node-opcua-server 2.74.0 → 2.76.1

package/dist/validate_filter.js

@@ -1,61 +1,61 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateFilter = void 0;
-/**
- * @module node-opcua-server
- */
-const node_opcua_assert_1 = require("node-opcua-assert");
-const node_opcua_data_model_1 = require("node-opcua-data-model");
-const node_opcua_data_model_2 = require("node-opcua-data-model");
-const node_opcua_nodeid_1 = require("node-opcua-nodeid");
-const node_opcua_service_filter_1 = require("node-opcua-service-filter");
-const node_opcua_service_subscription_1 = require("node-opcua-service-subscription");
-const node_opcua_status_code_1 = require("node-opcua-status-code");
-function __validateDataChangeFilter(filter, itemToMonitor, node) {
-    (0, node_opcua_assert_1.assert)(itemToMonitor.attributeId === node_opcua_data_model_1.AttributeIds.Value);
-    if (node.nodeClass !== node_opcua_data_model_2.NodeClass.Variable) {
-        return node_opcua_status_code_1.StatusCodes.BadNodeIdInvalid;
-    }
-    (0, node_opcua_assert_1.assert)(node.nodeClass === node_opcua_data_model_2.NodeClass.Variable);
-    // if node is not Numerical=> DataChangeFilter
-    (0, node_opcua_assert_1.assert)(node.dataType instanceof node_opcua_nodeid_1.NodeId);
-    const dataType = node.addressSpace.findDataType(node.dataType);
-    const dataTypeNumber = node.addressSpace.findDataType("Number");
-    if (filter.deadbandType !== node_opcua_service_subscription_1.DeadbandType.None) {
-        if (!dataType.isSupertypeOf(dataTypeNumber)) {
-            return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
-        }
-    }
-    if (filter.deadbandType === node_opcua_service_subscription_1.DeadbandType.Percent) {
-        if (filter.deadbandValue < 0 || filter.deadbandValue > 100) {
-            return node_opcua_status_code_1.StatusCodes.BadDeadbandFilterInvalid;
-        }
-        // node must also have a valid euRange
-        if (!node.euRange) {
-            // tslint:disable:no-console
-            console.log(" node has no euRange ! Dead band Percent cannot be used on node " + node.nodeId.toString());
-            return node_opcua_status_code_1.StatusCodes.BadMonitoredItemFilterUnsupported;
-        }
-    }
-    return node_opcua_status_code_1.StatusCodes.Good;
-}
-function validateFilter(filter, itemToMonitor, node) {
-    // handle filter information
-    if (filter && filter instanceof node_opcua_service_filter_1.EventFilter && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.EventNotifier) {
-        // invalid filter on Event
-        return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
-    }
-    if (filter && filter instanceof node_opcua_service_filter_1.DataChangeFilter && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.Value) {
-        // invalid DataChange filter on non Value Attribute
-        return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
-    }
-    if (filter && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.EventNotifier && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.Value) {
-        return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
-    }
-    if (filter instanceof node_opcua_service_filter_1.DataChangeFilter) {
-        return __validateDataChangeFilter(filter, itemToMonitor, node);
-    }
-    return node_opcua_status_code_1.StatusCodes.Good;
-}
-exports.validateFilter = validateFilter;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateFilter = void 0;
+/**
+ * @module node-opcua-server
+ */
+const node_opcua_assert_1 = require("node-opcua-assert");
+const node_opcua_data_model_1 = require("node-opcua-data-model");
+const node_opcua_data_model_2 = require("node-opcua-data-model");
+const node_opcua_nodeid_1 = require("node-opcua-nodeid");
+const node_opcua_service_filter_1 = require("node-opcua-service-filter");
+const node_opcua_service_subscription_1 = require("node-opcua-service-subscription");
+const node_opcua_status_code_1 = require("node-opcua-status-code");
