/// <summary> /// Displays the dialog. /// </summary> public CertificateIdentifier ShowDialog(CertificateStoreIdentifier store, bool allowStoreChange) { CertificateStoreCTRL.StoreType = CertificateStoreType.Directory; CertificateStoreCTRL.StorePath = String.Empty; CertificateStoreCTRL.ReadOnly = !allowStoreChange; CertificatesCTRL.Initialize(null); OkBTN.Enabled = false; if (store != null) { CertificateStoreCTRL.StoreType = store.StoreType; CertificateStoreCTRL.StorePath = store.StorePath; } if (ShowDialog() != DialogResult.OK) { return null; } CertificateIdentifier id = new CertificateIdentifier(); id.StoreType = CertificateStoreCTRL.StoreType; id.StorePath = CertificateStoreCTRL.StorePath; id.Certificate = CertificatesCTRL.SelectedCertificate; return id; }
/// <summary> /// Deletes an existing application instance certificate. /// </summary> /// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param> private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration) { // create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { return; } // delete certificate and private key. X509Certificate2 certificate = await id.Find().ConfigureAwait(false); if (certificate != null) { Utils.LogCertificate(TraceMasks.Security, "Deleting application instance certificate and private key.", certificate); } // delete trusted peer certificate. if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null) { string thumbprint = id.Thumbprint; if (certificate != null) { thumbprint = certificate.Thumbprint; } if (!string.IsNullOrEmpty(thumbprint)) { using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore()) { bool deleted = await store.Delete(thumbprint).ConfigureAwait(false); if (deleted) { Utils.LogInfo(TraceMasks.Security, "Application Instance Certificate [{0}] deleted from trusted store.", thumbprint); } } } } // delete certificate and private key from owner store. if (certificate != null) { using (ICertificateStore store = id.OpenStore()) { bool deleted = await store.Delete(certificate.Thumbprint).ConfigureAwait(false); if (deleted) { Utils.LogCertificate(TraceMasks.Security, "Application certificate and private key deleted.", certificate); } } } // erase the memory copy of the deleted certificate id.Certificate = null; }
private void CopyMI_Click(object sender, EventArgs e) { try { X509Certificate2 certificate = SelectedTag as X509Certificate2; if (certificate == null) { return; } StringBuilder builder = new StringBuilder(); XmlWriter writer = XmlWriter.Create(builder); try { DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier)); CertificateIdentifier id = new CertificateIdentifier(); id.Certificate = certificate; serializer.WriteObject(writer, id); } finally { writer.Close(); } ClipboardHack.SetData(DataFormats.Text, builder.ToString()); } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
private async void ViewMI_Click(object sender, EventArgs e) { try { X509Certificate2 certificate = SelectedTag as X509Certificate2; if (certificate != null) { CertificateIdentifier id = new CertificateIdentifier(); id.Certificate = certificate; if (m_storeId != null) { id.StoreType = m_storeId.StoreType; id.StorePath = m_storeId.StorePath; } await new ViewCertificateDlg().ShowDialog(id); } } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Displays the dialog. /// </summary> public SslCertificateBinding ShowDialog(ushort port, CertificateIdentifier certificate) { m_certificate = certificate; IPAddressTB.Text = "0.0.0.0"; PortUD.Value = port; CertificateTB.Text = ""; CertificateStoreTB.Text = "LocalMachine\\My"; if (PortUD.Value == 0) { PortUD.Value = 443; } if (certificate != null) { CertificateTB.Text = certificate.Thumbprint; } if (base.ShowDialog() == DialogResult.Cancel) { return(null); } return(m_binding); }
private void PasteMI_Click(object sender, EventArgs e) { try { string xml = (string)ClipboardHack.GetData(DataFormats.Text); if (String.IsNullOrEmpty(xml)) { return; } // deserialize the data. CertificateIdentifier id = null; using (XmlTextReader reader = new XmlTextReader(new StringReader(xml))) { DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier)); id = (CertificateIdentifier)serializer.ReadObject(reader, false); } if (id.Certificate != null) { using (ICertificateStore store = m_storeId.OpenStore()) { store.Add(id.Certificate); } AddItem(id.Certificate); } } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Initializes the validator from the configuration for a token policy. /// </summary> /// <param name="issuerCertificate">The issuer certificate.</param> private SecurityTokenResolver CreateSecurityTokenResolver(CertificateIdentifier issuerCertificate) { if (issuerCertificate == null) { throw new ArgumentNullException("issuerCertificate"); } // find the certificate. X509Certificate2 certificate = issuerCertificate.Find(false); if (certificate == null) { throw ServiceResultException.Create( StatusCodes.BadCertificateInvalid, "Could not find issuer certificate: {0}", issuerCertificate); } // create a security token representing the certificate. List <SecurityToken> tokens = new List <SecurityToken>(); tokens.Add(new X509SecurityToken(certificate)); // create issued token resolver. SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver( new System.Collections.ObjectModel.ReadOnlyCollection <SecurityToken>(tokens), false); return(tokenResolver); }
/// <summary> /// Displays the dialog. /// </summary> public CertificateIdentifier ShowDialog(CertificateStoreIdentifier store, bool allowStoreChange) { CertificateStoreCTRL.StoreType = CertificateStoreType.Directory; CertificateStoreCTRL.StorePath = String.Empty; CertificateStoreCTRL.ReadOnly = !allowStoreChange; CertificatesCTRL.Initialize(null); OkBTN.Enabled = false; if (store != null) { CertificateStoreCTRL.StoreType = store.StoreType; CertificateStoreCTRL.StorePath = store.StorePath; } if (ShowDialog() != DialogResult.OK) { return(null); } CertificateIdentifier id = new CertificateIdentifier(); id.StoreType = CertificateStoreCTRL.StoreType; id.StorePath = CertificateStoreCTRL.StorePath; id.Certificate = CertificatesCTRL.SelectedCertificate; return(id); }
/// <summary> /// Displays the dialog. /// </summary> public SslCertificateBinding ShowDialog(ushort port, CertificateIdentifier certificate) { m_certificate = certificate; IPAddressTB.Text = "0.0.0.0"; PortUD.Value = port; CertificateTB.Text = ""; CertificateStoreTB.Text = "LocalMachine\\My"; if (PortUD.Value == 0) { PortUD.Value = 443; } if (certificate != null) { CertificateTB.Text = certificate.Thumbprint; } if (base.ShowDialog() == DialogResult.Cancel) { return null; } return m_binding; }
public async Task VerifyAppCertX509Store(string storePath) { var appCertificate = GetTestCert(); Assert.NotNull(appCertificate); Assert.True(appCertificate.HasPrivateKey); appCertificate.AddToStore( CertificateStoreType.X509Store, storePath ); using (var publicKey = new X509Certificate2(appCertificate.RawData)) { Assert.NotNull(publicKey); Assert.False(publicKey.HasPrivateKey); var id = new CertificateIdentifier() { Thumbprint = publicKey.Thumbprint, StorePath = storePath, StoreType = CertificateStoreType.X509Store }; var privateKey = await id.LoadPrivateKey(null).ConfigureAwait(false); Assert.NotNull(privateKey); Assert.True(privateKey.HasPrivateKey); X509Utils.VerifyRSAKeyPair(publicKey, privateKey, true); using (var x509Store = new X509CertificateStore()) { x509Store.Open(storePath); await x509Store.Delete(publicKey.Thumbprint).ConfigureAwait(false); } } }
