node-opcua-server-configuration 2.98.0 → 2.98.1

package/dist/clientTools/index.d.ts

@@ -0,0 +1 @@
+export * from "./push_certificate_management_client";

package/dist/clientTools/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./push_certificate_management_client"), exports);
+//# sourceMappingURL=index.js.map

package/dist/clientTools/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../source/clientTools/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,uEAAoD"}

package/dist/clientTools/push_certificate_management_client.d.ts

@@ -0,0 +1,176 @@
+/// <reference types="node" />
+/**
+ * @module node-opcua-server-configuration.client
+ */
+import { ByteString } from "node-opcua-basic-types";
+import { NodeId } from "node-opcua-nodeid";
+import { IBasicSession } from "node-opcua-pseudo-session";
+import { StatusCode } from "node-opcua-status-code";
+import { ClientFile } from "node-opcua-file-transfer";
+import { QualifiedNameLike } from "node-opcua-data-model";
+import { Certificate, PrivateKey } from "node-opcua-crypto";
+import { TrustListDataType } from "node-opcua-types";
+import { CreateSigningRequestResult, GetRejectedListResult, PushCertificateManager, UpdateCertificateResult } from "../push_certificate_manager";
+import { ITrustList } from "../trust_list";
+import { TrustListMasks } from "../server/trust_list_server";
+export declare class TrustListClient extends ClientFile implements ITrustList {
+    nodeId: NodeId;
+    private closeAndUpdateNodeId?;
+    private addCertificateNodeId?;
+    private removeCertificateNodeId?;
+    private openWithMasksNodeId?;
+    constructor(session: IBasicSession, nodeId: NodeId);
+    /**
+     * @private
+     */
+    _extractMethodIds(): Promise<void>;
+    protected extractMethodsIds(): Promise<void>;
+    openWithMasks(trustListMask: TrustListMasks): Promise<number>;
+    closeAndUpdate(applyChangesRequired: boolean): Promise<boolean>;
+    addCertificate(certificate: Certificate, isTrustedCertificate: boolean): Promise<StatusCode>;
+    removeCertificate(thumbprint: string, isTrustedCertificate: boolean): Promise<StatusCode>;
+    /**
+     * helper function to retrieve the list of certificates ...
+     * @returns
+     */
+    readTrustedCertificateList(): Promise<TrustListDataType>;
+    readTrustedCertificateListWithMasks(trustListMask: TrustListMasks): Promise<TrustListDataType>;
+    writeTrustedCertificateList(trustedList: TrustListDataType): Promise<boolean>;
+}
+export declare class CertificateGroup {
+    session: IBasicSession;
+    nodeId: NodeId;
+    constructor(session: IBasicSession, nodeId: NodeId);
+    getCertificateTypes(): Promise<NodeId[]>;
+    getTrustList(): Promise<TrustListClient>;
+}
+export declare class ClientPushCertificateManagement implements PushCertificateManager {
+    static rsaSha256ApplicationCertificateType: NodeId;
+    session: IBasicSession;
+    constructor(session: IBasicSession);
+    /**
+     * CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded
+     * Certificate Request that is signed with the Server’s private key. This request can be then used
+     * to request a Certificate from a CA that expects requests in this format.
+     * This Method requires an encrypted channel and that the Client provide credentials with
+     * administrative rights on the Server.
+     *
+     * @param certificateGroupId  - The NodeId of the Certificate Group Object which is affected by the request.
+     *                              If null the DefaultApplicationGroup is used.
+     * @param certificateTypeId   - The type of Certificate being requested. The set of permitted types is specified by
+     *                              the CertificateTypes Property belonging to the Certificate Group.
+     * @param subjectName         - The subject name to use in the Certificate Request.
+     *                              If not specified the SubjectName from the current Certificate is used.
+     *                              The subjectName parameter is a sequence of X.500 name value pairs separated by a ‘/’. For
+     *                              example: CN=ApplicationName/OU=Group/O=Company.