+function __validateDataChangeFilter(filter, itemToMonitor, node) {
+    (0, node_opcua_assert_1.assert)(itemToMonitor.attributeId === node_opcua_data_model_1.AttributeIds.Value);
+    if (node.nodeClass !== node_opcua_data_model_2.NodeClass.Variable) {
+        return node_opcua_status_code_1.StatusCodes.BadNodeIdInvalid;
+    }
+    (0, node_opcua_assert_1.assert)(node.nodeClass === node_opcua_data_model_2.NodeClass.Variable);
+    // if node is not Numerical=> DataChangeFilter
+    (0, node_opcua_assert_1.assert)(node.dataType instanceof node_opcua_nodeid_1.NodeId);
+    const dataType = node.addressSpace.findDataType(node.dataType);
+    const dataTypeNumber = node.addressSpace.findDataType("Number");
+    if (filter.deadbandType !== node_opcua_service_subscription_1.DeadbandType.None) {
+        if (!dataType.isSupertypeOf(dataTypeNumber)) {
+            return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
+        }
+    }
+    if (filter.deadbandType === node_opcua_service_subscription_1.DeadbandType.Percent) {
+        if (filter.deadbandValue < 0 || filter.deadbandValue > 100) {
+            return node_opcua_status_code_1.StatusCodes.BadDeadbandFilterInvalid;
+        }
+        // node must also have a valid euRange
+        if (!node.euRange) {
+            // tslint:disable:no-console
+            console.log(" node has no euRange ! Dead band Percent cannot be used on node " + node.nodeId.toString());
+            return node_opcua_status_code_1.StatusCodes.BadMonitoredItemFilterUnsupported;
+        }
+    }
+    return node_opcua_status_code_1.StatusCodes.Good;
+}
+function validateFilter(filter, itemToMonitor, node) {
+    // handle filter information
+    if (filter && filter instanceof node_opcua_service_filter_1.EventFilter && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.EventNotifier) {
+        // invalid filter on Event
+        return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
+    }
+    if (filter && filter instanceof node_opcua_service_filter_1.DataChangeFilter && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.Value) {
+        // invalid DataChange filter on non Value Attribute
+        return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
+    }
+    if (filter && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.EventNotifier && itemToMonitor.attributeId !== node_opcua_data_model_1.AttributeIds.Value) {
+        return node_opcua_status_code_1.StatusCodes.BadFilterNotAllowed;
+    }
+    if (filter instanceof node_opcua_service_filter_1.DataChangeFilter) {
+        return __validateDataChangeFilter(filter, itemToMonitor, node);
+    }
+    return node_opcua_status_code_1.StatusCodes.Good;
+}
+exports.validateFilter = validateFilter;
 //# sourceMappingURL=validate_filter.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "node-opcua-server",
-    "version": "2.74.0",
+    "version": "2.76.1",
     "description": "pure nodejs OPCUA SDK - module -server",
     "scripts": {
         "build": "tsc -b",
@@ -13,62 +13,61 @@
     "types": "./dist/index.d.ts",
     "dependencies": {
         "@ster5/global-mutex": "^1.2.0",
-        "@types/underscore": "^1.11.4",
         "async": "^3.2.4",
+        "chalk": "4.1.2",
         "dequeue": "^1.0.5",
         "lodash": "4.17.21",
-        "node-opcua-address-space": "2.74.0",
-        "node-opcua-assert": "2.74.0",
-        "node-opcua-basic-types": "2.74.0",
-        "node-opcua-binary-stream": "2.74.0",
-        "node-opcua-certificate-manager": "2.74.0",
-        "node-opcua-client": "2.74.0",
-        "node-opcua-client-dynamic-extension-object": "2.74.0",
-        "node-opcua-common": "2.74.0",
+        "node-opcua-address-space": "2.76.1",
+        "node-opcua-address-space-base": "2.76.0",
+        "node-opcua-assert": "2.76.0",
+        "node-opcua-basic-types": "2.76.0",
+        "node-opcua-binary-stream": "2.76.0",
+        "node-opcua-certificate-manager": "2.76.0",
