/// <summary>
/// Returns an object that can be used to access the store containing the certificate.
/// </summary>
/// <returns>An instance of the <see cref="ICertificateStore"/> poined out by the current value of </returns>
public ICertificateStore OpenStore()
{
ICertificateStore store = CertificateStoreIdentifier.CreateStore(this.StoreType);
store.Open(this.StorePath);
return(store);
}
/// <summary>
/// Opens the store.
/// </summary>
/// <param name="path">The path.</param>
/// <returns>The store.</returns>
public static ICertificateStore OpenStore(string path)
{
ICertificateStore store = CertificateStoreIdentifier.CreateStore(CertificateStoreIdentifier.DetermineStoreType(path));
store.Open(path);
return(store);
}
/// <summary>
/// Finds a certificate in a store.
/// </summary>
/// <param name="needPrivateKey">if set to <c>true</c> the returned certificate must contain the private key.</param>
/// <returns>An instance of the <see cref="X509Certificate2"/> that is emebeded by this instance or find it in
/// the selected strore pointed out by the <see cref="StorePath"/> using selected <see cref="SubjectName"/>.</returns>
public X509Certificate2 Find(bool needPrivateKey)
{
X509Certificate2 certificate = null;
// check if the entire certificate has been specified.
if (m_certificate != null && (!needPrivateKey || m_certificate.HasPrivateKey))
{
certificate = m_certificate;
}
else
{
// open store.
using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(StoreType))
{
store.Open(StorePath);
certificate = Find(store.Enumerate(), m_thumbprint, m_subjectName, needPrivateKey);
if (certificate != null)
{
m_certificate = certificate;
}
}
}
// use the single instance in the certificate cache.
if (needPrivateKey)
{
certificate = m_certificate = CertificateFactory.Load(certificate, true);
}
return(certificate);
}
/// <summary>
/// Returns an object that can be used to access the store containing the certificate.
/// </summary>
/// <returns>An instance of the <see cref="ICertificateStore"/> poined out by the current value of </returns>
public ICertificateStore OpenStore()
{
ICertificateStore store = CertificateStoreIdentifier.CreateStore(this.StoreType);
Task t = Task.Run(() => store.Open(this.StorePath));
t.Wait();
return(store);
}
/// <summary>
/// Updates the validator with a new set of trust lists.
/// </summary>
public virtual void Update(
CertificateTrustList issuerStore,
CertificateTrustList trustedStore,
CertificateStoreIdentifier rejectedCertificateStore)
{
lock (m_lock)
{
m_validatedCertificates.Clear();
m_trustedCertificateStore = null;
m_trustedCertificateList = null;
if (trustedStore != null)
{
m_trustedCertificateStore = new CertificateStoreIdentifier();
m_trustedCertificateStore.StoreType = trustedStore.StoreType;
m_trustedCertificateStore.StorePath = trustedStore.StorePath;
m_trustedCertificateStore.ValidationOptions = trustedStore.ValidationOptions;
if (trustedStore.TrustedCertificates != null)
{
m_trustedCertificateList = new CertificateIdentifierCollection();
m_trustedCertificateList.AddRange(trustedStore.TrustedCertificates);
}
}
m_issuerCertificateStore = null;
m_issuerCertificateList = null;
if (issuerStore != null)
{
m_issuerCertificateStore = new CertificateStoreIdentifier();
m_issuerCertificateStore.StoreType = issuerStore.StoreType;
m_issuerCertificateStore.StorePath = issuerStore.StorePath;
m_issuerCertificateStore.ValidationOptions = issuerStore.ValidationOptions;
if (issuerStore.TrustedCertificates != null)
{
m_issuerCertificateList = new CertificateIdentifierCollection();
m_issuerCertificateList.AddRange(issuerStore.TrustedCertificates);
}
}
m_rejectedCertificateStore = null;
if (rejectedCertificateStore != null)
{
m_rejectedCertificateStore = (CertificateStoreIdentifier)rejectedCertificateStore.MemberwiseClone();
}
}
}
/// <summary>
/// Updates the validator with a new set of trust lists.
