Exemple #1
0
    def _set_endpoints(self, policy=ua.SecurityPolicy, mode=ua.MessageSecurityMode.None_):
        idtoken = ua.UserTokenPolicy()
        idtoken.PolicyId = 'anonymous'
        idtoken.TokenType = ua.UserTokenType.Anonymous

        idtoken2 = ua.UserTokenPolicy()
        idtoken2.PolicyId = 'certificate_basic256'
        idtoken2.TokenType = ua.UserTokenType.Certificate

        idtoken3 = ua.UserTokenPolicy()
        idtoken3.PolicyId = 'certificate_basic128'
        idtoken3.TokenType = ua.UserTokenType.Certificate

        idtoken4 = ua.UserTokenPolicy()
        idtoken4.PolicyId = 'username'
        idtoken4.TokenType = ua.UserTokenType.UserName

        appdesc = ua.ApplicationDescription()
        appdesc.ApplicationName = ua.LocalizedText(self.name)
        appdesc.ApplicationUri = self.application_uri
        appdesc.ApplicationType = self.application_type
        appdesc.ProductUri = self.product_uri
        appdesc.DiscoveryUrls.append(self.endpoint.geturl())

        edp = ua.EndpointDescription()
        edp.EndpointUrl = self.endpoint.geturl()
        edp.Server = appdesc
        if self.certificate:
            edp.ServerCertificate = uacrypto.der_from_x509(self.certificate)
        edp.SecurityMode = mode
        edp.SecurityPolicyUri = policy.URI
        edp.UserIdentityTokens = [idtoken, idtoken2, idtoken3]
        edp.TransportProfileUri = 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
        edp.SecurityLevel = 0
        self.iserver.add_endpoint(edp)
 def __init__(self, server_cert, client_cert, client_pk, mode):
     require_cryptography(self)
     if isinstance(server_cert, bytes):
         server_cert = uacrypto.x509_from_der(server_cert)
     # even in Sign mode we need to asymmetrically encrypt secrets
     # transmitted in OpenSecureChannel. So SignAndEncrypt here
     self.asymmetric_cryptography = Cryptography(
             MessageSecurityMode.SignAndEncrypt)
     self.asymmetric_cryptography.Signer = SignerRsa(client_pk)
     self.asymmetric_cryptography.Verifier = VerifierRsa(server_cert)
     self.asymmetric_cryptography.Encryptor = EncryptorRsa(
             server_cert, uacrypto.encrypt_rsa_oaep, 42)
     self.asymmetric_cryptography.Decryptor = DecryptorRsa(
             client_pk, uacrypto.decrypt_rsa_oaep, 42)
     self.symmetric_cryptography = Cryptography(mode)
     self.Mode = mode
     self.server_certificate = uacrypto.der_from_x509(server_cert)
     self.client_certificate = uacrypto.der_from_x509(client_cert)
Exemple #3
0
 def _add_certificate_auth(self, params, certificate, challenge):
     params.UserIdentityToken = ua.X509IdentityToken()
     params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Certificate, "certificate_basic256")
     params.UserIdentityToken.CertificateData = uacrypto.der_from_x509(certificate)
     # specs part 4, 5.6.3.1: the data to sign is created by appending
     # the last serverNonce to the serverCertificate
     sig = uacrypto.sign_sha1(self.user_private_key, challenge)
     params.UserTokenSignature = ua.SignatureData()
     params.UserTokenSignature.Algorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     params.UserTokenSignature.Signature = sig
    def __init__(self, server_cert, client_cert, client_pk, mode):
        logger = logging.getLogger(__name__)
        logger.warning("DEPRECATED! Do not use SecurityPolicyBasic256 anymore!")

