WIP

milo-examples/server-examples/src/main/java/org/eclipse/milo/examples/server/ExampleServer.java

@@ -37,8 +37,6 @@
 import org.eclipse.milo.opcua.stack.core.UaRuntimeException;
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.DefaultCertificateManager;
-import org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator;
-import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
@@ -118,9 +116,6 @@ public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPai
             }
         );
 
-        var trustListManager = new DefaultTrustListManager(pkiDir);
-        var certificateValidator = new DefaultServerCertificateValidator(trustListManager);
-
         var identityValidator = new UsernameIdentityValidator(
             true,
             authChallenge -> {
@@ -162,8 +157,6 @@ public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPai
                     OpcUaServer.SDK_VERSION,
                     "", DateTime.now()))
             .setCertificateManager(certificateManager)
-//            .setTrustListManager(trustListManager)
-            .setCertificateValidator(certificateValidator)
             .setIdentityValidator(new CompositeValidator(identityValidator, x509IdentityValidator))
             .setProductUri("urn:eclipse:milo:example-server")
             .build();

opc-ua-sdk/integration-tests/src/test/java/org/eclipse/milo/opcua/sdk/test/TestServer.java

@@ -32,8 +32,6 @@
 import org.eclipse.milo.opcua.stack.core.UaRuntimeException;
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.DefaultCertificateManager;
-import org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator;
-import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
@@ -108,11 +106,6 @@ public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPai
             }
         );
 
-        DefaultTrustListManager trustListManager = new DefaultTrustListManager(pkiDir);
-
-        DefaultServerCertificateValidator certificateValidator =
-            new DefaultServerCertificateValidator(trustListManager);
-
         KeyPair httpsKeyPair = SelfSignedCertificateGenerator.generateRsaKeyPair(2048);
 
         SelfSignedHttpsCertificateBuilder httpsCertificateBuilder =
@@ -159,8 +152,6 @@ public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPai
                     OpcUaServer.SDK_VERSION,
                     "", DateTime.now()))
             .setCertificateManager(certificateManager)
-//            .setTrustListManager(trustListManager)
-            .setCertificateValidator(certificateValidator)
             .setIdentityValidator(identityValidator)
             .setProductUri("urn:eclipse:milo:example-server")
             .build();

opc-ua-sdk/sdk-server/src/main/java/org/eclipse/milo/opcua/sdk/server/OpcUaServer.java

@@ -61,7 +61,6 @@
 import org.eclipse.milo.opcua.stack.core.encoding.EncodingContext;
 import org.eclipse.milo.opcua.stack.core.encoding.EncodingManager;
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
-import org.eclipse.milo.opcua.stack.core.security.CertificateValidator;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
 import org.eclipse.milo.opcua.stack.core.types.DataTypeManager;
@@ -422,11 +421,6 @@ public CertificateManager getCertificateManager() {
             return config.getCertificateManager();
         }
 
-        @Override
-        public CertificateValidator getCertificateValidator() {
-            return config.getCertificateValidator();
-        }
-
         @Override
         public Long getNextSecureChannelId() {
             return secureChannelIds.getAndIncrement();

opc-ua-sdk/sdk-server/src/main/java/org/eclipse/milo/opcua/sdk/server/OpcUaServerConfig.java

@@ -23,8 +23,6 @@
 import org.eclipse.milo.opcua.stack.core.channel.EncodingLimits;
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
-import org.eclipse.milo.opcua.stack.core.security.ServerCertificateValidator;
-import org.eclipse.milo.opcua.stack.core.security.TrustListManager;
 import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
 import org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType;
 import org.eclipse.milo.opcua.stack.core.types.structured.ApplicationDescription;
@@ -128,16 +126,6 @@ public interface OpcUaServerConfig {
      */
     CertificateManager getCertificateManager();
 
-    /**
-     * @return the {@link TrustListManager} for this server.
-     */
-//    TrustListManager getTrustListManager();
-
-    /**
-     * @return the {@link ServerCertificateValidator} for this server.
-     */
-    ServerCertificateValidator getCertificateValidator();
-
     /**
      * @return the {@link ExecutorService} for this server.
      */
@@ -175,8 +163,6 @@ static OpcUaServerConfigBuilder copy(OpcUaServerConfig config) {
         builder.setLimits(config.getLimits());
         builder.setIdentityValidator(config.getIdentityValidator());
         builder.setCertificateManager(config.getCertificateManager());
-//        builder.setTrustListManager(config.getTrustListManager());
-        builder.setCertificateValidator(config.getCertificateValidator());
         builder.setExecutor(config.getExecutor());
         builder.setScheduledExecutor(config.getScheduledExecutorService());
 

opc-ua-sdk/sdk-server/src/main/java/org/eclipse/milo/opcua/sdk/server/OpcUaServerConfigBuilder.java

