private void CheckPEMWriter(X509Certificate2 certificate, string password = null)
{
PEMWriter.ExportCertificateAsPEM(certificate);
if (certificate.HasPrivateKey)
{
PEMWriter.ExportPrivateKeyAsPEM(certificate, password);
PEMWriter.ExportECDsaPrivateKeyAsPEM(certificate);
}
}
public void VerifyPemWriterPublicKeys()
{
// all app certs are trusted
foreach (var appCert in m_appSelfSignedCerts)
{
var pemDataBlob = PEMWriter.ExportCertificateAsPEM(appCert);
var pemString = Encoding.UTF8.GetString(pemDataBlob);
TestContext.Out.WriteLine(pemString);
#if NETCOREAPP3_1
var exception = Assert.Throws <ArgumentException>(() => { CertificateFactory.CreateCertificateWithPEMPrivateKey(new X509Certificate2(appCert), pemDataBlob); });
#endif
}
}
public void UpdateCertificateSelfSigned(string keyFormat)
{
ConnectPushClient(true);
var keyFormats = _pushClient.PushClient.GetSupportedKeyFormats();
if (!keyFormats.Contains(keyFormat))
{
Assert.Ignore("Push server doesn't support {0} key update", keyFormat);
}
X509Certificate2 newCert = CertificateFactory.CreateCertificate(
null, null, null,
_applicationRecord.ApplicationUri,
_applicationRecord.ApplicationNames[0].Text,
_selfSignedServerCert.Subject,
null,
CertificateFactory.DefaultKeySize,
DateTime.UtcNow,
CertificateFactory.DefaultLifeTime,
CertificateFactory.DefaultHashSize);
byte[] privateKey = null;
if (keyFormat == "PFX")
{
Assert.IsTrue(newCert.HasPrivateKey);
privateKey = newCert.Export(X509ContentType.Pfx);
}
else if (keyFormat == "PEM")
{
Assert.IsTrue(newCert.HasPrivateKey);
privateKey = PEMWriter.ExportPrivateKeyAsPEM(newCert);
}
else
{
Assert.Fail("Testing unsupported key format {0}.", keyFormat);
}
var success = _pushClient.PushClient.UpdateCertificate(
_pushClient.PushClient.DefaultApplicationGroup,
_pushClient.PushClient.ApplicationCertificateType,
newCert.RawData,
keyFormat,
privateKey,
null);
if (success)
{
_pushClient.PushClient.ApplyChanges();
}
VerifyNewPushServerCert(newCert.RawData);
}
public void VerifyPemWriterPrivateKeys()
{
// all app certs are trusted
foreach (var appCert in m_appSelfSignedCerts)
{
var pemDataBlob = PEMWriter.ExportPrivateKeyAsPEM(appCert);
var pemString = Encoding.UTF8.GetString(pemDataBlob);
TestContext.Out.WriteLine(pemString);
CertificateFactory.CreateCertificateWithPEMPrivateKey(new X509Certificate2(appCert.RawData), pemDataBlob);
// note: password is ignored
var newCert = CertificateFactory.CreateCertificateWithPEMPrivateKey(new X509Certificate2(appCert.RawData), pemDataBlob, "password");
X509Utils.VerifyRSAKeyPair(newCert, newCert, true);
}
}
private void CheckPEMWriter(X509Certificate2 certificate, string password = null)
{
PEMWriter.ExportCertificateAsPEM(certificate);
if (certificate.HasPrivateKey)
{
#if NETFRAMEWORK || NETCOREAPP2_1
// The implementation based on bouncy castle has no support to export with password
password = null;
#endif
PEMWriter.ExportPrivateKeyAsPEM(certificate, password);
#if NETCOREAPP3_1_OR_GREATER
PEMWriter.ExportRSAPrivateKeyAsPEM(certificate);
#endif
}
}
public void VerifyPemWriterPasswordPrivateKeys()
{
// all app certs are trusted
foreach (var appCert in m_appSelfSignedCerts)
{
var password = Guid.NewGuid().ToString().Substring(0, 8);
TestContext.Out.WriteLine("Password: {0}", password);
var pemDataBlob = PEMWriter.ExportPrivateKeyAsPEM(appCert, password);
var pemString = Encoding.UTF8.GetString(pemDataBlob);
TestContext.Out.WriteLine(pemString);
var newCert = CertificateFactory.CreateCertificateWithPEMPrivateKey(new X509Certificate2(appCert), pemDataBlob, password);
var exception = Assert.Throws <CryptographicException>(() => { CertificateFactory.CreateCertificateWithPEMPrivateKey(new X509Certificate2(appCert), pemDataBlob); });
X509Utils.VerifyRSAKeyPair(newCert, newCert, true);
}
}
/// <summary>
/// Create a certificate with a new key pair signed by the CA of the cert group.
