[Client & Server] Remove all usages of SoftwareCertificates (#3443)

* remove all usages of SoftwareCertificates
- Client
- Server

As per spec they are not relevant for security.
If an SDK User wants to use the SoftwareCertificates ActivateSession can be overriden

* remove from SessionClientBatchTests

Author: romanett

Libraries/Opc.Ua.Client/Session/Session.cs

@@ -1196,8 +1196,6 @@ await m_configuration
             byte[] serverCertificateData = response.ServerCertificate;
             SignatureData serverSignature = response.ServerSignature;
             EndpointDescriptionCollection serverEndpoints = response.ServerEndpoints;
-            SignedSoftwareCertificateCollection serverSoftwareCertificates = response
-                .ServerSoftwareCertificates;
 
             m_sessionTimeout = response.RevisedSessionTimeout;
             m_maxRequestMessageSize = response.MaxRequestMessageSize;
@@ -1232,8 +1230,6 @@ await m_configuration
                     clientCertificateChainData,
                     clientNonce);
 
-                HandleSignedSoftwareCertificates(serverSoftwareCertificates);
-
                 //  process additional header
                 ProcessResponseAdditionalHeader(response.ResponseHeader, serverCertificate);
 
@@ -1280,10 +1276,6 @@ await m_configuration
                     m_instanceCertificateChain,
                     m_endpoint.Description.SecurityMode != MessageSecurityMode.None);
 
-                // send the software certificates assigned to the client.
-                SignedSoftwareCertificateCollection clientSoftwareCertificates
-                    = GetSoftwareCertificates();
-
                 // copy the preferred locales if provided.
                 if (preferredLocales != null && preferredLocales.Count > 0)
                 {
@@ -1294,7 +1286,7 @@ SignedSoftwareCertificateCollection clientSoftwareCertificates
                 ActivateSessionResponse activateResponse = await ActivateSessionAsync(
                         null,
                         clientSignature,
-                        clientSoftwareCertificates,
+                        null,
                         m_preferredLocales,
                         new ExtensionObject(identityToken),
                         userTokenSignature,
@@ -1320,12 +1312,6 @@ SignedSoftwareCertificateCollection clientSoftwareCertificates
                     }
                 }
 
-                if (clientSoftwareCertificates?.Count > 0 &&
-                    (certificateResults == null || certificateResults.Count == 0))
-                {
-                    m_logger.LogInformation("Empty results were received for the ActivateSession call.");
-                }
-
                 // fetch namespaces.
                 await FetchNamespaceTablesAsync(ct).ConfigureAwait(false);
 
@@ -1487,14 +1473,10 @@ public async Task UpdateSessionAsync(
                 m_instanceCertificateChain,
                 m_endpoint.Description.SecurityMode != MessageSecurityMode.None);
 
-            // send the software certificates assigned to the client.
-            SignedSoftwareCertificateCollection clientSoftwareCertificates
-                = GetSoftwareCertificates();
-
             ActivateSessionResponse response = await ActivateSessionAsync(
                 null,
                 clientSignature,
-                clientSoftwareCertificates,
+                null,
                 preferredLocales,
                 new ExtensionObject(identityToken),
                 userTokenSignature,
@@ -2339,10 +2321,6 @@ public async Task ReconnectAsync(
                     m_instanceCertificateChain,
                     m_endpoint.Description.SecurityMode != MessageSecurityMode.None);
 
-                // send the software certificates assigned to the client.
-                SignedSoftwareCertificateCollection clientSoftwareCertificates
-                    = GetSoftwareCertificates();
-
                 m_logger.LogInformation("Session REPLACING channel for {SessionId}.", SessionId);
 
                 if (connection != null)
@@ -2640,14 +2618,6 @@ public bool RemoveTransferredSubscription(Subscription subscription)
             return true;
         }
 
-        /// <summary>
-        /// Returns the software certificates assigned to the application.
-        /// </summary>
-        protected virtual SignedSoftwareCertificateCollection GetSoftwareCertificates()
-        {
-            return [];
-        }
-
         /// <summary>
         /// Handles an error when validating the application instance certificate provided by the server.
         /// </summary>
@@ -2659,26 +2629,6 @@ protected virtual void OnApplicationCertificateError(
             throw new ServiceResultException(result);
         }
 
-        /// <summary>
-        /// Handles an error when validating software certificates provided by the server.
-        /// </summary>
-        /// <exception cref="ServiceResultException"></exception>
-        protected virtual void OnSoftwareCertificateError(
-            SignedSoftwareCertificate signedCertificate,
-            ServiceResult result)
-        {
-            throw new ServiceResultException(result);
-        }
-
-        /// <summary>
-        /// Inspects the software certificates provided by the server.
-        /// </summary>
-        protected virtual void ValidateSoftwareCertificates(
-            List<SoftwareCertificate> softwareCertificates)
-        {
-            // always accept valid certificates.
-        }
-
         /// <summary>
         /// Starts a timer to check that the connection to the server is still available.
         /// </summary>
@@ -4175,38 +4125,6 @@ private static void UpdateDescription(
             return currentToken?.ServerNonce;
         }
 
