node-opcua-server-configuration 2.163.1 → 2.165.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/clientTools/certificate_types.d.ts +15 -0
- package/dist/clientTools/certificate_types.js +19 -0
- package/dist/clientTools/certificate_types.js.map +1 -0
- package/dist/clientTools/get_certificate_key_type.d.ts +6 -0
- package/dist/clientTools/get_certificate_key_type.js +55 -0
- package/dist/clientTools/get_certificate_key_type.js.map +1 -0
- package/dist/clientTools/index.d.ts +2 -1
- package/dist/clientTools/index.js +2 -17
- package/dist/clientTools/index.js.map +1 -1
- package/dist/clientTools/push_certificate_management_client.d.ts +10 -10
- package/dist/clientTools/push_certificate_management_client.js +85 -89
- package/dist/clientTools/push_certificate_management_client.js.map +1 -1
- package/dist/index.d.ts +9 -7
- package/dist/index.js +9 -23
- package/dist/index.js.map +1 -1
- package/dist/push_certificate_manager.d.ts +6 -5
- package/dist/push_certificate_manager.js +1 -2
- package/dist/server/certificate_validation.d.ts +15 -0
- package/dist/server/certificate_validation.js +76 -0
- package/dist/server/certificate_validation.js.map +1 -0
- package/dist/server/file_transaction_manager.d.ts +30 -0
- package/dist/server/file_transaction_manager.js +223 -0
- package/dist/server/file_transaction_manager.js.map +1 -0
- package/dist/server/install_certificate_file_watcher.d.ts +1 -1
- package/dist/server/install_certificate_file_watcher.js +8 -14
- package/dist/server/install_certificate_file_watcher.js.map +1 -1
- package/dist/server/install_push_certitifate_management.d.ts +6 -6
- package/dist/server/install_push_certitifate_management.js +59 -81
- package/dist/server/install_push_certitifate_management.js.map +1 -1
- package/dist/server/promote_trust_list.d.ts +1 -1
- package/dist/server/promote_trust_list.js +348 -82
- package/dist/server/promote_trust_list.js.map +1 -1
- package/dist/server/push_certificate_manager/apply_changes.d.ts +4 -0
- package/dist/server/push_certificate_manager/apply_changes.js +65 -0
- package/dist/server/push_certificate_manager/apply_changes.js.map +1 -0
- package/dist/server/push_certificate_manager/create_signing_request.d.ts +5 -0
- package/dist/server/push_certificate_manager/create_signing_request.js +108 -0
- package/dist/server/push_certificate_manager/create_signing_request.js.map +1 -0
- package/dist/server/push_certificate_manager/get_rejected_list.d.ts +3 -0
- package/dist/server/push_certificate_manager/get_rejected_list.js +46 -0
- package/dist/server/push_certificate_manager/get_rejected_list.js.map +1 -0
- package/dist/server/push_certificate_manager/internal_context.d.ts +35 -0
- package/dist/server/push_certificate_manager/internal_context.js +45 -0
- package/dist/server/push_certificate_manager/internal_context.js.map +1 -0
- package/dist/server/push_certificate_manager/subject_to_string.d.ts +3 -0
- package/dist/server/push_certificate_manager/subject_to_string.js +27 -0
- package/dist/server/push_certificate_manager/subject_to_string.js.map +1 -0
- package/dist/server/push_certificate_manager/update_certificate.d.ts +5 -0
- package/dist/server/push_certificate_manager/update_certificate.js +134 -0
- package/dist/server/push_certificate_manager/update_certificate.js.map +1 -0
- package/dist/server/push_certificate_manager/util.d.ts +29 -0
- package/dist/server/push_certificate_manager/util.js +117 -0
- package/dist/server/push_certificate_manager/util.js.map +1 -0
- package/dist/server/push_certificate_manager_helpers.d.ts +5 -2
- package/dist/server/push_certificate_manager_helpers.js +110 -113
- package/dist/server/push_certificate_manager_helpers.js.map +1 -1
- package/dist/server/push_certificate_manager_server_impl.d.ts +37 -30
- package/dist/server/push_certificate_manager_server_impl.js +58 -438
- package/dist/server/push_certificate_manager_server_impl.js.map +1 -1
- package/dist/server/roles_and_permissions.d.ts +1 -1
- package/dist/server/roles_and_permissions.js +24 -27
- package/dist/server/roles_and_permissions.js.map +1 -1
- package/dist/server/tools.d.ts +1 -1
- package/dist/server/tools.js +7 -13
- package/dist/server/tools.js.map +1 -1
- package/dist/server/trust_list_server.d.ts +2 -2
- package/dist/server/trust_list_server.js +40 -29
- package/dist/server/trust_list_server.js.map +1 -1
- package/dist/standard_certificate_types.js +6 -9
- package/dist/standard_certificate_types.js.map +1 -1
- package/dist/trust_list.d.ts +2 -2
- package/dist/trust_list.js +1 -2
- package/dist/trust_list_impl.js +1 -2
- package/dist/trust_list_impl.js.map +1 -1
- package/package.json +30 -30
- package/source/clientTools/certificate_types.ts +21 -0
- package/source/clientTools/get_certificate_key_type.ts +73 -0
- package/source/clientTools/index.ts +2 -1
- package/source/clientTools/push_certificate_management_client.ts +49 -44
- package/source/index.ts +9 -7
- package/source/push_certificate_manager.ts +17 -18
- package/source/server/certificate_validation.ts +103 -0
- package/source/server/file_transaction_manager.ts +253 -0
- package/source/server/install_certificate_file_watcher.ts +15 -11
- package/source/server/install_push_certitifate_management.ts +52 -68
- package/source/server/promote_trust_list.ts +392 -73
- package/source/server/push_certificate_manager/apply_changes.ts +73 -0
- package/source/server/push_certificate_manager/create_signing_request.ts +137 -0
- package/source/server/push_certificate_manager/get_rejected_list.ts +63 -0
- package/source/server/push_certificate_manager/internal_context.ts +63 -0
- package/source/server/push_certificate_manager/subject_to_string.ts +25 -0
- package/source/server/push_certificate_manager/update_certificate.ts +203 -0
- package/source/server/push_certificate_manager/util.ts +145 -0
- package/source/server/push_certificate_manager_helpers.ts +62 -52
- package/source/server/push_certificate_manager_server_impl.ts +133 -552
- package/source/server/roles_and_permissions.ts +7 -8
- package/source/server/tools.ts +2 -5
- package/source/server/trust_list_server.ts +24 -9
- package/source/standard_certificate_types.ts +2 -3
- package/source/trust_list.ts +26 -33
|
@@ -0,0 +1,108 @@
|
|
|
1
|
+
import crypto from "node:crypto";
|
|
2
|
+
import fs from "node:fs";
|
|
3
|
+
import path from "node:path";
|
|
4
|
+
import { CertificateManager } from "node-opcua-certificate-manager";
|
|
5
|
+
import { convertPEMtoDER, exploreCertificate, readCertificate } from "node-opcua-crypto";
|
|
6
|
+
import { checkDebugFlag, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
|
|
7
|
+
import { NodeId, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
|
|
8
|
+
import { StatusCodes } from "node-opcua-status-code";
|
|
9
|
+
import { subjectToString } from "./subject_to_string.js";
|
|
10
|
+
import { resolveCertificateGroupContext } from "./util.js";
|
|
11
|
+
const warningLog = make_warningLog("ServerConfiguration");
|
|
12
|
+
