/// <summary>
/// Displays the applications in the control.
/// </summary>
internal void Initialize(CertificateIdentifierCollection certificates)
{
ItemsLV.Items.Clear();
m_certificates = certificates;
if (m_certificates == null || m_certificates.Count == 0)
{
Instructions = "No certificates are in the store.";
AdjustColumns();
return;
}
// display the list.
foreach (CertificateIdentifier certificate in certificates)
{
AddItem(certificate);
}
// save the unfiltered list.
m_items = new List <ListViewItem>(ItemsLV.Items.Count);
foreach (ListViewItem item in ItemsLV.Items)
{
m_items.Add(item);
}
AdjustColumns();
}
public static void VerifyApplicationCertIntegrity(
X509Certificate2 newCert,
byte[] privateKey,
string privateKeyPassword,
string privateKeyFormat,
X509Certificate2Collection issuerCertificates)
{
Assert.NotNull(newCert);
if (privateKey != null)
{
X509Certificate2 newPrivateKeyCert = null;
if (privateKeyFormat == "PFX")
{
newPrivateKeyCert = CertificateFactory.CreateCertificateFromPKCS12(privateKey, privateKeyPassword);
}
else if (privateKeyFormat == "PEM")
{
newPrivateKeyCert = CertificateFactory.CreateCertificateWithPEMPrivateKey(newCert, privateKey, privateKeyPassword);
}
else
{
Assert.True(false, "Invalid private key format");
}
Assert.NotNull(newPrivateKeyCert);
// verify the public cert matches the private key
Assert.True(CertificateFactory.VerifyRSAKeyPair(newCert, newPrivateKeyCert, true));
Assert.True(CertificateFactory.VerifyRSAKeyPair(newPrivateKeyCert, newPrivateKeyCert, true));
}
CertificateIdentifierCollection issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var issuerCert in issuerCertificates)
{
issuerCertIdCollection.Add(new CertificateIdentifier(issuerCert));
}
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateTrustList trustedStore = new CertificateTrustList();
trustedStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(trustedStore, issuerStore, null);
Assert.Throws <Opc.Ua.ServiceResultException>(() =>
{
certValidator.Validate(newCert);
});
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(newCert);
}
public static void VerifyApplicationCertIntegrity(byte[] certificate, byte[] privateKey, string privateKeyPassword, string privateKeyFormat, byte[][] issuerCertificates)
{
X509Certificate2 newCert = new X509Certificate2(certificate);
Assert.IsNotNull(newCert);
X509Certificate2 newPrivateKeyCert = null;
if (privateKeyFormat == "PFX")
{
newPrivateKeyCert = X509Utils.CreateCertificateFromPKCS12(privateKey, privateKeyPassword);
}
else if (privateKeyFormat == "PEM")
{
newPrivateKeyCert = CertificateFactory.CreateCertificateWithPEMPrivateKey(newCert, privateKey, privateKeyPassword);
}
else
{
Assert.Fail("Invalid private key format");
}
Assert.IsNotNull(newPrivateKeyCert);
// verify the public cert matches the private key
Assert.IsTrue(X509Utils.VerifyRSAKeyPair(newCert, newPrivateKeyCert, true));
Assert.IsTrue(X509Utils.VerifyRSAKeyPair(newPrivateKeyCert, newPrivateKeyCert, true));
CertificateIdentifierCollection issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var issuer in issuerCertificates)
{
var issuerCert = new X509Certificate2(issuer);
Assert.IsNotNull(issuerCert);
issuerCertIdCollection.Add(new CertificateIdentifier(issuerCert));
}
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateTrustList trustedStore = new CertificateTrustList();
trustedStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(trustedStore, issuerStore, null);
Assert.That(() => {
certValidator.Validate(newCert);
}, Throws.Exception);
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(newCert);
}
public static void VerifyApplicationCertIntegrity(
X509Certificate2 newCert,
Key privateKey,
X509Certificate2Collection issuerCertificates)
{
Assert.NotNull(newCert);
Assert.True(privateKey.HasPrivateKey());
if (privateKey != null)
{
using (var newPrivateKeyCert = new X509Certificate2(newCert.RawData)
{
PrivateKey = privateKey.ToRSA()
}) {
Assert.True(newPrivateKeyCert.HasPrivateKey);
Assert.NotNull(newPrivateKeyCert);
Assert.True(newPrivateKeyCert.HasPrivateKey);
// verify the public cert matches the private key
Assert.True(CertificateFactory.VerifyRSAKeyPair(newCert, newPrivateKeyCert, true));
Assert.True(CertificateFactory.VerifyRSAKeyPair(newPrivateKeyCert, newPrivateKeyCert, true));
}
}
var issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var issuerCert in issuerCertificates)
{
issuerCertIdCollection.Add(new CertificateIdentifier(issuerCert));
}
// verify cert with issuer chain
var certValidator = new CertificateValidator();
