Create 1.5.375-ECC-preview (#2667)

* Squash proto ecc (#1998)

* clean a few warning

* Instantiate HMAC instance depending on provided algorithm.

* fix build

* Added ApplicationCertificates XML tag (bcw compat)

* Use ListOfCertificateIdentifier for configuration

* Use ApplicationCertificates tag

* Added new Interface AddSecurityConfiguration(
            CertificateIdentifierCollection applicationCertificates,
            string pkiRoot = null,
            string rejectedRoot = null
            )

* Reenabled special cases in ValidateCertificateType

* Use KeySize property value if set under IsECSecureForProfile method

* Check minimKeySize for ApplicationCertificates

* Keep and mark as obsolete ApplicationInstance methods for bacword compat

* Fix CfgManager UpdateCertificate()

* Added missing interface implementation

* Added CertificateTypeString to improve visual appearance

* Commented ECCUtils code

* Corrected ConsoleRefClient Configuration

* net48 has null Oid values for Brainpool curves

* Updated tests to new API

* Default certificate type for "old" style configuration is RsaSha256ApplicationCertificateType

* SemaphoreSlim is not reentrant => removed from ResetValidatedCertificates

* Fixed loading of disposed cached certificates

* Modified projects to correctly use ECC_SUPPORT flag

* Handle EphemerousKey from Server side

* Added minimal test

* Added UserIdentityToken Encypt/Decrypt functionality

* Preserve key material in UserIdentityToken encryption/decription

* Removed ECC support from NETSTANDARD2_0 (introduced bu UserIdentityEncryption)

* Added UserIdentity encryption positive roundtrip unit tests

* Propagated clientIssuerCertificates to UserIdentityToken encryption

* Save the userTokenSecurityPolicyUri per Session (needed in reconnect)

* Added FindUserTokenPolicy methods which support providing tokenSecurityPolicy

* Added eccServerEphemeralKeu to saved session secrets

* Addapt code to merge changes

* Added ReentrantSlimSemaphore

* Added EccProfiles.md

* improve project setup for ECC

* fix build

* Removed unused code and corrected some

* ECC cert fixes

* fix a merge conflict (includes releaxed validator for cert loading)

* fix semaphore hang

* fix CertificateTypes Provider & CertificateFactory

* client session assync initialize

* Deprecated Utils.Nonce

* Simplify Nonce.CreateNonce method, added NonceTests UnitTest

* Removed #if ECC_SUPPORT conditional compilation statements related to Nonce usage

* Move async code out of the constructor

* Implemented SetECDsaPublicKey, ReentrantSemaphoreSlim removed

* Added MaxChannelCount of 100 to ServerFixture

* Set version 1.5.375-ECC-preview

* Removed ECDsaCng validation for ECDsa (OS platform dependent)

* fix CreateNonce function for invalid input data

* ignore test on OSX

* Remove NoWarn tag

* Ignore GetEndpoints call exceptions on platforms other than Windows for opc.https and https url schemes

* Use RSA minimum certificate size of 2048 (OpenSSL on Linux does not accept less for TLS versions greated than 1), revert GetEndpointsAsync

* Increase test timeout to 45 minutes

* Fix build errors

* Fix validation of Nonce length

* add ECC polices to Client Security Level calculation

* Remove wrong propagation of minKeySize into RSA application certificate creation

* Fix behaviour of flag AddAppCertToTrustedStore

* Fix netstandard2.0 compilation

* Changed versionHeightOffset to 70

* Modirfied Opc.Ua.Client.cproj to generate the APICompat suppression file

---------

Co-authored-by: Martin Regen <mregen@microsoft.com>
Co-authored-by: Roman Ettlinger <romanett98@gmail.com>

.azurepipelines/test.yml

@@ -67,7 +67,7 @@ jobs:
       arguments: '${{ variables.DotCliCommandline }} --configuration ${{ parameters.configuration }}'
   - task: DotNetCoreCLI@2
     displayName: Test ${{ parameters.configuration }}
-    timeoutInMinutes: 30
+    timeoutInMinutes: 45
     inputs:
       command: test
       projects: $(file)

