/// <summary>
/// Displays the dialog.
/// </summary>
public bool ShowDialog(CertificateStoreIdentifier defaultStore)
{
// save the default store (used when creating new bindings).
m_defaultStore = defaultStore;
if (m_defaultStore == null)
{
m_defaultStore = new CertificateStoreIdentifier();
m_defaultStore.StoreType = Utils.DefaultStoreType;
m_defaultStore.StorePath = Utils.DefaultStorePath;
}
// populate the grid.
foreach (SslCertificateBinding binding in HttpAccessRule.GetSslCertificateBindings())
{
AddRow(binding);
}
m_dataset.AcceptChanges();
BindingsDV.DataSource = m_dataset.Tables[0].DefaultView;
if (base.ShowDialog() == DialogResult.Cancel)
{
return(false);
}
return(true);
}
/// <summary>
/// Displays the applications in the control.
/// </summary>
internal void Initialize()
{
ItemsLV.Items.Clear();
try
{
IList <HttpAccessRule> accessRules = HttpAccessRule.GetAccessRules(null);
if (accessRules == null || accessRules.Count == 0)
{
Instructions = "No HTTP access rules defined.";
AdjustColumns();
return;
}
// display the list.
foreach (HttpAccessRule accessRule in accessRules)
{
AddItem(accessRule);
}
AdjustColumns();
}
catch (Exception e)
{
Instructions = e.Message;
AdjustColumns();
}
}
private void DeleteBindingMI_Click(object sender, EventArgs e)
{
try
{
if (BindingsDV.SelectedRows.Count == 0)
{
return;
}
if (Ask("Are you sure you want to delete these bindings?"))
{
foreach (DataGridViewRow row in BindingsDV.SelectedRows)
{
DataRowView source = row.DataBoundItem as DataRowView;
SslCertificateBinding binding = (SslCertificateBinding)source.Row[4];
HttpAccessRule.DeleteSslCertificateBinding(binding.IPAddress, binding.Port);
}
m_dataset.Tables[0].Clear();
// repopulate the grid.
foreach (SslCertificateBinding binding in HttpAccessRule.GetSslCertificateBindings())
{
AddRow(binding);
}
m_dataset.AcceptChanges();
BindingsDV.DataSource = m_dataset.Tables[0].DefaultView;
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Extracts the access rules from the SDDL string.
/// </summary>
private static void ParseSddl(string url, string sddl, List <HttpAccessRule> accessRules)
{
IList <AccessControlEntity> entities = AccessControlEntity.Parse(sddl);
for (int ii = 0; ii < entities.Count; ii++)
{
AccessControlEntity entity = entities[ii];
if (entity.AccessType != "A")
{
continue;
}
ApplicationAccessRight rights = ApplicationAccessRight.None;
switch (entity.Rights)
{
case "GA":
case "GXGW":
case "GWGX":
{
rights = ApplicationAccessRight.Configure;
break;
}
case "GX":
{
rights = ApplicationAccessRight.Run;
break;
}
}
if (rights == ApplicationAccessRight.None)
{
continue;
}
string accountName = ApplicationAccessRule.SidToAccountName(entity.AccountSid);
if (String.IsNullOrEmpty(accountName))
{
continue;
}
HttpAccessRule rule = new HttpAccessRule();
rule.UrlPrefix = url;
rule.Right = rights;
rule.IdentityName = accountName;
accessRules.Add(rule);
}
}
/// <summary>
/// Updates an item in the view.
/// </summary>
protected override void UpdateItem(ListViewItem listItem, object item)
{
HttpAccessRule value = item as HttpAccessRule;
if (value == null)
{
base.UpdateItem(listItem, item);
return;
}
listItem.SubItems[0].Text = value.UrlPrefix;
listItem.SubItems[1].Text = value.IdentityName;
listItem.SubItems[2].Text = value.Right.ToString();
listItem.ImageKey = GuiUtils.Icons.Method;
listItem.Tag = item;
}
/// <summary>
/// Sets the application access rules for the specified URL (replaces the hostname with a wildcard).
