node-opcua-server-configuration 2.163.1 → 2.165.0

package/source/server/push_certificate_manager_server_impl.ts

@@ -1,77 +1,44 @@
 /**
  * @module node-opcua-server-configuration-server
  */
-import { EventEmitter } from "events";
-import fs from "fs";
-import path from "path";
-import { rimraf } from "rimraf";
-import { SubjectOptions } from "node-opcua-pki";
+import { EventEmitter } from "node:events";
 import { assert } from "node-opcua-assert";
-import { ByteString, StatusCodes } from "node-opcua-basic-types";
-import {
-    convertPEMtoDER,
-    exploreCertificate,
-    makeSHA1Thumbprint,
-    toPem,
-    PrivateKey,
-    certificateMatchesPrivateKey,
-    coercePEMorDerToPrivateKey,
-    coercePrivateKeyPem,
-} from "node-opcua-crypto/web";
-
-import { readPrivateKey, readCertificate } from "node-opcua-crypto";
-
-// fixme: use the one from node-opcua-crypto
-export interface DirectoryName {
-    stateOrProvinceName?: string;
-    localityName?: string;
-    organizationName?: string;
-    organizationUnitName?: string;
-    commonName?: string;
-    countryName?: string;
-}
-
-import { checkDebugFlag, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
-import { NodeId, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
+import type { ISessionContext } from "node-opcua-address-space-base";
+import type { ByteString } from "node-opcua-basic-types";
 import { CertificateManager } from "node-opcua-certificate-manager";
-import { StatusCode } from "node-opcua-status-code";
-
-import {
+import { make_errorLog } from "node-opcua-debug";
+import type { NodeId } from "node-opcua-nodeid";
+import type { SubjectOptions } from "node-opcua-pki";
+import type { StatusCode } from "node-opcua-status-code";
+import { rsaCertificateTypesArray } from "../clientTools/certificate_types.js";
+import type {
     CreateSigningRequestResult,
     GetRejectedListResult,
     PushCertificateManager,
     UpdateCertificateResult
-} from "../push_certificate_manager";
+} from "../push_certificate_manager.js";
+import { executeApplyChanges } from "./push_certificate_manager/apply_changes.js";
+import { executeCreateSigningRequest } from "./push_certificate_manager/create_signing_request.js";
+import { executeGetRejectedList } from "./push_certificate_manager/get_rejected_list.js";
+import { PushCertificateManagerInternalContext } from "./push_certificate_manager/internal_context.js";
+import { executeUpdateCertificate } from "./push_certificate_manager/update_certificate.js";
 
-// node 14 onward : import {  readFile, writeFile, readdir } from "fs/promises";
-const { readFile, writeFile, readdir } = fs.promises;
-
-const debugLog = make_debugLog("ServerConfiguration");
 const errorLog = make_errorLog("ServerConfiguration");
-const warningLog = make_warningLog("ServerConfiguration");
-const doDebug = checkDebugFlag("ServerConfiguration");
-doDebug;
-
-const defaultApplicationGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultApplicationGroup");
-const defaultHttpsGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
-const defaultUserTokenGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
-
-
 
-function findCertificateGroupName(certificateGroupNodeId: NodeId | string): string {
-    if (typeof certificateGroupNodeId === "string") {
-        return certificateGroupNodeId;
-    }
-    if (sameNodeId(certificateGroupNodeId, NodeId.nullNodeId) || sameNodeId(certificateGroupNodeId, defaultApplicationGroup)) {
-        return "DefaultApplicationGroup";
-    }
-    if (sameNodeId(certificateGroupNodeId, defaultHttpsGroup)) {
-        return "DefaultHttpsGroup";
-    }
-    if (sameNodeId(certificateGroupNodeId, defaultUserTokenGroup)) {
-        return "DefaultUserTokenGroup";
-    }
-    return "";
+/**
+ * Type-safe event map for PushCertificateManagerServerImpl.
+ *
+ * - `applyChangesCompleted` — fired after a successful `applyChanges()` call.
+ * - `certificateUpdated`    — fired after a successful `updateCertificate()` call,
+ *                             with the resolved group id and the leaf certificate.
+ * - `trustListUpdated`      — fired after a successful TrustList mutation
+ *                             (`CloseAndUpdate`, `AddCertificate`, `RemoveCertificate`),
+ *                             with the certificate-group browse-name.
+ */
+export interface PushCertificateManagerEvents {
+    applyChangesCompleted: (context?: ISessionContext) => void;
+    certificateUpdated: (certificateGroupId: NodeId | string, certificate: Buffer) => void;
+    trustListUpdated: (certificateGroupId: string) => void;
 }
 