var issuerStore = new CertificateTrustList();
var trustedStore = new CertificateTrustList {
TrustedCertificates = issuerCertIdCollection
};
certValidator.Update(trustedStore, issuerStore, null);
Assert.Throws <ServiceResultException>(() => certValidator.Validate(newCert));
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(newCert);
}
private ServiceResult UpdateCertificate(
ISystemContext context,
MethodState method,
NodeId objectId,
NodeId certificateGroupId,
NodeId certificateTypeId,
byte[] certificate,
byte[][] issuerCertificates,
string privateKeyFormat,
byte[] privateKey,
ref bool applyChangesRequired)
{
HasApplicationSecureAdminAccess(context);
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
privateKeyFormat = privateKeyFormat?.ToUpper();
if (!(String.IsNullOrEmpty(privateKeyFormat) || privateKeyFormat == "PEM" || privateKeyFormat == "PFX"))
{
throw new ServiceResultException(StatusCodes.BadNotSupported, "The private key format is not supported.");
}
ServerCertificateGroup certificateGroup = VerifyGroupAndTypeId(certificateGroupId, certificateTypeId);
certificateGroup.UpdateCertificate = null;
X509Certificate2Collection newIssuerCollection = new X509Certificate2Collection();
X509Certificate2 newCert;
try
{
// build issuer chain
if (issuerCertificates != null)
{
foreach (byte[] issuerRawCert in issuerCertificates)
{
var newIssuerCert = new X509Certificate2(issuerRawCert);
newIssuerCollection.Add(newIssuerCert);
}
}
newCert = new X509Certificate2(certificate);
}
catch
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Certificate data is invalid.");
}
// validate new subject matches the previous subject
if (!X509Utils.CompareDistinguishedName(certificateGroup.ApplicationCertificate.SubjectName, newCert.SubjectName.Name))
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Subject Name of new certificate doesn't match the application.");
}
// self signed
bool selfSigned = X509Utils.CompareDistinguishedName(newCert.Subject, newCert.Issuer);
if (selfSigned && newIssuerCollection.Count != 0)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Issuer list not empty for self signed certificate.");
}
if (!selfSigned)
{
try
{
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateIdentifierCollection issuerCollection = new CertificateIdentifierCollection();
foreach (var issuerCert in newIssuerCollection)
{
issuerCollection.Add(new CertificateIdentifier(issuerCert));
}
issuerStore.TrustedCertificates = issuerCollection;
certValidator.Update(issuerStore, issuerStore, null);
certValidator.Validate(newCert);
}
catch
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to verify integrity of the new certificate and the issuer list.");
}
}
var updateCertificate = new UpdateCertificateData();
try
{
var passwordProvider = m_configuration.SecurityConfiguration.CertificatePasswordProvider;
switch (privateKeyFormat)
{
case null:
case "":
{
X509Certificate2 certWithPrivateKey = certificateGroup.ApplicationCertificate.LoadPrivateKeyEx(passwordProvider).Result;
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPrivateKey(newCert, certWithPrivateKey);
break;
}
case "PFX":
{
X509Certificate2 certWithPrivateKey = X509Utils.CreateCertificateFromPKCS12(privateKey, passwordProvider?.GetPassword(certificateGroup.ApplicationCertificate));
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPrivateKey(newCert, certWithPrivateKey);
break;
}
case "PEM":
{
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPEMPrivateKey(newCert, privateKey, passwordProvider?.GetPassword(certificateGroup.ApplicationCertificate));
break;
}
}
updateCertificate.IssuerCollection = newIssuerCollection;
updateCertificate.SessionId = context.SessionId;
}
catch
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to verify integrity of the new certificate and the private key.");
}
certificateGroup.UpdateCertificate = updateCertificate;
applyChangesRequired = true;
if (updateCertificate != null)
{
try
{
using (ICertificateStore appStore = certificateGroup.ApplicationCertificate.OpenStore())
{
Utils.LogCertificate(Utils.TraceMasks.Security, "Delete application certificate: ", certificateGroup.ApplicationCertificate.Certificate);
appStore.Delete(certificateGroup.ApplicationCertificate.Thumbprint).Wait();
Utils.LogCertificate(Utils.TraceMasks.Security, "Add new application certificate: ", updateCertificate.CertificateWithPrivateKey);
var passwordProvider = m_configuration.SecurityConfiguration.CertificatePasswordProvider;
appStore.Add(updateCertificate.CertificateWithPrivateKey, passwordProvider?.GetPassword(certificateGroup.ApplicationCertificate)).Wait();
