A.4 Using org.opcfoundation.Aes256-Sha256-RsaPss to create a OpenSecureChannel Response

The example code below illustrates the use of GTA API to implement the scenario outlined in section 5.5.2, Figure 21. Note that functionality expected to be provided by the application is not elaborated but only addressed in comments. Error handling is omitted for the sake of clarity of the workflow.

The following pre-conditions apply:

  • OPC UA application installed on device
  • The OPC UA application has been successfully onboarded (cf. 5.4)
  • The OPC UA security policy used in OpenSecureChannel Response is  Aes256-Sha256-RsaPss
  • The GTA API profile used in the example is org.opcfoundation.Aes256-Sha256-RsaPss
  • The name of the attribute used to store the Application Instance Certificate is my_server
  • The GTA API personality name used in the example is urn:manufacturer.com:2024-10:myproduct:myserver_appid?cg=DefaultApplicationGroup&ct=Rsa2048&ix=1

  1. gta_errinfo_t errinfo = 0;
  3. char personality_name[]
  4. = "urn:manufacturer.com:2024-10:myproduct:myserver_appid?"
  5. "cg=DefaultApplicationGroup&ct=Rsa2048&ix=1";
  6. char profile[]
  7. = "org.opcfoundation.Aes256-Sha256-RsaPss";
  8. char certificate_name = "my_server";
  9. char trustlist_personality_name[]
  10. = "urn:manufacturer.com:2024-10:myproduct:myserver_appid?"
  11. "cg=DefaultApplicationGroup;
  12. char trustlist_profile[]
  13. = "ch.iec.30168.basic.local_data_integrity_only";
  15. gta_context_handle_t h_ctx = GTA_HANDLE_INVALID;
  16. h_ctx = gta_context_open(
  17. h_inst,
  18. personality_name,
  19. profile,
  20. &errinfo);
  22. /* Get server certificate from personality attribute (optional) */
  24. char cert_buffer[CERT_SIZE];
  25. myio_obufstream_t ostream_cert = { 0 };
  26. gta_personality_get_attribute(
  27. h_ctx,
  28. certificate_name,
  29. (gtaio_ostream_t*)&ostream_cert,
  30. &errinfo);
  31. myio_close_obufstream(&ostream_cert, &errinfo);
  33. /* Prepare OpenSecureChannel Response */
  35. gta_context_handle_t h_ctx_seal = GTA_HANDLE_INVALID;
  36. h_ctx_seal = gta_context_open(
  37. h_inst,
  38. trustlist_personality_name,
  39. trustlist_profile,
  40. &errinfo);
  42. char trustlist_buffer[] = {…};
  43. size_t trustlist_len = …;
  44. myio_ibufstream_t istream_trustlist = { 0 };
  45. myio_open_ibufstream(
  46. &istream_trustlist,
  47. trustlist_buffer, trustlist_len,
  48. &errinfo);
  49. char seal_buffer[] = {…};
  50. size_t seal_len = …;
  51. myio_ibufstream_t istream_seal = { 0 };
  52. myio_open_ibufstream(
  53. &istream_seal,
  54. seal_buffer, seal_len,
  55. &errinfo);
  56. if (!gta_verify_data_detached(
  57. h_ctx_seal,
  58. (gtaio_istream_t*)&istream_trustlist,
  59. (gtaio_istream_t*)&istream_seal,
  60. &errinfo)) {
  61. /* fail – TrustList has been tampered with */
  62. }
  63. myio_close_ibufstream(&istream_trustlist, &errinfo);
  64. myio_close_ibufstream(&istream_seal, &errinfo);
  66. gta_context_close(h_ctx_seal, &errinfo);
  68. char encrypted_requestdata_buffer[] = {…};
  69. size_t encrypted_requestdata_len = …;
  70. myio_ibufstream_t istream_encrypted_requestdata = { 0 };
  71. myio_open_ibufstream(
  72. &istream_encrypted_requestdata,
  73. encrypted_requestdata_buffer, encrypted_requestdata_len,
  74. &errinfo);
  75. #define REQUESTDATA_SIZE
  76. char decrypted_requestdata_buffer[REQUESTDATA_SIZE];
  77. myio_obufstream_t ostream_decrypted_requestdata = { 0 };
  78. myio_open_obufstream(
  79. &ostream_decrypted_requestdata,
  80. decrypted_requestdata_buffer, sizeof(decrypted_requestdata_buffer),
  81. &errinfo);
  82. gta_unseal_data(
  83. h_ctx,
  84. (gtaio_istream_t*)&istream_encrypted_requestdata,
  85. (gtaio_ostream_t*)&ostream_decrypted_requestdata,
  86. &errinfo);
  87. myio_close_ibufstream(&istream_encrypted_requestdata, &errinfo);
  88. myio_close_obufstream(&ostream_decrypted_requestdata, &errinfo);
  90. char tbs_responsedata_buffer[] = {…};
  91. size_t tbs_responsedata_len = …;
  92. myio_ibufstream_t istream_tbs_responsedata = { 0 };
  93. myio_open_ibufstream(
  94. &istream_tbs_responsedata,
  95. tbs_responsedata_buffer, tbs_responsedata_len,
  96. &errinfo);
  97. #define SIGNATURE_SIZE
  98. char signature_buffer[SIGNATURE_SIZE];
  99. myio_obufstream_t ostream_signature = { 0 };
  100. myio_open_obufstream(
  101. &ostream_signature,
  102. signature_buffer, sizeof(signature_buffer),
  103. &errinfo);
  104. gta_authenticate_data_detached(
  105. h_ctx,
  106. (gtaio_istream_t*)&istream_tbs_responsedata,
  107. (gtaio_ostream_t*)&ostream_signature,
  108. &errinfo);
  109. myio_close_ibufstream(&istream_tbs_responsedata, &errinfo);
  110. myio_close_obufstream(&ostream_signature, &errinfo);
  112. gta_context_close(h_ctx, &errinfo);