Fix decode of empty CRLs

Libraries/Opc.Ua.Client.ComplexTypes/Types/StructureDefinitionAttribute.cs

@@ -56,7 +56,7 @@ public enum StructureBaseDataType
     /// Attribute for a base complex type structure definition.
     /// </summary>
     [AttributeUsage(AttributeTargets.Class | AttributeTargets.Struct)]
-    public class StructureDefinitionAttribute : Attribute
+    public sealed class StructureDefinitionAttribute : Attribute
     {
         #region Constructors
         /// <summary>

Libraries/Opc.Ua.Client.ComplexTypes/Types/StructureFieldAttribute.cs

@@ -35,7 +35,7 @@ namespace Opc.Ua.Client.ComplexTypes
     /// Attribute for a base complex type field definition.
     /// </summary>
     [AttributeUsage(AttributeTargets.Property)]
-    public class StructureFieldAttribute : Attribute
+    public sealed class StructureFieldAttribute : Attribute
     {
         #region Constructors
         /// <summary>

Libraries/Opc.Ua.Security.Certificates/X509Crl/CrlBuilder.cs

@@ -49,7 +49,7 @@
         /// <param name="crl">The decoded CRL</param>
         public static CrlBuilder Create(IX509CRL crl)
         {
             return new CrlBuilder(crl);
         }
 
         /// <summary>
@@ -238,7 +238,7 @@
         public IX509CRL CreateSignature(X509SignatureGenerator generator)
         {
             byte[] tbsRawData = Encode();
             byte[] signatureAlgorithm = generator.GetSignatureAlgorithmIdentifier(HashAlgorithmName);
             byte[] signature = generator.SignData(tbsRawData, HashAlgorithmName);
             var crlSigner = new X509Signature(tbsRawData, signature, signatureAlgorithm);
             RawData = crlSigner.Encode();
@@ -329,39 +329,44 @@
                 // this update
                 WriteTime(crlWriter, ThisUpdate);
 
+                // next update is OPTIONAL
                 if (NextUpdate != DateTime.MinValue &&
                     NextUpdate > ThisUpdate)
                 {
                     // next update
                     WriteTime(crlWriter, NextUpdate);
                 }
 
-                // sequence to start the revoked certificates.
-                crlWriter.PushSequence();
-
-                foreach (RevokedCertificate revokedCert in RevokedCertificates)
+                // revocedCertificates is OPTIONAL
+                if (RevokedCertificates.Count > 0)
                 {
+                    // sequence to start the revoked certificates.
                     crlWriter.PushSequence();
 
-                    var srlNumberValue = new BigInteger(revokedCert.UserCertificate);
-                    crlWriter.WriteInteger(srlNumberValue);
-                    WriteTime(crlWriter, revokedCert.RevocationDate);
-
-                    if (revokedCert.CrlEntryExtensions.Count > 0)
+                    foreach (RevokedCertificate revokedCert in RevokedCertificates)
                     {
                         crlWriter.PushSequence();
-                        foreach (X509Extension crlEntryExt in revokedCert.CrlEntryExtensions)
+
+                        var srlNumberValue = new BigInteger(revokedCert.UserCertificate);
+                        crlWriter.WriteInteger(srlNumberValue);
+                        WriteTime(crlWriter, revokedCert.RevocationDate);
+
+                        if (revokedCert.CrlEntryExtensions.Count > 0)
                         {
-                            crlWriter.WriteExtension(crlEntryExt);
+                            crlWriter.PushSequence();
+                            foreach (X509Extension crlEntryExt in revokedCert.CrlEntryExtensions)
+                            {
+                                crlWriter.WriteExtension(crlEntryExt);
+                            }
+                            crlWriter.PopSequence();
                         }
                         crlWriter.PopSequence();
                     }
+
                     crlWriter.PopSequence();
                 }
 
-                crlWriter.PopSequence();
-
-                // CRL extensions
+                // CRL extensions OPTIONAL
                 if (CrlExtensions.Count > 0)
                 {
                     // [0]  EXPLICIT Extensions OPTIONAL

