node-opcua-server-configuration 2.163.0 → 2.164.2

package/source/server/push_certificate_manager/create_signing_request.ts

@@ -0,0 +1,137 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { CertificateManager } from "node-opcua-certificate-manager";
+import { convertPEMtoDER, type DirectoryName, exploreCertificate, readCertificate } from "node-opcua-crypto";
+import { checkDebugFlag, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
+import { NodeId, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
+import type { SubjectOptions } from "node-opcua-pki";
+import { StatusCodes } from "node-opcua-status-code";
+
+import type { CreateSigningRequestResult } from "../../push_certificate_manager.js";
+import type { PushCertificateManagerInternalContext } from "./internal_context.js";
+import { subjectToString } from "./subject_to_string.js";
+import { resolveCertificateGroupContext } from "./util.js";
+
+const warningLog = make_warningLog("ServerConfiguration");
+const errorLog = make_errorLog("ServerConfiguration");
+const debugLog = make_debugLog("ServerConfiguration");
+const doDebug = checkDebugFlag("ServerConfiguration");
+
+export async function executeCreateSigningRequest(
+    serverImpl: PushCertificateManagerInternalContext,
+    certificateGroupId: NodeId | string,
+    certificateTypeId: NodeId | string,
+    subjectName: string | SubjectOptions | null,
+    regeneratePrivateKey?: boolean,
+    nonce?: Buffer
+): Promise<CreateSigningRequestResult> {
+    // Resolve context using our util
+    const context = resolveCertificateGroupContext(serverImpl, certificateGroupId);
+    if (context.statusCode.isNotGood() || !context.certificateManager) {
+        doDebug && debugLog(" cannot find group ", certificateGroupId);
+        return { statusCode: StatusCodes.BadInvalidArgument };
+    }
+
+    const { certificateManager, allowedTypes } = context;
+
+    // Validate Certificate Type
+    if (certificateTypeId) {
+        let typeNodeId: NodeId;
+        if (typeof certificateTypeId === "string") {
+            if (certificateTypeId !== "") {
+                try {
+                    typeNodeId = resolveNodeId(certificateTypeId);
+                } catch {
+                    warningLog("Invalid certificateTypeId string:", certificateTypeId);
+                    return { statusCode: StatusCodes.BadInvalidArgument };
+                }
+                if (!sameNodeId(typeNodeId, NodeId.nullNodeId)) {
+                    const isValidType = allowedTypes?.some((t) => sameNodeId(t, typeNodeId));
+                    if (!isValidType) {
+                        warningLog("certificateTypeId is not in the allowed types for this certificate group:", certificateTypeId);
+                        return { statusCode: StatusCodes.BadNotSupported };
+                    }
+                }
+            }
+        } else {
+            typeNodeId = certificateTypeId;
+            if (!sameNodeId(typeNodeId, NodeId.nullNodeId)) {
+                const isValidType = allowedTypes?.some((t) => sameNodeId(t, typeNodeId));
+                if (!isValidType) {
+                    warningLog("certificateTypeId is not in the allowed types for this certificate group:", certificateTypeId);
+                    return { statusCode: StatusCodes.BadNotSupported };
+                }
+            }
+        }
+    }
+
+    // Resolve Subject Name
+    if (!subjectName) {
+        const currentCertificateFilename = path.join(certificateManager.rootDir, "own/certs/certificate.pem");
+        try {
+            const certificate = readCertificate(currentCertificateFilename);
+            const e = exploreCertificate(certificate);
+            subjectName = subjectToString(e.tbsCertificate.subject as SubjectOptions & DirectoryName);
