private ICertificateStore CreateStore(string storePath)
{
ICertificateStore store = CertificateStoreIdentifier.CreateStore(CertificateStoreIdentifier.DetermineStoreType(storePath));
store.Open(storePath);
return(store);
}
protected CertificateGroup(
string authoritiesStorePath,
CertificateGroupConfiguration certificateGroupConfiguration
)
{
m_authoritiesStorePath = authoritiesStorePath;
m_authoritiesStoreType = CertificateStoreIdentifier.DetermineStoreType(m_authoritiesStorePath);
Configuration = certificateGroupConfiguration;
}
protected CertificateGroup(
string authoritiesStorePath,
CertificateGroupConfiguration certificateGroupConfiguration
)
{
m_authoritiesStorePath = authoritiesStorePath;
m_authoritiesStoreType = CertificateStoreIdentifier.DetermineStoreType(m_authoritiesStorePath);
Configuration = certificateGroupConfiguration;
m_subjectName = Configuration.SubjectName.Replace("localhost", Utils.GetHostName());
}
private void BrowseBTN_Click(object sender, EventArgs e)
{
CertificateStoreIdentifier store = new CertificateStoreIdentifier();
store.StoreType = CertificateStoreIdentifier.DetermineStoreType(CertificateStoreControl.Text);
store.StorePath = CertificateStoreControl.Text;
store = new CertificateStoreDlg().ShowDialog(store);
if (store == null)
{
return;
}
CertificateStoreControl.Text = store.StorePath;
if (m_CertificateStoreSelected != null)
{
m_CertificateStoreSelected(this, new EventArgs());
}
}
/// <summary>
/// Revoke the CA signed certificate.
/// The issuer CA public key, the private key and the crl reside in the storepath.
/// The CRL number is increased by one and existing CRL for the issuer are deleted from the store.
/// </summary>
public static async Task <X509CRL> RevokeCertificateAsync(
string storePath,
X509Certificate2 certificate,
string issuerKeyFilePassword = null
)
{
X509CRL updatedCRL = null;
try
{
string subjectName = certificate.IssuerName.Name;
string keyId = null;
string serialNumber = null;
// caller may want to create empty CRL using the CA cert itself
bool isCACert = IsCertificateAuthority(certificate);
// find the authority key identifier.
X509AuthorityKeyIdentifierExtension authority = FindAuthorityKeyIdentifier(certificate);
if (authority != null)
{
keyId = authority.KeyId;
serialNumber = authority.SerialNumber;
}
else
{
throw new ArgumentException("Certificate does not contain an Authority Key");
}
if (!isCACert)
{
if (serialNumber == certificate.SerialNumber ||
Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer))
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Cannot revoke self signed certificates");
}
}
X509Certificate2 certCA = null;
using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(storePath))
{
if (store == null)
{
throw new ArgumentException("Invalid store path/type");
}
certCA = await FindIssuerCABySerialNumberAsync(store, certificate.Issuer, serialNumber);
if (certCA == null)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Cannot find issuer certificate in store.");
}
if (!certCA.HasPrivateKey)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Issuer certificate has no private key, cannot revoke certificate.");
}
CertificateIdentifier certCAIdentifier = new CertificateIdentifier(certCA);
certCAIdentifier.StorePath = storePath;
certCAIdentifier.StoreType = CertificateStoreIdentifier.DetermineStoreType(storePath);
X509Certificate2 certCAWithPrivateKey = await certCAIdentifier.LoadPrivateKey(issuerKeyFilePassword);
if (certCAWithPrivateKey == null)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Failed to load issuer private key. Is the password correct?");
}
List <X509CRL> certCACrl = store.EnumerateCRLs(certCA, false);
