dohertj2/lmxopcua
1
0
Fork 0
Code Issues 21 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Auto: opcuaclient-5 — CRL/revocation handling

Browse Source 
Adds explicit revoked-vs-untrusted distinction to the OpcUaClient driver's
server-cert validation hook, plus three new knobs on a new
OpcUaCertificateValidationOptions sub-record:

  RejectSHA1SignedCertificates  (default true — SHA-1 is OPC UA spec-deprecated;
                                 this is a deliberately tighter default)
  RejectUnknownRevocationStatus (default false — keeps brownfield deployments
                                 without CRL infrastructure working)
  MinimumCertificateKeySize     (default 2048)

The validator hook now runs whether or not AutoAcceptCertificates is set:
revoked / issuer-revoked certs are always rejected with a distinct
"REVOKED" log line; SHA-1 + small-key certs are rejected per policy;
unknown-revocation gates on the new flag; untrusted still honours
AutoAccept.

Decision pipeline factored into a static EvaluateCertificateValidation
helper with a CertificateValidationDecision record so unit tests cover
all branches without needing to spin up an SDK CertificateValidator.

CRL files themselves: the OPC UA SDK reads them automatically from the
crl/ subdir of each cert store — no driver-side wiring needed.
Documented on the new options record.

Tests (12 new) cover defaults, every branch of the decision pipeline,
SHA-1 detection (custom X509SignatureGenerator since .NET 10's
CreateSelfSigned refuses SHA-1), and key-size detection. All 127
OpcUaClient unit tests still pass.

Closes #277

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
2026-04-25 16:05:50 -04:00
parent d57e24a7fa
commit 4a3860ae92
3 changed files with 418 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriver.cs
View File

