node-opcua-common 2.165.0 → 2.168.0

package/dist/applicationurn.js.map

@@ -1 +1 @@
-{"version":3,"file":"applicationurn.js","sourceRoot":"","sources":["../source/applicationurn.ts"],"names":[],"mappings":";;AAOA,gDAgBC;AAvBD;;GAEG;AACH,mCAAkC;AAElC,yDAA2C;AAE3C,SAAgB,kBAAkB,CAAC,QAAgB,EAAE,MAAc;IAE/D,IAAA,0BAAM,EAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,6BAA6B,CAAC,CAAC;IAC7D,sEAAsE;IACtE,2DAA2D;IAC3D,wEAAwE;IACxE,eAAe;IACf,IAAI,YAAY,GAAG,QAAQ,CAAC;IAC5B,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QAChD,0DAA0D;QAC1D,kCAAkC;QAClC,YAAY,GAAG,IAAA,mBAAU,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,GAAG,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC;IAC5D,IAAA,0BAAM,EAAC,cAAc,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACpC,OAAO,cAAc,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"applicationurn.js","sourceRoot":"","sources":["../source/applicationurn.ts"],"names":[],"mappings":";;AAOA,gDAeC;AAtBD;;GAEG;AACH,mCAAoC;AAEpC,yDAA2C;AAE3C,SAAgB,kBAAkB,CAAC,QAAgB,EAAE,MAAc;IAC/D,IAAA,0BAAM,EAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,6BAA6B,CAAC,CAAC;IAC7D,sEAAsE;IACtE,2DAA2D;IAC3D,wEAAwE;IACxE,eAAe;IACf,IAAI,YAAY,GAAG,QAAQ,CAAC;IAC5B,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QAChD,0DAA0D;QAC1D,kCAAkC;QAClC,YAAY,GAAG,IAAA,mBAAU,EAAC,KAAK,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,GAAG,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC;IAC5D,IAAA,0BAAM,EAAC,cAAc,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACpC,OAAO,cAAc,CAAC;AAC1B,CAAC"}

package/dist/certificate_chain_provider.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Pluggable certificate chain provider for OPC UA endpoints.
+ *
+ * Abstracts how an endpoint obtains its certificate chain and private key,
+ * allowing both static (in-memory) and dynamic (disk-based) strategies
+ * without monkey-patching.
+ *
+ * @module node-opcua-common
+ */
+import type { Certificate, PrivateKey } from "node-opcua-crypto/web";
+import type { ICertificateKeyPairProvider } from "./opcua_secure_object";
+/**
+ * Provides a certificate chain and private key to an OPC UA endpoint.
+ *
+ * Implementations may read from memory, disk, or any other source.
+ * See also {@link SecretHolder} which implements this interface for
+ * disk-based access with lazy caching.
+ */
+export interface ICertificateChainProvider extends ICertificateKeyPairProvider {
+    /**
+     * Invalidate any cached values so the next access re-reads
+     * from the underlying source. No-op for static providers.
+     */
+    invalidate(): void;
+}
+/**
+ * Holds a certificate chain and private key in memory.
+ *
+ * Used as the default provider when push certificate management
+ * is NOT installed. The chain can be replaced in-place via `update()`.
+ */
+export declare class StaticCertificateChainProvider implements ICertificateChainProvider {
+    #private;
+    constructor(chain: Certificate[], key: PrivateKey);
+    getCertificate(): Certificate;
+    getCertificateChain(): Certificate[];
+    getPrivateKey(): PrivateKey;
+    /**
+     * No-op for static provider — the chain is already in memory.
+     * Use `update()` to replace the chain explicitly.
+     */
+    invalidate(): void;
+    /**
+     * Replace the certificate chain and optionally the private key.
+     *
+     * This immediately affects all consumers that call
+     * `getCertificateChain()` on this provider (including
+     * endpoint descriptions with dynamic `serverCertificate` getters).
+     */
+    update(chain: Certificate[], key?: PrivateKey): void;
+    toJSON(): Record<string, string>;
+}

package/dist/certificate_chain_provider.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StaticCertificateChainProvider = void 0;
+/**
+ * Holds a certificate chain and private key in memory.
+ *
+ * Used as the default provider when push certificate management
+ * is NOT installed. The chain can be replaced in-place via `update()`.
+ */
+class StaticCertificateChainProvider {
+    #chain;
+    #key;
+    constructor(chain, key) {
+        this.#chain = chain;
+        this.#key = key;
+    }
+    getCertificate() {
+        return this.#chain[0];
+    }
+    getCertificateChain() {
+        return this.#chain;
+    }
+    getPrivateKey() {
+        return this.#key;
+    }
+    /**
+     * No-op for static provider — the chain is already in memory.
+     * Use `update()` to replace the chain explicitly.
+     */
+    invalidate() {
+        // nothing to invalidate for a static provider
+    }
+    /**
+     * Replace the certificate chain and optionally the private key.
+     *
+     * This immediately affects all consumers that call
+     * `getCertificateChain()` on this provider (including
+     * endpoint descriptions with dynamic `serverCertificate` getters).
+     */
+    update(chain, key) {
+        if (chain.length === 0) {
+            throw new Error("StaticCertificateChainProvider.update: chain must not be empty");
+        }
+        this.#chain = chain;
+        if (key !== undefined) {
+            this.#key = key;
+        }
+    }
+    // Prevent secrets from leaking through JSON serialization
+    toJSON() {
+        return { provider: "StaticCertificateChainProvider" };
+    }
+    // Prevent secrets from leaking through console.log / util.inspect
+    [Symbol.for("nodejs.util.inspect.custom")]() {
+        return "StaticCertificateChainProvider { <in-memory> }";
+    }
+}
+exports.StaticCertificateChainProvider = StaticCertificateChainProvider;
+//# sourceMappingURL=certificate_chain_provider.js.map

package/dist/certificate_chain_provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate_chain_provider.js","sourceRoot":"","sources":["../source/certificate_chain_provider.ts"],"names":[],"mappings":";;;AA4BA;;;;;GAKG;AACH,MAAa,8BAA8B;IACvC,MAAM,CAAgB;IACtB,IAAI,CAAa;IAEjB,YAAY,KAAoB,EAAE,GAAe;QAC7C,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;IACpB,CAAC;IAEM,cAAc;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IAEM,mBAAmB;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;IAEM,aAAa;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC;IACrB,CAAC;IAED;;;OAGG;IACI,UAAU;QACb,8CAA8C;IAClD,CAAC;IAED;;;;;;OAMG;IACI,MAAM,CAAC,KAAoB,EAAE,GAAgB;QAChD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;QACtF,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACpB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QACpB,CAAC;IACL,CAAC;IAED,0DAA0D;IACnD,MAAM;QACT,OAAO,EAAE,QAAQ,EAAE,gCAAgC,EAAE,CAAC;IAC1D,CAAC;IAED,kEAAkE;IAC3D,CAAC,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC7C,OAAO,gDAAgD,CAAC;IAC5D,CAAC;CACJ;AAvDD,wEAuDC"}

