From dccdfe629c9352df5ef45fab38c058ae2daf7e12 Mon Sep 17 00:00:00 2001 From: Noel Graf Date: Thu, 5 Sep 2024 10:58:43 +0200 Subject: [PATCH] feat(plugin): Check which privateKey should be used if no key is specified --- .../securitypolicy_aes128sha256rsaoaep.c | 25 ++++++++++++----- .../securitypolicy_aes256sha256rsapss.c | 25 ++++++++++++----- .../mbedtls/securitypolicy_basic128rsa15.c | 25 ++++++++++++----- .../crypto/mbedtls/securitypolicy_basic256.c | 27 +++++++++++++------ .../mbedtls/securitypolicy_basic256sha256.c | 25 ++++++++++++----- .../securitypolicy_aes128sha256rsaoaep.c | 21 ++++++++++++--- .../securitypolicy_aes256sha256rsapss.c | 20 +++++++++++--- .../openssl/securitypolicy_basic128rsa15.c | 21 ++++++++++++--- .../crypto/openssl/securitypolicy_basic256.c | 21 ++++++++++++--- .../openssl/securitypolicy_basic256sha256.c | 21 ++++++++++++--- 10 files changed, 180 insertions(+), 51 deletions(-) diff --git a/plugins/crypto/mbedtls/securitypolicy_aes128sha256rsaoaep.c b/plugins/crypto/mbedtls/securitypolicy_aes128sha256rsaoaep.c index 3c5ab54d6..8a5611fd1 100644 --- a/plugins/crypto/mbedtls/securitypolicy_aes128sha256rsaoaep.c +++ b/plugins/crypto/mbedtls/securitypolicy_aes128sha256rsaoaep.c @@ -603,6 +603,12 @@ updateCertificateAndPrivateKey_sp_aes128sha256rsaoaep(UA_SecurityPolicy *securit Aes128Sha256PsaOaep_PolicyContext *pc = (Aes128Sha256PsaOaep_PolicyContext *) securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_mbedTLS_LoadLocalCertificate(&newCertificate, &securityPolicy->localCertificate); @@ -611,12 +617,19 @@ updateCertificateAndPrivateKey_sp_aes128sha256rsaoaep(UA_SecurityPolicy *securit return retval; /* Set the new private key */ - mbedtls_pk_free(&pc->localPrivateKey); - mbedtls_pk_init(&pc->localPrivateKey); - int mbedErr = UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext); - if(mbedErr) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; - goto error; + if(newPrivateKey.length > 0) { + mbedtls_pk_free(&pc->localPrivateKey); + mbedtls_pk_init(&pc->localPrivateKey); + if(UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext)) { + retval = UA_STATUSCODE_BADNOTSUPPORTED; + goto error; + } + } else { + if(!isLocalKey) { + mbedtls_pk_free(&pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + mbedtls_pk_init(&pc->csrLocalPrivateKey); + } } retval = asym_makeThumbprint_sp_aes128sha256rsaoaep(securityPolicy, diff --git a/plugins/crypto/mbedtls/securitypolicy_aes256sha256rsapss.c b/plugins/crypto/mbedtls/securitypolicy_aes256sha256rsapss.c index c84b04ec8..48ae760fd 100644 --- a/plugins/crypto/mbedtls/securitypolicy_aes256sha256rsapss.c +++ b/plugins/crypto/mbedtls/securitypolicy_aes256sha256rsapss.c @@ -695,6 +695,12 @@ updateCertificateAndPrivateKey_sp_aes256sha256rsapss(UA_SecurityPolicy *security Aes256Sha256RsaPss_PolicyContext *pc = (Aes256Sha256RsaPss_PolicyContext *) securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_mbedTLS_LoadLocalCertificate(&newCertificate, &securityPolicy->localCertificate); @@ -703,12 +709,19 @@ updateCertificateAndPrivateKey_sp_aes256sha256rsapss(UA_SecurityPolicy *security return retval; /* Set the new private key */ - mbedtls_pk_free(&pc->localPrivateKey); - mbedtls_pk_init(&pc->localPrivateKey); - int mbedErr = UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext); - if(mbedErr) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; - goto error; + if(newPrivateKey.length > 0) { + mbedtls_pk_free(&pc->localPrivateKey); + mbedtls_pk_init(&pc->localPrivateKey); + if(UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext)) { + retval = UA_STATUSCODE_BADNOTSUPPORTED; + goto error; + } + } else { + if(!isLocalKey) { + mbedtls_pk_free(&pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + mbedtls_pk_init(&pc->csrLocalPrivateKey); + } } retval = asym_makeThumbprint_sp_aes256sha256rsapss(securityPolicy, diff --git a/plugins/crypto/mbedtls/securitypolicy_basic128rsa15.c b/plugins/crypto/mbedtls/securitypolicy_basic128rsa15.c index 8027caab4..afbf45a79 100644 --- a/plugins/crypto/mbedtls/securitypolicy_basic128rsa15.c +++ b/plugins/crypto/mbedtls/securitypolicy_basic128rsa15.c @@ -622,6 +622,12 @@ updateCertificateAndPrivateKey_sp_basic128rsa15(UA_SecurityPolicy *securityPolic Basic128Rsa15_PolicyContext *pc = (Basic128Rsa15_PolicyContext *)securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_mbedTLS_LoadLocalCertificate(&newCertificate, &securityPolicy->localCertificate); @@ -630,12 +636,19 @@ updateCertificateAndPrivateKey_sp_basic128rsa15(UA_SecurityPolicy *securityPolic return retval; /* Set the new private key */ - mbedtls_pk_free(&pc->localPrivateKey); - mbedtls_pk_init(&pc->localPrivateKey); - int mbedErr = UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext); - if(mbedErr) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; - goto error; + if(newPrivateKey.length > 0) { + mbedtls_pk_free(&pc->localPrivateKey); + mbedtls_pk_init(&pc->localPrivateKey); + if(UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext)) { + retval = UA_STATUSCODE_BADNOTSUPPORTED; + goto error; + } + } else { + if(!isLocalKey) { + mbedtls_pk_free(&pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + mbedtls_pk_init(&pc->csrLocalPrivateKey); + } } retval = asym_makeThumbprint_sp_basic128rsa15(securityPolicy, diff --git a/plugins/crypto/mbedtls/securitypolicy_basic256.c b/plugins/crypto/mbedtls/securitypolicy_basic256.c index 853b0b430..c728b1070 100644 --- a/plugins/crypto/mbedtls/securitypolicy_basic256.c +++ b/plugins/crypto/mbedtls/securitypolicy_basic256.c @@ -553,6 +553,12 @@ updateCertificateAndPrivateKey_sp_basic256(UA_SecurityPolicy *securityPolicy, Basic256_PolicyContext *pc = (Basic256_PolicyContext *) securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_mbedTLS_LoadLocalCertificate(&newCertificate, &securityPolicy->localCertificate); @@ -561,14 +567,19 @@ updateCertificateAndPrivateKey_sp_basic256(UA_SecurityPolicy *securityPolicy, return retval; /* Set the new private key */ - mbedtls_pk_free(&pc->localPrivateKey); - mbedtls_pk_init(&pc->localPrivateKey); - - int mbedErr = UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext); - - if(mbedErr) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; - goto error; + if(newPrivateKey.length > 0) { + mbedtls_pk_free(&pc->localPrivateKey); + mbedtls_pk_init(&pc->localPrivateKey); + if(UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext)) { + retval = UA_STATUSCODE_BADNOTSUPPORTED; + goto error; + } + } else { + if(!isLocalKey) { + mbedtls_pk_free(&pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + mbedtls_pk_init(&pc->csrLocalPrivateKey); + } } retval = asym_makeThumbprint_sp_basic256(securityPolicy, diff --git a/plugins/crypto/mbedtls/securitypolicy_basic256sha256.c b/plugins/crypto/mbedtls/securitypolicy_basic256sha256.c index df049958e..0f9f09ba9 100644 --- a/plugins/crypto/mbedtls/securitypolicy_basic256sha256.c +++ b/plugins/crypto/mbedtls/securitypolicy_basic256sha256.c @@ -604,6 +604,12 @@ updateCertificateAndPrivateKey_sp_basic256sha256(UA_SecurityPolicy *securityPoli Basic256Sha256_PolicyContext *pc = (Basic256Sha256_PolicyContext *) securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_mbedTLS_LoadLocalCertificate(&newCertificate, &securityPolicy->localCertificate); @@ -612,12 +618,19 @@ updateCertificateAndPrivateKey_sp_basic256sha256(UA_SecurityPolicy *securityPoli return retval; /* Set the new private key */ - mbedtls_pk_free(&pc->localPrivateKey); - mbedtls_pk_init(&pc->localPrivateKey); - int mbedErr = UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext); - if(mbedErr) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; - goto error; + if(newPrivateKey.length > 0) { + mbedtls_pk_free(&pc->localPrivateKey); + mbedtls_pk_init(&pc->localPrivateKey); + if(UA_mbedTLS_LoadPrivateKey(&newPrivateKey, &pc->localPrivateKey, &pc->entropyContext)) { + retval = UA_STATUSCODE_BADNOTSUPPORTED; + goto error; + } + } else { + if(!isLocalKey) { + mbedtls_pk_free(&pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + mbedtls_pk_init(&pc->csrLocalPrivateKey); + } } retval = asym_makeThumbprint_sp_basic256sha256(securityPolicy, diff --git a/plugins/crypto/openssl/securitypolicy_aes128sha256rsaoaep.c b/plugins/crypto/openssl/securitypolicy_aes128sha256rsaoaep.c index 66727450e..d954e9ce0 100644 --- a/plugins/crypto/openssl/securitypolicy_aes128sha256rsaoaep.c +++ b/plugins/crypto/openssl/securitypolicy_aes128sha256rsaoaep.c @@ -121,6 +121,12 @@ updateCertificateAndPrivateKey_sp_aes128sha256rsaoaep(UA_SecurityPolicy *securit Policy_Context_Aes128Sha256RsaOaep *pc = (Policy_Context_Aes128Sha256RsaOaep *)securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_OpenSSL_LoadLocalCertificate( @@ -130,12 +136,19 @@ updateCertificateAndPrivateKey_sp_aes128sha256rsaoaep(UA_SecurityPolicy *securit return retval; /* Set the new private key */ - EVP_PKEY_free(pc->localPrivateKey); - - pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + if(newPrivateKey.length > 0) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + } else { + if(!isLocalKey) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + pc->csrLocalPrivateKey = NULL; + } + } if(!pc->localPrivateKey) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; + retval = UA_STATUSCODE_BADNOTSUPPORTED; goto error; } diff --git a/plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c b/plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c index 22854f097..5ee066381 100644 --- a/plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c +++ b/plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c @@ -143,6 +143,12 @@ updateCertificateAndPrivateKey_sp_aes128sha256rsapss(UA_SecurityPolicy *security Policy_Context_Aes256Sha256RsaPss *pc = (Policy_Context_Aes256Sha256RsaPss *)securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_ByteString_clear(&pc->localCertThumbprint); @@ -153,11 +159,19 @@ updateCertificateAndPrivateKey_sp_aes128sha256rsapss(UA_SecurityPolicy *security return retval; /* Set the new private key */ - EVP_PKEY_free(pc->localPrivateKey); + if(newPrivateKey.length > 0) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + } else { + if(!isLocalKey) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + pc->csrLocalPrivateKey = NULL; + } + } - pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); if(!pc->localPrivateKey) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; + retval = UA_STATUSCODE_BADNOTSUPPORTED; goto error; } diff --git a/plugins/crypto/openssl/securitypolicy_basic128rsa15.c b/plugins/crypto/openssl/securitypolicy_basic128rsa15.c