[Test] Add ECC Certificates to various tests (#2961)

romanett · web-flow · commit 7cbeee715519 · 2025-02-11T14:20:21.000+02:00
* Generate ECC Certificates in Client Tests

* Add more tests

* reenable check of certificate

* fix tests

* Dont use random in test

* fix unsupported certificate types

* fix Hash algorithm for nistP384 curve on linux as the friendly name is ECDSA_P384 instead of nistP384

* use friendly name by default and add special case only for linux while taking care of nullability

* disable special casing for finding correct certificates

* fix tests on net 462

* update Certificate Identifier
diff --git a/Libraries/Opc.Ua.Gds.Server.Common/CertificateGroup.cs b/Libraries/Opc.Ua.Gds.Server.Common/CertificateGroup.cs
@@ -82,7 +82,8 @@ [Optional] string trustedIssuerCertificatesStorePath
                 {
                     if (!Utils.IsSupportedCertificateType(certificateType))
                     {
-                        throw new NotImplementedException($"Unsupported certificate type {certificateType}");
+                        Utils.LogError("Certificate type {0} specified for Certificate Group is not supported on this platform", certificateType);
+                        continue;
                     }
 
                     CertificateTypes.Add(certificateType);
@@ -356,7 +357,10 @@ public virtual async Task<X509Certificate2> SigningRequestAsync(
 
 #if ECC_SUPPORT
                     certificate = TryGetECCCurve(certificateType, out ECCurve curve) ?
-                       builder.SetIssuer(signingKey).SetECDsaPublicKey(info.SubjectPublicKeyInfo.GetEncoded()).CreateForECDsa() :
+                       builder
+                       .SetIssuer(signingKey)
+                       .SetECDsaPublicKey(info.SubjectPublicKeyInfo.GetEncoded())
+                       .CreateForECDsa() :
                        builder.SetHashAlgorithm(X509Utils.GetRSAHashAlgorithmName(Configuration.DefaultCertificateHashSize))
                                 .SetIssuer(signingKey)
                                 .SetRSAPublicKey(info.SubjectPublicKeyInfo.GetEncoded())
diff --git a/Libraries/Opc.Ua.Security.Certificates/X509Certificate/CertificateBuilderBase.cs b/Libraries/Opc.Ua.Security.Certificates/X509Certificate/CertificateBuilderBase.cs
@@ -291,7 +291,9 @@ public virtual ICertificateBuilderIssuer SetIssuer(X509Certificate2 issuerCertif
         private void SetHashAlgorithmSize(ECCurve curve)
         {
             if (curve.Oid.FriendlyName.CompareTo(ECCurve.NamedCurves.nistP384.Oid.FriendlyName) == 0 ||
-               (curve.Oid.FriendlyName.CompareTo(ECCurve.NamedCurves.brainpoolP384r1.Oid.FriendlyName) == 0))
+                curve.Oid.FriendlyName.CompareTo(ECCurve.NamedCurves.brainpoolP384r1.Oid.FriendlyName) == 0 ||
+                // special case for linux where friendly name could be ECDSA_P384 instead of nistP384
+                (curve.Oid?.Value != null && curve.Oid.Value.CompareTo(ECCurve.NamedCurves.nistP384.Oid.Value) == 0))
             {
                 SetHashAlgorithm(HashAlgorithmName.SHA384);
             }
@@ -388,7 +390,7 @@ protected virtual void NewSerialNumber()
         /// </summary>
         private protected ECCurve? m_curve;
 #endif
-#endregion
+        #endregion
 
         #region Private Fields
         private X509Certificate2 m_issuerCAKeyCert;
diff --git a/Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs b/Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs
@@ -433,7 +433,7 @@ private ServiceResult UpdateCertificate(
                 // identify the existing certificate to be updated
                 // it should be of the same type and same subject name as the new certificate
                 CertificateIdentifier existingCertIdentifier = certificateGroup.ApplicationCertificates.FirstOrDefault(cert =>
-                    X509Utils.CompareDistinguishedName(cert.Certificate.Subject, newCert.Subject) &&
+                    X509Utils.CompareDistinguishedName(cert.SubjectName, newCert.Subject) &&
                     cert.CertificateType == certificateTypeId);
 
                 // if no cert was found search by ApplicationUri
@@ -566,6 +566,8 @@ private ServiceResult UpdateCertificate(
                             var certOnly = X509CertificateLoader.LoadCertificate(updateCertificate.CertificateWithPrivateKey.RawData);
                             updateCertificate.CertificateWithPrivateKey.Dispose();
                             updateCertificate.CertificateWithPrivateKey = certOnly;
+                            //update certificate identifier with new certificate
+                            existingCertIdentifier.Find(m_configuration.ApplicationUri).GetAwaiter().GetResult();
                         }
 