Applications/ClientControls.Net4/UA Client Controls.csproj

@@ -1054,4 +1054,4 @@
     <PreBuildEvent>
     </PreBuildEvent>
   </PropertyGroup>
-</Project>
+</Project>

Applications/ConsoleReferenceClient/Program.cs

@@ -168,7 +168,7 @@ public static async Task Main(string[] args)
                 }
 
                 // check the application certificate.
-                bool haveAppCertificate = await application.CheckApplicationInstanceCertificate(false, minimumKeySize: 0).ConfigureAwait(false);
+                bool haveAppCertificate = await application.CheckApplicationInstanceCertificates(false).ConfigureAwait(false);
                 if (!haveAppCertificate)
                 {
                     throw new ErrorExitException("Application instance certificate invalid!", ExitCode.ErrorCertificate);

Applications/ConsoleReferenceClient/Quickstarts.ReferenceClient.Config.xml

@@ -12,13 +12,44 @@
   <SecurityConfiguration>
 
     <!-- Where the application instance certificate is stored (MachineDefault) -->
-    <ApplicationCertificate>
-      <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
-      <SubjectName>CN=Console Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
-    </ApplicationCertificate>
-
-   <!-- Where the issuer certificate are stored (certificate authorities) -->
+    <ApplicationCertificates>
+      <CertificateIdentifier>
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>RsaSha256</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>NistP256</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP256</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>NistP384</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP384</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>BrainpoolP256r1</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP256r1</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>BrainpoolP384r1</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP384r1</CertificateTypeString>
+      </CertificateIdentifier>
+    </ApplicationCertificates>
+
+    <!-- Where the issuer certificate are stored (certificate authorities) -->
     <TrustedIssuerCertificates>
       <StoreType>Directory</StoreType>
       <StorePath>%LocalApplicationData%/OPC Foundation/pki/issuer</StorePath>

Applications/ConsoleReferenceServer/Quickstarts.ReferenceServer.Config.xml

@@ -4,19 +4,52 @@
   xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd"
   xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
 > 
+<!-- xsi:schemaLocation="http://opcfoundation.org/UA/SDK/Configuration.xsd ./Configuration.xsd" -->
   <ApplicationName>Quickstart Reference Server</ApplicationName>
   <ApplicationUri>urn:localhost:UA:Quickstarts:ReferenceServer</ApplicationUri>
   <ProductUri>uri:opcfoundation.org:Quickstarts:ReferenceServer</ProductUri>
   <ApplicationType>Server_0</ApplicationType>
 
   <SecurityConfiguration>
+    <!-- Which certificate types are supported  -->
+    <ApplicationCertificates>
+      <CertificateIdentifier>
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>RsaSha256</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>NistP256</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP256</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>NistP384</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP384</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>BrainpoolP256r1</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP256r1</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <!-- <TypeId>BrainpoolP384r1</TypeId> -->
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP384r1</CertificateTypeString>
+      </CertificateIdentifier>
+    </ApplicationCertificates>
 
-    <!-- Where the application instance certificate is stored (MachineDefault) -->
-    <ApplicationCertificate>
-      <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
-      <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
-    </ApplicationCertificate>
+    <!-- Where the other application certificates are stored -->
 
     <!-- Where the issuer certificate are stored (certificate authorities) -->
     <TrustedIssuerCertificates>
@@ -45,6 +78,7 @@
     <RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates>
     <RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>
     <MinimumCertificateKeySize>2048</MinimumCertificateKeySize>
+    <MinimumECCertificateKeySize>256</MinimumECCertificateKeySize>
     <AddAppCertToTrustedStore>false</AddAppCertToTrustedStore>
     <SendCertificateChain>true</SendCertificateChain>
 