/// <summary> /// Displays the dialog. /// </summary> public async Task <bool> ShowDialog(CertificateIdentifier certificateIdentifier) { CertificateStoreCTRL.StoreType = null; CertificateStoreCTRL.StorePath = null; PrivateKeyCB.SelectedIndex = 0; PropertiesCTRL.Initialize((X509Certificate2)null); if (certificateIdentifier != null) { X509Certificate2 certificate = await certificateIdentifier.Find(); CertificateStoreCTRL.StoreType = certificateIdentifier.StoreType; CertificateStoreCTRL.StorePath = certificateIdentifier.StorePath; if (certificate != null && certificateIdentifier.Find(true) != null) { PrivateKeyCB.SelectedIndex = 1; } else { PrivateKeyCB.SelectedIndex = 0; } PropertiesCTRL.Initialize(certificate); } if (ShowDialog() != DialogResult.OK) { return(false); } return(true); }
/// <summary> /// Displays the dialog. /// </summary> public bool ShowDialog(CertificateIdentifier certificateIdentifier) { CertificateStoreCTRL.StoreType = null; CertificateStoreCTRL.StorePath = null; PrivateKeyCB.SelectedIndex = 0; PropertiesCTRL.Initialize((X509Certificate2)null); if (certificateIdentifier != null) { X509Certificate2 certificate = certificateIdentifier.Find(); CertificateStoreCTRL.StoreType = certificateIdentifier.StoreType; CertificateStoreCTRL.StorePath = certificateIdentifier.StorePath; if (certificate != null && certificateIdentifier.Find(true) != null) { PrivateKeyCB.SelectedIndex = 1; } else { PrivateKeyCB.SelectedIndex = 0; } PropertiesCTRL.Initialize(certificate); } if (ShowDialog() != DialogResult.OK) { return false; } return true; }
public CertificateBundle UpdateCertificate(string vaultName, string certificateName, string certificateVersion, CertificateAttributes certificateAttributes, IDictionary <string, string> tags) { if (string.IsNullOrEmpty(vaultName)) { throw new ArgumentNullException("vaultName"); } if (string.IsNullOrEmpty(certificateName)) { throw new ArgumentNullException("certificateName"); } var certificateIdentifier = new CertificateIdentifier(this.vaultUriHelper.CreateVaultAddress(vaultName), certificateName, certificateVersion); CertificateBundle certificateBundle; try { certificateBundle = this.keyVaultClient.UpdateCertificateAsync( certificateIdentifier.Identifier, null, certificateAttributes, tags).GetAwaiter().GetResult(); } catch (Exception ex) { throw GetInnerException(ex); } return(certificateBundle); }
/// <summary> /// Creates the application instance certificate. /// </summary> /// <param name="configuration">The configuration.</param> /// <param name="keySize">Size of the key.</param> /// <param name="lifeTimeInMonths">The lifetime in months.</param> /// <returns>The new certificate</returns> private static async Task <X509Certificate2> CreateApplicationInstanceCertificate( ApplicationConfiguration configuration, ushort keySize, ushort lifeTimeInMonths ) { Utils.Trace(Utils.TraceMasks.Information, "Creating application instance certificate."); // delete any existing certificate. await DeleteApplicationInstanceCertificate(configuration); CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; // get the domains from the configuration file. IList <string> serverDomainNames = configuration.GetServerDomainNames(); if (serverDomainNames.Count == 0) { serverDomainNames.Add(Utils.GetHostName()); } // ensure the certificate store directory exists. if (id.StoreType == CertificateStoreType.Directory) { Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true); } X509Certificate2 certificate = CertificateFactory.CreateCertificate( configuration.ApplicationUri, configuration.ApplicationName, id.SubjectName, serverDomainNames) .SetLifeTime(lifeTimeInMonths) .SetRSAKeySize(keySize) .CreateForRSA(); id.Certificate = certificate; var passwordProvider = configuration.SecurityConfiguration.CertificatePasswordProvider; certificate.AddToStore( id.StoreType, id.StorePath, passwordProvider?.GetPassword(id) ); // ensure the certificate is trusted. if (configuration.SecurityConfiguration.AddAppCertToTrustedStore) { await AddToTrustedStore(configuration, certificate); } await configuration.CertificateValidator.Update(configuration.SecurityConfiguration); Utils.Trace(Utils.TraceMasks.Information, "Certificate created. Thumbprint={0}", certificate.Thumbprint); // reload the certificate from disk. await configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKeyEx(passwordProvider); return(certificate); }
/// <summary> /// Synchronous helper implementation of CheckApplicationInstanceCertificate for C++ Proxy /// </summary> public static void CheckApplicationInstanceCertificate(ApplicationConfiguration configuration) { // create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { id = new CertificateIdentifier(); id.StoreType = Utils.DefaultStoreType; id.StorePath = Utils.DefaultStorePath; id.SubjectName = configuration.ApplicationName; } // check for certificate with a private key. X509Certificate2 certificate = id.Find(true).Result; if (certificate != null) { return; } // construct the subject name from the List <string> hostNames = new List <string>(); hostNames.Add(Utils.GetHostName()); string commonName = Utils.Format("CN={0}", configuration.ApplicationName); string domainName = Utils.Format("DC={0}", hostNames[0]); string subjectName = Utils.Format("{0}, {1}", commonName, domainName); // create a new certificate with a new public key pair. certificate = CertificateFactory.CreateCertificate( configuration.ApplicationUri, configuration.ApplicationName, subjectName, hostNames) .CreateForRSA() .AddToStore( id.StoreType, id.StorePath); id.Certificate = certificate; // update and save the configuration file. configuration.SaveToFile(configuration.SourceFilePath); // add certificate to the trusted peer store so other applications will trust it. using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore()) { X509Certificate2Collection certificateCollection = store.FindByThumbprint(certificate.Thumbprint).Result; if (certificateCollection != null) { store.Add(certificateCollection[0]).Wait(); } } // tell the certificate validator about the new certificate. configuration.CertificateValidator.Update(configuration.SecurityConfiguration).Wait(); }
