Merge pull request #697 from ephraim/master

Removed security policies with Sha-1 algorithm

Author: oroulet

examples/client_to_prosys.py

@@ -25,7 +25,7 @@ def event_notification(self, event):
     logging.basicConfig(level=logging.DEBUG)
     client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
     #client = Client("opc.tcp://olivier:olivierpass@localhost:53530/OPCUA/SimulationServer/")
-    #client.set_security_string("Basic256,SignAndEncrypt,certificate-example.der,private-key-example.pem")
+    #client.set_security_string("Basic256Sha256,SignAndEncrypt,certificate-example.der,private-key-example.pem")
     try:
         client.connect()
         root = client.get_root_node()

examples/client_to_prosys_crypto.py

@@ -10,7 +10,7 @@
 if __name__ == "__main__":
     logging.basicConfig(level=logging.DEBUG)
     client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
-    client.set_security_string("Basic256,Sign,certificate-example.der,private-key-example.pem")
+    client.set_security_string("Basic256Sha256,Sign,certificate-example.der,private-key-example.pem")
     try:
         client.connect()
         root = client.get_root_node()

examples/server-example.py

@@ -91,10 +91,8 @@ def run(self):
     # set all possible endpoint policies for clients to connect through
     server.set_security_policy([
                 ua.SecurityPolicyType.NoSecurity,
-                ua.SecurityPolicyType.Basic128Rsa15_SignAndEncrypt,
-                ua.SecurityPolicyType.Basic128Rsa15_Sign,
-                ua.SecurityPolicyType.Basic256_SignAndEncrypt,
-                ua.SecurityPolicyType.Basic256_Sign])
+                ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt,
+                ua.SecurityPolicyType.Basic256Sha256_Sign])
 
     # setup our own namespace
     uri = "http://examples.freeopcua.github.io"

opcua/client/client.py

@@ -159,7 +159,7 @@ def set_security_string(self, string):
         """
         Set SecureConnection mode. String format:
         Policy,Mode,certificate,private_key[,server_private_key]
-        where Policy is Basic128Rsa15 or Basic256,
+        where Policy is Basic128Rsa15, Basic256 or Basic256Sha256,
             Mode is Sign or SignAndEncrypt
             certificate, private_key and server_private_key are
                 paths to .pem or .der files

opcua/crypto/security_policies.py

@@ -1,3 +1,5 @@
+import logging
+
 from abc import ABCMeta, abstractmethod
 from opcua.ua import CryptographyNone, SecurityPolicy
 from opcua.ua import MessageSecurityMode
@@ -307,9 +309,63 @@ def encrypted_block_size(self):
     def decrypt(self, data):
         return uacrypto.cipher_decrypt(self.cipher, data)
 
+class SignerSha256(Signer):
+
+    def __init__(self, client_pk):
+        require_cryptography(self)
+        self.client_pk = client_pk
+        self.key_size = self.client_pk.key_size // 8
+
+    def signature_size(self):
+        return self.key_size
+
+    def signature(self, data):
+        return uacrypto.sign_sha256(self.client_pk, data)
+
+class VerifierSha256(Verifier):
+
+    def __init__(self, server_cert):
+        require_cryptography(self)
+        self.server_cert = server_cert
+        self.key_size = self.server_cert.public_key().key_size // 8
+
+    def signature_size(self):
+        return self.key_size
+
+    def verify(self, data, signature):
+        uacrypto.verify_sha256(self.server_cert, data, signature)
+
+class SignerHMac256(Signer):
+
+    def __init__(self, key):
+        require_cryptography(self)
+        self.key = key
+
+    def signature_size(self):
+        return uacrypto.sha256_size()
+
+    def signature(self, data):
+        return uacrypto.hmac_sha256(self.key, data)
+
+
+class VerifierHMac256(Verifier):
+
+    def __init__(self, key):
+        require_cryptography(self)
+        self.key = key
+
+    def signature_size(self):
+        return uacrypto.sha256_size()
+
+    def verify(self, data, signature):
+        expected = uacrypto.hmac_sha256(self.key, data)
+        if signature != expected:
+            raise uacrypto.InvalidSignature
 
