def create_session(self): desc = ua.ApplicationDescription() desc.ApplicationUri = self.application_uri desc.ProductUri = self.product_uri desc.ApplicationName = ua.LocalizedText(self.name) desc.ApplicationType = ua.ApplicationType.Client params = ua.CreateSessionParameters() nonce = utils.create_nonce(32) # at least 32 random bytes for server to prove possession of private key (specs part 4, 5.6.2.2) params.ClientNonce = nonce params.ClientCertificate = self.security_policy.client_certificate params.ClientDescription = desc params.EndpointUrl = self.server_url.geturl() params.SessionName = self.description + " Session" + str(self._session_counter) params.RequestedSessionTimeout = 3600000 params.MaxResponseMessageSize = 0 # means no max size response = self.bclient.create_session(params) self.security_policy.asymmetric_cryptography.verify(self.security_policy.client_certificate + nonce, response.ServerSignature.Signature) self._server_nonce = response.ServerNonce if not self.security_policy.server_certificate: self.security_policy.server_certificate = response.ServerCertificate elif self.security_policy.server_certificate != response.ServerCertificate: raise Exception("Server certificate mismatch") # remember PolicyId's: we will use them in activate_session() ep = Client.find_endpoint(response.ServerEndpoints, self.security_policy.Mode, self.security_policy.URI) self._policy_ids = ep.UserIdentityTokens self.session_timeout = response.RevisedSessionTimeout self.keepalive = KeepAlive(self, min(self.session_timeout, self.secure_channel_timeout) * 0.7) # 0.7 is from spec self.keepalive.start() return response
def create_session(self, params, sockname=None): self.logger.info("Create session request") result = ua.CreateSessionResult() result.SessionId = self.session_id result.AuthenticationToken = self.authentication_token result.RevisedSessionTimeout = params.RequestedSessionTimeout result.MaxRequestMessageSize = 65536 self.nonce = utils.create_nonce(32) result.ServerNonce = self.nonce result.ServerEndpoints = self.get_endpoints(sockname=sockname) return result
def _open_secure_channel(self, params): self.logger.info("open secure channel") if not self.channel or params.RequestType == ua.SecurityTokenRequestType.Issue: self.channel = ua.OpenSecureChannelResult() self.channel.SecurityToken.TokenId = 13 # random value self.channel.SecurityToken.ChannelId = self.iserver.get_new_channel_id() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime self.channel.SecurityToken.TokenId += 1 self.channel.SecurityToken.CreatedAt = datetime.utcnow() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime self.channel.ServerNonce = utils.create_nonce(self._connection._security_policy.symmetric_key_size) self._connection.set_security_token(self.channel.SecurityToken) self._connection._security_policy.make_symmetric_key(self.channel.ServerNonce, params.ClientNonce) return self.channel
def activate_session(self, params): self.logger.info("activate session") result = ua.ActivateSessionResult() if self.state != SessionState.Created: raise utils.ServiceError(ua.StatusCodes.BadSessionIdInvalid) self.nonce = utils.create_nonce(32) result.ServerNonce = self.nonce for _ in params.ClientSoftwareCertificates: result.Results.append(ua.StatusCode()) self.state = SessionState.Activated id_token = params.UserIdentityToken if isinstance(id_token, ua.UserNameIdentityToken): if self.iserver.allow_remote_admin and id_token.UserName in ("admin", "Admin"): self.user = User.Admin return result
def create_session(self): """ send a CreateSessionRequest to server with reasonable parameters. If you want o modify settings look at code of this methods and make your own """ desc = ua.ApplicationDescription() desc.ApplicationUri = self.application_uri desc.ProductUri = self.product_uri desc.ApplicationName = ua.LocalizedText(self.name) desc.ApplicationType = ua.ApplicationType.Client params = ua.CreateSessionParameters() nonce = utils.create_nonce( 32 ) # at least 32 random bytes for server to prove possession of private key (specs part 4, 5.6.2.2) params.ClientNonce = nonce params.ClientCertificate = self.security_policy.client_certificate params.ClientDescription = desc params.EndpointUrl = self.server_url.geturl() params.SessionName = self.description + " Session" + str( self._session_counter) params.RequestedSessionTimeout = 3600000 params.MaxResponseMessageSize = 0 # means no max size response = self.uaclient.create_session(params) if self.security_policy.client_certificate is None: data = nonce else: data = self.security_policy.client_certificate + nonce self.security_policy.asymmetric_cryptography.verify( data, response.ServerSignature.Signature) self._server_nonce = response.ServerNonce if not self.security_policy.server_certificate: self.security_policy.server_certificate = response.ServerCertificate elif self.security_policy.server_certificate != response.ServerCertificate: raise ua.UaError("Server certificate mismatch") # remember PolicyId's: we will use them in activate_session() ep = Client.find_endpoint(response.ServerEndpoints, self.security_policy.Mode, self.security_policy.URI) self._policy_ids = ep.UserIdentityTokens self.session_timeout = response.RevisedSessionTimeout self.keepalive = KeepAlive( self, min(self.session_timeout, self.secure_channel_timeout) * 0.7) # 0.7 is from spec self.keepalive.start() return response
def activate_session(self, params): self.logger.info("activate session") result = ua.ActivateSessionResult() if self.state != SessionState.Created: raise utils.ServiceError(ua.StatusCodes.BadSessionIdInvalid) self.nonce = utils.create_nonce(32) result.ServerNonce = self.nonce for _ in params.ClientSoftwareCertificates: result.Results.append(ua.StatusCode()) self.state = SessionState.Activated id_token = params.UserIdentityToken if isinstance(id_token, ua.UserNameIdentityToken): if self.user_manager.check_user_token(self, id_token) == False: raise utils.ServiceError(ua.StatusCodes.BadUserAccessDenied) self.logger.info("Activated internal session %s for user %s", self.name, self.user) return result
