node-opcua-server-configuration 2.167.0 → 2.169.0

package/source/server/promote_trust_list.ts

@@ -2,6 +2,9 @@
  * @module node-opcua-server-configuration
  */
 
+import fs from "node:fs";
+import path from "node:path";
+
 import { fs as MemFs } from "memfs";
 
 import type {
@@ -25,11 +28,10 @@ import { VerificationStatus } from "node-opcua-pki";
 import { type CallbackT, type StatusCode, StatusCodes } from "node-opcua-status-code";
 import { type CallMethodResultOptions, TrustListDataType } from "node-opcua-types";
 import { DataType, Variant } from "node-opcua-variant";
+import type { PushCertificateManagerServerImpl } from "./push_certificate_manager_server_impl.js";
 import { rolePermissionAdminOnly } from "./roles_and_permissions.js";
-
 import { hasEncryptedChannel, hasExpectedUserAccess } from "./tools.js";
 import { TrustListMasks, writeTrustList } from "./trust_list_server.js";
-import type { PushCertificateManagerServerImpl } from "./push_certificate_manager_server_impl.js";
 
 const debugLog = make_debugLog("ServerConfiguration");
 const doDebug = checkDebugFlag("ServerConfiguration");
@@ -46,13 +48,14 @@ function emitTrustListUpdated(trustList: UATrustList): void {
         const certificateGroup = trustList.parent;
         const groupName = certificateGroup?.browseName?.name ?? "Unknown";
 
-        const serverConfiguration = trustList.addressSpace.rootFolder
-            .objects.server.getChildByName("ServerConfiguration");
+        const serverConfiguration = trustList.addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
         if (!serverConfiguration) return;
 
-        const pushManager = (serverConfiguration as unknown as {
-            $pushCertificateManager?: PushCertificateManagerServerImpl;
-        }).$pushCertificateManager;
+        const pushManager = (
+            serverConfiguration as unknown as {
+                $pushCertificateManager?: PushCertificateManagerServerImpl;
+            }
+        ).$pushCertificateManager;
 
         if (pushManager) {
             pushManager.emit("trustListUpdated", groupName);
@@ -97,6 +100,151 @@ function updateLastUpdateTime(trustList: UATrustList): void {
     }
 }
 