const errorLog = make_errorLog("ServerConfiguration");
|
|
13
|
+
const debugLog = make_debugLog("ServerConfiguration");
|
|
14
|
+
const doDebug = checkDebugFlag("ServerConfiguration");
|
|
15
|
+
export async function executeCreateSigningRequest(serverImpl, certificateGroupId, certificateTypeId, subjectName, regeneratePrivateKey, nonce) {
|
|
16
|
+
// Resolve context using our util
|
|
17
|
+
const context = resolveCertificateGroupContext(serverImpl, certificateGroupId);
|
|
18
|
+
if (context.statusCode.isNotGood() || !context.certificateManager) {
|
|
19
|
+
doDebug && debugLog(" cannot find group ", certificateGroupId);
|
|
20
|
+
return { statusCode: StatusCodes.BadInvalidArgument };
|
|
21
|
+
}
|
|
22
|
+
const { certificateManager, allowedTypes } = context;
|
|
23
|
+
// Validate Certificate Type
|
|
24
|
+
if (certificateTypeId) {
|
|
25
|
+
let typeNodeId;
|
|
26
|
+
if (typeof certificateTypeId === "string") {
|
|
27
|
+
if (certificateTypeId !== "") {
|
|
28
|
+
try {
|
|
29
|
+
typeNodeId = resolveNodeId(certificateTypeId);
|
|
30
|
+
}
|
|
31
|
+
catch {
|
|
32
|
+
warningLog("Invalid certificateTypeId string:", certificateTypeId);
|
|
33
|
+
return { statusCode: StatusCodes.BadInvalidArgument };
|
|
34
|
+
}
|
|
35
|
+
if (!sameNodeId(typeNodeId, NodeId.nullNodeId)) {
|
|
36
|
+
const isValidType = allowedTypes?.some((t) => sameNodeId(t, typeNodeId));
|
|
37
|
+
if (!isValidType) {
|
|
38
|
+
warningLog("certificateTypeId is not in the allowed types for this certificate group:", certificateTypeId);
|
|
39
|
+
return { statusCode: StatusCodes.BadNotSupported };
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
else {
|
|
45
|
+
typeNodeId = certificateTypeId;
|
|
46
|
+
if (!sameNodeId(typeNodeId, NodeId.nullNodeId)) {
|
|
47
|
+
const isValidType = allowedTypes?.some((t) => sameNodeId(t, typeNodeId));
|
|
48
|
+
if (!isValidType) {
|
|
49
|
+
warningLog("certificateTypeId is not in the allowed types for this certificate group:", certificateTypeId);
|
|
50
|
+
return { statusCode: StatusCodes.BadNotSupported };
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
// Resolve Subject Name
|
|
56
|
+
if (!subjectName) {
|
|
57
|
+
const currentCertificateFilename = path.join(certificateManager.rootDir, "own/certs/certificate.pem");
|
|
58
|
+
try {
|
|
59
|
+
const certificate = readCertificate(currentCertificateFilename);
|
|
60
|
+
const e = exploreCertificate(certificate);
|
|
61
|
+
subjectName = subjectToString(e.tbsCertificate.subject);
|
|
62
|
+
warningLog("reusing existing certificate subjectName = ", subjectName);
|
|
63
|
+
}
|
|
64
|
+
catch (err) {
|
|
65
|
+
errorLog("Cannot find existing certificate to extract subjectName", currentCertificateFilename, ":", err.message);
|
|
66
|
+
return { statusCode: StatusCodes.BadInvalidState };
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
if (typeof subjectName !== "string") {
|
|
70
|
+
return { statusCode: StatusCodes.BadInternalError };
|
|
71
|
+
}
|
|
72
|
+
// Regenerate Private Key Logic
|
|
73
|
+
if (regeneratePrivateKey) {
|
|
74
|
+
if (!nonce || nonce.length < 32) {
|
|
75
|
+
warningLog("nonce should be provided when regeneratePrivateKey is set, and length shall be at least 32 bytes");
|
|
76
|
+
return { statusCode: StatusCodes.BadInvalidArgument };
|
|
77
|
+
}
|
|
78
|
+
const volatileTmp = await serverImpl.fileTransactionManager.getTmpDir();
|
|
79
|
+
const tmpPKI = path.join(volatileTmp, `pki${crypto.randomUUID()}`);
|
|
80
|
+
const tempCertificateManager = new CertificateManager({
|
|
81
|
+
keySize: certificateManager.keySize,
|
|
82
|
+
location: tmpPKI
|
|
83
|
+
});
|
|
84
|
+
doDebug && debugLog("generating a new private key ...");
|
|
85
|
+
await tempCertificateManager.initialize();
|
|
86
|
+
serverImpl.tmpCertificateManager = tempCertificateManager;
|
|
87
|
+
const generatedPrivateKeyPEM = await fs.promises.readFile(tempCertificateManager.privateKey, "utf8");
|
|
88
|
+
await serverImpl.fileTransactionManager.stageFile(certificateManager.privateKey, generatedPrivateKeyPEM, "utf8");
|
|
89
|
+
serverImpl.fileTransactionManager.addCleanupTask(async () => {
|
|
90
|
+
await tempCertificateManager.dispose();
|
|
91
|
+
serverImpl.tmpCertificateManager = undefined;
|
|
92
|
+
});
|
|
93
|
+
}
|
|
94
|
+
const options = {
|
|
95
|
+
applicationUri: serverImpl.applicationUri,
|
|
96
|
+
subject: subjectName
|
|
97
|
+
};
|
|
98
|
+
const activeCertificateManager = serverImpl.tmpCertificateManager || certificateManager;
|
|
99
|
+
await activeCertificateManager.initialize();
|
|
100
|
+
const csrFile = await activeCertificateManager.createCertificateRequest(options);
|
|
101
|
+
const csrPEM = await fs.promises.readFile(csrFile, "utf8");
|
|
102
|
+
const certificateSigningRequest = convertPEMtoDER(csrPEM);
|
|
103
|
+
return {
|
|
104
|
+
certificateSigningRequest,
|
|
105
|
+
statusCode: StatusCodes.Good
|
|
106
|
+
};
|
|
107
|
+
}
|
|
108
|
+
//# sourceMappingURL=create_signing_request.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"create_signing_request.js","sourceRoot":"","sources":["../../../source/server/push_certificate_manager/create_signing_request.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EAAE,eAAe,EAAsB,kBAAkB,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAC7G,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACjG,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAIrD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,8BAA8B,EAAE,MAAM,WAAW,CAAC;AAE3D,MAAM,UAAU,GAAG,eAAe,CAAC,qBAAqB,CAAC,CAAC;AAC1D,MAAM,QAAQ,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAC;AACtD,MAAM,QAAQ,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAC;AACtD,MAAM,OAAO,GAAG,cAAc,CAAC,qBAAqB,CAAC,CAAC;AAEtD,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC7C,UAAiD,EACjD,kBAAmC,EACnC,iBAAkC,EAClC,WAA2C,EAC3C,oBAA8B,EAC9B,KAAc;IAEd,iCAAiC;IACjC,MAAM,OAAO,GAAG,8BAA8B,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;IAC/E,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAChE,OAAO,IAAI,QAAQ,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CAAC;QAC/D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;IAErD,4BAA4B;IAC5B,IAAI,iBAAiB,EAAE,CAAC;QACpB,IAAI,UAAkB,CAAC;QACvB,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YACxC,IAAI,iBAAiB,KAAK,EAAE,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACD,UAAU,GAAG,aAAa,CAAC,iBAAiB,CAAC,CAAC;gBAClD,CAAC;gBAAC,MAAM,CAAC;oBACL,UAAU,CAAC,mCAAmC,EAAE,iBAAiB,CAAC,CAAC;oBACnE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,CAAC;gBAC1D,CAAC;gBACD,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7C,MAAM,WAAW,GAAG,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;oBACzE,IAAI,CAAC,WAAW,EAAE,CAAC;wBACf,UAAU,CAAC,2EAA2E,EAAE,iBAAiB,CAAC,CAAC;wBAC3G,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,CAAC;oBACvD,CAAC;gBACL,CAAC;YACL,CAAC;QACL,CAAC;aAAM,CAAC;YACJ,UAAU,GAAG,iBAAiB,CAAC;YAC/B,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7C,MAAM,WAAW,GAAG,