Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Problems using application certificate with key size 2047 ?
June 6, 2019
15:51, EEST
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

Hi,

I’ve some problems connecting to the Prosys OpcUa Simulation Server using an application certificate. The strange thing about the problem is, that with one certificate it works, whereas with another one it does not work. Both certificates are mainly the same. The only difference I can see is the key size where the working one has 2048 and the none working one has a key size 2047.

The environment:

Prosys OPC UA Simulation Server v2.3.2-146 (also tried it with the latest version v3.2.0-214)
Prosys OPC UA Client Java SDK 4.0.2

Certificate-A
Name: Common Name
Filename: C:\Users\myUser\.prosys\SimulationServer\PKI\CA\certs\25C7AD28F2C7430DA6BBAF0F08325C05540356BD.der
Key Size: 2047
Signature algorithm SHA256withRSA

Certificate-B
Name: Common Name
Filename: C:\Users\myUser\.prosys\SimulationServer\PKI\CA\certs\ECE06AFF50205F9F46B8617703EFD5495E302E1D.der
Key Size: 2048
Signature algorithm SHA256withRSA

In the UA Simulation Server, I created a user ‘test’ with password ‘test’.
After a first attempt to connect (using Certificate-A or Certificate-B), the Certificates are registered in the ‘Certificates’-Tab and I set them from Rejected to Trusted.

When using the Certificate-B (the one with Key Size 2048) everthing works fine:

2019-06-06 14:17:15.324 DEBUG [main ] CryptoUtil:74 – CryptoUtil init
2019-06-06 14:17:15.326 DEBUG [main ] CryptoUtil:76 – CryptoUtil init: random=java.security.SecureRandom@c6f5b
2019-06-06 14:17:15.327 DEBUG [main ] CryptoUtil:520 – Providers=[SUN version 1.8, SunRsaSign version 1.8, SunEC version 1.8, SunJSSE version 1.8, SunJCE version 1.8, SunJGSS version 1.8, SunSASL version 1.8, XMLDSig version 1.8, SunPCSC version 1.8, SunMSCAPI version 1.8]
2019-06-06 14:17:24.840 DEBUG [main ] OpcUaService:516 – ApplicationCertificate content: [
[
Version: V3
Subject: EMAILADDRESS=mail@ncopcua.de, CN=Common Name, OU=Unit Name, O=Organization Name, L=DE, ST=DE, C=DE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
….

