Prevent false use of loading the application certificate, causing 'Keyset not valid' error. (Windows) #1162

Closed
mregen opened this issue Oct 21, 2020 · 2 comments · Fixed by #1525
Labels: enhancement (API or feature enhancement)

Comments

mregen commented Oct 21, 2020

Type of Issue
[X] Bug [X] Enhancement [ ] Compliance [ ] Question [ ] Help wanted

Applies only to the app certificate in a Directory store on Windows:

When the app cert is not loaded through the XML ApplicationConfiguration API,
calling

ApplicationConfiguration.SecurityConfiguration.ApplicationCertificate.Find(true);

before

ApplicationConfiguration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null)

causes the certificate to be loaded without a proper keyset for encrypt/decrypt.
A call to GetRSAPrivateKey throws an exception. Encryption and signing will not work.

To Reproduce

In your code, calling Find or Update before LoadPrivateKey causes the cert to have an invalid KeySet.
A call to GetRSAPrivateKey throws an exception. Encryption and signing will not work.

Expected behavior

The API is able to load the private key even if the calls are not in the right order.

Code snippets

At this time, known working pseudo code:

            // the application certificate; stays null until it has been loaded with its private key
            X509Certificate2 certificate = null;

            // reload the application certificate with private key, if it is there
            // note: do not change this sequence, or the private key is not properly loaded on some platforms
            if (await applicationConfiguration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null).ConfigureAwait(false) != null)
            {
                // update certificate with private key
                certificate = await applicationConfiguration.SecurityConfiguration.ApplicationCertificate.Find(true).ConfigureAwait(false);
            }

            // create a self signed certificate if there is none
            if (certificate == null)
            {
                certificate = CertificateFactory.CreateCertificate(
                    applicationConfiguration.SecurityConfiguration.ApplicationCertificate.StoreType,
                    applicationConfiguration.SecurityConfiguration.ApplicationCertificate.StorePath,
                    null,
                    applicationConfiguration.ApplicationUri,
                    applicationConfiguration.ApplicationName,
                    applicationConfiguration.ApplicationName,
                    null,
                    CertificateFactory.DefaultKeySize,
                    DateTime.UtcNow - TimeSpan.FromDays(1),
                    CertificateFactory.DefaultLifeTime,
                    CertificateFactory.DefaultHashSize,
                    false,
                    null,
                    null
                    );
                // reload the certificate from disk (same sequence as above: private key first, then Find)
                certificate = await applicationConfiguration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null).ConfigureAwait(false);
                if (certificate == null)
                {
                    throw new Exception("OPC UA application certificate can not be loaded from disk!");
                }
                else
                {
                    // update certificate with private key
                    certificate = await applicationConfiguration.SecurityConfiguration.ApplicationCertificate.Find(true).ConfigureAwait(false);
                }
            }

            // update security information
            await applicationConfiguration.CertificateValidator.Update(applicationConfiguration.SecurityConfiguration).ConfigureAwait(false);

Environment (please complete the following information):

  • OS: Windows
  • Development environment: any VS
  • Runtime: all .NET 4.6.2, .NET Core x.1
  • OPC Package Release Version 1.4.363.107
  • Component: Opc.Ua.Core
@mregen mregen added bug A bug was identified and should be fixed. enhancement API or feature enhancement labels Oct 21, 2020
@mregen mregen self-assigned this Oct 21, 2020
@mregen mregen added this to the 1.4.364 milestone Oct 21, 2020
@mregen mregen removed the bug A bug was identified and should be fixed. label Oct 21, 2020
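Added example, not code from the issue or from the OPC UA .NET Standard stack: a startup check that loads the application certificate in the order the report says works (LoadPrivateKey before Find) and then proves the keyset is usable by round-tripping a signature through GetRSAPrivateKey and the certificate's public key. The only Opc.Ua members used are ApplicationConfiguration, SecurityConfiguration.ApplicationCertificate, LoadPrivateKey and Find, all quoted in the issue; the class name CertificateProbe, its method names and the probe message are assumptions made here. It fails loudly on an unusable key instead of silently continuing, which is the behaviour a practitioner wants so that 'Keyset not valid' surfaces at startup rather than on the first secure-channel handshake.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Opc.Ua;

// Hypothetical helper (example code, not part of the OPC UA stack).
public static class CertificateProbe
{
    // Loads the application certificate with its private key and verifies the key works.
    public static async Task<X509Certificate2> LoadAndVerifyAsync(ApplicationConfiguration config)
    {
        CertificateIdentifier id = config.SecurityConfiguration.ApplicationCertificate;

        // Order matters for Directory stores on Windows (see the issue): load the private key
        // first, then refresh the identifier so the returned certificate carries that key.
        X509Certificate2 withKey = await id.LoadPrivateKey(null).ConfigureAwait(false);
        if (withKey == null)
        {
            throw new InvalidOperationException(
                $"No private key found for the application certificate in {id.StoreType}:{id.StorePath}");
        }
        X509Certificate2 cert = await id.Find(true).ConfigureAwait(false) ?? withKey;

        // HasPrivateKey alone is not enough: an invalid keyset only fails when the key is used.
        if (!cert.HasPrivateKey || !CanSignAndVerify(cert, out string reason))
        {
            throw new CryptographicException(
                $"Application certificate {cert.Thumbprint} loaded without a usable private key: {reason}");
        }
        return cert;
    }

    // Signs a constructed message with the private key and verifies it with the certificate's
    // public key. A certificate with a broken keyset fails here with the Windows CNG/CAPI error.
    public static bool CanSignAndVerify(X509Certificate2 cert, out string reason)
    {
        byte[] probe = Encoding.ASCII.GetBytes("opc-ua-keyset-probe"); // constructed test message
        try
        {
            using (RSA priv = cert.GetRSAPrivateKey())
            using (RSA pub = cert.GetRSAPublicKey())
            {
                if (priv == null || pub == null)
                {
                    reason = "certificate does not expose an RSA key pair";
                    return false;
                }
                byte[] sig = priv.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                bool ok = pub.VerifyData(probe, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                reason = ok ? string.Empty : "signature did not verify against the certificate's public key";
                return ok;
            }
        }
        catch (CryptographicException ex)
        {
            // On Windows this is where 'Keyset does not exist' / 'Keyset not valid' surfaces.
            reason = ex.Message;
            return false;
        }
    }
}
```

Call `await CertificateProbe.LoadAndVerifyAsync(applicationConfiguration)` in place of the bare Find/LoadPrivateKey pair; a certificate that exists on disk but cannot sign is reported with the provider's error text instead of being accepted, and the caller decides whether to replace it rather than having one recreated behind its back.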
mregen commented Dec 13, 2020

fixed in #1209

@mregen mregen closed this as completed Dec 13, 2020
@mregen mregen reopened this May 18, 2021
mregen commented May 18, 2021

still repro in 366 release...

@mregen mregen modified the milestones: 1.4.364, 1.4.367 Aug 20, 2021
mregen added a commit that referenced this issue Sep 28, 2021
- do not silently recreate a certificate if a matching cert subject is available; enforce manual deletion or replacement
- allow the application cert to be used when expired or not yet valid
- warn in trace if an app cert is loaded without loading the private key
fixes #1162 , fixes #1102