Implement AutoAcceptUntrustedCertificates flag for Client side also. F…

…ixes #1228 (#1380)
OPCFoundation · Apr 26, 2021 · f0c4674 · f0c4674
1 parent e34eb9b
commit f0c4674
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 39 deletions.
diff --git a/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs b/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs
@@ -185,11 +185,6 @@ public async Task Start(ServerBase server)
                 await LoadApplicationConfiguration(false).ConfigureAwait(false);
             }
 
-            if (m_applicationConfiguration.CertificateValidator != null)
-            {
-                m_applicationConfiguration.CertificateValidator.CertificateValidation += CertificateValidator_CertificateValidation;
-            }
-
             server.Start(m_applicationConfiguration);
         }
 
@@ -438,27 +433,6 @@ public async Task<ApplicationConfiguration> LoadApplicationConfiguration(bool si
         #endregion
 
         #region Private Methods
-        /// <summary>
-        /// Handles a certificate validation error.
-        /// </summary>
-        private void CertificateValidator_CertificateValidation(CertificateValidator validator, CertificateValidationEventArgs e)
-        {
-            try
-            {
-                if (m_applicationConfiguration.SecurityConfiguration != null
-                    && m_applicationConfiguration.SecurityConfiguration.AutoAcceptUntrustedCertificates
-                    && e.Error != null && e.Error.Code == StatusCodes.BadCertificateUntrusted)
-                {
-                    e.Accept = true;
-                    Utils.Trace(Utils.TraceMasks.Security, "Automatically accepted certificate: {0}", e.Certificate.Subject);
-                }
-            }
-            catch (Exception exception)
-            {
-                Utils.Trace(exception, "Error accepting certificate.");
-            }
-        }
-
         /// <summary>
         /// Creates an application instance certificate if one does not already exist.
         /// </summary>

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs
@@ -33,6 +33,7 @@ public class CertificateValidator : ICertificateValidator
         public CertificateValidator()
         {
             m_validatedCertificates = new Dictionary<string, X509Certificate2>();
+            m_autoAcceptUntrustedCertificates = false;
             m_rejectSHA1SignedCertificates = CertificateFactory.DefaultHashSize >= 256;
             m_rejectUnknownRevocationStatus = false;
             m_minimumCertificateKeySize = CertificateFactory.DefaultKeySize;
@@ -172,6 +173,7 @@ public virtual async Task Update(SecurityConfiguration configuration)
                     configuration.TrustedIssuerCertificates,
                     configuration.TrustedPeerCertificates,
                     configuration.RejectedCertificateStore);
+                m_autoAcceptUntrustedCertificates = configuration.AutoAcceptUntrustedCertificates;
                 m_rejectSHA1SignedCertificates = configuration.RejectSHA1SignedCertificates;
                 m_rejectUnknownRevocationStatus = configuration.RejectUnknownRevocationStatus;
                 m_minimumCertificateKeySize = configuration.MinimumCertificateKeySize;
@@ -781,22 +783,25 @@ protected virtual async Task InternalValidate(X509Certificate2Collection certifi
                 }
             }
 
-            // check if certificate issuer is trusted.
-            if (issuedByCA && !isIssuerTrusted && trustedCertificate == null)
+            if (!m_autoAcceptUntrustedCertificates)
             {
-                var message = CertificateMessage("Certificate Issuer is not trusted.", certificate);
-                sresult = new ServiceResult(StatusCodes.BadCertificateUntrusted,
-                    null, null, message, null, sresult);
-            }
-
-            // check if certificate is trusted.
-            if (trustedCertificate == null && !isIssuerTrusted)
-            {
-                if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData))
+                // check if certificate issuer is trusted.
+                if (issuedByCA && !isIssuerTrusted && trustedCertificate == null)
                 {
-                    var message = CertificateMessage("Certificate is not trusted.", certificate);
+                    var message = CertificateMessage("Certificate Issuer is not trusted.", certificate);
                     sresult = new ServiceResult(StatusCodes.BadCertificateUntrusted,
-                    null, null, message, null, sresult);
+                        null, null, message, null, sresult);
+                }
+
+                // check if certificate is trusted.
+                if (trustedCertificate == null && !isIssuerTrusted)
+                {
+                    if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData))
+                    {
+                        var message = CertificateMessage("Certificate is not trusted.", certificate);
+                        sresult = new ServiceResult(StatusCodes.BadCertificateUntrusted,
+                        null, null, message, null, sresult);
+                    }
                 }
             }
 
@@ -1146,6 +1151,7 @@ private bool FindDomain(X509Certificate2 serverCertificate, ConfiguredEndpoint e
         private event CertificateValidationEventHandler m_CertificateValidation;
         private event CertificateUpdateEventHandler m_CertificateUpdate;
         private X509Certificate2 m_applicationCertificate;
+        private bool m_autoAcceptUntrustedCertificates;
         private bool m_rejectSHA1SignedCertificates;
         private bool m_rejectUnknownRevocationStatus;
         private ushort m_minimumCertificateKeySize;