Certificate manager and ref counted certificate type

Applications/ConsoleReferenceClient/ClientSamples.cs

@@ -1101,6 +1101,7 @@ ArrayOf<BrowseDescription> browseDescriptionCollection
         /// Outputs elapsed time information for perf testing and lists all
         /// types that were successfully added to the session encodeable type factory.
         /// </remarks>
+        /// <exception cref="ServiceResultException"></exception>
         public async Task LoadTypeSystemAsync(ComplexTypeSystem complexTypeSystem, CancellationToken ct = default)
         {
             m_logger.LogInformation("Load the server type system.");

Applications/ConsoleReferenceClient/ConnectTester.cs

@@ -28,7 +28,6 @@
  * ======================================================================*/
 
 using System;
-using System.Collections;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -40,6 +39,7 @@
 using Opc.Ua;
 using Opc.Ua.Client;
 using Opc.Ua.Configuration;
+using Opc.Ua.Security.Certificates;
 
 namespace Quickstarts
 {
@@ -87,20 +87,22 @@ public async Task RunAsync(CancellationToken ct)
                 // Define the UA Client application
                 var passwordProvider = new CertificatePasswordProvider([]);
 
-                var application = new ApplicationInstance(m_telemetry)
+#pragma warning disable CA2007
+                await using var application = new ApplicationInstance(m_telemetry)
                 {
                     ApplicationName = applicationName,
                     ApplicationType = ApplicationType.Client,
                     ConfigSectionName = configSectionName,
                     CertificatePasswordProvider = passwordProvider
                 };
+#pragma warning restore CA2007
 
                 // load the application configuration.
                 ApplicationConfiguration configuration = m_configuration = await application
                     .LoadApplicationConfigurationAsync(silent: false, ct: ct)
                     .ConfigureAwait(false);
 
-                m_configuration.CertificateValidator.CertificateValidation += CertificateValidation;
+                m_configuration.CertificateManager.AcceptError = AcceptCertificate;
 
                 // check the application certificate.
                 bool haveAppCertificate = await application
@@ -121,7 +123,7 @@ public async Task RunAsync(CancellationToken ct)
 
                 var endpointConfiguration = EndpointConfiguration.Create(m_configuration);
                 var sessionFactory = new DefaultSessionFactory(m_telemetry);
-                var userNameidentity = new UserIdentity(kUserName, new UTF8Encoding(false).GetBytes(kPassword));
+                using var userNameidentity = new UserIdentity(kUserName, new UTF8Encoding(false).GetBytes(kPassword));
 
                 foreach (EndpointDescription ii in endpoints.ToArray())
                 {
@@ -252,6 +254,7 @@ internal async Task<SessionWrapper> RunTestAsync(
                 endpointConfiguration);
 
             // Create the session
+#pragma warning disable CA2000 // Dispose objects before losing scope
             ISession isession = await sessionFactory
                 .CreateAsync(
                     m_configuration,
@@ -266,6 +269,7 @@ internal async Task<SessionWrapper> RunTestAsync(
                     ct
                 )
                 .ConfigureAwait(false);
+#pragma warning restore CA2000 // Dispose objects before losing scope
 
             SessionWrapper wrapper = m_wrapper = new SessionWrapper { Session = isession };
 
@@ -288,23 +292,25 @@ internal async Task<SessionWrapper> RunTestAsync(
             return wrapper;
         }
 
+#if NET8_0_OR_GREATER
         private async Task<UserIdentity> LoadUserCertificateAsync(
             string thumbprint,
             string password,
             CancellationToken ct)
         {
             CertificateTrustList store = m_configuration.SecurityConfiguration.TrustedUserCertificates;
-#if NET8_0_OR_GREATER
             // get user certificate with matching thumbprint
-            X509Certificate2Collection certificates =
+            using CertificateCollection certificates =
                 await store.GetCertificatesAsync(m_telemetry, ct).ConfigureAwait(false);
-            X509Certificate2 hit = certificates
+            using Certificate hit = certificates
                 .Find(X509FindType.FindByThumbprint, thumbprint, false)
                 .FirstOrDefault();
 
