-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathSetupSecurity.cpp
226 lines (196 loc) · 7.46 KB
/
SetupSecurity.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* Copyright (c) 2019-2022 Christian von Arnim, ISW University of Stuttgart (for umati and VDW e.V.)
* Copyright (c) 2020 Dominik Basner, Sotec GmbH (for VDW e.V.)
* Copyright (c) 2021 Marius Dege, basysKom GmbH
* Copyright (c) 2022 Moritz Walker, ISW University of Stuttgart (for umati and VDW e.V.)
* Copyright (c) 2023 Marc Fischer, ISW University of Stuttgart (for umati and VDW e.V.)
* Copyright (c) 2023 Sebastian Friedl, FVA GmbH interop4x
*/
#include "SetupSecurity.hpp"
// #include <python3.8/Python.h>
#include <open62541/config.h>
#include <open62541/plugin/create_certificate.h>
#include <open62541/plugin/log_stdout.h>
#include <Open62541Cpp/UA_String.hpp>
#include <Open62541Cpp/UA_QualifiedName.hpp>
#include <stdlib.h>
#include <string>
#include <fstream>
#include <iostream>
#include <easylogging++.h>
#include <sstream>
#if defined(_WIN32)
#include <io.h>
#else
#include <unistd.h>
#endif
namespace Umati {
namespace OpcUa {
UA_StatusCode bypassVerify(const UA_CertificateVerification *verificationContext, const UA_ByteString *cert) { return UA_STATUSCODE_GOOD; }
const std::string SetupSecurity::m_applicationName = std::string("umati Dashboard Gateway");
const std::string SetupSecurity::m_applicationUri = std::string("http://umati.app/OPCUA_Gateway");
const std::string SetupSecurity::m_productUri = std::string("KonI40OpcUaClient_Product");
SetupSecurity::paths_t SetupSecurity::paths = {
"./pki/",
"./pki/server/trusted/",
"./pki/server/revoked/",
"./pki/client_cert.der",
"./pki/client_key.der",
"./pki/issuer/trusted/",
"./pki/issuer/revoked/"};
/* saveFile is used to save the certificate file.
*
* @param path specifies the file name given
* @return Returns 0 if fpfrintf succeeded and -1 if it failed*/
static UA_INLINE int saveFile(const char *data, const char *path) {
FILE *fp = fopen(path, "w");
int retVal = fprintf(fp, "%s", data);
fclose(fp);
if (retVal > 0) {
return 0;
}
return -1;
}
/* loadFile parses the certificate file.
*
* @param path specifies the file name given
* @return Returns the file content after parsing */
static UA_INLINE UA_ByteString loadFile(const char *const path) {
UA_ByteString fileContents = UA_STRING_NULL;
/* Open the file */
FILE *fp = fopen(path, "rb");
if (!fp) {
errno = 0; /* We read errno also from the tcp layer... */
return fileContents;
}
/* Get the file length, allocate the data and read */
fseek(fp, 0, SEEK_END);
fileContents.length = (size_t)ftell(fp);
fileContents.data = (UA_Byte *)UA_malloc(fileContents.length * sizeof(UA_Byte));
if (fileContents.data) {
fseek(fp, 0, SEEK_SET);
size_t read = fread(fileContents.data, sizeof(UA_Byte), fileContents.length, fp);
if (read != fileContents.length) UA_ByteString_clear(&fileContents);
} else {
fileContents.length = 0;
}
fclose(fp);
return fileContents;
}
static bool createDirs(std::string directory) {
if (directory.empty()) {
return true;
}
std::vector<std::string> parts;
std::string pathPart = "";
unsigned int i = 0;
// Directory must end with a '/', otherwise last part is ignored (expected file)
while (i < directory.size()) {
if (directory[i] != '/') {
pathPart += directory[i];
} else {
parts.push_back(pathPart);
pathPart = "";
}
++i;
}
std::stringstream ss;
bool first = true;
for (const auto &part : parts) {
if (part.empty()) {
continue;
}
if (!first) {
ss << "/";
} else {
first = false;
}
ss << part;
if (part == "." || part == "..") {
continue;
}
#if defined(_WIN32)
if (_mkdir(ss.str().c_str()) != 0)
#else
if (mkdir(ss.str().c_str(), mode_t(0775)) != 0)
#endif
{
if (errno != EEXIST) {
return false;
}
}
}
return true;
}
bool SetupSecurity::setupSecurity(UA_ClientConfig *config, UA_Client *client, bool bypassCertVerification) {
std::ifstream f(paths.ClientPrivCert.c_str());
if (!f.good()) {
createDirs(paths.ServerRevokedCerts);
createDirs(paths.ServerTrustedCerts);
createDirs(paths.IssuerRevokedCerts);
createDirs(paths.IssuerTrustedCerts);
}
UA_ByteString certificate = loadFile(paths.ClientPubCert.c_str());
UA_ByteString privateKey = loadFile(paths.ClientPrivCert.c_str());
if (certificate.length == 0 || privateKey.length == 0) {
createNewClientCert();
certificate = loadFile(paths.ClientPubCert.c_str());
privateKey = loadFile(paths.ClientPrivCert.c_str());
if (certificate.length == 0 || privateKey.length == 0) {
LOG(ERROR) << "Could not load client keyfiles ('" << paths.ClientPubCert << "', '" << paths.ClientPrivCert << "')";
}
}
// VERIFY do we need the trustlist?