/// </summary>
public static void SetAccessRules(Uri url, IList <ApplicationAccessRule> accessRules, bool replaceExisting)
{
StringBuilder wildcard = new StringBuilder();
wildcard.Append(url.Scheme);
wildcard.Append("://+:");
wildcard.Append(url.Port);
wildcard.Append(url.PathAndQuery);
List <HttpAccessRule> httpRules = new List <HttpAccessRule>();
foreach (ApplicationAccessRule accessRule in accessRules)
{
// urls do not support deny rules.
if (accessRule.RuleType == AccessControlType.Deny)
{
continue;
}
string identityName = accessRule.IdentityName;
if (accessRule.IdentityName.StartsWith("S-"))
{
identityName = ApplicationAccessRule.SidToAccountName(accessRule.IdentityName);
if (identityName == null)
{
Utils.Trace("Could not translate SID: {0}", accessRule.IdentityName);
continue;
}
}
HttpAccessRule httpRule = new HttpAccessRule();
httpRule.Right = accessRule.Right;
httpRule.IdentityName = identityName;
httpRules.Add(httpRule);
}
SetAccessRules(wildcard.ToString(), httpRules, replaceExisting);
}
/// <summary>
/// Extracts the access rules from the SDDL string.
/// </summary>
private static void ParseSddl(string url, string sddl, List<HttpAccessRule> accessRules)
{
IList<AccessControlEntity> entities = AccessControlEntity.Parse(sddl);
for (int ii = 0; ii < entities.Count; ii++)
{
AccessControlEntity entity = entities[ii];
if (entity.AccessType != "A")
{
continue;
}
ApplicationAccessRight rights = ApplicationAccessRight.None;
switch (entity.Rights)
{
case "GA":
case "GXGW":
case "GWGX":
{
rights = ApplicationAccessRight.Configure;
break;
}
case "GX":
{
rights = ApplicationAccessRight.Run;
break;
}
}
if (rights == ApplicationAccessRight.None)
{
continue;
}
string accountName = ApplicationAccessRule.SidToAccountName(entity.AccountSid);
if (String.IsNullOrEmpty(accountName))
{
continue;
}
HttpAccessRule rule = new HttpAccessRule();
rule.UrlPrefix = url;
rule.Right = rights;
rule.IdentityName = accountName;
accessRules.Add(rule);
}
}
/// <summary>
/// Sets the application access rules for the specified URL (replaces the hostname with a wildcard).
/// </summary>
public static void SetAccessRules(Uri url, IList<ApplicationAccessRule> accessRules, bool replaceExisting)
{
StringBuilder wildcard = new StringBuilder();
wildcard.Append(url.Scheme);
wildcard.Append("://+:");
wildcard.Append(url.Port);
wildcard.Append(url.PathAndQuery);
List<HttpAccessRule> httpRules = new List<HttpAccessRule>();
foreach (ApplicationAccessRule accessRule in accessRules)
{
// urls do not support deny rules.
if (accessRule.RuleType == AccessControlType.Deny)
{
continue;
}
string identityName = accessRule.IdentityName;
if (accessRule.IdentityName.StartsWith("S-"))
{
identityName = ApplicationAccessRule.SidToAccountName(accessRule.IdentityName);
if (identityName == null)
{
Utils.Trace("Could not translate SID: {0}", accessRule.IdentityName);
continue;
}
}
HttpAccessRule httpRule = new HttpAccessRule();
httpRule.Right = accessRule.Right;
httpRule.IdentityName = identityName;
httpRules.Add(httpRule);
}
SetAccessRules(wildcard.ToString(), httpRules, replaceExisting);
}
private void DeleteMI_Click(object sender, EventArgs e)
{
try
{
if (ItemsLV.SelectedItems.Count < 1)
{
return;
}
DialogResult result = MessageBox.Show(
"Are you sure you wish to delete the rules from the list?",
"Delete Certificate",
MessageBoxButtons.YesNo,
MessageBoxIcon.Exclamation);
if (result != DialogResult.Yes)
{
return;
}
// remove the items.
