/// <summary>
/// Displays the dialog.
/// </summary>
public CertificateIdentifier ShowDialog(CertificateStoreIdentifier store, bool allowStoreChange)
{
CertificateStoreCTRL.StoreType = CertificateStoreType.Directory;
CertificateStoreCTRL.StorePath = String.Empty;
CertificateStoreCTRL.ReadOnly = !allowStoreChange;
CertificatesCTRL.Initialize(null);
OkBTN.Enabled = false;
if (store != null)
{
CertificateStoreCTRL.StoreType = store.StoreType;
CertificateStoreCTRL.StorePath = store.StorePath;
}
if (ShowDialog() != DialogResult.OK)
{
return null;
}
CertificateIdentifier id = new CertificateIdentifier();
id.StoreType = CertificateStoreCTRL.StoreType;
id.StorePath = CertificateStoreCTRL.StorePath;
id.Certificate = CertificatesCTRL.SelectedCertificate;
return id;
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
// delete certificate and private key.
X509Certificate2 certificate = await id.Find().ConfigureAwait(false);
if (certificate != null)
{
Utils.LogCertificate(TraceMasks.Security, "Deleting application instance certificate and private key.", certificate);
}
// delete trusted peer certificate.
if (configuration.SecurityConfiguration != null &&
configuration.SecurityConfiguration.TrustedPeerCertificates != null)
{
string thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
if (!string.IsNullOrEmpty(thumbprint))
{
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
bool deleted = await store.Delete(thumbprint).ConfigureAwait(false);
if (deleted)
{
Utils.LogInfo(TraceMasks.Security, "Application Instance Certificate [{0}] deleted from trusted store.", thumbprint);
}
}
}
}
// delete certificate and private key from owner store.
if (certificate != null)
{
using (ICertificateStore store = id.OpenStore())
{
bool deleted = await store.Delete(certificate.Thumbprint).ConfigureAwait(false);
if (deleted)
{
Utils.LogCertificate(TraceMasks.Security, "Application certificate and private key deleted.", certificate);
}
}
}
// erase the memory copy of the deleted certificate
id.Certificate = null;
}
private void CopyMI_Click(object sender, EventArgs e)
{
try
{
X509Certificate2 certificate = SelectedTag as X509Certificate2;
if (certificate == null)
{
return;
}
StringBuilder builder = new StringBuilder();
XmlWriter writer = XmlWriter.Create(builder);
try
{
DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier));
CertificateIdentifier id = new CertificateIdentifier();
id.Certificate = certificate;
serializer.WriteObject(writer, id);
}
finally
{
writer.Close();
}
ClipboardHack.SetData(DataFormats.Text, builder.ToString());
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
private async void ViewMI_Click(object sender, EventArgs e)
{
try
{
X509Certificate2 certificate = SelectedTag as X509Certificate2;
if (certificate != null)
{
CertificateIdentifier id = new CertificateIdentifier();
id.Certificate = certificate;
if (m_storeId != null)
{
id.StoreType = m_storeId.StoreType;
id.StorePath = m_storeId.StorePath;
}
await new ViewCertificateDlg().ShowDialog(id);
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Displays the dialog.
/// </summary>
public SslCertificateBinding ShowDialog(ushort port, CertificateIdentifier certificate)
{
m_certificate = certificate;
IPAddressTB.Text = "0.0.0.0";
PortUD.Value = port;
CertificateTB.Text = "";
CertificateStoreTB.Text = "LocalMachine\\My";
if (PortUD.Value == 0)
{
PortUD.Value = 443;
}
if (certificate != null)
{
CertificateTB.Text = certificate.Thumbprint;
}
if (base.ShowDialog() == DialogResult.Cancel)
{
return(null);
}
return(m_binding);
}
private void PasteMI_Click(object sender, EventArgs e)
{
try
{
string xml = (string)ClipboardHack.GetData(DataFormats.Text);
if (String.IsNullOrEmpty(xml))
{
return;
}
// deserialize the data.
CertificateIdentifier id = null;
using (XmlTextReader reader = new XmlTextReader(new StringReader(xml)))
{
DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier));
id = (CertificateIdentifier)serializer.ReadObject(reader, false);
}
if (id.Certificate != null)
{
using (ICertificateStore store = m_storeId.OpenStore())
{
store.Add(id.Certificate);
}
AddItem(id.Certificate);
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Initializes the validator from the configuration for a token policy.
/// </summary>
/// <param name="issuerCertificate">The issuer certificate.</param>
private SecurityTokenResolver CreateSecurityTokenResolver(CertificateIdentifier issuerCertificate)
{
if (issuerCertificate == null)
{
throw new ArgumentNullException("issuerCertificate");
}
// find the certificate.
X509Certificate2 certificate = issuerCertificate.Find(false);
if (certificate == null)
{
throw ServiceResultException.Create(
StatusCodes.BadCertificateInvalid,
"Could not find issuer certificate: {0}",
issuerCertificate);
}
// create a security token representing the certificate.
List <SecurityToken> tokens = new List <SecurityToken>();
tokens.Add(new X509SecurityToken(certificate));
// create issued token resolver.
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new System.Collections.ObjectModel.ReadOnlyCollection <SecurityToken>(tokens),
false);
return(tokenResolver);
}
/// <summary>
/// Displays the dialog.
/// </summary>
public CertificateIdentifier ShowDialog(CertificateStoreIdentifier store, bool allowStoreChange)
{
CertificateStoreCTRL.StoreType = CertificateStoreType.Directory;
CertificateStoreCTRL.StorePath = String.Empty;
CertificateStoreCTRL.ReadOnly = !allowStoreChange;
CertificatesCTRL.Initialize(null);
OkBTN.Enabled = false;
if (store != null)
{
CertificateStoreCTRL.StoreType = store.StoreType;
CertificateStoreCTRL.StorePath = store.StorePath;
}
if (ShowDialog() != DialogResult.OK)
{
return(null);
}
CertificateIdentifier id = new CertificateIdentifier();
id.StoreType = CertificateStoreCTRL.StoreType;
id.StorePath = CertificateStoreCTRL.StorePath;
id.Certificate = CertificatesCTRL.SelectedCertificate;
return(id);
}
/// <summary>
/// Displays the dialog.
/// </summary>
public SslCertificateBinding ShowDialog(ushort port, CertificateIdentifier certificate)
{
m_certificate = certificate;
IPAddressTB.Text = "0.0.0.0";
PortUD.Value = port;
CertificateTB.Text = "";
CertificateStoreTB.Text = "LocalMachine\\My";
if (PortUD.Value == 0)
{
PortUD.Value = 443;
}
if (certificate != null)
{
CertificateTB.Text = certificate.Thumbprint;
}
if (base.ShowDialog() == DialogResult.Cancel)
{
return null;
}
return m_binding;
}
public async Task VerifyAppCertX509Store(string storePath)
{
var appCertificate = GetTestCert();
Assert.NotNull(appCertificate);
Assert.True(appCertificate.HasPrivateKey);
appCertificate.AddToStore(
CertificateStoreType.X509Store,
storePath
);
using (var publicKey = new X509Certificate2(appCertificate.RawData))
{
Assert.NotNull(publicKey);
Assert.False(publicKey.HasPrivateKey);
var id = new CertificateIdentifier()
{
Thumbprint = publicKey.Thumbprint,
StorePath = storePath,
StoreType = CertificateStoreType.X509Store
};
var privateKey = await id.LoadPrivateKey(null).ConfigureAwait(false);
Assert.NotNull(privateKey);
Assert.True(privateKey.HasPrivateKey);
X509Utils.VerifyRSAKeyPair(publicKey, privateKey, true);
using (var x509Store = new X509CertificateStore())
{
x509Store.Open(storePath);
await x509Store.Delete(publicKey.Thumbprint).ConfigureAwait(false);
}
}
}
/// <summary>
/// Displays the dialog.