+     *                              If the certificateType is a subtype of ApplicationCertificateType the Certificate subject name
+     *                              shall have an organization (O=) or domain name (DC=) field. The public key length shall meet
+     *                              the length restrictions for the CertificateType. The domain name field specified in the subject
+     *                              name is a logical domain used to qualify the subject name that may or may not be the same
+     *                              as a domain or IP address in the subjectAltName field of the Certificate.
+     *                              If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=)
+     *                              shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name
+     *                              shall have an organization (O=) field.
+     *                              If the subjectName is blank or null the CertificateManager generates a suitable default.
+     * @param regeneratePrivateKey  If TRUE the Server shall create a new Private Key which it stores until the
+     *                              matching signed Certificate is uploaded with the UpdateCertificate Method.
+     *                              Previously created Private Keys may be discarded if UpdateCertificate was not
+     *                              called before calling this method again. If FALSE the Server uses its existing
+     *                              Private Key.
+     * @param nonce                 Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE.
+     *                              It shall be at least 32 bytes long.
+     *
+     * @return                      The PKCS #10 DER encoded Certificate Request.
+     *
+     * Result Code                  Description
+     * BadInvalidArgument          The certificateTypeId, certificateGroupId or subjectName is not valid.
+     * BadUserAccessDenied          The current user does not have the rights required.
+     */
+    createSigningRequest(certificateGroupId: NodeId | string, certificateTypeId: NodeId | string, subjectName: string | null, regeneratePrivateKey?: boolean, nonce?: ByteString): Promise<CreateSigningRequestResult>;
+    /**
+     * GetRejectedList Method returns the list of Certificates that have been rejected by the Server.
+     * rules are defined for how the Server updates this list or how long a Certificate is kept in
+     * the list. It is recommended that every valid but untrusted Certificate be added to the rejected
+     * list as long as storage is available. Servers should omit older entries from the list returned if
+     * the maximum message size is not large enough to allow the entire list to be returned.
+     * This Method requires an encrypted channel and that the Client provides credentials with
+     * administrative rights on the Server
+     *
+     * @return certificates The DER encoded form of the Certificates rejected by the Server
+     */
+    getRejectedList(): Promise<GetRejectedListResult>;
+    /**
+     * UpdateCertificate is used to update a Certificate for a Server.
+     * There are the following three use cases for this Method:
+     *   • The new Certificate was created based on a signing request created with the Method
+     *     CreateSigningRequest. In this case there is no privateKey provided.
+     *   • A new privateKey and Certificate was created outside the Server and both are updated
+     *     with this Method.
+     *   • A new Certificate was created and signed with the information from the old Certificate.
+     *    In this case there is no privateKey provided.
+     *
+     * The Server will do all normal integrity checks on the Certificate and all of the issuer
+     * Certificates. If errors occur the BadSecurityChecksFailed error is returned.
+     * The Server will report an error if the public key does not match the existing Certificate and
+     * the privateKey was not provided.
+     * If the Server returns applyChangesRequired=FALSE then it is indicating that it is able to
+     * satisfy the requirements specified for the ApplyChanges Method.
+     * This Method requires an encrypted channel and that the Client provides credentials with
+     * administrative rights on the Server.
+     *
+     * @param certificateGroupId - The NodeId of the Certificate Group Object which is affected by the update.
+     *                             If null the DefaultApplicationGroup is used.
+     * @param certificateTypeId  - The type of Certificate being updated. The set of permitted types is specified by
+     *                             the CertificateTypes Property belonging to the Certificate Group
+     * @param certificate        - The DER encoded Certificate which replaces the existing Certificate.
+     * @param issuerCertificates - The issuer Certificates needed to verify the signature on the new Certificate
+     * @return retVal.applyChangesRequired - Indicates that the ApplyChanges Method shall be called before the new
+     *                               Certificate will be used.