 export interface PushCertificateManagerServerOptions {
@@ -80,76 +47,15 @@ export interface PushCertificateManagerServerOptions {
     httpsGroup?: CertificateManager;
 
     applicationUri: string;
-}
-
-type Functor = () => Promise<void>;
 
-export async function copyFile(source: string, dest: string): Promise<void> {
-    try {
-        debugLog("copying file \n source ", source, "\n =>\n dest ", dest);
-        const sourceExist = fs.existsSync(source);
-        if (sourceExist) {
-            await fs.promises.copyFile(source, dest);
-        }
-    } catch (err) {
-        errorLog(err);
-    }
-}
-
-export async function deleteFile(file: string): Promise<void> {
-    try {
-        const exists = await fs.existsSync(file);
-        if (exists) {
-            debugLog("deleting file ", file);
-            await fs.promises.unlink(file);
-        }
-    } catch (err) {
-        errorLog(err);
-    }
-}
-
-export async function moveFile(source: string, dest: string): Promise<void> {
-    debugLog("moving file file \n source ", source, "\n =>\n dest ", dest);
-    try {
-        await copyFile(source, dest);
-        await deleteFile(source);
-    } catch (err) {
-        errorLog(err);
-    }
-}
-
-export async function moveFileWithBackup(source: string, dest: string): Promise<void> {
-    // let make a copy of the destination file
-    debugLog("moveFileWithBackup file \n source ", source, "\n =>\n dest ", dest);
-    await copyFile(dest, dest + "_old");
-    await moveFile(source, dest);
+    // Optional: Allowed certificate types for each group
+    // These should be read from the CertificateTypes Property of the CertificateGroup objects in the AddressSpace
+    // If not provided, defaults to all known OPC UA certificate types (backward compatibility)
+    applicationGroupCertificateTypes?: NodeId[];
+    userTokenGroupCertificateTypes?: NodeId[];
+    httpsGroupCertificateTypes?: NodeId[];
 }
 
-
-export function subjectToString(subject: SubjectOptions & DirectoryName): string {
-    let s = "";
-    subject.commonName && (s += `/CN=${subject.commonName}`);
-
-    subject.country && (s += `/C=${subject.country}`);
-    subject.countryName && (s += `/C=${subject.countryName}`);
-
-    subject.domainComponent && (s += `/DC=${subject.domainComponent}`);
-
-    subject.locality && (s += `/L=${subject.locality}`);
-    subject.localityName && (s += `/L=${subject.localityName}`);
-
-    subject.organization && (s += `/O=${subject.organization}`);
-    subject.organizationName && (s += `/O=${subject.organizationName}`);
-
-    subject.organizationUnitName && (s += `/OU=${subject.organizationUnitName}`);
-
-    subject.state && (s += `/ST=${subject.state}`);
-    subject.stateOrProvinceName && (s += `/ST=${subject.stateOrProvinceName}`);
-
-    return s;
-}
-let fileCounter = 0;
-
 export type ActionQueue = (() => Promise<void>)[];
 
 export class PushCertificateManagerServerImpl extends EventEmitter implements PushCertificateManager {
@@ -157,15 +63,38 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
     public userTokenGroup?: CertificateManager;
     public httpsGroup?: CertificateManager;
 
