Creating a server with certificate based authentication

[janmuc]

Hello,

complete beginner here. I am trying to establish a server on Raspberry pi that would have certification based authentication. I managed to create a simple server with no security policy, however I would now like to do a certificate based authentication.

I used generate-certificates.sh to generate certificates. I modified it slightly and added @altnames in subjectAltNames. I then wrote different IP and DNS addresses from devices that would be allowed to connect to server. Then I tried something with using the server-with-encryption.py, however, this is probably only the encryption part and not authentication. I did not work because there was an error that User does not have permissions to do that.

I am now a bit confused on how to continue. Does opcua-asyncio even support certificate based authentication? If so, can you give me an example or point me somewhere so I can read about it? If it does not, can you maybe suggest how to approach this problem with some different ideas?

Sorry if something is not okay with the post, I am posting for the first time.
Thank you in advance.

[AndreasHeine]

https://github.com/FreeOpcUa/opcua-asyncio/blob/master/examples/server-with-encryption.py

    cert_user_manager = CertificateUserManager()
    await cert_user_manager.add_user("certificates/peer-certificate-example-1.der", name='test_user')

    server = Server(user_manager=cert_user_manager)

[janmuc]

thank you for a quick reply.

Is that the part of the code that preforms authentication? If so, why does the server returns the following?

"User does not have permission to perform the requested operation." (BadUserAccessDenied)

[AndreasHeine]

opcua-asyncio/asyncua/server/user_managers.py

Line 54 in 933f4cb

async def add_admin(self, certificate_path: str, name:str, format: str = None):

[AndreasHeine]

dont know what you do on the server but if users arent allowed for your req its likely to be denied

[janmuc]

I am just testing how things work. I am using server-with-encryption.py and client-with-encryption.py. I have managed to get it working, however, now I am wondering if the server is able to allow only the certain IP addresses to connect. Is there a way to do so?

[AndreasHeine]

as far as i know there is no deeper check at this point... (but as always contribution is welcome!)
most servers (e.g. S7-1500 OPC UA Server) just validate the connecting ip and applicationuri with the ip and uri in the certificates subject altname extension