npm - node-opcua-server-configuration - Versions diffs - 2.73.1 → 2.76.0 - Mend

node-opcua-server-configuration 2.73.1 → 2.76.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/LICENSE +3 -1
package/dist/clientTools/index.d.ts +1 -1
package/dist/clientTools/index.js +17 -17
package/dist/clientTools/push_certificate_management_client.d.ts +176 -176
package/dist/clientTools/push_certificate_management_client.js +463 -463
package/dist/index.d.ts +10 -10
package/dist/index.js +27 -27
package/dist/push_certificate_manager.d.ts +141 -141
package/dist/push_certificate_manager.js +2 -2
package/dist/server/install_certificate_file_watcher.d.ts +5 -5
package/dist/server/install_certificate_file_watcher.js +23 -23
package/dist/server/install_push_certitifate_management.d.ts +19 -19
package/dist/server/install_push_certitifate_management.js +213 -213
package/dist/server/promote_trust_list.d.ts +6 -6
package/dist/server/promote_trust_list.js +175 -175
package/dist/server/push_certificate_manager_helpers.d.ts +4 -4
package/dist/server/push_certificate_manager_helpers.js +410 -409
package/dist/server/push_certificate_manager_helpers.js.map +1 -1
package/dist/server/push_certificate_manager_server_impl.d.ts +49 -49
package/dist/server/push_certificate_manager_server_impl.js +522 -522
package/dist/server/roles_and_permissions.d.ts +3 -3
package/dist/server/roles_and_permissions.js +40 -40
package/dist/server/tools.d.ts +3 -3
package/dist/server/tools.js +19 -19
package/dist/server/trust_list_server.d.ts +13 -13
package/dist/server/trust_list_server.js +89 -89
package/dist/standard_certificate_types.d.ts +6 -6
package/dist/standard_certificate_types.js +13 -13
package/dist/trust_list.d.ts +79 -79
package/dist/trust_list.js +2 -2
package/dist/trust_list_impl.js +25 -25
package/package.json +28 -28
package/source/server/push_certificate_manager_helpers.ts +3 -3
package/dist/server/install_CertificateAlarm.d.ts +0 -11
package/dist/server/install_CertificateAlarm.js +0 -46
package/dist/server/install_CertificateAlarm.js.map +0 -1
package/source/server/install_CertificateAlarm.ts +0 -56

package/dist/clientTools/push_certificate_management_client.js CHANGED Viewed

@@ -1,464 +1,464 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientPushCertificateManagement = exports.CertificateGroup = exports.TrustListClient = void 0;
-const node_opcua_nodeid_1 = require("node-opcua-nodeid");
-const node_opcua_status_code_1 = require("node-opcua-status-code");
-const node_opcua_variant_1 = require("node-opcua-variant");
-const node_opcua_file_transfer_1 = require("node-opcua-file-transfer");
-const node_opcua_data_model_1 = require("node-opcua-data-model");
-const node_opcua_service_translate_browse_path_1 = require("node-opcua-service-translate-browse-path");
-const node_opcua_types_1 = require("node-opcua-types");
-const node_opcua_binary_stream_1 = require("node-opcua-binary-stream");
-const serverConfigurationNodeId = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration");
-const createSigningRequestMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CreateSigningRequest");
-const getRejectedListMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_GetRejectedList");
-const updateCertificateMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_UpdateCertificate");
-const certificateGroups = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups");
-const applyChangesMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_ApplyChanges");
-const supportedPrivateKeyFormatsNodeId = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_SupportedPrivateKeyFormats");
-const defaultApplicationGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultApplicationGroup");
-const defaultHttpsGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
-const defaultUserTokenGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
-function findCertificateGroupName(certificateGroupNodeId) {
-    return "todo";
-}
-function findCertificateGroupNodeId(certificateGroup) {
-    if (certificateGroup instanceof node_opcua_nodeid_1.NodeId) {
-        return certificateGroup;
-    }
-    switch (certificateGroup) {
-        case "DefaultApplicationGroup":
-            return defaultApplicationGroup;
-        case "DefaultHttpsGroup":
-            return defaultHttpsGroup;
-        case "DefaultUserTokenGroup":
-            return defaultUserTokenGroup;
-        default:
-            return (0, node_opcua_nodeid_1.resolveNodeId)(certificateGroup);
-    }
-}
-function findCertificateTypeIdNodeId(certificateTypeId) {
-    if (certificateTypeId instanceof node_opcua_nodeid_1.NodeId) {
-        return certificateTypeId;
-    }
-    return (0, node_opcua_nodeid_1.resolveNodeId)(certificateTypeId);
-}
-class TrustListClient extends node_opcua_file_transfer_1.ClientFile {
-    constructor(session, nodeId) {
-        super(session, nodeId);
-        this.nodeId = nodeId;
-    }
-    /**
-     * @private
-     */
