

Merge pull request #768 from AlinMoldovean/master
Copy invalid certificate to rejected store for all validation errors.
AlinMoldovean authored Jul 23, 2019
2 parents de838b7 + b53ec37 commit 30c8768
Showing 1 changed file with 29 additions and 26 deletions.
55 changes: 29 additions & 26 deletions Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs
Expand Up @@ -270,6 +270,10 @@ public virtual void Validate(X509Certificate2Collection chain)

default:
{
// write the invalid certificate to rejected store if specified.
Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)se.StatusCode);
SaveCertificate(certificate);

throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid);
}
}
Expand All @@ -290,17 +294,9 @@ public virtual void Validate(X509Certificate2Collection chain)
// throw if rejected.
if (!accept)
{
// write the invalid certificate to a directory if specified.
lock (m_lock)
{
Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)se.StatusCode);

if (m_rejectedCertificateStore != null)
{
Utils.Trace((int)Utils.TraceMasks.Error, "Writing rejected certificate to directory: {0}", m_rejectedCertificateStore);
SaveCertificate(certificate);
}
}
// write the invalid certificate to rejected store if specified.
Utils.Trace((int)Utils.TraceMasks.Error, "Certificate '{0}' rejected. Reason={1}", certificate.Subject, (StatusCode)se.StatusCode);
SaveCertificate(certificate);

throw new ServiceResultException(se, StatusCodes.BadCertificateInvalid);
}
Expand All @@ -314,28 +310,35 @@ public virtual void Validate(X509Certificate2Collection chain)
}

/// <summary>
/// Saves the certificate in the invalid certificate directory.
/// Saves the certificate in the rejected certificate store.
/// </summary>
private void SaveCertificate(X509Certificate2 certificate)
{
try
lock (m_lock)
{
ICertificateStore store = m_rejectedCertificateStore.OpenStore();

try
if (m_rejectedCertificateStore != null)
{
store.Delete(certificate.Thumbprint);
store.Add(certificate);
}
finally
{
store.Close();
Utils.Trace((int)Utils.TraceMasks.Error, "Writing rejected certificate to directory: {0}", m_rejectedCertificateStore);
try
{
ICertificateStore store = m_rejectedCertificateStore.OpenStore();

try
{
store.Delete(certificate.Thumbprint);
store.Add(certificate);
}
finally
{
store.Close();
}
}
catch (Exception e)
{
Utils.Trace(e, "Could not write certificate to directory: {0}", m_rejectedCertificateStore);
}
}
}
catch (Exception e)
{
Utils.Trace(e, "Could not write certificate to directory: {0}", m_rejectedCertificateStore);
}
}

/// <summary>
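Review bot: SaveCertificate in the third hunk now persists every certificate that fails validation, but nothing bounds how many entries the rejected store can hold: the certificates come from remote peers that have not yet authenticated, and because the store is keyed by thumbprint (`store.Delete(certificate.Thumbprint); store.Add(certificate);`) each freshly generated self-signed certificate adds a new file, so a single peer can grow the store until the disk is full. Since the commit widens this from the callback-rejected path to all validation errors, a size cap or rate limit on writes — or at least a comment above the `if (m_rejectedCertificateStore != null)` check such as `// NOTE: any peer presenting an invalid certificate causes a write here; the store is unbounded, so cap its size or rate-limit writes in deployments exposed to untrusted networks.` — would be worth adding. Separately, the OpenStore/Delete/Add/Close file I/O now runs while holding `m_lock`, which presumably also serializes the validator's other state (what `m_lock` guards is not visible here), so a slow or hung store blocks every concurrent Validate call; consider taking the lock only around reading the store reference and doing the I/O outside it. The message "Writing rejected certificate to directory" also no longer matches the `<summary>`, which now says "rejected certificate store".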