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;gBACzE,IAAI,CAAC,WAAW,EAAE,CAAC;oBACf,UAAU,CAAC,2EAA2E,EAAE,iBAAiB,CAAC,CAAC;oBAC3G,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,CAAC;gBACvD,CAAC;YACL,CAAC;QACL,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,WAAW,EAAE,CAAC;QACf,MAAM,0BAA0B,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,2BAA2B,CAAC,CAAC;QACtG,IAAI,CAAC;YACD,MAAM,WAAW,GAAG,eAAe,CAAC,0BAA0B,CAAC,CAAC;YAChE,MAAM,CAAC,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;YAC1C,WAAW,GAAG,eAAe,CAAC,CAAC,CAAC,cAAc,CAAC,OAAyC,CAAC,CAAC;YAC1F,UAAU,CAAC,6CAA6C,EAAE,WAAW,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,QAAQ,CACJ,yDAAyD,EACzD,0BAA0B,EAC1B,GAAG,EACF,GAAa,CAAC,OAAO,CACzB,CAAC;YACF,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,CAAC;QACvD,CAAC;IACL,CAAC;IAED,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,gBAAgB,EAAE,CAAC;IACxD,CAAC;IAED,+BAA+B;IAC/B,IAAI,oBAAoB,EAAE,CAAC;QACvB,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC9B,UAAU,CAAC,kGAAkG,CAAC,CAAC;YAC/G,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,CAAC;QAC1D,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,EAAE,CAAC;QACxE,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAEnE,MAAM,sBAAsB,GAAG,IAAI,kBAAkB,CAAC;YAClD,OAAO,EAAE,kBAAkB,CAAC,OAAO;YACnC,QAAQ,EAAE,MAAM;SACnB,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CAAC,kCAAkC,CAAC,CAAC;QACxD,MAAM,sBAAsB,CAAC,UAAU,EAAE,CAAC;QAE1C,UAAU,CAAC,qBAAqB,GAAG,sBAAsB,CAAC;QAE1D,MAAM,sBAAsB,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,sBAAsB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACrG,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,sBAAsB,EAAE,MAAM,CAAC,CAAC;QAEjH,UAAU,CAAC,sBAAsB,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;YACxD,MAAM,sBAAsB,CAAC,OAAO,EAAE,CAAC;YACvC,UAAU,CAAC,qBAAqB,GAAG,SAAS,CAAC;QACjD,CAAC,CAAC,CAAC;IACP,CAAC;IAED,MAAM,OAAO,GAAG;QACZ,cAAc,EAAE,UAAU,CAAC,cAAc;QACzC,OAAO,EAAE,WAAW;KACvB,CAAC;IAEF,MAAM,wBAAwB,GAAG,UAAU,CAAC,qBAAqB,IAAI,kBAAkB,CAAC;IAExF,MAAM,wBAAwB,CAAC,UAAU,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAG,MAAM,wBAAwB,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACjF,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3D,MAAM,yBAAyB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAE1D,OAAO;QACH,yBAAyB;QACzB,UAAU,EAAE,WAAW,CAAC,IAAI;KAC/B,CAAC;AACN,CAAC"}
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
import type { GetRejectedListResult } from "../../push_certificate_manager.js";
|
|
2
|
+
import type { PushCertificateManagerInternalContext } from "./internal_context.js";
|
|
3
|
+
export declare function executeGetRejectedList(serverImpl: PushCertificateManagerInternalContext): Promise<GetRejectedListResult>;
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
import fs from "node:fs";
|
|
2
|
+
import path from "node:path";
|
|
3
|
+
import { convertPEMtoDER } from "node-opcua-crypto";
|
|
4
|
+
import { StatusCodes } from "node-opcua-status-code";
|
|
5
|
+
async function extractRejectedList(group, certificateList) {
|
|
6
|
+
if (!group) {
|
|
7
|
+
return;
|
|
8
|
+
}
|
|
9
|
+
const rejectedFolder = path.join(group.rootDir, "rejected");
|
|
10
|
+
try {
|
|
11
|
+
const files = await fs.promises.readdir(rejectedFolder);
|
|
12
|
+
const promises = [];
|
|
13
|
+
for (const certFile of files) {
|
|
14
|
+
promises.push(fs.promises.stat(path.join(rejectedFolder, certFile)));
|
|
15
|
+
}
|
|
16
|
+
const stats = await Promise.all(promises);
|
|
17
|
+
for (let i = 0; i < stats.length; i++) {
|
|
18
|
+
certificateList.push({
|
|
19
|
+
filename: path.join(rejectedFolder, files[i]),
|
|
20
|
+
stat: stats[i]
|
|
21
|
+
});
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
catch (_err) {
|
|
25
|
+
// Directory might not exist yet, ignore
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
export async function executeGetRejectedList(serverImpl) {
|
|
29
|
+
const list = [];
|
|
30
|
+
await extractRejectedList(serverImpl.applicationGroup, list);
|
|
31
|
+
await extractRejectedList(serverImpl.userTokenGroup, list);
|
|
32
|
+
await extractRejectedList(serverImpl.httpsGroup, list);
|
|
33
|
+
// sort list from newer file to older file
|
|
34
|
+
list.sort((a, b) => b.stat.mtime.getTime() - a.stat.mtime.getTime());
|
|
35
|
+
const promises = [];
|
|
36
|
+
for (const item of list) {
|
|
37
|
+
promises.push(fs.promises.readFile(item.filename, "utf8"));
|
|
38
|
+
}
|
|
39
|
+
const certificatesPEM = await Promise.all(promises);
|
|
40
|
+
const certificates = certificatesPEM.map(convertPEMtoDER);
|
|
41
|
+
return {
|
|
42
|
+
certificates,
|
|
43
|
+
statusCode: StatusCodes.Good
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
//# sourceMappingURL=get_rejected_list.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"get_rejected_list.js","sourceRoot":"","sources":["../../../source/server/push_certificate_manager/get_rejected_list.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAWrD,KAAK,UAAU,mBAAmB,CAAC,KAAqC,EAAE,eAA2B;IACjG,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,OAAO;IACX,CAAC;IACD,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAC5D,IAAI,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAExD,MAAM,QAAQ,GAAwB,EAAE,CAAC;QACzC,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC3B,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACpC,eAAe,CAAC,IAAI,CAAC;gBACjB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC7C,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;aACjB,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAAC,OAAO,IAAI,EAAE,CAAC;QACZ,wCAAwC;IAC5C,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,UAAiD;IAC1F,MAAM,IAAI,GAAe,EAAE,CAAC;IAE5B,MAAM,mBAAmB,CAAC,UAAU,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC;IAC7D,MAAM,mBAAmB,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IAC3D,MAAM,mBAAmB,CAAC,UAAU,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAEvD,0CAA0C;IAC1C,IAAI,CAAC,IAAI,CAAC,CAAC,CAAW,EAAE,CAAW,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAEzF,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/D,CAAC;IACD,MAAM,eAAe,GAAa,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE9D,MAAM,YAAY,GAAa,eAAe,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAEpE,OAAO;QACH,YAAY;QACZ,UAAU,EAAE,WAAW,CAAC,IAAI;KAC/B,CAAC;AACN,CAAC"}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
import type { CertificateManager } from "node-opcua-certificate-manager";
|
|
2
|
+
import type { NodeId } from "node-opcua-nodeid";
|
|
3
|
+
import { FileTransactionManager } from "../file_transaction_manager.js";
|
|
4
|
+
export type ActionQueue = (() => Promise<void>)[];
|
|
5
|
+
export interface IPushCertificateManagerServer {
|
|
6
|
+
applicationGroup?: CertificateManager;
|
|
7
|
+
userTokenGroup?: CertificateManager;
|
|
8
|
+
httpsGroup?: CertificateManager;
|
|
9
|
+
applicationUri: string;
|
|
10
|
+
getCertificateManager(groupName: string): CertificateManager | null;
|
|
11
|
+
