/// <summary> /// Throws an exception if validation fails. /// </summary> /// <param name="certificates">The certificates to be checked.</param> /// <exception cref="ServiceResultException">If certificate[0] cannot be accepted</exception> protected virtual async Task InternalValidate(X509Certificate2Collection certificates) { X509Certificate2 certificate = certificates[0]; // check for previously validated certificate. X509Certificate2 certificate2 = null; if (m_validatedCertificates.TryGetValue(certificate.Thumbprint, out certificate2)) { if (Utils.IsEqual(certificate2.RawData, certificate.RawData)) { return; } } // check if minimum requirements are met if (m_rejectSHA1SignedCertificates && IsSHA1SignatureAlgorithm(certificate.SignatureAlgorithm)) { throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "SHA1 signed certificates are not trusted"); } if (certificate.GetRSAPublicKey().KeySize < m_minimumCertificateKeySize) { throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed, "Certificate doesn't meet minimum key length requirement"); } CertificateIdentifier trustedCertificate = await GetTrustedCertificate(certificate); // get the issuers (checks the revocation lists if using directory stores). List <CertificateIdentifier> issuers = new List <CertificateIdentifier>(); bool isIssuerTrusted = await GetIssuers(certificates, issuers); // setup policy chain X509ChainPolicy policy = new X509ChainPolicy(); policy.RevocationFlag = X509RevocationFlag.EntireChain; policy.RevocationMode = X509RevocationMode.NoCheck; policy.VerificationFlags = X509VerificationFlags.NoFlag; foreach (CertificateIdentifier issuer in issuers) { if ((issuer.ValidationOptions & CertificateValidationOptions.SuppressRevocationStatusUnknown) != 0) { policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown; } // we did the revocation check in the GetIssuers call. No need here. policy.RevocationMode = X509RevocationMode.NoCheck; policy.ExtraStore.Add(issuer.Certificate); } // build chain. X509Chain chain = new X509Chain(); chain.ChainPolicy = policy; chain.Build(certificate); // check the chain results. CertificateIdentifier target = trustedCertificate; if (target == null) { target = new CertificateIdentifier(certificate); } for (int ii = 0; ii < chain.ChainElements.Count; ii++) { X509ChainElement element = chain.ChainElements[ii]; CertificateIdentifier issuer = null; if (ii < issuers.Count) { issuer = issuers[ii]; } // check for chain status errors. foreach (X509ChainStatus status in element.ChainElementStatus) { ServiceResult result = CheckChainStatus(status, target, issuer, (ii != 0)); if (ServiceResult.IsBad(result)) { // check untrusted certificates. if (trustedCertificate == null) { throw new ServiceResultException(StatusCodes.BadSecurityChecksFailed); } throw new ServiceResultException(result); } } if (issuer != null) { target = issuer; } } bool issuedByCA = !Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer); // check if certificate issuer is trusted. if (issuedByCA && !isIssuerTrusted) { if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData)) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate issuer is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificate.SubjectName.Name, certificate.IssuerName.Name); } } // check if certificate is trusted. if (trustedCertificate == null && !isIssuerTrusted) { if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData)) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificate.SubjectName.Name, certificate.IssuerName.Name); } } }
/// <summary> /// Ensures that the application configuration is valid. /// </summary> /// <param name="applicationType">Type of the application.</param> public virtual async Task Validate(ApplicationType applicationType) { if (String.IsNullOrEmpty(ApplicationName)) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationName must be specified."); } if (SecurityConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "SecurityConfiguration must be specified."); } SecurityConfiguration.Validate(); // load private key await SecurityConfiguration.ApplicationCertificate.LoadPrivateKeyEx(SecurityConfiguration.CertificatePasswordProvider); Func <string> generateDefaultUri = () => { var sb = new StringBuilder(); sb.Append("urn:"); sb.Append(Utils.GetHostName()); sb.Append(":"); sb.Append(ApplicationName); return(sb.ToString()); }; if (String.IsNullOrEmpty(ApplicationUri)) { m_applicationUri = generateDefaultUri(); } if (applicationType == ApplicationType.Client || applicationType == ApplicationType.ClientAndServer) { if (ClientConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ClientConfiguration must be specified."); } ClientConfiguration.Validate(); } if (applicationType == ApplicationType.Server || applicationType == ApplicationType.ClientAndServer) { if (ServerConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ServerConfiguration must be specified."); } ServerConfiguration.Validate(); } if (applicationType == ApplicationType.DiscoveryServer) { if (DiscoveryServerConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "DiscoveryServerConfiguration must be specified."); } DiscoveryServerConfiguration.Validate(); } // toggle the state of the hi-res clock. HiResClock.Disabled = m_disableHiResClock; if (m_disableHiResClock) { if (m_serverConfiguration != null) { if (m_serverConfiguration.PublishingResolution < 50) { m_serverConfiguration.PublishingResolution = 50; } } } await m_certificateValidator.Update(this.SecurityConfiguration); }
