URI from x509 certificate is not correctly read by QtopcUa module

    PawelW wrote (post #1):

    Hello,

    I’m using the Qtopcua module to establish an encrypted connection with an OPC UA server. The certificate which I’m using works fine on Windows, Linux and Android, but when I switch to macOS or iOS, this part:

    QOpcUaPkiConfiguration m_pkiConfig;
    m_pkiConfig.setClientCertificateFile(pkidir + "/opcuaviewer.der");
    m_pkiConfig.setPrivateKeyFile(pkidir + "/opcuaviewer.key");
    auto m_identity = m_pkiConfig.applicationIdentity(); 
    

    causes a warning from the qtopcua module:

    [qt.opcua.security] URI string from certificate has unexpected format: "" Application identity will be invalid.
    

    And the connection could not be established because of the missing URI in the extension. After debugging the QtOpcUa module I found that there is the correct count of extensions (5), and there is an extension with the correct name "subjectAltName". So far, so good, but when calling the method "toMap()" in "applicationIdentity()", the returned map is empty.

    \qtopcua\src\opcua\client\qopcuapkiconfiguration.cpp

    QOpcUaApplicationIdentity QOpcUaPkiConfiguration::applicationIdentity()
    {
        ...
        auto extensions = certList[0].extensions();
        for (const auto extension : qAsConst(extensions)) {
            if (extension.name() == QLatin1String("subjectAltName")) { // OID: 2.5.29.17
                const auto value = extension.value().toMap();
    

    The funny thing is that I can successfully use the method "toString()" on this QVariant, but only on macOS and iOS. So on Windows it looks like the QVariant "subjectAltName" is a QMap (which is correct) and on Apple systems it is somehow a QString. The module uses the method "toMap()", so it should be the correct way.

    I have updated Qt and qtopcua (15.1) and downloaded the newest version of mbedtls, but it does not help. I have checked the DER certificate with OpenSSL and it looks fine, all extensions included (the same one works fine on other systems, so it should be).

           X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Alternative Name: 
                    email:my@other.address, URI:http://my.url.here/
                X509v3 Subject Key Identifier: 
                    EA:59:19:39:BF:1B:CC:22:FB:26:E9:C0:C2:EB:26:52:E2:55:34:EF
                X509v3 Authority Key Identifier: 
                    keyid:EA:59:19:39:BF:1B:CC:22:FB:26:E9:C0:C2:EB:26:52:E2:55:34:EF
                    DirName:
                    serial:01
    

    Has anybody ever faced a similar issue?

      Acx.Dev wrote (post #2):

      We're facing the same problem, depending on how the certificates have been created, and fixed it using the following code.

      QOpcUaApplicationIdentity QOpcUaPkiConfiguration::applicationIdentity() const
      {
          ...
          if (extension.name() == QLatin1String("subjectAltName")) { // OID: 2.5.29.17
              QString uri;

              // Preferred path: the backend parsed the extension into a map.
              const QMap<QString, QVariant> valueMap = extension.value().toMap();
              if (valueMap.count() > 0) {
                  uri = valueMap[QLatin1String("URI")].toString();
              } else {
                  // Fallback: the value was not parsed into a map, so scan its raw bytes for "urn:".
                  QByteArray valBytes = extension.value().toByteArray();
                  qsizetype urnStartInd = valBytes.indexOf(QStringLiteral("urn:").toUtf8());  //TODO[QT6]: use QByteArrayView here in QT6
                  // End the URI at the next 0x82 byte (written as the single-byte literal '\x82').
                  qsizetype urnEndInd = (urnStartInd < 0) ? -1 : valBytes.indexOf('\x82', urnStartInd);
                  if (urnStartInd != -1) {
                      uri = valBytes.mid(urnStartInd, (urnEndInd < 0) ? -1 : urnEndInd - urnStartInd);
                  }
              }

              const QStringList token = uri.split(':', QString::SkipEmptyParts);
      
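Added example, not code from either post or from Qt: a bounds-checked walk of the DER `GeneralNames` value that returns only `uniformResourceIdentifier` entries ([6], tag 0x86), so text inside another name type is never taken for the application URI. It uses only the C++ standard library and assumes the raw extension bytes scanned by the fallback in post #2 start at the outer SEQUENCE; `readTlv`, `sanUris` and `sampleSan` are hypothetical names, and the sample bytes are constructed from the certificate dump in post #1.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Read one DER tag/length header at pos; on success pos points at the content.
static bool readTlv(const std::vector<uint8_t>& d, size_t& pos, uint8_t& tag, size_t& len) {
    if (pos + 2 > d.size()) return false;
    tag = d[pos++];
    len = d[pos++];
    if (len & 0x80) {                        // long form: low 7 bits = count of length bytes
        size_t n = len & 0x7F;
        if (n == 0 || n > 4 || n > d.size() - pos) return false;  // DER has no indefinite length
        for (len = 0; n > 0; --n) len = (len << 8) | d[pos++];
    }
    return len <= d.size() - pos;            // content must lie inside the buffer
}

// Return every uniformResourceIdentifier ([6], tag 0x86) in a DER GeneralNames value.
std::vector<std::string> sanUris(const std::vector<uint8_t>& der) {
    std::vector<std::string> uris;
    size_t pos = 0, len = 0;
    uint8_t tag = 0;
    if (!readTlv(der, pos, tag, len) || tag != 0x30) return uris;  // outer SEQUENCE
    const size_t end = pos + len;
    while (pos < end) {
        if (!readTlv(der, pos, tag, len) || pos > end || len > end - pos)
            return {};                       // malformed input: return nothing at all
        if (tag == 0x86) uris.emplace_back(der.begin() + pos, der.begin() + pos + len);
        pos += len;                          // other name types are skipped, not searched
    }
    return uris;
}

// Constructed sample: the SAN shown in the first post's certificate dump.
std::vector<uint8_t> sampleSan() {
    const std::string mail = "my@other.address", uri = "http://my.url.here/";
    std::vector<uint8_t> d = {0x30, uint8_t(mail.size() + uri.size() + 4)};
    d.push_back(0x81); d.push_back(uint8_t(mail.size()));  // [1] rfc822Name
    d.insert(d.end(), mail.begin(), mail.end());
    d.push_back(0x86); d.push_back(uint8_t(uri.size()));   // [6] uniformResourceIdentifier
    d.insert(d.end(), uri.begin(), uri.end());
    return d;
}

int main() { return sanUris(sampleSan()).size() == 1 ? 0 : 1; }
```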