Enforce Valid Certificate Store configuration (#3023)

* fix Null Reference Exceptions on nonconfigured certificate stores

* try to fix gds tests

* Use explicit null check

* Validate Certificate Store configuration on startup in SecurityConfiguration.Validate.
Remove Obsolete CertificateStore Properties.

* remove unecessary fields

* fix tests

* fix client config

* Validate Stores by opening them

* fix typo

* check stores instead of storepath

* fix ClientTest

* Add Tests for Validate Mehtod of SecurityConfiguration

* Update ApplicationConfiguration xsd to respect stricter validation

Author: romanett

Applications/ConsoleReferenceClient/Quickstarts.ReferenceClient.Config.xml

@@ -80,12 +80,17 @@
     <AddAppCertToTrustedStore>false</AddAppCertToTrustedStore>
     <SendCertificateChain>true</SendCertificateChain>
 
+    <!-- Where the User issers list is stored-->
+    <UserIssuerCertificates>
+      <StoreType>Directory</StoreType>
+      <StorePath>%LocalApplicationData%/OPC Foundation/pki/userIssuer</StorePath>
+    </UserIssuerCertificates>
+    
     <!-- Where the User trust list is stored-->
     <TrustedUserCertificates>
       <StoreType>Directory</StoreType>
       <StorePath>%LocalApplicationData%/OPC Foundation/pki/trustedUser</StorePath>
     </TrustedUserCertificates>
-
   </SecurityConfiguration>
 
   <TransportConfigurations></TransportConfigurations>

Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs

@@ -88,24 +88,35 @@ ApplicationConfiguration configuration
                 IssuerStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.TrustedIssuerCertificates.StorePath),
                 TrustedStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.TrustedPeerCertificates.StorePath)
             };
+            m_certificateGroups.Add(defaultApplicationGroup);
 
-            ServerCertificateGroup defaultUserGroup = new ServerCertificateGroup {
-                NodeId = Opc.Ua.ObjectIds.ServerConfiguration_CertificateGroups_DefaultUserTokenGroup,
-                BrowseName = Opc.Ua.BrowseNames.DefaultUserTokenGroup,
-                CertificateTypes = new NodeId[] { },
-                ApplicationCertificates = new CertificateIdentifierCollection(),
-                IssuerStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.UserIssuerCertificates?.StorePath),
-                TrustedStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.TrustedUserCertificates?.StorePath)
-            };
-
-            ServerCertificateGroup defaultHttpsGroup = new ServerCertificateGroup {
-                NodeId = Opc.Ua.ObjectIds.ServerConfiguration_CertificateGroups_DefaultHttpsGroup,
-                BrowseName = Opc.Ua.BrowseNames.DefaultHttpsGroup,
-                CertificateTypes = new NodeId[] { },
-                ApplicationCertificates = new CertificateIdentifierCollection(),
-                IssuerStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.HttpsIssuerCertificates?.StorePath),
-                TrustedStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.TrustedHttpsCertificates?.StorePath)
-            };
+            if (configuration.SecurityConfiguration.UserIssuerCertificates != null && configuration.SecurityConfiguration.TrustedUserCertificates != null)
+            {
+                ServerCertificateGroup defaultUserGroup = new ServerCertificateGroup {
+                    NodeId = Opc.Ua.ObjectIds.ServerConfiguration_CertificateGroups_DefaultUserTokenGroup,
+                    BrowseName = Opc.Ua.BrowseNames.DefaultUserTokenGroup,
+                    CertificateTypes = new NodeId[] { },
+                    ApplicationCertificates = new CertificateIdentifierCollection(),
+                    IssuerStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.UserIssuerCertificates.StorePath),
+                    TrustedStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.TrustedUserCertificates.StorePath)
+                };
+
+                m_certificateGroups.Add(defaultUserGroup);
+            }
+            ServerCertificateGroup defaultHttpsGroup = null;
+            if (configuration.SecurityConfiguration.HttpsIssuerCertificates != null && configuration.SecurityConfiguration.TrustedHttpsCertificates != null)
+            {
+                defaultHttpsGroup = new ServerCertificateGroup {
+                    NodeId = Opc.Ua.ObjectIds.ServerConfiguration_CertificateGroups_DefaultHttpsGroup,
+                    BrowseName = Opc.Ua.BrowseNames.DefaultHttpsGroup,
+                    CertificateTypes = new NodeId[] { },
+                    ApplicationCertificates = new CertificateIdentifierCollection(),
+                    IssuerStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.HttpsIssuerCertificates.StorePath),
+                    TrustedStore = new CertificateStoreIdentifier(configuration.SecurityConfiguration.TrustedHttpsCertificates.StorePath)
+                };
+
+                m_certificateGroups.Add(defaultHttpsGroup);
+            }
 