/// <summary> /// Decrypts the CipherText using the SecurityPolicyUri and returns the PlainTetx. /// </summary> public static byte[] Decrypt(X509Certificate2 certificate, string securityPolicyUri, EncryptedData dataToDecrypt) { // check if nothing to do. if (dataToDecrypt == null) { return(null); } // nothing more to do if no encryption. if (String.IsNullOrEmpty(securityPolicyUri)) { return(dataToDecrypt.Data); } // decrypt data. switch (securityPolicyUri) { case SecurityPolicies.Basic256: { if (dataToDecrypt.Algorithm == SecurityAlgorithms.RsaOaep) { return(RsaUtils.Decrypt(new ArraySegment <byte>(dataToDecrypt.Data), certificate, true)); } break; } case SecurityPolicies.Basic128Rsa15: { if (dataToDecrypt.Algorithm == SecurityAlgorithms.Rsa15) { return(RsaUtils.Decrypt(new ArraySegment <byte>(dataToDecrypt.Data), certificate, false)); } break; } case SecurityPolicies.None: { if (String.IsNullOrEmpty(dataToDecrypt.Algorithm)) { return(dataToDecrypt.Data); } break; } default: { throw ServiceResultException.Create( StatusCodes.BadSecurityPolicyRejected, "Unsupported security policy: {0}", securityPolicyUri); } } throw ServiceResultException.Create( StatusCodes.BadIdentityTokenInvalid, "Unexpected encryption algorithm : {0}", dataToDecrypt.Algorithm); }
/// <summary> /// Creates a new UA-binary transport channel if requested. Null otherwise. /// </summary> /// <param name="configuration">The application configuration.</param> /// <param name="description">The description for the endpoint.</param> /// <param name="endpointConfiguration">The configuration to use with the endpoint.</param> /// <param name="clientCertificate">The client certificate.</param> /// <param name="messageContext">The message context to use when serializing the messages.</param> /// <returns></returns> public static ITransportChannel CreateUaBinaryChannel( ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, X509Certificate2 clientCertificate, ServiceMessageContext messageContext) { // check if the server if configured to use the ANSI C stack. bool useUaTcp = description.EndpointUrl.StartsWith(Utils.UriSchemeOpcTcp); bool useHttps = description.EndpointUrl.StartsWith(Utils.UriSchemeHttps); bool useAnsiCStack = false; switch (description.TransportProfileUri) { case Profiles.UaTcpTransport: { useUaTcp = true; if (configuration != null) { useAnsiCStack = configuration.UseNativeStack; } break; } case Profiles.HttpsXmlTransport: case Profiles.HttpsBinaryTransport: case Profiles.HttpsXmlOrBinaryTransport: { useHttps = true; break; } } // note: WCF channels are not supported if (!useUaTcp && !useHttps) { throw ServiceResultException.Create( StatusCodes.BadServiceUnsupported, "Unsupported transport profile\r\n"); } // initialize the channel which will be created with the server. ITransportChannel channel = null; // create a UA-TCP channel. TransportChannelSettings settings = new TransportChannelSettings(); settings.Description = description; settings.Configuration = endpointConfiguration; settings.ClientCertificate = clientCertificate; if (description.ServerCertificate != null && description.ServerCertificate.Length > 0) { settings.ServerCertificate = Utils.ParseCertificateBlob(description.ServerCertificate); } if (configuration != null) { settings.CertificateValidator = configuration.CertificateValidator.GetChannelValidator(); } settings.NamespaceUris = messageContext.NamespaceUris; settings.Factory = messageContext.Factory; if (useUaTcp) { Type type = null; if (useAnsiCStack) { type = Type.GetType("Opc.Ua.NativeStack.NativeStackChannel,Opc.Ua.NativeStackWrapper"); } if (useAnsiCStack && type != null) { channel = (ITransportChannel)Activator.CreateInstance(type); } else { channel = new Opc.Ua.Bindings.TcpTransportChannel(); } } else if (useHttps) { channel = new Opc.Ua.Bindings.HttpsTransportChannel(); } channel.Initialize(new Uri(description.EndpointUrl), settings); channel.Open(); return(channel); }
/// <summary> /// Validates a certificate with domain validation check. /// <see cref="Validate(X509Certificate2Collection)"/> /// </summary> public virtual void Validate(X509Certificate2Collection chain, ConfiguredEndpoint endpoint) { X509Certificate2 certificate = chain[0]; try { lock (m_lock) { InternalValidate(chain, endpoint).GetAwaiter().GetResult(); // add to list of validated certificates. m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData); } } catch (ServiceResultException se) { // check for errors that may be suppressed. if (ContainsUnsuppressibleSC(se.Result)) { SaveCertificate(certificate); Utils.Trace(Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}.", certificate.Subject, se.Result.ToString()); TraceInnerServiceResults(se.Result); throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid); } else { Utils.Trace("Certificate Vaildation failed for '{0}'. Reason={1}", certificate.Subject, se.ToLongString()); TraceInnerServiceResults(se.Result); } // invoke callback. bool accept = false; ServiceResult serviceResult = se.Result; lock (m_callbackLock) { if (m_CertificateValidation != null) { do { CertificateValidationEventArgs args = new CertificateValidationEventArgs(serviceResult, certificate); m_CertificateValidation(this, args); if (args.AcceptAll) { accept = true; serviceResult = null; break; } accept = args.Accept; if (accept) { serviceResult = serviceResult.InnerResult; } else { // report the rejected service result se = new ServiceResultException(serviceResult); } } while (accept && serviceResult != null); } } // throw if rejected. if (!accept) { // write the invalid certificate to rejected store if specified. Utils.Trace(Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, serviceResult != null ? serviceResult.ToString() : "Unknown Error"); SaveCertificate(certificate); throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid); } // add to list of peers. lock (m_lock) { Utils.Trace("Validation error suppressed for '{0}'.", certificate.Subject); m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData); } } }
/// <summary> /// Throws an exception if validation fails. /// </summary> /// <param name="certificates">The certificates to be checked.</param> /// <exception cref="ServiceResultException">If certificate[0] cannot be accepted</exception> protected virtual async Task InternalValidate(X509Certificate2Collection certificates) { X509Certificate2 certificate = certificates[0]; // check for previously validated certificate. X509Certificate2 certificate2 = null; if (m_validatedCertificates.TryGetValue(certificate.Thumbprint, out certificate2)) { if (Utils.IsEqual(certificate2.RawData, certificate.RawData)) { return; } } CertificateIdentifier trustedCertificate = await GetTrustedCertificate(certificate); // get the issuers (checks the revocation lists if using directory stores). List <CertificateIdentifier> issuers = new List <CertificateIdentifier>(); bool isIssuerTrusted = await GetIssuers(certificates, issuers); // setup policy chain X509ChainPolicy policy = new X509ChainPolicy(); policy.RevocationFlag = X509RevocationFlag.EntireChain; policy.RevocationMode = X509RevocationMode.NoCheck; policy.VerificationFlags = X509VerificationFlags.NoFlag; foreach (CertificateIdentifier issuer in issuers) { if ((issuer.ValidationOptions & CertificateValidationOptions.SuppressRevocationStatusUnknown) != 0) { policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown; } // we did the revocation check in the GetIssuers call. No need here. policy.RevocationMode = X509RevocationMode.NoCheck; policy.ExtraStore.Add(issuer.Certificate); } // build chain. bool chainStatusChecked = false; X509Chain chain = new X509Chain(); chain.ChainPolicy = policy; chain.Build(certificate); // check the chain results. CertificateIdentifier target = trustedCertificate; if (target == null) { target = new CertificateIdentifier(certificate); } for (int ii = 0; ii < chain.ChainElements.Count; ii++) { X509ChainElement element = chain.ChainElements[ii]; CertificateIdentifier issuer = null; if (ii < issuers.Count) { issuer = issuers[ii]; } // check for chain status errors. foreach (X509ChainStatus status in element.ChainElementStatus) { ServiceResult result = CheckChainStatus(status, target, issuer, (ii != 0)); if (ServiceResult.IsBad(result)) { // check untrusted certificates. if (trustedCertificate == null) { ServiceResult errorResult = new ServiceResult( result.StatusCode, result.SymbolicId, result.NamespaceUri, result.LocalizedText, result.AdditionalInfo, StatusCodes.BadCertificateUntrusted); throw new ServiceResultException(errorResult); } throw new ServiceResultException(result); } chainStatusChecked = true; } if (issuer != null) { target = issuer; } } // check whether the chain is complete (if there is a chain) bool issuedByCA = !Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer); bool chainIncomplete = false; if (issuers.Count > 0) { var rootCertificate = issuers[issuers.Count - 1].Certificate; if (!Utils.CompareDistinguishedName(rootCertificate.Subject, rootCertificate.Issuer)) { chainIncomplete = true; } } else { if (issuedByCA) { // no issuer found at all chainIncomplete = true; } } if (issuedByCA && (!chainStatusChecked || chainIncomplete)) { throw ServiceResultException.Create( StatusCodes.BadCertificateChainIncomplete, "Certificate chain validation incomplete.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificate.SubjectName.Name, certificate.IssuerName.Name); } // check if certificate issuer is trusted. if (issuedByCA && !isIssuerTrusted && trustedCertificate == null) { if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData)) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate issuer is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificate.SubjectName.Name, certificate.IssuerName.Name); } } // check if certificate is trusted. if (trustedCertificate == null && !isIssuerTrusted) { if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData)) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificate.SubjectName.Name, certificate.IssuerName.Name); } } // check if certificate is valid for use as app/sw or user cert X509KeyUsageFlags certificateKeyUsage = CertificateFactory.GetKeyUsage(certificate); if ((certificateKeyUsage & X509KeyUsageFlags.DataEncipherment) == 0) { throw new ServiceResultException(StatusCodes.BadCertificateUseNotAllowed, "Usage of certificate is not allowed."); } // check if minimum requirements are met if (m_rejectSHA1SignedCertificates && IsSHA1SignatureAlgorithm(certificate.SignatureAlgorithm)) { throw new ServiceResultException(StatusCodes.BadCertificatePolicyCheckFailed, "SHA1 signed certificates are not trusted"); } if (certificate.GetRSAPublicKey().KeySize < m_minimumCertificateKeySize) { throw new ServiceResultException(StatusCodes.BadCertificatePolicyCheckFailed, "Certificate doesn't meet minimum key length requirement"); } }