/// </summary>
public async Task <bool> ShowDialog(CertificateIdentifier certificateIdentifier)
{
CertificateStoreCTRL.StoreType = null;
CertificateStoreCTRL.StorePath = null;
PrivateKeyCB.SelectedIndex = 0;
PropertiesCTRL.Initialize((X509Certificate2)null);
if (certificateIdentifier != null)
{
X509Certificate2 certificate = await certificateIdentifier.Find();
CertificateStoreCTRL.StoreType = certificateIdentifier.StoreType;
CertificateStoreCTRL.StorePath = certificateIdentifier.StorePath;
if (certificate != null && certificateIdentifier.Find(true) != null)
{
PrivateKeyCB.SelectedIndex = 1;
}
else
{
PrivateKeyCB.SelectedIndex = 0;
}
PropertiesCTRL.Initialize(certificate);
}
if (ShowDialog() != DialogResult.OK)
{
return(false);
}
return(true);
}
/// <summary>
/// Displays the dialog.
/// </summary>
public bool ShowDialog(CertificateIdentifier certificateIdentifier)
{
CertificateStoreCTRL.StoreType = null;
CertificateStoreCTRL.StorePath = null;
PrivateKeyCB.SelectedIndex = 0;
PropertiesCTRL.Initialize((X509Certificate2)null);
if (certificateIdentifier != null)
{
X509Certificate2 certificate = certificateIdentifier.Find();
CertificateStoreCTRL.StoreType = certificateIdentifier.StoreType;
CertificateStoreCTRL.StorePath = certificateIdentifier.StorePath;
if (certificate != null && certificateIdentifier.Find(true) != null)
{
PrivateKeyCB.SelectedIndex = 1;
}
else
{
PrivateKeyCB.SelectedIndex = 0;
}
PropertiesCTRL.Initialize(certificate);
}
if (ShowDialog() != DialogResult.OK)
{
return false;
}
return true;
}
public CertificateBundle UpdateCertificate(string vaultName, string certificateName, string certificateVersion, CertificateAttributes certificateAttributes, IDictionary <string, string> tags)
{
if (string.IsNullOrEmpty(vaultName))
{
throw new ArgumentNullException("vaultName");
}
if (string.IsNullOrEmpty(certificateName))
{
throw new ArgumentNullException("certificateName");
}
var certificateIdentifier = new CertificateIdentifier(this.vaultUriHelper.CreateVaultAddress(vaultName), certificateName, certificateVersion);
CertificateBundle certificateBundle;
try
{
certificateBundle = this.keyVaultClient.UpdateCertificateAsync(
certificateIdentifier.Identifier, null, certificateAttributes, tags).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return(certificateBundle);
}
/// <summary>
/// Creates the application instance certificate.
/// </summary>
/// <param name="configuration">The configuration.</param>
/// <param name="keySize">Size of the key.</param>
/// <param name="lifeTimeInMonths">The lifetime in months.</param>
/// <returns>The new certificate</returns>
private static async Task <X509Certificate2> CreateApplicationInstanceCertificate(
ApplicationConfiguration configuration,
ushort keySize,
ushort lifeTimeInMonths
)
{
Utils.Trace(Utils.TraceMasks.Information, "Creating application instance certificate.");
// delete any existing certificate.
await DeleteApplicationInstanceCertificate(configuration);
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
// get the domains from the configuration file.
IList <string> serverDomainNames = configuration.GetServerDomainNames();
if (serverDomainNames.Count == 0)
{
serverDomainNames.Add(Utils.GetHostName());
}
// ensure the certificate store directory exists.
if (id.StoreType == CertificateStoreType.Directory)
{
Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true);
}
X509Certificate2 certificate = CertificateFactory.CreateCertificate(
configuration.ApplicationUri,
configuration.ApplicationName,
id.SubjectName,
serverDomainNames)
.SetLifeTime(lifeTimeInMonths)
.SetRSAKeySize(keySize)
.CreateForRSA();
id.Certificate = certificate;
var passwordProvider = configuration.SecurityConfiguration.CertificatePasswordProvider;
certificate.AddToStore(
id.StoreType,
id.StorePath,
passwordProvider?.GetPassword(id)
);
// ensure the certificate is trusted.
if (configuration.SecurityConfiguration.AddAppCertToTrustedStore)
{
await AddToTrustedStore(configuration, certificate);
}
await configuration.CertificateValidator.Update(configuration.SecurityConfiguration);
Utils.Trace(Utils.TraceMasks.Information, "Certificate created. Thumbprint={0}", certificate.Thumbprint);
// reload the certificate from disk.
await configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKeyEx(passwordProvider);
return(certificate);
}
/// <summary>
/// Synchronous helper implementation of CheckApplicationInstanceCertificate for C++ Proxy
/// </summary>
public static void CheckApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
id = new CertificateIdentifier();
id.StoreType = Utils.DefaultStoreType;
id.StorePath = Utils.DefaultStorePath;
id.SubjectName = configuration.ApplicationName;
}
// check for certificate with a private key.
X509Certificate2 certificate = id.Find(true).Result;
if (certificate != null)
{
return;
}
// construct the subject name from the
List <string> hostNames = new List <string>();
hostNames.Add(Utils.GetHostName());
string commonName = Utils.Format("CN={0}", configuration.ApplicationName);
string domainName = Utils.Format("DC={0}", hostNames[0]);
string subjectName = Utils.Format("{0}, {1}", commonName, domainName);
// create a new certificate with a new public key pair.
certificate = CertificateFactory.CreateCertificate(
configuration.ApplicationUri,
configuration.ApplicationName,
subjectName,
hostNames)
.CreateForRSA()
.AddToStore(
id.StoreType,
id.StorePath);
id.Certificate = certificate;
// update and save the configuration file.
configuration.SaveToFile(configuration.SourceFilePath);
// add certificate to the trusted peer store so other applications will trust it.
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
X509Certificate2Collection certificateCollection = store.FindByThumbprint(certificate.Thumbprint).Result;
if (certificateCollection != null)
{
store.Add(certificateCollection[0]).Wait();
}
}
// tell the certificate validator about the new certificate.
configuration.CertificateValidator.Update(configuration.SecurityConfiguration).Wait();
}
// Builds an ApplicationConfiguration for the OPC UA Client, using the credentials mounted as secrets
// at `clientPKIPath,` which should already have the OPC UA Server's CA in the trusted folder.