getCertificateTypes(groupName: string): NodeId[] | undefined;
|
|
12
|
+
emit(eventName: string | symbol, ...args: unknown[]): boolean;
|
|
13
|
+
}
|
|
14
|
+
export declare class PushCertificateManagerInternalContext {
|
|
15
|
+
private readonly server;
|
|
16
|
+
readonly map: {
|
|
17
|
+
[key: string]: CertificateManager;
|
|
18
|
+
};
|
|
19
|
+
readonly certificateTypes: {
|
|
20
|
+
[key: string]: NodeId[];
|
|
21
|
+
};
|
|
22
|
+
readonly fileTransactionManager: FileTransactionManager;
|
|
23
|
+
tmpCertificateManager?: CertificateManager;
|
|
24
|
+
actionQueue: ActionQueue;
|
|
25
|
+
operationInProgress: boolean;
|
|
26
|
+
constructor(server: IPushCertificateManagerServer);
|
|
27
|
+
get applicationGroup(): CertificateManager | undefined;
|
|
28
|
+
get userTokenGroup(): CertificateManager | undefined;
|
|
29
|
+
get httpsGroup(): CertificateManager | undefined;
|
|
30
|
+
get applicationUri(): string;
|
|
31
|
+
getCertificateManager(groupName: string): CertificateManager | null;
|
|
32
|
+
getCertificateTypes(groupName: string): NodeId[] | undefined;
|
|
33
|
+
emit(eventName: string | symbol, ...args: unknown[]): boolean;
|
|
34
|
+
dispose(): Promise<void>;
|
|
35
|
+
}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
import { FileTransactionManager } from "../file_transaction_manager.js";
|
|
2
|
+
export class PushCertificateManagerInternalContext {
|
|
3
|
+
server;
|
|
4
|
+
map = {};
|
|
5
|
+
certificateTypes = {};
|
|
6
|
+
fileTransactionManager = new FileTransactionManager();
|
|
7
|
+
tmpCertificateManager;
|
|
8
|
+
actionQueue = [];
|
|
9
|
+
operationInProgress = false;
|
|
10
|
+
constructor(server) {
|
|
11
|
+
this.server = server;
|
|
12
|
+
}
|
|
13
|
+
get applicationGroup() {
|
|
14
|
+
return this.server.applicationGroup;
|
|
15
|
+
}
|
|
16
|
+
get userTokenGroup() {
|
|
17
|
+
return this.server.userTokenGroup;
|
|
18
|
+
}
|
|
19
|
+
get httpsGroup() {
|
|
20
|
+
return this.server.httpsGroup;
|
|
21
|
+
}
|
|
22
|
+
get applicationUri() {
|
|
23
|
+
return this.server.applicationUri;
|
|
24
|
+
}
|
|
25
|
+
getCertificateManager(groupName) {
|
|
26
|
+
return this.server.getCertificateManager(groupName);
|
|
27
|
+
}
|
|
28
|
+
getCertificateTypes(groupName) {
|
|
29
|
+
return this.server.getCertificateTypes(groupName);
|
|
30
|
+
}
|
|
31
|
+
emit(eventName, ...args) {
|
|
32
|
+
return this.server.emit(eventName, ...args);
|
|
33
|
+
}
|
|
34
|
+
async dispose() {
|
|
35
|
+
if (this.tmpCertificateManager) {
|
|
36
|
+
await this.tmpCertificateManager.dispose();
|
|
37
|
+
this.tmpCertificateManager = undefined;
|
|
38
|
+
}
|
|
39
|
+
if (this.fileTransactionManager) {
|
|
40
|
+
await this.fileTransactionManager.abortTransaction();
|
|
41
|
+
}
|
|
42
|
+
this.actionQueue.length = 0;
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
//# sourceMappingURL=internal_context.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"internal_context.js","sourceRoot":"","sources":["../../../source/server/push_certificate_manager/internal_context.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AAexE,MAAM,OAAO,qCAAqC;IAQjB;IAPb,GAAG,GAA0C,EAAE,CAAC;IAChD,gBAAgB,GAAgC,EAAE,CAAC;IACnD,sBAAsB,GAAG,IAAI,sBAAsB,EAAE,CAAC;IAC/D,qBAAqB,CAAsB;IAC3C,WAAW,GAAgB,EAAE,CAAC;IAC9B,mBAAmB,GAAG,KAAK,CAAC;IAEnC,YAA6B,MAAqC;QAArC,WAAM,GAAN,MAAM,CAA+B;IAAG,CAAC;IAEtE,IAAI,gBAAgB;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;IACxC,CAAC;IACD,IAAI,cAAc;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;IACtC,CAAC;IACD,IAAI,UAAU;QACV,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;IAClC,CAAC;IACD,IAAI,cAAc;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;IACtC,CAAC;IAED,qBAAqB,CAAC,SAAiB;QACnC,OAAO,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACxD,CAAC;IACD,mBAAmB,CAAC,SAAiB;QACjC,OAAO,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,SAA0B,EAAE,GAAG,IAAe;QAC/C,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,CAAC;IAChD,CAAC;IAEM,KAAK,CAAC,OAAO;QAChB,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,CAAC;YAC3C,IAAI,CAAC,qBAAqB,GAAG,SAAS,CAAC;QAC3C,CAAC;QAED,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;YAC9B,MAAM,IAAI,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;QACzD,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;IAChC,CAAC;CACJ"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
export function subjectToString(subject) {
|
|
2
|
+
let s = "";
|
|
3
|
+
if (subject.commonName)
|
|
4
|
+
s += `/CN=${subject.commonName}`;
|
|
5
|
+
if (subject.country)
|
|
6
|
+
s += `/C=${subject.country}`;
|
|
7
|
+
if (subject.countryName)
|
|
8
|
+
s += `/C=${subject.countryName}`;
|
|
9
|
+
if (subject.domainComponent)
|
|
10
|
+
s += `/DC=${subject.domainComponent}`;
|
|
11
|
+
if (subject.locality)
|
|
12
|
+
s += `/L=${subject.locality}`;
|
|
13
|
+
if (subject.localityName)
|
|
14
|
+
s += `/L=${subject.localityName}`;
|
|
15
|
+
if (subject.organization)
|
|
16
|
+
s += `/O=${subject.organization}`;
|
|
17
|
+
if (subject.organizationName)
|
|
18
|
+
s += `/O=${subject.organizationName}`;
|
|
19
|
+
if (subject.organizationUnitName)
|
|
20
|
+
s += `/OU=${subject.organizationUnitName}`;
|
|
21
|
+
if (subject.state)
|
|
22
|
+
s += `/ST=${subject.state}`;
|
|
23
|
+
if (subject.stateOrProvinceName)
|
|
24
|
+
s += `/ST=${subject.stateOrProvinceName}`;
|
|
25
|
+
return s;
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=subject_to_string.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"subject_to_string.js","sourceRoot":"","sources":["../../../source/server/push_certificate_manager/subject_to_string.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,eAAe,CAAC,OAAuC;IACnE,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,IAAI,OAAO,CAAC,UAAU;QAAE,CAAC,IAAI,OAAO,OAAO,CAAC,UAAU,EAAE,CAAC;IAEzD,IAAI,OAAO,CAAC,OAAO;QAAE,CAAC,IAAI,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;IAClD,IAAI,OAAO,CAAC,WAAW;QAAE,CAAC,IAAI,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC;IAE1D,IAAI,OAAO,CAAC,eAAe;QAAE,CAAC,IAAI,OAAO,OAAO,CAAC,eAAe,EAAE,CAAC;IAEnE,IAAI,OAAO,CAAC,QAAQ;QAAE,CAAC,IAAI,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC;IACpD,IAAI,OAAO,CAAC,YAAY;QAAE,CAAC,IAAI,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC;IAE5D,IAAI,OAAO,CAAC,YAAY;QAAE,CAAC,IAAI,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC;IAC5D,IAAI,OAAO,CAAC,gBAAgB;QAAE,CAAC,IAAI,MAAM,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAEpE,IAAI,OAAO,CAAC,oBAAoB;QAAE,CAAC,IAAI,OAAO,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAE7E,IAAI,OAAO,CAAC,KAAK;QAAE,CAAC,IAAI,OAAO,OAAO,CAAC,KAAK,EAAE,CAAC;IAC/C,IAAI,OAAO,CAAC,mBAAmB;QAAE,CAAC,IAAI,OAAO,OAAO,CAAC,mBAAmB,EAAE,CAAC;IAE3E,OAAO,CAAC,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
import type { ByteString } from "node-opcua-basic-types";
|
|
2
|
+
import type { NodeId } from "node-opcua-nodeid";
|
|
3
|
+
import type { UpdateCertificateResult } from "../../push_certificate_manager.js";
|
|
4
|
+
