|
@@ 377-441 (lines=65) @@
|
| 374 |
|
self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec) |
| 375 |
|
|
| 376 |
|
|
| 377 |
|
class SecurityPolicyBasic256(SecurityPolicy): |
| 378 |
|
""" |
| 379 |
|
Security Basic 256 |
| 380 |
|
A suite of algorithms that are for 256-Bit (32 bytes) encryption, |
| 381 |
|
algorithms include: |
| 382 |
|
- SymmetricSignatureAlgorithm - HmacSha1 |
| 383 |
|
(http://www.w3.org/2000/09/xmldsig#hmac-sha1) |
| 384 |
|
- SymmetricEncryptionAlgorithm - Aes256 |
| 385 |
|
(http://www.w3.org/2001/04/xmlenc#aes256-cbc) |
| 386 |
|
- AsymmetricSignatureAlgorithm - RsaSha1 |
| 387 |
|
(http://www.w3.org/2000/09/xmldsig#rsa-sha1) |
| 388 |
|
- AsymmetricKeyWrapAlgorithm - KwRsaOaep |
| 389 |
|
(http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) |
| 390 |
|
- AsymmetricEncryptionAlgorithm - RsaOaep |
| 391 |
|
(http://www.w3.org/2001/04/xmlenc#rsa-oaep) |
| 392 |
|
- KeyDerivationAlgorithm - PSha1 |
| 393 |
|
(http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1) |
| 394 |
|
- DerivedSignatureKeyLength - 192 (24 bytes) |
| 395 |
|
- MinAsymmetricKeyLength - 1024 (128 bytes) |
| 396 |
|
- MaxAsymmetricKeyLength - 2048 (256 bytes) |
| 397 |
|
- CertificateSignatureAlgorithm - Sha1 |
| 398 |
|
|
| 399 |
|
If a certificate or any certificate in the chain is not signed with |
| 400 |
|
a hash that is Sha1 or stronger then the certificate shall be rejected. |
| 401 |
|
""" |
| 402 |
|
|
| 403 |
|
URI = "http://opcfoundation.org/UA/SecurityPolicy#Basic256" |
| 404 |
|
signature_key_size = 24 |
| 405 |
|
symmetric_key_size = 32 |
| 406 |
|
AsymmetricEncryptionURI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep" |
| 407 |
|
|
| 408 |
|
@staticmethod |
| 409 |
|
def encrypt_asymmetric(pubkey, data): |
| 410 |
|
return uacrypto.encrypt_rsa_oaep(pubkey, data) |
| 411 |
|
|
| 412 |
|
def __init__(self, server_cert, client_cert, client_pk, mode): |
| 413 |
|
require_cryptography(self) |
| 414 |
|
if isinstance(server_cert, bytes): |
| 415 |
|
server_cert = uacrypto.x509_from_der(server_cert) |
| 416 |
|
# even in Sign mode we need to asymmetrically encrypt secrets |
| 417 |
|
# transmitted in OpenSecureChannel. So SignAndEncrypt here |
| 418 |
|
self.asymmetric_cryptography = Cryptography( |
| 419 |
|
MessageSecurityMode.SignAndEncrypt) |
| 420 |
|
self.asymmetric_cryptography.Signer = SignerRsa(client_pk) |
| 421 |
|
self.asymmetric_cryptography.Verifier = VerifierRsa(server_cert) |
| 422 |
|
self.asymmetric_cryptography.Encryptor = EncryptorRsa( |
| 423 |
|
server_cert, uacrypto.encrypt_rsa_oaep, 42) |
| 424 |
|
self.asymmetric_cryptography.Decryptor = DecryptorRsa( |
| 425 |
|
client_pk, uacrypto.decrypt_rsa_oaep, 42) |
| 426 |
|
self.symmetric_cryptography = Cryptography(mode) |
| 427 |
|
self.Mode = mode |
| 428 |
|
self.server_certificate = uacrypto.der_from_x509(server_cert) |
| 429 |
|
self.client_certificate = uacrypto.der_from_x509(client_cert) |
| 430 |
|
|
| 431 |
|
def make_symmetric_key(self, nonce1, nonce2): |
| 432 |
|
# specs part 6, 6.7.5 |
| 433 |
|
key_sizes = (self.signature_key_size, self.symmetric_key_size, 16) |
| 434 |
|
|
| 435 |
|
(sigkey, key, init_vec) = uacrypto.p_sha1(nonce2, nonce1, key_sizes) |
| 436 |
|
self.symmetric_cryptography.Signer = SignerAesCbc(sigkey) |
| 437 |
|
self.symmetric_cryptography.Encryptor = EncryptorAesCbc(key, init_vec) |
| 438 |
|
|
| 439 |
|
(sigkey, key, init_vec) = uacrypto.p_sha1(nonce1, nonce2, key_sizes) |
| 440 |
|
self.symmetric_cryptography.Verifier = VerifierAesCbc(sigkey) |
| 441 |
|
self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec) |
| 442 |
|
|
| 443 |
|
|
| 444 |
|
def encrypt_asymmetric(pubkey, data, policy_uri): |