package/dist/index.d.ts

@@ -23,12 +23,13 @@
 /**
  * @module node-opcua-common
  */
-export { ServerState, ServerStatusDataType, // ServerStatus
+export { BuildInfo, DataTypeDefinition, EnumValueType, ModelChangeStructureDataType, // ModelChangeStructure
 RedundantServerDataType, // RedundantServer
-ModelChangeStructureDataType, // ModelChangeStructure
-SubscriptionDiagnosticsDataType, // SubscriptionDiagnostics
 SamplingIntervalDiagnosticsDataType, //  SamplingIntervalDiagnostics
 SemanticChangeStructureDataType, // SemanticChangeStructure
-ServerDiagnosticsSummaryDataType, SessionSecurityDiagnosticsDataType, ServiceCounterDataType, SessionDiagnosticsDataType, BuildInfo, DataTypeDefinition, EnumValueType, TimeZoneDataType, } from "node-opcua-types";
+ServerDiagnosticsSummaryDataType, ServerState, ServerStatusDataType, // ServerStatus
+ServiceCounterDataType, SessionDiagnosticsDataType, SessionSecurityDiagnosticsDataType, SubscriptionDiagnosticsDataType, // SubscriptionDiagnostics
+TimeZoneDataType } from "node-opcua-types";
 export * from "./applicationurn";
+export * from "./certificate_chain_provider";
 export * from "./opcua_secure_object";

package/dist/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TimeZoneDataType = exports.EnumValueType = exports.DataTypeDefinition = exports.BuildInfo = exports.SessionDiagnosticsDataType = exports.ServiceCounterDataType = exports.SessionSecurityDiagnosticsDataType = exports.ServerDiagnosticsSummaryDataType = exports.SemanticChangeStructureDataType = exports.SamplingIntervalDiagnosticsDataType = exports.SubscriptionDiagnosticsDataType = exports.ModelChangeStructureDataType = exports.RedundantServerDataType = exports.ServerStatusDataType = exports.ServerState = void 0;
+exports.TimeZoneDataType = exports.SubscriptionDiagnosticsDataType = exports.SessionSecurityDiagnosticsDataType = exports.SessionDiagnosticsDataType = exports.ServiceCounterDataType = exports.ServerStatusDataType = exports.ServerState = exports.ServerDiagnosticsSummaryDataType = exports.SemanticChangeStructureDataType = exports.SamplingIntervalDiagnosticsDataType = exports.RedundantServerDataType = exports.ModelChangeStructureDataType = exports.EnumValueType = exports.DataTypeDefinition = exports.BuildInfo = void 0;
 /*!
  * The MIT License (MIT)
  * Copyright (c) 2022-2025  Sterfive SAS - 833264583 RCS ORLEANS - France  (https://www.sterfive.com)
@@ -41,21 +41,22 @@ exports.TimeZoneDataType = exports.EnumValueType = exports.DataTypeDefinition =
  * @module node-opcua-common
  */
 var node_opcua_types_1 = require("node-opcua-types");
-Object.defineProperty(exports, "ServerState", { enumerable: true, get: function () { return node_opcua_types_1.ServerState; } });
-Object.defineProperty(exports, "ServerStatusDataType", { enumerable: true, get: function () { return node_opcua_types_1.ServerStatusDataType; } });
-Object.defineProperty(exports, "RedundantServerDataType", { enumerable: true, get: function () { return node_opcua_types_1.RedundantServerDataType; } });
+Object.defineProperty(exports, "BuildInfo", { enumerable: true, get: function () { return node_opcua_types_1.BuildInfo; } });
+Object.defineProperty(exports, "DataTypeDefinition", { enumerable: true, get: function () { return node_opcua_types_1.DataTypeDefinition; } });
+Object.defineProperty(exports, "EnumValueType", { enumerable: true, get: function () { return node_opcua_types_1.EnumValueType; } });
 Object.defineProperty(exports, "ModelChangeStructureDataType", { enumerable: true, get: function () { return node_opcua_types_1.ModelChangeStructureDataType; } });
-Object.defineProperty(exports, "SubscriptionDiagnosticsDataType", { enumerable: true, get: function () { return node_opcua_types_1.SubscriptionDiagnosticsDataType; } });
+Object.defineProperty(exports, "RedundantServerDataType", { enumerable: true, get: function () { return node_opcua_types_1.RedundantServerDataType; } });
 Object.defineProperty(exports, "SamplingIntervalDiagnosticsDataType", { enumerable: true, get: function () { return node_opcua_types_1.SamplingIntervalDiagnosticsDataType; } });
 Object.defineProperty(exports, "SemanticChangeStructureDataType", { enumerable: true, get: function () { return node_opcua_types_1.SemanticChangeStructureDataType; } });
 Object.defineProperty(exports, "ServerDiagnosticsSummaryDataType", { enumerable: true, get: function () { return node_opcua_types_1.ServerDiagnosticsSummaryDataType; } });
-Object.defineProperty(exports, "SessionSecurityDiagnosticsDataType", { enumerable: true, get: function () { return node_opcua_types_1.SessionSecurityDiagnosticsDataType; } });
+Object.defineProperty(exports, "ServerState", { enumerable: true, get: function () { return node_opcua_types_1.ServerState; } });
+Object.defineProperty(exports, "ServerStatusDataType", { enumerable: true, get: function () { return node_opcua_types_1.ServerStatusDataType; } });
 Object.defineProperty(exports, "ServiceCounterDataType", { enumerable: true, get: function () { return node_opcua_types_1.ServiceCounterDataType; } });
 Object.defineProperty(exports, "SessionDiagnosticsDataType", { enumerable: true, get: function () { return node_opcua_types_1.SessionDiagnosticsDataType; } });
-Object.defineProperty(exports, "BuildInfo", { enumerable: true, get: function () { return node_opcua_types_1.BuildInfo; } });
-Object.defineProperty(exports, "DataTypeDefinition", { enumerable: true, get: function () { return node_opcua_types_1.DataTypeDefinition; } });
-Object.defineProperty(exports, "EnumValueType", { enumerable: true, get: function () { return node_opcua_types_1.EnumValueType; } });
+Object.defineProperty(exports, "SessionSecurityDiagnosticsDataType", { enumerable: true, get: function () { return node_opcua_types_1.SessionSecurityDiagnosticsDataType; } });
+Object.defineProperty(exports, "SubscriptionDiagnosticsDataType", { enumerable: true, get: function () { return node_opcua_types_1.SubscriptionDiagnosticsDataType; } });
 Object.defineProperty(exports, "TimeZoneDataType", { enumerable: true, get: function () { return node_opcua_types_1.TimeZoneDataType; } });
 __exportStar(require("./applicationurn"), exports);
+__exportStar(require("./certificate_chain_provider"), exports);
 __exportStar(require("./opcua_secure_object"), exports);
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../source/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH;;GAEG;AACH,qDAgB0B;AAftB,+GAAA,WAAW,OAAA;AACX,wHAAA,oBAAoB,OAAA;AACpB,2HAAA,uBAAuB,OAAA;AACvB,gIAAA,4BAA4B,OAAA;AAC5B,mIAAA,+BAA+B,OAAA;AAC/B,uIAAA,mCAAmC,OAAA;AACnC,mIAAA,+BAA+B,OAAA;AAC/B,oIAAA,gCAAgC,OAAA;AAChC,sIAAA,kCAAkC,OAAA;AAClC,0HAAA,sBAAsB,OAAA;AACtB,8HAAA,0BAA0B,OAAA;AAC1B,6GAAA,SAAS,OAAA;AACT,sHAAA,kBAAkB,OAAA;AAClB,iHAAA,aAAa,OAAA;AACb,oHAAA,gBAAgB,OAAA;AAGpB,mDAAiC;AACjC,wDAAsC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../source/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH;;GAEG;AACH,qDAgB0B;AAftB,6GAAA,SAAS,OAAA;AACT,sHAAA,kBAAkB,OAAA;AAClB,iHAAA,aAAa,OAAA;AACb,gIAAA,4BAA4B,OAAA;AAC5B,2HAAA,uBAAuB,OAAA;AACvB,uIAAA,mCAAmC,OAAA;AACnC,mIAAA,+BAA+B,OAAA;AAC/B,oIAAA,gCAAgC,OAAA;AAChC,+GAAA,WAAW,OAAA;AACX,wHAAA,oBAAoB,OAAA;AACpB,0HAAA,sBAAsB,OAAA;AACtB,8HAAA,0BAA0B,OAAA;AAC1B,sIAAA,kCAAkC,OAAA;AAClC,mIAAA,+BAA+B,OAAA;AAC/B,oHAAA,gBAAgB,OAAA;AAGpB,mDAAiC;AACjC,+DAA6C;AAC7C,wDAAsC"}