/// </summary>
public virtual void Update(
CertificateTrustList issuerStore,
CertificateTrustList trustedStore,
CertificateStoreIdentifier rejectedCertificateStore)
{
lock (m_lock)
{
m_validatedCertificates.Clear();
m_trustedCertificateStore = null;
m_trustedCertificateList = null;
if (trustedStore != null)
{
m_trustedCertificateStore = new CertificateStoreIdentifier();
m_trustedCertificateStore.StoreType = trustedStore.StoreType;
m_trustedCertificateStore.StorePath = trustedStore.StorePath;
m_trustedCertificateStore.ValidationOptions = trustedStore.ValidationOptions;
if (trustedStore.TrustedCertificates != null)
{
m_trustedCertificateList = new CertificateIdentifierCollection();
m_trustedCertificateList.AddRange(trustedStore.TrustedCertificates);
}
}
m_issuerCertificateStore = null;
m_issuerCertificateList = null;
if (issuerStore != null)
{
m_issuerCertificateStore = new CertificateStoreIdentifier();
m_issuerCertificateStore.StoreType = issuerStore.StoreType;
m_issuerCertificateStore.StorePath = issuerStore.StorePath;
m_issuerCertificateStore.ValidationOptions = issuerStore.ValidationOptions;
if (issuerStore.TrustedCertificates != null)
{
m_issuerCertificateList = new CertificateIdentifierCollection();
m_issuerCertificateList.AddRange(issuerStore.TrustedCertificates);
}
}
m_rejectedCertificateStore = null;
if (rejectedCertificateStore != null)
{
m_rejectedCertificateStore = (CertificateStoreIdentifier)rejectedCertificateStore.Clone();
}
}
}
/// <summary>
/// Add to certificate store
/// </summary>
/// <param name="identifier"></param>
/// <param name="certificate"></param>
/// <param name="noCopy"></param>
/// <returns></returns>
public static void AddToStore(this CertificateIdentifier identifier,
X509Certificate2 certificate, bool noCopy = false)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
using (var store = CertificateStoreIdentifier.CreateStore(identifier.StoreType)) {
store.Open(identifier.StorePath);
store.Add(certificate.YieldReturn(), noCopy);
}
}
/// <summary>
/// Remove from certificate store
/// </summary>
/// <param name="identifier"></param>
/// <param name="certificate"></param>
public static void RemoveFromStore(this CertificateIdentifier identifier,
X509Certificate2 certificate)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
using (var store = CertificateStoreIdentifier.CreateStore(identifier.StoreType)) {
store.Open(identifier.StorePath);
store.Remove(certificate.YieldReturn());
}
}
/// <summary>
/// Validates the security configuration.
/// </summary>
public void Validate()
{
if (m_applicationCertificate == null)
{
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationCertificate must be specified.");
}
TrustedIssuerCertificates = CreateDefaultTrustList(TrustedIssuerCertificates);
TrustedPeerCertificates = CreateDefaultTrustList(TrustedPeerCertificates);
//set a default rejected certificate store.
if (RejectedCertificateStore == null)
{
RejectedCertificateStore = new CertificateStoreIdentifier();
RejectedCertificateStore.StoreType = CertificateStoreType.Directory;
RejectedCertificateStore.StorePath = Utils.DefaultLocalFolder + Path.DirectorySeparatorChar + "Rejected";
}
}
/// <summary>
/// Validates the security configuration.
/// </summary>
public void Validate()
{
if (m_applicationCertificate == null)
{
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationCertificate must be specified.");
}
TrustedIssuerCertificates = CreateDefaultTrustList(TrustedIssuerCertificates);
TrustedPeerCertificates = CreateDefaultTrustList(TrustedPeerCertificates);
//set a default rejected certificate store.
if (RejectedCertificateStore == null)
{
RejectedCertificateStore = new CertificateStoreIdentifier();
RejectedCertificateStore.StoreType = CertificateStoreType.Directory;
RejectedCertificateStore.StorePath = Utils.DefaultLocalFolder + Path.DirectorySeparatorChar + "Rejected";
}
}
/// <summary>
/// Gets the private key file path.
/// </summary>
public string GetPrivateKeyFilePath()
{
X509Certificate2 certificate = Find(false);
if (certificate == null)
{
return(null);
}
ICertificateStore store = CertificateStoreIdentifier.CreateStore(this.StoreType);
try {
store.Open(this.StorePath);
return(store.GetPrivateKeyFilePath(certificate.Thumbprint));
} finally {
store.Close();
}
}
/// <summary>
/// Validates the security configuration.