2019-06-06 14:17:26.370 DEBUG [main ] UaClient:982 – discoverEndpoints: connectUri=opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer protocols=[opc.tcp]
2019-06-06 14:17:26.383 DEBUG [main ] SecureChannelTcp:590 – initialize: url=opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer
2019-06-06 14:17:26.630 INFO [main ] TcpConnection:967 – /127.0.0.1:53530 Connecting
2019-06-06 14:17:26.632 DEBUG [main ] TcpConnection:998 – /127.0.0.1:53530 Socket connected
2019-06-06 14:17:26.641 INFO [main ] TcpConnection:1230 – Connected (non-reverse), handshake completed, local=/127.0.0.1:64231, remote=/127.0.0.1:53530
2019-06-06 14:17:26.645 DEBUG [main ] ChunkAsymmEncryptSigner:86 – SecurityMode in asymm enc: 3
2019-06-06 14:17:26.757 DEBUG [main ] ChunkAsymmEncryptSigner:2147 – rsa_Encrypt: policy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
2019-06-06 14:17:26.758 DEBUG [main ] ChunkAsymmEncryptSigner:2156 – encrypt: inputBlockSize=214
2019-06-06 14:17:26.765 DEBUG [main ] BcCryptoProvider:188 – Encrypt: inputBlockSize=214, outputBlockSize=256, dataToEncrypt.length=428
2019-06-06 14:17:27.017 DEBUG [TcpConnection/Read ] ChunkAsymmDecryptVerifier:110 – SecurityPolicy in use: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
2019-06-06 14:17:27.018 DEBUG [TcpConnection/Read ] ChunkAsymmDecryptVerifier:111 – SecurityMode in use: SignAndEncrypt
2019-06-06 14:17:27.019 DEBUG [TcpConnection/Read ] BcCryptoProvider:124 – Decrypt: inputBlockSize=256, outputBlockSize=214, dataToDecrypt.length=512
2019-06-06 14:17:27.128 DEBUG [TcpConnection/Read ] ChunkAsymmDecryptVerifier:153 – signatureAlgorithm=Algorithm URI=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 StandardName=SHA256withRSA Transformation=SHA256withRSA
2019-06-06 14:17:27.129 DEBUG [TcpConnection/Read ] ChunkAsymmDecryptVerifier:159 – signatureSize=256
2019-06-06 14:17:27.129 DEBUG [TcpConnection/Read ] ChunkAsymmDecryptVerifier:1257 – verify: policy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
2019-06-06 14:17:27.134 DEBUG [TcpConnection/Read ] ChunkAsymmDecryptVerifier:201 – paddingEnd=1285 paddingSize=76
2019-06-06 14:17:27.320 DEBUG [TcpConnection/Read ] TcpConnection:458 – new token=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.320 DEBUG [main ] SecureChannelTcp:1108 – 6 Secure channel opened, SecureChannelId=6, TokenId=1
2019-06-06 14:17:27.320 DEBUG [main ] SecureChannelTcp:1135 – RevisedLifetime: 3600000
2019-06-06 14:17:27.321 DEBUG [main ] UaClient:5122 – createSessionChannel
2019-06-06 14:17:27.323 DEBUG [main ] CryptoUtil:159 – createNonce: bytes=32
2019-06-06 14:17:27.324 DEBUG [main ] SecureChannelTcp:833 – serviceRequest: requests.size=1
2019-06-06 14:17:27.324 DEBUG [main ] TcpConnection:1326 – sendRequest: socket=Socket[addr=/127.0.0.1,port=53530,localport=64231]
2019-06-06 14:17:27.324 DEBUG [main ] TcpConnection:1331 – sendRequest: 6 Sending Request rid:2
2019-06-06 14:17:27.325 DEBUG [main ] TcpConnection:3616 – pruneInvalidTokens: tokens(1)=[SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)]
2019-06-06 14:17:27.325 DEBUG [main ] TcpConnection:3586 – tokens=[SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)]
2019-06-06 14:17:27.326 DEBUG [main ] TcpConnection:3593 – getSecurityTokenToUse=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.326 DEBUG [main ] TcpConnection:1346 – sendRequest: token=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.327 DEBUG [main ] TcpConnection:1350 – sendRequest: keySize=32
2019-06-06 14:17:27.341 DEBUG [main ] SecureChannelTcp:840 – serviceRequest: Message sent, requestId=2 secureChannelId=6
2019-06-06 14:17:27.617 DEBUG [TcpConnection/Read ] TcpConnection:359 – tokens(1)=[SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)]
2019-06-06 14:17:27.618 DEBUG [TcpConnection/Read ] TcpConnection:365 – token=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.618 DEBUG [TcpConnection/Read ] ChunkSymmDecryptVerifier:1160 – decrypt: dataToDecrypt.length=4128 inputOffset=0 inputLength=4128 output.length=4144 outputOffset=16
2019-06-06 14:17:27.630 DEBUG [TcpConnection/Read ] TcpConnection:359 – tokens(1)=[SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)]