+        "node-opcua-client": "2.76.1",
+        "node-opcua-client-dynamic-extension-object": "2.76.0",
+        "node-opcua-common": "2.76.0",
         "node-opcua-constants": "2.74.0",
         "node-opcua-crypto": "^1.11.0",
-        "node-opcua-data-access": "2.74.0",
-        "node-opcua-data-model": "2.74.0",
-        "node-opcua-data-value": "2.74.0",
-        "node-opcua-date-time": "2.74.0",
-        "node-opcua-debug": "2.74.0",
-        "node-opcua-enum": "2.74.0",
-        "node-opcua-extension-object": "2.74.0",
-        "node-opcua-factory": "2.74.0",
-        "node-opcua-hostname": "2.74.0",
-        "node-opcua-nodeid": "2.74.0",
-        "node-opcua-nodeset-ua": "2.74.0",
+        "node-opcua-data-access": "2.76.0",
+        "node-opcua-data-model": "2.76.0",
+        "node-opcua-data-value": "2.76.0",
+        "node-opcua-date-time": "2.76.0",
+        "node-opcua-debug": "2.76.0",
+        "node-opcua-extension-object": "2.76.0",
+        "node-opcua-factory": "2.76.0",
+        "node-opcua-hostname": "2.76.0",
+        "node-opcua-nodeid": "2.76.0",
         "node-opcua-nodesets": "2.74.0",
-        "node-opcua-numeric-range": "2.74.0",
-        "node-opcua-object-registry": "2.74.0",
-        "node-opcua-pki": "^2.17.0",
-        "node-opcua-secure-channel": "2.74.0",
-        "node-opcua-service-browse": "2.74.0",
-        "node-opcua-service-call": "2.74.0",
-        "node-opcua-service-discovery": "2.74.0",
-        "node-opcua-service-endpoints": "2.74.0",
-        "node-opcua-service-filter": "2.74.0",
-        "node-opcua-service-history": "2.74.0",
-        "node-opcua-service-node-management": "2.74.0",
-        "node-opcua-service-query": "2.74.0",
-        "node-opcua-service-read": "2.74.0",
-        "node-opcua-service-register-node": "2.74.0",
-        "node-opcua-service-secure-channel": "2.74.0",
-        "node-opcua-service-session": "2.74.0",
-        "node-opcua-service-subscription": "2.74.0",
-        "node-opcua-service-translate-browse-path": "2.74.0",
-        "node-opcua-service-write": "2.74.0",
-        "node-opcua-status-code": "2.74.0",
-        "node-opcua-transport": "2.74.0",
-        "node-opcua-types": "2.74.0",
-        "node-opcua-utils": "2.74.0",
-        "node-opcua-variant": "2.74.0"
+        "node-opcua-numeric-range": "2.76.0",
+        "node-opcua-object-registry": "2.76.0",
+        "node-opcua-secure-channel": "2.76.0",
+        "node-opcua-service-browse": "2.76.0",
+        "node-opcua-service-call": "2.76.0",
+        "node-opcua-service-discovery": "2.76.0",
+        "node-opcua-service-endpoints": "2.76.0",
+        "node-opcua-service-filter": "2.76.0",
+        "node-opcua-service-history": "2.76.0",
+        "node-opcua-service-node-management": "2.76.0",
+        "node-opcua-service-query": "2.76.0",
+        "node-opcua-service-read": "2.76.0",
+        "node-opcua-service-register-node": "2.76.0",
+        "node-opcua-service-secure-channel": "2.76.0",
+        "node-opcua-service-session": "2.76.0",
+        "node-opcua-service-subscription": "2.76.0",
+        "node-opcua-service-translate-browse-path": "2.76.0",
+        "node-opcua-service-write": "2.76.0",
+        "node-opcua-status-code": "2.76.0",
+        "node-opcua-types": "2.76.0",
+        "node-opcua-utils": "2.76.0",
+        "node-opcua-variant": "2.76.0",
+        "thenify": "^3.3.1"
     },
     "devDependencies": {
-        "node-opcua-leak-detector": "2.74.0",
+        "node-opcua-leak-detector": "2.76.0",
         "node-opcua-test-helpers": "2.74.0",
         "should": "^13.2.3",
-        "sinon": "^14.0.0"
+        "sinon": "^14.0.0",
+        "underscore": "^1.13.4"
     },
     "author": "Etienne Rossignon",
     "license": "MIT",
@@ -85,5 +84,5 @@
         "internet of things"
     ],
     "homepage": "http://node-opcua.github.io/",
-    "gitHead": "003ee041795f3b737afaaef5721045ee31ea9f77"
+    "gitHead": "d87d1dc4ab8f153a442f83552e3264621f0a409b"
 }

