Secure channel enhancements 2025 11 (Take 3) (#3665)

* merged security changes

* Tailor SecurityPolicyUri for format expected in s_securityPolicyUriToInfo

* Enhance security policy handling and key computation logic

* Merge SecurityEnhancements.

* Add support for SessionTransferToken. Removed obsolete SoftwareCertificate code.

* Fix NonceLength for None.

* Add support for RSA_DH, more fixes from IOP testings.

* Finish implementation of SecureChannelEnhancements.

* Rename EccUtils.cs to CryptoUtils.cs

* Address feedback from reviewers.

* Fix CoPilot flagged spelling errors.

* Rename EccUtils to CryptoUtils

* Update version from 1.5.378-preview to 1.5.378

* Fix unit tests.

* Allow SignatureData.Algorithm to be NULL or Empty.

* Fix issue with BrainPool_p256r1_ChaChaPoly

* Fix RSA_DH_AesGcm

* Fix OSC/padding by deriving HMAC keys, tightening symmetric size math, and correcting ECC_brainpoolP384r1/Basic128Rsa15 IV, signature, padding, and nonce parameters.

* Policies without asymmetric encryption (ECC) return the plaintext when encrypting user tokens; this prevents null payloads from causing BadIdentityTokenInvalid.

* Reserve outer CBC padding for avoiding SymetricEncryptAndSign->AddPadding to overwrite next fields (signature)

* Nonce stored as byte array in SessionConfiguration; Sesion snapshot restores ServerNonce and reconstructs ECC ephemeral key Nonce from bytes and policy

* Added _AesGcm and _ChaChaPoly variants to BuildSupportedSecurityPolicies() for all six ECC certificate types (nistP256, nistP384, brainpoolP256r1, brainpoolP384r1, curve25519, curve448) to SecurityConfiguration. Added Sign and SignAndEncrypt endpoints for the four ECC AesGcm/ChaChaPoly policy pairs (nistP256, nistP384, brainpoolP256r1, brainpoolP384r1) to ServerFixture.

* make ephemeralKeyPolicyUri nullable

* GenerateSecret also for NET7 and NET8

* Adjust Basic128Rsa15 policy properties for backword compatibility

* Exclude unsuported AEAD policies from .NET Framework client tests

* Addapt to new changes (still build fail)

* Addapt code to make it compile

* Fixed failing build on net48 (by ignoring potential null ref which is not reported on other newer targets)

* Preserve the certificate reference in Clone() so copied handlers can still sign

* Remove extra code and addapt to existing master configuration settings

* Filter *_AesGcm and *_ChaChaPoly security policies based on actual runtime support, so unsupported AEAD policies are not advertised or selected on older frameworks

* Expand ECC/RSA policy test coverage and keep Basic128Rsa15 nonce length backward-compatible

* Fix ReconnectSessionOnAlternateChannel _AES and _ChaCha policies

* Fixed IgnoreIfPolicyNotAdvertised so it now fetches endpoints on-demand (instead of relying on Endpoints being preloaded by earlier tests), which avoids false ignores when running tests directlyy

* Merge with commit 5e627f2 from secure-channel-enhancements-2025-11 branch

* minor log mesatge formating

* Fix ClientLockoutTests

* Add ServerFixture policies upfront only if framework and runtime capability supports them

* A few cosmetic/config changes as review sugested

* Moved the session/security handling from StandardServer into a dedicated helper

* use X509IdentityTokenHandler from secure-channel-enhancements-2025-11

* Removed unused Opc.Ua.Types.UnitTests.csproj

* test(client): fix Basic128Rsa15 reconnect token-policy coverage

Advertise an explicit Basic128Rsa15 user token policy in the test fixture and tighten the reconnect test preconditions for non-advertised policies.

* test(client): fix session nonce persistence test helpers

Replace the generic reflection helpers in SessionTests with explicit client/server nonce accessors that match the actual field types.

Add a short Session comment to explain why client and server nonces currently use different representations.

* Merge branch 'master' into secure-channel-enhancements-2025-11-merge5

Merge with latest master and fix conflicts.

* Removed unused Opc.Ua.Types.UnitTests.csproj

* test(client): fix Basic128Rsa15 reconnect token-policy coverage

Advertise an explicit Basic128Rsa15 user token policy in the test fixture and tighten the reconnect test preconditions for non-advertised policies.

* test(client): fix session nonce persistence test helpers

Replace the generic reflection helpers in SessionTests with explicit client/server nonce accessors that match the actual field types.

Add a short Session comment to explain why client and server nonces currently use different representations.

* Build fixes

* Fix build

* update

* Minor updates

* Fix tests

* Add code to check all Endpoints.

