IOP: ECC preview server throws BadCertificateRevocationUnknown when calling ApplyChanges after cert update #2552

Open
mregen opened this issue Mar 12, 2024 · 4 comments · May be fixed by OPCFoundation/UA-.NETStandard-Samples#596

@mregen (Contributor) commented Mar 12, 2024

Type of issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Current Behavior

If strict revocation check is used, GDS Push cert update fails the UpdateCertificate --> ApplyChanges because there is no way to transmit a CRL with the updated certificate. Only the Root CA cert is transmitted.
Server needs to be manually restarted or crashes.

System.AggregateException
  HResult=0x80131500
  Message=One or more errors occurred. (BadCertificateRevocationUnknown)
  Source=System.Private.CoreLib
  StackTrace:
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Opc.Ua.Bindings.TcpTransportListener.CertificateUpdate(ICertificateValidator validator, CertificateTypesProvider certificateTypesProvider) in D:\Source\Repos\UA-.NETStandard5\Stack\Opc.Ua.Core\Stack\Tcp\TcpTransportListener.cs:line 447

  This exception was originally thrown at this call stack:
    Opc.Ua.CertificateValidator.GetIssuer(System.Security.Cryptography.X509Certificates.X509Certificate2, Opc.Ua.CertificateIdentifierCollection, Opc.Ua.CertificateStoreIdentifier, bool) in CertificateValidator.cs
    Opc.Ua.CertificateValidator.GetIssuersNoExceptionsOnGetIssuer(System.Security.Cryptography.X509Certificates.X509Certificate2Collection, System.Collections.Generic.List<Opc.Ua.CertificateIdentifier>, System.Collections.Generic.Dictionary<System.Security.Cryptography.X509Certificates.X509Certificate2, Opc.Ua.ServiceResultException>) in CertificateValidator.cs
    Opc.Ua.CertificateTypesProvider.LoadCertificateChainAsync(System.Security.Cryptography.X509Certificates.X509Certificate2) in CertificateIdentifier.cs
    Opc.Ua.CertificateTypesProvider.LoadCertificateChainRawAsync(System.Security.Cryptography.X509Certificates.X509Certificate2) in CertificateIdentifier.cs

Inner Exception 1:
ServiceResultException: BadCertificateRevocationUnknown

Expected Behavior

The revocation check should be relaxed for the cert update check, to allow the server to continue running.
Later, with GDS server push, the trust lists can be updated.

Steps To Reproduce

Start GDS Server.
Start Winforms GDS Client.
Connect to UA ref server, register and update certificate using the known workflow.
--> see exception thrown.

Environment

- OS: Windows
- Environment: 
- Runtime: .NET 8.0
- Nuget Version: 1.5.375 preview
- Component:
- Server: ECC Preview server 1.5.375
- Client:  samples GDS winforms client

Anything else?

The recommendation is to update the trust lists before updating the application certificate.

@romanett (Contributor)

@mregen we could create our own certificate validator for ApplyChanges, same as with the UpdateCertificate method (with setting m_rejectUnknownRevocationStatus = false):

    // Build a separate validator that only knows the issuer certificates
    // delivered with the update (newIssuerCollection), not the server's
    // configured trust list.
    CertificateValidator certValidator = new CertificateValidator();
    CertificateTrustList issuerStore = new CertificateTrustList();
    CertificateIdentifierCollection issuerCollection = new CertificateIdentifierCollection();
    foreach (var issuerCert in newIssuerCollection)
    {
        issuerCollection.Add(new CertificateIdentifier(issuerCert));
    }
    issuerStore.TrustedCertificates = issuerCollection;
    // The same list serves as issuer store and trusted store; no rejected store is used.
    certValidator.Update(issuerStore, issuerStore, null);
    // Throws ServiceResultException (e.g. BadCertificateRevocationUnknown) on failure.
    certValidator.Validate(newCert);

https://github.com/OPCFoundation/UA-.NETStandard/blob/3f29a72a37f231ab5ab0de151a197169940b4159/Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs#L412C24-L421C57

Should I prepare a PR?
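To make the difference between the strict and the relaxed policy concrete, here is an added Python model; it is not code from UA-.NETStandard or the GDS samples. Certificates, the trust list and CRLs are plain records constructed inline, the status names are the real OPC UA status codes, and every function and variable name is this example's own. It walks the chain the way the validator's issuer lookup does and applies the unknown-revocation policy at each hop, then replays the three situations from this thread: cert update without a CRL, trust list updated first, and a serial that is actually on the CRL.

```python
"""Model of the validator decision behind BadCertificateRevocationUnknown.

Added illustration only (not UA-.NETStandard code). Certificates, CRLs and the
trust list are plain dictionaries so the example runs offline.
"""
from dataclasses import dataclass, field

# Real OPC UA status code names; the rest of the naming is this example's own.
GOOD = "Good"
BAD_CHAIN_INCOMPLETE = "BadCertificateChainIncomplete"
BAD_REVOCATION_UNKNOWN = "BadCertificateRevocationUnknown"
BAD_REVOKED = "BadCertificateRevoked"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class TrustList:
    """What the server holds: trusted/issuer certs plus CRLs keyed by issuer."""
    certs: dict = field(default_factory=dict)   # subject -> Cert
    crls: dict = field(default_factory=dict)    # issuer subject -> set of revoked serials


def validate(cert, trust_list, reject_unknown_revocation=True):
    """Walk cert -> issuer -> ... -> self-signed root, consulting a CRL per hop.

    strict  (reject_unknown_revocation=True):  no CRL for the issuer -> BadCertificateRevocationUnknown
    relaxed (reject_unknown_revocation=False): a missing CRL is tolerated, but a CRL
            that is present and lists the serial still yields BadCertificateRevoked.
    """
    current = cert
    while True:
        if current.issuer == current.subject:      # self-signed root ends the chain
            return GOOD
        issuer = trust_list.certs.get(current.issuer)
        if issuer is None:
            return BAD_CHAIN_INCOMPLETE
        crl = trust_list.crls.get(issuer.subject)
        if crl is None:
            if reject_unknown_revocation:
                return BAD_REVOCATION_UNKNOWN
        elif current.serial in crl:
            return BAD_REVOKED
        current = issuer


# Constructed sample PKI: one GDS root CA, old and new application certificates.
ROOT = Cert("CN=GDS Root CA", "CN=GDS Root CA", serial=1)
OLD_APP = Cert("CN=UA Ref Server", "CN=GDS Root CA", serial=1000)
NEW_APP = Cert("CN=UA Ref Server", "CN=GDS Root CA", serial=1001)


def after_update_certificate_only():
    """UpdateCertificate carries the new cert and issuer certs, never a CRL."""
    tl = TrustList(certs={ROOT.subject: ROOT})
    return validate(NEW_APP, tl, True), validate(NEW_APP, tl, False)


def after_trust_list_update(revoked=()):
    """Trust list pushed first: the root CA's CRL is now available to the server."""
    tl = TrustList(certs={ROOT.subject: ROOT}, crls={ROOT.subject: set(revoked)})
    return validate(NEW_APP, tl, True), validate(NEW_APP, tl, False)


def old_cert_after_rotation():
    """CRL lists the old serial: the old cert is rejected, the new one accepted (strict)."""
    tl = TrustList(certs={ROOT.subject: ROOT}, crls={ROOT.subject: {OLD_APP.serial}})
    return validate(OLD_APP, tl, True), validate(NEW_APP, tl, True)


if __name__ == "__main__":
    print("cert update only (strict, relaxed):", after_update_certificate_only())
    print("trust list first  (strict, relaxed):", after_trust_list_update())
    print("serial on CRL     (strict, relaxed):", after_trust_list_update(revoked=(NEW_APP.serial,)))
    print("old vs new after rotation (strict):", old_cert_after_rotation())
```

The point the model makes is the one the thread turns on: a relaxed validator is not a no-revocation validator. It only stops treating "no CRL available" as fatal, which is exactly the state the server is in right after UpdateCertificate, because the push carries the issuer certificates but no CRL; a certificate that appears on a CRL the server does hold is still rejected. Pushing the trust list (with its CRLs) before the certificate removes the need for the relaxed path altogether.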

@romanett (Contributor) commented Mar 13, 2024

Here is the issue discussed in mantis: https://mantis.opcfoundation.org/view.php?id=9328


@mregen (Contributor, Author) commented Mar 14, 2024

@romanett, now I remember the discussion. I think first of all the Winforms GDS client needs to be fixed to update the Trustlist first. Then we need to check if it is ok to use an alternate validator with revocation check disabled.

@romanett (Contributor)

Fix provided: OPCFoundation/UA-.NETStandard-Samples#596