index 873c3a496..21ebed57c 100644 --- a/plugins/crypto/openssl/securitypolicy_basic128rsa15.c +++ b/plugins/crypto/openssl/securitypolicy_basic128rsa15.c @@ -113,6 +113,12 @@ updateCertificateAndPrivateKey_sp_basic128rsa15(UA_SecurityPolicy *securityPolic Policy_Context_Basic128Rsa15 *pc = (Policy_Context_Basic128Rsa15 *)securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_OpenSSL_LoadLocalCertificate( @@ -122,12 +128,19 @@ updateCertificateAndPrivateKey_sp_basic128rsa15(UA_SecurityPolicy *securityPolic return retval; /* Set the new private key */ - EVP_PKEY_free(pc->localPrivateKey); - - pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + if(newPrivateKey.length > 0) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + } else { + if(!isLocalKey) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + pc->csrLocalPrivateKey = NULL; + } + } if(!pc->localPrivateKey) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; + retval = UA_STATUSCODE_BADNOTSUPPORTED; goto error; } diff --git a/plugins/crypto/openssl/securitypolicy_basic256.c b/plugins/crypto/openssl/securitypolicy_basic256.c index 8a08e8064..21f608126 100644 --- a/plugins/crypto/openssl/securitypolicy_basic256.c +++ b/plugins/crypto/openssl/securitypolicy_basic256.c @@ -111,6 +111,12 @@ updateCertificateAndPrivateKey_sp_basic256(UA_SecurityPolicy *securityPolicy, Policy_Context_Basic256 *pc = (Policy_Context_Basic256 *)securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_OpenSSL_LoadLocalCertificate( @@ -120,12 +126,19 @@ updateCertificateAndPrivateKey_sp_basic256(UA_SecurityPolicy *securityPolicy, return retval; /* Set the new private key */ - EVP_PKEY_free(pc->localPrivateKey); - - pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + if(newPrivateKey.length > 0) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + } else { + if(!isLocalKey) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + pc->csrLocalPrivateKey = NULL; + } + } if(!pc->localPrivateKey) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; + retval = UA_STATUSCODE_BADNOTSUPPORTED; goto error; } diff --git a/plugins/crypto/openssl/securitypolicy_basic256sha256.c b/plugins/crypto/openssl/securitypolicy_basic256sha256.c index b1cf4b08e..b9dbc79da 100644 --- a/plugins/crypto/openssl/securitypolicy_basic256sha256.c +++ b/plugins/crypto/openssl/securitypolicy_basic256sha256.c @@ -112,6 +112,12 @@ updateCertificateAndPrivateKey_sp_basic256sha256(UA_SecurityPolicy *securityPoli Policy_Context_Basic256Sha256 *pc = (Policy_Context_Basic256Sha256 *)securityPolicy->policyContext; + UA_Boolean isLocalKey = false; + if(newPrivateKey.length <= 0) { + if(UA_CertificateUtils_comparePublicKeys(&newCertificate, &securityPolicy->localCertificate) == 0) + isLocalKey = true; + } + UA_ByteString_clear(&securityPolicy->localCertificate); UA_StatusCode retval = UA_OpenSSL_LoadLocalCertificate( @@ -121,12 +127,19 @@ updateCertificateAndPrivateKey_sp_basic256sha256(UA_SecurityPolicy *securityPoli return retval; /* Set the new private key */ - EVP_PKEY_free(pc->localPrivateKey); - - pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + if(newPrivateKey.length > 0) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = UA_OpenSSL_LoadPrivateKey(&newPrivateKey); + } else { + if(!isLocalKey) { + EVP_PKEY_free(pc->localPrivateKey); + pc->localPrivateKey = pc->csrLocalPrivateKey; + pc->csrLocalPrivateKey = NULL; + } + } if(!pc->localPrivateKey) { - retval = UA_STATUSCODE_BADSECURITYCHECKSFAILED; + retval = UA_STATUSCODE_BADNOTSUPPORTED; goto error; }