package/dist/opcua_secure_object.d.ts

@@ -1,32 +1,76 @@
 /**
  * @module node-opcua-common
  */
-import { EventEmitter } from "events";
-import { Certificate, PrivateKey } from "node-opcua-crypto/web";
+import { EventEmitter } from "node:events";
+import { type Certificate, type PrivateKey } from "node-opcua-crypto/web";
+import type { ICertificateChainProvider } from "./certificate_chain_provider";
 export interface ICertificateKeyPairProvider {
     getCertificate(): Certificate;
-    getCertificateChain(): Certificate;
+    getCertificateChain(): Certificate[];
     getPrivateKey(): PrivateKey;
 }
-export interface ICertificateKeyPairProviderPriv extends ICertificateKeyPairProvider {
-    $$certificate: null | Certificate;
-    $$certificateChain: null | Certificate;
-    $$privateKey: null | PrivateKey;
+export interface IHasCertificateFile {
+    readonly certificateFile: string;
+    readonly privateKeyFile: string;
 }
-export declare function getPartialCertificateChain1(certificateChain?: Buffer | null, maxSize?: number): Buffer | undefined;
-export declare function getPartialCertificateChain(certificateChain?: Buffer | null, maxSize?: number): Buffer | undefined;
+/**
+ * Holds cryptographic secrets (certificate chain and private key) for a
+ * certificate/key file pair. Secrets are lazily loaded from disk on first
+ * access and kept in truly private `#`-fields so they never appear in
+ * `JSON.stringify`, `console.log`, `Object.keys`, or `util.inspect`.
+ */
+export declare class SecretHolder implements ICertificateChainProvider {
+    #private;
+    constructor(obj: IHasCertificateFile);
+    getCertificate(): Certificate;
+    getCertificateChain(): Certificate[];
+    getPrivateKey(): PrivateKey;
+    /**
+     * Clears cached secrets so the GC can reclaim sensitive material.
+     * After calling dispose the holder will re-read from disk on next access.
+     */
+    dispose(): void;
+    /**
+     * Alias for {@link dispose}.
+     * Implements `ICertificateChainProvider.invalidate()`.
+     */
+    invalidate(): void;
+    toJSON(): Record<string, string>;
+}
+/**
+ * Invalidate any cached certificate chain and private key for the given
+ * provider so that the next `getCertificate()` / `getPrivateKey()` call
+ * re-reads from disk.
+ *
+ * This is the public replacement for the old `$$certificateChain = null`
+ * / `$$privateKey = null` pattern.
+ */
+export declare function invalidateCachedSecrets(obj: ICertificateKeyPairProvider): void;
+/**
+ * Extract a partial certificate chain from a certificate chain so that the
+ * total size of the chain does not exceed maxSize.
+ * If maxSize is not provided, the full certificate chain is returned.
+ * If the first certificate in the chain already exceeds maxSize, an error is thrown.
+ *
+ * @param certificateChain - full certificate chain (single DER buffer or array)
+ * @param maxSize          - optional byte budget
+ * @returns the truncated chain as an array of individual certificates
+ */
+export declare function getPartialCertificateChain(certificateChain?: Certificate | Certificate[] | null, maxSize?: number): Certificate[];
 export interface IOPCUASecureObjectOptions {
     certificateFile?: string;
     privateKeyFile?: string;
 }
 /**
- * an object that provides a certificate and a privateKey
+ * An object that provides a certificate and a privateKey.
+ * Secrets are loaded lazily and stored in a module-private WeakMap
+ * so they never appear on the instance.
  */
-export declare class OPCUASecureObject extends EventEmitter implements ICertificateKeyPairProvider {
+export declare class OPCUASecureObject<T extends Record<string | symbol, any> = any> extends EventEmitter<T> implements ICertificateKeyPairProvider, IHasCertificateFile {
     readonly certificateFile: string;
     readonly privateKeyFile: string;
     constructor(options: IOPCUASecureObjectOptions);
     getCertificate(): Certificate;
-    getCertificateChain(): Certificate;
+    getCertificateChain(): Certificate[];
     getPrivateKey(): PrivateKey;
 }