using (var cfrg = new CertificateFactoryRandomGenerator())
{
// cert generators
SecureRandom random = new SecureRandom(cfrg);
BigInteger crlSerialNumber = BigInteger.Zero;
Org.BouncyCastle.X509.X509Certificate bcCertCA = new X509CertificateParser().ReadCertificate(certCA.RawData);
AsymmetricKeyParameter signingKey = GetPrivateKeyParameter(certCAWithPrivateKey);
ISignatureFactory signatureFactory =
new Asn1SignatureFactory(GetRSAHashAlgorithm(defaultHashSize), signingKey, random);
X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
crlGen.SetIssuerDN(bcCertCA.IssuerDN);
crlGen.SetThisUpdate(DateTime.UtcNow);
crlGen.SetNextUpdate(DateTime.UtcNow.AddMonths(12));
// merge all existing revocation list
X509CrlParser parser = new X509CrlParser();
foreach (X509CRL caCrl in certCACrl)
{
X509Crl crl = parser.ReadCrl(caCrl.RawData);
crlGen.AddCrl(crl);
var crlVersion = GetCrlNumber(crl);
if (crlVersion.IntValue > crlSerialNumber.IntValue)
{
crlSerialNumber = crlVersion;
}
}
if (isCACert)
{
// add a dummy revoked cert
crlGen.AddCrlEntry(BigInteger.One, DateTime.UtcNow, CrlReason.Superseded);
}
else
{
// add the revoked cert
crlGen.AddCrlEntry(GetSerialNumber(certificate), DateTime.UtcNow, CrlReason.PrivilegeWithdrawn);
}
crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier,
false,
new AuthorityKeyIdentifierStructure(bcCertCA));
// set new serial number
crlSerialNumber = crlSerialNumber.Add(BigInteger.One);
crlGen.AddExtension(X509Extensions.CrlNumber,
false,
new CrlNumber(crlSerialNumber));
// generate updated CRL
X509Crl updatedCrl = crlGen.Generate(signatureFactory);
// add updated CRL to store
updatedCRL = new X509CRL(updatedCrl.GetEncoded());
store.AddCRL(updatedCRL);
// delete outdated CRLs from store
foreach (X509CRL caCrl in certCACrl)
{
store.DeleteCRL(caCrl);
}
}
store.Close();
}
}
catch (Exception e)
{
throw e;
}
return(updatedCRL);
}
public async Task Initialize(
GlobalDiscoveryClientConfiguration configuration,
GlobalDiscoveryServerClient gds,
ServerPushConfigurationClient server,
RegisteredApplication application,
bool isHttps)
{
m_configuration = configuration;
m_gds = gds;
m_server = server;
m_application = application;
m_certificate = null;
m_certificatePassword = null;
CertificateRequestTimer.Enabled = false;
RequestProgressLabel.Visible = false;
ApplyChangesButton.Enabled = false;
CertificateControl.ShowNothing();
X509Certificate2 certificate = null;
if (!isHttps)
{
if (server.Endpoint != null && server.Endpoint.Description.ServerCertificate != null)
{
certificate = new X509Certificate2(server.Endpoint.Description.ServerCertificate);
}
else if (application != null)
{
if (!String.IsNullOrEmpty(application.CertificatePublicKeyPath))
{
string file = Utils.GetAbsoluteFilePath(application.CertificatePublicKeyPath, true, false, false);
if (file != null)
{
certificate = new X509Certificate2(file);
}
}
else if (!String.IsNullOrEmpty(application.CertificateStorePath))
{
CertificateIdentifier id = new CertificateIdentifier
{
StorePath = application.CertificateStorePath
};
id.StoreType = CertificateStoreIdentifier.DetermineStoreType(id.StorePath);
id.SubjectName = application.CertificateSubjectName.Replace("localhost", Utils.GetHostName());
certificate = await id.Find(true);
}
}
}
else
{
if (application != null)
{
if (!String.IsNullOrEmpty(application.HttpsCertificatePublicKeyPath))
{
string file = Utils.GetAbsoluteFilePath(application.HttpsCertificatePublicKeyPath, true, false, false);
if (file != null)
{
certificate = new X509Certificate2(file);
}
}
else
{
foreach (string disoveryUrl in application.DiscoveryUrl)
{
if (Uri.IsWellFormedUriString(disoveryUrl, UriKind.Absolute))
{
Uri url = new Uri(disoveryUrl);
CertificateIdentifier id = new CertificateIdentifier()
