[ECC] Implicitly set CertificateType of Certificate Identifier & allow Revocation with ECC Issuer Certificate & fix VerifyECDsaKeyPair (#2924)

romanett · web-flow · commit 6038a696560b · 2025-01-13T17:08:37.000+02:00
* implicitly set certificate type of certificate identifier
extend CertificateFactory to allow Revocation with ECC Issuer Certificate

* Add Crl tests for ECC

* fix X509 PFXUtils VerifyECDsaKeyPair
diff --git a/Libraries/Opc.Ua.Security.Certificates/X509Certificate/X509PfxUtils.cs b/Libraries/Opc.Ua.Security.Certificates/X509Certificate/X509PfxUtils.cs
@@ -257,8 +257,8 @@ public static bool VerifyECDsaKeyPair(
             bool throwOnError = false)
         {
             bool result = false;
-            using (ECDsa ecdsaPublicKey = certWithPrivateKey.GetECDsaPublicKey())
-            using (ECDsa ecdsaPrivateKey = certWithPublicKey.GetECDsaPrivateKey())
+            using (ECDsa ecdsaPublicKey = certWithPublicKey.GetECDsaPublicKey())
+            using (ECDsa ecdsaPrivateKey = certWithPrivateKey.GetECDsaPrivateKey())
             {
                 try
                 {
diff --git a/Stack/Opc.Ua.Core/Schema/ApplicationConfiguration.cs b/Stack/Opc.Ua.Core/Schema/ApplicationConfiguration.cs
@@ -3067,7 +3067,7 @@ public CertificateIdentifier()
         public CertificateIdentifier(X509Certificate2 certificate)
         {
             Initialize();
-            m_certificate = certificate;
+            Certificate = certificate;
         }
 
         /// <summary>
@@ -3076,7 +3076,7 @@ public CertificateIdentifier(X509Certificate2 certificate)
         public CertificateIdentifier(X509Certificate2 certificate, CertificateValidationOptions validationOptions)
         {
             Initialize();
-            m_certificate = certificate;
+            Certificate = certificate;
             m_validationOptions = validationOptions;
         }
 
@@ -3087,7 +3087,7 @@ public CertificateIdentifier(X509Certificate2 certificate, CertificateValidation
         public CertificateIdentifier(byte[] rawData)
         {
             Initialize();
-            m_certificate = CertificateFactory.Create(rawData, true);
+            Certificate = CertificateFactory.Create(rawData, true);
         }
 
         /// <summary>
@@ -3324,6 +3324,7 @@ public byte[] RawData
                 m_certificate = CertificateFactory.Create(value, true);
                 m_subjectName = m_certificate.Subject;
                 m_thumbprint = m_certificate.Thumbprint;
+                m_certificateType = GetCertificateType(m_certificate);
             }
         }
 
diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateFactory.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateFactory.cs
@@ -292,7 +292,19 @@ DateTime nextUpdate
                 .SetNextUpdate(nextUpdate)
                 .AddCRLExtension(X509Extensions.BuildAuthorityKeyIdentifier(issuerCertificate))
                 .AddCRLExtension(X509Extensions.BuildCRLNumber(crlSerialNumber + 1));
-            return new X509CRL(crlBuilder.CreateForRSA(issuerCertificate));
+
+            if (X509PfxUtils.IsECDsaSignature(issuerCertificate))
+            {
+#if ECC_SUPPORT
+                return new X509CRL(crlBuilder.CreateForECDsa(issuerCertificate));
+#else
+                throw new NotSupportedException("CRL can only be created for an RSA Certificate on this system");
+#endif
+            }
+            else
+            {
+                return new X509CRL(crlBuilder.CreateForRSA(issuerCertificate));
+            }
         }
 