-    _extractMethodIds() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const browseResults = yield this.session.translateBrowsePath([
-                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/CloseAndUpdate"),
-                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/AddCertificate"),
-                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/RemoveCertificate"),
-                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/OpenWithMasks") // OpenWithMasks Mandatory
-            ]);
-            this.closeAndUpdateNodeId = browseResults[0].targets[0].targetId;
-            this.addCertificateNodeId = browseResults[1].targets[0].targetId;
-            this.removeCertificateNodeId = browseResults[2].targets[0].targetId;
-            this.openWithMasksNodeId = browseResults[3].targets[0].targetId;
-            // istanbul ignore next
-            if (!this.openWithMasksNodeId || this.openWithMasksNodeId.isEmpty()) {
-                throw new Error("Cannot find mandatory method OpenWithMask on object");
-            }
-        });
-    }
-    extractMethodsIds() {
-        const _super = Object.create(null, {
-            extractMethodsIds: { get: () => super.extractMethodsIds }
-        });
-        return __awaiter(this, void 0, void 0, function* () {
-            yield _super.extractMethodsIds.call(this);
-            yield this._extractMethodIds();
-        });
-    }
-    openWithMasks(trustListMask) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // istanbul ignore next
-            if (this.fileHandle) {
-                throw new Error("File has already be opened");
-            }
-            yield this.ensureInitialized();
-            // istanbul ignore next
-            if (!this.openWithMasksNodeId) {
-                throw new Error("OpenWithMasks doesn't exist");
-            }
-            const inputArguments = [{ dataType: node_opcua_variant_1.DataType.UInt32, value: trustListMask }];
-            const methodToCall = {
-                inputArguments,
-                methodId: this.openWithMasksNodeId,
-                objectId: this.nodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            if (callMethodResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
-                throw new Error(callMethodResult.statusCode.name);
-            }
-            this.fileHandle = callMethodResult.outputArguments[0].value;
-            return this.fileHandle;
-        });
-    }
-    closeAndUpdate(applyChangesRequired) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (!this.fileHandle) {
-                throw new Error("File has node been opened yet");
-            }
-            yield this.ensureInitialized();
-            if (!this.closeAndUpdateNodeId) {
-                throw new Error("CloseAndUpdateMethod doesn't exist");
-            }
-            const inputArguments = [
-                { dataType: node_opcua_variant_1.DataType.UInt32, value: this.fileHandle },
-                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!applyChangesRequired }
-            ];
-            const methodToCall = {
-                inputArguments,
-                methodId: this.closeAndUpdateNodeId,
-                objectId: this.nodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            if (callMethodResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
-                throw new Error(callMethodResult.statusCode.name);
-            }
-            return callMethodResult.outputArguments[0].value;
-        });
-    }
-    addCertificate(certificate, isTrustedCertificate) {
-        return __awaiter(this, void 0, void 0, function* () {
-            yield this.ensureInitialized();
-            const inputArguments = [
-                { dataType: node_opcua_variant_1.DataType.ByteString, value: certificate },
-                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!isTrustedCertificate }
-            ];
-            const methodToCall = {
-                inputArguments,
-                methodId: this.addCertificateNodeId,
-                objectId: this.nodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            return callMethodResult.statusCode;
-        });
-    }
-    removeCertificate(thumbprint, isTrustedCertificate) {
-        return __awaiter(this, void 0, void 0, function* () {
-            yield this.ensureInitialized();
-            const inputArguments = [
-                { dataType: node_opcua_variant_1.DataType.String, value: thumbprint },
-                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!isTrustedCertificate }
-            ];
-            const methodToCall = {
-                inputArguments,
-                methodId: this.removeCertificateNodeId,
-                objectId: this.nodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            return callMethodResult.statusCode;
-        });
-    }
-    /**
-     * helper function to retrieve the list of certificates ...