-    private readonly _map: { [key: string]: CertificateManager } = {};
-    private readonly _pendingTasks: Functor[] = [];
-    private _tmpCertificateManager?: CertificateManager;
-    private $$actionQueue: ActionQueue = [];
+    // Use a true private reference (could be upgraded to #context in recent ES)
+    private readonly _context: PushCertificateManagerInternalContext;
+
+    /** @hidden */
+    public applicationUri: string;
+
+    // ── typed event helpers ──────────────────────────────────────────
+    public on<K extends keyof PushCertificateManagerEvents>(
+        event: K,
+        listener: PushCertificateManagerEvents[K]
+    ): this;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    public on(event: string | symbol, listener: (...args: any[]) => void): this;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    public on(event: string | symbol, listener: (...args: any[]) => void): this {
+        return super.on(event, listener);
+    }
 
-    private applicationUri: string;
+    public once<K extends keyof PushCertificateManagerEvents>(
+        event: K,
+        listener: PushCertificateManagerEvents[K]
+    ): this;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    public once(event: string | symbol, listener: (...args: any[]) => void): this;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    public once(event: string | symbol, listener: (...args: any[]) => void): this {
+        return super.once(event, listener);
+    }
 
     constructor(options: PushCertificateManagerServerOptions) {
         super();
+        this._context = new PushCertificateManagerInternalContext(this);
 
         this.applicationUri = options ? options.applicationUri : "";
 
@@ -174,23 +103,38 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
             this.userTokenGroup = options.userTokenGroup;
             this.httpsGroup = options.httpsGroup;
             if (this.userTokenGroup) {
-                this._map.DefaultUserTokenGroup = this.userTokenGroup;
-
-                // istanbul ignore next
+                this._context.map.DefaultUserTokenGroup = this.userTokenGroup;
+                // Store allowed certificate types, or use all known types as default
+                this._context.certificateTypes.DefaultUserTokenGroup = options.userTokenGroupCertificateTypes || [
+                    // [...rsaCertificateTypes, ...eccCertificateTypes];
+                    ...rsaCertificateTypesArray
+                ]; // FIXME: ECC is not yet supported
+
+                // c8 ignore next
                 if (!(this.userTokenGroup instanceof CertificateManager)) {
                     errorLog(
                         "Expecting this.userTokenGroup to be instanceof CertificateManager :",
-                        (this.userTokenGroup as any).constructor.name
+                        (this.userTokenGroup as unknown as { constructor: { name: string } }).constructor.name
                     );
                     throw new Error("Expecting this.userTokenGroup to be instanceof CertificateManager ");
                 }
             }
             if (this.applicationGroup) {
-                this._map.DefaultApplicationGroup = this.applicationGroup;
+                this._context.map.DefaultApplicationGroup = this.applicationGroup;
+                // Store allowed certificate types, or use all known types as default
+                this._context.certificateTypes.DefaultApplicationGroup = options.applicationGroupCertificateTypes || [
+                    // [...rsaCertificateTypes, ...eccCertificateTypes];
+                    ...rsaCertificateTypesArray
+                ]; // FIXME: ECC is not yet supported
                 assert(this.applicationGroup instanceof CertificateManager);
             }
             if (this.httpsGroup) {
-                this._map.DefaultHttpsGroup = this.httpsGroup;
+                this._context.map.DefaultHttpsGroup = this.httpsGroup;
+                // Store allowed certificate types, or use all known types as default
+                this._context.certificateTypes.DefaultHttpsGroup = options.httpsGroupCertificateTypes || [
+                    // [...rsaCertificateTypes, ...eccCertificateTypes];
+                    ...rsaCertificateTypesArray
+                ]; // FIXME: ECC is not yet supported
                 assert(this.httpsGroup instanceof CertificateManager);
             }
         }
@@ -213,7 +157,7 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
     }
 
     public async getSupportedPrivateKeyFormats(): Promise<string[]> {
-        return this.supportedPrivateKeyFormats;
+        return ["PEM"];
     }
 