/// </summary>
public void Validate()
{
if (m_applicationCertificate == null)
{
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationCertificate must be specified.");
}
TrustedIssuerCertificates = CreateDefaultTrustList(TrustedIssuerCertificates);
TrustedPeerCertificates = CreateDefaultTrustList(TrustedPeerCertificates);
// set a default rejected certificate store.
if (RejectedCertificateStore == null)
{
RejectedCertificateStore = new CertificateStoreIdentifier();
RejectedCertificateStore.StoreType = CertificateStoreType.Directory;
RejectedCertificateStore.StorePath = "%CommonApplicationData%\\OPC Foundation\\CertificateStores\\RejectedCertificates";
}
}
/// <summary>
/// Validates the security configuration.
/// </summary>
public void Validate()
{
if (m_applicationCertificate == null)
{
throw ServiceResultException.Create(StatusCodes.BadConfigurationError, "ApplicationCertificate must be specified.");
}
TrustedIssuerCertificates = CreateDefaultTrustList(TrustedIssuerCertificates);
TrustedPeerCertificates = CreateDefaultTrustList(TrustedPeerCertificates);
//set a default rejected certificate store.
if (RejectedCertificateStore == null)
{
RejectedCertificateStore = new CertificateStoreIdentifier();
RejectedCertificateStore.StoreType = CertificateStoreType.Directory;
RejectedCertificateStore.StorePath = ApplicationData.Current.LocalFolder.Path + "\\OPC Foundation\\CertificateStores\\RejectedCertificates";
}
}
/// <summary>
/// Loads the private key for the certificate with an optional password.
/// </summary>
public async Task <X509Certificate2> LoadPrivateKeyEx(ICertificatePasswordProvider passwordProvider)
{
if (this.StoreType != CertificateStoreType.X509Store)
{
using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(StoreType))
{
if (store.SupportsLoadPrivateKey)
{
store.Open(this.StorePath, false);
string password = passwordProvider?.GetPassword(this);
m_certificate = await store.LoadPrivateKey(this.Thumbprint, this.SubjectName, password).ConfigureAwait(false);
return(m_certificate);
}
}
}
return(await Find(true).ConfigureAwait(false));
}
public async Task <X509Certificate2Collection> GetCertificates()
{
X509Certificate2Collection collection = new X509Certificate2Collection();
CertificateStoreIdentifier id = new CertificateStoreIdentifier();
id.StoreType = this.StoreType;
id.StorePath = this.StorePath;
if (!String.IsNullOrEmpty(id.StorePath))
{
try
{
ICertificateStore store = id.OpenStore();
try
{
collection = await store.Enumerate().ConfigureAwait(false);
}
finally
{
store.Close();
}
}
catch (Exception)
{
// TODO check all StorePath references to not leak information
Utils.LogError("Could not load certificates from store: {0}.", this.StorePath);
}
}
foreach (CertificateIdentifier trustedCertificate in TrustedCertificates)
{
X509Certificate2 certificate = await trustedCertificate.Find().ConfigureAwait(false);
if (certificate != null)
{
collection.Add(certificate);
}
}
return(collection);
}
/// <summary>
/// Finds a certificate in a store.
/// </summary>
/// <param name="needPrivateKey">if set to <c>true</c> the returned certificate must contain the private key.</param>
/// <returns>An instance of the <see cref="X509Certificate2"/> that is embedded by this instance or find it in
/// the selected store pointed out by the <see cref="StorePath"/> using selected <see cref="SubjectName"/>.</returns>
public async Task <X509Certificate2> Find(bool needPrivateKey)
{
X509Certificate2 certificate = null;
// check if the entire certificate has been specified.
if (m_certificate != null && (!needPrivateKey || m_certificate.HasPrivateKey))
{
certificate = m_certificate;
}
else
{
// open store.
using (ICertificateStore store = CertificateStoreIdentifier.CreateStore(StoreType))
{
store.Open(StorePath, false);
X509Certificate2Collection collection = await store.Enumerate().ConfigureAwait(false);
certificate = Find(collection, m_thumbprint, m_subjectName, needPrivateKey);
if (certificate != null)
{
if (needPrivateKey && store.SupportsLoadPrivateKey)
{
var message = new StringBuilder();
message.AppendLine("Loaded a certificate with private key from store {0}.");
message.AppendLine("Ensure to call LoadPrivateKeyEx with password provider before calling Find(true).");
Utils.LogWarning(message.ToString(), StoreType);
}
m_certificate = certificate;
}
}
}
// use the single instance in the certificate cache.
