Struct opcua_client::prelude::SecureChannel

pub struct SecureChannel { /* private fields */ }

Holds all of the security information related to this session

Implementations

impl SecureChannel

pub fn new(
    certificate_store: Arc<RwLock<CertificateStore>>,
    role: Role,
    decoding_options: DecodingOptions
) -> SecureChannel

pub fn is_client_role(&self) -> bool

pub fn set_cert(&mut self, cert: Option<X509>)

pub fn cert(&self) -> Option<X509>

pub fn set_remote_cert(&mut self, remote_cert: Option<X509>)

pub fn remote_cert(&self) -> Option<X509>

pub fn set_private_key(&mut self, private_key: Option<PKey<Private>>)

pub fn security_mode(&self) -> MessageSecurityMode

pub fn set_security_mode(&mut self, security_mode: MessageSecurityMode)

pub fn security_policy(&self) -> SecurityPolicy

pub fn set_security_policy(&mut self, security_policy: SecurityPolicy)

pub fn clear_security_token(&mut self)

pub fn set_security_token(&mut self, channel_token: ChannelSecurityToken)

pub fn set_secure_channel_id(&mut self, secure_channel_id: u32)

pub fn secure_channel_id(&self) -> u32

pub fn token_created_at(&self) -> DateTime

pub fn token_lifetime(&self) -> u32

pub fn set_token_id(&mut self, token_id: u32)

pub fn token_id(&self) -> u32

pub fn set_client_offset(&mut self, client_offset: Duration)

pub fn set_decoding_options(&mut self, decoding_options: DecodingOptions)

pub fn decoding_options(&self) -> DecodingOptions

pub fn should_renew_security_token(&self) -> bool

Test if the secure channel token needs to be renewed. The algorithm determines it needs to be renewed if the issue period has elapsed by 75% or more.

pub fn make_security_header(
    &self,
    message_type: MessageChunkType
) -> SecurityHeader

Makes a security header according to the type of message being sent, symmetric or asymmetric

pub fn create_random_nonce(&mut self)

Creates a nonce for the connection. The nonce should be the same size as the symmetric key

pub fn set_remote_cert_from_byte_string(
    &mut self,
    remote_cert: &ByteString
) -> Result<(), StatusCode>

Sets the remote certificate

pub fn remote_cert_as_byte_string(&self) -> ByteString

Obtains the remote certificate as a byte string

pub fn set_remote_nonce_from_byte_string(
    &mut self,
    remote_nonce: &ByteString
) -> Result<(), StatusCode>

Set their nonce which should be the same as the symmetric key

pub fn derive_keys(&mut self)

Part 6 6.7.5 Deriving keys Once the SecureChannel is established the Messages are signed and encrypted with keys derived from the Nonces exchanged in the OpenSecureChannel call. These keys are derived by passing the Nonces to a pseudo-random function which produces a sequence of bytes from a set of inputs. A pseudo-random function is represented by the following function declaration:

Byte[] PRF( Byte[] secret,  Byte[] seed,  Int32 length,  Int32 offset)

Where length is the number of bytes to return and offset is a number of bytes from the beginning of the sequence.

The lengths of the keys that need to be generated depend on the SecurityPolicy used for the channel. The following information is specified by the SecurityPolicy:

a) SigningKeyLength (from the DerivedSignatureKeyLength); b) EncryptingKeyLength (implied by the SymmetricEncryptionAlgorithm); c) EncryptingBlockSize (implied by the SymmetricEncryptionAlgorithm).

The parameters passed to the pseudo random function are specified in Table 33.

Table 33 – Cryptography key generation parameters

Key | Secret | Seed | Length | Offset ClientSigningKey | ServerNonce | ClientNonce | SigningKeyLength | 0 ClientEncryptingKey | ServerNonce | ClientNonce | EncryptingKeyLength | SigningKeyLength ClientInitializationVector | ServerNonce | ClientNonce | EncryptingBlockSize | SigningKeyLength + EncryptingKeyLength ServerSigningKey | ClientNonce | ServerNonce | SigningKeyLength | 0 ServerEncryptingKey | ClientNonce | ServerNonce | EncryptingKeyLength | SigningKeyLength ServerInitializationVector | ClientNonce | ServerNonce | EncryptingBlockSize | SigningKeyLength + EncryptingKeyLength

The Client keys are used to secure Messages sent by the Client. The Server keys are used to secure Messages sent by the Server.

pub fn token_has_expired(&self) -> bool

Test if the token has expired yet

pub fn signature_size(&self, security_header: &SecurityHeader) -> usize

Calculates the signature size for a message depending on the supplied security header

pub fn padding_size(
    &self,
    security_header: &SecurityHeader,
    body_size: usize,
    signature_size: usize
) -> (usize, usize)

Calculate the padding size

Padding adds bytes to the body to make it a multiple of the block size so it can be encrypted.

pub fn update_message_size_and_truncate(
    data: Vec<u8, Global>,
    message_size: usize,
    decoding_options: &DecodingOptions
) -> Result<Vec<u8, Global>, StatusCode>

pub fn apply_security(
    &self,
    message_chunk: &MessageChunk,
    dst: &mut [u8]
) -> Result<usize, StatusCode>

Applies security to a message chunk and yields a encrypted/signed block to be streamed

pub fn verify_and_remove_security(
    &mut self,
    src: &[u8]
) -> Result<MessageChunk, StatusCode>

Decrypts and verifies the body data if the mode / policy requires it

pub fn verify_and_remove_security_forensic(
    &mut self,
    src: &[u8],
    their_key: Option<PKey<Private>>
) -> Result<MessageChunk, StatusCode>

Decrypts and verifies the body data if the mode / policy requires it

Note, that normally we do not have “their” key but for testing purposes and forensics, we might have the key

pub fn local_nonce(&self) -> &[u8]

pub fn set_local_nonce(&mut self, local_nonce: &[u8])

pub fn local_nonce_as_byte_string(&self) -> ByteString

pub fn set_remote_nonce(&mut self, remote_nonce: &[u8])

pub fn remote_nonce(&self) -> &[u8]

pub fn remote_nonce_as_byte_string(&self) -> ByteString

pub fn symmetric_sign_and_encrypt(
    &self,
    src: &[u8],
    signed_range: Range<usize>,
    encrypted_range: Range<usize>,
    dst: &mut [u8]
) -> Result<usize, StatusCode>

Encode data using security. Destination buffer is expected to be same size as src and expected to have space for for a signature if a signature is to be appended

Signing is done first and then encryption

S - Message Header S - Security Header S - Sequence Header - E S - Body - E S - Padding - E Signature - E

pub fn symmetric_decrypt_and_verify(
    &self,
    src: &[u8],
    signed_range: Range<usize>,
    encrypted_range: Range<usize>,
    dst: &mut [u8]
) -> Result<usize, StatusCode>

Decrypts and verifies data.

Returns the size of the decrypted data

S - Message Header S - Security Header S - Sequence Header - E S - Body - E S - Padding - E Signature - E

Trait Implementations

impl Debug for SecureChannel

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl From<(SecurityPolicy, MessageSecurityMode)> for SecureChannel

fn from(v: (SecurityPolicy, MessageSecurityMode)) -> SecureChannel

Converts to this type from the input type.