
Error BadSecurityChecksFailed even added UA Expert's Certificate #6018

Open · 4 tasks
longhoang1641997 opened this issue Sep 22, 2023 · 0 comments

Comments

longhoang1641997 commented Sep 22, 2023

Description

Upon trying the encryption samples for the server and client, I've found that in the server we see the BadSecurityChecksFailed error when I connect to the server the first time, which results in the closure of the secure channel and the session. This ideally shouldn't happen, as the secure channel is established with the same pair of server and client certificates and the trusted certificate of UA Expert.

Background Information / Reproduction Steps

I just changed the way the certificate is loaded and created. My idea is that on the first server init I create a server certificate, and on the second run I load the certificate that was created in the first run. Besides, I changed the trust list size to 1 to load UA Expert's certificate.

```c
#include <open62541/client_highlevel.h>
#include <open62541/plugin/log_stdout.h>
#include <open62541/plugin/create_certificate.h>
#include <open62541/plugin/securitypolicy.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>

#include <signal.h>
#include <stdlib.h>

#include "common.h"

UA_Boolean running = true;
static void stopHandler(int sig) {
    UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "received ctrl-c");
    running = false;
}

int main(int argc, char* argv[]) {
    signal(SIGINT, stopHandler);
    signal(SIGTERM, stopHandler);
    UA_ByteString certificate = UA_BYTESTRING_NULL;
    UA_ByteString privateKey = UA_BYTESTRING_NULL;

    /* First run: this line is left out so the certificate is generated below.
     * Second run: forced to 3 so the certificate saved by the first run is loaded. */
    argc = 3;

    if (argc >= 3) {
        /* Load certificate and private key */
        UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "Load Certificate");
        certificate = loadFile("D:/miscellaneous_prj/UsingOpenSource65241/UsingServer_Encryption/Cert.der");
        privateKey = loadFile("D:/miscellaneous_prj/UsingOpenSource65241/UsingServer_Encryption/PrivateKey.der");
        /* loadFile() returns an empty ByteString when the file cannot be read */
        if (certificate.length == 0 || privateKey.length == 0) {
            UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                         "Could not read the server certificate or private key from disk");
            return EXIT_FAILURE;
        }
        argc = 0;
    } else {
        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                     "Missing arguments. Arguments are "
                     "<server-certificate.der> <private-key.der> "
                     "[<trustlist1.crl>, ...]");

#if defined(UA_ENABLE_ENCRYPTION_OPENSSL) || defined(UA_ENABLE_ENCRYPTION_LIBRESSL)
        /* No certificate on disk yet: generate a self-signed one */
        UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                    "Trying to create a certificate.");
        UA_String subject[3] = { UA_STRING_STATIC("C=DE"),
                                 UA_STRING_STATIC("O=SampleOrganization"),
                                 UA_STRING_STATIC("CN=Open62541Server@localhost") };
        UA_UInt32 lenSubject = 3;
        UA_String subjectAltName[2] = {
            UA_STRING_STATIC("DNS:localhost"),
            UA_STRING_STATIC("URI:urn:open62541.server.application")
        };
        UA_UInt32 lenSubjectAltName = 2;
        UA_StatusCode statusCertGen =
            UA_CreateCertificate(UA_Log_Stdout,
                                 subject, lenSubject,
                                 subjectAltName, lenSubjectAltName,
                                 0, UA_CERTIFICATEFORMAT_DER,
                                 &privateKey, &certificate);

        if (statusCertGen != UA_STATUSCODE_GOOD) {
            UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                        "Generating Certificate failed: %s",
                        UA_StatusCode_name(statusCertGen));
            return EXIT_SUCCESS;
        }
#else
        return EXIT_SUCCESS;
#endif
    }

    /* Load the trustlist: fixed to a single entry, UA Expert's own certificate */
    size_t trustListSize = 1;
    if (argc > 3)
        trustListSize = (size_t)argc - 3;
    UA_STACKARRAY(UA_ByteString, trustList, trustListSize + 1);
    for (size_t i = 0; i < trustListSize; i++) {
        trustList[i] = loadFile("C:/Users/Admin/AppData/Roaming/unifiedautomation/uaexpert/PKI/own/certs/uaexpert.der");
        if (trustList[i].length == 0)
            UA_LOG_WARNING(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                           "Trust list entry %u could not be read", (unsigned)i);
    }

    /* Loading of an issuer list, not used in this application */
    size_t issuerListSize = 0;
    UA_ByteString* issuerList = NULL;

    /* Loading of a revocation list currently unsupported */
    UA_ByteString* revocationList = NULL;
    size_t revocationListSize = 0;

    UA_Server* server = UA_Server_new();
    UA_ServerConfig* config = UA_Server_getConfig(server);

    UA_StatusCode retval =
        UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
                                                       &certificate, &privateKey,
                                                       trustList, trustListSize,
                                                       issuerList, issuerListSize,
                                                       revocationList, revocationListSize);

    if (retval == UA_STATUSCODE_GOOD) {
        UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                    "UA_ServerConfig_setDefaultWithSecurityPolicies");
    }

#ifdef UA_ENABLE_WEBSOCKET_SERVER
    UA_ServerConfig_addNetworkLayerWS(UA_Server_getConfig(server), 7681, 0, 0,
                                      &certificate, &privateKey);
#endif

    /* Persist the certificate and key so the second run can load them */
    writeFile("D:/miscellaneous_prj/UsingOpenSource65241/UsingServer_Encryption/PrivateKey.der", privateKey);
    writeFile("D:/miscellaneous_prj/UsingOpenSource65241/UsingServer_Encryption/Cert.der", certificate);

    /* The config has copied everything it needs; release the local buffers */
    UA_ByteString_clear(&certificate);
    UA_ByteString_clear(&privateKey);
    for (size_t i = 0; i < trustListSize; i++)
        UA_ByteString_clear(&trustList[i]);
    if (retval != UA_STATUSCODE_GOOD)
        goto cleanup;

    retval = UA_Server_run(server, &running);

cleanup:
    UA_Server_delete(server);
    return retval == UA_STATUSCODE_GOOD ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Used CMake options:

```shell
cmake --DLIB_EAY_LIBRARY_DEBUG:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll.dbg/libeay32d.lib" -DLIB_EAY_RELEASE:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll/libeay32.lib" -DLIB_EAY_DEBUG:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll.dbg/libeay32d.lib" -DSSL_EAY_DEBUG:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll.dbg/ssleay32d.lib" -DUA_MULTITHREADING:STRING="0" -DSSL_EAY_LIBRARY_RELEASE:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll/ssleay32.lib" -DUA_ENABLE_ENCRYPTION_OPENSSL:BOOL="1" -DOPENSSL_INCLUDE_DIR:PATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/inc32" -DLIB_EAY_LIBRARY_RELEASE:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll/libeay32.lib" -DCMAKE_INSTALL_PREFIX:PATH="D:/BuildLib3rd/open62541_package/installOpen62541" -DPDFLATEX_COMPILER:FILEPATH="PDFLATEX_COMPILER-NOTFOUND" -DBUILD_SHARED_LIBS:BOOL="1" -DUA_FORCE_CPP:BOOL="1" -DSSL_EAY_RELEASE:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll/ssleay32.lib" -DSSL_EAY_LIBRARY_DEBUG:FILEPATH="D:/UAOPC Third-3rd Setup/third-party/win64/vs2015/openssl/out32dll.dbg/ssleay32d.lib" -DUA_ENABLE_ENCRYPTION:STRING="OPENSSL"
```

Checklist

Please provide the following information:

  • open62541 Version (release number or git tag): open62541-1.3.6
  • Other OPC UA SDKs used (client or server):
  • Operating system: Windows 10
  • Logs (with UA_LOGLEVEL set as low as necessary) attached
  • Wireshark network dump attached: TraceFile.zip
  • Self-contained code example attached
  • Critical issue
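As an added example (not part of this issue and not open62541 code), here is a pre-flight check for the byte strings that go into the trust list. The examples' `loadFile()` helper returns an empty `UA_ByteString` when the path cannot be opened, and nothing in the sample above verifies what it got back, so a wrong path, or a PEM file dropped into a DER-only trust list, only becomes visible later as a rejected secure channel. `classify_cert_blob`, `count_usable_trust_entries` and `demo_usable_count` are hypothetical helpers; they work on raw bytes without any open62541 dependency, and the inputs are constructed stand-ins rather than real certificates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a buffer destined for the server trust list looks like.
 * Hypothetical helper type for this example; not part of open62541. */
typedef enum {
    CERT_BLOB_EMPTY = 0, /* nothing read, e.g. loadFile() hit a bad path */
    CERT_BLOB_PEM,       /* textual PEM: a DER trust list will not parse it */
    CERT_BLOB_DER,       /* outer DER SEQUENCE whose length matches the file */
    CERT_BLOB_UNKNOWN    /* truncated, padded, or not a certificate at all */
} CertBlobKind;

/* Read one DER length field at buf[*pos], advancing *pos past it.
 * Returns -1 for truncated, indefinite-length (0x80) or oversized encodings,
 * none of which are legal in DER. */
static long der_read_length(const unsigned char *buf, size_t len, size_t *pos) {
    if (*pos >= len)
        return -1;
    unsigned char first = buf[(*pos)++];
    if (first < 0x80)
        return first;                /* short form: the byte is the length */
    size_t n = first & 0x7F;         /* long form: n length bytes follow */
    if (n == 0 || n > 4 || *pos + n > len)
        return -1;
    long value = 0;
    for (size_t i = 0; i < n; i++)
        value = (value << 8) | buf[(*pos)++];
    return value;
}

/* Classify a loaded file without fully parsing X.509: a Certificate is a DER
 * SEQUENCE (tag 0x30) whose encoded length must cover exactly the rest of the
 * buffer. Anything else can never match the certificate a client presents. */
CertBlobKind classify_cert_blob(const unsigned char *buf, size_t len) {
    if (buf == NULL || len == 0)
        return CERT_BLOB_EMPTY;
    if (len >= 10 && memcmp(buf, "-----BEGIN", 10) == 0)
        return CERT_BLOB_PEM;
    if (buf[0] != 0x30)
        return CERT_BLOB_UNKNOWN;
    size_t pos = 1;
    long inner = der_read_length(buf, len, &pos);
    if (inner < 0)
        return CERT_BLOB_UNKNOWN;
    /* shorter: trailing garbage; longer: truncated copy or download */
    return (pos + (size_t)inner == len) ? CERT_BLOB_DER : CERT_BLOB_UNKNOWN;
}

const char *cert_blob_kind_name(CertBlobKind kind) {
    switch (kind) {
    case CERT_BLOB_EMPTY: return "EMPTY (file not read)";
    case CERT_BLOB_PEM:   return "PEM (convert to DER first)";
    case CERT_BLOB_DER:   return "DER";
    default:              return "UNKNOWN (not a complete DER object)";
    }
}

/* Mirrors the trust-list loop in the issue: check every entry before it is
 * handed to UA_ServerConfig_setDefaultWithSecurityPolicies and log each bad
 * one. Returns how many entries are well-formed DER. */
size_t count_usable_trust_entries(const unsigned char *const *bufs,
                                  const size_t *lens, size_t n) {
    size_t usable = 0;
    for (size_t i = 0; i < n; i++) {
        CertBlobKind kind = classify_cert_blob(bufs[i], lens[i]);
        if (kind == CERT_BLOB_DER)
            usable++;
        else
            fprintf(stderr, "trust list entry %u: %s\n", (unsigned)i,
                    cert_blob_kind_name(kind));
    }
    return usable;
}

/* Constructed sample inputs for this example; none is a real certificate. */
static const unsigned char sample_der[] = {
    0x30, 0x06,             /* SEQUENCE, 6 content bytes follow */
    0x02, 0x01, 0x05,       /* INTEGER 5 */
    0x04, 0x01, 0xAA        /* OCTET STRING 0xAA */
};
static const unsigned char sample_truncated[] = {
    0x30, 0x82, 0x03, 0x10, /* SEQUENCE claiming 784 content bytes ... */
    0x30, 0x82              /* ... of which only two are present */
};
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n";

/* Runs the check over the four constructed entries; only sample_der passes. */
size_t demo_usable_count(void) {
    const unsigned char *bufs[] = { sample_der, (const unsigned char *)sample_pem,
                                    sample_truncated, NULL };
    const size_t lens[] = { sizeof sample_der, sizeof sample_pem - 1,
                            sizeof sample_truncated, 0 };
    return count_usable_trust_entries(bufs, lens, 4);
}

int main(void) {
    size_t ok = demo_usable_count();
    printf("%u of 4 trust list entries are usable DER\n", (unsigned)ok);
    return ok == 4 ? 0 : 1;
}
```

In the server this check belongs between the `loadFile()` calls and `UA_ServerConfig_setDefaultWithSecurityPolicies`: refusing to start when an entry is EMPTY or PEM turns a silent misconfiguration into a clear log line, instead of leaving the operator to interpret a BadSecurityChecksFailed on the client side.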