The URI specified in the ApplicationDescription does not match the URI in the Certificate.
September 4, 2017
15:51, EEST
patduflot
Member
Members
Forum Posts: 6
Member Since:
May 16, 2017

Hello,

I have this error when trying to connect to OPC-UA server using ProSys Java client SDK. Using the same certificate in UaExpert works, so I guess the issue is with my code. The server is a B&R CPU. I cannot figure out which part of the certificate should match the URI in the application description. Neither if it has to match something in the client or the server certificate.

Here are the commands used to generate the certificate:
# Create RootCA cert
openssl genrsa -des3 -out ./certs/OpcUa_CA_key.key 2048
openssl req -x509 -new -nodes -key ./certs/OpcUa_CA_key.key -days 3000 -out ./certs/OpcUA_CA.pem -config OpcUA_openssl.cfg -extensions v3_req
openssl x509 -outform der -in ./certs/OpcUA_CA.pem -out ./certs/OpcUA_CA.der
cp ./certs/OpcUA_CA.der ./certs/OpcUA_CA.cer
cp ./certs/OpcUA_CA_key.key ./certs/OpcUA_CA_key.pem

# Create Server cert
openssl genrsa -out ./certs/OpcUa_Server_key.key 2048
openssl req -new -key ./certs/OpcUa_Server_key.key -out ./certs/OpcUa_Server.csr
openssl x509 -req -in ./certs/OpcUa_Server.csr -CA ./certs/OpcUA_CA.pem -CAkey ./certs/OpcUA_CA_key.key -CAcreateserial -out ./certs/OpcUa_Server.der -outform der -days 3000 -extfile OpcUA_openssl.cfg -extensions v4_req
cp ./certs/OpcUa_Server.der ./certs/OpcUa_Server.cer
cp ./certs/OpcUa_Server_key.key ./certs/OpcUa_Server_key.pem

# Create App cert
openssl genrsa -out ./certs/OpcUa_Client_key.key 2048
openssl req -new -key ./certs/OpcUa_Client_key.key -out ./certs/OpcUa_Client.csr
openssl x509 -req -in ./certs/OpcUa_Client.csr -CA ./certs/OpcUA_CA.pem -CAkey ./certs/OpcUA_CA_key.key -CAcreateserial -out ./certs/OpcUa_Client.der -outform der -days 3000 -extfile OpcUA_openssl.cfg -extensions v4_req
cp ./certs/OpcUa_Client.der ./certs/OpcUa_Client.cer
cp ./certs/OpcUa_Client_key.key ./certs/OpcUa_Client_key.pem

Here is the client code:

ApplicationIdentity identity = new ApplicationIdentity([path to the cert generated above], [path to the pkey generated above], "mypass");
identity.getApplicationDescription().setApplicationName(new LocalizedText(OpcUtils.getAppName(), Locale.ENGLISH));
identity.getApplicationDescription().setApplicationUri("urn:pms-stubbed");
identity.getApplicationDescription().setProductUri("urn:pms-stubbed");
identity.getApplicationDescription().setApplicationType(ApplicationType.Client);

Note: I used ‘urn:pms-stubbed’ as common name to generate my client CSR.

Can you help?

Thanks,

Patrick

September 5, 2017
12:34, EEST
Bjarne Boström
Moderator
Moderators
Forum Posts: 1026
Member Since:
April 3, 2012

Hi,

The Subject Alternative Name part of the certificate must have
URL=(application uri)

And the ApplicationDescription.ApplicationUri must be the same.

Either side might reject the connection unless this is done. It is also the default behaviour of the Java SDK. However, if needed, you can add a CertificateValidationListener to the PkiFileBasedCertificateValidator to change this; see the MyCertificateValidationListener class in the SampleConsoleClient example.

– Bjarne

September 25, 2017
16:46, EEST
patduflot
Member
Members
Forum Posts: 6
Member Since:
May 16, 2017

I implemented the CertificateValidator interface. I return Status.GOOD always. I gave this implementation to
UaClient.setCertificateValidator(CertificateValidator);
and UaClient.getHttpsSettings().setCertificateValidator(CertificateValidator);

However, this implementation never gets called. It looks like the request fails earlier and deeper in the opcfoundation stack:

Caused by: org.opcfoundation.ua.common.ServiceFaultException: ServiceFault: Bad_CertificateUriInvalid (0x80170000) “The URI specified in the ApplicationDescription does not match the URI in the Certificate.”
Diagnostic Info:
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(Unknown Source)
at org.opcfoundation.ua.application.Client.createSession(Unknown Source)

September 25, 2017
17:26, EEST
Bjarne Boström
Moderator
Moderators
Forum Posts: 1026
Member Since:
April 3, 2012

Hi,

That would indicate that the server side did reject the connection.

– Bjarne

September 25, 2017
19:46, EEST
patduflot
Member
Members
Forum Posts: 6
Member Since:
May 16, 2017

Hi,

I set the application URI to the Subject Alternative Name and now both client and server are happy.
The problem I have now is to validate the server certificate.
I wanted to allow connection only to servers that present a certificate signed by a defined CA.
How can I get the full chain of certificates of the server?
ApplicationIdentity.getCertificate() contains only the last certificate of the chain, no?
ApplicationIdentity.getCertificate().getCertificate().getIssuerX500Principal() gives me more information about the issuer but not really the CA public certificate. Is it enough to check this part?

Thanks,

Patrick

September 26, 2017
10:26, EEST
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013

Hi,

You could use the ‘verify’ method in this case, meaning:

certificate.getCertificate().verify(key);

where the ‘key’ would be the public key of the CA certificate.

However, it’s good to note that the default example implementation PkiFileBasedCertificateValidator already handles this validation task. You only need to place the trusted CA certificates in the PKI/CA/certs folder. After this, the client side PkiFileBasedCertificateValidator will check if server application instance certificate is signed by one of these trusted CAs.

Do you have some reason not to use the PkiFileBasedCertificateValidator approach? Of course there are many possible reasons for overriding this basic implementation but they haven’t been explained yet. In an earlier post Bjarne mentioned that you can change the default behaviour with CertificateValidationListener attached to PkiFileBasedCertificateValidator with PkiFileBasedCertificateValidator.setValidationListener method. But he did not mean to say that you should implement all functionality yourself.

Also, just to mention the subject, please see the chapter “5.4 Validating Server Certificates” in the client tutorial if you haven’t done it yet.
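The two checks discussed in this thread, Bjarne's rule that the ApplicationUri must equal the URI entry of the certificate's Subject Alternative Name, and Heikki's point that a server certificate is accepted only when it is signed by a CA in the trust store, can be reproduced outside the SDK with the openssl CLI. The script below is an added example written for this thread; it is not code from the posts, from the Prosys Java SDK or from the B&R server. It assumes openssl is on PATH, and every name, path and URI value in it (the CAs, "urn:pms-stubbed" reused from the thread, "urn:example-plc:server") is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not from the forum posts, the Prosys SDK or B&R):
#   1. ApplicationDescription.ApplicationUri must equal the URI entry of the
#      certificate's subjectAltName, or the stack answers Bad_CertificateUriInvalid.
#   2. A server certificate is trusted only if it chains to a CA in the trust store,
#      which is what PkiFileBasedCertificateValidator does with PKI/CA/certs.
# Assumptions: openssl CLI on PATH; all names, paths and URIs below are constructed.
set -e

WORK=${WORK:-$(mktemp -d)}

# make_ca DIR NAME: self-signed CA in DIR/NAME.pem (unencrypted key, for brevity only)
make_ca() {
    dir=$1; name=$2
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ca_ext\n[dn]\nCN = %s\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' "$name" > "$dir/$name.cnf"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/$name.key" -days 30 -config "$dir/$name.cnf" -out "$dir/$name.pem" 2>/dev/null
}

# make_app_cert DIR CA NAME URI: application-instance cert signed by DIR/CA.pem whose
# subjectAltName carries the ApplicationUri; this is the entry the SDK compares against.
make_app_cert() {
    dir=$1; ca=$2; name=$3; uri=$4
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$name" > "$dir/$name.cnf"
    printf 'subjectAltName = URI:%s\nkeyUsage = digitalSignature,keyEncipherment,dataEncipherment\nextendedKeyUsage = clientAuth,serverAuth\n' "$uri" > "$dir/$name.ext"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" -CAcreateserial \
        -days 30 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
    # DER copy, the encoding the thread's .der/.cer files use
    openssl x509 -in "$dir/$name.pem" -outform der -out "$dir/$name.der"
}

# san_uri CERT_PEM: print the first URI entry of subjectAltName (empty if there is none;
# the certs built here carry no other URI-valued extension, so the text dump is safe to grep)
san_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# uri_matches CERT_PEM APP_URI: succeeds when APP_URI equals the SAN URI, the comparison
# behind "The URI specified in the ApplicationDescription does not match the URI in the Certificate."
uri_matches() {
    [ -n "$2" ] && [ "$(san_uri "$1")" = "$2" ]
}

# chains_to_ca CERT_PEM CA_PEM: succeeds when CERT_PEM is issued by CA_PEM (issuer name,
# signature and validity checked), i.e. the trust-store check a file-based validator performs
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Scenario (constructed): our CA issues the client cert and the real server cert; a second
# CA we do not trust issues a look-alike server cert with the same ApplicationUri.
make_ca "$WORK" OpcUA_CA
make_ca "$WORK" Untrusted_CA
make_app_cert "$WORK" OpcUA_CA client urn:pms-stubbed
make_app_cert "$WORK" OpcUA_CA server urn:example-plc:server
make_app_cert "$WORK" Untrusted_CA rogue_server urn:example-plc:server

uri_matches "$WORK/client.pem" urn:pms-stubbed && echo "client ApplicationUri matches its SAN URI"
uri_matches "$WORK/client.pem" urn:other-app || echo "mismatched ApplicationUri would be rejected"
chains_to_ca "$WORK/server.pem" "$WORK/OpcUA_CA.pem" && echo "server cert chains to the trusted CA"
chains_to_ca "$WORK/rogue_server.pem" "$WORK/OpcUA_CA.pem" || echo "rogue server cert rejected: not issued by a trusted CA"
```

The rogue server certificate carries exactly the same ApplicationUri as the genuine one, so the URI comparison alone would accept it; only the issuer check against the trusted CA tells them apart. That is why the trust-store check that Heikki describes (CA certificates in PKI/CA/certs) should stay in place rather than being replaced by a validator that always returns Status.GOOD.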

September 26, 2017
16:56, EEST
patduflot
Member
Members
Forum Posts: 6
Member Since:
May 16, 2017

Thank you, everything is set up correctly now!