 class SecurityPolicyBasic128Rsa15(SecurityPolicy):
     """
+    DEPRECATED, do not use anymore!
+
     Security Basic 128Rsa15
     A suite of algorithms that uses RSA15 as Key-Wrap-algorithm
     and 128-Bit (16 bytes) for encryption algorithms.
@@ -344,6 +400,9 @@ def encrypt_asymmetric(pubkey, data):
         return uacrypto.encrypt_rsa15(pubkey, data)
 
     def __init__(self, server_cert, client_cert, client_pk, mode):
+        logger = logging.getLogger(__name__)
+        logger.warning("DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!")
+
         require_cryptography(self)
         if isinstance(server_cert, bytes):
             server_cert = uacrypto.x509_from_der(server_cert)
@@ -376,6 +435,8 @@ def make_symmetric_key(self, nonce1, nonce2):
 
 class SecurityPolicyBasic256(SecurityPolicy):
     """
+    DEPRECATED, do not use anymore!
+
     Security Basic 256
     A suite of algorithms that are for 256-Bit (32 bytes) encryption,
     algorithms include:
@@ -410,6 +471,9 @@ def encrypt_asymmetric(pubkey, data):
         return uacrypto.encrypt_rsa_oaep(pubkey, data)
 
     def __init__(self, server_cert, client_cert, client_pk, mode):
+        logger = logging.getLogger(__name__)
+        logger.warning("DEPRECATED! Do not use SecurityPolicyBasic256 anymore!")
+
         require_cryptography(self)
         if isinstance(server_cert, bytes):
             server_cert = uacrypto.x509_from_der(server_cert)
@@ -440,14 +504,78 @@ def make_symmetric_key(self, nonce1, nonce2):
         self.symmetric_cryptography.Verifier = VerifierAesCbc(sigkey)
         self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec)
 
+class SecurityPolicyBasic256Sha256(SecurityPolicy):
+    """
+    Security Basic 256Sha256
+    A suite of algorithms that uses Sha256 as Key-Wrap-algorithm
+    and 256-Bit (32 bytes) for encryption algorithms.
+
+    - SymmetricSignatureAlgorithm_HMAC-SHA2-256
+      https://tools.ietf.org/html/rfc4634
+    - SymmetricEncryptionAlgorithm_AES256-CBC
+      http://www.w3.org/2001/04/xmlenc#aes256-cbc
+    - AsymmetricSignatureAlgorithm_RSA-PKCS15-SHA2-256
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    - AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA1
+      http://www.w3.org/2001/04/xmlenc#rsa-oaep
+    - KeyDerivationAlgorithm_P-SHA2-256
+      http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256
+    - CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256
+      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
+    - Basic256Sha256_Limits
+        -> DerivedSignatureKeyLength: 256 bits
+        -> MinAsymmetricKeyLength: 2048 bits
+        -> MaxAsymmetricKeyLength: 4096 bits
+        -> SecureChannelNonceLength: 32 bytes
+    """
+
+    URI = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
+    signature_key_size = 32
+    symmetric_key_size = 32
+    AsymmetricEncryptionURI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep"
+
+    @staticmethod
+    def encrypt_asymmetric(pubkey, data):
+        return uacrypto.encrypt_rsa_oaep(pubkey, data)
+
+    def __init__(self, server_cert, client_cert, client_pk, mode):
+        require_cryptography(self)
+        if isinstance(server_cert, bytes):
+            server_cert = uacrypto.x509_from_der(server_cert)
+        # even in Sign mode we need to asymmetrically encrypt secrets
+        # transmitted in OpenSecureChannel. So SignAndEncrypt here
+        self.asymmetric_cryptography = Cryptography(
+            MessageSecurityMode.SignAndEncrypt)
+        self.asymmetric_cryptography.Signer = SignerSha256(client_pk)
+        self.asymmetric_cryptography.Verifier = VerifierSha256(server_cert)
+        self.asymmetric_cryptography.Encryptor = EncryptorRsa(
+            server_cert, uacrypto.encrypt_rsa_oaep, 42)
+        self.asymmetric_cryptography.Decryptor = DecryptorRsa(
+            client_pk, uacrypto.decrypt_rsa_oaep, 42)
+        self.symmetric_cryptography = Cryptography(mode)
+        self.Mode = mode
+        self.server_certificate = uacrypto.der_from_x509(server_cert)
+        self.client_certificate = uacrypto.der_from_x509(client_cert)
+
+    def make_symmetric_key(self, nonce1, nonce2):
+        # specs part 6, 6.7.5
+        key_sizes = (self.signature_key_size, self.symmetric_key_size, 16)
+
+        (sigkey, key, init_vec) = uacrypto.p_sha256(nonce2, nonce1, key_sizes)
+        self.symmetric_cryptography.Signer = SignerHMac256(sigkey)
+        self.symmetric_cryptography.Encryptor = EncryptorAesCbc(key, init_vec)
+
+        (sigkey, key, init_vec) = uacrypto.p_sha256(nonce1, nonce2, key_sizes)
+        self.symmetric_cryptography.Verifier = VerifierHMac256(sigkey)
+        self.symmetric_cryptography.Decryptor = DecryptorAesCbc(key, init_vec)
 
