/src/S2OPC/src/ClientServer/services/b2c/util_user.c

Source
/*
 * Licensed to Systerel under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
 * Systerel licenses this file to you under the Apache
 * License, Version 2.0 (the "License"); you may not use this
 * file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

#include <stdbool.h>
#include <string.h>

#include "sopc_types.h"
#include "sopc_user_app_itf.h"

#include "util_b2c.h"
#include "util_user.h"

constants__t_user_token_type_i util_get_user_token_type_from_token(
    const constants__t_user_token_i user_authentication_bs__p_user_token)
{
    SOPC_ASSERT(NULL != user_authentication_bs__p_user_token);
    SOPC_EncodeableType* tokenType = user_authentication_bs__p_user_token->Body.Object.ObjType;
    if (&OpcUa_AnonymousIdentityToken_EncodeableType == tokenType)
    {
        return constants__e_userTokenType_anonymous;
    }
    else if (&OpcUa_UserNameIdentityToken_EncodeableType == tokenType)
    {
        return constants__e_userTokenType_userName;
    }
    else if (&OpcUa_X509IdentityToken_EncodeableType == tokenType)
    {
        return constants__e_userTokenType_x509;
    }
    else if (&OpcUa_IssuedIdentityToken_EncodeableType == tokenType)
    {
        return constants__e_userTokenType_issued;
    }
    else
    {
        return constants__c_userTokenType_indet;
    }
}

static bool checkEncryptionAlgorithm(constants__t_SecurityPolicy secpol, SOPC_String* encryptionAlgo)
{
    switch (secpol)
    {
    case constants__e_secpol_None:
        // Part 4: "EncryptionAlgo: This parameter is null if the password is not encrypted"
        return encryptionAlgo->Length <= 0;
    case constants__e_secpol_B256:
        return 0 == strcmp("http://www.w3.org/2001/04/xmlenc#rsa-oaep", SOPC_String_GetRawCString(encryptionAlgo));
    case constants__e_secpol_B256S256:
        return 0 == strcmp("http://www.w3.org/2001/04/xmlenc#rsa-oaep", SOPC_String_GetRawCString(encryptionAlgo));
    case constants__e_secpol_Aes128Sha256RsaOaep:
        return 0 == strcmp("http://www.w3.org/2001/04/xmlenc#rsa-oaep", SOPC_String_GetRawCString(encryptionAlgo));
    case constants__e_secpol_Aes256Sha256RsaPss:
        return 0 == strcmp("http://opcfoundation.org/UA/security/rsa-oaep-sha2-256",
                           SOPC_String_GetRawCString(encryptionAlgo));
    default:
        SOPC_ASSERT(false && "Invalid security policy");
        return false;
    }
}

const char* util_getEncryptionAlgorithm(constants__t_SecurityPolicy secpol)
{
    switch (secpol)
    {
    case constants__e_secpol_None:
        // Part 4: "EncryptionAlgo: This parameter is null if the password is not encrypted"
        return NULL;
    case constants__e_secpol_B256:
        return "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
    case constants__e_secpol_B256S256:
        return "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
    case constants__e_secpol_Aes128Sha256RsaOaep:
        return "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
    case constants__e_secpol_Aes256Sha256RsaPss:
        return "http://opcfoundation.org/UA/security/rsa-oaep-sha2-256";
    default:
        SOPC_ASSERT(false && "Invalid security policy");
        return NULL;
    }
}

bool util_check_user_token_policy_compliance(const SOPC_SecureChannel_Config* scConfig,
                                             const OpcUa_UserTokenPolicy* userTokenPolicy,
                                             const constants__t_user_token_type_i user_token_type,
                                             const constants__t_user_token_i user_token,
                                             bool check_encryption_algo,
                                             constants__t_SecurityPolicy* secpol)
{
    SOPC_String* tokenPolicyId = NULL;
    SOPC_ASSERT(secpol != NULL);
    SOPC_String* encryptionAlgo = NULL;
    bool bres = false;

