node-opcua-server 2.165.2 → 2.167.0

package/package.json

@@ -1,13 +1,14 @@
 {
     "name": "node-opcua-server",
-    "version": "2.165.2",
+    "version": "2.167.0",
     "description": "pure nodejs OPCUA SDK - module server",
     "scripts": {
         "build": "tsc -b",
         "lint": "eslint source test",
         "format": "prettier --write source test",
         "clean": "npx rimraf -g node_modules dist *.tsbuildinfo certificates",
-        "test": "mocha"
+        "test": "mocha",
+        "test:check": "tsc --noEmit -p test/tsconfig.json"
     },
     "main": "./dist/index.js",
     "types": "./dist/index.d.ts",
@@ -19,53 +20,53 @@
         "chalk": "4.1.2",
         "dequeue": "^1.0.5",
         "lodash": "4.17.23",
-        "node-opcua-address-space": "2.165.2",
-        "node-opcua-address-space-base": "2.165.0",
+        "node-opcua-address-space": "2.167.0",
+        "node-opcua-address-space-base": "2.167.0",
         "node-opcua-assert": "2.164.0",
-        "node-opcua-basic-types": "2.165.0",
-        "node-opcua-binary-stream": "2.165.0",
-        "node-opcua-certificate-manager": "2.165.2",
-        "node-opcua-client": "2.165.2",
-        "node-opcua-common": "2.165.0",
+        "node-opcua-basic-types": "2.167.0",
+        "node-opcua-binary-stream": "2.167.0",
+        "node-opcua-certificate-manager": "2.167.0",
+        "node-opcua-client": "2.167.0",
+        "node-opcua-common": "2.167.0",
         "node-opcua-constants": "2.157.0",
-        "node-opcua-crypto": "5.3.0",
-        "node-opcua-data-model": "2.165.0",
-        "node-opcua-data-value": "2.165.0",
-        "node-opcua-date-time": "2.165.0",
+        "node-opcua-crypto": "5.3.3",
+        "node-opcua-data-model": "2.167.0",
+        "node-opcua-data-value": "2.167.0",
+        "node-opcua-date-time": "2.167.0",
         "node-opcua-debug": "2.165.0",
-        "node-opcua-extension-object": "2.165.0",
-        "node-opcua-factory": "2.165.0",
-        "node-opcua-hostname": "2.165.0",
-        "node-opcua-nodeid": "2.165.0",
+        "node-opcua-extension-object": "2.167.0",
+        "node-opcua-factory": "2.167.0",
+        "node-opcua-hostname": "2.167.0",
+        "node-opcua-nodeid": "2.167.0",
         "node-opcua-nodesets": "2.163.1",
-        "node-opcua-numeric-range": "2.165.0",
+        "node-opcua-numeric-range": "2.167.0",
         "node-opcua-object-registry": "2.165.0",
-        "node-opcua-pki": "6.10.1",
-        "node-opcua-secure-channel": "2.165.2",
-        "node-opcua-service-browse": "2.165.0",
-        "node-opcua-service-call": "2.165.0",
-        "node-opcua-service-discovery": "2.165.0",
-        "node-opcua-service-endpoints": "2.165.0",
-        "node-opcua-service-filter": "2.165.0",
-        "node-opcua-service-history": "2.165.0",
-        "node-opcua-service-node-management": "2.165.0",
-        "node-opcua-service-query": "2.165.0",
-        "node-opcua-service-read": "2.165.0",
-        "node-opcua-service-register-node": "2.165.0",
-        "node-opcua-service-secure-channel": "2.165.0",
-        "node-opcua-service-session": "2.165.0",
-        "node-opcua-service-subscription": "2.165.2",
-        "node-opcua-service-translate-browse-path": "2.165.0",
-        "node-opcua-service-write": "2.165.0",
-        "node-opcua-status-code": "2.165.0",
-        "node-opcua-transport": "2.165.0",
-        "node-opcua-types": "2.165.0",
+        "node-opcua-pki": "6.12.0",
+        "node-opcua-secure-channel": "2.167.0",
+        "node-opcua-service-browse": "2.167.0",
+        "node-opcua-service-call": "2.167.0",
+        "node-opcua-service-discovery": "2.167.0",
+        "node-opcua-service-endpoints": "2.167.0",
+        "node-opcua-service-filter": "2.167.0",
+        "node-opcua-service-history": "2.167.0",
+        "node-opcua-service-node-management": "2.167.0",
+        "node-opcua-service-query": "2.167.0",
+        "node-opcua-service-read": "2.167.0",
+        "node-opcua-service-register-node": "2.167.0",
+        "node-opcua-service-secure-channel": "2.167.0",
+        "node-opcua-service-session": "2.167.0",
+        "node-opcua-service-subscription": "2.167.0",
+        "node-opcua-service-translate-browse-path": "2.167.0",
+        "node-opcua-service-write": "2.167.0",
+        "node-opcua-status-code": "2.167.0",
+        "node-opcua-transport": "2.167.0",
+        "node-opcua-types": "2.167.0",
         "node-opcua-utils": "2.165.0",
-        "node-opcua-variant": "2.165.0",
+        "node-opcua-variant": "2.167.0",
         "thenify-ex": "4.4.0"
     },
     "devDependencies": {
-        "node-opcua-data-access": "2.165.0",
+        "node-opcua-data-access": "2.167.0",
         "node-opcua-leak-detector": "2.165.0",
         "node-opcua-test-helpers": "2.157.0"
     },
@@ -84,7 +85,7 @@
         "internet of things"
     ],
     "homepage": "http://node-opcua.github.io/",
-    "gitHead": "4002059a60bf085329c59f5f404f73415f4b640a",
+    "gitHead": "5decfa86ee53a36ecd3bb454e7bf6e3dd27c7a4e",
     "files": [
         "dist",
         "source"