{
StoreType = CertificateStoreType.X509Store,
StorePath = "CurrentUser\\UA_MachineDefault",
SubjectName = "CN=" + url.DnsSafeHost
};
certificate = await id.Find();
}
}
}
}
}
if (certificate != null)
{
try
{
CertificateControl.Tag = certificate.Thumbprint;
}
catch (Exception)
{
MessageBox.Show(
Parent,
"The certificate does not appear to be valid. Please check configuration settings.",
Parent.Text,
MessageBoxButtons.OK,
MessageBoxIcon.Error);
certificate = null;
}
}
WarningLabel.Visible = certificate == null;
if (certificate != null)
{
m_certificate = certificate;
CertificateControl.ShowValue(null, "Application Certificate", new CertificateWrapper()
{
Certificate = certificate
}, true);
}
}
private async void CertificateRequestTimer_Tick(object sender, EventArgs e)
{
try
{
NodeId requestId = NodeId.Parse(m_application.CertificateRequestId);
byte[] privateKeyPFX = null;
byte[][] issuerCertificates = null;
byte[] certificate = m_gds.FinishRequest(
m_application.ApplicationId,
requestId,
out privateKeyPFX,
out issuerCertificates);
if (certificate == null)
{
// request not done yet, try again in a few seconds
return;
}
CertificateRequestTimer.Enabled = false;
RequestProgressLabel.Visible = false;
if (m_application.RegistrationType != RegistrationType.ServerPush)
{
X509Certificate2 newCert = new X509Certificate2(certificate);
if (!String.IsNullOrEmpty(m_application.CertificateStorePath) && !String.IsNullOrEmpty(m_application.CertificateSubjectName))
{
CertificateIdentifier cid = new CertificateIdentifier()
{
StorePath = m_application.CertificateStorePath,
StoreType = CertificateStoreIdentifier.DetermineStoreType(m_application.CertificateStorePath),
SubjectName = m_application.CertificateSubjectName.Replace("localhost", Utils.GetHostName())
};
// update store
using (var store = CertificateStoreIdentifier.OpenStore(m_application.CertificateStorePath))
{
// if we used a CSR, we already have a private key and therefore didn't request one from the GDS
// in this case, privateKey is null
if (privateKeyPFX == null)
{
X509Certificate2 oldCertificate = await cid.Find(true);
if (oldCertificate != null && oldCertificate.HasPrivateKey)
{
oldCertificate = await cid.LoadPrivateKey(string.Empty);
newCert = CertificateFactory.CreateCertificateWithPrivateKey(newCert, oldCertificate);
await store.Delete(oldCertificate.Thumbprint);
}
else
{
throw new ServiceResultException("Failed to merge signed certificate with the private key.");
}
}
else
{
newCert = new X509Certificate2(privateKeyPFX, string.Empty, X509KeyStorageFlags.Exportable);
newCert = CertificateFactory.Load(newCert, true);
}
await store.Add(newCert);
}
}
else
{
DialogResult result = DialogResult.Yes;
string absoluteCertificatePublicKeyPath = Utils.GetAbsoluteFilePath(m_application.CertificatePublicKeyPath, true, false, false) ?? m_application.CertificatePublicKeyPath;
FileInfo file = new FileInfo(absoluteCertificatePublicKeyPath);
if (file.Exists)
{
result = MessageBox.Show(
Parent,
"Replace certificate " +
absoluteCertificatePublicKeyPath +
"?",
Parent.Text,
MessageBoxButtons.YesNo,
MessageBoxIcon.Exclamation);
}
if (result == DialogResult.Yes)
{
byte[] exportedCert;
if (string.Compare(file.Extension, ".PEM", true) == 0)
{
exportedCert = CertificateFactory.ExportCertificateAsPEM(newCert);
}
else
{
exportedCert = newCert.Export(X509ContentType.Cert);
}
File.WriteAllBytes(absoluteCertificatePublicKeyPath, exportedCert);
}
// if we provided a PFX or P12 with the private key, we need to merge the new cert with the private key
if (m_application.GetPrivateKeyFormat(m_server?.GetSupportedKeyFormats()) == "PFX")
{
