'client_encryption.c' returns a 'BadCertificateRevocationUnknown' error #6404

Open
6 of 7 tasks
audi0615 opened this issue Apr 11, 2024 · 0 comments

Comments


audi0615 commented Apr 11, 2024

Description

Hi,

I'm struggling to implement a client with encryption.
I used client_encryption.c for testing and created the client's certificate and key using tools/certs/create_self-signed.py.
My server is a Codesys V3 SP20 OPC UA server.
The UAExpert client has no issue connecting to the server, but client_encryption.c returns a BadCertificateRevocationUnknown error when trying to connect to the same server.

Below is a part of my code:

#include <open62541/client.h>
#include <open62541/client_config_default.h>
#include <open62541/plugin/log_stdout.h>

#include <stdlib.h>

#include "common.h" /* loadFile() helper from open62541's examples directory */

int main(void)
{
    /* Load certificate and private key */
    UA_ByteString certificate = loadFile("/home/ca/cert.der"); //tried pem, der but got same error
    UA_ByteString privateKey = loadFile("/home/ca/key.der"); //tried pem, der but got same error

    /* Trust list: only the server's own certificate */
    size_t trustListSize = 1;
    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
    trustList[0] = loadFile("/home/kim/server.cer");  //Codesys OPC UA Server certificate, tried cer, der but got same error

    /* No revocation list is passed */
    UA_ByteString* revocationList = NULL;
    size_t revocationListSize = 0;

    UA_Client* client = UA_Client_new();
    UA_ClientConfig* cc = UA_Client_getConfig(client);

    cc->securityPolicyUri = UA_String_fromChars("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256");

    UA_String_clear(&cc->clientDescription.applicationUri);
    cc->clientDescription.applicationUri = UA_STRING_ALLOC("urn:open62541.server.application");

    UA_StatusCode retval = UA_ClientConfig_setDefaultEncryption(cc, certificate, privateKey,
        trustList, trustListSize,
        revocationList, revocationListSize);
    if (retval != UA_STATUSCODE_GOOD) {
        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
            "Failed to set encryption.");
        UA_Client_delete(client);
        return EXIT_FAILURE;
    }

    /* The config has copied what it needs; release the file buffers */
    UA_ByteString_clear(&certificate);
    UA_ByteString_clear(&privateKey);
    for (size_t deleteCount = 0; deleteCount < trustListSize; deleteCount++) {
        UA_ByteString_clear(&trustList[deleteCount]);
    }

    /* Secure client connect */
    cc->securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT;
    retval = UA_Client_connectUsername(client, "opc.tcp://192.168.52.1:4840", "my_id", "my_pwd");
    if (retval != UA_STATUSCODE_GOOD) {
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
            "Connect failed with %s", UA_StatusCode_name(retval));
        UA_Client_delete(client);
        return EXIT_FAILURE;
    }

    // ...

    UA_Client_delete(client);
    return EXIT_SUCCESS;
}

I encountered a BadCertificateRevocationUnknown error as shown below:

...
[2024-04-11 09:56:58.833 (UTC+0900)] info/securitypolicy        The basic256sha256 security policy channel with OpenSSL is created.
[2024-04-11 09:56:58.843 (UTC+0900)] info/network       TCP 5   | Opening a connection to "192.168.52.1" on port 4840
[2024-04-11 09:56:58.843 (UTC+0900)] info/network       TCP 4   | Socket closed
[2024-04-11 09:56:58.892 (UTC+0900)] error/client       Processing the message returned the error code BadCertificateRevocationUnknown
[2024-04-11 09:56:58.892 (UTC+0900)] info/client        Client Status: ChannelState: Closing, SessionState: Closed, ConnectStatus: BadCertificateRevocationUnknown
[2024-04-11 09:56:58.892 (UTC+0900)] info/channel       TCP 5   | SC 0  | SecureChannel closed
[2024-04-11 09:56:58.892 (UTC+0900)] info/securitypolicy        The basic256sha256 security policy channel with OpenSSL is deleted.
[2024-04-11 09:56:58.892 (UTC+0900)] info/client        Client Status: ChannelState: Fresh, SessionState: Closed, ConnectStatus: BadCertificateRevocationUnknown
[2024-04-11 09:56:58.892 (UTC+0900)] info/network       TCP 5   | Socket closed
[2024-04-11 09:56:58.992 (UTC+0900)] info/eventloop     Stopping the EventLoop
[2024-04-11 09:56:58.992 (UTC+0900)] info/network       UDP     | Shutting down the ConnectionManager
[2024-04-11 09:56:58.992 (UTC+0900)] info/network       TCP     | Shutting down the ConnectionManager
[2024-04-11 09:56:58.992 (UTC+0900)] info/eventloop     The EventLoop has stopped

It appears that the server accepted the client without any issues, but the client requires the revocation list. Do I need to create a revocation list, which is actually empty, I think? How can I create it?

Background Information / Reproduction Steps

  • OPC UA Server: Codesys V3 SP20 x64 (certificate + user and password)
  • UAExpert client works fine without issue.
  • 'client_encryption.c' returns BadCertificateRevocationUnknown error.

Checklist

Please provide the following information:

  • open62541 Version (release number or git tag): latest version
  • Other OPC UA SDKs used (client or server): Codesys OPC UA server
  • Operating system: Ubuntu linux x64
  • Logs (with UA_LOGLEVEL set as low as necessary) attached
  • Wireshark network dump attached
  • Self-contained code example attached
  • Critical issue
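Added worked example (editor's addition, not from the issue author or from open62541): the post ends by asking how to create an empty revocation list. A CRL, empty or not, is an X.509 object signed by the issuer of the certificates it covers, so it can only be produced by whoever holds the issuer's private key. For a self-signed certificate that is the certificate's own key, which means the client side cannot manufacture a CRL for the Codesys server's self-signed certificate; it would have to be exported from the server, or the client's verification configured so that no CRL is required. The script below shows the mechanics with the openssl CLI for a certificate whose key you do control: it creates a self-signed CA-style certificate, issues an empty CRL signed by that key, writes it in PEM and DER, and checks that the CRL lists no serials and that its signature verifies against the certificate. The DER file is the kind of object that would go into the revocationList array handed to UA_ClientConfig_setDefaultEncryption in place of the NULL in the code above. The directory, file names and subject CN are assumptions, and whether an empty CRL resolves this particular error is not something the post establishes.

```shell
#!/bin/sh
# Added example (not from the issue or from open62541): create a self-signed
# CA-style certificate and an empty CRL signed by the same key, in PEM and DER.
# Requires the openssl CLI. All paths and the subject CN are assumptions.
set -eu

# make_empty_crl <workdir> <subject CN>
# Produces $workdir/ca.key, $workdir/ca.crt, $workdir/empty.crl.pem, $workdir/empty.crl.der
make_empty_crl() {
    dir=$1
    cn=$2
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"            # empty CA database: nothing has been revoked
    echo 1000 > "$dir/crlnumber"    # CRL number counter required by 'openssl ca -gencrl'

    # Minimal config covering both 'openssl req -x509' and 'openssl ca -gencrl'.
    # Lines with \$dir are left for openssl to expand from the 'dir' key.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 365
[ req ]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[ dn ]
CN = $cn
[ ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # Self-signed certificate with the CA and cRLSign bits set
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
    # Empty CRL: the database has no revoked entries, so the list is empty but signed
    openssl ca -batch -config "$dir/ca.cnf" -gencrl -out "$dir/empty.crl.pem"
    # DER encoding, the form usually handed to OPC UA stacks
    openssl crl -in "$dir/empty.crl.pem" -outform DER -out "$dir/empty.crl.der"
}

# crl_revoked_count <crl.pem>: prints the number of revoked serials in the CRL
crl_revoked_count() {
    openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# crl_signed_by <crl.pem> <issuer.crt>: succeeds if the CRL signature verifies
# against the issuer certificate
crl_signed_by() {
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'
}

# Stand-alone run: ./make_empty_crl.sh run  (writes into ./ca, an assumed path)
if [ "${1:-}" = "run" ]; then
    make_empty_crl ./ca "open62541 test CA"
    echo "revoked entries in ./ca/empty.crl.pem: $(crl_revoked_count ./ca/empty.crl.pem)"
    crl_signed_by ./ca/empty.crl.pem ./ca/ca.crt && echo "CRL signature verifies"
fi
```

The check at the end is the one worth keeping in any trust-store tooling: a CRL that does not verify against the certificate you intend it for will be rejected by a correctly behaving verifier just as a missing one is, so confirm issuer and signature before blaming the stack.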