-        /// <summary>
-        /// Handles the validation of server software certificates and application callback.
-        /// </summary>
-        private void HandleSignedSoftwareCertificates(
-            SignedSoftwareCertificateCollection serverSoftwareCertificates)
-        {
-            // get a validator to check certificates provided by server.
-            CertificateValidator validator = m_configuration.CertificateValidator;
-
-            // validate software certificates.
-            var softwareCertificates = new List<SoftwareCertificate>();
-
-            foreach (SignedSoftwareCertificate signedCertificate in serverSoftwareCertificates)
-            {
-                ServiceResult result = SoftwareCertificate.Validate(
-                    validator,
-                    signedCertificate.CertificateData,
-                    m_telemetry,
-                    out SoftwareCertificate softwareCertificate);
-
-                if (ServiceResult.IsBad(result))
-                {
-                    OnSoftwareCertificateError(signedCertificate, result);
-                }
-
-                softwareCertificates.Add(softwareCertificate);
-            }
-
-            // check if software certificates meet application requirements.
-            ValidateSoftwareCertificates(softwareCertificates);
-        }
-
         /// <summary>
         /// Processes the response from a publish request.
         /// </summary>

Libraries/Opc.Ua.Server/Diagnostics/AuditEvents.cs

@@ -1021,14 +1021,12 @@ public static void ReportAuditCreateSessionEvent(
         /// <param name="logger">A contextual logger to log to</param>
         /// <param name="auditEntryId">The audit entry id.</param>
         /// <param name="session">The session that is activated.</param>
-        /// <param name="softwareCertificates">The software certificates</param>
         /// <param name="exception">The exception received during activate session request</param>
         public static void ReportAuditActivateSessionEvent(
             this IAuditEventServer server,
             ILogger logger,
             string auditEntryId,
             ISession session,
-            IList<SoftwareCertificate> softwareCertificates,
             Exception exception = null)
         {
             if (server?.Auditing != true)
@@ -1078,25 +1076,6 @@ public static void ReportAuditActivateSessionEvent(
                     Utils.Clone(session?.IdentityToken),
                     false);
 
-                if (softwareCertificates != null)
-                {
-                    // build the list of SignedSoftwareCertificate
-                    var signedSoftwareCertificates = new List<SignedSoftwareCertificate>();
-                    foreach (SoftwareCertificate softwareCertificate in softwareCertificates)
-                    {
-                        var item = new SignedSoftwareCertificate
-                        {
-                            CertificateData = softwareCertificate.SignedCertificate.RawData
-                        };
-                        signedSoftwareCertificates.Add(item);
-                    }
-                    e.SetChildValue(
-                        systemContext,
-                        BrowseNames.ClientSoftwareCertificates,
-                        signedSoftwareCertificates.ToArray(),
-                        false);
-                }
-
                 server.ReportAuditEvent(systemContext, e);
             }
             catch (Exception e)

Libraries/Opc.Ua.Server/Server/StandardServer.cs

@@ -346,7 +346,6 @@ public override async Task<CreateSessionResponse> CreateSessionAsync(
             byte[] serverNonce;
             byte[] serverCertificate = null;
             EndpointDescriptionCollection serverEndpoints = null;
-            SignedSoftwareCertificateCollection serverSoftwareCertificates = null;
             SignatureData serverSignature = null;
             uint maxRequestMessageSize = (uint)MessageContext.MaxMessageSize;
 
@@ -528,9 +527,6 @@ X509Certificate2Collection clientCertificateChain
                     // return the endpoints supported by the server.
                     serverEndpoints = GetEndpointDescriptions(endpointUrl, BaseAddresses, null);
 
-                    // return the software certificates assigned to the server.
-                    serverSoftwareCertificates = [.. ServerProperties.SoftwareCertificates];
-
                     // sign the nonce provided by the client.
                     serverSignature = null;
 
@@ -580,7 +576,6 @@ X509Certificate2Collection clientCertificateChain
                     ServerNonce = serverNonce,
                     ServerCertificate = serverCertificate,
                     ServerEndpoints = serverEndpoints,
-                    ServerSoftwareCertificates = serverSoftwareCertificates,
                     ServerSignature = serverSignature,
                     MaxRequestMessageSize = maxRequestMessageSize
                 };
@@ -724,75 +719,14 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
             DiagnosticInfoCollection diagnosticInfos = null;
 
