1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
OPC Security
------------
....
<RItemList> | <WItemList> | <ItemList>
...
<Items ... EncyptAnswer, SignAnswer/>
<Items ... EncyptAnswer, SignAnswer/>
....
</RItemList> | </WItemList> | </ItemList>
....
[
+ to each item can corrsenpond attachment in following format
struct OPCData {
void *ptr
unsigned long size;
}
]
Two types of XML encryption/signing
1. All inside <ItemList> tag
2. All inside <Items> tag
Specifications
--------------
OPC XML-DA specification
XML Encryption specification
XML Signature specification
Request processing
------------------
1. Decrypt List if encrypted (encrypted using Server certificate,
or one of Item certificates)
[ If failed return error ]
2. Decrypt Encrypted Items
[ If one of items failed, replace with empty item and set error in
OPCSecurityRequestContext ]
3. Verify List and Items signatures
[ All certificates corresponding to valid signatures place into
OPCSecurityRequestContext ]
4. Remove signatures from XML document
5. Analyze EncryptAnswer, SignAnswer fields and remove them from XML
Repsonse processing
-------------------
1. Sign and encrypt items and list depending on supported
OPCSecurityRequestContext
a) SignItems
b) SignList
c) EncyptItems
d) EncryptList
Classes
-------
struct OPCSecurityContextT {
Server Certificate
Server Key
OPCContext sctx;
};
OPCSecurityContext opcSecurityCreateContext()
int opcSecurityInitContext(ctx, cert_file, key_file, ???)
void opcSecurityFreeContext(ctx)
void opcSecurityDestroyContext(ctx)
opcSecurityDecryptItem(ctx, xmlnode, attachment)
opcSecurityDecryptList(ctx, xmlnode, attachments)
opcSecuritySignItem(ctx, xmlnode, attachment)
opcSecuritySignList(ctx, xmlnode, attachments)
opcSecurityEncryptItem(ctx, certificate, xmlnode, attachment)
opcSecurityEncryptList(ctx, certificate, xmlnode, attachments)
opcSecurityVerifyItem(ctx, &certificate, xmlnode, attachment)
opcSecurityVerifyList(ctx, &certificate, xmlnode, attachment)
opcSecurityProcessRequest(ctx, &requestctx, xmldoc, attachments)
opcSecurityProcessAnswer(ctx, requestctx, xmldoc, attachments)
struct OPCSecurityRequestContextT {
usercert_list
usercert_item[]
tosign_list
tosign_item[]
toencrypt_list
toencrypt_item[]
failure_list (0 - OK, 1 - Decrypt failed, 2 - Verify failed)
failure_item[]
};
OPCSecuriyRequest opcSecurityRequestCreateContext()
int opcSecurityInitContext(OPCSecurityRequest ctx, ...)
void opcSecurityFreeContext(OPCSecurityRequest ctx)
void opcSecurityDestroyContext(OPCSecurityRequest ctx)
External Function:
-----------------
OPCSecurityContext opcServerInterfaceGetItemSecurity(OPCContext ctx, item_path, item_name);
[ In development treat that it returns server security context ]
External Libraries
------------------
Gnome XML Library (http://libxml.org)
Gnome XML Security Library xmlsec (http://www.aleksey.com/xmlsec/)
OpenSSL
|