/// </summary>
/// <param name="application">The application record.</param>
/// <param name="subjectName">The subject of the certificate.</param>
/// <param name="domainNames">The domain names for the subject alt name extension.</param>
/// <param name="privateKeyFormat">The private key format as PFX or PEM.</param>
/// <param name="privateKeyPassword">A password for the private key.</param>
public virtual async Task <X509Certificate2KeyPair> NewKeyPairRequestAsync(
ApplicationRecordDataType application,
string subjectName,
string[] domainNames,
string privateKeyFormat,
string privateKeyPassword)
{
if (application == null)
{
throw new ArgumentNullException(nameof(application));
}
if (application.ApplicationUri == null)
{
throw new ArgumentNullException(nameof(application.ApplicationUri));
}
if (application.ApplicationNames == null)
{
throw new ArgumentNullException(nameof(application.ApplicationNames));
}
using (var signingKey = await LoadSigningKeyAsync(Certificate, string.Empty).ConfigureAwait(false))
using (var certificate = CertificateFactory.CreateCertificate(
application.ApplicationUri,
application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName",
subjectName,
domainNames)
.SetIssuer(signingKey)
.CreateForRSA())
{
byte[] privateKey;
if (privateKeyFormat == "PFX")
{
privateKey = certificate.Export(X509ContentType.Pfx, privateKeyPassword);
}
else if (privateKeyFormat == "PEM")
{
privateKey = PEMWriter.ExportPrivateKeyAsPEM(certificate, privateKeyPassword);
}
else
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Invalid private key format");
}
return(new X509Certificate2KeyPair(new X509Certificate2(certificate.RawData), privateKeyFormat, privateKey));
}
}
public virtual async Task <X509Certificate2KeyPair> NewKeyPairRequestAsync(
ApplicationRecordDataType application,
string subjectName,
string[] domainNames,
string privateKeyFormat,
string privateKeyPassword)
{
using (var signingKey = await LoadSigningKeyAsync(Certificate, string.Empty))
using (var certificate = CertificateFactory.CreateCertificate(
null, null, null,
application.ApplicationUri ?? "urn:ApplicationURI",
application.ApplicationNames.Count > 0 ? application.ApplicationNames[0].Text : "ApplicationName",
subjectName,
domainNames,
Configuration.DefaultCertificateKeySize,
DateTime.UtcNow.AddDays(-1),
Configuration.DefaultCertificateLifetime,
Configuration.DefaultCertificateHashSize,
false,
signingKey,
null))
{
byte[] privateKey;
if (privateKeyFormat == "PFX")
{
privateKey = certificate.Export(X509ContentType.Pfx, privateKeyPassword);
}
else if (privateKeyFormat == "PEM")
{
privateKey = PEMWriter.ExportPrivateKeyAsPEM(certificate);
}
else
{
throw new ServiceResultException(StatusCodes.BadInvalidArgument, "Invalid private key format");
}
return(new X509Certificate2KeyPair(new X509Certificate2(certificate.RawData), privateKeyFormat, privateKey));
}
}
private async void CertificateRequestTimer_Tick(object sender, EventArgs e)
{
try
{
NodeId requestId = NodeId.Parse(m_application.CertificateRequestId);
byte[] privateKeyPFX = null;
byte[][] issuerCertificates = null;
byte[] certificate = m_gds.FinishRequest(
m_application.ApplicationId,
requestId,
out privateKeyPFX,
out issuerCertificates);
if (certificate == null)
{
// request not done yet, try again in a few seconds
return;
}
CertificateRequestTimer.Enabled = false;
RequestProgressLabel.Visible = false;
if (m_application.RegistrationType != RegistrationType.ServerPush)
{
X509Certificate2 newCert = new X509Certificate2(certificate);
if (!String.IsNullOrEmpty(m_application.CertificateStorePath) && !String.IsNullOrEmpty(m_application.CertificateSubjectName))
{
CertificateIdentifier cid = new CertificateIdentifier()
{
StorePath = m_application.CertificateStorePath,
StoreType = CertificateStoreIdentifier.DetermineStoreType(m_application.CertificateStorePath),
SubjectName = m_application.CertificateSubjectName.Replace("localhost", Utils.GetHostName())
};
// update store
using (var store = CertificateStoreIdentifier.OpenStore(m_application.CertificateStorePath))
{
// if we used a CSR, we already have a private key and therefore didn't request one from the GDS
// in this case, privateKey is null
if (privateKeyPFX == null)
{
X509Certificate2 oldCertificate = await cid.Find(true);
if (oldCertificate != null && oldCertificate.HasPrivateKey)