 #if NETSTANDARD2_1 || NET472_OR_GREATER || NET5_0_OR_GREATER
diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs
@@ -145,7 +145,14 @@ public CertificateValidationOptions ValidationOptions
         public X509Certificate2 Certificate
         {
             get { return m_certificate; }
-            set { m_certificate = value; }
+            set
+            {
+                m_certificate = value;
+                if (m_certificate != null)
+                {
+                    m_certificateType = GetCertificateType(m_certificate);
+                }
+            }
         }
         #endregion
 
diff --git a/Tests/Opc.Ua.Security.Certificates.Tests/CRLTests.cs b/Tests/Opc.Ua.Security.Certificates.Tests/CRLTests.cs
@@ -30,6 +30,7 @@
 
 using System;
 using System.Globalization;
+using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
@@ -44,6 +45,7 @@ namespace Opc.Ua.Security.Certificates.Tests
     /// </summary>
     [TestFixture, Category("CRL")]
     [Parallelizable]
+    [TestFixtureSource(nameof(FixtureArgs))]
     [SetCulture("en-us")]
     public class CRLTests
     {
@@ -58,16 +60,48 @@ public class CRLTests
             { 4096, HashAlgorithmName.SHA512 } }.ToArray();
         #endregion
 
+        /// <summary>
+        /// store types to run the tests with
+        /// </summary>
+        public static readonly object[] FixtureArgs = {
+            new object [] { nameof(Opc.Ua.ObjectTypeIds.RsaSha256ApplicationCertificateType)},
+            new object [] { nameof(Opc.Ua.ObjectTypeIds.EccNistP256ApplicationCertificateType)}
+        };
+
+        public CRLTests(string certificateType)
+        {
+            if (certificateType == CertificateStoreType.X509Store && !RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                Assert.Ignore("X509 Store with crls is only supported on Windows, skipping test run");
+            }
+            m_certifiateType = certificateType;
+        }
+
+
         #region Test Setup
         /// <summary>
         /// Set up a Global Discovery Server and Client instance and connect the session
         /// </summary>
         [OneTimeSetUp]
         protected void OneTimeSetUp()
         {
-            m_issuerCert = CertificateBuilder.Create("CN=Root CA, O=OPC Foundation")
-                .SetCAConstraint()
-                .CreateForRSA();
+            if (m_certifiateType == nameof(Opc.Ua.ObjectTypeIds.RsaSha256ApplicationCertificateType))
+            {
+                m_issuerCert = CertificateBuilder.Create("CN=Root CA, O=OPC Foundation")
+                    .SetCAConstraint()
+                    .CreateForRSA();
+            }
+            else if (m_certifiateType == nameof(Opc.Ua.ObjectTypeIds.EccNistP256ApplicationCertificateType))
+            {
+                m_issuerCert = CertificateBuilder.Create("CN=Root CA, O=OPC Foundation")
+                    .SetCAConstraint()
+                    .SetECCurve(ECCurve.NamedCurves.nistP256)
+                    .CreateForECDsa();
+            }
+            else
+            {
+                throw new NotImplementedException();
+            }
         }
 
         /// <summary>
@@ -144,8 +178,16 @@ public void CrlBuilderTest(bool empty, bool noExtensions, KeyHashPair keyHashPai
                 crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
                 crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));
             }
+            IX509CRL i509Crl;
+            if (X509PfxUtils.IsECDsaSignature(m_issuerCert))
+            {
 
-            var i509Crl = crlBuilder.CreateForRSA(m_issuerCert);
+                i509Crl = crlBuilder.CreateForECDsa(m_issuerCert);
+            }
+            else
+            {
+                i509Crl = crlBuilder.CreateForRSA(m_issuerCert);
+            }
             X509CRL x509Crl = new X509CRL(i509Crl.RawData);
             Assert.NotNull(x509Crl);
             Assert.NotNull(x509Crl.CrlExtensions);
@@ -203,10 +245,21 @@ public void CrlBuilderTestWithSignatureGenerator(KeyHashPair keyHashPair)
             crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));
 