string absoluteCertificatePrivateKeyPath = Utils.GetAbsoluteFilePath(m_application.CertificatePrivateKeyPath, true, false, false) ?? m_application.CertificatePrivateKeyPath;
file = new FileInfo(absoluteCertificatePrivateKeyPath);
if (file.Exists)
{
result = MessageBox.Show(
Parent,
"Replace private key " +
absoluteCertificatePrivateKeyPath +
"?",
Parent.Text,
MessageBoxButtons.YesNo,
MessageBoxIcon.Exclamation);
}
if (result == DialogResult.Yes)
{
if (file.Exists)
{
byte[] pkcsData = File.ReadAllBytes(absoluteCertificatePrivateKeyPath);
X509Certificate2 oldCertificate = CertificateFactory.CreateCertificateFromPKCS12(pkcsData, m_certificatePassword);
newCert = CertificateFactory.CreateCertificateWithPrivateKey(newCert, oldCertificate);
pkcsData = newCert.Export(X509ContentType.Pfx, m_certificatePassword);
File.WriteAllBytes(absoluteCertificatePrivateKeyPath, pkcsData);
if (privateKeyPFX != null)
{
throw new ServiceResultException("Did not expect a private key for this operation.");
}
}
else
{
File.WriteAllBytes(absoluteCertificatePrivateKeyPath, privateKeyPFX);
}
}
}
}
// update trust list.
if (!String.IsNullOrEmpty(m_application.TrustListStorePath))
{
using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(m_application.TrustListStorePath))
{
foreach (byte[] issuerCertificate in issuerCertificates)
{
X509Certificate2 x509 = new X509Certificate2(issuerCertificate);
X509Certificate2Collection certs = await store.FindByThumbprint(x509.Thumbprint);
if (certs.Count == 0)
{
await store.Add(new X509Certificate2(issuerCertificate));
}
}
}
}
m_certificate = newCert;
}
else
{
if (privateKeyPFX != null && privateKeyPFX.Length > 0)
{
var x509 = new X509Certificate2(privateKeyPFX, m_certificatePassword, X509KeyStorageFlags.Exportable);
privateKeyPFX = x509.Export(X509ContentType.Pfx);
}
bool applyChanges = m_server.UpdateCertificate(
null,
m_server.ApplicationCertificateType,
certificate,
(privateKeyPFX != null) ? "PFX" : null,
privateKeyPFX,
issuerCertificates);
if (applyChanges)
{
MessageBox.Show(
Parent,
"The certificate was updated, however, the apply changes command must be sent before the server will use the new certificate.",
Parent.Text,
MessageBoxButtons.OK,
MessageBoxIcon.Information);
ApplyChangesButton.Enabled = true;
}
}
CertificateControl.ShowValue(null, "Application Certificate", new CertificateWrapper()
{
Certificate = m_certificate
}, true);
}
catch (Exception exception)
{
if (exception is ServiceResultException sre && sre.StatusCode == StatusCodes.BadNothingToDo)
{
return;
}
RequestProgressLabel.Visible = false;
CertificateRequestTimer.Enabled = false;
Opc.Ua.Client.Controls.ExceptionDlg.Show(Text, exception);
}
}
private async Task RequestNewCertificatePullMode(object sender, EventArgs e)
{
try
{
// check if we already have a private key
NodeId requestId = null;
if (!string.IsNullOrEmpty(m_application.CertificateStorePath))
{
CertificateIdentifier id = new CertificateIdentifier
{
StoreType = CertificateStoreIdentifier.DetermineStoreType(m_application.CertificateStorePath),
StorePath = m_application.CertificateStorePath,
SubjectName = m_application.CertificateSubjectName.Replace("localhost", Utils.GetHostName())
};
m_certificate = await id.Find(true);
if (m_certificate != null &&
m_certificate.HasPrivateKey)
{
m_certificate = await id.LoadPrivateKey(m_certificatePassword);
}
}
bool hasPrivateKeyFile = false;
if (!string.IsNullOrEmpty(m_application.CertificatePrivateKeyPath))
{
FileInfo file = new FileInfo(m_application.CertificatePrivateKeyPath);
hasPrivateKeyFile = file.Exists;
}
var domainNames = m_application.GetDomainNames(m_certificate);
if (m_certificate == null)
{
// no private key
requestId = m_gds.StartNewKeyPairRequest(
m_application.ApplicationId,
null,
null,
