opcua.crypto package

Submodules

opcua.crypto.security_policies module

class opcua.crypto.security_policies.Cryptography(mode=<MessageSecurityMode.Sign: 2>)

Bases: opcua.ua.uaprotocol_hand.CryptographyNone

Security policy: Sign or SignAndEncrypt

decrypt(data)

encrypt(data)

encrypted_block_size()

Size of encrypted text block for block cipher.

min_padding_size()

padding(size)

Create padding for a block of given size. plain_size = size + len(padding) + signature_size() plain_size = N * plain_block_size()

plain_block_size()

Size of plain text block for block cipher.

remove_padding(data)

signature(data)

signature_size()

verify(data, sig)

Verify signature and raise exception if signature is invalid

vsignature_size()

class opcua.crypto.security_policies.Decryptor

Bases: object

Abstract base class for decryption algorithm

decrypt(data)

encrypted_block_size()

plain_block_size()

class opcua.crypto.security_policies.DecryptorAesCbc(key, init_vec)

Bases: opcua.crypto.security_policies.Decryptor

decrypt(data)

encrypted_block_size()

plain_block_size()

class opcua.crypto.security_policies.DecryptorRsa(client_pk, dec_fn, padding_size)

Bases: opcua.crypto.security_policies.Decryptor

decrypt(data)

encrypted_block_size()

plain_block_size()

class opcua.crypto.security_policies.Encryptor

Bases: object

Abstract base class for encryption algorithm

encrypt(data)

encrypted_block_size()

plain_block_size()

class opcua.crypto.security_policies.EncryptorAesCbc(key, init_vec)

Bases: opcua.crypto.security_policies.Encryptor

encrypt(data)

encrypted_block_size()

plain_block_size()

class opcua.crypto.security_policies.EncryptorRsa(server_cert, enc_fn, padding_size)

Bases: opcua.crypto.security_policies.Encryptor

encrypt(data)

encrypted_block_size()

plain_block_size()

class opcua.crypto.security_policies.SecurityPolicyBasic128Rsa15(server_cert, client_cert, client_pk, mode)

Bases: opcua.ua.uaprotocol_hand.SecurityPolicy

DEPRECATED, do not use anymore!

Security Basic 128Rsa15 A suite of algorithms that uses RSA15 as Key-Wrap-algorithm and 128-Bit (16 bytes) for encryption algorithms. - SymmetricSignatureAlgorithm - HmacSha1

(http://www.w3.org/2000/09/xmldsig#hmac-sha1)

• SymmetricEncryptionAlgorithm - Aes128 (http://www.w3.org/2001/04/xmlenc#aes128-cbc)
• AsymmetricSignatureAlgorithm - RsaSha1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
• AsymmetricKeyWrapAlgorithm - KwRsa15 (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
• AsymmetricEncryptionAlgorithm - Rsa15 (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
• KeyDerivationAlgorithm - PSha1 (http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1)
• DerivedSignatureKeyLength - 128 (16 bytes)
• MinAsymmetricKeyLength - 1024 (128 bytes)
• MaxAsymmetricKeyLength - 2048 (256 bytes)
• CertificateSignatureAlgorithm - Sha1

If a certificate or any certificate in the chain is not signed with a hash that is Sha1 or stronger then the certificate shall be rejected.

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'

AsymmetricSignatureURI = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed)

signature_key_size = 16

symmetric_key_size = 16

class opcua.crypto.security_policies.SecurityPolicyBasic256(server_cert, client_cert, client_pk, mode)

Bases: opcua.ua.uaprotocol_hand.SecurityPolicy

DEPRECATED, do not use anymore!

Security Basic 256 A suite of algorithms that are for 256-Bit (32 bytes) encryption, algorithms include: - SymmetricSignatureAlgorithm - HmacSha1

(http://www.w3.org/2000/09/xmldsig#hmac-sha1)

• SymmetricEncryptionAlgorithm - Aes256 (http://www.w3.org/2001/04/xmlenc#aes256-cbc)
• AsymmetricSignatureAlgorithm - RsaSha1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
• AsymmetricKeyWrapAlgorithm - KwRsaOaep (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p)
• AsymmetricEncryptionAlgorithm - RsaOaep (http://www.w3.org/2001/04/xmlenc#rsa-oaep)
• KeyDerivationAlgorithm - PSha1 (http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1)
• DerivedSignatureKeyLength - 192 (24 bytes)
• MinAsymmetricKeyLength - 1024 (128 bytes)
• MaxAsymmetricKeyLength - 2048 (256 bytes)
• CertificateSignatureAlgorithm - Sha1

If a certificate or any certificate in the chain is not signed with a hash that is Sha1 or stronger then the certificate shall be rejected.

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'

AsymmetricSignatureURI = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Basic256'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed)

signature_key_size = 24

symmetric_key_size = 32

class opcua.crypto.security_policies.SecurityPolicyBasic256Sha256(server_cert, client_cert, client_pk, mode)

Bases: opcua.ua.uaprotocol_hand.SecurityPolicy

Security Basic 256Sha256 A suite of algorithms that uses Sha256 as Key-Wrap-algorithm and 256-Bit (32 bytes) for encryption algorithms.

