Certificates in Eclipse Milo



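I am new to Milo and I am facing a problem: I have to establish a connection between a Milo client and server (both on localhost) using X509 certificates. To do this, I used the KeyStoreLoader classes from https://github.com/eclipse/milo/tree/master/milo-examples, leaving them almost untouched. Both the server and the client start up fine, but the client does not connect, producing: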

13:07:34.671 [main] INFO  milo_test.client.BrowseExample - security temp dir: /tmp/security
13:07:34.671 [main] INFO  milo_test.client.KeyStoreLoader - Loading KeyStore at /tmp/security/example-client.pem
13:07:35.417 [main] ERROR milo_test.client.ClientExampleRunner - Error running client example: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
java.util.concurrent.ExecutionException: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1908)
at milo_test.client.BrowseExample.run(BrowseExample.java:35)
at milo_test.client.ClientExampleRunner.run(ClientExampleRunner.java:121)
at milo_test.client.BrowseExample.main(BrowseExample.java:27)
Caused by: org.eclipse.milo.opcua.stack.core.UaServiceFaultException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:275)
at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
13:07:35.420 [ForkJoinPool.commonPool-worker-1] ERROR milo_test.client.ClientExampleRunner - Error running example: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.

In the ClientExample interface, I have this getIdentityProvider() method:

    default IdentityProvider getIdentityProvider() {
        //return new AnonymousProvider();
        //return new UsernameProvider("user", "pass");
        File securityTempDir = new File(System.getProperty("java.io.tmpdir"), "security");
        if (securityTempDir.exists() || securityTempDir.mkdirs()) {
            try {
                LoggerFactory.getLogger(getClass()).info("security temp dir: {}", securityTempDir.getAbsolutePath());
                KeyStoreLoader loader = new KeyStoreLoader().load(securityTempDir.toPath());
                return new X509IdentityProvider(loader.getClientCertificate(), loader.getClientKeyPair().getPrivate());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return null;
    }

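If I use AnonymousProvider() or UsernameProvider(), everything works fine.

Now, based on this thread, I have searched securityTempDir and found the server and client certificates and the correct structure (/pki -> issuers (rejected and trusted)), but the rejected folder is always empty, making it impossible to move the certificate to trusted.

What could I be doing wrong? Thanks to everyone who can help me!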

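You are confusing the application instance certificate with the separate X509 certificate used for authentication. The security and PKI dirs are necessary for getting a secure connection, but have nothing to do with x509-based user authentication.

That said, I think this may be a bug in the server SDK; if you want to open an issue in the GitHub repo, we can look at it there.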
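
The separation described in the answer above, as an added example that is not part of the original thread or of the Milo project's own code. It assumes the Milo client SDK of the same generation as the question (package names may differ in other versions); the class X509UserAuthConfig and its method names are hypothetical, and the caller is assumed to supply two distinct certificates:

```java
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy;

// Hypothetical helper: keeps the two certificate roles visibly apart.
public final class X509UserAuthConfig {

    /** True if the endpoint advertises a Certificate (X509) user token policy. */
    static boolean offersX509UserToken(EndpointDescription endpoint) {
        UserTokenPolicy[] policies = endpoint.getUserIdentityTokens();
        return policies != null && Arrays.stream(policies)
            .anyMatch(p -> p.getTokenType() == UserTokenType.Certificate);
    }

    static OpcUaClientConfig build(
        EndpointDescription endpoint,
        X509Certificate appCert, KeyPair appKeyPair,     // application instance certificate
        X509Certificate userCert, PrivateKey userKey) {  // separate user identity certificate

        // Fail early and clearly if the server does not accept X509 user tokens
        // on this endpoint at all.
        if (!offersX509UserToken(endpoint)) {
            throw new IllegalStateException(
                "Endpoint " + endpoint.getEndpointUrl() + " does not offer X509 user tokens");
        }

        return OpcUaClientConfig.builder()
            .setEndpoint(endpoint)
            // Role 1: secures the channel. This is the certificate that the
            // security/PKI directories are about.
            .setCertificate(appCert)
            .setKeyPair(appKeyPair)
            // Role 2: authenticates the user when the session is activated.
            // Unrelated to the PKI directories.
            .setIdentityProvider(new X509IdentityProvider(userCert, userKey))
            .build();
    }
}
```

In the question's getIdentityProvider(), the certificate returned by loader.getClientCertificate() is the application instance certificate, so the same certificate ends up in both roles.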
