author | Jannis Voelker <jannis.voelker@basyskom.com> | 2023-08-09 11:12:48 +0200 |
---|---|---|
committer | Jannis Völker <jannis.voelker@basyskom.com> | 2023-08-10 12:48:08 +0000 |
commit | 1b5465a4b3083d91e5c8c8ae9d558beb7b98b88c (patch) | |
tree | 66292d4b78407bca261f18669205670351dd6748 /tests | |
parent | cc0b714badf7c1f8a4624bdca9d55e185be86e75 (diff) |
Handle OpenSSL with disabled SHA-1 signatures (open62541)
RHEL 9 ships the OpenSSL libraries with SHA-1 signatures disabled.
The security policies Basic128Rsa15 and Basic256 rely on SHA-1
which renders them unsupported on this platform.
This change checks for support and removes the two policies from
the list returned by QOpcUaClient::supportedSecurityPolicies()
and the endpoints in the test server if necessary.
Change-Id: I7bf9f903b159d794ef02163760d0c4c4781538e9
Reviewed-by: Alex Blasche <alexander.blasche@qt.io>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/auto/declarative/DiscoveryTest.qml | 4 | ||||
-rw-r--r-- | tests/auto/declarative/SecurityTest.qml | 4 | ||||
-rw-r--r-- | tests/auto/security/BLACKLIST | 4 | ||||
-rw-r--r-- | tests/open62541-testserver/testserver.cpp | 36 |
4 files changed, 38 insertions, 10 deletions
diff --git a/tests/auto/declarative/DiscoveryTest.qml b/tests/auto/declarative/DiscoveryTest.qml
index 09b75db..73ba1bc 100644
--- a/tests/auto/declarative/DiscoveryTest.qml
+++ b/tests/auto/declarative/DiscoveryTest.qml
@@ -122,7 +122,7 @@ Item {
 tryVerify(function() { return myEndpoints1.count > 0;});
 if (SERVER_SUPPORTS_SECURITY)
- compare(myEndpoints1.count, 9);
+ compare(myEndpoints1.count, connection1.supportedSecurityPolicies.length === 3 ? 5 : 9);
 else
 compare(myEndpoints1.count, 1);
 verify(myEndpoints1.at(0).endpointUrl.startsWith("opc.tcp://"));
@@ -229,7 +229,7 @@ Item {
 compare(endpointsStatusSpy2.count, 2);
 compare(endpointsChangedSpy2.count, 2);
 if (SERVER_SUPPORTS_SECURITY)
- compare(myEndpoints2.count, 9);
+ compare(myEndpoints2.count, connection2.supportedSecurityPolicies.length === 3 ? 5 : 9);
 else
 compare(myEndpoints2.count, 1);
 verify(myEndpoints2.at(0).endpointUrl.startsWith("opc.tcp://"));
diff --git a/tests/auto/declarative/SecurityTest.qml b/tests/auto/declarative/SecurityTest.qml
index 76b1500..595d9b3 100644
--- a/tests/auto/declarative/SecurityTest.qml
+++ b/tests/auto/declarative/SecurityTest.qml
@@ -33,7 +33,9 @@ Item {
 compare(connection2.supportedUserTokenTypes.length, 3);
 } else if (backendName === "open62541") {
 if (SERVER_SUPPORTS_SECURITY)
- compare(connection2.supportedSecurityPolicies.length, 5);
+ compare(connection2.supportedSecurityPolicies.length,
+ connection2.supportedSecurityPolicies.includes("http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15")
+ ? 5 : 3);
 else
 compare(connection2.supportedSecurityPolicies.length, 1);
 compare(connection2.supportedUserTokenTypes.length, 2);
diff --git a/tests/auto/security/BLACKLIST b/tests/auto/security/BLACKLIST
deleted file mode 100644
index e0a567a..0000000
--- a/tests/auto/security/BLACKLIST
+++ /dev/null
@@ -1,4 +0,0 @@
-# QTBUG-106285
-[connectAndDisconnectSecureUnencryptedKey]
-rhel-9.0
-rhel-9.2
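Review bot: Both DiscoveryTest.qml hunks pick the expected endpoint count with `supportedSecurityPolicies.length === 3`, which infers missing SHA-1 support from a bare count, while SecurityTest.qml in the same commit probes for the Basic128Rsa15 URI with `includes(...)`. If the client's policy list changes size for any other reason, the condition is false and the test falls back to expecting 9 without saying why. I would use the same `supportedSecurityPolicies.includes("http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15") ? 9 : 5` probe in both places. A comment such as `// one None endpoint plus, presumably, two message security modes per secure policy; 5 when the SHA-1 policies are skipped` would explain the two magic numbers.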
diff --git a/tests/open62541-testserver/testserver.cpp b/tests/open62541-testserver/testserver.cpp
index 96ad7b9..663b308 100644
--- a/tests/open62541-testserver/testserver.cpp
+++ b/tests/open62541-testserver/testserver.cpp
@@ -154,10 +154,40 @@ bool TestServer::createSecureServerConfig(UA_ServerConfig *config)
 return false;
 }
- result = UA_ServerConfig_addAllSecurityPolicies(config, &certificate, &privateKey);
+ // result = UA_ServerConfig_addAllSecurityPolicies(config, &certificate, &privateKey);
- if (result != UA_STATUSCODE_GOOD) {
- qWarning() << "Failed to add security policies";
+ // Add the security policies manually because we need to skip Basic128Rsa15 and Basic256
+ // if OpenSSL doesn't support SHA-1 signatures (e.g. RHEL 9).
+
+ UA_StatusCode retval = UA_ServerConfig_addSecurityPolicyNone(config, &certificate);
+ if(retval != UA_STATUSCODE_GOOD) {
+ qWarning() << "Failed to add security policy None";
+ return false;
+ }
+
+ if (Open62541Utils::checkSha1SignatureSupport()) {
+ retval = UA_ServerConfig_addSecurityPolicyBasic128Rsa15(config, &certificate, &privateKey);
+ if(retval != UA_STATUSCODE_GOOD) {
+ qWarning() << "Failed to add security policy Basic128Rsa15";
+ return false;
+ }
+
+ retval = UA_ServerConfig_addSecurityPolicyBasic256(config, &certificate, &privateKey);
+ if(retval != UA_STATUSCODE_GOOD) {
+ qWarning() << "Failed to add security policy Basic256";
+ return false;
+ }
+ }
+
+ retval = UA_ServerConfig_addSecurityPolicyBasic256Sha256(config, &certificate, &privateKey);
+ if(retval != UA_STATUSCODE_GOOD) {
+ qWarning() << "Failed to add security policy Basic256Sha256";
+ return false;
+ }
+
+ retval = UA_ServerConfig_addSecurityPolicyAes128Sha256RsaOaep(config, &certificate, &privateKey);
+ if(retval != UA_STATUSCODE_GOOD) {
+ qWarning() << "Failed to add security policy Aes128Sha256RsaOaep";
 return false;
 } |
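Review bot: When `Open62541Utils::checkSha1SignatureSupport()` returns false, the server drops Basic128Rsa15 and Basic256 without logging anything, so a run that offers fewer endpoints than expected looks the same as a misconfiguration. Add an `else` branch such as `qInfo() << "OpenSSL lacks SHA-1 signature support, skipping Basic128Rsa15 and Basic256";`. The commented-out `// result = UA_ServerConfig_addAllSecurityPolicies(...)` line should be deleted rather than kept, since the comment below it already explains why the policies are added one by one. The manual list also pins the server to these five policies, so a policy that a later open62541 release registers through addAllSecurityPolicies would presumably not be offered; a short comment saying so would help whoever updates the bundled library. createSecureServerConfig starts and ends outside the hunk.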