Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Asymmmetric Signature Verification fails
February 23, 2012
9:56, EET
Avatar
poubelle2012
Member
Members
Forum Posts: 3
Member Since:
February 23, 2012
sp_UserOfflineSmall Offline

I am evaluating your Prosys-OPC-UA-Java-SDK-Client-Server-Evaluation-1.3.0-3321 archive.
I tried to open a secure session from a simple OPC client to your java OPC UA server like this:

client part:
I generated a certificate and keys like this:
* Generate private key:
———-
> openssl genrsa -des3 -out privkey.pem 2048

* Generate self-signed PEM encoded certificate:
———-
> openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

* Convert private key to PKCS#12 format:
———-
> openssl pkcs12 -export -in cacert.pem -inkey privkey.pem -out privkey.pfx

And here after the java OPC UA client part:

        Cert myClientCertificate = Cert.load(Test01.class.getResource("cacert.pem"));
        PrivKey myClientPrivateKey = PrivKey.loadFromKeyStore(Test01.class.getResource("privkey.pfx"), "xxx");
        KeyPair myClientApplicationInstanceCertificate = new KeyPair(myClientCertificate, myClientPrivateKey);
        Client myClient = new Client(myClientApplicationInstanceCertificate);

        EndpointDescription[] endpoints = myClient.discoverEndpoints("opc.tcp://remote_address_to_server_side:52520/OPCUA/SampleConsoleServer");
        endpoints = EndpointUtil.selectByProtocol(endpoints, "opc.tcp");
        endpoints = EndpointUtil.selectByMessageSecurityMode(endpoints, MessageSecurityMode.SignAndEncrypt);
        endpoints = EndpointUtil.selectBySecurityPolicy(endpoints, SecurityPolicy.BASIC128RSA15);
        endpoints = EndpointUtil.sortBySecurityLevel(endpoints);
        EndpointDescription endpoint = endpoints[endpoints.length - 1];
        SessionChannel mySession = myClient.createSessionChannel(endpoint);
        mySession.activate();

Like this, I cannot connect. I get a “Asymmmetric Signature Verification fails” from server side without more explanations (even in DEBUG log level).

I can add that client runs under GNU/Linux Ubuntu 11.04 platform and the server runs under VVindows XP SP3 platform.

Would you be able to help me?

February 23, 2012
10:04, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1019
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

poubelle2012 said

I am evaluating your Prosys-OPC-UA-Java-SDK-Client-Server-Evaluation-1.3.0-3321 archive.
I tried to open a secure session from a simple OPC client to your java OPC UA server like this:

client part:
I generated a certificate and keys like this:
* Generate private key:
———-
> openssl genrsa -des3 -out privkey.pem 2048

The stack does not currently work with other than 1024 bit private keys.

Also, the OPCUA certificates require some additional fields, so you should use the methods of ApplicationIdentity to create a valid certificate for your Java application.

February 23, 2012
10:49, EET
Avatar
poubelle2012
Member
Members
Forum Posts: 3
Member Since:
February 23, 2012
sp_UserOfflineSmall Offline

I thank you for your very fast reply.
I have just tried to use your com.prosysopc.uaApplicationIdentity class in your com.prosysopc.ua.samples.SampleConsoleClient class
It genarates two files:
the PEM encoded private key in pem format: SampleConsoleClient.pem
the DER encoded certificate: SampleConsoleClient.der
Then, to use it, I convert these files like this:
* DER certificate to PEM certificate
> openssl x509 -in SampleConsoleClient.der -inform DER -out SampleConsoleClient.cert.pem -outform PEM
* PEM certificate + PEM private key to PKCS#12 PRIVKEY format:
> openssl pkcs12 -export -inkey SampleConsoleClient.pem -in SampleConsoleClient.cert.pem -out SampleConsoleClient.pfx

Then, my java code become:

        Cert myClientCertificate = Cert.load(Test01.class.getResource("SampleConsoleClient.cert.pem"));
        PrivKey myClientPrivateKey = PrivKey.loadFromKeyStore(Test01.class.getResource("SampleConsoleClient.pfx"), "opcua");
        KeyPair myClientApplicationInstanceCertificate = new KeyPair(myClientCertificate, myClientPrivateKey);
        Client myClient = new Client(myClientApplicationInstanceCertificate);

        EndpointDescription[] endpoints = myClient.discoverEndpoints("opc.tcp://remote_address_to_server_side:52520/OPCUA/SampleConsoleServer");
        endpoints = EndpointUtil.selectByProtocol(endpoints, "opc.tcp");
        endpoints = EndpointUtil.selectByMessageSecurityMode(endpoints, MessageSecurityMode.SignAndEncrypt);
        endpoints = EndpointUtil.selectBySecurityPolicy(endpoints, SecurityPolicy.BASIC128RSA15);
        endpoints = EndpointUtil.sortBySecurityLevel(endpoints);
        EndpointDescription endpoint = endpoints[endpoints.length - 1];
        SessionChannel mySession = myClient.createSessionChannel(endpoint); // line 113
        mySession.activate();
        // etc...