+     *
+     *
+     */
+    updateCertificate(certificateGroupId: NodeId | string, certificateTypeId: NodeId | string, certificate: Buffer, issuerCertificates: Buffer[]): Promise<UpdateCertificateResult>;
+    /**
+     *
+     * @param certificateGroupId
+     * @param certificateTypeId
+     * @param certificate
+     * @param issuerCertificates
+     * @param privateKeyFormat   - The format of the Private Key (PEM or PFX). If the privateKey is not specified
+     *                             the privateKeyFormat is null or empty
+     * @param privateKey         - The Private Key encoded in the privateKeyFormat
+     *
+     */
+    updateCertificate(certificateGroupId: NodeId | string, certificateTypeId: NodeId | string, certificate: Buffer, issuerCertificates: Buffer[], privateKeyFormat: string, privateKey: Buffer | string | PrivateKey): Promise<UpdateCertificateResult>;
+    /**
+     * ApplyChanges tells the Server to apply any security changes.
+     * This Method should only be called if a previous call to a Method that changed the
+     * configuration returns applyChangesRequired=true (see 7.7.4).
+     * If the Server Certificate has changed, Secure Channels using the old Certificate will
+     * eventually be interrupted. The only leeway the Server has is with the timing. In the best case,
+     * the Server can close the TransportConnections for the affected Endpoints and leave any
+     * Subscriptions intact. This should appear no different than a network interruption from the
+     * perspective of the Client. The Client should be prepared to deal with Certificate changes
+     * during its reconnect logic. In the worst case, a full shutdown which affects all connected
+     * Clients will be necessary. In the latter case, the Server shall advertise its intent to interrupt
+     * connections by setting the SecondsTillShutdown and ShutdownReason Properties in the
+     * ServerStatus Variable.
+     * If the Secure Channel being used to call this Method will be affected by the Certificate change
+     * then the Server shall introduce a delay long enough to allow the caller to receive a reply.
+     * This Method requires an encrypted channel and that the Client provide credentials with
+     * administrative rights on the Server.
+     *
+     * Result Code            Description
+     * BadUserAccessDenied   The current user does not have the rights required.
+     */
+    applyChanges(): Promise<StatusCode>;
+    getSupportedPrivateKeyFormats(): Promise<string[]>;
+    getCertificateGroupId(certificateGroupName: string): Promise<NodeId>;
+    /**
+     *
+     * @param browseName
+     */
+    getCertificateGroup(browseName: QualifiedNameLike | "DefaultApplicationGroup" | "DefaultUserTokenGroup"): Promise<CertificateGroup>;
+    getApplicationGroup(): Promise<CertificateGroup>;
+    getUserTokenGroup(): Promise<CertificateGroup>;
+}

package/dist/clientTools/push_certificate_management_client.js

@@ -0,0 +1,464 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientPushCertificateManagement = exports.CertificateGroup = exports.TrustListClient = void 0;
+const node_opcua_nodeid_1 = require("node-opcua-nodeid");
+const node_opcua_status_code_1 = require("node-opcua-status-code");
+const node_opcua_variant_1 = require("node-opcua-variant");
+const node_opcua_file_transfer_1 = require("node-opcua-file-transfer");
+const node_opcua_data_model_1 = require("node-opcua-data-model");
+const node_opcua_service_translate_browse_path_1 = require("node-opcua-service-translate-browse-path");
+const node_opcua_types_1 = require("node-opcua-types");
+const node_opcua_binary_stream_1 = require("node-opcua-binary-stream");
+const serverConfigurationNodeId = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration");
+const createSigningRequestMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CreateSigningRequest");
+const getRejectedListMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_GetRejectedList");
+const updateCertificateMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_UpdateCertificate");
+const certificateGroups = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups");
+const applyChangesMethod = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_ApplyChanges");
+const supportedPrivateKeyFormatsNodeId = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_SupportedPrivateKeyFormats");
+const defaultApplicationGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultApplicationGroup");
+const defaultHttpsGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultHttpsGroup");
+const defaultUserTokenGroup = (0, node_opcua_nodeid_1.resolveNodeId)("ServerConfiguration_CertificateGroups_DefaultUserTokenGroup");
+function findCertificateGroupName(certificateGroupNodeId) {
+    return "todo";
+}
+function findCertificateGroupNodeId(certificateGroup) {
+    if (certificateGroup instanceof node_opcua_nodeid_1.NodeId) {
+        return certificateGroup;
+    }
+    switch (certificateGroup) {