                         ICertificateStore issuerStore = certificateGroup.IssuerStore.OpenStore();
@@ -800,7 +802,7 @@ private ServiceResult GetCertificates(
             }
 
             certificateTypeIds = certificateGroup.CertificateTypes;
-            certificates = certificateGroup.ApplicationCertificates.Select(s => s.Certificate.RawData).ToArray();
+            certificates = certificateGroup.ApplicationCertificates.Select(s => s.Certificate?.RawData).ToArray();
 
             return ServiceResult.Good;
         }
diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateIdentifier.cs
@@ -577,6 +577,10 @@ public static NodeId GetCertificateType(X509Certificate2 certificate)
         /// <param name="certificateType">The NodeId of the certificate type.</param>
         public static bool ValidateCertificateType(X509Certificate2 certificate, NodeId certificateType)
         {
+            if (certificateType == null)
+            {
+                return true;
+            }
             switch (certificate.SignatureAlgorithm.Value)
             {
                 case Oids.ECDsaWithSha1:
@@ -594,18 +598,21 @@ public static bool ValidateCertificateType(X509Certificate2 certificate, NodeId
                     }
 
 
-                    // special cases
-                    if (certType == ObjectTypeIds.EccNistP384ApplicationCertificateType &&
-                        certificateType == ObjectTypeIds.EccNistP256ApplicationCertificateType)
-                    {
-                        return true;
-                    }
-
-                    if (certType == ObjectTypeIds.EccBrainpoolP384r1ApplicationCertificateType &&
-                        certificateType == ObjectTypeIds.EccBrainpoolP256r1ApplicationCertificateType)
-                    {
-                        return true;
-                    }
+                    // not needed: An end entity Certificate shall use P-256.
+                    // http://opcfoundation.org/UA/SecurityPolicy#ECC_nistP256
+                    //if (certType == ObjectTypeIds.EccNistP384ApplicationCertificateType &&
+                    //    certificateType == ObjectTypeIds.EccNistP256ApplicationCertificateType)
+                    //{
+                    //    return true;
+                    //}
+
+                    // not needed: An end entity Certificate shall use P256r1.
+                    // http://opcfoundation.org/UA/SecurityPolicy#ECC_brainpoolP256r1
+                    //if (certType == ObjectTypeIds.EccBrainpoolP384r1ApplicationCertificateType &&
+                    //    certificateType == ObjectTypeIds.EccBrainpoolP256r1ApplicationCertificateType)
+                    //{
+                    //    return true;
+                    //}
 
                     break;
 
diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs
@@ -257,10 +257,9 @@ public virtual async Task UpdateCertificateAsync(SecurityConfiguration securityC
 
             try
             {
-
+                m_applicationCertificates.Clear();
                 foreach (var applicationCertificate in securityConfiguration.ApplicationCertificates)
                 {
-                    m_applicationCertificates.RemoveAll(cert => Utils.IsEqual(cert.RawData, applicationCertificate.RawData));
                     applicationCertificate.DisposeCertificate();
                 }
 
diff --git a/Tests/Opc.Ua.Gds.Tests/ClientTest.cs b/Tests/Opc.Ua.Gds.Tests/ClientTest.cs
@@ -36,6 +36,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using NUnit.Framework;
+using Opc.Ua.Gds.Server;
 using Assert = NUnit.Framework.Legacy.ClassicAssert;
 
 
@@ -108,6 +109,14 @@ protected async Task OneTimeSetUp()
             m_invalidRegistrationOk = false;
             m_goodNewKeyPairRequestOk = false;
             m_gdsRegisteredTestClient = false;
+
+            //get supported CertificateTypes from GDS
+            m_supportedCertificateTypes = m_server.Config.ParseExtension<GlobalDiscoveryServerConfiguration>().CertificateGroups
+                .Where(cg => cg.Id == "Default")
+                .SelectMany(cg => cg.CertificateTypes)
+                .Select(s => typeof(Ua.ObjectTypeIds).GetField(s).GetValue(null) as NodeId)
+                .Where(n => n != null && Utils.IsSupportedCertificateType(n))
+                .ToList();
         }
 
         /// <summary>
@@ -652,8 +661,12 @@ public void StartGoodNewKeyPairRequests()
         {
             AssertIgnoreTestWithoutGoodRegistration();
             ConnectGDS(true);
+            int certificateTypeIndex = 0;
             foreach (var application in m_goodApplicationTestSet)
             {
+                application.CertificateTypeId = m_supportedCertificateTypes[certificateTypeIndex];
+                certificateTypeIndex = (certificateTypeIndex + 1) % m_supportedCertificateTypes.Count;
+
                 Assert.Null(application.CertificateRequestId);
                 NodeId requestId = m_gdsClient.GDSClient.StartNewKeyPairRequest(
                     application.ApplicationRecord.ApplicationId,
@@ -875,7 +888,7 @@ out byte[][] issuerCertificates
 