package/dist/opcua_secure_object.js

@@ -3,52 +3,159 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OPCUASecureObject = void 0;
-exports.getPartialCertificateChain1 = getPartialCertificateChain1;
+exports.OPCUASecureObject = exports.SecretHolder = void 0;
+exports.invalidateCachedSecrets = invalidateCachedSecrets;
 exports.getPartialCertificateChain = getPartialCertificateChain;
 /**
  * @module node-opcua-common
  */
-const events_1 = require("events");
-const fs_1 = __importDefault(require("fs"));
+const node_events_1 = require("node:events");
+const node_fs_1 = __importDefault(require("node:fs"));
 const node_opcua_assert_1 = require("node-opcua-assert");
-const web_1 = require("node-opcua-crypto/web");
 const node_opcua_crypto_1 = require("node-opcua-crypto");
-function _load_certificate(certificateFilename) {
-    const der = (0, node_opcua_crypto_1.readCertificate)(certificateFilename);
-    return der;
+const web_1 = require("node-opcua-crypto/web");
+/**
+ * Holds cryptographic secrets (certificate chain and private key) for a
+ * certificate/key file pair. Secrets are lazily loaded from disk on first
+ * access and kept in truly private `#`-fields so they never appear in
+ * `JSON.stringify`, `console.log`, `Object.keys`, or `util.inspect`.
+ */
+class SecretHolder {
+    #certificateChain = null;
+    #privateKey = null;
+    #obj;
+    constructor(obj) {
+        this.#obj = obj;
+    }
+    getCertificate() {
+        // Ensure the chain is loaded before accessing [0]
+        const chain = this.getCertificateChain();
+        return chain[0];
+    }
+    getCertificateChain() {
+        if (!this.#certificateChain) {
+            const file = this.#obj.certificateFile;
+            if (!node_fs_1.default.existsSync(file)) {
+                throw new Error(`Certificate file must exist: ${file}`);
+            }
+            const chain = (0, node_opcua_crypto_1.readCertificateChain)(file);
+            if (!chain || chain.length === 0) {
+                throw new Error(`Invalid certificate chain (length=0) ${file}`);
+            }
+            this.#certificateChain = chain;
+        }
+        return this.#certificateChain;
+    }
+    getPrivateKey() {
+        if (!this.#privateKey) {
+            const file = this.#obj.privateKeyFile;
+            if (!node_fs_1.default.existsSync(file)) {
+                throw new Error(`Private key file must exist: ${file}`);
+            }
+            const key = (0, node_opcua_crypto_1.readPrivateKey)(file);
+            if (key instanceof Buffer) {
+                throw new Error(`Invalid private key ${file}. Should not be a buffer`);
+            }
+            this.#privateKey = key;
+        }
+        return this.#privateKey;
+    }
+    /**
+     * Clears cached secrets so the GC can reclaim sensitive material.
+     * After calling dispose the holder will re-read from disk on next access.
+     */
+    dispose() {
+        this.#certificateChain = null;
+        this.#privateKey = null;
+    }
+    /**
+     * Alias for {@link dispose}.
+     * Implements `ICertificateChainProvider.invalidate()`.
+     */
+    invalidate() {
+        this.dispose();
+    }
+    // Prevent secrets from leaking through JSON serialization
+    toJSON() {
+        return { certificateFile: this.#obj.certificateFile, privateKeyFile: this.#obj.privateKeyFile };
+    }
+    // Prevent secrets from leaking through console.log / util.inspect
+    [Symbol.for("nodejs.util.inspect.custom")]() {
+        return `SecretHolder { certificateFile: "${this.#obj.certificateFile}", privateKeyFile: "${this.#obj.privateKeyFile}" }`;
+    }
 }
-function _load_private_key(privateKeyFilename) {
-    return (0, node_opcua_crypto_1.readPrivateKey)(privateKeyFilename);
+exports.SecretHolder = SecretHolder;
+/**
+ * Module-private WeakMap that associates an ICertificateKeyPairProvider
+ * with its SecretHolder. Using a WeakMap means:
+ * - The secret holder is invisible from the outside (no enumerable property)
+ * - If the owning object is GC'd, the SecretHolder is automatically collected
+ */
+const secretHolders = new WeakMap();
+function getSecretHolder(obj) {
+    let holder = secretHolders.get(obj);
+    if (!holder) {
+        holder = new SecretHolder(obj);
+        secretHolders.set(obj, holder);
+    }
+    return holder;
 }
-function getPartialCertificateChain1(certificateChain, maxSize) {
-    return certificateChain || undefined;
+/**
+ * Invalidate any cached certificate chain and private key for the given
+ * provider so that the next `getCertificate()` / `getPrivateKey()` call
+ * re-reads from disk.
+ *
+ * This is the public replacement for the old `$$certificateChain = null`
+ * / `$$privateKey = null` pattern.
+ */
+function invalidateCachedSecrets(obj) {
+    const holder = secretHolders.get(obj);
+    if (holder) {
+        holder.dispose();
+    }
 }
+/**
+ * Extract a partial certificate chain from a certificate chain so that the
+ * total size of the chain does not exceed maxSize.
+ * If maxSize is not provided, the full certificate chain is returned.
+ * If the first certificate in the chain already exceeds maxSize, an error is thrown.
+ *
+ * @param certificateChain - full certificate chain (single DER buffer or array)
+ * @param maxSize          - optional byte budget
+ * @returns the truncated chain as an array of individual certificates
+ */
 function getPartialCertificateChain(certificateChain, maxSize) {
-    if (!certificateChain || certificateChain.length === 0) {
-        return undefined;
+    if (!certificateChain ||
+        (Array.isArray(certificateChain) && certificateChain.length === 0) ||
+        (certificateChain instanceof Buffer && certificateChain.length === 0)) {
+        return [];
     }
+    const certificates = Array.isArray(certificateChain) ? certificateChain : (0, web_1.split_der)(certificateChain);
     if (maxSize === undefined) {
-        return certificateChain;
+        return certificates;
     }
-    const certificates = (0, web_1.split_der)(certificateChain);
     // at least include first certificate
-    let buffer = certificates.length == 1 ? certificateChain : Buffer.from(certificates[0]);
+    const chainToReturn = [certificates[0]];
+    let cumulatedLength = certificates[0].length;
     // Throw if first certificate already exceed maxSize
-    if (buffer.length > maxSize) {
-        throw new Error(`getPartialCertificateChain not enough space for leaf certificate ${maxSize} < ${buffer.length}`);
+    if (cumulatedLength > maxSize) {
+        throw new Error(`getPartialCertificateChain not enough space for leaf certificate ${maxSize} < ${cumulatedLength}`);
     }
     let index = 1;
-    while (index < certificates.length && buffer.length + certificates[index].length < maxSize) {
-        buffer = Buffer.concat([buffer, certificates[index]]);
+    while (index < certificates.length && cumulatedLength + certificates[index].length <= maxSize) {
+        chainToReturn.push(certificates[index]);
+        cumulatedLength += certificates[index].length;
         index++;
     }
-    return buffer;
+    return chainToReturn;
 }
 /**
- * an object that provides a certificate and a privateKey
+ * An object that provides a certificate and a privateKey.
+ * Secrets are loaded lazily and stored in a module-private WeakMap
+ * so they never appear on the instance.
  */
-class OPCUASecureObject extends events_1.EventEmitter {
+// biome-ignore lint/suspicious/noExplicitAny: EventEmitter use any
+class OPCUASecureObject extends node_events_1.EventEmitter {
     certificateFile;
     privateKeyFile;
     constructor(options) {
@@ -59,34 +166,13 @@ class OPCUASecureObject extends events_1.EventEmitter {
         this.privateKeyFile = options.privateKeyFile || "invalid private key file";
     }
     getCertificate() {
-        const priv = this;
-        if (!priv.$$certificate) {
-            const certChain = this.getCertificateChain();
-            priv.$$certificate = (0, web_1.split_der)(certChain)[0];
-        }
-        return priv.$$certificate;
+        return getSecretHolder(this).getCertificate();
     }
     getCertificateChain() {
-        const priv = this;
-        if (!priv.$$certificateChain) {
-            (0, node_opcua_assert_1.assert)(fs_1.default.existsSync(this.certificateFile), "Certificate file must exist :" + this.certificateFile);
-            priv.$$certificateChain = _load_certificate(this.certificateFile);
-            if (priv.$$certificateChain && priv.$$certificateChain.length === 0) {
-                // do it again for debug purposes
-                priv.$$certificateChain = _load_certificate(this.certificateFile);
-                throw new Error("Invalid certificate length = 0 " + this.certificateFile);
-            }
-        }
-        return priv.$$certificateChain;
+        return getSecretHolder(this).getCertificateChain();
     }
     getPrivateKey() {
-        const priv = this;
-        if (!priv.$$privateKey) {
-            (0, node_opcua_assert_1.assert)(fs_1.default.existsSync(this.privateKeyFile), "private file must exist :" + this.privateKeyFile);
-            priv.$$privateKey = _load_private_key(this.privateKeyFile);
-        }
-        (0, node_opcua_assert_1.assert)(!(priv.$$privateKey instanceof Buffer), "should not be a buffer");
-        return priv.$$privateKey;
+        return getSecretHolder(this).getPrivateKey();
     }
 }
 exports.OPCUASecureObject = OPCUASecureObject;