// If no credentials were mounted, an insecure connection is made with the OPC UA Server (SecurityPolicy = None).
private ApplicationConfiguration CreateApplicationConfiguration()
{
CertificateIdentifier certificateIdentifier;
string clientCertificateFolder = ClientPKIPath + "own/certs/";
try
{
X509Certificate2 certificate = GetCertificate(clientCertificateFolder);
certificateIdentifier = new CertificateIdentifier
{
StoreType = "Directory",
StorePath = ClientPKIPath + "own",
Certificate = certificate,
};
}
catch (Exception e)
{
Console.WriteLine("Exception {0} thrown when trying to use application certificate mounted at {1}. Using no security.", e, clientCertificateFolder);
certificateIdentifier = new CertificateIdentifier();
}
ApplicationConfiguration config = new ApplicationConfiguration()
{
// Application name doesn't matter for certificate validation
ApplicationName = "AkriOPCUABroker",
ApplicationType = ApplicationType.Client,
// If ApplicationUri is not specified, one is automatically created with the format "urn:<hostname>:<ApplicationName>"
SecurityConfiguration = new SecurityConfiguration
{
ApplicationCertificate = certificateIdentifier,
TrustedIssuerCertificates = new CertificateTrustList
{
StoreType = "Directory",
StorePath = ClientPKIPath + "issuer",
},
TrustedPeerCertificates = new CertificateTrustList
{
StoreType = "Directory",
StorePath = ClientPKIPath + "trusted",
},
RejectedCertificateStore = new CertificateTrustList
{
StoreType = "Directory",
StorePath = ClientPKIPath + "rejected",
},
NonceLength = 32,
AutoAcceptUntrustedCertificates = AutoAccept
},
TransportConfigurations = new TransportConfigurationCollection(),
TransportQuotas = new TransportQuotas {
OperationTimeout = (int)TimeSpan.FromMinutes(10).TotalMilliseconds
},
ClientConfiguration = new ClientConfiguration {
DefaultSessionTimeout = (int)TimeSpan.FromMinutes(1).TotalMilliseconds
}
};
return(config);
}
/// <summary>
/// Creates the objects used to validate the user identity tokens supported by the server.
/// </summary>
private void CreateUserIdentityValidators(ApplicationConfiguration configuration)
{
for (int ii = 0; ii < configuration.ServerConfiguration.UserTokenPolicies.Count; ii++)
{
UserTokenPolicy policy = configuration.ServerConfiguration.UserTokenPolicies[ii];
// ignore policies without an explicit id.
if (String.IsNullOrEmpty(policy.PolicyId))
{
continue;
}
// create a validator for an issued token policy.
if (policy.TokenType == UserTokenType.IssuedToken)
{
// the name of the element in the configuration file.
XmlQualifiedName qname = new XmlQualifiedName(policy.PolicyId, Namespaces.OpcUa);
// find the id for the issuer certificate.
CertificateIdentifier id = configuration.ParseExtension <CertificateIdentifier>(qname);
if (id == null)
{
Utils.Trace(
(int)Utils.TraceMasks.Error,
"Could not load CertificateIdentifier for UserTokenPolicy {0}",
policy.PolicyId);
continue;
}
m_tokenResolver = CreateSecurityTokenResolver(id);
m_tokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
}
// create a validator for a certificate token policy.
if (policy.TokenType == UserTokenType.Certificate)
{
// the name of the element in the configuration file.
XmlQualifiedName qname = new XmlQualifiedName(policy.PolicyId, Namespaces.OpcUa);
// find the location of the trusted issuers.
CertificateTrustList trustedIssuers = configuration.ParseExtension <CertificateTrustList>(qname);
if (trustedIssuers == null)
{
Utils.Trace(
(int)Utils.TraceMasks.Error,
"Could not load CertificateTrustList for UserTokenPolicy {0}",
policy.PolicyId);
continue;
}
// trusts any certificate in the trusted people store.
m_certificateValidator = X509CertificateValidator.PeerTrust;
}
}
}
/// <summary>
/// load the authority signing key.
/// </summary>
public virtual async Task <X509Certificate2> LoadSigningKeyAsync(X509Certificate2 signingCertificate, string signingKeyPassword)
{
CertificateIdentifier certIdentifier = new CertificateIdentifier(signingCertificate)
{
StorePath = m_authoritiesStorePath,
StoreType = m_authoritiesStoreType
};
return(await certIdentifier.LoadPrivateKey(signingKeyPassword));
}
/// <summary>
/// Create identifier
/// </summary>
/// <param name="certificateInfo"></param>
/// <returns></returns>
public static CertificateIdentifier ToCertificateIdentifier(this CertificateInfo certificateInfo)
{
var certificateIdentifier = new CertificateIdentifier {
StoreType = certificateInfo.StoreType,
StorePath = certificateInfo.StorePath,
SubjectName = certificateInfo.SubjectName
};
return(certificateIdentifier);
}
/// <summary>
/// Create identifier
/// </summary>
/// <param name="certificateInfo"></param>
/// <param name="hostname"></param>
/// <returns></returns>
public static CertificateIdentifier ToCertificateIdentifier(
this CertificateInfo certificateInfo, string hostname)
{
var certificateIdentifier = new CertificateIdentifier {
StoreType = certificateInfo.StoreType,
StorePath = certificateInfo.StorePath,
SubjectName = certificateInfo.SubjectName.Replace("DC=localhost", $"DC={hostname}")
};
return(certificateIdentifier);
}
/// <summary>
/// Creates a user identity for the policy.
/// </summary>
private IUserIdentity CreateUserIdentity(UserTokenPolicy policy)
{
if (policy == null || policy.TokenType == UserTokenType.Anonymous)
{
return(null);
}
if (policy.TokenType == UserTokenType.UserName)
{
return(new UserIdentity("SomeUser", "password"));
}
if (policy.TokenType == UserTokenType.Certificate)
{
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
try
{
foreach (X509Certificate2 certificate in store.Certificates)
{
if (certificate.HasPrivateKey)
{
return(new UserIdentity(certificate));
}
}
return(null);
}
finally
{
store.Close();
}
}
if (policy.TokenType == UserTokenType.IssuedToken)
{
CertificateIdentifier userid = new CertificateIdentifier();
userid.StoreType = CertificateStoreType.Windows;
userid.StorePath = "LocalMachine\\Root";
userid.SubjectName = "UASampleRoot";
X509Certificate2 certificate = userid.Find();
X509SecurityToken signingToken = new X509SecurityToken(certificate);
SamlSecurityToken token = CreateSAMLToken("*****@*****.**", signingToken);
return(new UserIdentity(token));
}
throw ServiceResultException.Create(StatusCodes.BadSecurityPolicyRejected, "User token policy is not supported.");
}
/// <summary>
/// Serializes the object into XML according to Aadhaar API specification.
/// </summary>
/// <param name="elementName">The name of the element.</param>
/// <returns>An instance of <see cref="XElement"/>.</returns>
public XElement ToXml(string elementName)
{
var sessionKey = new XElement(elementName,
new XAttribute("ci", CertificateIdentifier.ToString(CertificateIdentifierFormat, CultureInfo.InvariantCulture)), Key);
if (KeyIdentifier != Guid.Empty)
{
sessionKey.Add(new XAttribute("ki", KeyIdentifier));
}
return(sessionKey);
}
/// <summary>
/// Creates a new certificate for application.
/// </summary>
/// <param name="application">The application.</param>
private static async Task <X509Certificate2> CreateCertificateForApplication(InstalledApplication application)
{
// build list of domains.
List <string> domains = new List <string>();
if (application.BaseAddresses != null)
{
foreach (string baseAddress in application.BaseAddresses)
{
Uri uri = Utils.ParseUri(baseAddress);
if (uri != null)
{
string domain = uri.DnsSafeHost;
if (String.Compare(domain, "localhost", StringComparison.OrdinalIgnoreCase) == 0)
{
domain = Utils.GetHostName();
}
if (!Utils.FindStringIgnoreCase(domains, domain))
{
domains.Add(domain);
}
}
}
}
// must at least of the localhost.
if (domains.Count == 0)
{
domains.Add(Utils.GetHostName());
}
// create the certificate.
