Merge with latest master

.azurepipelines/signlistDebug.txt

@@ -4,7 +4,8 @@ Stack\Opc.Ua.Core\bin\Debug\net472\Opc.Ua.Core.dll
 Stack\Opc.Ua.Core\bin\Debug\net48\Opc.Ua.Core.dll
 Stack\Opc.Ua.Core\bin\Debug\net6.0\Opc.Ua.Core.dll
 Stack\Opc.Ua.Core\bin\Debug\net8.0\Opc.Ua.Core.dll
-Stack\Opc.Ua.Bindings.Https\bin\Debug\netcoreapp3.1\Opc.Ua.Bindings.Https.dll
+Stack\Opc.Ua.Bindings.Https\bin\Debug\netstandard2.0\Opc.Ua.Bindings.Https.dll
+Stack\Opc.Ua.Bindings.Https\bin\Debug\netstandard2.1\Opc.Ua.Bindings.Https.dll
 Stack\Opc.Ua.Bindings.Https\bin\Debug\net472\Opc.Ua.Bindings.Https.dll
 Stack\Opc.Ua.Bindings.Https\bin\Debug\net48\Opc.Ua.Bindings.Https.dll
 Stack\Opc.Ua.Bindings.Https\bin\Debug\net6.0\Opc.Ua.Bindings.Https.dll
@@ -22,6 +23,7 @@ Libraries\Opc.Ua.Client\bin\Debug\net48\Opc.Ua.Client.dll
 Libraries\Opc.Ua.Client\bin\Debug\net6.0\Opc.Ua.Client.dll
 Libraries\Opc.Ua.Client\bin\Debug\net8.0\Opc.Ua.Client.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Debug\netstandard2.1\Opc.Ua.Client.ComplexTypes.dll
+Libraries\Opc.Ua.Client.ComplexTypes\bin\Debug\net462\Opc.Ua.Client.ComplexTypes.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Debug\net472\Opc.Ua.Client.ComplexTypes.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Debug\net48\Opc.Ua.Client.ComplexTypes.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Debug\net6.0\Opc.Ua.Client.ComplexTypes.dll

.azurepipelines/signlistRelease.txt

@@ -4,7 +4,8 @@ Stack\Opc.Ua.Core\bin\Release\net472\Opc.Ua.Core.dll
 Stack\Opc.Ua.Core\bin\Release\net48\Opc.Ua.Core.dll
 Stack\Opc.Ua.Core\bin\Release\net6.0\Opc.Ua.Core.dll
 Stack\Opc.Ua.Core\bin\Release\net8.0\Opc.Ua.Core.dll
-Stack\Opc.Ua.Bindings.Https\bin\Release\netcoreapp3.1\Opc.Ua.Bindings.Https.dll
+Stack\Opc.Ua.Bindings.Https\bin\Release\netstandard2.0\Opc.Ua.Bindings.Https.dll
+Stack\Opc.Ua.Bindings.Https\bin\Release\netstandard2.1\Opc.Ua.Bindings.Https.dll
 Stack\Opc.Ua.Bindings.Https\bin\Release\net472\Opc.Ua.Bindings.Https.dll
 Stack\Opc.Ua.Bindings.Https\bin\Release\net48\Opc.Ua.Bindings.Https.dll
 Stack\Opc.Ua.Bindings.Https\bin\Release\net6.0\Opc.Ua.Bindings.Https.dll
@@ -22,6 +23,7 @@ Libraries\Opc.Ua.Client\bin\Release\net48\Opc.Ua.Client.dll
 Libraries\Opc.Ua.Client\bin\Release\net6.0\Opc.Ua.Client.dll
 Libraries\Opc.Ua.Client\bin\Release\net8.0\Opc.Ua.Client.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Release\netstandard2.1\Opc.Ua.Client.ComplexTypes.dll
+Libraries\Opc.Ua.Client.ComplexTypes\bin\Release\net462\Opc.Ua.Client.ComplexTypes.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Release\net472\Opc.Ua.Client.ComplexTypes.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Release\net48\Opc.Ua.Client.ComplexTypes.dll
 Libraries\Opc.Ua.Client.ComplexTypes\bin\Release\net6.0\Opc.Ua.Client.ComplexTypes.dll