{
oldCertificate = await cid.LoadPrivateKey(string.Empty);
newCert = CertificateFactory.CreateCertificateWithPrivateKey(newCert, oldCertificate);
await store.Delete(oldCertificate.Thumbprint);
}
else
{
throw new ServiceResultException("Failed to merge signed certificate with the private key.");
}
}
else
{
newCert = new X509Certificate2(privateKeyPFX, string.Empty, X509KeyStorageFlags.Exportable);
newCert = CertificateFactory.Load(newCert, true);
}
await store.Add(newCert);
}
}
else
{
DialogResult result = DialogResult.Yes;
string absoluteCertificatePublicKeyPath = Utils.GetAbsoluteFilePath(m_application.CertificatePublicKeyPath, true, false, false) ?? m_application.CertificatePublicKeyPath;
FileInfo file = new FileInfo(absoluteCertificatePublicKeyPath);
if (file.Exists)
{
result = MessageBox.Show(
Parent,
"Replace certificate " +
absoluteCertificatePublicKeyPath +
"?",
Parent.Text,
MessageBoxButtons.YesNo,
MessageBoxIcon.Exclamation);
}
if (result == DialogResult.Yes)
{
byte[] exportedCert;
if (string.Compare(file.Extension, ".PEM", true) == 0)
{
exportedCert = PEMWriter.ExportCertificateAsPEM(newCert);
}
else
{
exportedCert = newCert.Export(X509ContentType.Cert);
}
File.WriteAllBytes(absoluteCertificatePublicKeyPath, exportedCert);
}
// if we provided a PFX or P12 with the private key, we need to merge the new cert with the private key
if (m_application.GetPrivateKeyFormat(m_server?.GetSupportedKeyFormats()) == "PFX")
{
string absoluteCertificatePrivateKeyPath = Utils.GetAbsoluteFilePath(m_application.CertificatePrivateKeyPath, true, false, false) ?? m_application.CertificatePrivateKeyPath;
file = new FileInfo(absoluteCertificatePrivateKeyPath);
if (file.Exists)
{
result = MessageBox.Show(
Parent,
"Replace private key " +
absoluteCertificatePrivateKeyPath +
"?",
Parent.Text,
MessageBoxButtons.YesNo,
MessageBoxIcon.Exclamation);
}
if (result == DialogResult.Yes)
{
if (file.Exists)
{
byte[] pkcsData = File.ReadAllBytes(absoluteCertificatePrivateKeyPath);
X509Certificate2 oldCertificate = X509PfxUtils.CreateCertificateFromPKCS12(pkcsData, m_certificatePassword);
newCert = CertificateFactory.CreateCertificateWithPrivateKey(newCert, oldCertificate);
pkcsData = newCert.Export(X509ContentType.Pfx, m_certificatePassword);
File.WriteAllBytes(absoluteCertificatePrivateKeyPath, pkcsData);
if (privateKeyPFX != null)
{
throw new ServiceResultException("Did not expect a private key for this operation.");
}
}
else
{
File.WriteAllBytes(absoluteCertificatePrivateKeyPath, privateKeyPFX);
}
}
}
}
// update trust list.
if (!String.IsNullOrEmpty(m_application.TrustListStorePath))
{
using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(m_application.TrustListStorePath))
{
foreach (byte[] issuerCertificate in issuerCertificates)
{
X509Certificate2 x509 = new X509Certificate2(issuerCertificate);
X509Certificate2Collection certs = await store.FindByThumbprint(x509.Thumbprint);
if (certs.Count == 0)
{
await store.Add(new X509Certificate2(issuerCertificate));
}
}
}
}
m_certificate = newCert;
}
else
{
if (privateKeyPFX != null && privateKeyPFX.Length > 0)
{
var x509 = new X509Certificate2(privateKeyPFX, m_certificatePassword, X509KeyStorageFlags.Exportable);
privateKeyPFX = x509.Export(X509ContentType.Pfx);
}
bool applyChanges = m_server.UpdateCertificate(
null,
m_server.ApplicationCertificateType,
certificate,
(privateKeyPFX != null) ? "PFX" : null,
privateKeyPFX,
issuerCertificates);
if (applyChanges)
{
MessageBox.Show(
Parent,
"The certificate was updated, however, the apply changes command must be sent before the server will use the new certificate.",
Parent.Text,
MessageBoxButtons.OK,
MessageBoxIcon.Information);
ApplyChangesButton.Enabled = true;
}
}
CertificateControl.ShowValue(null, "Application Certificate", new CertificateWrapper()
{
Certificate = m_certificate
}, true);
}
catch (Exception exception)
{
if (exception is ServiceResultException sre && sre.StatusCode == StatusCodes.BadNothingToDo)
{
return;
}
RequestProgressLabel.Visible = false;
CertificateRequestTimer.Enabled = false;
Opc.Ua.Client.Controls.ExceptionDlg.Show(Text, exception);
}
}
public void ExportPrivateKeyAsPEM()
{
_ = PEMWriter.ExportPrivateKeyAsPEM(m_certificate);
}
public void ExportCertificateAsPEM()
{
_ = PEMWriter.ExportCertificateAsPEM(m_certificate);
}
