Merge remote-tracking branch 'origin/master' into UpdateConfiguration…

…NodeManger
OPCFoundation · Dec 19, 2024 · 3919ad1 · 3919ad1
2 parents 25c0837 + 6489c12
commit 3919ad1
Show file tree

Hide file tree

Showing 25 changed files with 141 additions and 72 deletions.
diff --git a/Applications/ConsoleReferenceClient/ConsoleReferenceClient.csproj b/Applications/ConsoleReferenceClient/ConsoleReferenceClient.csproj
@@ -24,7 +24,7 @@
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.0" />
     <PackageReference Include="Mono.Options" Version="6.12.0.148" />
-    <PackageReference Include="Serilog" Version="4.1.0" />
+    <PackageReference Include="Serilog" Version="4.2.0" />
     <PackageReference Include="Serilog.Expressions" Version="5.0.0" />
     <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="3.1.0" />

diff --git a/Applications/ConsoleReferenceServer/ConsoleReferenceServer.csproj b/Applications/ConsoleReferenceServer/ConsoleReferenceServer.csproj
@@ -33,7 +33,7 @@
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.0" />
     <PackageReference Include="Mono.Options" Version="6.12.0.148" />
-    <PackageReference Include="Serilog" Version="4.1.0" />
+    <PackageReference Include="Serilog" Version="4.2.0" />
     <PackageReference Include="Serilog.Expressions" Version="5.0.0" />
     <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="3.1.0" />

diff --git a/Fuzzing/Encoders/Fuzz.Tests/Opc.Ua.Encoders.Fuzz.Tests.csproj b/Fuzzing/Encoders/Fuzz.Tests/Opc.Ua.Encoders.Fuzz.Tests.csproj
@@ -20,7 +20,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>

diff --git a/Fuzzing/Encoders/Fuzz.Tools/Encoders.Fuzz.Tools.csproj b/Fuzzing/Encoders/Fuzz.Tools/Encoders.Fuzz.Tools.csproj
@@ -23,7 +23,7 @@
     <PackageReference Include="SharpFuzz" Version="2.1.1" />
     <PackageReference Include="Mono.Options" Version="6.12.0.148" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
-    <PackageReference Include="Serilog" Version="4.1.0" />
+    <PackageReference Include="Serilog" Version="4.2.0" />
     <PackageReference Include="Serilog.Expressions" Version="5.0.0" />
     <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="3.1.0" />

diff --git a/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs b/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
@@ -2,7 +2,7 @@
  * Copyright (c) 2005-2021 The OPC Foundation, Inc. All rights reserved.
  *
  * OPC Foundation MIT License 1.00
- * 
+ *
  * Permission is hereby granted, free of charge, to any person
  * obtaining a copy of this software and associated documentation
  * files (the "Software"), to deal in the Software without
@@ -11,7 +11,7 @@
  * copies of the Software, and to permit persons to whom the
  * Software is furnished to do so, subject to the following
  * conditions:
- * 
+ *
  * The above copyright notice and this permission notice shall be
  * included in all copies or substantial portions of the Software.
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
@@ -499,7 +499,7 @@ public async Task<bool> CheckApplicationInstanceCertificates(
 
         #region Private Methods
         /// <summary>
-        /// 
+        ///
         /// </summary>
         /// <param name="id"></param>
         /// <param name="silent"></param>
@@ -715,7 +715,7 @@ await configuration.CertificateValidator.ValidateAsync(
                 configuration.CertificateValidator.CertificateValidation -= certValidator.OnCertificateValidation;
             }
 
-            // check key size 
+            // check key size
             int keySize = X509Utils.GetPublicKeySize(certificate);
             if (minimumKeySize > keySize)
             {

diff --git a/Libraries/Opc.Ua.PubSub/Encoding/UadpNetworkMessage.cs b/Libraries/Opc.Ua.PubSub/Encoding/UadpNetworkMessage.cs
@@ -117,7 +117,7 @@ public UadpNetworkMessage(UADPNetworkMessageDiscoveryType discoveryType)
         /// Create new instance of <see cref="UadpNetworkMessage"/> as a DiscoveryResponse of PublisherEndpoints type
         /// </summary>
         /// <param name="publisherEndpoints"></param>
-        /// <param name="publisherProvidesEndpoints "></param>
+        /// <param name="publisherProvidesEndpoints"></param>
         public UadpNetworkMessage(EndpointDescription[] publisherEndpoints, StatusCode publisherProvidesEndpoints)
         : base(null, new List<UaDataSetMessage>())
         {

diff --git a/Libraries/Opc.Ua.Server/Diagnostics/CustomNodeManager.cs b/Libraries/Opc.Ua.Server/Diagnostics/CustomNodeManager.cs
@@ -3021,16 +3021,16 @@ protected virtual ServiceResult Call(
             List<ServiceResult> argumentErrors = new List<ServiceResult>();
             VariantCollection outputArguments = new VariantCollection();
 