Applications/ConsoleReferenceClient/Quickstarts.ReferenceClient.Config.xml

@@ -66,7 +66,8 @@
       <StoreType>Directory</StoreType>
       <StorePath>%LocalApplicationData%/OPC Foundation/pki/rejected</StorePath>
     </RejectedCertificateStore>
-
+    <MaxRejectedCertificates>5</MaxRejectedCertificates>
+
     <!-- WARNING: The following setting (to automatically accept untrusted certificates) should be used
     for easy debugging purposes ONLY and turned off for production deployments! -->
     <AutoAcceptUntrustedCertificates>false</AutoAcceptUntrustedCertificates>

Applications/ConsoleReferenceServer/Quickstarts.ReferenceServer.Config.xml

@@ -68,6 +68,7 @@
       <StoreType>Directory</StoreType>
       <StorePath>%LocalApplicationData%/OPC Foundation/pki/rejected</StorePath>
     </RejectedCertificateStore>
+    <MaxRejectedCertificates>5</MaxRejectedCertificates>
 
     <!-- WARNING: The following setting (to automatically accept untrusted certificates) should be used
     for easy debugging purposes ONLY and turned off for production deployments! -->

Fuzzing/Encoders/Fuzz.Tests/Opc.Ua.Encoders.Fuzz.Tests.csproj

@@ -18,7 +18,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="NUnit" Version="4.1.0" />
     <PackageReference Include="NUnit.Console" Version="3.18.1" />

Libraries/Opc.Ua.Client/Session/Session.cs

@@ -1,7 +1,7 @@
 /* ========================================================================
  * Copyright (c) 2005-2020 The OPC Foundation, Inc. All rights reserved.
  *
- * OPC Foundation MIT License 1.00
+ * OPC Foundation MIT License 1.00 
  *
  * Permission is hereby granted, free of charge, to any person
  * obtaining a copy of this software and associated documentation
@@ -4390,7 +4390,7 @@ private Node ProcessReadResponse(
 
                     value = attributes[Attributes.EventNotifier];
 
-                    if (value == null)
+                    if (value == null || value.Value is null)
                     {
                         throw ServiceResultException.Create(StatusCodes.BadUnexpectedError, "Object does not support the EventNotifier attribute.");
                     }

Libraries/Opc.Ua.Configuration/ApplicationConfigurationBuilder.cs

@@ -449,6 +449,13 @@ public IApplicationConfigurationBuilderSecurityOptions SetApplicationCertificate
             return this;
         }
 
+        /// <inheritdoc/>
+        public IApplicationConfigurationBuilderSecurityOptions SetMaxRejectedCertificates(int maxRejectedCertificates)
+        {
+            ApplicationConfiguration.SecurityConfiguration.MaxRejectedCertificates = maxRejectedCertificates;
+            return this;
+        }
+
         /// <inheritdoc/>
         public IApplicationConfigurationBuilderSecurityOptions SetAutoAcceptUntrustedCertificates(bool autoAccept)
         {
@@ -1163,6 +1170,7 @@ private void SetSecureDefaults(SecurityConfiguration securityConfiguration)
             securityConfiguration.SuppressNonceValidationErrors = false;
             securityConfiguration.SendCertificateChain = true;
             securityConfiguration.MinimumCertificateKeySize = CertificateFactory.DefaultKeySize;
+            securityConfiguration.MaxRejectedCertificates = 5;
         }
 