// keep only track of cert without private key
var certOnly = new X509Certificate2(updateCertificate.CertificateWithPrivateKey.RawData);
updateCertificate.CertificateWithPrivateKey.Dispose();
updateCertificate.CertificateWithPrivateKey = certOnly;
}
using (ICertificateStore issuerStore = CertificateStoreIdentifier.OpenStore(certificateGroup.IssuerStorePath))
{
foreach (var issuer in updateCertificate.IssuerCollection)
{
try
{
Utils.LogCertificate(Utils.TraceMasks.Security, "Add new issuer certificate: ", issuer);
issuerStore.Add(issuer).Wait();
}
catch (ArgumentException)
{
// ignore error if issuer cert already exists
}
}
}
}
catch (Exception ex)
{
Utils.LogError(Utils.TraceMasks.Security, ServiceResult.BuildExceptionTrace(ex));
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to update certificate.", ex);
}
}
return(ServiceResult.Good);
}
private ServiceResult UpdateCertificate(
ISystemContext context,
MethodState method,
NodeId objectId,
NodeId certificateGroupId,
NodeId certificateTypeId,
byte[] certificate,
byte[][] issuerCertificates,
string privateKeyFormat,
byte[] privateKey,
ref bool applyChangesRequired)
{
HasApplicationSecureAdminAccess(context);
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
privateKeyFormat = privateKeyFormat?.ToUpper();
if (!(String.IsNullOrEmpty(privateKeyFormat) || privateKeyFormat == "PEM" || privateKeyFormat == "PFX"))
{
throw new ServiceResultException(StatusCodes.BadNotSupported, "The private key format is not supported.");
}
ServerCertificateGroup certificateGroup = VerifyGroupAndTypeId(certificateGroupId, certificateTypeId);
certificateGroup.UpdateCertificate = null;
X509Certificate2Collection newIssuerCollection = new X509Certificate2Collection();
X509Certificate2 newCert;
try
{
// build issuer chain
if (issuerCertificates != null)
{
foreach (byte[] issuerRawCert in issuerCertificates)
{
var newIssuerCert = new X509Certificate2(issuerRawCert);
newIssuerCollection.Add(newIssuerCert);
}
}
newCert = new X509Certificate2(certificate);
}
catch
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Certificate data is invalid.");
}
// load existing application cert and private key
if (!Utils.CompareDistinguishedName(certificateGroup.ApplicationCertificate.SubjectName, newCert.SubjectName.Name))
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Subject Name of new certificate doesn't match the application.");
}
// self signed
bool selfSigned = Utils.CompareDistinguishedName(newCert.Subject, newCert.Issuer);
if (selfSigned && newIssuerCollection.Count != 0)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Issuer list not empty for self signed certificate.");
}
if (!selfSigned)
{
try
{
// verify cert with issuer chain
CertificateValidator certValidator = new CertificateValidator();
CertificateTrustList issuerStore = new CertificateTrustList();
CertificateIdentifierCollection issuerCollection = new CertificateIdentifierCollection();
foreach (var issuerCert in newIssuerCollection)
{
issuerCollection.Add(new CertificateIdentifier(issuerCert));
}
issuerStore.TrustedCertificates = issuerCollection;
certValidator.Update(issuerStore, issuerStore, null);
certValidator.Validate(newCert);
}
catch
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to verify integrity of the new certificate and the issuer list.");
}
}
var updateCertificate = new UpdateCertificateData();
try
{
string password = String.Empty;
switch (privateKeyFormat)
{
case null:
case "":
{
X509Certificate2 certWithPrivateKey = certificateGroup.ApplicationCertificate.LoadPrivateKey(password).Result;
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPrivateKey(newCert, certWithPrivateKey);
break;
}
case "PFX":
{
X509Certificate2 certWithPrivateKey = CertificateFactory.CreateCertificateFromPKCS12(privateKey, password);
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPrivateKey(newCert, certWithPrivateKey);
break;
}
case "PEM":
{
updateCertificate.CertificateWithPrivateKey = CertificateFactory.CreateCertificateWithPEMPrivateKey(newCert, privateKey, password);
break;
}
}
updateCertificate.IssuerCollection = newIssuerCollection;
updateCertificate.SessionId = context.SessionId;
}
catch
{
throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Failed to verify integrity of the new certificate and the private key.");
}
certificateGroup.UpdateCertificate = updateCertificate;
applyChangesRequired = true;
return(ServiceResult.Good);
}
/// <summary>
/// Displays the applications in the control.