     public async createSigningRequest(
@@ -223,157 +167,20 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
         regeneratePrivateKey?: boolean,
         nonce?: Buffer
     ): Promise<CreateSigningRequestResult> {
-        let certificateManager = this.getCertificateManager(certificateGroupId);
-
-        if (!certificateManager) {
-            debugLog(" cannot find group ", certificateGroupId);
-            return {
-                statusCode: StatusCodes.BadInvalidArgument
-            };
-        }
-
-        if (!subjectName) {
-            // reuse existing subjectName
-            const currentCertificateFilename = path.join(certificateManager.rootDir, "own/certs/certificate.pem");
-            if (!fs.existsSync(currentCertificateFilename)) {
-                errorLog("Cannot find existing certificate to extract subjectName", currentCertificateFilename);
-                return {
-                    statusCode: StatusCodes.BadInvalidState
-                };
-            }
-            const certificate = readCertificate(currentCertificateFilename);
-            const e = exploreCertificate(certificate);
-            subjectName = subjectToString(e.tbsCertificate.subject);
-            warningLog("reusing existing certificate subjectAltName = ", subjectName);
-        }
-
-        // todo : at this time regenerate private key is not supported
-        if (regeneratePrivateKey) {
-            // The Server shall create a new Private Key which it stores until the
-            // matching signed Certificate is uploaded with the UpdateCertificate Method.
-            // Previously created Private Keys may be discarded if UpdateCertificate was not
-            // called before calling this method again.
-
-            // Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE.
-            // It shall be at least 32 bytes long
-            if (!nonce || nonce.length < 32) {
-                make_warningLog(
-                    " nonce should be provided when regeneratePrivateKey is set, and length shall be greater than 32 bytes"
-                );
-                return {
-                    statusCode: StatusCodes.BadInvalidArgument
-                };
-            }
-
-            const location = path.join(certificateManager.rootDir, "tmp");
-            if (fs.existsSync(location)) {
-                await rimraf.rimraf(path.join(location));
-            }
-            if (!fs.existsSync(location)) {
-                await fs.promises.mkdir(location);
-            }
-
-            const destCertificateManager = certificateManager;
-            const keySize = (certificateManager as any).keySize; // because keySize is private !
-            certificateManager = new CertificateManager({
-                keySize,
-                location
-            });
-            debugLog("generating a new private key ...");
-            await certificateManager.initialize();
-
-            this._tmpCertificateManager = certificateManager;
-
-            this.addPendingTask(async () => {
-                await moveFileWithBackup(certificateManager!.privateKey, destCertificateManager.privateKey);
-            });
-            this.addPendingTask(async () => {
-                await rimraf.rimraf(path.join(location));
-            });
-        } else {
-            // The Server uses its existing Private Key
-        }
-
-        if (typeof subjectName !== "string") {
-            return { statusCode: StatusCodes.BadInternalError };
-        }
-        const options = {
-            applicationUri: this.applicationUri,
-            subject: subjectName!
-        };
-        await certificateManager.initialize();
-        const csrFile = await certificateManager.createCertificateRequest(options);
-        const csrPEM = await readFile(csrFile, "utf8");
-        const certificateSigningRequest = convertPEMtoDER(csrPEM);
-
-        this.addPendingTask(() => deleteFile(csrFile));
-
-        return {
-            certificateSigningRequest,
-            statusCode: StatusCodes.Good
-        };
+        return await executeCreateSigningRequest(
+            this._context,
+            certificateGroupId,
+            certificateTypeId,
+            subjectName,
+            regeneratePrivateKey,
+            nonce
+        );
     }
 
