Python opc-ua communication using self signed certificate and basic128rsa15 encryption

I want to communicate with an OPC UA server that uses Basic128Rsa15 encryption via the python opcua library.

client.set_security_string("Basic128Rsa15,"
                               "SignAndEncrypt,"
                               "cert.pem,"
                               "key.pem")

I did the same communication with a Prosys server using Basic256Sha256 encryption and everything worked fine. With Basic128Rsa15 (using KEPServer) I get the following error:

In [19]: runfile('opcuaclient.py', wdir='/home/di29394/fue4bfi/python/fuere4bfi')
DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:An error occurred verifying security.)
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:An error occurred verifying security.)
Protocol Error
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 101, in _run
    self._receive()
  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 121, in _receive
    self._call_callback(0, ua.UaStatusCodeError(msg.Error.value))
  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 131, in _call_callback
    .format(request_id, self._callbackmap.keys())
opcua.ua.uaerrors._base.UaError: No future object found for request: 0, callbacks in list are 
Traceback (most recent call last):

  File "<ipython-input-18-4187edd51b2b>", line 1, in <module>
    runfile('opcuaclient.py', wdir='/home/opcuauser')

  File "/usr/lib/python3/dist-packages/spyder/utils/site/sitecustomize.py", line 705, in runfile
    execfile(filename, namespace)

  File "/usr/lib/python3/dist-packages/spyder/utils/site/sitecustomize.py", line 102, in execfile
    exec(compile(f.read(), filename, 'exec'), namespace)

  File "opcuaclient.py", line 57, in <module>
    connected = client.connect()

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/client.py", line 259, in connect
    self.open_secure_channel()

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/client.py", line 309, in open_secure_channel
    result = self.uaclient.open_secure_channel(params)

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 265, in open_secure_channel
    return self._uasocket.open_secure_channel(params)

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 199, in open_secure_channel
    response = struct_from_binary(ua.OpenSecureChannelResponse, future.result(self.timeout))

  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 430, in result
    raise CancelledError()

CancelledError

The certificate was self-signed using the cryptography library (snippet):

from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
# Inputs not shown in the question; assumed values so the snippet runs on its own.
key = rsa.generate_private_key(65537, 2048, default_backend())
name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, u"opcuaclient")])
now = datetime.utcnow()
basic_constraints = x509.BasicConstraints(ca=False, path_length=None)
san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(u"urn:example:opcuaclient")])
cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(1000)
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=10*365))  # possibly make this dynamic too
        .add_extension(basic_constraints, False)
        .add_extension(san, False)
        .sign(key, hashes.SHA256(), default_backend())
)

Do I have to change the certificate generation for Basic128Rsa15, or is there some other error?

Thanks in advance.

The error message is actually quite clear!

DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!

Basic128Rsa15 is no longer considered secure by the OPC Foundation, and it is recommended to deprecate it.

Source: http://opcfoundation-onlineapplications.org/ProfileReporting/index.htm?ModifyProfile.aspx?ProfileID=a84d5b70-47b2-45ca-a0cc-e98fe8528f3d

It may still be possible to use it with KEPServerEx, but I would not recommend using it for anything other than testing.

Note: Basic256 is also considered obsolete by the OPC Foundation, so the recommended minimum OPC UA security policy is Basic256Sha256.

Some OPC UA clients and servers already support the newer and more secure security policies:

  • Aes128Sha256RsaOaep
  • Aes256Sha256RsaPss

It seemed like Basic128Rsa15 was simply not usable. But apparently that was not the problem. The problem was that I had connected to the KEPServer at least twice with different certificates but the same valid URI. The server had a problem with this and therefore rejected all incoming connections (the error message did not seem very helpful). After deleting all the requests on the server and reconnecting, everything worked (even with Basic128Rsa15).
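Since the self-answer above traces the rejection to several different certificates presented under one application URI, here is an added example (not code from the question or any answer) that builds an OPC UA client certificate whose SAN carries the application URI, checks that a certificate actually contains the URI the client will announce, and computes the SHA-1 thumbprint by which the server lists trusted and rejected certificates. The application URI, host name and common name are constructed values; the only assumption is that the client is configured with the same application URI that appears in the SAN.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

APP_URI = u"urn:example:opcuaclient"  # constructed; must equal the client's application URI

def make_client_cert(app_uri, host, key, days=365):
    """Self-signed OPC UA client certificate whose SAN carries the application URI."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"opcuaclient")])
    now = datetime.utcnow()
    # Key usages an OPC UA application instance certificate needs for Sign/Encrypt.
    usage = x509.KeyUsage(digital_signature=True, content_commitment=True,
                          key_encipherment=True, data_encipherment=True, key_agreement=False,
                          key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)
    san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(app_uri), x509.DNSName(host)])
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(san, critical=False)
        .add_extension(usage, critical=True)
        .sign(key, hashes.SHA256(), default_backend())
    )

def new_key():
    return rsa.generate_private_key(65537, 2048, default_backend())

def san_uris(cert):
    """URIs listed in the certificate's SubjectAlternativeName."""
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.UniformResourceIdentifier)

def thumbprint(cert):
    """SHA-1 thumbprint, the identifier servers show in their trusted/rejected lists."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()

def check_cert_for_uri(cert, app_uri):
    """Problems a server is likely to reject the certificate for."""
    problems = []
    if app_uri not in san_uris(cert):
        problems.append("application URI %s not in SAN" % app_uri)
    if cert.not_valid_after < datetime.utcnow():
        problems.append("certificate expired")
    return problems
```

Two certificates generated for the same application URI have different thumbprints, which is exactly what the server sees when a regenerated certificate is presented under an already-known URI; comparing the thumbprint against the server's trusted list tells you which copy it still holds.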

I usually use

client.set_security_string("Basic256Sha256,SignAndEncrypt,xxxxx.der,xxxxx.pem")

Please try this.