X509Certificate2 certificate = await Opc.Ua.CertificateFactory.CreateCertificate(
application.ApplicationCertificate.StoreType,
application.ApplicationCertificate.StorePath,
application.ApplicationUri,
application.ApplicationName,
Utils.Format("CN={0}/DC={1}", application.ApplicationName, domains[0]),
domains,
1024,
300);
CertificateIdentifier applicationCertificate = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(application.ApplicationCertificate);
return(await applicationCertificate.LoadPrivateKey(null));
}
private static async Task <OpcUaClient> ConnectAsync(string endpoint, string cert, string key)
{
X509Certificate2 certificate = new X509Certificate2(Encoding.ASCII.GetBytes(cert));
X509Certificate2 certWithKey = CertificateFactory.CreateCertificateWithPEMPrivateKey(certificate, Encoding.ASCII.GetBytes(key));
CertificateIdentifier certificateIdentifier = new CertificateIdentifier(certWithKey);
var client = new OpcUaClient();
client.UserIdentity = new UserIdentity(certWithKey);
client.UseSecurity = true;
client.ApplicationCertificate = certificateIdentifier;
await client.ConnectServer(endpoint);
return(client);
}
/// <summary>
/// Creates the application instance certificate.
/// </summary>
/// <param name="configuration">The configuration.</param>
/// <param name="keySize">Size of the key.</param>
/// <param name="lifetimeInMonths">The lifetime in months.</param>
/// <returns>The new certificate</returns>
private static X509Certificate2 CreateApplicationInstanceCertificate(
ApplicationConfiguration configuration,
ushort keySize,
ushort lifetimeInMonths)
{
Utils.Trace(Utils.TraceMasks.Information, "Creating application instance certificate. KeySize={0}, Lifetime={1}", keySize, lifetimeInMonths);
// Delete existing certificate
DeleteApplicationInstanceCertificate(configuration);
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
// Get the domains from the configuration file.
IList <string> serverDomainNames = configuration.GetServerDomainNames();
if (serverDomainNames.Count == 0)
{
GetLocalIpAddressAndDns().ForEach(x => serverDomainNames.Add(x));
}
// ensure the certificate store directory exists.
if (id.StoreType == CertificateStoreType.Directory)
{
Utils.GetAbsoluteDirectoryPath(id.StorePath, true, true, true);
}
X509Certificate2 certificate = CertificateFactory.CreateCertificate(
id.StoreType,
id.StorePath,
configuration.ApplicationUri,
configuration.ApplicationName,
null,
serverDomainNames,
keySize,
lifetimeInMonths);
id.Certificate = certificate;
AddToTrustedStore(configuration, certificate);
configuration.CertificateValidator.Update(configuration.SecurityConfiguration);
Utils.Trace(Utils.TraceMasks.Information, "Certificate created. Thumbprint={0}", certificate.Thumbprint);
// reload the certificate from disk.
return(configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null));
}
private void PasteMI_Click(object sender, EventArgs e)
{
try
{
string xml = (string)ClipboardHack.GetData(DataFormats.Text);
if (String.IsNullOrEmpty(xml))
{
return;
}
// check if in the favorites list.
ContainerInfo info = NodesTV.SelectedNode.Tag as ContainerInfo;
// check if pasting into a store.
if (info.Type == ContainerInfoType.Store)
{
CertificateIdentifier id = null;
using (XmlTextReader reader = new XmlTextReader(new StringReader(xml)))
{
DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier));
id = (CertificateIdentifier)serializer.ReadObject(reader, false);
}
if (id.Certificate != null)
{
CertificateStoreIdentifier storeId = info.GetCertificateStore();
using (ICertificateStore store = storeId.OpenStore())
{
store.Add(id.Certificate);
}
}
SelectNode();
return;
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Creates a minimal endpoint description which allows a client to connect to a server.
/// </summary>
/// <remarks>
/// In most cases the client will use the server's discovery endpoint to fetch the information
/// constained in this structure.
/// </remarks>
public static EndpointDescription CreateEndpointDescription()
{
// create the endpoint description.
EndpointDescription endpointDescription = new EndpointDescription();
endpointDescription.EndpointUrl =
Utils.Format("http://{0}:61211/UA/SampleClient", System.Net.Dns.GetHostName());
// endpointDescription.EndpointUrl = Utils.Format("opc.tcp://{0}:51210/UA/SampleServer", System.Net.Dns.GetHostName());
// endpointDescription.EndpointUrl = Utils.Format("http://{0}:51211/UA/SampleServer/None", System.Net.Dns.GetHostName());
// endpointDescription.EndpointUrl = Utils.Format("http://{0}:51211/UA/SampleServer", System.Net.Dns.GetHostName());
// specify the security policy to use.
// endpointDescription.SecurityPolicyUri = SecurityPolicies.None;
// endpointDescription.SecurityMode = MessageSecurityMode.None;;
endpointDescription.SecurityPolicyUri = SecurityPolicies.Basic256Sha256;
endpointDescription.SecurityMode = MessageSecurityMode.SignAndEncrypt;
// specify the transport profile.
endpointDescription.TransportProfileUri = Profiles.WsHttpXmlOrBinaryTransport;
// endpointDescription.TransportProfileUri = Profiles.WsHttpXmlTransport;
// endpointDescription.TransportProfileUri = Profiles.UaTcpTransport;
endpointDescription.Server.DiscoveryUrls.Add(Utils.Format("http://{0}:61211/UA/SampleClient/discovery",
System.Net.Dns.GetHostName()));
// load the the server certificate from the local certificate store.
CertificateIdentifier certificateIdentifier = new CertificateIdentifier();
certificateIdentifier.StoreType = CertificateStoreType.Windows;
certificateIdentifier.StorePath = "LocalMachine\\My";
certificateIdentifier.SubjectName = "UA Sample Client";
X509Certificate2 serverCertificate = certificateIdentifier.Find();
if (serverCertificate == null)
{
throw ServiceResultException.Create(StatusCodes.BadCertificateInvalid,
"Could not find server certificate: {0}", certificateIdentifier.SubjectName);
}
endpointDescription.ServerCertificate = serverCertificate.RawData;
return(endpointDescription);
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate.");
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
// delete private key.
X509Certificate2 certificate = await id.Find().ConfigureAwait(false);
// delete trusted peer certificate.
if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null)
{
string thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
if (!string.IsNullOrEmpty(thumbprint))
{
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
await store.Delete(thumbprint).ConfigureAwait(false);
}
}
}
// delete private key.
if (certificate != null)
{
using (ICertificateStore store = id.OpenStore())
{
await store.Delete(certificate.Thumbprint).ConfigureAwait(false);
}
}
}
/// <summary>
/// Applies the configuration settings to the own app certificate.
/// </summary>
public static void ApplyLocalConfig(
this CertificateIdentifier certificateIdentifier,
CertificateInfo certificateStore)
{
if (certificateIdentifier == null)
{
throw new ArgumentNullException(nameof(certificateIdentifier));
}
if (certificateStore == null)
{
throw new ArgumentNullException(nameof(certificateStore));
}
if (certificateIdentifier.StorePath != certificateStore.StorePath)
{
certificateIdentifier.StoreType = certificateStore.StoreType;
certificateIdentifier.StorePath = certificateStore.StorePath;
}
}
private void NewBindingMI_Click(object sender, EventArgs e)
{
try
{
CertificateIdentifier certificate = new CertificateIdentifier();
certificate.StoreType = m_defaultStore.StoreType;
certificate.StorePath = m_defaultStore.StorePath;
SslCertificateBinding binding = new CreateSslBindingDlg().ShowDialog(0, certificate);
if (binding != null)
{
AddRow(binding);
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate.");
// Create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
X509Certificate2 certificate = id.Find();
// Delete trusted peer certificate.
if (configuration.SecurityConfiguration?.TrustedPeerCertificates != null)
{
var thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
using (var store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
store.Delete(thumbprint);
}
}
// Delete private key.
if (certificate == null)
{
return;
}
using (ICertificateStore store = id.OpenStore())
{
store.Delete(certificate.Thumbprint);
}
}
private void CertificateBTN_Click(object sender, EventArgs e)
{
try
{
// determine default store.