+/**
+ * Scan the PKI store folders (trusted/certs, trusted/crl, issuers/certs,
+ * issuers/crl) and return the most recent modification time across all
+ * files. Returns null if no files are found.
+ *
+ * Uses async fs.promises to avoid blocking the event loop on startup
+ * when PKI directories are large or on slow filesystems.
+ */
+async function getNewestMtimeFromPkiStore(
+    cm: OPCUACertificateManager,
+    isAborted?: () => boolean
+): Promise<Date | null> {
+    const dirs = [cm.trustedFolder, cm.crlFolder, cm.issuersCertFolder, cm.issuersCrlFolder];
+    let newest: Date | null = null;
+    
+    for (const dir of dirs) {
+        if (isAborted?.()) break;
+
+        try {
+            await fs.promises.access(dir);
+        } catch {
+            continue;
+        }
+        let entries: string[];
+        try {
+            entries = await fs.promises.readdir(dir);
+        } catch {
+            continue;
+        }
+        
+        // Process stats sequentially to avoid threadpool exhaustion
+        // and event-loop lag when directories have thousands of files.
+        for (const entry of entries) {
+            if (isAborted?.()) return null;
+            try {
+                const stat = await fs.promises.stat(path.join(dir, entry));
+                if (stat.isFile() && (!newest || stat.mtime > newest)) {
+                    newest = stat.mtime;
+                }
+            } catch {
+                // skip unreadable entries
+            }
+        }
+    }
+    return newest;
+}
+
+/**
+ * Initialize the LastUpdateTime property from the PKI store's
+ * filesystem timestamps. This avoids displaying MinDate
+ * (0001-01-01T00:00:00Z) when the trust store already contains
+ * certificates or CRLs (e.g. populated by selfOnboard or addIssuer).
+ *
+ * Also subscribes to the CertificateManager's filesystem watcher
+ * events (certificateAdded, certificateRemoved, certificateChange,
+ * crlAdded, crlRemoved) so that LastUpdateTime stays current even
+ * when the trust store is modified externally (e.g. manual file
+ * copy, programmatic addIssuer/trustCertificate calls).
+ *
+ * Listeners are installed at most once per TrustList node
+ * (guarded by $$listenersInstalled) and are removed via
+ * addressSpace.registerShutdownTask to prevent leaks.
+ */
+async function _initializeLastUpdateTimeFromFilesystem(trustList: UATrustListEx): Promise<void> {
+    const cm = trustList.$$certificateManager;
+    if (!cm) return;
+
+    if (trustList.$$initaliseMTimePromise) {
+        return await trustList.$$initaliseMTimePromise;
+    }
+
+    trustList.$$initaliseMTimePromise = (async () => {
+        const startTime = Date.now();
+        let isAborted = false;
+        
+        // Note: Removed abortHandler from registerShutdownTask because AddressSpace 
+        // does not have an unregister mechanism, which causes `_shutdownTasks` to leak 
+        // continuously if promoteTrustList is called multiple times.
+        // Sequential scanning is fast enough that it won't block shutdown significantly.
+
+        try {
+            const lastUpdateTimeNode = trustList.lastUpdateTime;
+            if (!lastUpdateTimeNode) return;
+
+            // Seed the initial timestamp from the filesystem only when
+            // the current value is still unset (MinDate).  The event
+            // listeners below must always be installed regardless, so we
+            // must NOT return early here.
+            const currentValue = lastUpdateTimeNode.readValue().value.value as Date | undefined;
+            if (!currentValue || currentValue.getTime() <= 0) {
+                const newest = await getNewestMtimeFromPkiStore(cm, () => isAborted);
+                if (isAborted) {
+                    console.log(`[node-opcua] _initializeLastUpdateTimeFromFilesystem aborted for ${trustList.browseName.toString()}`);
+                    return;
+                }
+                if (newest) {
+                    lastUpdateTimeNode.setValueFromSource({
+                        dataType: DataType.DateTime,
+                        value: newest
+                    });
+                    doDebug && debugLog("Initialized LastUpdateTime from filesystem:", newest.toISOString());
+                }
+            }
+
+            // Guard: install listeners at most once per TrustList node
+            // to prevent duplicate handler invocation on re-promotion.
+            if (trustList.$$listenersInstalled) {
+                return;
+            }
+            trustList.$$listenersInstalled = true;
+
+            // Subscribe to CertificateManager filesystem watcher events
+            // so LastUpdateTime stays current when the store is modified
+            // outside of OPC UA methods (e.g. addIssuer, trustCertificate,
+            // or manual file operations).
+            const _updateNow = () => {
+                updateLastUpdateTime(trustList);
+            };
+
+            const events = ["certificateAdded", "certificateRemoved", "certificateChange", "crlAdded", "crlRemoved"] as const;
+            for (const event of events) {
+                cm.on(event, _updateNow);
+            }
+
+            // Clean up listeners when the address space shuts down
+            // to avoid MaxListenersExceededWarning and memory leaks.
+            // Guard: addressSpace may be null if dispose() was called
+            // concurrently (e.g. fast test teardown).
+            if (trustList.addressSpace) {
+                trustList.addressSpace.registerShutdownTask(() => {
+                    for (const event of events) {
+                        cm.removeListener(event, _updateNow);
+                    }
+                    trustList.$$listenersInstalled = false;
+                });
+            }
+
+            console.log(`[node-opcua] _initializeLastUpdateTimeFromFilesystem took ${Date.now() - startTime}ms for ${trustList.browseName.toString()}`);
+        } finally {
+            trustList.$$initaliseMTimePromise = undefined;
+        }
+    })();
+    return await trustList.$$initaliseMTimePromise;
+}
+
 interface UAMethodEx extends UAMethod {
     _asyncExecutionFunction?: MethodFunctor;
 }
@@ -104,6 +252,8 @@ interface UATrustListEx extends UATrustList {
     $$certificateManager: OPCUACertificateManager;
     $$filename: string;
     $$openedForWrite: boolean;
+    $$listenersInstalled: boolean;
+    $$initaliseMTimePromise?: Promise<void>;
 }
 
