node-opcua-server-configuration 2.163.1 → 2.165.0

package/source/clientTools/push_certificate_management_client.ts

@@ -1,27 +1,26 @@
 /**
  * @module node-opcua-server-configuration.client
  */
-import { ByteString } from "node-opcua-basic-types";
-import { NodeId, resolveNodeId } from "node-opcua-nodeid";
-import { CallMethodRequestLike, IBasicSessionAsync } from "node-opcua-pseudo-session";
-import { StatusCode, StatusCodes } from "node-opcua-status-code";
-import { DataType, VariantArrayType, VariantLike } from "node-opcua-variant";
+import type { ByteString } from "node-opcua-basic-types";
+import { BinaryStream } from "node-opcua-binary-stream";
+import type { Certificate } from "node-opcua-crypto/web";
+import { AttributeIds, coerceQualifiedName, type QualifiedNameLike } from "node-opcua-data-model";
 import { ClientFile, OpenFileMode } from "node-opcua-file-transfer";
-import { AttributeIds, QualifiedNameLike, coerceQualifiedName } from "node-opcua-data-model";
+import { NodeId, resolveNodeId } from "node-opcua-nodeid";
+import type { CallMethodRequestLike, IBasicSessionAsync } from "node-opcua-pseudo-session";
 import { makeBrowsePath } from "node-opcua-service-translate-browse-path";
-import { Certificate } from "node-opcua-crypto/web";
+import { type StatusCode, StatusCodes } from "node-opcua-status-code";
 import { TrustListDataType } from "node-opcua-types";
-import { BinaryStream } from "node-opcua-binary-stream";
+import { DataType, VariantArrayType, type VariantLike } from "node-opcua-variant";
 
-import {
+import type {
     CreateSigningRequestResult,
     GetRejectedListResult,
     PushCertificateManager,
     UpdateCertificateResult
-} from "../push_certificate_manager";
-
-import { ITrustList } from "../trust_list";
-import { TrustListMasks } from "../server/trust_list_server";
+} from "../push_certificate_manager.js";
+import type { TrustListMasks } from "../server/trust_list_server.js";
+import type { ITrustList } from "../trust_list.js";
 
 const serverConfigurationNodeId = resolveNodeId("ServerConfiguration");
 const createSigningRequestMethod = resolveNodeId("ServerConfiguration_CreateSigningRequest");
@@ -34,7 +33,6 @@ const defaultApplicationGroup = resolveNodeId("ServerConfiguration_CertificateGr
 const defaultHttpsGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
 const defaultUserTokenGroup = resolveNodeId("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
 
-
 function findCertificateGroupNodeId(certificateGroup: NodeId | string): NodeId {
     if (certificateGroup instanceof NodeId) {
         return certificateGroup;
@@ -64,7 +62,10 @@ export class TrustListClient extends ClientFile implements ITrustList {
     private removeCertificateNodeId?: NodeId;
     private openWithMasksNodeId?: NodeId;
 
-    constructor(session: IBasicSessionAsync, public nodeId: NodeId) {
+    constructor(
+        session: IBasicSessionAsync,
+        public nodeId: NodeId
+    ) {
         super(session, nodeId);
     }
     /**
@@ -78,12 +79,12 @@ export class TrustListClient extends ClientFile implements ITrustList {
             makeBrowsePath(this.nodeId, "/OpenWithMasks") // OpenWithMasks Mandatory
         ]);
 
-        this.closeAndUpdateNodeId = browseResults[0].targets![0].targetId;
-        this.addCertificateNodeId = browseResults[1].targets![0].targetId;
-        this.removeCertificateNodeId = browseResults[2].targets![0].targetId;
-        this.openWithMasksNodeId = browseResults[3].targets![0].targetId;
+        this.closeAndUpdateNodeId = browseResults[0].targets?.[0].targetId;
+        this.addCertificateNodeId = browseResults[1].targets?.[0].targetId;
+        this.removeCertificateNodeId = browseResults[2].targets?.[0].targetId;
+        this.openWithMasksNodeId = browseResults[3].targets?.[0].targetId;
 
