6 GTA API Profiles for OPC UA

6.1 ECC-nistP256

6.1.1 GTA API Creation Profile org.opcfoundation.ECC-nistP256

The profile org.opcfoundation.ECC-nistP256 supports creation of a personality using gta_personality_create(). 
Table 1 – GTA API Creation Profile org.opcfoundation.ECC-nistP256

Property           | Description
Security Mechanism | Mechanism details as specified in SecurityPolicy [ECC-B] – ECC-nistP256
Fingerprinting     | Implementation dependent
Attribute types    | ch.iec.30168.identifier (attribute name ch.iec.30168.identifier_value; cardinality 1): the identifier value that is assigned to the personality at the time of its creation (cf. IEC TS 30168 6.6.10.4.13).
                   | ch.iec.30168.trustlist.certificate.self.x509 (cardinality 0..1): X.509 end entity certificate.
                   | org.opcfoundation.product_instance_uri (cardinality 0..1): ProductInstanceUri represented by the personality. This attribute shall be present for personalities which are eligible identities to be used in the OPC UA onboarding process. This attribute should occur at most once. The attribute name shall be set to “ProductInstanceUri”.
Usage Info         | org.opcfoundation.ECC-nistP256

6.1.2 GTA API Enrollment Profile org.opcfoundation.ECC-nistP256

Table 2 – GTA API Enrollment Profile org.opcfoundation.ECC-nistP256

Property              | Description
Profile Dependencies  | org.opcfoundation.ECC-nistP256 for creation
Enrollment Attributes | org.opcfoundation.csr.subject (optional): CertificateRequestInfo.subject (according to IETF RFC 2986) in ASN.1 DER coding (binary).
                      | org.opcfoundation.csr.subjectAltName (optional): GeneralNames structure to appear as the subjectAltName extension inside the extensionRequest attribute of the CSR (IETF RFC 2985, IETF RFC 2986). The value shall be the ASN.1 DER encoded GeneralNames structure according to IETF RFC 5280.
Enrollment Artifact   | PKCS#10 according to IETF RFC 2986 in ASN.1 DER coding (binary).
                      | CertificateRequestInfo.subjectPKInfo contains the personality's EC public key. CertificationRequest.signatureAlgorithm and CertificationRequest.signature provide the proof of possession, computed with the personality's EC private key.
                      | CertificateRequestInfo.subject is provided via gta_context_set_attribute() (context attribute type org.opcfoundation.csr.subject).
                      | The subject alternative name is set
                      |   a) from the context attribute type org.opcfoundation.csr.subjectAltName, or
                      |   b) if org.opcfoundation.csr.subjectAltName is not set, from the identifier that relates to the personality (personality attribute type ch.iec.30168.identifier), provided the identifier type is org.opcfoundation.application_instance_uri; or
                      |   c) the function fails if neither of the above is available.
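The subject and subjectAltName rules of Table 2, worked through as an added example in Go. This code is not part of the profile specification or of any GTA API implementation: it assumes a hypothetical in-memory Personality type holding the P-256 key and the identifier type and value, a map standing in for the context attributes set with gta_context_set_attribute(), and the constructed URI urn:example.com:gta-demo:device-0001 as an application instance URI. The CA-side InspectCSR check (proof of possession and curve check) is likewise added here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"net/url"
)

// Attribute and identifier type names as they appear in the profile tables.
const (
	AttrCSRSubject        = "org.opcfoundation.csr.subject"
	AttrCSRSubjectAltName = "org.opcfoundation.csr.subjectAltName"
	IdentifierTypeAppURI  = "org.opcfoundation.application_instance_uri"
)

// Personality is a hypothetical stand-in for an ECC-nistP256 personality: P-256 key plus identifier.
type Personality struct {
	Key                           *ecdsa.PrivateKey
	IdentifierType, IdentifierVal string
}

func NewECCP256Personality(idType, idValue string) (*Personality, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Personality{Key: key, IdentifierType: idType, IdentifierVal: idValue}, nil
}

// DERSubject builds the DER Name a caller passes in org.opcfoundation.csr.subject.
func DERSubject(commonName string) ([]byte, error) {
	return asn1.Marshal(pkix.Name{CommonName: commonName}.ToRDNSequence())
}

// DERURIGeneralNames builds DER GeneralNames of URI entries ([6] IA5String) for org.opcfoundation.csr.subjectAltName.
func DERURIGeneralNames(uris ...string) ([]byte, error) {
	var names []asn1.RawValue
	for _, u := range uris {
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(u)})
	}
	return asn1.Marshal(names)
}

// BuildEnrollmentCSR applies the profile's subject and subjectAltName rules.
// ctx holds the DER context attributes set via gta_context_set_attribute().
func BuildEnrollmentCSR(p *Personality, ctx map[string][]byte) ([]byte, error) {
	tmpl := x509.CertificateRequest{SignatureAlgorithm: x509.ECDSAWithSHA256}
	if subj, ok := ctx[AttrCSRSubject]; ok {
		tmpl.RawSubject = subj // subject is taken verbatim from the context attribute
	}
	switch {
	case len(ctx[AttrCSRSubjectAltName]) > 0:
		// Rule a): caller-supplied GeneralNames go unchanged into the extensionRequest.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 17}, Value: ctx[AttrCSRSubjectAltName]}}
	case p.IdentifierType == IdentifierTypeAppURI:
		// Rule b): otherwise use the identifier, if it is an application instance URI.
		u, err := url.Parse(p.IdentifierVal)
		if err != nil {
			return nil, fmt.Errorf("identifier is not a valid URI: %w", err)
		}
		tmpl.URIs = []*url.URL{u}
	default:
		// Rule c): no source for the subjectAltName, so enrollment fails.
		return nil, errors.New("no subjectAltName source available")
	}
	// The self-signature over CertificateRequestInfo is the proof of possession.
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, p.Key)
}

// InspectCSR is the CA-side check: parse the PKCS#10 DER, verify the proof of
// possession and require a P-256 key in subjectPKInfo. Returns commonName and SAN URIs.
func InspectCSR(der []byte) (string, []string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok || pub.Curve.Params().Name != "P-256" {
		return "", nil, errors.New("subjectPKInfo is not a P-256 key")
	}
	var uris []string
	for _, u := range csr.URIs {
		uris = append(uris, u.String())
	}
	return csr.Subject.CommonName, uris, nil
}

func main() {
	p, _ := NewECCP256Personality(IdentifierTypeAppURI, "urn:example.com:gta-demo:device-0001") // constructed sample
	subj, _ := DERSubject("device-0001")
	der, _ := BuildEnrollmentCSR(p, map[string][]byte{AttrCSRSubject: subj})
	fmt.Println(InspectCSR(der))
}
```

The explicit org.opcfoundation.csr.subjectAltName attribute always wins over the identifier fallback, and the identifier is only used when its type is org.opcfoundation.application_instance_uri; any other identifier type without the attribute makes BuildEnrollmentCSR fail before a CSR is signed.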

6.1.3 GTA API Usage Profile org.opcfoundation.ECC-nistP256

Table 3 – GTA API Usage Profile org.opcfoundation.ECC-nistP256

Property                           | Description
Profile Dependencies               | org.opcfoundation.ECC-nistP256 for creation and enrollment
gta_personality_get_attribute()    | ch.iec.30168.identifier, ch.iec.30168.trustlist.certificate.self.x509, org.opcfoundation.product_instance_uri
gta_personality_add_attribute()    | ch.iec.30168.trustlist.certificate.self.x509, org.opcfoundation.product_instance_uri
gta_personality_remove_attribute() | ch.iec.30168.trustlist.certificate.self.x509, org.opcfoundation.product_instance_uri
gta_authenticate_data_detached()   | Signs data and returns a signature artifact depending on the mechanism of the used personality. Mechanism details as specified in SecurityPolicy [ECC-B] – ECC-nistP256 (http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256).
Usage Attributes                   | n/a
Usage Artifact                     | Binary; format tbd.

6.2 Aes256-Sha256-RsaPss

6.2.1 GTA API Creation Profile org.opcfoundation.Aes256-Sha256-RsaPss

The profile org.opcfoundation.Aes256-Sha256-RsaPss supports creation of a personality using gta_personality_create(). 
Table 4 – GTA API Creation Profile org.opcfoundation.Aes256-Sha256-RsaPss

Property           | Description
Security Mechanism | Mechanism details as specified in SecurityPolicy Aes256-Sha256-RsaPss. The expected key length is 4096 bits.
Fingerprinting     | ToDo
Attribute types    | ch.iec.30168.identifier (attribute name ch.iec.30168.identifier_value; cardinality 1): the identifier value that is assigned to the personality at the time of its creation (cf. IEC TS 30168 6.6.10.4.13).
                   | ch.iec.30168.trustlist.certificate.self.x509: X.509 end entity certificate.
                   | org.opcfoundation.product_instance_uri: ProductInstanceUri represented by the personality. This attribute shall be present for personalities which are eligible identities to be used in the OPC UA onboarding process. This attribute should occur at most once per personality. The attribute name shall be set to “ProductInstanceUri”.
Usage Info         | org.opcfoundation.Aes256-Sha256-RsaPss

6.2.2 GTA API Enrollment Profile org.opcfoundation.Aes256-Sha256-RsaPss

Table 5 – GTA API Enrollment Profile org.opcfoundation.Aes256-Sha256-RsaPss

Property              | Description
Profile Dependencies  | org.opcfoundation.Aes256-Sha256-RsaPss for creation
Enrollment Attributes | cf. Table 2
Enrollment Artifact   | cf. Table 2

6.2.3 GTA API Usage Profile org.opcfoundation.Aes256-Sha256-RsaPss

Table 6 – GTA API Usage Profile org.opcfoundation.Aes256-Sha256-RsaPss

Property                           | Description
Profile Dependencies               | org.opcfoundation.Aes256-Sha256-RsaPss for creation and enrollment
gta_personality_get_attribute()    | ch.iec.30168.identifier, ch.iec.30168.trustlist.certificate.self.x509, org.opcfoundation.product_instance_uri
gta_personality_add_attribute()    | ch.iec.30168.trustlist.certificate.self.x509
gta_personality_remove_attribute() | ch.iec.30168.trustlist.certificate.self.x509
gta_authenticate_data_detached()   | Signs data and returns a signature artifact depending on the mechanism of the used personality. Mechanism details as specified in SecurityPolicy Aes256-Sha256-RsaPss (http://opcfoundation.org/UA/SecurityPolicy#Aes256-Sha256-RsaPss).
gta_unseal_data()                  | Decryption for OpenSecureChannel. Mechanism details as specified in SecurityPolicy Aes256-Sha256-RsaPss (http://opcfoundation.org/UA/SecurityPolicy#Aes256-Sha256-RsaPss).
Usage Attributes                   | n/a
Usage Artifact                     | Binary; format tbd.
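Added example, not code from the specification or from any GTA implementation: the signature mechanisms behind gta_authenticate_data_detached() for both usage profiles (Table 3 and Table 6) and the RSA-OAEP decryption behind gta_unseal_data() (Table 6), in Go. It assumes hypothetical in-memory key holders in place of GTA personalities; for ECC-nistP256 it uses ECDSA over P-256 with SHA-256 and, because the usage artifact encoding is tbd above, the DER (r, s) encoding; for Aes256-Sha256-RsaPss it uses RSA-PSS with SHA-256 and a salt as long as the hash, and RSA-OAEP with SHA-256 and an empty label, as the named SecurityPolicy specifies. The messages are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// RsaPssMinKeyBits is the smallest RSA length the Aes256-Sha256-RsaPss policy
// allows; the creation profile expects 4096 bits.
const RsaPssMinKeyBits = 2048

// DetachedSigner models gta_authenticate_data_detached(): the artifact is a signature carried separately from the data.
type DetachedSigner interface {
	Sign(data []byte) ([]byte, error)
	Verify(data, sig []byte) bool
}

// ECCP256Signer is a hypothetical ECC-nistP256 personality: ECDSA P-256 with SHA-256, DER (r, s) artifact (encoding tbd in the profile).
type ECCP256Signer struct{ key *ecdsa.PrivateKey }

func NewECCP256Signer() (*ECCP256Signer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ECCP256Signer{key: k}, nil
}

func (s *ECCP256Signer) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}

func (s *ECCP256Signer) Verify(data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(&s.key.PublicKey, h[:], sig)
}

// RsaPssPersonality is a hypothetical Aes256-Sha256-RsaPss personality: RSA-PSS-SHA256 signatures, RSA-OAEP-SHA256 unsealing.
type RsaPssPersonality struct{ key *rsa.PrivateKey }

func NewRsaPssPersonality(bits int) (*RsaPssPersonality, error) {
	if bits < RsaPssMinKeyBits {
		return nil, fmt.Errorf("%d-bit RSA key is below the policy minimum of %d", bits, RsaPssMinKeyBits)
	}
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &RsaPssPersonality{key: k}, nil
}

// A salt as long as the hash (32 bytes) is assumed, matching RSA-PSS-SHA2-256 in OPC UA.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

func (p *RsaPssPersonality) Sign(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, p.key, crypto.SHA256, h[:], pssOpts)
}

func (p *RsaPssPersonality) Verify(data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(&p.key.PublicKey, crypto.SHA256, h[:], sig, pssOpts) == nil
}

// Seal is the peer's side of OpenSecureChannel (public key from the certificate);
// Unseal is gta_unseal_data() on the private key. OAEP with SHA-256, empty label.
func (p *RsaPssPersonality) Seal(plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.key.PublicKey, plaintext, nil)
}

func (p *RsaPssPersonality) Unseal(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ciphertext, nil)
}

// SignAndCheck signs data and confirms the signature verifies on the original
// data but is rejected once one bit of the data is flipped.
func SignAndCheck(s DetachedSigner, data []byte) (bool, error) {
	sig, err := s.Sign(data)
	if err != nil {
		return false, err
	}
	tampered := append([]byte(nil), data...)
	tampered[0] ^= 0x01
	return s.Verify(data, sig) && !s.Verify(tampered, sig), nil
}

func main() {
	ecc, _ := NewECCP256Signer()
	rsaP, _ := NewRsaPssPersonality(4096) // the profile's expected length; generation takes a few seconds
	msg := []byte("OpenSecureChannel request (constructed sample)")
	fmt.Println(SignAndCheck(ecc, msg))
	fmt.Println(SignAndCheck(rsaP, msg))
}
```

The detached artifact covers the data only through its SHA-256 digest, so the caller must hand the verifier exactly the bytes that were signed; the tamper check in SignAndCheck shows a single flipped bit is enough to reject the signature under both policies.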