     public async getRejectedList(): Promise<GetRejectedListResult> {
-        interface FileData {
-            filename: string;
-            stat: {
-                mtime: Date;
-            };
-        }
-
-        // rejectedList comes from each group
-        async function extractRejectedList(group: CertificateManager | undefined, certificateList: FileData[]): Promise<void> {
-            if (!group) {
-                return;
-            }
-            const rejectedFolder = path.join(group.rootDir, "rejected");
-            const files = await readdir(rejectedFolder);
-
-            const stat = fs.promises.stat;
-
-            const promises1: Promise<fs.Stats>[] = [];
-            for (const certFile of files) {
-                // read date
-                promises1.push(stat(path.join(rejectedFolder, certFile)));
-            }
-            const stats = await Promise.all(promises1);
-
-            for (let i = 0; i < stats.length; i++) {
-                certificateList.push({
-                    filename: path.join(rejectedFolder, files[i]),
-                    stat: stats[i]
-                });
-            }
-        }
-
-        const list: FileData[] = [];
-        await extractRejectedList(this.applicationGroup, list);
-        await extractRejectedList(this.userTokenGroup, list);
-        await extractRejectedList(this.httpsGroup, list);
-
-        // now sort list from newer file to older file
-        list.sort((a: FileData, b: FileData) => b.stat.mtime.getTime() - a.stat.mtime.getTime());
-
-        const promises: Promise<string>[] = [];
-        for (const item of list) {
-            promises.push(readFile(item.filename, "utf8"));
-        }
-        const certificatesPEM: string[] = await Promise.all(promises);
-
-        const certificates: Buffer[] = certificatesPEM.map(convertPEMtoDER);
-        return {
-            certificates,
-            statusCode: StatusCodes.Good
-        };
+        return await executeGetRejectedList(this._context);
     }
 
