GDS: Trust own CA & add revoked Certificates to CRL

[romanett]

Proposed changes

With this Pull Request i improve the reusability of the Code by changing reverences to CertificateGroup to the Interface ICertificateGroup, through this change users can extend the functionality of CertificateGroup by providing an own implementation.
Furthermore I fix two issues of the GDS:

• The GDS does not trust its own CA Certificate, therefore it rejects connection attempts from clients with a CA signed certificate (e.g. after a sucessful registration & a new CA signed Application certificate received -> Client tries to connect with the new certificate to get the TrustList -> gets rejected)
  -> new Method AddOwnCertificateToTrustedStoreAsync added to Class ApplicationInstance
  -> you can call this after starting the GDS Server with CA-Certificate of the GDS as parameter

• The GDS does not revoke Certificate in the TrustedList Store CRL, so OPC UA Applications can´t get revoked certs
  -> this is fixed by adding a call to UpdateAuthorityCertInTrustedList to the method RevokeCertificateAsync

Related Issues

• Fixes GDS does not trust it´s own CA Certificate #2327
• FIxes GDS does not revoke Certificate in the TrustedList Store CRL, so OPC UA Applications can´t get revoked certs #2332

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

[CLAassistant]

All committers have signed the CLA.

[mregen]

nice work, thanks!

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (343f7b0) 53.82% compared to head (ebe623a) 51.83%.

Files	Patch %	Lines
...raries/Opc.Ua.Configuration/ApplicationInstance.cs	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2333      +/-   ##
==========================================
- Coverage   53.82%   51.83%   -2.00%     
==========================================
  Files         331      313      -18     
  Lines       63952    61358    -2594     
  Branches    13120    12623     -497     
==========================================
- Hits        34420    31802    -2618     
- Misses      25803    26053     +250     
+ Partials     3729     3503     -226     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[romanett]

@mregen I pushed the commits without a valid git email, do I have to recreate this pull-request, or can we somehow get around this?

[mregen]

@romanett can you try to directly add a dummy commit from github? e.g. add/remove some blanks. this may pick up you as a verified user?

[ThomasNehring]

I'd approve if the comment is resolved.

[mregen]

lgtm, nice work! I could have merged without the latest sync to master.

[mregen]

Hi @romanett , due to flaky builds I'm unable to merge. Could you merge your GDS PRs with master to get the updated ci build definition? Hopefully I can merge then...