 async function applyTrustListChanges(cm: OPCUACertificateManager, trustListData: TrustListDataType): Promise<StatusCode> {
@@ -445,10 +595,18 @@ async function _removeCertificate(
 let counter = 0;
 
 export async function promoteTrustList(trustList: UATrustList) {
+    const trustListEx = trustList as UATrustListEx & { $$promoted?: boolean };
+    
+    // Prevent double-binding if called multiple times testing
+    if (trustListEx.$$promoted) {
+        await _initializeLastUpdateTimeFromFilesystem(trustListEx);
+        return;
+    }
+    trustListEx.$$promoted = true;
+
     const filename = `/tmpFile${counter}`;
     counter += 1;
 
-    const trustListEx = trustList as UATrustListEx;
     // Store filename for use in _closeAndUpdate
     trustListEx.$$filename = filename;
     // Initialize write lock flag
@@ -507,7 +665,9 @@ export async function promoteTrustList(trustList: UATrustList) {
                     callback(err, { statusCode: StatusCodes.BadInternalError });
                 });
         } else {
-            warningLog("certificateManager is not defined on trustlist do something to update the trust list document before we open it");
+            warningLog(
+                "certificateManager is not defined on trustlist do something to update the trust list document before we open it"
+            );
             return _open_asyncExecutionFunction.call(this, inputArgs, context, callback);
         }
     }
@@ -539,6 +699,17 @@ export async function promoteTrustList(trustList: UATrustList) {
     addCertificate.bindMethod(_addCertificate);
     removeCertificate.bindMethod(_removeCertificate);
 
+    function _closeCallback(
+        this: UAMethod,
+        inputArgs: Variant[],
+        context: ISessionContext,
+        callback: CallbackT<CallMethodResultOptions>
+    ) {
+        trustListEx.$$openedForWrite = false;
+        _close_asyncExecutionFunction.call(this, inputArgs, context, callback);
+    }
+    close.bindMethod(_closeCallback);
+
     // Wrapper to pass the underlying close method to _closeAndUpdate
     closeAndUpdate?.bindMethod(async function (
         this: UAMethod,
@@ -554,12 +725,17 @@ export async function promoteTrustList(trustList: UATrustList) {
             return;
         }
         fileType.open?.bindMethod(_openCallback);
+        fileType.close?.bindMethod(_closeCallback);
         fileType.addCertificate.bindMethod(_addCertificate);
         fileType.removeCertificate.bindMethod(_removeCertificate);
         fileType.openWithMasks?.bindMethod(_openWithMaskCallback);
         fileType.closeAndUpdate?.bindMethod(_closeAndUpdate);
     }
     install_method_handle_on_TrustListType(trustList.addressSpace);
+
+    // Initialize LastUpdateTime from the PKI store's filesystem timestamps
+    // so it doesn't show MinDate (0001-01-01) when files already exist.
+    await _initializeLastUpdateTimeFromFilesystem(trustListEx);
 }
 
 export function installAccessRestrictionOnTrustList(trustList: UAVariable | UAObject) {

package/source/server/push_certificate_manager/create_signing_request.ts

@@ -2,7 +2,7 @@ import crypto from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { CertificateManager } from "node-opcua-certificate-manager";
-import { convertPEMtoDER, exploreCertificate, readCertificateChain, type DirectoryName } from "node-opcua-crypto";
+import { convertPEMtoDER, type DirectoryName, exploreCertificate, readCertificateChain } from "node-opcua-crypto";
 import { checkDebugFlag, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
 import { NodeId, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
 import type { SubjectOptions } from "node-opcua-pki";
@@ -118,20 +118,30 @@ export async function executeCreateSigningRequest(
         });
     }
 