-        // istanbul ignore next
+        // c8 ignore next
         if (!this.openWithMasksNodeId || this.openWithMasksNodeId.isEmpty()) {
             throw new Error("Cannot find mandatory method OpenWithMask on object");
         }
@@ -95,12 +96,12 @@ export class TrustListClient extends ClientFile implements ITrustList {
     }
 
     async openWithMasks(trustListMask: TrustListMasks): Promise<number> {
-        // istanbul ignore next
+        // c8 ignore next
         if (this.fileHandle) {
             throw new Error("File has already be opened");
         }
         await this.ensureInitialized();
-        // istanbul ignore next
+        // c8 ignore next
         if (!this.openWithMasksNodeId) {
             throw new Error("OpenWithMasks doesn't exist");
         }
@@ -114,11 +115,11 @@ export class TrustListClient extends ClientFile implements ITrustList {
         if (callMethodResult.statusCode.isNotGood()) {
             throw new Error(callMethodResult.statusCode.name);
         }
-        this.fileHandle = callMethodResult.outputArguments![0].value as number;
+        this.fileHandle = callMethodResult.outputArguments?.[0].value as number;
         return this.fileHandle;
     }
 
-    async closeAndUpdate(applyChangesRequired: boolean): Promise<boolean> {
+    async closeAndUpdate(): Promise<boolean> {
         if (!this.fileHandle) {
             throw new Error("File has node been opened yet");
         }
@@ -126,10 +127,7 @@ export class TrustListClient extends ClientFile implements ITrustList {
         if (!this.closeAndUpdateNodeId) {
             throw new Error("CloseAndUpdateMethod doesn't exist");
         }
-        const inputArguments = [
-            { dataType: DataType.UInt32, value: this.fileHandle },
-            { dataType: DataType.Boolean, value: !!applyChangesRequired }
-        ];
+        const inputArguments = [{ dataType: DataType.UInt32, value: this.fileHandle }];
         const methodToCall: CallMethodRequestLike = {
             inputArguments,
             methodId: this.closeAndUpdateNodeId,
@@ -139,7 +137,8 @@ export class TrustListClient extends ClientFile implements ITrustList {
         if (callMethodResult.statusCode.isNotGood()) {
             throw new Error(callMethodResult.statusCode.name);
         }
-        return callMethodResult.outputArguments![0].value as boolean;
+        this.fileHandle = 0;
+        return callMethodResult.outputArguments?.[0].value as boolean;
     }
 
     async addCertificate(certificate: Certificate, isTrustedCertificate: boolean): Promise<StatusCode> {
@@ -200,21 +199,25 @@ export class TrustListClient extends ClientFile implements ITrustList {
     }
 
     async writeTrustedCertificateList(trustedList: TrustListDataType): Promise<boolean> {
-        await this.open(OpenFileMode.Write);
+        await this.open(OpenFileMode.WriteEraseExisting);
         const s = trustedList.binaryStoreSize();
         const stream = new BinaryStream(s);
         trustedList.encode(stream);
-        return await this.closeAndUpdate(true);
+        await this.write(stream.buffer);
+        return await this.closeAndUpdate();
     }
 }
 export class CertificateGroup {
-    constructor(public session: IBasicSessionAsync, public nodeId: NodeId) {}
+    constructor(
+        public session: IBasicSessionAsync,
+        public nodeId: NodeId
+    ) {}
     async getCertificateTypes(): Promise<NodeId[]> {
         const browsePathResult = await this.session.translateBrowsePath(makeBrowsePath(this.nodeId, "/CertificateTypes"));
         if (browsePathResult.statusCode.isNotGood()) {
             throw new Error(browsePathResult.statusCode.name);
         }
-        const certificateTypesNodeId = browsePathResult.targets![0].targetId;
+        const certificateTypesNodeId = browsePathResult.targets?.[0].targetId;
         const dataValue = await this.session.read({ nodeId: certificateTypesNodeId, attributeId: AttributeIds.Value });
         if (dataValue.statusCode.isNotGood()) {
             throw new Error(browsePathResult.statusCode.name);
@@ -226,7 +229,10 @@ export class CertificateGroup {
         if (browsePathResult.statusCode.isNotGood()) {
             throw new Error(browsePathResult.statusCode.name);
         }
-        const trustListNodeId = browsePathResult.targets![0].targetId;
+        const trustListNodeId = browsePathResult.targets?.[0].targetId;
+        if (!trustListNodeId) {
+            throw new Error("TrustList node not found");
+        }
         return new TrustListClient(this.session, trustListNodeId);
     }
 }
@@ -302,7 +308,7 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
 