m_application.CertificateSubjectName.Replace("localhost", Utils.GetHostName()),
domainNames,
"PFX",
m_certificatePassword);
}
else
{
X509Certificate2 csrCertificate = null;
if (m_certificate.HasPrivateKey)
{
csrCertificate = m_certificate;
}
else
{
string absoluteCertificatePrivateKeyPath = Utils.GetAbsoluteFilePath(m_application.CertificatePrivateKeyPath, true, false, false);
byte[] pkcsData = File.ReadAllBytes(absoluteCertificatePrivateKeyPath);
if (m_application.GetPrivateKeyFormat(m_server?.GetSupportedKeyFormats()) == "PFX")
{
csrCertificate = CertificateFactory.CreateCertificateFromPKCS12(pkcsData, m_certificatePassword);
}
else
{
csrCertificate = CertificateFactory.CreateCertificateWithPEMPrivateKey(m_certificate, pkcsData, m_certificatePassword);
}
}
byte[] certificateRequest = CertificateFactory.CreateSigningRequest(csrCertificate, domainNames);
requestId = m_gds.StartSigningRequest(m_application.ApplicationId, null, null, certificateRequest);
}
m_application.CertificateRequestId = requestId.ToString();
CertificateRequestTimer.Enabled = true;
RequestProgressLabel.Visible = true;
WarningLabel.Visible = false;
}
catch (Exception ex)
{
Opc.Ua.Client.Controls.ExceptionDlg.Show(Text, ex);
}
}
/// <inheritdoc/>
public IApplicationConfigurationBuilderSecurityOptions AddSecurityConfiguration(
string subjectName,
string pkiRoot = null,
string appRoot = null,
string rejectedRoot = null
)
{
pkiRoot = DefaultPKIRoot(pkiRoot);
appRoot = appRoot == null ? pkiRoot : DefaultPKIRoot(appRoot);
rejectedRoot = rejectedRoot == null ? pkiRoot : DefaultPKIRoot(rejectedRoot);
var appStoreType = CertificateStoreIdentifier.DetermineStoreType(appRoot);
var pkiRootType = CertificateStoreIdentifier.DetermineStoreType(pkiRoot);
var rejectedRootType = CertificateStoreIdentifier.DetermineStoreType(rejectedRoot);
ApplicationConfiguration.SecurityConfiguration = new SecurityConfiguration {
// app cert store
ApplicationCertificate = new CertificateIdentifier()
{
StoreType = appStoreType,
StorePath = DefaultCertificateStorePath(TrustlistType.Application, appRoot),
SubjectName = Utils.ReplaceDCLocalhost(subjectName)
},
// App trusted & issuer
TrustedPeerCertificates = new CertificateTrustList()
{
StoreType = pkiRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.Trusted, pkiRoot)
},
TrustedIssuerCertificates = new CertificateTrustList()
{
StoreType = pkiRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.Issuer, pkiRoot)
},
// Https trusted & issuer
TrustedHttpsCertificates = new CertificateTrustList()
{
StoreType = pkiRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.TrustedHttps, pkiRoot)
},
HttpsIssuerCertificates = new CertificateTrustList()
{
StoreType = pkiRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.IssuerHttps, pkiRoot)
},
// User trusted & issuer
TrustedUserCertificates = new CertificateTrustList()
{
StoreType = pkiRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.TrustedUser, pkiRoot)
},
UserIssuerCertificates = new CertificateTrustList()
{
StoreType = pkiRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.IssuerUser, pkiRoot)
},
// rejected store
RejectedCertificateStore = new CertificateTrustList()
{
StoreType = rejectedRootType,
StorePath = DefaultCertificateStorePath(TrustlistType.Rejected, rejectedRoot)
},
// ensure secure default settings
AutoAcceptUntrustedCertificates = false,
AddAppCertToTrustedStore = false,
RejectSHA1SignedCertificates = true,
RejectUnknownRevocationStatus = true,
SuppressNonceValidationErrors = false,
SendCertificateChain = false,
MinimumCertificateKeySize = CertificateFactory.DefaultKeySize
};
return(this);
}
/// <summary>
/// Determine the default store path for a given trust list type.