/// <summary> /// Ensures that the application configuration is valid. /// </summary> /// <param name="applicationType">Type of the application.</param> public virtual async Task Validate(ApplicationType applicationType) { if (String.IsNullOrEmpty(ApplicationName)) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationName must be specified."); } if (SecurityConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "SecurityConfiguration must be specified."); } SecurityConfiguration.Validate(); // load private key await SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null); // generate a default uri if null if (String.IsNullOrEmpty(ApplicationUri)) { StringBuilder buffer = new StringBuilder(); buffer.Append("urn:"); buffer.Append(Utils.GetHostName()); buffer.Append(":"); buffer.Append(ApplicationName); m_applicationUri = buffer.ToString(); } if (applicationType == ApplicationType.Client || applicationType == ApplicationType.ClientAndServer) { if (ClientConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ClientConfiguration must be specified."); } ClientConfiguration.Validate(); } if (applicationType == ApplicationType.Server || applicationType == ApplicationType.ClientAndServer) { if (ServerConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ServerConfiguration must be specified."); } ServerConfiguration.Validate(); } if (applicationType == ApplicationType.DiscoveryServer) { if (DiscoveryServerConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "DiscoveryServerConfiguration must be specified."); } DiscoveryServerConfiguration.Validate(); } // toggle the state of the hi-res clock. HiResClock.Disabled = m_disableHiResClock; if (m_disableHiResClock) { if (m_serverConfiguration != null) { if (m_serverConfiguration.PublishingResolution < 50) { m_serverConfiguration.PublishingResolution = 50; } } } // create the certificate validator. m_certificateValidator = new CertificateValidator(); await m_certificateValidator.Update(this.SecurityConfiguration); }
/// <summary> /// Adds a node to the type table if it is a type and does not already exist. If it exists references are updated. /// </summary> /// <param name="node">The node.</param> public void Add(ILocalNode node) { // ignore null. if (node == null || NodeId.IsNull(node.NodeId)) { return; } // ignore non-types. if ((node.NodeClass & (NodeClass.ObjectType | NodeClass.VariableType | NodeClass.ReferenceType | NodeClass.DataType)) == 0) { return; } NodeId localsuperTypeId = null; // find the supertype. ExpandedNodeId superTypeId = node.References.FindTarget(ReferenceTypeIds.HasSubtype, true, false, null, 0); if (superTypeId != null) { localsuperTypeId = ExpandedNodeId.ToNodeId(superTypeId, m_namespaceUris); if (localsuperTypeId == null) { throw ServiceResultException.Create(StatusCodes.BadNodeIdInvalid, "A valid supertype identifier is required."); } } lock (m_lock) { // lookup the supertype. TypeInfo superTypeInfo = null; if (localsuperTypeId != null) { if (!m_nodes.TryGetValue(localsuperTypeId, out superTypeInfo)) { throw ServiceResultException.Create(StatusCodes.BadNodeIdInvalid, "A valid supertype identifier is required."); } } // create the type info. TypeInfo typeInfo = null; if (!m_nodes.TryGetValue(node.NodeId, out typeInfo)) { typeInfo = new TypeInfo(); m_nodes.Add(node.NodeId, typeInfo); } // update the info. typeInfo.NodeId = node.NodeId; typeInfo.SuperType = superTypeInfo; typeInfo.Deleted = false; // add to supertype. if (superTypeInfo != null) { superTypeInfo.AddSubType(typeInfo); } // remove the encodings. if (typeInfo.Encodings != null) { foreach (NodeId encoding in typeInfo.Encodings) { m_encodings.Remove(encoding); } } // any new encodings. IList <IReference> encodings = node.References.Find(ReferenceTypeIds.HasEncoding, false, false, null); if (encodings.Count > 0) { typeInfo.Encodings = new NodeId[encodings.Count]; for (int ii = 0; ii < encodings.Count; ii++) { typeInfo.Encodings[ii] = ExpandedNodeId.ToNodeId(encodings[ii].TargetId, m_namespaceUris); m_encodings[typeInfo.Encodings[ii]] = typeInfo; } } // add reference type. if ((node.NodeClass & NodeClass.ReferenceType) != 0) { if (!QualifiedName.IsNull(typeInfo.BrowseName)) { m_referenceTypes.Remove(typeInfo.BrowseName); } typeInfo.BrowseName = node.BrowseName; m_referenceTypes[node.BrowseName] = typeInfo; } } }
