def _set_endpoints(self, policy=ua.SecurityPolicy, mode=ua.MessageSecurityMode.None_): idtoken = ua.UserTokenPolicy() idtoken.PolicyId = 'anonymous' idtoken.TokenType = ua.UserTokenType.Anonymous idtoken2 = ua.UserTokenPolicy() idtoken2.PolicyId = 'certificate_basic256' idtoken2.TokenType = ua.UserTokenType.Certificate idtoken3 = ua.UserTokenPolicy() idtoken3.PolicyId = 'certificate_basic128' idtoken3.TokenType = ua.UserTokenType.Certificate idtoken4 = ua.UserTokenPolicy() idtoken4.PolicyId = 'username' idtoken4.TokenType = ua.UserTokenType.UserName appdesc = ua.ApplicationDescription() appdesc.ApplicationName = ua.LocalizedText(self.name) appdesc.ApplicationUri = self.application_uri appdesc.ApplicationType = self.application_type appdesc.ProductUri = self.product_uri appdesc.DiscoveryUrls.append(self.endpoint.geturl()) edp = ua.EndpointDescription() edp.EndpointUrl = self.endpoint.geturl() edp.Server = appdesc if self.certificate: edp.ServerCertificate = uacrypto.der_from_x509(self.certificate) edp.SecurityMode = mode edp.SecurityPolicyUri = policy.URI edp.UserIdentityTokens = [idtoken, idtoken2, idtoken3] edp.TransportProfileUri = 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary' edp.SecurityLevel = 0 self.iserver.add_endpoint(edp)
def __init__(self, server_cert, client_cert, client_pk, mode): require_cryptography(self) if isinstance(server_cert, bytes): server_cert = uacrypto.x509_from_der(server_cert) # even in Sign mode we need to asymmetrically encrypt secrets # transmitted in OpenSecureChannel. So SignAndEncrypt here self.asymmetric_cryptography = Cryptography( MessageSecurityMode.SignAndEncrypt) self.asymmetric_cryptography.Signer = SignerRsa(client_pk) self.asymmetric_cryptography.Verifier = VerifierRsa(server_cert) self.asymmetric_cryptography.Encryptor = EncryptorRsa( server_cert, uacrypto.encrypt_rsa_oaep, 42) self.asymmetric_cryptography.Decryptor = DecryptorRsa( client_pk, uacrypto.decrypt_rsa_oaep, 42) self.symmetric_cryptography = Cryptography(mode) self.Mode = mode self.server_certificate = uacrypto.der_from_x509(server_cert) self.client_certificate = uacrypto.der_from_x509(client_cert)
def _add_certificate_auth(self, params, certificate, challenge): params.UserIdentityToken = ua.X509IdentityToken() params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Certificate, "certificate_basic256") params.UserIdentityToken.CertificateData = uacrypto.der_from_x509(certificate) # specs part 4, 5.6.3.1: the data to sign is created by appending # the last serverNonce to the serverCertificate sig = uacrypto.sign_sha1(self.user_private_key, challenge) params.UserTokenSignature = ua.SignatureData() params.UserTokenSignature.Algorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1" params.UserTokenSignature.Signature = sig
def __init__(self, server_cert, client_cert, client_pk, mode): logger = logging.getLogger(__name__) logger.warning("DEPRECATED! Do not use SecurityPolicyBasic256 anymore!") require_cryptography(self) if isinstance(server_cert, bytes): server_cert = uacrypto.x509_from_der(server_cert) # even in Sign mode we need to asymmetrically encrypt secrets # transmitted in OpenSecureChannel. So SignAndEncrypt here self.asymmetric_cryptography = Cryptography( MessageSecurityMode.SignAndEncrypt) self.asymmetric_cryptography.Signer = SignerRsa(client_pk) self.asymmetric_cryptography.Verifier = VerifierRsa(server_cert) self.asymmetric_cryptography.Encryptor = EncryptorRsa( server_cert, uacrypto.encrypt_rsa_oaep, 42) self.asymmetric_cryptography.Decryptor = DecryptorRsa( client_pk, uacrypto.decrypt_rsa_oaep, 42) self.symmetric_cryptography = Cryptography(mode) self.Mode = mode self.server_certificate = uacrypto.der_from_x509(server_cert) self.client_certificate = uacrypto.der_from_x509(client_cert)
def activate_session(self, username=None, password=None, certificate=None): """ Activate session using either username and password or private_key """ params = ua.ActivateSessionParameters() challenge = b"" if self.security_policy.server_certificate is not None: challenge += self.security_policy.server_certificate if self._server_nonce is not None: challenge += self._server_nonce params.ClientSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1" params.ClientSignature.Signature = self.security_policy.asymmetric_cryptography.signature(challenge) params.LocaleIds.append("en") if not username and not certificate: params.UserIdentityToken = ua.AnonymousIdentityToken() params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Anonymous, b"anonymous") elif certificate: params.UserIdentityToken = ua.X509IdentityToken() params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Certificate, b"certificate_basic256") params.UserIdentityToken.CertificateData = uacrypto.der_from_x509(certificate) # specs part 4, 5.6.3.1: the data