// Builds an ApplicationConfiguration for the OPC UA Client, using the credentials mounted as secrets // at `clientPKIPath,` which should already have the OPC UA Server's CA in the trusted folder. // If no credentials were mounted, an insecure connection is made with the OPC UA Server (SecurityPolicy = None). private ApplicationConfiguration CreateApplicationConfiguration() { CertificateIdentifier certificateIdentifier; string clientCertificateFolder = ClientPKIPath + "own/certs/"; try { X509Certificate2 certificate = GetCertificate(clientCertificateFolder); certificateIdentifier = new CertificateIdentifier { StoreType = "Directory", StorePath = ClientPKIPath + "own", Certificate = certificate, }; } catch (Exception e) { Console.WriteLine("Exception {0} thrown when trying to use application certificate mounted at {1}. Using no security.", e, clientCertificateFolder); certificateIdentifier = new CertificateIdentifier(); } ApplicationConfiguration config = new ApplicationConfiguration() { // Application name doesn't matter for certificate validation ApplicationName = "AkriOPCUABroker", ApplicationType = ApplicationType.Client, // If ApplicationUri is not specified, one is automatically created with the format "urn:<hostname>:<ApplicationName>" SecurityConfiguration = new SecurityConfiguration { ApplicationCertificate = certificateIdentifier, TrustedIssuerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = ClientPKIPath + "issuer", }, TrustedPeerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = ClientPKIPath + "trusted", }, RejectedCertificateStore = new CertificateTrustList { StoreType = "Directory", StorePath = ClientPKIPath + "rejected", }, NonceLength = 32, AutoAcceptUntrustedCertificates = AutoAccept }, TransportConfigurations = new TransportConfigurationCollection(), TransportQuotas = new TransportQuotas { OperationTimeout = (int)TimeSpan.FromMinutes(10).TotalMilliseconds }, ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = (int)TimeSpan.FromMinutes(1).TotalMilliseconds } }; return(config); }
/// <summary> /// Creates the objects used to validate the user identity tokens supported by the server. /// </summary> private void CreateUserIdentityValidators(ApplicationConfiguration configuration) { for (int ii = 0; ii < configuration.ServerConfiguration.UserTokenPolicies.Count; ii++) { UserTokenPolicy policy = configuration.ServerConfiguration.UserTokenPolicies[ii]; // ignore policies without an explicit id. if (String.IsNullOrEmpty(policy.PolicyId)) { continue; } // create a validator for an issued token policy. if (policy.TokenType == UserTokenType.IssuedToken) { // the name of the element in the configuration file. XmlQualifiedName qname = new XmlQualifiedName(policy.PolicyId, Namespaces.OpcUa); // find the id for the issuer certificate. CertificateIdentifier id = configuration.ParseExtension <CertificateIdentifier>(qname); if (id == null) { Utils.Trace( (int)Utils.TraceMasks.Error, "Could not load CertificateIdentifier for UserTokenPolicy {0}", policy.PolicyId); continue; } m_tokenResolver = CreateSecurityTokenResolver(id); m_tokenSerializer = WSSecurityTokenSerializer.DefaultInstance; } // create a validator for a certificate token policy. if (policy.TokenType == UserTokenType.Certificate) { // the name of the element in the configuration file. XmlQualifiedName qname = new XmlQualifiedName(policy.PolicyId, Namespaces.OpcUa); // find the location of the trusted issuers. CertificateTrustList trustedIssuers = configuration.ParseExtension <CertificateTrustList>(qname); if (trustedIssuers == null) { Utils.Trace( (int)Utils.TraceMasks.Error, "Could not load CertificateTrustList for UserTokenPolicy {0}", policy.PolicyId); continue; } // trusts any certificate in the trusted people store. m_certificateValidator = X509CertificateValidator.PeerTrust; } } }
/// <summary> /// load the authority signing key. /// </summary> public virtual async Task <X509Certificate2> LoadSigningKeyAsync(X509Certificate2 signingCertificate, string signingKeyPassword) { CertificateIdentifier certIdentifier = new CertificateIdentifier(signingCertificate) { StorePath = m_authoritiesStorePath, StoreType = m_authoritiesStoreType }; return(await certIdentifier.LoadPrivateKey(signingKeyPassword)); }
/// <summary> /// Create identifier /// </summary> /// <param name="certificateInfo"></param> /// <returns></returns> public static CertificateIdentifier ToCertificateIdentifier(this CertificateInfo certificateInfo) { var certificateIdentifier = new CertificateIdentifier { StoreType = certificateInfo.StoreType, StorePath = certificateInfo.StorePath, SubjectName = certificateInfo.SubjectName }; return(certificateIdentifier); }
/// <summary> /// Create identifier /// </summary> /// <param name="certificateInfo"></param> /// <param name="hostname"></param> /// <returns></returns> public static CertificateIdentifier ToCertificateIdentifier( this CertificateInfo certificateInfo, string hostname) { var certificateIdentifier = new CertificateIdentifier { StoreType = certificateInfo.StoreType, StorePath = certificateInfo.StorePath, SubjectName = certificateInfo.SubjectName.Replace("DC=localhost", $"DC={hostname}") }; return(certificateIdentifier); }
/// <summary> /// Creates a user identity for the policy. /// </summary> private IUserIdentity CreateUserIdentity(UserTokenPolicy policy) { if (policy == null || policy.TokenType == UserTokenType.Anonymous) { return(null); } if (policy.TokenType == UserTokenType.UserName) { return(new UserIdentity("SomeUser", "password")); } if (policy.TokenType == UserTokenType.Certificate) { X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly); try { foreach (X509Certificate2 certificate in store.Certificates) { if (certificate.HasPrivateKey) { return(new UserIdentity(certificate)); } } return(null); } finally { store.Close(); } } if (policy.TokenType == UserTokenType.IssuedToken) { CertificateIdentifier userid = new CertificateIdentifier(); userid.StoreType = CertificateStoreType.Windows; userid.StorePath = "LocalMachine\\Root"; userid.SubjectName = "UASampleRoot"; X509Certificate2 certificate = userid.Find(); X509SecurityToken signingToken = new X509SecurityToken(certificate); SamlSecurityToken token = CreateSAMLToken("*****@*****.**", signingToken); return(new UserIdentity(token)); } throw ServiceResultException.Create(StatusCodes.BadSecurityPolicyRejected, "User token policy is not supported."); }
/// <summary> /// Serializes the object into XML according to Aadhaar API specification. /// </summary> /// <param name="elementName">The name of the element.</param> /// <returns>An instance of <see cref="XElement"/>.</returns> public XElement ToXml(string elementName) { var sessionKey = new XElement(elementName, new XAttribute("ci", CertificateIdentifier.ToString(CertificateIdentifierFormat, CultureInfo.InvariantCulture)), Key); if (KeyIdentifier != Guid.Empty) { sessionKey.Add(new XAttribute("ki", KeyIdentifier)); } return(sessionKey); }
/// <summary> /// Creates a new certificate for application. /// </summary> /// <param name="application">The application.</param> private static async Task <X509Certificate2> CreateCertificateForApplication(InstalledApplication application) { // build list of domains. List <string> domains = new List <string>(); if (application.BaseAddresses != null) { foreach (string baseAddress in application.BaseAddresses) { Uri uri = Utils.ParseUri(baseAddress); if (uri != null) { string domain = uri.DnsSafeHost; if (String.Compare(domain, "localhost", StringComparison.OrdinalIgnoreCase) == 0) { domain = Utils.GetHostName(); } if (!Utils.FindStringIgnoreCase(domains, domain)) { domains.Add(domain); } } } } // must at least of the localhost. if (domains.Count == 0) { domains.Add(Utils.GetHostName()); } // create the certificate. X509Certificate2 certificate = await Opc.Ua.CertificateFactory.CreateCertificate( application.ApplicationCertificate.StoreType, application.ApplicationCertificate.StorePath, application.ApplicationUri, application.ApplicationName, Utils.Format("CN={0}/DC={1}", application.ApplicationName, domains[0]), domains, 1024, 300); CertificateIdentifier applicationCertificate = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(application.ApplicationCertificate); return(await applicationCertificate.LoadPrivateKey(null)); }