• SymmetricSignatureAlgorithm_HMAC-SHA2-256 https://tools.ietf.org/html/rfc4634
• SymmetricEncryptionAlgorithm_AES256-CBC http://www.w3.org/2001/04/xmlenc#aes256-cbc
• AsymmetricSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
• AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA1 http://www.w3.org/2001/04/xmlenc#rsa-oaep
• KeyDerivationAlgorithm_P-SHA2-256 http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256
• CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

• Basic256Sha256_Limits

  -> DerivedSignatureKeyLength: 256 bits -> MinAsymmetricKeyLength: 2048 bits -> MaxAsymmetricKeyLength: 4096 bits -> SecureChannelNonceLength: 32 bytes

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'

AsymmetricSignatureURI = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed)

signature_key_size = 32

symmetric_key_size = 32

class opcua.crypto.security_policies.Signer

Bases: object

Abstract base class for cryptographic signature algorithm

signature(data)

signature_size()

class opcua.crypto.security_policies.SignerAesCbc(key)

Bases: opcua.crypto.security_policies.Signer

signature(data)

signature_size()

class opcua.crypto.security_policies.SignerHMac256(key)

Bases: opcua.crypto.security_policies.Signer

signature(data)

signature_size()

class opcua.crypto.security_policies.SignerRsa(client_pk)

Bases: opcua.crypto.security_policies.Signer

signature(data)

signature_size()

class opcua.crypto.security_policies.SignerSha256(client_pk)

Bases: opcua.crypto.security_policies.Signer

signature(data)

signature_size()

class opcua.crypto.security_policies.Verifier

Bases: object

Abstract base class for cryptographic signature verification

signature_size()

verify(data, signature)

class opcua.crypto.security_policies.VerifierAesCbc(key)

Bases: opcua.crypto.security_policies.Verifier

signature_size()

verify(data, signature)

class opcua.crypto.security_policies.VerifierHMac256(key)

Bases: opcua.crypto.security_policies.Verifier

signature_size()

verify(data, signature)

class opcua.crypto.security_policies.VerifierRsa(server_cert)

Bases: opcua.crypto.security_policies.Verifier

signature_size()

verify(data, signature)

class opcua.crypto.security_policies.VerifierSha256(server_cert)

Bases: opcua.crypto.security_policies.Verifier

signature_size()

verify(data, signature)

opcua.crypto.security_policies.encrypt_asymmetric(pubkey, data, policy_uri)

Encrypt data with pubkey using an asymmetric algorithm. The algorithm is selected by policy_uri. Returns a tuple (encrypted_data, algorithm_uri)

opcua.crypto.security_policies.require_cryptography(obj)

Raise exception if cryptography module is not available. Call this function in constructors.

opcua.crypto.uacrypto module

opcua.crypto.uacrypto.cipher_aes_cbc(key, init_vec)

opcua.crypto.uacrypto.cipher_decrypt(cipher, data)

opcua.crypto.uacrypto.cipher_encrypt(cipher, data)

opcua.crypto.uacrypto.decrypt_rsa15(private_key, data)

opcua.crypto.uacrypto.decrypt_rsa_oaep(private_key, data)

opcua.crypto.uacrypto.der_from_x509(certificate)

opcua.crypto.uacrypto.encrypt_basic256(public_key, data)

opcua.crypto.uacrypto.encrypt_rsa15(public_key, data)

opcua.crypto.uacrypto.encrypt_rsa_oaep(public_key, data)

opcua.crypto.uacrypto.hmac_sha1(key, message)

opcua.crypto.uacrypto.hmac_sha256(key, message)

opcua.crypto.uacrypto.load_certificate(path)

opcua.crypto.uacrypto.load_private_key(path)

opcua.crypto.uacrypto.p_sha1(secret, seed, sizes=())

Derive one or more keys from secret and seed. (See specs part 6, 6.7.5 and RFC 2246 - TLS v1.0) Lengths of keys will match sizes argument

opcua.crypto.uacrypto.p_sha256(secret, seed, sizes=())

Derive one or more keys from secret and seed. (See specs part 6, 6.7.5 and RFC 2246 - TLS v1.0) Lengths of keys will match sizes argument

opcua.crypto.uacrypto.sha1_size()

opcua.crypto.uacrypto.sha256_size()

opcua.crypto.uacrypto.sign_sha1(private_key, data)

opcua.crypto.uacrypto.sign_sha256(private_key, data)

opcua.crypto.uacrypto.verify_sha1(certificate, data, signature)

opcua.crypto.uacrypto.verify_sha256(certificate, data, signature)

opcua.crypto.uacrypto.x509_from_der(data)

opcua.crypto.uacrypto.x509_name_to_string(name)

opcua.crypto.uacrypto.x509_to_string(cert)

Convert x509 certificate to human-readable string

Module contents