locka99 / opcua

A client and server implementation of the OPC UA specification written in Rust
Mozilla Public License 2.0
496 stars 131 forks

Fix username/password authentication #111

Closed laumann closed 3 years ago

laumann commented 3 years ago

This fixes two issues that combined caused the client to be unable to connect to our OPC-UA server (Kepware).

Here's a snippet from the GetEndpointsResponse that details the endpoint configuration:

    0000000000:             messageSecurityMode: None 
    0000000000:             securityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#None 
    0000000000:             userIdentityTokens []: Size: 2 
    0000000000:                userIdentityTokens [ 0 ]: 
    0000000000:                   policyId: UserName 
    0000000000:                   tokenType: 1 
    0000000000:                   issuedTokenType: [empty] 
    0000000000:                   isssuerEndpointUrl: [empty] 
    0000000000:                   securityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15 

Overall, the two problems were:

crypto/user_identity: Fix selection of security policy

In make_user_name_identity_token() the security policy to use when authenticating with username and password is determined from the user_token_policy and token_security_policy.

In our tests, if the server provides e.g. Basic128Rsa15 as the user token policy, the logic would select None as the policy and subsequently not encrypt the password and fail to connect.

Inverting some of the logic appears to work (at least for our tests).

core/comms/secure_channel: Always set remote nonce

The set_remote_nonce_from_byte_string() function performs some checks against the message security mode.

In our tests, we use security policy = None and security mode = None, but the server sets Basic128Rsa15 for the user identity token policy, meaning that we still need to use the server nonce for authentication.

This patch removes all the checking around security policy and mode, which allows the client to connect to our OPC-UA server (Kepware) successfully.
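The two decisions the PR touches, modelled as an added example that is not code from the opcua crate or from this PR: which security policy protects the password of a UserName identity token, and whether the server nonce is needed to build it. The type and function names (`SecurityPolicy`, `UserTokenPolicy`, `password_policy`, `needs_server_nonce`, `prepare_password_secret`) are hypothetical stand-ins, not the crate's API; the endpoint values in `main` are taken from the GetEndpointsResponse above, and the nonce and password are constructed sample data.

```rust
// Added example, not code from the opcua crate or from this PR. It models the
// two decisions the PR touches: which security policy protects a UserName
// token's password, and whether the server nonce is needed to build it.
// Type and function names here are hypothetical stand-ins, not the crate's API.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SecurityPolicy {
    None,
    Basic128Rsa15,
    Basic256,
    Basic256Sha256,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum MessageSecurityMode {
    None,
    Sign,
    SignAndEncrypt,
}

impl SecurityPolicy {
    /// Maps the URI form advertised in GetEndpointsResponse to a policy.
    pub fn from_uri(uri: &str) -> Option<SecurityPolicy> {
        match uri {
            "http://opcfoundation.org/UA/SecurityPolicy#None" => Some(SecurityPolicy::None),
            "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15" => Some(SecurityPolicy::Basic128Rsa15),
            "http://opcfoundation.org/UA/SecurityPolicy#Basic256" => Some(SecurityPolicy::Basic256),
            "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256" => Some(SecurityPolicy::Basic256Sha256),
            _ => None,
        }
    }
}

/// Stand-in for one entry of the endpoint's userIdentityTokens array.
pub struct UserTokenPolicy<'a> {
    pub policy_id: &'a str,
    /// Empty means "inherit the endpoint's securityPolicyUri" (OPC UA Part 4).
    pub security_policy_uri: &'a str,
}

/// The policy that protects the password: the token policy's own URI when it
/// is set, otherwise the endpoint's channel policy. A None channel must not
/// override a non-None token policy, which is the first problem the PR describes.
pub fn password_policy(endpoint_policy: SecurityPolicy, token: &UserTokenPolicy) -> Option<SecurityPolicy> {
    if token.security_policy_uri.is_empty() {
        Some(endpoint_policy)
    } else {
        SecurityPolicy::from_uri(token.security_policy_uri)
    }
}

/// The server nonce is needed whenever the password will be encrypted, even
/// when the secure channel itself runs with mode None (the second problem).
pub fn needs_server_nonce(_mode: MessageSecurityMode, password_policy: SecurityPolicy) -> bool {
    password_policy != SecurityPolicy::None
}

/// Builds the secret that the asymmetric cipher of `policy` would encrypt:
/// UInt32 little-endian length of (password || server nonce), then those bytes
/// (the legacy encrypted token secret layout of OPC UA Part 4). Refuses to
/// proceed when encryption is required but no nonce has been recorded, so the
/// password is never silently sent in clear under a non-None policy.
pub fn prepare_password_secret(
    password: &[u8],
    server_nonce: Option<&[u8]>,
    policy: SecurityPolicy,
) -> Result<Vec<u8>, &'static str> {
    if policy == SecurityPolicy::None {
        // Policy None: the password travels unencrypted inside the token.
        return Ok(password.to_vec());
    }
    let nonce = server_nonce.ok_or("server nonce required to encrypt the password but none was set")?;
    let len = (password.len() + nonce.len()) as u32;
    let mut secret = Vec::with_capacity(4 + len as usize);
    secret.extend_from_slice(&len.to_le_bytes());
    secret.extend_from_slice(password);
    secret.extend_from_slice(nonce);
    Ok(secret)
}

fn main() {
    // Endpoint as in the PR description: channel policy None, UserName token policy Basic128Rsa15.
    let token = UserTokenPolicy {
        policy_id: "UserName",
        security_policy_uri: "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    };
    let policy = password_policy(SecurityPolicy::None, &token).expect("known policy URI");
    let nonce: [u8; 4] = [0xde, 0xad, 0xbe, 0xef]; // constructed sample nonce
    println!("password policy for {}: {:?}", token.policy_id, policy);
    println!("nonce needed with channel mode None: {}", needs_server_nonce(MessageSecurityMode::None, policy));
    println!("secret to encrypt: {:?}", prepare_password_secret(b"s3cret", Some(&nonce[..]), policy));
    println!("without nonce: {:?}", prepare_password_secret(b"s3cret", None, policy));
}
```

With the endpoint from the response above, `password_policy` yields Basic128Rsa15 despite the None channel, `needs_server_nonce` is true even though the message security mode is None, and `prepare_password_secret` returns an error instead of a cleartext password when the nonce was never recorded; that error is the failure a client should surface rather than connect with an unprotected credential.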

laumann commented 3 years ago

Hi @locka99 sorry for the noise, I wanted to open this PR against omnioiot/opcua and do a full verification that it works before opening a PR for you. I'm also not convinced that the fix I've implemented is the right way to do it, but I think it works for our purposes for now.