             // For each certificate in ApplicationCertificates, add the certificate type to ServerConfiguration_CertificateGroups_DefaultApplicationGroup
             // under the CertificateTypes field.
@@ -114,16 +125,13 @@ ApplicationConfiguration configuration
                 defaultApplicationGroup.CertificateTypes = defaultApplicationGroup.CertificateTypes.Concat(new NodeId[] { cert.CertificateType }).ToArray();
                 defaultApplicationGroup.ApplicationCertificates.Add(cert);
 
-                if (cert.CertificateType == ObjectTypeIds.HttpsCertificateType)
+                if (cert.CertificateType == ObjectTypeIds.HttpsCertificateType && defaultHttpsGroup != null)
                 {
                     defaultHttpsGroup.CertificateTypes = defaultHttpsGroup.CertificateTypes.Concat(new NodeId[] { cert.CertificateType }).ToArray();
                     defaultHttpsGroup.ApplicationCertificates.Add(cert);
                 }
             }
 
-            m_certificateGroups.Add(defaultApplicationGroup);
-            m_certificateGroups.Add(defaultHttpsGroup);
-            m_certificateGroups.Add(defaultUserGroup);
         }
         #endregion
 
@@ -557,6 +565,11 @@ private ServiceResult UpdateCertificate(
                     {
                         using (ICertificateStore appStore = existingCertIdentifier.OpenStore())
                         {
+                            if (appStore == null)
+                            {
+                                throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open application certificate store.");
+                            }
+
                             Utils.LogCertificate(Utils.TraceMasks.Security, "Delete application certificate: ", existingCertIdentifier.Certificate);
                             appStore.Delete(existingCertIdentifier.Thumbprint).Wait();
                             Utils.LogCertificate(Utils.TraceMasks.Security, "Add new application certificate: ", updateCertificate.CertificateWithPrivateKey);
@@ -573,6 +586,11 @@ private ServiceResult UpdateCertificate(
                         ICertificateStore issuerStore = certificateGroup.IssuerStore.OpenStore();
                         try
                         {
+                            if (issuerStore == null)
+                            {
+                                throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open issuer certificate store.");
+                            }
+
                             foreach (var issuer in updateCertificate.IssuerCollection)
                             {
                                 try
@@ -769,13 +787,16 @@ private ServiceResult GetRejectedList(
             ICertificateStore store = m_rejectedStore.OpenStore();
             try
             {
-                X509Certificate2Collection collection = store.Enumerate().Result;
-                List<byte[]> rawList = new List<byte[]>();
-                foreach (var cert in collection)
+                if (store != null)
                 {
-                    rawList.Add(cert.RawData);
+                    X509Certificate2Collection collection = store.Enumerate().Result;
+                    List<byte[]> rawList = new List<byte[]>();
+                    foreach (var cert in collection)
+                    {
+                        rawList.Add(cert.RawData);
+                    }
+                    certificates = rawList.ToArray();
                 }
-                certificates = rawList.ToArray();
             }
             finally
             {