Dictionary <string, List <HttpAccessRule> > rulesToDelete = new Dictionary <string, List <HttpAccessRule> >();
while (ItemsLV.SelectedItems.Count > 0)
{
HttpAccessRule rule = ItemsLV.SelectedItems[0].Tag as HttpAccessRule;
List <HttpAccessRule> rules = null;
if (!rulesToDelete.TryGetValue(rule.UrlPrefix, out rules))
{
rulesToDelete[rule.UrlPrefix] = rules = new List <HttpAccessRule>();
}
rules.Add(rule);
ItemsLV.SelectedItems[0].Remove();
}
// delete rules.
foreach (KeyValuePair <string, List <HttpAccessRule> > pair in rulesToDelete)
{
IList <HttpAccessRule> existingRules = HttpAccessRule.GetAccessRules(pair.Key);
List <HttpAccessRule> remainingRules = new List <HttpAccessRule>();
for (int ii = 0; ii < existingRules.Count; ii++)
{
HttpAccessRule existingRule = existingRules[ii];
bool found = false;
for (int jj = 0; jj < pair.Value.Count; jj++)
{
HttpAccessRule ruleToDelete = pair.Value[jj];
if (ruleToDelete.IdentityName == existingRule.IdentityName)
{
continue;
}
if (ruleToDelete.Right == existingRule.Right)
{
continue;
}
found = true;
break;
}
if (!found)
{
remainingRules.Add(existingRule);
}
}
HttpAccessRule.SetAccessRules(pair.Key, remainingRules, true);
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Sets the permissions to match the template on the specified directory.
/// </summary>
public void SetPermissions(string template, Uri url, bool exactMatch)
{
if (url == null)
{
throw new ArgumentException("Target URI is not valid.", "target");
}
string filePath = Utils.GetAbsoluteFilePath(m_directory.FullName + "\\" + template + m_FileExtension, false, false, false);
// nothing more to do if no file.
if (filePath == null)
{
return;
}
string urlMask = null;
if (!exactMatch)
{
urlMask = url.Scheme;
urlMask += "://+:";
urlMask += url.Port;
urlMask += url.PathAndQuery;
if (!urlMask.EndsWith("/"))
{
urlMask += "/";
}
}
else
{
urlMask = url.ToString();
}
FileInfo templateFile = new FileInfo(filePath);
FileSecurity security1 = templateFile.GetAccessControl(AccessControlSections.Access);
List<HttpAccessRule> httpRules = new List<HttpAccessRule>();
foreach (AuthorizationRule rule in security1.GetAccessRules(true, true, typeof(NTAccount)))
{
FileSystemAccessRule fsr = rule as FileSystemAccessRule;
if (fsr != null)
{
HttpAccessRule httpRule = new HttpAccessRule();
httpRule.UrlPrefix = urlMask;
httpRule.IdentityName = fsr.IdentityReference.Translate(typeof(NTAccount)).ToString();
httpRules.Add(httpRule);
if ((fsr.FileSystemRights & FileSystemRights.ChangePermissions) != 0)
{
httpRule.Right = ApplicationAccessRight.Configure;
}
else if ((fsr.FileSystemRights & FileSystemRights.WriteData) != 0)
{
httpRule.Right = ApplicationAccessRight.Update;
}
else if ((fsr.FileSystemRights & FileSystemRights.ReadData) != 0)
{
httpRule.Right = ApplicationAccessRight.Run;
}
}
}
HttpAccessRule.SetAccessRules(urlMask, httpRules, true);
}
private void OkBTN_Click(object sender, EventArgs e)
{
try
{
IPAddress address = IPAddress.Parse(IPAddressTB.Text);
ushort port = (ushort)PortUD.Value;
if (m_certificate == null)
{
throw new ArgumentException("You must specify a certificate.");
}
X509Certificate2 certificate = m_certificate.Find(true);
if (certificate == null)
{
throw new ArgumentException("Certificate does not exist or has no private key.");
}
// setup policy chain
X509ChainPolicy policy = new X509ChainPolicy();
policy.RevocationFlag = X509RevocationFlag.EntireChain;
policy.RevocationMode = X509RevocationMode.Offline;
policy.VerificationFlags = X509VerificationFlags.NoFlag;
policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown;
policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown;
policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown;
// build chain.