    // Retrieve security policy:
    if (userTokenPolicy->SecurityPolicyUri.Length <= 0)
    {
        // User token security policy empty, use the secure channel security policy
        bres = util_channel__SecurityPolicy_C_to_B(scConfig->reqSecuPolicyUri, secpol);
        if (!bres)
        {
            return false;
        }
    }
    else
    {
        bres =
            util_channel__SecurityPolicy_C_to_B(SOPC_String_GetRawCString(&userTokenPolicy->SecurityPolicyUri), secpol);
        if (!bres)
        {
            return false;
        }
    }

    switch (userTokenPolicy->TokenType)
    {
    case OpcUa_UserTokenType_Anonymous:
        if (user_token_type != constants__e_userTokenType_anonymous)
        {
            return false;
        }
        else
        {
            /* Important Note: we do not check the token since it could be NULL in case of Anonymous.
             * PolicyId not checked in case of Anonymous token.*/
            return true;
        }
        break;
    case OpcUa_UserTokenType_UserName:
        if (user_token_type != constants__e_userTokenType_userName)
        {
            return false;
        }
        SOPC_ASSERT(SOPC_ExtObjBodyEncoding_Object == user_token->Encoding);
        tokenPolicyId = &((OpcUa_UserNameIdentityToken*) user_token->Body.Object.Value)->PolicyId;
        // Check Encryption Algo / Security policy
        encryptionAlgo = &((OpcUa_UserNameIdentityToken*) user_token->Body.Object.Value)->EncryptionAlgorithm;
        if (check_encryption_algo)
        {
            bres = checkEncryptionAlgorithm(*secpol, encryptionAlgo);
            if (!bres)
            {
                return false;
            }
        }
        break;
    case OpcUa_UserTokenType_Certificate:
        if (user_token_type != constants__e_userTokenType_x509)
        {
            return false;
        }
        SOPC_ASSERT(SOPC_ExtObjBodyEncoding_Object == user_token->Encoding);
        tokenPolicyId = &((OpcUa_X509IdentityToken*) user_token->Body.Object.Value)->PolicyId;
        break;
    case OpcUa_UserTokenType_IssuedToken:
        if (user_token_type != constants__e_userTokenType_issued)
        {
            return false;
        }
        SOPC_ASSERT(SOPC_ExtObjBodyEncoding_Object == user_token->Encoding);
        tokenPolicyId = &((OpcUa_IssuedIdentityToken*) user_token->Body.Object.Value)->PolicyId;
        // Check Encryption Algo / Security policy
        encryptionAlgo = &((OpcUa_IssuedIdentityToken*) user_token->Body.Object.Value)->EncryptionAlgorithm;
        if (check_encryption_algo)
        {
            bres = checkEncryptionAlgorithm(*secpol, encryptionAlgo);
            if (!bres)
            {
                return false;
            }
        }
        break;
    default:
        return false;
    }
    if (SOPC_String_Equal(&userTokenPolicy->PolicyId, tokenPolicyId))
    {
        return true;
    }
    return false;
}