         if (callMethodResult.statusCode.isGood()) {
             return {
-                certificateSigningRequest: callMethodResult.outputArguments![0].value,
+                certificateSigningRequest: callMethodResult.outputArguments?.[0].value,
                 statusCode: callMethodResult.statusCode
             };
         } else {
@@ -330,11 +336,11 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         };
         const callMethodResult = await this.session.call(methodToCall);
         if (callMethodResult.statusCode.isGood()) {
-            if (callMethodResult.outputArguments![0].dataType !== DataType.ByteString) {
+            if (callMethodResult.outputArguments?.[0].dataType !== DataType.ByteString) {
                 return { statusCode: StatusCodes.BadInvalidArgument };
             }
             return {
-                certificates: callMethodResult.outputArguments![0].value,
+                certificates: callMethodResult.outputArguments?.[0].value,
                 statusCode: callMethodResult.statusCode
             };
         } else {
@@ -422,22 +428,21 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         };
         const callMethodResult = await this.session.call(methodToCall);
         if (callMethodResult.statusCode.isGood()) {
-            if (!callMethodResult.outputArguments || callMethodResult.outputArguments!.length !== 1) {
+            if (!callMethodResult.outputArguments || callMethodResult.outputArguments.length !== 1) {
                 return {
                     statusCode: StatusCodes.BadInternalError,
-                    applyChangesRequired: false,
+                    applyChangesRequired: false
                 };
                 // throw Error("Internal Error, expecting 1 output result");
             }
             return {
-                applyChangesRequired: !!callMethodResult.outputArguments![0].value,
+                applyChangesRequired: !!callMethodResult.outputArguments?.[0].value,
                 statusCode: callMethodResult.statusCode
             };
         } else {
-            return { 
+            return {
                 statusCode: callMethodResult.statusCode,
                 applyChangesRequired: false
-
             };
         }
     }
@@ -471,7 +476,7 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         };
         const callMethodResult = await this.session.call(methodToCall);
 
-        if (callMethodResult.outputArguments && callMethodResult.outputArguments.length) {
+        if (callMethodResult.outputArguments?.length) {
             throw new Error("Invalid  output arguments");
         }
         return callMethodResult.statusCode;
@@ -507,7 +512,7 @@ export class ClientPushCertificateManagement implements PushCertificateManager {
         if (browseName.toString() === "DefaultUserTokenGroup") {
             return new CertificateGroup(this.session, defaultUserTokenGroup);
         }
-        // istanbul ignore next
+        // c8 ignore next
         throw new Error("Not Implemented yet");
     }
     public async getApplicationGroup(): Promise<CertificateGroup> {

package/source/index.ts

@@ -2,11 +2,13 @@
  * @module node-opcua-server-configuration
  */
 // export * from "./trust_list_impl";
-export * from "./push_certificate_manager";
-export * from "./clientTools/push_certificate_management_client";
-export * from "./standard_certificate_types";
 