if (needPrivateKey)
{
certificate = m_certificate = CertificateFactory.Load(certificate, true);
}
return(certificate);
}
public X509Certificate2Collection GetCertificates()
{
X509Certificate2Collection collection = new X509Certificate2Collection();
CertificateStoreIdentifier id = new CertificateStoreIdentifier();
id.StoreType = this.StoreType;
id.StorePath = this.StorePath;
if (!String.IsNullOrEmpty(id.StorePath))
{
try
{
ICertificateStore store = id.OpenStore();
try
{
collection = store.Enumerate();
}
finally
{
store.Close();
}
}
catch (Exception)
{
Utils.Trace("Could not load certificates from store: {0}.", this.StorePath);
}
}
foreach (CertificateIdentifier trustedCertificate in TrustedCertificates)
{
X509Certificate2 certificate = trustedCertificate.Find();
if (certificate != null)
{
collection.Add(certificate);
}
}
return(collection);
}
public async Task<X509Certificate2Collection> GetCertificates()
{
X509Certificate2Collection collection = new X509Certificate2Collection();
CertificateStoreIdentifier id = new CertificateStoreIdentifier();
id.StoreType = this.StoreType;
id.StorePath = this.StorePath;
if (!String.IsNullOrEmpty(id.StorePath))
{
try
{
ICertificateStore store = id.OpenStore();
try
{
collection = await store.Enumerate();
}
finally
{
store.Close();
}
}
catch (Exception)
{
Utils.Trace("Could not load certificates from store: {0}.", this.StorePath);
}
}
foreach (CertificateIdentifier trustedCertificate in TrustedCertificates)
{
X509Certificate2 certificate = await trustedCertificate.Find();
if (certificate != null)
{
collection.Add(certificate);
}
}
return collection;
}
/// <summary>
/// Adds an application certificate to a store.
/// </summary>
private static void AddIssuerCertificatesToStore(CertificateStoreIdentifier csid, IList<X509Certificate2> issuers)
{
ICertificateStore store = csid.OpenStore();
try
{
foreach (X509Certificate2 issuer in issuers)
{
if (store.FindByThumbprint(issuer.Thumbprint) == null)
{
store.Add(issuer);
}
}
}
finally
{
store.Close();
}
}
/// <summary>
/// Adds the application certificate to the discovery server trust list.
/// </summary>
public static void AddToDiscoveryServerTrustList(
X509Certificate2 certificate,
string oldThumbprint,
IList<X509Certificate2> issuers,
CertificateStoreIdentifier trustedCertificateStore)
{
Utils.Trace(Utils.TraceMasks.Information, "Adding certificate to discovery server trust list.");
try
{
string configurationPath = Utils.GetAbsoluteFilePath(@"%CommonApplicationData%\OPC Foundation\Config\Opc.Ua.DiscoveryServer.Config.xml", true, false, false);
if (configurationPath == null)
{
throw new ServiceResultException("Could not find the discovery server configuration file. Please confirm that it is installed.");
}
Opc.Ua.Security.SecuredApplication ldsConfiguration = new Opc.Ua.Security.SecurityConfigurationManager().ReadConfiguration(configurationPath);
CertificateStoreIdentifier csid = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(ldsConfiguration.TrustedCertificateStore);
AddApplicationCertificateToStore(csid, certificate, oldThumbprint);
if (issuers != null && ldsConfiguration.IssuerCertificateStore != null)
{
csid = Opc.Ua.Security.SecuredApplication.FromCertificateStoreIdentifier(ldsConfiguration.IssuerCertificateStore);
AddIssuerCertificatesToStore(csid, issuers);
}
CertificateIdentifier cid = Opc.Ua.Security.SecuredApplication.FromCertificateIdentifier(ldsConfiguration.ApplicationCertificate);
X509Certificate2 ldsCertificate = cid.Find(false);
// add LDS certificate to application trust list.
if (ldsCertificate != null && trustedCertificateStore != null)
{
AddApplicationCertificateToStore(csid, ldsCertificate, null);
}
}
catch (Exception e)
{
Utils.Trace(e, "Could not add certificate to discovery server trust list.");
}
}
/// <summary>
/// Adds an application certificate to a store.