private static async Task <OpcUaClient> ConnectAsync(string endpoint, string cert, string key) { X509Certificate2 certificate = new X509Certificate2(Encoding.ASCII.GetBytes(cert)); X509Certificate2 certWithKey = CertificateFactory.CreateCertificateWithPEMPrivateKey(certificate, Encoding.ASCII.GetBytes(key)); CertificateIdentifier certificateIdentifier = new CertificateIdentifier(certWithKey); var client = new OpcUaClient(); client.UserIdentity = new UserIdentity(certWithKey); client.UseSecurity = true; client.ApplicationCertificate = certificateIdentifier; await client.ConnectServer(endpoint); return(client); }
/// <summary> /// Creates the application instance certificate. /// </summary> /// <param name="configuration">The configuration.</param> /// <param name="keySize">Size of the key.</param> /// <param name="lifetimeInMonths">The lifetime in months.</param> /// <returns>The new certificate</returns> private static X509Certificate2 CreateApplicationInstanceCertificate( ApplicationConfiguration configuration, ushort keySize, ushort lifetimeInMonths) { Utils.Trace(Utils.TraceMasks.Information, "Creating application instance certificate. KeySize={0}, Lifetime={1}", keySize, lifetimeInMonths); // Delete existing certificate DeleteApplicationInstanceCertificate(configuration); CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; // Get the domains from the configuration file. IList <string> serverDomainNames = configuration.GetServerDomainNames(); if (serverDomainNames.Count == 0) { GetLocalIpAddressAndDns().ForEach(x => serverDomainNames.Add(x)); } // ensure the certificate store directory exists. if (id.StoreType == CertificateStoreType.Directory) { Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true); } X509Certificate2 certificate = CertificateFactory.CreateCertificate( id.StoreType, id.StorePath, configuration.ApplicationUri, configuration.ApplicationName, null, serverDomainNames, keySize, lifetimeInMonths); id.Certificate = certificate; AddToTrustedStore(configuration, certificate); configuration.CertificateValidator.Update(configuration.SecurityConfiguration); Utils.Trace(Utils.TraceMasks.Information, "Certificate created. Thumbprint={0}", certificate.Thumbprint); // reload the certificate from disk. return(configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null)); }
private void PasteMI_Click(object sender, EventArgs e) { try { string xml = (string)ClipboardHack.GetData(DataFormats.Text); if (String.IsNullOrEmpty(xml)) { return; } // check if in the favorites list. ContainerInfo info = NodesTV.SelectedNode.Tag as ContainerInfo; // check if pasting into a store. if (info.Type == ContainerInfoType.Store) { CertificateIdentifier id = null; using (XmlTextReader reader = new XmlTextReader(new StringReader(xml))) { DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier)); id = (CertificateIdentifier)serializer.ReadObject(reader, false); } if (id.Certificate != null) { CertificateStoreIdentifier storeId = info.GetCertificateStore(); using (ICertificateStore store = storeId.OpenStore()) { store.Add(id.Certificate); } } SelectNode(); return; } } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Creates a minimal endpoint description which allows a client to connect to a server. /// </summary> /// <remarks> /// In most cases the client will use the server's discovery endpoint to fetch the information /// constained in this structure. /// </remarks> public static EndpointDescription CreateEndpointDescription() { // create the endpoint description. EndpointDescription endpointDescription = new EndpointDescription(); endpointDescription.EndpointUrl = Utils.Format("http://{0}:61211/UA/SampleClient", System.Net.Dns.GetHostName()); // endpointDescription.EndpointUrl = Utils.Format("opc.tcp://{0}:51210/UA/SampleServer", System.Net.Dns.GetHostName()); // endpointDescription.EndpointUrl = Utils.Format("http://{0}:51211/UA/SampleServer/None", System.Net.Dns.GetHostName()); // endpointDescription.EndpointUrl = Utils.Format("http://{0}:51211/UA/SampleServer", System.Net.Dns.GetHostName()); // specify the security policy to use. // endpointDescription.SecurityPolicyUri = SecurityPolicies.None; // endpointDescription.SecurityMode = MessageSecurityMode.None;; endpointDescription.SecurityPolicyUri = SecurityPolicies.Basic256Sha256; endpointDescription.SecurityMode = MessageSecurityMode.SignAndEncrypt; // specify the transport profile. endpointDescription.TransportProfileUri = Profiles.WsHttpXmlOrBinaryTransport; // endpointDescription.TransportProfileUri = Profiles.WsHttpXmlTransport; // endpointDescription.TransportProfileUri = Profiles.UaTcpTransport; endpointDescription.Server.DiscoveryUrls.Add(Utils.Format("http://{0}:61211/UA/SampleClient/discovery", System.Net.Dns.GetHostName())); // load the the server certificate from the local certificate store. CertificateIdentifier certificateIdentifier = new CertificateIdentifier(); certificateIdentifier.StoreType = CertificateStoreType.Windows; certificateIdentifier.StorePath = "LocalMachine\\My"; certificateIdentifier.SubjectName = "UA Sample Client"; X509Certificate2 serverCertificate = certificateIdentifier.Find(); if (serverCertificate == null) { throw ServiceResultException.Create(StatusCodes.BadCertificateInvalid, "Could not find server certificate: {0}", certificateIdentifier.SubjectName); } endpointDescription.ServerCertificate = serverCertificate.RawData; return(endpointDescription); }
/// <summary> /// Deletes an existing application instance certificate. /// </summary> /// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param> private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration) { Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate."); // create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { return; } // delete private key. X509Certificate2 certificate = await id.Find().ConfigureAwait(false); // delete trusted peer certificate. if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null) { string thumbprint = id.Thumbprint; if (certificate != null) { thumbprint = certificate.Thumbprint; } if (!string.IsNullOrEmpty(thumbprint)) { using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore()) { await store.Delete(thumbprint).ConfigureAwait(false); } } } // delete private key. if (certificate != null) { using (ICertificateStore store = id.OpenStore()) { await store.Delete(certificate.Thumbprint).ConfigureAwait(false); } } }
/// <summary> /// Applies the configuration settings to the own app certificate. /// </summary> public static void ApplyLocalConfig( this CertificateIdentifier certificateIdentifier, CertificateInfo certificateStore) { if (certificateIdentifier == null) { throw new ArgumentNullException(nameof(certificateIdentifier)); } if (certificateStore == null) { throw new ArgumentNullException(nameof(certificateStore)); } if (certificateIdentifier.StorePath != certificateStore.StorePath) { certificateIdentifier.StoreType = certificateStore.StoreType; certificateIdentifier.StorePath = certificateStore.StorePath; } }