-export * from "./server/install_push_certitifate_management";
-export * from "./server/push_certificate_manager_server_impl";
-export * from "./server/push_certificate_manager_helpers";
-export * from "./server/promote_trust_list";
+export * from "./clientTools/certificate_types.js";
+export * from "./clientTools/push_certificate_management_client.js";
+export * from "./push_certificate_manager.js";
+export * from "./server/install_push_certitifate_management.js";
+export * from "./server/promote_trust_list.js";
+export * from "./server/push_certificate_manager/subject_to_string.js";
+export * from "./server/push_certificate_manager_helpers.js";
+export * from "./server/push_certificate_manager_server_impl.js";
+export * from "./standard_certificate_types.js";

package/source/push_certificate_manager.ts

@@ -1,9 +1,10 @@
 /**
  * @module node-opcua-server-configuration
  */
-import { ByteString, UAString } from "node-opcua-basic-types";
-import { NodeId } from "node-opcua-nodeid";
-import { StatusCode } from "node-opcua-status-code";
+import type { ISessionContext } from "node-opcua-address-space-base";
+import type { ByteString, UAString } from "node-opcua-basic-types";
+import type { NodeId } from "node-opcua-nodeid";
+import type { StatusCode } from "node-opcua-status-code";
 
 export interface CreateSigningRequestResult {
     statusCode: StatusCode;
@@ -21,7 +22,6 @@ export interface UpdateCertificateResult {
 }
 
 export interface PushCertificateManager {
-
     /**
      * The SupportedPrivateKeyFormats specifies the private key formats supported by the Server.
      * Possible values include “PEM” (see RFC 5958) or “PFX” (see PKCS #12). The array is empty
@@ -65,12 +65,12 @@ export interface PushCertificateManager {
      *
      */
     updateCertificate(
-      certificateGroupId: NodeId | string,
-      certificateTypeId: NodeId | string,
-      certificate: ByteString,
-      issuerCertificates: ByteString[],
-      privateKeyFormat: UAString,
-      privateKey: ByteString
+        certificateGroupId: NodeId | string,
+        certificateTypeId: NodeId | string,
+        certificate: ByteString,
+        issuerCertificates: ByteString[],
+        privateKeyFormat?: UAString,
+        privateKey?: ByteString
     ): Promise<UpdateCertificateResult>;
 
     /**
@@ -102,7 +102,7 @@ export interface PushCertificateManager {
      * Result Code               Description
      * Bad_UserAccessDenied      The current user does not have the rights required.
      */
-    applyChanges(): Promise<StatusCode>;
+    applyChanges(context?: ISessionContext): Promise<StatusCode>;
 
     /**
      * The CreateSigningRequest Method asks the Server to create a PKCS #10 encoded Certificate
@@ -136,11 +136,11 @@ export interface PushCertificateManager {
      * Bad_UserAccessDenied          The current user does not have the rights required.
      */
     createSigningRequest(
-      certificateGroupId: NodeId | string,
-      certificateTypeId: NodeId | string,
-      subjectName: string | null,
-      regeneratePrivateKey?: boolean,
-      nonce?: ByteString
+        certificateGroupId: NodeId | string,
+        certificateTypeId: NodeId | string,
+        subjectName: string | null,
+        regeneratePrivateKey?: boolean,
+        nonce?: ByteString
     ): Promise<CreateSigningRequestResult>;
 
     /**
@@ -159,6 +159,5 @@ export interface PushCertificateManager {
      *  Bad_UserAccessDenied  The current user does not have the rights required
      */
 
-    getRejectedList(): Promise</*certificates*/GetRejectedListResult>;
-
+    getRejectedList(): Promise</*certificates*/ GetRejectedListResult>;
 }

