public override async Task Init()
{
Utils.Trace(Utils.TraceMasks.Information, "InitializeCertificateGroup: {0}", m_subjectName);
X509Certificate2Collection rootCACertificateChain;
IList <Opc.Ua.X509CRL> rootCACrlChain;
try
{
// read root CA chain for certificate group
rootCACertificateChain = await _opcVaultHandler.GetCACertificateChainAsync(Configuration.Id).ConfigureAwait(false);
rootCACrlChain = await _opcVaultHandler.GetCACrlChainAsync(Configuration.Id).ConfigureAwait(false);
var rootCaCert = rootCACertificateChain[0];
var rootCaCrl = rootCACrlChain[0];
if (Utils.CompareDistinguishedName(rootCaCert.Subject, m_subjectName))
{
Certificate = rootCaCert;
rootCaCrl.VerifySignature(rootCaCert, true);
}
else
{
throw new ServiceResultException("Key Vault certificate subject(" + rootCaCert.Subject + ") does not match cert group subject " + m_subjectName);
}
}
catch (Exception ex)
{
Utils.Trace("Failed to load CA certificate " + Configuration.Id + " from key Vault ");
Utils.Trace(ex.Message);
throw ex;
}
// add all existing cert versions to trust list
// erase old certs
using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(m_authoritiesStorePath))
{
try
{
X509Certificate2Collection certificates = await store.Enumerate();
foreach (var certificate in certificates)
{
// TODO: Subject may have changed over time
if (Utils.CompareDistinguishedName(certificate.Subject, m_subjectName))
{
var certs = rootCACertificateChain.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false);
if (certs == null || certs.Count == 0)
{
Utils.Trace("Delete CA certificate from authority store: " + certificate.Thumbprint);
// delete existing CRL in trusted list
foreach (var crl in store.EnumerateCRLs(certificate, false))
{
if (crl.VerifySignature(certificate, false))
{
store.DeleteCRL(crl);
}
}
await store.Delete(certificate.Thumbprint);
}
}
}
}
catch (Exception ex)
{
Utils.Trace("Failed to Delete existing certificates from authority store: " + ex.Message);
}
foreach (var rootCACertificate in rootCACertificateChain)
{
X509Certificate2Collection certs = await store.FindByThumbprint(rootCACertificate.Thumbprint);
if (certs.Count == 0)
{
await store.Add(rootCACertificate);
Utils.Trace("Added CA certificate to authority store: " + rootCACertificate.Thumbprint);
}
else
{
Utils.Trace("CA certificate already exists in authority store: " + rootCACertificate.Thumbprint);
}
foreach (var rootCACrl in rootCACrlChain)
{
if (rootCACrl.VerifySignature(rootCACertificate, false))
{
// delete existing CRL in trusted list
foreach (var crl in store.EnumerateCRLs(rootCACertificate, false))
{
if (crl.VerifySignature(rootCACertificate, false))
{
store.DeleteCRL(crl);
}
}
store.AddCRL(rootCACrl);
}
}
}
// load trust list from server
var trustList = await _opcVaultHandler.GetTrustListAsync(Configuration.Id).ConfigureAwait(false);
await UpdateTrustList(trustList);
}
}