/// </summary>
/// <param name="trustListType">The trust list type.</param>
/// <param name="pkiRoot">A PKI root for which the store path is needed.</param>
private string DefaultCertificateStorePath(TrustlistType trustListType, string pkiRoot)
{
var pkiRootType = CertificateStoreIdentifier.DetermineStoreType(pkiRoot);
if (pkiRootType.Equals(CertificateStoreType.Directory, StringComparison.OrdinalIgnoreCase))
{
string leafPath = "";
// see https://reference.opcfoundation.org/v104/GDS/docs/F.1/
switch (trustListType)
{
case TrustlistType.Application: leafPath = "own"; break;
case TrustlistType.Trusted: leafPath = "trusted"; break;
case TrustlistType.Issuer: leafPath = "issuer"; break;
case TrustlistType.TrustedHttps: leafPath = "trustedHttps"; break;
case TrustlistType.IssuerHttps: leafPath = "issuerHttps"; break;
case TrustlistType.TrustedUser: leafPath = "trustedUser"; break;
case TrustlistType.IssuerUser: leafPath = "issuerUser"; break;
case TrustlistType.Rejected: leafPath = "rejected"; break;
}
// Caller may have already provided the leaf path, then no need to add.
int startIndex = pkiRoot.Length - leafPath.Length;
char lastChar = pkiRoot.Last();
if (lastChar == Path.DirectorySeparatorChar ||
lastChar == Path.AltDirectorySeparatorChar)
{
startIndex--;
}
if (startIndex > 0)
{
if (pkiRoot.Substring(startIndex, leafPath.Length).Equals(leafPath, StringComparison.OrdinalIgnoreCase))
{
return(pkiRoot);
}
}
return(Path.Combine(pkiRoot, leafPath));
}
else if (pkiRootType.Equals(CertificateStoreType.X509Store, StringComparison.OrdinalIgnoreCase))
{
switch (trustListType)
{
case TrustlistType.Application:
#if !NETFRAMEWORK
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) &&
pkiRoot.StartsWith(CertificateStoreIdentifier.CurrentUser, StringComparison.OrdinalIgnoreCase))
{
return(pkiRoot + "My");
}
#endif
return(pkiRoot + "UA_MachineDefault");
case TrustlistType.Trusted:
return(pkiRoot + "UA_Trusted");
case TrustlistType.Issuer:
return(pkiRoot + "UA_Issuer");
case TrustlistType.TrustedHttps:
return(pkiRoot + "UA_Trusted_Https");
case TrustlistType.IssuerHttps:
return(pkiRoot + "UA_Issuer_Https");
case TrustlistType.TrustedUser:
return(pkiRoot + "UA_Trusted_User");
case TrustlistType.IssuerUser:
return(pkiRoot + "UA_Issuer_User");
case TrustlistType.Rejected:
return(pkiRoot + "UA_Rejected");
}
}
throw new NotSupportedException("Unsupported store type.");
}
/// <summary>
/// Revoke the CA signed certificate.
/// The issuer CA public key, the private key and the crl reside in the storepath.