/// <summary> /// Creates a new UA-binary transport channel if requested. Null otherwise. /// </summary> /// <param name="configuration">The application configuration.</param> /// <param name="description">The description for the endpoint.</param> /// <param name="endpointConfiguration">The configuration to use with the endpoint.</param> /// <param name="clientCertificate">The client certificate.</param> /// <param name="clientCertificateChain">The client certificate chain.</param> /// <param name="messageContext">The message context to use when serializing the messages.</param> /// <returns></returns> public static ITransportChannel CreateUaBinaryChannel( ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, X509Certificate2 clientCertificate, X509Certificate2Collection clientCertificateChain, ServiceMessageContext messageContext) { string uriScheme = new Uri(description.EndpointUrl).Scheme; switch (description.TransportProfileUri) { case Profiles.UaTcpTransport: { uriScheme = Utils.UriSchemeOpcTcp; break; } case Profiles.HttpsBinaryTransport: { uriScheme = Utils.UriSchemeHttps; break; } case Profiles.UaWssTransport: { uriScheme = Utils.UriSchemeOpcWss; break; } } // initialize the channel which will be created with the server. ITransportChannel channel = TransportBindings.Channels.GetChannel(uriScheme); if (channel == null) { throw ServiceResultException.Create( StatusCodes.BadProtocolVersionUnsupported, "Unsupported transport profile for scheme {0}.", uriScheme); } // create a UA-TCP channel. TransportChannelSettings settings = new TransportChannelSettings { Description = description, Configuration = endpointConfiguration, ClientCertificate = clientCertificate, ClientCertificateChain = clientCertificateChain }; if (description.ServerCertificate != null && description.ServerCertificate.Length > 0) { settings.ServerCertificate = Utils.ParseCertificateBlob(description.ServerCertificate); } if (configuration != null) { settings.CertificateValidator = configuration.CertificateValidator.GetChannelValidator(); } settings.NamespaceUris = messageContext.NamespaceUris; settings.Factory = messageContext.Factory; channel.Initialize(new Uri(description.EndpointUrl), settings); channel.Open(); return(channel); }
/// <summary> /// Recursively builds the full inhierited type hierarchy starting with the top-level type. /// </summary> private void GetInstanceHierarchyForType(ExpandedNodeId typeId, InstanceDeclarationHierarchy hierarchy) { // the type must be local to the address space. ILocalNode type = m_nodes.Find(typeId) as ILocalNode; if (type == null) { throw ServiceResultException.Create( StatusCodes.BadNodeIdUnknown, "The type is not in the local address space.\r\nNodeId = {0}", typeId); } // must be an object or variable type. if ((type.NodeClass & (NodeClass.ObjectType | NodeClass.VariableType)) == 0) { throw ServiceResultException.Create( StatusCodes.BadNodeClassInvalid, "The type node is not an ObjectType or VariableType.\r\nNodeId = {0}\r\nNodeClass = {1}", typeId, type.NodeClass); } // find hierarchy in supertypes first. foreach (IReference reference in type.References.Find(ReferenceTypeIds.HasSubtype, true, false, null)) { GetInstanceHierarchyForType(reference.TargetId, hierarchy); } string browsePath = "/"; // check if the browse path already exists in the hierarchy. HierarchyBrowsePath parent = null; if (!hierarchy.BrowsePaths.TryGetValue(browsePath, out parent)) { parent = new HierarchyBrowsePath(); parent.BrowsePath = browsePath; parent.DeclarationId = type.NodeId; parent.InstanceId = null; parent.IsModelParent = true; parent.IsOptional = false; // add new browse path to hierarchy. hierarchy.BrowsePaths.Add(browsePath, parent); } // override any declaration specified in a supertype. parent.DeclarationId = type.NodeId; hierarchy.Declarations[type.NodeId] = parent; // follow hierarchial references to nodes with a naming rule of unique or unique optional. foreach (IReference reference in type.References.Find(ReferenceTypeIds.HierarchicalReferences, false, true, m_nodes.TypeTree)) { GetInstanceHierarchyForType(parent, reference.TargetId, hierarchy); } // update references defined in the type. foreach (HierarchyBrowsePath declaration in hierarchy.Declarations.Values) { // the declaration must be local to the address space. ILocalNode declarationNode = m_nodes.Find(declaration.DeclarationId) as ILocalNode; if (declarationNode == null) { continue; } // process all references. foreach (IReference reference in declarationNode.References) { UpdateReferenceDeclaration(declaration, reference, hierarchy); } } }
/// <summary> /// Throws an exception if validation fails. /// </summary> /// <param name="certificate">The certificate to be checked.</param> /// <exception cref="ServiceResultException">If certificate cannot be accepted</exception> protected virtual void InternalValidate(X509Certificate2 certificate) { lock (m_lock) { // check for previously validated certificate. X509Certificate2 certificate2 = null; if (m_validatedCertificates.TryGetValue(certificate.Thumbprint, out certificate2)) { if (Utils.IsEqual(certificate2.RawData, certificate.RawData)) { return; } } CertificateIdentifier trustedCertificate = GetTrustedCertificate(certificate); // get the issuers (checks the revocation lists if using directory stores). List <CertificateIdentifier> issuers = new List <CertificateIdentifier>(); bool isIssuerTrusted = GetIssuers(certificate, issuers); // setup policy chain X509ChainPolicy policy = new X509ChainPolicy(); policy.RevocationFlag = X509RevocationFlag.EntireChain; policy.RevocationMode = X509RevocationMode.NoCheck; policy.VerificationFlags = X509VerificationFlags.NoFlag; foreach (CertificateIdentifier issuer in issuers) { if ((issuer.ValidationOptions & CertificateValidationOptions.SuppressRevocationStatusUnknown) != 0) { policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown; } // we did the revocation check in the GetIssuers call. No need here. policy.RevocationMode = X509RevocationMode.NoCheck; policy.ExtraStore.Add(issuer.Certificate); } // build