import type { PushCertificateManagerInternalContext } from "./internal_context.js";
|
|
5
|
+
export declare function executeUpdateCertificate(serverImpl: PushCertificateManagerInternalContext, certificateGroupId: NodeId | string, certificateTypeId: NodeId | string, certificate: Buffer, issuerCertificates: ByteString[], privateKeyFormat?: string, privateKey?: Buffer | string): Promise<UpdateCertificateResult>;
|
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
import fs from "node:fs";
|
|
2
|
+
import path from "node:path";
|
|
3
|
+
import { assert } from "node-opcua-assert";
|
|
4
|
+
import { readPrivateKey } from "node-opcua-crypto";
|
|
5
|
+
import { certificateMatchesPrivateKey, coercePEMorDerToPrivateKey, coercePrivateKeyPem, makeSHA1Thumbprint, toPem } from "node-opcua-crypto/web";
|
|
6
|
+
import { checkDebugFlag, make_debugLog, make_warningLog } from "node-opcua-debug";
|
|
7
|
+
import { StatusCodes } from "node-opcua-status-code";
|
|
8
|
+
import { validateCertificateAndChain } from "../certificate_validation.js";
|
|
9
|
+
import { resolveCertificateGroupContext, validateCertificateType } from "./util.js";
|
|
10
|
+
const warningLog = make_warningLog("ServerConfiguration");
|
|
11
|
+
const debugLog = make_debugLog("ServerConfiguration");
|
|
12
|
+
const doDebug = checkDebugFlag("ServerConfiguration");
|
|
13
|
+
// Helper: Stage issuer certificates to temporary files
|
|
14
|
+
async function preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates) {
|
|
15
|
+
if (issuerCertificates && issuerCertificates.length > 0) {
|
|
16
|
+
const issuerFolder = certificateManager.issuersCertFolder;
|
|
17
|
+
await fs.promises.mkdir(issuerFolder, { recursive: true });
|
|
18
|
+
for (let i = 0; i < issuerCertificates.length; i++) {
|
|
19
|
+
const issuerCert = issuerCertificates[i];
|
|
20
|
+
const thumbprint = makeSHA1Thumbprint(issuerCert).toString("hex");
|
|
21
|
+
const finalIssuerFileDER = path.join(issuerFolder, `issuer_${thumbprint}.der`);
|
|
22
|
+
const finalIssuerFilePEM = path.join(issuerFolder, `issuer_${thumbprint}.pem`);
|
|
23
|
+
const issuerCertPEM = toPem(issuerCert, "CERTIFICATE");
|
|
24
|
+
await serverImpl.fileTransactionManager.stageFile(finalIssuerFileDER, issuerCert);
|
|
25
|
+
await serverImpl.fileTransactionManager.stageFile(finalIssuerFilePEM, issuerCertPEM, "utf-8");
|
|
26
|
+
doDebug && debugLog(`Staged issuer certificate ${i + 1}/${issuerCertificates.length}: ${thumbprint}`);
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
// Helper: Stage main certificate to temporary files
|
|
31
|
+
async function preInstallCertificate(serverImpl, certificateManager, certificate) {
|
|
32
|
+
const certFolder = certificateManager.ownCertFolder;
|
|
33
|
+
const destDER = path.join(certFolder, "certificate.der");
|
|
34
|
+
const destPEM = path.join(certFolder, "certificate.pem");
|
|
35
|
+
const certificatePEM = toPem(certificate, "CERTIFICATE");
|
|
36
|
+
await serverImpl.fileTransactionManager.stageFile(destDER, certificate);
|
|
37
|
+
await serverImpl.fileTransactionManager.stageFile(destPEM, certificatePEM, "utf-8");
|
|
38
|
+
}
|
|
39
|
+
// Helper: Stage private key to temporary file
|
|
40
|
+
async function preInstallPrivateKey(serverImpl, certificateManager, privateKeyFormat, privateKey) {
|
|
41
|
+
assert(privateKeyFormat.toUpperCase() === "PEM");
|
|
42
|
+
if (privateKey) {
|
|
43
|
+
const privateKeyObj = coercePEMorDerToPrivateKey(privateKey);
|
|
44
|
+
const privateKeyPEM = coercePrivateKeyPem(privateKeyObj);
|
|
45
|
+
await serverImpl.fileTransactionManager.stageFile(certificateManager.privateKey, privateKeyPEM, "utf-8");
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
// Main Execute Function
|
|
49
|
+
export async function executeUpdateCertificate(serverImpl, certificateGroupId, certificateTypeId, certificate, issuerCertificates, privateKeyFormat, privateKey) {
|
|
50
|
+
if (serverImpl.operationInProgress) {
|
|
51
|
+
return { statusCode: StatusCodes.BadTooManyOperations, applyChangesRequired: false };
|
|
52
|
+
}
|
|
53
|
+
serverImpl.operationInProgress = true;
|
|
54
|
+
try {
|
|
55
|
+
const context = resolveCertificateGroupContext(serverImpl, certificateGroupId);
|
|
56
|
+
if (context.statusCode.isNotGood() || !context.certificateManager) {
|
|
57
|
+
debugLog(" cannot find group ", certificateGroupId);
|
|
58
|
+
return { statusCode: StatusCodes.BadInvalidArgument, applyChangesRequired: false };
|
|
59
|
+
}
|
|
60
|
+
const { certificateManager, allowedTypes } = context;
|
|
61
|
+
if (!validateCertificateType(certificate, certificateTypeId, allowedTypes ?? [], warningLog)) {
|
|
62
|
+
warningLog(`Certificate type ${certificateTypeId} does not match expected certificateTypeId \n allowed types: ${allowedTypes?.map((t) => t.toString()).join(", ")} \n certificate: ${certificate.toString("base64")}`);
|
|
63
|
+
return { statusCode: StatusCodes.BadCertificateInvalid, applyChangesRequired: false };
|
|
64
|
+
}
|
|
65
|
+
const isApplicationGroup = certificateManager === serverImpl.applicationGroup;
|
|
66
|
+
const validationResult = await validateCertificateAndChain(certificateManager, isApplicationGroup, certificate, issuerCertificates);
|
|
67
|
+
if (validationResult.statusCode !== StatusCodes.Good) {
|
|
68
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
69
|
+
return { statusCode: validationResult.statusCode, applyChangesRequired: false };
|
|
70
|
+
}
|
|
71
|
+
doDebug && debugLog(" updateCertificate ", makeSHA1Thumbprint(certificate).toString("hex"));
|
|
72
|
+
const hasPrivateKeyFormat = privateKeyFormat !== undefined && privateKeyFormat !== null && privateKeyFormat !== "";
|
|
73
|
+
const hasPrivateKey = privateKey !== undefined &&
|
|
74
|
+
privateKey !== null &&
|
|
75
|
+
privateKey !== "" &&
|
|
76
|
+
!(privateKey instanceof Buffer && privateKey.length === 0);
|
|
77
|
+
if (hasPrivateKeyFormat !== hasPrivateKey) {
|
|
78
|
+
warningLog("privateKeyFormat and privateKey must both be provided or both be omitted");
|
|
79
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
80
|
+
return { statusCode: StatusCodes.BadInvalidArgument, applyChangesRequired: false };
|
|
81
|
+
}
|
|
82
|
+
if (!hasPrivateKeyFormat && !hasPrivateKey) {
|
|
83
|
+
const privateKeyObj = readPrivateKey(serverImpl.tmpCertificateManager ? serverImpl.tmpCertificateManager.privateKey : certificateManager.privateKey);
|
|
84
|
+
if (!certificateMatchesPrivateKey(certificate, privateKeyObj)) {
|
|
85
|
+
warningLog("certificate doesn't match privateKey");
|
|
86
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
87
|
+
return { statusCode: StatusCodes.BadSecurityChecksFailed, applyChangesRequired: false };
|
|
88
|
+
}
|
|
89
|
+
await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
|
|
90
|
+
await preInstallCertificate(serverImpl, certificateManager, certificate);
|
|
91
|
+
serverImpl.emit("certificateUpdated", certificateGroupId, certificate);
|
|
92
|
+
