/// <summary> /// Returns the issuers for the certificate. /// </summary> /// <param name="certificate">The certificate.</param> /// <param name="issuers">The issuers.</param> /// <returns></returns> public async Task <bool> GetIssuers(X509Certificate2 certificate, List <CertificateIdentifier> issuers) { bool isTrusted = false; CertificateIdentifier issuer = null; do { issuer = await GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true); if (issuer == null) { issuer = await GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true); } else { isTrusted = true; } if (issuer != null) { issuers.Add(issuer); certificate = await issuer.Find(false); // check for root. if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { break; } } }while (issuer != null); return(isTrusted); }
/// <summary> /// Initializes the object with an X509 certificate identifier /// </summary> public UserIdentity(CertificateIdentifier certificateId) { if (certificateId == null) throw new ArgumentNullException("certificateId"); Task<X509Certificate2> task = certificateId.Find(); task.Wait(); X509Certificate2 certificate = task.Result; if (certificate != null) { Initialize(certificate); } }
/// <summary> /// Initializes the object with an X509 certificate identifier /// </summary> public UserIdentity(CertificateIdentifier certificateId) { if (certificateId == null) { throw new ArgumentNullException("certificateId"); } X509Certificate2 certificate = certificateId.Find().Result; if (certificate != null) { Initialize(certificate); } }
/// <summary> /// Initializes the object with an X509 certificate identifier /// </summary> private void Initialize(CertificateIdentifier certificateId) { if (certificateId == null) { throw new ArgumentNullException("certificateId"); } X509Certificate2 certificate = certificateId.Find(); if (certificate != null) { Initialize(new X509SecurityToken(certificate)); } }
/// <summary> /// Returns the issuers for the certificates. /// </summary> public async Task <bool> GetIssuers(X509Certificate2Collection certificates, List <CertificateIdentifier> issuers) { bool isTrusted = false; CertificateIdentifier issuer = null; X509Certificate2 certificate = certificates[0]; CertificateIdentifierCollection collection = new CertificateIdentifierCollection(); for (int ii = 1; ii < certificates.Count; ii++) { collection.Add(new CertificateIdentifier(certificates[ii])); } do { issuer = await GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true); if (issuer == null) { issuer = await GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true); if (issuer == null) { issuer = await GetIssuer(certificate, collection, null, true); } } if (issuer != null) { isTrusted = true; issuers.Add(issuer); certificate = await issuer.Find(false); // check for root. if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { break; } } else { isTrusted = false; } }while (issuer != null); return(isTrusted); }
/// <summary> /// Initializes the object with an X509 certificate identifier /// </summary> public UserIdentity(CertificateIdentifier certificateId) { if (certificateId == null) { throw new ArgumentNullException("certificateId"); } Task <X509Certificate2> task = certificateId.Find(); task.Wait(); X509Certificate2 certificate = task.Result; if (certificate != null) { Initialize(certificate); } }
/// <summary> /// Initializes the object with an X509 certificate identifier /// </summary> public UserIdentity(CertificateIdentifier certificateId) { if (certificateId == null) { throw new ArgumentNullException("certificateId"); } Task <X509Certificate2> task = certificateId.Find(); task.Wait(); X509Certificate2 certificate = task.Result; if (certificate != null) { X509IdentityToken token = new X509IdentityToken(); token.CertificateData = certificate.RawData; token.Certificate = certificate; Initialize(token); } }
/// <summary> /// Creates a SAML token for the specified email address. /// </summary> public static UserIdentity CreateSAMLToken(string emailAddress) { // Normally this would be done by a server that is capable of verifying that // the user is a legimate holder of email address. Using a local certficate to // signed the SAML token is a short cut that would never be done in a real system. CertificateIdentifier userid = new CertificateIdentifier(); userid.StoreType = CertificateStoreType.Windows; userid.StorePath = "LocalMachine\\My"; userid.SubjectName = "UA Sample Client"; X509Certificate2 certificate = userid.Find(); X509SecurityToken signingToken = new X509SecurityToken(certificate); // Create list of confirmation strings List<string> confirmations = new List<string>(); // Add holder-of-key string to list of confirmation strings confirmations.