@@ -1,3 +1,4 @@
using System.Security.Cryptography.X509Certificates;
using Opc.Ua;
using Opc.Ua.Client;
using Opc.Ua.Configuration;
@@ -248,17 +249,11 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
await config.ValidateAsync(ApplicationType.Client, ct).ConfigureAwait(false);
// Attach a cert-validator handler that honours the AutoAccept flag. Without this,
// AutoAcceptUntrustedCertificates on the config alone isn't always enough in newer
// SDK versions — the validator raises an event the app has to handle.
if (_options.AutoAcceptCertificates)
{
config.CertificateValidator.CertificateValidation += (s, e) =>
{
if (e.Error.StatusCode == StatusCodes.BadCertificateUntrusted)
e.Accept = true;
};
}
// Attach a cert-validator handler. The SDK's AutoAcceptUntrustedCertificates flag
// alone isn't always enough in newer SDK versions — the validator raises an event
// the app has to handle. We also use this hook to enforce the
// CertificateValidation policy (revoked, SHA-1, key size) regardless of AutoAccept.
config.CertificateValidator.CertificateValidation += OnCertificateValidation;
// Ensure an application certificate exists. The SDK auto-generates one if missing.
app.ApplicationConfiguration = config;
@@ -268,6 +263,128 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
return config;
}
/// <summary>
/// Cert-validator callback. Funnels into <see cref="EvaluateCertificateValidation"/>
/// for testability — the static helper takes the cert + status code + options and
/// returns the decision, which this method then applies to the SDK's event args.
/// </summary>
private void OnCertificateValidation(object sender, Opc.Ua.CertificateValidationEventArgs e)
{
var decision = EvaluateCertificateValidation(
e.Certificate,
e.Error.StatusCode,
_options.AutoAcceptCertificates,
_options.CertificateValidation);
if (decision.LogMessage is { Length: > 0 })
{
// Use the SDK's trace surface — no driver-side ILogger is plumbed today, and the
// SDK trace is already wired up by the host. Warning level for rejections so
// operators surface them without code changes. The non-telemetry overload is
// marked obsolete in the latest SDK; suppress locally to keep the gateway-driver
// surface free of an ITelemetryContext plumb-through (parity with the same
// pattern in BuildApplicationConfigurationAsync).
#pragma warning disable CS0618
Opc.Ua.Utils.LogWarning(
"OpcUaClient[{0}] cert-validation: {1} (subject={2}, status=0x{3:X8})",
driverInstanceId, decision.LogMessage,
e.Certificate?.Subject ?? "<null>",
(uint)e.Error.StatusCode.Code);
#pragma warning restore CS0618
}
e.Accept = decision.Accept;
}
/// <summary>
/// Cert-validation decision pipeline. Pulled out as a static helper so unit tests can
/// drive each branch without standing up an OPC UA SDK <c>CertificateValidator</c>.
/// Order matters: revoked &gt; SHA-1 &gt; key-size &gt; revocation-unknown &gt; auto-accept-untrusted.
/// </summary>
/// <param name="cert">Server certificate the SDK is asking us to validate. May be null in pathological cases.</param>
/// <param name="status">The SDK's validation result. <c>Good</c> = no failure to inspect.</param>
/// <param name="autoAcceptUntrusted">Mirror of <see cref="OpcUaClientDriverOptions.AutoAcceptCertificates"/>.</param>
/// <param name="opts">The cert-validation knobs.</param>
internal static CertificateValidationDecision EvaluateCertificateValidation(
System.Security.Cryptography.X509Certificates.X509Certificate2? cert,
Opc.Ua.StatusCode status,
bool autoAcceptUntrusted,
OpcUaCertificateValidationOptions opts)
{
// Revoked certs are always a hard fail — never auto-accept regardless of flags.
if (status.Code == Opc.Ua.StatusCodes.BadCertificateRevoked)
return new CertificateValidationDecision(false, "REVOKED server certificate — rejecting");
if (status.Code == Opc.Ua.StatusCodes.BadCertificateIssuerRevoked)
return new CertificateValidationDecision(false, "REVOKED issuer certificate — rejecting");
// SHA-1 signature detection runs even when the SDK didn't surface a status —
// we want to reject SHA-1 certs on policy, not just when the SDK happens to flag them.
if (opts.RejectSHA1SignedCertificates && IsSha1Signed(cert))
return new CertificateValidationDecision(false, "SHA-1 signed certificate rejected by policy");
// Key-size check: only meaningful for RSA keys; ECC bypasses.
if (cert is not null && TryGetRsaKeySize(cert, out var keyBits) && keyBits < opts.MinimumCertificateKeySize)
return new CertificateValidationDecision(false,
$"RSA key size {keyBits} bits below minimum {opts.MinimumCertificateKeySize}");
// Unknown revocation status — reject only if policy says so.
if (status.Code == Opc.Ua.StatusCodes.BadCertificateRevocationUnknown
|| status.Code == Opc.Ua.StatusCodes.BadCertificateIssuerRevocationUnknown)
{
if (opts.RejectUnknownRevocationStatus)
return new CertificateValidationDecision(false, "revocation status unknown (no/stale CRL) — rejecting per policy");
return new CertificateValidationDecision(true, "revocation status unknown (no/stale CRL) — accepting per policy");
}
// Untrusted: SDK couldn't chain the cert to a trusted issuer. Honour AutoAccept.
if (status.Code == Opc.Ua.StatusCodes.BadCertificateUntrusted)
{
if (autoAcceptUntrusted) return new CertificateValidationDecision(true, null);
return new CertificateValidationDecision(false, "untrusted certificate — rejecting (AutoAcceptCertificates=false)");
}
// Anything else is an SDK-level failure — let the SDK's default disposition stand
// (don't accept by default; surface the status code in the log).
if (status.Code != Opc.Ua.StatusCodes.Good)
return new CertificateValidationDecision(false, $"validation failed (status=0x{(uint)status.Code:X8})");
return new CertificateValidationDecision(true, null);
}
/// <summary>
/// True when the cert's signature algorithm OID matches a SHA-1 RSA signature
/// (<c>1.2.840.113549.1.1.5</c>) or a SHA-1 ECDSA signature (<c>1.2.840.10045.4.1</c>).
/// Friendly-name prefix match is unreliable across .NET runtimes, so we use OIDs.
/// </summary>
internal static bool IsSha1Signed(System.Security.Cryptography.X509Certificates.X509Certificate2? cert)
{
if (cert is null) return false;
var oid = cert.SignatureAlgorithm?.Value;
return oid is "1.2.840.113549.1.1.5" // sha1RSA
or "1.2.840.10045.4.1"; // sha1ECDSA
}
/// <summary>
/// Read the RSA public key size in bits if the cert has an RSA key. Returns false for
/// non-RSA (ECC, DSA) certs so the key-size check is skipped on them.
/// </summary>
internal static bool TryGetRsaKeySize(
System.Security.Cryptography.X509Certificates.X509Certificate2 cert,
out int keyBits)
{
using var rsa = cert.GetRSAPublicKey();
if (rsa is null) { keyBits = 0; return false; }
keyBits = rsa.KeySize;
return true;
}
/// <summary>
/// Outcome of <see cref="EvaluateCertificateValidation"/>. <see cref="LogMessage"/>
/// is null when the decision is silently "accept (Good)" — no need to log healthy
/// validations.
/// </summary>
internal readonly record struct CertificateValidationDecision(bool Accept, string? LogMessage);
/// <summary>
/// Resolve the ordered failover candidate list. <c>EndpointUrls</c> wins when
/// non-empty; otherwise fall back to <c>EndpointUrl</c> as a single-URL shortcut so