package/dist/opcua_secure_object.js.map

@@ -1 +1 @@
-{"version":3,"file":"opcua_secure_object.js","sourceRoot":"","sources":["../source/opcua_secure_object.ts"],"names":[],"mappings":";;;;;;AA4BA,kEAGC;AACD,gEAsBC;AAtDD;;GAEG;AACH,mCAAsC;AACtC,4CAAoB;AAEpB,yDAA2C;AAC3C,+CAA2E;AAC3E,yDAAoE;AAWpE,SAAS,iBAAiB,CAAC,mBAA2B;IAClD,MAAM,GAAG,GAAG,IAAA,mCAAe,EAAC,mBAAmB,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,kBAA0B;IACjD,OAAO,IAAA,kCAAc,EAAC,kBAAkB,CAAC,CAAC;AAC9C,CAAC;AAED,SAAgB,2BAA2B,CAAC,gBAA+B,EAAE,OAAgB;IAEzF,OAAO,gBAAgB,IAAK,SAAS,CAAC;AAC1C,CAAC;AACD,SAAgB,0BAA0B,CAAC,gBAAgC,EAAE,OAAgB;IAEzF,IAAI,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,SAAS,CAAC;IACtB,CAAC;IACD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,gBAAgB,CAAC;IAC5B,CAAC;IACD,MAAM,YAAY,GAAG,IAAA,eAAS,EAAC,gBAAgB,CAAC,CAAC;IACjD,qCAAqC;IACrC,IAAI,MAAM,GAAG,YAAY,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IACxF,oDAAoD;IACpD,IAAI,MAAM,CAAC,MAAM,GAAE,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,oEAAoE,OAAO,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACtH,CAAC;IACD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,KAAK,GAAG,YAAY,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;QACzF,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACtD,KAAK,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,MAAM,CAAC;AAElB,CAAC;AAOD;;GAEG;AACH,MAAa,iBAAkB,SAAQ,qBAAY;IAC/B,eAAe,CAAS;IACxB,cAAc,CAAS;IAEvC,YAAY,OAAkC;QAC1C,KAAK,EAAE,CAAC;QACR,IAAA,0BAAM,EAAC,OAAO,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,CAAC;QACpD,IAAA,0BAAM,EAAC,OAAO,OAAO,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC;QAEnD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,0BAA0B,CAAC;QAC7E,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,0BAA0B,CAAC;IAC/E,CAAC;IAEM,cAAc;QACjB,MAAM,IAAI,GAAG,IAAkD,CAAC;QAChE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACtB,MAAM,SAAS,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC7C,IAAI,CAAC,aAAa,GAAG,IAAA,eAAS,EAAC,SAAS,CAAC,CAAC,CAAC,CAAgB,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC;IAC9B,CAAC;IAEM,mBAAmB;QACtB,MAAM,IAAI,GAAG,IAAkD,CAAC;QAChE,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC3B,IAAA,0BAAM,EAAC,YAAE,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,+BAA+B,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;YACpG,IAAI,CAAC,kBAAkB,GAAG,iBAAiB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAClE,IAAI,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClE,iCAAiC;gBACjC,IAAI,CAAC,kBAAkB,GAAG,iBAAiB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;gBAClE,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;YAC9E,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACnC,CAAC;IAEM,aAAa;QAChB,MAAM,IAAI,GAAG,IAAkD,CAAC;QAChE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACrB,IAAA,0BAAM,EAAC,YAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC;YAC9F,IAAI,CAAC,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC/D,CAAC;QACD,IAAA,0BAAM,EAAC,CAAC,CAAC,IAAI,CAAC,YAAY,YAAY,MAAM,CAAC,EAAE,wBAAwB,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC,YAAY,CAAC;IAC7B,CAAC;CACJ;AA7CD,8CA6CC"}
+{"version":3,"file":"opcua_secure_object.js","sourceRoot":"","sources":["../source/opcua_secure_object.ts"],"names":[],"mappings":";;;;;;AA8HA,0DAKC;AAYD,gEA0BC;AAzKD;;GAEG;AACH,6CAA2C;AAC3C,sDAAyB;AACzB,yDAA2C;AAC3C,yDAAyE;AACzE,+CAAqF;AAerF;;;;;GAKG;AACH,MAAa,YAAY;IACrB,iBAAiB,GAAyB,IAAI,CAAC;IAC/C,WAAW,GAAsB,IAAI,CAAC;IACtC,IAAI,CAAsB;IAE1B,YAAY,GAAwB;QAChC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;IACpB,CAAC;IAEM,cAAc;QACjB,kDAAkD;QAClD,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzC,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAEM,mBAAmB;QACtB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC;YACvC,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC;YAC5D,CAAC;YACD,MAAM,KAAK,GAAG,IAAA,wCAAoB,EAAC,IAAI,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC;QACnC,CAAC;QACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;IAClC,CAAC;IAEM,aAAa;QAChB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC;YACtC,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC;YAC5D,CAAC;YACD,MAAM,GAAG,GAAG,IAAA,kCAAc,EAAC,IAAI,CAAC,CAAC;YACjC,IAAI,GAAG,YAAY,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,0BAA0B,CAAC,CAAC;YAC3E,CAAC;YACD,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED;;;OAGG;IACI,OAAO;QACV,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;QAC9B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC5B,CAAC;IAED;;;OAGG;IACI,UAAU;QACb,IAAI,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;IAED,0DAA0D;IACnD,MAAM;QACT,OAAO,EAAE,eAAe,EAAE,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;IACpG,CAAC;IAED,kEAAkE;IAC3D,CAAC,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC7C,OAAO,oCAAoC,IAAI,CAAC,IAAI,CAAC,eAAe,uBAAuB,IAAI,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC;IAC7H,CAAC;CACJ;AAvED,oCAuEC;AAED;;;;;GAKG;AACH,MAAM,aAAa,GAAG,IAAI,OAAO,EAAwB,CAAC;AAE1D,SAAS,eAAe,CAAC,GAAsD;IAC3E,IAAI,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,MAAM,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;QAC/B,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,uBAAuB,CAAC,GAAgC;IACpE,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,MAAM,EAAE,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACrB,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,0BAA0B,CAAC,gBAAqD,EAAE,OAAgB;IAC9G,IACI,CAAC,gBAAgB;QACjB,CAAC,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,CAAC;QAClE,CAAC,gBAAgB,YAAY,MAAM,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,CAAC,EACvE,CAAC;QACC,OAAO,EAAE,CAAC;IACd,CAAC;IACD,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAA,eAAS,EAAC,gBAAgB,CAAC,CAAC;IACtG,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,YAAY,CAAC;IACxB,CAAC;IACD,qCAAqC;IACrC,MAAM,aAAa,GAAkB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,IAAI,eAAe,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC7C,oDAAoD;IACpD,IAAI,eAAe,GAAG,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oEAAoE,OAAO,MAAM,eAAe,EAAE,CAAC,CAAC;IACxH,CAAC;IACD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,KAAK,GAAG,YAAY,CAAC,MAAM,IAAI,eAAe,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,MAAM,IAAI,OAAO,EAAE,CAAC;QAC5F,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,eAAe,IAAI,YAAY,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;QAC9C,KAAK,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,aAAa,CAAC;AACzB,CAAC;AAOD;;;;GAIG;AAEH,mEAAmE;AACnE,MAAa,iBACT,SAAQ,0BAAe;IAGP,eAAe,CAAS;IACxB,cAAc,CAAS;IAEvC,YAAY,OAAkC;QAC1C,KAAK,EAAE,CAAC;QACR,IAAA,0BAAM,EAAC,OAAO,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,CAAC;QACpD,IAAA,0BAAM,EAAC,OAAO,OAAO,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,0BAA0B,CAAC;QAC7E,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,0BAA0B,CAAC;IAC/E,CAAC;IAEM,cAAc;QACjB,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,CAAC;IAClD,CAAC;IAEM,mBAAmB;QACtB,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,mBAAmB,EAAE,CAAC;IACvD,CAAC;IAEM,aAAa;QAChB,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;IACjD,CAAC;CACJ;AA1BD,8CA0BC"}