to sign is created by appending # the last serverNonce to the serverCertificate sig = uacrypto.sign_sha1(self.user_private_key, challenge) params.UserTokenSignature = ua.SignatureData() params.UserTokenSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1" params.UserTokenSignature.Signature = sig else: params.UserIdentityToken = ua.UserNameIdentityToken() params.UserIdentityToken.UserName = username policy_uri = self.server_policy_uri(ua.UserTokenType.UserName) if not policy_uri or policy_uri == security_policies.POLICY_NONE_URI: # see specs part 4, 7.36.3: if the token is NOT encrypted, # then the password only contains UTF-8 encoded password # and EncryptionAlgorithm is null if self.server_url.password: self.logger.warning("Sending plain-text password") params.UserIdentityToken.Password = password params.UserIdentityToken.EncryptionAlgorithm = '' elif self.server_url.password: pubkey = uacrypto.x509_from_der(self.security_policy.server_certificate).public_key() # see specs part 4, 7.36.3: if the token is encrypted, password # shall be converted to UTF-8 and serialized with server nonce passwd = bytes(password, "utf8") if self._server_nonce is not None: passwd += self._server_nonce etoken = ua.pack_bytes(passwd) data, uri = security_policies.encrypt_asymmetric(pubkey, etoken, policy_uri) params.UserIdentityToken.Password = data params.UserIdentityToken.EncryptionAlgorithm = uri params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.UserName, b"username_basic256") return self.uaclient.activate_session(params)
def _set_endpoints(self, policy=ua.SecurityPolicy, mode=ua.MessageSecurityMode.None_): idtoken = ua.UserTokenPolicy() idtoken.PolicyId = 'anonymous' idtoken.TokenType = ua.UserTokenType.Anonymous idtoken2 = ua.UserTokenPolicy() idtoken2.PolicyId = 'certificate_basic256' idtoken2.TokenType = ua.UserTokenType.Certificate idtoken3 = ua.UserTokenPolicy() idtoken3.PolicyId = 'certificate_basic128' idtoken3.TokenType = ua.UserTokenType.Certificate idtoken4 = ua.UserTokenPolicy() idtoken4.PolicyId = 'username' idtoken4.TokenType = ua.UserTokenType.UserName appdesc = ua.ApplicationDescription() appdesc.ApplicationName = ua.LocalizedText(self.name) appdesc.ApplicationUri = self.application_uri appdesc.ApplicationType = self.application_type appdesc.ProductUri = self.product_uri appdesc.DiscoveryUrls.append(self.endpoint.geturl()) edp = ua.EndpointDescription() edp.EndpointUrl = self.endpoint.geturl() edp.Server = appdesc if self.certificate: edp.ServerCertificate = uacrypto.der_from_x509(self.certificate) edp.SecurityMode = mode edp.SecurityPolicyUri = policy.URI edp.UserIdentityTokens = [idtoken, idtoken2, idtoken3, idtoken4] edp.TransportProfileUri = 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary' edp.SecurityLevel = 0 self.iserver.add_endpoint(edp)
def activate_session(self, username=None, password=None, certificate=None): """ Activate session using either username and password or private_key """ params = ua.ActivateSessionParameters() challenge = self.security_policy.server_certificate + self._server_nonce params.ClientSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1" params.ClientSignature.Signature = self.security_policy.asymmetric_cryptography.signature(challenge) params.LocaleIds.append("en") if not username and not certificate: params.UserIdentityToken = ua.AnonymousIdentityToken() params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Anonymous, b"anonymous") elif certificate: params.UserIdentityToken = ua.X509IdentityToken() params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Certificate, b"certificate_basic256") params.UserIdentityToken.CertificateData = uacrypto.der_from_x509(certificate) # specs part 4, 5.6.3.1: the data to sign is created by appending # the last serverNonce to the serverCertificate sig = uacrypto.sign_sha1(self.user_private_key, challenge) params.UserTokenSignature = ua.SignatureData() params.UserTokenSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1" params.UserTokenSignature.Signature = sig else: params.UserIdentityToken = ua.UserNameIdentityToken() params.UserIdentityToken.UserName = username if self.server_url.password: pubkey = uacrypto.x509_from_der(self.security_policy.server_certificate).public_key() # see specs part 4, 7.36.3: if the token is encrypted, password # shall be converted to UTF-8 and serialized with server nonce etoken = ua.pack_bytes(bytes(password, "utf8") + self._server_nonce) #data = uacrypto.encrypt_basic256(pubkey, etoken) data = uacrypto.encrypt_rsa_oaep(pubkey, etoken) params.UserIdentityToken.Password = data params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.UserName, b"username_basic256") params.UserIdentityToken.EncryptionAlgorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep' return self.bclient.activate_session(params)