Merge and addapt Secure channel enhancements to new master code by mrsuciu · Pull Request #3567 · OPCFoundation/UA-.NETStandard

mrsuciu · 2026-02-19T12:02:38Z

Proposed changes

Merge and addapt Secure channel enhancements to new master code

Related Issues

Fixes #

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

Bugfix (non-breaking change which fixes an issue)
Enhancement (non-breaking change which adds functionality)
Test enhancement (non-breaking change to increase test coverage)
Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

I have read the CONTRIBUTING doc.
I have signed the CLA.
I ran tests locally with my changes, all passed.
I fixed all failing tests in the CI pipelines.
I fixed all introduced issues with CodeQL and LGTM.
I have added tests that prove my fix is effective or that my feature works and increased code coverage.
I have added necessary documentation (if appropriate).
Any dependent changes have been merged and published in downstream modules.

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

…Info

…icate code.

…dard

Update version from 1.5.378-preview to 1.5.378

…nnel-enhancements-2025-11

…ncements-2025-11

…, and correcting ECC_brainpoolP384r1/Basic128Rsa15 IV, signature, padding, and nonce parameters.

…n encrypting user tokens; this prevents null payloads from causing BadIdentityTokenInvalid.

…ding to overwrite next fields (signature)

…estores ServerNonce and reconstructs ECC ephemeral key Nonce from bytes and policy

…ies() for all six ECC certificate types (nistP256, nistP384, brainpoolP256r1, brainpoolP384r1, curve25519, curve448) to SecurityConfiguration. Added Sign and SignAndEncrypt endpoints for the four ECC AesGcm/ChaChaPoly policy pairs (nistP256, nistP384, brainpoolP256r1, brainpoolP384r1) to ServerFixture.

…nd (instead of relying on Endpoints being preloaded by earlier tests), which avoids false ignores when running tests directlyy

…anch

codecov · 2026-02-19T12:04:35Z

Codecov Report

❌ Patch coverage is 79.91218% with 549 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.35%. Comparing base (d25caff) to head (a2b008e).
⚠️ Report is 129 commits behind head on master.

Files with missing lines	Patch %	Lines
...k/Opc.Ua.Core/Security/Certificates/CryptoUtils.cs	79.86%	43 Missing and 48 partials ⚠️
...Opc.Ua.Core/Security/Constants/SecurityPolicies.cs	64.10%	62 Missing and 22 partials ⚠️
Libraries/Opc.Ua.Client/Session/Session.cs	73.57%	42 Missing and 23 partials ⚠️
...c.Ua.Core/Security/Certificates/EncryptedSecret.cs	75.09%	42 Missing and 21 partials ⚠️
Libraries/Opc.Ua.Server/Server/StandardServer.cs	34.04%	62 Missing ⚠️
Stack/Opc.Ua.Core/Stack/Tcp/TcpServerChannel.cs	34.56%	51 Missing and 2 partials ⚠️
Stack/Opc.Ua.Core/Security/Certificates/Nonce.cs	80.44%	24 Missing and 11 partials ⚠️
...c.Ua.Core/Security/Constants/SecurityPolicyInfo.cs	96.65%	11 Missing and 13 partials ⚠️
Libraries/Opc.Ua.Server/Session/Session.cs	68.29%	11 Missing and 2 partials ⚠️
...c.Ua.Server/Session/SessionSecurityPolicyHelper.cs	81.13%	7 Missing and 3 partials ⚠️
... and 13 more

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #3567       +/-   ##
===========================================
+ Coverage   51.86%   66.35%   +14.48%     
===========================================
  Files         370      462       +92     
  Lines       78618    99053    +20435     
  Branches    13650    16524     +2874     
===========================================
+ Hits        40779    65724    +24945     
+ Misses      33705    28191     -5514     
- Partials     4134     5138     +1004

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

romanett · 2026-02-19T12:21:20Z

Libraries/Opc.Ua.Client/Session/Session.cs

                    }
                }

+                ITransportChannel activeChannel = TransportChannel;


we should add an enhancement Issue to get all this SecurityPolicy Specific stuff out of the main session class into a helper IMO. all signing/ encrypting / additional headers should be separate. But not required in this PR. Also the User Token handling / selection.

romanett · 2026-02-19T12:23:32Z

Libraries/Opc.Ua.Server/Server/StandardServer.cs

@@ -499,10 +494,19 @@ X509Certificate2Collection clientCertificateChain
                    //  sign the client nonce (if provided).
                    if (parsedClientCertificate != null && clientNonce != null)


all this logic should inclduing the Additional header not be in the StandardServer class, instead we should do it in a helper living in the Session folder of the Server.

Libraries/Opc.Ua.Server/Session/ISession.cs

romanett · 2026-02-19T12:27:21Z

Libraries/Opc.Ua.Server/Session/SessionManager.cs

                // create server nonce.
-                var serverNonceObject = Nonce.CreateNonce(
-                    context.ChannelContext.EndpointDescription.SecurityPolicyUri);
+                var serverNonceObject = Nonce.CreateNonce(0);


isnt the nonce length dependent on the security policy?

Stack/Opc.Ua.Core/Security/Certificates/CryptoUtils.cs

romanett · 2026-02-19T12:30:27Z

Stack/Opc.Ua.Core/Security/Certificates/CryptoUtils.cs

+        }
+
+        /// <summary>
+        /// Verifies a ECDsa signature.