@@ -20,8 +20,6 @@
 import org.eclipse.milo.opcua.stack.core.Stack;
 import org.eclipse.milo.opcua.stack.core.channel.EncodingLimits;
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
-import org.eclipse.milo.opcua.stack.core.security.ServerCertificateValidator;
-import org.eclipse.milo.opcua.stack.core.security.TrustListManager;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
 import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
 import org.eclipse.milo.opcua.stack.core.types.structured.BuildInfo;
@@ -53,8 +51,6 @@ public class OpcUaServerConfigBuilder {
     private OpcUaServerConfigLimits limits = new OpcUaServerConfigLimits() {};
 
     private CertificateManager certificateManager;
-    private TrustListManager trustListManager;
-    private ServerCertificateValidator certificateValidator;
 
     private ExecutorService executor;
     private ScheduledExecutorService scheduledExecutor;
@@ -105,16 +101,6 @@ public OpcUaServerConfigBuilder setCertificateManager(CertificateManager certifi
         return this;
     }
 
-//    public OpcUaServerConfigBuilder setTrustListManager(TrustListManager trustListManager) {
-//        this.trustListManager = trustListManager;
-//        return this;
-//    }
-
-    public OpcUaServerConfigBuilder setCertificateValidator(ServerCertificateValidator certificateValidator) {
-        this.certificateValidator = certificateValidator;
-        return this;
-    }
-
     public OpcUaServerConfigBuilder setExecutor(ExecutorService executor) {
         this.executor = executor;
         return this;
@@ -143,8 +129,6 @@ public OpcUaServerConfig build() {
             encodingLimits,
             limits,
             certificateManager,
-//            trustListManager,
-            certificateValidator,
             executor,
             scheduledExecutor
         );
@@ -162,8 +146,6 @@ public static final class OpcUaServerConfigImpl implements OpcUaServerConfig {
         private final EncodingLimits encodingLimits;
         private final OpcUaServerConfigLimits limits;
         private final CertificateManager certificateManager;
-//        private final TrustListManager trustListManager;
-        private final ServerCertificateValidator certificateValidator;
         private final ExecutorService executor;
         private final ScheduledExecutorService scheduledExecutorService;
 
@@ -177,8 +159,6 @@ public OpcUaServerConfigImpl(
             EncodingLimits encodingLimits,
             OpcUaServerConfigLimits limits,
             CertificateManager certificateManager,
-//            TrustListManager trustListManager,
-            ServerCertificateValidator certificateValidator,
             ExecutorService executor,
             ScheduledExecutorService scheduledExecutorService
         ) {
@@ -192,8 +172,6 @@ public OpcUaServerConfigImpl(
             this.encodingLimits = encodingLimits;
             this.limits = limits;
             this.certificateManager = certificateManager;
-//            this.trustListManager = trustListManager;
-            this.certificateValidator = certificateValidator;
             this.executor = executor;
             this.scheduledExecutorService = scheduledExecutorService;
         }
@@ -243,16 +221,6 @@ public CertificateManager getCertificateManager() {
             return certificateManager;
         }
 
-//        @Override
-//        public TrustListManager getTrustListManager() {
-//            return trustListManager;
-//        }
-
-        @Override
-        public ServerCertificateValidator getCertificateValidator() {
-            return certificateValidator;
-        }
-
         @Override
         public ExecutorService getExecutor() {
             return executor;

opc-ua-sdk/sdk-server/src/main/java/org/eclipse/milo/opcua/sdk/server/SessionManager.java

@@ -33,6 +33,7 @@
 import org.eclipse.milo.opcua.stack.core.UaException;
 import org.eclipse.milo.opcua.stack.core.UaRuntimeException;
 import org.eclipse.milo.opcua.stack.core.channel.SecureChannel;
+import org.eclipse.milo.opcua.stack.core.security.CertificateManager.CertificateGroup;
 import org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.types.builtin.ByteString;
@@ -58,6 +59,7 @@
 import org.eclipse.milo.opcua.stack.core.types.structured.SignedSoftwareCertificate;
 import org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken;
 import org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy;
+import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
 import org.eclipse.milo.opcua.stack.core.util.EndpointUtil;
 import org.eclipse.milo.opcua.stack.core.util.NonceUtil;
 import org.eclipse.milo.opcua.stack.core.util.SignatureUtil;
@@ -97,7 +99,7 @@ public class SessionManager {
     /**
      * Kill the session identified by {@code nodeId} and optionally delete all its subscriptions.
      *
-     * @param nodeId              the {@link NodeId} identifying the session to kill.
+     * @param nodeId the {@link NodeId} identifying the session to kill.
      * @param deleteSubscriptions {@code true} if all its subscriptions should be deleted as well.
      */
     public void killSession(NodeId nodeId, boolean deleteSubscriptions) {
@@ -272,7 +274,26 @@ public CreateSessionResponse createSession(
                 );
             }
 
