Feature/enable mtls opcua (#1246)

* Implementation using SAN

* Added tests

* Make applicationUri configurable

Author: codepitbull

.claude/settings.local.json

@@ -39,9 +39,20 @@ public OpcUaClientConfigurator(final @NotNull String adapterId, final @NotNull P
 
     @Override
     public void accept(final @NotNull OpcUaClientConfigBuilder configBuilder) {
+        // Use Application URI from certificate if available, otherwise fall back to default
+        final String applicationUri = parsedConfig.applicationUri() != null
+                ? parsedConfig.applicationUri()
+                : Constants.OPCUA_APPLICATION_URI;
+
+        if (parsedConfig.applicationUri() == null) {
+            log.info("Using default Application URI: {}", applicationUri);
+        } else {
+            log.info("Using Application URI from certificate: {}", applicationUri);
+        }
+
         configBuilder
                 .setApplicationName(LocalizedText.english(Constants.OPCUA_APPLICATION_NAME))
-                .setApplicationUri(Constants.OPCUA_APPLICATION_URI)
+                .setApplicationUri(applicationUri)
                 .setProductUri(Constants.OPCUA_PRODUCT_URI)
                 .setSessionName(() -> Constants.OPCUA_SESSION_NAME_PREFIX + adapterId);
 

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/client/OpcUaClientConfigurator.java

@@ -46,7 +46,8 @@
 import java.util.Set;
 
 public record ParsedConfig(boolean tlsEnabled, KeystoreUtil.KeyPairWithChain keyPairWithChain,
-                           CertificateValidator clientCertificateValidator, IdentityProvider identityProvider) {
+                           CertificateValidator clientCertificateValidator, IdentityProvider identityProvider,
+                           @Nullable String applicationUri) {
 
     private static final @NotNull Logger log = LoggerFactory.getLogger(ParsedConfig.class);
 
@@ -79,7 +80,25 @@ public static Result<ParsedConfig, String> fromConfig(final OpcUaSpecificAdapter
             return Failure.of("Failed to create identity provider, check authentication configuration");
         }
 
-        return Success.of(new ParsedConfig(tlsEnabled, keyPairWithChain, certValidator, identityProvider.get()));
+        // Determine Application URI with priority: configured > certificate SAN > default
+        final String applicationUri;
+        if (adapterConfig.getApplicationUri() != null && !adapterConfig.getApplicationUri().isBlank()) {
+            // Priority 1: Use configured override
+            applicationUri = adapterConfig.getApplicationUri();
+            log.info("Using configured Application URI override: {}", applicationUri);
+        } else if (keyPairWithChain != null && keyPairWithChain.applicationUri() != null) {
+            // Priority 2: Use certificate SAN URI
+            applicationUri = keyPairWithChain.applicationUri();
+            log.info("Using Application URI from certificate: {}", applicationUri);
+        } else {
+            // Priority 3: Will use default in OpcUaClientConfigurator
+            applicationUri = null;
+            if (tlsEnabled && keyPairWithChain != null) {
+                log.warn("Certificate does not contain Application URI in SAN extension, will use default URI");
+            }
+        }
+
+        return Success.of(new ParsedConfig(tlsEnabled, keyPairWithChain, certValidator, identityProvider.get(), applicationUri));
     }
 
     private static @NotNull Optional<List<X509Certificate>> getTrustedCerts(@Nullable final Truststore truststore) {

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/client/ParsedConfig.java

@@ -27,10 +27,11 @@ public class BidirectionalOpcUaSpecificAdapterConfig extends OpcUaSpecificAdapte
     public BidirectionalOpcUaSpecificAdapterConfig(
             @JsonProperty(value = "uri", required = true) final @NotNull String uri,
             @JsonProperty(value = "overrideUri", defaultValue = "false") final @Nullable Boolean overrideUri,
+            @JsonProperty("applicationUri") final @Nullable String applicationUri,
             @JsonProperty("auth") final @Nullable Auth auth,
             @JsonProperty("tls") final @Nullable Tls tls,
             @JsonProperty(value = "opcuaToMqtt") final @Nullable OpcUaToMqttConfig opcuaToMqttConfig,
             @JsonProperty("security") final @Nullable Security security) {
-        super(uri, overrideUri, auth, tls, opcuaToMqttConfig, security);
+        super(uri, overrideUri, applicationUri, auth, tls, opcuaToMqttConfig, security);
     }
 }

