From 83e81de66ecf1eb538b9d23b4a7c0dacfee1416e Mon Sep 17 00:00:00 2001
From: Janik Knodel <10290002+led0nk@users.noreply.github.com>
Date: Thu, 30 Jan 2025 15:21:18 +0100
Subject: [PATCH] security policies
---
 opcua_plugin/authentication.go | 20 ++++++++++++++++++--
 opcua_plugin/connect.go | 2 +-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/opcua_plugin/authentication.go b/opcua_plugin/authentication.go
index 86236b5e..4c6fc3b5 100644
--- a/opcua_plugin/authentication.go
+++ b/opcua_plugin/authentication.go
@@ -16,13 +16,17 @@ func (g *OPCUAInput) orderEndpoints(
 selectedAuthentication ua.UserTokenType,
 ) []*ua.EndpointDescription {
- var highSecurityEndpoints, noSecurityEndpoints []*ua.EndpointDescription
+ var highSecurityEndpoints, mediumSecurityEndpoints, lowSecurityEndpoints, noSecurityEndpoints []*ua.EndpointDescription
 for _, endpoint := range endpoints {
 if isUserTokenSupported(endpoint, selectedAuthentication) {
 switch {
 case isSignAndEncryptbasic256Sha256Endpoint(endpoint):
 highSecurityEndpoints = append(highSecurityEndpoints, endpoint)
+ case isSignAndEncryptbasic256Endpoint(endpoint):
+ mediumSecurityEndpoints = append(mediumSecurityEndpoints, endpoint)
+ case isSignAndEncryptbasic128Rsa15Endpoint(endpoint):
+ lowSecurityEndpoints = append(lowSecurityEndpoints, endpoint)
 case isNoSecurityEndpoint(endpoint):
 noSecurityEndpoints = append(noSecurityEndpoints, endpoint)
 }
@@ -30,7 +34,9 @@ func (g *OPCUAInput) orderEndpoints(
 }
 }
 // Append no security endpoints to the end of the high security endpoints.
- orderedEndpoints := append(highSecurityEndpoints, noSecurityEndpoints...)
+ orderedEndpoints := append(highSecurityEndpoints, mediumSecurityEndpoints...)
+ orderedEndpoints = append(orderedEndpoints, lowSecurityEndpoints...)
+ orderedEndpoints = append(orderedEndpoints, noSecurityEndpoints...)
 return orderedEndpoints
 }
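Review bot: The switch in orderEndpoints still has no case for Sign-only endpoints or for the newer policies (Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss), so an endpoint advertising one of those matches none of the four cases and is silently dropped from the ordered list; a server offering only those policies plus None would be reduced to its None entry, i.e. an unencrypted channel where a stronger one was available. Since the added medium and low tiers only extend the fallback downward, a case ranking the modern policies at or above Basic256Sha256 would be the real improvement, and at minimum a `default:` branch that records what was discarded, e.g. `default: g.Log.Debugf("ignoring endpoint %s: unsupported policy %s / mode %v", endpoint.EndpointURL, endpoint.SecurityPolicyURI, endpoint.SecurityMode)` (assuming the logger has a Debugf, as it has the Errorf used in connect.go). Whether the caller actually connects to the first entry of the returned slice is not visible here, and orderEndpoints continues past this hunk.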
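Review bot: The context comment `// Append no security endpoints to the end of the high security endpoints.` no longer describes the three appends beneath it, which now also interleave the Basic256 and Basic128Rsa15 tiers between the Basic256Sha256 endpoints and the unencrypted ones. Replace it with something like `// Preference order: Basic256Sha256 first, then the deprecated Basic256 and Basic128Rsa15 policies as fallbacks, unencrypted (None) endpoints last.` Keeping the None tier at the tail means a caller that tries the list in order will quietly end up on an unencrypted channel when every encrypted attempt fails; if that downgrade is intended, the function's doc comment (its header is in the previous hunk) should say so, so that operators know to log the policy of the endpoint that was finally selected.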
@@ -51,6 +57,16 @@ func isSignAndEncryptbasic256Sha256Endpoint(endpoint *ua.EndpointDescription) bo
 endpoint.SecurityPolicyURI == "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
 }
+func isSignAndEncryptbasic256Endpoint(endpoint *ua.EndpointDescription) bool {
+ return endpoint.SecurityMode == ua.MessageSecurityModeFromString("SignAndEncrypt") &&
+ endpoint.SecurityPolicyURI == "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
+}
+
+func isSignAndEncryptbasic128Rsa15Endpoint(endpoint *ua.EndpointDescription) bool {
+ return endpoint.SecurityMode == ua.MessageSecurityModeFromString("SignAndEncrypt") &&
+ endpoint.SecurityPolicyURI == "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
+}
+
 // isNoSecurityEndpoint checks if the endpoint has no security configured.
 func isNoSecurityEndpoint(endpoint *ua.EndpointDescription) bool {
 return endpoint.SecurityMode == ua.MessageSecurityModeFromString("None") &&
diff --git a/opcua_plugin/connect.go b/opcua_plugin/connect.go
index 23fe3e84..f2825061 100644
--- a/opcua_plugin/connect.go
+++ b/opcua_plugin/connect.go
@@ -40,7 +40,7 @@ func (g *OPCUAInput) GetOPCUAClientOptions(selectedEndpoint *ua.EndpointDescript
 // Generate certificates if Basic256Sha256
 if selectedEndpoint.SecurityPolicyURI == ua.SecurityPolicyURIBasic256Sha256 {
 randomStr := randomString(8) // Generates an 8-character random string
- clientName := "urn:benthos-umh:client-" + randomStr
+ clientName := "urn:benthos-umh-test:client-" + randomStr
 certPEM, keyPEM, err := GenerateCert(clientName, 2048, 24*time.Hour*365*10)
 if err != nil {
 g.Log.Errorf("Failed to generate certificate: %v", err)
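Review bot: The two new predicates carry no doc comment, unlike their sibling `isNoSecurityEndpoint` right below them, and the fact worth documenting is that both policies are deprecated by the OPC UA specification — Basic128Rsa15 uses SHA-1 and RSA PKCS#1 v1.5, Basic256 still uses SHA-1 — and are matched here only as fallbacks behind Basic256Sha256. A comment such as `// isSignAndEncryptbasic128Rsa15Endpoint matches the deprecated Basic128Rsa15 policy (SHA-1, RSA PKCS#1 v1.5); it is a last-resort fallback for legacy servers, not a policy to prefer.` (and the analogous one for Basic256) would make that intent visible to the next maintainer. Both helpers also compare against hand-written URI literals and call `ua.MessageSecurityModeFromString("SignAndEncrypt")` on every invocation, whereas connect.go already uses `ua.SecurityPolicyURIBasic256Sha256`; the matching `ua.SecurityPolicyURIBasic256`, `ua.SecurityPolicyURIBasic128Rsa15` and `ua.MessageSecurityModeSignAndEncrypt` constants, if the library exports them as it does for Basic256Sha256, would remove the per-call string parse and the risk of a typo silently disabling a tier. The hunk starts inside isSignAndEncryptbasic256Sha256Endpoint and ends inside isNoSecurityEndpoint.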
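Review bot: The guard `if selectedEndpoint.SecurityPolicyURI == ua.SecurityPolicyURIBasic256Sha256 {` still generates a client certificate only for that one policy, while orderEndpoints in this same commit now ranks Basic256 and Basic128Rsa15 SignAndEncrypt endpoints ahead of None; when one of those is selected this branch is skipped and the client options are presumably built without a certificate and key, which a SignAndEncrypt channel cannot be opened with. Widening the condition to every secured endpoint, `if selectedEndpoint.SecurityMode != ua.MessageSecurityModeNone {`, and rewording the comment above it to `// Generate a client certificate for every secured (Sign/SignAndEncrypt) endpoint`, would keep the two files consistent. Separately, the only change in this hunk renames the application URI to `urn:benthos-umh-test:client-`; the `-test` suffix reads like a leftover from local testing, and since this string ends up in the certificate the server is asked to trust, it is worth confirming the rename is intended. The rest of GetOPCUAClientOptions lies outside the hunk.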