chain. X509Chain chain = new X509Chain(); chain.ChainPolicy = policy; chain.Build(certificate); // check the chain results. CertificateIdentifier target = trustedCertificate; if (target == null) { target = new CertificateIdentifier(certificate); } for (int ii = 0; ii < chain.ChainElements.Count; ii++) { X509ChainElement element = chain.ChainElements[ii]; CertificateIdentifier issuer = null; if (ii < issuers.Count) { issuer = issuers[ii]; } // check for chain status errors. foreach (X509ChainStatus status in element.ChainElementStatus) { ServiceResult result = CheckChainStatus(status, target, issuer, (ii != 0)); if (ServiceResult.IsBad(result)) { throw new ServiceResultException(result); } } if (issuer != null) { target = issuer; } } // check if certificate is trusted. if (trustedCertificate == null && !isIssuerTrusted) { if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData)) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificate.SubjectName.Name, certificate.IssuerName.Name); } } } }
/// <summary> /// Ensures that the application configuration is valid. /// </summary> /// <param name="applicationType">Type of the application.</param> public virtual void Validate(ApplicationType applicationType) { if (String.IsNullOrEmpty(ApplicationName)) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationName must be specified."); } #if !SILVERLIGHT if (SecurityConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "SecurityConfiguration must be specified."); } SecurityConfiguration.Validate(); // ensure application uri matches the certificate. X509Certificate2 certificate = SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null); if (certificate != null) { ApplicationUri = Utils.GetApplicationUriFromCertficate(certificate); } #endif // generate a default uri. if (String.IsNullOrEmpty(ApplicationUri)) { StringBuilder buffer = new StringBuilder(); buffer.Append("urn:"); buffer.Append(System.Net.Dns.GetHostName()); buffer.Append(":"); buffer.Append(ApplicationName); m_applicationUri = buffer.ToString(); } if (applicationType == ApplicationType.Client || applicationType == ApplicationType.ClientAndServer) { if (ClientConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ClientConfiguration must be specified."); } ClientConfiguration.Validate(); } if (applicationType == ApplicationType.Server || applicationType == ApplicationType.ClientAndServer) { if (ServerConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ServerConfiguration must be specified."); } ServerConfiguration.Validate(); } if (applicationType == ApplicationType.DiscoveryServer) { if (DiscoveryServerConfiguration == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "DiscoveryServerConfiguration must be specified."); } DiscoveryServerConfiguration.Validate(); } // toggle the state of the hi-res clock. HiResClock.Disabled = m_disableHiResClock; if (m_disableHiResClock) { if (m_serverConfiguration != null) { if (m_serverConfiguration.PublishingResolution < 50) { m_serverConfiguration.PublishingResolution = 50; } } } #if !SILVERLIGHT // create the certificate validator. m_certificateValidator = new CertificateValidator(); m_certificateValidator.Update(this.SecurityConfiguration); #endif }
/// <inheritdoc cref="IEncodeable.Encode(IEncoder)" /> public void Encode(IEncoder encoder) { encoder.WriteUInt32("UriVersion", UriVersion); if (NamespaceUris != null && NamespaceUris.Count > 1) { string[] uris = new string[NamespaceUris.Count - 1]; for (int ii = 1; ii < NamespaceUris.Count; ii++) { uris[ii - 1] = NamespaceUris.GetString((uint)ii); } encoder.WriteStringArray("NamespaceUris", uris); } else { encoder.WriteStringArray("NamespaceUris", Array.Empty <string>()); } if (ServerUris != null && ServerUris.Count > 1) { string[] uris = new string[ServerUris.Count - 1]; for (int ii = 1; ii < ServerUris.Count; ii++) { uris[ii - 1] = ServerUris.GetString((uint)ii); } encoder.WriteStringArray("ServerUris", uris); } else { encoder.WriteStringArray("ServerUris", Array.Empty <string>()); } if (LocaleIds != null && LocaleIds.Count > 1) { encoder.WriteStringArray("LocaleIds", LocaleIds.ToArray()); } else { encoder.WriteStringArray("LocaleIds", Array.Empty <string>()); } if (Message != null) { encoder.SetMappingTables(NamespaceUris, ServerUris); if (Message.TypeId == null || Message.TypeId.IdType != IdType.Numeric) { throw ServiceResultException.Create(StatusCodes.BadEncodingError, "SessionLessServiceMessage message body must have a numeric TypeId defined. ({0})", Message.TypeId); } encoder.WriteUInt32("ServiceId", (uint)Message.TypeId.Identifier); encoder.WriteEncodeable("Body", Message, null); } else { encoder.WriteUInt32("TypeId", (uint)0); } }
