I'm new to Milo and I'm facing a problem: I have to set up a connection between a Milo client and server (both on localhost) using an X509 certificate. To do this I've used the KeyStoreLoader classes of https://github.com/eclipse/milo/tree/master/milo-examples, leaving them pretty much untouched. Both server and client boot up without problems, but the client doesn't connect, producing:
13:07:34.671 [main] INFO milo_test.client.BrowseExample - security temp dir: /tmp/security
13:07:34.671 [main] INFO milo_test.client.KeyStoreLoader - Loading KeyStore at /tmp/security/example-client.pem
13:07:35.417 [main] ERROR milo_test.client.ClientExampleRunner - Error running client example: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
java.util.concurrent.ExecutionException: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1908)
at milo_test.client.BrowseExample.run(BrowseExample.java:35)
at milo_test.client.ClientExampleRunner.run(ClientExampleRunner.java:121)
at milo_test.client.BrowseExample.main(BrowseExample.java:27)
Caused by: org.eclipse.milo.opcua.stack.core.UaServiceFaultException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:275)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
13:07:35.420 [ForkJoinPool.commonPool-worker-1] ERROR milo_test.client.ClientExampleRunner - Error running example: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
Inside the ClientExample interface I have this getIdentityProvider() method:
default IdentityProvider getIdentityProvider() {
    //return new AnonymousProvider();
    //return new UsernameProvider("user", "pass");
    File securityTempDir = new File(System.getProperty("java.io.tmpdir"), "security");
    if (securityTempDir.exists() || securityTempDir.mkdirs()) {
        try {
            LoggerFactory.getLogger(getClass()).info("security temp dir: {}", securityTempDir.getAbsolutePath());
            KeyStoreLoader loader = new KeyStoreLoader().load(securityTempDir.toPath());
            return new X509IdentityProvider(loader.getClientCertificate(), loader.getClientKeyPair().getPrivate());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    return null;
}
If I use the AnonymousProvider() or the UsernameProvider(), everything goes fine.
Now, based on this thread, I've searched the securityTempDir and found both the server and the client certificate and the right structure (/pki -> issuers, rejected and trusted), but the rejected folder is always empty, making it impossible to move the certificate into trusted.
What could I be doing wrong? Thanks to everyone who can help me!