use X509IdentityTokenHandler from secure-channel-enhancements-2025-11

Author: mrsuciu

Stack/Opc.Ua.Core/Stack/Types/X509IdentityTokenHandler.cs

@@ -43,6 +43,13 @@ public sealed class X509IdentityTokenHandler : IUserIdentityTokenHandler
         public X509IdentityTokenHandler(X509IdentityToken token)
         {
             m_token = token;
+
+            if (m_token.CertificateData != null)
+            {
+                m_certificate = CertificateFactory.Create(m_token.CertificateData);
+            }
+
+            m_ownsCertificate = true;
         }
 
         /// <summary>
@@ -66,12 +73,29 @@ public X509IdentityTokenHandler(X509Certificate2 certificate)
             }
 
             Certificate = certificate;
+            m_ownsCertificate = true;
             m_token = new X509IdentityToken
             {
                 CertificateData = certificate.RawData
             };
         }
 
+        /// <summary>
+        /// Private constructor for <see cref="Clone"/>. The cloned handler
+        /// shares the certificate reference but does not own it, so it will
+        /// not dispose the certificate. This is necessary because the
+        /// certificate's private key may reside in protected storage and
+        /// cannot be deep-copied.
+        /// </summary>
+        private X509IdentityTokenHandler(
+            X509IdentityToken token,
+            X509Certificate2 certificate)
+        {
+            m_token = token;
+            m_certificate = certificate;
+            m_ownsCertificate = false;
+        }
+
         /// <summary>
         /// The certificate associated with the token.
         /// </summary>
@@ -134,16 +158,13 @@ public SignatureData Sign(
             byte[] dataToSign,
             string securityPolicyUri)
         {
-            X509Certificate2 certificate = Certificate ??
-                CertificateFactory.Create(m_token.CertificateData);
+            var info = SecurityPolicies.GetInfo(securityPolicyUri);
 
-            SignatureData signatureData = SecurityPolicies.CreateSignatureData(
-                securityPolicyUri,
-                certificate,
+            var signatureData = SecurityPolicies.CreateSignatureData(
+                info,
+                m_certificate,
                 dataToSign);
 
-            m_token.CertificateData = certificate.RawData;
-
             return signatureData;
         }
 
@@ -155,17 +176,14 @@ public bool Verify(
         {
             try
             {
-                X509Certificate2 certificate = Certificate ??
-                    CertificateFactory.Create(m_token.CertificateData);
+                var info = SecurityPolicies.GetInfo(securityPolicyUri);
 
                 bool valid = SecurityPolicies.VerifySignatureData(
                     signatureData,
-                    securityPolicyUri,
-                    certificate,
+                    info,
+                    m_certificate,
                     dataToVerify);
 
-                m_token.CertificateData = certificate.RawData;
-
                 return valid;
             }
             catch (Exception e)
@@ -180,19 +198,19 @@ public bool Verify(
         /// <inheritdoc/>
         public void Dispose()
         {
-            // TODOL Utils.SilentDispose(m_certificate);
+            if (m_ownsCertificate)
+            {
+                Utils.SilentDispose(m_certificate);
+            }
             m_certificate = null;
         }
 
         /// <inheritdoc/>
         public object Clone()
         {
-            return new X509IdentityTokenHandler(Utils.Clone(m_token))
-            {
-                // Keep the in-memory certificate instance so private key operations
-                // continue to work when cloned handlers are used for signing.
-                Certificate = m_certificate
-            };
+            return new X509IdentityTokenHandler(
+                Utils.Clone(m_token),
+                m_certificate);
         }
 
         /// <inheritdoc/>
@@ -206,6 +224,7 @@ public bool Equals(IUserIdentityTokenHandler other)
         }
 
         private readonly X509IdentityToken m_token;
+        private readonly bool m_ownsCertificate;
         private X509Certificate2 m_certificate;
     }
 }