You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
When a CA has a CRL without certificates revoked, the CRL fails to be decoded and throws an exception when it attempts to get the list of revoked certificates.
To Reproduce
Create a self-signed CA (Ex: CA.DER + CA.PFX)
Create an empty CRL for the CA (CA.CRL)
Create a Certificate for the OPC Publisher from the CA (OPCPublisher.DER + OPCPublisher.PFX)
Copy the Certificates and the CRL to the OPC Publisher pki directories
Start the OPC Publisher (Ex: Docker run --name opcpublisher mcr.microsoft.com/iotedge/opc-publisher:2.9.6 ...)
Verify that the OPC Publisher fails to decode the CRL with the exception below
██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗██████╗ ██╗ ██╗███████╗██╗ ██╗███████╗██████╗
██╔═══██╗██╔══██╗██╔════╝ ██╔══██╗██║ ██║██╔══██╗██║ ██║██╔════╝██║ ██║██╔════╝██╔══██╗
██║ ██║██████╔╝██║ ██████╔╝██║ ██║██████╔╝██║ ██║███████╗███████║█████╗ ██████╔╝
██║ ██║██╔═══╝ ██║ ██╔═══╝ ██║ ██║██╔══██╗██║ ██║╚════██║██╔══██║██╔══╝ ██╔══██╗
╚██████╔╝██║ ╚██████╗ ██║ ╚██████╔╝██████╔╝███████╗██║███████║██║ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
2.9.6.4+978a207cf9 (.NET 8.0.4/linux-x64/OPC Stack 1.5.374.36)
To connect to Azure IoT Hub you must run as module inside IoT Edge or specify a device connection string using EdgeHubConnectionString environment variable or command line.
[24-04-23 14:15:15.3203] warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
Storing keys in a directory '/root/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning
[24-04-23 14:15:15.3902] info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[62]
User profile is available. Using '/root/.aspnet/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
[24-04-23 14:15:16.0046] info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
Creating key {b0dc7648-c4e5-4485-a2c7-9b35f1f0ea27} with creation date 2024-04-23 14:15:15Z, activation date 2024-04-23 14:15:15Z, and expiration date 2024-07-22 14:15:15Z.
[24-04-23 14:15:16.1784] warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
No XML encryptor configured. Key {b0dc7648-c4e5-4485-a2c7-9b35f1f0ea27} may be persisted to storage in unencrypted form.
[24-04-23 14:15:16.3126] info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
Writing data to file '/root/.aspnet/DataProtection-Keys/key-b0dc7648-c4e5-4485-a2c7-9b35f1f0ea27.xml'.
[24-04-23 14:15:17.9230] warn: Microsoft.AspNetCore.Server.Kestrel[0]
Overriding address(es) 'http://*:8080'. Binding to endpoints defined via IConfiguration and/or UseKestrel() instead.
[24-04-23 14:15:18.0441] info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://[::]:80
[24-04-23 14:15:18.0443] info: Microsoft.Hosting.Lifetime[14]
Now listening on: https://0.0.0.0:443
[24-04-23 14:15:18.3425] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[512]
Imported the PFX private key for [713ED123DAD23099D530E54F24C7A8C1E55CCF7F].
[24-04-23 14:15:18.3679] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Own certificate Subject 'CN=OPCPublisher, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company' (Thumbprint: 713ED123DAD23099D530E54F24C7A8C1E55CCF7F) loaded.
[24-04-23 14:15:18.3723] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Checking application instance certificate.
[24-04-23 14:15:18.4615] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[512]
Imported the PFX private key for [713ED123DAD23099D530E54F24C7A8C1E55CCF7F].