-    const options = {
-        applicationUri: serverImpl.applicationUri,
-        subject: subjectName
-    };
-
-    const activeCertificateManager = serverImpl.tmpCertificateManager || certificateManager;
-
-    await activeCertificateManager.initialize();
-    const csrFile = await activeCertificateManager.createCertificateRequest(options);
-    const csrPEM = await fs.promises.readFile(csrFile, "utf8");
-    const certificateSigningRequest = convertPEMtoDER(csrPEM);
-
-    return {
-        certificateSigningRequest,
-        statusCode: StatusCodes.Good
-    };
+    try {
+        const options = {
+            applicationUri: serverImpl.applicationUri,
+            subject: subjectName
+        };
+
+        const activeCertificateManager = serverImpl.tmpCertificateManager || certificateManager;
+
+        await activeCertificateManager.initialize();
+        const csrFile = await activeCertificateManager.createCertificateRequest(options);
+        const csrPEM = await fs.promises.readFile(csrFile, "utf8");
+        const certificateSigningRequest = convertPEMtoDER(csrPEM);
+
+        return {
+            certificateSigningRequest,
+            statusCode: StatusCodes.Good
+        };
+    } catch (err) {
+        errorLog(
+            "CreateSigningRequest failed during CSR generation:",
+            (err as Error).message,
+            "subject=", subjectName,
+            "applicationUri=", serverImpl.applicationUri
+        );
+        return { statusCode: StatusCodes.BadInternalError };
+    }
 }

package/source/server/push_certificate_manager/update_certificate.ts

@@ -3,11 +3,13 @@ import path from "node:path";
 import { assert } from "node-opcua-assert";
 import type { ByteString } from "node-opcua-basic-types";
 import type { CertificateManager, OPCUACertificateManager } from "node-opcua-certificate-manager";
-import { readPrivateKey, exploreCertificate } from "node-opcua-crypto";
+import { exploreCertificate, readPrivateKey } from "node-opcua-crypto";
 import {
     certificateMatchesPrivateKey,
+    type Certificate,
     coercePEMorDerToPrivateKey,
     coercePrivateKeyPem,
+    combine_der,
     makeSHA1Thumbprint,
     type PrivateKey,
     toPem
@@ -19,7 +21,7 @@ import { StatusCodes } from "node-opcua-status-code";
 import type { UpdateCertificateResult } from "../../push_certificate_manager.js";
 import { validateCertificateAndChain } from "../certificate_validation.js";
 import type { PushCertificateManagerInternalContext } from "./internal_context.js";
-import { resolveCertificateGroupContext, validateCertificateType, findCertificateGroupName } from "./util.js";
+import { findCertificateGroupName, resolveCertificateGroupContext, validateCertificateType } from "./util.js";
 
 const warningLog = make_warningLog("ServerConfiguration");
 const debugLog = make_debugLog("ServerConfiguration");
@@ -52,18 +54,33 @@ async function preInstallIssuerCertificates(
 }
 
 // Helper: Stage main certificate to temporary files
+//
+// The PEM file contains the full chain (leaf + issuer CAs) so that
+// getCertificateChain() returns the complete chain.  This allows
+// OpenSecureChannel and CreateSession to present the full chain to
+// connecting clients, enabling them to build and verify the trust
+// path without needing all CA certificates pre-installed.
 async function preInstallCertificate(
     serverImpl: PushCertificateManagerInternalContext,
     certificateManager: CertificateManager,
-    certificate: Buffer
+    certificate: Certificate,
+    issuerCertificates?: Certificate[]
 ): Promise<void> {
     const certFolder = certificateManager.ownCertFolder;
-    const destDER = path.join(certFolder, "certificate.der");
     const destPEM = path.join(certFolder, "certificate.pem");
-    const certificatePEM = toPem(certificate, "CERTIFICATE");
 
-    await serverImpl.fileTransactionManager.stageFile(destDER, certificate);
+    // Build the full chain: leaf first, then issuer CAs
+    const certificateChain: Certificate[] = [certificate, ...(issuerCertificates ?? [])];
+    const certificatePEM = toPem(combine_der(certificateChain), "CERTIFICATE");
+
     await serverImpl.fileTransactionManager.stageFile(destPEM, certificatePEM, "utf-8");
+
+    // Clean up any leftover certificate.der from previous installations.
+    // Since DER is no longer written, a stale file would be misleading.
+    const legacyDER = path.join(certFolder, "certificate.der");
+    if (fs.existsSync(legacyDER)) {
+        serverImpl.fileTransactionManager.stageFileRemoval(legacyDER);
+    }
 }
 