             // create Certificate Identifier
-            var cid = new CertificateIdentifier(hit)
+            var cid = new CertificateIdentifier
             {
+                Thumbprint = hit.Thumbprint,
+                SubjectName = hit.Subject,
                 StorePath = store.StorePath,
                 StoreType = store.StoreType
             };
@@ -314,11 +320,18 @@ private async Task<UserIdentity> LoadUserCertificateAsync(
                 new CertificatePasswordProvider(new UTF8Encoding(false).GetBytes(password)),
                 m_telemetry,
                 ct).ConfigureAwait(false);
+        }
 #else
-            await Task.Delay(1, ct).ConfigureAwait(false);
-            throw new NotSupportedException("User certificate identity is only supported on .NET 8 or greater.");
-#endif
+        private Task<UserIdentity> LoadUserCertificateAsync(
+            string thumbprint,
+            string password,
+            CancellationToken ct)
+        {
+            return Task.FromException<UserIdentity>(
+                new NotSupportedException(
+                    "User certificate identity is only supported on .NET 8 or greater."));
         }
+#endif
 
         private static async ValueTask<ArrayOf<EndpointDescription>> GetEndpointsAsync(
             ApplicationConfiguration application,
@@ -336,38 +349,29 @@ private static async ValueTask<ArrayOf<EndpointDescription>> GetEndpointsAsync(
             return await client.GetEndpointsAsync(default, ct).ConfigureAwait(false);
         }
 
-        private void CertificateValidation(
-            CertificateValidator sender,
-            CertificateValidationEventArgs e)
+        private bool AcceptCertificate(Certificate certificate, ServiceResult error)
         {
-            bool certificateAccepted = false;
-
             // ****
             // Implement a custom logic to decide if the certificate should be
-            // accepted or not and set certificateAccepted flag accordingly.
-            // The certificate can be retrieved from the e.Certificate field
+            // accepted. Return true to accept, false to reject.
             // ***
-
-            ServiceResult error = e.Error;
             m_logger.LogInformation("{ServiceResult}", error);
-            if (error.StatusCode == StatusCodes.BadCertificateUntrusted)
-            {
-                certificateAccepted = true;
-            }
+            bool certificateAccepted = error.StatusCode == StatusCodes.BadCertificateUntrusted;
 
             if (certificateAccepted)
             {
                 m_logger.LogInformation(
                     "Untrusted Certificate accepted. Subject = {Subject}",
-                    e.Certificate.Subject);
-                e.Accept = true;
+                    certificate.Subject);
             }
             else
             {
                 m_logger.LogInformation(
                     "Untrusted Certificate rejected. Subject = {Subject}",
-                    e.Certificate.Subject);
+                    certificate.Subject);
             }
+
+            return certificateAccepted;
         }
 
         /// <summary>
@@ -487,8 +491,8 @@ internal sealed class SessionWrapper : IUAClient
         private SessionReconnectHandler m_reconnectHandler;
         private ApplicationConfiguration m_configuration;
         private SessionWrapper m_wrapper;
-        private ILogger m_logger;
-        private ITelemetryContext m_telemetry;
+        private readonly ILogger m_logger;
+        private readonly ITelemetryContext m_telemetry;
         private readonly ManualResetEvent m_quitEvent;
 
         private const string kServerUrl = "opc.tcp://localhost:62541";

Applications/ConsoleReferenceClient/Program.cs

@@ -30,7 +30,6 @@
 using System;
 using System.Collections.Generic;
 using System.CommandLine;
-using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.IO;
 using System.Linq;
@@ -43,6 +42,7 @@
 using Opc.Ua.Client;
 using Opc.Ua.Client.ComplexTypes;
 using Opc.Ua.Configuration;
+using Opc.Ua.Security.Certificates;
 
 namespace Quickstarts.ConsoleReferenceClient
 {
@@ -249,7 +249,7 @@ public static Task<int> Main(string[] args)
                 bool enableDurableSubscriptions =
                     parseResult.GetValue(durableSubscriptionOption);
                 var serverUrl = new Uri(parseResult.GetValue(serverUrlArgument));
-                var testallEndpoints = parseResult.GetValue(testallEndpointsOption);
+                bool testallEndpoints = parseResult.GetValue(testallEndpointsOption);
 