-     * @returns
-     */
-    readTrustedCertificateList() {
-        return __awaiter(this, void 0, void 0, function* () {
-            // const size = await this.size();
-            const fileHandle = yield this.open(node_opcua_file_transfer_1.OpenFileMode.Read);
-            const buff = yield this.read(65525);
-            yield this.close();
-            const stream = new node_opcua_binary_stream_1.BinaryStream(buff);
-            const trustList = new node_opcua_types_1.TrustListDataType();
-            trustList.decode(stream);
-            return trustList;
-        });
-    }
-    readTrustedCertificateListWithMasks(trustListMask) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // const size = await this.size();
-            const fileHandle = yield this.openWithMasks(trustListMask);
-            const buff = yield this.read(65525);
-            yield this.close();
-            const stream = new node_opcua_binary_stream_1.BinaryStream(buff);
-            const trustList = new node_opcua_types_1.TrustListDataType();
-            trustList.decode(stream);
-            return trustList;
-        });
-    }
-    writeTrustedCertificateList(trustedList) {
-        return __awaiter(this, void 0, void 0, function* () {
-            yield this.open(node_opcua_file_transfer_1.OpenFileMode.Write);
-            const s = trustedList.binaryStoreSize();
-            const stream = new node_opcua_binary_stream_1.BinaryStream(s);
-            trustedList.encode(stream);
-            return yield this.closeAndUpdate(true);
-        });
-    }
-}
-exports.TrustListClient = TrustListClient;
-class CertificateGroup {
-    constructor(session, nodeId) {
-        this.session = session;
-        this.nodeId = nodeId;
-    }
-    getCertificateTypes() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const browsePathResult = yield this.session.translateBrowsePath((0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/CertificateTypes"));
-            if (browsePathResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
-                throw new Error(browsePathResult.statusCode.name);
-            }
-            const certificateTypesNodeId = browsePathResult.targets[0].targetId;
-            const dataValue = yield this.session.read({ nodeId: certificateTypesNodeId, attributeId: node_opcua_data_model_1.AttributeIds.Value });
-            if (dataValue.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
-                throw new Error(browsePathResult.statusCode.name);
-            }
-            return dataValue.value.value;
-        });
-    }
-    getTrustList() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const browsePathResult = yield this.session.translateBrowsePath((0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/TrustList"));
-            if (browsePathResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
-                throw new Error(browsePathResult.statusCode.name);
-            }
-            const trustListNodeId = browsePathResult.targets[0].targetId;
-            return new TrustListClient(this.session, trustListNodeId);
-        });
-    }
-}
-exports.CertificateGroup = CertificateGroup;
-class ClientPushCertificateManagement {
-    constructor(session) {
-        this.session = session;
-    }
-    /**
-     * CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded
-     * Certificate Request that is signed with the Server’s private key. This request can be then used
-     * to request a Certificate from a CA that expects requests in this format.
-     * This Method requires an encrypted channel and that the Client provide credentials with
-     * administrative rights on the Server.
-     *
-     * @param certificateGroupId  - The NodeId of the Certificate Group Object which is affected by the request.
-     *                              If null the DefaultApplicationGroup is used.
-     * @param certificateTypeId   - The type of Certificate being requested. The set of permitted types is specified by
-     *                              the CertificateTypes Property belonging to the Certificate Group.
-     * @param subjectName         - The subject name to use in the Certificate Request.
-     *                              If not specified the SubjectName from the current Certificate is used.
-     *                              The subjectName parameter is a sequence of X.500 name value pairs separated by a ‘/’. For
-     *                              example: CN=ApplicationName/OU=Group/O=Company.
-     *                              If the certificateType is a subtype of ApplicationCertificateType the Certificate subject name
-     *                              shall have an organization (O=) or domain name (DC=) field. The public key length shall meet
-     *                              the length restrictions for the CertificateType. The domain name field specified in the subject
-     *                              name is a logical domain used to qualify the subject name that may or may not be the same
-     *                              as a domain or IP address in the subjectAltName field of the Certificate.
-     *                              If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=)
-     *                              shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name
-     *                              shall have an organization (O=) field.
-     *                              If the subjectName is blank or null the CertificateManager generates a suitable default.
-     * @param regeneratePrivateKey  If TRUE the Server shall create a new Private Key which it stores until the
-     *                              matching signed Certificate is uploaded with the UpdateCertificate Method.
-     *                              Previously created Private Keys may be discarded if UpdateCertificate was not
-     *                              called before calling this method again. If FALSE the Server uses its existing
-     *                              Private Key.
-     * @param nonce                 Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE.
-     *                              It shall be at least 32 bytes long.
-     *
-     * @return                      The PKCS #10 DER encoded Certificate Request.
-     *
-     * Result Code                  Description
-     * BadInvalidArgument          The certificateTypeId, certificateGroupId or subjectName is not valid.
-     * BadUserAccessDenied          The current user does not have the rights required.