 // Helper: Stage private key to temporary file
@@ -164,7 +181,7 @@ export async function executeUpdateCertificate(
             }
 
             await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
-            await preInstallCertificate(serverImpl, certificateManager, certificate);
+            await preInstallCertificate(serverImpl, certificateManager, certificate, issuerCertificates);
             serverImpl.emit("certificateUpdated", certificateGroupId, certificate);
             return { statusCode: StatusCodes.Good, applyChangesRequired: true };
         } else {
@@ -203,7 +220,7 @@ export async function executeUpdateCertificate(
 
             await preInstallPrivateKey(serverImpl, certificateManager, privateKeyFormat, tempPrivateKey);
             await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
-            await preInstallCertificate(serverImpl, certificateManager, certificate);
+            await preInstallCertificate(serverImpl, certificateManager, certificate, issuerCertificates);
 
             serverImpl.emit("certificateUpdated", certificateGroupId, certificate);
             return { statusCode: StatusCodes.Good, applyChangesRequired: true };

package/source/server/push_certificate_manager_helpers.ts

@@ -17,7 +17,7 @@ import {
 import { EventNotifierFlags, type UAObject, type UAVariable } from "node-opcua-address-space-base";
 import type { ByteString, UAString } from "node-opcua-basic-types";
 import { ObjectIds, ObjectTypeIds } from "node-opcua-constants";
-import { readCertificateChainAsync, type Certificate } from "node-opcua-crypto";
+import { type Certificate, readCertificateChainAsync } from "node-opcua-crypto";
 import { AccessRestrictionsFlag, BrowseDirection, coerceQualifiedName, NodeClass } from "node-opcua-data-model";
 import { make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
 import { NodeId, resolveNodeId } from "node-opcua-nodeid";

package/source/server/push_certificate_manager_server_impl.ts

@@ -2,8 +2,8 @@
  * @module node-opcua-server-configuration-server
  */
 import { EventEmitter } from "node:events";
-import { assert } from "node-opcua-assert";
 import type { ISessionContext } from "node-opcua-address-space-base";
+import { assert } from "node-opcua-assert";
 import type { ByteString } from "node-opcua-basic-types";
 import { CertificateManager } from "node-opcua-certificate-manager";
 import { make_errorLog } from "node-opcua-debug";
@@ -70,10 +70,7 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
     public applicationUri: string;
 
     // ── typed event helpers ──────────────────────────────────────────
-    public on<K extends keyof PushCertificateManagerEvents>(
-        event: K,
-        listener: PushCertificateManagerEvents[K]
-    ): this;
+    public on<K extends keyof PushCertificateManagerEvents>(event: K, listener: PushCertificateManagerEvents[K]): this;
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     public on(event: string | symbol, listener: (...args: any[]) => void): this;
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -81,10 +78,7 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
         return super.on(event, listener);
     }
 
-    public once<K extends keyof PushCertificateManagerEvents>(
-        event: K,
-        listener: PushCertificateManagerEvents[K]
-    ): this;
+    public once<K extends keyof PushCertificateManagerEvents>(event: K, listener: PushCertificateManagerEvents[K]): this;
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     public once(event: string | symbol, listener: (...args: any[]) => void): this;
     // eslint-disable-next-line @typescript-eslint/no-explicit-any

package/source/server/trust_list_server.ts

@@ -11,8 +11,8 @@ const errorLog = make_errorLog("TrustListServer");
 
 /**
  * Read all certificate (chains) and CRLs in a folder
- * @param folder 
- * @returns 
+ * @param folder
+ * @returns
  */
 async function readAll(folder: string): Promise<Buffer[]> {
     const results: Buffer[] = [];
@@ -22,6 +22,11 @@ async function readAll(folder: string): Promise<Buffer[]> {
         const ext = path.extname(file);
         if (ext === ".der" || ext === ".pem") {
             const chain = await readCertificateChainAsync(file);
+            // Return the full chain as a single ByteString.
+            // When addTrustedCertificateFromChain stores a chain-on-disk
+            // (leaf + issuer CAs in a single PEM), we preserve that
+            // chain so clients reading the TrustList can use it for
+            // chain-building.
             const concatenated = Buffer.concat(chain);
             results.push(concatenated);
         } else if (ext === ".crl") {