                 ReverseConnectManager reverseConnectManager = null;
                 using var telemetry = new ConsoleTelemetry();
@@ -363,24 +363,26 @@ await application.DeleteApplicationInstanceCertificateAsync(ct: cancellationToke
                     // set user identity of type certificate
                     if (!string.IsNullOrEmpty(userCertificateThumbprint))
                     {
-                        CertificateIdentifier userCertificateIdentifier
-                                = await FindUserCertificateIdentifierAsync(
-                                    userCertificateThumbprint,
-                                    application.ApplicationConfiguration.SecurityConfiguration
-                                        .TrustedUserCertificates,
-                                    telemetry,
-                                    ct
-                                )
-                                .ConfigureAwait(true);
+                        CertificateIdentifier userCertificateIdentifier =
+                            await FindUserCertificateIdentifierAsync(
+                                userCertificateThumbprint,
+                                application.ApplicationConfiguration.SecurityConfiguration
+                                    .TrustedUserCertificates,
+                                telemetry,
+                                ct).ConfigureAwait(true);
 
                         if (userCertificateIdentifier != null)
                         {
-                            userIdentity = UserIdentity.CreateAsync(
-                                userCertificateIdentifier,
-                                new CertificatePasswordProvider(userCertificatePassword),
-                                telemetry,
-                                ct
-                            ).GetAwaiter().GetResult();
+#pragma warning disable CA2025 // Do not pass 'IDisposable' instances into unawaited tasks
+                            userIdentity = UserIdentity
+                                .CreateAsync(
+                                    userCertificateIdentifier,
+                                    new CertificatePasswordProvider(userCertificatePassword),
+                                    telemetry,
+                                    ct)
+                                .GetAwaiter()
+                                .GetResult();
+#pragma warning restore CA2025 // Do not pass 'IDisposable' instances into unawaited tasks
 
                             Console.WriteLine($"Connect with user certificate with Thumbprint {userCertificateThumbprint}");
                         }
@@ -775,18 +777,20 @@ private static async Task<CertificateIdentifier> FindUserCertificateIdentifierAs
         {
             CertificateIdentifier userCertificateIdentifier = null;
 
-            X509Certificate2Collection userCertificatesWithMatchingThumbprint =
+            using CertificateCollection certificates =
                 await trustedUserCertificates.GetCertificatesAsync(telemetry, ct).ConfigureAwait(false);
             // get user certificate with matching thumbprint
-            userCertificatesWithMatchingThumbprint =
-                userCertificatesWithMatchingThumbprint.Find(X509FindType.FindByThumbprint, thumbprint, false);
+            using CertificateCollection userCertificatesWithMatchingThumbprint =
+                certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
 
             // create Certificate Identifier
             if (userCertificatesWithMatchingThumbprint.Count == 1)
             {
-                userCertificateIdentifier = new CertificateIdentifier(
-                    userCertificatesWithMatchingThumbprint[0])
+                Certificate userCert = userCertificatesWithMatchingThumbprint[0];
+                userCertificateIdentifier = new CertificateIdentifier
                 {
+                    Thumbprint = userCert.Thumbprint,
+                    SubjectName = userCert.Subject,
                     StorePath = trustedUserCertificates.StorePath,
                     StoreType = trustedUserCertificates.StoreType
                 };

Applications/ConsoleReferenceClient/UAClient.cs

@@ -34,6 +34,7 @@
 using Microsoft.Extensions.Logging;
 using Opc.Ua;
 using Opc.Ua.Client;
+using Opc.Ua.Security.Certificates;
 
 namespace Quickstarts
 {
@@ -70,7 +71,9 @@ public UAClient(
             m_logger = telemetry.CreateLogger<UAClient>();
             m_telemetry = telemetry;
             m_configuration = configuration;
-            m_configuration.CertificateValidator.CertificateValidation += CertificateValidation;
+            // Modern global accept hook on ICertificateManager — fires for
+            // every certificate validation done via this manager.
+            m_configuration.CertificateManager.AcceptError = AcceptCertificate;
             m_reverseConnectManager = reverseConnectManager;
         }
 
