Example 1 with OpenSecureChannelRequest
use of org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest in project milo by eclipse.
the class UascServerAsymmetricHandler method onOpenSecureChannel.
private void onOpenSecureChannel(ChannelHandlerContext ctx, ByteBuf buffer) throws UaException {
// Skip messageType
buffer.skipBytes(3);
char chunkType = (char) buffer.readByte();
if (chunkType == 'A') {
chunkBuffers.forEach(ByteBuf::release);
chunkBuffers.clear();
headerRef.set(null);
} else {
// Skip messageSize
buffer.skipBytes(4);
final long secureChannelId = buffer.readUnsignedIntLE();
final AsymmetricSecurityHeader header = AsymmetricSecurityHeader.decode(buffer, stackServer.getConfig().getEncodingLimits());
if (!headerRef.compareAndSet(null, header)) {
if (!header.equals(headerRef.get())) {
throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "subsequent AsymmetricSecurityHeader did not match");
}
}
if (secureChannelId != 0) {
if (secureChannel == null) {
throw new UaException(StatusCodes.Bad_TcpSecureChannelUnknown, "unknown secure channel id: " + secureChannelId);
}
if (secureChannelId != secureChannel.getChannelId()) {
throw new UaException(StatusCodes.Bad_TcpSecureChannelUnknown, "unknown secure channel id: " + secureChannelId);
}
}
if (secureChannel == null) {
secureChannel = new ServerSecureChannel();
secureChannel.setChannelId(stackServer.getNextChannelId());
String securityPolicyUri = header.getSecurityPolicyUri();
SecurityPolicy securityPolicy = SecurityPolicy.fromUri(securityPolicyUri);
secureChannel.setSecurityPolicy(securityPolicy);
if (securityPolicy != SecurityPolicy.None) {
secureChannel.setRemoteCertificate(header.getSenderCertificate().bytesOrEmpty());
CertificateValidator certificateValidator = stackServer.getConfig().getCertificateValidator();
certificateValidator.validateCertificateChain(secureChannel.getRemoteCertificateChain());
CertificateManager certificateManager = stackServer.getConfig().getCertificateManager();
Optional<X509Certificate[]> localCertificateChain = certificateManager.getCertificateChain(header.getReceiverThumbprint());
Optional<KeyPair> keyPair = certificateManager.getKeyPair(header.getReceiverThumbprint());
if (localCertificateChain.isPresent() && keyPair.isPresent()) {
X509Certificate[] chain = localCertificateChain.get();
secureChannel.setLocalCertificate(chain[0]);
secureChannel.setLocalCertificateChain(chain);
secureChannel.setKeyPair(keyPair.get());
} else {
throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "no certificate for provided thumbprint");
}
}
}
int chunkSize = buffer.readerIndex(0).readableBytes();
if (chunkSize > maxChunkSize) {
throw new UaException(StatusCodes.Bad_TcpMessageTooLarge, String.format("max chunk size exceeded (%s)", maxChunkSize));
}
chunkBuffers.add(buffer.retain());
if (maxChunkCount > 0 && chunkBuffers.size() > maxChunkCount) {
throw new UaException(StatusCodes.Bad_TcpMessageTooLarge, String.format("max chunk count exceeded (%s)", maxChunkCount));
}
if (chunkType == 'F') {
final List<ByteBuf> buffersToDecode = chunkBuffers;
chunkBuffers = new ArrayList<>();
headerRef.set(null);
serializationQueue.decode((binaryDecoder, chunkDecoder) -> {
ByteBuf message;
long requestId;
try {
ChunkDecoder.DecodedMessage decodedMessage = chunkDecoder.decodeAsymmetric(secureChannel, buffersToDecode);
message = decodedMessage.getMessage();
requestId = decodedMessage.getRequestId();
} catch (MessageAbortException e) {
logger.warn("Received message abort chunk; error={}, reason={}", e.getStatusCode(), e.getMessage());
return;
} catch (MessageDecodeException e) {
logger.error("Error decoding asymmetric message", e);
ctx.close();
return;
}
try {
OpenSecureChannelRequest request = (OpenSecureChannelRequest) binaryDecoder.setBuffer(message).readMessage(null);
logger.debug("Received OpenSecureChannelRequest ({}, id={}).", request.getRequestType(), secureChannelId);
sendOpenSecureChannelResponse(ctx, requestId, request);
} catch (Throwable t) {
logger.error("Error decoding OpenSecureChannelRequest", t);
ctx.close();
} finally {
message.release();
buffersToDecode.clear();
}
});
}
}
}
Also used :
ServerSecureChannel(org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel)
KeyPair(java.security.KeyPair)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
CertificateValidator(org.eclipse.milo.opcua.stack.core.security.CertificateValidator)
CertificateManager(org.eclipse.milo.opcua.stack.core.security.CertificateManager)
MessageAbortException(org.eclipse.milo.opcua.stack.core.channel.MessageAbortException)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
CompositeByteBuf(io.netty.buffer.CompositeByteBuf)
ByteBuf(io.netty.buffer.ByteBuf)
X509Certificate(java.security.cert.X509Certificate)
Unsigned.uint(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint)
OpenSecureChannelRequest(org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest)
ChunkDecoder(org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder)
SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy)
MessageDecodeException(org.eclipse.milo.opcua.stack.core.channel.MessageDecodeException)
AsymmetricSecurityHeader(org.eclipse.milo.opcua.stack.core.channel.headers.AsymmetricSecurityHeader)
Example 2 with OpenSecureChannelRequest
use of org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest in project milo by eclipse.