I get the following message in client side:

2857 INFO  [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - /131.1.30.58:52520 Connecting
3033 INFO  [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - /131.1.30.58:52520 Connected
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - tokenLifetime: 3600000
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - 0 Sending Request (rid=1)OpenSecureChannelRequest
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - token=null
3033 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - SecureChannelId=0 SequenceNumber=1, RequestId=1
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner     - Asym ecryption: Total decrypted bytes: 128
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner     - Asym encryption: Offsets: 117 outputOffset: 1030 and index : 902
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner     - Asym ecryption: Total decrypted bytes: 128
3123 DEBUG [main] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmEncryptSigner     - Asym encryption: Offsets: 234 outputOffset: 1158 and index : 1019
3198 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmDecryptVerifier     - SecurityPolicy in use: http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
3198 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmDecryptVerifier     - SecurityMode in use: SignAndEncrypt
3205 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.impl.ChunkAsymmDecryptVerifier     - Asym Signature Verify : OK
3222 DEBUG [TcpConnection/Read] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - new token=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3222 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - 9 Secure channel opened, SecureChannelId=9, TokenId=1
3222 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - RevisedLifetime: 3600000
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - serviceRequest: requests.size=1
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - 9 Sending Request (rid=2)CreateSessionRequest
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - pruneInvalidTokens: tokens(1)=[SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)]
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - tokens=[SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)]
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - getSecurityTokenToUse#1=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - getSecurityTokenToUse#2=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3224 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.TcpConnection     - token=SecurityToken(Id=1, secureChannelId=9, creationTime=Feb 23, 2012 11:36:00 AM, lifetime=3600000)
3232 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - Message sent, requestId=2, secureChannelId=9
3319 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - Response: CreateSessionResponse
3320 DEBUG [main] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - BAD response: Bad_CertificateUntrusted (0x801A0000) "The Certificate is not trusted."
Exception in thread "main" 3320 INFO  [Blocking-Work-Executor-1] org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp     - 9 Closed
ServiceFault: Bad_CertificateUntrusted (0x801A0000) "The Certificate is not trusted."
Diagnostic Info: 
	at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(SecureChannelTcp.java:371)
	at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(SecureChannelTcp.java:311)
	at org.opcfoundation.ua.application.Client.createSession(Client.java:162)
	at org.opcfoundation.ua.application.Client.createSession(Client.java:105)
	at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:275)
	at myopcuatest.Test01.main(Test01.java:113)

line 113 of Test01.main is the following one:

        SessionChannel mySession = myClient.createSessionChannel(endpoint);
February 23, 2012
11:29, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1019
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

poubelle2012 said

Yes, this is expected: you must accept the certificate in the server. In the Java SDK SampleConsoleServer, you do this by moving the certificate from the PKI/CA/rejected folder to PKI/CA/certs.

You can use the certificate in DER format as well for Cert.load().

February 23, 2012
13:47, EET
Avatar
poubelle2012
Member
Members
Forum Posts: 3
Member Since:
February 23, 2012
sp_UserOfflineSmall Offline

Jouni Aro said

poubelle2012 said

Yes, this is expected: you must accept the certificate in the server. In the Java SDK SampleConsoleServer, you do this by moving the certificate from the PKI/CA/rejected folder to PKI/CA/certs.

You can use the certificate in DER format as well for Cert.load().

Ok, it works well now!
It’s very kind of you to give as much attention to my questions. It has really helped me.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
16 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 86

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 732

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1508

Posts: 6396

Newest Members:

elainesever, powhephenry, mamiecaldwell5, Lamasom, scsneed, berrybulcock, icerdraizomma, athenasummy5, vtaletbhcx, HaroldaDob

Moderators: Jouni Aro: 1019, Pyry: 1, Petri: 0, Bjarne Boström: 1016, Jimmy Ni: 26, Matti Siponen: 340, Lusetti: 0

Administrators: admin: 1