package/dist/server/install_push_certitifate_management.js

@@ -1,144 +0,0 @@
-/**
- * @module node-opcua-server-configuration-server
- */
-import fs from "node:fs";
-import path from "node:path";
-import chalk from "chalk";
-import { assert } from "node-opcua-assert";
-import { invalidateCachedSecrets } from "node-opcua-common";
-import { readPrivateKey } from "node-opcua-crypto";
-import { combine_der, convertPEMtoDER, split_der } from "node-opcua-crypto/web";
-import { checkDebugFlag, make_debugLog, make_errorLog } from "node-opcua-debug";
-import { getFullyQualifiedDomainName, getIpAddresses } from "node-opcua-hostname";
-import { installPushCertificateManagement } from "./push_certificate_manager_helpers.js";
-const debugLog = make_debugLog("ServerConfiguration");
-const errorLog = make_errorLog("ServerConfiguration");
-const doDebug = checkDebugFlag("ServerConfiguration");
-function getCertificateChainEP() {
-    const certificateFile = path.join(this.certificateManager.rootDir, "own/certs/certificate.pem");
-    const certificatePEM = fs.readFileSync(certificateFile, "utf8");
-    return split_der(convertPEMtoDER(certificatePEM));
-}
-function getPrivateKeyEP() {
-    return readPrivateKey(this.certificateManager.privateKey);
-}
-async function onCertificateAboutToChange(server) {
-    doDebug && debugLog(chalk.yellow(" onCertificateAboutToChange => Suspending End points"));
-    await server.suspendEndPoints();
-    doDebug && debugLog(chalk.yellow(" onCertificateAboutToChange => End points suspended"));
-}
-/**
- * onCertificateChange is called when the serverConfiguration notifies
- * that the server certificate and/or private key has changed.
- *
- * This function invalidates the cached secrets so that the next
- * getCertificate() / getPrivateKey() call re-reads from disk,
- * then shuts down all channels and resumes endpoints.
- *
- * @param server
- */
-async function onCertificateChange(server) {
-    doDebug && debugLog("on CertificateChanged");
-    // Invalidate the cached certificate chain and private key.
-    // The SecretHolder will re-read from disk on next access.
-    invalidateCachedSecrets(server);
-    setTimeout(async () => {
-        try {
-            doDebug && debugLog(chalk.yellow(" onCertificateChange => shutting down channels"));
-            await server.shutdownChannels();
-            doDebug && debugLog(chalk.yellow(" onCertificateChange => channels shut down"));
-            doDebug && debugLog(chalk.yellow(" onCertificateChange => resuming end points"));
-            await server.resumeEndPoints();
-            doDebug && debugLog(chalk.yellow(" onCertificateChange => end points resumed"));
-            debugLog(chalk.yellow("channels have been closed -> client should reconnect "));
-        }
-        catch (err) {
-            errorLog("Error in CertificateChanged handler ", err.message);
-            debugLog("err = ", err);
-        }
-    }, 2000);
-}
-/**
- * Install push certificate management on the server.
- *
- * This redirects `getCertificate`, `getCertificateChain` and
- * `getPrivateKey` to read from the serverCertificateManager's
- * PEM files, and wires up the push certificate management
- * address-space nodes.
- */
-async function install() {
-    doDebug && debugLog("install push certificate management", this.serverCertificateManager.rootDir);
-    Object.defineProperty(this, "privateKeyFile", {
-        get: () => this.serverCertificateManager.privateKey,