+        case "DefaultApplicationGroup":
+            return defaultApplicationGroup;
+        case "DefaultHttpsGroup":
+            return defaultHttpsGroup;
+        case "DefaultUserTokenGroup":
+            return defaultUserTokenGroup;
+        default:
+            return (0, node_opcua_nodeid_1.resolveNodeId)(certificateGroup);
+    }
+}
+function findCertificateTypeIdNodeId(certificateTypeId) {
+    if (certificateTypeId instanceof node_opcua_nodeid_1.NodeId) {
+        return certificateTypeId;
+    }
+    return (0, node_opcua_nodeid_1.resolveNodeId)(certificateTypeId);
+}
+class TrustListClient extends node_opcua_file_transfer_1.ClientFile {
+    constructor(session, nodeId) {
+        super(session, nodeId);
+        this.nodeId = nodeId;
+    }
+    /**
+     * @private
+     */
+    _extractMethodIds() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const browseResults = yield this.session.translateBrowsePath([
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/CloseAndUpdate"),
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/AddCertificate"),
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/RemoveCertificate"),
+                (0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/OpenWithMasks") // OpenWithMasks Mandatory
+            ]);
+            this.closeAndUpdateNodeId = browseResults[0].targets[0].targetId;
+            this.addCertificateNodeId = browseResults[1].targets[0].targetId;
+            this.removeCertificateNodeId = browseResults[2].targets[0].targetId;
+            this.openWithMasksNodeId = browseResults[3].targets[0].targetId;
+            // istanbul ignore next
+            if (!this.openWithMasksNodeId || this.openWithMasksNodeId.isEmpty()) {
+                throw new Error("Cannot find mandatory method OpenWithMask on object");
+            }
+        });
+    }
+    extractMethodsIds() {
+        const _super = Object.create(null, {
+            extractMethodsIds: { get: () => super.extractMethodsIds }
+        });
+        return __awaiter(this, void 0, void 0, function* () {
+            yield _super.extractMethodsIds.call(this);
+            yield this._extractMethodIds();
+        });
+    }
+    openWithMasks(trustListMask) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // istanbul ignore next
+            if (this.fileHandle) {
+                throw new Error("File has already be opened");
+            }
+            yield this.ensureInitialized();
+            // istanbul ignore next
+            if (!this.openWithMasksNodeId) {
+                throw new Error("OpenWithMasks doesn't exist");
+            }
+            const inputArguments = [{ dataType: node_opcua_variant_1.DataType.UInt32, value: trustListMask }];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.openWithMasksNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode.isNotGood()) {
+                throw new Error(callMethodResult.statusCode.name);
+            }
+            this.fileHandle = callMethodResult.outputArguments[0].value;
+            return this.fileHandle;
+        });
+    }
+    closeAndUpdate(applyChangesRequired) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.fileHandle) {
+                throw new Error("File has node been opened yet");
+            }
+            yield this.ensureInitialized();
+            if (!this.closeAndUpdateNodeId) {
+                throw new Error("CloseAndUpdateMethod doesn't exist");
+            }
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.UInt32, value: this.fileHandle },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!applyChangesRequired }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.closeAndUpdateNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode.isNotGood()) {
+                throw new Error(callMethodResult.statusCode.name);
+            }
+            return callMethodResult.outputArguments[0].value;
+        });
+    }
+    addCertificate(certificate, isTrustedCertificate) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.ensureInitialized();
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: certificate },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!isTrustedCertificate }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.addCertificateNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            return callMethodResult.statusCode;
+        });
+    }
+    removeCertificate(thumbprint, isTrustedCertificate) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.ensureInitialized();
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.String, value: thumbprint },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!isTrustedCertificate }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: this.removeCertificateNodeId,
+                objectId: this.nodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            return callMethodResult.statusCode;
+        });
+    }
+    /**
+     * helper function to retrieve the list of certificates ...