return { statusCode: StatusCodes.Good, applyChangesRequired: true };
|
|
93
|
+
}
|
|
94
|
+
else {
|
|
95
|
+
if (privateKeyFormat !== "PEM" && privateKeyFormat !== "PFX") {
|
|
96
|
+
warningLog(` the private key format is invalid privateKeyFormat =${privateKeyFormat}`);
|
|
97
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
98
|
+
return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
|
|
99
|
+
}
|
|
100
|
+
if (privateKeyFormat !== "PEM") {
|
|
101
|
+
warningLog(`in NodeOPCUA we only support PEM for the moment privateKeyFormat =${privateKeyFormat}`);
|
|
102
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
103
|
+
return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
|
|
104
|
+
}
|
|
105
|
+
let privateKeyObj;
|
|
106
|
+
let tempPrivateKey = privateKey;
|
|
107
|
+
if (tempPrivateKey instanceof Buffer || typeof tempPrivateKey === "string") {
|
|
108
|
+
if (tempPrivateKey instanceof Buffer) {
|
|
109
|
+
assert(privateKeyFormat === "PEM");
|
|
110
|
+
tempPrivateKey = tempPrivateKey.toString("utf-8");
|
|
111
|
+
}
|
|
112
|
+
privateKeyObj = coercePEMorDerToPrivateKey(tempPrivateKey);
|
|
113
|
+
}
|
|
114
|
+
if (!privateKeyObj) {
|
|
115
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
116
|
+
return { statusCode: StatusCodes.BadNotSupported, applyChangesRequired: false };
|
|
117
|
+
}
|
|
118
|
+
if (!certificateMatchesPrivateKey(certificate, privateKeyObj)) {
|
|
119
|
+
warningLog("certificate doesn't match privateKey");
|
|
120
|
+
await serverImpl.fileTransactionManager.abortTransaction();
|
|
121
|
+
return { statusCode: StatusCodes.BadSecurityChecksFailed, applyChangesRequired: false };
|
|
122
|
+
}
|
|
123
|
+
await preInstallPrivateKey(serverImpl, certificateManager, privateKeyFormat, tempPrivateKey);
|
|
124
|
+
await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
|
|
125
|
+
await preInstallCertificate(serverImpl, certificateManager, certificate);
|
|
126
|
+
serverImpl.emit("certificateUpdated", certificateGroupId, certificate);
|
|
127
|
+
return { statusCode: StatusCodes.Good, applyChangesRequired: true };
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
finally {
|
|
131
|
+
serverImpl.operationInProgress = false;
|
|
132
|
+
}
|
|
133
|
+
}
|
|
134
|
+
//# sourceMappingURL=update_certificate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"update_certificate.js","sourceRoot":"","sources":["../../../source/server/push_certificate_manager/update_certificate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAG3C,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EACH,4BAA4B,EAC5B,0BAA0B,EAC1B,mBAAmB,EACnB,kBAAkB,EAElB,KAAK,EACR,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAElF,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAC;AAE3E,OAAO,EAAE,8BAA8B,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AAEpF,MAAM,UAAU,GAAG,eAAe,CAAC,qBAAqB,CAAC,CAAC;AAC1D,MAAM,QAAQ,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAC;AACtD,MAAM,OAAO,GAAG,cAAc,CAAC,qBAAqB,CAAC,CAAC;AAEtD,uDAAuD;AACvD,KAAK,UAAU,4BAA4B,CACvC,UAAiD,EACjD,kBAAsC,EACtC,kBAA4C;IAE5C,IAAI,kBAAkB,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,YAAY,GAAG,kBAAkB,CAAC,iBAAiB,CAAC;QAC1D,MAAM,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,kBAAkB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACjD,MAAM,UAAU,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;YACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAElE,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,UAAU,UAAU,MAAM,CAAC,CAAC;YAC/E,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,UAAU,UAAU,MAAM,CAAC,CAAC;YAC/E,MAAM,aAAa,GAAG,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;YAEvD,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;YAClF,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,CAAC,kBAAkB,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;YAE9F,OAAO,IAAI,QAAQ,CAAC,6BAA6B,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC,CAAC;QAC1G,CAAC;IACL,CAAC;AACL,CAAC;AAED,oDAAoD;AACpD,KAAK,UAAU,qBAAqB,CAChC,UAAiD,EACjD,kBAAsC,EACtC,WAAmB;IAEnB,MAAM,UAAU,GAAG,kBAAkB,CAAC,aAAa,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,KAAK,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAEzD,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACxE,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,CAAC,OAAO,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;AACxF,CAAC;AAED,8CAA8C;AAC9C,KAAK,UAAU,oBAAoB,CAC/B,UAAiD,EACjD,kBAAsC,EACtC,gBAAwB,EACxB,UAAuC;IAEvC,MAAM,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC;IAEjD,IAAI,UAAU,EAAE,CAAC;QACb,MAAM,aAAa,GAAG,0BAA0B,CAAC,UAA6B,CAAC,CAAC;QAChF,MAAM,aAAa,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;QACzD,MAAM,UAAU,CAAC,sBAAsB,CAAC,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;IAC7G,CAAC;AACL,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC1C,UAAiD,EACjD,kBAAmC,EACnC,iBAAkC,EAClC,WAAmB,EACnB,kBAAgC,EAChC,gBAAyB,EACzB,UAA4B;IAE5B,IAAI,UAAU,CAAC,mBAAmB,EAAE,CAAC;QACjC,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,oBAAoB,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;IACzF,CAAC;IAED,UAAU,CAAC,mBAAmB,GAAG,IAAI,CAAC;IACtC,IAAI,CAAC;QACD,MAAM,OAAO,GAAG,8BAA8B,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;QAC/E,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAChE,QAAQ,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,CAAC;YACpD,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;QACvF,CAAC;QAED,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;QAErD,IAAI,CAAC,uBAAuB,CAAC,WAAW,EAAE,iBAAiB,EAAE,YAAY,IAAI,EAAE,EAAE,UAAU,CAAC,EAAE,CAAC;YAC3F,UAAU,CACN,oBAAoB,iBAAiB,gEAAgE,YAAY,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAC7M,CAAC;YACF,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,qBAAqB,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;QAC1F,CAAC;QAED,MAAM,kBAAkB,GAAG,kBAAkB,KAAK,UAAU,CAAC,gBAAgB,CAAC;QAC9E,MAAM,gBAAgB,GAAG,MAAM,2BAA2B,CACtD,kBAA6C,EAC7C,kBAAkB,EAClB,WAAW,EACX,kBAAkB,CACrB,CAAC;QAEF,IAAI,gBAAgB,CAAC,UAAU,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;YAC3D,OAAO,EAAE,UAAU,EAAE,gBAAgB,CAAC,UAAU,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;QACpF,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,qBAAqB,EAAE,kBAAkB,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QAE5F,MAAM,mBAAmB,GAAG,gBAAgB,KAAK,SAAS,IAAI,gBAAgB,KAAK,IAAI,IAAI,gBAAgB,KAAK,EAAE,CAAC;QACnH,MAAM,aAAa,GACf,UAAU,KAAK,SAAS;YACxB,UAAU,KAAK,IAAI;YACnB,UAAU,KAAK,EAAE;YACjB,CAAC,CAAC,UAAU,YAAY,MAAM,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC;QAE/D,IAAI,mBAAmB,KAAK,aAAa,EAAE,CAAC;YACxC,UAAU,CAAC,0EAA0E,CAAC,CAAC;YACvF,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;YAC3D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;QACvF,CAAC;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,MAAM,aAAa,GAAG,cAAc,CAChC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,UAAU,CACjH,CAAC;YAEF,IAAI,CAAC,4BAA4B,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,CAAC;gBAC5D,UAAU,CAAC,sCAAsC,CAAC,CAAC;gBACnD,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;gBAC3D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,uBAAuB,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;YAC5F,CAAC;YAED,MAAM,4BAA4B,CAAC,UAAU,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC;YACvF,MAAM,qBAAqB,CAAC,UAAU,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;YACzE,UAAU,CAAC,IAAI,CAAC,oBAAoB,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;YACvE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;QACxE,CAAC;aAAM,CAAC;YACJ,IAAI,gBAAgB,KAAK,KAAK,IAAI,gBAAgB,KAAK,KAAK,EAAE,CAAC;gBAC3D,UAAU,CAAC,wDAAwD,gBAAgB,EAAE,CAAC,CAAC;gBACvF,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;gBAC3D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;YACpF,CAAC;YACD,IAAI,gBAAgB,KAAK,KAAK,EAAE,CAAC;gBAC7B,UAAU,CAAC,qEAAqE,gBAAgB,EAAE,CAAC,CAAC;gBACpG,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;gBAC3D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;YACpF,CAAC;YAED,IAAI,aAAqC,CAAC;YAC1C,IAAI,cAAc,GAAG,UAAU,CAAC;YAEhC,IAAI,cAAc,YAAY,MAAM,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;gBACzE,IAAI,cAAc,YAAY,MAAM,EAAE,CAAC;oBACnC,MAAM,CAAC,gBAAgB,KAAK,KAAK,CAAC,CAAC;oBACnC,cAAc,GAAG,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACtD,CAAC;gBACD,aAAa,GAAG,0BAA0B,CAAC,cAAc,CAAC,CAAC;YAC/D,CAAC;YAED,IAAI,CAAC,aAAa,EAAE,CAAC;gBACjB,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;gBAC3D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;YACpF,CAAC;YAED,IAAI,CAAC,4BAA4B,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,CAAC;gBAC5D,UAAU,CAAC,sCAAsC,CAAC,CAAC;gBACnD,MAAM,UAAU,CAAC,sBAAsB,CAAC,gBAAgB,EAAE,CAAC;gBAC3D,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,uBAAuB,EAAE,oBAAoB,EAAE,KAAK,EAAE,CAAC;YAC5F,CAAC;YAED,MAAM,oBAAoB,CAAC,UAAU,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;YAC7F,MAAM,4BAA4B,CAAC,UAAU,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC;YACvF,MAAM,qBAAqB,CAAC,UAAU,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;YAEzE,UAAU,CAAC,IAAI,CAAC,oBAAoB,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC;YACvE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC;QACxE,CAAC;IACL,CAAC;YAAS,CAAC;QACP,UAAU,CAAC,mBAAmB,GAAG,KAAK,CAAC;IAC3C,CAAC;AACL,CAAC"}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
import type { CertificateManager } from "node-opcua-certificate-manager";
|
|
2
|
+
import { NodeId } from "node-opcua-nodeid";
|
|
3
|
+
import { type StatusCode } from "node-opcua-status-code";
|
|
4
|
+
import type { PushCertificateManagerInternalContext } from "./internal_context.js";
|
|
5
|
+
/**
|
|
6
|
+
* Find the name of a certificate group based on its NodeId.
|
|
7
|
+
* @param certificateGroupNodeId The NodeId of the certificate group
|
|
8
|
+
* @returns The name of the certificate group (e.g. "DefaultApplicationGroup") or empty string if not recognized
|
|
9
|
+
*/
|
|
10
|
+
export declare function findCertificateGroupName(certificateGroupNodeId: NodeId | string): string;
|
|
11
|
+
/**
|
|
12
|
+
* Validate that the certificate type matches the expected type from certificateTypeId
|
|
13
|
+
*
|
|
14
|
+
* @param certificate The certificate to validate
|
|
15
|
+
* @param certificateTypeId The NodeId of the expected certificate type
|
|
16
|
+
* @param allowedTypes The list of allowed certificate types for this group
|
|
17
|
+
* @param warningLog Function to log warnings
|
|
18
|
+
* @returns true if valid or if validation is not applicable
|
|
19
|
+
*/
|
|
20
|
+
export declare function validateCertificateType(certificate: Buffer, certificateTypeId: NodeId | string, allowedTypes: NodeId[], warningLog: (msg: string, ...args: unknown[]) => void): boolean;
|
|
21
|
+
export interface ResolvedGroupContext {
|
|
22
|
+
statusCode: StatusCode;
|
|
23
|
+
certificateManager?: CertificateManager;
|
|
24
|
+
allowedTypes?: NodeId[];
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Resolves the CertificateManager and its allowed types for a given certificate group
|
|
28
|
+
*/
|
|
29
|
+
export declare function resolveCertificateGroupContext(serverImpl: PushCertificateManagerInternalContext, certificateGroupId: NodeId | string): ResolvedGroupContext;
|
|
@@ -0,0 +1,117 @@
|
|
|
1
|
+
import { NodeId, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
|
|
2
|
+
import { StatusCodes } from "node-opcua-status-code";
|
|
3
|
+
import { eccCertificateTypesArray, rsaCertificateTypesArray } from "../../clientTools/certificate_types.js";
|
|
4
|
+
import { getCertificateKeyType } from "../../clientTools/get_certificate_key_type.js";
|
|
5
|
+
const defaultApplicationGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultApplicationGroup");
|
|
6
|
+
const defaultHttpsGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
|
|
7
|
+
const defaultUserTokenGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
|
|
8
|
+
/**
|
|
9
|
+
* Find the name of a certificate group based on its NodeId.
|
|
10
|
+
* @param certificateGroupNodeId The NodeId of the certificate group
|
|
11
|
+
* @returns The name of the certificate group (e.g. "DefaultApplicationGroup") or empty string if not recognized
|
|
12
|
+
*/
|
|
13
|
+
export function findCertificateGroupName(certificateGroupNodeId) {
|
|
14
|
+
// Convert string to NodeId if needed to check for null NodeId
|
|
15
|
+
let nodeId;
|
|
16
|
+
if (typeof certificateGroupNodeId === "string") {
|
|
17
|
+
try {
|
|
18
|
+
nodeId = resolveNodeId(certificateGroupNodeId);
|
|
19
|
+
}
|
|
20
|
+
catch {
|
|
21
|
+
// Invalid NodeId string - treat as literal group name
|
|
22
|
+
return certificateGroupNodeId;
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
else {
|
|
26
|
+
nodeId = certificateGroupNodeId;
|
|
27
|
+
}
|
|
28
|
+
// Check if it's null NodeId or DefaultApplicationGroup
|
|
29
|
+
if (sameNodeId(nodeId, NodeId.nullNodeId) || sameNodeId(nodeId, defaultApplicationGroup)) {
|
|
30
|
+
return "DefaultApplicationGroup";
|
|
31
|
+
}
|
|
32
|
+
if (sameNodeId(nodeId, defaultHttpsGroup)) {
|
|
33
|
+
return "DefaultHttpsGroup";
|
|
34
|
+
}
|
|
35
|
+
if (sameNodeId(nodeId, defaultUserTokenGroup)) {
|
|
36
|
+
return "DefaultUserTokenGroup";
|
|
37
|
+
}
|
|
38
|
+
// If it's a valid NodeId but not recognized, return empty string
|
|
39
|
+
// If it was originally a string (and not a standard group), return the string as group name
|
|
40
|
+
return typeof certificateGroupNodeId === "string" ? certificateGroupNodeId : "";
|
|
41
|
+
}
|
|
42
|
+
/**
|
|
43
|
+
* Validate that the certificate type matches the expected type from certificateTypeId
|
|
44
|
+
*
|
|
45
|
+
* @param certificate The certificate to validate
|
|
46
|
+
* @param certificateTypeId The NodeId of the expected certificate type
|
|
47
|
+
* @param allowedTypes The list of allowed certificate types for this group
|
|
48
|
+
* @param warningLog Function to log warnings
|
|
49
|
+
* @returns true if valid or if validation is not applicable
|
|
50
|
+
*/
|
|
51
|
+