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/BidirectionalOpcUaSpecificAdapterConfig.java

@@ -55,6 +55,13 @@ public class OpcUaSpecificAdapterConfig implements ProtocolSpecificAdapterConfig
                        defaultValue = "false")
     private final boolean overrideUri;
 
+    @JsonProperty("applicationUri")
+    @ModuleConfigField(title = "Application URI Override",
+                       description = "Overrides the Application URI used for OPC UA client identification. If not specified, the URI from the certificate SAN extension is used, or the default URI 'urn:hivemq:edge:client' as fallback.",
+                       format = ModuleConfigField.FieldType.URI,
+                       required = false)
+    private final @Nullable String applicationUri;
+
     @JsonProperty("auth")
     @JsonInclude(JsonInclude.Include.NON_NULL)
     private final @Nullable Auth auth;
@@ -74,12 +81,14 @@ public class OpcUaSpecificAdapterConfig implements ProtocolSpecificAdapterConfig
     public OpcUaSpecificAdapterConfig(
             @JsonProperty(value = "uri", required = true) final @NotNull String uri,
             @JsonProperty("overrideUri") final @Nullable Boolean overrideUri,
+            @JsonProperty("applicationUri") final @Nullable String applicationUri,
             @JsonProperty("auth") final @Nullable Auth auth,
             @JsonProperty("tls") final @Nullable Tls tls,
             @JsonProperty(value = "opcuaToMqtt") final @Nullable OpcUaToMqttConfig opcuaToMqttConfig,
             @JsonProperty("security") final @Nullable Security security) {
         this.uri = uri;
         this.overrideUri = requireNonNullElse(overrideUri, false);
+        this.applicationUri = (applicationUri != null && !applicationUri.isBlank()) ? applicationUri : null;
         this.auth = auth;
         this.tls = requireNonNullElse(tls, new Tls(false, null, null));
         this.opcuaToMqttConfig =
@@ -112,6 +121,10 @@ public OpcUaSpecificAdapterConfig(
         return overrideUri;
     }
 
+    public @Nullable String getApplicationUri() {
+        return applicationUri;
+    }
+
     @Override
     public boolean equals(final @Nullable Object o) {
         if (o == null || getClass() != o.getClass()) {
@@ -121,6 +134,7 @@ public boolean equals(final @Nullable Object o) {
         return getOverrideUri().equals(that.getOverrideUri()) &&
                 Objects.equals(id, that.id) &&
                 Objects.equals(getUri(), that.getUri()) &&
+                Objects.equals(getApplicationUri(), that.getApplicationUri()) &&
                 Objects.equals(getAuth(), that.getAuth()) &&
                 Objects.equals(getTls(), that.getTls()) &&
                 Objects.equals(getSecurity(), that.getSecurity()) &&
@@ -129,6 +143,6 @@ public boolean equals(final @Nullable Object o) {
 
     @Override
     public int hashCode() {
-        return Objects.hash(getOverrideUri(), id, getUri(), getAuth(), getTls(), getSecurity(), getOpcuaToMqttConfig());
+        return Objects.hash(getOverrideUri(), id, getUri(), getApplicationUri(), getAuth(), getTls(), getSecurity(), getOpcuaToMqttConfig());
     }
 }

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/OpcUaSpecificAdapterConfig.java

@@ -15,7 +15,9 @@
  */
 package com.hivemq.edge.adapters.opcua.util;
 