             IX509CRL ix509Crl;
-            using (RSA rsa = m_issuerCert.GetRSAPrivateKey())
+            if (X509PfxUtils.IsECDsaSignature(m_issuerCert))
             {
-                X509SignatureGenerator generator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
-                ix509Crl = crlBuilder.CreateSignature(generator);
+                using (ECDsa ecdsa = m_issuerCert.GetECDsaPrivateKey())
+                {
+                    X509SignatureGenerator generator = X509SignatureGenerator.CreateForECDsa(ecdsa);
+                    ix509Crl = crlBuilder.CreateSignature(generator);
+                }
+            }
+            else
+            {
+                using (RSA rsa = m_issuerCert.GetRSAPrivateKey())
+                {
+                    X509SignatureGenerator generator = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
+                    ix509Crl = crlBuilder.CreateSignature(generator);
+                }
             }
             X509CRL x509Crl = new X509CRL(ix509Crl);
             Assert.NotNull(x509Crl);
@@ -322,6 +375,7 @@ private void ValidateCRL(
 
         #region Private Fields
         X509Certificate2 m_issuerCert;
+        private string m_certifiateType;
         #endregion
     }
 

Original file line number	Diff line number	Diff line change
`@@ -257,8 +257,8 @@ public static bool VerifyECDsaKeyPair(`
`257`	`257`	`bool throwOnError = false)`
`258`	`258`	`{`
`259`	`259`	`bool result = false;`
`260`		`- using (ECDsa ecdsaPublicKey = certWithPrivateKey.GetECDsaPublicKey())`
`261`		`- using (ECDsa ecdsaPrivateKey = certWithPublicKey.GetECDsaPrivateKey())`
	`260`	`+ using (ECDsa ecdsaPublicKey = certWithPublicKey.GetECDsaPublicKey())`
	`261`	`+ using (ECDsa ecdsaPrivateKey = certWithPrivateKey.GetECDsaPrivateKey())`
`262`	`262`	`{`
`263`	`263`	`try`
`264`	`264`	`{`
Original file line number	Diff line number	Diff line change
`@@ -3067,7 +3067,7 @@ public CertificateIdentifier()`
`3067`	`3067`	`public CertificateIdentifier(X509Certificate2 certificate)`
`3068`	`3068`	`{`
`3069`	`3069`	`Initialize();`
`3070`		`- m_certificate = certificate;`
	`3070`	`+ Certificate = certificate;`
`3071`	`3071`	`}`
`3072`	`3072`
`3073`	`3073`	`/// <summary>`
`@@ -3076,7 +3076,7 @@ public CertificateIdentifier(X509Certificate2 certificate)`
`3076`	`3076`	`public CertificateIdentifier(X509Certificate2 certificate, CertificateValidationOptions validationOptions)`
`3077`	`3077`	`{`
`3078`	`3078`	`Initialize();`
`3079`		`- m_certificate = certificate;`
	`3079`	`+ Certificate = certificate;`
`3080`	`3080`	`m_validationOptions = validationOptions;`
`3081`	`3081`	`}`
`3082`	`3082`
`@@ -3087,7 +3087,7 @@ public CertificateIdentifier(X509Certificate2 certificate, CertificateValidation`
`3087`	`3087`	`public CertificateIdentifier(byte[] rawData)`
`3088`	`3088`	`{`
`3089`	`3089`	`Initialize();`
`3090`		`- m_certificate = CertificateFactory.Create(rawData, true);`
	`3090`	`+ Certificate = CertificateFactory.Create(rawData, true);`
`3091`	`3091`	`}`
`3092`	`3092`
`3093`	`3093`	`/// <summary>`
`@@ -3324,6 +3324,7 @@ public byte[] RawData`
`3324`	`3324`	`m_certificate = CertificateFactory.Create(value, true);`
`3325`	`3325`	`m_subjectName = m_certificate.Subject;`
`3326`	`3326`	`m_thumbprint = m_certificate.Thumbprint;`
	`3327`	`+ m_certificateType = GetCertificateType(m_certificate);`
`3327`	`3328`	`}`
`3328`	`3329`	`}`
`3329`	`3330`