2019-06-06 14:17:27.630 DEBUG [TcpConnection/Read ] TcpConnection:365 – token=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.630 DEBUG [TcpConnection/Read ] ChunkSymmDecryptVerifier:1160 – decrypt: dataToDecrypt.length=4128 inputOffset=0 inputLength=4128 output.length=4144 outputOffset=16
2019-06-06 14:17:27.633 DEBUG [TcpConnection/Read ] TcpConnection:359 – tokens(1)=[SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)]
2019-06-06 14:17:27.633 DEBUG [TcpConnection/Read ] TcpConnection:365 – token=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.633 DEBUG [TcpConnection/Read ] ChunkSymmDecryptVerifier:1160 – decrypt: dataToDecrypt.length=4128 inputOffset=0 inputLength=4128 output.length=4144 outputOffset=16
2019-06-06 14:17:27.634 DEBUG [TcpConnection/Read ] TcpConnection:359 – tokens(1)=[SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)]
2019-06-06 14:17:27.635 DEBUG [TcpConnection/Read ] TcpConnection:365 – token=SecurityToken(Id=1, secureChannelId=6, creationTime=06.06.2019 14:17:27, lifetime=3600000)
2019-06-06 14:17:27.635 DEBUG [TcpConnection/Read ] ChunkSymmDecryptVerifier:1160 – decrypt: dataToDecrypt.length=4128 inputOffset=0 inputLength=4128 output.length=4144 outputOffset=16
2019-06-06 14:17:27.641 DEBUG [main ] SecureChannelTcp:874 – Response: CreateSessionResponse
2019-06-06 14:17:27.642 DEBUG [main ] Client:587 – MessageSecurityMode: SignAndEncrypt
2019-06-06 14:17:27.643 DEBUG [main ] Client:596 – Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2019-06-06 14:17:27.653 DEBUG [main ] UaClient:5139 – createSessionChannel: session.getEndpoint().getServerCertificate()=[1013] 0x308203f1308202d9a0030201020206016b270f2cb6300d06092a864886f70d01010b050030543119301706035504030c1053696d756c6174696f6e53657276657231133011060355040a0c0a50726f737973204f504331223020060a0992268993f22c64011916126267682d666d61696572322e7a6e742e6465301e170d3139303630353038353335345a170d3239303630323039353335345a30543119301706035504030c1053696d756c6174696f6e53657276657231133011060355040a0c0a50726f737973204f504331223020060a0992268993f22c64011916126267682d666d61696572322e7a6e742e646530820122300d06092a864886f70d01010105000382010f003082010a02820101008b2a02192e07eb480ca9f054794be234b729cee32c326f667623906f271ef5d7cc7f028cb443caeffe458206fa46dddd3ca89c902faf22477d1d95295f5c133c240af11acedd7cc900fd6b74a6a08a81c9d461f25e3ef819a9039d16823bf47cc3cd1320261afe6c2b7008929414793d7f7f8715b71692f1a63b487e8cb79aa474ab2b56304f625ecc76f2a17d1ee533d241c2c018450b50fc7bd1f4a0aa9a683099aa5c41e08e4d378fda99dc50edf1de3de9bfb0034aedaeb284abe5193c6a9ca0a790d1c18771a588ae9d93776a8730199971699a4793041aa76cdb073c02c1e01ee031965802d63b68e0dee86a9b035300b9a20a676ce7278681a6f5faad0203010001a381c83081c5301f0603551d23041830168014578bfe2bf57fa7b3f56d6a87beae69f02495429b301d0603551d0e04160414578bfe2bf57fa7b3f56d6a87beae69f02495429b30090603551d1304023000300b0603551d0f0404030202f4301d0603551d250416301406082b0601050507030106082b06010505070302304c0603551d1104453043862d75726e3a6267682d666d61696572322e7a6e742e64653a4f504355413a53696d756c6174696f6e53657276657282126267682d666d61696572322e7a6e742e6465300d06092a864886f70d01010b0500038201010015b085d12e7ba42af6e8e65f71102997c41674b3eea14487f84c9c231d2d0f59f53f2c86861b7bae3f7083a6ec71da56141f7279d2808248a0ca687a8ec73d058322ab75746153c910b10028c9731c6be746d299c4bb6849a96abec46fd238db6a532e7a5a9ec9788332a90352e89c02d3f313c5cddf5d4c5bb4de4ab4b3cac074daf85ef0f24261bac26e2a14003c2967dc3692ab4c122d1f9b0ea7e43d9d5989df6afb7270e65874e90499ad462a33d3a8abc1d0b673075b8e8320d11c541ea66d03c14e5fa230178b67288ca446b313d11628d62fbae11f6e25df9e25dc442f146c5f1785ae6d1915835a4c60513f35d2e88446f8bc3e769a566e9c3f9401
2019-06-06 14:17:27.655 DEBUG [main ] UaClient:4903 – activateSessionChannel: endpoint=opc.tcp://myHost:53530/OPCUA/SimulationServer
2019-06-06 14:17:27.657 DEBUG [main ] EndpointUtil:205 – createUserNameIdentityToken: algorithm=Algorithm URI=http://www.w3.org/2001/04/xmlenc#rsa-1_5 StandardName=RSA Transformation=RSA/NONE/PKCS1Padding
2019-06-06 14:17:27.659 DEBUG [main ] BcCryptoProvider:188 – Encrypt: inputBlockSize=245, outputBlockSize=256, dataToEncrypt.length=40
2019-06-06 14:17:27.662 DEBUG [main ] UaClient:4941 – UserToken encryption algorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5

