* Add UA_ENABLE_PUBSUB_SKS Cmake option
The SKS related features are enabled in open62541. The UA_ENABLE_PUBSUB_SKS
cmake option adds the support to enable/disable SKS related features.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add securityGroupId parameter to PubSub Group Config
The PubSub groups (Reader/Writer) are associated to a security group by
securityGroupId. The securityGroupId parameter is added to UA_WriterGroupConfig
and UA_ReaderGroupConfig structs.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add UA_PubSubKeyListItem struct
The Keystorage contains a linked list of KeyItems. The KeyItems holds the
information related to a key. The UA_PubSubKeyListItem struct forms the keyItems
of the keystorage KeyList.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add UA_PubSubKeyStorage struct
A structured storage is required to store all the keys and related information,
such as which security group, what security policy, how many PubSub Groups, and
when to move to next keys. The UA_PubSubKeyStorage struct holds the list of keys
used to secure the pubsub message for a security group and related information.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add PubSubKeyStorageList to the pubSubManager
The KeyStorage is managed by the pubSubManager object. There can be multiple key
storages managed by a pubSubManager for different Security Groups. An
UA_PubSubKeyStorage List is added to the pubSubManager, which contains the
pointers to all the key Storages managed by the pubSubManager for different
Security Groups.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add KeyStorage pointer to ReaderGroup and WriterGroup struct
A reference to a Keystorage is created when a ReaderGroup or WriterGroup group
is created. This reference is used for the life cycle management of the
KeyStorage. A non-owning pointer is added to WriterGroup and ReaderGroup structs
to point to their associated keystorage in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add function to initialize a keyStorage
An empty keystorage list is created when a ReaderGroup or a WriterGroup is
created in server. The new KeyStorage is added to the server KeyList and
initialized for a securityGroup. If a KeyStorage already exists in the server
for a securityGroupId, then the referenceCount is incremented and the keyStorage
is added to the initializing ReaderGroup or WriterGroup. In case of failure,
the keystorage is cleaned and deleted.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add storeSecurityKey function
After the keystorage is initialized and added to the server keyList, the
keys should be stored in the keystorage keylist. the storeSecurityKeys function
takes current key and future key list and add it a KeyStorage in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add Mechanism for key Rollover after KeyLifeTime expires
After the KeyLifeTime expires the Publisher and Subscriber are required to
move to the next key in the existing list. The addMoveToNextKeyCallback function
calculates the time to trigger the callback function and adds a timed server
callback. The importKeyToChannelContext function takes the key material,
divides the key into singing, encrypting and keyNonce part according to security
Policy assigned to KeyStorage and adds them to the channelcontext of the PubSub
Group. The moveToKeyCallback is the callback function to set the keys and
add next callback for key Rollover.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add API function update the existing keyStorage
The existing KeyList is updated/replaced with the fetched list. If the
currentTokenId is unknown in the existing list, then the existing keylist is
replaced by the fetched KeyList. In othercases keystorage is updated and keylist
is extended with new future keys.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add removeKeyStorage function
A keyStorage can be referenced by multiple PubSub Groups in a server. When a
keyStorage is removed with removeKeyStorage function, it checks the number of
of referenceCount parameter and decrements it by 1. If referenceCount was 1, then
the keyStorage pointer is freed and removed from the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add keyStorage in Server with ReaderGroup
Each ReaderGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is added/updated when
a ReaderGroup is created in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add KeyStorage in server with WriterGroup
Each WriterGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is added/updated when
a WriterGroup is created in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Remove KeyStorage from server with ReaderGroup
Each ReaderGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is removed/updated when
a ReaderGroup is removed from the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Remove KeyStorage from server with a WriterGroup
Each WriterGroup is assocaited with a keyStorage. The keys are used in its
channel context to secure the messages. A keyStorage is removed/updated when
a WriterGroup is removed in the server.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Delete All KeyStorages from Server
When PubSub Configuration is deleted, all the nested configuration and members
are deleted from the server. The KeyStorages are also deleted when a
PubSubManager is deleted, because KeyStorages does not serve the purpose anymore.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add KeyStorage Test setup and unit tests
A test suite is added for the keystorage and the following using tests are added
to it
- Initialization of empty keystorage
- Initialization of keystorage with invalid PubSub security policy
- storing keys into empty keystorage
- move to next key after keylifetime expire
- Setting keys to the channel context
- Adding keyStorage with Writer and ReaderGroup
- Adding a Reader/WriterGroup to existing Keystorage
- Removing keyStorage with a Writer/ReaderGroup
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add setSecurityKeys Method Node Callback
The keys are pushed to the Publishers and Subscribers who do not have client
functionality using setSecurityKeys Method Node. The setSecurityKeys callback
implements the backend of the setSecurityKeys Method node exposed by the server.
Checking for user credentials against PubSub Security Group Object nodes
is unresolved becuase creation of Security Group Object is not implemented.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add sks push test setup and unit tests
Setups the PubSub SKS Push test suite and helper methods. The test suite
includes a server with encryption and a client to connect with the server
with encrypted channel. The following unit tests are added
- insufficient Security Mode
- MissingSecurityGroup
- Setting Security Keys
- Update CurrentKey from exisiting list
- Update CurrentKey and add new future keys
- Replace existing keys with new keys
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Add PubSubKeyStorage description
The PubSubKeyStorage description is added to the header file. It also includes
the implemented workflow of the KeyStorage API to interact with KeyStorage.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
* Integrate PubSub SKS build and unit test in CI
The unit tests should be intergerated in the CI of open62541 pipeline to provide
proper testing and integration support of the new feature. The build and unit
tests of PubSub SKS are integrated in the CI pipeline.
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
Signed-off-by: Muddasir Shakil <muddasir.shakil@linutronix.de>
- Encrypt the private key using the key stored in TPM
and remove the unencrypted private key from the filesystem
- Used the encrypted key intermittently for software-based
encryption/decryption
Change-Id: I46fc24102365292d9af6b51c582e3a3f74b2af5e
Currently there is at least one unit-test that uses
pubsub encryption that is never executed in the continous
integration. This ci extension enables the test of pubsub encryption.