-    public async updateCertificate(
-        certificateGroupId: NodeId | string,
-        certificateTypeId: NodeId | string,
-        certificate: Buffer,
-        issuerCertificates: ByteString[]
-    ): Promise<UpdateCertificateResult>;
     // eslint-disable-next-line max-statements
     public async updateCertificate(
         certificateGroupId: NodeId | string,
@@ -383,292 +190,66 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
         privateKeyFormat?: string,
         privateKey?: Buffer | string
     ): Promise<UpdateCertificateResult> {
-        // Result Code                Description
-        // BadInvalidArgument        The certificateTypeId or certificateGroupId is not valid.
-        // BadCertificateInvalid     The Certificate is invalid or the format is not supported.
-        // BadNotSupported           The Private Key is invalid or the format is not supported.
-        // BadUserAccessDenied       The current user does not have the rights required.
-        // BadSecurityChecksFailed   Some failure occurred verifying the integrity of the Certificate.
-        const certificateManager = this.getCertificateManager(certificateGroupId)!;
-
-        if (!certificateManager) {
-            debugLog(" cannot find group ", certificateGroupId);
-            return {
-                statusCode: StatusCodes.BadInvalidArgument,
-                applyChangesRequired: false
-            };
-        }
-
-        async function preInstallCertificate(self: PushCertificateManagerServerImpl) {
-            const certFolder = path.join(certificateManager.rootDir, "own/certs");
-            const certificateFileDER = path.join(certFolder, `_pending_certificate${fileCounter++}.der`);
-            const certificateFilePEM = path.join(certFolder, `_pending_certificate${fileCounter++}.pem`);
-
-            await writeFile(certificateFileDER, certificate, "binary");
-            await writeFile(certificateFilePEM, toPem(certificate, "CERTIFICATE"));
-
-            const destDER = path.join(certFolder, "certificate.der");
-            const destPEM = path.join(certFolder, "certificate.pem");
-
-            // put existing file in security by backing them up
-            self.addPendingTask(() => moveFileWithBackup(certificateFileDER, destDER));
-            self.addPendingTask(() => moveFileWithBackup(certificateFilePEM, destPEM));
-        }
-
-        async function preInstallPrivateKey(self: PushCertificateManagerServerImpl) {
-            assert(privateKeyFormat!.toUpperCase() === "PEM");
-
-            const ownPrivateFolder = path.join(certificateManager.rootDir, "own/private");
-            const privateKeyFilePEM = path.join(ownPrivateFolder, `_pending_private_key${fileCounter++}.pem`);
-
-            if (privateKey) {
-                const privateKey1 = coercePEMorDerToPrivateKey(privateKey);
-                const privateKeyPEM = await coercePrivateKeyPem(privateKey1);
-                await writeFile(privateKeyFilePEM, privateKeyPEM, "utf-8");
-                self.addPendingTask(() => moveFileWithBackup(privateKeyFilePEM, certificateManager.privateKey));
-            }
-        }
-
-        // OPC Unified Architecture, Part 12 42 Release 1.04:
-        //
-        // UpdateCertificate is used to update a Certificate for a Server.
-        // There are the following three use cases for this Method:
-        //
-        //  - The new Certificate was created based on a signing request created with the Method
-        //    In this case there is no privateKey provided.
-        //  - A new privateKey and Certificate was created outside the Server and both are updated
-        //    with this Method.
-        //  - A new Certificate was created and signed with the information from the old Certificate.
-        //    In this case there is no privateKey provided.
-
-        // The Server shall do all normal integrity checks on the Certificate and all of the issuer
-        // Certificates. If errors occur the BadSecurityChecksFailed error is returned.
-        // todo : all normal integrity check on the certificate
-        const certInfo = exploreCertificate(certificate);
-
-        const now = new Date();
-        if (certInfo.tbsCertificate.validity.notBefore.getTime() > now.getTime()) {
-            // certificate is not yet valid
-            warningLog(
-                "Certificate is not yet valid : not before ",
-                certInfo.tbsCertificate.validity.notBefore.toISOString(),
-                "now = ",
-                now.toISOString()
-            );
-            return {
-                statusCode: StatusCodes.BadSecurityChecksFailed,
-                applyChangesRequired: false
-            };
-        }
-        if (certInfo.tbsCertificate.validity.notAfter.getTime() < now.getTime()) {
-            // certificate is already out of date
-            warningLog(
-                "Certificate is already out of date : not after ",
-                certInfo.tbsCertificate.validity.notAfter.toISOString(),
