Handle OpenSSL with disabled SHA-1 signatures (open62541)

RHEL 9 ships the OpenSSL libraries with SHA-1 signatures disabled. The security policies Basic128Rsa15 and Basic256 rely on SHA-1 which renders them unsupported on this platform. This change checks for support and removes the two policies from the list returned by QOpcUaClient::supportedSecurityPolicies() and the endpoints in the test server if necessary. Change-Id: I7bf9f903b159d794ef02163760d0c4c4781538e9 Reviewed-by: Alex Blasche <alexander.blasche@qt.io>
author: Jannis Voelker <jannis.voelker@basyskom.com> 2023-08-09 11:12:48 +0200
committer: Jannis Völker <jannis.voelker@basyskom.com> 2023-08-10 12:48:08 +0000
commit: 1b5465a4b3083d91e5c8c8ae9d558beb7b98b88c (patch)
tree: 66292d4b78407bca261f18669205670351dd6748 /tests
parent: cc0b714badf7c1f8a4624bdca9d55e185be86e75 (diff)
4 files changed, 38 insertions, 10 deletions
diff --git a/tests/auto/declarative/DiscoveryTest.qml b/tests/auto/declarative/DiscoveryTest.qml
index 09b75db..73ba1bc 100644
--- a/tests/auto/declarative/DiscoveryTest.qml
+++ b/tests/auto/declarative/DiscoveryTest.qml
@@ -122,7 +122,7 @@ Item {
 
             tryVerify(function() { return myEndpoints1.count > 0;});
             if (SERVER_SUPPORTS_SECURITY)
-                compare(myEndpoints1.count, 9);
+                compare(myEndpoints1.count, connection1.supportedSecurityPolicies.length === 3 ? 5 : 9);
             else
                 compare(myEndpoints1.count, 1);
             verify(myEndpoints1.at(0).endpointUrl.startsWith("opc.tcp://"));
@@ -229,7 +229,7 @@ Item {
             compare(endpointsStatusSpy2.count, 2);
             compare(endpointsChangedSpy2.count, 2);
             if (SERVER_SUPPORTS_SECURITY)
-                compare(myEndpoints2.count, 9);
+                compare(myEndpoints2.count, connection2.supportedSecurityPolicies.length === 3 ? 5 : 9);
             else
                 compare(myEndpoints2.count, 1);
             verify(myEndpoints2.at(0).endpointUrl.startsWith("opc.tcp://"));
diff --git a/tests/auto/declarative/SecurityTest.qml b/tests/auto/declarative/SecurityTest.qml
index 76b1500..595d9b3 100644
--- a/tests/auto/declarative/SecurityTest.qml
+++ b/tests/auto/declarative/SecurityTest.qml
@@ -33,7 +33,9 @@ Item {
                 compare(connection2.supportedUserTokenTypes.length, 3);
             } else if (backendName === "open62541") {
                 if (SERVER_SUPPORTS_SECURITY)
-                    compare(connection2.supportedSecurityPolicies.length, 5);
+                    compare(connection2.supportedSecurityPolicies.length,
+                            connection2.supportedSecurityPolicies.includes("http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15")
+                            ? 5 : 3);
                 else
                     compare(connection2.supportedSecurityPolicies.length, 1);
                 compare(connection2.supportedUserTokenTypes.length, 2);
diff --git a/tests/auto/security/BLACKLIST b/tests/auto/security/BLACKLIST
deleted file mode 100644
index e0a567a..0000000
--- a/tests/auto/security/BLACKLIST
+++ /dev/null
@@ -1,4 +0,0 @@
-# QTBUG-106285
-[connectAndDisconnectSecureUnencryptedKey]
-rhel-9.0
-rhel-9.2
diff --git a/tests/open62541-testserver/testserver.cpp b/tests/open62541-testserver/testserver.cpp
index 96ad7b9..663b308 100644
--- a/tests/open62541-testserver/testserver.cpp
+++ b/tests/open62541-testserver/testserver.cpp
@@ -154,10 +154,40 @@ bool TestServer::createSecureServerConfig(UA_ServerConfig *config)
         return false;
     }
 
-    result = UA_ServerConfig_addAllSecurityPolicies(config, &certificate, &privateKey);
+    // result = UA_ServerConfig_addAllSecurityPolicies(config, &certificate, &privateKey);
 
-    if (result != UA_STATUSCODE_GOOD) {
-        qWarning() << "Failed to add security policies";
+    // Add the security policies manually because we need to skip Basic128Rsa15 and Basic256
+    // if OpenSSL doesn't support SHA-1 signatures (e.g. RHEL 9).
+
+    UA_StatusCode retval = UA_ServerConfig_addSecurityPolicyNone(config, &certificate);
+    if(retval != UA_STATUSCODE_GOOD) {
+        qWarning() << "Failed to add security policy None";
+        return false;
+    }
+
+    if (Open62541Utils::checkSha1SignatureSupport()) {
+        retval = UA_ServerConfig_addSecurityPolicyBasic128Rsa15(config, &certificate, &privateKey);
+        if(retval != UA_STATUSCODE_GOOD) {
+            qWarning() << "Failed to add security policy Basic128Rsa15";
+            return false;
+        }
+
+        retval = UA_ServerConfig_addSecurityPolicyBasic256(config, &certificate, &privateKey);
+        if(retval != UA_STATUSCODE_GOOD) {
+            qWarning() << "Failed to add security policy Basic256";
+            return false;
+        }
+    }
+
+    retval = UA_ServerConfig_addSecurityPolicyBasic256Sha256(config, &certificate, &privateKey);
+    if(retval != UA_STATUSCODE_GOOD) {
+        qWarning() << "Failed to add security policy Basic256Sha256";
+        return false;
+    }
+
+    retval = UA_ServerConfig_addSecurityPolicyAes128Sha256RsaOaep(config, &certificate, &privateKey);
+    if(retval != UA_STATUSCODE_GOOD) {
+        qWarning() << "Failed to add security policy Aes128Sha256RsaOaep";
         return false;
     }
author	Jannis Voelker <jannis.voelker@basyskom.com>	2023-08-09 11:12:48 +0200
committer	Jannis Völker <jannis.voelker@basyskom.com>	2023-08-10 12:48:08 +0000
commit	1b5465a4b3083d91e5c8c8ae9d558beb7b98b88c (patch)
tree	66292d4b78407bca261f18669205670351dd6748 /tests
parent	cc0b714badf7c1f8a4624bdca9d55e185be86e75 (diff)