/// <summary> /// Creates a new UA-binary transport channel if requested. Null otherwise. /// </summary> /// <param name="configuration">The application configuration.</param> /// <param name="description">The description for the endpoint.</param> /// <param name="endpointConfiguration">The configuration to use with the endpoint.</param> /// <param name="clientCertificate">The client certificate.</param> /// <param name="messageContext">The message context to use when serializing the messages.</param> /// <returns></returns> public static ITransportChannel CreateUaBinaryChannel( ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, X509Certificate2 clientCertificate, ServiceMessageContext messageContext) { bool useUaTcp = description.EndpointUrl.StartsWith(Utils.UriSchemeOpcTcp); bool useHttps = description.EndpointUrl.StartsWith(Utils.UriSchemeHttps); switch (description.TransportProfileUri) { case Profiles.UaTcpTransport: { useUaTcp = true; break; } case Profiles.HttpsBinaryTransport: { useHttps = true; break; } } // note: WCF channels are not supported if (!useUaTcp && !useHttps) { throw ServiceResultException.Create( StatusCodes.BadServiceUnsupported, "Unsupported transport profile\r\n"); } // initialize the channel which will be created with the server. ITransportChannel channel = null; // create a UA-TCP channel. TransportChannelSettings settings = new TransportChannelSettings(); settings.Description = description; settings.Configuration = endpointConfiguration; settings.ClientCertificate = clientCertificate; if (description.ServerCertificate != null && description.ServerCertificate.Length > 0) { settings.ServerCertificate = Utils.ParseCertificateBlob(description.ServerCertificate); } if (configuration != null) { settings.CertificateValidator = configuration.CertificateValidator.GetChannelValidator(); } settings.NamespaceUris = messageContext.NamespaceUris; settings.Factory = messageContext.Factory; if (useUaTcp) { if (g_CustomTransportChannel != null) { channel = g_CustomTransportChannel.Create(); } else { channel = new TcpTransportChannel(); } } else if (useHttps) { channel = new HttpsTransportChannel(); } channel.Initialize(new Uri(description.EndpointUrl), settings); channel.Open(); return(channel); }
/// <summary> /// Pushes a new element onto the stack. /// </summary> /// <param name="op">The filter operator.</param> /// <param name="operands">The operands.</param> /// <returns></returns> public ContentFilterElement Push(FilterOperator op, params object[] operands) { // check if nothing more to do. if (operands == null || operands.Length == 0) { throw ServiceResultException.Create(StatusCodes.BadInvalidArgument, "ContentFilterElement does not have an operands."); } // create the element and set the operator. ContentFilterElement element = new ContentFilterElement(); element.FilterOperator = op; for (int ii = 0; ii < operands.Length; ii++) { // check if a FilterOperand was provided. FilterOperand filterOperand = operands[ii] as FilterOperand; if (filterOperand != null) { element.FilterOperands.Add(new ExtensionObject(filterOperand)); continue; } // check for reference to another ContentFilterElement. ContentFilterElement existingElement = operands[ii] as ContentFilterElement; if (existingElement != null) { int index = FindElementIndex(existingElement); if (index == -1) { throw ServiceResultException.Create(StatusCodes.BadInvalidArgument, "ContentFilterElement is not part of the ContentFilter."); } ElementOperand operand = new ElementOperand(); operand.Index = (uint)index; element.FilterOperands.Add(new ExtensionObject(operand)); continue; } // assume a literal operand. LiteralOperand literalOperand = new LiteralOperand(); literalOperand.Value = new Variant(operands[ii]); element.FilterOperands.Add(new ExtensionObject(literalOperand)); } // insert the new element at the begining of the list. m_elements.Insert(0, element); // re-number ElementOperands since all element were shifted up. for (int ii = 0; ii < m_elements.Count; ii++) { foreach (ExtensionObject extension in m_elements[ii].FilterOperands) { if (extension != null) { ElementOperand operand = extension.Body as ElementOperand; if (operand != null) { operand.Index++; } } } } // return new element. return(element); }
/// <summary> /// Parses a relative path formatted as a string. /// </summary> public static RelativePath Parse(string browsePath, ITypeTable typeTree) { if (typeTree == null) { throw new ArgumentNullException("typeTree"); } // parse the string. RelativePathFormatter formatter = RelativePathFormatter.Parse(browsePath); // convert the browse names to node ids. RelativePath relativePath = new RelativePath(); foreach (RelativePathFormatter.Element element in formatter.Elements) { RelativePathElement parsedElement = new RelativePathElement(); parsedElement.ReferenceTypeId = null; parsedElement.IsInverse = false; parsedElement.IncludeSubtypes = element.IncludeSubtypes; parsedElement.TargetName = element.TargetName; switch (element.ElementType) { case RelativePathFormatter.ElementType.AnyHierarchical: { parsedElement.ReferenceTypeId = ReferenceTypeIds.HierarchicalReferences; break; } case RelativePathFormatter.ElementType.AnyComponent: { parsedElement.ReferenceTypeId = ReferenceTypeIds.Aggregates; break; } case RelativePathFormatter.ElementType.ForwardReference: { parsedElement.ReferenceTypeId = typeTree.FindReferenceType(element.ReferenceTypeName); break; } case RelativePathFormatter.ElementType.InverseReference: { parsedElement.ReferenceTypeId = typeTree.FindReferenceType(element.ReferenceTypeName); parsedElement.IsInverse = true; break; } } if (NodeId.IsNull(parsedElement.ReferenceTypeId)) { throw ServiceResultException.Create( StatusCodes.BadSyntaxError, "Could not convert BrowseName to a ReferenceTypeId: {0}", element.ReferenceTypeName); } relativePath.Elements.Add(parsedElement); } return(relativePath); }
