Secure channel enhancements 2025 11

Applications/ConsoleReferenceClient/Program.cs

@@ -54,6 +54,23 @@ public static class Program
         /// <exception cref="ErrorExitException"></exception>
         public static async Task Main(string[] args)
         {
+            //foreach (var group in Enum.GetValues(typeof(RSADiffieHellmanGroup)))
+            //{
+            //    var alice = RSADiffieHellman.Create((RSADiffieHellmanGroup)group);
+            //    var bob = RSADiffieHellman.Create((RSADiffieHellmanGroup)group);
+
+            //    var aliceNonce = alice.GetNonce();
+            //    var bobNonce = bob.GetNonce();
+
+            //    var bobAtAlice = RSADiffieHellman.Create(bobNonce);
+            //    var aliceAtBob = RSADiffieHellman.Create(aliceNonce);
+
+            //    var secret1 = alice.DeriveRawSecretAgreement(bobAtAlice);
+            //    CryptoTrace.WriteLine(CryptoTrace.KeyToString(secret1));
+            //    var secret2 = bob.DeriveRawSecretAgreement(aliceAtBob);
+            //    CryptoTrace.WriteLine(CryptoTrace.KeyToString(secret2));
+            //}
+
             Console.WriteLine("OPC UA Console Reference Client");
 
             Console.WriteLine(
@@ -75,8 +92,8 @@ public static async Task Main(string[] args)
             byte[] userpassword = null;
             string userCertificateThumbprint = null;
             byte[] userCertificatePassword = null;
-            bool logConsole = false;
-            bool appLog = false;
+            bool logConsole = true;
+            bool appLog = true;
             bool fileLog = false;
             bool renewCertificate = false;
             bool loadTypes = false;
@@ -333,7 +350,7 @@ public static async Task Main(string[] args)
                     logConsole,
                     fileLog,
                     appLog,
-                    LogLevel.Information);
+                    LogLevel.Warning);
 
                 // delete old certificate
                 if (renewCertificate)
@@ -370,6 +387,14 @@ await application.DeleteApplicationInstanceCertificateAsync()
                 CancellationToken ct = quitCTS.Token;
                 ManualResetEvent quitEvent = ConsoleUtils.CtrlCHandler(quitCTS);
 
+                // insert security tester.
+                var tester = new SecurityTestClient.RunTest(config, telemetry);
+
+                if (await tester.RunAsync(quitEvent, ct).ConfigureAwait(false))
+                {
+                    return;
+                }
+
                 var userIdentity = new UserIdentity();
 
                 // set user identity of type username/pw

Applications/ConsoleReferenceClient/Quickstarts.ReferenceClient.Config.xml

@@ -13,53 +13,53 @@
     <ApplicationCertificates>
       <CertificateIdentifier>
         <StoreType>Directory</StoreType>
-        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <StorePath>./pki/own</StorePath>
         <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>RsaSha256</CertificateTypeString>
       </CertificateIdentifier>
       <CertificateIdentifier>
         <!-- <TypeId>NistP256</TypeId> -->
         <StoreType>Directory</StoreType>
-        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <StorePath>./pki/own</StorePath>
         <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>NistP256</CertificateTypeString>
       </CertificateIdentifier>
       <CertificateIdentifier>
         <!-- <TypeId>NistP384</TypeId> -->
         <StoreType>Directory</StoreType>
-        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <StorePath>./pki/own</StorePath>
         <SubjectName>CN=Quickstart Reference client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>NistP384</CertificateTypeString>
       </CertificateIdentifier>
       <CertificateIdentifier>
         <!-- <TypeId>BrainpoolP256r1</TypeId> -->
         <StoreType>Directory</StoreType>
-        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <StorePath>./pki/own</StorePath>
         <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>BrainpoolP256r1</CertificateTypeString>
       </CertificateIdentifier>
       <CertificateIdentifier>
         <!-- <TypeId>BrainpoolP384r1</TypeId> -->
         <StoreType>Directory</StoreType>
-        <StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
+        <StorePath>./pki/own</StorePath>
         <SubjectName>CN=Quickstart Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>BrainpoolP384r1</CertificateTypeString>
       </CertificateIdentifier>
     </ApplicationCertificates>
     <!-- Where the issuer certificate are stored (certificate authorities) -->
     <TrustedIssuerCertificates>
       <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/issuer</StorePath>
+      <StorePath>./pki/issuer</StorePath>
     </TrustedIssuerCertificates>
     <!-- Where the trust list is stored -->
     <TrustedPeerCertificates>
       <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/trusted</StorePath>
+      <StorePath>./pki/trusted</StorePath>
     </TrustedPeerCertificates>
     <!-- The directory used to store invalid certificates for later review by the administrator. -->
     <RejectedCertificateStore>
       <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/rejected</StorePath>
+      <StorePath>./pki/rejected</StorePath>
     </RejectedCertificateStore>
     <MaxRejectedCertificates>5</MaxRejectedCertificates>
     <!-- WARNING: The following setting (to automatically accept untrusted certificates) should be used
@@ -75,12 +75,12 @@
     <!-- Where the User issers list is stored-->
     <UserIssuerCertificates>
       <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/userIssuer</StorePath>
+      <StorePath>./pki/userIssuer</StorePath>
     </UserIssuerCertificates>
     <!-- Where the User trust list is stored-->
     <TrustedUserCertificates>
       <StoreType>Directory</StoreType>
-      <StorePath>%LocalApplicationData%/OPC Foundation/pki/trustedUser</StorePath>
+      <StorePath>./pki/trustedUser</StorePath>
     </TrustedUserCertificates>
   </SecurityConfiguration>
   <TransportConfigurations></TransportConfigurations>
@@ -92,7 +92,7 @@
     <MaxMessageSize>4194304</MaxMessageSize>
     <MaxBufferSize>65535</MaxBufferSize>
     <ChannelLifetime>300000</ChannelLifetime>
-    <SecurityTokenLifetime>3600000</SecurityTokenLifetime>
+    <SecurityTokenLifetime>30000</SecurityTokenLifetime>
   </TransportQuotas>
   <ClientConfiguration>
     <DefaultSessionTimeout>60000</DefaultSessionTimeout>
@@ -120,7 +120,7 @@
   </ClientConfiguration>
   <Extensions></Extensions>
   <TraceConfiguration>
-    <OutputFilePath>%LocalApplicationData%/OPC Foundation/Logs/Quickstarts.ReferenceClient.log.txt</OutputFilePath>
+    <OutputFilePath>./Logs/Quickstarts.ReferenceClient.log.txt</OutputFilePath>
     <DeleteOnLoad>true</DeleteOnLoad>
     <!-- Show Only Errors -->
     <!-- <TraceMasks>1</TraceMasks> -->