package/package.json

@@ -1,9 +1,10 @@
 {
     "name": "node-opcua-common",
-    "version": "2.165.0",
+    "version": "2.168.0",
     "description": "pure nodejs OPCUA SDK - module common",
     "scripts": {
         "test": "mocha",
+        "test:check": "tsc --noEmit -p test/tsconfig.json",
         "clean": "npx rimraf -g node_modules dist *.tsbuildinfo",
         "build": "tsc -b",
         "lint": "eslint source/**/*.ts"
@@ -12,8 +13,8 @@
     "types": "./dist/index.d.ts",
     "dependencies": {
         "node-opcua-assert": "2.164.0",
-        "node-opcua-crypto": "5.3.0",
-        "node-opcua-types": "2.165.0"
+        "node-opcua-crypto": "5.3.3",
+        "node-opcua-types": "2.168.0"
     },
     "author": "Etienne Rossignon",
     "license": "MIT",
@@ -30,7 +31,7 @@
         "internet of things"
     ],
     "homepage": "http://node-opcua.github.io/",
-    "gitHead": "fe53ac03427fcb223996446c991f7496635ba193",
+    "gitHead": "653b6d6df801ca17298308089dee32e5b12102b6",
     "files": [
         "dist",
         "source"

package/source/applicationurn.ts

@@ -1,12 +1,11 @@
 /**
  * @module node-opcua-common
  */
-import {createHash} from "crypto";
+import { createHash } from "crypto";
 
 import { assert } from "node-opcua-assert";
 
 export function makeApplicationUrn(hostname: string, suffix: string): string {
-    
     assert(!suffix.match(/urn:/), "already a application URN ?");
     // beware : Openssl doesn't support urn with length greater than 64 !!
     //          sometimes hostname length could be too long ...

package/source/certificate_chain_provider.ts

@@ -0,0 +1,90 @@
+/**
+ * Pluggable certificate chain provider for OPC UA endpoints.
+ *
+ * Abstracts how an endpoint obtains its certificate chain and private key,
+ * allowing both static (in-memory) and dynamic (disk-based) strategies
+ * without monkey-patching.
+ *
+ * @module node-opcua-common
+ */
+import type { Certificate, PrivateKey } from "node-opcua-crypto/web";
+
+import type { ICertificateKeyPairProvider } from "./opcua_secure_object";
+
+/**
+ * Provides a certificate chain and private key to an OPC UA endpoint.
+ *
+ * Implementations may read from memory, disk, or any other source.
+ * See also {@link SecretHolder} which implements this interface for
+ * disk-based access with lazy caching.
+ */
+export interface ICertificateChainProvider extends ICertificateKeyPairProvider {
+    /**
+     * Invalidate any cached values so the next access re-reads
+     * from the underlying source. No-op for static providers.
+     */
+    invalidate(): void;
+}
+
+/**
+ * Holds a certificate chain and private key in memory.
+ *
+ * Used as the default provider when push certificate management
+ * is NOT installed. The chain can be replaced in-place via `update()`.
+ */
+export class StaticCertificateChainProvider implements ICertificateChainProvider {
+    #chain: Certificate[];
+    #key: PrivateKey;
+
+    constructor(chain: Certificate[], key: PrivateKey) {
+        this.#chain = chain;
+        this.#key = key;
+    }
+
+    public getCertificate(): Certificate {
+        return this.#chain[0];
+    }
+
+    public getCertificateChain(): Certificate[] {
+        return this.#chain;
+    }
+
+    public getPrivateKey(): PrivateKey {
+        return this.#key;
+    }
+
+    /**
+     * No-op for static provider — the chain is already in memory.
+     * Use `update()` to replace the chain explicitly.
+     */
+    public invalidate(): void {
+        // nothing to invalidate for a static provider
+    }
+
+    /**
+     * Replace the certificate chain and optionally the private key.
+     *
+     * This immediately affects all consumers that call
+     * `getCertificateChain()` on this provider (including
+     * endpoint descriptions with dynamic `serverCertificate` getters).
+     */
+    public update(chain: Certificate[], key?: PrivateKey): void {
+        if (chain.length === 0) {
+            throw new Error("StaticCertificateChainProvider.update: chain must not be empty");
+        }
+        this.#chain = chain;
+        if (key !== undefined) {
+            this.#key = key;
+        }
+    }
+
+    // Prevent secrets from leaking through JSON serialization
+    public toJSON(): Record<string, string> {
+        return { provider: "StaticCertificateChainProvider" };
+    }
+
+    // Prevent secrets from leaking through console.log / util.inspect
+    public [Symbol.for("nodejs.util.inspect.custom")](): string {
+        return "StaticCertificateChainProvider { <in-memory> }";
+    }
+}