size_t trustListSize = 0;
UA_ByteString *trustList = NULL;
UA_ByteString *revocationList = NULL;
size_t revocationListSize = 0;
UA_ClientConfig_setDefaultEncryption(config, certificate, privateKey, trustList, trustListSize, revocationList, revocationListSize);
setSessionConnectInfo(config->clientDescription);
if (bypassCertVerification) {
config->certificateVerification.verifyCertificate = &bypassVerify;
}
UA_ByteString_clear(&certificate);
UA_ByteString_clear(&privateKey);
return true;
}
void SetupSecurity::setSessionConnectInfo(UA_ApplicationDescription &sessionConnectInfo) {
UA_LocalizedText_clear(&sessionConnectInfo.applicationName);
sessionConnectInfo.applicationName = UA_LOCALIZEDTEXT_ALLOC("en-US", m_applicationName.c_str());
UA_String_clear(&sessionConnectInfo.applicationUri);
sessionConnectInfo.applicationUri = UA_STRING_ALLOC(m_applicationUri.c_str());
UA_String_clear(&sessionConnectInfo.productUri);
sessionConnectInfo.productUri = UA_STRING_ALLOC(m_productUri.c_str());
}
void SetupSecurity::createNewClientCert() {
LOG(INFO) << "Creating new client certificate";
UA_String subject[3] = {UA_STRING_STATIC("C=DE"), UA_STRING_STATIC("O=UmatiApp"), UA_STRING_STATIC("CN=UmatiDashboardGateway@localhost")};
UA_UInt32 lenSubject = 3;
std::stringstream ssSubAltNameUri;
ssSubAltNameUri << "URI:" << m_applicationUri;
open62541Cpp::UA_String altNameUri(ssSubAltNameUri.str());
UA_String subjectAltName[2] = {UA_STRING_STATIC("DNS:localhost"), *altNameUri.String};
UA_UInt32 lenSubjectAltName = 2;
UA_ByteString certificate = UA_BYTESTRING_NULL;
UA_ByteString privateKey = UA_BYTESTRING_NULL;
UA_KeyValueMap *kvm = UA_KeyValueMap_new();
UA_UInt16 expiresIn = 356;
UA_KeyValueMap_setScalar(kvm, *open62541Cpp::UA_QualifiedName(0, "expires-in-days").QualifiedName, (void *)&expiresIn, &UA_TYPES[UA_TYPES_UINT16]);
UA_UInt16 keySize = 2048;
UA_KeyValueMap_setScalar(kvm, *open62541Cpp::UA_QualifiedName(0, "key-size-bits").QualifiedName, (void *)&keySize, &UA_TYPES[UA_TYPES_UINT16]);
UA_StatusCode statusCertGen =
UA_CreateCertificate(UA_Log_Stdout, subject, lenSubject, subjectAltName, lenSubjectAltName, UA_CERTIFICATEFORMAT_PEM, kvm, &privateKey, &certificate);
UA_KeyValueMap_delete(kvm);
if (statusCertGen != UA_STATUSCODE_GOOD) {
UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "Generating Certificate failed: %s", UA_StatusCode_name(statusCertGen));
return;
}
saveFile((char *)certificate.data, paths.ClientPubCert.c_str());
saveFile((char *)privateKey.data, paths.ClientPrivCert.c_str());
return;
}
} // namespace OpcUa
} // namespace Umati