asyncua.crypto package

asyncua.crypto.permission_rules module

class asyncua.crypto.permission_rules.PermissionRuleset

Bases: object

Base class for permission ruleset

check_validity(user, action_type, body)

class asyncua.crypto.permission_rules.SimpleRoleRuleset

Bases: PermissionRuleset

Standard simple role-based ruleset. Admins alone can write, admins and users can read, and anonymous users can’t do anything.

check_validity(user, action_type_id, body)

asyncua.crypto.security_policies module

class asyncua.crypto.security_policies.Cryptography(mode=MessageSecurityMode.Sign)

Bases: CryptographyNone

Security policy: Sign or SignAndEncrypt

decrypt(data)

encrypt(data)

encrypted_block_size()

Size of encrypted text block for block cipher.

min_padding_size()

padding(size)

Create padding for a block of given size. plain_size = size + len(padding) + signature_size() plain_size = N * plain_block_size()

plain_block_size()

Size of plain text block for block cipher.

remove_padding(data)

revolved_expired_key()

Remove expired keys as soon as possible

signature(data)

signature_size()

property use_prev_key

verify(data, sig)

Verify signature and raise exception if signature is invalid

vsignature_size()

class asyncua.crypto.security_policies.Decryptor

Bases: object

Abstract base class for decryption algorithm

abstract decrypt(data)

abstract encrypted_block_size()

abstract plain_block_size()

reset()

class asyncua.crypto.security_policies.DecryptorAesCbc(key, init_vec)

Bases: Decryptor

decrypt(data)

encrypted_block_size()

plain_block_size()

class asyncua.crypto.security_policies.DecryptorRsa(client_pk, dec_fn, padding_size)

Bases: Decryptor

decrypt(data)

encrypted_block_size()

plain_block_size()

class asyncua.crypto.security_policies.Encryptor

Bases: object

Abstract base class for encryption algorithm

abstract encrypt(data)

abstract encrypted_block_size()

abstract plain_block_size()

class asyncua.crypto.security_policies.EncryptorAesCbc(key, init_vec)

Bases: Encryptor

encrypt(data)

encrypted_block_size()

plain_block_size()

class asyncua.crypto.security_policies.EncryptorRsa(server_cert, enc_fn, padding_size)

Bases: Encryptor

encrypt(data)

encrypted_block_size()

plain_block_size()

class asyncua.crypto.security_policies.SecurityPolicyAes128Sha256RsaOaep(peer_cert, host_cert, client_pk, mode, permission_ruleset=None)

Bases: SecurityPolicy

Security Aes128 Sha256 RsaOaep A suite of algorithms that uses Sha256 as Key-Wrap-algorithm and 128-Bit (16 bytes) for encryption algorithms.

• SymmetricSignatureAlgorithm_HMAC-SHA2-256 https://tools.ietf.org/html/rfc4634

• SymmetricEncryptionAlgorithm_AES128-CBC http://www.w3.org/2001/04/xmlenc#aes256-cbc

• AsymmetricSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

• AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA1 http://www.w3.org/2001/04/xmlenc#rsa-oaep

• KeyDerivationAlgorithm_P-SHA2-256 http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256

• CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

• Aes128Sha256RsaOaep_Limits

  -> DerivedSignatureKeyLength: 256 bits -> MinAsymmetricKeyLength: 2048 bits -> MaxAsymmetricKeyLength: 4096 bits -> SecureChannelNonceLength: 32 bytes

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'

AsymmetricSignatureURI: str = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed, lifetime)

secure_channel_nonce_length: int = 32

signature_key_size: int = 32

symmetric_key_size: int = 16

class asyncua.crypto.security_policies.SecurityPolicyAes256Sha256RsaPss(peer_cert, host_cert, client_pk, mode, permission_ruleset=None)

Bases: SecurityPolicy

Security policy Aes256_Sha256_RsaPss implementation

• SymmetricSignatureAlgorithm_HMAC-SHA2-256 https://tools.ietf.org/html/rfc4634

• SymmetricEncryptionAlgorithm_AES256-CBC http://www.w3.org/2001/04/xmlenc#aes256-cbc

• AsymmetricSignatureAlgorithm_RSA-PSS-SHA2-256 http://opcfoundation.org/UA/security/rsa-pss-sha2-256

• AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA2-256 http://opcfoundation.org/UA/security/rsa-oaep-sha2-256

• KeyDerivationAlgorithm_P-SHA2-256 http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256

• CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

• Aes256Sha256RsaPss_Limits

  -> DerivedSignatureKeyLength: 256 bits -> MinAsymmetricKeyLength: 2048 bits -> MaxAsymmetricKeyLength: 4096 bits -> SecureChannelNonceLength: 32 bytes

AsymmetricEncryptionURI = 'http://opcfoundation.org/UA/security/rsa-oaep-sha2-256'

AsymmetricSignatureURI: str = 'http://opcfoundation.org/UA/security/rsa-pss-sha2-256'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed, lifetime)

secure_channel_nonce_length: int = 32

signature_key_size: int = 32

symmetric_key_size: int = 32

class asyncua.crypto.security_policies.SecurityPolicyBasic128Rsa15(peer_cert, host_cert, client_pk, mode, permission_ruleset=None)

Bases: SecurityPolicy

DEPRECATED, do not use anymore!