When using the Certificate-A (the one with Key Size 2047) the connection fails:

2019-06-06 14:18:51.429 DEBUG [main ] OpcUaService:516 – ApplicationCertificate content: [
[
Version: V3
Subject: EMAILADDRESS=app@ncopcua.de, CN=Common Name, OU=Unit Name, O=Organization Name, L=DE, ST=DE, C=DE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2047 bits
….

2019-06-06 14:18:53.169 DEBUG [main ] SecureChannelTcp:590 – initialize: url=opc.tcp://127.0.0.1:53530/OPCUA/SimulationServer
2019-06-06 14:18:53.170 DEBUG [main ] SecureChannelTcp:737 – open
2019-06-06 14:18:53.171 INFO [main ] TcpConnection:967 – /127.0.0.1:53530 Connecting
2019-06-06 14:18:53.173 DEBUG [main ] TcpConnection:998 – /127.0.0.1:53530 Socket connected
2019-06-06 14:18:53.181 INFO [main ] TcpConnection:1230 – Connected (non-reverse), handshake completed, local=/127.0.0.1:64249, remote=/127.0.0.1:53530
2019-06-06 14:18:53.182 DEBUG [main ] TcpConnection:1238 – Creating ReadThread
2019-06-06 14:18:53.182 DEBUG [main ] SecureChannelTcp:1001 – createSecureChannel: renew=false channel=com.prosysopc.ua.stack.transport.tcp.io.TcpConnection@1f8fa12
2019-06-06 14:18:53.183 DEBUG [main ] SecureChannelTcp:1007 – createSecureChannel: requestId=1
2019-06-06 14:18:53.183 DEBUG [main ] CryptoUtil:159 – createNonce: bytes=32
2019-06-06 14:18:53.183 DEBUG [main ] SecureChannelTcp:1018 – tokenLifetime: 3600000
2019-06-06 14:18:53.183 DEBUG [main ] TcpConnection:1326 – sendRequest: socket=Socket[addr=/127.0.0.1,port=53530,localport=64249]
2019-06-06 14:18:53.183 DEBUG [main ] TcpConnection:1331 – sendRequest: 0 Sending Request rid:1
2019-06-06 14:18:53.184 DEBUG [main ] TcpConnection:1346 – sendRequest: token=null
2019-06-06 14:18:53.184 DEBUG [main ] TcpConnection:1350 – sendRequest: keySize=0
2019-06-06 14:18:53.186 DEBUG [main ] TcpConnection:4696 – SecureChannelId=0 SequenceNumber=1, RequestId=1
2019-06-06 14:18:53.187 DEBUG [main ] ChunkAsymmEncryptSigner:86 – SecurityMode in asymm enc: 3
2019-06-06 14:18:53.298 DEBUG [main ] ChunkAsymmEncryptSigner:2147 – rsa_Encrypt: policy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
2019-06-06 14:18:53.298 DEBUG [main ] ChunkAsymmEncryptSigner:2156 – encrypt: inputBlockSize=214
2019-06-06 14:18:53.305 DEBUG [main ] BcCryptoProvider:188 – Encrypt: inputBlockSize=214, outputBlockSize=256, dataToEncrypt.length=428
2019-06-06 14:18:53.457 WARN [TcpConnection/Read ] TcpConnection:278 – /127.0.0.1:53530 Error
com.prosysopc.ua.stack.common.ServiceResultException: Bad_UnexpectedError (code=0x80010000, description=”Bad_UnexpectedError (code=0x80010000, description=”org.opcfoundation.ua.common.ServiceResultException: Bad_SecurityChecksFailed (code=0x80130000, description=”Signature could not be VERIFIED”)”)”)
at com.prosysopc.ua.stack.transport.tcp.io.TcpConnection$b.run(SourceFile:276)
2019-06-06 14:18:53.463 INFO [TcpConnection/Read ] TcpConnection:1459 – /127.0.0.1:53530 Closed
2019-06-06 14:18:54.558 DEBUG [main ] SecureChannelTcp:403 – requests.clear()
2019-06-06 14:18:54.562 ERROR [main ] OpcUaService:52 – com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://myHost:53530/OPCUA/SimulationServer [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt] ServiceResult=Bad_UnexpectedError (0x80010000) “An unexpected error occurred.”
com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://myHost:53530/OPCUA/SimulationServer [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt] ServiceResult=Bad_UnexpectedError (0x80010000) “An unexpected error occurred.”
at com.prosysopc.ua.client.UaClient.r(SourceFile:5115)
at com.prosysopc.ua.client.UaClient.connect(SourceFile:874)