private void NewBindingMI_Click(object sender, EventArgs e) { try { CertificateIdentifier certificate = new CertificateIdentifier(); certificate.StoreType = m_defaultStore.StoreType; certificate.StorePath = m_defaultStore.StorePath; SslCertificateBinding binding = new CreateSslBindingDlg().ShowDialog(0, certificate); if (binding != null) { AddRow(binding); } } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Deletes an existing application instance certificate. /// </summary> /// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param> private static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration) { Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate."); // Create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { return; } X509Certificate2 certificate = id.Find(); // Delete trusted peer certificate. if (configuration.SecurityConfiguration?.TrustedPeerCertificates != null) { var thumbprint = id.Thumbprint; if (certificate != null) { thumbprint = certificate.Thumbprint; } using (var store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore()) { store.Delete(thumbprint); } } // Delete private key. if (certificate == null) { return; } using (ICertificateStore store = id.OpenStore()) { store.Delete(certificate.Thumbprint); } }
private void CertificateBTN_Click(object sender, EventArgs e) { try { // determine default store. CertificateStoreIdentifier store = new CertificateStoreIdentifier(); if (m_certificate != null) { store.StoreType = m_certificate.StoreType; store.StorePath = m_certificate.StorePath; } else { store.StoreType = Utils.DefaultStoreType; store.StorePath = Utils.DefaultStorePath; } // select the certificate. CertificateIdentifier certificate = new CertificateListDlg().ShowDialog(store, true); if (certificate != null) { m_certificate = certificate; X509Certificate2 certificate2 = m_certificate.Find(); if (certificate2 != null) { CertificateTB.Text = certificate2.Subject; } else { CertificateTB.Text = m_certificate.ToString(); } } } catch (Exception exception) { GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Deletes an existing application instance certificate. /// </summary> /// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param> public static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration) { // create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { return; } // delete private key. X509Certificate2 certificate = id.Find(); // delete trusted peer certificate. if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null) { string thumbprint = id.Thumbprint; if (certificate != null) { thumbprint = certificate.Thumbprint; } if (!String.IsNullOrEmpty(thumbprint)) { using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore()) { store.Delete(thumbprint); } } } // delete private key. if (certificate != null) { using (ICertificateStore store = id.OpenStore()) { store.Delete(certificate.Thumbprint); } } }
private void OkBTN_Click(object sender, EventArgs e) { try { string storeType = null; string storePath = null; string applicationName = ApplicationNameTB.Text.Trim(); string subjectName = SubjectNameTB.Text.Trim(); string issuerKeyFilePath = IssuerKeyFilePathTB.Text.Trim(); string issuerKeyFilePassword = IssuerPasswordTB.Text.Trim(); if (!String.IsNullOrEmpty(issuerKeyFilePath)) { // verify certificate. X509Certificate2 issuer = new X509Certificate2( issuerKeyFilePath, issuerKeyFilePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet); if (!issuer.HasPrivateKey) { throw new ApplicationException("Issuer certificate does not have a private key."); } // determine certificate type. foreach (X509Extension extension in issuer.Extensions) { X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension; if (basicContraints != null) { if (!basicContraints.CertificateAuthority) { throw new ApplicationException("Certificate cannot be used to issue new certificates."); } } } } string password1 = PasswordTB.Text; string password2 = VerifyPasswordTB.Text; if (password1 != password2) { throw new ApplicationException("Passwords do not match."); } if (!String.IsNullOrEmpty(CertificateStoreCTRL.StorePath)) { storeType = CertificateStoreCTRL.StoreType; storePath = CertificateStoreCTRL.StorePath; } if (String.IsNullOrEmpty(storePath)) { throw new ApplicationException("Please specify a store path."); } if (String.IsNullOrEmpty(applicationName)) { throw new ApplicationException("Please specify an application name."); } X509Certificate2 certificate = Opc.Ua.CertificateFactory.CreateCertificate( storeType, storePath, password1, null, applicationName, subjectName, null, Convert.ToUInt16(KeySizeCB.SelectedItem.ToString()), DateTime.MinValue, (ushort)LifeTimeInMonthsUD.Value, 0, true, false, issuerKeyFilePath, issuerKeyFilePassword); m_certificate = new CertificateIdentifier(); m_certificate.StoreType = storeType; m_certificate.StorePath = storePath; m_certificate.Certificate = certificate; // close the dialog. DialogResult = DialogResult.OK; } catch (Exception exception) { GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Updates the dialog with the configuration. /// </summary> private void Update(ManagedApplication application) { if (application == null) { application = new ManagedApplication(); } m_application = application; SetIsSdkApplication(application.IsSdkCompatible); ApplicationNameTB.Text = application.DisplayName; ExecutableFileTB.Text = application.ExecutablePath; ConfigurationFileTB.Text = application.ConfigurationPath; CertificateTB.Text = null; TrustListTB.Text = null; m_certificate = application.Certificate; m_trustList = application.TrustList; if (m_certificate != null) { X509Certificate2 certificate = m_certificate.Find(); if (certificate != null) { CertificateTB.Text = certificate.Subject; } else { CertificateTB.Text = m_certificate.ToString(); } } if (m_trustList != null) { TrustListTB.Text = m_trustList.ToString(); } }