def activate_session(self, params): self.logger.info("activate session") result = ua.ActivateSessionResult() if self.state != SessionState.Created: raise utils.ServiceError(ua.StatusCodes.BadSessionIdInvalid) self.nonce = utils.create_nonce(32) result.ServerNonce = self.nonce for _ in params.ClientSoftwareCertificates: result.Results.append(ua.StatusCode()) self.state = SessionState.Activated id_token = params.UserIdentityToken if isinstance(id_token, ua.UserNameIdentityToken): if self.iserver.allow_remote_admin and id_token.UserName in ("admin", "Admin"): self.user = User.Admin self.logger.info("Activated internal session %s for user %s", self.name, self.user) return result
def open_secure_channel(self, renew=False): """ Open secure channel, if renew is True, renew channel """ params = ua.OpenSecureChannelParameters() params.ClientProtocolVersion = 0 params.RequestType = ua.SecurityTokenRequestType.Issue if renew: params.RequestType = ua.SecurityTokenRequestType.Renew params.SecurityMode = self.security_policy.Mode params.RequestedLifetime = self.secure_channel_timeout nonce = utils.create_nonce(self.security_policy.symmetric_key_size) # length should be equal to the length of key of symmetric encryption params.ClientNonce = nonce # this nonce is used to create a symmetric key result = self.bclient.open_secure_channel(params) self.security_policy.make_symmetric_key(nonce, result.ServerNonce) self.secure_channel_timeout = result.SecurityToken.RevisedLifetime
def open_secure_channel(self, renew=False): """ Open secure channel, if renew is True, renew channel """ params = ua.OpenSecureChannelParameters() params.ClientProtocolVersion = 0 params.RequestType = ua.SecurityTokenRequestType.Issue if renew: params.RequestType = ua.SecurityTokenRequestType.Renew params.SecurityMode = self.security_policy.Mode params.RequestedLifetime = self.secure_channel_timeout nonce = utils.create_nonce(self.security_policy.symmetric_key_size) # length should be equal to the length of key of symmetric encryption params.ClientNonce = nonce # this nonce is used to create a symmetric key result = self.uaclient.open_secure_channel(params) self.security_policy.make_symmetric_key(nonce, result.ServerNonce) self.secure_channel_timeout = result.SecurityToken.RevisedLifetime
def _open_secure_channel(self, params): self.logger.info("open secure channel") if not self.channel or params.RequestType == ua.SecurityTokenRequestType.Issue: self.channel = ua.OpenSecureChannelResult() self.channel.SecurityToken.TokenId = 13 # random value self.channel.SecurityToken.ChannelId = self.iserver.get_new_channel_id( ) self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime self.channel.SecurityToken.TokenId += 1 self.channel.SecurityToken.CreatedAt = datetime.now() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime self.channel.ServerNonce = utils.create_nonce( self._connection._security_policy.symmetric_key_size) self._connection.set_security_token(self.channel.SecurityToken) self._connection._security_policy.make_symmetric_key( self.channel.ServerNonce, params.ClientNonce) return self.channel
def open(self, params, server): """ called on server side to open secure channel """ if not self._open or params.RequestType == auto.SecurityTokenRequestType.Issue: self._open = True self.channel = auto.OpenSecureChannelResult() self.channel.SecurityToken.TokenId = 13 # random value self.channel.SecurityToken.ChannelId = server.get_new_channel_id() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime else: self._old_tokens.append(self.channel.SecurityToken.TokenId) self.channel.SecurityToken.TokenId += 1 self.channel.SecurityToken.CreatedAt = datetime.utcnow() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime self.channel.ServerNonce = utils.create_nonce(self._security_policy.symmetric_key_size) self._security_policy.make_symmetric_key(self.channel.ServerNonce, params.ClientNonce) return self.channel
def open_secure_channel(self, renew=False): """ Open secure channel, if renew is True, renew channel """ params = ua.OpenSecureChannelParameters() params.ClientProtocolVersion = 0 params.RequestType = ua.SecurityTokenRequestType.Issue if renew: params.RequestType = ua.SecurityTokenRequestType.Renew params.SecurityMode = self.security_policy.Mode params.RequestedLifetime = self.secure_channel_timeout # length should be equal to the length of key of symmetric encryption params.ClientNonce = utils.create_nonce(self.security_policy.symmetric_key_size) # this nonce is used to create a symmetric key result = self.uaclient.open_secure_channel(params) if self.secure_channel_timeout != result.SecurityToken.RevisedLifetime: _logger.warning("Requested secure channel timeout to be %dms, got %dms instead", self.secure_channel_timeout, result.SecurityToken.RevisedLifetime) self.secure_channel_timeout = result.SecurityToken.RevisedLifetime
def open(self, params, server): """ called on server side to open secure channel """ if not self._open or params.RequestType == auto.SecurityTokenRequestType.Issue: self._open = True self.channel = auto.OpenSecureChannelResult() self.channel.SecurityToken.TokenId = 13 # random value self.channel.SecurityToken.ChannelId = server.get_new_channel_id() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime else: self._old_tokens.append(self.channel.SecurityToken.TokenId) self.channel.SecurityToken.TokenId += 1 self.channel.SecurityToken.CreatedAt = datetime.utcnow() self.channel.SecurityToken.RevisedLifetime = params.RequestedLifetime self.channel.ServerNonce = utils.create_nonce( self._security_policy.symmetric_key_size) self._security_policy.make_symmetric_key(self.channel.ServerNonce, params.ClientNonce) return self.channel