-            ServiceResult error = method.Call(
+            ServiceResult callResult = method.Call(
                 context,
                 methodToCall.ObjectId,
                 methodToCall.InputArguments,
                 argumentErrors,
                 outputArguments);
 
-            if (ServiceResult.IsBad(error))
+            if (ServiceResult.IsBad(callResult))
             {
-                return error;
+                return callResult;
             }
 
             // check for argument errors.
@@ -3085,7 +3085,8 @@ protected virtual ServiceResult Call(
             // return output arguments.
             result.OutputArguments = outputArguments;
 
-            return ServiceResult.Good;
+            // return the actual result of the original call
+            return callResult;
         }
 
 

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs
@@ -12,8 +12,6 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
 using System;
 using System.Collections.Generic;
-using System.Diagnostics;
-using System.Linq;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
@@ -243,20 +241,6 @@ public async Task<X509Certificate2> Find(bool needPrivateKey)
             return certificate;
         }
 
-        /// <summary>
-        /// Updates the object from another object (usage is not updated).
-        /// </summary>
-        /// <param name="certificate">The certificate.</param>
-        private void Paste(CertificateIdentifier certificate)
-        {
-            this.SubjectName = certificate.SubjectName;
-            this.Thumbprint = certificate.Thumbprint;
-            this.RawData = certificate.RawData;
-            this.ValidationOptions = certificate.ValidationOptions;
-            this.Certificate = certificate.Certificate;
-            this.CertificateType = certificate.CertificateType;
-        }
-
         /// <summary>
         /// Returns a display name for a certificate.
         /// </summary>
@@ -528,9 +512,6 @@ public ushort GetMinKeySize(SecurityConfiguration securityConfiguration)
                 // non RSA
                 return 0;
             }
-
-            throw new ArgumentException("Certificate type is unknown");
-
         }
 
 

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs
@@ -30,7 +30,7 @@ namespace Opc.Ua
     /// </summary>
     public class CertificateValidator : ICertificateValidator
     {
-        // default number of rejected certificates for history 
+        // default number of rejected certificates for history
         const int kDefaultMaxRejectedCertificates = 5;
 
         #region Constructors
@@ -1414,7 +1414,23 @@ protected virtual async Task InternalValidateAsync(X509Certificate2Collection ce
                     null, null, "SHA1 signed certificates are not trusted.", null, sresult);
             }
 
-            if (!isECDsaSignature)
+            // check if certificate signature algorithm length is sufficient
+            if (isECDsaSignature)
+            {
+                int publicKeySize = X509Utils.GetPublicKeySize(certificate);
+                bool isInvalid = (certificate.SignatureAlgorithm.Value == Oids.ECDsaWithSha256 &&
+                                  publicKeySize > 256) ||
+                                 (certificate.SignatureAlgorithm.Value == Oids.ECDsaWithSha384 &&
+                                  (publicKeySize <= 256 || publicKeySize > 384)) ||
+                                 (certificate.SignatureAlgorithm.Value == Oids.ECDsaWithSha512 &&
+                                  publicKeySize <= 384);
+                if (isInvalid)
+                {
+                    sresult = new ServiceResult(StatusCodes.BadCertificatePolicyCheckFailed,
+                        null, null, "Certificate doesn't meet minimum signature algorithm length requirement.", null, sresult);
+                }
+            }
+            else // RSA
             {
                 int keySize = X509Utils.GetRSAPublicKeySize(certificate);
                 if (keySize < m_minimumCertificateKeySize)