Security Basic 128Rsa15 A suite of algorithms that uses RSA15 as Key-Wrap-algorithm and 128-Bit (16 bytes) for encryption algorithms. - SymmetricSignatureAlgorithm - HmacSha1

(http://www.w3.org/2000/09/xmldsig#hmac-sha1)

• SymmetricEncryptionAlgorithm - Aes128 (http://www.w3.org/2001/04/xmlenc#aes128-cbc)

• AsymmetricSignatureAlgorithm - RsaSha1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)

• AsymmetricKeyWrapAlgorithm - KwRsa15 (http://www.w3.org/2001/04/xmlenc#rsa-1_5)

• AsymmetricEncryptionAlgorithm - Rsa15 (http://www.w3.org/2001/04/xmlenc#rsa-1_5)

• KeyDerivationAlgorithm - PSha1 (http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1)

• DerivedSignatureKeyLength - 128 (16 bytes)

• MinAsymmetricKeyLength - 1024 (128 bytes)

• MaxAsymmetricKeyLength - 2048 (256 bytes)

• CertificateSignatureAlgorithm - Sha1

If a certificate or any certificate in the chain is not signed with a hash that is Sha1 or stronger than the certificate shall be rejected.

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'

AsymmetricSignatureURI: str = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed, lifetime)

secure_channel_nonce_length: int = 16

signature_key_size: int = 16

symmetric_key_size: int = 16

class asyncua.crypto.security_policies.SecurityPolicyBasic256(peer_cert, host_cert, client_pk, mode, permission_ruleset=None)

Bases: SecurityPolicy

DEPRECATED, do not use anymore!

Security Basic 256 A suite of algorithms that are for 256-Bit (32 bytes) encryption, algorithms include: - SymmetricSignatureAlgorithm - HmacSha1

(http://www.w3.org/2000/09/xmldsig#hmac-sha1)

• SymmetricEncryptionAlgorithm - Aes256 (http://www.w3.org/2001/04/xmlenc#aes256-cbc)

• AsymmetricSignatureAlgorithm - RsaSha1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)

• AsymmetricKeyWrapAlgorithm - KwRsaOaep (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p)

• AsymmetricEncryptionAlgorithm - RsaOaep (http://www.w3.org/2001/04/xmlenc#rsa-oaep)

• KeyDerivationAlgorithm - PSha1 (http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1)

• DerivedSignatureKeyLength - 192 (24 bytes)

• MinAsymmetricKeyLength - 1024 (128 bytes)

• MaxAsymmetricKeyLength - 2048 (256 bytes)

• CertificateSignatureAlgorithm - Sha1

If a certificate or any certificate in the chain is not signed with a hash that is Sha1 or stronger than the certificate shall be rejected.

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'

AsymmetricSignatureURI: str = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Basic256'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed, lifetime)

secure_channel_nonce_length: int = 32

signature_key_size: int = 24

symmetric_key_size: int = 32

class asyncua.crypto.security_policies.SecurityPolicyBasic256Sha256(peer_cert, host_cert, client_pk, mode, permission_ruleset=None)

Bases: SecurityPolicy

Security Basic 256Sha256 A suite of algorithms that uses Sha256 as Key-Wrap-algorithm and 256-Bit (32 bytes) for encryption algorithms.

• SymmetricSignatureAlgorithm_HMAC-SHA2-256 https://tools.ietf.org/html/rfc4634

• SymmetricEncryptionAlgorithm_AES256-CBC http://www.w3.org/2001/04/xmlenc#aes256-cbc

• AsymmetricSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

• AsymmetricEncryptionAlgorithm_RSA-OAEP-SHA1 http://www.w3.org/2001/04/xmlenc#rsa-oaep

• KeyDerivationAlgorithm_P-SHA2-256 http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha256

• CertificateSignatureAlgorithm_RSA-PKCS15-SHA2-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

• Basic256Sha256_Limits

  -> DerivedSignatureKeyLength: 256 bits -> MinAsymmetricKeyLength: 2048 bits -> MaxAsymmetricKeyLength: 4096 bits -> SecureChannelNonceLength: 32 bytes

AsymmetricEncryptionURI = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'

AsymmetricSignatureURI: str = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

URI = 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'

static encrypt_asymmetric(pubkey, data)

make_local_symmetric_key(secret, seed)

make_remote_symmetric_key(secret, seed, lifetime)

secure_channel_nonce_length: int = 32

signature_key_size: int = 32

symmetric_key_size: int = 32

class asyncua.crypto.security_policies.Signer

Bases: object

Abstract base class for cryptographic signature algorithm

abstract signature(data)

abstract signature_size()

class asyncua.crypto.security_policies.SignerAesCbc(key)

Bases: Signer

signature(data)

signature_size()

class asyncua.crypto.security_policies.SignerHMac256(key)

Bases: Signer

signature(data)

signature_size()

class asyncua.crypto.security_policies.SignerPssSha256(client_pk)