Libraries/Opc.Ua.Server/Configuration/TrustList.cs

@@ -144,6 +144,11 @@ private ServiceResult Open(
                 ICertificateStore store = m_trustedStore.OpenStore();
                 try
                 {
+                    if (store == null)
+                    {
+                        throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open trusted certificate store.");
+                    }
+
                     if ((masks & TrustListMasks.TrustedCertificates) != 0)
                     {
                         X509Certificate2Collection certificates = store.Enumerate().GetAwaiter().GetResult();
@@ -160,6 +165,7 @@ private ServiceResult Open(
                             trustList.TrustedCrls.Add(crl.RawData);
                         }
                     }
+
                 }
                 finally
                 {
@@ -169,6 +175,12 @@ private ServiceResult Open(
                 store = m_issuerStore.OpenStore();
                 try
                 {
+
+                    if (store == null)
+                    {
+                        throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open issuer certificate store.");
+                    }
+
                     if ((masks & TrustListMasks.IssuerCertificates) != 0)
                     {
                         X509Certificate2Collection certificates = store.Enumerate().GetAwaiter().GetResult();
@@ -185,6 +197,7 @@ private ServiceResult Open(
                             trustList.IssuerCrls.Add(crl.RawData);
                         }
                     }
+
                 }
                 finally
                 {
@@ -524,6 +537,11 @@ private ServiceResult RemoveCertificate(
                     var storeIdentifier = isTrustedCertificate ? m_trustedStore : m_issuerStore;
                     using (ICertificateStore store = storeIdentifier.OpenStore())
                     {
+                        if (store == null)
+                        {
+                            throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open certificate store.");
+                        }
+
                         var certCollection = store.FindByThumbprint(thumbprint).GetAwaiter().GetResult();
 
                         if (certCollection.Count == 0)
@@ -563,6 +581,7 @@ private ServiceResult RemoveCertificate(
                                 }
                             }
                         }
+
                     }
 
                     m_node.LastUpdateTime.Value = DateTime.UtcNow;
@@ -622,6 +641,11 @@ private async Task<bool> UpdateStoreCrls(
                 ICertificateStore store = storeIdentifier.OpenStore();
                 try
                 {
+                    if (store == null)
+                    {
+                        throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open certificate store.");
+                    }
+
                     var storeCrls = await store.EnumerateCRLs().ConfigureAwait(false);
                     foreach (var crl in storeCrls)
                     {
@@ -664,6 +688,11 @@ private async Task<bool> UpdateStoreCertificates(
                 ICertificateStore store = storeIdentifier.OpenStore();
                 try
                 {
+                    if (store == null)
+                    {
+                        throw new ServiceResultException(StatusCodes.BadConfigurationError, "Failed to open certificate store.");
+                    }
+
                     var storeCerts = await store.Enumerate().ConfigureAwait(false);
                     foreach (var cert in storeCerts)
                     {