X509Chain chain = new X509Chain();
chain.ChainPolicy = policy;
chain.Build(certificate);
for (int ii = 0; ii < chain.ChainElements.Count; ii++)
{
X509ChainElement element = chain.ChainElements[ii];
// check for chain status errors.
foreach (X509ChainStatus status in element.ChainElementStatus)
{
if (status.Status == X509ChainStatusFlags.UntrustedRoot)
{
if (!Ask("Cannot verify certificate up to a trusted root.\r\nAdd anyways?"))
{
return;
}
continue;
}
if (status.Status == X509ChainStatusFlags.RevocationStatusUnknown)
{
if (!Ask("The revocation status of this certificate cannot be verified.\r\nAdd anyways?"))
{
return;
}
continue;
}
// ignore informational messages.
if (status.Status == X509ChainStatusFlags.OfflineRevocation)
{
continue;
}
if (status.Status != X509ChainStatusFlags.NoError)
{
throw new ArgumentException("[" + status.Status + "] " + status.StatusInformation);
}
}
}
// get the target store.
if (m_store == null)
{
m_store = new CertificateStoreIdentifier();
m_store.StoreType = CertificateStoreType.Windows;
m_store.StorePath = CertificateStoreTB.Text;
}
if (m_store.StoreType != CertificateStoreType.Windows)
{
throw new ArgumentException("You must choose a Windows store for SSL certificates.");
}
if (!m_store.StorePath.StartsWith("LocalMachine\\", StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentException("You must choose a machine store for SSL certificates.");
}
bool deleteExisting = false;
using (ICertificateStore store = m_store.OpenStore())
{
if (store.FindByThumbprint(certificate.Thumbprint) == null)
{
store.Add(certificate);
deleteExisting = true;
}
}
if (deleteExisting)
{
if (Ask("Would you like to delete the certificate from its current location?"))
{
using (ICertificateStore store = m_certificate.OpenStore())
{
store.Delete(certificate.Thumbprint);
}
}
}
SslCertificateBinding binding = new SslCertificateBinding();
binding.IPAddress = address;
binding.Port = port;
binding.Thumbprint = certificate.Thumbprint;
binding.ApplicationId = s_DefaultApplicationId;
binding.StoreName = null;
if (!m_store.StorePath.EndsWith("\\My"))
{
int index = m_store.StorePath.LastIndexOf("\\");
binding.StoreName = m_store.StorePath.Substring(index + 1);
}
HttpAccessRule.SetSslCertificateBinding(binding);
m_binding = binding;
DialogResult = DialogResult.OK;
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Uninstalls a UA application.
/// </summary>
public static async Task UninstallApplication(InstalledApplication application)
{
// validate the executable file.
string executableFile = Utils.GetAbsoluteFilePath(application.ExecutableFile, true, true, false);
// get the default application name from the executable file.
FileInfo executableFileInfo = new FileInfo(executableFile);
string applicationName = executableFileInfo.Name.Substring(0, executableFileInfo.Name.Length - 4);
// choose a default configuration file.
if (String.IsNullOrEmpty(application.ConfigurationFile))
{
application.ConfigurationFile = Utils.Format(
"{0}\\{1}.Config.xml",
executableFileInfo.DirectoryName,
applicationName);
}
// validate the configuration file.
string configurationFile = Utils.GetAbsoluteFilePath(application.ConfigurationFile, true, false, false);
if (configurationFile != null)
{
// load the current configuration.