         /// <summary>

Libraries/Opc.Ua.Configuration/ApplicationInstance.cs

@@ -1007,12 +1007,20 @@ private static async Task DeleteApplicationInstanceCertificateAsync(ApplicationC
 
                 if (!string.IsNullOrEmpty(thumbprint))
                 {
-                    using (ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
+                    ICertificateStore store = configuration.SecurityConfiguration.TrustedPeerCertificates.OpenStore();
+                    if (store != null)
                     {
-                        bool deleted = await store.Delete(thumbprint).ConfigureAwait(false);
-                        if (deleted)
+                        try
                         {
-                            Utils.LogInfo(TraceMasks.Security, "Application Instance Certificate [{0}] deleted from trusted store.", thumbprint);
+                            bool deleted = await store.Delete(thumbprint).ConfigureAwait(false);
+                            if (deleted)
+                            {
+                                Utils.LogInfo(TraceMasks.Security, "Application Instance Certificate [{0}] deleted from trusted store.", thumbprint);
+                            }
+                        }
+                        finally
+                        {
+                            store.Close();
                         }
                     }
                 }

Libraries/Opc.Ua.Configuration/IApplicationConfigurationBuilder.cs

@@ -497,6 +497,16 @@ public interface IApplicationConfigurationBuilderSecurityOptions :
         /// <param name="certIdList">A list of Certificate identifiers</param>
         IApplicationConfigurationBuilderSecurityOptions SetApplicationCertificates(CertificateIdentifierCollection certIdList);
 
+        /// <summary>
+        /// The number of rejected certificates to keep in the store.
+        /// </summary>
+        /// <param name="maxRejectedCertificates">
+        /// The number of certificates to keep in the rejected store before it is updated.
+        /// <see langword="0"/> to keep all rejected certificates.
+        /// A negative number to keep no history.
+        /// </param>
+        IApplicationConfigurationBuilderSecurityOptions SetMaxRejectedCertificates(int maxRejectedCertificates);
+
         /// <summary>
         /// Whether an unknown application certificate should be accepted
         /// once all other security checks passed.

Libraries/Opc.Ua.Gds.Server.Common/ApplicationsNodeManager.cs

@@ -291,7 +291,9 @@ protected async Task<ICertificateGroup> InitializeCertificateGroup(CertificateGr
             }
 
             ICertificateGroup certificateGroup = m_certificateGroupFactory.Create(
-                m_globalDiscoveryServerConfiguration.AuthoritiesStorePath, certificateGroupConfiguration, m_configuration.SecurityConfiguration.TrustedIssuerCertificates.StorePath);
+                m_globalDiscoveryServerConfiguration.AuthoritiesStorePath,
+                certificateGroupConfiguration,
+                m_configuration.SecurityConfiguration.TrustedIssuerCertificates.StorePath);
             SetCertificateGroupNodes(certificateGroup);
             await certificateGroup.Init().ConfigureAwait(false);
 
@@ -654,12 +656,12 @@ private ServiceResult OnGetApplication(
         }
 
         private ServiceResult OnCheckRevocationStatus(
-        ISystemContext context,
-        MethodState method,
-        NodeId objectId,
-        byte[] certificate,
-        ref StatusCode certificateStatus,
-        ref DateTime validityTime)
+            ISystemContext context,
+            MethodState method,
+            NodeId objectId,
+            byte[] certificate,
+            ref StatusCode certificateStatus,
+            ref DateTime validityTime)
         {
             AuthorizationHelper.HasAuthenticatedSecureChannel(context);
 
@@ -673,11 +675,20 @@ private ServiceResult OnCheckRevocationStatus(
                 chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                 chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
 