Libraries/Opc.Ua.Security.Certificates/X509Crl/X509Crl.cs

@@ -67,7 +67,7 @@
         public X509CRL(IX509CRL crl)
         {
             m_decoded = true;
             m_issuerName = crl.IssuerName;
             m_hashAlgorithmName = crl.HashAlgorithmName;
             m_thisUpdate = crl.ThisUpdate;
             m_nextUpdate = crl.NextUpdate;
@@ -173,7 +173,7 @@
                 var signature = new X509Signature(RawData);
                 result = signature.Verify(issuer);
             }
             catch (Exception)
             {
                 result = false;
             }
@@ -189,7 +189,7 @@
         /// </summary>
         public bool IsRevoked(X509Certificate2 certificate)
         {
             if (certificate.IssuerName.Equals(IssuerName))
             {
                 throw new CryptographicException("Certificate was not created by the CRL Issuer.");
             }
@@ -228,8 +228,7 @@
             try
             {
                 var crlReader = new AsnReader(tbs, AsnEncodingRules.DER);
-                Asn1Tag tag = Asn1Tag.Sequence;
-                AsnReader seqReader = crlReader.ReadSequence(tag);
+                AsnReader seqReader = crlReader.ReadSequence(Asn1Tag.Sequence);
                 crlReader.ThrowIfNotEmpty();
                 if (seqReader != null)
                 {
@@ -267,52 +266,56 @@
                     // nextUpdate is OPTIONAL
                     m_nextUpdate = X509CRL.ReadTime(seqReader, optional: true);
 
-                    var seqTag = new Asn1Tag(UniversalTagNumber.Sequence, true);
-                    peekTag = seqReader.PeekTag();
-                    if (peekTag == seqTag)
+                    // revokedCertificates is OPTIONAL
+                    if (seqReader.HasData)
                     {
-                        // revoked certificates
-                        AsnReader revReader = seqReader.ReadSequence(tag);
-                        var revokedCertificates = new List<RevokedCertificate>();
-                        while (revReader.HasData)
+                        var seqTag = new Asn1Tag(UniversalTagNumber.Sequence, true);
+                        peekTag = seqReader.PeekTag();
+                        if (peekTag == seqTag)
                         {
-                            AsnReader crlEntry = revReader.ReadSequence();
-                            System.Numerics.BigInteger serial = crlEntry.ReadInteger();
-                            var revokedCertificate = new RevokedCertificate(serial.ToByteArray());
-                            revokedCertificate.RevocationDate = X509CRL.ReadTime(crlEntry, optional: false);
-                            if (version == 1 &&
-                                crlEntry.HasData)
+                            // revoked certificates
+                            AsnReader revReader = seqReader.ReadSequence(Asn1Tag.Sequence);
+                            var revokedCertificates = new List<RevokedCertificate>();
+                            while (revReader.HasData)
                             {
-                                // CRL entry extensions
-                                AsnReader crlEntryExtensions = crlEntry.ReadSequence();
-                                while (crlEntryExtensions.HasData)
+                                AsnReader crlEntry = revReader.ReadSequence();
+                                System.Numerics.BigInteger serial = crlEntry.ReadInteger();
+                                var revokedCertificate = new RevokedCertificate(serial.ToByteArray());
+                                revokedCertificate.RevocationDate = X509CRL.ReadTime(crlEntry, optional: false);
+                                if (version == 1 &&
+                                    crlEntry.HasData)
                                 {
-                                    X509Extension extension = crlEntryExtensions.ReadExtension();
-                                    revokedCertificate.CrlEntryExtensions.Add(extension);
+                                    // CRL entry extensions
+                                    AsnReader crlEntryExtensions = crlEntry.ReadSequence();
+                                    while (crlEntryExtensions.HasData)
+                                    {
+                                        X509Extension extension = crlEntryExtensions.ReadExtension();
+                                        revokedCertificate.CrlEntryExtensions.Add(extension);
+                                    }
+                                    crlEntryExtensions.ThrowIfNotEmpty();
                                 }
-                                crlEntryExtensions.ThrowIfNotEmpty();
+                                crlEntry.ThrowIfNotEmpty();
+                                revokedCertificates.Add(revokedCertificate);
                             }
-                            crlEntry.ThrowIfNotEmpty();
-                            revokedCertificates.Add(revokedCertificate);
+                            revReader.ThrowIfNotEmpty();
+                            m_revokedCertificates = revokedCertificates;
                         }
-                        revReader.ThrowIfNotEmpty();
-                        m_revokedCertificates = revokedCertificates;
-                    }
 
