AttributeError: 'bytearray' object has no attribute 'public_key' #1533

Open
dufrtss opened this issue Dec 6, 2023 · 7 comments


dufrtss commented Dec 6, 2023

Hi there,

I'm struggling to get my client/server running with secure policies, cryptography, and authentication. I understand this project is deprecated, but I use it for a project at work. Before refactoring and migrating to the new tools, I want to establish secure SSL communication to satisfy client needs.

Here is a simple server I instantiated to develop the PKI and learn how to set this up before adapting it to production.

image

Here is a simple client I instantiated to communicate with the server and get my certification and private key authenticated.

image

And here is the error when I try to connect the client with the server, using not just SignAndEncrypt but Sign as well; only Anonymous access is currently working.

image

My initial understanding was that my certification was missing a public key. I went in and studied a little more on openssl and, upon debugging, I could easily see my Subject Public Key Info pointing out that rsaEncryption had generated a 2048-bit public key, and the modulus after it. If the debugging command helps confirm it, here is the command I wrote:

openssl x509 -in cert/server_cert.pem -pubkey -noout -text

@AndreasHeine I searched the repo's issues and discussions as well as others and saw you as an active moderator, at least whenever this used to be more active. I understand this error might be a misuse of some features, but I ask for some help nonetheless, as this topic is hard to research and I couldn't find any more info on it.

When using the client UAExpert, the same thing happens in any type of Basic256Sha256 secure policy. I don't know what to do anymore. If you decide to help and need any more info on it, I'll gladly provide it.

Thanks in advance!

Author

dufrtss commented Dec 6, 2023

I forgot to add this, but this is how I structured my PKI; my server_cert is my CA.

#Create server key and certification
openssl req -x509 -newkey rsa:2048 -config x509v3/ssl.conf -keyout cert/server_private_key.pem -sha256 -nodes -days 1095 -out cert/server_cert.pem

#Create client key and certification signing request
openssl req -new -config client/client.conf -nodes -keyout client/client_private_key.pem -out client/client_csr.pem

# Authenticate client certification signing request with CA as server certification
openssl x509 -req -in client/client_csr.pem -days 1095 -CA cert/server_cert.pem -CAkey cert/server_private_key.pem -CAcreateserial -out client/client_cert.pem -extensions req_ext -extfile client/client.conf
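An added example, not part of the thread or of python-opcua: a pre-flight check for the PKI layout described in the comment above, confirming that each private key belongs to its certificate and that the client certificate verifies against the server certificate used as CA. The function names are hypothetical, and the throwaway sample PKI uses `-subj` instead of the poster's `.conf` files, which are not shown.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the sample PKI uses -subj because the poster's .conf files are not shown.

# True when the certificate's public key is the one derived from the private key.
key_matches_cert() {    # key_matches_cert CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when CERT.pem verifies with CA.pem as the only trust anchor.
signed_by() {           # signed_by CA.pem CERT.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample data: the same three steps as in the comment above
# (self-signed server cert, client CSR, CSR signed with the server key).
make_sample_pki() {     # make_sample_pki DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=sample-server" \
        -keyout "$d/server_private_key.pem" -out "$d/server_cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-client" \
        -keyout "$d/client_private_key.pem" -out "$d/client_csr.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/client_csr.pem" -days 1 \
        -CA "$d/server_cert.pem" -CAkey "$d/server_private_key.pem" \
        -CAcreateserial -out "$d/client_cert.pem" 2>/dev/null
}

# Demo on constructed files in a temporary directory.
dir=$(mktemp -d)
make_sample_pki "$dir"
key_matches_cert "$dir/server_cert.pem" "$dir/server_private_key.pem" &&
    echo "server key matches server cert"
signed_by "$dir/server_cert.pem" "$dir/client_cert.pem" &&
    echo "client cert verifies against server cert"
key_matches_cert "$dir/server_cert.pem" "$dir/client_private_key.pem" ||
    echo "mismatched cert/key pair detected"
rm -rf "$dir"
```

If both checks pass on the real files, the PEM material is consistent and the remaining question is how the application loads it.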

@AndreasHeine
Member

This library is DEPRECATED, so don't use it with regards to security!

Your issue, however, is that you are mixing transport security with authorization...

Your client uses the cert and key for auth as well, which the server does not support in the old version!

Author

dufrtss commented Dec 7, 2023

Thank you Andreas, this brings some clarity to my problem. I intend to use it momentarily just to get the feel for it, thinking about migrating the actual solution to the asyncio-opcua or node-opcua.

Author

dufrtss commented Dec 7, 2023

I created another cert to separate transport security from auth, but I still get the same error. Is the cert and key for transport meant to be handled differently?

image

Author

dufrtss commented Dec 18, 2023

I'm still struggling with this approach.

@schroeder-
Contributor

From the callstack the server certificate is not set correctly. This should be done when the server starts.
Does only setting encrypted communication help?

server.set_security_policy([ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt])

Author

dufrtss commented Dec 19, 2023

Hey, this helped. I had a little more debugging to do, but it seems to be working fine now. I'll do some testing tomorrow, and if it works out I'll consider it solved and close this discussion! Thank you so much.