-                "now = ",
-                now.toISOString()
-            );
-            return {
-                statusCode: StatusCodes.BadSecurityChecksFailed,
-                applyChangesRequired: false
-            };
-        }
-
-        // If the Server returns applyChangesRequired=FALSE then it is indicating that it is able to
-        // satisfy the requirements specified for the ApplyChanges Method.
-
-        debugLog(" updateCertificate ", makeSHA1Thumbprint(certificate).toString("hex"));
-
-        if (!privateKeyFormat || !privateKey) {
-            // first of all we need to find the future private key;
-            // this one may have been created during the creation of the certificate signing request
-            // but is not active yet
-            const privateKey1 = readPrivateKey(
-                this._tmpCertificateManager ? this._tmpCertificateManager.privateKey : certificateManager.privateKey
-            );
-
-            // The Server shall report an error if the public key does not match the existing Certificate and
-            // the privateKey was not provided.
-            // privateKey is not provided, so check that the public key matches the existing certificate
-            if (!certificateMatchesPrivateKey(certificate, privateKey1)) {
-                // certificate doesn't match privateKey
-                warningLog("certificate doesn't match privateKey");
-                /* debug code */
-                const certificatePEM = toPem(certificate, "CERTIFICATE");
-                certificatePEM;
-                //xx const privateKeyPEM = toPem(privateKeyDER, "RSA PRIVATE KEY");
-                //xx const initialBuffer = Buffer.from("Lorem Ipsum");
-                //xx const encryptedBuffer = publicEncrypt_long(initialBuffer, certificatePEM, 256, 11);
-                //xx const decryptedBuffer = privateDecrypt_long(encryptedBuffer, privateKeyPEM, 256);
-                return { 
-                    statusCode: StatusCodes.BadSecurityChecksFailed,
-                    applyChangesRequired: false,
-                };
-            }
-            // a new certificate is provided for us,
-            // we keep our private key
-            // we do this in two stages
-            await preInstallCertificate(this);
-
-            return {
-                statusCode: StatusCodes.Good,
-                applyChangesRequired: true,
-            };
-        } else if (privateKey) {
-            // a private key has been provided by the caller !
-            if (!privateKeyFormat) {
-                warningLog("the privateKeyFormat must be specified " + privateKeyFormat);
-                return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false};
-            }
-            if (privateKeyFormat !== "PEM" && privateKeyFormat !== "PFX") {
-                warningLog(" the private key format is invalid privateKeyFormat =" + privateKeyFormat);
-                return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
-            }
-            if (privateKeyFormat !== "PEM") {
-                warningLog("in NodeOPCUA we only support PEM for the moment privateKeyFormat =" + privateKeyFormat);
-                return { statusCode: StatusCodes.BadNotSupported , applyChangesRequired: false };
-            }
-
-            let privateKey1: PrivateKey | undefined;
-            if (privateKey && (privateKey instanceof Buffer || typeof privateKey === "string")) {
-                if (privateKey instanceof Buffer) {
-                    assert(privateKeyFormat === "PEM");
-                    privateKey = privateKey.toString("utf-8");
-                }
-                privateKey1 = coercePEMorDerToPrivateKey(privateKey);
-            }
-            if (!privateKey1) {
-                return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
-            }
-            // privateKey is  provided, so check that the public key matches provided private key
-            if (!certificateMatchesPrivateKey(certificate, privateKey1!)) {
-                // certificate doesn't match privateKey
-                warningLog("certificate doesn't match privateKey");
-                return { statusCode: StatusCodes.BadSecurityChecksFailed, applyChangesRequired: false };
-            }
-
-            await preInstallPrivateKey(this);
-
-            await preInstallCertificate(this);
-
-          
-
-            return {
-                statusCode: StatusCodes.Good,
-                applyChangesRequired: true
-            };
-        } else {
-            // todo !
-            return {
-                statusCode: StatusCodes.BadNotSupported,
-                applyChangesRequired: true
-            };
-        }
+        return await executeUpdateCertificate(
+            this._context,
+            certificateGroupId,
+            certificateTypeId,
+            certificate,
+            issuerCertificates,
+            privateKeyFormat,
+            privateKey
+        );
     }
 