the class UascServerAsymmetricHandler method openSecureChannel.
private OpenSecureChannelResponse openSecureChannel(ChannelHandlerContext ctx, OpenSecureChannelRequest request) throws UaException {
SecurityTokenRequestType requestType = request.getRequestType();
if (requestType == SecurityTokenRequestType.Issue) {
secureChannel.setMessageSecurityMode(request.getSecurityMode());
String endpointUrl = ctx.channel().attr(UascServerHelloHandler.ENDPOINT_URL_KEY).get();
EndpointDescription endpoint = stackServer.getEndpointDescriptions().stream().filter(e -> {
boolean transportMatch = Objects.equals(e.getTransportProfileUri(), transportProfile.getUri());
boolean pathMatch = Objects.equals(EndpointUtil.getPath(e.getEndpointUrl()), EndpointUtil.getPath(endpointUrl));
boolean securityPolicyMatch = Objects.equals(e.getSecurityPolicyUri(), secureChannel.getSecurityPolicy().getUri());
boolean securityModeMatch = Objects.equals(e.getSecurityMode(), request.getSecurityMode());
return transportMatch && pathMatch && securityPolicyMatch && securityModeMatch;
}).findFirst().orElseThrow(() -> {
String message = String.format("no matching endpoint found: transportProfile=%s, " + "endpointUrl=%s, securityPolicy=%s, securityMode=%s", transportProfile, endpointUrl, secureChannel.getSecurityPolicy(), request.getSecurityMode());
return new UaException(StatusCodes.Bad_SecurityChecksFailed, message);
});
ctx.channel().attr(ENDPOINT_KEY).set(endpoint);
}
if (requestType == SecurityTokenRequestType.Renew && secureChannel.getMessageSecurityMode() != request.getSecurityMode()) {
throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "secure channel renewal requested a different MessageSecurityMode.");
}
long channelLifetime = request.getRequestedLifetime().longValue();
channelLifetime = Math.min(channelLifetime, stackServer.getConfig().getMaximumSecureChannelLifetime().longValue());
channelLifetime = Math.max(channelLifetime, stackServer.getConfig().getMinimumSecureChannelLifetime().longValue());
ChannelSecurityToken newToken = new ChannelSecurityToken(uint(secureChannel.getChannelId()), uint(stackServer.getNextTokenId()), DateTime.now(), uint(channelLifetime));
SecurityKeys newKeys = null;
if (secureChannel.isSymmetricSigningEnabled()) {
// Validate the remote nonce; it must be non-null and the correct length for the security algorithm.
ByteString remoteNonce = request.getClientNonce();
NonceUtil.validateNonce(remoteNonce, secureChannel.getSecurityPolicy());
ByteString localNonce = generateNonce(secureChannel.getSecurityPolicy());
secureChannel.setLocalNonce(localNonce);
secureChannel.setRemoteNonce(remoteNonce);
newKeys = ChannelSecurity.generateKeyPair(secureChannel, secureChannel.getRemoteNonce(), secureChannel.getLocalNonce());
}
ChannelSecurity oldSecrets = secureChannel.getChannelSecurity();
SecurityKeys oldKeys = oldSecrets != null ? oldSecrets.getCurrentKeys() : null;
ChannelSecurityToken oldToken = oldSecrets != null ? oldSecrets.getCurrentToken() : null;
ChannelSecurity newSecrets = new ChannelSecurity(newKeys, newToken, oldKeys, oldToken);
secureChannel.setChannelSecurity(newSecrets);
/*
* Cancel the previous timeout, if it exists, and start a new one.