 def encrypt_asymmetric(pubkey, data, policy_uri):
     """
     Encrypt data with pubkey using an asymmetric algorithm.
     The algorithm is selected by policy_uri.
     Returns a tuple (encrypted_data, algorithm_uri)
     """
-    for cls in [SecurityPolicyBasic256, SecurityPolicyBasic128Rsa15]:
+    for cls in [SecurityPolicyBasic256Sha256, SecurityPolicyBasic256, SecurityPolicyBasic128Rsa15]:
         if policy_uri == cls.URI:
             return (cls.encrypt_asymmetric(pubkey, data),
                     cls.AsymmetricEncryptionURI)

opcua/crypto/uacrypto.py

@@ -49,13 +49,27 @@ def sign_sha1(private_key, data):
         hashes.SHA1()
     )
 
+def sign_sha256(private_key, data):
+    return private_key.sign(
+        data,
+        padding.PKCS1v15(),
+        hashes.SHA256()
+    )
+
 def verify_sha1(certificate, data, signature):
     certificate.public_key().verify(
         signature,
         data,
         padding.PKCS1v15(),
         hashes.SHA1())
 
+def verify_sha256(certificate, data, signature):
+    certificate.public_key().verify(
+        signature,
+        data,
+        padding.PKCS1v15(),
+        hashes.SHA256())
+
 def encrypt_basic256(public_key, data):
     ciphertext = public_key.encrypt(
         data,
@@ -124,10 +138,16 @@ def hmac_sha1(key, message):
     hasher.update(message)
     return hasher.finalize()
 
+def hmac_sha256(key, message):
+    hasher = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
+    hasher.update(message)
+    return hasher.finalize()
 
 def sha1_size():
     return hashes.SHA1.digest_size
 
+def sha256_size():
+    return hashes.SHA256.digest_size
 
 def p_sha1(secret, seed, sizes=()):
     """
@@ -151,6 +171,27 @@ def p_sha1(secret, seed, sizes=()):
         result = result[size:]
     return tuple(parts)
 
+def p_sha256(secret, seed, sizes=()):
+    """
+    Derive one or more keys from secret and seed.
+    (See specs part 6, 6.7.5 and RFC 2246 - TLS v1.0)
+    Lengths of keys will match sizes argument
+    """
+    full_size = 0
+    for size in sizes:
+        full_size += size
+
+    result = b''
+    accum = seed
+    while len(result) < full_size:
+        accum = hmac_sha256(secret, accum)
+        result += hmac_sha256(secret, accum + seed)
+
+    parts = []
+    for size in sizes:
+        parts.append(result[:size])
+        result = result[size:]
+    return tuple(parts)
 
 def x509_name_to_string(name):
     parts = ["{0}={1}".format(attr.oid._name, attr.value) for attr in name]
@@ -174,6 +215,6 @@ def x509_to_string(cert):
     cert = load_certificate("../examples/server_cert.pem")
     #rsa_pubkey = pubkey_from_dercert(der)
     rsa_privkey = load_private_key("../examples/mykey.pem")
-    
+
     from IPython import embed
     embed()