Open
53 commits
688e2b8
merged security changes
mrsuciu Nov 19, 2025
45b07a2
Tailor SecurityPolicyUri for format expected in s_securityPolicyUriTo…
mrsuciu Nov 20, 2025
cfbebe7
Enhance security policy handling and key computation logic
mrsuciu Nov 21, 2025
0477aba
Merge remote-tracking branch 'mr/eccSecurityChangesMerge'
randy-armstrong Nov 21, 2025
d0c6321
Merge SecurityEnhancements.
randy-armstrong Nov 26, 2025
a579c62
Add support for SessionTransferToken. Removed obsolete SoftwareCertif…
randy-armstrong Nov 27, 2025
e1dd311
Fix NonceLength for None.
randy-armstrong Nov 27, 2025
9ecf7c9
Add support for RSA_DH, more fixes from IOP testings.
randy-armstrong Dec 8, 2025
1ca156c
Finish implementation of SecureChannelEnhancements.
randy-armstrong Dec 11, 2025
a17b881
Merge branch 'master' of https://github.com/OPCFoundation/UA-.NETStan…
randy-armstrong Dec 11, 2025
5dfb991
Merge branch 'master' into secure-channel-enhancements-2025-11
randy-armstrong Dec 11, 2025
67f4b4b
Rename EccUtils.cs to CryptoUtils.cs
randy-armstrong Dec 11, 2025
8528e7a
Address feedback from reviewers.
randy-armstrong Dec 18, 2025
387ad76
Fix CoPilot flagged spelling errors.
randy-armstrong Dec 18, 2025
ee70b5d
Merge branch 'master' into secure-channel-enhancements-2025-11
randy-armstrong Dec 18, 2025
6153098
Rename EccUtils to CryptoUtils
randy-armstrong Dec 18, 2025
e46ff9a
Update version from 1.5.378-preview to 1.5.378
mrsuciu Dec 18, 2025
dc0b110
Fix unit tests.
randy-armstrong Dec 18, 2025
8a06ef9
Merge pull request #3422 from OPCFoundation/mrsuciu-patch-1
mrsuciu Dec 18, 2025
3f5bbe0
Merge remote-tracking branch 'origin/release/1.5.378' into secure-cha…
randy-armstrong Jan 14, 2026
1097329
Merge remote-tracking branch 'origin/master' into secure-channel-enha…
randy-armstrong Jan 14, 2026
e8befb7
Allow SignatureData.Algorithm to be NULL or Empty.
randy-armstrong Jan 16, 2026
9e8e144
Fix issue with BrainPool_p256r1_ChaChaPoly
randy-armstrong Jan 28, 2026
b7d0aff
Fix RSA_DH_AesGcm
randy-armstrong Jan 29, 2026
b4a5838
Merge master
mrsuciu Feb 3, 2026
f242325
Fix OSC/padding by deriving HMAC keys, tightening symmetric size math…
mrsuciu Feb 4, 2026
1d065c2
Policies without asymmetric encryption (ECC) return the plaintext whe…
mrsuciu Feb 5, 2026
0adcdf9
Reserve outer CBC padding for avoiding SymetricEncryptAndSign->AddPad…
mrsuciu Feb 6, 2026
30c78f6
Nonce stored as byte array in SessionConfiguration; Sesion snapshot r…
mrsuciu Feb 6, 2026
dc99f61
Added _AesGcm and _ChaChaPoly variants to BuildSupportedSecurityPolic…
mrsuciu Feb 10, 2026
0e83966
make ephemeralKeyPolicyUri nullable
mrsuciu Feb 10, 2026
9083982
GenerateSecret also for NET7 and NET8
mrsuciu Feb 12, 2026
6b60fbf
Adjust Basic128Rsa15 policy properties for backword compatibility
mrsuciu Feb 13, 2026
be88c47
Exclude unsuported AEAD policies from .NET Framework client tests
mrsuciu Feb 13, 2026
9819583
Merged latest master
mrsuciu Feb 13, 2026
8ca68a8
Addapt to new changes (still build fail)
mrsuciu Feb 14, 2026
ffa9af5
Addapt code to make it compile
mrsuciu Feb 14, 2026
24b041d
Fixed failing build on net48 (by ignoring potential null ref which is…
mrsuciu Feb 16, 2026
8d28128
Preserve the certificate reference in Clone() so copied handlers can …
mrsuciu Feb 16, 2026
aae135f
Remove extra code and addapt to existing master configuration settings
mrsuciu Feb 16, 2026
da52de8
Filter *_AesGcm and *_ChaChaPoly security policies based on actual ru…
mrsuciu Feb 16, 2026
6637a82
Expand ECC/RSA policy test coverage and keep Basic128Rsa15 nonce leng…
mrsuciu Feb 18, 2026
a7d5fb7
Fix ReconnectSessionOnAlternateChannel _AES and _ChaCha policies
mrsuciu Feb 18, 2026
e9e4c63
Fixed IgnoreIfPolicyNotAdvertised so it now fetches endpoints on-dema…
mrsuciu Feb 18, 2026
905d4ca
Merge with commit 5e627f2ca1cf from secure-channel-enhancements-2025-…
mrsuciu Feb 19, 2026
67a8f9d
minor log mesatge formating
mrsuciu Feb 19, 2026
ef7003a
Merge branch 'master' into secure-channel-enhancements-2025-11-merge5
mrsuciu Feb 19, 2026
b6230cf
Fix ClientLockoutTests
mrsuciu Feb 19, 2026
fd2b9fc
Add ServerFixture policies upfront only if framework and runtime capa…
mrsuciu Feb 20, 2026
b91217d
Merge branch 'master' into secure-channel-enhancements-2025-11-merge5
marcschier Feb 23, 2026
911c202
A few cosmetic/config changes as review sugested
mrsuciu Feb 25, 2026
05a069f
Moved the session/security handling from StandardServer into a dedica…
mrsuciu Feb 27, 2026
a2b008e
use X509IdentityTokenHandler from secure-channel-enhancements-2025-11
mrsuciu Mar 2, 2026
4 changes: 2 additions & 2 deletions Applications/ConsoleReferenceClient/ClientSamples.cs
@@ -857,7 +857,7 @@ await uaClient
result.Sort((x, y) => x.NodeId.CompareTo(y.NodeId));

m_logger.LogInformation(
"ManagedBrowseFullAddressSpace found {Count} references on server in {Duration}ms.",
"ManagedBrowseFullAddressSpace found {Count} references on server in {Duration} ms.",
result.Count,
stopWatch.ElapsedMilliseconds);

@@ -1078,7 +1078,7 @@ BrowseDescriptionCollection browseDescriptionCollection
result.Sort((x, y) => x.NodeId.CompareTo(y.NodeId));

m_logger.LogInformation(
"BrowseFullAddressSpace found {Count} references on server in {Duration}ms.",
"BrowseFullAddressSpace found {Count} references on server in {Duration} ms.",
referenceDescriptions.Count,
stopWatch.ElapsedMilliseconds);

@@ -166,6 +166,38 @@
<SecurityMode>SignAndEncrypt_3</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP384r1</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>Sign_2</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256_AesGcm</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>SignAndEncrypt_3</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256_AesGcm</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>Sign_2</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP256r1_ChaChaPoly</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>SignAndEncrypt_3</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP256r1_ChaChaPoly</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>Sign_2</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP384r1_ChaChaPoly</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>SignAndEncrypt_3</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP384r1_ChaChaPoly</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>Sign_2</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#RSA_DH_AesGcm</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>SignAndEncrypt_3</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#RSA_DH_AesGcm</SecurityPolicyUri>
</ServerSecurityPolicy>
<ServerSecurityPolicy>
<SecurityMode>None_1</SecurityMode>
<SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
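Review bot: The eight added `ServerSecurityPolicy` entries list the `_AesGcm` and `_ChaChaPoly` policies unconditionally, and nothing in the file tells an operator that they depend on runtime support. The commit list of this pull request mentions filtering these policies by runtime capability and excluding them from .NET Framework tests, so the server presumably drops unsupported entries at startup; if that is right, say so next to the entries, for example `<!-- AEAD policies (_AesGcm, _ChaChaPoly) are only advertised when the runtime supports the cipher -->`. A deployment that expects an AEAD endpoint should be able to tell from the configuration and the startup log why it is missing, rather than quietly ending up on another configured policy. The enclosing policy list starts and ends outside the hunk.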
487 changes: 351 additions & 136 deletions Libraries/Opc.Ua.Client/Session/Session.cs

Large diffs are not rendered by default.

16 changes: 12 additions & 4 deletions Libraries/Opc.Ua.Client/Session/SessionConfiguration.cs
@@ -123,10 +123,18 @@ public SessionState(SessionOptions options)
public NodeId AuthenticationToken { get; init; }

/// <summary>
/// The last server nonce received.
/// The raw bytes of the last server nonce received.
/// Persisting bytes avoids object-serialization ambiguity for Nonce internals.
/// </summary>
[DataMember(IsRequired = true, Order = 80)]
public Nonce? ServerNonce { get; init; }
public byte[]? ServerNonce { get; init; }

/// <summary>
/// The raw bytes of the client nonce used when the session was created.
/// Required for enhanced-policy activate signatures during reconnect.
/// </summary>
[DataMember(IsRequired = false, Order = 85)]
public byte[]? ClientNonce { get; init; }

/// <summary>
/// The user identity token policy which was used to create the session.
@@ -135,10 +143,10 @@ public SessionState(SessionOptions options)
public string? UserIdentityTokenPolicy { get; init; }

/// <summary>
/// The last server ecc ephemeral key received.
/// The raw bytes of the last server ECC ephemeral key received.
/// </summary>
[DataMember(IsRequired = false, Order = 100)]
public Nonce? ServerEccEphemeralKey { get; init; }
public byte[]? ServerEccEphemeralKey { get; init; }

/// <summary>
/// Allows the list of subscriptions to be saved/restored
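Review bot: `ServerNonce`, `ClientNonce` and `ServerEccEphemeralKey` are now restored from persisted state as raw `byte[]`, so any length or format check that constructing a `Nonce` may have applied no longer happens at deserialization. The code that consumes a restored `SessionState` (outside this hunk) should validate these values against the selected security policy before they feed an activate signature. Changing the type of `ServerNonce` while keeping `IsRequired = true` and `Order = 80` probably makes snapshots written by earlier versions unreadable, which deserves a sentence in the summary or a migration path. Because arrays are mutable and `init` only protects the reference, the summaries could also state the ownership rule, e.g. `/// The array is a copy; callers must not modify it.` if that is the intent.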
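--- a/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
+++ b/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
@@ -868,8 +868,10 @@ await DeleteApplicationInstanceCertificateAsync(configuration, id, ct).Configure
 else
 {
 ECCurve? curve =
-EccUtils.GetCurveFromCertificateTypeId(id.CertificateType)
-?? throw ServiceResultException.ConfigurationError("The Ecc certificate type is not supported.");
+CryptoUtils.GetCurveFromCertificateTypeId(id.CertificateType)
+?? throw new ServiceResultException(
+StatusCodes.BadConfigurationError,
+"The Ecc certificate type is not supported.");
 
 id.Certificate = builder.SetECCurve(curve.Value).CreateForECDsa();
 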
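Review bot: The rewritten `throw` keeps a message that does not say which certificate type was rejected, while the equivalent check in `TryGetECCCurve` (CertificateGroup.cs on this page) includes it. Consider `$"The Ecc certificate type {id.CertificateType} is not supported."` so a misconfigured application certificate can be identified from the log. The same condition is reported as `BadConfigurationError` here and as `BadNotSupported` at the two other call sites shown; if the difference is intentional, a short comment saying why would help. The enclosing method starts and ends outside the hunk.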
2 changes: 1 addition & 1 deletion Libraries/Opc.Ua.Gds.Server.Common/CertificateGroup.cs
@@ -756,7 +756,7 @@ private static bool TryGetECCCurve(NodeId certificateType, out ECCurve curve)
return false;
}
curve =
EccUtils.GetCurveFromCertificateTypeId(certificateType)
CryptoUtils.GetCurveFromCertificateTypeId(certificateType)
?? throw new ServiceResultException(
StatusCodes.BadNotSupported,
$"The certificate type {certificateType} is not supported.");
@@ -392,6 +392,7 @@ public void HasApplicationSecureAdminAccess(ISystemContext context)
}

/// <inheritdoc/>
[System.Diagnostics.CodeAnalysis.SuppressMessage("Naming", "CA1725:Parameter names should match base declaration", Justification = "<Pending>")]
public void HasApplicationSecureAdminAccess(
ISystemContext context,
CertificateStoreIdentifier trustedStore)
@@ -950,7 +951,7 @@ private X509Certificate2 GenerateTemporaryApplicationCertificate(
else
{
ECCurve? curve =
EccUtils.GetCurveFromCertificateTypeId(certificateTypeId)
CryptoUtils.GetCurveFromCertificateTypeId(certificateTypeId)
?? throw new ServiceResultException(
StatusCodes.BadNotSupported,
"The Ecc certificate type is not supported.");
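Review bot: The added `SuppressMessage` for CA1725 carries the placeholder justification `"<Pending>"`, which leaves no record of why the parameter names of this `HasApplicationSecureAdminAccess` overload differ from the base declaration. Either rename the parameters to match the base declaration and drop the attribute, or replace the placeholder with the real reason, for example `Justification = "Parameter name kept for source compatibility"` if that is the case. On an access-check method it helps to keep names aligned with the interface so that named-argument callers and the inherited documentation refer to the same parameter. The method body lies outside the hunk.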