/// </summary>
private static void AddApplicationCertificateToStore(
CertificateStoreIdentifier csid,
X509Certificate2 certificate,
string oldThumbprint)
{
ICertificateStore store = csid.OpenStore();
try
{
// delete the old certificate.
if (oldThumbprint != null)
{
store.Delete(oldThumbprint);
}
// delete certificates with the same application uri.
if (store.FindByThumbprint(certificate.Thumbprint) == null)
{
string applicationUri = Utils.GetApplicationUriFromCertficate(certificate);
// delete any existing certificates.
foreach (X509Certificate2 target in store.Enumerate())
{
if (Utils.CompareDistinguishedName(target.Subject, certificate.Subject))
{
if (Utils.GetApplicationUriFromCertficate(target) == applicationUri)
{
store.Delete(target.Thumbprint);
}
}
}
// add new certificate.
store.Add(new X509Certificate2(certificate.RawData));
}
}
finally
{
store.Close();
}
}
/// <summary>
/// Returns the certificate information for a trusted issuer certificate.
/// </summary>
private async Task <CertificateIdentifier> GetIssuer(
X509Certificate2 certificate,
CertificateIdentifierCollection explicitList,
CertificateStoreIdentifier certificateStore,
bool checkRecovationStatus)
{
string subjectName = certificate.IssuerName.Name;
string keyId = null;
string serialNumber = null;
// find the authority key identifier.
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(certificate);
if (authority != null)
{
keyId = authority.KeyId;
serialNumber = authority.SerialNumber;
}
// check in explicit list.
if (explicitList != null)
{
for (int ii = 0; ii < explicitList.Count; ii++)
{
X509Certificate2 issuer = await explicitList[ii].Find(false);
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
// can't check revocation.
return(new CertificateIdentifier(issuer, CertificateValidationOptions.SuppressRevocationStatusUnknown));
}
}
}
}
// check in certificate store.
if (certificateStore != null)
{
ICertificateStore store = certificateStore.OpenStore();
try
{
X509Certificate2Collection certificates = await store.Enumerate();
for (int ii = 0; ii < certificates.Count; ii++)
{
X509Certificate2 issuer = certificates[ii];
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
CertificateValidationOptions options = certificateStore.ValidationOptions;
// already checked revocation for file based stores. windows based stores always suppress.
options |= CertificateValidationOptions.SuppressRevocationStatusUnknown;
if (checkRecovationStatus)
{
StatusCode status = store.IsRevoked(issuer, certificate);
if (StatusCode.IsBad(status))
{
if (status != StatusCodes.BadNotSupported && status != StatusCodes.BadCertificateRevocationUnknown)
{
throw new ServiceResultException(status);
}
}
}
return(new CertificateIdentifier(certificates[ii], options));
}
}
}
}
finally
{
store.Close();
}
}
// not a trusted issuer.
return(null);
}
/// <summary>
/// Returns the certificate information for a trusted issuer certificate.
/// </summary>
private CertificateIdentifier GetIssuer(
X509Certificate2 certificate,
CertificateIdentifierCollection explicitList,
CertificateStoreIdentifier certificateStore,
bool checkRecovationStatus)
{
string subjectName = certificate.IssuerName.Name;
string keyId = null;
string serialNumber = null;
// find the authority key identifier.
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(certificate);
if (authority != null)
{
keyId = authority.KeyId;
serialNumber = authority.SerialNumber;
}
// check in explicit list.
if (explicitList != null)
{
for (int ii = 0; ii < explicitList.Count; ii++)
{
X509Certificate2 issuer = explicitList[ii].Find(false);
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
// can't check revocation.
return new CertificateIdentifier(issuer, CertificateValidationOptions.SuppressRevocationStatusUnknown);
}
}
}
}
// check in certificate store.
if (certificateStore != null)
{
ICertificateStore store = certificateStore.OpenStore();
try
{
X509Certificate2Collection certificates = store.Enumerate();
for (int ii = 0; ii < certificates.Count; ii++)
{
X509Certificate2 issuer = certificates[ii];
if (issuer != null)
{
if (!IsIssuerAllowed(issuer))
{
continue;
}
if (Match(issuer, subjectName, serialNumber, keyId))
{
CertificateValidationOptions options = certificateStore.ValidationOptions;
// already checked revocation for file based stores. windows based stores always suppress.
options |= CertificateValidationOptions.SuppressRevocationStatusUnknown;
if (checkRecovationStatus)
{
StatusCode status = store.IsRevoked(issuer, certificate);
if (StatusCode.IsBad(status))
{
if (status != StatusCodes.BadNotSupported && status != StatusCodes.BadCertificateRevocationUnknown)
{
throw new ServiceResultException(status);
}
}
}
return new CertificateIdentifier(certificates[ii], options);
}
}
}
}
finally
{
store.Close();
}
}
// not a trusted issuer.
return null;
}
