OPC UA Client java.io.IOException: Duplicate extensions not allowed
August 15, 2017
2:53, EEST
schodo (Member)

I try running the SampleClient Console Application within the SDK Evaluation on Mac/Linux, but I’m getting this confusing error:
java.io.IOException: Duplicate extensions not allowed
I really don’t know how to fix this.

Thank you

August 15, 2017
10:31, EEST
Jouni Aro (Moderator)

Which server are you testing against? Could you provide details of the server certificate, for example by sending a copy of it to uajava-support at prosysopc.com?

Also, it would help to see the stack trace, to figure out where and when this is happening.

Which Java version are you using?

August 15, 2017
12:29, EEST
schodo (Member)

Hi, I’m using the internal OPC UA server of a Siemens S7-1500 PLC unit. I tested it with a sample client in C# and it worked fine.
I use Eclipse and Java 8.
Here is the complete stack trace:

Exception in thread "main" org.opcfoundation.ua.common.RuntimeServiceResultException: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (code=0x80120000, description="2148663296, java.io.IOException: Duplicate extensions not allowed")
    at org.opcfoundation.ua.transport.TransportChannelSettings.getServerCertificate(TransportChannelSettings.java:114)
    at org.opcfoundation.ua.transport.tcp.io.TcpConnection.initialize(TcpConnection.java:376)
    at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(SecureChannelTcp.java:273)
    at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.initialize(SecureChannelTcp.java:246)
    at org.opcfoundation.ua.application.Client.createSecureChannel(Client.java:640)
    at org.opcfoundation.ua.application.Client.createSecureChannel(Client.java:555)
    at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:370)
    at org.opcfoundation.ua.application.Client.createSessionChannel(Client.java:345)
    at org.opcfoundation.ua.examples.SampleClient.main(SampleClient.java:109)
Caused by: org.opcfoundation.ua.common.ServiceResultException: Bad_CertificateInvalid (code=0x80120000, description="2148663296, java.io.IOException: Duplicate extensions not allowed")
    at org.opcfoundation.ua.transport.security.Cert.<init>(Cert.java:143)
    at org.opcfoundation.ua.transport.TransportChannelSettings.getServerCertificate(TransportChannelSettings.java:112)
    ... 8 more
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804)
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:102)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
    at org.opcfoundation.ua.utils.CertificateUtils.decodeX509Certificate(CertificateUtils.java:193)
    at org.opcfoundation.ua.transport.security.Cert.<init>(Cert.java:136)
    ... 9 more
Caused by: java.io.IOException: Duplicate extensions not allowed
    at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:115)
    at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:88)
    at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:78)
    at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:702)
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
    ... 15 more

August 15, 2017
17:13, EEST
Jouni Aro (Moderator)

Do you have Bouncy Castle libraries in your class path?

Which Java 8 version are you using?

August 15, 2017
18:13, EEST
schodo (Member)

I have Java 8 update 141 installed and the project compiler is set to 1.8.
The Bouncy Castle libraries, I think bcprov and bcpkix, are listed as referenced libraries in my project.

August 15, 2017
18:51, EEST
Jouni Aro (Moderator)

This is a possible issue in JDK, which requires that there is only one extension of any type in the certificate. Also, for the same reason, I cannot generate such a certificate with Java to check it out.

And the reason for this limitation is RFC 3280, which specifies the usage of certificates:

https://www.ietf.org/rfc/rfc3280.txt

4.2 Certificate Extensions
…
A certificate MUST NOT include more than
one instance of a particular extension.
…

So, if you could find the certificate of the server from the trust store of the other client applications, please check it out yourself or send that by email, so that we can try to verify the issue. I don’t think that there is any way to overcome this, so you will need to contact the server manufacturer and tell them that they are using invalid certificates.

August 15, 2017
19:16, EEST
schodo (Member)

OK, so this is a server issue? Well, since it’s built into a Siemens PLC, I don’t have any access except turning it on and off.
I have a C# sample application provided by Siemens. Could the certificate you asked about be mentioned in this app?

August 16, 2017
9:38, EEST
Jouni Aro (Moderator)

Yes, this is a very unfortunate interoperability issue. Apparently other development environments enable creation and usage of certificates that are invalid by the specification. And the Java environment seems to be very strict about this.

You should look for the certificate store of the client application, if you can locate the server certificate in there after accepting it. You will need to refer to the documentation of the client to locate it.

September 26, 2018
21:51, EEST
WimVriend (Member)

Hello schodo and Jouni,

Was this issue solved? I have started to try the Prosys SDK for Java too and I run into the same problem. The .NET example distributed by Siemens works fine, but the Sample Client does not.

BTW: is there a way to add attachments or pictures to this forum post?

September 27, 2018
10:16, EEST
Heikki Tahvanainen (Moderator)

Hello,

We have an S7-1500 device for testing and demonstration purposes here at our offices. The above mentioned issue does not happen with our device, which reports
“ProductName=SIMATIC S7-1500 OPC UA, SoftwareVersion=V02.05.00” as its version. I tested this with our Java SDK version 3.1.6.

What Simatic firmware version and Prosys OPC UA Java SDK version are you using currently?

There’s no good way to attach pictures here to the forum. Please send any pictures or other large attachments by email to us at uajava-support at prosysopc.com.

November 24, 2018
20:59, EET
WimVriend (Member)

Hello Heikki,

Sorry my reply is so late: I received an answer from Siemens and decided to wait for TIA Portal V15.1, which was now released.

Last week I installed V15.1, updated the firmware of my S7-1512 and also loaded a new certificate for OPCUA in the PLC. This helped: the I/O-error is gone.
Then, I updated my Java SDK version to 1.8.0.172 (to fix the SSL handshake error) and installed the Siemens root certificate in my VM’s cacerts file. Now I can successfully connect!

Of course, now I run into novice problems. For instance, I have made a subscription to a UDT in an instance DB. I successfully get a notification when I change a bit in the UDT in the PLC, but: how do I get the values of all bits in the UDT? Is there an example of working with Structures and Arrays I can read?

November 26, 2018
10:43, EET
Heikki Tahvanainen (Moderator)

Hi,

Good to know that the certificate issues are fixed now.

I answered your forum post in the other thread so let’s continue the discussion there.