     /**
-     * 
-     * ApplyChanges is used to apply pending Certificate and TrustList updates 
+     *
+     * ApplyChanges is used to apply pending Certificate and TrustList updates
      * and to complete a transaction as described in 7.10.2.
-     * 
+     *
      * ApplyChanges returns Bad_InvalidState if any TrustList is still open for writing.
      * No changes are applied and ApplyChanges can be called again after the TrustList is closed.
-     * 
+     *
      * If a Session is closed or abandoned then the transaction is closed and all pending changes are discarded.
-     * 
-     * If ApplyChanges is called and there is no active transaction then the Server returns Bad_NothingToDo. 
+     *
+     * If ApplyChanges is called and there is no active transaction then the Server returns Bad_NothingToDo.
      * If there is an active transaction, however, no changes are pending the result is Good and the transaction is closed.
-     * 
+     *
      * When a Server Certificate or TrustList changes active SecureChannels are not immediately affected.
-     * This ensures the caller of ApplyChanges can get a response to the Method call. 
-     * Once the Method response is returned the Server shall force existing SecureChannels affected by 
+     * This ensures the caller of ApplyChanges can get a response to the Method call.
+     * Once the Method response is returned the Server shall force existing SecureChannels affected by
      * the changes to renegotiate and use the new Server Certificate and/or TrustLists.
-     * 
-     * Servers may close SecureChannels without discarding any Sessions or Subscriptions. 
-     * This will seem like a network interruption from the perspective of the Client and the Client reconnect 
-     * logic (see OPC 10000-4) allows them to recover their Session and Subscriptions. 
+     *
+     * Servers may close SecureChannels without discarding any Sessions or Subscriptions.
+     * This will seem like a network interruption from the perspective of the Client and the Client reconnect
+     * logic (see OPC 10000-4) allows them to recover their Session and Subscriptions.
      * Note that some Clients may not be able to reconnect because they are no longer trusted.
-     * 
+     *
      * Other Servers may need to do a complete shutdown.
-     * 
-     * In this case, the Server shall advertise its intent to interrupt connections by setting the 
+     *
+     * In this case, the Server shall advertise its intent to interrupt connections by setting the
      * SecondsTillShutdown and ShutdownReason Properties in the ServerStatus Variable.
-     * 
-     * If a TrustList change only affects UserIdentity associated with a Session then Servers 
-     * shall re-evaluate the UserIdentity and if it is no longer valid the Session and associated 
+     *
+     * If a TrustList change only affects UserIdentity associated with a Session then Servers
+     * shall re-evaluate the UserIdentity and if it is no longer valid the Session and associated
      * Subscriptions are closed.
-     * 
-     * This Method shall be called from an authenticated SecureChannel and from the Session that 
+     *
+     * This Method shall be called from an authenticated SecureChannel and from the Session that
      * created the transaction and has access to the SecurityAdmin Role (see 7.2).
-     * 
+     *
      */
-    public async applyChanges(): Promise<StatusCode> {
-        // ApplyChanges is used to tell the Server to apply any security changes.
-        // This Method should only be called if a previous call to a Method that changed the
-        // configuration returns applyChangesRequired=true.
-        //
-        // If the Server Certificate has changed, Secure Channels using the old Certificate will
-        // eventually be interrupted.
-
-        this.emit("CertificateAboutToChange", this.$$actionQueue);
-        await this.flushActionQueue();
-
-        try {
-            await this.applyPendingTasks();
-        } catch (err) {
-            debugLog("err ", err);
-            return StatusCodes.BadInternalError;
-        }
-        this.emit("CertificateChanged", this.$$actionQueue);
-        await this.flushActionQueue();
-
-        // The only leeway the Server has is with the timing.
-        // In the best case, the Server can close the TransportConnections for the affected Endpoints and leave any
-        // Subscriptions intact. This should appear no different than a network interruption from the
-        // perspective of the Client. The Client should be prepared to deal with Certificate changes
-        // during its reconnect logic. In the worst case, a full shutdown which affects all connected
-        // Clients will be necessary. In the latter case, the Server shall advertise its intent to interrupt
-        // connections by setting the SecondsTillShutdown and ShutdownReason Properties in the
-        // ServerStatus Variable.
-
-        // If the Secure Channel being used to call this Method will be affected by the Certificate change
-        // then the Server shall introduce a delay long enough to allow the caller to receive a reply.
-        return StatusCodes.Good;
-    }
-
-    private getCertificateManager(certificateGroupId: NodeId | string): CertificateManager | null {
-        const groupName = findCertificateGroupName(certificateGroupId);
-        return this._map[groupName] || null;
+    public async applyChanges(context?: ISessionContext): Promise<StatusCode> {
+        return await executeApplyChanges(this._context, context);
     }
 
-    private addPendingTask(functor: () => Promise<void>): void {
-        this._pendingTasks.push(functor);
+    public getCertificateManager(groupName: string): CertificateManager | null {
+        return this._context.map[groupName] || null;
     }
 
-    private async applyPendingTasks(): Promise<void> {
-        debugLog("start applyPendingTasks");
-        const promises: Promise<void>[] = [];
-        const t = this._pendingTasks.splice(0);
-
-        if (false) {
-            // node 10.2 and above
-            for await (const task of t) {
-                await task();
-            }
-        } else {
-            while (t.length) {
-                const task = t.shift()!;
-                await task();
-            }
-        }
-        await Promise.all(promises);
-        debugLog("end applyPendingTasks");
+    public getCertificateTypes(groupName: string): NodeId[] | undefined {
+        return this._context.certificateTypes[groupName];
     }
 
-    private async flushActionQueue(): Promise<void> {
-        while (this.$$actionQueue.length) {
-            const first = this.$$actionQueue.pop()!;
-            await first!();
-        }
+    public async dispose(): Promise<void> {
+        await this._context.dispose();
     }
 }