package/source/index.ts

@@ -9,10 +9,10 @@
  * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
  * the Software, and to permit persons to whom the Software is furnished to do so,
  * subject to the following conditions:
- * 
+ *
  *   The above copyright notice and this permission notice shall be included in all
  *   copies or substantial portions of the Software.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
  * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
@@ -24,22 +24,23 @@
  * @module node-opcua-common
  */
 export {
-    ServerState,
-    ServerStatusDataType,            // ServerStatus
-    RedundantServerDataType,         // RedundantServer
-    ModelChangeStructureDataType,    // ModelChangeStructure
-    SubscriptionDiagnosticsDataType, // SubscriptionDiagnostics
+    BuildInfo,
+    DataTypeDefinition,
+    EnumValueType,
+    ModelChangeStructureDataType, // ModelChangeStructure
+    RedundantServerDataType, // RedundantServer
     SamplingIntervalDiagnosticsDataType, //  SamplingIntervalDiagnostics
     SemanticChangeStructureDataType, // SemanticChangeStructure
     ServerDiagnosticsSummaryDataType,
-    SessionSecurityDiagnosticsDataType,
+    ServerState,
+    ServerStatusDataType, // ServerStatus
     ServiceCounterDataType,
     SessionDiagnosticsDataType,
-    BuildInfo,
-    DataTypeDefinition,
-    EnumValueType,
-    TimeZoneDataType,
+    SessionSecurityDiagnosticsDataType,
+    SubscriptionDiagnosticsDataType, // SubscriptionDiagnostics
+    TimeZoneDataType
 } from "node-opcua-types";
 
 export * from "./applicationurn";
+export * from "./certificate_chain_provider";
 export * from "./opcua_secure_object";

package/source/opcua_secure_object.ts

@@ -1,57 +1,172 @@
 /**
  * @module node-opcua-common
  */
-import { EventEmitter } from "events";
-import fs from "fs";
-
+import { EventEmitter } from "node:events";
+import fs from "node:fs";
 import { assert } from "node-opcua-assert";
-import { Certificate, PrivateKey, split_der } from "node-opcua-crypto/web";
-import { readCertificate, readPrivateKey } from "node-opcua-crypto";
+import { readCertificateChain, readPrivateKey } from "node-opcua-crypto";
+import { type Certificate, type PrivateKey, split_der } from "node-opcua-crypto/web";
+
+import type { ICertificateChainProvider } from "./certificate_chain_provider";
+
 export interface ICertificateKeyPairProvider {
     getCertificate(): Certificate;
-    getCertificateChain(): Certificate;
+    getCertificateChain(): Certificate[];
     getPrivateKey(): PrivateKey;
 }
-export interface ICertificateKeyPairProviderPriv extends ICertificateKeyPairProvider {
-    $$certificate: null | Certificate;
-    $$certificateChain: null | Certificate;
-    $$privateKey: null | PrivateKey;
-}
-function _load_certificate(certificateFilename: string): Certificate {
-    const der = readCertificate(certificateFilename);
-    return der;
+
+export interface IHasCertificateFile {
+    readonly certificateFile: string;
+    readonly privateKeyFile: string;
 }
 
-function _load_private_key(privateKeyFilename: string): PrivateKey {
-    return readPrivateKey(privateKeyFilename);
+/**
+ * Holds cryptographic secrets (certificate chain and private key) for a
+ * certificate/key file pair. Secrets are lazily loaded from disk on first
+ * access and kept in truly private `#`-fields so they never appear in
+ * `JSON.stringify`, `console.log`, `Object.keys`, or `util.inspect`.
+ */
+export class SecretHolder implements ICertificateChainProvider {
+    #certificateChain: Certificate[] | null = null;
+    #privateKey: PrivateKey | null = null;
+    #obj: IHasCertificateFile;
+
+    constructor(obj: IHasCertificateFile) {
+        this.#obj = obj;
+    }
+
+    public getCertificate(): Certificate {
+        // Ensure the chain is loaded before accessing [0]
+        const chain = this.getCertificateChain();
+        return chain[0];
+    }
+
+    public getCertificateChain(): Certificate[] {
+        if (!this.#certificateChain) {
+            const file = this.#obj.certificateFile;
+            if (!fs.existsSync(file)) {
+                throw new Error(`Certificate file must exist: ${file}`);
+            }
+            const chain = readCertificateChain(file);
+            if (!chain || chain.length === 0) {
+                throw new Error(`Invalid certificate chain (length=0) ${file}`);
+            }
+            this.#certificateChain = chain;
+        }
+        return this.#certificateChain;
+    }
+
+    public getPrivateKey(): PrivateKey {
+        if (!this.#privateKey) {
+            const file = this.#obj.privateKeyFile;
+            if (!fs.existsSync(file)) {
+                throw new Error(`Private key file must exist: ${file}`);
+            }
+            const key = readPrivateKey(file);
+            if (key instanceof Buffer) {
+                throw new Error(`Invalid private key ${file}. Should not be a buffer`);
+            }
+            this.#privateKey = key;
+        }
+        return this.#privateKey;
+    }
+
+    /**
+     * Clears cached secrets so the GC can reclaim sensitive material.
+     * After calling dispose the holder will re-read from disk on next access.
+     */
+    public dispose(): void {
+        this.#certificateChain = null;
+        this.#privateKey = null;
+    }
+
+    /**
+     * Alias for {@link dispose}.
+     * Implements `ICertificateChainProvider.invalidate()`.
+     */
+    public invalidate(): void {
+        this.dispose();
+    }
+
+    // Prevent secrets from leaking through JSON serialization
+    public toJSON(): Record<string, string> {
+        return { certificateFile: this.#obj.certificateFile, privateKeyFile: this.#obj.privateKeyFile };
+    }
+
+    // Prevent secrets from leaking through console.log / util.inspect
+    public [Symbol.for("nodejs.util.inspect.custom")](): string {
+        return `SecretHolder { certificateFile: "${this.#obj.certificateFile}", privateKeyFile: "${this.#obj.privateKeyFile}" }`;
+    }
 }
 