         }
 
-        
+
         [Test, Order(540)]
         public void GetGoodCertificates()
         {
@@ -1531,6 +1544,7 @@ private int GoodServersOnNetworkCount()
         private bool m_goodRegistrationOk;
         private bool m_invalidRegistrationOk;
         private bool m_gdsRegisteredTestClient;
+        private List<NodeId> m_supportedCertificateTypes;
         private bool m_goodNewKeyPairRequestOk;
         private string m_storeType;
         #endregion
diff --git a/Tests/Opc.Ua.Gds.Tests/GlobalDiscoveryTestServer.cs b/Tests/Opc.Ua.Gds.Tests/GlobalDiscoveryTestServer.cs
@@ -216,7 +216,13 @@ private static async Task<ApplicationConfiguration> Load(ApplicationInstance app
                 {
                     new CertificateGroupConfiguration() {
                         Id = "Default",
-                        CertificateType = "RsaSha256ApplicationCertificateType",
+                        CertificateTypes = new StringCollection() {
+                            "RsaSha256ApplicationCertificateType",
+                            "EccNistP256ApplicationCertificateType",
+                            "EccNistP384ApplicationCertificateType",
+                            "EccBrainpoolP256r1ApplicationCertificateType",
+                            "EccBrainpoolP384r1ApplicationCertificateType"
+                        },
                         SubjectName = "CN=GDS Test CA, O=OPC Foundation",
                         BaseStorePath = Path.Combine(gdsRoot, "CA", "default"),
                         DefaultCertificateHashSize = 256,
diff --git a/Tests/Opc.Ua.Gds.Tests/Opc.Ua.GlobalDiscoveryTestServer.Config.xml b/Tests/Opc.Ua.Gds.Tests/Opc.Ua.GlobalDiscoveryTestServer.Config.xml
@@ -17,6 +17,30 @@
         <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>RsaSha256</CertificateTypeString>
       </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC/GDS/own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP256</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC/GDS/own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP384</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC/GDS/own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP256r1</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>Directory</StoreType>
+        <StorePath>%LocalApplicationData%/OPC/GDS/own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP384r1</CertificateTypeString>
+      </CertificateIdentifier>
     </ApplicationCertificates>
 
     <TrustedIssuerCertificates>
@@ -143,6 +167,8 @@
               <ua:String>RsaSha256ApplicationCertificateType</ua:String>
               <ua:String>EccNistP256ApplicationCertificateType</ua:String>
               <ua:String>EccNistP384ApplicationCertificateType</ua:String>
+              <ua:String>EccBrainpoolP256r1ApplicationCertificateType</ua:String>
+              <ua:String>EccBrainpoolP384r1ApplicationCertificateType</ua:String>
             </CertificateTypes>
             <SubjectName>CN=GDS Test CA, O=OPC Foundation</SubjectName>
             <BaseStorePath>%LocalApplicationData%/OPC/GDS/CA/default</BaseStorePath>
diff --git a/Tests/Opc.Ua.Gds.Tests/Opc.Ua.GlobalDiscoveryTestServerX509Stores.Config.xml b/Tests/Opc.Ua.Gds.Tests/Opc.Ua.GlobalDiscoveryTestServerX509Stores.Config.xml
@@ -17,6 +17,30 @@
         <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
         <CertificateTypeString>RsaSha256</CertificateTypeString>
       </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>X509Store</StoreType>
+        <StorePath>CurrentUser\UA_Test_GDS_Server_own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP256</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>X509Store</StoreType>
+        <StorePath>CurrentUser\UA_Test_GDS_Server_own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>NistP384</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>X509Store</StoreType>
+        <StorePath>CurrentUser\UA_Test_GDS_Server_own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP256r1</CertificateTypeString>
+      </CertificateIdentifier>
+      <CertificateIdentifier>
+        <StoreType>X509Store</StoreType>
+        <StorePath>CurrentUser\UA_Test_GDS_Server_own</StorePath>
+        <SubjectName>CN=Global Discovery Test Server, O=OPC Foundation, DC=localhost</SubjectName>
+        <CertificateTypeString>BrainpoolP384r1</CertificateTypeString>
+      </CertificateIdentifier>
     </ApplicationCertificates>
 