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer"); // Create SAML subject statement based on issuer member variable, confirmation string collection // local variable and proof key identifier parameter SamlSubject subject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", null, emailAddress); // Create a list of SAML attributes List<SamlAttribute> attributes = new List<SamlAttribute>(); Claim claim = Claim.CreateNameClaim(emailAddress); attributes.Add(new SamlAttribute(claim)); // Create list of SAML statements List<SamlStatement> statements = new List<SamlStatement>(); // Add a SAML attribute statement to the list of statements. Attribute statement is based on // subject statement and SAML attributes resulting from claims statements.Add(new SamlAttributeStatement(subject, attributes)); // Create a valid from/until condition DateTime validFrom = DateTime.UtcNow; DateTime validTo = DateTime.UtcNow.AddHours(12); SamlConditions conditions = new SamlConditions(validFrom, validTo); // Create the SAML assertion SamlAssertion assertion = new SamlAssertion( "_" + Guid.NewGuid().ToString(), signingToken.Certificate.Subject, validFrom, conditions, null, statements); SecurityKey signingKey = new System.IdentityModel.Tokens.RsaSecurityKey((RSA)signingToken.Certificate.PrivateKey); // Set the signing credentials for the SAML assertion assertion.SigningCredentials = new SigningCredentials( signingKey, System.IdentityModel.Tokens.SecurityAlgorithms.RsaSha1Signature, System.IdentityModel.Tokens.SecurityAlgorithms.Sha1Digest, new SecurityKeyIdentifier(signingToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>())); return new UserIdentity(new SamlSecurityToken(assertion)); }
/// <summary> /// Initializes the validator from the configuration for a token policy. /// </summary> /// <param name="issuerCertificate">The issuer certificate.</param> private SecurityTokenResolver CreateSecurityTokenResolver(CertificateIdentifier issuerCertificate) { if (issuerCertificate == null) { throw new ArgumentNullException("issuerCertificate"); } // find the certificate. X509Certificate2 certificate = issuerCertificate.Find(false); if (certificate == null) { throw ServiceResultException.Create( StatusCodes.BadCertificateInvalid, "Could not find issuer certificate: {0}", issuerCertificate); } // create a security token representing the certificate. List<SecurityToken> tokens = new List<SecurityToken>(); tokens.Add(new X509SecurityToken(certificate)); // create issued token resolver. SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver( new System.Collections.ObjectModel.ReadOnlyCollection<SecurityToken>(tokens), false); return tokenResolver; }
/// <summary> /// Returns the issuers for the certificates. /// </summary> public bool GetIssuersWithChainSupportEnabled(X509Certificate2Collection certificates, List <CertificateIdentifier> issuers) { bool isTrusted = false; bool isChainComplete = false; CertificateIdentifier issuer = null; X509Certificate2 certificate = certificates[0]; // application certificate is trusted CertificateIdentifier trustedCertificate = GetTrustedCertificate(certificate); if (trustedCertificate != null) { isTrusted = true; } if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { if (!isTrusted) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Self Signed Certificate is not trusted.\r\nIssuerName: {0}", certificate.IssuerName.Name); } return(isTrusted); } CertificateIdentifierCollection collection = new CertificateIdentifierCollection(); for (int ii = 1; ii < certificates.Count; ii++) { collection.Add(new CertificateIdentifier(certificates[ii])); } do { issuer = GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true); if (issuer != null) { isTrusted = true; } if (issuer == null) { issuer = GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true); if (issuer == null) { issuer = GetIssuer(certificate, collection, null, true); } } if (issuer != null) { //isTrusted = true; issuers.Add(issuer); certificate = issuer.Find(false); // check for root. if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { isChainComplete = true; break; } } else { isTrusted = false; } } while (issuer != null); if (!isChainComplete) { throw ServiceResultException.Create( StatusCodes.BadSecurityChecksFailed, "Certificate chain not complete.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificates[0].SubjectName.Name, certificates[0].IssuerName.Name); } if (!isTrusted) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate issuer is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificates[0].SubjectName.Name, certificates[0].IssuerName.Name); } return(isTrusted); }