             OperationContext context = ValidateRequest(secureChannelContext, requestHeader, RequestType.ActivateSession);
-            // validate client's software certificates.
-            var softwareCertificates = new List<SoftwareCertificate>();
 
             try
             {
-                if (context?.SecurityPolicyUri != SecurityPolicies.None)
-                {
-                    bool diagnosticsExist = false;
-
-                    if ((context.DiagnosticsMask & DiagnosticsMasks.OperationAll) != 0)
-                    {
-                        diagnosticInfos = [];
-                    }
-
-                    results = [];
-                    diagnosticInfos = [];
-
-                    foreach (SignedSoftwareCertificate signedCertificate in clientSoftwareCertificates)
-                    {
-                        ServiceResult result = SoftwareCertificate.Validate(
-                            CertificateValidator,
-                            signedCertificate.CertificateData,
-                            m_serverInternal.Telemetry,
-                            out SoftwareCertificate softwareCertificate);
-
-                        if (ServiceResult.IsBad(result))
-                        {
-                            results.Add(result.Code);
-
-                            // add diagnostics if requested.
-                            if ((context.DiagnosticsMask & DiagnosticsMasks.OperationAll) != 0)
-                            {
-                                DiagnosticInfo diagnosticInfo = ServerUtils.CreateDiagnosticInfo(
-                                    ServerInternal,
-                                    context,
-                                    result,
-                                    m_logger);
-                                diagnosticInfos.Add(diagnosticInfo);
-                                diagnosticsExist = true;
-                            }
-                        }
-                        else
-                        {
-                            softwareCertificates.Add(softwareCertificate);
-                            results.Add(StatusCodes.Good);
-
-                            // add diagnostics if requested.
-                            if ((context.DiagnosticsMask & DiagnosticsMasks.OperationAll) != 0)
-                            {
-                                diagnosticInfos.Add(null);
-                            }
-                        }
-                    }
-
-                    if (!diagnosticsExist && diagnosticInfos != null)
-                    {
-                        diagnosticInfos.Clear();
-                    }
-                }
-
-                // check if certificates meet the server's requirements.
-                ValidateSoftwareCertificates(softwareCertificates);
-
                 // activate the session.
                 (bool identityChanged, serverNonce) = await ServerInternal.SessionManager.ActivateSessionAsync(
                         context,
                         requestHeader.AuthenticationToken,
                         clientSignature,
-                        softwareCertificates,
                         userIdentityToken,
                         userTokenSignature,
                         localeIds,
@@ -817,8 +751,7 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
                 ServerInternal.ReportAuditActivateSessionEvent(
                     m_logger,
                     context?.AuditEntryId,
-                    session,
-                    softwareCertificates);
+                    session);
 
                 ResponseHeader responseHeader = CreateResponse(requestHeader, StatusCodes.Good);
 
@@ -845,7 +778,6 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
                     m_logger,
                     context?.AuditEntryId,
                     session,
-                    softwareCertificates,
                     e);
 
                 lock (ServerInternal.DiagnosticsWriteLock)
@@ -2728,16 +2660,6 @@ protected virtual void OnApplicationCertificateError(
             throw new ServiceResultException(result);
         }
 
-        /// <summary>
-        /// Inspects the software certificates provided by the server.
-        /// </summary>
-        /// <param name="softwareCertificates">The software certificates.</param>
-        protected virtual void ValidateSoftwareCertificates(
-            List<SoftwareCertificate> softwareCertificates)
-        {
-            // always accept valid certificates.
-        }
-
         /// <summary>
         /// Verifies that the request header is valid.
         /// </summary>

Libraries/Opc.Ua.Server/Session/ISession.cs

@@ -113,7 +113,6 @@ public interface ISession : IDisposable
         /// </summary>
         bool Activate(
             OperationContext context,
-            List<SoftwareCertificate> clientSoftwareCertificates,
             UserIdentityToken identityToken,
             IUserIdentity identity,
             IUserIdentity effectiveIdentity,
@@ -187,7 +186,6 @@ bool Activate(
         void ValidateBeforeActivate(
             OperationContext context,
             SignatureData clientSignature,
-            List<SoftwareCertificate> clientSoftwareCertificates,
             ExtensionObject userIdentityToken,
             SignatureData userTokenSignature,
             out UserIdentityToken identityToken,

Libraries/Opc.Ua.Server/Session/ISessionManager.cs

@@ -123,7 +123,6 @@ ValueTask<CreateSessionResult> CreateSessionAsync(
             OperationContext context,
             NodeId authenticationToken,
             SignatureData clientSignature,
-            List<SoftwareCertificate> clientSoftwareCertificates,
             ExtensionObject userIdentityToken,
             SignatureData userTokenSignature,
             StringCollection localeIds,