Extend ServerConfiguration & GDS Server for ECC

Docs/EccProfiles.md

@@ -237,6 +237,41 @@ Additionally the `<UserTokenPolicies>` section of the configuration file can be
 Combining the "old" and the "new" configuration formats is not supported. That means that the `<ApplicationCertificate>` tag cannot be used in the same configuration file with the `<ApplicationCertificates>` tag.
 
 
+## Configure GDS for use with ECC Certificates
+
+To configure the Global Discovery Server for use with ECC Certificates the configuration needs to be updated.
+
+```xml
+  <Extensions>
+    <ua:XmlElement>
+      <GlobalDiscoveryServerConfiguration xmlns="http://opcfoundation.org/UA/GDS/Configuration.xsd">
+        <CertificateGroups>
+          <CertificateGroupConfiguration>
+            <Id>Default</Id>
+            <CertificateType>RsaSha256ApplicationCertificateType</CertificateType>
+```
+
+Replace the `<CertificateType>` node of the Default CertificateGroupConfiguration with the `<CertificateTypes>` node. 
+This allows the Certificate Group to have multiple CA Certificates for the different Certificate types.
+
+```xml
+<Extensions>
+    <ua:XmlElement>
+      <GlobalDiscoveryServerConfiguration xmlns="http://opcfoundation.org/UA/GDS/Configuration.xsd">
+        <CertificateGroups>
+          <CertificateGroupConfiguration>
+            <Id>Default</Id>
+            <CertificateTypes>
+              <ua:String>RsaSha256ApplicationCertificateType</ua:String>
+              <ua:String>EccNistP256ApplicationCertificateType</ua:String>
+              <ua:String>EccNistP384ApplicationCertificateType</ua:String>
+            </CertificateTypes>
+```
+
+The old Configuration format is still supported but only supports either RSA or ECC Certificates for a single CertificateGroup.
+The GDS checks on startup if a valid configuration was supplied.
+
+
 ## Known Limitations
 
 Not all curves are supported by all OS platforms and not all .NET implementations offer cryptographic API support for all curve types.
@@ -249,4 +284,6 @@ The supported ECC curve types are the following:
  - `BrainpoolP384r1`        for ECC certificates with Brainpool P384r1 curve
 
 
+
+
 

Docs/README.md

@@ -11,6 +11,7 @@ UA Core stack related:
 * Support for the [TransferSubscriptions](TransferSubscription.md) service set.
 * Improved support for [Logging](Logging.md) with `ILogger` and `EventSource`.
 * Support for [WellKnownRoles & RoleBasedUserManagement](RoleBasedUserManagement.md).
+* Support for [ECC Certificates](Docs/EccProfiles.md).
 
 Reference application related:
 * [Reference Client](../Applications/ConsoleReferenceClient/README.md) documentation for configuration of the console reference client using parameters.

Libraries/Opc.Ua.Configuration/ApplicationInstance.cs

@@ -910,44 +910,18 @@ private static async Task<X509Certificate2> CreateApplicationInstanceCertificate
 #if !ECC_SUPPORT
                 throw new ServiceResultException(StatusCodes.BadConfigurationError, "The Ecc certificate type is not supported.");
 #else
-                ECCurve curve = default(ECCurve);
-                if (id.CertificateType == ObjectTypeIds.EccApplicationCertificateType ||
-                    id.CertificateType == ObjectTypeIds.EccNistP256ApplicationCertificateType)
-                {
-                    curve = ECCurve.NamedCurves.nistP256;
-                }
-                else if (id.CertificateType == ObjectTypeIds.EccNistP384ApplicationCertificateType)
-                {
-                    curve = ECCurve.NamedCurves.nistP384;
-                }
-                else if (id.CertificateType == ObjectTypeIds.EccBrainpoolP256r1ApplicationCertificateType)
-                {
-                    curve = ECCurve.NamedCurves.brainpoolP256r1;
-                }
-                else if (id.CertificateType == ObjectTypeIds.EccBrainpoolP384r1ApplicationCertificateType)
-                {
-                    curve = ECCurve.NamedCurves.brainpoolP384r1;
-                }
-#if CURVE25519
-                else if (id.CertificateType == ObjectTypeIds.EccCurve25519ApplicationCertificateType)
-                {
-                    curve = default(ECCurve);
-                }
-                else if (id.CertificateType == ObjectTypeIds.EccCurve448ApplicationCertificateType)
-                {
-                    curve = default(ECCurve);
-                }
-#endif
-                else
+                ECCurve? curve = EccUtils.GetCurveFromCertificateTypeId(id.CertificateType);
+
+                if(curve == null)
                 {
-                    throw new ServiceResultException(StatusCodes.BadConfigurationError, "The ECC certificate type is not supported.");
+                    throw new ServiceResultException(StatusCodes.BadConfigurationError, "The Ecc certificate type is not supported.");
                 }
 
                 id.Certificate = builder
-                    .SetECCurve(curve)
+                    .SetECCurve(curve.Value)
                     .CreateForECDsa();
 
-                Utils.LogCertificate("Certificate created for {0}.", id.Certificate, curve.Oid.FriendlyName);
+                Utils.LogCertificate("Certificate created for {0}.", id.Certificate, curve.Value.Oid.FriendlyName);
 #endif
             }
 
@@ -1163,7 +1137,7 @@ private static async Task<bool> ApproveMessageAsync(string message, bool silent)
                 return false;
             }
         }
-        #endregion
+#endregion
 
         #region Private Fields
         private string m_applicationName;