/// <summary> /// Checks for a valid application instance certificate. /// </summary> /// <param name="silent">if set to <c>true</c> no dialogs will be displayed.</param> /// <param name="minimumKeySize">Minimum size of the key.</param> public void CheckApplicationInstanceCertificate( bool silent, ushort minimumKeySize) { Utils.Trace(Utils.TraceMasks.Information, "Checking application instance certificate."); ApplicationConfiguration configuration = null; if (m_applicationConfiguration == null) { LoadApplicationConfiguration(silent); } configuration = m_applicationConfiguration; bool createNewCertificate = true; // find the existing certificate. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "Configuration file does not specify a certificate."); } X509Certificate2 certificate = id.Find(true); // check that it is ok. if (certificate != null) { createNewCertificate = !CheckApplicationInstanceCertificate(configuration, certificate, silent, minimumKeySize); } else { // check for missing private key. certificate = id.Find(false); if (certificate != null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "Cannot access certificate private key. Subject={0}", certificate.Subject); } // check for missing thumbprint. if (!String.IsNullOrEmpty(id.Thumbprint)) { if (!String.IsNullOrEmpty(id.SubjectName)) { CertificateIdentifier id2 = new CertificateIdentifier(); id2.StoreType = id.StoreType; id2.StorePath = id.StorePath; id2.SubjectName = id.SubjectName; certificate = id2.Find(true); } if (certificate != null) { string message = Utils.Format( "Thumbprint was explicitly specified in the configuration." + "\r\nAnother certificate with the same subject name was found." + "\r\nUse it instead?\r\n" + "\r\nRequested: {0}" + "\r\nFound: {1}", id.SubjectName, certificate.Subject); throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message); } else { string message = Utils.Format("Thumbprint was explicitly specified in the configuration. Cannot generate a new certificate."); throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message); } } else { if (String.IsNullOrEmpty(id.SubjectName)) { string message = Utils.Format("Both SubjectName and Thumbprint are not specified in the configuration. Cannot generate a new certificate."); throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message); } } } // create a new certificate. if (createNewCertificate) { certificate = CreateApplicationInstanceCertificate(configuration, minimumKeySize, 600); } // ensure it is trusted. else { AddToTrustedStore(configuration, certificate); } // add to discovery server. if (configuration.ApplicationType == ApplicationType.Server || configuration.ApplicationType == ApplicationType.ClientAndServer) { try { AddToDiscoveryServerTrustList(certificate, null, null, configuration.SecurityConfiguration.TrustedPeerCertificates); } catch (Exception e) { Utils.Trace(e, "Could not add certificate to LDS trust list."); } } }
/// <summary> /// Initializes the object with an X509 certificate identifier /// </summary> private void Initialize(CertificateIdentifier certificateId) { if (certificateId == null) throw new ArgumentNullException("certificateId"); X509Certificate2 certificate = certificateId.Find(); if (certificate != null) { Initialize(new X509SecurityToken(certificate)); } }
/// <summary> /// Creates a minimal endpoint description which allows a client to connect to a server. /// </summary> /// <remarks> /// In most cases the client will use the server's discovery endpoint to fetch the information /// constained in this structure. /// </remarks> public static EndpointDescription CreateEndpointDescription() { // create the endpoint description. EndpointDescription endpointDescription = new EndpointDescription(); endpointDescription.EndpointUrl = Utils.Format("http://{0}:61211/UA/SampleClient", System.Net.Dns.GetHostName()); // endpointDescription.EndpointUrl = Utils.Format("opc.tcp://{0}:51210/UA/SampleServer", System.Net.Dns.GetHostName()); // endpointDescription.EndpointUrl = Utils.Format("http://{0}:51211/UA/SampleServer/None", System.Net.Dns.GetHostName()); // endpointDescription.EndpointUrl = Utils.Format("http://{0}:51211/UA/SampleServer", System.Net.Dns.GetHostName()); // specify the security policy to use. // endpointDescription.SecurityPolicyUri = SecurityPolicies.None; // endpointDescription.SecurityMode = MessageSecurityMode.None;; endpointDescription.SecurityPolicyUri = SecurityPolicies.Basic128Rsa15; endpointDescription.SecurityMode = MessageSecurityMode.SignAndEncrypt; // specify the transport profile. endpointDescription.TransportProfileUri = Profiles.WsHttpXmlOrBinaryTransport; // endpointDescription.TransportProfileUri = Profiles.WsHttpXmlTransport; // endpointDescription.TransportProfileUri = Profiles.UaTcpTransport; endpointDescription.Server.DiscoveryUrls.Add(Utils.Format("http://{0}:61211/UA/SampleClient/discovery", System.Net.Dns.GetHostName())); // load the the server certificate from the local certificate store. CertificateIdentifier certificateIdentifier = new CertificateIdentifier(); certificateIdentifier.StoreType = CertificateStoreType.Windows; certificateIdentifier.StorePath = "LocalMachine\\My"; certificateIdentifier.SubjectName = "UA Sample Client"; X509Certificate2 serverCertificate = certificateIdentifier.Find(); if (serverCertificate == null) { throw ServiceResultException.Create(StatusCodes.BadCertificateInvalid, "Could not find server certificate: {0}", certificateIdentifier.SubjectName); } endpointDescription.ServerCertificate = serverCertificate.RawData; return endpointDescription; }