-export function getPartialCertificateChain1(certificateChain?: Buffer| null, maxSize?: number ): Buffer| undefined {
+/**
+ * Module-private WeakMap that associates an ICertificateKeyPairProvider
+ * with its SecretHolder. Using a WeakMap means:
+ * - The secret holder is invisible from the outside (no enumerable property)
+ * - If the owning object is GC'd, the SecretHolder is automatically collected
+ */
+const secretHolders = new WeakMap<object, SecretHolder>();
 
-    return certificateChain  || undefined;
+function getSecretHolder(obj: ICertificateKeyPairProvider & IHasCertificateFile): SecretHolder {
+    let holder = secretHolders.get(obj);
+    if (!holder) {
+        holder = new SecretHolder(obj);
+        secretHolders.set(obj, holder);
+    }
+    return holder;
 }
-export function getPartialCertificateChain(certificateChain?: Buffer | null, maxSize?: number): Buffer | undefined {
-    
-    if (!certificateChain || certificateChain.length === 0) {
-         return undefined;
+
+/**
+ * Invalidate any cached certificate chain and private key for the given
+ * provider so that the next `getCertificate()` / `getPrivateKey()` call
+ * re-reads from disk.
+ *
+ * This is the public replacement for the old `$$certificateChain = null`
+ * / `$$privateKey = null` pattern.
+ */
+export function invalidateCachedSecrets(obj: ICertificateKeyPairProvider): void {
+    const holder = secretHolders.get(obj);
+    if (holder) {
+        holder.dispose();
     }
+}
+
+/**
+ * Extract a partial certificate chain from a certificate chain so that the
+ * total size of the chain does not exceed maxSize.
+ * If maxSize is not provided, the full certificate chain is returned.
+ * If the first certificate in the chain already exceeds maxSize, an error is thrown.
+ *
+ * @param certificateChain - full certificate chain (single DER buffer or array)
+ * @param maxSize          - optional byte budget
+ * @returns the truncated chain as an array of individual certificates
+ */
+export function getPartialCertificateChain(certificateChain?: Certificate | Certificate[] | null, maxSize?: number): Certificate[] {
+    if (
+        !certificateChain ||
+        (Array.isArray(certificateChain) && certificateChain.length === 0) ||
+        (certificateChain instanceof Buffer && certificateChain.length === 0)
+    ) {
+        return [];
+    }
+    const certificates = Array.isArray(certificateChain) ? certificateChain : split_der(certificateChain);
     if (maxSize === undefined) {
-        return certificateChain;
+        return certificates;
     }
-    const certificates = split_der(certificateChain);
     // at least include first certificate
-    let buffer = certificates.length == 1 ? certificateChain : Buffer.from(certificates[0]);
+    const chainToReturn: Certificate[] = [certificates[0]];
+    let cumulatedLength = certificates[0].length;
     // Throw if first certificate already exceed maxSize
-    if (buffer.length> maxSize) {
-        throw new Error(`getPartialCertificateChain not enough space for leaf certificate ${maxSize} < ${buffer.length}`);
+    if (cumulatedLength > maxSize) {
+        throw new Error(`getPartialCertificateChain not enough space for leaf certificate ${maxSize} < ${cumulatedLength}`);
     }
     let index = 1;
-    while (index < certificates.length && buffer.length + certificates[index].length < maxSize) {
-        buffer = Buffer.concat([buffer, certificates[index]]);
+    while (index < certificates.length && cumulatedLength + certificates[index].length <= maxSize) {
+        chainToReturn.push(certificates[index]);
+        cumulatedLength += certificates[index].length;
         index++;
     }
-    return buffer;
-
+    return chainToReturn;
 }
 
 export interface IOPCUASecureObjectOptions {
@@ -60,9 +175,16 @@ export interface IOPCUASecureObjectOptions {
 }
 
 /**
- * an object that provides a certificate and a privateKey
+ * An object that provides a certificate and a privateKey.
+ * Secrets are loaded lazily and stored in a module-private WeakMap
+ * so they never appear on the instance.
  */
-export class OPCUASecureObject extends EventEmitter implements ICertificateKeyPairProvider {
+
+// biome-ignore lint/suspicious/noExplicitAny: EventEmitter use any
+export class OPCUASecureObject<T extends Record<string | symbol, any> = any>
+    extends EventEmitter<T>
+    implements ICertificateKeyPairProvider, IHasCertificateFile
+{
     public readonly certificateFile: string;
     public readonly privateKeyFile: string;
 
@@ -70,41 +192,19 @@ export class OPCUASecureObject extends EventEmitter implements ICertificateKeyPa
         super();
         assert(typeof options.certificateFile === "string");
         assert(typeof options.privateKeyFile === "string");
-
         this.certificateFile = options.certificateFile || "invalid certificate file";
         this.privateKeyFile = options.privateKeyFile || "invalid private key file";
     }
 
     public getCertificate(): Certificate {
-        const priv = this as unknown as ICertificateKeyPairProviderPriv;
-        if (!priv.$$certificate) {
-            const certChain = this.getCertificateChain();
-            priv.$$certificate = split_der(certChain)[0] as Certificate;
-        }
-        return priv.$$certificate;
-    }
-
-    public getCertificateChain(): Certificate {
-        const priv = this as unknown as ICertificateKeyPairProviderPriv;
-        if (!priv.$$certificateChain) {
-            assert(fs.existsSync(this.certificateFile), "Certificate file must exist :" + this.certificateFile);
-            priv.$$certificateChain = _load_certificate(this.certificateFile);
-            if (priv.$$certificateChain && priv.$$certificateChain.length === 0) {
-                // do it again for debug purposes
-                priv.$$certificateChain = _load_certificate(this.certificateFile);
-                throw new Error("Invalid certificate length = 0 " + this.certificateFile);
-            }
-        }
-        return priv.$$certificateChain;
+        return getSecretHolder(this).getCertificate();
+    }
+
+    public getCertificateChain(): Certificate[] {
+        return getSecretHolder(this).getCertificateChain();
     }
 
     public getPrivateKey(): PrivateKey {
-        const priv = this as unknown as ICertificateKeyPairProviderPriv;
-        if (!priv.$$privateKey) {
-            assert(fs.existsSync(this.privateKeyFile), "private file must exist :" + this.privateKeyFile);
-            priv.$$privateKey = _load_private_key(this.privateKeyFile);
-        }
-        assert(!(priv.$$privateKey instanceof Buffer), "should not be a buffer");
-        return priv.$$privateKey;
+        return getSecretHolder(this).getPrivateKey();
     }
 }