[Bug]: Issue with connection using 4096-bit certificates #2013

Open
2 of 16 tasks
gustavoschewinski opened this issue Feb 17, 2025 · 3 comments
java Pull requests that update Java code OPC-UA https://plc4x.apache.org/users/protocols/opcua.html

@gustavoschewinski

What happened?

Hello,

The connection to PLC4X using 2048-bit certificates (both client and server) works fine. However, when switching to 4096-bit certificates for both, the connection fails.

On the OPCUA side, I receive an error stating "An error occurred verifying security", and in the PLC4X logs, I only see "Connection terminated by remote." It appears that the certificates are not being accepted.

I tested the certificates separately by making a connection with a Python library, and it worked, so the issue does not seem to be with the certificates themselves.

Any insights or suggestions on how to fix this problem would be greatly appreciated.

Thanks a lot!

Version

v0.13.0-SNAPSHOT

Programming Languages

  • plc4j
  • plc4go
  • plc4c
  • plc4net

Protocols

  • AB-Ethernet
  • ADS /AMS
  • BACnet/IP
  • CANopen
  • DeltaV
  • DF1
  • EtherNet/IP
  • Firmata
  • KNXnet/IP
  • Modbus
  • OPC-UA
  • S7
@ottlukas ottlukas added java Pull requests that update Java code OPC-UA https://plc4x.apache.org/users/protocols/opcua.html labels Feb 18, 2025
@splatch splatch self-assigned this Mar 3, 2025
@splatch (Contributor) commented Mar 3, 2025

Hello @gustavoschewinski, can you provide the commands for creating the certs? I would then have a reproducer locally to see why there is a failure. We have some unit tests which confirm handling of specific key lengths, so if they do not spot the issue, it's most likely another part of the negotiation logic which is out of sync with the spec.

@gustavoschewinski (Author)

Hello @splatch,

Thanks for helping, this is how I am creating them:

  1. CA Certificate Creation
    Create a configuration file ca.conf and use it to generate a CA certificate.

    ca.conf:

    # [ req ] is read by "openssl req -x509" when the CA certificate is self-signed
    [ req ]
    default_bits = 4096
    default_md = sha256
    distinguished_name = Digilab
    x509_extensions = v3_ca
    prompt = no

    [ Digilab ]
    countryName = DE
    stateOrProvinceName = Bayern
    localityName = Munich
    organizationName = MTU
    commonName = FIXI

    # Extensions of the CA certificate itself: a CA that may only sign end-entity certificates
    [ v3_ca ]
    basicConstraints = CA:TRUE, pathlen:0
    keyUsage = keyCertSign, cRLSign
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    # [ ca ] and [ CA_default ] are read by "openssl ca" when the client and server CSRs are signed
    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    dir             = ./myCA
    database        = $dir/index.txt
    new_certs_dir   = $dir/certs
    certificate     = $dir/ca_cert.pem
    serial          = $dir/serial
    crlnumber       = $dir/crlnumber
    crl             = $dir/ca_crl.pem
    private_key     = $dir/private/ca_key.pem
    RANDFILE        = $dir/private/.rand

    default_md      = sha256
    policy          = policy_anything

    default_crl_days = 300

    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    commonName              = supplied
    emailAddress            = optional

    [ crl_ext ]
    authorityKeyIdentifier  = keyid:always


    Then, run these commands to create the CA certificate:

    # Directory layout and bookkeeping files that [ CA_default ] refers to
    mkdir -p myCA/private
    mkdir -p myCA/certs
    touch myCA/index.txt
    echo 1000 > myCA/serial
    echo 1000 > myCA/crlnumber

    # Self-signed 4096-bit CA certificate valid for 10 years; -keyout prompts for a
    # passphrase that encrypts the CA key (add -nodes to write it unencrypted)
    openssl req -x509 -days 3650 -new -keyout myCA/private/ca_key.pem -out myCA/ca_cert.pem -config ca.conf
    # DER copy for trust stores that do not accept PEM
    openssl x509 -outform der -in myCA/ca_cert.pem -out myCA/ca_cert.der
  2. Client Certificate
    Create a client certificate using a similar process.

    client-key.conf:

    [ req ]
    default_bits = 4096
    default_md = sha256
    distinguished_name = DigilabClient
    req_extensions = req_ext
    x509_extensions = req_ext
    string_mask = utf8only
    prompt = no

    [ DigilabClient ]
    countryName = DE
    stateOrProvinceName = Bayern
    localityName = Munich
    organizationName = MTU
    commonName = client.local

    # Extensions for the end-entity certificate, passed to "openssl ca" via -extensions req_ext
    [ req_ext ]
    basicConstraints = CA:FALSE
    nsCertType = client, server
    # keyCertSign is only valid together with CA:TRUE (RFC 5280 4.2.1.3), so it is not set here
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    nsComment = "Client 1 Certificate"
    # The URI entry must be identical to the ApplicationUri the client announces
    subjectAltName = URI:urn:client.local:OPCUA:client.local,IP:127.0.0.1


    Generate the client certificate:

    # 4096-bit client key, CSR from client-key.conf, signed by the CA with the req_ext extensions
    openssl genpkey -algorithm RSA -out client_key.pem -pkeyopt rsa_keygen_bits:4096
    openssl req -new -key client_key.pem -out client.csr -config client-key.conf
    openssl ca -config ca.conf -in client.csr -out client_cert.pem -days 365 -extensions req_ext -extfile client-key.conf
    openssl x509 -outform der -in client_cert.pem -out client_cert.der
  3. Server Certificate
    Create the server certificate following the same approach.

    server-key.conf:

    [ req ]
    default_bits = 4096
    default_md = sha256
    distinguished_name = digilab_server
    req_extensions = req_ext
    x509_extensions = req_ext
    string_mask = utf8only
    prompt = no

    [ digilab_server ]
    countryName = DE
    stateOrProvinceName = Bayern
    localityName = Munich
    organizationName = MTU
    commonName = SimulationServer@Yoshi

    # Extensions for the end-entity certificate, passed to "openssl ca" via -extensions req_ext
    [ req_ext ]
    basicConstraints = CA:FALSE
    nsCertType = client, server
    # keyCertSign is only valid together with CA:TRUE (RFC 5280 4.2.1.3), so it is not set here
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    nsComment = "Server Certificate"
    # The URI entry must be identical to the server's ApplicationUri
    subjectAltName = URI:urn:Yoshi.lab.mtu-digilab.io:OPCUA:SimulationServer


    Generate the server certificate:

    # 4096-bit server key, CSR from server-key.conf, signed by the CA with the req_ext extensions
    openssl genpkey -algorithm RSA -out server_key.pem -pkeyopt rsa_keygen_bits:4096
    openssl req -new -key server_key.pem -out server.csr -config server-key.conf
    openssl ca -config ca.conf -in server.csr -out server_cert.pem -days 365 -extensions req_ext -extfile server-key.conf
    openssl x509 -outform der -in server_cert.pem -out server_cert.der

Best,
Gustavo
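
Before handing certificates produced by the three steps above to an OPC UA stack, it is worth checking them against what the application-instance certificate profile actually requires. The script below is an added example, not code from this issue, from PLC4X or from Milo; it assumes openssl on PATH, a certificate in PEM or DER, the CA certificate in PEM, and that you know the ApplicationUri the client or server is configured with. It checks the RSA key size (2048 to 4096 bits for the SHA-256 security policies), that the certificate is not a CA and does not carry keyCertSign, that keyUsage has digitalSignature and keyEncipherment, that a SAN URI equals the ApplicationUri, and that the chain validates against the CA.

```shell
#!/bin/sh
# Added example: sanity checks for an OPC UA application instance certificate.
# Assumes openssl on PATH; all paths and the ApplicationUri are arguments.
set -eu

# Is the file PEM or DER? openssl x509 has to be told.
cert_form() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Human-readable dump of the certificate.
cert_text() {
  openssl x509 -in "$1" -inform "$(cert_form "$1")" -noout -text
}

# RSA modulus size in bits. OpenSSL 1.1 prints "RSA Public-Key: (N bit)",
# OpenSSL 3 prints "Public-Key: (N bit)"; the pattern matches both.
cert_key_bits() {
  cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Value line of an X509v3 extension, e.g.: cert_ext client_cert.der "Key Usage"
cert_ext() {
  cert_text "$1" | awk -v name="X509v3 $2" 'index($0, name) { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# has STRING SUBSTRING -> 0 if SUBSTRING occurs in STRING
has() {
  case "$1" in *"$2"*) return 0 ;; esac
  return 1
}

# check_uacert CERT CA_PEM APPLICATION_URI -> 0 when every check passes, 1 otherwise.
check_uacert() {
  cert=$1; ca=$2; uri=$3; rc=0

  bits=$(cert_key_bits "$cert")
  # Basic256Sha256 and the Aes*_Sha256_* policies accept RSA keys of 2048..4096 bits.
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ] || [ "$bits" -gt 4096 ]; then
    echo "FAIL: RSA key size ${bits:-unknown} is outside 2048..4096" >&2; rc=1
  fi

  # An application instance certificate is an end-entity certificate.
  if has "$(cert_ext "$cert" "Basic Constraints")" "CA:TRUE"; then
    echo "FAIL: certificate is marked CA:TRUE" >&2; rc=1
  fi

  ku=$(cert_ext "$cert" "Key Usage")
  if has "$ku" "Certificate Sign"; then
    echo "FAIL: keyCertSign set on a non-CA certificate" >&2; rc=1
  fi
  if ! has "$ku" "Digital Signature" || ! has "$ku" "Key Encipherment"; then
    echo "FAIL: keyUsage needs digitalSignature and keyEncipherment, got: $ku" >&2; rc=1
  fi

  # The SAN URI is compared byte for byte with the ApplicationUri the stack announces.
  if ! cert_ext "$cert" "Subject Alternative Name" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "URI:$uri"; then
    echo "FAIL: no SAN entry URI:$uri" >&2; rc=1
  fi

  # The peer will build a chain to the CA it trusts; do the same with openssl verify.
  if ! openssl x509 -in "$cert" -inform "$(cert_form "$cert")" | openssl verify -CAfile "$ca" >/dev/null 2>&1; then
    echo "FAIL: chain does not verify against $ca" >&2; rc=1
  fi

  return $rc
}
```

Usage for the certificates above: `check_uacert client_cert.der myCA/ca_cert.pem urn:client.local:OPCUA:client.local` and the same for server_cert.der with the server's URI. A clean run prints nothing and exits 0; each failed check prints one FAIL line.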

@ottlukas ottlukas removed the bug label Mar 5, 2025
@splatch (Contributor) commented Mar 17, 2025

I am not yet sure if I have a valid reproducer, but for sure I can't get the client certificate to connect to a Milo server using the server certificate provisioned through your script. I keep getting PlcIoException: Connection terminated by remote, and Milo shows:

java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
	at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificates(CertificateUtil.java:123)
	at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:83)
	at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:72)
	at org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel.setRemoteCertificate(ServerSecureChannel.java:72)
	at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:194)
	at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:120)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
	... 16 common frames omitted
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key

Do you get any client/server stack traces to share?
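
The exception types in that trace (CertificateParsingException wrapping InvalidKeyException) come from the JDK's own X.509 parser, so one useful split is: does the JDK parse the DER file as written to disk? The program below is an added example, not code from this issue, PLC4X or Milo; it assumes Java 11 or later and takes the certificate path as its only argument. It decodes the file with CertificateFactory and prints the key size, basic constraints, key usage bits and SAN entries, or the full cause chain when decoding fails.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.List;

/** Added example: decode a certificate file with the JDK parser and report what it contains. */
public class DecodeUaCert {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java DecodeUaCert.java <cert.der|cert.pem>");
            System.exit(2);
        }
        byte[] bytes = Files.readAllBytes(Paths.get(args[0]));
        System.out.println("bytes on disk: " + bytes.length);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            // Accepts DER or PEM; a file holding a chain yields one entry per certificate.
            Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(bytes));
            for (Certificate c : certs) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject: " + x.getSubjectX500Principal());
                System.out.println("issuer:  " + x.getIssuerX500Principal());
                if (x.getPublicKey() instanceof RSAPublicKey) {
                    RSAPublicKey rsa = (RSAPublicKey) x.getPublicKey();
                    System.out.println("RSA modulus bits: " + rsa.getModulus().bitLength());
                }
                // getBasicConstraints() is -1 for CA:FALSE or no extension, otherwise the path length
                System.out.println("basicConstraints: " + (x.getBasicConstraints() < 0 ? "CA:FALSE" : "CA:TRUE"));
                // RFC 5280 bit order: 0 digitalSignature, 2 keyEncipherment, 5 keyCertSign
                boolean[] ku = x.getKeyUsage();
                if (ku != null) {
                    System.out.println("keyUsage digitalSignature=" + ku[0]
                            + " keyEncipherment=" + ku[2] + " keyCertSign=" + ku[5]);
                }
                Collection<List<?>> sans = x.getSubjectAlternativeNames();
                if (sans != null) {
                    for (List<?> san : sans) {
                        // GeneralName type 6 is a URI; OPC UA compares it with the ApplicationUri
                        System.out.println("SAN type " + san.get(0) + ": " + san.get(1));
                    }
                }
            }
        } catch (CertificateException e) {
            // Walk the cause chain; in the trace above the root cause was an InvalidKeyException
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("decode failed: " + t);
            }
            System.exit(1);
        }
    }
}
```

Run it as `java DecodeUaCert.java client_cert.der`. If this prints the 4096-bit key size for the file on disk while Milo still fails in setRemoteCertificate, the bytes Milo receives differ from the file, which points at the secure-channel encoding rather than at the certificate.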