+            warningLog("reusing existing certificate subjectName = ", subjectName);
+        } catch (err) {
+            errorLog(
+                "Cannot find existing certificate to extract subjectName",
+                currentCertificateFilename,
+                ":",
+                (err as Error).message
+            );
+            return { statusCode: StatusCodes.BadInvalidState };
+        }
+    }
+
+    if (typeof subjectName !== "string") {
+        return { statusCode: StatusCodes.BadInternalError };
+    }
+
+    // Regenerate Private Key Logic
+    if (regeneratePrivateKey) {
+        if (!nonce || nonce.length < 32) {
+            warningLog("nonce should be provided when regeneratePrivateKey is set, and length shall be at least 32 bytes");
+            return { statusCode: StatusCodes.BadInvalidArgument };
+        }
+
+        const volatileTmp = await serverImpl.fileTransactionManager.getTmpDir();
+        const tmpPKI = path.join(volatileTmp, `pki${crypto.randomUUID()}`);
+
+        const tempCertificateManager = new CertificateManager({
+            keySize: certificateManager.keySize,
+            location: tmpPKI
+        });
+
+        doDebug && debugLog("generating a new private key ...");
+        await tempCertificateManager.initialize();
+
+        serverImpl.tmpCertificateManager = tempCertificateManager;
+
+        const generatedPrivateKeyPEM = await fs.promises.readFile(tempCertificateManager.privateKey, "utf8");
+        await serverImpl.fileTransactionManager.stageFile(certificateManager.privateKey, generatedPrivateKeyPEM, "utf8");
+
+        serverImpl.fileTransactionManager.addCleanupTask(async () => {
+            await tempCertificateManager.dispose();
+            serverImpl.tmpCertificateManager = undefined;
+        });
+    }
+
+    const options = {
+        applicationUri: serverImpl.applicationUri,
+        subject: subjectName
+    };
+
+    const activeCertificateManager = serverImpl.tmpCertificateManager || certificateManager;
+
+    await activeCertificateManager.initialize();
+    const csrFile = await activeCertificateManager.createCertificateRequest(options);
+    const csrPEM = await fs.promises.readFile(csrFile, "utf8");
+    const certificateSigningRequest = convertPEMtoDER(csrPEM);
+
+    return {
+        certificateSigningRequest,
+        statusCode: StatusCodes.Good
+    };
+}

package/source/server/push_certificate_manager/get_rejected_list.ts

@@ -0,0 +1,63 @@
+import fs from "node:fs";
+import path from "node:path";
+import type { CertificateManager } from "node-opcua-certificate-manager";
+import { convertPEMtoDER } from "node-opcua-crypto";
+import { StatusCodes } from "node-opcua-status-code";
+import type { GetRejectedListResult } from "../../push_certificate_manager.js";
+import type { PushCertificateManagerInternalContext } from "./internal_context.js";
+
+interface FileData {
+    filename: string;
+    stat: {
+        mtime: Date;
+    };
+}
+
+async function extractRejectedList(group: CertificateManager | undefined, certificateList: FileData[]): Promise<void> {
+    if (!group) {
+        return;
+    }
+    const rejectedFolder = path.join(group.rootDir, "rejected");
+    try {
+        const files = await fs.promises.readdir(rejectedFolder);
+
+        const promises: Promise<fs.Stats>[] = [];
+        for (const certFile of files) {
+            promises.push(fs.promises.stat(path.join(rejectedFolder, certFile)));
+        }
+        const stats = await Promise.all(promises);
+
+        for (let i = 0; i < stats.length; i++) {
+            certificateList.push({
+                filename: path.join(rejectedFolder, files[i]),
+                stat: stats[i]
+            });