package/source/filter/check_where_clause_on_address_space.ts

@@ -0,0 +1,29 @@
+import { IAddressSpace, ISessionContext, IEventData } from "node-opcua-address-space-base";
+import { checkFilter } from "node-opcua-service-filter";
+import { FilterContextOnAddressSpace } from "node-opcua-service-filter";
+import { ContentFilter } from "node-opcua-types";
+
+export function checkWhereClauseOnAdressSpace(
+    addressSpace: IAddressSpace,
+    sessionContext: ISessionContext,
+    whereClause: ContentFilter,
+    eventData: IEventData
+): boolean {
+
+    
+    // const filterContext: FilterContext = {
+    //     addressSpace,
+    //     sessionContext,
+    //     rootNode: eventData.$eventDataSource!,
+    //     extractValue(operand: FilterOperand) {
+    //         if (operand instanceof SimpleAttributeOperand) {
+    //             return extractEventFields(filterContext.sessionContext, [operand], eventData)[0];
+    //         } else {
+    //             return new Variant({ dataType: DataType.Null });
+    //         }
+    //     }
+    // };
+    const filterContext = new FilterContextOnAddressSpace(sessionContext, eventData);
+    
+    return checkFilter(filterContext, whereClause);
+}

package/source/filter/extract_event_fields.ts

@@ -0,0 +1,21 @@
+import { IEventData, ISessionContext } from "node-opcua-address-space-base";
+import { extractEventFieldsBase } from "node-opcua-service-filter";
+import { FilterContextOnAddressSpace } from "node-opcua-service-filter";
+import { SimpleAttributeOperand } from "node-opcua-types";
+import { Variant } from "node-opcua-variant";
+//
+
+/**
+ * @method extractEventFields
+ * extract a array of eventFields from a event node, matching the selectClauses
+ * @param selectClauses
+ * @param eventData : a pseudo Node that provides a browse Method and a readValue(nodeId)
+ */
+export function extractEventFields(
+    sessionContext: ISessionContext,
+    selectClauses: SimpleAttributeOperand[],
+    eventData: IEventData
+): Variant[] {
+    const context = new FilterContextOnAddressSpace(sessionContext, eventData);
+    return extractEventFieldsBase(context, selectClauses);
+}

package/source/monitored_item.ts

@@ -4,16 +4,9 @@
 import { EventEmitter } from "events";
 import * as chalk from "chalk";
 import { assert } from "node-opcua-assert";
-import {
-    BaseNode,
-    IEventData,
-    extractEventFields,
-    makeAttributeEventName,
-    SessionContext,
-    UAVariable,
-    checkWhereClause,
-    AddressSpace
-} from "node-opcua-address-space";
+import { BaseNode, IEventData, makeAttributeEventName, SessionContext, UAVariable, AddressSpace } from "node-opcua-address-space";
+
+import { extractEventFields } from "node-opcua-service-filter";
 import { DateTime, UInt32 } from "node-opcua-basic-types";
 import { NodeClass, QualifiedNameOptions } from "node-opcua-data-model";
 import { AttributeIds } from "node-opcua-data-model";
@@ -61,6 +54,7 @@ import { sameVariant, Variant } from "node-opcua-variant";
 
 import { appendToTimer, removeFromTimer } from "./node_sampler";
 import { validateFilter } from "./validate_filter";
+import { checkWhereClauseOnAdressSpace } from "./filter/check_where_clause_on_address_space";
 
 export type QueueItem = MonitoredItemNotification | EventFieldList;
 