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/EccUtils.cs b/Stack/Opc.Ua.Core/Security/Certificates/EccUtils.cs
@@ -222,8 +222,7 @@ public static string GetECDsaQualifier(X509Certificate2 certificate)
         /// <returns></returns>
         public static ECDsa GetPublicKey(X509Certificate2 certificate)
         {
-            string[] securityPolicyUris;
-            return GetPublicKey(certificate, out securityPolicyUris);
+            return GetPublicKey(certificate, out string[] _);
         }
 
         /// <summary>
@@ -236,14 +235,19 @@ public static ECDsa GetPublicKey(X509Certificate2 certificate, out string[] secu
         {
             securityPolicyUris = null;
 
+            if (certificate == null)
+            {
+                return null;
+            }
+
             var keyAlgorithm = certificate.GetKeyAlgorithm();
 
-            if (certificate == null || keyAlgorithm != Oids.ECPublicKey)
+            if (keyAlgorithm != Oids.ECPublicKey)
             {
                 return null;
             }
 
-            const X509KeyUsageFlags SufficientFlags =
+            const X509KeyUsageFlags kSufficientFlags =
                 X509KeyUsageFlags.KeyAgreement |
                 X509KeyUsageFlags.DigitalSignature |
                 X509KeyUsageFlags.NonRepudiation |
@@ -256,7 +260,7 @@ public static ECDsa GetPublicKey(X509Certificate2 certificate, out string[] secu
                 {
                     X509KeyUsageExtension kuExt = (X509KeyUsageExtension)extension;
 
-                    if ((kuExt.KeyUsages & SufficientFlags) == 0)
+                    if ((kuExt.KeyUsages & kSufficientFlags) == 0)
                     {
                         return null;
                     }
@@ -343,8 +347,6 @@ public static int GetSignatureLength(X509Certificate2 signingCertificate)
 
                 return publicKey.KeySize / 4;
             }
-
-            throw new NotImplementedException();
         }
 
         /// <summary>

diff --git a/Stack/Opc.Ua.Core/Security/Constants/SecurityPolicies.cs b/Stack/Opc.Ua.Core/Security/Constants/SecurityPolicies.cs
@@ -621,11 +621,6 @@ public static bool Verify(X509Certificate2 certificate, string securityPolicyUri
                         securityPolicyUri);
                 }
             }
-
-            throw ServiceResultException.Create(
-                StatusCodes.BadSecurityChecksFailed,
-                "Unexpected security policy Uri: {0}",
-                securityPolicyUri);
         }
         #endregion
     }

diff --git a/Stack/Opc.Ua.Core/Stack/State/MethodState.cs b/Stack/Opc.Ua.Core/Stack/State/MethodState.cs
@@ -706,7 +706,7 @@ public virtual ServiceResult Call(
             }
 
             // copy out arguments.
-            if (ServiceResult.IsGood(result))
+            if (ServiceResult.IsGoodOrUncertain(result))
             {
                 for (int ii = 0; ii < outputs.Count; ii++)
                 {

diff --git a/Stack/Opc.Ua.Core/Types/Utils/ServiceResult.cs b/Stack/Opc.Ua.Core/Types/Utils/ServiceResult.cs
@@ -524,6 +524,19 @@ public static bool IsUncertain(ServiceResult status)
             return false;
         }
 
+        /// <summary>
+        /// Returns true if the status code is good or uncertain.
+        /// </summary>
+        public static bool IsGoodOrUncertain(ServiceResult status)
+        {
+            if (status != null)
+            {
+                return StatusCode.IsGood(status.m_code) || StatusCode.IsUncertain(status.m_code);
+            }
+
+            return false;
+        }
+
         /// <summary>
         /// Returns true if the status is good or uncertain.
         /// </summary>

diff --git a/Tests/Opc.Ua.Client.ComplexTypes.Tests/Opc.Ua.Client.ComplexTypes.Tests.csproj b/Tests/Opc.Ua.Client.ComplexTypes.Tests/Opc.Ua.Client.ComplexTypes.Tests.csproj
@@ -9,7 +9,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>

diff --git a/Tests/Opc.Ua.Client.Tests/ClientTest.cs b/Tests/Opc.Ua.Client.Tests/ClientTest.cs
@@ -1705,6 +1705,7 @@ public async Task OpenSessionECCUserCertIdentityToken(
                 }
                 if (eccurveHashPair.Curve.Oid.FriendlyName.Contains(extractedFriendlyNamae))
                 {
+
                     X509Certificate2 cert = CertificateBuilder.Create("CN=Client Test ECC Subject, O=OPC Foundation")
                     .SetECCurve(eccurveHashPair.Curve)
                     .CreateForECDsa();

