
Client will not create certificates

Posted: 29 Jan 2020, 18:22
by Bradyh98
I have the following code:

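/// Prepares the client-side security configuration for a session.
///
/// Creates the PKI directories, sets the user-name/password identity, generates a
/// self-signed application certificate and RSA key pair when no certificate can be
/// loaded from m_clientCertificateFile, then initializes the OpenSSL PKI provider
/// and loads the certificate and private key into sessionSecurityInfo.
///
/// @param sessionSecurityInfo  Security settings that are filled in for the session.
/// @return The bad status of initializePkiProviderOpenSSL() if that step fails,
///         otherwise the status of loadClientCertificateOpenSSL().
UaStatus UAConfiguration::setupSecurity(SessionSecurityInfo & sessionSecurityInfo)
{
    UaStatus result;

    // Create the directories used for the certificate, key, trust list and CRLs.
    // NOTE(review): mkpath() receives filePath(<certificate file>) below. Confirm that
    // filePath() yields the parent directory here; if it returns the full file path,
    // a directory would be created where the certificate file is meant to be written.
    UaDir dirHelper("");
    UaUniString usClientCertificatePath(dirHelper.filePath(UaDir::fromNativeSeparators(m_clientCertificateFile.toUtf16())));
    dirHelper.mkpath(usClientCertificatePath);
    UaUniString usPrivateKeyPath(dirHelper.filePath(UaDir::fromNativeSeparators(m_clientPrivateKeyFile.toUtf16())));
    dirHelper.mkpath(usPrivateKeyPath);
    UaUniString usTrustListLocationPath(dirHelper.filePath(UaDir::fromNativeSeparators(m_certificateTrustListLocation.toUtf16())));
    dirHelper.mkpath(usTrustListLocationPath);
    UaUniString usRevocationListPath(dirHelper.filePath(UaDir::fromNativeSeparators(m_certificateRevocationListLocation.toUtf16())));
    dirHelper.mkpath(usRevocationListPath);

    // Try to load an existing client certificate.
    UaPkiCertificate clientCertificate = UaPkiCertificate::fromDERFile(m_clientCertificateFile);

    // Set up user name and password for the user identity token.
    sessionSecurityInfo.setUserPasswordUserIdentity(m_clientUsername, m_clientPassword);

    // No certificate could be loaded - create a new self-signed one.
    if (clientCertificate.isNull())
    {
        // 2048-bit RSA key: 1024-bit keys are below current minimum recommendations
        // and are not accepted by the newer OPC UA security policies.
        UaPkiRsaKeyPair keyPair(2048);
        UaPkiIdentity identity;
        UaString sNodeName;
        char szHostName[256];
        // If the host name lookup fails, sNodeName stays empty and the common name,
        // application URI and DNS name below are built from an empty string.
        if (0 == UA_GetHostname(szHostName, 256))
        {
            sNodeName = szHostName;
        }

        identity.commonName = UaString("Client_Cpp_SDK@%1").arg(sNodeName);
        identity.organization = "Organization";
        identity.organizationUnit = "Unit";
        identity.locality = "LocationName";
        identity.state = "Ohio";
        identity.country = "USA";
        identity.domainComponent = sNodeName;

        UaPkiCertificateInfo info;
        info.URI = UaString("urn:%1:%2:%3").arg(sNodeName).arg(COMPANY_NAME).arg(PRODUCT_NAME);
        info.DNSNames.create(1);
        sNodeName.copyTo(&info.DNSNames[0]);
        info.validTime = 3600 * 24 * 365 * 5; // 5 years in seconds

        // Create the self-signed certificate: the same key pair supplies the
        // subject public key and the issuer private key.
        UaPkiCertificate cert(info, identity, keyPair);

        // Save the certificate (public part) as a DER file.
        // NOTE(review): the result of toDERFile()/toPEMFile() is discarded, so a failed
        // write goes unnoticed until loadClientCertificateOpenSSL() fails below. Check
        // the result here and confirm that cert is not null before writing it.
        cert.toDERFile(m_clientCertificateFile);

        // Save the private key as a PEM file.
        // NOTE(review): the second argument (password) is 0, so the private key is
        // presumably written to disk unencrypted, while m_clientPassword is passed as
        // the key password when loading below. Protect the key file with restrictive
        // file permissions, or encrypt it with a password that is not the user's
        // login password.
        keyPair.toPEMFile(m_clientPrivateKeyFile.toUtf8(), 0);
    }

    // Initialize the PKI provider for using OpenSSL.
    result = sessionSecurityInfo.initializePkiProviderOpenSSL(
        m_certificateRevocationListLocation,
        m_certificateTrustListLocation,
        m_issuersRevocationListLocation,
        m_issuersCertificatesLocation);
    if (result.isBad())
    {
        printf("*******************************************************\n");
        printf("** setupSecurity failed!\n");
        printf("** Could not initialize PKI\n");
        printf("*******************************************************\n");
        return result;
    }

    // Load the client certificate and private key.
    result = sessionSecurityInfo.loadClientCertificateOpenSSL(
        m_clientCertificateFile,
        m_clientPrivateKeyFile,
        m_clientPassword);
    if (result.isBad())
    {
        printf("*******************************************************\n");
        printf("** setupSecurity failed!\n");
        printf("** Could not load Client certificate\n");
        printf("** Connect will work only without security\n");
        printf("*******************************************************\n");
    }
    return result;
}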

For whatever reason, it will not create the DER certificate needed to connect to the KepServer. However, it does create the PEM certificate. Does anyone know why this is?