     <TrustedIssuerCertificates>
@@ -143,6 +167,8 @@
               <ua:String>RsaSha256ApplicationCertificateType</ua:String>
               <ua:String>EccNistP256ApplicationCertificateType</ua:String>
               <ua:String>EccNistP384ApplicationCertificateType</ua:String>
+              <ua:String>EccBrainpoolP256r1ApplicationCertificateType</ua:String>
+              <ua:String>EccBrainpoolP384r1ApplicationCertificateType</ua:String>
             </CertificateTypes>
             <SubjectName>CN=GDS Test CA, O=OPC Foundation</SubjectName>
             <BaseStorePath>%LocalApplicationData%/OPC/GDS/CA/default</BaseStorePath>
diff --git a/Tests/Opc.Ua.Gds.Tests/PushTest.cs b/Tests/Opc.Ua.Gds.Tests/PushTest.cs
diff --git a/Tests/Opc.Ua.Gds.Tests/X509TestUtils.cs b/Tests/Opc.Ua.Gds.Tests/X509TestUtils.cs
diff --git a/Tests/Opc.Ua.Security.Certificates.Tests/CRLTests.cs b/Tests/Opc.Ua.Security.Certificates.Tests/CRLTests.cs

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,8 @@ [Optional] string trustedIssuerCertificatesStorePath`
`82`	`82`	`{`
`83`	`83`	`if (!Utils.IsSupportedCertificateType(certificateType))`
`84`	`84`	`{`
`85`		`- throw new NotImplementedException($"Unsupported certificate type {certificateType}");`
	`85`	`+ Utils.LogError("Certificate type {0} specified for Certificate Group is not supported on this platform", certificateType);`
	`86`	`+ continue;`
`86`	`87`	`}`
`87`	`88`
`88`	`89`	`CertificateTypes.Add(certificateType);`
`@@ -356,7 +357,10 @@ public virtual async Task<X509Certificate2> SigningRequestAsync(`
`356`	`357`
`357`	`358`	`#if ECC_SUPPORT`
`358`	`359`	`certificate = TryGetECCCurve(certificateType, out ECCurve curve) ?`
`359`		`- builder.SetIssuer(signingKey).SetECDsaPublicKey(info.SubjectPublicKeyInfo.GetEncoded()).CreateForECDsa() :`
	`360`	`+ builder`
	`361`	`+ .SetIssuer(signingKey)`
	`362`	`+ .SetECDsaPublicKey(info.SubjectPublicKeyInfo.GetEncoded())`
	`363`	`+ .CreateForECDsa() :`
`360`	`364`	`builder.SetHashAlgorithm(X509Utils.GetRSAHashAlgorithmName(Configuration.DefaultCertificateHashSize))`
`361`	`365`	`.SetIssuer(signingKey)`
`362`	`366`	`.SetRSAPublicKey(info.SubjectPublicKeyInfo.GetEncoded())`
Original file line number	Diff line number	Diff line change
`@@ -291,7 +291,9 @@ public virtual ICertificateBuilderIssuer SetIssuer(X509Certificate2 issuerCertif`
`291`	`291`	`private void SetHashAlgorithmSize(ECCurve curve)`
`292`	`292`	`{`
`293`	`293`	`if (curve.Oid.FriendlyName.CompareTo(ECCurve.NamedCurves.nistP384.Oid.FriendlyName) == 0 \|\|`
`294`		`- (curve.Oid.FriendlyName.CompareTo(ECCurve.NamedCurves.brainpoolP384r1.Oid.FriendlyName) == 0))`
	`294`	`+ curve.Oid.FriendlyName.CompareTo(ECCurve.NamedCurves.brainpoolP384r1.Oid.FriendlyName) == 0 \|\|`
	`295`	`+ // special case for linux where friendly name could be ECDSA_P384 instead of nistP384`
	`296`	`+ (curve.Oid?.Value != null && curve.Oid.Value.CompareTo(ECCurve.NamedCurves.nistP384.Oid.Value) == 0))`
`295`	`297`	`{`
`296`	`298`	`SetHashAlgorithm(HashAlgorithmName.SHA384);`
`297`	`299`	`}`
`@@ -388,7 +390,7 @@ protected virtual void NewSerialNumber()`
`388`	`390`	`/// </summary>`
`389`	`391`	`private protected ECCurve? m_curve;`
`390`	`392`	`#endif`
`391`		`-#endregion`
	`393`	`+ #endregion`
`392`	`394`
`393`	`395`	`#region Private Fields`
`394`	`396`	`private X509Certificate2 m_issuerCAKeyCert;`
Original file line number	Diff line number	Diff line change
`@@ -257,10 +257,9 @@ public virtual async Task UpdateCertificateAsync(SecurityConfiguration securityC`
`257`	`257`
`258`	`258`	`try`
`259`	`259`	`{`
`260`		`-`
	`260`	`+ m_applicationCertificates.Clear();`
`261`	`261`	`foreach (var applicationCertificate in securityConfiguration.ApplicationCertificates)`
`262`	`262`	`{`
`263`		`- m_applicationCertificates.RemoveAll(cert => Utils.IsEqual(cert.RawData, applicationCertificate.RawData));`
`264`	`263`	`applicationCertificate.DisposeCertificate();`
`265`	`264`	`}`
`266`	`265`