/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
// delete certificate and private key.
X509Certificate2 certificate = await id.Find().ConfigureAwait(false);
if (certificate != null)
{
Utils.LogCertificate(TraceMasks.Security, "Deleting application instance certificate and private key.", certificate);
}
// delete trusted peer certificate.
if (configuration.SecurityConfiguration != null &&
configuration.SecurityConfiguration.TrustedPeerCertificates != null)
{
string thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
if (!string.IsNullOrEmpty(thumbprint))
{
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
bool deleted = await store.Delete(thumbprint).ConfigureAwait(false);
if (deleted)
{
Utils.LogInfo(TraceMasks.Security, "Application Instance Certificate [{0}] deleted from trusted store.", thumbprint);
}
}
}
}
// delete certificate and private key from owner store.
if (certificate != null)
{
using (ICertificateStore store = id.OpenStore())
{
bool deleted = await store.Delete(certificate.Thumbprint).ConfigureAwait(false);
if (deleted)
{
Utils.LogCertificate(TraceMasks.Security, "Application certificate and private key deleted.", certificate);
}
}
}
// erase the memory copy of the deleted certificate
id.Certificate = null;
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate.");
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
// delete private key.
X509Certificate2 certificate = await id.Find().ConfigureAwait(false);
// delete trusted peer certificate.
if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null)
{
string thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
if (!string.IsNullOrEmpty(thumbprint))
{
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
await store.Delete(thumbprint).ConfigureAwait(false);
}
}
}
// delete private key.
if (certificate != null)
{
using (ICertificateStore store = id.OpenStore())
{
await store.Delete(certificate.Thumbprint).ConfigureAwait(false);
}
}
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
public static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
// delete private key.
X509Certificate2 certificate = id.Find();
// delete trusted peer certificate.
if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null)
{
string thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
if (!String.IsNullOrEmpty(thumbprint))
{
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
store.Delete(thumbprint);
}
}
}
// delete private key.
if (certificate != null)
{
using (ICertificateStore store = id.OpenStore())
{
store.Delete(certificate.Thumbprint);
}
}
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate.");
// Create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
X509Certificate2 certificate = id.Find();
// Delete trusted peer certificate.
if (configuration.SecurityConfiguration?.TrustedPeerCertificates != null)
{
var thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
using (var store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
store.Delete(thumbprint);
}
}
// Delete private key.
if (certificate == null)
{
return;
}
using (ICertificateStore store = id.OpenStore())
{
store.Delete(certificate.Thumbprint);
}
}
/// <summary>
/// Updates the access permissions for the certificate store.
/// </summary>
private static void SetCertificatePermissions(
Opc.Ua.Security.SecuredApplication application,
CertificateIdentifier id,
IList <ApplicationAccessRule> accessRules,
bool replaceExisting)
{
if (id == null || accessRules == null || accessRules.Count == 0)
{
return;
}
try
{
using (ICertificateStore store = id.OpenStore())
{
if (store.SupportsCertificateAccessControl)
{
store.SetAccessRules(id.Thumbprint, accessRules, replaceExisting);
}
}
}
catch (Exception e)
{
Utils.Trace("Could not set permissions for certificate store: {0}. Error={1}", id, e.Message);
for (int jj = 0; jj < accessRules.Count; jj++)
{
ApplicationAccessRule rule = accessRules[jj];
Utils.Trace(
(int)Utils.TraceMasks.Error,
"IdentityName={0}, Right={1}, RuleType={2}",
rule.IdentityName,
rule.Right,
rule.RuleType);
}
}
}
private void OkBTN_Click(object sender, EventArgs e)
{
try
{
IPAddress address = IPAddress.Parse(IPAddressTB.Text);
ushort port = (ushort)PortUD.Value;
if (m_certificate == null)
{
throw new ArgumentException("You must specify a certificate.");
}
X509Certificate2 certificate = m_certificate.Find(true);
if (certificate == null)
{
throw new ArgumentException("Certificate does not exist or has no private key.");
}
// setup policy chain
X509ChainPolicy policy = new X509ChainPolicy();
policy.RevocationFlag = X509RevocationFlag.EntireChain;
policy.RevocationMode = X509RevocationMode.Offline;
policy.VerificationFlags = X509VerificationFlags.NoFlag;
policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown;
policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown;
policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown;
// build chain.
X509Chain chain = new X509Chain();
chain.ChainPolicy = policy;
chain.Build(certificate);
for (int ii = 0; ii < chain.ChainElements.Count; ii++)
{
X509ChainElement element = chain.ChainElements[ii];
// check for chain status errors.
foreach (X509ChainStatus status in element.ChainElementStatus)
{
if (status.Status == X509ChainStatusFlags.UntrustedRoot)
{
if (!Ask("Cannot verify certificate up to a trusted root.\r\nAdd anyways?"))
{
return;
}
continue;
}
if (status.Status == X509ChainStatusFlags.RevocationStatusUnknown)
{
if (!Ask("The revocation status of this certificate cannot be verified.\r\nAdd anyways?"))