*/
if (secureChannelTimeout == null || secureChannelTimeout.cancel()) {
final long lifetime = channelLifetime;
secureChannelTimeout = Stack.sharedWheelTimer().newTimeout(timeout -> {
logger.debug("SecureChannel renewal timed out after {}ms. id={}, channel={}", lifetime, secureChannel.getChannelId(), ctx.channel());
ctx.close();
}, channelLifetime, TimeUnit.MILLISECONDS);
}
ResponseHeader responseHeader = new ResponseHeader(DateTime.now(), request.getRequestHeader().getRequestHandle(), StatusCode.GOOD, null, null, null);
return new OpenSecureChannelResponse(responseHeader, uint(PROTOCOL_VERSION), newToken, secureChannel.getLocalNonce());
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
AttributeKey(io.netty.util.AttributeKey)
ErrorMessage(org.eclipse.milo.opcua.stack.core.channel.messages.ErrorMessage)
KeyPair(java.security.KeyPair)
ChannelSecurityToken(org.eclipse.milo.opcua.stack.core.types.structured.ChannelSecurityToken)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
LoggerFactory(org.slf4j.LoggerFactory)
SecurityKeys(org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity.SecurityKeys)
DateTime(org.eclipse.milo.opcua.stack.core.types.builtin.DateTime)
MessageEncodeException(org.eclipse.milo.opcua.stack.core.channel.MessageEncodeException)
Unsigned.uint(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint)
CertificateManager(org.eclipse.milo.opcua.stack.core.security.CertificateManager)
TransportProfile(org.eclipse.milo.opcua.stack.core.transport.TransportProfile)
SerializationQueue(org.eclipse.milo.opcua.stack.core.channel.SerializationQueue)
Objects(java.util.Objects)
CompositeByteBuf(io.netty.buffer.CompositeByteBuf)
List(java.util.List)
StatusCode(org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode)
ReferenceCountUtil(io.netty.util.ReferenceCountUtil)
CertificateValidator(org.eclipse.milo.opcua.stack.core.security.CertificateValidator)
EncodedMessage(org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.EncodedMessage)
Optional(java.util.Optional)
MessageType(org.eclipse.milo.opcua.stack.core.channel.messages.MessageType)
BufferUtil(org.eclipse.milo.opcua.stack.core.util.BufferUtil)
EndpointUtil(org.eclipse.milo.opcua.stack.core.util.EndpointUtil)
ChunkDecoder(org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder)
ExceptionHandler(org.eclipse.milo.opcua.stack.core.channel.ExceptionHandler)
HeaderDecoder(org.eclipse.milo.opcua.stack.core.channel.headers.HeaderDecoder)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
ArrayList(java.util.ArrayList)
MessageDecodeException(org.eclipse.milo.opcua.stack.core.channel.MessageDecodeException)
ChannelHandlerContext(io.netty.channel.ChannelHandlerContext)
ByteBuf(io.netty.buffer.ByteBuf)
Stack(org.eclipse.milo.opcua.stack.core.Stack)
EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription)
ByteToMessageDecoder(io.netty.handler.codec.ByteToMessageDecoder)
SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy)
UaStackServer(org.eclipse.milo.opcua.stack.server.UaStackServer)
StatusCodes(org.eclipse.milo.opcua.stack.core.StatusCodes)
Timeout(io.netty.util.Timeout)
AsymmetricSecurityHeader(org.eclipse.milo.opcua.stack.core.channel.headers.AsymmetricSecurityHeader)
Logger(org.slf4j.Logger)
NonceUtil.generateNonce(org.eclipse.milo.opcua.stack.core.util.NonceUtil.generateNonce)
IOException(java.io.IOException)
UaSerializationException(org.eclipse.milo.opcua.stack.core.UaSerializationException)
OpenSecureChannelRequest(org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest)
MessageAbortException(org.eclipse.milo.opcua.stack.core.channel.MessageAbortException)
ServerSecureChannel(org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel)
OpenSecureChannelResponse(org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelResponse)
TimeUnit(java.util.concurrent.TimeUnit)
NonceUtil(org.eclipse.milo.opcua.stack.core.util.NonceUtil)
ChannelSecurity(org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
SecurityTokenRequestType(org.eclipse.milo.opcua.stack.core.types.enumerated.SecurityTokenRequestType)
ResponseHeader(org.eclipse.milo.opcua.stack.core.types.structured.ResponseHeader)
ResponseHeader(org.eclipse.milo.opcua.stack.core.types.structured.ResponseHeader)
OpenSecureChannelResponse(org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelResponse)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
SecurityKeys(org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity.SecurityKeys)
ChannelSecurity(org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity)
SecurityTokenRequestType(org.eclipse.milo.opcua.stack.core.types.enumerated.SecurityTokenRequestType)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription)
ChannelSecurityToken(org.eclipse.milo.opcua.stack.core.types.structured.ChannelSecurityToken)
Example 3 with OpenSecureChannelRequest
use of org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest in project milo by eclipse.