Sometimes I get following exception:

2019-06-06 14:19:42.139 DEBUG [main ] ChunkAsymmEncryptSigner:86 – SecurityMode in asymm enc: 3
2019-06-06 14:19:42.255 DEBUG [main ] ChunkAsymmEncryptSigner:2147 – rsa_Encrypt: policy=http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
2019-06-06 14:19:42.255 DEBUG [main ] ChunkAsymmEncryptSigner:2156 – encrypt: inputBlockSize=214
2019-06-06 14:19:42.262 DEBUG [main ] BcCryptoProvider:188 – Encrypt: inputBlockSize=214, outputBlockSize=256, dataToEncrypt.length=428
2019-06-06 14:19:42.450 WARN [TcpConnection/Read ] TcpConnection:278 – /127.0.0.1:53530 Error
com.prosysopc.ua.stack.common.ServiceResultException: Bad_EndOfStream (code=0x80B00000, description=”Bad_EndOfStream (code=0x80B00000, description=”2159017984, null”)”)
at com.prosysopc.ua.stack.transport.tcp.io.TcpConnection$b.run(SourceFile:276)
2019-06-06 14:19:42.458 INFO [TcpConnection/Read ] TcpConnection:1459 – /127.0.0.1:53530 Closed
2019-06-06 14:19:43.546 DEBUG [main ] SecureChannelTcp:403 – requests.clear()
2019-06-06 14:19:43.551 ERROR [main ] OpcUaService:52 – com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://myHost:53530/OPCUA/SimulationServer [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt] ServiceResult=Bad_EndOfStream (0x80B00000) “Cannot move beyond end of the stream.”
com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://myHost:53530/OPCUA/SimulationServer [http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256,SignAndEncrypt] ServiceResult=Bad_EndOfStream (0x80B00000) “Cannot move beyond end of the stream.”
at com.prosysopc.ua.client.UaClient.r(SourceFile:5115)
at com.prosysopc.ua.client.UaClient.connect(SourceFile:874)

Is it a known problem that certificates which have a key size of 2047 do not work?
If the problem has nothing to do with the key size what else can I check?

Thanks for helping!

June 6, 2019
17:43, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1026
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

Certs must be exactly 1024, 2048 or 4096. Other sizes do not work. 1024 and 4096 have limitations on which security policies they do work (and some are consider deprecated in 1.04), therefore generally I would recommend to use 2048 at the moment.

I guess in theory some other sizes could exist, but I have never seen a cert other than those sizes (also https://crypto.stackexchange.com/questions/7849/why-are-rsa-key-sizes-almost-always-a-power-of-two).

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
12 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 736

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1524

Posts: 6450

Newest Members:

kristiewinkle8, rust, christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley, Thomassnism

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0

Administrators: admin: 1