package/source/base_server.ts

@@ -13,7 +13,7 @@ import chalk from "chalk";
 import { assert } from "node-opcua-assert";
 import { getDefaultCertificateManager, makeSubject, type OPCUACertificateManager } from "node-opcua-certificate-manager";
 import { performCertificateSanityCheck } from "node-opcua-client";
-import { type IOPCUASecureObjectOptions, makeApplicationUrn, OPCUASecureObject } from "node-opcua-common";
+import { type IOPCUASecureObjectOptions, invalidateCachedSecrets, makeApplicationUrn, OPCUASecureObject } from "node-opcua-common";
 import { exploreCertificate } from "node-opcua-crypto/web";
 import { coerceLocalizedText } from "node-opcua-data-model";
 import { installPeriodicClockAdjustment, uninstallPeriodicClockAdjustment } from "node-opcua-date-time";
@@ -339,9 +339,7 @@ export class OPCUABaseServer extends OPCUASecureObject {
         // recreate with current hostnames
         await this.createDefaultCertificate();
         // invalidate cached cert so next getCertificate() reloads from disk
-        const priv = this as unknown as { $$certificate: null; $$certificateChain: null };
-        priv.$$certificate = null;
-        priv.$$certificateChain = null;
+        invalidateCachedSecrets(this);
     }
 