diff --git a/Tests/Opc.Ua.Client.Tests/Opc.Ua.Client.Tests.csproj b/Tests/Opc.Ua.Client.Tests/Opc.Ua.Client.Tests.csproj
@@ -23,7 +23,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>

diff --git a/Tests/Opc.Ua.Configuration.Tests/Opc.Ua.Configuration.Tests.csproj b/Tests/Opc.Ua.Configuration.Tests/Opc.Ua.Configuration.Tests.csproj
@@ -23,7 +23,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>

diff --git a/Tests/Opc.Ua.Core.Tests/Opc.Ua.Core.Tests.csproj b/Tests/Opc.Ua.Core.Tests/Opc.Ua.Core.Tests.csproj
@@ -13,7 +13,7 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Moq" Version="4.20.72" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>

diff --git a/Tests/Opc.Ua.Core.Tests/Security/Certificates/CertificateValidatorTest.cs b/Tests/Opc.Ua.Core.Tests/Security/Certificates/CertificateValidatorTest.cs
@@ -39,6 +39,7 @@
 using System.Threading.Tasks;
 using NUnit.Framework;
 using Opc.Ua.Security.Certificates;
+using Opc.Ua.Security.Certificates.Tests;
 using Assert = NUnit.Framework.Legacy.ClassicAssert;
 
 #if NETCOREAPP2_1 || !ECC_SUPPORT
@@ -55,6 +56,11 @@ namespace Opc.Ua.Core.Tests.Security.Certificates
     [SetCulture("en-us")]
     public class CertificateValidatorTest
     {
+        #region DataPoints
+        [DatapointSource]
+        public static readonly ECCurveHashPair[] ECCurveHashPairs = CertificateTestsForECDsa.GetECCurveHashPairs();
+        #endregion
+
         #region Test Setup
         public const string RootCASubject = "CN=Root CA Test Cert, O=OPC Foundation";
 
@@ -1268,6 +1274,36 @@ public async Task TestMinimumKeyRejected(bool trusted)
             certValidator.CertificateValidation -= approver.OnCertificateValidation;
         }
 
+        /// <summary>
+        /// Test that Hash sizes lower than public key sizes of certificates are not valid
+        /// </summary>
+        /// <param name="ecCurveHashPair"></param>
+        /// <returns></returns>
+        [Theory]
+        public async Task ECDsaHashSizeLowerThanPublicKeySize(
+            ECCurveHashPair ecCurveHashPair
+            )
+        {
+            if (ecCurveHashPair.HashSize > 0)
+            {
+                // default signing cert with custom key
+                X509Certificate2 cert = CertificateBuilder.Create("CN=LowHash")
+                    .SetHashAlgorithm(HashAlgorithmName.SHA512)
+                    .SetECCurve(ecCurveHashPair.Curve)
+                    .CreateForECDsa();
+
+                var validator = TemporaryCertValidator.Create();
+                await validator.TrustedStore.Add(cert).ConfigureAwait(false);
+                var certValidator = validator.Update();
+
+                var serviceResultException = Assert.Throws<ServiceResultException>(() => certValidator.Validate(cert));
+                Assert.AreEqual((StatusCode)StatusCodes.BadCertificatePolicyCheckFailed, (StatusCode)serviceResultException.StatusCode, serviceResultException.Message);
+                Assert.NotNull(serviceResultException.InnerResult);
+                ServiceResult innerResult = serviceResultException.InnerResult.InnerResult;
+                Assert.Null(innerResult);
+            }
+        }
+
         /// <summary>
         /// Test auto accept.
         /// </summary>

diff --git a/Tests/Opc.Ua.Gds.Tests/Opc.Ua.Gds.Tests.csproj b/Tests/Opc.Ua.Gds.Tests/Opc.Ua.Gds.Tests.csproj
@@ -26,7 +26,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>

diff --git a/Tests/Opc.Ua.PubSub.Tests/Opc.Ua.PubSub.Tests.csproj b/Tests/Opc.Ua.PubSub.Tests/Opc.Ua.PubSub.Tests.csproj
@@ -22,7 +22,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit" Version="4.3.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.6.0">
       <PrivateAssets>all</PrivateAssets>