+        }
+    } catch (_err) {
+        // Directory might not exist yet, ignore
+    }
+}
+
+export async function executeGetRejectedList(serverImpl: PushCertificateManagerInternalContext): Promise<GetRejectedListResult> {
+    const list: FileData[] = [];
+
+    await extractRejectedList(serverImpl.applicationGroup, list);
+    await extractRejectedList(serverImpl.userTokenGroup, list);
+    await extractRejectedList(serverImpl.httpsGroup, list);
+
+    // sort list from newer file to older file
+    list.sort((a: FileData, b: FileData) => b.stat.mtime.getTime() - a.stat.mtime.getTime());
+
+    const promises: Promise<string>[] = [];
+    for (const item of list) {
+        promises.push(fs.promises.readFile(item.filename, "utf8"));
+    }
+    const certificatesPEM: string[] = await Promise.all(promises);
+
+    const certificates: Buffer[] = certificatesPEM.map(convertPEMtoDER);
+
+    return {
+        certificates,
+        statusCode: StatusCodes.Good
+    };
+}

package/source/server/push_certificate_manager/internal_context.ts

@@ -0,0 +1,63 @@
+import type { CertificateManager } from "node-opcua-certificate-manager";
+import type { NodeId } from "node-opcua-nodeid";
+import { FileTransactionManager } from "../file_transaction_manager.js";
+
+export type ActionQueue = (() => Promise<void>)[];
+
+export interface IPushCertificateManagerServer {
+    applicationGroup?: CertificateManager;
+    userTokenGroup?: CertificateManager;
+    httpsGroup?: CertificateManager;
+    applicationUri: string;
+
+    getCertificateManager(groupName: string): CertificateManager | null;
+    getCertificateTypes(groupName: string): NodeId[] | undefined;
+    emit(eventName: string | symbol, ...args: unknown[]): boolean;
+}
+
+export class PushCertificateManagerInternalContext {
+    public readonly map: { [key: string]: CertificateManager } = {};
+    public readonly certificateTypes: { [key: string]: NodeId[] } = {};
+    public readonly fileTransactionManager = new FileTransactionManager();
+    public tmpCertificateManager?: CertificateManager;
+    public actionQueue: ActionQueue = [];
+    public operationInProgress = false;
+
+    constructor(private readonly server: IPushCertificateManagerServer) {}
+
+    get applicationGroup() {
+        return this.server.applicationGroup;
+    }
+    get userTokenGroup() {
+        return this.server.userTokenGroup;
+    }
+    get httpsGroup() {
+        return this.server.httpsGroup;
+    }
+    get applicationUri() {
+        return this.server.applicationUri;
+    }
+
+    getCertificateManager(groupName: string) {
+        return this.server.getCertificateManager(groupName);
+    }
+    getCertificateTypes(groupName: string) {
+        return this.server.getCertificateTypes(groupName);
+    }
+    emit(eventName: string | symbol, ...args: unknown[]) {
+        return this.server.emit(eventName, ...args);
+    }
+
+    public async dispose(): Promise<void> {
+        if (this.tmpCertificateManager) {
+            await this.tmpCertificateManager.dispose();
+            this.tmpCertificateManager = undefined;
+        }
+
+        if (this.fileTransactionManager) {
+            await this.fileTransactionManager.abortTransaction();
+        }
+
+        this.actionQueue.length = 0;
+    }
+}

package/source/server/push_certificate_manager/subject_to_string.ts

@@ -0,0 +1,25 @@
+import type { DirectoryName } from "node-opcua-crypto/web";
+import type { SubjectOptions } from "node-opcua-pki";
+
+export function subjectToString(subject: SubjectOptions & DirectoryName): string {
+    let s = "";
+    if (subject.commonName) s += `/CN=${subject.commonName}`;
+
+    if (subject.country) s += `/C=${subject.country}`;
