 *     {@code Bad_NonceInvalid} when the client nonce was seen before, and
 *     {@code Bad_SecurityChecksFailed} when the certificate checks fail; the helpers called here
 *     (nonce validation, certificate chain validation) presumably signal failure the same way.
 */
private CreateSessionResponse createSession(ServiceRequest serviceRequest) throws UaException {
    CreateSessionRequest request = (CreateSessionRequest) serviceRequest.getRequest();
    long maxSessionCount = server.getConfig().getLimits().getMaxSessionCount().longValue();
    // Sessions in createdSessions and in activeSessions both count against the limit, and the
    // check runs before any per-request work is done.
    // NOTE(review): the size check and the later put are separate steps; whether concurrent
    // requests can overshoot the limit depends on how callers serialize this method; confirm.
    if (createdSessions.size() + activeSessions.size() >= maxSessionCount) {
        throw new UaException(StatusCodes.Bad_TooManySessions);
    }
    // The server nonce and the authentication token are two independent generateNonce(32) values.
    // The token is the key under which the session is stored below and is returned to the client.
    // NOTE(review): presumably 32 bytes from a secure random source; confirm in NonceUtil.
    ByteString serverNonce = NonceUtil.generateNonce(32);
    NodeId authenticationToken = new NodeId(0, NonceUtil.generateNonce(32));
    long maxRequestMessageSize = serviceRequest.getServer().getConfig().getEncodingLimits().getMaxMessageSize();
    // Clamp the client's requested timeout (milliseconds, see Duration.ofMillis below) to the
    // configured maximum, but never go below 5000, even if the configured maximum is lower.
    double revisedSessionTimeout = Math.max(5000, Math.min(server.getConfig().getLimits().getMaxSessionTimeout(), request.getRequestedSessionTimeout()));
    ApplicationDescription clientDescription = request.getClientDescription();
    long secureChannelId = serviceRequest.getSecureChannelId();
    EndpointDescription endpoint = serviceRequest.getEndpoint();
    // The policy is taken from the endpoint the request arrived on, not from the request body.
    SecurityPolicy securityPolicy = SecurityPolicy.fromUri(endpoint.getSecurityPolicyUri());
    // Endpoints returned to the client: skip "/discovery" URLs, keep those matching the URL the
    // client says it used and the transport profile of the current endpoint, then pass each one
    // through stripNonEssentialFields.
    EndpointDescription[] serverEndpoints = server.getEndpointDescriptions().stream().filter(ed -> !ed.getEndpointUrl().endsWith("/discovery")).filter(ed -> endpointMatchesUrl(ed, request.getEndpointUrl())).filter(ed -> Objects.equal(endpoint.getTransportProfileUri(), ed.getTransportProfileUri())).map(SessionManager::stripNonEssentialFields).toArray(EndpointDescription[]::new);
    if (serverEndpoints.length == 0) {
        // GetEndpoints in UaStackServer returns *all* endpoints regardless of a hostname
        // match in the endpoint URL if the result after filtering is 0 endpoints. Do the
        // same here.
        serverEndpoints = server.getEndpointDescriptions().stream().filter(ed -> !ed.getEndpointUrl().endsWith("/discovery")).filter(ed -> Objects.equal(endpoint.getTransportProfileUri(), ed.getTransportProfileUri())).map(SessionManager::stripNonEssentialFields).toArray(EndpointDescription[]::new);
    }
    ByteString clientNonce = request.getClientNonce();
    // With a secured policy the client nonce is validated and then checked against the nonces
    // remembered from earlier requests; a repeat is rejected with Bad_NonceInvalid.
    if (securityPolicy != SecurityPolicy.None) {
        NonceUtil.validateNonce(clientNonce);
        if (clientNonces.contains(clientNonce)) {
            throw new UaException(StatusCodes.Bad_NonceInvalid);
        }
    }
    // Remember this nonce for the replay check above. The history is capped at 64 entries and
    // trimmed from index 0, so the check only covers the most recently recorded nonces.
    // NOTE(review): assumes clientNonces is an insertion-ordered list; confirm its declaration.
    if (securityPolicy != SecurityPolicy.None && clientNonce.isNotNull()) {
        clientNonces.add(clientNonce);
        while (clientNonces.size() > 64) {
            clientNonces.remove(0);
        }
    }
    ByteString clientCertificateBytes = request.getClientCertificate();
    // Bind the session to the secure channel: the certificate in the request must equal the one
    // associated with the channel. The comparison is skipped when the channel-side bytes are null.
    // NOTE(review): confirm when a secured channel can report null certificate bytes.
    if (securityPolicy != SecurityPolicy.None && serviceRequest.getClientCertificateBytes() != null) {
        if (!Objects.equal(clientCertificateBytes, serviceRequest.getClientCertificateBytes())) {
            throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "certificate used to open secure channel " + "differs from certificate used to create session");
        }
    }
    SecurityConfiguration securityConfiguration = createSecurityConfiguration(endpoint, clientCertificateBytes);
    // With a secured policy a client certificate and chain are mandatory, and the chain is passed
    // to the configured validator together with the application URI from the client description.
    if (securityPolicy != SecurityPolicy.None) {
        X509Certificate clientCertificate = securityConfiguration.getClientCertificate();
        List<X509Certificate> clientCertificateChain = securityConfiguration.getClientCertificateChain();
        if (clientCertificate == null || clientCertificateChain == null) {
            throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "client certificate must be non-null");
        }
        ServerCertificateValidator certificateValidator = server.getConfig().getCertificateValidator();
        certificateValidator.validateCertificateChain(clientCertificateChain, clientDescription.getApplicationUri());
    }
    // SignatureData must be created using only the bytes of the client
    // leaf certificate, not the bytes of the client certificate chain.
    SignatureData serverSignature = getServerSignature(securityPolicy, securityConfiguration.getKeyPair(), clientNonce, securityConfiguration.getClientCertificateBytes());
    // The session id is an identifier built from a random UUID; lookups in this method use the
    // authentication token, not the session id.
    NodeId sessionId = new NodeId(1, "Session:" + UUID.randomUUID());
    String sessionName = request.getSessionName();
    Duration sessionTimeout = Duration.ofMillis(DoubleMath.roundToLong(revisedSessionTimeout, RoundingMode.UP));
    Session session = new Session(server, sessionId, sessionName, sessionTimeout, clientDescription, request.getServerUri(), request.getMaxResponseMessageSize(), endpoint, secureChannelId, securityConfiguration);
    session.setLastNonce(serverNonce);
    // When the lifecycle listener fires, the token is removed from both session maps and the
    // registered session listeners are notified.
    session.addLifecycleListener((s, remove) -> {
        createdSessions.remove(authenticationToken);
        activeSessions.remove(authenticationToken);
        sessionListeners.forEach(l -> l.onSessionClosed(s));
    });
    // All checks passed: the session is only registered and announced at this point.
    createdSessions.put(authenticationToken, session);
    sessionListeners.forEach(l -> l.onSessionCreated(session));
    return new CreateSessionResponse(serviceRequest.createResponseHeader(), sessionId, authenticationToken, revisedSessionTimeout, serverNonce, endpoint.getServerCertificate(), serverEndpoints, new SignedSoftwareCertificate[0], serverSignature, uint(maxRequestMessageSize));
}
Also used : X509Certificate(java.security.cert.X509Certificate) KeyPair(java.security.KeyPair) SignedSoftwareCertificate(org.eclipse.milo.opcua.stack.core.types.structured.SignedSoftwareCertificate) MonitoredItemServiceSet(org.eclipse.milo.opcua.stack.server.services.MonitoredItemServiceSet) DigestUtil.sha1(org.eclipse.milo.opcua.stack.core.util.DigestUtil.sha1) Arrays(java.util.Arrays) ApplicationType(org.eclipse.milo.opcua.stack.core.types.enumerated.ApplicationType) ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString) LoggerFactory(org.slf4j.LoggerFactory) ExtensionObject(org.eclipse.milo.opcua.stack.core.types.builtin.ExtensionObject) ByteBuffer(java.nio.ByteBuffer) UserIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken) AttributeServiceSet(org.eclipse.milo.opcua.stack.server.services.AttributeServiceSet) SecurityAlgorithm(org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm) Unsigned.uint(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint) Duration(java.time.Duration) Map(java.util.Map) NodeManagementServiceSet(org.eclipse.milo.opcua.stack.server.services.NodeManagementServiceSet) Objects(com.google.common.base.Objects) ServiceAttributes(org.eclipse.milo.opcua.sdk.server.services.ServiceAttributes) CertificateUtil(org.eclipse.milo.opcua.stack.core.util.CertificateUtil) RoundingMode(java.math.RoundingMode) CreateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.CreateSessionRequest) ActivateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionRequest) ServerDiagnosticsSummary(org.eclipse.milo.opcua.sdk.server.diagnostics.ServerDiagnosticsSummary) NodeId(org.eclipse.milo.opcua.stack.core.types.builtin.NodeId) UUID(java.util.UUID) Bytes(com.google.common.primitives.Bytes) DiagnosticInfo(org.eclipse.milo.opcua.stack.core.types.builtin.DiagnosticInfo) 
ActivateSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionResponse) Nullable(org.jetbrains.annotations.Nullable) List(java.util.List) StatusCode(org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode) CloseSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.CloseSessionResponse) Optional(java.util.Optional) NotNull(org.jetbrains.annotations.NotNull) EndpointUtil(org.eclipse.milo.opcua.stack.core.util.EndpointUtil) SubscriptionServiceSet(org.eclipse.milo.opcua.stack.server.services.SubscriptionServiceSet) CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList) CloseSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.CloseSessionRequest) ViewServiceSet(org.eclipse.milo.opcua.stack.server.services.ViewServiceSet) UserTokenPolicy(org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy) UaRuntimeException(org.eclipse.milo.opcua.stack.core.UaRuntimeException) Strings.nullToEmpty(com.google.common.base.Strings.nullToEmpty) IdentityValidator(org.eclipse.milo.opcua.sdk.server.identity.IdentityValidator) CreateSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.CreateSessionResponse) ArrayList(java.util.ArrayList) Lists(com.google.common.collect.Lists) ServiceRequest(org.eclipse.milo.opcua.stack.server.services.ServiceRequest) EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription) ServerCertificateValidator(org.eclipse.milo.opcua.stack.server.security.ServerCertificateValidator) MethodServiceSet(org.eclipse.milo.opcua.stack.server.services.MethodServiceSet) ConversionUtil.l(org.eclipse.milo.opcua.stack.core.util.ConversionUtil.l) MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode) SignatureData(org.eclipse.milo.opcua.stack.core.types.structured.SignatureData) AttributeHistoryServiceSet(org.eclipse.milo.opcua.stack.server.services.AttributeHistoryServiceSet) 
SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) QueryServiceSet(org.eclipse.milo.opcua.stack.server.services.QueryServiceSet) DoubleMath(com.google.common.math.DoubleMath) StatusCodes(org.eclipse.milo.opcua.stack.core.StatusCodes) SignatureUtil(org.eclipse.milo.opcua.stack.core.util.SignatureUtil) Lists.newCopyOnWriteArrayList(com.google.common.collect.Lists.newCopyOnWriteArrayList) Logger(org.slf4j.Logger) UInteger(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.UInteger) AnonymousIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.AnonymousIdentityToken) UserTokenType(org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType) SessionServiceSet(org.eclipse.milo.opcua.stack.server.services.SessionServiceSet) Maps(com.google.common.collect.Maps) NonceUtil(org.eclipse.milo.opcua.stack.core.util.NonceUtil) ApplicationDescription(org.eclipse.milo.opcua.stack.core.types.structured.ApplicationDescription) UaException(org.eclipse.milo.opcua.stack.core.UaException) UaException(org.eclipse.milo.opcua.stack.core.UaException) ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString) Duration(java.time.Duration) EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription) ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString) ApplicationDescription(org.eclipse.milo.opcua.stack.core.types.structured.ApplicationDescription) X509Certificate(java.security.cert.X509Certificate) SignatureData(org.eclipse.milo.opcua.stack.core.types.structured.SignatureData) ServerCertificateValidator(org.eclipse.milo.opcua.stack.server.security.ServerCertificateValidator) CreateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.CreateSessionRequest) CreateSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.CreateSessionResponse) SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) 
NodeId(org.eclipse.milo.opcua.stack.core.types.builtin.NodeId)

Example 7 with SecurityPolicy

use of org.eclipse.milo.opcua.stack.core.security.SecurityPolicy in project vantiq-extension-sources by Vantiq.

the class OpcUaESClient method createClient.

/**
 * Builds an {@code OpcUaClient} from the source configuration: checks the storage directory,
 * resolves the security policy and message security mode, loads the key store, runs endpoint
 * discovery, keeps only endpoints matching the configured policy and mode, picks one of them and
 * optionally replaces its URL with the configured server endpoint.
 *
 * @param config the source configuration map; the keys read here are the discovery endpoint, the
 *     server endpoint and a test-only flag, plus whatever the helper methods read.
 * @return a client created from the selected endpoint, key material and identity provider.
 * @throws OpcExtConfigException when the storage directory is missing or cannot be prepared, when
 *     neither endpoint is configured, or when discovery fails on the second attempt.
 * @throws Exception when no discovered endpoint matches the configured policy and mode, or when a
 *     called helper fails.
 */
@SuppressWarnings({ "PMD.CognitiveComplexity", "PMD.MethodLengthCheck" })
private OpcUaClient createClient(Map<String, Object> config) throws Exception {
    if (storageDirectory == null) {
        throw new OpcExtConfigException(ERROR_PREFIX + ".missingStorageDirectory: No storage directory specified.");
    }
    SecurityPolicy securityPolicy = determineSecurityPolicy(config);
    MessageSecurityMode msgSecMode = determineMessageSecurityMode(config);
    // The key store is loaded from a sub-directory of the storage directory, created on demand.
    // NOTE(review): the directory is created with default permissions here; confirm that access
    // to it is restricted elsewhere, since KeyStoreManager supplies the client key pair below.
    File securityDir = new File(storageDirectory, SECURITY_DIRECTORY);
    if (!securityDir.exists() && !securityDir.mkdirs()) {
        throw new OpcExtConfigException(ERROR_PREFIX + ".invalidStorageDirectory: unable to create security dir: " + securityDir);
    }
    log.info("security temp dir: {}", securityDir.getAbsolutePath());
    keyStoreManager = new KeyStoreManager().load(securityDir);
    IdentityProvider idProvider = constructIdentityProvider(config);
    List<EndpointDescription> endpoints;
    discoveryEndpoint = (String) config.get(OpcConstants.CONFIG_DISCOVERY_ENDPOINT);
    serverEndpoint = (String) config.get(OpcConstants.CONFIG_SERVER_ENDPOINT);
    if (discoveryEndpoint == null && serverEndpoint == null) {
        String errorMsg = ERROR_PREFIX + ".noDiscoveryEndpoint: No discovery or server endpoint was provided in the configuration.";
        log.error(errorMsg);
        throw new OpcExtConfigException(errorMsg);
    }
    OpcUaClientConfig opcConfig;
    // NOTE(review): when only serverEndpoint is configured, discoveryEndpoint is null here, so
    // discovery is called with null and the fallback URL below becomes "null/discovery"; confirm
    // the intended behavior for that configuration.
    // NOTE(review): the outer catch takes Throwable (Errors included) and discards it; only an
    // ExecutionException from the second attempt is reported, other failures of the second
    // attempt propagate unchanged.
    try {
        endpoints = DiscoveryClient.getEndpoints(discoveryEndpoint).get();
    } catch (Throwable ex) {
        try {
            // try the explicit discovery endpoint as well
            String discoveryUrl = discoveryEndpoint + "/discovery";
            log.info("Trying explicit discovery URL: {}", discoveryUrl);
            endpoints = DiscoveryClient.getEndpoints(discoveryUrl).get();
        } catch (ExecutionException e) {
            String errMsg = ERROR_PREFIX + ".discoveryError: Could not discover OPC Endpoints:" + e.getClass().getName() + "::" + e.getMessage();
            log.error(ERROR_PREFIX + ".discoveryError: Could not discover OPC Endpoints: {} :: {}", e.getClass().getName(), e.getMessage());
            throw new OpcExtConfigException(errMsg, e);
        }
    }
    if (log.isDebugEnabled()) {
        logDiscoveredEndpoints(endpoints);
    }
    // Only endpoints whose policy URI and security mode both equal the configured values are
    // kept. There is no fallback to another policy or mode: if discovery offers nothing that
    // matches, the method fails further down instead of connecting with different security.
    List<EndpointDescription> validEndpoints = endpoints.stream().filter(e -> (e.getSecurityPolicyUri().equals(securityPolicy.getUri()) && e.getSecurityMode().equals(msgSecMode))).collect(Collectors.toList());
    if (log.isDebugEnabled()) {
        logAcceptableEndpoints(validEndpoints, securityPolicy, msgSecMode);
        // The following code is here for testing only.  It allows us to fake a poorly configured
        // server that reports invalid or unreachable endpoints as part of discovery.  This is, for
        // reasons I'm sure i don't agree with, part of the protocol, so we must tolerate it.  The
        // purportedly proper response is to substitute the address used for discovery for any
        // unreachable addresses.  This, of course, makes little sense since the whole point of discovery
        // is to allow these to be spread across different nodes.  But I didn't write the spec.
        // Because this sits inside the isDebugEnabled() block, the test flag only takes effect
        // when debug logging is on.
        Boolean fakeBadAddress = (Boolean) config.get(OpcConstants.CONFIG_TEST_DISCOVERY_UNREACHABLE);
        if (fakeBadAddress != null && fakeBadAddress) {
            List<EndpointDescription> newValidEndpoints = new ArrayList<>();
            for (EndpointDescription e : validEndpoints) {
                URI url = new URI(e.getEndpointUrl());
                URI borkedUri = new URI(url.getScheme(), null, "utterlyWorthlessHostThatShouldNeverResolve", url.getPort(), url.getPath(), null, null);
                EndpointDescription borkedEd = new EndpointDescription(borkedUri.toString(), e.getServer(), e.getServerCertificate(), e.getSecurityMode(), e.getSecurityPolicyUri(), e.getUserIdentityTokens(), e.getTransportProfileUri(), e.getSecurityLevel());
                newValidEndpoints.add(borkedEd);
            }
            validEndpoints = newValidEndpoints;
        }
    }
    // First, we'll look for an endpoint that doesn't contain localhost.  This is, generally,
    // a not too useful configuration since localhost is always a relative address.
    // The predicate accepts an endpoint when its host resolves to a non-loopback address, or to
    // a loopback address that answers isReachable within 3000 ms. The host name being resolved
    // comes from the discovery response.
    EndpointDescription endpoint = validEndpoints.stream().filter(e -> {
        try {
            // Note:  Must use URI here.  If you use URL, it will fail with
            // a MalformedURLException because the generic system doesn't
            // understand opc.tcp: as a scheme/protocol.
            URI url = new URI(e.getEndpointUrl());
            InetAddress ina = InetAddress.getByName(url.getHost());
            if (!ina.isLoopbackAddress() || ina.isReachable(3000)) {
                return true;
            }
        } catch (UnknownHostException | URISyntaxException ex) {
            log.warn("Recoverable error during discovered server URL validation:" + ex.getClass().getName() + "::" + ex.getMessage() + "-->" + e.getEndpointUrl());
        } catch (Exception ex) {
            // This means that we have some non-optimal addresses returned by discovery.
            // In these cases, we'll leave it up to the SDK & network stack to figure out how to get there.
            log.debug("Recoverable error during discovered server URL validation. Left to network stack to resolve:" + ex.getClass().getName() + "::" + ex.getMessage() + "-->" + e.getEndpointUrl());
        }
        return false;
    }).findFirst().orElse(null);
    if (endpoint == null) {
        // Discovery server returned either no reasonable endpoints or none that weren't a loopback.
        log.warn("No servers at reachable, non-loopback addresses found via discovery. " + "Fixing up addresses to match discovery server.");
        endpoint = validEndpoints.stream().findFirst().orElse(null);
        if (endpoint != null) {
            endpoint = fixLookbackAddress(endpoint);
        }
    }
    if (endpoint == null) {
        throw new Exception("No acceptable endpoints returned for security policy: " + securityPolicy.getUri() + " and security mode " + msgSecMode);
    }
    if (serverEndpoint != null) {
        // Then we'll override the endpoint provided but otherwise use the endpoint descriptor returned.
        // The SDK seems to have an issue when no EndpointDescriptor is provided.
        // Only the URL is replaced: the server certificate, security mode, policy URI and user
        // token policies still come from the discovered descriptor.
        EndpointDescription newEndpoint = new EndpointDescription(serverEndpoint, endpoint.getServer(), endpoint.getServerCertificate(), endpoint.getSecurityMode(), endpoint.getSecurityPolicyUri(), endpoint.getUserIdentityTokens(), endpoint.getTransportProfileUri(), endpoint.getSecurityLevel());
        log.debug("Replacing endpoint address with provided serverEndpoint: {} --> {}", endpoint.getEndpointUrl(), newEndpoint.getEndpointUrl());
        endpoint = newEndpoint;
    }
    log.info("Using discovered endpoint: {} [{}, {}]", endpoint.getEndpointUrl(), securityPolicy, msgSecMode.toString());
    // NOTE(review): this builder chain sets the client certificate and key pair but no
    // certificate validator or trust list; confirm which validator the SDK uses by default and
    // whether the server certificate taken from discovery is checked against trusted material.
    // NOTE(review): the request timeout is uint(5000), presumably milliseconds; confirm.
    opcConfig = OpcUaClientConfig.builder().setApplicationName(LocalizedText.english("VANTIQ OPC-UA Source")).setApplicationUri("urn:io:vantiq:extsrc:opcua:client").setCertificate(keyStoreManager.getClientCertificate()).setKeyPair(keyStoreManager.getClientKeyPair()).setEndpoint(endpoint).setIdentityProvider(idProvider).setRequestTimeout(uint(5000)).build();
    return OpcUaClient.create(opcConfig);
}
Also used : MonitoringParameters(org.eclipse.milo.opcua.stack.core.types.structured.MonitoringParameters) X509Certificate(java.security.cert.X509Certificate) URISyntaxException(java.net.URISyntaxException) ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString) MonitoredItemCreateRequest(org.eclipse.milo.opcua.stack.core.types.structured.MonitoredItemCreateRequest) InetAddress(java.net.InetAddress) QualifiedName(org.eclipse.milo.opcua.stack.core.types.builtin.QualifiedName) Unsigned.uint(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint) UaSubscription(org.eclipse.milo.opcua.sdk.client.api.subscriptions.UaSubscription) AttributeId(org.eclipse.milo.opcua.stack.core.AttributeId) Map(java.util.Map) URI(java.net.URI) AnonymousProvider(org.eclipse.milo.opcua.sdk.client.api.identity.AnonymousProvider) MessageFormatter(org.slf4j.helpers.MessageFormatter) X509IdentityProvider(org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider) TimestampsToReturn(org.eclipse.milo.opcua.stack.core.types.enumerated.TimestampsToReturn) NodeId(org.eclipse.milo.opcua.stack.core.types.builtin.NodeId) UUID(java.util.UUID) Collectors(java.util.stream.Collectors) ReadValueId(org.eclipse.milo.opcua.stack.core.types.structured.ReadValueId) IdentityProvider(org.eclipse.milo.opcua.sdk.client.api.identity.IdentityProvider) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) Variant(org.eclipse.milo.opcua.stack.core.types.builtin.Variant) StatusCode(org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode) PrivateKey(java.security.PrivateKey) Optional(java.util.Optional) UaVariableNode(org.eclipse.milo.opcua.sdk.client.nodes.UaVariableNode) MonitoringMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MonitoringMode) DataValue(org.eclipse.milo.opcua.stack.core.types.builtin.DataValue) OpcUaClient(org.eclipse.milo.opcua.sdk.client.OpcUaClient) CompletableFuture(java.util.concurrent.CompletableFuture) ArrayList(java.util.ArrayList) 
ImmutableList(com.google.common.collect.ImmutableList) EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription) UShort(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.UShort) MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode) BiConsumer(java.util.function.BiConsumer) SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) UaMonitoredItem(org.eclipse.milo.opcua.sdk.client.api.subscriptions.UaMonitoredItem) OpcUaClientConfig(org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig) UInteger(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.UInteger) LocalizedText(org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText) UnknownHostException(java.net.UnknownHostException) File(java.io.File) ExecutionException(java.util.concurrent.ExecutionException) AtomicLong(java.util.concurrent.atomic.AtomicLong) UaException(org.eclipse.milo.opcua.stack.core.UaException) DiscoveryClient(org.eclipse.milo.opcua.stack.client.DiscoveryClient) UsernameProvider(org.eclipse.milo.opcua.sdk.client.api.identity.UsernameProvider) MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode) UnknownHostException(java.net.UnknownHostException) ArrayList(java.util.ArrayList) X509IdentityProvider(org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider) IdentityProvider(org.eclipse.milo.opcua.sdk.client.api.identity.IdentityProvider) OpcUaClientConfig(org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig) EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription) ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString) URISyntaxException(java.net.URISyntaxException) URI(java.net.URI) URISyntaxException(java.net.URISyntaxException) UnknownHostException(java.net.UnknownHostException) ExecutionException(java.util.concurrent.ExecutionException) 
UaException(org.eclipse.milo.opcua.stack.core.UaException) SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) ExecutionException(java.util.concurrent.ExecutionException) File(java.io.File) InetAddress(java.net.InetAddress)

Example 8 with SecurityPolicy

use of org.eclipse.milo.opcua.stack.core.security.SecurityPolicy in project vantiq-extension-sources by Vantiq.

the class OpcUaESClient method determineMessageSecurityMode.

/**
 * Resolves the OPC UA message security mode from the source configuration.
 *
 * <p>The configured value is looked up by {@code MessageSecurityMode.valueOf}, so it must be the
 * exact name of an enum constant. When the value is missing or empty, the mode is derived from
 * the security policy: {@code None} for the {@code None} policy, {@code SignAndEncrypt} for any
 * other policy. A warning is logged in that case, so an unsecured default does not go unnoticed.
 *
 * @param config the source configuration map.
 * @return the configured or defaulted message security mode.
 * @throws OpcExtConfigException when the value does not name a message security mode, or when
 *     resolving the security policy for the default fails.
 */
private MessageSecurityMode determineMessageSecurityMode(Map<String, Object> config) throws OpcExtConfigException {
    String modeName = (String) config.get(OpcConstants.CONFIG_MESSAGE_SECURITY_MODE);
    boolean unspecified = modeName == null || modeName.isEmpty();
    if (unspecified) {
        // Nothing configured: pick the default that matches the security policy and say so.
        SecurityPolicy policy = determineSecurityPolicy(config);
        MessageSecurityMode fallback = policy.equals(SecurityPolicy.None)
                ? MessageSecurityMode.None
                : MessageSecurityMode.SignAndEncrypt;
        modeName = fallback.toString();
        log.warn(ERROR_PREFIX + ".defaultMessageSecurityMode: No OPC UA message security mode was specified in the configuration. " + "Using default value of '{}' based on the securityPolicy value of '{}'", modeName, policy.getUri());
    }
    try {
        return MessageSecurityMode.valueOf(modeName);
    } catch (IllegalArgumentException e) {
        // An unknown name is a configuration error; report it and keep the cause.
        String errMsg = ERROR_PREFIX + ".invalidMessageSecurityMode: " + modeName + " is not a valid message security mode.";
        log.error(errMsg);
        throw new OpcExtConfigException(errMsg, e);
    }
}
Also used : MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode) SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)

Example 9 with SecurityPolicy

use of org.eclipse.milo.opcua.stack.core.security.SecurityPolicy in project vantiq-extension-sources by Vantiq.

the class Connection method testConnectionSecureUpw.

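/**
 * Connects to the example server with every secured policy/mode pair it advertises on its
 * {@code opc.tcp} endpoints, using the default identity, an explicit anonymous identity and
 * username/password identities, both synchronously and asynchronously.
 *
 * @throws Exception when endpoint inspection or any connection attempt fails.
 */
@Test
public void testConnectionSecureUpw() throws Exception {
    List<EndpointDescription> eps = exampleServer.getServer().getEndpointDescriptions();
    EnumSet<MessageSecurityMode> serverMsgModes = EnumSet.noneOf(MessageSecurityMode.class);
    EnumSet<SecurityPolicy> serverSecPols = EnumSet.noneOf(SecurityPolicy.class);
    for (EndpointDescription ep : eps) {
        // The scheme is "opc.tcp". A misspelled prefix matches no endpoint, leaves both sets
        // empty and lets the test pass without attempting a single secured connection.
        if (ep.getEndpointUrl().startsWith("opc.tcp")) {
            // At present, these are all we test
            serverSecPols.add(SecurityPolicy.fromUri(ep.getSecurityPolicyUri()));
            serverMsgModes.add(ep.getSecurityMode());
        }
    }
    // Fail loudly instead of passing vacuously when nothing was collected.
    if (serverSecPols.isEmpty() || serverMsgModes.isEmpty()) {
        throw new AssertionError("No opc.tcp endpoints found on the example server; no secured connection would be tested");
    }
    log.debug("For example server found secPols: {}, msgSec: {}", serverSecPols, serverMsgModes);
    // Below, we'll traverse the valid combinations.  None's must be paired and are tested elsewhere
    // NOTE(review): this walks the cross product of policies and modes, which assumes the
    // example server exposes every such pair; confirm against its endpoint configuration.
    for (SecurityPolicy secPol : serverSecPols) {
        if (secPol.equals(SecurityPolicy.None)) {
            continue;
        }
        for (MessageSecurityMode msgSec : serverMsgModes) {
            if (msgSec.equals(MessageSecurityMode.None)) {
                continue;
            }
            log.info("Attempting sync connection using [{}, {}]", secPol, msgSec);
            makeConnection(false, secPol.getUri(), msgSec.toString(), true);
            // Also check that the defaulting works correctly
            log.info("Attempting sync connection using [{}, {}]", secPol, "(missing)");
            makeConnection(false, secPol.getUri(), null, true);
            log.info("Attempting async connection using [{}, {}]", secPol, msgSec);
            makeConnection(true, secPol.getUri(), msgSec.toString(), true);
            log.info("Attempting async connection using [{}, {}] with explicit anonymous user", secPol, msgSec);
            makeConnection(true, secPol.getUri(), msgSec.toString(), OpcConstants.CONFIG_IDENTITY_ANONYMOUS, null, true);
            // Valid user/pw combos from ExampleServer:
            // "user, password1" & "admin, password2"
            // The entries differ in the whitespace after the comma. They are the example
            // server's fixture accounts and are written to the test log below.
            String[] upwCombos = { "user, password1", "admin,password2", "user,                 password1" };
            for (String uPw : upwCombos) {
                log.info("Attempting sync connection using [{}, {}] using username/password: '{}'", secPol, msgSec, uPw);
                makeConnection(false, secPol.getUri(), msgSec.toString(), OpcConstants.CONFIG_IDENTITY_USERNAME_PASSWORD, uPw, true);
            }
            for (String uPw : upwCombos) {
                log.info("Attempting async connection using [{}, {}] using username/password: '{}'", secPol, msgSec, uPw);
                makeConnection(true, secPol.getUri(), msgSec.toString(), OpcConstants.CONFIG_IDENTITY_USERNAME_PASSWORD, uPw, true);
            }
        }
    }
}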
Also used : MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode) SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription) Test(org.junit.Test)

Example 10 with SecurityPolicy

use of org.eclipse.milo.opcua.stack.core.security.SecurityPolicy in project vantiq-extension-sources by Vantiq.

the class Connection method testConnectionSecureCert.

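/**
 * Connects to the example server with every secured policy/mode pair it advertises on its
 * {@code opc.tcp} endpoints, authenticating with each entry of {@code trustedTestCerts}, both
 * synchronously and asynchronously.
 *
 * @throws Exception when endpoint inspection or any connection attempt fails.
 */
@Test
public void testConnectionSecureCert() throws Exception {
    List<EndpointDescription> eps = exampleServer.getServer().getEndpointDescriptions();
    EnumSet<MessageSecurityMode> serverMsgModes = EnumSet.noneOf(MessageSecurityMode.class);
    EnumSet<SecurityPolicy> serverSecPols = EnumSet.noneOf(SecurityPolicy.class);
    for (EndpointDescription ep : eps) {
        // The scheme is "opc.tcp". A misspelled prefix matches no endpoint, leaves both sets
        // empty and lets the test pass without attempting a single certificate login.
        if (ep.getEndpointUrl().startsWith("opc.tcp")) {
            // At present, these are all we test
            serverSecPols.add(SecurityPolicy.fromUri(ep.getSecurityPolicyUri()));
            serverMsgModes.add(ep.getSecurityMode());
        }
    }
    // Fail loudly instead of passing vacuously when nothing was collected.
    if (serverSecPols.isEmpty() || serverMsgModes.isEmpty()) {
        throw new AssertionError("No opc.tcp endpoints found on the example server; no certificate connection would be tested");
    }
    // Below, we'll traverse the valid combinations.  None's must be paired and are tested elsewhere
    // NOTE(review): this walks the cross product of policies and modes, which assumes the
    // example server exposes every such pair; confirm against its endpoint configuration.
    for (SecurityPolicy secPol : serverSecPols) {
        if (secPol.equals(SecurityPolicy.None)) {
            continue;
        }
        for (MessageSecurityMode msgSec : serverMsgModes) {
            if (msgSec.equals(MessageSecurityMode.None)) {
                continue;
            }
            // Defaults tested in *Upw test...
            for (String certKey : trustedTestCerts) {
                log.info("Attempting sync connection using [{}, {}] using certificate: '{}'", secPol, msgSec, certKey);
                makeConnection(false, secPol.getUri(), msgSec.toString(), OpcConstants.CONFIG_IDENTITY_CERTIFICATE, certKey, true);
                log.info("Attempting async connection using [{}, {}] using certificate: '{}'", secPol, msgSec, certKey);
                makeConnection(true, secPol.getUri(), msgSec.toString(), OpcConstants.CONFIG_IDENTITY_CERTIFICATE, certKey, true);
            }
        }
    }
}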
Also used : MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode) SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy) EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription) Test(org.junit.Test)

Aggregations

SecurityPolicy (org.eclipse.milo.opcua.stack.core.security.SecurityPolicy)21 UaException (org.eclipse.milo.opcua.stack.core.UaException)14 ByteString (org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)14 EndpointDescription (org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription)13 X509Certificate (java.security.cert.X509Certificate)12 MessageSecurityMode (org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode)11 KeyPair (java.security.KeyPair)7 List (java.util.List)5 SecurityAlgorithm (org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm)5 StatusCode (org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode)5 Unsigned.uint (org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint)5 ByteBuf (io.netty.buffer.ByteBuf)4 StatusCodes (org.eclipse.milo.opcua.stack.core.StatusCodes)4 ServerSecureChannel (org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel)4 UInteger (org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.UInteger)4 Test (org.junit.Test)4 CompositeByteBuf (io.netty.buffer.CompositeByteBuf)3 ByteBuffer (java.nio.ByteBuffer)3 PrivateKey (java.security.PrivateKey)3 ArrayList (java.util.ArrayList)3