package/source/server/certificate_validation.ts

@@ -0,0 +1,103 @@
+/**
+ * @module node-opcua-server-configuration-server
+ */
+import type { ByteString } from "node-opcua-basic-types";
+import type { OPCUACertificateManager } from "node-opcua-certificate-manager";
+import { type CertificateInternals, exploreCertificate, verifyCertificateChain } from "node-opcua-crypto/web";
+import { make_errorLog, make_warningLog } from "node-opcua-debug";
+import { type StatusCode, StatusCodes } from "node-opcua-status-code";
+
+const warningLog = make_warningLog("ServerConfiguration");
+const errorLog = make_errorLog("ServerConfiguration");
+
+/**
+ * Validates the certificate and its issuer chain, including parsing, date validity,
+ * chain verification, and trust verification.
+ * @returns Object with statusCode. If Good, also contains the concatenated certificateChain.
+ */
+export async function validateCertificateAndChain(
+    certificateManager: OPCUACertificateManager,
+    isApplicationGroup: boolean,
+    certificate: Buffer,
+    issuerCertificates: ByteString[] | null | undefined
+): Promise<{ statusCode: StatusCode; certificateChain?: Buffer }> {
+    let certInfo: CertificateInternals;
+    try {
+        certInfo = exploreCertificate(certificate);
+    } catch (err) {
+        errorLog("Cannot parse certificate:", (err as Error).message);
+        return { statusCode: StatusCodes.BadCertificateInvalid };
+    }
+
+    const issuerCertBuffers = (issuerCertificates || []).filter((cert): cert is Buffer => {
+        return Buffer.isBuffer(cert) && cert.length > 0;
+    });
+
+    if ((issuerCertificates || []).length !== issuerCertBuffers.length) {
+        warningLog("issuerCertificates contains invalid entries");
+        return { statusCode: StatusCodes.BadCertificateInvalid };
+    }
+
+    for (const issuerCert of issuerCertBuffers) {
+        try {
+            const issuerInfo = exploreCertificate(issuerCert);
+            const nowIssuer = new Date();
+            if (issuerInfo.tbsCertificate.validity.notBefore.getTime() > nowIssuer.getTime()) {
+                warningLog("Issuer certificate is not yet valid");
+                return { statusCode: StatusCodes.BadSecurityChecksFailed };
+            }
+            if (issuerInfo.tbsCertificate.validity.notAfter.getTime() < nowIssuer.getTime()) {
+                warningLog("Issuer certificate is out of date");
+                return { statusCode: StatusCodes.BadSecurityChecksFailed };
+            }
+        } catch (err) {
+            errorLog("Cannot parse issuer certificate:", (err as Error).message);
+            return { statusCode: StatusCodes.BadCertificateInvalid };
+        }
+    }
+
+    if (issuerCertBuffers.length > 0) {
+        const chainCheck = await verifyCertificateChain([certificate, ...issuerCertBuffers]);
+        if (chainCheck.status !== "Good") {
+            warningLog("Issuer chain validation failed:", chainCheck.status, chainCheck.reason);
+            return { statusCode: StatusCodes.BadSecurityChecksFailed };
+        }
+    }
+
+    const certificateChain = Buffer.concat([certificate, ...issuerCertBuffers]);
+
+    // Trust validation is only relevant for client certificates, not the server's own certificate
+    if (!isApplicationGroup) {
+        if (certificateManager.verifyCertificate) {
+            const status = await certificateManager.verifyCertificate(certificateChain, {
+                acceptCertificateWithValidIssuerChain: true
+            });
+            if (status !== "Good") {
+                warningLog("Certificate trust validation failed:", status);
+                return { statusCode: StatusCodes.BadSecurityChecksFailed };
+            }
+        }
+    }
+
+    const now = new Date();
+    if (certInfo.tbsCertificate.validity.notBefore.getTime() > now.getTime()) {
+        warningLog(
+            "Certificate is not yet valid : not before ",
+            certInfo.tbsCertificate.validity.notBefore.toISOString(),
+            "now = ",
+            now.toISOString()
+        );
+        return { statusCode: StatusCodes.BadSecurityChecksFailed };
+    }
+    if (certInfo.tbsCertificate.validity.notAfter.getTime() < now.getTime()) {
+        warningLog(
+            "Certificate is already out of date : not after ",
+            certInfo.tbsCertificate.validity.notAfter.toISOString(),
+            "now = ",
+            now.toISOString()
+        );
+        return { statusCode: StatusCodes.BadSecurityChecksFailed };
+    }
+
+    return { statusCode: StatusCodes.Good, certificateChain };
+}