/// <summary> /// Displays the dialog. /// </summary> public bool ShowDialog(CertificateIdentifier certificate) { m_certificate = certificate; CertificateStoreCTRL.StoreType = null; CertificateStoreCTRL.StorePath = null; CertificateStoreCTRL.ReadOnly = true; ApplicationNameTB.Text = null; ApplicationUriTB.Text = null; OrganizationTB.Text = null; DomainsTB.Text = System.Net.Dns.GetHostName(); SubjectNameTB.Text = null; IssuerNameTB.Text = null; ValidFromTB.Text = null; ValidToTB.Text = null; ThumbprintTB.Text = null; if (certificate != null) { CertificateStoreCTRL.StoreType = certificate.StoreType; CertificateStoreCTRL.StorePath = certificate.StorePath; SubjectNameTB.Text = certificate.SubjectName; ThumbprintTB.Text = certificate.Thumbprint; X509Certificate2 data = certificate.Find(); if (data != null) { // fill in subject name. StringBuilder buffer = new StringBuilder(); foreach (string element in Utils.ParseDistinguishedName(data.Subject)) { if (element.StartsWith("CN=")) { ApplicationNameTB.Text = element.Substring(3); } if (element.StartsWith("O=")) { OrganizationTB.Text = element.Substring(2); } if (buffer.Length > 0) { buffer.Append('/'); } buffer.Append(element); } if (buffer.Length > 0) { SubjectNameTB.Text = buffer.ToString(); } // fill in issuer name. buffer = new StringBuilder(); foreach (string element in Utils.ParseDistinguishedName(data.Issuer)) { if (buffer.Length > 0) { buffer.Append('/'); } buffer.Append(element); } if (buffer.Length > 0) { IssuerNameTB.Text = buffer.ToString(); } // fill in application uri. string applicationUri = Utils.GetApplicationUriFromCertficate(data); if (!String.IsNullOrEmpty(applicationUri)) { ApplicationUriTB.Text = applicationUri; } // fill in domains. buffer = new StringBuilder(); foreach (string domain in Utils.GetDomainsFromCertficate(data)) { if (buffer.Length > 0) { buffer.Append(", "); } buffer.Append(domain); } if (buffer.Length > 0) { DomainsTB.Text = buffer.ToString(); } ValidFromTB.Text = data.NotBefore.ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss"); ValidToTB.Text = data.NotAfter.ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss"); ThumbprintTB.Text = data.Thumbprint; } } if (ShowDialog() != DialogResult.OK) { return false; } return true; }
/// <summary> /// Creates a user identity for the policy. /// </summary> private IUserIdentity CreateUserIdentity(UserTokenPolicy policy) { if (policy == null || policy.TokenType == UserTokenType.Anonymous) { return null; } if (policy.TokenType == UserTokenType.UserName) { return new UserIdentity("SomeUser", "password"); } if (policy.TokenType == UserTokenType.Certificate) { X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly); try { foreach (X509Certificate2 certificate in store.Certificates) { if (certificate.HasPrivateKey) { return new UserIdentity(certificate); } } return null; } finally { store.Close(); } } if (policy.TokenType == UserTokenType.IssuedToken) { CertificateIdentifier userid = new CertificateIdentifier(); userid.StoreType = CertificateStoreType.Windows; userid.StorePath = "LocalMachine\\Root"; userid.SubjectName = "UASampleRoot"; X509Certificate2 certificate = userid.Find(); X509SecurityToken signingToken = new X509SecurityToken(certificate); SamlSecurityToken token = CreateSAMLToken("*****@*****.**", signingToken); return new UserIdentity(token); } throw ServiceResultException.Create(StatusCodes.BadSecurityPolicyRejected, "User token policy is not supported."); }
/// <summary> /// Creates an application instance certificate if one does not already exist. /// </summary> public static X509Certificate2 CheckApplicationInstanceCertificate( ApplicationConfiguration configuration, ushort keySize, bool interactive, bool updateFile) { // create a default certificate id none specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { id = new CertificateIdentifier(); id.StoreType = Utils.DefaultStoreType; id.StorePath = Utils.DefaultStorePath; id.SubjectName = configuration.ApplicationName; } bool createNewCertificate = false; IList<string> serverDomainNames = configuration.GetServerDomainNames(); // check for private key. X509Certificate2 certificate = id.Find(true); if (certificate == null) { // check if config file has wrong thumprint. if (!String.IsNullOrEmpty(id.SubjectName) && !String.IsNullOrEmpty(id.Thumbprint)) { CertificateIdentifier id2 = new CertificateIdentifier(); id2.StoreType = id.StoreType; id2.StorePath = id.StorePath; id2.SubjectName = id.SubjectName; id = id2; certificate = id2.Find(true); if (certificate != null) { string message = Utils.Format( "Matching certificate with SubjectName={0} found but with a different thumbprint. Use certificate?", id.SubjectName); if (interactive) { if (MessageBox.Show(message, configuration.ApplicationName, MessageBoxButtons.YesNo) == DialogResult.No) { certificate = null; } } } } } // check if private key is missing. if (certificate == null) { certificate = id.Find(false); if (certificate != null) { string message = Utils.Format( "Matching certificate with SubjectName={0} found but without a private key. Create a new certificate?", id.SubjectName); if (interactive) { if (MessageBox.Show(message, configuration.ApplicationName, MessageBoxButtons.YesNo) == DialogResult.No) { certificate = null; } } } } // check domains. if (certificate != null) { IList<string> certificateDomainNames = Utils.GetDomainsFromCertficate(certificate); for (int ii = 0; ii < serverDomainNames.Count; ii++) { if (Utils.FindStringIgnoreCase(certificateDomainNames, serverDomainNames[ii])) { continue; } if (String.Compare(serverDomainNames[ii], "localhost", StringComparison.OrdinalIgnoreCase) == 0) { // check computer name. string computerName = System.Net.Dns.GetHostName(); if (Utils.FindStringIgnoreCase(certificateDomainNames, computerName)) { continue; } // check for aliases. System.Net.IPHostEntry entry = System.Net.Dns.GetHostEntry(computerName); bool found = false; for (int jj = 0; jj < entry.Aliases.Length; jj++) { if (Utils.FindStringIgnoreCase(certificateDomainNames, entry.Aliases[jj])) { found = true; break; } } if (found) { continue; } // check for ip addresses. for (int jj = 0; jj < entry.AddressList.Length; jj++) { if (Utils.FindStringIgnoreCase(certificateDomainNames, entry.AddressList[jj].ToString())) { found = true; break; } } if (found) { continue; } } string message = Utils.Format( "The server is configured to use domain '{0}' which does not appear in the certificate. Update certificate?", serverDomainNames[ii]); createNewCertificate = true; if (interactive) { if (MessageBox.Show(message, configuration.ApplicationName, MessageBoxButtons.YesNo) != DialogResult.Yes) { createNewCertificate = false; continue; } } Utils.Trace(message); break; } if (!createNewCertificate) { // check if key size matches. if (keySize == certificate.PublicKey.Key.KeySize) { AddToTrustedStore(configuration, certificate); return certificate; } } } // prompt user. if (interactive) { if (!createNewCertificate) { if (MessageBox.Show("Application does not have an instance certificate. Create one automatically?", configuration.ApplicationName, MessageBoxButtons.YesNo) == DialogResult.No) { return null; } } } // delete existing certificate. if (certificate != null) { DeleteApplicationInstanceCertificate(configuration); } // add the localhost. if (serverDomainNames.Count == 0) { serverDomainNames.Add(System.Net.Dns.GetHostName()); } certificate = Opc.Ua.CertificateFactory.CreateCertificate( id.StoreType, id.StorePath, configuration.ApplicationUri, configuration.ApplicationName, null, serverDomainNames, keySize, 300); id.Certificate = certificate; AddToTrustedStore(configuration, certificate); if (updateFile && !String.IsNullOrEmpty(configuration.SourceFilePath)) { configuration.SaveToFile(configuration.SourceFilePath); } configuration.CertificateValidator.Update(configuration.SecurityConfiguration); return configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null); }
