/// <summary> /// Shows the dialog. /// </summary> /// <param name="e">The <see cref="Opc.Ua.CertificateValidationEventArgs"/> instance containing the event data.</param> /// <returns>True if the certificate was accepted.</returns> public AcceptCertificateOptions ShowDialog(CertificateValidationEventArgs e) { SubjectTB.Text = Utils.Format("{0}", e.Certificate.Subject); IssuerTB.Text = Utils.Format("{0}", (e.Certificate.Subject == e.Certificate.Issuer)?"Self-signed":e.Certificate.Issuer); ValidFromTB.Text = Utils.Format("{0:yyyy-MM-dd}", e.Certificate.NotBefore); ValidToTB.Text = Utils.Format("{0:yyyy-MM-dd}", e.Certificate.NotAfter); ThumbprintTB.Text = Utils.Format("{0}", e.Certificate.Thumbprint); AlwaysAcceptAllRB.Enabled = false; AlwaysAcceptSingleRB.Enabled = false; AlwaysRejectRB.Enabled = false; OneTimeAcceptRB.Checked = true; if (ShowDialog() != DialogResult.OK) { return AcceptCertificateOptions.RejectOnce; } if (OneTimeAcceptRB.Checked) { return AcceptCertificateOptions.AcceptOnceForCurrent; } return AcceptCertificateOptions.RejectOnce; }
/// <summary> /// Called when a certificate cannot be validated. /// </summary> /// <param name="sender">The sender.</param> /// <param name="e">The <see cref="Opc.Ua.CertificateValidationEventArgs"/> instance containing the event data.</param> void CertificateValidator_CertificateValidation(CertificateValidator sender, CertificateValidationEventArgs e) { // need to dispatch to the main UI thread. if (InvokeRequired) { Invoke(new CertificateValidationEventHandler(CertificateValidator_CertificateValidation), sender, e); return; } try { e.Accept = true; /* // prompt user. switch (new AcceptCertificateDlg().ShowDialog(e)) { case AcceptCertificateOptions.AcceptAlwaysForAll: case AcceptCertificateOptions.AcceptAlwaysForCurrent: case AcceptCertificateOptions.AcceptOnceForCurrent: { // TBD - update configuration to make the acceptance permenent. e.Accept = true; break; } case AcceptCertificateOptions.RejectAlways: { // TBD - update configuration to make the rejection permenent. e.Accept = false; break; } } */ } catch (Exception exception) { MessageBox.Show(exception.Message); } }
/// <summary> /// Handles a certificate validation error. /// </summary> void CertificateValidator_CertificateValidation(CertificateValidator validator, CertificateValidationEventArgs e) { try { Opc.Ua.Client.Controls.GuiUtils.HandleCertificateValidationError(this, validator, e); } catch (Exception exception) { Opc.Ua.Client.Controls.GuiUtils.HandleException(this.Text, MethodBase.GetCurrentMethod(), exception); } }
/// <summary> /// Validates a certificate. /// </summary> /// <remarks> /// Each UA application may have a list of trusted certificates that is different from /// all other UA applications that may be running on the same machine. As a result, the /// certificate validator cannot rely completely on the Windows certificate store and /// user or machine specific CTLs (certificate trust lists). /// /// The validator constructs the trust chain for the certificate and follows the chain /// until it finds a certification that is in the application trust list. Non-fatal trust /// chain errors (i.e. certificate expired) are ignored if the certificate is in the /// application trust list. /// /// If no certificate in the chain is trusted then the validator will still accept the /// certification if there are no trust chain errors. /// /// The validator may be configured to ignore the application trust list and/or trust chain. /// </remarks> public virtual void Validate(X509Certificate2Collection chain) { X509Certificate2 certificate = chain[0]; try { InternalValidate(chain); // add to list of validated certificates. lock (m_lock) { m_validatedCertificates[certificate.Thumbprint] = certificate; } } catch (ServiceResultException e) { // check for errors that may be suppressed. switch (e.StatusCode) { case StatusCodes.BadCertificateHostNameInvalid: case StatusCodes.BadCertificateIssuerRevocationUnknown: case StatusCodes.BadCertificateIssuerTimeInvalid: case StatusCodes.BadCertificateIssuerUseNotAllowed: case