-        configurable: true
-    });
-    Object.defineProperty(this, "certificateFile", {
-        get: () => path.join(this.serverCertificateManager.rootDir, "own/certs/certificate.pem"),
-        configurable: true
-    });
-    const certificateFile = this.certificateFile;
-    if (!fs.existsSync(certificateFile)) {
-        // this is the first time server is launched
-        // let's create a default self signed certificate with limited validity
-        const fqdn = getFullyQualifiedDomainName();
-        const ipAddresses = getIpAddresses();
-        const applicationUri = (this.serverInfo ? this.serverInfo.applicationUri : null) || "uri:MISSING";
-        const options = {
-            applicationUri,
-            dns: [fqdn],
-            ip: ipAddresses,
-            subject: `/CN=${applicationUri};/L=Paris`,
-            startDate: new Date(),
-            validity: 365 * 5, // five years
-            outputFile: certificateFile
-        };
-        doDebug && debugLog("creating self signed certificate", options);
-        await this.serverCertificateManager.createSelfSignedCertificate(options);
-    }
-    // Invalidate any previously cached secrets so that
-    // getCertificateChain() / getPrivateKey() will re-read from disk.
-    invalidateCachedSecrets(this);
-}
-export async function installPushCertificateManagementOnServer(server) {
-    if (!server.engine || !server.engine.addressSpace) {
-        throw new Error("Server must have a valid address space." +
-            "you need to call installPushCertificateManagementOnServer after server has been initialized");
-    }
-    await install.call(server);
-    for (const endpoint of server.endpoints) {
-        const endpointPriv = endpoint;
-        endpointPriv._certificateChain = null;
-        endpointPriv._privateKey = null;
-        endpoint.getCertificateChain = getCertificateChainEP;
-        endpoint.getPrivateKey = getPrivateKeyEP;
-        for (const e of endpoint.endpointDescriptions()) {
-            Object.defineProperty(e, "serverCertificate", {
-                get: () => combine_der(endpoint.getCertificateChain()),
-                configurable: true
-            });
-        }
-    }
-    await installPushCertificateManagement(server.engine.addressSpace, {
-        applicationGroup: server.serverCertificateManager,
-        userTokenGroup: server.userCertificateManager,
-        applicationUri: server.serverInfo.applicationUri || "InvalidURI"
-    });
-    const serverConfiguration = server.engine.addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
-    const serverConfigurationPriv = serverConfiguration;
-    assert(serverConfigurationPriv.$pushCertificateManager);
-    serverConfigurationPriv.$pushCertificateManager.on("CertificateAboutToChange", (actionQueue) => {
-        actionQueue.push(async () => {
-            doDebug && debugLog("CertificateAboutToChange Event received");
-            await onCertificateAboutToChange(server);
-            doDebug && debugLog("CertificateAboutToChange Event processed");
-        });
-    });
-    serverConfigurationPriv.$pushCertificateManager.on("CertificateChanged", (actionQueue) => {
-        actionQueue.push(async () => {
-            doDebug && debugLog("CertificateChanged Event received");
-            await onCertificateChange(server);
-            doDebug && debugLog("CertificateChanged Event processed");
-        });
-    });
-}
-//# sourceMappingURL=install_push_certitifate_management.js.map