48
src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriverOptions.cs
View File

@@ -141,8 +141,56 @@ public sealed class OpcUaClientDriverOptions
/// values so existing deployments see no behaviour change.
/// </summary>
public OpcUaSubscriptionDefaults Subscriptions { get; init; } = new();
/// <summary>
/// Server-certificate validation knobs applied during the
/// <c>CertificateValidator.CertificateValidation</c> callback. Surfaces explicit
/// handling for revoked certs (always rejected, never auto-accepted), unknown
/// revocation status (rejected only when <see cref="OpcUaCertificateValidationOptions.RejectUnknownRevocationStatus"/>
/// is set), SHA-1 signature rejection, and minimum RSA key size. Defaults preserve
/// existing behaviour wherever possible — the one tightening is
/// <see cref="OpcUaCertificateValidationOptions.RejectSHA1SignedCertificates"/>=true
/// since SHA-1 is spec-deprecated for OPC UA.
/// </summary>
public OpcUaCertificateValidationOptions CertificateValidation { get; init; } = new();
}
/// <summary>
/// Knobs governing the server-certificate validation callback. Plumbed onto
/// <see cref="OpcUaClientDriverOptions.CertificateValidation"/> rather than the top-level
/// options to keep cert-related config grouped together.
/// </summary>
/// <remarks>
/// <para>
/// <b>CRL discovery:</b> the OPC UA SDK reads CRL files automatically from the
/// <c>crl/</c> sub-directory of each cert store (own, trusted, issuers). Drop the
/// issuer's <c>.crl</c> in that folder and the SDK picks it up — no driver-side wiring
/// required. When the directory is absent or empty, the SDK reports
/// <c>BadCertificateRevocationUnknown</c>, which this driver gates with
/// <see cref="RejectUnknownRevocationStatus"/>.
/// </para>
/// </remarks>
/// <param name="RejectSHA1SignedCertificates">
/// Reject server certificates whose signature uses SHA-1. Default <c>true</c> — SHA-1 was
/// deprecated by the OPC UA spec and is treated as a hard fail in production. Flip to
/// <c>false</c> only for short-term interop with legacy controllers.
/// </param>
/// <param name="RejectUnknownRevocationStatus">
/// When the SDK can't determine revocation status (no CRL present, or stale CRL),
/// reject the cert if <c>true</c>; allow if <c>false</c>. Default <c>false</c> — many
/// plant deployments don't run CRL infrastructure, and a hard-fail default would break
/// them on first connection. Set <c>true</c> in environments with a managed PKI.
/// </param>
/// <param name="MinimumCertificateKeySize">
/// Minimum RSA key size (bits) accepted. Certs with shorter keys are rejected. Default
/// <c>2048</c> matches the current OPC UA spec floor; raise to 3072 or 4096 for stricter
/// deployments. Non-RSA keys (ECC) bypass this check.
/// </param>
public sealed record OpcUaCertificateValidationOptions(
bool RejectSHA1SignedCertificates = true,
bool RejectUnknownRevocationStatus = false,
int MinimumCertificateKeySize = 2048);
/// <summary>
/// Tuning surface for OPC UA subscriptions created by <see cref="OpcUaClientDriver"/>.
/// Lifted from the per-call hard-coded literals so operators can tune publish cadence,