/// The CRL number is increased by one and existing CRL for the issuer are deleted from the store.
/// </summary>
public static async Task <X509CRL> RevokeCertificateAsync(
string storePath,
X509Certificate2 certificate,
string issuerKeyFilePassword = null
)
{
X509CRL updatedCRL = null;
string subjectName = certificate.IssuerName.Name;
string keyId = null;
string serialNumber = null;
// caller may want to create empty CRL using the CA cert itself
bool isCACert = X509Utils.IsCertificateAuthority(certificate);
// find the authority key identifier.
X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(certificate);
if (authority != null)
{
keyId = authority.KeyIdentifier;
serialNumber = authority.SerialNumber;
}
else
{
throw new ArgumentException("Certificate does not contain an Authority Key");
}
if (!isCACert)
{
if (serialNumber == certificate.SerialNumber ||
X509Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer))
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Cannot revoke self signed certificates");
}
}
X509Certificate2 certCA = null;
using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(storePath))
{
if (store == null)
{
throw new ArgumentException("Invalid store path/type");
}
certCA = await X509Utils.FindIssuerCABySerialNumberAsync(store, certificate.Issuer, serialNumber).ConfigureAwait(false);
if (certCA == null)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Cannot find issuer certificate in store.");
}
if (!certCA.HasPrivateKey)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Issuer certificate has no private key, cannot revoke certificate.");
}
CertificateIdentifier certCAIdentifier = new CertificateIdentifier(certCA)
{
StorePath = storePath,
StoreType = CertificateStoreIdentifier.DetermineStoreType(storePath)
};
X509Certificate2 certCAWithPrivateKey = await certCAIdentifier.LoadPrivateKey(issuerKeyFilePassword).ConfigureAwait(false);
if (certCAWithPrivateKey == null)
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Failed to load issuer private key. Is the password correct?");
}
List <X509CRL> certCACrl = store.EnumerateCRLs(certCA, false);
var certificateCollection = new X509Certificate2Collection()
{
};
if (!isCACert)
{
certificateCollection.Add(certificate);
}
updatedCRL = CertificateFactory.RevokeCertificate(certCAWithPrivateKey, certCACrl, certificateCollection);
store.AddCRL(updatedCRL);
// delete outdated CRLs from store
foreach (X509CRL caCrl in certCACrl)
{
store.DeleteCRL(caCrl);
}
store.Close();
}
return(updatedCRL);
}
/// <summary>
/// Determine the default store path for a given trust list type.
/// </summary>
/// <param name="trustListType">The trust list type.</param>
/// <param name="pkiRoot">A PKI root for which the store path is needed.</param>
private string DefaultCertificateStorePath(TrustlistType trustListType, string pkiRoot)
{
var pkiRootType = CertificateStoreIdentifier.DetermineStoreType(pkiRoot);
if (pkiRootType.Equals(CertificateStoreType.Directory, StringComparison.OrdinalIgnoreCase))
{
switch (trustListType)
{
case TrustlistType.Application:
return(pkiRoot + "/own");
case TrustlistType.Trusted:
return(pkiRoot + "/trusted");
case TrustlistType.Issuer:
return(pkiRoot + "/issuer");
case TrustlistType.TrustedHttps:
return(pkiRoot + "/trustedHttps");
case TrustlistType.IssuerHttps:
return(pkiRoot + "/issuerHttps");
case TrustlistType.TrustedUser:
return(pkiRoot + "/trustedUser");
case TrustlistType.IssuerUser:
return(pkiRoot + "/issuerUser");
case TrustlistType.Rejected:
return(pkiRoot + "/rejected");
}
}
else if (pkiRootType.Equals(CertificateStoreType.X509Store, StringComparison.OrdinalIgnoreCase))