Line	Count	Source
1		/*
2		* Licensed to Systerel under one or more contributor license
3		* agreements. See the NOTICE file distributed with this work
4		* for additional information regarding copyright ownership.
5		* Systerel licenses this file to you under the Apache
6		* License, Version 2.0 (the "License"); you may not use this
7		* file except in compliance with the License. You may obtain
8		* a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing,
13		* software distributed under the License is distributed on an
14		* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15		* KIND, either express or implied. See the License for the
16		* specific language governing permissions and limitations
17		* under the License.
18		*/
19
20		#include <stdbool.h>
21		#include <string.h>
22
23		#include "sopc_types.h"
24		#include "sopc_user_app_itf.h"
25
26		#include "util_b2c.h"
27		#include "util_user.h"
28
29		constants__t_user_token_type_i util_get_user_token_type_from_token(
30		const constants__t_user_token_i user_authentication_bs__p_user_token)
31	0	{
32	0	SOPC_ASSERT(NULL != user_authentication_bs__p_user_token);
33	0	SOPC_EncodeableType* tokenType = user_authentication_bs__p_user_token->Body.Object.ObjType;
34	0	if (&OpcUa_AnonymousIdentityToken_EncodeableType == tokenType)
35	0	{
36	0	return constants__e_userTokenType_anonymous;
37	0	}
38	0	else if (&OpcUa_UserNameIdentityToken_EncodeableType == tokenType)
39	0	{
40	0	return constants__e_userTokenType_userName;
41	0	}
42	0	else if (&OpcUa_X509IdentityToken_EncodeableType == tokenType)
43	0	{
44	0	return constants__e_userTokenType_x509;
45	0	}
46	0	else if (&OpcUa_IssuedIdentityToken_EncodeableType == tokenType)
47	0	{
48	0	return constants__e_userTokenType_issued;
49	0	}
50	0	else
51	0	{
52	0	return constants__c_userTokenType_indet;
53	0	}
54	0	}
55
56		static bool checkEncryptionAlgorithm(constants__t_SecurityPolicy secpol, SOPC_String* encryptionAlgo)
57	0	{
58	0	switch (secpol)
59	0	{
60	0	case constants__e_secpol_None:
61		// Part 4: "EncryptionAlgo: This parameter is null if the password is not encrypted"
62	0	return encryptionAlgo->Length <= 0;
63	0	case constants__e_secpol_B256:
64	0	return 0 == strcmp("http://www.w3.org/2001/04/xmlenc#rsa-oaep", SOPC_String_GetRawCString(encryptionAlgo));
65	0	case constants__e_secpol_B256S256:
66	0	return 0 == strcmp("http://www.w3.org/2001/04/xmlenc#rsa-oaep", SOPC_String_GetRawCString(encryptionAlgo));
67	0	case constants__e_secpol_Aes128Sha256RsaOaep:
68	0	return 0 == strcmp("http://www.w3.org/2001/04/xmlenc#rsa-oaep", SOPC_String_GetRawCString(encryptionAlgo));
69	0	case constants__e_secpol_Aes256Sha256RsaPss:
70	0	return 0 == strcmp("http://opcfoundation.org/UA/security/rsa-oaep-sha2-256",
71	0	SOPC_String_GetRawCString(encryptionAlgo));
72	0	default:
73	0	SOPC_ASSERT(false && "Invalid security policy");
74	0	return false;
75	0	}
76	0	}
77
78		const char* util_getEncryptionAlgorithm(constants__t_SecurityPolicy secpol)
79	0	{
80	0	switch (secpol)
81	0	{
82	0	case constants__e_secpol_None:
83		// Part 4: "EncryptionAlgo: This parameter is null if the password is not encrypted"
84	0	return NULL;
85	0	case constants__e_secpol_B256:
86	0	return "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
87	0	case constants__e_secpol_B256S256:
88	0	return "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
89	0	case constants__e_secpol_Aes128Sha256RsaOaep:
90	0	return "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
