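/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <remarks>
/// Removes the certificate from the trusted peer store (when one is configured), then the
/// certificate and its private key from the owner store, and finally clears the in-memory
/// copy held by the certificate identifier. Does nothing when no application certificate
/// is configured.
/// </remarks>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
    // Guard the whole chain up front: SecurityConfiguration was previously dereferenced to read
    // ApplicationCertificate before it was checked for null, making that later check dead code.
    var securityConfiguration = configuration?.SecurityConfiguration;
    CertificateIdentifier id = securityConfiguration?.ApplicationCertificate;

    if (id == null)
    {
        return;
    }

    // Resolve the certificate; null when it was never created or is already gone.
    X509Certificate2 certificate = await id.Find().ConfigureAwait(false);

    if (certificate != null)
    {
        Utils.LogCertificate(TraceMasks.Security, "Deleting application instance certificate and private key.", certificate);
    }

    // Prefer the thumbprint of the resolved certificate, fall back to the configured one.
    string thumbprint = certificate?.Thumbprint ?? id.Thumbprint;

    // Delete the public certificate from the trusted peer store.
    if (securityConfiguration.TrustedPeerCertificates != null && !string.IsNullOrEmpty(thumbprint))
    {
        using (ICertificateStore store = securityConfiguration.TrustedPeerCertificates.OpenStore())
        {
            bool deleted = await store.Delete(thumbprint).ConfigureAwait(false);

            if (deleted)
            {
                Utils.LogInfo(TraceMasks.Security, "Application Instance Certificate [{0}] deleted from trusted store.", thumbprint);
            }
        }
    }

    // Delete the certificate and private key from the owner store.
    if (certificate != null)
    {
        using (ICertificateStore store = id.OpenStore())
        {
            bool deleted = await store.Delete(certificate.Thumbprint).ConfigureAwait(false);

            if (deleted)
            {
                Utils.LogCertificate(TraceMasks.Security, "Application certificate and private key deleted.", certificate);
            }
        }
    }

    // Erase the memory copy of the deleted certificate.
    id.Certificate = null;
}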
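/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <remarks>
/// Removes the certificate from the trusted peer store (when one is configured) and then the
/// certificate and private key from the owner store. Does nothing when no application
/// certificate is configured.
/// </remarks>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static async Task DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
    Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate.");

    // Guard the whole chain up front: SecurityConfiguration was previously dereferenced to read
    // ApplicationCertificate before it was checked for null, making that later check dead code.
    var securityConfiguration = configuration?.SecurityConfiguration;
    CertificateIdentifier id = securityConfiguration?.ApplicationCertificate;

    if (id == null)
    {
        return;
    }

    // Resolve the certificate; null when it was never created or is already gone.
    X509Certificate2 certificate = await id.Find().ConfigureAwait(false);

    // Prefer the thumbprint of the resolved certificate, fall back to the configured one.
    string thumbprint = certificate?.Thumbprint ?? id.Thumbprint;

    // Delete the public certificate from the trusted peer store.
    if (securityConfiguration.TrustedPeerCertificates != null && !string.IsNullOrEmpty(thumbprint))
    {
        using (ICertificateStore store = securityConfiguration.TrustedPeerCertificates.OpenStore())
        {
            await store.Delete(thumbprint).ConfigureAwait(false);
        }
    }

    // Delete the certificate and private key from the owner store.
    if (certificate != null)
    {
        using (ICertificateStore store = id.OpenStore())
        {
            await store.Delete(certificate.Thumbprint).ConfigureAwait(false);
        }
    }
}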
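/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <remarks>
/// Removes the certificate from the trusted peer store (when one is configured) and then the
/// certificate and private key from the owner store. Does nothing when no application
/// certificate is configured.
/// </remarks>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
public static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
    // Guard the whole chain up front: SecurityConfiguration was previously dereferenced to read
    // ApplicationCertificate before it was checked for null, making that later check dead code.
    var securityConfiguration = configuration?.SecurityConfiguration;
    CertificateIdentifier id = securityConfiguration?.ApplicationCertificate;

    if (id == null)
    {
        return;
    }

    // Resolve the certificate; null when it was never created or is already gone.
    X509Certificate2 certificate = id.Find();

    // Prefer the thumbprint of the resolved certificate, fall back to the configured one.
    string thumbprint = certificate?.Thumbprint ?? id.Thumbprint;

    // Delete the public certificate from the trusted peer store.
    if (securityConfiguration.TrustedPeerCertificates != null && !string.IsNullOrEmpty(thumbprint))
    {
        using (ICertificateStore store = securityConfiguration.TrustedPeerCertificates.OpenStore())
        {
            store.Delete(thumbprint);
        }
    }

    // Delete the certificate and private key from the owner store.
    if (certificate != null)
    {
        using (ICertificateStore store = id.OpenStore())
        {
            store.Delete(certificate.Thumbprint);
        }
    }
}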
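/// <summary>
/// Deletes an existing application instance certificate.
/// </summary>
/// <remarks>
/// Removes the certificate from the trusted peer store (when one is configured) and then the
/// certificate and private key from the owner store. Does nothing when no application
/// certificate is configured.
/// </remarks>
/// <param name="configuration">The configuration instance that stores the configurable information for a UA application.</param>
private static void DeleteApplicationInstanceCertificate(ApplicationConfiguration configuration)
{
    Utils.Trace(Utils.TraceMasks.Information, "Deleting application instance certificate.");

    // Guard the whole chain up front: SecurityConfiguration is needed twice below, and
    // ApplicationCertificate was previously read before any null check on it.
    var securityConfiguration = configuration?.SecurityConfiguration;
    CertificateIdentifier id = securityConfiguration?.ApplicationCertificate;

    if (id == null)
    {
        return;
    }

    // Resolve the certificate; null when it was never created or is already gone.
    X509Certificate2 certificate = id.Find();

    // Prefer the thumbprint of the resolved certificate, fall back to the configured one.
    string thumbprint = certificate?.Thumbprint ?? id.Thumbprint;

    // Delete the public certificate from the trusted peer store. An empty thumbprint is not
    // passed to the store (the previous version forwarded it unconditionally).
    if (securityConfiguration.TrustedPeerCertificates != null && !string.IsNullOrEmpty(thumbprint))
    {
        using (ICertificateStore store = securityConfiguration.TrustedPeerCertificates.OpenStore())
        {
            store.Delete(thumbprint);
        }
    }

    // Delete the certificate and private key from the owner store.
    if (certificate == null)
    {
        return;
    }

    using (ICertificateStore store = id.OpenStore())
    {
        store.Delete(certificate.Thumbprint);
    }
}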
/// <summary>
/// Updates the access permissions for the certificate store.
/// </summary>
/// <remarks>
/// Applies <paramref name="accessRules"/> to the certificate identified by <paramref name="id"/>
/// when the store supports certificate access control. Failures are traced together with every
/// rule that could not be applied; nothing is thrown. <paramref name="application"/> is not used
/// by this method.
/// </remarks>
/// <param name="application">The secured application being configured (currently unused).</param>
/// <param name="id">The certificate whose access rules are updated; null is ignored.</param>
/// <param name="accessRules">The rules to apply; null or empty is ignored.</param>
/// <param name="replaceExisting">true to replace any existing rules, false to merge.</param>
private static void SetCertificatePermissions(
    Opc.Ua.Security.SecuredApplication application,
    CertificateIdentifier id,
    IList<ApplicationAccessRule> accessRules,
    bool replaceExisting)
{
    bool nothingToApply = id == null || accessRules == null || accessRules.Count == 0;

    if (nothingToApply)
    {
        return;
    }

    try
    {
        using (ICertificateStore store = id.OpenStore())
        {
            bool supported = store.SupportsCertificateAccessControl;

            if (supported)
            {
                store.SetAccessRules(id.Thumbprint, accessRules, replaceExisting);
            }
        }
    }
    catch (Exception e)
    {
        Utils.Trace("Could not set permissions for certificate store: {0}. Error={1}", id, e.Message);

        // Trace each rule that was not applied so the failure can be diagnosed from the log.
        foreach (ApplicationAccessRule rule in accessRules)
        {
            Utils.Trace(
                (int)Utils.TraceMasks.Error,
                "IdentityName={0}, Right={1}, RuleType={2}",
                rule.IdentityName,
                rule.Right,
                rule.RuleType);
        }
    }
}
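/// <summary>
/// Handles the OK button: validates the entered address, port and certificate, copies the
/// certificate into the selected machine store when it is not there yet, and registers the
/// SSL certificate binding for the address/port pair.
/// </summary>
/// <param name="sender">The control that raised the event.</param>
/// <param name="e">The event arguments.</param>
/// <remarks>
/// Any failure is reported through GuiUtils.HandleException and leaves the dialog open; the
/// dialog only closes with DialogResult.OK once the binding has been set.
/// </remarks>
private void OkBTN_Click(object sender, EventArgs e)
{
    try
    {
        IPAddress address = IPAddress.Parse(IPAddressTB.Text);
        ushort port = (ushort)PortUD.Value;

        if (m_certificate == null)
        {
            throw new ArgumentException("You must specify a certificate.");
        }

        X509Certificate2 certificate = m_certificate.Find(true);

        if (certificate == null)
        {
            throw new ArgumentException("Certificate does not exist or has no private key.");
        }

        // The user may decline to proceed on an untrusted root or unknown revocation status;
        // any other chain error is raised as an ArgumentException by the helper.
        if (!ConfirmCertificateChain(certificate))
        {
            return;
        }

        // Get the target store; default to the Windows store named in the text box.
        if (m_store == null)
        {
            m_store = new CertificateStoreIdentifier();
            m_store.StoreType = CertificateStoreType.Windows;
            m_store.StorePath = CertificateStoreTB.Text;
        }

        if (m_store.StoreType != CertificateStoreType.Windows)
        {
            throw new ArgumentException("You must choose a Windows store for SSL certificates.");
        }

        // SSL bindings need a machine-wide store. A missing path is rejected here instead of
        // failing with a NullReferenceException further down.
        if (string.IsNullOrEmpty(m_store.StorePath) ||
            !m_store.StorePath.StartsWith("LocalMachine\\", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("You must choose a machine store for SSL certificates.");
        }

        // Copy the certificate into the target store when it is not already present.
        bool addedToTargetStore = false;

        using (ICertificateStore store = m_store.OpenStore())
        {
            if (store.FindByThumbprint(certificate.Thumbprint) == null)
            {
                store.Add(certificate);
                addedToTargetStore = true;
            }
        }

        // Only offer to remove the original once the copy into the target store succeeded.
        if (addedToTargetStore && Ask("Would you like to delete the certificate from its current location?"))
        {
            using (ICertificateStore store = m_certificate.OpenStore())
            {
                store.Delete(certificate.Thumbprint);
            }
        }

        SslCertificateBinding binding = new SslCertificateBinding();
        binding.IPAddress = address;
        binding.Port = port;
        binding.Thumbprint = certificate.Thumbprint;
        binding.ApplicationId = s_DefaultApplicationId;
        binding.StoreName = null;

        // StoreName stays null for the "My" store; otherwise it is the last path segment.
        // Ordinal comparisons: store paths are identifiers, not user-visible text.
        if (!m_store.StorePath.EndsWith("\\My", StringComparison.Ordinal))
        {
            int index = m_store.StorePath.LastIndexOf('\\');
            binding.StoreName = m_store.StorePath.Substring(index + 1);
        }

        HttpAccessRule.SetSslCertificateBinding(binding);

        m_binding = binding;
        DialogResult = DialogResult.OK;
    }
    catch (Exception exception)
    {
        GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception);
    }
}

/// <summary>
/// Builds the certificate chain with offline revocation checking and asks the user whether to
/// proceed when the root is untrusted or the revocation status cannot be determined.
/// </summary>
/// <param name="certificate">The certificate to validate.</param>
/// <returns>true to proceed; false when the user declined one of the prompts.</returns>
/// <exception cref="ArgumentException">The chain reported a status other than NoError,
/// OfflineRevocation, UntrustedRoot or RevocationStatusUnknown.</exception>
private bool ConfirmCertificateChain(X509Certificate2 certificate)
{
    X509ChainPolicy policy = new X509ChainPolicy();
    policy.RevocationFlag = X509RevocationFlag.EntireChain;
    policy.RevocationMode = X509RevocationMode.Offline;
    policy.VerificationFlags = X509VerificationFlags.NoFlag;
    // A revocation status that cannot be determined (e.g. no cached CRL) does not fail the
    // build by itself; an explicitly revoked certificate still surfaces as a non-NoError
    // status and is rejected by the default branch below.
    policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown;
    policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown;
    policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown;
    policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown;

    // X509Chain owns native handles; the original code never disposed it.
    using (X509Chain chain = new X509Chain())
    {
        chain.ChainPolicy = policy;

        // The return value is intentionally ignored: the per-element statuses decide below.
        chain.Build(certificate);

        foreach (X509ChainElement element in chain.ChainElements)
        {
            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                switch (status.Status)
                {
                    case X509ChainStatusFlags.UntrustedRoot:
                        if (!Ask("Cannot verify certificate up to a trusted root.\r\nAdd anyways?"))
                        {
                            return false;
                        }
                        break;

                    case X509ChainStatusFlags.RevocationStatusUnknown:
                        if (!Ask("The revocation status of this certificate cannot be verified.\r\nAdd anyways?"))
                        {
                            return false;
                        }
                        break;

                    // Informational only.
                    case X509ChainStatusFlags.OfflineRevocation:
                    case X509ChainStatusFlags.NoError:
                        break;

                    default:
                        throw new ArgumentException("[" + status.Status + "] " + status.StatusInformation);
                }
            }
        }
    }

    return true;
}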
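/// <summary>
/// Uninstalls a UA application.
/// </summary>
/// <remarks>
/// Locates the application's configuration file next to its executable, optionally deletes the
/// application certificate from the trusted peer and application stores (removing the
/// "LocalMachine\UA Applications" store when it is left empty), and removes the HTTP access
/// rules granted for the application's base addresses. Store and access-rule failures are
/// traced and do not abort the remaining steps. Nothing beyond locating the files happens when
/// the configuration file cannot be resolved.
/// </remarks>
/// <param name="application">The installed application to remove.</param>
/// <exception cref="ArgumentNullException"><paramref name="application"/> is null.</exception>
public static async Task UninstallApplication(InstalledApplication application)
{
    if (application == null)
    {
        throw new ArgumentNullException(nameof(application));
    }

    // validate the executable file.
    string executableFile = Utils.GetAbsoluteFilePath(application.ExecutableFile, true, true, false);

    // get the default application name from the executable file. The previous code chopped a
    // fixed four characters off the name, which is only right for a three-letter extension.
    FileInfo executableFileInfo = new FileInfo(executableFile);
    string applicationName = Path.GetFileNameWithoutExtension(executableFileInfo.Name);

    // choose a default configuration file.
    if (string.IsNullOrEmpty(application.ConfigurationFile))
    {
        application.ConfigurationFile = Utils.Format(
            "{0}\\{1}.Config.xml",
            executableFileInfo.DirectoryName,
            applicationName);
    }

    // validate the configuration file.
    string configurationFile = Utils.GetAbsoluteFilePath(application.ConfigurationFile, true, false, false);

    if (configurationFile == null)
    {
        return;
    }

    // load the current configuration.
    Opc.Ua.Security.SecuredApplication security = new Opc.Ua.Security.SecurityConfigurationManager().ReadConfiguration(configurationFile);

    // delete the application certificates.
    if (application.DeleteCertificatesOnUninstall)
    {
        await DeleteCertificatesOnUninstall(security);
    }

    // remove the permissions for the HTTP endpoints used by the application.
    RemoveHttpAccessRules(application);
}

/// <summary>
/// Deletes the application certificate from the trusted peer store and from the application
/// certificate store, then permanently removes the "LocalMachine\UA Applications" store if it
/// is now empty. Each step traces and swallows its own failure.
/// </summary>
/// <param name="security">The security settings read from the application's configuration file.</param>
private static async Task DeleteCertificatesOnUninstall(Opc.Ua.Security.SecuredApplication security)
{
    CertificateIdentifier id = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(security.ApplicationCertificate);

    // NOTE(review): FromCertificateIdentifier is assumed to return null or an identifier with
    // an empty thumbprint when no certificate is configured — confirm against its implementation.
    string thumbprint = id?.Thumbprint;

    if (!string.IsNullOrEmpty(thumbprint))
    {
        // delete public key from trusted peers certificate store.
        try
        {
            CertificateStoreIdentifier certificateStore = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(security.TrustedCertificateStore);

            using (ICertificateStore store = certificateStore.OpenStore())
            {
                X509Certificate2Collection peerCertificates = await store.FindByThumbprint(thumbprint);

                if (peerCertificates.Count > 0)
                {
                    await store.Delete(peerCertificates[0].Thumbprint);
                }
            }
        }
        catch (Exception e)
        {
            Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
        }

        // delete private key from application certificate store.
        try
        {
            using (ICertificateStore store = id.OpenStore())
            {
                await store.Delete(thumbprint);
            }
        }
        catch (Exception e)
        {
            Utils.Trace("Could not delete certificate '{0}' from store. Error={1}", id, e.Message);
        }
    }

    // permanently delete the UA defined store if it is now empty.
    try
    {
        // Disposed like every other store in this method; the original left the handle open.
        using (WindowsCertificateStore store = new WindowsCertificateStore())
        {
            await store.Open("LocalMachine\\UA Applications");

            X509Certificate2Collection collection = await store.Enumerate();

            if (collection.Count == 0)
            {
                store.PermanentlyDeleteStore();
            }
        }
    }
    catch (Exception e)
    {
        // The previous message was copied from the certificate deletion above and named the
        // wrong operation.
        Utils.Trace("Could not delete empty certificate store 'LocalMachine\\UA Applications'. Error={0}", e.Message);
    }
}

/// <summary>
/// Removes the HTTP access rules previously granted for each of the application's base
/// addresses. Unparseable addresses are skipped; failures are traced per URL and do not stop
/// processing of the remaining addresses.
/// </summary>
/// <param name="application">The installed application whose BaseAddresses are processed; a null or empty list is ignored.</param>
private static void RemoveHttpAccessRules(InstalledApplication application)
{
    if (application.BaseAddresses == null || application.BaseAddresses.Count == 0)
    {
        return;
    }

    // Setting an empty rule set with replaceExisting=true clears whatever was granted before.
    List<ApplicationAccessRule> noRules = new List<ApplicationAccessRule>();

    for (int ii = 0; ii < application.BaseAddresses.Count; ii++)
    {
        Uri url = Utils.ParseUri(application.BaseAddresses[ii]);

        if (url == null)
        {
            continue;
        }

        try
        {
            HttpAccessRule.SetAccessRules(url, noRules, true);
            Utils.Trace("Removed HTTP access rules for URL: {0}", url);
        }
        catch (Exception e)
        {
            Utils.Trace("Could not remove HTTP access rules for URL: {0}. Error={1}", url, e.Message);
        }
    }
}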
/// <summary>
/// Updates the access permissions for the certificate store.
/// </summary>
/// <remarks>
/// Opens the store behind <paramref name="id"/> and, if that store supports certificate access
/// control, applies <paramref name="accessRules"/> to the certificate's thumbprint. Any
/// exception is traced (followed by one trace line per rule) and not rethrown. The
/// <paramref name="application"/> argument is not referenced.
/// </remarks>
/// <param name="application">The secured application being configured (currently unused).</param>
/// <param name="id">The certificate whose access rules are updated; null is ignored.</param>
/// <param name="accessRules">The rules to apply; null or empty is ignored.</param>
/// <param name="replaceExisting">true to replace any existing rules, false to merge.</param>
private static void SetCertificatePermissions(
    Opc.Ua.Security.SecuredApplication application,
    CertificateIdentifier id,
    IList<ApplicationAccessRule> accessRules,
    bool replaceExisting)
{
    if (id == null)
    {
        return;
    }

    if (accessRules == null || accessRules.Count == 0)
    {
        return;
    }

    try
    {
        ICertificateStore store = id.OpenStore();

        using (store)
        {
            if (!store.SupportsCertificateAccessControl)
            {
                return;
            }

            store.SetAccessRules(id.Thumbprint, accessRules, replaceExisting);
        }
    }
    catch (Exception e)
    {
        Utils.Trace("Could not set permissions for certificate store: {0}. Error={1}", id, e.Message);

        // One trace line per rule so the log shows exactly what failed to apply.
        int count = accessRules.Count;

        for (int i = 0; i < count; i++)
        {
            ApplicationAccessRule current = accessRules[i];

            Utils.Trace(
                (int)Utils.TraceMasks.Error,
                "IdentityName={0}, Right={1}, RuleType={2}",
                current.IdentityName,
                current.Right,
                current.RuleType);
        }
    }
}