GDS Server (Client) FinishRequest fails for special SubjectName #2586

Open
2 of 5 tasks
KircMax opened this issue Apr 16, 2024 · 2 comments · May be fixed by #2591
Labels
Pending Feedback Pending on further feedbacks or clarification from person who create the issue.

Comments

Contributor

KircMax commented Apr 16, 2024

Type of issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Current Behavior

When I try to have a certificate signed with a subject name like:
""ValueWith/Inside""
or
""ValueWith=Inside""
the GDS Server signing fails:
image

I call it like so:
```csharp
var certificateRequest = PushClient.CreateSigningRequest(certGroup, appCertType, subjectName, regeneratePrivateKey, nonce);
var requestId = GdsClient.StartSigningRequest(appId, null, null, certificateRequest);
var certificate = GdsClient.FinishRequest(appId, requestId, out byte[] privateKey, out byte[][] issuerCertificates);
```

I read in the spec that this is the correct way to provide a value that contains a '/' or a '=' (please correct me if I misread it):
"If the value contains a ‘/’ or a ‘=’ then it shall be enclosed in double quotes (‘”’)."
https://reference.opcfoundation.org/GDS/v105/docs/7.9.4

Expected Behavior

Works fine, the certificate is signed.

Steps To Reproduce

No response

Environment

- OS:
- Environment:
- Runtime:
- Nuget Version: 1.5.373.121
- Component:
- Server:
- Client:

Anything else?

No response


OPCLabs commented Apr 20, 2024

@romanett, just note that per the spec, the CertificateManager may ignore the subject passed to it in StartNewKeyPairRequest or StartSigningRequest (and I have seen it happen). For this reason, a Server that does not support changing the subject name in this way won't be interoperable, I think.

Contributor

romanett commented Apr 20, 2024

In the ConfigurationNode Manager we do exactly this and ignore the provided Subject Name to keep the running server consistent with the Name specified in the xml configuration.

The GDS does of course allow applications to specify their subject name.

To me it seems we are missing a parsing step in the X509Utils.ParseDistinguishedName.

Update: Fix in linked PR

romanett added the labels "bug" (A bug was identified and should be fixed.) and "Pending Feedback" (Pending on further feedbacks or clarification from person who create the issue.) and removed the labels "needs investigation" and "bug" (A bug was identified and should be fixed.) on Apr 20, 2024
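
The quoting rule cited in the issue, shown as an added example that is not part of the thread and not the project's code (the project's fix is in the linked PR). `SubjectNameExample.Split` is a hypothetical helper. It assumes fields are `type=value` pairs separated by '/', and it rejects unquoted delimiters inside a value so that a value can never be read as an extra field:

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class SubjectNameExample
{
    // Hypothetical helper, not X509Utils.ParseDistinguishedName. Assumes fields
    // are "type=value" separated by '/', and that a value containing '/' or '='
    // is enclosed in double quotes (the rule quoted from the GDS specification).
    public static List<KeyValuePair<string, string>> Split(string subjectName)
    {
        if (subjectName == null) throw new ArgumentNullException(nameof(subjectName));
        var fields = new List<KeyValuePair<string, string>>();
        var token = new StringBuilder();
        string type = null;
        bool inQuotes = false;

        void EndField()
        {
            if (type == null) throw new FormatException("Field without '=': " + token);
            fields.Add(new KeyValuePair<string, string>(type, token.ToString()));
            type = null;
            token.Clear();
        }

        foreach (char c in subjectName)
        {
            if (c == '"') inQuotes = !inQuotes;          // quotes delimit, they are not data
            else if (inQuotes) token.Append(c);          // '/' and '=' stay part of the value
            else if (c == '/') { if (type != null || token.Length > 0) EndField(); }
            else if (c != '=') token.Append(c);
            else if (type != null) throw new FormatException("Unquoted '=' in value of " + type);
            else { type = token.ToString().Trim(); token.Clear(); }
        }
        if (inQuotes) throw new FormatException("Unterminated double quote.");
        if (type != null || token.Length > 0) EndField();
        return fields;
    }

    public static void Main()
    {
        // Constructed inputs, not taken from the issue.
        foreach (var f in Split("CN=\"ValueWith/Inside\"/O=\"A=B\"/DC=example"))
            Console.WriteLine(f.Key + " -> " + f.Value);
        try { Split("CN=ValueWith/Inside"); }            // unquoted '/': "Inside" has no type
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```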