StatusCodes.BadCertificateRevocationUnknown: case StatusCodes.BadCertificateTimeInvalid: case StatusCodes.BadCertificateUriInvalid: case StatusCodes.BadCertificateUseNotAllowed: case StatusCodes.BadCertificateUntrusted: { break; } default: { throw new ServiceResultException(e, StatusCodes.BadCertificateInvalid); } } // invoke callback. bool accept = false; lock (m_callbackLock) { if (m_CertificateValidation != null) { CertificateValidationEventArgs args = new CertificateValidationEventArgs(new ServiceResult(e), certificate); m_CertificateValidation(this, args); accept = args.Accept; } } // throw if rejected. if (!accept) { // write the invalid certificate to a directory if specified. lock (m_lock) { Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)e.StatusCode); if (m_rejectedCertificateStore != null) { Utils.Trace((int)Utils.TraceMasks.Error, "Writing rejected certificate to directory: {0}", m_rejectedCertificateStore); SaveCertificate(certificate); } } throw new ServiceResultException(e, StatusCodes.BadCertificateInvalid); } // add to list of peers. lock (m_lock) { m_validatedCertificates[certificate.Thumbprint] = certificate; } } }
/// <summary> /// Handles an error validating the server certificate. /// </summary> /// <remarks> /// Applications should never accept certificates silently. Doing do will create the illusion of security /// that will come back to haunt the vendor in the future. Compliance tests by the OPC Foundation will /// fail products that silently accept untrusted certificates. /// </remarks> static void CertificateValidator_CertificateValidation(CertificateValidator validator, CertificateValidationEventArgs e) { e.Accept = true; Console.WriteLine("WARNING: Accepting Untrusted Certificate: {0}", e.Certificate.Subject); }
/// <summary> /// Prompts the user to accept an untrusted certificate. /// </summary> private void CertificateValidator_CertificateValidation(CertificateValidator sender, CertificateValidationEventArgs e) { if (this.InvokeRequired) { this.Invoke(new CertificateValidationEventHandler(CertificateValidator_CertificateValidation), sender, e); return; } try { DialogResult result = MessageBox.Show( e.Certificate.Subject, "Untrusted Certificate", MessageBoxButtons.YesNo, MessageBoxIcon.Warning); e.Accept = (result == DialogResult.Yes); } catch (Exception exception) { MessageBox.Show(exception.Message, this.Text, MessageBoxButtons.OK, MessageBoxIcon.Error); } }
private static void CertificateValidator_CertificateValidation(CertificateValidator validator, CertificateValidationEventArgs e) { if (e.Error.StatusCode == StatusCodes.BadCertificateUntrusted) { e.Accept = false; Console.WriteLine("Rejected Certificate: {0}", e.Certificate.Subject); } }
/// <summary> /// Handles a certificate validation error. /// </summary> private static void CertificateValidator_CertificateValidation(CertificateValidator validator, CertificateValidationEventArgs e) { try { if (e.Error != null && e.Error.Code == StatusCodes.BadCertificateUntrusted) { e.Accept = true; Utils.Trace((int)Utils.TraceMasks.Security, "Automatically accepted certificate: {0}", e.Certificate.Subject); } } catch (Exception exception) { Utils.Trace(exception, "Error accepting certificate."); } }
/// <summary> /// Validates a certificate. /// </summary> /// <remarks> /// Each UA application may have a list of trusted certificates that is different from /// all other UA applications that may be running on the same machine. As a result, the /// certificate validator cannot rely completely on the Windows certificate store and /// user or machine specific CTLs (certificate trust lists). /// /// The validator constructs the trust chain for the certificate and follows the chain /// until it finds a certification that is in the application trust list. Non-fatal trust /// chain errors (i.e. certificate expired) are ignored if the certificate is in the /// application trust list. /// /// If no certificate in the chain is trusted then the validator will still accept the /// certification if there are no trust chain errors. /// /// The validator may be configured to