the class UascClientMessageHandler method sendOpenSecureChannelRequest.
private void sendOpenSecureChannelRequest(ChannelHandlerContext ctx, SecurityTokenRequestType requestType) {
ByteString clientNonce = secureChannel.isSymmetricSigningEnabled() ? NonceUtil.generateNonce(secureChannel.getSecurityPolicy()) : ByteString.NULL_VALUE;
secureChannel.setLocalNonce(clientNonce);
RequestHeader header = new RequestHeader(null, DateTime.now(), uint(0), uint(0), null, config.getRequestTimeout(), null);
OpenSecureChannelRequest request = new OpenSecureChannelRequest(header, uint(PROTOCOL_VERSION), requestType, secureChannel.getMessageSecurityMode(), secureChannel.getLocalNonce(), config.getChannelLifetime());
serializationQueue.encode((binaryEncoder, chunkEncoder) -> {
ByteBuf messageBuffer = BufferUtil.pooledBuffer();
try {
binaryEncoder.setBuffer(messageBuffer);
binaryEncoder.writeMessage(null, request);
checkMessageSize(messageBuffer);
EncodedMessage encodedMessage = chunkEncoder.encodeAsymmetric(secureChannel, requestIdSequence.getAndIncrement(), messageBuffer, MessageType.OpenSecureChannel);
CompositeByteBuf chunkComposite = BufferUtil.compositeBuffer();
for (ByteBuf chunk : encodedMessage.getMessageChunks()) {
chunkComposite.addComponent(chunk);
chunkComposite.writerIndex(chunkComposite.writerIndex() + chunk.readableBytes());
}
ctx.writeAndFlush(chunkComposite, ctx.voidPromise());
ChannelSecurity channelSecurity = secureChannel.getChannelSecurity();
long currentTokenId = -1L;
if (channelSecurity != null) {
currentTokenId = channelSecurity.getCurrentToken().getTokenId().longValue();
}
long previousTokenId = -1L;
if (channelSecurity != null) {
previousTokenId = channelSecurity.getPreviousToken().map(token -> token.getTokenId().longValue()).orElse(-1L);
}
logger.debug("Sent OpenSecureChannelRequest ({}, id={}, currentToken={}, previousToken={}).", request.getRequestType(), secureChannel.getChannelId(), currentTokenId, previousTokenId);
} catch (MessageEncodeException e) {
logger.error("Error encoding {}: {}", request, e.getMessage(), e);
ctx.close();
} finally {
messageBuffer.release();
}
});
}
Also used :
OpenSecureChannelRequest(org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest)
EncodedMessage(org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.EncodedMessage)
CompositeByteBuf(io.netty.buffer.CompositeByteBuf)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
ChannelSecurity(org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity)
RequestHeader(org.eclipse.milo.opcua.stack.core.types.structured.RequestHeader)
CompositeByteBuf(io.netty.buffer.CompositeByteBuf)
ByteBuf(io.netty.buffer.ByteBuf)
MessageEncodeException(org.eclipse.milo.opcua.stack.core.channel.MessageEncodeException)
Aggregations
ByteBuf (io.netty.buffer.ByteBuf)3
CompositeByteBuf (io.netty.buffer.CompositeByteBuf)3
ByteString (org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)3
OpenSecureChannelRequest (org.eclipse.milo.opcua.stack.core.types.structured.OpenSecureChannelRequest)3
KeyPair (java.security.KeyPair)2
X509Certificate (java.security.cert.X509Certificate)2
UaException (org.eclipse.milo.opcua.stack.core.UaException)2
ChannelSecurity (org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity)2
ChunkDecoder (org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder)2
EncodedMessage (org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.EncodedMessage)2
MessageAbortException (org.eclipse.milo.opcua.stack.core.channel.MessageAbortException)2
MessageDecodeException (org.eclipse.milo.opcua.stack.core.channel.MessageDecodeException)2
MessageEncodeException (org.eclipse.milo.opcua.stack.core.channel.MessageEncodeException)2
ServerSecureChannel (org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel)2
AsymmetricSecurityHeader (org.eclipse.milo.opcua.stack.core.channel.headers.AsymmetricSecurityHeader)2
CertificateManager (org.eclipse.milo.opcua.stack.core.security.CertificateManager)2
CertificateValidator (org.eclipse.milo.opcua.stack.core.security.CertificateValidator)2
SecurityPolicy (org.eclipse.milo.opcua.stack.core.security.SecurityPolicy)2
Unsigned.uint (org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint)2
ChannelHandlerContext (io.netty.channel.ChannelHandlerContext)1