export function validateCertificateType(certificate, certificateTypeId, allowedTypes, warningLog) {
|
|
52
|
+
// If certificateTypeId is null or not specified, skip validation
|
|
53
|
+
if (!certificateTypeId || (certificateTypeId instanceof NodeId && sameNodeId(certificateTypeId, NodeId.nullNodeId))) {
|
|
54
|
+
return true;
|
|
55
|
+
}
|
|
56
|
+
const keyType = getCertificateKeyType(certificate);
|
|
57
|
+
if (!keyType) {
|
|
58
|
+
// If we can't determine the key type, allow it (backward compatibility)
|
|
59
|
+
return true;
|
|
60
|
+
}
|
|
61
|
+
// Convert to NodeId if string
|
|
62
|
+
let typeNodeId;
|
|
63
|
+
if (typeof certificateTypeId === "string") {
|
|
64
|
+
try {
|
|
65
|
+
typeNodeId = resolveNodeId(certificateTypeId);
|
|
66
|
+
}
|
|
67
|
+
catch {
|
|
68
|
+
// Invalid NodeId string, skip validation
|
|
69
|
+
return true;
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
else {
|
|
73
|
+
typeNodeId = certificateTypeId;
|
|
74
|
+
}
|
|
75
|
+
// Check again after conversion - empty string becomes null NodeId
|
|
76
|
+
if (sameNodeId(typeNodeId, NodeId.nullNodeId)) {
|
|
77
|
+
return true;
|
|
78
|
+
}
|
|
79
|
+
// Check if the certificateTypeId is in the list of allowed types for this group
|
|
80
|
+
const isAllowed = allowedTypes.some((t) => sameNodeId(t, typeNodeId));
|
|
81
|
+
if (!isAllowed) {
|
|
82
|
+
warningLog("Certificate typeId is not in the allowed types for this certificate group:", certificateTypeId);
|
|
83
|
+
return false;
|
|
84
|
+
}
|
|
85
|
+
// Additional validation: check if the certificate's actual key type matches the declared type
|
|
86
|
+
const isRsaType = rsaCertificateTypesArray.some((t) => sameNodeId(t, typeNodeId));
|
|
87
|
+
const isEccType = eccCertificateTypesArray.some((t) => sameNodeId(t, typeNodeId));
|
|
88
|
+
if (keyType === "RSA" && !isRsaType) {
|
|
89
|
+
warningLog("Certificate has RSA key but certificateTypeId is not an RSA type:", certificateTypeId);
|
|
90
|
+
return false;
|
|
91
|
+
}
|
|
92
|
+
if (keyType === "ECC" && !isEccType) {
|
|
93
|
+
warningLog("Certificate has ECC key but certificateTypeId is not an ECC type:", certificateTypeId);
|
|
94
|
+
return false;
|
|
95
|
+
}
|
|
96
|
+
return true;
|
|
97
|
+
}
|
|
98
|
+
/**
|
|
99
|
+
* Resolves the CertificateManager and its allowed types for a given certificate group
|
|
100
|
+
*/
|
|
101
|
+
export function resolveCertificateGroupContext(serverImpl, certificateGroupId) {
|
|
102
|
+
const groupName = findCertificateGroupName(certificateGroupId);
|
|
103
|
+
if (!groupName) {
|
|
104
|
+
return { statusCode: StatusCodes.BadInvalidArgument };
|
|
105
|
+
}
|
|
106
|
+
const certificateManager = serverImpl.getCertificateManager(groupName);
|
|
107
|
+
if (!certificateManager) {
|
|
108
|
+
return { statusCode: StatusCodes.BadInvalidArgument };
|
|
109
|
+
}
|
|
110
|
+
const allowedTypes = serverImpl.getCertificateTypes(groupName);
|
|
111
|
+
return {
|
|
112
|
+
statusCode: StatusCodes.Good,
|
|
113
|
+
certificateManager,
|
|
114
|
+
allowedTypes
|
|
115
|
+
};
|
|
116
|
+
}
|
|
117
|
+
//# sourceMappingURL=util.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"util.js","sourceRoot":"","sources":["../../../source/server/push_certificate_manager/util.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAmB,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,wCAAwC,CAAC;AAC5G,OAAO,EAAE,qBAAqB,EAAE,MAAM,+CAA+C,CAAC;AAGtF,MAAM,uBAAuB,GAAG,aAAa,CAAC,+DAA+D,CAAC,CAAC;AAC/G,MAAM,iBAAiB,GAAG,aAAa,CAAC,yDAAyD,CAAC,CAAC;AACnG,MAAM,qBAAqB,GAAG,aAAa,CAAC,6DAA6D,CAAC,CAAC;AAE3G;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,sBAAuC;IAC5E,8DAA8D;IAC9D,IAAI,MAAc,CAAC;IACnB,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;QAC7C,IAAI,CAAC;YACD,MAAM,GAAG,aAAa,CAAC,sBAAsB,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACL,sDAAsD;YACtD,OAAO,sBAAsB,CAAC;QAClC,CAAC;IACL,CAAC;SAAM,CAAC;QACJ,MAAM,GAAG,sBAAsB,CAAC;IACpC,CAAC;IAED,uDAAuD;IACvD,IAAI,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,CAAC;QACvF,OAAO,yBAAyB,CAAC;IACrC,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACxC,OAAO,mBAAmB,CAAC;IAC/B,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,CAAC;QAC5C,OAAO,uBAAuB,CAAC;IACnC,CAAC;IAED,iEAAiE;IACjE,4FAA4F;IAC5F,OAAO,OAAO,sBAAsB,KAAK,QAAQ,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE,CAAC;AACpF,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB,CACnC,WAAmB,EACnB,iBAAkC,EAClC,YAAsB,EACtB,UAAqD;IAErD,iEAAiE;IACjE,IAAI,CAAC,iBAAiB,IAAI,CAAC,iBAAiB,YAAY,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;QAClH,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,MAAM,OAAO,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,CAAC,OAAO,EAAE,CAAC;QACX,wEAAwE;QACxE,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,8BAA8B;IAC9B,IAAI,UAAkB,CAAC;IACvB,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;QACxC,IAAI,CAAC;YACD,UAAU,GAAG,aAAa,CAAC,iBAAiB,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACL,yCAAyC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;SAAM,CAAC;QACJ,UAAU,GAAG,iBAAiB,CAAC;IACnC,CAAC;IAED,kEAAkE;IAClE,IAAI,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,gFAAgF;IAChF,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IAEtE,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,UAAU,CAAC,4EAA4E,EAAE,iBAAiB,CAAC,CAAC;QAC5G,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,8FAA8F;IAC9F,MAAM,SAAS,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IAClF,MAAM,SAAS,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IAElF,IAAI,OAAO,KAAK,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QAClC,UAAU,CAAC,mEAAmE,EAAE,iBAAiB,CAAC,CAAC;QACnG,OAAO,KAAK,CAAC;IACjB,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QAClC,UAAU,CAAC,mEAAmE,EAAE,iBAAiB,CAAC,CAAC;QACnG,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC;AAQD;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC1C,UAAiD,EACjD,kBAAmC;IAEnC,MAAM,SAAS,GAAG,wBAAwB,CAAC,kBAAkB,CAAC,CAAC;IAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,kBAAkB,GAAG,UAAU,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACvE,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACtB,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,kBAAkB,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAE/D,OAAO;QACH,UAAU,EAAE,WAAW,CAAC,IAAI;QAC5B,kBAAkB;QAClB,YAAY;KACf,CAAC;AACN,CAAC"}
|
|
@@ -1,4 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
1
|
+
/**
|
|
2
|
+
* @module node-opcua-server-configuration
|
|
3
|
+
*/
|
|
4
|
+
import { type AddressSpace, type UACertificateGroup } from "node-opcua-address-space";
|
|
5
|
+
import { type PushCertificateManagerServerOptions } from "./push_certificate_manager_server_impl.js";
|
|
3
6
|
export declare function promoteCertificateGroup(certificateGroup: UACertificateGroup): Promise<void>;
|
|
4
7
|
export declare function installPushCertificateManagement(addressSpace: AddressSpace, options: PushCertificateManagerServerOptions): Promise<void>;
|