ignore the application trust list and/or trust chain. /// </remarks> public virtual void Validate(X509Certificate2Collection chain) { X509Certificate2 certificate = chain[0]; try { lock (m_lock) { InternalValidate(chain).GetAwaiter().GetResult(); // add to list of validated certificates. m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData); } } catch (ServiceResultException se) { // check for errors that may be suppressed. switch (se.StatusCode) { case StatusCodes.BadCertificateHostNameInvalid: case StatusCodes.BadCertificateIssuerRevocationUnknown: case StatusCodes.BadCertificateChainIncomplete: case StatusCodes.BadCertificateIssuerTimeInvalid: case StatusCodes.BadCertificateIssuerUseNotAllowed: case StatusCodes.BadCertificateRevocationUnknown: case StatusCodes.BadCertificateTimeInvalid: case StatusCodes.BadCertificatePolicyCheckFailed: case StatusCodes.BadCertificateUseNotAllowed: case StatusCodes.BadCertificateUntrusted: { Utils.Trace("Certificate Vaildation failed for '{0}'. Reason={1}", certificate.Subject, (StatusCode)se.StatusCode); break; } default: { // write the invalid certificate to rejected store if specified. Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)se.StatusCode); SaveCertificate(certificate); throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid); } } // invoke callback. bool accept = false; lock (m_callbackLock) { if (m_CertificateValidation != null) { CertificateValidationEventArgs args = new CertificateValidationEventArgs(new ServiceResult(se), certificate); m_CertificateValidation(this, args); accept = args.Accept; } } // throw if rejected. if (!accept) { // write the invalid certificate to rejected store if specified. Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)se.StatusCode); SaveCertificate(certificate); throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid); } // add to list of peers. lock (m_lock) { Utils.Trace("Validation error suppressed for '{0}'.", certificate.Subject); m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData); } } }
/// <summary> /// Always accept server certificates. /// </summary> void CertificateValidator_CertificateValidation(CertificateValidator validator, CertificateValidationEventArgs e) { e.Accept = true; }
/// <summary> /// Validates a certificate. /// </summary> /// <remarks> /// Each UA application may have a list of trusted certificates that is different from /// all other UA applications that may be running on the same machine. As a result, the /// certificate validator cannot rely completely on the Windows certificate store and /// user or machine specific CTLs (certificate trust lists). /// /// The validator constructs the trust chain for the certificate and follows the chain /// until it finds a certification that is in the application trust list. Non-fatal trust /// chain errors (i.e. certificate expired) are ignored if the certificate is in the /// application trust list. /// /// If no certificate in the chain is trusted then the validator will still accept the /// certification if there are no trust chain errors. /// /// The validator may be configured to ignore the application trust list and/or trust chain. /// </remarks> public virtual void Validate(X509Certificate2Collection chain) { X509Certificate2 certificate = chain[0]; try { lock (m_lock) { InternalValidate(chain).Wait(); // add to list of validated certificates. m_validatedCertificates[certificate.Thumbprint] = certificate; } } catch (AggregateException ae) { foreach (ServiceResultException e in ae.InnerExceptions) { // check for errors that may be suppressed. switch (e.StatusCode) { case StatusCodes.BadCertificateHostNameInvalid: case StatusCodes.BadCertificateIssuerRevocationUnknown: case StatusCodes.BadCertificateIssuerTimeInvalid: case StatusCodes.BadCertificateIssuerUseNotAllowed: case StatusCodes.BadCertificateRevocationUnknown: case StatusCodes.BadCertificateTimeInvalid: case StatusCodes.BadCertificateUriInvalid: case StatusCodes.BadCertificateUseNotAllowed: case StatusCodes.BadCertificateUntrusted: { Utils.Trace("Cert Validate failed: {0}", (StatusCode)e.StatusCode); break; } default: { throw new ServiceResultException(e, StatusCodes.BadCertificateInvalid); } } // invoke callback. bool accept = false; lock (m_callbackLock) { if (m_CertificateValidation != null) { CertificateValidationEventArgs args = new CertificateValidationEventArgs(new ServiceResult(e), certificate); m_CertificateValidation(this, args); accept = args.Accept; } } // throw if rejected. if (!accept) { // write the invalid certificate to a directory if specified. lock (m_lock) { Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)e.StatusCode); if (m_rejectedCertificateStore != null) { Utils.Trace((int)Utils.TraceMasks.Error, "Writing rejected certificate to directory: {0}", m_rejectedCertificateStore); SaveCertificate(certificate); } } throw new ServiceResultException(e, StatusCodes.BadCertificateInvalid); } // add to list of peers. lock (m_lock) { m_validatedCertificates[certificate.Thumbprint] = certificate; } break; } } }
/// <summary> /// Validates a certificate with domain validation check. /// <see cref="Validate(X509Certificate2Collection)"/> /// </summary> public virtual void Validate(X509Certificate2Collection chain, ConfiguredEndpoint endpoint) { X509Certificate2 certificate = chain[0]; try { lock (m_lock) { InternalValidate(chain, endpoint).GetAwaiter().GetResult(); // add to list of validated certificates. m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData); } } catch (ServiceResultException se) { // check for errors that may be suppressed. if (ContainsUnsuppressibleSC(se.Result)) { SaveCertificate(certificate); Utils.Trace(Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}.", certificate.Subject, se.Result.ToString()); TraceInnerServiceResults(se.Result); throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid); } else { Utils.Trace("Certificate Vaildation failed for '{0}'. Reason={1}", certificate.Subject, se.ToLongString()); TraceInnerServiceResults(se.Result); } // invoke callback. bool accept = false; ServiceResult serviceResult = se.Result; lock (m_callbackLock) { if (m_CertificateValidation != null) { do { CertificateValidationEventArgs args = new CertificateValidationEventArgs(serviceResult, certificate); m_CertificateValidation(this, args); if (args.AcceptAll) { accept = true; serviceResult = null; break; } accept = args.Accept; if (accept) { serviceResult = serviceResult.InnerResult; } else { // report the rejected service result se = new ServiceResultException(serviceResult); } } while (accept && serviceResult != null); } } // throw if rejected. if (!accept) { // write the invalid certificate to rejected store if specified. Utils.Trace(Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, serviceResult.ToString()); SaveCertificate(certificate); throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid); } // add to list of peers. lock (m_lock) { Utils.Trace("Validation error suppressed for '{0}'.", certificate.Subject); m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData); } } }
/// <summary> /// Handles a certificate validation error. /// </summary> private void CertificateValidator_CertificateValidation(CertificateValidator sender, CertificateValidationEventArgs e) { if (this.InvokeRequired) { this.Invoke(new CertificateValidationEventHandler(CertificateValidator_CertificateValidation), sender, e); return; } try { e.Accept = m_configuration.SecurityConfiguration.AutoAcceptUntrustedCertificates; if (!m_configuration.SecurityConfiguration.AutoAcceptUntrustedCertificates) { DialogResult result = MessageBox.Show( e.Certificate.Subject, "Untrusted Certificate", MessageBoxButtons.YesNo, MessageBoxIcon.Warning); e.Accept = (result == DialogResult.Yes); } } catch (Exception exception) { ClientUtils.HandleException(this.Text, exception); } }
private void validateCerts(Opc.Ua.CertificateValidator sender, Opc.Ua.CertificateValidationEventArgs e) { e.Accept = true; }
/// <summary> /// Handles a certificate validation error. /// </summary> private void CertificateValidator_CertificateValidation(CertificateValidator sender, CertificateValidationEventArgs e) { e.Accept = true; }