Refactor SecureChannel Encryption/Decryption & add SecurityPolicyInfo

[romanett]

This pull request introduces several improvements and refactorings to the security handling and resource management in the OPC UA stack, particularly focusing on the ChannelToken and security policy utilities. The main themes are enhanced security policy information retrieval, and a refactor of the ChannelToken class to clarify property usage and resource disposal.

Security policy utilities:

• Adds a GetInfo method and a lazily-initialized dictionary (s_securityPolicyUriToInfo) to efficiently retrieve SecurityPolicyInfo objects by URI, improving security policy lookup and validation. [1] [2]

ChannelToken refactoring and improvements:

• Refactors the ChannelToken class to clarify and update property responsibilities:

  • Introduces a SecurityPolicy property to track the security policy in use.
  • Updates or replaces several cryptographic and certificate-related properties, making some internal for encapsulation and changing the semantics of others (e.g., SecureChannelSecret, ServerCertificate, ClientCertificate).
  • Removes direct references to cryptographic objects (HMAC, SymmetricAlgorithm) in favor of simpler byte array properties, and makes related properties internal for better encapsulation. (Fea73fe4L96R96, Fea73fe4L112R112, Stack/Opc.Ua.Core/Stack/Tcp/ChannelToken.csL120-R157)

• Simplifies the Dispose logic in ChannelToken by removing explicit disposal of cryptographic objects, relying on garbage collection and improved property management. [1] [2]

Types of changes

What types of changes does your code introduce?

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

[codecov]

Codecov Report

❌ Patch coverage is 67.46725% with 298 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.78%. Comparing base (fab6f2a) to head (6cb73a5).

Files with missing lines	Patch %	Lines
...tack/Opc.Ua.Core/Security/Certificates/EccUtils.cs	32.17%	144 Missing and 12 partials ⚠️
...c.Ua.Core/Security/Certificates/EncryptedSecret.cs	59.23%	109 Missing and 19 partials ⚠️
...c.Ua.Core/Security/Constants/SecurityPolicyInfo.cs	97.31%	5 Missing and 2 partials ⚠️
...c.Ua.Core/Stack/Tcp/UaSCBinaryChannel.Symmetric.cs	94.11%	3 Missing and 2 partials ⚠️
...Opc.Ua.Core/Security/Constants/SecurityPolicies.cs	92.30%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3293      +/-   ##
==========================================
- Coverage   57.85%   57.78%   -0.07%     
==========================================
  Files         368      370       +2     
  Lines       80144    80533     +389     
  Branches    13907    13955      +48     
==========================================
+ Hits        46367    46539     +172     
- Misses      29562    29786     +224     
+ Partials     4215     4208       -7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[romanett]

Maybe extend SecuritiypolicyInfo, with an IsEcc Property?

[romanett]

Add AlgortihmFamilyEnum RSA|EC to SecurityPolcyInfo

[romanett]

Is EccUtils the right name for this because SymmetricEncryptAndSign is called by SecureChannel for alle Policies?

[romanett]

@randy-armstrong can you check why this is failing. I did not include your refactored EncryptedSecret yet, wanted to do this separately.

[mrsuciu]

kChaChaPolyTagLength instead of kAesGcmTagLength ?

[mrsuciu]

The new implementation does not involve mix-in of the SequenceNumber and IV in the cipher. Isn't this a security issue ?

[mrsuciu]

Isn't creating the instance per message costly ?

[mrsuciu]

Isn't creating the instance per message costly ?