GDS: add Method CheckRevocationStatus to Client & Server

Libraries/Opc.Ua.Gds.Client.Common/GlobalDiscoveryServerClient.cs

@@ -584,6 +584,36 @@
             return null;
         }
 
+        /// <summary>
+        /// Checks the provided certificate for validity
+        /// </summary>
+        /// <param name="certificate">The DER encoded form of the Certificate to check.</param>
+        /// <param name="certificateStatus">The first error encountered when validating the Certificate.</param>
+        /// <param name="validityTime">When the result expires and should be rechecked. DateTime.MinValue if this is unknown.</param>
+        public void CheckRevocationStatus(byte[] certificate,
+            out StatusCode certificateStatus,
+            out DateTime validityTime)
+        {
+            certificateStatus = StatusCodes.Good;
+            validityTime = DateTime.MinValue;
+
+            if (!IsConnected)
+            {
+                Connect();
+            }
+
+            var outputArguments = Session.Call(
+                ExpandedNodeId.ToNodeId(Opc.Ua.Gds.ObjectIds.Directory, Session.NamespaceUris),
+                ExpandedNodeId.ToNodeId(Opc.Ua.Gds.MethodIds.CertificateDirectoryType_CheckRevocationStatus, Session.NamespaceUris),
+                certificate);
+
+            if (outputArguments.Count >= 2)
+            {
+                certificateStatus = (StatusCode)outputArguments[0];
+                validityTime = (DateTime)outputArguments[1];
+            }
+        }
+
         /// <summary>
         /// Updates the application.
         /// </summary>

Libraries/Opc.Ua.Gds.Server.Common/ApplicationsNodeManager.cs

@@ -72,6 +72,8 @@
             SystemContext.NodeIdFactory = this;
 
             // get the configuration for the node manager.
+            m_securityConfiguration = configuration.SecurityConfiguration;
+
             m_configuration = configuration.ParseExtension<GlobalDiscoveryServerConfiguration>();
 
             // use suitable defaults if no configuration exists.
@@ -417,6 +419,7 @@
                     activeNode.GetTrustList.OnCall = new GetTrustListMethodStateMethodCallHandler(OnGetTrustList);
                     activeNode.GetCertificateStatus.OnCall = new GetCertificateStatusMethodStateMethodCallHandler(OnGetCertificateStatus);
                     activeNode.StartSigningRequest.OnCall = new StartSigningRequestMethodStateMethodCallHandler(OnStartSigningRequest);
+                    activeNode.CheckRevocationStatus.OnCall = new CheckRevocationStatusMethodStateMethodCallHandler(OnCheckRevocationStatus);
                     // TODO
                     //activeNode.RevokeCertificate.OnCall = new RevokeCertificateMethodStateMethodCallHandler(OnRevokeCertificate);
 
@@ -606,6 +609,44 @@
             return ServiceResult.Good;
         }
 
+        private ServiceResult OnCheckRevocationStatus(
+        ISystemContext context,
+        MethodState method,
+        NodeId objectId,
+        byte[] certificate,
+        ref StatusCode certificateStatus,
+        ref DateTime validityTime)
+        {
+            //Check if connected using a secure channel
+            OperationContext operationContext = (context as SystemContext)?.OperationContext as OperationContext;
+            if (operationContext != null)
+            {
+                if (operationContext.ChannelContext?.EndpointDescription?.SecurityMode != MessageSecurityMode.SignAndEncrypt)
+                {
+                    throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Method has to be called from an authenticated secure channel.");
+                }
+            }
+
+                //create CertificateValidator with secure defaults
+                var certificateValidator = new CertificateValidator();
+            certificateValidator.Update(m_securityConfiguration.TrustedIssuerCertificates, null, null);
+
+
+            validityTime = DateTime.MinValue;
+
+            try
+            {
+                certificateValidator.Validate(new X509Certificate2(certificate));
+            }
+            catch (ServiceResultException se)
+            {
+                certificateStatus = se.StatusCode;
+            }
+
+            return ServiceResult.Good;
+        }
+
+
         private ServiceResult CheckHttpsDomain(ApplicationRecordDataType application, string commonName)
         {
             if (application.ApplicationType == ApplicationType.Client)
@@ -1379,6 +1420,7 @@
         private bool m_autoApprove;
         private uint m_nextNodeId;
         private GlobalDiscoveryServerConfiguration m_configuration;
+        private SecurityConfiguration m_securityConfiguration;
         private IApplicationsDatabase m_database;
         private ICertificateRequest m_request;
         private ICertificateGroup m_certificateGroupFactory;

Tests/Opc.Ua.Gds.Tests/ClientTest.cs

@@ -968,6 +968,19 @@ public void GetInvalidCertificateStatus()
             }
         }
 
+        [Test, Order(700)]
+        public void CheckGoodRevocationStatus()
+        {
+            AssertIgnoreTestWithoutGoodRegistration();
+            ConnectGDS(false);
+            foreach (var application in m_goodApplicationTestSet)
+            {
+                m_gdsClient.GDSClient.CheckRevocationStatus(application.Certificate, out StatusCode certificateStatus, out DateTime validityTime);
+                Assert.Equals(StatusCodes.Good, certificateStatus);
+                Assert.NotNull(validityTime);
+            }
+        }
+
         [Test, Order(900)]
         public void UnregisterGoodApplications()
         {
@@ -979,6 +992,19 @@ public void UnregisterGoodApplications()
             }
         }
 
+        [Test, Order(910)]
+        public void CheckRevocationStatusUnregisteredApplications()
+        {
+            AssertIgnoreTestWithoutGoodRegistration();
+            ConnectGDS(false);
+            foreach (var application in m_goodApplicationTestSet)
+            {
+                m_gdsClient.GDSClient.CheckRevocationStatus(application.Certificate, out StatusCode certificateStatus, out DateTime validityTime);
+                Assert.Equals(StatusCodes.BadCertificateRevoked, certificateStatus);
+                Assert.NotNull(validityTime);
+            }
+        }
+
         [Test, Order(910)]
         public void UnregisterInvalidApplications()
         {