/// <summary> /// Creates an application instance certificate if one does not already exist. /// </summary> public static async Task<X509Certificate2> CheckApplicationInstanceCertificate( ApplicationConfiguration configuration, ushort keySize, bool interactive, bool updateFile) { // create a default certificate if none is specified. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { id = new CertificateIdentifier(); id.StoreType = Utils.DefaultStoreType; id.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\MachineDefault"; id.SubjectName = configuration.ApplicationName; } bool createNewCertificate = false; IList<string> serverDomainNames = configuration.GetServerDomainNames(); // check for private key. X509Certificate2 certificate = await id.Find(true); if (certificate == null) { // check if config file has wrong thumprint. if (!String.IsNullOrEmpty(id.SubjectName) && !String.IsNullOrEmpty(id.Thumbprint)) { CertificateIdentifier id2 = new CertificateIdentifier(); id2.StoreType = id.StoreType; id2.StorePath = id.StorePath; id2.SubjectName = id.SubjectName; id = id2; certificate = await id2.Find(true); if (certificate != null) { string message = Utils.Format( "Matching certificate with SubjectName={0} found but with a different thumbprint. Use certificate?", id.SubjectName); if (interactive) { MessageDlg dialog = new MessageDlg(message, MessageDlgButton.Yes, MessageDlgButton.No); MessageDlgButton result = await dialog.ShowAsync(); if (result != MessageDlgButton.Yes) { certificate = null; } } } } // check if private key is missing. if (certificate == null) { certificate = await id.Find(false); if (certificate != null) { string message = Utils.Format( "Matching certificate with SubjectName={0} found but without a private key. Create a new certificate?", id.SubjectName); if (interactive) { MessageDlg dialog = new MessageDlg(message, MessageDlgButton.Yes, MessageDlgButton.No); MessageDlgButton result = await dialog.ShowAsync(); if (result != MessageDlgButton.Yes) { certificate = null; } } } } // check domains. if (certificate != null) { IList<string> certificateDomainNames = Utils.GetDomainsFromCertficate(certificate); for (int ii = 0; ii < serverDomainNames.Count; ii++) { if (Utils.FindStringIgnoreCase(certificateDomainNames, serverDomainNames[ii])) { continue; } if (String.Compare(serverDomainNames[ii], "localhost", StringComparison.OrdinalIgnoreCase) == 0) { // check computer name. string computerName = Utils.GetHostName(); if (Utils.FindStringIgnoreCase(certificateDomainNames, computerName)) { continue; } } string message = Utils.Format( "The server is configured to use domain '{0}' which does not appear in the certificate. Create new certificate?", serverDomainNames[ii]); createNewCertificate = true; if (interactive) { MessageDlg dialog = new MessageDlg(message, MessageDlgButton.Yes, MessageDlgButton.No); MessageDlgButton result = await dialog.ShowAsync(); if (result != MessageDlgButton.Yes) { createNewCertificate = false; continue; } } Utils.Trace(message); break; } if (!createNewCertificate) { // check if key size matches. if (keySize == certificate.GetRSAPublicKey().KeySize) { await AddToTrustedStore(configuration, certificate); return certificate; } } } // prompt user. if (interactive) { if (!createNewCertificate) { MessageDlg dialog = new MessageDlg("Application does not have an instance certificate.\n Create one automatically?", MessageDlgButton.Yes, MessageDlgButton.No); MessageDlgButton result = await dialog.ShowAsync(); if (result != MessageDlgButton.Yes) { return null; } } } // delete existing certificate. if (certificate != null) { await DeleteApplicationInstanceCertificate(configuration); } // add the localhost. if (serverDomainNames.Count == 0) { serverDomainNames.Add(Utils.GetHostName()); } certificate = await Opc.Ua.CertificateFactory.CreateCertificate( id.StoreType, id.StorePath, configuration.ApplicationUri, configuration.ApplicationName, null, serverDomainNames, keySize, 300); id.Certificate = certificate; await AddToTrustedStore(configuration, certificate); if (updateFile && !String.IsNullOrEmpty(configuration.SourceFilePath)) { configuration.SaveToFile(configuration.SourceFilePath); } await configuration.CertificateValidator.Update(configuration.SecurityConfiguration); return await configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null); } return certificate; }
public CertificateBundle UpdateCertificate(string vaultName, string certificateName, string certificateVersion, CertificateAttributes certificateAttributes, IDictionary<string, string> tags) { if (string.IsNullOrEmpty(vaultName)) throw new ArgumentNullException("vaultName"); if (string.IsNullOrEmpty(certificateName)) throw new ArgumentNullException("certificateName"); var certificateIdentifier = new CertificateIdentifier(this.vaultUriHelper.CreateVaultAddress(vaultName), certificateName, certificateVersion); CertificateBundle certificateBundle; try { certificateBundle = this.keyVaultClient.UpdateCertificateAsync( certificateIdentifier.Identifier, null, certificateAttributes, tags).GetAwaiter().GetResult(); } catch (Exception ex) { throw GetInnerException(ex); } return certificateBundle; }
private void ViewMI_Click(object sender, EventArgs e) { try { X509Certificate2 certificate = SelectedTag as X509Certificate2; if (certificate != null) { CertificateIdentifier id = new CertificateIdentifier(); id.Certificate = certificate; if (m_storeId != null) { id.StoreType = m_storeId.StoreType; id.StorePath = m_storeId.StorePath; } new ViewCertificateDlg().ShowDialog(id); } } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
private void CertificateBTN_Click(object sender, EventArgs e) { try { CertificateStoreIdentifier store = new CertificateStoreIdentifier(); store.StoreType = m_certificate.StoreType; store.StorePath = m_certificate.StorePath; CertificateIdentifier certificate = new CertificateListDlg().ShowDialog(store, true); if (certificate != null) { m_certificate = certificate; CertificateTB.Text = m_certificate.Thumbprint; } } catch (Exception exception) { GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
private void OkBTN_Click(object sender, EventArgs e) { try { string storeType = null; string storePath = null; string domainName = null; string organization = null; string subjectName = SubjectNameTB.Text.Trim(); string issuerKeyFilePath = IssuerKeyFilePathTB.Text.Trim(); string issuerKeyFilePassword = IssuerPasswordTB.Text.Trim(); if (String.IsNullOrEmpty(issuerKeyFilePath)) { throw new ApplicationException("Must provide an issuer certificate."); } // verify certificate. X509Certificate2 issuer = new X509Certificate2( issuerKeyFilePath, issuerKeyFilePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet); if (!issuer.HasPrivateKey) { throw new ApplicationException("Issuer certificate does not have a private key."); } // determine certificate type. foreach (X509Extension extension in issuer.Extensions) { X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension; if (basicContraints != null) { if (!basicContraints.CertificateAuthority) { throw new ApplicationException("Certificate cannot be used to issue new certificates."); } } } // check traget store. if (!String.IsNullOrEmpty(CertificateStoreCTRL.StorePath)) { storeType = CertificateStoreCTRL.StoreType; storePath = CertificateStoreCTRL.StorePath; } if (String.IsNullOrEmpty(storePath)) { throw new ApplicationException("Please specify a store path."); } domainName = DomainNameTB.Text; organization = OrganizationTB.Text; // extract key fields from the subject name. if (SubjectNameCK.Checked) { List<string> parts = Utils.ParseDistinguishedName(SubjectNameTB.Text); for (int ii = 0; ii < parts.Count; ii++) { if (parts[ii].StartsWith("CN=")) { domainName = parts[ii].Substring(3).Trim(); } if (parts[ii].StartsWith("O=")) { organization = parts[ii].Substring(2).Trim(); } } } if (String.IsNullOrEmpty(domainName)) { throw new ApplicationException("Please specify a domain name."); } if (!String.IsNullOrEmpty(DomainNameTB.Text) && domainName != DomainNameTB.Text) { throw new ApplicationException("The domain name must be the common name for the certificate."); } if (!String.IsNullOrEmpty(OrganizationTB.Text) && organization != OrganizationTB.Text) { throw new ApplicationException("The organization must be the organization for the certificate."); } X509Certificate2 certificate = Opc.Ua.CertificateFactory.CreateCertificate( storeType, storePath, null, null, domainName, subjectName, null, Convert.ToUInt16(KeySizeCB.SelectedItem.ToString()), DateTime.MinValue, (ushort)LifeTimeInMonthsUD.Value, 0, false, false, issuerKeyFilePath, issuerKeyFilePassword); m_certificate = new CertificateIdentifier(); m_certificate.StoreType = storeType; m_certificate.StorePath = storePath; m_certificate.Certificate = certificate; try { CertificateStoreIdentifier rootStore = new CertificateStoreIdentifier(); rootStore.StoreType = CertificateStoreType.Windows; rootStore.StorePath = "LocalMachine\\Root"; using (ICertificateStore store = rootStore.OpenStore()) { X509Certificate2 rootCertificate = new X509Certificate2(issuerKeyFilePath, issuerKeyFilePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet); if (store.FindByThumbprint(rootCertificate.Thumbprint) == null) { if (Ask("Would you like to install the signing certificate as a trusted root authority on this machine?")) { store.Add(new X509Certificate2(rootCertificate.RawData)); } } } } catch (Exception exception) { GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception); } // close the dialog. DialogResult = DialogResult.OK; } catch (Exception exception) { GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Updates the access permissions for the certificate store. /// </summary> private static void SetCertificatePermissions( Opc.Ua.Security.SecuredApplication application, CertificateIdentifier id, IList<ApplicationAccessRule> accessRules, bool replaceExisting) { if (id == null || accessRules == null || accessRules.Count == 0) { return; } try { using (ICertificateStore store = id.OpenStore()) { if (store.SupportsCertificateAccessControl) { store.SetAccessRules(id.Thumbprint, accessRules, replaceExisting); } } } catch (Exception e) { Utils.Trace("Could not set permissions for certificate store: {0}. Error={1}", id, e.Message); for (int jj = 0; jj < accessRules.Count; jj++) { ApplicationAccessRule rule = accessRules[jj]; Utils.Trace( (int)Utils.TraceMasks.Error, "IdentityName={0}, Right={1}, RuleType={2}", rule.IdentityName, rule.Right, rule.RuleType); } } }
/// <summary> /// Initializes the validator from the configuration for a token policy. /// </summary> /// <param name="issuerCertificate">The issuer certificate.</param> private SecurityTokenResolver CreateSecurityTokenResolver(CertificateIdentifier issuerCertificate) { if (issuerCertificate == null) { throw new ArgumentNullException("issuerCertificate"); } // find the certificate. X509Certificate2 certificate = issuerCertificate.Find(false); if (certificate == null) { throw ServiceResultException.Create( StatusCodes.BadCertificateInvalid, "Could not find issuer certificate: {0}", issuerCertificate); } // create a security token representing the certificate. List<SecurityToken> tokens = new List<SecurityToken>(); tokens.Add(new X509SecurityToken(certificate)); // create issued token resolver. SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver( new System.Collections.ObjectModel.ReadOnlyCollection<SecurityToken>(tokens), false); return tokenResolver; }
/// <summary> /// Checks for a valid application instance certificate. /// </summary> /// <param name="silent">if set to <c>true</c> no dialogs will be displayed.</param> /// <param name="minimumKeySize">Minimum size of the key.</param> public async Task<bool> CheckApplicationInstanceCertificate( bool silent, ushort minimumKeySize) { Utils.Trace(Utils.TraceMasks.Information, "Checking application instance certificate."); ApplicationConfiguration configuration = null; if (m_applicationConfiguration == null) { await LoadApplicationConfiguration(silent); } configuration = m_applicationConfiguration; bool certificateValid = false; // find the existing certificate. CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate; if (id == null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "Configuration file does not specify a certificate."); } X509Certificate2 certificate = await id.Find(true); // check that it is ok. if (certificate != null) { certificateValid = await CheckApplicationInstanceCertificate(configuration, certificate, silent, minimumKeySize); } else { // check for missing private key. certificate = await id.Find(false); if (certificate != null) { throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "Cannot access certificate private key. Subject={0}", certificate.Subject); } // check for missing thumbprint. if (!String.IsNullOrEmpty(id.Thumbprint)) { if (!String.IsNullOrEmpty(id.SubjectName)) { CertificateIdentifier id2 = new CertificateIdentifier(); id2.StoreType = id.StoreType; id2.StorePath = id.StorePath; id2.SubjectName = id.SubjectName; certificate = await id2.Find(true); } if (certificate != null) { string message = Utils.Format( "Thumbprint was explicitly specified in the configuration." + "\r\nAnother certificate with the same subject name was found." + "\r\nUse it instead?\r\n" + "\r\nRequested: {0}" + "\r\nFound: {1}", id.SubjectName, certificate.Subject); throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message); } else { string message = Utils.Format("Thumbprint was explicitly specified in the configuration. Cannot generate a new certificate."); throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message); } } } if ((certificate == null) || !certificateValid) { certificate = await CreateApplicationInstanceCertificate(configuration, minimumKeySize); if (certificate == null) { string message = Utils.Format( "There is no cert with subject {0} in the configuration." + "\r\n Please generate a cert for your application,", "\r\n then copy the new cert to this location:" + "\r\n{1}", id.SubjectName, id.StorePath); throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message); } } else { // ensure it is trusted. await AddToTrustedStore(configuration, certificate); } // add to discovery server. if (configuration.ApplicationType == ApplicationType.Server || configuration.ApplicationType == ApplicationType.ClientAndServer) { try { await AddToDiscoveryServerTrustList(certificate, null, null, configuration.SecurityConfiguration.TrustedPeerCertificates); } catch (Exception e) { Utils.Trace(e, "Could not add certificate to LDS trust list."); } } return true; }