        require_cryptography(self)
        if isinstance(server_cert, bytes):
            server_cert = uacrypto.x509_from_der(server_cert)
        # even in Sign mode we need to asymmetrically encrypt secrets
        # transmitted in OpenSecureChannel. So SignAndEncrypt here
        self.asymmetric_cryptography = Cryptography(
            MessageSecurityMode.SignAndEncrypt)
        self.asymmetric_cryptography.Signer = SignerRsa(client_pk)
        self.asymmetric_cryptography.Verifier = VerifierRsa(server_cert)
        self.asymmetric_cryptography.Encryptor = EncryptorRsa(
            server_cert, uacrypto.encrypt_rsa_oaep, 42)
        self.asymmetric_cryptography.Decryptor = DecryptorRsa(
            client_pk, uacrypto.decrypt_rsa_oaep, 42)
        self.symmetric_cryptography = Cryptography(mode)
        self.Mode = mode
        self.server_certificate = uacrypto.der_from_x509(server_cert)
        self.client_certificate = uacrypto.der_from_x509(client_cert)
Exemple #5
0
 def activate_session(self, username=None, password=None, certificate=None):
     """
     Activate session using either username and password or private_key
     """
     params = ua.ActivateSessionParameters()
     challenge = b""
     if self.security_policy.server_certificate is not None:
         challenge += self.security_policy.server_certificate
     if self._server_nonce is not None:
         challenge += self._server_nonce
     params.ClientSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     params.ClientSignature.Signature = self.security_policy.asymmetric_cryptography.signature(challenge)
     params.LocaleIds.append("en")
     if not username and not certificate:
         params.UserIdentityToken = ua.AnonymousIdentityToken()
         params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Anonymous, b"anonymous")
     elif certificate:
         params.UserIdentityToken = ua.X509IdentityToken()
         params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Certificate, b"certificate_basic256")
         params.UserIdentityToken.CertificateData = uacrypto.der_from_x509(certificate)
         # specs part 4, 5.6.3.1: the data to sign is created by appending
         # the last serverNonce to the serverCertificate
         sig = uacrypto.sign_sha1(self.user_private_key, challenge)
         params.UserTokenSignature = ua.SignatureData()
         params.UserTokenSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
         params.UserTokenSignature.Signature = sig
     else:
         params.UserIdentityToken = ua.UserNameIdentityToken()
         params.UserIdentityToken.UserName = username
         policy_uri = self.server_policy_uri(ua.UserTokenType.UserName)
         if not policy_uri or policy_uri == security_policies.POLICY_NONE_URI:
             # see specs part 4, 7.36.3: if the token is NOT encrypted,
             # then the password only contains UTF-8 encoded password
             # and EncryptionAlgorithm is null
             if self.server_url.password:
                 self.logger.warning("Sending plain-text password")
                 params.UserIdentityToken.Password = password
             params.UserIdentityToken.EncryptionAlgorithm = ''
         elif self.server_url.password:
             pubkey = uacrypto.x509_from_der(self.security_policy.server_certificate).public_key()
             # see specs part 4, 7.36.3: if the token is encrypted, password
             # shall be converted to UTF-8 and serialized with server nonce
             passwd = bytes(password, "utf8")
             if self._server_nonce is not None:
                 passwd += self._server_nonce
             etoken = ua.pack_bytes(passwd)
             data, uri = security_policies.encrypt_asymmetric(pubkey, etoken, policy_uri)
             params.UserIdentityToken.Password = data
             params.UserIdentityToken.EncryptionAlgorithm = uri
         params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.UserName, b"username_basic256")
     return self.uaclient.activate_session(params)
    def _set_endpoints(self,
                       policy=ua.SecurityPolicy,
                       mode=ua.MessageSecurityMode.None_):
        idtoken = ua.UserTokenPolicy()
        idtoken.PolicyId = 'anonymous'
        idtoken.TokenType = ua.UserTokenType.Anonymous

        idtoken2 = ua.UserTokenPolicy()
        idtoken2.PolicyId = 'certificate_basic256'
        idtoken2.TokenType = ua.UserTokenType.Certificate

        idtoken3 = ua.UserTokenPolicy()
        idtoken3.PolicyId = 'certificate_basic128'
        idtoken3.TokenType = ua.UserTokenType.Certificate

        idtoken4 = ua.UserTokenPolicy()
        idtoken4.PolicyId = 'username'
        idtoken4.TokenType = ua.UserTokenType.UserName

        appdesc = ua.ApplicationDescription()
        appdesc.ApplicationName = ua.LocalizedText(self.name)
        appdesc.ApplicationUri = self.application_uri
        appdesc.ApplicationType = self.application_type
        appdesc.ProductUri = self.product_uri
        appdesc.DiscoveryUrls.append(self.endpoint.geturl())

        edp = ua.EndpointDescription()
        edp.EndpointUrl = self.endpoint.geturl()
        edp.Server = appdesc
        if self.certificate:
            edp.ServerCertificate = uacrypto.der_from_x509(self.certificate)
        edp.SecurityMode = mode
        edp.SecurityPolicyUri = policy.URI
        edp.UserIdentityTokens = [idtoken, idtoken2, idtoken3, idtoken4]
        edp.TransportProfileUri = 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
        edp.SecurityLevel = 0
        self.iserver.add_endpoint(edp)
Exemple #7
0
 def activate_session(self, username=None, password=None, certificate=None):
     """
     Activate session using either username and password or private_key
     """
     params = ua.ActivateSessionParameters()
     challenge = self.security_policy.server_certificate + self._server_nonce
     params.ClientSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
     params.ClientSignature.Signature = self.security_policy.asymmetric_cryptography.signature(challenge)
     params.LocaleIds.append("en")
     if not username and not certificate:
         params.UserIdentityToken = ua.AnonymousIdentityToken()
         params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Anonymous, b"anonymous")
     elif certificate:
         params.UserIdentityToken = ua.X509IdentityToken()
         params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.Certificate, b"certificate_basic256")
         params.UserIdentityToken.CertificateData = uacrypto.der_from_x509(certificate)
         # specs part 4, 5.6.3.1: the data to sign is created by appending
         # the last serverNonce to the serverCertificate
         sig = uacrypto.sign_sha1(self.user_private_key, challenge)
         params.UserTokenSignature = ua.SignatureData()
         params.UserTokenSignature.Algorithm = b"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
         params.UserTokenSignature.Signature = sig
     else:
         params.UserIdentityToken = ua.UserNameIdentityToken()
         params.UserIdentityToken.UserName = username 
         if self.server_url.password:
             pubkey = uacrypto.x509_from_der(self.security_policy.server_certificate).public_key()
             # see specs part 4, 7.36.3: if the token is encrypted, password
             # shall be converted to UTF-8 and serialized with server nonce
             etoken = ua.pack_bytes(bytes(password, "utf8") + self._server_nonce)
             #data = uacrypto.encrypt_basic256(pubkey, etoken)
             data = uacrypto.encrypt_rsa_oaep(pubkey, etoken)
             params.UserIdentityToken.Password = data
         params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.UserName, b"username_basic256")
         params.UserIdentityToken.EncryptionAlgorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'
     return self.bclient.activate_session(params)