mxaccess

dohertj2/mxaccess

Fork 0

Commit Graph

Author	SHA1	Message	Date
Joseph Doherty	f14580e0db	[M5] mxaccess-asb: F28 canonical-XML signing wired + registry-driven DH params Adds `xml_canonical` module that emits XmlSerializer-compatible canonical XML for the five primary `ConnectedRequest` shapes (AuthenticateMe, Disconnect, KeepAlive, RegisterItemsRequest, UnregisterItemsRequest). Six fixture-comparison tests verify byte-exact match against captured .NET output, including the empty-MAC-IV variant that the live signing flow uses (`authenticate-me-empty-mac-iv.xml`, 896 bytes; new `emit_data_ns_byte_array` helper picks self-closing form for empty byte[]). Plumbing: `AsbAuthenticator::peek_next_message_number` exposes the pre-allocated message number; `AsbClient::send_signed_envelope[_one_way]` gain an `xml_for_signing: Option<&[u8]>` parameter. `connect`, `disconnect`, `keep_alive`, `register_items`, `unregister_items` now build a pre-signing `ConnectionValidator` (empty MAC + IV) + emit the canonical XML + pass the bytes through to HMAC. Other ops (Read, Write, Subscription) keep the legacy NBFX-bytes path until F28 expands to cover their request shapes. Live-bring-up wiring: - `tools/Get-AsbPassphrase.ps1` now exports `MX_ASB_DH_PRIME`, `MX_ASB_DH_GENERATOR`, `MX_ASB_DH_HASH_ALGORITHM` (always — even when empty, so the example can distinguish "no env var" from "registry says empty"), and `MX_ASB_DH_KEY_SIZE`. - `examples/asb-subscribe.rs` honours those env vars to override `CryptoParameters::defaults()`. Each AVEVA install picks its own DH group at provisioning time (768-bit prime is typical, vs the .NET reference's 1024-bit fallback that we previously hardcoded). Empty hashAlgorithm in the registry maps to `HashAlgorithm::Unrecognised`, matching `AsbSystemAuthenticator.CreateHmac:84-93` semantics where empty + forceHmac=true → HMAC-SHA1. - `MxAsbClient.Probe --dump-signed-xml` flag (added in earlier commit) now traces the live HMAC inputs (`asb.sign.xml-utf8-len`, `asb.sign.xml-b64`, `asb.sign.hmac-b64`, etc.) so the Rust port can diff its canonical XML against .NET's byte-for-byte for any live scenario (env-driven via `Action<string>? sharedTrace`). Wire-format alignment for `XmlSerializer` parity: - `ItemIdentity::default()` and `absolute_by_name` now use `Some(String::new())` for null-able strings (matches .NET's `CreateAbsoluteItem` setting `ContextName = string.Empty` not null). - `read_unicode_string` returns `Some(String::new())` for length-0 rather than `None` — mirrors .NET's `AsbBinary.ReadUnicodeString: return string.Empty for byteLength == 0`. Wire format genuinely cannot distinguish null from empty (both encode as 4 bytes of zero); callers that need to preserve the distinction MUST track it in their domain types before encoding. Live status (post-fix): Connect handshake completes end-to-end. The canonical XML our emitter produces matches .NET's structure byte-for- byte (verified by fixture comparison). DH prime/generator/hash now match the live registry values. Despite all this, AuthenticateMe still produces a generic dispatcher fault on the server — there's at least one more subtle wire-byte or crypto mismatch that needs isolation. F28 stays open with that note. Workspace: 709 unit tests pass (was 702 + 7 new xml_canonical tests). Clippy: clean (`-D warnings`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 17:31:31 -04:00
Joseph Doherty	3b09297b27	[M5] live-probe iteration 1 — major wire-byte reconciliation fixes First live-test cycle against AVEVA on this box. Comparing the .NET probe's `--dump-messages` XML output against our NBFX-encoded envelope surfaced six structural bugs in the F25 envelope/operations layer. All fixed; tests passing (702 workspace). Fixes (all backed by the .NET dump as ground truth): 1. `mustUnderstand` attribute name — NBFS dict id was 116 (`MustUnderstand`, capital-M, a different SOAP token); SOAP 1.2 spec uses lowercase `mustUnderstand` at id 0. Sending the wrong one triggered a WCF parse fault that surfaced as TCP RST. 2. Missing `<a:MessageID>` header — WCF's default binding requires MessageID for two-way operations. We now auto-generate `urn:uuid:<v4>` per envelope via a small inline `make_random_uuid_v4` helper (no `uuid` crate dep). 