Implement server side password encryption

locka99 · Apr 30, 2019 · 11bb88f · 11bb88f
1 parent 1f71d97
commit 11bb88f
Show file tree

Hide file tree

Showing 12 changed files with 134 additions and 90 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,12 +10,11 @@ Planned future work is listed at the bottom.
 ## 0.7 (in progress)
   - Address space nodes have been made more memory efficient, saving about 3MB of runtime space with
     the standard node set.
+  - Client and server side support for encrypted passwords in user name identity tokens.
   - TODO address space. Add a create on demand callback
   - TODO gen_types.js. Refactor so it could be used to generate code for any model
   - TODO support events 
   - TODO More control over limits on the server - number of subscriptions, monitored items, sessions
-  - Client side UserNameIdentityToken with encrypted password support. Plaintext password is already supported
-  - TODO Server side UserNameIdentityToken with encrypted password support. 
   - TODO X509IdentityToken support 
   - TODO Integration tests are broken and need to be fixed.
   - TODO Multiple chunk support in client and server, sending and receiving

diff --git a/client/src/builder.rs b/client/src/builder.rs
@@ -9,7 +9,7 @@ use crate::{client::*, config::*};
 ///
 /// # Example
 ///
-/// ```rust,no_run
+/// ```no_run
 /// use opcua_client::prelude::*;
 ///
 /// fn main() {

diff --git a/client/src/client.rs b/client/src/client.rs
@@ -91,7 +91,7 @@ impl Client {
     ///
     /// # Example
     ///
-    /// ```rust,no_run
+    /// ```no_run
     /// use opcua_client::prelude::*;
     /// use std::path::PathBuf;
     ///
@@ -331,7 +331,7 @@ impl Client {
     ///
     /// # Example
     ///
-    /// ```rust,no_run
+    /// ```no_run
     /// use opcua_client::prelude::*;
     /// use std::path::PathBuf;
     ///
@@ -472,7 +472,7 @@ impl Client {
     ///
     /// # Example
     ///
-    /// ```rust,no_run
+    /// ```no_run
     /// use opcua_client::prelude::*;
     /// let endpoints = [
     ///     EndpointDescription::from("opc.tcp://foo:123"),

diff --git a/core/src/crypto/user_identity.rs b/core/src/crypto/user_identity.rs
@@ -86,7 +86,7 @@ pub fn make_user_name_identity_token(channel_security_policy: SecurityPolicy, us
 pub fn decrypt_user_identity_token_password(user_identity_token: &UserNameIdentityToken, server_nonce: &[u8], server_key: &PrivateKey) -> Result<String, StatusCode> {
     if user_identity_token.encryption_algorithm.is_empty() {
         // Assumed to be UTF-8 plain text
-        String::from_utf8(user_identity_token.password.as_ref().to_vec()).map_err(|_| StatusCode::BadDecodingError)
+        user_identity_token.plaintext_password()
     } else {
         // Determine the padding from the algorithm.
         let padding = match user_identity_token.encryption_algorithm.as_ref() {

diff --git a/docs/compatibility.md b/docs/compatibility.md
@@ -112,12 +112,9 @@ The following security policies are supported - None, Basic128Rsa15, Basic256, B
 The server and client support the following user identities
 
 1. Anonymous - i.e. no identity
-2. UserName - plaintext password only, i.e. the encryption algorithm field supplied with the identity token must be a 
-   null string.
+2. UserName - encrypted and plaintext. User/pass identities are defined by configuration.
 
-User/pass identities are defined by configuration
-
-X509 and UserName with encrypted passwords are intended for a future release.
+X509 is intended for a future release.
 
 ## Crypto
 

diff --git a/samples/server.conf b/samples/server.conf
@@ -25,6 +25,7 @@ endpoints:
     security_policy: Basic128Rsa15
     security_mode: Sign
     security_level: 2
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user
@@ -33,6 +34,7 @@ endpoints:
     security_policy: Basic128Rsa15
     security_mode: SignAndEncrypt
     security_level: 2
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user
@@ -41,6 +43,7 @@ endpoints:
     security_policy: Basic256
     security_mode: Sign
     security_level: 3
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user
@@ -49,6 +52,7 @@ endpoints:
     security_policy: Basic256
     security_mode: SignAndEncrypt
     security_level: 3
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user
@@ -57,6 +61,7 @@ endpoints:
     security_policy: Basic256Sha256
     security_mode: Sign
     security_level: 4
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user
@@ -65,6 +70,7 @@ endpoints:
     security_policy: Basic256Sha256
     security_mode: SignAndEncrypt
     security_level: 4
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user
@@ -73,12 +79,14 @@ endpoints:
     security_policy: None
     security_mode: None
     security_level: 1
+    password_security_policy: ~
     user_token_ids: []
   none:
     path: /
     security_policy: None
     security_mode: None
     security_level: 1
+    password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
       - sample_user