+     * @returns
+     */
+    readTrustedCertificateList() {
+        return __awaiter(this, void 0, void 0, function* () {
+            // const size = await this.size();
+            const fileHandle = yield this.open(node_opcua_file_transfer_1.OpenFileMode.Read);
+            const buff = yield this.read(65525);
+            yield this.close();
+            const stream = new node_opcua_binary_stream_1.BinaryStream(buff);
+            const trustList = new node_opcua_types_1.TrustListDataType();
+            trustList.decode(stream);
+            return trustList;
+        });
+    }
+    readTrustedCertificateListWithMasks(trustListMask) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // const size = await this.size();
+            const fileHandle = yield this.openWithMasks(trustListMask);
+            const buff = yield this.read(65525);
+            yield this.close();
+            const stream = new node_opcua_binary_stream_1.BinaryStream(buff);
+            const trustList = new node_opcua_types_1.TrustListDataType();
+            trustList.decode(stream);
+            return trustList;
+        });
+    }
+    writeTrustedCertificateList(trustedList) {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.open(node_opcua_file_transfer_1.OpenFileMode.Write);
+            const s = trustedList.binaryStoreSize();
+            const stream = new node_opcua_binary_stream_1.BinaryStream(s);
+            trustedList.encode(stream);
+            return yield this.closeAndUpdate(true);
+        });
+    }
+}
+exports.TrustListClient = TrustListClient;
+class CertificateGroup {
+    constructor(session, nodeId) {
+        this.session = session;
+        this.nodeId = nodeId;
+    }
+    getCertificateTypes() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const browsePathResult = yield this.session.translateBrowsePath((0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/CertificateTypes"));
+            if (browsePathResult.statusCode.isNotGood()) {
+                throw new Error(browsePathResult.statusCode.name);
+            }
+            const certificateTypesNodeId = browsePathResult.targets[0].targetId;
+            const dataValue = yield this.session.read({ nodeId: certificateTypesNodeId, attributeId: node_opcua_data_model_1.AttributeIds.Value });
+            if (dataValue.statusCode.isNotGood()) {
+                throw new Error(browsePathResult.statusCode.name);
+            }
+            return dataValue.value.value;
+        });
+    }
+    getTrustList() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const browsePathResult = yield this.session.translateBrowsePath((0, node_opcua_service_translate_browse_path_1.makeBrowsePath)(this.nodeId, "/TrustList"));
+            if (browsePathResult.statusCode.isNotGood()) {
+                throw new Error(browsePathResult.statusCode.name);
+            }
+            const trustListNodeId = browsePathResult.targets[0].targetId;
+            return new TrustListClient(this.session, trustListNodeId);
+        });
+    }
+}
+exports.CertificateGroup = CertificateGroup;
+class ClientPushCertificateManagement {
+    constructor(session) {
+        this.session = session;
+    }
+    /**
+     * CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded
+     * Certificate Request that is signed with the Server’s private key. This request can be then used
+     * to request a Certificate from a CA that expects requests in this format.
+     * This Method requires an encrypted channel and that the Client provide credentials with
+     * administrative rights on the Server.
+     *
+     * @param certificateGroupId  - The NodeId of the Certificate Group Object which is affected by the request.
+     *                              If null the DefaultApplicationGroup is used.
+     * @param certificateTypeId   - The type of Certificate being requested. The set of permitted types is specified by
+     *                              the CertificateTypes Property belonging to the Certificate Group.
+     * @param subjectName         - The subject name to use in the Certificate Request.
+     *                              If not specified the SubjectName from the current Certificate is used.
+     *                              The subjectName parameter is a sequence of X.500 name value pairs separated by a ‘/’. For
+     *                              example: CN=ApplicationName/OU=Group/O=Company.
+     *                              If the certificateType is a subtype of ApplicationCertificateType the Certificate subject name
+     *                              shall have an organization (O=) or domain name (DC=) field. The public key length shall meet
+     *                              the length restrictions for the CertificateType. The domain name field specified in the subject
+     *                              name is a logical domain used to qualify the subject name that may or may not be the same
+     *                              as a domain or IP address in the subjectAltName field of the Certificate.
+     *                              If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=)
+     *                              shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name
+     *                              shall have an organization (O=) field.
+     *                              If the subjectName is blank or null the CertificateManager generates a suitable default.
+     * @param regeneratePrivateKey  If TRUE the Server shall create a new Private Key which it stores until the
+     *                              matching signed Certificate is uploaded with the UpdateCertificate Method.
+     *                              Previously created Private Keys may be discarded if UpdateCertificate was not
+     *                              called before calling this method again. If FALSE the Server uses its existing
+     *                              Private Key.
+     * @param nonce                 Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE.
+     *                              It shall be at least 32 bytes long.
+     *
+     * @return                      The PKCS #10 DER encoded Certificate Request.
+     *
+     * Result Code                  Description
+     * BadInvalidArgument          The certificateTypeId, certificateGroupId or subjectName is not valid.
+     * BadUserAccessDenied          The current user does not have the rights required.
+     */
+    createSigningRequest(certificateGroupId, certificateTypeId, subjectName, regeneratePrivateKey, nonce) {
+        return __awaiter(this, void 0, void 0, function* () {
+            nonce = nonce || Buffer.alloc(0);
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
+                { dataType: node_opcua_variant_1.DataType.String, value: subjectName },
+                { dataType: node_opcua_variant_1.DataType.Boolean, value: !!regeneratePrivateKey },
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: nonce }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: createSigningRequestMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode.isGood()) {
+                // xx console.log(callMethodResult.toString());
+                return {
+                    certificateSigningRequest: callMethodResult.outputArguments[0].value,
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+            else {
+                return { statusCode: callMethodResult.statusCode };
+            }
+        });
+    }
+    /**
+     * GetRejectedList Method returns the list of Certificates that have been rejected by the Server.
+     * rules are defined for how the Server updates this list or how long a Certificate is kept in
+     * the list. It is recommended that every valid but untrusted Certificate be added to the rejected
+     * list as long as storage is available. Servers should omit older entries from the list returned if
+     * the maximum message size is not large enough to allow the entire list to be returned.
+     * This Method requires an encrypted channel and that the Client provides credentials with
+     * administrative rights on the Server
+     *
+     * @return certificates The DER encoded form of the Certificates rejected by the Server
+     */
+    getRejectedList() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const inputArguments = [];
+            const methodToCall = {
+                inputArguments,
+                methodId: getRejectedListMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode.isGood()) {
+                if (callMethodResult.outputArguments[0].dataType !== node_opcua_variant_1.DataType.ByteString) {
+                    return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+                }
+                return {
+                    certificates: callMethodResult.outputArguments[0].value,
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+            else {
+                return {
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+        });
+    }
+    updateCertificate(certificateGroupId, certificateTypeId, certificate, issuerCertificates, privateKeyFormat, privateKey) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const inputArguments = [
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateGroupNodeId(certificateGroupId) },
+                { dataType: node_opcua_variant_1.DataType.NodeId, value: findCertificateTypeIdNodeId(certificateTypeId) },
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: certificate },
+                { dataType: node_opcua_variant_1.DataType.ByteString, arrayType: node_opcua_variant_1.VariantArrayType.Array, value: issuerCertificates },
+                { dataType: node_opcua_variant_1.DataType.String, value: privateKeyFormat || "" },
+                { dataType: node_opcua_variant_1.DataType.ByteString, value: privateKeyFormat ? privateKey : Buffer.alloc(0) }
+            ];
+            const methodToCall = {
+                inputArguments,
+                methodId: updateCertificateMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.statusCode.isGood()) {
+                if (!callMethodResult.outputArguments || callMethodResult.outputArguments.length !== 1) {
+                    return {
+                        statusCode: node_opcua_status_code_1.StatusCodes.BadInternalError
+                    };
+                    // throw Error("Internal Error, expecting 1 output result");
+                }
+                return {
+                    applyChangesRequired: callMethodResult.outputArguments[0].value,
+                    statusCode: callMethodResult.statusCode
+                };
+            }
+            else {
+                return { statusCode: callMethodResult.statusCode };
+            }
+        });
+    }
+    /**
+     * ApplyChanges tells the Server to apply any security changes.