/// </summary>
internal void Initialize(CertificateIdentifierCollection certificates)
{
ItemsLV.Items.Clear();
m_certificates = certificates;
if (m_certificates == null || m_certificates.Count == 0)
{
Instructions = "No certificates are in the store.";
AdjustColumns();
return;
}
// display the list.
foreach (CertificateIdentifier certificate in certificates)
{
AddItem(certificate);
}
// save the unfiltered list.
m_items = new List<ListViewItem>(ItemsLV.Items.Count);
foreach (ListViewItem item in ItemsLV.Items)
{
m_items.Add(item);
}
AdjustColumns();
}
public static void VerifySignedApplicationCert(ApplicationTestData testApp,
X509Certificate2 signedCert, X509Certificate2Collection issuerCerts)
{
var issuerCert = issuerCerts[0];
var signedCertO = signedCert.ToCertificate();
Assert.NotNull(signedCertO);
Assert.False(signedCert.HasPrivateKey);
Assert.True(Utils.CompareDistinguishedName(testApp.Subject, signedCert.Subject));
Assert.False(Utils.CompareDistinguishedName(signedCert.Issuer, signedCert.Subject));
Assert.True(Utils.CompareDistinguishedName(signedCert.Issuer, issuerCert.Subject));
// test basic constraints
var constraints = signedCertO.GetBasicConstraintsExtension();
Assert.NotNull(constraints);
Assert.True(constraints.Critical);
Assert.False(constraints.CertificateAuthority);
Assert.False(constraints.HasPathLengthConstraint);
// key usage
var keyUsage = signedCertO.GetKeyUsageExtension();
Assert.NotNull(keyUsage);
Assert.True(keyUsage.Critical);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.CrlSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DataEncipherment) == X509KeyUsageFlags.DataEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DecipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) == X509KeyUsageFlags.DigitalSignature);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.EncipherOnly) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyAgreement) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == X509KeyUsageFlags.KeyEncipherment);
Assert.True((keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) == X509KeyUsageFlags.NonRepudiation);
// enhanced key usage
var enhancedKeyUsage = signedCertO.GetEnhancedKeyUsageExtension();
Assert.NotNull(enhancedKeyUsage);
Assert.True(enhancedKeyUsage.Critical);
// test for authority key
var authority = signedCertO.GetAuthorityKeyIdentifierExtension();
Assert.NotNull(authority);
Assert.NotNull(authority.SerialNumber);
Assert.NotNull(authority.KeyId);
Assert.NotNull(authority.AuthorityNames);
// verify authority key in signed cert
var subjectKeyId = signedCertO.GetSubjectKeyIdentifierExtension();
Assert.Equal(subjectKeyId.SubjectKeyIdentifier, authority.KeyId);
Assert.Equal(issuerCert.SerialNumber, authority.SerialNumber.ToString());
var subjectAlternateName = signedCertO.GetSubjectAltNameExtension();
Assert.NotNull(subjectAlternateName);
Assert.False(subjectAlternateName.Critical);
var domainNames = Utils.GetDomainsFromCertficate(signedCert);
foreach (var domainName in testApp.DomainNames)
{
Assert.Contains(domainName, domainNames, StringComparer.OrdinalIgnoreCase);
}
Assert.True(subjectAlternateName.Uris.Count == 1);
var applicationUri = Utils.GetApplicationUriFromCertificate(signedCert);
Assert.True(testApp.ApplicationRecord.ApplicationUri == applicationUri);
var issuerCertIdCollection = new CertificateIdentifierCollection();
foreach (var cert in issuerCerts)
{
issuerCertIdCollection.Add(new CertificateIdentifier(cert));
}
// verify cert with issuer chain
var certValidator = new CertificateValidator();
var issuerStore = new CertificateTrustList();
var trustedStore = new CertificateTrustList {
TrustedCertificates = issuerCertIdCollection
};
certValidator.Update(trustedStore, issuerStore, null);
Assert.Throws <ServiceResultException>(() => certValidator.Validate(signedCert));
issuerStore.TrustedCertificates = issuerCertIdCollection;
certValidator.Update(issuerStore, trustedStore, null);
certValidator.Validate(signedCert);
}
