Added security policy Basic256Sha256

Added deprecated warning to the implementation of Basic256 and
Basic128Rsa15 security policies.
Removed usage of security policies Basic256 and Basic128Rsa15 from server example
implementation.
Basic256 and Basic128Rsa15 use both the sha-1 algorithm.
This is considererd not secure anymore since OPC UA Spec 1.04.
See:
http://opcfoundation.org/UA-Profile/UA/SecurityPolicy%23Basic128Rsa15
http://opcfoundation.org/UA-Profile/UA/SecurityPolicy%23Basic256

For details on Basic256Sha256 security policy have a look here:
http://opcfoundation.org/UA-Profile/UA/SecurityPolicy%23Basic256Sha256

Author: Thilo Cestonaro

examples/client_to_prosys.py

@@ -25,7 +25,7 @@ def event_notification(self, event):
     logging.basicConfig(level=logging.DEBUG)
     client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
     #client = Client("opc.tcp://olivier:olivierpass@localhost:53530/OPCUA/SimulationServer/")
-    #client.set_security_string("Basic256,SignAndEncrypt,certificate-example.der,private-key-example.pem")
+    #client.set_security_string("Basic256Sha256,SignAndEncrypt,certificate-example.der,private-key-example.pem")
     try:
         client.connect()
         root = client.get_root_node()

examples/client_to_prosys_crypto.py

@@ -10,7 +10,7 @@
 if __name__ == "__main__":
     logging.basicConfig(level=logging.DEBUG)
     client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
-    client.set_security_string("Basic256,Sign,certificate-example.der,private-key-example.pem")
+    client.set_security_string("Basic256Sha256,Sign,certificate-example.der,private-key-example.pem")
     try:
         client.connect()
         root = client.get_root_node()

examples/server-example.py

@@ -91,10 +91,8 @@ def run(self):
     # set all possible endpoint policies for clients to connect through
     server.set_security_policy([
                 ua.SecurityPolicyType.NoSecurity,
-                ua.SecurityPolicyType.Basic128Rsa15_SignAndEncrypt,
-                ua.SecurityPolicyType.Basic128Rsa15_Sign,
-                ua.SecurityPolicyType.Basic256_SignAndEncrypt,
-                ua.SecurityPolicyType.Basic256_Sign])
+                ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt,
+                ua.SecurityPolicyType.Basic256Sha256_Sign])
 
     # setup our own namespace
     uri = "http://examples.freeopcua.github.io"

opcua/client/client.py

@@ -159,7 +159,7 @@ def set_security_string(self, string):
         """
         Set SecureConnection mode. String format:
         Policy,Mode,certificate,private_key[,server_private_key]
-        where Policy is Basic128Rsa15 or Basic256,
+        where Policy is Basic128Rsa15, Basic256 or Basic256Sha256,
             Mode is Sign or SignAndEncrypt
             certificate, private_key and server_private_key are
                 paths to .pem or .der files

opcua/crypto/security_policies.py

@@ -1,3 +1,5 @@
+import logging
+
 from abc import ABCMeta, abstractmethod
 from opcua.ua import CryptographyNone, SecurityPolicy
 from opcua.ua import MessageSecurityMode
@@ -307,9 +309,63 @@ def encrypted_block_size(self):
     def decrypt(self, data):
         return uacrypto.cipher_decrypt(self.cipher, data)
 
+class SignerSha256(Signer):
+
+    def __init__(self, client_pk):
+        require_cryptography(self)
+        self.client_pk = client_pk
+        self.key_size = self.client_pk.key_size // 8
+
+    def signature_size(self):
+        return self.key_size
+
+    def signature(self, data):
+        return uacrypto.sign_sha256(self.client_pk, data)
+
+class VerifierSha256(Verifier):
+
+    def __init__(self, server_cert):
+        require_cryptography(self)
+        self.server_cert = server_cert
+        self.key_size = self.server_cert.public_key().key_size // 8
+
+    def signature_size(self):
+        return self.key_size
+
+    def verify(self, data, signature):
+        uacrypto.verify_sha256(self.server_cert, data, signature)
+
+class SignerHMac256(Signer):
+
+    def __init__(self, key):
+        require_cryptography(self)
+        self.key = key
+
+    def signature_size(self):
+        return uacrypto.sha256_size()
+
+    def signature(self, data):
+        return uacrypto.hmac_sha256(self.key, data)
+
+
+class VerifierHMac256(Verifier):
+
+    def __init__(self, key):
+        require_cryptography(self)
+        self.key = key
+
+    def signature_size(self):
+        return uacrypto.sha256_size()
+
+    def verify(self, data, signature):
+        expected = uacrypto.hmac_sha256(self.key, data)
+        if signature != expected:
+            raise uacrypto.InvalidSignature
 