-            server.getConfig().getCertificateValidator().validateCertificateChain(
+            X509Certificate serverCertificate =
+                securityConfiguration.getServerCertificate();
+
+            if (serverCertificate == null) {
+                throw new UaException(
+                    StatusCodes.Bad_InternalError,
+                    "server certificate must be non-null"
+                );
+            }
+
+            CertificateGroup certificateGroup = server.getConfig()
+                .getCertificateManager()
+                .getCertificateGroup(CertificateUtil.thumbprint(serverCertificate))
+                .orElseThrow(() ->
+                    new UaException(
+                        StatusCodes.Bad_ConfigurationError,
+                        "no certificate group for server certificate")
+                );
+
+            certificateGroup.getCertificateValidator().validateCertificateChain(
                 clientCertificateChain,
                 clientDescription.getApplicationUri()
             );
@@ -377,7 +398,7 @@ private SecurityConfiguration createSecurityConfiguration(SecureChannel secureCh
     }
 
     /**
-     * @param endpoint             an {@link EndpointDescription}.
+     * @param endpoint an {@link EndpointDescription}.
      * @param requestedEndpointUrl an endpoint URL.
      * @return {@code true} if the host in {@code endpoint} matches the host in {@code requestedEndpointUrl}.
      */
@@ -674,7 +695,7 @@ private static void verifyClientSignature(Session session, ActivateSessionReques
      * Null or empty tokens are interpreted as {@link AnonymousIdentityToken}, as per the spec.
      *
      * @param identityTokenXo the {@link ExtensionObject} to decode.
-     * @param tokenPolicies   the {@link UserTokenPolicy}s from the Session's Endpoint.
+     * @param tokenPolicies the {@link UserTokenPolicy}s from the Session's Endpoint.
      * @return a {@link UserIdentityToken} object.
      */
     @NotNull
@@ -726,7 +747,7 @@ private Object validateIdentityToken(
      * Validates the policyId on a {@link UserIdentityToken} Object is a policyId that exists on the Endpoint that
      * {@code session} is connected to.
      *
-     * @param session     the current {@link Session}
+     * @param session the current {@link Session}
      * @param tokenObject the {@link UserIdentityToken} Object from the client.
      * @return the first {@link UserTokenPolicy} on the Endpoint matching the policyId.
      * @throws UaException if the token object is invalid or no matching policy is found.

opc-ua-sdk/sdk-server/src/test/java/org/eclipse/milo/opcua/sdk/server/OpcUaServerConfigTest.java

@@ -17,7 +17,6 @@
 
 import org.eclipse.milo.opcua.sdk.server.identity.AnonymousIdentityValidator;
 import org.eclipse.milo.opcua.stack.core.security.DefaultCertificateManager;
-import org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator;
 import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
 import org.eclipse.milo.opcua.stack.core.types.structured.BuildInfo;
@@ -37,8 +36,6 @@ public void testCopy() throws IOException {
 
         OpcUaServerConfig original = OpcUaServerConfig.builder()
             .setCertificateManager(new DefaultCertificateManager())
-//            .setTrustListManager(trustListManager)
-            .setCertificateValidator(new DefaultServerCertificateValidator(trustListManager))
             .setIdentityValidator(AnonymousIdentityValidator.INSTANCE)
             .setBuildInfo(new BuildInfo("a", "b", "c", "d", "e", DateTime.MIN_VALUE))
             .setLimits(new OpcUaServerConfigLimits() {})

opc-ua-sdk/sdk-tests/src/test/java/org/eclipse/milo/opcua/sdk/client/TestCertificateManager.java

@@ -17,6 +17,8 @@
 import java.util.Optional;
 
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
+import org.eclipse.milo.opcua.stack.core.security.MemoryKeyManager;
+import org.eclipse.milo.opcua.stack.core.security.MemoryTrustListManager;
 import org.eclipse.milo.opcua.stack.core.types.builtin.ByteString;
 import org.eclipse.milo.opcua.stack.core.types.builtin.NodeId;
 
@@ -25,9 +27,27 @@ public class TestCertificateManager implements CertificateManager {
     private final KeyPair keyPair;
     private final X509Certificate certificate;
 
+    private final CertificateGroup certificateGroup;
+
     public TestCertificateManager(KeyPair keyPair, X509Certificate certificate) {
         this.keyPair = keyPair;
         this.certificate = certificate;
+
+        certificateGroup = new DefaultApplicationGroup(
+            new MemoryKeyManager(),
+            new MemoryTrustListManager(),
+            new CertificateFactory() {
+                @Override
+                public KeyPair createKeyPair(NodeId certificateTypeId) {
+                    return keyPair;
+                }
+
+                @Override
+                public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPair keyPair) {
+                    return new X509Certificate[]{certificate};
+                }
+            }
+        );
     }
 
     @Override
@@ -45,14 +65,19 @@ public Optional<X509Certificate[]> getCertificateChain(ByteString thumbprint) {
         return getCertificate(thumbprint).map(c -> new X509Certificate[]{c});
     }
 
+    @Override
+    public Optional<CertificateGroup> getCertificateGroup(ByteString thumbprint) {
+        return Optional.of(certificateGroup);
+    }
+
     @Override
     public Optional<CertificateGroup> getCertificateGroup(NodeId certificateGroupId) {
-        return Optional.empty();
+        return Optional.of(certificateGroup);
     }
 
     @Override
     public List<CertificateGroup> getCertificateGroups() {
-        return Collections.emptyList();
+        return List.of(certificateGroup);
     }
 
     @Override