+     * This Method should only be called if a previous call to a Method that changed the
+     * configuration returns applyChangesRequired=true (see 7.7.4).
+     * If the Server Certificate has changed, Secure Channels using the old Certificate will
+     * eventually be interrupted. The only leeway the Server has is with the timing. In the best case,
+     * the Server can close the TransportConnections for the affected Endpoints and leave any
+     * Subscriptions intact. This should appear no different than a network interruption from the
+     * perspective of the Client. The Client should be prepared to deal with Certificate changes
+     * during its reconnect logic. In the worst case, a full shutdown which affects all connected
+     * Clients will be necessary. In the latter case, the Server shall advertise its intent to interrupt
+     * connections by setting the SecondsTillShutdown and ShutdownReason Properties in the
+     * ServerStatus Variable.
+     * If the Secure Channel being used to call this Method will be affected by the Certificate change
+     * then the Server shall introduce a delay long enough to allow the caller to receive a reply.
+     * This Method requires an encrypted channel and that the Client provide credentials with
+     * administrative rights on the Server.
+     *
+     * Result Code            Description
+     * BadUserAccessDenied   The current user does not have the rights required.
+     */
+    applyChanges() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const methodToCall = {
+                inputArguments: [],
+                methodId: applyChangesMethod,
+                objectId: serverConfigurationNodeId
+            };
+            const callMethodResult = yield this.session.call(methodToCall);
+            if (callMethodResult.outputArguments && callMethodResult.outputArguments.length) {
+                throw new Error("Invalid  output arguments");
+            }
+            return callMethodResult.statusCode;
+        });
+    }
+    getSupportedPrivateKeyFormats() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const dataValue = yield this.session.read({
+                attributeId: node_opcua_data_model_1.AttributeIds.Value,
+                nodeId: supportedPrivateKeyFormatsNodeId
+            });
+            return dataValue.value.value;
+        });
+    }
+    getCertificateGroupId(certificateGroupName) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (certificateGroupName === "DefaultApplicationGroup") {
+                return defaultApplicationGroup;
+            }
+            // toDO
+            throw new Error("Not Implemented yet");
+        });
+    }
+    /**
+     *
+     * @param browseName
+     */
+    getCertificateGroup(browseName) {
+        return __awaiter(this, void 0, void 0, function* () {
+            browseName = (0, node_opcua_data_model_1.coerceQualifiedName)(browseName);
+            if (browseName.toString() === "DefaultApplicationGroup") {
+                return new CertificateGroup(this.session, defaultApplicationGroup);
+            }
+            if (browseName.toString() === "DefaultUserTokenGroup") {
+                return new CertificateGroup(this.session, defaultUserTokenGroup);
+            }
+            // istanbul ignore next
+            throw new Error("Not Implemented yet");
+        });
+    }
+    getApplicationGroup() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.getCertificateGroup("DefaultApplicationGroup");
+        });
+    }
+    getUserTokenGroup() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.getCertificateGroup("DefaultUserTokenGroup");
+        });
+    }
+}
+ClientPushCertificateManagement.rsaSha256ApplicationCertificateType = (0, node_opcua_nodeid_1.resolveNodeId)("i=12560");
+exports.ClientPushCertificateManagement = ClientPushCertificateManagement;
+//# sourceMappingURL=push_certificate_management_client.js.map