* Update Design files to 1.05.7

* Run code fixers, add missing docs

* Fix build

* Revert removal of using

* Increase build timeout

---------

Co-authored-by: mrsuciu <Mircea-Adrian.Suciu@Softing.com>
Co-authored-by: Randy Armstrong <randy@sparhawksoftware.com>

Author: 3 people

.azurepipelines/ci.yml

@@ -24,6 +24,7 @@ jobs:
       arguments: -FileName azure-pipelines.yml -AgentTable ${{ parameters.agents }}
 - job: buildall${{ parameters.jobnamesuffix }}
   displayName: Build
+  timeoutInMinutes: 90
   dependsOn: buildprep${{ parameters.jobnamesuffix }}
   strategy:
     matrix: $[dependencies.buildprep${{ parameters.jobnamesuffix }}.outputs['buildmatrix.jobMatrix'] ]

Applications/ConsoleReferenceClient/ClientSamples.cs

@@ -62,7 +62,7 @@ public interface IUAClient
     /// <summary>
     /// Sample Session calls based on the reference server node model.
     /// </summary>
-    public class ClientSamples
+    public partial class ClientSamples
     {
         private const int kMaxSearchDepth = 128;
 

Applications/ConsoleReferenceClient/ConsoleReferenceClient.csproj

@@ -11,10 +11,7 @@
     <PublishAot Condition="$([MSBuild]::IsTargetFrameworkCompatible('$(TargetFramework)', 'net10.0'))">true</PublishAot>
   </PropertyGroup>
   <ItemGroup>
-    <Compile
-      Include="..\ConsoleReferenceServer\ConsoleUtils.cs"
-      Exclude="bin\**;obj\**;**\*.xproj;packages\**"
-    />
+    <Compile Include="..\ConsoleReferenceServer\ConsoleUtils.cs" Exclude="bin\**;obj\**;**\*.xproj;packages\**" />
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Logging" />
@@ -36,7 +33,7 @@
   </ItemGroup>
   <ItemGroup>
     <None Update="Quickstarts.ReferenceClient.Config.xml">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
   </ItemGroup>
 </Project>

Applications/ConsoleReferenceClient/Program.cs

@@ -145,6 +145,7 @@ public static Task<int> Main(string[] args)
             };
             var verboseOption = new Option<bool>("--verbose", "-v") { Description = "Verbose output" };
             var subscribeOption = new Option<bool>("--subscribe", "-s") { Description = "Subscribe" };
+            var testallEndpointsOption = new Option<bool>("--testall", "--ea") { Description = "Test All Endpoints" };
             var reverseConnectOption = new Option<string>("--reverseconnect", "--rc")
             {
                 Description = "Connect using the reverse connect endpoint. (e.g. --rc opc.tcp://localhost:65300)"
@@ -190,6 +191,7 @@ public static Task<int> Main(string[] args)
                 jsonOption,
                 verboseOption,
                 subscribeOption,
+                testallEndpointsOption,
                 reverseConnectOption,
                 foreverOption,
                 leakChannelsOption,
@@ -239,6 +241,7 @@ public static Task<int> Main(string[] args)
                 bool enableDurableSubscriptions =
                     parseResult.GetValue(durableSubscriptionOption);
                 var serverUrl = new Uri(parseResult.GetValue(serverUrlArgument));
+                var testallEndpoints = parseResult.GetValue(testallEndpointsOption);
 
                 ReverseConnectManager reverseConnectManager = null;
                 using var telemetry = new ConsoleTelemetry();
@@ -290,7 +293,7 @@ public static Task<int> Main(string[] args)
                         logConsole,
                         fileLog,
                         appLog,
-                        LogLevel.Information);
+                        LogLevel.Warning);
 
                     // delete old certificate
                     if (renewCertificate)
@@ -325,6 +328,21 @@ await application.DeleteApplicationInstanceCertificateAsync(ct: cancellationToke
                     CancellationToken ct = quitCTS.Token;
                     ManualResetEvent quitEvent = ConsoleUtils.CtrlCHandler(quitCTS);
 
+                    // handle connect all endpoints test.
+                    if (testallEndpoints)
+                    {
+                        var tester = new ClientSamples(
+                            telemetry,
+                            null,
+                            quitEvent,
+                            verbose);
+
+                        if (await tester.RunAsync(quitEvent, ct).ConfigureAwait(false))
+                        {
+                            return;
+                        }
+                    }
+
                     var userIdentity = new UserIdentity();
 
                     // set user identity of type username/pw

Applications/ConsoleReferenceClient/Quickstarts.ReferenceClient.Config.xml

@@ -65,7 +65,7 @@
     <!-- WARNING: The following setting (to automatically accept untrusted certificates) should be used
     for easy debugging purposes ONLY and turned off for production deployments! -->
     <AutoAcceptUntrustedCertificates>false</AutoAcceptUntrustedCertificates>
-    <!-- WARNING: SHA1 signed certificates are by default rejected and should be phased out. 
+    <!-- WARNING: SHA1 signed certificates are by default rejected and should be phased out.
        only nano and embedded profiles are allowed to use sha1 signed certificates. -->
     <RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates>
     <RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>