
Commit 5c80f9b

authored
[Client & Server] Remove all usages of SoftwareCertificates (#3443)
* remove all usages of SoftwareCertificates - Client - Server As per spec they are not relevant for security. If an SDK User wants to use the SoftwareCertificates, ActivateSession can be overridden * remove from SessionClientBatchTests
1 parent 7ec6788 commit 5c80f9b


10 files changed

+6
-304
lines changed


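--- a/Libraries/Opc.Ua.Client/Session/Session.cs
+++ b/Libraries/Opc.Ua.Client/Session/Session.cs
@@ -1196,8 +1196,6 @@ await m_configuration
 byte[] serverCertificateData = response.ServerCertificate;
 SignatureData serverSignature = response.ServerSignature;
 EndpointDescriptionCollection serverEndpoints = response.ServerEndpoints;
-SignedSoftwareCertificateCollection serverSoftwareCertificates = response
-.ServerSoftwareCertificates;
 
 m_sessionTimeout = response.RevisedSessionTimeout;
 m_maxRequestMessageSize = response.MaxRequestMessageSize;
@@ -1232,8 +1230,6 @@ await m_configuration
 clientCertificateChainData,
 clientNonce);
 
-HandleSignedSoftwareCertificates(serverSoftwareCertificates);
-
 // process additional header
 ProcessResponseAdditionalHeader(response.ResponseHeader, serverCertificate);
 
@@ -1280,10 +1276,6 @@ await m_configuration
 m_instanceCertificateChain,
 m_endpoint.Description.SecurityMode != MessageSecurityMode.None);
 
-// send the software certificates assigned to the client.
-SignedSoftwareCertificateCollection clientSoftwareCertificates
-= GetSoftwareCertificates();
-
 // copy the preferred locales if provided.
 if (preferredLocales != null && preferredLocales.Count > 0)
 {
@@ -1294,7 +1286,7 @@ SignedSoftwareCertificateCollection clientSoftwareCertificates
 ActivateSessionResponse activateResponse = await ActivateSessionAsync(
 null,
 clientSignature,
-clientSoftwareCertificates,
+null,
 m_preferredLocales,
 new ExtensionObject(identityToken),
 userTokenSignature,
@@ -1320,12 +1312,6 @@ SignedSoftwareCertificateCollection clientSoftwareCertificates
 }
 }
 
-if (clientSoftwareCertificates?.Count > 0 &&
-(certificateResults == null || certificateResults.Count == 0))
-{
-m_logger.LogInformation("Empty results were received for the ActivateSession call.");
-}
-
 // fetch namespaces.
 await FetchNamespaceTablesAsync(ct).ConfigureAwait(false);
 
@@ -1487,14 +1473,10 @@ public async Task UpdateSessionAsync(
 m_instanceCertificateChain,
 m_endpoint.Description.SecurityMode != MessageSecurityMode.None);
 
-// send the software certificates assigned to the client.
-SignedSoftwareCertificateCollection clientSoftwareCertificates
-= GetSoftwareCertificates();
-
 ActivateSessionResponse response = await ActivateSessionAsync(
 null,
 clientSignature,
-clientSoftwareCertificates,
+null,
 preferredLocales,
 new ExtensionObject(identityToken),
 userTokenSignature,
@@ -2339,10 +2321,6 @@ public async Task ReconnectAsync(
 m_instanceCertificateChain,
 m_endpoint.Description.SecurityMode != MessageSecurityMode.None);
 
-// send the software certificates assigned to the client.
-SignedSoftwareCertificateCollection clientSoftwareCertificates
-= GetSoftwareCertificates();
-
 m_logger.LogInformation("Session REPLACING channel for {SessionId}.", SessionId);
 
 if (connection != null)
@@ -2640,14 +2618,6 @@ public bool RemoveTransferredSubscription(Subscription subscription)
 return true;
 }
 
-/// <summary>
-/// Returns the software certificates assigned to the application.
-/// </summary>
-protected virtual SignedSoftwareCertificateCollection GetSoftwareCertificates()
-{
-return [];
-}
-
 /// <summary>
 /// Handles an error when validating the application instance certificate provided by the server.
 /// </summary>
@@ -2659,26 +2629,6 @@ protected virtual void OnApplicationCertificateError(
 throw new ServiceResultException(result);
 }
 
-/// <summary>
-/// Handles an error when validating software certificates provided by the server.
-/// </summary>
-/// <exception cref="ServiceResultException"></exception>
-protected virtual void OnSoftwareCertificateError(
-SignedSoftwareCertificate signedCertificate,
-ServiceResult result)
-{
-throw new ServiceResultException(result);
-}
-
-/// <summary>
-/// Inspects the software certificates provided by the server.
-/// </summary>
-protected virtual void ValidateSoftwareCertificates(
-List<SoftwareCertificate> softwareCertificates)
-{
-// always accept valid certificates.
-}
-
 /// <summary>
 /// Starts a timer to check that the connection to the server is still available.
 /// </summary>
@@ -4175,38 +4125,6 @@ private static void UpdateDescription(
 return currentToken?.ServerNonce;
 }
 
-/// <summary>
-/// Handles the validation of server software certificates and application callback.
-/// </summary>
-private void HandleSignedSoftwareCertificates(
-SignedSoftwareCertificateCollection serverSoftwareCertificates)
-{
-// get a validator to check certificates provided by server.
-CertificateValidator validator = m_configuration.CertificateValidator;
-
-// validate software certificates.
-var softwareCertificates = new List<SoftwareCertificate>();
-
-foreach (SignedSoftwareCertificate signedCertificate in serverSoftwareCertificates)
-{
-ServiceResult result = SoftwareCertificate.Validate(
-validator,
-signedCertificate.CertificateData,
-m_telemetry,
-out SoftwareCertificate softwareCertificate);
-
-if (ServiceResult.IsBad(result))
-{
-OnSoftwareCertificateError(signedCertificate, result);
-}
-
-softwareCertificates.Add(softwareCertificate);
-}
-
-// check if software certificates meet application requirements.
-ValidateSoftwareCertificates(softwareCertificates);
-}
-
 /// <summary>
 /// Processes the response from a publish request.
 /// </summary>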
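Review bot: The bare `null` that replaces `clientSoftwareCertificates` in both `ActivateSessionAsync` calls (new lines 1289 and 1479) sits two positions after another positional `null`, so a reader cannot tell which request field is deliberately left empty; a trailing comment such as `null, // clientSoftwareCertificates: intentionally not sent` would record that this is a decision rather than an omission. The log block removed at old lines 1323-1327 was the only visible reader of `certificateResults`, so that local may now be unused; it is declared outside the hunk, so this needs checking. Removing the protected virtual `GetSoftwareCertificates`, `OnSoftwareCertificateError` and `ValidateSoftwareCertificates` breaks overriding subclasses at compile time, which is the safer failure mode. It still deserves a release-note line, because any acceptance policy a derived session enforced in those hooks is no longer called.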

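--- a/Libraries/Opc.Ua.Server/Diagnostics/AuditEvents.cs
+++ b/Libraries/Opc.Ua.Server/Diagnostics/AuditEvents.cs
@@ -1021,14 +1021,12 @@ public static void ReportAuditCreateSessionEvent(
 /// <param name="logger">A contextual logger to log to</param>
 /// <param name="auditEntryId">The audit entry id.</param>
 /// <param name="session">The session that is activated.</param>
-/// <param name="softwareCertificates">The software certificates</param>
 /// <param name="exception">The exception received during activate session request</param>
 public static void ReportAuditActivateSessionEvent(
 this IAuditEventServer server,
 ILogger logger,
 string auditEntryId,
 ISession session,
-IList<SoftwareCertificate> softwareCertificates,
 Exception exception = null)
 {
 if (server?.Auditing != true)
@@ -1078,25 +1076,6 @@ public static void ReportAuditActivateSessionEvent(
 Utils.Clone(session?.IdentityToken),
 false);
 
-if (softwareCertificates != null)
-{
-// build the list of SignedSoftwareCertificate
-var signedSoftwareCertificates = new List<SignedSoftwareCertificate>();
-foreach (SoftwareCertificate softwareCertificate in softwareCertificates)
-{
-var item = new SignedSoftwareCertificate
-{
-CertificateData = softwareCertificate.SignedCertificate.RawData
-};
-signedSoftwareCertificates.Add(item);
-}
-e.SetChildValue(
-systemContext,
-BrowseNames.ClientSoftwareCertificates,
-signedSoftwareCertificates.ToArray(),
-false);
-}
-
 server.ReportAuditEvent(systemContext, e);
 }
 catch (Exception e)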
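Review bot: The activate-session audit event is now reported without any `ClientSoftwareCertificates` value, because the block removed at old lines 1081-1098 was the only visible place that set it. If the event type declares that property as mandatory (the type definition is not on this page, so this needs confirming), audit consumers that parse the record may see a missing or null field. Setting it to an empty array keeps the record shape stable: `e.SetChildValue(systemContext, BrowseNames.ClientSoftwareCertificates, Array.Empty<SignedSoftwareCertificate>(), false);`. The method body starts and ends outside the hunk.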

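--- a/Libraries/Opc.Ua.Server/Server/StandardServer.cs
+++ b/Libraries/Opc.Ua.Server/Server/StandardServer.cs
@@ -346,7 +346,6 @@ public override async Task<CreateSessionResponse> CreateSessionAsync(
 byte[] serverNonce;
 byte[] serverCertificate = null;
 EndpointDescriptionCollection serverEndpoints = null;
-SignedSoftwareCertificateCollection serverSoftwareCertificates = null;
 SignatureData serverSignature = null;
 uint maxRequestMessageSize = (uint)MessageContext.MaxMessageSize;
 
@@ -528,9 +527,6 @@ X509Certificate2Collection clientCertificateChain
 // return the endpoints supported by the server.
 serverEndpoints = GetEndpointDescriptions(endpointUrl, BaseAddresses, null);
 
-// return the software certificates assigned to the server.
-serverSoftwareCertificates = [.. ServerProperties.SoftwareCertificates];
-
 // sign the nonce provided by the client.
 serverSignature = null;
 
@@ -580,7 +576,6 @@ X509Certificate2Collection clientCertificateChain
 ServerNonce = serverNonce,
 ServerCertificate = serverCertificate,
 ServerEndpoints = serverEndpoints,
-ServerSoftwareCertificates = serverSoftwareCertificates,
 ServerSignature = serverSignature,
 MaxRequestMessageSize = maxRequestMessageSize
 };
@@ -724,75 +719,14 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
 DiagnosticInfoCollection diagnosticInfos = null;
 
 OperationContext context = ValidateRequest(secureChannelContext, requestHeader, RequestType.ActivateSession);
-// validate client's software certificates.
-var softwareCertificates = new List<SoftwareCertificate>();
 
 try
 {
-if (context?.SecurityPolicyUri != SecurityPolicies.None)
-{
-bool diagnosticsExist = false;
-
-if ((context.DiagnosticsMask & DiagnosticsMasks.OperationAll) != 0)
-{
-diagnosticInfos = [];
-}
-
-results = [];
-diagnosticInfos = [];
-
-foreach (SignedSoftwareCertificate signedCertificate in clientSoftwareCertificates)
-{
-ServiceResult result = SoftwareCertificate.Validate(
-CertificateValidator,
-signedCertificate.CertificateData,
-m_serverInternal.Telemetry,
-out SoftwareCertificate softwareCertificate);
-
-if (ServiceResult.IsBad(result))
-{
-results.Add(result.Code);
-
-// add diagnostics if requested.
-if ((context.DiagnosticsMask & DiagnosticsMasks.OperationAll) != 0)
-{
-DiagnosticInfo diagnosticInfo = ServerUtils.CreateDiagnosticInfo(
-ServerInternal,
-context,
-result,
-m_logger);
-diagnosticInfos.Add(diagnosticInfo);
-diagnosticsExist = true;
-}
-}
-else
-{
-softwareCertificates.Add(softwareCertificate);
-results.Add(StatusCodes.Good);
-
-// add diagnostics if requested.
-if ((context.DiagnosticsMask & DiagnosticsMasks.OperationAll) != 0)
-{
-diagnosticInfos.Add(null);
-}
-}
-}
-
-if (!diagnosticsExist && diagnosticInfos != null)
-{
-diagnosticInfos.Clear();
-}
-}
-
-// check if certificates meet the server's requirements.
-ValidateSoftwareCertificates(softwareCertificates);
-
 // activate the session.
 (bool identityChanged, serverNonce) = await ServerInternal.SessionManager.ActivateSessionAsync(
 context,
 requestHeader.AuthenticationToken,
 clientSignature,
-softwareCertificates,
 userIdentityToken,
 userTokenSignature,
 localeIds,
@@ -817,8 +751,7 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
 ServerInternal.ReportAuditActivateSessionEvent(
 m_logger,
 context?.AuditEntryId,
-session,
-softwareCertificates);
+session);
 
 ResponseHeader responseHeader = CreateResponse(requestHeader, StatusCodes.Good);
 
@@ -845,7 +778,6 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
 m_logger,
 context?.AuditEntryId,
 session,
-softwareCertificates,
 e);
 
 lock (ServerInternal.DiagnosticsWriteLock)
@@ -2728,16 +2660,6 @@ protected virtual void OnApplicationCertificateError(
 throw new ServiceResultException(result);
 }
 
-/// <summary>
-/// Inspects the software certificates provided by the server.
-/// </summary>
-/// <param name="softwareCertificates">The software certificates.</param>
-protected virtual void ValidateSoftwareCertificates(
-List<SoftwareCertificate> softwareCertificates)
-{
-// always accept valid certificates.
-}
-
 /// <summary>
 /// Verifies that the request header is valid.
 /// </summary>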
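Review bot: In `ActivateSessionAsync` the block removed at old lines 732-785 was the only visible place that assigned `results` and filled `diagnosticInfos`, so the response presumably now carries whatever those locals were initialised to. `diagnosticInfos` is `null` per the context line at new 719, while `results` is declared outside the hunk, so it is worth confirming the response is still built with values clients accept. The request's `clientSoftwareCertificates` is also no longer read anywhere in the visible code, and a comment before the `try` would record that, e.g. `// clientSoftwareCertificates is intentionally ignored: not validated, not passed to the session, not audited.` Without it a later reader may assume certificates sent by a client are still checked somewhere. The method body continues outside the hunk.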

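--- a/Libraries/Opc.Ua.Server/Session/ISession.cs
+++ b/Libraries/Opc.Ua.Server/Session/ISession.cs
@@ -113,7 +113,6 @@ public interface ISession : IDisposable
 /// </summary>
 bool Activate(
 OperationContext context,
-List<SoftwareCertificate> clientSoftwareCertificates,
 UserIdentityToken identityToken,
 IUserIdentity identity,
 IUserIdentity effectiveIdentity,
@@ -187,7 +186,6 @@ bool Activate(
 void ValidateBeforeActivate(
 OperationContext context,
 SignatureData clientSignature,
-List<SoftwareCertificate> clientSoftwareCertificates,
 ExtensionObject userIdentityToken,
 SignatureData userTokenSignature,
 out UserIdentityToken identityToken,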

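--- a/Libraries/Opc.Ua.Server/Session/ISessionManager.cs
+++ b/Libraries/Opc.Ua.Server/Session/ISessionManager.cs
@@ -123,7 +123,6 @@ ValueTask<CreateSessionResult> CreateSessionAsync(
 OperationContext context,
 NodeId authenticationToken,
 SignatureData clientSignature,
-List<SoftwareCertificate> clientSoftwareCertificates,
 ExtensionObject userIdentityToken,
 SignatureData userTokenSignature,
 StringCollection localeIds,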