+    if (subject.countryName) s += `/C=${subject.countryName}`;
+
+    if (subject.domainComponent) s += `/DC=${subject.domainComponent}`;
+
+    if (subject.locality) s += `/L=${subject.locality}`;
+    if (subject.localityName) s += `/L=${subject.localityName}`;
+
+    if (subject.organization) s += `/O=${subject.organization}`;
+    if (subject.organizationName) s += `/O=${subject.organizationName}`;
+
+    if (subject.organizationUnitName) s += `/OU=${subject.organizationUnitName}`;
+
+    if (subject.state) s += `/ST=${subject.state}`;
+    if (subject.stateOrProvinceName) s += `/ST=${subject.stateOrProvinceName}`;
+
+    return s;
+}

package/source/server/push_certificate_manager/update_certificate.ts

@@ -0,0 +1,201 @@
+import fs from "node:fs";
+import path from "node:path";
+import { assert } from "node-opcua-assert";
+import type { ByteString } from "node-opcua-basic-types";
+import type { CertificateManager, OPCUACertificateManager } from "node-opcua-certificate-manager";
+import { readPrivateKey } from "node-opcua-crypto";
+import {
+    certificateMatchesPrivateKey,
+    coercePEMorDerToPrivateKey,
+    coercePrivateKeyPem,
+    makeSHA1Thumbprint,
+    type PrivateKey,
+    toPem
+} from "node-opcua-crypto/web";
+import { checkDebugFlag, make_debugLog, make_warningLog } from "node-opcua-debug";
+import type { NodeId } from "node-opcua-nodeid";
+import { StatusCodes } from "node-opcua-status-code";
+
+import type { UpdateCertificateResult } from "../../push_certificate_manager.js";
+import { validateCertificateAndChain } from "../certificate_validation.js";
+import type { PushCertificateManagerInternalContext } from "./internal_context.js";
+import { resolveCertificateGroupContext, validateCertificateType } from "./util.js";
+
+const warningLog = make_warningLog("ServerConfiguration");
+const debugLog = make_debugLog("ServerConfiguration");
+const doDebug = checkDebugFlag("ServerConfiguration");
+
+// Helper: Stage issuer certificates to temporary files
+async function preInstallIssuerCertificates(
+    serverImpl: PushCertificateManagerInternalContext,
+    certificateManager: CertificateManager,
+    issuerCertificates: ByteString[] | undefined
+): Promise<void> {
+    if (issuerCertificates && issuerCertificates.length > 0) {
+        const issuerFolder = certificateManager.issuersCertFolder;
+        await fs.promises.mkdir(issuerFolder, { recursive: true });
+
+        for (let i = 0; i < issuerCertificates.length; i++) {
+            const issuerCert = issuerCertificates[i];
+            const thumbprint = makeSHA1Thumbprint(issuerCert).toString("hex");
+
+            const finalIssuerFileDER = path.join(issuerFolder, `issuer_${thumbprint}.der`);
+            const finalIssuerFilePEM = path.join(issuerFolder, `issuer_${thumbprint}.pem`);
+            const issuerCertPEM = toPem(issuerCert, "CERTIFICATE");
+
+            await serverImpl.fileTransactionManager.stageFile(finalIssuerFileDER, issuerCert);
+            await serverImpl.fileTransactionManager.stageFile(finalIssuerFilePEM, issuerCertPEM, "utf-8");
+
+            doDebug && debugLog(`Staged issuer certificate ${i + 1}/${issuerCertificates.length}: ${thumbprint}`);
+        }
+    }
+}
+
+// Helper: Stage main certificate to temporary files
+async function preInstallCertificate(
+    serverImpl: PushCertificateManagerInternalContext,
+    certificateManager: CertificateManager,
+    certificate: Buffer
+): Promise<void> {
+    const certFolder = certificateManager.ownCertFolder;
+    const destDER = path.join(certFolder, "certificate.der");
+    const destPEM = path.join(certFolder, "certificate.pem");
+    const certificatePEM = toPem(certificate, "CERTIFICATE");
+
+    await serverImpl.fileTransactionManager.stageFile(destDER, certificate);