diff --git a/server/src/config.rs b/server/src/config.rs
@@ -36,7 +36,6 @@ pub struct ServerUserToken {
     pub x509: Option<PathBuf>,
 }
 
-
 impl ServerUserToken {
     pub fn new_user_pass<T>(user: T, pass: T) -> Self where T: Into<String> {
         ServerUserToken {
@@ -80,6 +79,8 @@ pub struct ServerEndpoint {
     pub security_mode: String,
     /// Security level, higher being more secure
     pub security_level: u8,
+    /// Password security policy when a client supplies a user name identity token
+    pub password_security_policy: Option<String>,
     /// User tokens
     pub user_token_ids: BTreeSet<String>,
 }
@@ -92,6 +93,7 @@ impl<'a> From<(&'a str, SecurityPolicy, MessageSecurityMode, &'a [&'a str])> for
             security_policy: v.1.to_string(),
             security_mode: v.2.to_string(),
             security_level: Self::security_level(v.1),
+            password_security_policy: None,
             user_token_ids: v.3.iter().map(|id| id.to_string()).collect(),
         }
     }
@@ -104,6 +106,7 @@ impl ServerEndpoint {
             security_policy: security_policy.to_string(),
             security_mode: security_mode.to_string(),
             security_level: Self::security_level(security_policy),
+            password_security_policy: None,
             user_token_ids: user_token_ids.iter().map(|id| id.clone()).collect(),
         }
     }
@@ -162,6 +165,14 @@ impl ServerEndpoint {
             }
         }
 
+        if let Some(ref password_security_policy) = self.password_security_policy {
+            let password_security_policy = SecurityPolicy::from_str(password_security_policy).unwrap();
+            if password_security_policy == SecurityPolicy::Unknown {
+                error!("Endpoint {} is invalid. Password security policy \"{}\" is invalid. Valid values are None, Basic128Rsa15, Basic256, Basic256Sha256", id, password_security_policy);
+                valid = false;
+            }
+        }
+
         // Validate the security policy and mode
         let security_policy = SecurityPolicy::from_str(&self.security_policy).unwrap();
         let security_mode = MessageSecurityMode::from(self.security_mode.as_ref());
@@ -288,7 +299,6 @@ impl Config for ServerConfig {
     fn product_uri(&self) -> UAString { UAString::from(self.product_uri.as_ref()) }
 }
 
-
 impl Default for ServerConfig {
     fn default() -> Self {
         let pki_dir = PathBuf::from("./pki");

diff --git a/server/src/lib.rs b/server/src/lib.rs
@@ -14,7 +14,7 @@
 //!
 //! This is a minimal server which runs with the default address space on the default port.
 //! 
-//!  ```rust,no_run
+//!  ```no_run
 //!  use opcua_server::prelude::*;
 //! 
 //!  fn main() {

diff --git a/server/src/services/session.rs b/server/src/services/session.rs
@@ -154,15 +154,18 @@ impl SessionService {
             StatusCode::Good
         };
 
-        // Authenticate the user identity token
         if service_result.is_good() {
-            service_result = server_state.authenticate_endpoint(endpoint_url, security_policy, security_mode, &request.user_identity_token);
+            if let Err(err) = server_state.authenticate_endpoint(endpoint_url, security_policy, security_mode, &request.user_identity_token, &session.session_nonce) {
+                service_result = err;
+            }
         }
 
+        // Authenticate the user identity token
         let response = if service_result.is_good() {
             session.activated = true;
             session.session_nonce = server_nonce;
             let diagnostic_infos = None;
+
             ActivateSessionResponse {
                 response_header: ResponseHeader::new_good(&request.request_header),
                 server_nonce: session.session_nonce.clone(),