     private _checkCertificateSanMismatch(): void {

package/source/extract_password_from_blob.ts

@@ -0,0 +1,74 @@
+/**
+ * @module node-opcua-server
+ */
+import type { Nonce } from "node-opcua-crypto/web";
+
+export interface ExtractPasswordResult {
+    valid: boolean;
+    password: string;
+}
+
+/**
+ * Extract the password from a decrypted UserNameIdentityToken
+ * password blob.
+ *
+ * The plaintext layout (OPC UA Part 4 §7.36.3) is:
+ *
+ *   ┌─────────────────┬──────────────┬──────────────┐
+ *   │ UInt32 length    │ password     │ serverNonce  │
+ *   │ (LE, 4 bytes)    │ (variable)   │ (32 bytes)   │
+ *   └─────────────────┴──────────────┴──────────────┘
+ *
+ *  `length` = password.length + serverNonce.length
+ *
+ * After extracting the password, the trailing bytes **must**
+ * equal the session's `serverNonce` to confirm nonce binding.
+ *
+ * @param decryptedBuffer - the RSA-decrypted blob
+ * @param serverNonce     - the nonce that was sent during
+ *                          CreateSession / last ActivateSession
+ */
+export function extractPasswordFromDecryptedBlob(
+    decryptedBuffer: Buffer,
+    serverNonce: Nonce
+): ExtractPasswordResult {
+    const invalidResult: ExtractPasswordResult = {
+        valid: false,
+        password: ""
+    };
+
+    // need at least 4 bytes for the length field
+    if (!decryptedBuffer || decryptedBuffer.length < 4) {
+        return invalidResult;
+    }
+
+    const totalLength = decryptedBuffer.readUInt32LE(0);
+    const passwordLength = totalLength - serverNonce.length;
+
+    // bounds check: password length must be non-negative
+    // and the buffer must be large enough
+    if (passwordLength < 0) {
+        return invalidResult;
+    }
+
+    const expectedBufferSize = 4 + passwordLength + serverNonce.length;
+    if (decryptedBuffer.length < expectedBufferSize) {
+        return invalidResult;
+    }
+
+    const password = decryptedBuffer
+        .subarray(4, 4 + passwordLength)
+        .toString("utf-8");
+
+    // verify that the trailing bytes match the server nonce
+    // (nonce binding — ensures session integrity)
+    const trailingNonce = decryptedBuffer.subarray(
+        4 + passwordLength,
+        4 + passwordLength + serverNonce.length
+    );
+    if (!trailingNonce.equals(serverNonce)) {
+        return invalidResult;
+    }
+
+    return { valid: true, password };
+}

package/source/opcua_server.ts

@@ -37,7 +37,7 @@ import { assert } from "node-opcua-assert";
 import type { ByteString, UAString } from "node-opcua-basic-types";
 import { getDefaultCertificateManager, type OPCUACertificateManager } from "node-opcua-certificate-manager";
 import { ServerState } from "node-opcua-common";
-import { type Certificate, exploreCertificate, type Nonce } from "node-opcua-crypto/web";
+import { type Certificate, combine_der, exploreCertificate, type Nonce } from "node-opcua-crypto/web";
 import {
     AttributeIds,
     filterDiagnosticOperationLevel,
@@ -149,6 +149,7 @@ import { DataType, type Variant, VariantArrayType } from "node-opcua-variant";
 import { withCallback } from "thenify-ex";
 
 import { OPCUABaseServer, type OPCUABaseServerOptions } from "./base_server";
+import { extractPasswordFromDecryptedBlob } from "./extract_password_from_blob";
 import { Factory } from "./factory";
 import type { IChannelData } from "./i_channel_data";
 import type { IRegisterServerManager } from "./i_register_server_manager";
@@ -159,7 +160,14 @@ import { RegisterServerManagerHidden } from "./register_server_manager_hidden";
 import { RegisterServerManagerMDNSONLY } from "./register_server_manager_mdns_only";
 import type { SamplingFunc } from "./sampling_func";
 import type { ServerCapabilitiesOptions } from "./server_capabilities";
-import { type AdvertisedEndpoint, type EndpointDescriptionEx, type IServerTransportSettings, OPCUAServerEndPoint, normalizeAdvertisedEndpoints, parseOpcTcpUrl } from "./server_end_point";
+import {
+    type AdvertisedEndpoint,
+    type EndpointDescriptionEx,
+    type IServerTransportSettings,
+    normalizeAdvertisedEndpoints,
+    OPCUAServerEndPoint,
+    parseOpcTcpUrl
+} from "./server_end_point";
 import { type ClosingReason, type CreateSessionOption, ServerEngine } from "./server_engine";
 import type { ServerSession } from "./server_session";
 import type { CreateMonitoredItemHook, DeleteMonitoredItemHook, Subscription } from "./server_subscription";
@@ -1877,14 +1885,12 @@ export class OPCUAServer extends OPCUABaseServer {
 
             const buff = cryptoFactory.asymmetricDecrypt(password, serverPrivateKey);
 