[24-04-23 14:15:18.4729] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Check certificate: [CN=OPCPublisher, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company] [713ED123DAD23099D530E54F24C7A8C1E55CCF7F]
[24-04-23 14:15:18.4809] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Check application instance certificate. [CN=OPCPublisher, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company] [713ED123DAD23099D530E54F24C7A8C1E55CCF7F]
[24-04-23 14:15:18.9367] warn: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Application Certificate Validation suppressed BadCertificateRevocationUnknown
[24-04-23 14:15:18.9371] warn: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Validation errors suppressed: [CN=OPCPublisher, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company] [713ED123DAD23099D530E54F24C7A8C1E55CCF7F]
[24-04-23 14:15:18.9414] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Updated the ApplicationUri: urn:76f5:f3be:7f85:b215:a1f7:ee6b:941d:96ba:OPCPublisher:microsoft: --> urn:2fe5:32b8:155d:157d:7ceb:76bb:a830:1d20:OPCPublisher:microsoft:
[24-04-23 14:15:18.9416] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaStack[0]
Using the ApplicationUri: urn:2fe5:32b8:155d:157d:7ceb:76bb:a830:1d20:OPCPublisher:microsoft:
[24-04-23 14:15:18.9790] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Application own certificate store contains 1 certs.
[24-04-23 14:15:18.9802] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
01: Subject 'CN=OPCPublisher, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company' (Thumbprint: 713ED123DAD23099D530E54F24C7A8C1E55CCF7F)
[24-04-23 14:15:19.0255] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Trusted issuer store contains 1 certs.
[24-04-23 14:15:19.0257] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
01: Subject 'DC=ABCDEFG, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company, CN=Company Root CA TEST CERTIFICATE' (Thumbprint: 48DAAF298B252104906C52FE5D02C22D2116ED5C)
[24-04-23 14:15:19.0527] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Trusted issuer store has 1 CRLs.
[24-04-23 14:15:19.0742] fail: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Error while trying to read information from trusted issuer store.
System.Security.Cryptography.CryptographicException: Failed to decode the CRL.
---> System.Formats.Asn1.AsnContentException: The provided data does not represent a valid tag.
at System.Formats.Asn1.Asn1Tag.Decode(ReadOUSySpan`1 source, Int32& bytesConsumed)
at System.Formats.Asn1.AsnReader.PeekTag()
at Opc.Ua.Security.Certificates.X509CRL.DecodeCrl(Byte[] tbs)
--- End of inner exception stack trace ---
at Opc.Ua.Security.Certificates.X509CRL.DecodeCrl(Byte[] tbs)
at Opc.Ua.Security.Certificates.X509CRL.Decode(Byte[] crl)
at Opc.Ua.Security.Certificates.X509CRL.EnsureDecoded()
at Opc.Ua.Security.Certificates.X509CRL.get_IssuerName()
at Opc.Ua.Security.Certificates.X509CRL.get_Issuer()
[24-04-23 14:15:19.2368] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Trusted peer store contains 1 certs.
[24-04-23 14:15:19.2370] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
01: Subject 'DC=ABCDEFG, C=US, S=State, L=City, OU=IS-IE-PSE-MMS, O=Company, CN=Company Root CA TEST CERTIFICATE' (Thumbprint: 48DAAF298B252104906C52FE5D02C22D2116ED5C)
[24-04-23 14:15:19.2455] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Trusted peer store has 0 CRLs.
[24-04-23 14:15:19.2514] info: Azure.IIoT.OpcUa.Publisher.Stack.Services.OpcUaApplication[0]
Rejected certificate store contains 0 certs.
Expected behavior
When a CA has a CRL without revoked certificates, the CRL should still be decoded properly.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
OS: Windows 11 on WSL running the Docker command indicated above
Hi @nelsonmorais, I can repro the issue when neither revoked nor CRL extensions are encoded. As a workaround you can add a CRL extension or revoke a cert. Otherwise fix is available in the next release.
Describe the bug
When a CA has a CRL without certificates revoked, the CRL fails to be decoded and throws an exception when it attempts to get the list of revoked certificates.
To Reproduce
Expected behavior
When a CA has a CRL without revoked certificates, the CRL should still be decoded properly.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Additional context
The issue is on the OPC Foundation .NET-Standard stack at this location:
https://github.com/OPCFoundation/UA-.NETStandard/blob/6bdd741dc0869ab463974e181b82b84b16222234/Libraries/Opc.Ua.Security.Certificates/X509Crl/X509Crl.cs#L271
Possible fix:
Other info:
A similar issue was opened on the OPC Foundation .NET Standard repository for cross reference at: OPCFoundation/UA-.NETStandard#2595
The text was updated successfully, but these errors were encountered: