Add key usage with encryption

[danidopi27]

Hello, I´ve been working these days with a OPCUA prosys server and I wanted to use a key which is encrypted with a password.

In order to be able to do that, I modifed the client.py, creating a new method called set_security_params (very similar to set_security_string) and modifying set_security function, and also I needed to modify uacrypto.py (adding to load_private_key function the password).

I don´t know if it is the best way to do it but it works (at least with the tests I did). So I want to share this changes in order that it could help someone else or to improve this library if these changes are approved for the developers.

The changes are the following:

In client.py (create the new function set_security_params and adding the password as parameter of set_security and use it in pk definition:

    def set_security_params(self, policy, mode, certificate, private_key, key_password = None, server_private_key = None):
        """
        Set SecureConnection mode.
        Policy, Mode, certificate, private_key, key_password ,server_private_key]
        where Policy is Basic128Rsa15, Basic256 or Basic256Sha256,
            Mode is Sign or SignAndEncrypt
            certificate, private_key and server_private_key are
                paths to .pem or .der files
        Call this before connect()
        """
        policy_class = getattr(security_policies, 'SecurityPolicy' + policy)
        mode = getattr(ua.MessageSecurityMode, mode)
        return self.set_security(policy_class, certificate, private_key,
                                 key_password, server_private_key, mode)

    def set_security(self, policy, certificate_path, private_key_path, key_password,
                     server_certificate_path=None,
                     mode=ua.MessageSecurityMode.SignAndEncrypt):
        """
        Set SecureConnection mode.
        Call this before connect()
        """
        if server_certificate_path is None:
            # load certificate from server's list of endpoints
            endpoints = self.connect_and_get_server_endpoints()
            endpoint = Client.find_endpoint(endpoints, mode, policy.URI)
            server_cert = uacrypto.x509_from_der(endpoint.ServerCertificate)
        else:
            server_cert = uacrypto.load_certificate(server_certificate_path)
        cert = uacrypto.load_certificate(certificate_path)
        pk = uacrypto.load_private_key(private_key_path, key_password)
        self.security_policy = policy(server_cert, cert, pk, mode)
        self.uaclient.set_security(self.security_policy)

In uacrypto.py (add to load_private_key function the possibility of having a password for the key):

    def load_private_key(path, key_password):
        _, ext = os.path.splitext(path)
        with open(path, "rb") as f:
  
            if key_password != None:
                key_password = bytearray(key_password,'utf-8')
              
            if ext == ".pem":
                return serialization.load_pem_private_key(f.read(), password=key_password, backend=default_backend())
            else:
                return serialization.load_der_private_key(f.read(), password=key_password, backend=default_backend())

In main.py (how to set the security):
client.set_security_params("Basic256Sha256", "Sign", "certs/Python/pythonCert.der", "certs/Python/pythonKey.pem", "python")

I hope this will help someone that have my initial problems :)

[AndreasHeine]

one question! is it somewhere described in opc ua reference/spec.? so is it a missing feature or just an diy custom solution?
https://reference.opcfoundation.org/v104/
i know only Anonymus auth, Username/Password auth aswell as Certificate auth!

[danidopi27]

I am not sure, I was trying to connect a python client with OPCUA prosys server using certificate, so I needed a cert and a key. To generate these files I used:
openssl.exe req -x509 -days 365 -new -out cert.pem -keyout key.pem -config user-key.conf

And the user-key.conf file was:

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage= serverAuth, clientAuth
nsComment = "Test User Cert"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = URI:urn:opcua:user:test,IP: 127.0.0.1

[ subject ]
countryName = ES
stateOrProvinceName = AS
localityName = Gijon
organizationName = AM
commonName = Python

So, creating the cert and key using this configuration, a key is asked in order to encrypt the key.pem. Then, the header of this .pem file is "-----BEGIN ENCRYPTED PRIVATE KEY-----"

If you use this encrypted key and the cert, with the actual state of the library, you obtain this message: "TypeError: Password was not given but private key is encrypted"

Therefore, this solution I showed before in this post is to resolve this problem and add the possibility to use a encrypted key and its password.

I think it is something that should be implemented because in the function load_private_key from uacrypto.py, in this line:
serialization.load_pem_private_key(f.read(), password=None, backend=default_backend()), there is the possibility of adding a password to the private key, but it is not able for the user to pass to this function this password. So that is why I made the changes that I mention in this post.

I don´t know if I answered your question with this. If you want me to explain more, I will try to answer again without any problem :)

[AndreasHeine]

that stuff already works ^^

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage= serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificat"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = URI:urn:opcua:python:server,IP: 127.0.0.1

[ subject ]
countryName = DE
stateOrProvinceName = HE
localityName = HE
organizationName = AndreasHeine
commonName = PythonOpcUaServer

openssl genrsa -out key.pem 2048
openssl req -x509 -days 365 -new -out certificate.pem -key key.pem -config ssl.conf

Sources:
https://github.com/FreeOpcUa/python-opcua/blob/master/examples/generate_certificate.sh
https://github.com/FreeOpcUa/python-opcua/blob/master/examples/client-with-encryption.py
https://github.com/AndreasHeine/SecurePythonOpcUaServer
https://github.com/AndreasHeine/SecurePythonOpcUaClient/tree/master/x509v3

[AndreasHeine]

most important stuff is that the URI and IP matches the cert and then it needs to be trusted by Prosys Server

[danidopi27]

But with this way of create a key, the header of it is: -----BEGIN RSA PRIVATE KEY-----
I am talking when you generate a key with password, so the header will be: -----BEGIN ENCRYPTED PRIVATE KEY-----

With the first type of key there is no problem with the library neather with prosys server, the problem starts when you use and encrypted key. Even if there are correctly configurated in prosys, the python script crashes with error: TypeError: Password was not given but private key is encrypted if you don´t pass in some how the password of the key.

Maybe I am not explaining myself right, because I am not an expert of this topic, but I think that we are not talking exactly of the same, and I am not sure how to explain it better 😅

[AndreasHeine]

let me validate your changes tomorow if i am in the office. let me test it against some devices