Opc.Ua.Security.SecuredApplication security = new Opc.Ua.Security.SecurityConfigurationManager().ReadConfiguration(configurationFile);
// delete the application certificates.
if (application.DeleteCertificatesOnUninstall)
{
CertificateIdentifier id = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(security.ApplicationCertificate);
// delete public key from trusted peers certificate store.
try
{
CertificateStoreIdentifier certificateStore = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(security.TrustedCertificateStore);
using (ICertificateStore store = certificateStore.OpenStore())
{
X509Certificate2Collection peerCertificates = await store.FindByThumbprint(id.Thumbprint);
if (peerCertificates.Count > 0)
{
await store.Delete(peerCertificates[0].Thumbprint);
}
}
}
catch (Exception e)
{
Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
}
// delete private key from application certificate store.
try
{
using (ICertificateStore store = id.OpenStore())
{
await store.Delete(id.Thumbprint);
}
}
catch (Exception e)
{
Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
}
// permentently delete any UA defined stores if they are now empty.
try
{
WindowsCertificateStore store = new WindowsCertificateStore();
await store.Open("LocalMachine\\UA Applications");
X509Certificate2Collection collection = await store.Enumerate();
if (collection.Count == 0)
{
store.PermanentlyDeleteStore();
}
}
catch (Exception e)
{
Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
}
}
// remove the permissions for the HTTP endpoints used by the application.
if (application.BaseAddresses != null && application.BaseAddresses.Count > 0)
{
List <ApplicationAccessRule> noRules = new List <ApplicationAccessRule>();
for (int ii = 0; ii < application.BaseAddresses.Count; ii++)
{
Uri url = Utils.ParseUri(application.BaseAddresses[ii]);
if (url != null)
{
try
{
HttpAccessRule.SetAccessRules(url, noRules, true);
Utils.Trace("Removed HTTP access rules for URL: {0}", url);
}
catch (Exception e)
{
Utils.Trace("Could not remove HTTP access rules for URL: {0}. Error={1}", url, e.Message);
}
}
}
}
}
}
/// <summary>
/// Installs a UA application.
/// </summary>
public static async Task InstallApplication(
InstalledApplication application,
bool autostart,
bool configureFirewall)
{
// validate the executable file.
string executableFile = Utils.GetAbsoluteFilePath(application.ExecutableFile, true, true, false);
// get the default application name from the executable file.
FileInfo executableFileInfo = new FileInfo(executableFile);
string applicationName = executableFileInfo.Name.Substring(0, executableFileInfo.Name.Length - 4);
// choose a default configuration file.
if (String.IsNullOrEmpty(application.ConfigurationFile))
{
application.ConfigurationFile = Utils.Format(
"{0}\\{1}.Config.xml",
executableFileInfo.DirectoryName,
applicationName);
}
// validate the configuration file.
string configurationFile = Utils.GetAbsoluteFilePath(application.ConfigurationFile, true, false, false);
// create a new file if one does not exist.
bool useExisting = true;
if (configurationFile == null)
{
configurationFile = Utils.GetAbsoluteFilePath(application.ConfigurationFile, true, true, true);
useExisting = false;
}
// create the default configuration file.
if (useExisting)
{
try
{
Opc.Ua.Security.SecuredApplication existingSettings = new Opc.Ua.Security.SecurityConfigurationManager().ReadConfiguration(configurationFile);
// copy current settings
application.ApplicationType = existingSettings.ApplicationType;
application.BaseAddresses = existingSettings.BaseAddresses;
application.ApplicationCertificate = existingSettings.ApplicationCertificate;
application.ApplicationName = existingSettings.ApplicationName;
application.ProductName = existingSettings.ProductName;
application.RejectedCertificatesStore = existingSettings.RejectedCertificatesStore;
application.TrustedCertificateStore = existingSettings.TrustedCertificateStore;
application.TrustedCertificates = existingSettings.TrustedCertificates;
application.IssuerCertificateStore = existingSettings.IssuerCertificateStore;
application.IssuerCertificates = application.IssuerCertificates;
application.UseDefaultCertificateStores = false;
}
catch (Exception e)
{
useExisting = false;
Utils.Trace("WARNING. Existing configuration file could not be loaded: {0}.\r\nReplacing with default: {1}", e.Message, configurationFile);
File.Copy(configurationFile, configurationFile + ".bak", true);
}
}
// create the configuration file from the default.