Suggested change

/// Verifies a ECDsa signature.

/// Verifies a signature.

Stack/Opc.Ua.Core/Security/Certificates/CryptoUtils.cs

Stack/Opc.Ua.Core/Stack/Server/SecureChannelContext.cs

Stack/Opc.Ua.Core/Stack/Tcp/TcpServerChannel.cs

romanett · 2026-02-19T12:45:00Z

Stack/Opc.Ua.Core/Stack/Tcp/UaSCBinaryChannel.Asymmetric.cs

+
+                    if (oscRequestSignature != null && SecurityPolicy.SecureChannelEnhancements)
+                    {
+                        // copy osc request signature if provided before verifying.


osc is OpenSecureChannel?

Stack/Opc.Ua.Core/Stack/Tcp/UaSCBinaryTransportChannel.cs

Tests/Opc.Ua.Client.Tests/ClientTest.cs

Tests/Opc.Ua.Client.Tests/SubscriptionTest.cs

Tests/Opc.Ua.Gds.Tests/PushTest.cs

romanett · 2026-02-19T12:53:55Z

Tests/Opc.Ua.Server.Tests/ServerFixture.cs

                    .AddEccSignPolicies()
-                    .AddEccSignAndEncryptPolicies();
+                    .AddEccSignAndEncryptPolicies()
+                    .AddPolicy(MessageSecurityMode.Sign, SecurityPolicies.ECC_nistP256_AesGcm)


we should do a new helper

romanett · 2026-02-19T12:54:06Z

Tests/Opc.Ua.Server.Tests/ServerFixture.cs

@@ -130,8 +130,28 @@ public async Task LoadConfigurationAsync(string pkiRoot = null)
                    .AddPolicy(MessageSecurityMode.SignAndEncrypt, SecurityPolicies.Basic256)
                    .AddSignPolicies()
                    .AddSignAndEncryptPolicies()
+                    .AddPolicy(MessageSecurityMode.Sign, SecurityPolicies.RSA_DH_AesGcm)


we should do a new helper

version.json

…bility supports them

…ted helper

mrsuciu and others added 30 commits November 19, 2025 16:23

merged security changes

688e2b8

Tailor SecurityPolicyUri for format expected in s_securityPolicyUriTo…

45b07a2

…Info

Enhance security policy handling and key computation logic

cfbebe7

Merge remote-tracking branch 'mr/eccSecurityChangesMerge'

0477aba

Merge SecurityEnhancements.

d0c6321

Add support for SessionTransferToken. Removed obsolete SoftwareCertif…

a579c62

…icate code.

Fix NonceLength for None.

e1dd311

Add support for RSA_DH, more fixes from IOP testings.

9ecf7c9

Finish implementation of SecureChannelEnhancements.

1ca156c

Merge branch 'master' of https://github.com/OPCFoundation/UA-.NETStan…

a17b881

…dard

Merge branch 'master' into secure-channel-enhancements-2025-11

5dfb991

Rename EccUtils.cs to CryptoUtils.cs

67f4b4b

Address feedback from reviewers.

8528e7a

Fix CoPilot flagged spelling errors.

387ad76

Merge branch 'master' into secure-channel-enhancements-2025-11

ee70b5d

Rename EccUtils to CryptoUtils

6153098

Update version from 1.5.378-preview to 1.5.378

e46ff9a

Fix unit tests.

dc0b110

Merge pull request OPCFoundation#3422 from OPCFoundation/mrsuciu-patch-1

8a06ef9

Update version from 1.5.378-preview to 1.5.378

Merge remote-tracking branch 'origin/release/1.5.378' into secure-cha…

3f5bbe0

…nnel-enhancements-2025-11

Merge remote-tracking branch 'origin/master' into secure-channel-enha…

1097329

…ncements-2025-11

Allow SignatureData.Algorithm to be NULL or Empty.

e8befb7

Fix issue with BrainPool_p256r1_ChaChaPoly

9e8e144

Fix RSA_DH_AesGcm

b7d0aff

Merge master

b4a5838

Fix OSC/padding by deriving HMAC keys, tightening symmetric size math…

f242325

…, and correcting ECC_brainpoolP384r1/Basic128Rsa15 IV, signature, padding, and nonce parameters.

Policies without asymmetric encryption (ECC) return the plaintext whe…

1d065c2

…n encrypting user tokens; this prevents null payloads from causing BadIdentityTokenInvalid.

Reserve outer CBC padding for avoiding SymetricEncryptAndSign->AddPad…

0adcdf9

…ding to overwrite next fields (signature)

Nonce stored as byte array in SessionConfiguration; Sesion snapshot r…

30c78f6

…estores ServerNonce and reconstructs ECC ephemeral key Nonce from bytes and policy

mrsuciu added 4 commits February 18, 2026 14:14

Fix ReconnectSessionOnAlternateChannel _AES and _ChaCha policies

a7d5fb7

Fixed IgnoreIfPolicyNotAdvertised so it now fetches endpoints on-dema…

e9e4c63

…nd (instead of relying on Endpoints being preloaded by earlier tests), which avoids false ignores when running tests directlyy

Merge with commit 5e627f2 from secure-channel-enhancements-2025-11 br…

905d4ca

…anch

minor log mesatge formating

67a8f9d