@@ -925,7 +919,7 @@ export class MonitoredItem extends EventEmitter {
 
         const addressSpace: AddressSpace = eventData.$eventDataSource?.addressSpace as AddressSpace;
 
-        if (!checkWhereClause(addressSpace, SessionContext.defaultContext, this.filter.whereClause, eventData)) {
+        if (!checkWhereClauseOnAdressSpace(addressSpace, SessionContext.defaultContext, this.filter.whereClause, eventData)) {
             return;
         }
 

package/source/opcua_server.ts

@@ -1,3 +1,4 @@
+/* eslint-disable complexity */
 /**
  * @module node-opcua-server
  */
@@ -38,7 +39,8 @@ import {
     ISessionContext,
     UAView,
     EventTypeLike,
-    UAObjectType
+    UAObjectType,
+    PseudoVariantStringPredefined
 } from "node-opcua-address-space";
 import { getDefaultCertificateManager, OPCUACertificateManager } from "node-opcua-certificate-manager";
 import { ServerState } from "node-opcua-common";
@@ -146,13 +148,15 @@ import {
     MonitoredItemCreateResult,
     IssuedIdentityToken,
     BrowseResultOptions,
-    ServiceFault
+    ServiceFault,
+    ServerDiagnosticsSummaryDataType
 } from "node-opcua-types";
 import { DataType } from "node-opcua-variant";
 import { VariantArrayType } from "node-opcua-variant";
 import { matchUri } from "node-opcua-utils";
 
 import { UAString } from "node-opcua-basic-types";
+import { ObjectIds, ObjectTypeIds } from "node-opcua-constants";
 import { OPCUABaseServer, OPCUABaseServerOptions } from "./base_server";
 import { Factory } from "./factory";
 import { IRegisterServerManager } from "./i_register_server_manager";
@@ -262,11 +266,8 @@ async function _attempt_to_close_some_old_unactivated_session(server: OPCUAServe
 
 function getRequiredEndpointInfo(endpoint: EndpointDescription) {
     assert(endpoint instanceof EndpointDescription);
-    // It is recommended that Servers only include the server.applicationUri,  endpointUrl, securityMode,
-    // securityPolicyUri, userIdentityTokens, transportProfileUri and securityLevel with all
-    // other parameters set to null. Only the recommended parameters shall be verified by
-    // the client.
-
+    // https://reference.opcfoundation.org/v104/Core/docs/Part4/5.6.2/
+    // https://reference.opcfoundation.org/v105/Core/docs/Part4/5.6.2/
     const e = new EndpointDescription({
         endpointUrl: endpoint.endpointUrl,
         securityLevel: endpoint.securityLevel,
@@ -275,14 +276,13 @@ function getRequiredEndpointInfo(endpoint: EndpointDescription) {
         server: {
             applicationUri: endpoint.server.applicationUri,
             applicationType: endpoint.server.applicationType,
-            applicationName: endpoint.server.applicationName
-            // ... to be continued after verifying what fields are actually needed
+            applicationName: endpoint.server.applicationName,
+            productUri: endpoint.server.productUri
         },
         transportProfileUri: endpoint.transportProfileUri,
         userIdentityTokens: endpoint.userIdentityTokens
     });
     // reduce even further by explicitly setting unwanted members to null
-    e.server.productUri = null;
     e.server.applicationName = null as any;
     // xx e.server.applicationType = null as any;
     e.server.gatewayServerUri = null;
@@ -299,10 +299,8 @@ function getRequiredEndpointInfo(endpoint: EndpointDescription) {
 function _serverEndpointsForCreateSessionResponse(server: OPCUAServer, endpointUrl: string | null, serverUri: string | null) {
     serverUri = null; // unused then
 
-    // The Server shall return a set of EndpointDescriptions available for the serverUri specified in the request.
-    // It is recommended that Servers only include the endpointUrl, securityMode,
-    // securityPolicyUri, userIdentityTokens, transportProfileUri and securityLevel with all other parameters
-    // set to null. Only the recommended parameters shall be verified by the client.
+    // https://reference.opcfoundation.org/v104/Core/docs/Part4/5.6.2/
+    // https://reference.opcfoundation.org/v105/Core/docs/Part4/5.6.2/
     return server
         ._get_endpoints(endpointUrl)
         .filter((e) => !(e as any).restricted) // remove restricted endpoints
@@ -1356,6 +1354,19 @@ export class OPCUAServer extends OPCUABaseServer {
         }
     }
 