91	0	case constants__e_secpol_Aes256Sha256RsaPss:
92	0	return "http://opcfoundation.org/UA/security/rsa-oaep-sha2-256";
93	0	default:
94	0	SOPC_ASSERT(false && "Invalid security policy");
95	0	return NULL;
96	0	}
97	0	}
98
99		bool util_check_user_token_policy_compliance(const SOPC_SecureChannel_Config* scConfig,
100		const OpcUa_UserTokenPolicy* userTokenPolicy,
101		const constants__t_user_token_type_i user_token_type,
102		const constants__t_user_token_i user_token,
103		bool check_encryption_algo,
104		constants__t_SecurityPolicy* secpol)
105	0	{
106	0	SOPC_String* tokenPolicyId = NULL;
107	0	SOPC_ASSERT(secpol != NULL);
108	0	SOPC_String* encryptionAlgo = NULL;
109	0	bool bres = false;
110
111		// Retrieve security policy:
112	0	if (userTokenPolicy->SecurityPolicyUri.Length <= 0)
113	0	{
114		// User token security policy empty, use the secure channel security policy
115	0	bres = util_channel__SecurityPolicy_C_to_B(scConfig->reqSecuPolicyUri, secpol);
116	0	if (!bres)
117	0	{
118	0	return false;
119	0	}
120	0	}
121	0	else
122	0	{
123	0	bres =
124	0	util_channel__SecurityPolicy_C_to_B(SOPC_String_GetRawCString(&userTokenPolicy->SecurityPolicyUri), secpol);
125	0	if (!bres)
126	0	{
127	0	return false;
128	0	}
129	0	}
130
131	0	switch (userTokenPolicy->TokenType)
132	0	{
133	0	case OpcUa_UserTokenType_Anonymous:
134	0	if (user_token_type != constants__e_userTokenType_anonymous)
135	0	{
136	0	return false;
137	0	}
138	0	else
139	0	{
140		/* Important Note: we do not check the token since it could be NULL in case of Anonymous.
141		* PolicyId not checked in case of Anonymous token.*/
142	0	return true;
143	0	}
144	0	break;
145	0	case OpcUa_UserTokenType_UserName:
146	0	if (user_token_type != constants__e_userTokenType_userName)
147	0	{
148	0	return false;
149	0	}
150	0	SOPC_ASSERT(SOPC_ExtObjBodyEncoding_Object == user_token->Encoding);
151	0	tokenPolicyId = &((OpcUa_UserNameIdentityToken*) user_token->Body.Object.Value)->PolicyId;
152		// Check Encryption Algo / Security policy
153	0	encryptionAlgo = &((OpcUa_UserNameIdentityToken*) user_token->Body.Object.Value)->EncryptionAlgorithm;
154	0	if (check_encryption_algo)
155	0	{
156	0	bres = checkEncryptionAlgorithm(*secpol, encryptionAlgo);
157	0	if (!bres)
158	0	{
159	0	return false;
160	0	}
161	0	}
162	0	break;
163	0	case OpcUa_UserTokenType_Certificate:
164	0	if (user_token_type != constants__e_userTokenType_x509)
165	0	{
166	0	return false;
167	0	}
168	0	SOPC_ASSERT(SOPC_ExtObjBodyEncoding_Object == user_token->Encoding);
169	0	tokenPolicyId = &((OpcUa_X509IdentityToken*) user_token->Body.Object.Value)->PolicyId;
170	0	break;
171	0	case OpcUa_UserTokenType_IssuedToken:
172	0	if (user_token_type != constants__e_userTokenType_issued)
173	0	{
174	0	return false;
175	0	}
176	0	SOPC_ASSERT(SOPC_ExtObjBodyEncoding_Object == user_token->Encoding);
177	0	tokenPolicyId = &((OpcUa_IssuedIdentityToken*) user_token->Body.Object.Value)->PolicyId;
178		// Check Encryption Algo / Security policy
179	0	encryptionAlgo = &((OpcUa_IssuedIdentityToken*) user_token->Body.Object.Value)->EncryptionAlgorithm;
180	0	if (check_encryption_algo)
181	0	{
182	0	bres = checkEncryptionAlgorithm(*secpol, encryptionAlgo);
183	0	if (!bres)
184	0	{
185	0	return false;
186	0	}
187	0	}
188	0	break;
189	0	default:
190	0	return false;
191	0	}
192	0	if (SOPC_String_Equal(&userTokenPolicy->PolicyId, tokenPolicyId))
193	0	{
194	0	return true;
195	0	}
196	0	return false;
197	0	}

Coverage Report

Created: 2025-11-11 06:21