Stack/Opc.Ua.Core/Schema/ApplicationConfiguration.cs

@@ -884,7 +884,7 @@ public CertificateIdentifierCollection ApplicationCertificates
         /// <summary>
         /// The store containing any additional issuer certificates.
         /// </summary>
-        [DataMember(IsRequired = false, EmitDefaultValue = false, Order = 2)]
+        [DataMember(IsRequired = true, EmitDefaultValue = false, Order = 2)]
         public CertificateTrustList TrustedIssuerCertificates
         {
             get
@@ -901,7 +901,7 @@ public CertificateTrustList TrustedIssuerCertificates
         /// <summary>
         /// The trusted certificate store.
         /// </summary>
-        [DataMember(IsRequired = false, EmitDefaultValue = false, Order = 4)]
+        [DataMember(IsRequired = true, EmitDefaultValue = false, Order = 4)]
         public CertificateTrustList TrustedPeerCertificates
         {
             get
@@ -2052,7 +2052,7 @@ public bool HttpsMutualTls
         /// Enable / disable support for durable subscriptions
         /// </summary>
         /// <value><c>true</c> if durable subscriptions are enabled; otherwise, <c>false</c>.</value>
-        [DataMember(IsRequired = false, EmitDefaultValue = false, Order = 38)]
+        [DataMember(IsRequired = false, EmitDefaultValue = false, Order = 39)]
         public bool DurableSubscriptionsEnabled
         {
             get { return m_DurableSubscriptionsEnabled; }
@@ -2063,7 +2063,7 @@ public bool DurableSubscriptionsEnabled
         /// The maximum number of notifications saved in the durable queue for each monitored item.
         /// </summary>
         /// <value>The maximum size of the durable notification queue.</value>
-        [DataMember(IsRequired = false, Order = 39)]
+        [DataMember(IsRequired = false, Order = 40)]
         public int MaxDurableNotificationQueueSize
         {
             get { return m_maxDurableNotificationQueueSize; }
@@ -2074,7 +2074,7 @@ public int MaxDurableNotificationQueueSize
         /// The max size of the durable event queue.
         /// </summary>
         /// <value>The max size of the durable event queue.</value>
-        [DataMember(IsRequired = false, Order = 40)]
+        [DataMember(IsRequired = false, Order = 41)]
         public int MaxDurableEventQueueSize
         {
             get { return m_maxDurableEventQueueSize; }
@@ -2085,7 +2085,7 @@ public int MaxDurableEventQueueSize
         /// How long the durable subscriptions will remain open without a publish from the client.
         /// </summary>
         /// <value>The maximum durable subscription lifetime.</value>
-        [DataMember(IsRequired = false, Order = 41)]
+        [DataMember(IsRequired = false, Order = 42)]
         public int MaxDurableSubscriptionLifetimeInHours
         {
             get { return m_maxDurableSubscriptionLifetimeInHours; }
@@ -2920,11 +2920,6 @@ public string StoreType
         {
             get
             {
-                if (!String.IsNullOrEmpty(m_storeName))
-                {
-                    return CertificateStoreType.X509Store;
-                }
-
                 return m_storeType;
             }
 
@@ -2947,16 +2942,6 @@ public string StorePath
         {
             get
             {
-                if (!String.IsNullOrEmpty(m_storeName))
-                {
-                    if (String.IsNullOrEmpty(m_storeLocation))
-                    {
-                        return CurrentUser + m_storeName;
-                    }
-
-                    return Utils.Format("{0}\\{1}", m_storeLocation, m_storeName);
-                }
-
                 return m_storePath;
             }
 
@@ -2974,28 +2959,6 @@ public string StorePath
             }
         }
 
-        /// <summary>
-        /// The name of the certificate store that contains the trusted certificates. 
-        /// </summary>
-        [DataMember(IsRequired = false, EmitDefaultValue = false, Order = 2)]
-        [Obsolete("Use StoreType/StorePath instead")]
-        public string StoreName
-        {
-            get { return m_storeName; }
-            set { m_storeName = value; }
-        }
-
-        /// <summary>
-        /// The location of the certificate store that contains the trusted certificates. 
-        /// </summary>
-        [DataMember(IsRequired = false, EmitDefaultValue = false, Order = 3)]
-        [Obsolete("Use StoreType/StorePath instead")]
-        public string StoreLocation
-        {
-            get { return m_storeLocation; }
-            set { m_storeLocation = value; }
-        }
-
         /// <summary>
         /// Options that can be used to suppress certificate validation errors.
         /// </summary>
@@ -3010,8 +2973,6 @@ private int XmlEncodedValidationOptions
         #region Private Fields
         private string m_storeType;
         private string m_storePath;
-        private string m_storeLocation;
-        private string m_storeName;
         private CertificateValidationOptions m_validationOptions;
         #endregion
     }