3. Missing `<a:ReplyTo>` anonymous header — WCF's BinaryMessageEncoder always emits `<a:ReplyTo><a:Address>... addressing/anonymous</a:Address></a:ReplyTo>` for two-way ops. 4. ConnectionValidator field names + namespace — we were emitting PascalCase `<ConnectionId>` etc. .NET's WCF DataContractSerializer uses the private backing-field names (`<connectionIdField xmlns="...ASBContract">guid</connectionIdField>`) per `[DataMember(Name = "fooField")]`. Added the `xmlns:i="...XMLSchema-instance"` declaration WCF emits alongside (even when no `i:nil` is used). Decoder now accepts both PascalCase (legacy tests) and DataContract field names. 5. `<ASBIData>` over-wrapping — we were emitting `<Items><ASBIData>{bytes}</ASBIData></Items>`. .NET's `AsbDataCustomSerializer.WriteStartObject` (`AsbContracts.cs: 1561-1572`) REPLACES the field's outer element with `<ASBIData>` directly — there's no `<Items>` wrapper on the wire. Fixed by collapsing `BodyField::AsbiDataElement` to emit just `<ASBIData>` without the named outer element. The `name` field is retained for self-documentation. 6. `collect_asbidata_payloads` API — was keyed by field name (`Status` / `Values`); now positional (`payloads[0]`, `payloads.get(1)`) since the wrapper element is gone. All seven response decoders updated. Plus tooling for the live-probe loop: * `tools/Get-AsbPassphrase.ps1` — DPAPI loader that auto-discovers the solution name + reads the sharedsecret + decrypts it. Sets $env:MX_ASB_PASSPHRASE / MX_ASB_HOST / MX_ASB_VIA / MX_LIVE. Lowercase via-host (WCF SMSvcHost is case-sensitive on the URL host segment). * `examples/asb-preamble-probe.rs` — diagnostic that connects, runs the preamble, captures the PreambleAck, then sends a synthetic ConnectRequest and dumps both directions as hex. Used to bisect the wire-byte deltas above. * `examples/asb-subscribe.rs` port default fixed (5074 → 808 — WCF's NetTcpPortSharing/SMSvcHost listener confirmed via Get-NetTCPConnection). Status: preamble + PreambleAck round-trip works end-to-end against the live AVEVA install (verified via probe). The post-preamble Connect SOAP envelope still gets TCP RST'd — the six structural fixes above are necessary but not yet sufficient. Next iteration needs binary wire capture (Wireshark + Npcap loopback, or a TCP-relay middleman) to compare the .NET probe's BinaryMessageEncoder output byte-for-byte with ours and find the remaining delta(s). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 15:06:48 -04:00
Joseph Doherty	4ebfd8e3a3	[M5] tools: Get-AsbPassphrase.ps1 — DPAPI loader for live-probe env Reads the ASB solution shared secret from the local Windows registry (HKLM\SOFTWARE\Wow6432Node\ArchestrA\ArchestrAServices\<solution>\ sharedsecret) and DPAPI-decrypts it with the canonical "wonderware" entropy + LocalMachine scope, mirroring `AsbRegistry.cs:21-41`. Auto-discovers: $env:MX_LIVE = "1" $env:MX_ASB_HOST = $env:COMPUTERNAME $env:MX_ASB_SOLUTION = (read from DefaultASBSolution) $env:MX_ASB_GALAXY_NAME = "ZB" (or -GalaxyName param) $env:MX_ASB_VIA = net.tcp://<host>/ASBService/Default_<galaxy>_MxDataProvider/IDataV2 $env:MX_ASB_PASSPHRASE = (DPAPI-decrypted plaintext, never printed unless -Show) Important wiring detail flagged inline: the system-wide ArchestrA solution name (`Archestra_<HOST>`, source of the sharedsecret) is DIFFERENT from the per-Galaxy MxDataProvider service segment (`Default_<galaxy>_MxDataProvider`) that the WCF endpoint URL targets. Both live under the same registry root but only the former is owned by ArchestrA; the latter is what serves IASBIDataV2 per the .NET probe's hardcoded default URL at `src/MxAsbClient.Probe/Program.cs:5`. Tested via dry-run on this box: `Archestra_DESKTOP-6JL3KKO` resolves as the solution, 390 protected bytes decrypt to an 80-char passphrase, and the assembled VIA URL matches the .NET probe's default verbatim. Hard rules: * Plaintext passphrase NEVER printed unless -Show is explicit. * Dot-source so env vars persist in the calling pwsh session. * Caller account must be authorised against the LocalMachine-scope DPAPI blob (typically: any local Administrator). Usage: . .\tools\Get-AsbPassphrase.ps1 cargo run -p mxaccess --example asb-subscribe Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 14:45:43 -04:00