+    await serverImpl.fileTransactionManager.stageFile(destPEM, certificatePEM, "utf-8");
+}
+
+// Helper: Stage private key to temporary file
+async function preInstallPrivateKey(
+    serverImpl: PushCertificateManagerInternalContext,
+    certificateManager: CertificateManager,
+    privateKeyFormat: string,
+    privateKey: Buffer | string | undefined
+): Promise<void> {
+    assert(privateKeyFormat.toUpperCase() === "PEM");
+
+    if (privateKey) {
+        const privateKeyObj = coercePEMorDerToPrivateKey(privateKey as string | Buffer);
+        const privateKeyPEM = coercePrivateKeyPem(privateKeyObj);
+        await serverImpl.fileTransactionManager.stageFile(certificateManager.privateKey, privateKeyPEM, "utf-8");
+    }
+}
+
+// Main Execute Function
+export async function executeUpdateCertificate(
+    serverImpl: PushCertificateManagerInternalContext,
+    certificateGroupId: NodeId | string,
+    certificateTypeId: NodeId | string,
+    certificate: Buffer,
+    issuerCertificates: ByteString[],
+    privateKeyFormat?: string,
+    privateKey?: Buffer | string
+): Promise<UpdateCertificateResult> {
+    if (serverImpl.operationInProgress) {
+        return { statusCode: StatusCodes.BadTooManyOperations, applyChangesRequired: false };
+    }
+
+    serverImpl.operationInProgress = true;
+    try {
+        const context = resolveCertificateGroupContext(serverImpl, certificateGroupId);
+        if (context.statusCode.isNotGood() || !context.certificateManager) {
+            debugLog(" cannot find group ", certificateGroupId);
+            return { statusCode: StatusCodes.BadInvalidArgument, applyChangesRequired: false };
+        }
+
+        const { certificateManager, allowedTypes } = context;
+
+        if (!validateCertificateType(certificate, certificateTypeId, allowedTypes ?? [], warningLog)) {
+            warningLog(
+                `Certificate type ${certificateTypeId} does not match expected certificateTypeId \n allowed types: ${allowedTypes?.map((t) => t.toString()).join(", ")} \n certificate: ${certificate.toString("base64")}`
+            );
+            return { statusCode: StatusCodes.BadCertificateInvalid, applyChangesRequired: false };
+        }
+
+        const isApplicationGroup = certificateManager === serverImpl.applicationGroup;
+        const validationResult = await validateCertificateAndChain(
+            certificateManager as OPCUACertificateManager,
+            isApplicationGroup,
+            certificate,
+            issuerCertificates
+        );
+
+        if (validationResult.statusCode !== StatusCodes.Good) {
+            await serverImpl.fileTransactionManager.abortTransaction();
+            return { statusCode: validationResult.statusCode, applyChangesRequired: false };
+        }
+
+        doDebug && debugLog(" updateCertificate ", makeSHA1Thumbprint(certificate).toString("hex"));
+
+        const hasPrivateKeyFormat = privateKeyFormat !== undefined && privateKeyFormat !== null && privateKeyFormat !== "";
+        const hasPrivateKey =
+            privateKey !== undefined &&
+            privateKey !== null &&
+            privateKey !== "" &&
+            !(privateKey instanceof Buffer && privateKey.length === 0);
+
+        if (hasPrivateKeyFormat !== hasPrivateKey) {
+            warningLog("privateKeyFormat and privateKey must both be provided or both be omitted");
+            await serverImpl.fileTransactionManager.abortTransaction();
+            return { statusCode: StatusCodes.BadInvalidArgument, applyChangesRequired: false };
+        }
+
+        if (!hasPrivateKeyFormat && !hasPrivateKey) {
+            const privateKeyObj = readPrivateKey(
+                serverImpl.tmpCertificateManager ? serverImpl.tmpCertificateManager.privateKey : certificateManager.privateKey