+    public raiseEvent(eventType: "AuditSessionEventType", options: RaiseEventAuditSessionEventData): void;
+    public raiseEvent(eventType: "AuditCreateSessionEventType", options: RaiseEventAuditCreateSessionEventData): void;
+    public raiseEvent(eventType: "AuditActivateSessionEventType", options: RaiseEventAuditActivateSessionEventData): void;
+    public raiseEvent(eventType: "AuditCreateSessionEventType", options: RaiseEventData): void;
+    public raiseEvent(eventType: "AuditConditionCommentEventType", options: RaiseEventAuditConditionCommentEventData): void;
+    public raiseEvent(eventType: "AuditUrlMismatchEventType", options: RaiseEventAuditUrlMismatchEventTypeData): void;
+    public raiseEvent(eventType: "TransitionEventType", options: RaiseEventTransitionEventData): void;
+    public raiseEvent(eventType: "AuditCertificateInvalidEventType", options: RaiseAuditCertificateInvalidEventData): void;
+    public raiseEvent(eventType: "AuditCertificateExpiredEventType", options: RaiseAuditCertificateExpiredEventData): void;
+    public raiseEvent(eventType: "AuditCertificateUntrustedEventType", options: RaiseAuditCertificateUntrustedEventData): void;
+    public raiseEvent(eventType: "AuditCertificateRevokedEventType", options: RaiseAuditCertificateRevokedEventData): void;
+    public raiseEvent(eventType: "AuditCertificateMismatchEventType", options: RaiseAuditCertificateMismatchEventData): void;
+
     public raiseEvent(eventType: EventTypeLike | UAObjectType, options: RaiseEventData): void {
         /* istanbul ignore next */
         if (!this.engine.addressSpace) {
@@ -1496,6 +1507,8 @@ export class OPCUAServer extends OPCUABaseServer {
         }
 
         if (!userTokenSignature || !userTokenSignature.signature) {
+            this.raiseEvent("AuditCreateSessionEventType", {});
+
             return callback(null, StatusCodes.BadUserSignatureInvalid);
         }
 