CertificateStoreIdentifier store = new CertificateStoreIdentifier();
if (m_certificate != null)
{
store.StoreType = m_certificate.StoreType;
store.StorePath = m_certificate.StorePath;
}
else
{
store.StoreType = Utils.DefaultStoreType;
store.StorePath = Utils.DefaultStorePath;
}
// select the certificate.
CertificateIdentifier certificate = new CertificateListDlg().ShowDialog(store, true);
if (certificate != null)
{
m_certificate = certificate;
X509Certificate2 certificate2 = m_certificate.Find();
if (certificate2 != null)
{
CertificateTB.Text = certificate2.Subject;
}
else
{
CertificateTB.Text = m_certificate.ToString();
}
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
public static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
return;
}
// delete private key.
X509Certificate2 certificate = id.Find();
// delete trusted peer certificate.
if (configuration.SecurityConfiguration != null && configuration.SecurityConfiguration.TrustedPeerCertificates != null)
{
string thumbprint = id.Thumbprint;
if (certificate != null)
{
thumbprint = certificate.Thumbprint;
}
if (!String.IsNullOrEmpty(thumbprint))
{
using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
{
store.Delete(thumbprint);
}
}
}
// delete private key.
if (certificate != null)
{
using (ICertificateStore store = id.OpenStore())
{
store.Delete(certificate.Thumbprint);
}
}
}
private void OkBTN_Click(object sender, EventArgs e)
{
try
{
string storeType = null;
string storePath = null;
string applicationName = ApplicationNameTB.Text.Trim();
string subjectName = SubjectNameTB.Text.Trim();
string issuerKeyFilePath = IssuerKeyFilePathTB.Text.Trim();
string issuerKeyFilePassword = IssuerPasswordTB.Text.Trim();
if (!String.IsNullOrEmpty(issuerKeyFilePath))
{
// verify certificate.
X509Certificate2 issuer = new X509Certificate2(
issuerKeyFilePath,
issuerKeyFilePassword,
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
if (!issuer.HasPrivateKey)
{
throw new ApplicationException("Issuer certificate does not have a private key.");
}
// determine certificate type.
foreach (X509Extension extension in issuer.Extensions)
{
X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension;
if (basicContraints != null)
{
if (!basicContraints.CertificateAuthority)
{
throw new ApplicationException("Certificate cannot be used to issue new certificates.");
}
}
}
}
string password1 = PasswordTB.Text;
string password2 = VerifyPasswordTB.Text;
if (password1 != password2)
{
throw new ApplicationException("Passwords do not match.");
}
if (!String.IsNullOrEmpty(CertificateStoreCTRL.StorePath))
{
storeType = CertificateStoreCTRL.StoreType;
storePath = CertificateStoreCTRL.StorePath;
}
if (String.IsNullOrEmpty(storePath))
{
throw new ApplicationException("Please specify a store path.");
}
if (String.IsNullOrEmpty(applicationName))
{
throw new ApplicationException("Please specify an application name.");
}
X509Certificate2 certificate = Opc.Ua.CertificateFactory.CreateCertificate(
storeType,
storePath,
password1,
null,
applicationName,
subjectName,
null,
Convert.ToUInt16(KeySizeCB.SelectedItem.ToString()),
DateTime.MinValue,
(ushort)LifeTimeInMonthsUD.Value,
0,
true,
false,
issuerKeyFilePath,
issuerKeyFilePassword);
m_certificate = new CertificateIdentifier();
m_certificate.StoreType = storeType;
m_certificate.StorePath = storePath;
m_certificate.Certificate = certificate;
// close the dialog.
DialogResult = DialogResult.OK;
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Updates the dialog with the configuration.
/// </summary>
private void Update(ManagedApplication application)
{
if (application == null)
{
application = new ManagedApplication();
}
m_application = application;
SetIsSdkApplication(application.IsSdkCompatible);
ApplicationNameTB.Text = application.DisplayName;
ExecutableFileTB.Text = application.ExecutablePath;
ConfigurationFileTB.Text = application.ConfigurationPath;
CertificateTB.Text = null;
TrustListTB.Text = null;
m_certificate = application.Certificate;
m_trustList = application.TrustList;
if (m_certificate != null)
{
X509Certificate2 certificate = m_certificate.Find();
if (certificate != null)
{
CertificateTB.Text = certificate.Subject;
}
else
{
CertificateTB.Text = m_certificate.ToString();
}
}
if (m_trustList != null)
{
TrustListTB.Text = m_trustList.ToString();
}
}
/// <summary>
/// Displays the dialog.
/// </summary>
public bool ShowDialog(CertificateIdentifier certificate)
{
m_certificate = certificate;
CertificateStoreCTRL.StoreType = null;
CertificateStoreCTRL.StorePath = null;
CertificateStoreCTRL.ReadOnly = true;
ApplicationNameTB.Text = null;
ApplicationUriTB.Text = null;
OrganizationTB.Text = null;
DomainsTB.Text = System.Net.Dns.GetHostName();
SubjectNameTB.Text = null;
IssuerNameTB.Text = null;
ValidFromTB.Text = null;
ValidToTB.Text = null;
ThumbprintTB.Text = null;
if (certificate != null)
{
CertificateStoreCTRL.StoreType = certificate.StoreType;
CertificateStoreCTRL.StorePath = certificate.StorePath;
SubjectNameTB.Text = certificate.SubjectName;
ThumbprintTB.Text = certificate.Thumbprint;
X509Certificate2 data = certificate.Find();
if (data != null)
{
// fill in subject name.
StringBuilder buffer = new StringBuilder();
foreach (string element in Utils.ParseDistinguishedName(data.Subject))
{
if (element.StartsWith("CN="))
{
ApplicationNameTB.Text = element.Substring(3);
}
if (element.StartsWith("O="))
{
OrganizationTB.Text = element.Substring(2);
}
if (buffer.Length > 0)
{
buffer.Append('/');
}
buffer.Append(element);
}
if (buffer.Length > 0)
{
SubjectNameTB.Text = buffer.ToString();
}
// fill in issuer name.
buffer = new StringBuilder();
foreach (string element in Utils.ParseDistinguishedName(data.Issuer))
{
if (buffer.Length > 0)
{
buffer.Append('/');
}
buffer.Append(element);
}
if (buffer.Length > 0)
{
IssuerNameTB.Text = buffer.ToString();
}
// fill in application uri.
string applicationUri = Utils.GetApplicationUriFromCertficate(data);
if (!String.IsNullOrEmpty(applicationUri))
{
ApplicationUriTB.Text = applicationUri;
}
// fill in domains.
buffer = new StringBuilder();
foreach (string domain in Utils.GetDomainsFromCertficate(data))
{
if (buffer.Length > 0)
{
buffer.Append(", ");
}
buffer.Append(domain);
}
if (buffer.Length > 0)
{
DomainsTB.Text = buffer.ToString();
}
ValidFromTB.Text = data.NotBefore.ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss");
ValidToTB.Text = data.NotAfter.ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss");
ThumbprintTB.Text = data.Thumbprint;
}
}
if (ShowDialog() != DialogResult.OK)
{
return false;
}
return true;
}
private void CertificateBTN_Click(object sender, EventArgs e)
{
try
{
// determine default store.