+            );
+
+            if (!certificateMatchesPrivateKey(certificate, privateKeyObj)) {
+                warningLog("certificate doesn't match privateKey");
+                await serverImpl.fileTransactionManager.abortTransaction();
+                return { statusCode: StatusCodes.BadSecurityChecksFailed, applyChangesRequired: false };
+            }
+
+            await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
+            await preInstallCertificate(serverImpl, certificateManager, certificate);
+            return { statusCode: StatusCodes.Good, applyChangesRequired: true };
+        } else {
+            if (privateKeyFormat !== "PEM" && privateKeyFormat !== "PFX") {
+                warningLog(` the private key format is invalid privateKeyFormat =${privateKeyFormat}`);
+                await serverImpl.fileTransactionManager.abortTransaction();
+                return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
+            }
+            if (privateKeyFormat !== "PEM") {
+                warningLog(`in NodeOPCUA we only support PEM for the moment privateKeyFormat =${privateKeyFormat}`);
+                await serverImpl.fileTransactionManager.abortTransaction();
+                return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
+            }
+
+            let privateKeyObj: PrivateKey | undefined;
+            let tempPrivateKey = privateKey;
+
+            if (tempPrivateKey instanceof Buffer || typeof tempPrivateKey === "string") {
+                if (tempPrivateKey instanceof Buffer) {
+                    assert(privateKeyFormat === "PEM");
+                    tempPrivateKey = tempPrivateKey.toString("utf-8");
+                }
+                privateKeyObj = coercePEMorDerToPrivateKey(tempPrivateKey);
+            }
+
+            if (!privateKeyObj) {
+                await serverImpl.fileTransactionManager.abortTransaction();
+                return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
+            }
+
+            if (!certificateMatchesPrivateKey(certificate, privateKeyObj)) {
+                warningLog("certificate doesn't match privateKey");
+                await serverImpl.fileTransactionManager.abortTransaction();
+                return { statusCode: StatusCodes.BadSecurityChecksFailed, applyChangesRequired: false };
+            }
+
+            await preInstallPrivateKey(serverImpl, certificateManager, privateKeyFormat, tempPrivateKey);
+            await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
+            await preInstallCertificate(serverImpl, certificateManager, certificate);
+
+            return { statusCode: StatusCodes.Good, applyChangesRequired: true };
+        }
+    } finally {
+        serverImpl.operationInProgress = false;
+    }
+}

package/source/server/push_certificate_manager/util.ts

@@ -0,0 +1,145 @@
+import type { CertificateManager } from "node-opcua-certificate-manager";
+import { NodeId, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
+import { type StatusCode, StatusCodes } from "node-opcua-status-code";
+import { eccCertificateTypesArray, rsaCertificateTypesArray } from "../../clientTools/certificate_types.js";
+import { getCertificateKeyType } from "../../clientTools/get_certificate_key_type.js";
+import type { PushCertificateManagerInternalContext } from "./internal_context.js";
+
+const defaultApplicationGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultApplicationGroup");
+const defaultHttpsGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
+const defaultUserTokenGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
+
+/**
+ * Find the name of a certificate group based on its NodeId.