+import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
@@ -95,18 +97,36 @@ public class KeystoreUtil {
             //load keystore from TLS config
             final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
             keyStore.load(fileInputStream, keyStorePassword.toCharArray());
-            final String firstAlias = keyStore.aliases().nextElement();
-            final PrivateKey privateKey = (PrivateKey) keyStore.getKey(firstAlias, privateKeyPassword.toCharArray());
-            final Certificate certificate = keyStore.getCertificate(firstAlias);
-            final Certificate[] certificateChain = keyStore.getCertificateChain(firstAlias);
+
+            // Find the first key entry (not just any alias, which might be a certificate entry)
+            String keyAlias = null;
+            final Iterator<String> aliasIterator = keyStore.aliases().asIterator();
+            while (aliasIterator.hasNext()) {
+                final String alias = aliasIterator.next();
+                if (keyStore.isKeyEntry(alias)) {
+                    keyAlias = alias;
+                    break;
+                }
+            }
+
+            if (keyAlias == null) {
+                throw new SslException("No key entry found in KeyStore '" + keyStorePath + "'");
+            }
+
+            final PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, privateKeyPassword.toCharArray());
+            final Certificate certificate = keyStore.getCertificate(keyAlias);
+            final Certificate[] certificateChain = keyStore.getCertificateChain(keyAlias);
 
             final X509Certificate certificateX509 = (X509Certificate) certificate;
             final X509Certificate[] certificateChainX509 = new X509Certificate[certificateChain.length];
             for (int i = 0; i < certificateChain.length; i++) {
                 certificateChainX509[i] = (X509Certificate) certificateChain[i];
             }
 
-            return new KeyPairWithChain(privateKey, certificateX509, certificateChainX509);
+            // Extract Application URI from certificate SAN extension
+            final String applicationUri = CertificateUtil.getSanUri(certificateX509).orElse(null);
+
+            return new KeyPairWithChain(privateKey, certificateX509, certificateChainX509, applicationUri);
         } catch (final UnrecoverableKeyException e1) {
             throw new SslException(
                     "Not able to recover key from KeyStore, please check your private-key-password and your keyStorePassword",
@@ -125,6 +145,7 @@ public class KeystoreUtil {
     }
 
     public record KeyPairWithChain(@NotNull PrivateKey privateKey, @NotNull X509Certificate publicKey,
-                                   @NotNull X509Certificate[] certificateChain) {
+                                   @NotNull X509Certificate[] certificateChain,
+                                   @Nullable String applicationUri) {
     }
 }

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/util/KeystoreUtil.java

@@ -30,12 +30,12 @@
 import java.util.Optional;
 import java.util.stream.Collectors;
 
+import static com.hivemq.edge.adapters.opcua.Constants.DEFAULT_SECURITY_POLICY;
 import static com.hivemq.edge.adapters.opcua.config.SecPolicy.AES128_SHA256_RSAOAEP;
 import static com.hivemq.edge.adapters.opcua.config.SecPolicy.AES256_SHA256_RSAPSS;
 import static com.hivemq.edge.adapters.opcua.config.SecPolicy.BASIC128RSA15;
 import static com.hivemq.edge.adapters.opcua.config.SecPolicy.BASIC256;
 import static com.hivemq.edge.adapters.opcua.config.SecPolicy.BASIC256SHA256;
-import static com.hivemq.edge.adapters.opcua.Constants.DEFAULT_SECURITY_POLICY;
 import static com.hivemq.edge.adapters.opcua.config.SecPolicy.NONE;
 import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 
@@ -53,6 +53,7 @@ public void whenSingleEndpointConfigSet_thenPickCorrectEndpoint() {
         final OpcUaSpecificAdapterConfig config = new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320",
                 false,
                 null,
+                null,
                 new Tls(true, new Keystore("path", null, null), null),
                 null,
                 null);
@@ -69,7 +70,7 @@ public void whenSingleEndpointConfigSet_thenPickCorrectEndpoint() {
     @Test
     public void whenSingleEndpointConfigSetAndNoKeystorePresent_thenPickNoEndpoint() {
         final OpcUaSpecificAdapterConfig config =
-                new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320", false, null, null, null, null);
+                new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320", false, null, null, null, null, null);
 