Bases: Signer

signature(data)

signature_size()

class asyncua.crypto.security_policies.SignerRsa(client_pk)

Bases: Signer

signature(data)

signature_size()

class asyncua.crypto.security_policies.SignerSha256(client_pk)

Bases: Signer

signature(data)

signature_size()

class asyncua.crypto.security_policies.Verifier

Bases: object

Abstract base class for cryptographic signature verification

reset()

abstract signature_size()

abstract verify(data, signature)

class asyncua.crypto.security_policies.VerifierAesCbc(key)

Bases: Verifier

signature_size()

verify(data, signature)

class asyncua.crypto.security_policies.VerifierHMac256(key)

Bases: Verifier

signature_size()

verify(data, signature)

class asyncua.crypto.security_policies.VerifierPssSha256(server_cert)

Bases: Verifier

signature_size()

verify(data, signature)

class asyncua.crypto.security_policies.VerifierRsa(server_cert)

Bases: Verifier

signature_size()

verify(data, signature)

class asyncua.crypto.security_policies.VerifierSha256(server_cert)

Bases: Verifier

signature_size()

verify(data, signature)

asyncua.crypto.security_policies.encrypt_asymmetric(pubkey, data, policy_uri)

Encrypt data with pubkey using an asymmetric algorithm. The algorithm is selected by policy_uri. Returns a tuple (encrypted_data, algorithm_uri)

asyncua.crypto.security_policies.require_cryptography(obj)

Raise exception if cryptography module is not available. Call this function in constructors.

asyncua.crypto.uacrypto module

class asyncua.crypto.uacrypto.CertProperties(path_or_content: bytes | pathlib.Path | str, extension: str | None = None, password: str | bytes | NoneType = None)

Bases: object

extension: str | None = None

password: str | bytes | None = None

path_or_content: bytes | Path | str

exception asyncua.crypto.uacrypto.InvalidSignature

Bases: Exception

asyncua.crypto.uacrypto.check_certificate(cert: Certificate, application_uri: str, hostname: str | None = None) → bool

check certificate if it matches the application_uri and log errors.

asyncua.crypto.uacrypto.cipher_aes_cbc(key, init_vec)

asyncua.crypto.uacrypto.cipher_decrypt(cipher, data)

asyncua.crypto.uacrypto.cipher_encrypt(cipher, data)

asyncua.crypto.uacrypto.decrypt_rsa15(private_key, data)

asyncua.crypto.uacrypto.decrypt_rsa_oaep(private_key, data)

asyncua.crypto.uacrypto.decrypt_rsa_oaep_sha256(private_key, data)

asyncua.crypto.uacrypto.der_from_x509(certificate)

asyncua.crypto.uacrypto.encrypt_basic256(public_key, data)

asyncua.crypto.uacrypto.encrypt_rsa15(public_key, data)

asyncua.crypto.uacrypto.encrypt_rsa_oaep(public_key, data)

asyncua.crypto.uacrypto.encrypt_rsa_oaep_sha256(public_key, data)

async asyncua.crypto.uacrypto.get_content(path_or_content: str | bytes | Path) → bytes

asyncua.crypto.uacrypto.hmac_sha1(key, message)

asyncua.crypto.uacrypto.hmac_sha256(key, message)

async asyncua.crypto.uacrypto.load_certificate(path_or_content: bytes | str | Path, extension: str | None = None)

async asyncua.crypto.uacrypto.load_private_key(path_or_content: str | Path | bytes, password: str | bytes | None = None, extension: str | None = None)

asyncua.crypto.uacrypto.p_sha1(secret, seed, sizes=())

Derive one or more keys from secret and seed. (See specs part 6, 6.7.5 and RFC 2246 - TLS v1.0) Lengths of keys will match sizes argument

asyncua.crypto.uacrypto.p_sha256(secret, seed, sizes=())

Derive one or more keys from secret and seed. (See specs part 6, 6.7.5 and RFC 2246 - TLS v1.0) Lengths of keys will match sizes argument

asyncua.crypto.uacrypto.pem_from_key(private_key: RSAPrivateKey) → bytes

dumps a private key in PEM format

Args:

private_key (rsa.RSAPrivateKey): The privatekey to dump

Returns:

bytes: The private as PEM/PKCS8 format

asyncua.crypto.uacrypto.sha1_size()

asyncua.crypto.uacrypto.sha256_size()

asyncua.crypto.uacrypto.sign_pss_sha256(private_key, data)

asyncua.crypto.uacrypto.sign_sha1(private_key, data)

asyncua.crypto.uacrypto.sign_sha256(private_key, data)

asyncua.crypto.uacrypto.verify_pss_sha256(certificate, data, signature)

asyncua.crypto.uacrypto.verify_sha1(certificate, data, signature)

asyncua.crypto.uacrypto.verify_sha256(certificate, data, signature)

asyncua.crypto.uacrypto.x509_from_der(data)

asyncua.crypto.uacrypto.x509_name_to_string(name)

asyncua.crypto.uacrypto.x509_to_string(cert)

Convert x509 certificate to human-readable string