-            // server certificate may be invalid and asymmetricDecrypt may fail
-            if (!buff || buff.length < 4) {
+            const result = extractPasswordFromDecryptedBlob(buff, serverNonce);
+            if (!result.valid) {
                 setImmediate(() => callback(null, false));
                 return;
             }
-
-            const length = buff.readUInt32LE(0) - serverNonce.length;
-            password = buff.subarray(4, 4 + length).toString("utf-8");
+            password = result.password;
         }
 
         this.userManager
@@ -2114,7 +2120,7 @@ export class OPCUAServer extends OPCUABaseServer {
             // If the securityPolicyUri is None and none of the UserTokenPolicies requires
             // encryption, the Server shall not send an ApplicationInstanceCertificate and the Client
             // shall ignore the ApplicationInstanceCertificate.
-            serverCertificate: hasEncryption ? serverCertificateChain : undefined,
+            serverCertificate: hasEncryption && serverCertificateChain.length > 0 ? combine_der(serverCertificateChain) : undefined,
 
             // The endpoints provided by the server.
             // The Server shall return a set of EndpointDescriptions available for the serverUri
@@ -3819,7 +3825,7 @@ export class OPCUAServer extends OPCUABaseServer {
             // xx                hostname,
             resourcePath: serverOption.resourcePath || "",
 
-            advertisedEndpoints: endpointOptions.advertisedEndpoints,
+            advertisedEndpoints: endpointOptions.advertisedEndpoints
 
             // TODO  userTokenTypes: endpointOptions.userTokenTypes || undefined,
 
@@ -4048,7 +4054,7 @@ export interface RaiseEventAuditActivateSessionEventData extends RaiseEventAudit
 }
 
 // tslint:disable:no-empty-interface
-export interface RaiseEventTransitionEventData extends RaiseEventData { }
+export interface RaiseEventTransitionEventData extends RaiseEventData {}
 
 export interface RaiseEventAuditUrlMismatchEventTypeData extends RaiseEventData {
     endpointUrl: PseudoVariantString;
@@ -4078,7 +4084,7 @@ export interface RaiseAuditCertificateDataMismatchEventData extends RaiseAuditCe
      */
     invalidUri: PseudoVariantString;
 }
-export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCertificateEventData { }
+export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCertificateEventData {}
 /**
  * This EventType inherits all Properties of the AuditCertificateEventType.
  *
@@ -4090,7 +4096,7 @@ export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCerti
  * There are no additional Properties defined for this EventType.
  *
  */
-export interface RaiseAuditCertificateExpiredEventData extends RaiseAuditCertificateEventData { }
+export interface RaiseAuditCertificateExpiredEventData extends RaiseAuditCertificateEventData {}
 /**
  * This EventType inherits all Properties of the AuditCertificateEventType.
  *
@@ -4100,7 +4106,7 @@ export interface RaiseAuditCertificateExpiredEventData extends RaiseAuditCertifi
  *
  * There are no additional Properties defined for this EventType.
  */
-export interface RaiseAuditCertificateInvalidEventData extends RaiseAuditCertificateEventData { }
+export interface RaiseAuditCertificateInvalidEventData extends RaiseAuditCertificateEventData {}
 /**
  * This EventType inherits all Properties of the AuditCertificateEventType.
  *
@@ -4110,7 +4116,7 @@ export interface RaiseAuditCertificateInvalidEventData extends RaiseAuditCertifi
  * If a trust chain is involved then the certificate that failed in the trust chain should be described.
  * There are no additional Properties defined for this EventType.
  */
-export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCertificateEventData { }
+export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCertificateEventData {}
 /**
  * This EventType inherits all Properties of the AuditCertificateEventType.
  *
@@ -4133,7 +4139,7 @@ export interface RaiseAuditCertificateRevokedEventData extends RaiseAuditCertifi
  *
  * There are no additional Properties defined for this EventType
  */
-export interface RaiseAuditCertificateMismatchEventData extends RaiseAuditCertificateEventData { }
+export interface RaiseAuditCertificateMismatchEventData extends RaiseAuditCertificateEventData {}
 
 const opts = { multiArgs: false };
 OPCUAServer.prototype.initialize = withCallback(OPCUAServer.prototype.initialize, opts);