-                //add GDS Issuer Cert Store Certificates to the Chain validation for consitent behaviour on all Platforms
-                using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(m_configuration.SecurityConfiguration.TrustedIssuerCertificates.StorePath))
+                //add GDS Issuer Cert Store Certificates to the Chain validation for consistent behaviour on all Platforms
+                ICertificateStore store = m_configuration.SecurityConfiguration.TrustedIssuerCertificates.OpenStore();
+                if (store != null)
                 {
-                    chain.ChainPolicy.ExtraStore.AddRange(store.Enumerate().GetAwaiter().GetResult());
+                    try
+                    {
+                        chain.ChainPolicy.ExtraStore.AddRange(store.Enumerate().GetAwaiter().GetResult());
+                    }
+                    finally
+                    {
+                        store.Close();
+                    }
                 }
+
                 using (var x509 = new X509Certificate2(certificate))
                 {
                     if (chain.Build(x509))
@@ -747,13 +758,13 @@ private ServiceResult OnCheckRevocationStatus(
         }
 
         private ServiceResult OnGetCertificates(
-        ISystemContext context,
-        MethodState method,
-        NodeId objectId,
-        NodeId applicationId,
-        NodeId certificateGroupId,
-        ref NodeId[] certificateTypeIds,
-        ref byte[][] certificates)
+            ISystemContext context,
+            MethodState method,
+            NodeId objectId,
+            NodeId applicationId,
+            NodeId certificateGroupId,
+            ref NodeId[] certificateTypeIds,
+            ref byte[][] certificates)
         {
             AuthorizationHelper.HasAuthorization(context, AuthorizationHelper.CertificateAuthorityAdminOrSelfAdmin);
 
@@ -797,7 +808,7 @@ private ServiceResult OnGetCertificates(
 
             return ServiceResult.Good;
         }
-       
+
         private ServiceResult CheckHttpsDomain(ApplicationRecordDataType application, string commonName)
         {
             if (application.ApplicationType == ApplicationType.Client)
@@ -1302,9 +1313,10 @@ out privateKeyPassword
             issuerCertificates[0] = certificateGroup.Certificate.RawData;
 
             // store new app certificate
-            using (ICertificateStore store = CertificateStoreIdentifier.OpenStore(m_globalDiscoveryServerConfiguration.ApplicationCertificatesStorePath))
+            var certificateStoreIdentifier = new CertificateStoreIdentifier(m_globalDiscoveryServerConfiguration.ApplicationCertificatesStorePath);
+            using (ICertificateStore store = certificateStoreIdentifier.OpenStore())
             {
-                store.Add(certificate).Wait();
+                store?.Add(certificate).Wait();
             }
 
             m_database.SetApplicationCertificate(applicationId, m_certTypeMap[certificateGroup.CertificateType], signedCertificate);
@@ -1505,7 +1517,7 @@ protected override NodeState ValidateNode(
             handle.Validated = true;
             return handle.Node;
         }
-#endregion
+        #endregion
 
         #region Overridden Methods
         #endregion
@@ -1551,17 +1563,17 @@ protected void SetCertificateGroupNodes(ICertificateGroup certificateGroup)
             {
                 certificateGroup.DefaultTrustList.Handle = new TrustList(
                     certificateGroup.DefaultTrustList,
-                    certificateGroup.Configuration.TrustedListPath,
-                    certificateGroup.Configuration.IssuerListPath,
+                    new CertificateStoreIdentifier(certificateGroup.Configuration.TrustedListPath),
+                    new CertificateStoreIdentifier(certificateGroup.Configuration.IssuerListPath),
                     new TrustList.SecureAccess(HasTrustListAccess),
                     new TrustList.SecureAccess(HasTrustListAccess));
             }
         }
 
         #region AuthorizationHelpers
-        private void HasTrustListAccess(ISystemContext context, string trustedStorePath)
+        private void HasTrustListAccess(ISystemContext context, CertificateStoreIdentifier trustedStore)
         {
-            AuthorizationHelper.HasTrustListAccess(context, trustedStorePath, m_certTypeMap, m_database);
+            AuthorizationHelper.HasTrustListAccess(context, trustedStore, m_certTypeMap, m_database);
         }
         #endregion