@@ -95,7 +98,7 @@ protected virtual void Dispose(bool disposing)
             {
                 m_reconnectHandler?.Dispose();
                 Session?.Dispose();
-                m_configuration.CertificateValidator.CertificateValidation -= CertificateValidation;
+                m_configuration.CertificateManager.AcceptError = null;
             }
             m_disposed = true;
         }
@@ -216,13 +219,10 @@ public async Task<bool> ConnectAsync(
                                 cts.Token);
                             connection = await m_reverseConnectManager
                                 .WaitForConnectionAsync(new Uri(serverUrl), null, linkedCTS.Token)
-                                .ConfigureAwait(false);
-                            if (connection == null)
-                            {
+                                .ConfigureAwait(false) ??
                                 throw new ServiceResultException(
                                     StatusCodes.BadTimeout,
                                     "Waiting for a reverse connection timed out.");
-                            }
                             if (endpointDescription == null)
                             {
                                 Console.WriteLine("Discover reverse connection endpoints....");
@@ -455,41 +455,37 @@ private void Client_ReconnectComplete(object sender, EventArgs e)
         }
 
         /// <summary>
-        /// Handles the certificate validation event.
-        /// This event is triggered every time an untrusted certificate is received from the server.
+        /// Per-error accept callback invoked by the new
+        /// <see cref="ICertificateValidatorEx.AcceptError"/> hook every time
+        /// an untrusted certificate is received from the server. Returns
+        /// <see langword="true"/> to accept the error, <see langword="false"/>
+        /// to reject it.
         /// </summary>
-        protected virtual void CertificateValidation(
-            CertificateValidator sender,
-            CertificateValidationEventArgs e)
+        protected virtual bool AcceptCertificate(Certificate certificate, ServiceResult error)
         {
-            bool certificateAccepted = false;
-
             // ****
             // Implement a custom logic to decide if the certificate should be
-            // accepted or not and set certificateAccepted flag accordingly.
-            // The certificate can be retrieved from the e.Certificate field
+            // accepted or not. Return true to accept, false to reject.
             // ***
-
-            ServiceResult error = e.Error;
             m_logger.LogInformation("{Error}", error);
-            if (error.StatusCode == StatusCodes.BadCertificateUntrusted && AutoAccept)
-            {
-                certificateAccepted = true;
-            }
+
+            bool certificateAccepted =
+                error.StatusCode == StatusCodes.BadCertificateUntrusted && AutoAccept;
 
             if (certificateAccepted)
             {
                 m_logger.LogInformation(
                     "Untrusted Certificate accepted. Subject = {Subject}",
-                    e.Certificate.Subject);
-                e.Accept = true;
+                    certificate.Subject);
             }
             else
             {
                 m_logger.LogInformation(
                     "Untrusted Certificate rejected. Subject = {Subject}",
-                    e.Certificate.Subject);
+                    certificate.Subject);
             }
+
+            return certificateAccepted;
         }
 
         private readonly Lock m_lock = new();

Applications/ConsoleReferencePublisher/Program.cs

@@ -819,4 +819,4 @@ private static PublishedDataSetDataType CreatePublishedDataSetAllTypes()
             return publishedDataSetAllTypes;
         }
     }
-}
+}

Applications/ConsoleReferenceServer/ConsoleUtils.cs

@@ -174,12 +174,14 @@ public void ConfigureLogging(
                 string outputFilePath = configuration.TraceConfiguration.OutputFilePath;
                 if (!string.IsNullOrWhiteSpace(outputFilePath))
                 {
+#pragma warning disable CA1305 // Specify IFormatProvider
                     loggerConfiguration.WriteTo.File(
                         Utils.ReplaceSpecialFolderNames(outputFilePath),
-                        outputTemplate: "{Timestamp:yyyy-MM-dd HH:mm:ss.fff} [{Level:u3}] {Message:lj}{NewLine}{Exception}",
                         restrictedToMinimumLevel: (LogEventLevel)fileLevel,
+                        outputTemplate: "{Timestamp:yyyy-MM-dd HH:mm:ss.fff} [{Level:u3}] {Message:lj}{NewLine}{Exception}",
                         rollOnFileSizeLimit: true
                     );
+#pragma warning restore CA1305 // Specify IFormatProvider
                 }
             }