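I'm new to Milo and am now facing a problem: I have to establish a connection between a Milo client and server (both on localhost) using X509 certificates. For this I used the KeyStoreLoader classes from https://github.com/eclipse/milo/tree/master/milo-examples, leaving them almost unchanged. Both server and client start without problems, but the client does not connect, producing: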
13:07:34.671 [main] INFO milo_test.client.BrowseExample - security temp dir: /tmp/security
13:07:34.671 [main] INFO milo_test.client.KeyStoreLoader - Loading KeyStore at /tmp/security/example-client.pem
13:07:35.417 [main] ERROR milo_test.client.ClientExampleRunner - Error running client example: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
java.util.concurrent.ExecutionException: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1908)
    at milo_test.client.BrowseExample.run(BrowseExample.java:35)
    at milo_test.client.ClientExampleRunner.run(ClientExampleRunner.java:121)
    at milo_test.client.BrowseExample.main(BrowseExample.java:27)
Caused by: org.eclipse.milo.opcua.stack.core.UaServiceFaultException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
    at org.eclipse.milo.opcua.stack.client.UaStackClient.lambda$deliverResponse$5(UaStackClient.java:275)
    at org.eclipse.milo.opcua.stack.core.util.ExecutionQueue$Task.run(ExecutionQueue.java:119)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
13:07:35.420 [ForkJoinPool.commonPool-worker-1] ERROR milo_test.client.ClientExampleRunner - Error running example: UaServiceFaultException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.

In the ClientExample interface I have this getIdentityProvider() method:

    default IdentityProvider getIdentityProvider() {
        //return new AnonymousProvider();
        //return new UsernameProvider("user", "pass");
        File securityTempDir = new File(System.getProperty("java.io.tmpdir"), "security");
        if (securityTempDir.exists() || securityTempDir.mkdirs()) {
            try {
                LoggerFactory.getLogger(getClass()).info("security temp dir: {}", securityTempDir.getAbsolutePath());
                KeyStoreLoader loader = new KeyStoreLoader().load(securityTempDir.toPath());
                return new X509IdentityProvider(loader.getClientCertificate(), loader.getClientKeyPair().getPrivate());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return null;
    }

If I use AnonymousProvider() or UsernameProvider(), everything works fine.
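Now, based on this thread, I have searched the securityTempDir and found the server and client certificates and the correct structure (/pki -> issuers, rejected and trusted), but the rejected folder is always empty, which makes it impossible to move the certificate into trusted.
What could I be doing wrong? Thanks to everyone who can help me!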
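Posted on 2021-02-13 01:10:24
You are confusing the application instance certificate with the separate X509 certificate used for authentication. The security and PKI directories are needed to establish a secure connection, but have nothing to do with X509-based user authentication.
That said, I think this might be a bug in the server SDK; if you'd like to open an issue in the GitHub repository, we can investigate there.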
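
The distinction drawn in the answer, as an added example that is not part of the original post or the Milo project's code: a client configuration that uses one key pair and certificate for the application instance (secure channel) and a second, independent pair for the X509 user identity. It assumes the Milo client SDK classes used by the milo-examples module are on the classpath; the class name, URIs, common names and the `selfSigned` helper are hypothetical.

```java
import java.security.KeyPair;
import java.security.cert.X509Certificate;

import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateBuilder;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateGenerator;

public class TwoCertificateClientConfig {

    // Hypothetical application URI; it is set both in the client config and in the app certificate.
    static final String APP_URI = "urn:example:milo:client";

    /** Builds a self-signed certificate for the given key pair (constructed test material). */
    static X509Certificate selfSigned(KeyPair keyPair, String commonName, String uri) throws Exception {
        return new SelfSignedCertificateBuilder(keyPair)
            .setCommonName(commonName)
            .setApplicationUri(uri)
            .addDnsName("localhost")
            .addIpAddress("127.0.0.1")
            .build();
    }

    /** Client config for an endpoint the caller has already selected (e.g. via discovery). */
    static OpcUaClientConfig configFor(EndpointDescription endpoint) throws Exception {
        // 1) Application instance certificate: identifies the client application and secures
        //    the channel. This is the certificate the pki directories on the page relate to.
        KeyPair appKeys = SelfSignedCertificateGenerator.generateRsaKeyPair(2048);
        X509Certificate appCert = selfSigned(appKeys, "Example Client Application", APP_URI);

        // 2) User identity certificate: a separate key pair that identifies the user when the
        //    session is activated. It is not the application instance certificate.
        KeyPair userKeys = SelfSignedCertificateGenerator.generateRsaKeyPair(2048);
        X509Certificate userCert = selfSigned(userKeys, "operator", "urn:example:user:operator");

        return OpcUaClientConfig.builder()
            .setApplicationName(LocalizedText.english("example client"))
            .setApplicationUri(APP_URI)
            .setEndpoint(endpoint)
            .setCertificate(appCert)   // application instance certificate
            .setKeyPair(appKeys)       // and its key pair
            .setIdentityProvider(new X509IdentityProvider(userCert, userKeys.getPrivate()))
            .build();
    }
}
```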
https://stackoverflow.com/questions/66171948