/// <summary> /// Updates an endpoint with information from the server's discovery endpoint. /// </summary> public void UpdateFromServer( Uri endpointUrl, MessageSecurityMode securityMode, string securityPolicyUri) { // get the a discovery url. Uri discoveryUrl = GetDiscoveryUrl(endpointUrl); // create the discovery client. DiscoveryClient client = DiscoveryClient.Create(discoveryUrl, m_configuration); try { // get the endpoints. EndpointDescriptionCollection collection = client.GetEndpoints(null); if (collection == null || collection.Count == 0) { throw ServiceResultException.Create( StatusCodes.BadUnknownResponse, "Server does not have any endpoints defined."); } // find list of matching endpoints. EndpointDescriptionCollection matches = new EndpointDescriptionCollection(); // first pass - match on the requested security parameters. foreach (EndpointDescription description in collection) { // check for match on security policy. if (!String.IsNullOrEmpty(securityPolicyUri)) { if (securityPolicyUri != description.SecurityPolicyUri) { continue; } } // check for match on security mode. if (securityMode != MessageSecurityMode.Invalid) { if (securityMode != description.SecurityMode) { continue; } } // add to list of matches. matches.Add(description); } // no matches (security parameters may have changed). if (matches.Count == 0) { matches = collection; } // check if list has to be narrowed down further. if (matches.Count > 1) { collection = matches; matches = new EndpointDescriptionCollection(); // second pass - match on the url scheme. foreach (EndpointDescription description in collection) { // parse the endpoint url. Uri sessionUrl = Utils.ParseUri(description.EndpointUrl); if (sessionUrl == null) { continue; } // check for matching protocol. if (sessionUrl.Scheme != endpointUrl.Scheme) { continue; } matches.Add(description); } } // no matches (protocol may not be supported). if (matches.Count == 0) { matches = collection; } // choose first in list by default. EndpointDescription match = matches[0]; // check if list has to be narrowed down further. if (matches.Count > 1) { // third pass - match based on security level. foreach (EndpointDescription description in matches) { if (description.SecurityLevel > match.SecurityLevel) { match = description; } } } // check if the endpoint url matches the endpoint used in the request. Uri matchUrl = Utils.ParseUri(match.EndpointUrl); if (matchUrl == null || String.Compare(discoveryUrl.DnsSafeHost, matchUrl.DnsSafeHost, StringComparison.OrdinalIgnoreCase) != 0) { UriBuilder uri = new UriBuilder(matchUrl); uri.Host = discoveryUrl.DnsSafeHost; uri.Port = discoveryUrl.Port; match.EndpointUrl = uri.ToString(); // need to update the discovery urls. match.Server.DiscoveryUrls.Clear(); match.Server.DiscoveryUrls.Add(discoveryUrl.ToString()); } // update the endpoint. Update(match); } finally { client.Close(); } }
/// <summary> /// Used to indicate that the asynchronous operation has completed. /// </summary> /// <param name="response">The response. May be null if an error is provided.</param> /// <param name="error"></param> public void OperationCompleted(IServiceResponse response, ServiceResult error) { // save response and/or error. m_error = null; m_response = response; if (ServiceResult.IsBad(error)) { m_error = new ServiceResultException(error); m_response = SaveExceptionAsResponse(m_error); } // operation completed. OperationCompleted(); }
/// <summary> /// Returns the issuers for the certificates. /// </summary> public bool GetIssuersWithChainSupportEnabled(X509Certificate2Collection certificates, List <CertificateIdentifier> issuers) { bool isTrusted = false; bool isChainComplete = false; CertificateIdentifier issuer = null; X509Certificate2 certificate = certificates[0]; // application certificate is trusted CertificateIdentifier trustedCertificate = GetTrustedCertificate(certificate); if (trustedCertificate != null) { isTrusted = true; } if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { if (!isTrusted) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Self Signed Certificate is not trusted.\r\nIssuerName: {0}", certificate.IssuerName.Name); } return(isTrusted); } CertificateIdentifierCollection collection = new CertificateIdentifierCollection(); for (int ii = 1; ii < certificates.Count; ii++) { collection.Add(new CertificateIdentifier(certificates[ii])); } do { issuer = GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true); if (issuer != null) { isTrusted = true; } if (issuer == null) { issuer = GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true); if (issuer == null) { issuer = GetIssuer(certificate, collection, null, true); } } if (issuer != null) { //isTrusted = true; issuers.Add(issuer); certificate = issuer.Find(false); // check for root. if (Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { isChainComplete = true; break; } } else { isTrusted = false; } }while (issuer != null); if (!isChainComplete) { throw ServiceResultException.Create( StatusCodes.BadSecurityChecksFailed, "Certificate chain not complete.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificates[0].SubjectName.Name, certificates[0].IssuerName.Name); } if (!isTrusted) { throw ServiceResultException.Create( StatusCodes.BadCertificateUntrusted, "Certificate issuer is not trusted.\r\nSubjectName: {0}\r\nIssuerName: {1}", certificates[0].SubjectName.Name, certificates[0].IssuerName.Name); } return(isTrusted); }