{
return;
}
continue;
}
// ignore informational messages.
if (status.Status == X509ChainStatusFlags.OfflineRevocation)
{
continue;
}
if (status.Status != X509ChainStatusFlags.NoError)
{
throw new ArgumentException("[" + status.Status + "] " + status.StatusInformation);
}
}
}
// get the target store.
if (m_store == null)
{
m_store = new CertificateStoreIdentifier();
m_store.StoreType = CertificateStoreType.Windows;
m_store.StorePath = CertificateStoreTB.Text;
}
if (m_store.StoreType != CertificateStoreType.Windows)
{
throw new ArgumentException("You must choose a Windows store for SSL certificates.");
}
if (!m_store.StorePath.StartsWith("LocalMachine\\", StringComparison.OrdinalIgnoreCase))
{
throw new ArgumentException("You must choose a machine store for SSL certificates.");
}
bool deleteExisting = false;
using (ICertificateStore store = m_store.OpenStore())
{
if (store.FindByThumbprint(certificate.Thumbprint) == null)
{
store.Add(certificate);
deleteExisting = true;
}
}
if (deleteExisting)
{
if (Ask("Would you like to delete the certificate from its current location?"))
{
using (ICertificateStore store = m_certificate.OpenStore())
{
store.Delete(certificate.Thumbprint);
}
}
}
SslCertificateBinding binding = new SslCertificateBinding();
binding.IPAddress = address;
binding.Port = port;
binding.Thumbprint = certificate.Thumbprint;
binding.ApplicationId = s_DefaultApplicationId;
binding.StoreName = null;
if (!m_store.StorePath.EndsWith("\\My"))
{
int index = m_store.StorePath.LastIndexOf("\\");
binding.StoreName = m_store.StorePath.Substring(index + 1);
}
HttpAccessRule.SetSslCertificateBinding(binding);
m_binding = binding;
DialogResult = DialogResult.OK;
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Uninstalls a UA application.
/// </summary>
public static async Task UninstallApplication(InstalledApplication application)
{
// validate the executable file.
string executableFile = Utils.GetAbsoluteFilePath(application.ExecutableFile, true, true, false);
// get the default application name from the executable file.
FileInfo executableFileInfo = new FileInfo(executableFile);
string applicationName = executableFileInfo.Name.Substring(0, executableFileInfo.Name.Length - 4);
// choose a default configuration file.
if (String.IsNullOrEmpty(application.ConfigurationFile))
{
application.ConfigurationFile = Utils.Format(
"{0}\\{1}.Config.xml",
executableFileInfo.DirectoryName,
applicationName);
}
// validate the configuration file.
string configurationFile = Utils.GetAbsoluteFilePath(application.ConfigurationFile, true, false, false);
if (configurationFile != null)
{
// load the current configuration.
Opc.Ua.Security.SecuredApplication security = new Opc.Ua.Security.SecurityConfigurationManager().ReadConfiguration(configurationFile);
// delete the application certificates.
if (application.DeleteCertificatesOnUninstall)
{
CertificateIdentifier id = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(security.ApplicationCertificate);
// delete public key from trusted peers certificate store.
try
{
CertificateStoreIdentifier certificateStore = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(security.TrustedCertificateStore);
using (ICertificateStore store = certificateStore.OpenStore())
{
X509Certificate2Collection peerCertificates = await store.FindByThumbprint(id.Thumbprint);
if (peerCertificates.Count > 0)
{
await store.Delete(peerCertificates[0].Thumbprint);
}
}
}
catch (Exception e)
{
Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
}
// delete private key from application certificate store.
try
{
using (ICertificateStore store = id.OpenStore())
{
await store.Delete(id.Thumbprint);
}
}
catch (Exception e)
{
Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
}
// permentently delete any UA defined stores if they are now empty.
try
{
WindowsCertificateStore store = new WindowsCertificateStore();
await store.Open("LocalMachine\\UA Applications");
X509Certificate2Collection collection = await store.Enumerate();
if (collection.Count == 0)
{
store.PermanentlyDeleteStore();
}
}
catch (Exception e)
{
Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
}
}
// remove the permissions for the HTTP endpoints used by the application.
if (application.BaseAddresses != null && application.BaseAddresses.Count > 0)
{
List <ApplicationAccessRule> noRules = new List <ApplicationAccessRule>();
for (int ii = 0; ii < application.BaseAddresses.Count; ii++)
{
Uri url = Utils.ParseUri(application.BaseAddresses[ii]);
if (url != null)
{
try
{
HttpAccessRule.SetAccessRules(url, noRules, true);
Utils.Trace("Removed HTTP access rules for URL: {0}", url);
}
catch (Exception e)
{
Utils.Trace("Could not remove HTTP access rules for URL: {0}. Error={1}", url, e.Message);
}
}
}
}
}
}
/// <summary>
/// Updates the access permissions for the certificate store.
/// </summary>
private static void SetCertificatePermissions(
Opc.Ua.Security.SecuredApplication application,
CertificateIdentifier id,
IList<ApplicationAccessRule> accessRules,
bool replaceExisting)
{
if (id == null || accessRules == null || accessRules.Count == 0)
{
return;
}
try
{
using (ICertificateStore store = id.OpenStore())
{
if (store.SupportsCertificateAccessControl)
{
store.SetAccessRules(id.Thumbprint, accessRules, replaceExisting);
}
}
}
catch (Exception e)
{
Utils.Trace("Could not set permissions for certificate store: {0}. Error={1}", id, e.Message);
for (int jj = 0; jj < accessRules.Count; jj++)
{
ApplicationAccessRule rule = accessRules[jj];
Utils.Trace(
(int)Utils.TraceMasks.Error,
"IdentityName={0}, Right={1}, RuleType={2}",
rule.IdentityName,
rule.Right,
rule.RuleType);
}
}
}