-     */
-    createSigningRequest(certificateGroupId, certificateTypeId, subjectName, regeneratePrivateKey, nonce) {
-        return __awaiter(this, void 0, void 0, function* () {
-            nonce = nonce || Buffer.alloc(0);
-            const inputArguments = [
-                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
-                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
-                { dataType: node_opcua_variant_1.DataType.String, value: subjectName },
-                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!regeneratePrivateKey },
-                { dataType: node_opcua_variant_1.DataType.ByteString, value: nonce }
-            ];
-            const methodToCall = {
-                inputArguments,
-                methodId: createSigningRequestMethod,
-                objectId: serverConfigurationNodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            if (callMethodResult.statusCode === node_opcua_status_code_1.StatusCodes.Good) {
-                // xx console.log(callMethodResult.toString());
-                return {
-                    certificateSigningRequest: callMethodResult.outputArguments[0].value,
-                    statusCode: callMethodResult.statusCode
-                };
-            }
-            else {
-                return { statusCode: callMethodResult.statusCode };
-            }
-        });
-    }
-    /**
-     * GetRejectedList Method returns the list of Certificates that have been rejected by the Server.
-     * rules are defined for how the Server updates this list or how long a Certificate is kept in
-     * the list. It is recommended that every valid but untrusted Certificate be added to the rejected
-     * list as long as storage is available. Servers should omit older entries from the list returned if
-     * the maximum message size is not large enough to allow the entire list to be returned.
-     * This Method requires an encrypted channel and that the Client provides credentials with
-     * administrative rights on the Server
-     *
-     * @return certificates The DER encoded form of the Certificates rejected by the Server
-     */
-    getRejectedList() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const inputArguments = [];
-            const methodToCall = {
-                inputArguments,
-                methodId: getRejectedListMethod,
-                objectId: serverConfigurationNodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            if (callMethodResult.statusCode === node_opcua_status_code_1.StatusCodes.Good) {
-                if (callMethodResult.outputArguments[0].dataType !== node_opcua_variant_1.DataType.ByteString) {
-                    return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-                }
-                return {
-                    certificates: callMethodResult.outputArguments[0].value,
-                    statusCode: callMethodResult.statusCode
-                };
-            }
-            else {
-                return {
-                    statusCode: callMethodResult.statusCode
-                };
-            }
-        });
-    }
-    updateCertificate(certificateGroupId, certificateTypeId, certificate, issuerCertificates, privateKeyFormat, privateKey) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const inputArguments = [
-                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
-                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
-                { dataType: node_opcua_variant_1.DataType.ByteString, value: certificate },
-                { dataType: node_opcua_variant_1.DataType.ByteString, arrayType: node_opcua_variant_1.VariantArrayType.Array, value: issuerCertificates },
-                { dataType: node_opcua_variant_1.DataType.String, value: privateKeyFormat || "" },
-                { dataType: node_opcua_variant_1.DataType.ByteString, value: privateKeyFormat ? privateKey : Buffer.alloc(0) }
-            ];
-            const methodToCall = {
-                inputArguments,
-                methodId: updateCertificateMethod,
-                objectId: serverConfigurationNodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            if (callMethodResult.statusCode === node_opcua_status_code_1.StatusCodes.Good) {
-                if (!callMethodResult.outputArguments || callMethodResult.outputArguments.length !== 1) {
-                    return {
-                        statusCode: node_opcua_status_code_1.StatusCodes.BadInternalError
-                    };
-                    // throw Error("Internal Error, expecting 1 output result");
-                }
-                return {
-                    applyChangesRequired: callMethodResult.outputArguments[0].value,
-                    statusCode: callMethodResult.statusCode
-                };
-            }
-            else {
-                return { statusCode: callMethodResult.statusCode };
-            }
-        });
-    }
-    /**
-     * ApplyChanges tells the Server to apply any security changes.
-     * This Method should only be called if a previous call to a Method that changed the
-     * configuration returns applyChangesRequired=true (see 7.7.4).
-     * If the Server Certificate has changed, Secure Channels using the old Certificate will
-     * eventually be interrupted. The only leeway the Server has is with the timing. In the best case,
-     * the Server can close the TransportConnections for the affected Endpoints and leave any
-     * Subscriptions intact. This should appear no different than a network interruption from the
-     * perspective of the Client. The Client should be prepared to deal with Certificate changes
-     * during its reconnect logic. In the worst case, a full shutdown which affects all connected
-     * Clients will be necessary. In the latter case, the Server shall advertise its intent to interrupt
-     * connections by setting the SecondsTillShutdown and ShutdownReason Properties in the
-     * ServerStatus Variable.
-     * If the Secure Channel being used to call this Method will be affected by the Certificate change
-     * then the Server shall introduce a delay long enough to allow the caller to receive a reply.
-     * This Method requires an encrypted channel and that the Client provide credentials with
-     * administrative rights on the Server.