         final String configUri = convertToUri(BASIC256SHA256);
         final OpcUaEndpointFilter opcUaEndpointFilter = new OpcUaEndpointFilter("id", configUri, config);
@@ -83,7 +84,7 @@ public void whenSingleEndpointConfigSetAndNoKeystorePresent_thenPickNoEndpoint()
     public void whenSingleEndpointConfigSetAndNotAvailOnServer_thenPickNoEndpoint() {
         final String configUri = convertToUri(BASIC256SHA256);
         final OpcUaSpecificAdapterConfig config =
-                new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320", false, null, null, null, null);
+                new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320", false, null, null, null, null, null);
         final OpcUaEndpointFilter opcUaEndpointFilter = new OpcUaEndpointFilter("id", configUri, config);
 
         final Optional<EndpointDescription> result =
@@ -95,7 +96,7 @@ public void whenSingleEndpointConfigSetAndNotAvailOnServer_thenPickNoEndpoint()
     @Test
     public void whenDefaultEndpointConfigSet_thenPickMatchingEndpoint() {
         final OpcUaSpecificAdapterConfig config =
-                new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320", false, null, null, null, null);
+                new OpcUaSpecificAdapterConfig("opc.tcp://127.0.0.1:49320", false, null, null, null, null, null);
         final OpcUaEndpointFilter opcUaEndpointFilter = new OpcUaEndpointFilter("id", convertToUri(
                 DEFAULT_SECURITY_POLICY), config);
 
@@ -106,7 +107,7 @@ public void whenDefaultEndpointConfigSet_thenPickMatchingEndpoint() {
     }
 
     @NotNull
-    private static List<EndpointDescription> convertToEndpointDescription(List<String> allUris) {
+    private static List<EndpointDescription> convertToEndpointDescription(final @NotNull List<String> allUris) {
         final ArrayList<EndpointDescription> endpointList = allUris.stream()
                 .map(policyUri -> new EndpointDescription("opc.tcp://127.0.0.1:49320",
                         null,
@@ -124,7 +125,7 @@ private static List<EndpointDescription> convertToEndpointDescription(List<Strin
     private @NotNull List<String> convertToUri(final @NotNull List<SecPolicy> policies) {
         return policies.stream()
                 .map(secPolicy -> secPolicy.getSecurityPolicy().getUri())
-                .collect(Collectors.toUnmodifiableList());
+                .toList();
     }
 
     private @NotNull String convertToUri(final @NotNull SecPolicy policy) {

modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/OpcUaEndpointFilterTest.java

@@ -97,6 +97,7 @@ public void whenNoAuthAndNoSubscriptions_thenConnectSuccessfully() {
                 false,
                 null,
                 null,
+                null,
                 new OpcUaToMqttConfig(1, 1000),
                 null);
 
@@ -122,6 +123,7 @@ public void whenBasicAuthAndNoSubscriptions_thenConnectSuccessfully() {
         final OpcUaSpecificAdapterConfig config = new OpcUaSpecificAdapterConfig(
                 opcUaServerExtension.getServerUri(),
                 false,
+                null,
                 auth,
                 null,
                 null,
@@ -148,6 +150,7 @@ public void whenTlsAndNoSubscriptions_thenConnectSuccessfully() {
                 opcUaServerExtension.getServerUri(),
                 false,
                 null,
+                null,
                 tls,
                 null,
                 security);
@@ -175,6 +178,7 @@ public void whenCertAuthAndNoSubscriptions_thenConnectSuccessfully() throws Exce
         final OpcUaSpecificAdapterConfig config = new OpcUaSpecificAdapterConfig(
                 opcUaServerExtension.getServerUri(),
                 false,
+                null,
                 auth,
                 tls,
                 null,