npm - node-opcua-server-configuration - Versions diffs - 2.168.0 → 2.169.0 - Mend

node-opcua-server-configuration 2.168.0 → 2.169.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/index.d.ts +1 -0
package/dist/index.js +1 -0
package/dist/index.js.map +1 -1
package/dist/server/file_transaction_manager.d.ts +10 -0
package/dist/server/file_transaction_manager.js +23 -0
package/dist/server/file_transaction_manager.js.map +1 -1
package/dist/server/install_push_certificate_management.d.ts +1 -1
package/dist/server/install_push_certificate_management.js +142 -1
package/dist/server/install_push_certificate_management.js.map +1 -1
package/dist/server/promote_trust_list.js +153 -1
package/dist/server/promote_trust_list.js.map +1 -1
package/dist/server/push_certificate_manager/create_signing_request.js +19 -13
package/dist/server/push_certificate_manager/create_signing_request.js.map +1 -1
package/dist/server/push_certificate_manager/update_certificate.js +19 -7
package/dist/server/push_certificate_manager/update_certificate.js.map +1 -1
package/dist/server/trust_list_server.js +5 -0
package/dist/server/trust_list_server.js.map +1 -1
package/package.json +23 -23
package/source/index.ts +1 -0
package/source/server/file_transaction_manager.ts +25 -0
package/source/server/install_push_certificate_management.ts +175 -3
package/source/server/promote_trust_list.ts +175 -1
package/source/server/push_certificate_manager/create_signing_request.ts +26 -16
package/source/server/push_certificate_manager/update_certificate.ts +23 -6
package/source/server/trust_list_server.ts +5 -0

package/source/server/push_certificate_manager/create_signing_request.ts CHANGED Viewed

@@ -118,20 +118,30 @@ export async function executeCreateSigningRequest(
         });
     }
-    const options = {
-        applicationUri: serverImpl.applicationUri,
-        subject: subjectName
-    };
-    const activeCertificateManager = serverImpl.tmpCertificateManager || certificateManager;
-    await activeCertificateManager.initialize();
-    const csrFile = await activeCertificateManager.createCertificateRequest(options);
-    const csrPEM = await fs.promises.readFile(csrFile, "utf8");
-    const certificateSigningRequest = convertPEMtoDER(csrPEM);
-    return {
-        certificateSigningRequest,
-        statusCode: StatusCodes.Good
-    };
+    try {
+        const options = {
+            applicationUri: serverImpl.applicationUri,
+            subject: subjectName
+        };
+        const activeCertificateManager = serverImpl.tmpCertificateManager || certificateManager;
+        await activeCertificateManager.initialize();
+        const csrFile = await activeCertificateManager.createCertificateRequest(options);
+        const csrPEM = await fs.promises.readFile(csrFile, "utf8");
+        const certificateSigningRequest = convertPEMtoDER(csrPEM);
+        return {
+            certificateSigningRequest,
+            statusCode: StatusCodes.Good
+        };
+    } catch (err) {
+        errorLog(
+            "CreateSigningRequest failed during CSR generation:",
+            (err as Error).message,
+            "subject=", subjectName,
+            "applicationUri=", serverImpl.applicationUri
+        );
+        return { statusCode: StatusCodes.BadInternalError };
+    }
 }

package/source/server/push_certificate_manager/update_certificate.ts CHANGED Viewed

@@ -6,8 +6,10 @@ import type { CertificateManager, OPCUACertificateManager } from "node-opcua-cer
 import { exploreCertificate, readPrivateKey } from "node-opcua-crypto";
 import {
     certificateMatchesPrivateKey,
+    type Certificate,
     coercePEMorDerToPrivateKey,
     coercePrivateKeyPem,
+    combine_der,
     makeSHA1Thumbprint,
     type PrivateKey,
     toPem
@@ -52,18 +54,33 @@ async function preInstallIssuerCertificates(
 }
 // Helper: Stage main certificate to temporary files
+//
+// The PEM file contains the full chain (leaf + issuer CAs) so that
+// getCertificateChain() returns the complete chain.  This allows
+// OpenSecureChannel and CreateSession to present the full chain to
+// connecting clients, enabling them to build and verify the trust
+// path without needing all CA certificates pre-installed.
 async function preInstallCertificate(
     serverImpl: PushCertificateManagerInternalContext,
     certificateManager: CertificateManager,
-    certificate: Buffer
+    certificate: Certificate,
+    issuerCertificates?: Certificate[]
 ): Promise<void> {
     const certFolder = certificateManager.ownCertFolder;
-    const destDER = path.join(certFolder, "certificate.der");
     const destPEM = path.join(certFolder, "certificate.pem");
-    const certificatePEM = toPem(certificate, "CERTIFICATE");
-    await serverImpl.fileTransactionManager.stageFile(destDER, certificate);
+    // Build the full chain: leaf first, then issuer CAs
+    const certificateChain: Certificate[] = [certificate, ...(issuerCertificates ?? [])];
+    const certificatePEM = toPem(combine_der(certificateChain), "CERTIFICATE");
     await serverImpl.fileTransactionManager.stageFile(destPEM, certificatePEM, "utf-8");
+    // Clean up any leftover certificate.der from previous installations.
+    // Since DER is no longer written, a stale file would be misleading.
+    const legacyDER = path.join(certFolder, "certificate.der");
+    if (fs.existsSync(legacyDER)) {
+        serverImpl.fileTransactionManager.stageFileRemoval(legacyDER);
+    }
 }
 // Helper: Stage private key to temporary file
@@ -164,7 +181,7 @@ export async function executeUpdateCertificate(
             }
             await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
-            await preInstallCertificate(serverImpl, certificateManager, certificate);
+            await preInstallCertificate(serverImpl, certificateManager, certificate, issuerCertificates);
             serverImpl.emit("certificateUpdated", certificateGroupId, certificate);
             return { statusCode: StatusCodes.Good, applyChangesRequired: true };
         } else {
@@ -203,7 +220,7 @@ export async function executeUpdateCertificate(
             await preInstallPrivateKey(serverImpl, certificateManager, privateKeyFormat, tempPrivateKey);
             await preInstallIssuerCertificates(serverImpl, certificateManager, issuerCertificates);
-            await preInstallCertificate(serverImpl, certificateManager, certificate);
+            await preInstallCertificate(serverImpl, certificateManager, certificate, issuerCertificates);
             serverImpl.emit("certificateUpdated", certificateGroupId, certificate);
             return { statusCode: StatusCodes.Good, applyChangesRequired: true };

package/source/server/trust_list_server.ts CHANGED Viewed

@@ -22,6 +22,11 @@ async function readAll(folder: string): Promise<Buffer[]> {
         const ext = path.extname(file);
         if (ext === ".der" || ext === ".pem") {
             const chain = await readCertificateChainAsync(file);
+            // Return the full chain as a single ByteString.
+            // When addTrustedCertificateFromChain stores a chain-on-disk
+            // (leaf + issuer CAs in a single PEM), we preserve that
+            // chain so clients reading the TrustList can use it for
+            // chain-building.
             const concatenated = Buffer.concat(chain);
             results.push(concatenated);
         } else if (ext === ".crl") {