-     *
-     * Result Code            Description
-     * BadUserAccessDenied   The current user does not have the rights required.
-     */
-    applyChanges() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const methodToCall = {
-                inputArguments: [],
-                methodId: applyChangesMethod,
-                objectId: serverConfigurationNodeId
-            };
-            const callMethodResult = yield this.session.call(methodToCall);
-            if (callMethodResult.outputArguments && callMethodResult.outputArguments.length) {
-                throw new Error("Invalid  output arguments");
-            }
-            return callMethodResult.statusCode;
-        });
-    }
-    getSupportedPrivateKeyFormats() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const dataValue = yield this.session.read({
-                attributeId: node_opcua_data_model_1.AttributeIds.Value,
-                nodeId: supportedPrivateKeyFormatsNodeId
-            });
-            return dataValue.value.value;
-        });
-    }
-    getCertificateGroupId(certificateGroupName) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (certificateGroupName === "DefaultApplicationGroup") {
-                return defaultApplicationGroup;
-            }
-            // toDO
-            throw new Error("Not Implemented yet");
-        });
-    }
-    /**
-     *
-     * @param browseName
-     */
-    getCertificateGroup(browseName) {
-        return __awaiter(this, void 0, void 0, function* () {
-            browseName = (0, node_opcua_data_model_1.coerceQualifiedName)(browseName);
-            if (browseName.toString() === "DefaultApplicationGroup") {
-                return new CertificateGroup(this.session, defaultApplicationGroup);
-            }
-            if (browseName.toString() === "DefaultUserTokenGroup") {
-                return new CertificateGroup(this.session, defaultUserTokenGroup);
-            }
-            // istanbul ignore next
-            throw new Error("Not Implemented yet");
-        });
-    }
-    getApplicationGroup() {
-        return __awaiter(this, void 0, void 0, function* () {
-            return this.getCertificateGroup("DefaultApplicationGroup");
-        });
-    }
-    getUserTokenGroup() {
-        return __awaiter(this, void 0, void 0, function* () {
-            return this.getCertificateGroup("DefaultUserTokenGroup");
-        });
-    }
-}
-exports.ClientPushCertificateManagement = ClientPushCertificateManagement;
-ClientPushCertificateManagement.rsaSha256ApplicationCertificateType = (0, node_opcua_nodeid_1.resolveNodeId)("i=12560");
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientPushCertificateManagement = exports.CertificateGroup = exports.TrustListClient = void 0;
+const node_opcua_nodeid_1 = require("node-opcua-nodeid");
+const node_opcua_status_code_1 = require("node-opcua-status-code");
+const node_opcua_variant_1 = require("node-opcua-variant");
+const node_opcua_file_transfer_1 = require("node-opcua-file-transfer");
+const node_opcua_data_model_1 = require("node-opcua-data-model");
+const node_opcua_service_translate_browse_path_1 = require("node-opcua-service-translate-browse-path");
+const node_opcua_types_1 = require("node-opcua-types");
+const node_opcua_binary_stream_1 = require("node-opcua-binary-stream");
+const serverConfigurationNodeId = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration");
+const createSigningRequestMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CreateSigningRequest");
+const getRejectedListMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_GetRejectedList");
+const updateCertificateMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_UpdateCertificate");
+const certificateGroups = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups");
+const applyChangesMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_ApplyChanges");
+const supportedPrivateKeyFormatsNodeId = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_SupportedPrivateKeyFormats");
+const defaultApplicationGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultApplicationGroup");
+const defaultHttpsGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
+const defaultUserTokenGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
+function findCertificateGroupName(certificateGroupNodeId) {
+    return "todo";
+}
+function findCertificateGroupNodeId(certificateGroup) {
+    if (certificateGroup instanceof node_opcua_nodeid_1.NodeId) {
+        return certificateGroup;
+    }
+    switch (certificateGroup) {
+        case "DefaultApplicationGroup":
+            return defaultApplicationGroup;
+        case "DefaultHttpsGroup":
+            return defaultHttpsGroup;
+        case "DefaultUserTokenGroup":
+            return defaultUserTokenGroup;
+        default:
+            return (0, node_opcua_nodeid_1.resolveNodeId)(certificateGroup);
+    }
+}
+function findCertificateTypeIdNodeId(certificateTypeId) {
+    if (certificateTypeId instanceof node_opcua_nodeid_1.NodeId) {
+        return certificateTypeId;
+    }
+    return (0, node_opcua_nodeid_1.resolveNodeId)(certificateTypeId);
+}
+class TrustListClient extends node_opcua_file_transfer_1.ClientFile {
+    constructor(session, nodeId) {
+        super(session, nodeId);
+        this.nodeId = nodeId;
+    }
+    /**
+     * @private
+     */
+    _extractMethodIds() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const browseResults = yield this.session.translateBrowsePath([
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/CloseAndUpdate"),
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/AddCertificate"),
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/RemoveCertificate"),
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/OpenWithMasks") // OpenWithMasks Mandatory
+            ]);
+            this.closeAndUpdateNodeId = browseResults[0].targets[0].targetId;
+            this.addCertificateNodeId = browseResults[1].targets[0].targetId;
+            this.removeCertificateNodeId = browseResults[2].targets[0].targetId;
+            this.openWithMasksNodeId = browseResults[3].targets[0].targetId;
+            // istanbul ignore next
+            if (!this.openWithMasksNodeId || this.openWithMasksNodeId.isEmpty()) {
+                throw new Error("Cannot find mandatory method OpenWithMask on object");
+            }
+        });
+    }
+    extractMethodsIds() {
+        const _super = Object.create(null, {