{
switch (trustListType)
{
case TrustlistType.Application:
#if !NETFRAMEWORK
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows) &&
pkiRoot.StartsWith(CertificateStoreIdentifier.CurrentUser, StringComparison.OrdinalIgnoreCase))
{
return(pkiRoot + "My");
}
#endif
return(pkiRoot + "UA_MachineDefault");
case TrustlistType.Trusted:
return(pkiRoot + "UA_Trusted");
case TrustlistType.Issuer:
return(pkiRoot + "UA_Issuer");
case TrustlistType.TrustedHttps:
return(pkiRoot + "UA_Trusted_Https");
case TrustlistType.IssuerHttps:
return(pkiRoot + "UA_Issuer_Https");
case TrustlistType.TrustedUser:
return(pkiRoot + "UA_Trusted_User");
case TrustlistType.IssuerUser:
return(pkiRoot + "UA_Issuer_User");
case TrustlistType.Rejected:
return(pkiRoot + "UA_Rejected");
}
}
throw new NotSupportedException("Unsupported store type.");
}
private void RequestNewButton_Click(object sender, EventArgs e)
{
try
{
NodeId requestId = null;
bool newPrivateKeyRequired = false;
if (!String.IsNullOrEmpty(m_application.CertificatePrivateKeyPath))
{
string path = Utils.GetAbsoluteFilePath(m_application.CertificatePrivateKeyPath, true, false, false);
newPrivateKeyRequired = path == null;
}
else if (!String.IsNullOrEmpty(m_application.CertificateStorePath))
{
CertificateIdentifier id = new CertificateIdentifier();
id.StoreType = CertificateStoreIdentifier.DetermineStoreType(m_application.CertificateStorePath);
id.StorePath = m_application.CertificateStorePath;
id.SubjectName = m_application.CertificateSubjectName.Replace("localhost", System.Net.Dns.GetHostName());
newPrivateKeyRequired = id.Find(true) == null;
}
else if (!String.IsNullOrEmpty(m_application.ServerUrl))
{
newPrivateKeyRequired = true;
}
byte[] certificateRequest = null;
if (m_application.RegistrationType == RegistrationType.ServerPush)
{
byte[] nonce = new byte[32];
System.Security.Cryptography.RandomNumberGenerator.Create().GetBytes(nonce);
certificateRequest = m_server.CreateCertificateRequest(null, null, null, false, nonce);
newPrivateKeyRequired = false;
if (m_server.Endpoint != null && m_server.Endpoint.Description.ServerCertificate != null)
{
m_certificate = new X509Certificate2(m_server.Endpoint.Description.ServerCertificate);
}
}
if (newPrivateKeyRequired || RequestNewPrivateKey || m_certificate == null)
{
m_certificatePassword = null; // Guid.NewGuid().ToString();
string privateKeyFormat = GetPrivateKeyFormat();
string[] domainNames = GetDomainNames();
string subjectName = GetSubjectName(domainNames);
requestId = m_gds.StartNewKeyPairRequest(
m_application.ApplicationId,
null,
null,
subjectName,
domainNames,
privateKeyFormat,
m_certificatePassword);
}
else
{
if (certificateRequest == null)
{
var certificate = m_certificate;
byte[] privateKey = null;
bool isPemKey = false;
if (!certificate.HasPrivateKey)
{
if (!String.IsNullOrEmpty(m_application.CertificatePrivateKeyPath))
{
string path = Utils.GetAbsoluteFilePath(m_application.CertificatePrivateKeyPath, true, false, false);
if (path != null)
{
privateKey = File.ReadAllBytes(path);
isPemKey = path.EndsWith("PEM", StringComparison.OrdinalIgnoreCase);
}
}
}
certificateRequest = CertificateAuthority.CreateRequest(
certificate,
privateKey,
isPemKey,
null,
null,
null,
null,
256);
}
requestId = m_gds.StartSigningRequest(m_application.ApplicationId, null, null, certificateRequest);
}
m_application.CertificateRequestId = requestId.ToString();
CertificateRequestTimer.Enabled = true;
RequestProgressLabel.Visible = true;
WarningLabel.Visible = false;
}
catch (Exception exception)
{
MessageBox.Show(Parent.Text + ": " + exception.Message);
}
}