if (!useExisting)
{
try
{
string installationFile = Utils.Format(
"{0}\\Install\\{1}.Config.xml",
executableFileInfo.Directory.Parent.FullName,
applicationName);
if (!File.Exists(installationFile))
{
Utils.Trace("Could not find default configuation at: {0}", installationFile);
}
File.Copy(installationFile, configurationFile, true);
Utils.Trace("File.Copy({0}, {1})", installationFile, configurationFile);
}
catch (Exception e)
{
Utils.Trace("Could not copy default configuation to: {0}. Error={1}.", configurationFile, e.Message);
}
}
// create a default application name.
if (String.IsNullOrEmpty(application.ApplicationName))
{
application.ApplicationName = applicationName;
}
// create a default product name.
if (String.IsNullOrEmpty(application.ProductName))
{
application.ProductName = application.ApplicationName;
}
// create a default uri.
if (String.IsNullOrEmpty(application.ApplicationUri))
{
application.ApplicationUri = Utils.Format("http://localhost/{0}/{1}", applicationName, Guid.NewGuid());
}
// make the uri specify the local machine.
application.ApplicationUri = Utils.ReplaceLocalhost(application.ApplicationUri);
// set a default application store.
if (application.ApplicationCertificate == null)
{
application.ApplicationCertificate = new Opc.Ua.Security.CertificateIdentifier();
application.ApplicationCertificate.StoreType = Utils.DefaultStoreType;
application.ApplicationCertificate.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\MachineDefault";
}
if (application.UseDefaultCertificateStores)
{
if (application.IssuerCertificateStore == null)
{
application.IssuerCertificateStore = new Opc.Ua.Security.CertificateStoreIdentifier();
application.IssuerCertificateStore.StoreType = Utils.DefaultStoreType;
application.IssuerCertificateStore.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\MachineDefault";
}
if (application.TrustedCertificateStore == null)
{
application.TrustedCertificateStore = new Opc.Ua.Security.CertificateStoreIdentifier();
application.TrustedCertificateStore.StoreType = Utils.DefaultStoreType;
application.TrustedCertificateStore.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\MachineDefault";
}
try
{
Utils.GetAbsoluteDirectoryPath(application.TrustedCertificateStore.StorePath, true, true, true);
}
catch (Exception e)
{
Utils.Trace("Could not access the machine directory: {0} '{1}'", application.RejectedCertificatesStore.StorePath, e);
}
if (application.RejectedCertificatesStore == null)
{
application.RejectedCertificatesStore = new Opc.Ua.Security.CertificateStoreIdentifier();
application.RejectedCertificatesStore.StoreType = CertificateStoreType.Directory;
application.RejectedCertificatesStore.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\RejectedCertificates";
StringBuilder buffer = new StringBuilder();
buffer.Append(ApplicationData.Current.LocalFolder.Path);
buffer.Append("\\OPC Foundation");
buffer.Append("\\RejectedCertificates");
string folderPath = buffer.ToString();
if (!Directory.Exists(folderPath))
{
Directory.CreateDirectory(folderPath);
}
}
}
// check for valid certificate (discard invalid certificates).
