Open
Description
What happened?
I thought that PLC4X was tested using the Milo server, since that's what was written in the documentation.
Today I tried connecting to the Milo server using 4096 certs and got the following response from the server.
io.netty.handler.codec.DecoderException: UaException: status=Bad_CertificateInvalid, message=java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.base/java.lang.Thread.run(Thread.java:1447)
Caused by: org.eclipse.milo.opcua.stack.core.UaException: java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificates(CertificateUtil.java:121)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:82)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificate(CertificateUtil.java:71)
at org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel.setRemoteCertificate(ServerSecureChannel.java:71)
at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:259)
at org.eclipse.milo.opcua.stack.transport.server.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:177)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
... 16 common frames omitted
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:139)
at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1456)
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:143)
at java.base/sun.security.x509.X509CertImpl.newX509CertImpl(X509CertImpl.java:253)
at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:475)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:360)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
at org.eclipse.milo.opcua.stack.core.util.CertificateUtil.decodeCertificates(CertificateUtil.java:117)
... 23 common frames omitted
Caused by: java.io.IOException: subject key, java.security.InvalidKeyException: Invalid RSA public key
at java.base/sun.security.x509.X509Key.parse(X509Key.java:135)
I get the same result using 2048 certs.
On the server side there shouldn't be any error. If the format is correct it will accept all certs.
Moreover, with UA Expert everything works fine.
I have also tried connecting to other OPC UA servers, like Prosys and Umati.
For the Prosys server only the 2048 certs work. I checked with them and they do not support 4096 on the server side.
However, if you don't use 4096 certs on both sides, PLC4X will give the error:
java.util.concurrent.CompletionException: java.lang.RuntimeException: javax.crypto.IllegalBlockSizeException: Data must not be longer than 214 bytes
Version
0.13.0
Programming Languages
- plc4c
- plc4go
- plc4j
- plc4net
- plc4py
Protocols
- AB-Ethernet
- ADS /AMS
- BACnet/IP
- C-Bus
- CANopen
- EtherNet/IP
- Firmata
- IEC-69870
- KNXnet/IP
- Modbus
- OPC-UA
- Profinet
- S7
- S7-light
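
The 214-byte figure in the last error equals the RSA-OAEP plaintext limit for a 2048-bit key when the hash is SHA-1 (256 - 2*20 - 2). The Java program below is an added example, not PLC4X or Milo code; it assumes OAEP with SHA-1, uses keys generated in memory and a constructed payload, and its class and method names are hypothetical. It shows that the plaintext block size has to be derived from the receiver's key, not the sender's.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;

public class OaepBlockSizeDemo {
    // Assumption: RSA-OAEP with SHA-1, whose digest is 20 bytes long.
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    static final int HASH_LEN = 20;

    // Largest plaintext one OAEP block can carry for this key: k - 2*hLen - 2.
    static int maxPlaintext(RSAPublicKey key) {
        int k = (key.getModulus().bitLength() + 7) / 8;
        return k - 2 * HASH_LEN - 2;
    }

    // Encrypts data to the receiver's public key in blocks of blockSize bytes.
    static byte[] encryptChunked(byte[] data, RSAPublicKey receiver, int blockSize)
            throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, receiver);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int off = 0; off < data.length; off += blockSize) {
            int len = Math.min(blockSize, data.length - off);
            out.write(cipher.doFinal(data, off, len));
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPublicKey server = (RSAPublicKey) gen.generateKeyPair().getPublic();
        gen.initialize(4096);
        RSAPublicKey client = (RSAPublicKey) gen.generateKeyPair().getPublic();
        byte[] message = new byte[1000]; // constructed payload

        System.out.println("limit for 2048-bit key: " + maxPlaintext(server));
        System.out.println("limit for 4096-bit key: " + maxPlaintext(client));
        try {
            // Wrong: block size taken from the sender's own 4096-bit key.
            encryptChunked(message, server, maxPlaintext(client));
        } catch (IllegalBlockSizeException e) {
            System.out.println("mismatched block size: " + e.getMessage());
        }
        // Right: block size taken from the key that will decrypt the data.
        byte[] ct = encryptChunked(message, server, maxPlaintext(server));
        System.out.println("ciphertext bytes: " + ct.length);
    }
}
```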