CertificateStoreIdentifier store = new CertificateStoreIdentifier();
if (m_certificate != null)
{
store.StoreType = m_certificate.StoreType;
store.StorePath = m_certificate.StorePath;
}
else
{
store.StoreType = Utils.DefaultStoreType;
store.StorePath = Utils.DefaultStorePath;
}
// select the certificate.
CertificateIdentifier certificate = new CertificateListDlg().ShowDialog(store, true);
if (certificate != null)
{
m_certificate = certificate;
X509Certificate2 certificate2 = m_certificate.Find();
if (certificate2 != null)
{
CertificateTB.Text = certificate2.Subject;
}
else
{
CertificateTB.Text = m_certificate.ToString();
}
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Creates a user identity for the policy.
/// </summary>
private IUserIdentity CreateUserIdentity(UserTokenPolicy policy)
{
if (policy == null || policy.TokenType == UserTokenType.Anonymous)
{
return null;
}
if (policy.TokenType == UserTokenType.UserName)
{
return new UserIdentity("SomeUser", "password");
}
if (policy.TokenType == UserTokenType.Certificate)
{
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
try
{
foreach (X509Certificate2 certificate in store.Certificates)
{
if (certificate.HasPrivateKey)
{
return new UserIdentity(certificate);
}
}
return null;
}
finally
{
store.Close();
}
}
if (policy.TokenType == UserTokenType.IssuedToken)
{
CertificateIdentifier userid = new CertificateIdentifier();
userid.StoreType = CertificateStoreType.Windows;
userid.StorePath = "LocalMachine\\Root";
userid.SubjectName = "UASampleRoot";
X509Certificate2 certificate = userid.Find();
X509SecurityToken signingToken = new X509SecurityToken(certificate);
SamlSecurityToken token = CreateSAMLToken("*****@*****.**", signingToken);
return new UserIdentity(token);
}
throw ServiceResultException.Create(StatusCodes.BadSecurityPolicyRejected, "User token policy is not supported.");
}
/// <summary>
/// Creates an application instance certificate if one does not already exist.
/// </summary>
public static X509Certificate2 CheckApplicationInstanceCertificate(
ApplicationConfiguration configuration,
ushort keySize,
bool interactive,
bool updateFile)
{
// create a default certificate id none specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
id = new CertificateIdentifier();
id.StoreType = Utils.DefaultStoreType;
id.StorePath = Utils.DefaultStorePath;
id.SubjectName = configuration.ApplicationName;
}
bool createNewCertificate = false;
IList<string> serverDomainNames = configuration.GetServerDomainNames();
// check for private key.
X509Certificate2 certificate = id.Find(true);
if (certificate == null)
{
// check if config file has wrong thumprint.
if (!String.IsNullOrEmpty(id.SubjectName) && !String.IsNullOrEmpty(id.Thumbprint))
{
CertificateIdentifier id2 = new CertificateIdentifier();
id2.StoreType = id.StoreType;
id2.StorePath = id.StorePath;
id2.SubjectName = id.SubjectName;
id = id2;
certificate = id2.Find(true);
if (certificate != null)
{
string message = Utils.Format(
"Matching certificate with SubjectName={0} found but with a different thumbprint. Use certificate?",
id.SubjectName);
if (interactive)
{
if (MessageBox.Show(message, configuration.ApplicationName, MessageBoxButtons.YesNo) == DialogResult.No)
{
certificate = null;
}
}
}
}
}
// check if private key is missing.
if (certificate == null)
{
certificate = id.Find(false);
if (certificate != null)
{
string message = Utils.Format(
"Matching certificate with SubjectName={0} found but without a private key. Create a new certificate?",
id.SubjectName);
if (interactive)
{
if (MessageBox.Show(message, configuration.ApplicationName, MessageBoxButtons.YesNo) == DialogResult.No)
{
certificate = null;
}
}
}
}
// check domains.
if (certificate != null)
{
IList<string> certificateDomainNames = Utils.GetDomainsFromCertficate(certificate);
for (int ii = 0; ii < serverDomainNames.Count; ii++)
{
if (Utils.FindStringIgnoreCase(certificateDomainNames, serverDomainNames[ii]))
{
continue;
}
if (String.Compare(serverDomainNames[ii], "localhost", StringComparison.OrdinalIgnoreCase) == 0)
{
// check computer name.
string computerName = System.Net.Dns.GetHostName();
if (Utils.FindStringIgnoreCase(certificateDomainNames, computerName))
{
continue;
}
// check for aliases.
System.Net.IPHostEntry entry = System.Net.Dns.GetHostEntry(computerName);
bool found = false;
for (int jj = 0; jj < entry.Aliases.Length; jj++)
{
if (Utils.FindStringIgnoreCase(certificateDomainNames, entry.Aliases[jj]))
{
found = true;
break;
}
}
if (found)
{
continue;
}
// check for ip addresses.
for (int jj = 0; jj < entry.AddressList.Length; jj++)
{
if (Utils.FindStringIgnoreCase(certificateDomainNames, entry.AddressList[jj].ToString()))
{
found = true;
break;
}
}
if (found)
{
continue;
}
}
string message = Utils.Format(
"The server is configured to use domain '{0}' which does not appear in the certificate. Update certificate?",
serverDomainNames[ii]);
createNewCertificate = true;
if (interactive)
{
if (MessageBox.Show(message, configuration.ApplicationName, MessageBoxButtons.YesNo) != DialogResult.Yes)
{
createNewCertificate = false;
continue;
}
}
Utils.Trace(message);
break;
}
if (!createNewCertificate)
{
// check if key size matches.
if (keySize == certificate.PublicKey.Key.KeySize)
{
AddToTrustedStore(configuration, certificate);
return certificate;
}
}
}
// prompt user.
if (interactive)
{
if (!createNewCertificate)
{
if (MessageBox.Show("Application does not have an instance certificate. Create one automatically?", configuration.ApplicationName, MessageBoxButtons.YesNo) == DialogResult.No)
{
return null;
}
}
}
// delete existing certificate.
if (certificate != null)
{
DeleteApplicationInstanceCertificate(configuration);
}
// add the localhost.
if (serverDomainNames.Count == 0)
{
serverDomainNames.Add(System.Net.Dns.GetHostName());
}
certificate = Opc.Ua.CertificateFactory.CreateCertificate(
id.StoreType,
id.StorePath,
configuration.ApplicationUri,
configuration.ApplicationName,
null,
serverDomainNames,
keySize,
300);
id.Certificate = certificate;
AddToTrustedStore(configuration, certificate);
if (updateFile && !String.IsNullOrEmpty(configuration.SourceFilePath))
{
configuration.SaveToFile(configuration.SourceFilePath);
}
configuration.CertificateValidator.Update(configuration.SecurityConfiguration);
return configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null);
}
/// <summary>
/// Creates an application instance certificate if one does not already exist.
/// </summary>
public static async Task<X509Certificate2> CheckApplicationInstanceCertificate(
ApplicationConfiguration configuration,
ushort keySize,
bool interactive,
bool updateFile)
{
// create a default certificate if none is specified.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
id = new CertificateIdentifier();
id.StoreType = Utils.DefaultStoreType;
id.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\MachineDefault";
id.SubjectName = configuration.ApplicationName;
}
bool createNewCertificate = false;
IList<string> serverDomainNames = configuration.GetServerDomainNames();
// check for private key.