+            extractMethodsIds: { get: () => super.extractMethodsIds }
+        });
+        return __awaiter(this, void 0, void 0, function* () {
+            yield _super.extractMethodsIds.call(this);
+            yield this._extractMethodIds();
+        });
+    }
+    openWithMasks(trustListMask) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // istanbul ignore next
+            if (this.fileHandle) {
+                throw new Error("File has already be opened");
+            }
+            yield this.ensureInitialized();
+            // istanbul ignore next
+            if (!this.openWithMasksNodeId) {
+                throw new Error("OpenWithMasks doesn't exist");
+            }
+            const inputArguments = [{ dataType: node_opcua_variant_1.DataType.UInt32, value: trustListMask }];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.openWithMasksNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
+                throw new Error(callMethodResult.statusCode.name);
+            }
+            this.fileHandle = callMethodResult.outputArguments[0].value;
+            return this.fileHandle;
+        });
+    }
+    closeAndUpdate(applyChangesRequired) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.fileHandle) {
+                throw new Error("File has node been opened yet");
+            }
+            yield this.ensureInitialized();
+            if (!this.closeAndUpdateNodeId) {
+                throw new Error("CloseAndUpdateMethod doesn't exist");
+            }
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.UInt32, value: this.fileHandle },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!applyChangesRequired }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.closeAndUpdateNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
+                throw new Error(callMethodResult.statusCode.name);
+            }
+            return callMethodResult.outputArguments[0].value;
+        });
+    }
+    addCertificate(certificate, isTrustedCertificate) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.ensureInitialized();
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: certificate },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!isTrustedCertificate }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.addCertificateNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            return callMethodResult.statusCode;
+        });
+    }
+    removeCertificate(thumbprint, isTrustedCertificate) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.ensureInitialized();
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.String, value: thumbprint },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!isTrustedCertificate }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.removeCertificateNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            return callMethodResult.statusCode;
+        });
+    }
+    /**
+     * helper function to retrieve the list of certificates ...
+     * @returns
+     */
+    readTrustedCertificateList() {
+        return __awaiter(this, void 0, void 0, function* () {
+            // const size = await this.size();
+            const fileHandle = yield this.open(node_opcua_file_transfer_1.OpenFileMode.Read);
+            const buff = yield this.read(65525);
+            yield this.close();
+            const stream = new node_opcua_binary_stream_1.BinaryStream(buff);
+            const trustList = new node_opcua_types_1.TrustListDataType();
+            trustList.decode(stream);
+            return trustList;
+        });
+    }
+    readTrustedCertificateListWithMasks(trustListMask) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // const size = await this.size();
+            const fileHandle = yield this.openWithMasks(trustListMask);
+            const buff = yield this.read(65525);
+            yield this.close();
+            const stream = new node_opcua_binary_stream_1.BinaryStream(buff);
+            const trustList = new node_opcua_types_1.TrustListDataType();
+            trustList.decode(stream);
+            return trustList;
+        });
+    }
+    writeTrustedCertificateList(trustedList) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.open(node_opcua_file_transfer_1.OpenFileMode.Write);
+            const s = trustedList.binaryStoreSize();
+            const stream = new node_opcua_binary_stream_1.BinaryStream(s);
+            trustedList.encode(stream);
+            return yield this.closeAndUpdate(true);
+        });
+    }
+}
+exports.TrustListClient = TrustListClient;
+class CertificateGroup {
+    constructor(session, nodeId) {
+        this.session = session;
+        this.nodeId = nodeId;
+    }
+    getCertificateTypes() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const browsePathResult = yield this.session.translateBrowsePath((0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/CertificateTypes"));
+            if (browsePathResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
+                throw new Error(browsePathResult.statusCode.name);
+            }
+            const certificateTypesNodeId = browsePathResult.targets[0].targetId;
+            const dataValue = yield this.session.read({ nodeId: certificateTypesNodeId, attributeId: node_opcua_data_model_1.AttributeIds.Value });
+            if (dataValue.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
+                throw new Error(browsePathResult.statusCode.name);
+            }
+            return dataValue.value.value;
+        });
+    }
+    getTrustList() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const browsePathResult = yield this.session.translateBrowsePath((0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/TrustList"));
+            if (browsePathResult.statusCode !== node_opcua_status_code_1.StatusCodes.Good) {
+                throw new Error(browsePathResult.statusCode.name);
+            }
+            const trustListNodeId = browsePathResult.targets[0].targetId;
+            return new TrustListClient(this.session, trustListNodeId);
+        });
+    }
+}
+exports.CertificateGroup = CertificateGroup;
+class ClientPushCertificateManagement {
+    constructor(session) {
+        this.session = session;
+    }
+    /**
+     * CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded
+     * Certificate Request that is signed with the Server’s private key. This request can be then used
+     * to request a Certificate from a CA that expects requests in this format.
