feat: add support for AuthPrivateKey

NewUserTokenSignature should use the RSA key associated with AuthCertificate to sign the user token signature. Tested with Prosys OPC UA Simulation Server. Closes gopcua#671
jackchenjc · Aug 24, 2023 · 7f8b1d1 · 7f8b1d1
1 parent 0ddf736
commit 7f8b1d1
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 1 deletion.
diff --git a/config.go b/config.go
@@ -467,6 +467,16 @@ func AuthCertificate(cert []byte) Option {
 	}
 }
 
+// AuthPrivateKey sets the client's authentication RSA private key
+// Note: PolicyID still needs to be set outside of this method, typically through
+// the SecurityFromEndpoint() Option
+func AuthPrivateKey(key *rsa.PrivateKey) Option {
+	return func(cfg *Config) error {
+		cfg.sechan.UserKey = key
+		return nil
+	}
+}
+
 // AuthIssuedToken sets the client's authentication data based on an externally-issued token
 // Note: PolicyID still needs to be set outside of this method, typically through
 // the SecurityFromEndpoint() Option

diff --git a/config_test.go b/config_test.go
@@ -218,6 +218,17 @@ func TestOptions(t *testing.T) {
 				}(),
 			},
 		},
+		{
+			name: `AuthPrivateKey()`,
+			opt:  AuthPrivateKey(cert.PrivateKey.(*rsa.PrivateKey)),
+			cfg: &Config{
+				sechan: func() *uasc.Config {
+					c := DefaultClientConfig()
+					c.UserKey = cert.PrivateKey.(*rsa.PrivateKey)
+					return c
+				}(),
+			},
+		},
 		{
 			name: `AuthIssuedToken()`,
 			opt:  AuthIssuedToken([]byte("a")),

diff --git a/uasc/config.go b/uasc/config.go
@@ -33,6 +33,10 @@ type Config struct {
 	// messages.  It is the key associated with Certificate
 	LocalKey *rsa.PrivateKey
 
+	// UserKey is a RSA Private Key which will be used to sign the UserTokenSignature.
+	// It is the key associated with AuthCertificate
+	UserKey *rsa.PrivateKey
+
 	// Thumbprint is the thumbprint of the X.509 v3 Certificate assigned to the receiving
 	// application Instance.
 	// The thumbprint is the CertificateDigest of the DER encoded form of the

diff --git a/uasc/secure_channel_crypto.go b/uasc/secure_channel_crypto.go
@@ -111,7 +111,7 @@ func (s *SecureChannel) NewUserTokenSignature(policyURI string, cert, nonce []by
 	}
 	remoteKey := remoteX509Cert.PublicKey.(*rsa.PublicKey)
 
-	enc, err := uapolicy.Asymmetric(policyURI, s.cfg.LocalKey, remoteKey)
+	enc, err := uapolicy.Asymmetric(policyURI, s.cfg.UserKey, remoteKey)
 	if err != nil {
 		return nil, "", err
 	}