X509Certificate2 certificate = await id.Find(true);
if (certificate == null)
{
// check if config file has wrong thumprint.
if (!String.IsNullOrEmpty(id.SubjectName) && !String.IsNullOrEmpty(id.Thumbprint))
{
CertificateIdentifier id2 = new CertificateIdentifier();
id2.StoreType = id.StoreType;
id2.StorePath = id.StorePath;
id2.SubjectName = id.SubjectName;
id = id2;
certificate = await id2.Find(true);
if (certificate != null)
{
string message = Utils.Format(
"Matching certificate with SubjectName={0} found but with a different thumbprint. Use certificate?",
id.SubjectName);
if (interactive)
{
MessageDlg dialog = new MessageDlg(message, MessageDlgButton.Yes, MessageDlgButton.No);
MessageDlgButton result = await dialog.ShowAsync();
if (result != MessageDlgButton.Yes)
{
certificate = null;
}
}
}
}
// check if private key is missing.
if (certificate == null)
{
certificate = await id.Find(false);
if (certificate != null)
{
string message = Utils.Format(
"Matching certificate with SubjectName={0} found but without a private key. Create a new certificate?",
id.SubjectName);
if (interactive)
{
MessageDlg dialog = new MessageDlg(message, MessageDlgButton.Yes, MessageDlgButton.No);
MessageDlgButton result = await dialog.ShowAsync();
if (result != MessageDlgButton.Yes)
{
certificate = null;
}
}
}
}
// check domains.
if (certificate != null)
{
IList<string> certificateDomainNames = Utils.GetDomainsFromCertficate(certificate);
for (int ii = 0; ii < serverDomainNames.Count; ii++)
{
if (Utils.FindStringIgnoreCase(certificateDomainNames, serverDomainNames[ii]))
{
continue;
}
if (String.Compare(serverDomainNames[ii], "localhost", StringComparison.OrdinalIgnoreCase) == 0)
{
// check computer name.
string computerName = Utils.GetHostName();
if (Utils.FindStringIgnoreCase(certificateDomainNames, computerName))
{
continue;
}
}
string message = Utils.Format(
"The server is configured to use domain '{0}' which does not appear in the certificate. Create new certificate?",
serverDomainNames[ii]);
createNewCertificate = true;
if (interactive)
{
MessageDlg dialog = new MessageDlg(message, MessageDlgButton.Yes, MessageDlgButton.No);
MessageDlgButton result = await dialog.ShowAsync();
if (result != MessageDlgButton.Yes)
{
createNewCertificate = false;
continue;
}
}
Utils.Trace(message);
break;
}
if (!createNewCertificate)
{
// check if key size matches.
if (keySize == certificate.GetRSAPublicKey().KeySize)
{
await AddToTrustedStore(configuration, certificate);
return certificate;
}
}
}
// prompt user.
if (interactive)
{
if (!createNewCertificate)
{
MessageDlg dialog = new MessageDlg("Application does not have an instance certificate.\n Create one automatically?", MessageDlgButton.Yes, MessageDlgButton.No);
MessageDlgButton result = await dialog.ShowAsync();
if (result != MessageDlgButton.Yes)
{
return null;
}
}
}
// delete existing certificate.
if (certificate != null)
{
await DeleteApplicationInstanceCertificate(configuration);
}
// add the localhost.
if (serverDomainNames.Count == 0)
{
serverDomainNames.Add(Utils.GetHostName());
}
certificate = await Opc.Ua.CertificateFactory.CreateCertificate(
id.StoreType,
id.StorePath,
configuration.ApplicationUri,
configuration.ApplicationName,
null,
serverDomainNames,
keySize,
300);
id.Certificate = certificate;
await AddToTrustedStore(configuration, certificate);
if (updateFile && !String.IsNullOrEmpty(configuration.SourceFilePath))
{
configuration.SaveToFile(configuration.SourceFilePath);
}
await configuration.CertificateValidator.Update(configuration.SecurityConfiguration);
return await configuration.SecurityConfiguration.ApplicationCertificate.LoadPrivateKey(null);
}
return certificate;
}
public CertificateBundle UpdateCertificate(string vaultName, string certificateName, string certificateVersion, CertificateAttributes certificateAttributes, IDictionary<string, string> tags)
{
if (string.IsNullOrEmpty(vaultName))
throw new ArgumentNullException("vaultName");
if (string.IsNullOrEmpty(certificateName))
throw new ArgumentNullException("certificateName");
var certificateIdentifier = new CertificateIdentifier(this.vaultUriHelper.CreateVaultAddress(vaultName), certificateName, certificateVersion);
CertificateBundle certificateBundle;
try
{
certificateBundle = this.keyVaultClient.UpdateCertificateAsync(
certificateIdentifier.Identifier, null, certificateAttributes, tags).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return certificateBundle;
}
private void CopyMI_Click(object sender, EventArgs e)
{
try
{
X509Certificate2 certificate = SelectedTag as X509Certificate2;
if (certificate == null)
{
return;
}
StringBuilder builder = new StringBuilder();
XmlWriter writer = XmlWriter.Create(builder);
try
{
DataContractSerializer serializer = new DataContractSerializer(typeof(CertificateIdentifier));
CertificateIdentifier id = new CertificateIdentifier();
id.Certificate = certificate;
serializer.WriteObject(writer, id);
}
finally
{
writer.Close();
}
ClipboardHack.SetData(DataFormats.Text, builder.ToString());
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
private void ViewMI_Click(object sender, EventArgs e)
{
try
{
X509Certificate2 certificate = SelectedTag as X509Certificate2;
if (certificate != null)
{
CertificateIdentifier id = new CertificateIdentifier();
id.Certificate = certificate;
if (m_storeId != null)
{
id.StoreType = m_storeId.StoreType;
id.StorePath = m_storeId.StorePath;
}
new ViewCertificateDlg().ShowDialog(id);
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
private void NewBindingMI_Click(object sender, EventArgs e)
{
try
{
CertificateIdentifier certificate = new CertificateIdentifier();
certificate.StoreType = m_defaultStore.StoreType;
certificate.StorePath = m_defaultStore.StorePath;
SslCertificateBinding binding = new CreateSslBindingDlg().ShowDialog(0, certificate);
if (binding != null)
{
AddRow(binding);
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
private void CertificateBTN_Click(object sender, EventArgs e)
{
try
{
CertificateStoreIdentifier store = new CertificateStoreIdentifier();
store.StoreType = m_certificate.StoreType;
store.StorePath = m_certificate.StorePath;
CertificateIdentifier certificate = new CertificateListDlg().ShowDialog(store, true);
if (certificate != null)
{
m_certificate = certificate;
CertificateTB.Text = m_certificate.Thumbprint;
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
}
}
private void OkBTN_Click(object sender, EventArgs e)
{
try
{
string storeType = null;
string storePath = null;
string domainName = null;
string organization = null;
string subjectName = SubjectNameTB.Text.Trim();
string issuerKeyFilePath = IssuerKeyFilePathTB.Text.Trim();
string issuerKeyFilePassword = IssuerPasswordTB.Text.Trim();
if (String.IsNullOrEmpty(issuerKeyFilePath))
{
throw new ApplicationException("Must provide an issuer certificate.");
}
// verify certificate.
