how to make a certificate of basic256sha256 ? #16

Open
shirenfeng opened this issue Oct 23, 2019 · 1 comment

Comments

@shirenfeng

@hansgschossmann

I set the client securityMode to UA_MESSAGESECURITYMODE_NONE and
securityPolicyUri to http://opcfoundation.org/UA/SecurityPolicy#None, and the client can connect to a TCP secure channel;

I set the client securityMode to UA_MESSAGESECURITYMODE_SIGNANDENCRYPT and
securityPolicyUri to http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256, and the client couldn't connect to a TCP secure channel.

Do I need to create a Basic256Sha256 certificate?

I created the certificate with default parameters.
My certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            83:1a:43:e0:9a:60:89:47:81:02:3d:28:0e:28:62:82
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=srf, O=JM, CN=jmApp
        Validity
            Not Before: Oct 17 07:40:09 2019 GMT
            Not After : Oct 11 07:40:09 2020 GMT
        Subject: DC=srf, O=JM, CN=jmApp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:2F:BA:DA:E1:4B:DC:1D:CB:8C:C0:F6:99:4E:DF:F7:21:F5:77:E4:75
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                2F:BA:DA:E1:4B:DC:1D:CB:8C:C0:F6:99:4E:DF:F7:21:F5:77:E4:75
            X509v3 Subject Alternative Name:
                URI:urn:srfJM:jmApp, DNS:srf
    Signature Algorithm: sha256WithRSAEncryption
@shirenfeng
Author

server code:

.......
UA_Server *server = UA_Server_new();
UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "call UA_ServerConfig_setDefault");
UA_ServerConfig *config = UA_Server_getConfig(server);

/* Register the built-in security policies (None, Basic128Rsa15, Basic256,
 * Basic256Sha256) together with the server certificate/key and PKI lists. */
UA_StatusCode retval =
    UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
                                                   &certificate, &privateKey,
                                                   trustList, trustListSize,
                                                   issuerList, issuerListSize,
                                                   revocationList, revocationListSize);

/* The config holds its own copies, so the local buffers can be released. */
UA_ByteString_clear(&certificate);
UA_ByteString_clear(&privateKey);
for(size_t i = 0; i < trustListSize; i++)
    UA_ByteString_clear(&trustList[i]);

if(retval != UA_STATUSCODE_GOOD) {
    UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                 "UA_ServerConfig_setDefaultWithSecurityPolicies FAIL");
    UA_Server_delete(server);
    return EXIT_FAILURE; /* retval is never GOOD in this branch */
}

retval = UA_Server_run(server, &running);
........

client code:

...

client = UA_Client_new();
UA_ClientConfig_setDefault(UA_Client_getConfig(client));

/* Discovery: ask the server which (securityMode, securityPolicyUri) endpoints it offers. */
UA_StatusCode retval = UA_Client_getEndpoints(client, endpointUrl, // "opc.tcp://localhost:4840"
                                              &endpointArraySize, &endpointArray);
if(retval != UA_STATUSCODE_GOOD) {
    UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "UA_Client_getEndpoints FAIL");
    UA_Client_delete(client);
    return EXIT_FAILURE;
}
if(endpointArraySize == 0) { /* size_t is unsigned, so "<= 0" meant "== 0" */
    UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "endpointArraySize == 0 FAIL");
    UA_Client_delete(client);
    return EXIT_FAILURE; /* retval is GOOD here, so the old ternary returned EXIT_SUCCESS */
}
for(size_t i = 0; i < endpointArraySize; i++) {
    /* UA_String.data is not NUL-terminated: print it with %.*s and the length,
     * not %s, otherwise the log shows bytes past the buffer ("4840!"). */
    UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                "UA_Client_getEndpoints : i=%u,endpointUrl:%.*s,mode:%u,policyUri:%.*s",
                (unsigned)i,
                (int)endpointArray[i].endpointUrl.length, endpointArray[i].endpointUrl.data,
                (unsigned)endpointArray[i].securityMode,
                (int)endpointArray[i].securityPolicyUri.length, endpointArray[i].securityPolicyUri.data);
}

UA_Array_delete(endpointArray, endpointArraySize,
                &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]);
UA_Client_delete(client);

/* Secure client initialization */
client = UA_Client_new();
UA_ClientConfig *cc = UA_Client_getConfig(client);

/* Load the client certificate/key and the PKI lists; this also registers the
 * encrypted security policies on the client side. */
UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
                                     trustList, trustListSize,
                                     revocationList, revocationListSize);
for(size_t deleteCount = 0; deleteCount < trustListSize; deleteCount++) {
    UA_ByteString_clear(&trustList[deleteCount]);
}

/* Secure client connect: require SignAndEncrypt (enum value 3) and pin the
 * SecurityPolicy for the SecureChannel. An empty securityPolicyUri would let
 * the client select any matching SecurityPolicy. */
cc->securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT; /* require encryption */
cc->securityPolicyUri = UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");

retval = UA_Client_connect(client, endpointUrl);
if(retval != UA_STATUSCODE_GOOD) {
    UA_Client_delete(client);
    UA_ByteString_clear(&certificate);
    UA_ByteString_clear(&privateKey);
    return EXIT_FAILURE;
}
....

client log:

[2019-10-24 14:42:06.593 (UTC+0800)] info/client SecurityPolicy not specified -> use default #None
[2019-10-24 14:42:06.593 (UTC+0800)] warn/securitypolicy Security policy None is used to create SecureChannel. Accepting all certificates
[2019-10-24 14:42:06.602 (UTC+0800)] info/client TCP connection established
[2019-10-24 14:42:06.611 (UTC+0800)] info/client Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None
[2019-10-24 14:42:06.620 (UTC+0800)] info/userland UA_Client_getEndpoints : i=0,endpointUrl:opc.tcp://localhost:4840!,mode:1,policyUri:http://opcfoundation.org/UA/SecurityPolicy#None
[2019-10-24 14:42:06.621 (UTC+0800)] info/userland UA_Client_getEndpoints : i=1,endpointUrl:opc.tcp://localhost:4840!,mode:2,policyUri:http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15▒
[2019-10-24 14:42:06.621 (UTC+0800)] info/userland UA_Client_getEndpoints : i=2,endpointUrl:opc.tcp://localhost:4840!,mode:3,policyUri:http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15▒
[2019-10-24 14:42:06.621 (UTC+0800)] info/userland UA_Client_getEndpoints : i=3,endpointUrl:opc.tcp://localhost:4840!,mode:2,policyUri:http://opcfoundation.org/UA/SecurityPolicy#Basic256
[2019-10-24 14:42:06.621 (UTC+0800)] info/userland UA_Client_getEndpoints : i=4,endpointUrl:opc.tcp://localhost:4840!,mode:3,policyUri:http://opcfoundation.org/UA/SecurityPolicy#Basic256
[2019-10-24 14:42:06.622 (UTC+0800)] info/userland UA_Client_getEndpoints : i=5,endpointUrl:opc.tcp://localhost:4840!,mode:2,policyUri:http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
[2019-10-24 14:42:06.622 (UTC+0800)] info/userland UA_Client_getEndpoints : i=6,endpointUrl:opc.tcp://localhost:4840!,mode:3,policyUri:http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

mbedtls_pk_parse_key 1
mbedtls_pk_parse_key 2
mbedtls_pk_parse_key 3
mbedtls_pk_parse_key 5
mbedtls_pk_parse_key 6
mbedtls_pk_parse_key 9 ret=-4224
mbedtls_pk_parse_key 10 ret=0
pk_parse_key_pkcs8_unencrypted_der 11 ret=0
mbedtls_pk_parse_key 11 ret=0
mbedtls_pk_parse_key 1
mbedtls_pk_parse_key 2
mbedtls_pk_parse_key 3
mbedtls_pk_parse_key 5
mbedtls_pk_parse_key 6
mbedtls_pk_parse_key 9 ret=-4224
mbedtls_pk_parse_key 10 ret=0
pk_parse_key_pkcs8_unencrypted_der 11 ret=0
mbedtls_pk_parse_key 11 ret=0
mbedtls_pk_parse_key 1
mbedtls_pk_parse_key 2
mbedtls_pk_parse_key 3
mbedtls_pk_parse_key 5
mbedtls_pk_parse_key 6
mbedtls_pk_parse_key 9 ret=-4224
mbedtls_pk_parse_key 10 ret=0
pk_parse_key_pkcs8_unencrypted_der 11 ret=0
mbedtls_pk_parse_key 11 ret=0

[2019-10-24 14:42:06.641 (UTC+0800)] info/client Connecting to endpoint opc.tcp://localhost:4840
[2019-10-24 14:42:06.642 (UTC+0800)] error/client Failed to set the security policy
[2019-10-24 14:42:06.642 (UTC+0800)] error/client Couldn't connect the client to a TCP secure channel

server log:

..........
[2019-10-24 14:41:06.303 (UTC+0800)] warn/userland No CA trust-list provided. Any remote certificate will be accepted.
mbedtls_pk_parse_key 1
mbedtls_pk_parse_key 2
mbedtls_pk_parse_key 3
mbedtls_pk_parse_key 5
mbedtls_pk_parse_key 6
mbedtls_pk_parse_key 9 ret=-4224
mbedtls_pk_parse_key 10 ret=0
pk_parse_key_pkcs8_unencrypted_der 11 ret=0
mbedtls_pk_parse_key 11 ret=0
mbedtls_pk_parse_key 1
mbedtls_pk_parse_key 2
mbedtls_pk_parse_key 3
mbedtls_pk_parse_key 5
mbedtls_pk_parse_key 6
mbedtls_pk_parse_key 9 ret=-4224
mbedtls_pk_parse_key 10 ret=0
pk_parse_key_pkcs8_unencrypted_der 11 ret=0
mbedtls_pk_parse_key 11 ret=0
mbedtls_pk_parse_key 1
mbedtls_pk_parse_key 2
mbedtls_pk_parse_key 3
mbedtls_pk_parse_key 5
mbedtls_pk_parse_key 6
mbedtls_pk_parse_key 9 ret=-4224
mbedtls_pk_parse_key 10 ret=0
pk_parse_key_pkcs8_unencrypted_der 11 ret=0
mbedtls_pk_parse_key 11 ret=0
[2019-10-24 14:41:06.308 (UTC+0800)] info/server server->config.applicationDescription.applicationUri urn:srfJM:jmApp
[2019-10-24 14:41:06.308 (UTC+0800)] info/server server->config.applicationDescription.applicationUri urn:srfJM:jmApp
[2019-10-24 14:41:06.308 (UTC+0800)] info/server server->config.applicationDescription.applicationUri urn:srfJM:jmApp
[2019-10-24 14:41:06.308 (UTC+0800)] info/network TCP network layer listening on opc.tcp://ubuntu:4840/
[2019-10-24 14:42:06.602 (UTC+0800)] info/network Connection 6 | New connection over TCP from 127.0.0.1
[2019-10-24 14:42:06.611 (UTC+0800)] info/channel Creating a new SecureChannel
[2019-10-24 14:42:06.611 (UTC+0800)] warn/securitypolicy Security policy None is used to create SecureChannel. Accepting all certificates
[2019-10-24 14:42:06.611 (UTC+0800)] info/channel Connection 6 | SecureChannel 1 | Opened SecureChannel
[2019-10-24 14:42:06.612 (UTC+0800)] info/channel Connection 6 | SecureChannel 1 | CloseSecureChannel
[2019-10-24 14:42:06.612 (UTC+0800)] info/network Connection 6 | Closed
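As an added example (not code from the issue or from open62541), the endpoint selection and logging the client snippet above performs, written against a stand-in struct that is assumed to mirror UA_String's length/data layout so it compiles without open62541. It pins SignAndEncrypt + Basic256Sha256 rather than accepting whatever the server lists first, and prints strings with a bounded `%.*s`, which avoids the overread visible as `4840!` and the stray bytes in the client log; the seven endpoints are constructed from that log.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for open62541's UA_String: length + data that is NOT NUL-terminated
 * (assumed to mirror the real type; the real struct is not used here). */
typedef struct { size_t length; const char *data; } ua_str;
/* The three UA_EndpointDescription fields the issue's log line prints. */
typedef struct { ua_str endpointUrl; unsigned securityMode; ua_str securityPolicyUri; } endpoint;
#define SP(name) "http://opcfoundation.org/UA/SecurityPolicy#" name
#define MODE_SIGNANDENCRYPT 3u   /* value of UA_MESSAGESECURITYMODE_SIGNANDENCRYPT */

/* Length-bounded compare. strcmp() or "%s" on UA_String.data reads past the
 * buffer, which is what produced "4840!" and the stray bytes in the log above. */
int ua_str_eq_cstr(ua_str s, const char *c) {
    size_t n = strlen(c);
    return s.length == n && memcmp(s.data, c, n) == 0;
}

/* Index of the first endpoint offering exactly SignAndEncrypt + Basic256Sha256,
 * or -1: pinning both means the client fails closed rather than silently
 * accepting Sign-only or a weaker policy such as Basic128Rsa15. */
int select_endpoint(const endpoint *eps, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (eps[i].securityMode == MODE_SIGNANDENCRYPT &&
            ua_str_eq_cstr(eps[i].securityPolicyUri, SP("Basic256Sha256")))
            return (int)i;
    return -1;
}

/* Safe form of the issue's log line: %.*s bounds each read by the length. */
void print_endpoint(size_t i, const endpoint *e) {
    printf("i=%zu,endpointUrl:%.*s,mode:%u,policyUri:%.*s\n", i,
           (int)e->endpointUrl.length, e->endpointUrl.data, e->securityMode,
           (int)e->securityPolicyUri.length, e->securityPolicyUri.data);
}

/* Constructed sample: the seven endpoints the server advertised in the log. */
#define S(lit) { sizeof(lit) - 1, (lit) }
#define U S("opc.tcp://localhost:4840")
const endpoint sample[] = {
    { U, 1, S(SP("None")) },
    { U, 2, S(SP("Basic128Rsa15")) },  { U, 3, S(SP("Basic128Rsa15")) },
    { U, 2, S(SP("Basic256")) },       { U, 3, S(SP("Basic256")) },
    { U, 2, S(SP("Basic256Sha256")) }, { U, 3, S(SP("Basic256Sha256")) },
};
const size_t sample_len = sizeof sample / sizeof sample[0];

int main(void) {
    for (size_t i = 0; i < sample_len; i++) print_endpoint(i, &sample[i]);
    printf("selected endpoint: %d\n", select_endpoint(sample, sample_len));
    return 0;
}
```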