 class SecurityPolicyBasic128Rsa15(SecurityPolicy):
     """
+    DEPRECATED, do not use anymore!
+
     Security Basic 128Rsa15
     A suite of algorithms that uses RSA15 as Key-Wrap-algorithm
     and 128-Bit (16 bytes) for encryption algorithms.
@@ -344,6 +400,9 @@ def encrypt_asymmetric(pubkey, data):
         return uacrypto.encrypt_rsa15(pubkey, data)
 
     def __init__(self, server_cert, client_cert, client_pk, mode):
+        logger = logging.getLogger(__name__)
+        logger.warning("DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!")
+
         require_cryptography(self)
         if isinstance(server_cert, bytes):
             server_cert = uacrypto.x509_from_der(server_cert)
@@ -376,6 +435,8 @@ def make_symmetric_key(self, nonce1, nonce2):
 
 class SecurityPolicyBasic256(SecurityPolicy):
     """
+    DEPRECATED, do not use anymore!
+
     Security Basic 256
     A suite of algorithms that are for 256-Bit (32 bytes) encryption,
     algorithms include:
@@ -410,6 +471,9 @@ def encrypt_asymmetric(pubkey, data):
         return uacrypto.encrypt_rsa_oaep(pubkey, data)
 
     def __init__(self, server_cert, client_cert, client_pk, mode):
+        logger = logging.getLogger(__name__)
+        logger.warning("DEPRECATED! Do not use SecurityPolicyBasic256 anymore!")
+
         require_cryptography(self)
         if isinstance(server_cert, bytes):
             server_cert = uacrypto.x509_from_der(server_cert)
@@ -440,14 +504,78 @@ def make_symmetric_key(self, nonce1, nonce2):
         self.symmetric_cryptography.Verifier = VerifierAesCbc(sigkey)
         self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec)
 
+class SecurityPolicyBasic256Sha256(SecurityPolicy):
+    """
+    Security Basic 256Sha256
+    A suite of algorithms that uses Sha256 as Key-Wrap-algorithm
+    and 256-Bit (32 bytes) for encryption algorithms.
+
+    - SymmetricSignatureAlgorithm_HMAC-SHA2-256
+      https://tools.ietf.org/html/rfc4634
+    - SymmetricEncryptionAlgorithm_AES256-CBC
+      http://www.w3.org/2001/04/xmlenc#aes256-cbc
+    - AsymmetricSignatureAlgorithm_RSA-PKCS15-SHA2-256
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    - AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA1
+      http://www.w3.org/2001/04/xmlenc#rsa-oaep
+    - KeyDerivationAlgorithm_P-SHA2-256
+      http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256
+    - CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    - Basic256Sha256_Limits
+        -> DerivedSignatureKeyLength: 256 bits
+        -> MinAsymmetricKeyLength: 2048 bits
+        -> MaxAsymmetricKeyLength: 4096 bits
+        -> SecureChannelNonceLength: 32 bytes
+    """
+
+    URI = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
+    signature_key_size = 32
+    symmetric_key_size = 32
+    AsymmetricEncryptionURI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep"
+
+    @staticmethod
+    def encrypt_asymmetric(pubkey, data):
+        return uacrypto.encrypt_rsa_oaep(pubkey, data)
+
+    def __init__(self, server_cert, client_cert, client_pk, mode):
+        require_cryptography(self)
+        if isinstance(server_cert, bytes):
+            server_cert = uacrypto.x509_from_der(server_cert)
+        # even in Sign mode we need to asymmetrically encrypt secrets
+        # transmitted in OpenSecureChannel. So SignAndEncrypt here
+        self.asymmetric_cryptography = Cryptography(
+            MessageSecurityMode.SignAndEncrypt)
+        self.asymmetric_cryptography.Signer = SignerSha256(client_pk)
+        self.asymmetric_cryptography.Verifier = VerifierSha256(server_cert)
+        self.asymmetric_cryptography.Encryptor = EncryptorRsa(
+            server_cert, uacrypto.encrypt_rsa_oaep, 42)
+        self.asymmetric_cryptography.Decryptor = DecryptorRsa(
+            client_pk, uacrypto.decrypt_rsa_oaep, 42)
+        self.symmetric_cryptography = Cryptography(mode)
+        self.Mode = mode
+        self.server_certificate = uacrypto.der_from_x509(server_cert)
+        self.client_certificate = uacrypto.der_from_x509(client_cert)
+
+    def make_symmetric_key(self, nonce1, nonce2):
+        # specs part 6, 6.7.5
+        key_sizes = (self.signature_key_size, self.symmetric_key_size, 16)
+
+        (sigkey, key, init_vec) = uacrypto.p_sha256(nonce2, nonce1, key_sizes)
+        self.symmetric_cryptography.Signer = SignerHMac256(sigkey)
+        self.symmetric_cryptography.Encryptor = EncryptorAesCbc(key, init_vec)
+
+        (sigkey, key, init_vec) = uacrypto.p_sha256(nonce1, nonce2, key_sizes)
+        self.symmetric_cryptography.Verifier = VerifierHMac256(sigkey)
+        self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec)
 