+ * @param certificateGroupNodeId The NodeId of the certificate group
+ * @returns The name of the certificate group (e.g. "DefaultApplicationGroup") or empty string if not recognized
+ */
+export function findCertificateGroupName(certificateGroupNodeId: NodeId | string): string {
+    // Convert string to NodeId if needed to check for null NodeId
+    let nodeId: NodeId;
+    if (typeof certificateGroupNodeId === "string") {
+        try {
+            nodeId = resolveNodeId(certificateGroupNodeId);
+        } catch {
+            // Invalid NodeId string - treat as literal group name
+            return certificateGroupNodeId;
+        }
+    } else {
+        nodeId = certificateGroupNodeId;
+    }
+
+    // Check if it's null NodeId or DefaultApplicationGroup
+    if (sameNodeId(nodeId, NodeId.nullNodeId) || sameNodeId(nodeId, defaultApplicationGroup)) {
+        return "DefaultApplicationGroup";
+    }
+    if (sameNodeId(nodeId, defaultHttpsGroup)) {
+        return "DefaultHttpsGroup";
+    }
+    if (sameNodeId(nodeId, defaultUserTokenGroup)) {
+        return "DefaultUserTokenGroup";
+    }
+
+    // If it's a valid NodeId but not recognized, return empty string
+    // If it was originally a string (and not a standard group), return the string as group name
+    return typeof certificateGroupNodeId === "string" ? certificateGroupNodeId : "";
+}
+
+/**
+ * Validate that the certificate type matches the expected type from certificateTypeId
+ *
+ * @param certificate The certificate to validate
+ * @param certificateTypeId The NodeId of the expected certificate type
+ * @param allowedTypes The list of allowed certificate types for this group
+ * @param warningLog Function to log warnings
+ * @returns true if valid or if validation is not applicable
+ */
+export function validateCertificateType(
+    certificate: Buffer,
+    certificateTypeId: NodeId | string,
+    allowedTypes: NodeId[],
+    warningLog: (msg: string, ...args: unknown[]) => void
+): boolean {
+    // If certificateTypeId is null or not specified, skip validation
+    if (!certificateTypeId || (certificateTypeId instanceof NodeId && sameNodeId(certificateTypeId, NodeId.nullNodeId))) {
+        return true;
+    }
+
+    const keyType = getCertificateKeyType(certificate);
+    if (!keyType) {
+        // If we can't determine the key type, allow it (backward compatibility)
+        return true;
+    }
+
+    // Convert to NodeId if string
+    let typeNodeId: NodeId;
+    if (typeof certificateTypeId === "string") {
+        try {
+            typeNodeId = resolveNodeId(certificateTypeId);
+        } catch {
+            // Invalid NodeId string, skip validation
+            return true;
+        }
+    } else {
+        typeNodeId = certificateTypeId;
+    }
+
+    // Check again after conversion - empty string becomes null NodeId
+    if (sameNodeId(typeNodeId, NodeId.nullNodeId)) {
+        return true;
+    }
+
+    // Check if the certificateTypeId is in the list of allowed types for this group
+    const isAllowed = allowedTypes.some((t) => sameNodeId(t, typeNodeId));
+
+    if (!isAllowed) {
+        warningLog("Certificate typeId is not in the allowed types for this certificate group:", certificateTypeId);
+        return false;
+    }
+
+    // Additional validation: check if the certificate's actual key type matches the declared type
+    const isRsaType = rsaCertificateTypesArray.some((t) => sameNodeId(t, typeNodeId));
+    const isEccType = eccCertificateTypesArray.some((t) => sameNodeId(t, typeNodeId));
+
+    if (keyType === "RSA" && !isRsaType) {
+        warningLog("Certificate has RSA key but certificateTypeId is not an RSA type:", certificateTypeId);
+        return false;
+    }
+    if (keyType === "ECC" && !isEccType) {
+        warningLog("Certificate has ECC key but certificateTypeId is not an ECC type:", certificateTypeId);
+        return false;
+    }
+
+    return true;
+}
+
+export interface ResolvedGroupContext {
+    statusCode: StatusCode;
+    certificateManager?: CertificateManager;
+    allowedTypes?: NodeId[];
+}
+
+/**
+ * Resolves the CertificateManager and its allowed types for a given certificate group
+ */
+export function resolveCertificateGroupContext(
+    serverImpl: PushCertificateManagerInternalContext,
+    certificateGroupId: NodeId | string
+): ResolvedGroupContext {
+    const groupName = findCertificateGroupName(certificateGroupId);
+    if (!groupName) {
+        return { statusCode: StatusCodes.BadInvalidArgument };
+    }
+
+    const certificateManager = serverImpl.getCertificateManager(groupName);
+    if (!certificateManager) {
+        return { statusCode: StatusCodes.BadInvalidArgument };
+    }
+
+    const allowedTypes = serverImpl.getCertificateTypes(groupName);
+
+    return {
+        statusCode: StatusCodes.Good,
+        certificateManager,
+        allowedTypes
+    };
+}