|
@@ 311-374 (lines=64) @@
|
| 308 |
|
return uacrypto.cipher_decrypt(self.cipher, data) |
| 309 |
|
|
| 310 |
|
|
| 311 |
|
class SecurityPolicyBasic128Rsa15(SecurityPolicy): |
| 312 |
|
""" |
| 313 |
|
Security Basic 128Rsa15 |
| 314 |
|
A suite of algorithms that uses RSA15 as Key-Wrap-algorithm |
| 315 |
|
and 128-Bit (16 bytes) for encryption algorithms. |
| 316 |
|
- SymmetricSignatureAlgorithm - HmacSha1 |
| 317 |
|
(http://www.w3.org/2000/09/xmldsig#hmac-sha1) |
| 318 |
|
- SymmetricEncryptionAlgorithm - Aes128 |
| 319 |
|
(http://www.w3.org/2001/04/xmlenc#aes128-cbc) |
| 320 |
|
- AsymmetricSignatureAlgorithm - RsaSha1 |
| 321 |
|
(http://www.w3.org/2000/09/xmldsig#rsa-sha1) |
| 322 |
|
- AsymmetricKeyWrapAlgorithm - KwRsa15 |
| 323 |
|
(http://www.w3.org/2001/04/xmlenc#rsa-1_5) |
| 324 |
|
- AsymmetricEncryptionAlgorithm - Rsa15 |
| 325 |
|
(http://www.w3.org/2001/04/xmlenc#rsa-1_5) |
| 326 |
|
- KeyDerivationAlgorithm - PSha1 |
| 327 |
|
(http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1) |
| 328 |
|
- DerivedSignatureKeyLength - 128 (16 bytes) |
| 329 |
|
- MinAsymmetricKeyLength - 1024 (128 bytes) |
| 330 |
|
- MaxAsymmetricKeyLength - 2048 (256 bytes) |
| 331 |
|
- CertificateSignatureAlgorithm - Sha1 |
| 332 |
|
|
| 333 |
|
If a certificate or any certificate in the chain is not signed with |
| 334 |
|
a hash that is Sha1 or stronger then the certificate shall be rejected. |
| 335 |
|
""" |
| 336 |
|
|
| 337 |
|
URI = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15" |
| 338 |
|
signature_key_size = 16 |
| 339 |
|
symmetric_key_size = 16 |
| 340 |
|
AsymmetricEncryptionURI = "http://www.w3.org/2001/04/xmlenc#rsa-1_5" |
| 341 |
|
|
| 342 |
|
@staticmethod |
| 343 |
|
def encrypt_asymmetric(pubkey, data): |
| 344 |
|
return uacrypto.encrypt_rsa15(pubkey, data) |
| 345 |
|
|
| 346 |
|
def __init__(self, server_cert, client_cert, client_pk, mode): |
| 347 |
|
require_cryptography(self) |
| 348 |
|
if isinstance(server_cert, bytes): |
| 349 |
|
server_cert = uacrypto.x509_from_der(server_cert) |
| 350 |
|
# even in Sign mode we need to asymmetrically encrypt secrets |
| 351 |
|
# transmitted in OpenSecureChannel. So SignAndEncrypt here |
| 352 |
|
self.asymmetric_cryptography = Cryptography( |
| 353 |
|
MessageSecurityMode.SignAndEncrypt) |
| 354 |
|
self.asymmetric_cryptography.Signer = SignerRsa(client_pk) |
| 355 |
|
self.asymmetric_cryptography.Verifier = VerifierRsa(server_cert) |
| 356 |
|
self.asymmetric_cryptography.Encryptor = EncryptorRsa( |
| 357 |
|
server_cert, uacrypto.encrypt_rsa15, 11) |
| 358 |
|
self.asymmetric_cryptography.Decryptor = DecryptorRsa( |
| 359 |
|
client_pk, uacrypto.decrypt_rsa15, 11) |
| 360 |
|
self.symmetric_cryptography = Cryptography(mode) |
| 361 |
|
self.Mode = mode |
| 362 |
|
self.server_certificate = uacrypto.der_from_x509(server_cert) |
| 363 |
|
self.client_certificate = uacrypto.der_from_x509(client_cert) |
| 364 |
|
|
| 365 |
|
def make_symmetric_key(self, nonce1, nonce2): |
| 366 |
|
key_sizes = (self.signature_key_size, self.symmetric_key_size, 16) |
| 367 |
|
|
| 368 |
|
(sigkey, key, init_vec) = uacrypto.p_sha1(nonce2, nonce1, key_sizes) |
| 369 |
|
self.symmetric_cryptography.Signer = SignerAesCbc(sigkey) |
| 370 |
|
self.symmetric_cryptography.Encryptor = EncryptorAesCbc(key, init_vec) |
| 371 |
|
|
| 372 |
|
(sigkey, key, init_vec) = uacrypto.p_sha1(nonce1, nonce2, key_sizes) |
| 373 |
|
self.symmetric_cryptography.Verifier = VerifierAesCbc(sigkey) |
| 374 |
|
self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec) |
| 375 |
|
|
| 376 |
|
|
| 377 |
|
class SecurityPolicyBasic256(SecurityPolicy): |
FreeOpcUa /
python-opcua