Author

SHA1

Message

Date

Joseph Doherty

f14580e0db

[M5] mxaccess-asb: F28 canonical-XML signing wired + registry-driven DH params

Adds `xml_canonical` module that emits XmlSerializer-compatible canonical
XML for the five primary `ConnectedRequest` shapes (AuthenticateMe,
Disconnect, KeepAlive, RegisterItemsRequest, UnregisterItemsRequest).
Six fixture-comparison tests verify byte-exact match against captured
.NET output, including the empty-MAC-IV variant that the live signing
flow uses (`authenticate-me-empty-mac-iv.xml`, 896 bytes; new
`emit_data_ns_byte_array` helper picks self-closing form for empty
byte[]).

Plumbing: `AsbAuthenticator::peek_next_message_number` exposes the
pre-allocated message number; `AsbClient::send_signed_envelope[_one_way]`
gain an `xml_for_signing: Option<&[u8]>` parameter. `connect`,
`disconnect`, `keep_alive`, `register_items`, `unregister_items` now
build a pre-signing `ConnectionValidator` (empty MAC + IV) + emit the
canonical XML + pass the bytes through to HMAC. Other ops (Read, Write,
Subscription) keep the legacy NBFX-bytes path until F28 expands to
cover their request shapes.

Live-bring-up wiring:
- `tools/Get-AsbPassphrase.ps1` now exports `MX_ASB_DH_PRIME`,
  `MX_ASB_DH_GENERATOR`, `MX_ASB_DH_HASH_ALGORITHM` (always — even when
  empty, so the example can distinguish "no env var" from "registry
  says empty"), and `MX_ASB_DH_KEY_SIZE`.
- `examples/asb-subscribe.rs` honours those env vars to override
  `CryptoParameters::defaults()`. Each AVEVA install picks its own DH
  group at provisioning time (768-bit prime is typical, vs the .NET
  reference's 1024-bit fallback that we previously hardcoded). Empty
  hashAlgorithm in the registry maps to `HashAlgorithm::Unrecognised`,
  matching `AsbSystemAuthenticator.CreateHmac:84-93` semantics where
  empty + forceHmac=true → HMAC-SHA1.
- `MxAsbClient.Probe --dump-signed-xml` flag (added in earlier commit)
  now traces the live HMAC inputs (`asb.sign.xml-utf8-len`,
  `asb.sign.xml-b64`, `asb.sign.hmac-b64`, etc.) so the Rust port can
  diff its canonical XML against .NET's byte-for-byte for any live
  scenario (env-driven via `Action<string>? sharedTrace`).

Wire-format alignment for `XmlSerializer` parity:
- `ItemIdentity::default()` and `absolute_by_name` now use
  `Some(String::new())` for null-able strings (matches .NET's
  `CreateAbsoluteItem` setting `ContextName = string.Empty` not null).
- `read_unicode_string` returns `Some(String::new())` for length-0
  rather than `None` — mirrors .NET's `AsbBinary.ReadUnicodeString:
  return string.Empty for byteLength == 0`. Wire format genuinely
  cannot distinguish null from empty (both encode as 4 bytes of zero);
  callers that need to preserve the distinction MUST track it in their
  domain types before encoding.

Live status (post-fix): Connect handshake completes end-to-end. The
canonical XML our emitter produces matches .NET's structure byte-for-
byte (verified by fixture comparison). DH prime/generator/hash now
match the live registry values. Despite all this, AuthenticateMe
still produces a generic dispatcher fault on the server — there's at
least one more subtle wire-byte or crypto mismatch that needs
isolation. F28 stays open with that note.

Workspace: 709 unit tests pass (was 702 + 7 new xml_canonical tests).
Clippy: clean (`-D warnings`).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 17:31:31 -04:00

Joseph Doherty

3b09297b27

[M5] live-probe iteration 1 — major wire-byte reconciliation fixes

First live-test cycle against AVEVA on this box. Comparing the .NET
probe's `--dump-messages` XML output against our NBFX-encoded
envelope surfaced six structural bugs in the F25 envelope/operations
layer. All fixed; tests passing (702 workspace).

Fixes (all backed by the .NET dump as ground truth):

1. **`mustUnderstand` attribute name** — NBFS dict id was 116
   (`MustUnderstand`, capital-M, a different SOAP token); SOAP 1.2
   spec uses lowercase `mustUnderstand` at id 0. Sending the wrong
   one triggered a WCF parse fault that surfaced as TCP RST.

2. **Missing `<a:MessageID>` header** — WCF's default binding
   requires MessageID for two-way operations. We now auto-generate
   `urn:uuid:<v4>` per envelope via a small inline `make_random_uuid_v4`
   helper (no `uuid` crate dep).

3. **Missing `<a:ReplyTo>` anonymous header** — WCF's
   BinaryMessageEncoder always emits `<a:ReplyTo><a:Address>...
   addressing/anonymous</a:Address></a:ReplyTo>` for two-way ops.

