netconf / NETCONF-821

Mounting a device does not work when multiple TLS Certificates are present


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • 8.0.0, 6.0.8, 7.0.5
    • 1.13.2
    • netconf

      Configured the netconf-keystore model with 2 sets of keystores. The following scenarios were tried out:

      1. Both sets are the same, i.e., there are 2 key-id values, ODL_private_key_0 and ODL_private_key_1, and both have the same values. In this scenario, mounting a device using either key was successful.
      2. One set is valid and the other is invalid, i.e., the valid set (client.key, client.crt and trustedCertificates.crt) was taken, a copy of it was made and the client.crt was edited to include some invalid data. Both sets (valid and invalid) were used to create entries in the netconf-keystore. In this scenario, mounting a device with either of the keys is unsuccessful. The following is the exception in the karaf.log:
      2021-09-14T04:58:18,310 | INFO | nioEventLoopGroupCloseable-3-10 | AbstractNetconfSessionNegotiator | 352 - org.opendaylight.netconf.netty-util - 1.13.2 | - | Unexpected error during negotiation
      java.lang.IllegalStateException: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
       at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:82) ~[bundleFile:?]
       at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:45) ~[bundleFile:?]
       at org.opendaylight.netconf.client.TlsClientChannelInitializer$ChannelActiveSentry.channelActive(TlsClientChannelInitializer.java:56) ~[bundleFile:?]
       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230) [bundleFile:4.1.63.Final]
       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216) [bundleFile:4.1.63.Final]
       at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209) [bundleFile:4.1.63.Final]
       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398) [bundleFile:4.1.63.Final]
       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230) [bundleFile:4.1.63.Final]
       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216) [bundleFile:4.1.63.Final]
       at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895) [bundleFile:4.1.63.Final]
       at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305) [bundleFile:4.1.63.Final]
       at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335) [bundleFile:4.1.63.Final]
       at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:707) [bundleFile:4.1.63.Final]
       at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655) [bundleFile:4.1.63.Final]
       at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581) [bundleFile:4.1.63.Final]
       at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [bundleFile:4.1.63.Final]
       at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [bundleFile:4.1.63.Final]
       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [bundleFile:4.1.63.Final]
       at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [bundleFile:4.1.63.Final]
       at java.lang.Thread.run(Unknown Source) [?:?]
      Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Empty input
       at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source) ~[?:?]
       at java.security.cert.CertificateFactory.generateCertificate(Unknown Source) ~[?:?]
       at org.opendaylight.netconf.sal.connect.netconf.sal.NetconfKeystoreAdapter.getCertificateChain(NetconfKeystoreAdapter.java:159) ~[bundleFile:?]
       at org.opendaylight.netconf.sal.connect.netconf.sal.NetconfKeystoreAdapter.getJavaKeyStore(NetconfKeystoreAdapter.java:113) ~[bundleFile:?]
       at org.opendaylight.netconf.sal.connect.util.SslHandlerFactoryImpl.createSslHandler(SslHandlerFactoryImpl.java:51) ~[bundleFile:?]
       ... 19 more
      

      Expectation: when the key-id from the valid set is used, mounting the device should be successful.
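The trace shows the failure happening in NetconfKeystoreAdapter.getCertificateChain, i.e. while the whole keystore is being turned into a Java KeyStore, so one unparsable client.crt takes every key-id down with it. As an added illustration of the behaviour the expectation asks for (this is not OpenDaylight's Java code; it is a stand-alone Go program written for this note), the example below builds the second scenario: ODL_private_key_0 holds a freshly generated self-signed client certificate and ODL_private_key_1 is a copy whose client.crt has been overwritten with constructed invalid data. Each key-id is validated on its own, so the corrupted entry is reported under its own key-id while the valid one still yields a usable tls.Certificate. The names KeystoreEntry, LoadKeystore, BuildScenario and the PEM contents are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// KeystoreEntry mirrors one key-id: client.key, client.crt and
// trustedCertificates.crt, all PEM-encoded (assumed layout for this example).
type KeystoreEntry struct {
	PrivateKeyPEM  []byte
	CertChainPEM   []byte
	TrustedCertPEM []byte
}

// LoadedEntry is what a usable key-id yields: a client certificate for
// tls.Config plus the trust anchors it should verify the device against.
type LoadedEntry struct {
	ClientCert tls.Certificate
	TrustPool  *x509.CertPool
}

// parseCertChain decodes every PEM block in data as an X.509 certificate.
// Empty or undecodable input is an error for this entry only.
func parseCertChain(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("could not parse certificate: %w", err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("could not parse certificate: empty input")
	}
	return certs, nil
}

// loadEntry validates a single key-id in isolation from all the others.
func loadEntry(e KeystoreEntry) (*LoadedEntry, error) {
	cert, err := tls.X509KeyPair(e.CertChainPEM, e.PrivateKeyPEM)
	if err != nil {
		return nil, fmt.Errorf("client key pair: %w", err)
	}
	trusted, err := parseCertChain(e.TrustedCertPEM)
	if err != nil {
		return nil, fmt.Errorf("trusted certificates: %w", err)
	}
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	return &LoadedEntry{ClientCert: cert, TrustPool: pool}, nil
}

// LoadKeystore loads every key-id independently: a broken entry is reported
// under its own key-id and does not block the entries that are fine.
func LoadKeystore(store map[string]KeystoreEntry) (map[string]*LoadedEntry, map[string]error) {
	ok, failed := map[string]*LoadedEntry{}, map[string]error{}
	for id, e := range store {
		le, err := loadEntry(e)
		if err != nil {
			failed[id] = err
			continue
		}
		ok[id] = le
	}
	return ok, failed
}

// newSelfSignedEntry generates throwaway test material (constructed data,
// not anything from the report): an EC key and a self-signed client cert.
func newSelfSignedEntry(cn string) (KeystoreEntry, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return KeystoreEntry{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return KeystoreEntry{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return KeystoreEntry{}, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return KeystoreEntry{PrivateKeyPEM: keyPEM, CertChainPEM: certPEM, TrustedCertPEM: certPEM}, nil
}

// BuildScenario reproduces scenario 2: ODL_private_key_1 is a copy of the
// valid set whose client.crt was edited to contain invalid data.
func BuildScenario() (map[string]KeystoreEntry, error) {
	valid, err := newSelfSignedEntry("odl-netconf-client")
	if err != nil {
		return nil, err
	}
	corrupted := valid // struct copy; the slice below is replaced, not shared
	corrupted.CertChainPEM = []byte("-----BEGIN CERTIFICATE-----\nINVALID DATA\n-----END CERTIFICATE-----\n")
	return map[string]KeystoreEntry{"ODL_private_key_0": valid, "ODL_private_key_1": corrupted}, nil
}

func main() {
	store, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	ok, failed := LoadKeystore(store)
	ids := make([]string, 0, len(store))
	for id := range store {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		if e, bad := failed[id]; bad {
			fmt.Printf("%s: unusable (%v)\n", id, e)
		} else {
			fmt.Printf("%s: usable, chain length %d\n", id, len(ok[id].ClientCert.Certificate))
		}
	}
}
```

Run with `go run .`; the output names ODL_private_key_1 as the unusable entry and leaves ODL_private_key_0 mountable, which is the diagnostic a defender wants: the failing key-id is identified explicitly instead of surfacing as an "Unexpected error during negotiation" on every device.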

            rkashapov Ruslan Kashapov
            pendurty Ravi Pendurty