Documentation
Overview
Package uasc provides encoding/decoding and automated secure channel and session handling for OPC UA Secure Conversation.
Index
- Constants
- type AsymmetricSecurityHeader
- type Config
- type Header
- type Message
- type MessageAbort
- type MessageChunk
- type MessageHeader
- type Response
- type SecureChannel
- func (s *SecureChannel) Close() error
- func (s *SecureChannel) EncryptUserPassword(policyURI, password string, cert, nonce []byte) ([]byte, string, error)
- func (s *SecureChannel) LocalEndpoint() string
- func (s *SecureChannel) NewSessionSignature(cert, nonce []byte) ([]byte, string, error)
- func (s *SecureChannel) NewUserTokenSignature(policyURI string, cert, nonce []byte) ([]byte, string, error)
- func (s *SecureChannel) Open() error
- func (s *SecureChannel) Send(svc interface{}, authToken *ua.NodeID, h func(interface{}) error) error
- func (s *SecureChannel) SendAsync(svc interface{}, authToken *ua.NodeID) (resp chan Response, err error)
- func (s *SecureChannel) VerifySessionSignature(cert, nonce, signature []byte) error
- type SequenceHeader
- type SessionConfig
- type SymmetricSecurityHeader
Constants
const (
	MessageTypeMessage            = "MSG"
	MessageTypeOpenSecureChannel  = "OPN"
	MessageTypeCloseSecureChannel = "CLO"
)
MessageType definitions.
const (
	ChunkTypeIntermediate = 'C'
	ChunkTypeFinal        = 'F'
	ChunkTypeError        = 'A'
)
ChunkType definitions.
Variables
This section is empty.
Functions
This section is empty.
Types
type AsymmetricSecurityHeader
type AsymmetricSecurityHeader struct {
	SecurityPolicyURI             string
	SenderCertificate             []byte
	ReceiverCertificateThumbprint []byte
}
AsymmetricSecurityHeader represents an Asymmetric Algorithm Security Header in OPC UA Secure Conversation.
func NewAsymmetricSecurityHeader
func NewAsymmetricSecurityHeader(uri string, cert, thumbprint []byte) *AsymmetricSecurityHeader
NewAsymmetricSecurityHeader creates a new OPC UA Secure Conversation Asymmetric Algorithm Security Header.
func (*AsymmetricSecurityHeader) Decode
func (h *AsymmetricSecurityHeader) Decode(b []byte) (int, error)
func (*AsymmetricSecurityHeader) Encode
func (h *AsymmetricSecurityHeader) Encode() ([]byte, error)
func (*AsymmetricSecurityHeader) Len
func (h *AsymmetricSecurityHeader) Len() int
Len returns the header length in bytes.
func (*AsymmetricSecurityHeader) String
func (a *AsymmetricSecurityHeader) String() string
String returns the header as a string.
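The three header fields are OPC UA Strings/ByteStrings, which Part 6 encodes as a little-endian int32 length prefix followed by the bytes, with a length of -1 meaning null (the case the Config comments describe for an unsigned or unencrypted message). The decoder below is an added, stand-alone example written for this page, not the package's own Decode; it assumes that encoding, uses a hypothetical helper readByteString, and shows the bounds check a parser must apply to every length prefix before slicing, so that an oversized prefix in a received chunk fails cleanly instead of panicking.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// AsymmetricSecurityHeader mirrors the field layout documented above.
type AsymmetricSecurityHeader struct {
	SecurityPolicyURI             string
	SenderCertificate             []byte
	ReceiverCertificateThumbprint []byte
}

// readByteString decodes one OPC UA String/ByteString: little-endian int32 length, then bytes; -1 is null.
func readByteString(b []byte) ([]byte, int, error) {
	if len(b) < 4 {
		return nil, 0, fmt.Errorf("uasc: need 4 bytes for a length prefix, have %d", len(b))
	}
	n := int32(binary.LittleEndian.Uint32(b))
	if n == -1 {
		return nil, 4, nil // null field, e.g. no certificate when the message is unsigned
	}
	if n < 0 || int(n) > len(b)-4 { // validate before slicing: the prefix is untrusted input
		return nil, 0, fmt.Errorf("uasc: length %d exceeds %d remaining bytes", n, len(b)-4)
	}
	return b[4 : 4+int(n)], 4 + int(n), nil
}

// Decode parses the three fields in wire order and returns the bytes consumed.
func (h *AsymmetricSecurityHeader) Decode(b []byte) (int, error) {
	uri, off, err := readByteString(b)
	if err != nil {
		return 0, err
	}
	h.SecurityPolicyURI = string(uri)
	for _, dst := range []*[]byte{&h.SenderCertificate, &h.ReceiverCertificateThumbprint} {
		v, n, err := readByteString(b[off:])
		if err != nil {
			return 0, err
		}
		*dst, off = v, off+n
	}
	return off, nil
}
// main runs the decoder on a constructed chunk: 3-byte URI "abc", then a certificate length claiming 1 GiB.
func main() {
	_, err := new(AsymmetricSecurityHeader).Decode([]byte{3, 0, 0, 0, 'a', 'b', 'c', 0, 0, 0, 0x40})
	fmt.Println(err) // uasc: length 1073741824 exceeds 0 remaining bytes
}
```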
type Config
type Config struct {
	// SecureChannelID is a unique identifier for the SecureChannel assigned by the Server.
	// If a Server receives a SecureChannelId which it does not recognize it shall return an
	// appropriate transport layer error.
	//
	// When a Server starts the first SecureChannelId used should be a value that is likely to
	// be unique after each restart. This ensures that a Server restart does not cause
	// previously connected Clients to accidentally ‘reuse’ SecureChannels that did not belong
	// to them.
	SecureChannelID uint32

	// SecurityPolicyURI is the URI of the Security Policy used to secure the Message.
	// This field is encoded as a UTF-8 string without a null terminator.
	SecurityPolicyURI string

	// Certificate is the X.509 v3 Certificate assigned to the sending application Instance.
	// This is a DER encoded blob.
	// The structure of an X.509 v3 Certificate is defined in X.509 v3.
	// The DER format for a Certificate is defined in X690.
	// This indicates what Private Key was used to sign the MessageChunk.
	// The Stack shall close the channel and report an error to the application if
	// the Certificate is too large for the buffer size supported by the
	// transport layer.
	// This field shall be null if the Message is not signed.
	Certificate []byte

	// LocalKey is an RSA Private Key which will be used to encrypt the OpenSecureChannel
	// messages. It is the key associated with Certificate.
	LocalKey *rsa.PrivateKey

	// Thumbprint is the thumbprint of the X.509 v3 Certificate assigned to the receiving
	// application Instance.
	// The thumbprint is the CertificateDigest of the DER encoded form of the
	// Certificate.
	// This indicates what public key was used to encrypt the MessageChunk.
	// This field shall be null if the Message is not encrypted.
	Thumbprint []byte

	// RemoteCertificate is the X.509 Certificate for the receiving instance.
	// Used to encrypt the message chunks in the OpenSecureChannel phase.
	RemoteCertificate []byte

	// SequenceNumber is a monotonically increasing sequence number assigned by the sender to each
	// MessageChunk sent over the SecureChannel.
	SequenceNumber uint32

	// RequestID is an identifier assigned by the Client to an OPC UA request Message. All MessageChunks
	// for the request and the associated response use the same identifier.
	RequestID uint32

	// SecurityMode is the type of security to apply to the messages. The type MessageSecurityMode
	// is defined in 7.15.
	// A SecureChannel may have to be created even if the securityMode is NONE. The exact behaviour
	// depends on the mapping used and is described in Part 6.
	SecurityMode ua.MessageSecurityMode

	// SecurityTokenID is a unique identifier for the SecureChannel SecurityToken used to secure the Message.
	// This identifier is returned by the Server in an OpenSecureChannel response Message.
	// If a Server receives a TokenId which it does not recognize it shall return an appropriate
	// transport layer error.
	SecurityTokenID uint32

	// Lifetime is the requested lifetime, in milliseconds, for the new SecurityToken when the
	// SecureChannel works as client. It specifies when the Client expects to renew the SecureChannel
	// by calling the OpenSecureChannel Service again. If a SecureChannel is not renewed, then all
	// Messages sent using the current SecurityTokens shall be rejected by the receiver.
	// Lifetime can also be the revised lifetime, the lifetime of the SecurityToken in milliseconds.
	// The UTC expiration time for the token may be calculated by adding the lifetime to the createdAt time.
	Lifetime uint32

	// RequestTimeout is the timeout duration for all synchronous requests over the SecureChannel.
	// If the Server doesn't respond within RequestTimeout, the Client returns StatusBadTimeout.
	RequestTimeout time.Duration
}
Config represents the configuration that the UASC client and server have in common.
type Header
Header represents an OPC UA Secure Conversation Header.
type Message
type Message struct {
	*MessageHeader
	TypeID  *ua.ExpandedNodeID
	Service interface{}
}
Message represents an OPC UA Secure Conversation message.
func NewMessage
NewMessage creates an OPC UA Secure Conversation message. The MessageType of the UASC message is determined by the type of the service given, as below.
Service type: OpenSecureChannel => Message type: OPN.
Service type: CloseSecureChannel => Message type: CLO.
Service type: Others => Message type: MSG.
todo(fs): this feels wrong and we should move this switching into the secure channel.
type MessageAbort
MessageAbort represents a non-terminal OPC UA Secure Channel error.
Specification: Part 6, 7.3
func (*MessageAbort) Encode
func (m *MessageAbort) Encode() ([]byte, error)
func (*MessageAbort) MessageAbort
func (m *MessageAbort) MessageAbort() string
type MessageChunk
type MessageChunk struct {
	*MessageHeader
	Data []byte
}
type MessageHeader
type MessageHeader struct {
	*Header
	*AsymmetricSecurityHeader
	*SymmetricSecurityHeader
	*SequenceHeader
}
type SecureChannel
type SecureChannel struct {
	EndpointURL string
	// contains filtered or unexported fields
}
func NewSecureChannel
func (*SecureChannel) Close
func (s *SecureChannel) Close() error
func (*SecureChannel) EncryptUserPassword
func (s *SecureChannel) EncryptUserPassword(policyURI, password string, cert, nonce []byte) ([]byte, string, error)
EncryptUserPassword issues a new signature for the client to send in ActivateSessionRequest.
func (*SecureChannel) LocalEndpoint
func (s *SecureChannel) LocalEndpoint() string
func (*SecureChannel) NewSessionSignature
func (s *SecureChannel) NewSessionSignature(cert, nonce []byte) ([]byte, string, error)
NewSessionSignature issues a new signature for the client to send on the next ActivateSessionRequest.
func (*SecureChannel) NewUserTokenSignature
func (s *SecureChannel) NewUserTokenSignature(policyURI string, cert, nonce []byte) ([]byte, string, error)
NewUserTokenSignature issues a new signature for the client to send in ActivateSessionRequest.
func (*SecureChannel) Open
func (s *SecureChannel) Open() error
func (*SecureChannel) Send
func (s *SecureChannel) Send(svc interface{}, authToken *ua.NodeID, h func(interface{}) error) error
Send sends the service request and calls h with the response.
func (*SecureChannel) SendAsync
func (s *SecureChannel) SendAsync(svc interface{}, authToken *ua.NodeID) (resp chan Response, err error)
SendAsync sends the service request and returns a channel which will receive the response when it arrives.
func (*SecureChannel) VerifySessionSignature
func (s *SecureChannel) VerifySessionSignature(cert, nonce, signature []byte) error
VerifySessionSignature checks the integrity of a Create/Activate Session Response's signature.
type SequenceHeader
SequenceHeader represents a Sequence Header in OPC UA Secure Conversation.
func NewSequenceHeader
func NewSequenceHeader(seq, req uint32) *SequenceHeader
NewSequenceHeader creates a new OPC UA Secure Conversation Sequence Header.
func (*SequenceHeader) Encode
func (h *SequenceHeader) Encode() ([]byte, error)
func (*SequenceHeader) String
func (s *SequenceHeader) String() string
String returns the header as a string.
type SessionConfig
type SessionConfig struct {
	// AuthenticationToken is the secret Session identifier used to verify that the request is
	// associated with the Session. The SessionAuthenticationToken type is defined in 7.31.
	AuthenticationToken *ua.NodeID

	// ClientDescription is the information that describes the Client application.
	// The type ApplicationDescription is defined in 7.1.
	ClientDescription *ua.ApplicationDescription

	// ServerEndpoints is the list of Endpoints that the Server supports.
	// The Server shall return a set of EndpointDescriptions available for the serverUri
	// specified in the request. The EndpointDescription type is defined in 7.10. The Client
	// shall verify this list with the list from a DiscoveryEndpoint if it used a
	// DiscoveryEndpoint to fetch the EndpointDescriptions.
	// It is recommended that Servers only include the server.applicationUri, endpointUrl,
	// securityMode, securityPolicyUri, userIdentityTokens, transportProfileUri and
	// securityLevel with all other parameters set to null. Only the recommended
	// parameters shall be verified by the client.
	ServerEndpoints []*ua.EndpointDescription

	// LocaleIDs is the list of locale ids in priority order for localized strings. The first
	// LocaleId in the list has the highest priority. If the Server returns a localized string
	// to the Client, the Server shall return the translation with the highest priority that
	// it can. If it does not have a translation for any of the locales identified in this list,
	// then it shall return the string value that it has and include the locale id with the
	// string. See Part 3 for more detail on locale ids. If the Client fails to specify at least
	// one locale id, the Server shall use any that it has.
	// This parameter only needs to be specified during the first call to ActivateSession during
	// a single application Session. If it is not specified the Server shall keep using the
	// current localeIds for the Session.
	LocaleIDs []string

	// UserIdentityToken is the credentials of the user associated with the Client application.
	// The Server uses these credentials to determine whether the Client should be allowed to
	// activate a Session and what resources the Client has access to during this Session.
	// The UserIdentityToken is an extensible parameter type defined in 7.36.
	// The EndpointDescription specifies what UserIdentityTokens the Server shall accept.
	// Null or empty user token shall always be interpreted as anonymous.
	UserIdentityToken interface{}

	// If the Client specified a user identity token that supports digital signatures, then it
	// shall create a signature and pass it as this parameter. Otherwise the parameter is null.
	// The SignatureAlgorithm depends on the identity token type.
	// The SignatureData type is defined in 7.32.
	UserTokenSignature *ua.SignatureData

	// If the Session works as a client, SessionTimeout is the requested maximum number of milliseconds
	// that a Session should remain open without activity. If the Client fails to issue a Service
	// request within this interval, then the Server shall automatically terminate the Client Session.
	// If the Session works as a server, SessionTimeout is the actual maximum number of milliseconds
	// that a Session shall remain open without activity. The Server should attempt to honour the
	// Client request for this parameter, but may negotiate this value up or down to meet its own constraints.
	SessionTimeout time.Duration

	// Stored version of the password to authenticate against a server
	// todo: storing passwords in memory seems wrong
	AuthPassword string

	// PolicyURI to use when encrypting secrets for the User Identity Token
	// Could be different from the secure channel's policy
	AuthPolicyURI string
}
SessionConfig is a set of common configurations used in a Session.
type SymmetricSecurityHeader
type SymmetricSecurityHeader struct {
	TokenID uint32
}
SymmetricSecurityHeader represents a Symmetric Algorithm Security Header in OPC UA Secure Conversation.
func NewSymmetricSecurityHeader
func NewSymmetricSecurityHeader(token uint32) *SymmetricSecurityHeader
NewSymmetricSecurityHeader creates a new OPC UA Secure Conversation Symmetric Algorithm Security Header.
func (*SymmetricSecurityHeader) Decode
func (h *SymmetricSecurityHeader) Decode(b []byte) (int, error)
func (*SymmetricSecurityHeader) Encode
func (h *SymmetricSecurityHeader) Encode() ([]byte, error)
func (*SymmetricSecurityHeader) Len
func (h *SymmetricSecurityHeader) Len() int
Len returns the header length in bytes.
func (*SymmetricSecurityHeader) String
func (h *SymmetricSecurityHeader) String() string
String returns the header as a string.