4. **ConnectionValidator field names + namespace** — we were
   emitting PascalCase `<ConnectionId>` etc. .NET's WCF
   DataContractSerializer uses the private backing-field names
   (`<connectionIdField xmlns="...ASBContract">guid</connectionIdField>`)
   per `[DataMember(Name = "fooField")]`. Added the
   `xmlns:i="...XMLSchema-instance"` declaration WCF emits
   alongside (even when no `i:nil` is used). Decoder now accepts
   both PascalCase (legacy tests) and DataContract field names.

5. **`<ASBIData>` over-wrapping** — we were emitting
   `<Items><ASBIData>{bytes}</ASBIData></Items>`. .NET's
   `AsbDataCustomSerializer.WriteStartObject` (`AsbContracts.cs:
   1561-1572`) REPLACES the field's outer element with `<ASBIData>`
   directly — there's no `<Items>` wrapper on the wire. Fixed by
   collapsing `BodyField::AsbiDataElement` to emit just `<ASBIData>`
   without the named outer element. The `name` field is retained
   for self-documentation.

6. **`collect_asbidata_payloads` API** — was keyed by field name
   (`Status` / `Values`); now positional (`payloads[0]`,
   `payloads.get(1)`) since the wrapper element is gone. All seven
   response decoders updated.

Plus tooling for the live-probe loop:
* `tools/Get-AsbPassphrase.ps1` — DPAPI loader that auto-discovers
  the solution name + reads the sharedsecret + decrypts it. Sets
  $env:MX_ASB_PASSPHRASE / MX_ASB_HOST / MX_ASB_VIA / MX_LIVE.
  Lowercase via-host (WCF SMSvcHost is case-sensitive on the URL
  host segment).
* `examples/asb-preamble-probe.rs` — diagnostic that connects,
  runs the preamble, captures the PreambleAck, then sends a
  synthetic ConnectRequest and dumps both directions as hex. Used
  to bisect the wire-byte deltas above.
* `examples/asb-subscribe.rs` port default fixed (5074 → 808 —
  WCF's NetTcpPortSharing/SMSvcHost listener confirmed via
  Get-NetTCPConnection).

**Status**: preamble + PreambleAck round-trip works end-to-end
against the live AVEVA install (verified via probe). The
post-preamble Connect SOAP envelope still gets TCP RST'd — the six
structural fixes above are necessary but not yet sufficient. Next
iteration needs binary wire capture (Wireshark + Npcap loopback,
or a TCP-relay middleman) to compare the .NET probe's BinaryMessageEncoder
output byte-for-byte with ours and find the remaining delta(s).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 15:06:48 -04:00

Joseph Doherty

4ebfd8e3a3

[M5] tools: Get-AsbPassphrase.ps1 — DPAPI loader for live-probe env

Reads the ASB solution shared secret from the local Windows registry
(HKLM\SOFTWARE\Wow6432Node\ArchestrA\ArchestrAServices\<solution>\
sharedsecret) and DPAPI-decrypts it with the canonical "wonderware"
entropy + LocalMachine scope, mirroring `AsbRegistry.cs:21-41`.

Auto-discovers:
  $env:MX_LIVE             = "1"
  $env:MX_ASB_HOST         = $env:COMPUTERNAME
  $env:MX_ASB_SOLUTION     = (read from DefaultASBSolution)
  $env:MX_ASB_GALAXY_NAME  = "ZB" (or -GalaxyName param)
  $env:MX_ASB_VIA          = net.tcp://<host>/ASBService/Default_<galaxy>_MxDataProvider/IDataV2
  $env:MX_ASB_PASSPHRASE   = (DPAPI-decrypted plaintext, never printed unless -Show)

Important wiring detail flagged inline: the system-wide ArchestrA
solution name (`Archestra_<HOST>`, source of the sharedsecret) is
DIFFERENT from the per-Galaxy MxDataProvider service segment
(`Default_<galaxy>_MxDataProvider`) that the WCF endpoint URL
targets. Both live under the same registry root but only the former
is owned by ArchestrA; the latter is what serves IASBIDataV2 per
the .NET probe's hardcoded default URL at
`src/MxAsbClient.Probe/Program.cs:5`.

Tested via dry-run on this box: `Archestra_DESKTOP-6JL3KKO` resolves
as the solution, 390 protected bytes decrypt to an 80-char
passphrase, and the assembled VIA URL matches the .NET probe's
default verbatim.

Hard rules:
* Plaintext passphrase NEVER printed unless -Show is explicit.
* Dot-source so env vars persist in the calling pwsh session.
* Caller account must be authorised against the LocalMachine-scope
  DPAPI blob (typically: any local Administrator).

Usage:
  . .\tools\Get-AsbPassphrase.ps1
  cargo run -p mxaccess --example asb-subscribe

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 14:45:43 -04:00

3 Commits