Can't Connect using User Certificate

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...


Can't Connect using User Certificate

Post by trandana »

I'm unable to connect to the UA Server using User Certificate authentication.

Configuration.cpp:


	// Load the user's certificate from the DER-encoded file named by getUserCertificate().
	UaPkiCertificate userCertificate = UaPkiCertificate::fromDERFile(getUserCertificate());
        // Load the user's RSA key pair from the PEM file named by getUserPrivateKey().
        // The key password is handed over as UTF-8 bytes.
        // NOTE(review): a wrong password, a key that is not RSA, or a PEM encryption
        // the loader does not handle would presumably all end in the same
        // isValid() == false; confirm against the SDK documentation.
	UaPkiRsaKeyPair userPrivateKey = UaPkiRsaKeyPair::fromPEMFile(getUserPrivateKey(), getUserPrivateKeyPassword().toUtf8());

	// Both checks below only report the problem on stdout; nothing here stops
	// the caller from going on with a missing certificate or an unusable key.
	// Keep these diagnostics generic: the password must never be printed.
	if (userCertificate.isNull())
	{
		printf("\nUser cert was null\n");
	}
	// The key pair is tested with isValid(), the certificate above with isNull().
	if (!userPrivateKey.isValid())
	{
		printf("\nUser private key invalid\n");
	}

The certificate loads okay, but userPrivateKey.isValid() is always false.
I can connect to UA Expert using the same certificate, private key and password.
What might cause this to fail?

Thanks!


Re: Can't Connect using User Certificate

Post by trandana »

I fixed this by switching to the User Certificate code in the client_app_sdk project:


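/**
 * Prepare the PKI material the client needs for a secured session with
 * user-certificate authentication.
 *
 * Steps, in order: create the PKI folders, create the certificates if needed,
 * initialize the OpenSSL PKI provider on sessionSecurityInfo, load the client
 * application certificate and key, then load the user certificate (DER) into
 * m_userCertificate and the user private key (PEM) into m_userPrivateKey.
 *
 * @param sessionSecurityInfo  Receives the PKI provider configuration and the
 *                             client application certificate.
 * @return A good status when every step succeeded. Otherwise the status of the
 *         failing step, or OpcUa_Bad when the user certificate cannot be loaded
 *         or the user key is not an RSA private key.
 */
UaStatus Configuration::setupSecurity(SessionSecurityInfo& sessionSecurityInfo)
{
	UaStatus uStatus;

	// Create folders
	uStatus = createPKIFolders();
	if (uStatus.isBad())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** Could not create PKI folders\n");
		printf("*******************************************************\n");
		return uStatus;
	}

	// Check if certificates exist and create if necessary
	uStatus = createCertificates();
	if (uStatus.isBad())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** Could not create certificates\n");
		printf("*******************************************************\n");
		return uStatus;
	}

	/*********************************************************************
	 Initialize the PKI provider for OpenSSL
	**********************************************************************/
	// Argument order: CRL directory for trusted certificates, trust list,
	// CRL directory for issuers, issuer certificates. The first argument used
	// to be m_issuersRevocationListLocation, so the issuers' CRL directory was
	// passed twice and m_certificateRevocationListLocation was never given to
	// the provider.
	// NOTE(review): that presumably left revocation of trusted certificates
	// unchecked against the intended directory; confirm with the SDK docs.
	uStatus = sessionSecurityInfo.initializePkiProviderOpenSSL(
		m_certificateRevocationListLocation,
		m_certificateTrustListLocation,
		m_issuersRevocationListLocation,
		m_issuersCertificatesLocation);
	/*********************************************************************/
	if (uStatus.isBad())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** Could not initialize PKI\n");
		printf("*******************************************************\n");
		return uStatus;
	}

	/*********************************************************************
	 Load certificate and private key for client from OpenSSL store
	**********************************************************************/
	uStatus = sessionSecurityInfo.loadClientCertificateOpenSSL(m_clientCertificateFilePath, m_clientPrivateKeyFilePath, m_applicationPassword);
	/*********************************************************************/
	if (uStatus.isBad())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** Could not load Client certificate\n");
		printf("** Connect will work only without security\n");
		printf("*******************************************************\n");
		return uStatus;
	}

	/*********************************************************************
	 Load user certificate and private key from OpenSSL store
	**********************************************************************/
	UaPkiCertificate userCert = UaPkiCertificate::fromDERFile(m_userCertificateFilePath);
	if (!userCert.isValid())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** Could not load user certificate\n");
		printf("*******************************************************\n");
		return OpcUa_Bad;
	}
	// Stored once; the original assigned the same DER bytes a second time
	// right after the validity check.
	m_userCertificate = userCert.toDER();

	UaPkiProviderOpenSSL pkiProvider(m_certificateRevocationListLocation, m_certificateTrustListLocation);
	uStatus = pkiProvider.openCertificateStore();
	if (uStatus.isBad())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** openCertificateStore failed\n");
		printf("*******************************************************\n");
		return uStatus;
	}

	OpcUa_Key privateKey;
	OpcUa_Key_Initialize(&privateKey);
	// The password is only handed to the loader; it must never appear in the
	// diagnostics printed below.
	uStatus = pkiProvider.loadPrivateKey(m_userPrivateKeyFilePath, OpcUa_Crypto_Encoding_PEM, m_userPrivateKeyPassword, &privateKey);
	if (uStatus.isBad())
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** loadPrivateKey failed\n");
		printf("*******************************************************\n");
		return uStatus;
	}

	if (privateKey.Type == OpcUa_Crypto_KeyType_Rsa_Private)
	{
		// Report success only once the key type has been accepted; the
		// original printed this line before the type check.
		printf("\nUser cert store opened, user cert and private key loaded\n");
		// NOTE(review): m_userPrivateKey keeps the key material in process
		// memory for as long as this object holds it.
		m_userPrivateKey = UaByteString(privateKey.Key);
	}
	else
	{
		printf("*******************************************************\n");
		printf("** setupSecurity failed!\n");
		printf("** loadPrivateKey failed - wrong key type\n");
		printf("*******************************************************\n");
		uStatus = OpcUa_Bad;
	}
	// Clear the temporary key structure on both paths, as the original did.
	OpcUa_Key_Clear(&privateKey);

	return uStatus;
}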