+     * This Method requires an encrypted channel and that the Client provide credentials with
+     * administrative rights on the Server.
+     *
+     * @param certificateGroupId  - The NodeId of the Certificate Group Object which is affected by the request.
+     *                              If null the DefaultApplicationGroup is used.
+     * @param certificateTypeId   - The type of Certificate being requested. The set of permitted types is specified by
+     *                              the CertificateTypes Property belonging to the Certificate Group.
+     * @param subjectName         - The subject name to use in the Certificate Request.
+     *                              If not specified the SubjectName from the current Certificate is used.
+     *                              The subjectName parameter is a sequence of X.500 name value pairs separated by a ‘/’. For
+     *                              example: CN=ApplicationName/OU=Group/O=Company.
+     *                              If the certificateType is a subtype of ApplicationCertificateType the Certificate subject name
+     *                              shall have an organization (O=) or domain name (DC=) field. The public key length shall meet
+     *                              the length restrictions for the CertificateType. The domain name field specified in the subject
+     *                              name is a logical domain used to qualify the subject name that may or may not be the same
+     *                              as a domain or IP address in the subjectAltName field of the Certificate.
+     *                              If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=)
+     *                              shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name
+     *                              shall have an organization (O=) field.
+     *                              If the subjectName is blank or null the CertificateManager generates a suitable default.
+     * @param regeneratePrivateKey  If TRUE the Server shall create a new Private Key which it stores until the
+     *                              matching signed Certificate is uploaded with the UpdateCertificate Method.
+     *                              Previously created Private Keys may be discarded if UpdateCertificate was not
+     *                              called before calling this method again. If FALSE the Server uses its existing
+     *                              Private Key.
+     * @param nonce                 Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE.
+     *                              It shall be at least 32 bytes long.
+     *
+     * @return                      The PKCS #10 DER encoded Certificate Request.
+     *
+     * Result Code                  Description
+     * BadInvalidArgument          The certificateTypeId, certificateGroupId or subjectName is not valid.
+     * BadUserAccessDenied          The current user does not have the rights required.
+     */
+    createSigningRequest(certificateGroupId, certificateTypeId, subjectName, regeneratePrivateKey, nonce) {
+        return __awaiter(this, void 0, void 0, function* () {
+            nonce = nonce || Buffer.alloc(0);
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
+                { dataType: node_opcua_variant_1.DataType.String, value: subjectName },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!regeneratePrivateKey },
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: nonce }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: createSigningRequestMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode === node_opcua_status_code_1.StatusCodes.Good) {
+                // xx console.log(callMethodResult.toString());
+                return {
+                    certificateSigningRequest: callMethodResult.outputArguments[0].value,
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+            else {
+                return { statusCode: callMethodResult.statusCode };
+            }
+        });
+    }
+    /**
+     * GetRejectedList Method returns the list of Certificates that have been rejected by the Server.
+     * rules are defined for how the Server updates this list or how long a Certificate is kept in
+     * the list. It is recommended that every valid but untrusted Certificate be added to the rejected
+     * list as long as storage is available. Servers should omit older entries from the list returned if
+     * the maximum message size is not large enough to allow the entire list to be returned.