@@ -96,14 +130,11 @@
     </AlternateBaseAddresses>
     -->
     <SecurityPolicies>
+      <!-- the first policy is used for the https endpoint -->
       <ServerSecurityPolicy>
         <SecurityMode>SignAndEncrypt_3</SecurityMode>
         <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
       </ServerSecurityPolicy>
-      <ServerSecurityPolicy>
-        <SecurityMode>None_1</SecurityMode>
-        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
-      </ServerSecurityPolicy>
       <ServerSecurityPolicy>
         <SecurityMode>Sign_2</SecurityMode>
         <SecurityPolicyUri></SecurityPolicyUri>
@@ -112,7 +143,43 @@
         <SecurityMode>SignAndEncrypt_3</SecurityMode>
         <SecurityPolicyUri></SecurityPolicyUri>
       </ServerSecurityPolicy>
-      <!-- deprecated security policies for reference only 
+      <ServerSecurityPolicy>
+        <SecurityMode>Sign_2</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>Sign_2</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP384</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>Sign_2</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP256r1</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>Sign_2</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP384r1</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>SignAndEncrypt_3</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>SignAndEncrypt_3</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP384</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>SignAndEncrypt_3</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP256r1</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>SignAndEncrypt_3</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP384r1</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <ServerSecurityPolicy>
+        <SecurityMode>None_1</SecurityMode>
+        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
+      </ServerSecurityPolicy>
+      <!-- deprecated security policies for reference only -->
       <ServerSecurityPolicy>
         <SecurityMode>Sign_2</SecurityMode>
         <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri>
@@ -129,7 +196,7 @@
         <SecurityMode>SignAndEncrypt_3</SecurityMode>
         <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri>
       </ServerSecurityPolicy>
-      -->
+      <!-- -->
     </SecurityPolicies>
 
     <MinRequestThreadCount>5</MinRequestThreadCount>
@@ -241,7 +308,7 @@
     </SupportedPrivateKeyFormats>
     <MaxTrustListSize>0</MaxTrustListSize>
     <MultiCastDnsEnabled>false</MultiCastDnsEnabled>
-    
+
     <!--  Reverse connection parameters for aggregation server sample -->
     <!--
     <ReverseConnect>

Applications/ConsoleReferenceServer/UAServer.cs

@@ -101,7 +101,7 @@ public async Task CheckCertificateAsync(bool renewCertificate)
                 }
 
                 // check the application certificate.
-                bool haveAppCertificate = await m_application.CheckApplicationInstanceCertificate(false, minimumKeySize: 0).ConfigureAwait(false);
+                bool haveAppCertificate = await m_application.CheckApplicationInstanceCertificates(false).ConfigureAwait(false);
                 if (!haveAppCertificate)
                 {
                     throw new ErrorExitException("Application instance certificate invalid!");

Applications/ReferenceClient/Program.cs

@@ -60,7 +60,7 @@ static void Main()
                 application.LoadApplicationConfiguration(false).Wait();
 
                 // check the application certificate.
-                var certOK = application.CheckApplicationInstanceCertificate(false, 0).Result;
+                var certOK = application.CheckApplicationInstanceCertificates(false).Result;
                 if (!certOK)
                 {
                     throw new Exception("Application instance certificate invalid!");

Applications/ReferenceServer/Program.cs

@@ -66,7 +66,7 @@ static void Main()
                 SerilogTraceLogger.Create(loggerConfiguration, config);
 
                 // check the application certificate.
-                bool certOk = application.CheckApplicationInstanceCertificate(false, 0).Result;
+                bool certOk = application.CheckApplicationInstanceCertificates(false).Result;
                 if (!certOk)
                 {
                     throw new Exception("Application instance certificate invalid!");

Applications/ServerControls.Net4/UA Server Controls.csproj

@@ -170,4 +170,4 @@
     <PostBuildEvent>
     </PostBuildEvent>
   </PropertyGroup>
-</Project>
+</Project>