CertificateIdentifier applicationCertificate = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(application.ApplicationCertificate);
X509Certificate2 certificate = await applicationCertificate.Find(true);
if (certificate == null)
{
certificate = await applicationCertificate.Find(false);
if (certificate != null)
{
Utils.Trace(
"Found existing certificate but it does not have a private key: Store={0}, Certificate={1}",
application.ApplicationCertificate.StorePath,
application.ApplicationCertificate);
}
else
{
Utils.Trace(
"Existing certificate could not be found: Store={0}, Certificate={1}",
application.ApplicationCertificate.StorePath,
application.ApplicationCertificate);
}
}
// check if no certificate exists.
if (certificate == null)
{
certificate = await CreateCertificateForApplication(application);
}
// ensure the application certificate is in the trusted peers store.
try
{
CertificateStoreIdentifier certificateStore = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(application.TrustedCertificateStore);
using (ICertificateStore store = certificateStore.OpenStore())
{
X509Certificate2Collection peerCertificates = await store.FindByThumbprint(certificate.Thumbprint);
if (peerCertificates.Count == 0)
{
await store.Add(new X509Certificate2(certificate.RawData));
}
}
}
catch (Exception e)
{
Utils.Trace(
"Could not add certificate '{0}' to trusted peer store '{1}'. Error={2}",
certificate.Subject,
application.TrustedCertificateStore,
e.Message);
}
// update configuration file location.
UpdateConfigurationLocation(executableFile, configurationFile);
// update configuration file.
new Opc.Ua.Security.SecurityConfigurationManager().WriteConfiguration(configurationFile, application);
ApplicationAccessRuleCollection accessRules = application.AccessRules;
bool noRulesDefined = application.AccessRules == null || application.AccessRules.Count == 0;
// add the default access rules.
if (noRulesDefined)
{
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.IdentityName = WellKnownSids.Administrators;
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Configure;
accessRules.Add(rule);
rule = new ApplicationAccessRule();
rule.IdentityName = WellKnownSids.Users;
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Update;
accessRules.Add(rule);
}
// ensure the service account has priviledges.
if (application.InstallAsService)
{
// check if a specific account is assigned.
AccountInfo accountInfo = null;
if (!String.IsNullOrEmpty(application.ServiceUserName))
{
accountInfo = AccountInfo.Create(application.ServiceUserName);
}
// choose a built-in service account.
if (accountInfo == null)
{
accountInfo = AccountInfo.Create(WellKnownSids.NetworkService);
if (accountInfo == null)
{
accountInfo = AccountInfo.Create(WellKnownSids.LocalSystem);
}
}
ApplicationAccessRule rule = new ApplicationAccessRule();
rule.IdentityName = accountInfo.ToString();
rule.RuleType = AccessControlType.Allow;
rule.Right = ApplicationAccessRight.Run;
accessRules.Add(rule);
}
// set the permissions for the HTTP endpoints used by the application.
if (configureFirewall && application.BaseAddresses != null && application.BaseAddresses.Count > 0)
{
for (int ii = 0; ii < application.BaseAddresses.Count; ii++)
{
Uri url = Utils.ParseUri(application.BaseAddresses[ii]);
if (url != null)
{
try
{
HttpAccessRule.SetAccessRules(url, accessRules, true);
Utils.Trace("Added HTTP access rules for URL: {0}", url);
}
catch (Exception e)
{
Utils.Trace("Could not set HTTP access rules for URL: {0}. Error={1}", url, e.Message);
for (int jj = 0; jj < accessRules.Count; jj++)
{
ApplicationAccessRule rule = accessRules[jj];
Utils.Trace(
(int)Utils.TraceMasks.Error,
"IdentityName={0}, Right={1}, RuleType={2}",
rule.IdentityName,
rule.Right,
rule.RuleType);
}
}
}
}
}
// set permissions on the local certificate store.
SetCertificatePermissions(
application,
applicationCertificate,
accessRules,
false);
// set permissions on the local certificate store.
if (application.RejectedCertificatesStore != null)
{
// need to grant full control to certificates in the RejectedCertificatesStore.
foreach (ApplicationAccessRule rule in accessRules)
{
if (rule.RuleType == AccessControlType.Allow)
{
rule.Right = ApplicationAccessRight.Configure;
}
}
CertificateStoreIdentifier rejectedCertificates = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(application.RejectedCertificatesStore);
using (ICertificateStore store = rejectedCertificates.OpenStore())
{
if (store.SupportsAccessControl)
{
store.SetAccessRules(accessRules, false);
}
}
}
}