+     * This Method requires an encrypted channel and that the Client provides credentials with
+     * administrative rights on the Server
+     *
+     * @return certificates The DER encoded form of the Certificates rejected by the Server
+     */
+    getRejectedList() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const inputArguments = [];
+            const methodToCall = {
+                inputArguments,
+                methodId: getRejectedListMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode === node_opcua_status_code_1.StatusCodes.Good) {
+                if (callMethodResult.outputArguments[0].dataType !== node_opcua_variant_1.DataType.ByteString) {
+                    return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+                }
+                return {
+                    certificates: callMethodResult.outputArguments[0].value,
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+            else {
+                return {
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+        });
+    }
+    updateCertificate(certificateGroupId, certificateTypeId, certificate, issuerCertificates, privateKeyFormat, privateKey) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: certificate },
+                { dataType: node_opcua_variant_1.DataType.ByteString, arrayType: node_opcua_variant_1.VariantArrayType.Array, value: issuerCertificates },
+                { dataType: node_opcua_variant_1.DataType.String, value: privateKeyFormat || "" },
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: privateKeyFormat ? privateKey : Buffer.alloc(0) }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: updateCertificateMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode === node_opcua_status_code_1.StatusCodes.Good) {
+                if (!callMethodResult.outputArguments || callMethodResult.outputArguments.length !== 1) {
+                    return {
+                        statusCode: node_opcua_status_code_1.StatusCodes.BadInternalError
+                    };
+                    // throw Error("Internal Error, expecting 1 output result");
+                }
+                return {
+                    applyChangesRequired: callMethodResult.outputArguments[0].value,
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+            else {
+                return { statusCode: callMethodResult.statusCode };
+            }
+        });
+    }
+    /**
+     * ApplyChanges tells the Server to apply any security changes.
+     * This Method should only be called if a previous call to a Method that changed the
+     * configuration returns applyChangesRequired=true (see 7.7.4).
+     * If the Server Certificate has changed, Secure Channels using the old Certificate will
+     * eventually be interrupted. The only leeway the Server has is with the timing. In the best case,
+     * the Server can close the TransportConnections for the affected Endpoints and leave any
+     * Subscriptions intact. This should appear no different than a network interruption from the
+     * perspective of the Client. The Client should be prepared to deal with Certificate changes
+     * during its reconnect logic. In the worst case, a full shutdown which affects all connected
+     * Clients will be necessary. In the latter case, the Server shall advertise its intent to interrupt
+     * connections by setting the SecondsTillShutdown and ShutdownReason Properties in the
+     * ServerStatus Variable.
+     * If the Secure Channel being used to call this Method will be affected by the Certificate change
+     * then the Server shall introduce a delay long enough to allow the caller to receive a reply.
+     * This Method requires an encrypted channel and that the Client provide credentials with
+     * administrative rights on the Server.
+     *
+     * Result Code            Description
+     * BadUserAccessDenied   The current user does not have the rights required.
+     */
+    applyChanges() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const methodToCall = {
+                inputArguments: [],
+                methodId: applyChangesMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.outputArguments && callMethodResult.outputArguments.length) {
+                throw new Error("Invalid  output arguments");
+            }
+            return callMethodResult.statusCode;
+        });
+    }
+    getSupportedPrivateKeyFormats() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const dataValue = yield this.session.read({
+                attributeId: node_opcua_data_model_1.AttributeIds.Value,
+                nodeId: supportedPrivateKeyFormatsNodeId
+            });
+            return dataValue.value.value;
+        });
+    }
+    getCertificateGroupId(certificateGroupName) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (certificateGroupName === "DefaultApplicationGroup") {
+                return defaultApplicationGroup;
+            }
+            // toDO
+            throw new Error("Not Implemented yet");
+        });
+    }
+    /**
+     *
+     * @param browseName
+     */
+    getCertificateGroup(browseName) {
+        return __awaiter(this, void 0, void 0, function* () {
+            browseName = (0, node_opcua_data_model_1.coerceQualifiedName)(browseName);
+            if (browseName.toString() === "DefaultApplicationGroup") {
+                return new CertificateGroup(this.session, defaultApplicationGroup);
+            }
+            if (browseName.toString() === "DefaultUserTokenGroup") {
+                return new CertificateGroup(this.session, defaultUserTokenGroup);
+            }
+            // istanbul ignore next
+            throw new Error("Not Implemented yet");
+        });
+    }
+    getApplicationGroup() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.getCertificateGroup("DefaultApplicationGroup");
+        });
+    }
+    getUserTokenGroup() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.getCertificateGroup("DefaultUserTokenGroup");
+        });
+    }
+}
+exports.ClientPushCertificateManagement = ClientPushCertificateManagement;
+ClientPushCertificateManagement.rsaSha256ApplicationCertificateType = (0, node_opcua_nodeid_1.resolveNodeId)("i=12560");
 //# sourceMappingURL=push_certificate_management_client.js.map