X509Certificate2 issuer = new X509Certificate2(
issuerKeyFilePath,
issuerKeyFilePassword,
X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
if (!issuer.HasPrivateKey)
{
throw new ApplicationException("Issuer certificate does not have a private key.");
}
// determine certificate type.
foreach (X509Extension extension in issuer.Extensions)
{
X509BasicConstraintsExtension basicContraints = extension as X509BasicConstraintsExtension;
if (basicContraints != null)
{
if (!basicContraints.CertificateAuthority)
{
throw new ApplicationException("Certificate cannot be used to issue new certificates.");
}
}
}
// check traget store.
if (!String.IsNullOrEmpty(CertificateStoreCTRL.StorePath))
{
storeType = CertificateStoreCTRL.StoreType;
storePath = CertificateStoreCTRL.StorePath;
}
if (String.IsNullOrEmpty(storePath))
{
throw new ApplicationException("Please specify a store path.");
}
domainName = DomainNameTB.Text;
organization = OrganizationTB.Text;
// extract key fields from the subject name.
if (SubjectNameCK.Checked)
{
List<string> parts = Utils.ParseDistinguishedName(SubjectNameTB.Text);
for (int ii = 0; ii < parts.Count; ii++)
{
if (parts[ii].StartsWith("CN="))
{
domainName = parts[ii].Substring(3).Trim();
}
if (parts[ii].StartsWith("O="))
{
organization = parts[ii].Substring(2).Trim();
}
}
}
if (String.IsNullOrEmpty(domainName))
{
throw new ApplicationException("Please specify a domain name.");
}
if (!String.IsNullOrEmpty(DomainNameTB.Text) && domainName != DomainNameTB.Text)
{
throw new ApplicationException("The domain name must be the common name for the certificate.");
}
if (!String.IsNullOrEmpty(OrganizationTB.Text) && organization != OrganizationTB.Text)
{
throw new ApplicationException("The organization must be the organization for the certificate.");
}
X509Certificate2 certificate = Opc.Ua.CertificateFactory.CreateCertificate(
storeType,
storePath,
null,
null,
domainName,
subjectName,
null,
Convert.ToUInt16(KeySizeCB.SelectedItem.ToString()),
DateTime.MinValue,
(ushort)LifeTimeInMonthsUD.Value,
0,
false,
false,
issuerKeyFilePath,
issuerKeyFilePassword);
m_certificate = new CertificateIdentifier();
m_certificate.StoreType = storeType;
m_certificate.StorePath = storePath;
m_certificate.Certificate = certificate;
try
{
CertificateStoreIdentifier rootStore = new CertificateStoreIdentifier();
rootStore.StoreType = CertificateStoreType.Windows;
rootStore.StorePath = "LocalMachine\\Root";
using (ICertificateStore store = rootStore.OpenStore())
{
X509Certificate2 rootCertificate = new X509Certificate2(issuerKeyFilePath, issuerKeyFilePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
if (store.FindByThumbprint(rootCertificate.Thumbprint) == null)
{
if (Ask("Would you like to install the signing certificate as a trusted root authority on this machine?"))
{
store.Add(new X509Certificate2(rootCertificate.RawData));
}
}
}
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception);
}
// close the dialog.
DialogResult = DialogResult.OK;
}
catch (Exception exception)
{
GuiUtils.HandleException(this.Text, System.Reflection.MethodBase.GetCurrentMethod(), exception);
}
}
/// <summary>
/// Updates the access permissions for the certificate store.
/// </summary>
private static void SetCertificatePermissions(
Opc.Ua.Security.SecuredApplication application,
CertificateIdentifier id,
IList<ApplicationAccessRule> accessRules,
bool replaceExisting)
{
if (id == null || accessRules == null || accessRules.Count == 0)
{
return;
}
try
{
using (ICertificateStore store = id.OpenStore())
{
if (store.SupportsCertificateAccessControl)
{
store.SetAccessRules(id.Thumbprint, accessRules, replaceExisting);
}
}
}
catch (Exception e)
{
Utils.Trace("Could not set permissions for certificate store: {0}. Error={1}", id, e.Message);
for (int jj = 0; jj < accessRules.Count; jj++)
{
ApplicationAccessRule rule = accessRules[jj];
Utils.Trace(
(int)Utils.TraceMasks.Error,
"IdentityName={0}, Right={1}, RuleType={2}",
rule.IdentityName,
rule.Right,
rule.RuleType);
}
}
}
/// <summary>
/// Initializes the validator from the configuration for a token policy.
/// </summary>
/// <param name="issuerCertificate">The issuer certificate.</param>
private SecurityTokenResolver CreateSecurityTokenResolver(CertificateIdentifier issuerCertificate)
{
if (issuerCertificate == null)
{
throw new ArgumentNullException("issuerCertificate");
}
// find the certificate.
X509Certificate2 certificate = issuerCertificate.Find(false);
if (certificate == null)
{
throw ServiceResultException.Create(
StatusCodes.BadCertificateInvalid,
"Could not find issuer certificate: {0}",
issuerCertificate);
}
// create a security token representing the certificate.
List<SecurityToken> tokens = new List<SecurityToken>();
tokens.Add(new X509SecurityToken(certificate));
// create issued token resolver.
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new System.Collections.ObjectModel.ReadOnlyCollection<SecurityToken>(tokens),
false);
return tokenResolver;
}
/// <summary>
/// Checks for a valid application instance certificate.
/// </summary>
/// <param name="silent">if set to <c>true</c> no dialogs will be displayed.</param>
/// <param name="minimumKeySize">Minimum size of the key.</param>
public async Task<bool> CheckApplicationInstanceCertificate(
bool silent,
ushort minimumKeySize)
{
Utils.Trace(Utils.TraceMasks.Information, "Checking application instance certificate.");
ApplicationConfiguration configuration = null;
if (m_applicationConfiguration == null)
{
await LoadApplicationConfiguration(silent);
}
configuration = m_applicationConfiguration;
bool certificateValid = false;
// find the existing certificate.
CertificateIdentifier id = configuration.SecurityConfiguration.ApplicationCertificate;
if (id == null)
{
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "Configuration file does not specify a certificate.");
}
X509Certificate2 certificate = await id.Find(true);
// check that it is ok.
if (certificate != null)
{
certificateValid = await CheckApplicationInstanceCertificate(configuration, certificate, silent, minimumKeySize);
}
else
{
// check for missing private key.
certificate = await id.Find(false);
if (certificate != null)
{
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "Cannot access certificate private key. Subject={0}", certificate.Subject);
}
// check for missing thumbprint.
if (!String.IsNullOrEmpty(id.Thumbprint))
{
if (!String.IsNullOrEmpty(id.SubjectName))
{
CertificateIdentifier id2 = new CertificateIdentifier();
id2.StoreType = id.StoreType;
id2.StorePath = id.StorePath;
id2.SubjectName = id.SubjectName;
certificate = await id2.Find(true);
}
if (certificate != null)
{
string message = Utils.Format(
"Thumbprint was explicitly specified in the configuration." +
"\r\nAnother certificate with the same subject name was found." +
"\r\nUse it instead?\r\n" +
"\r\nRequested: {0}" +
"\r\nFound: {1}",
id.SubjectName,
certificate.Subject);
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message);
}
else
{
string message = Utils.Format("Thumbprint was explicitly specified in the configuration. Cannot generate a new certificate.");
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message);
}
}
}
if ((certificate == null) || !certificateValid)
{
certificate = await CreateApplicationInstanceCertificate(configuration, minimumKeySize);
if (certificate == null)
{
string message = Utils.Format(
"There is no cert with subject {0} in the configuration." +
"\r\n Please generate a cert for your application,",
"\r\n then copy the new cert to this location:" +
"\r\n{1}",
id.SubjectName,
id.StorePath);
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, message);
}
}
else
{
// ensure it is trusted.
await AddToTrustedStore(configuration, certificate);
}
// add to discovery server.
if (configuration.ApplicationType == ApplicationType.Server || configuration.ApplicationType == ApplicationType.ClientAndServer)
{
try
{
await AddToDiscoveryServerTrustList(certificate, null, null, configuration.SecurityConfiguration.TrustedPeerCertificates);
}
catch (Exception e)
{
Utils.Trace(e, "Could not add certificate to LDS trust list.");
}
}
return true;
}