package/dist/server/install_push_certitifate_management.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"install_push_certitifate_management.js","sourceRoot":"","sources":["../../source/server/install_push_certitifate_management.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAoC,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAC9F,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAoB,WAAW,EAAE,eAAe,EAAmB,SAAS,EAAE,MAAM,uBAAuB,CAAC;AACnH,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAE,2BAA2B,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAIlF,OAAO,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAGzF,MAAM,QAAQ,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAC;AACtD,MAAM,QAAQ,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAC;AACtD,MAAM,OAAO,GAAG,cAAc,CAAC,qBAAqB,CAAC,CAAC;AAUtD,SAAS,qBAAqB;IAC1B,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,2BAA2B,CAAC,CAAC;IAChG,MAAM,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAChE,OAAO,SAAS,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,eAAe;IACpB,OAAO,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;AAC9D,CAAC;AAED,KAAK,UAAU,0BAA0B,CAAC,MAAmB;IACzD,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,sDAAsD,CAAC,CAAC,CAAC;IAC1F,MAAM,MAAM,CAAC,gBAAgB,EAAE,CAAC;IAChC,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,qDAAqD,CAAC,CAAC,CAAC;AAC7F,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,mBAAmB,CAAC,MAAmB;IAClD,OAAO,IAAI,QAAQ,CAAC,uBAAuB,CAAC,CAAC;IAE7C,2DAA2D;IAC3D,0DAA0D;IAC1D,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAEhC,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,gDAAgD,CAAC,CAAC,CAAC;YACpF,MAAM,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAChC,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,4CAA4C,CAAC,CAAC,CAAC;YAEhF,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,6CAA6C,CAAC,CAAC,CAAC;YACjF,MAAM,MAAM,CAAC,eAAe,EAAE,CAAC;YAC/B,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,4CAA4C,CAAC,CAAC,CAAC;YAEhF,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,uDAAuD,CAAC,CAAC,CAAC;QACpF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,QAAQ,CAAC,sCAAsC,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;YACzE,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5B,CAAC;IACL,CAAC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,OAAO;IAClB,OAAO,IAAI,QAAQ,CAAC,qCAAqC,EAAE,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;IAElG,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,gBAAgB,EAAE;QAC1C,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,wBAAwB,CAAC,UAAU;QACnD,YAAY,EAAE,IAAI;KACrB,CAAC,CAAC;IACH,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,iBAAiB,EAAE;QAC3C,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,OAAO,EAAE,2BAA2B,CAAC;QACxF,YAAY,EAAE,IAAI;KACrB,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;IAC7C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QAClC,4CAA4C;QAC5C,uEAAuE;QACvE,MAAM,IAAI,GAAG,2BAA2B,EAAE,CAAC;QAC3C,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QAErC,MAAM,cAAc,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC;QAElG,MAAM,OAAO,GAAG;YACZ,cAAc;YACd,GAAG,EAAE,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,WAAW;YACf,OAAO,EAAE,OAAO,cAAc,WAAW;YACzC,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,QAAQ,EAAE,GAAG,GAAG,CAAC,EAAE,aAAa;YAChC,UAAU,EAAE,eAAe;SAC9B,CAAC;QAEF,OAAO,IAAI,QAAQ,CAAC,kCAAkC,EAAE,OAAO,CAAC,CAAC;QACjE,MAAM,IAAI,CAAC,wBAAwB,CAAC,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC7E,CAAC;IAED,mDAAmD;IACnD,kEAAkE;IAClE,uBAAuB,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,wCAAwC,CAAC,MAAmB;IAC9E,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACX,yCAAyC;YACrC,6FAA6F,CACpG,CAAC;IACN,CAAC;IACD,MAAM,OAAO,CAAC,IAAI,CAAC,MAAuC,CAAC,CAAC;IAE5D,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,YAAY,GAA0B,QAA4C,CAAC;QACzF,YAAY,CAAC,iBAAiB,GAAG,IAAI,CAAC;QACtC,YAAY,CAAC,WAAW,GAAG,IAAI,CAAC;QAEhC,QAAQ,CAAC,mBAAmB,GAAG,qBAAqB,CAAC;QACrD,QAAQ,CAAC,aAAa,GAAG,eAAe,CAAC;QAEzC,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YAC9C,MAAM,CAAC,cAAc,CAAC,CAAC,EAAE,mBAAmB,EAAE;gBAC1C,GAAG,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,mBAAmB,EAAE,CAAC;gBACtD,YAAY,EAAE,IAAI;aACrB,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,gCAAgC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE;QAC/D,gBAAgB,EAAE,MAAM,CAAC,wBAAwB;QACjD,cAAc,EAAE,MAAM,CAAC,sBAAsB;QAE7C,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,cAAc,IAAI,YAAY;KACnE,CAAC,CAAC;IAEH,MAAM,mBAAmB,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC;IACvH,MAAM,uBAAuB,GAAG,mBAA8C,CAAC;IAC/E,MAAM,CAAC,uBAAuB,CAAC,uBAAuB,CAAC,CAAC;IAExD,uBAAuB,CAAC,uBAAuB,CAAC,EAAE,CAAC,0BAA0B,EAAE,CAAC,WAAwB,EAAE,EAAE;QACxG,WAAW,CAAC,IAAI,CAAC,KAAK,IAAmB,EAAE;YACvC,OAAO,IAAI,QAAQ,CAAC,yCAAyC,CAAC,CAAC;YAC/D,MAAM,0BAA0B,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,QAAQ,CAAC,0CAA0C,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IACH,uBAAuB,CAAC,uBAAuB,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,WAAwB,EAAE,EAAE;QAClG,WAAW,CAAC,IAAI,CAAC,KAAK,IAAmB,EAAE;YACvC,OAAO,IAAI,QAAQ,CAAC,mCAAmC,CAAC,CAAC;YACzD,MAAM,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAClC,OAAO,IAAI,QAAQ,CAAC,oCAAoC,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC"}