 def encrypt_asymmetric(pubkey, data, policy_uri):
     """
     Encrypt data with pubkey using an asymmetric algorithm.
     The algorithm is selected by policy_uri.
     Returns a tuple (encrypted_data, algorithm_uri)
     """
-    for cls in [SecurityPolicyBasic256, SecurityPolicyBasic128Rsa15]:
+    for cls in [SecurityPolicyBasic256Sha256, SecurityPolicyBasic256, SecurityPolicyBasic128Rsa15]:
         if policy_uri == cls.URI:
             return (cls.encrypt_asymmetric(pubkey, data),
                     cls.AsymmetricEncryptionURI)

opcua/crypto/uacrypto.py

@@ -49,13 +49,27 @@ def sign_sha1(private_key, data):
         hashes.SHA1()
     )
 
+def sign_sha256(private_key, data):
+    return private_key.sign(
+        data,
+        padding.PKCS1v15(),
+        hashes.SHA256()
+    )
+
 def verify_sha1(certificate, data, signature):
     certificate.public_key().verify(
         signature,
         data,
         padding.PKCS1v15(),
         hashes.SHA1())
 
+def verify_sha256(certificate, data, signature):
+    certificate.public_key().verify(
+        signature,
+        data,
+        padding.PKCS1v15(),
+        hashes.SHA256())
+
 def encrypt_basic256(public_key, data):
     ciphertext = public_key.encrypt(
         data,
@@ -124,10 +138,16 @@ def hmac_sha1(key, message):
     hasher.update(message)
     return hasher.finalize()
 
+def hmac_sha256(key, message):
+    hasher = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
+    hasher.update(message)
+    return hasher.finalize()
 
 def sha1_size():
     return hashes.SHA1.digest_size
 
+def sha256_size():
+    return hashes.SHA256.digest_size
 
 def p_sha1(secret, seed, sizes=()):
     """
@@ -151,6 +171,27 @@ def p_sha1(secret, seed, sizes=()):
         result = result[size:]
     return tuple(parts)
 
+def p_sha256(secret, seed, sizes=()):
+    """
+    Derive one or more keys from secret and seed.
+    (See specs part 6, 6.7.5 and RFC 2246 - TLS v1.0)
+    Lengths of keys will match sizes argument
+    """
+    full_size = 0
+    for size in sizes:
+        full_size += size
+
+    result = b''
+    accum = seed
+    while len(result) < full_size:
+        accum = hmac_sha256(secret, accum)
+        result += hmac_sha256(secret, accum + seed)
+
+    parts = []
+    for size in sizes:
+        parts.append(result[:size])
+        result = result[size:]
+    return tuple(parts)
 
 def x509_name_to_string(name):
     parts = ["{0}={1}".format(attr.oid._name, attr.value) for attr in name]
@@ -174,6 +215,6 @@ def x509_to_string(cert):
     cert = load_certificate("../examples/server_cert.pem")
     #rsa_pubkey = pubkey_from_dercert(der)
     rsa_privkey = load_private_key("../examples/mykey.pem")
-    
+
     from IPython import embed
     embed()