Secure login without direct access to private key

[Lars12358]

Hi,
is there a way to login to a secure OPC UA server without providing the KeyPair, which includes the private key, to the Milo client? This would be important in some scenarios where no direct access to the private key is possible. For example, when logging in via smartcard or for a proxy login. There we could provide the user certificate with public key and something like a callback to sign the server nonce.

Thank you

[kevinherron]

Just to clarify - you are you talking about using the Milo client against some 3rd party server and using X509IdentityProvider to provide an X509IdentityToken for authentication?

[Lars12358]

Hello Kevin,
thank you for your quick response. Yes I try to connect to a device with a 3rd party OPC UA server with the Milo client. The server requires a X.509 certificate based user login. The user certificates will be provided via smartcard (PKCS 11). There I have no direct access to the private key. It is a public key infrastructure.

[kevinherron]

You can implement your own IdentityProvider using the existing X509IdentityProvider as a guide and handle the signing however is possible for you.

[Lars12358]

I have tried, but If I configure the IdentityProvider without KeyPair in the OpcUaClientConfig then the login fails, because of the validation in the ClientSecureChannel.fromConfig(...) method.

WARN 19:35:21.350 io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0xa72207e3]
org.eclipse.milo.opcua.stack.core.UaException: no KeyPair configured
at org.eclipse.milo.opcua.stack.client.transport.uasc.ClientSecureChannel.lambda$fromConfig$0(ClientSecureChannel.java:183)
...

I use basically the following steps to create the client:

1. Build OpcUaClientConfig for a secure endpoint with an IdentityProvider
2. Create new OpcUaClient with the OpcUaClientConfig
3. Connect OpcUaClient

[kevinherron]

You are mixing up the KeyPair used to secure the communications channel and the one used when doing X509-based authentication. They are not the same, and the former is required if you are using anything but SecurityPolicy.None.

The KeyPair configured on the OpcUaClientConfig is only used for the secure channel. You'll notice that the existing X509IdentityProvider accepts a KeyPair certificate and PrivateKey in its constructor, which should be different than the one used for the config.

[Lars12358]

You are right. I have mixed that up. Now it works fine for me. Thank you very much. That saved me a lot of time.