-                    // CRL extensions OPTIONAL
-                    if (version == 1 &&
-                        seqReader.HasData)
-                    {
-                        var extTag = new Asn1Tag(TagClass.ContextSpecific, 0);
-                        AsnReader optReader = seqReader.ReadSequence(extTag);
-                        var crlExtensionList = new X509ExtensionCollection();
-                        AsnReader crlExtensions = optReader.ReadSequence();
-                        while (crlExtensions.HasData)
+                        // CRL extensions OPTIONAL
+                        if (version == 1 &&
+                            seqReader.HasData)
                         {
-                            X509Extension extension = crlExtensions.ReadExtension();
-                            crlExtensionList.Add(extension);
+                            var extTag = new Asn1Tag(TagClass.ContextSpecific, 0);
+                            AsnReader optReader = seqReader.ReadSequence(extTag);
+                            var crlExtensionList = new X509ExtensionCollection();
+                            AsnReader crlExtensions = optReader.ReadSequence();
+                            while (crlExtensions.HasData)
+                            {
+                                X509Extension extension = crlExtensions.ReadExtension();
+                                crlExtensionList.Add(extension);
+                            }
+                            m_crlExtensions = crlExtensionList;
                         }
-                        m_crlExtensions = crlExtensionList;
                     }
                     seqReader.ThrowIfNotEmpty();
                     m_decoded = true;

Libraries/Opc.Ua.Security.Certificates/X509Crl/X509Signature.cs

@@ -28,7 +28,6 @@
  * ======================================================================*/
 
 using System;
-using System.Diagnostics;
 using System.Formats.Asn1;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;

Tests/Opc.Ua.Security.Certificates.Tests/CRLTests.cs

@@ -122,24 +122,30 @@ public void CrlInternalBuilderTest()
         /// Validate the full CRL encoder and decoder pass.
         /// </summary>
         [Theory]
-        public void CrlBuilderTest(KeyHashPair keyHashPair)
+        public void CrlBuilderTest(bool empty, bool noExtensions, KeyHashPair keyHashPair)
         {
             var crlBuilder = CrlBuilder.Create(m_issuerCert.SubjectName, keyHashPair.HashAlgorithmName)
                 .SetThisUpdate(DateTime.UtcNow.Date)
                 .SetNextUpdate(DateTime.UtcNow.Date.AddDays(30));
 
-            // little endian byte array as serial number?
             byte[] serial = new byte[] { 4, 5, 6, 7 };
-            var revokedarray = new RevokedCertificate(serial) {
-                RevocationDate = DateTime.UtcNow.AddDays(30)
-            };
-            crlBuilder.RevokedCertificates.Add(revokedarray);
             string serstring = "123456789101";
-            var revokedstring = new RevokedCertificate(serstring);
-            crlBuilder.RevokedCertificates.Add(revokedstring);
+            if (!empty)
+            {
+                // little endian byte array as serial number?
+                var revokedarray = new RevokedCertificate(serial) {
+                    RevocationDate = DateTime.UtcNow.AddDays(30)
+                };
+                crlBuilder.RevokedCertificates.Add(revokedarray);
+                var revokedstring = new RevokedCertificate(serstring);
+                crlBuilder.RevokedCertificates.Add(revokedstring);
+            }
 
-            crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
-            crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));
+            if (!noExtensions)
+            {
+                crlBuilder.CrlExtensions.Add(X509Extensions.BuildCRLNumber(1111));
+                crlBuilder.CrlExtensions.Add(X509Extensions.BuildAuthorityKeyIdentifier(m_issuerCert));
+            }
 
             var i509Crl = crlBuilder.CreateForRSA(m_issuerCert);
             X509CRL x509Crl = new X509CRL(i509Crl.RawData);
@@ -149,10 +155,27 @@ public void CrlBuilderTest(KeyHashPair keyHashPair)
             Assert.AreEqual(m_issuerCert.SubjectName.RawData, x509Crl.IssuerName.RawData);
             Assert.AreEqual(crlBuilder.ThisUpdate, x509Crl.ThisUpdate);
             Assert.AreEqual(crlBuilder.NextUpdate, x509Crl.NextUpdate);
-            Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
-            Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
-            Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
-            Assert.AreEqual(2, x509Crl.CrlExtensions.Count);
+
+            if (empty)
+            {
+                Assert.AreEqual(0, x509Crl.RevokedCertificates.Count);
+            }
+            else
+            {
+                Assert.AreEqual(2, x509Crl.RevokedCertificates.Count);
+                Assert.AreEqual(serial, x509Crl.RevokedCertificates[0].UserCertificate);
+                Assert.AreEqual(serstring, x509Crl.RevokedCertificates[1].SerialNumber);
+            }
+
+            if (noExtensions)
+            {
+                Assert.AreEqual(0, x509Crl.CrlExtensions.Count);
+            }
+            else
+            {
+                Assert.AreEqual(2, x509Crl.CrlExtensions.Count);
+            }
+
             using (var issuerPubKey = new X509Certificate2(m_issuerCert.RawData))
             {
                 Assert.True(x509Crl.VerifySignature(issuerPubKey, true));