@@ -1525,6 +1538,45 @@ export class OPCUAServer extends OPCUABaseServer {
             if (err) {
                 return callback(err);
             }
+            if (this.isAuditing) {
+                switch (certificateStatus) {
+                    case StatusCodes.Good:
+                        break;
+                    case StatusCodes.BadCertificateUntrusted:
+                        this.raiseEvent("AuditCertificateUntrustedEventType", {
+                            certificate: { dataType: DataType.ByteString, value: certificate },
+                            sourceName: { dataType: DataType.String, value: "Security/Certificate" }
+                        });
+                        break;
+                    case StatusCodes.BadCertificateTimeInvalid:
+                    case StatusCodes.BadCertificateIssuerTimeInvalid:
+                        this.raiseEvent("AuditCertificateExpiredEventType", {
+                            certificate: { dataType: DataType.ByteString, value: certificate },
+                            sourceName: { dataType: DataType.String, value: "Security/Certificate" },
+                            comment: { dataType: DataType.String, value: certificateStatus.toString() }
+                        });
+                        break;
+                    case StatusCodes.BadCertificateRevoked:
+                    case StatusCodes.BadCertificateRevocationUnknown:
+                    case StatusCodes.BadCertificateIssuerRevocationUnknown:
+                        this.raiseEvent("AuditCertificateRevokedEventType", {
+                            certificate: { dataType: DataType.ByteString, value: certificate },
+                            sourceName: { dataType: DataType.String, value: "Security/Certificate" },
+                            comment: { dataType: DataType.String, value: certificateStatus.toString() }
+                        });
+                        break;
+                    case StatusCodes.BadCertificateIssuerUseNotAllowed:
+                    case StatusCodes.BadCertificateUseNotAllowed:
+                    case StatusCodes.BadSecurityChecksFailed:
+                        this.raiseEvent("AuditCertificateMismatchEventType", {
+                            certificate: { dataType: DataType.ByteString, value: certificate },
+                            sourceName: { dataType: DataType.String, value: "Security/Certificate" },
+                            comment: { dataType: DataType.String, value: certificateStatus.toString() }
+                        });
+                        break;
+                    
+                }
+            }
             if (
                 StatusCodes.BadCertificateUntrusted === certificateStatus ||
                 StatusCodes.BadCertificateTimeInvalid === certificateStatus ||
@@ -1538,6 +1590,7 @@ export class OPCUAServer extends OPCUABaseServer {
                 StatusCodes.Good !== certificateStatus
             ) {
                 debugLog("isValidX509IdentityToken => certificateStatus = ", certificateStatus?.toString());
+
                 return callback(null, StatusCodes.BadIdentityTokenRejected);
             }
             if (StatusCodes.Good !== certificateStatus) {
@@ -3642,6 +3695,87 @@ export interface RaiseEventTransitionEventData extends RaiseEventData {}
 export interface RaiseEventAuditUrlMismatchEventTypeData extends RaiseEventData {
     endpointUrl: PseudoVariantString;
 }
+
+/**
+ * The SourceName for Events of this type shall be “Security/Certificate”.
+ */
+export interface RaiseAuditCertificateEventData extends RaiseEventData {
+    certificate: PseudoVariantByteString;
+    sourceName: PseudoVariantStringPredefined<"Security/Certificate">;
+}
+
+/**
+ * This EventType inherits all Properties of the AuditCertificateEventType.
+ * Either the InvalidHostname or InvalidUri shall be provided.
+ */
+export interface RaiseAuditCertificateDataMismatchEventData extends RaiseAuditCertificateEventData {
+    /**
+     * InvalidHostname is the string that represents the host name passed in as part of the URL
+     * that is found to be invalid. If the host name was not invalid it can be null.
+     */
+    invalidHostname: PseudoVariantString;
+    /*
+     * InvalidUri is the URI that was passed in and found to not match what is contained in
+     * the certificate. If the URI was not invalid it can be null.
+     */
+    invalidUri: PseudoVariantString;
+}
+export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCertificateEventData {}
+/**
+ * This EventType inherits all Properties of the AuditCertificateEventType.
+ *
+ * The SourceName for Events of this type shall be “Security/Certificate”.
+ *
+ * The Message Variable shall include a description of why the certificate was expired
+ * (i.e. time before start or time after end).
+ *
+ * There are no additional Properties defined for this EventType.
+ *
+ */
+export interface RaiseAuditCertificateExpiredEventData extends RaiseAuditCertificateEventData {}
+/**
+ * This EventType inherits all Properties of the AuditCertificateEventType.
+ *
+ * The SourceName for Events of this type shall be “Security/Certificate”.
+ *
+ * The Message shall include a description of why the certificate is invalid.
+ *
+ * There are no additional Properties defined for this EventType.
+ */
+export interface RaiseAuditCertificateInvalidEventData extends RaiseAuditCertificateEventData {}
+/**
+ * This EventType inherits all Properties of the AuditCertificateEventType.
+ *
+ * The SourceName for Events of this type shall be “Security/Certificate”.
+ *
+ * The Message Variable shall include a description of why the certificate is not trusted.
+ * If a trust chain is involved then the certificate that failed in the trust chain should be described.
+ * There are no additional Properties defined for this EventType.
+ */
+export interface RaiseAuditCertificateUntrustedEventData extends RaiseAuditCertificateEventData {}
+/**
+ * This EventType inherits all Properties of the AuditCertificateEventType.
+ *
+ * The SourceName for Events of this type shall be “Security/Certificate”.
+ *
+ * The Message Variable shall include a description of why the certificate is revoked
+ * (was the revocation list unavailable or was the certificate on the list).
+ *
+ *  There are no additional Properties defined for this EventType.
+ */
+export interface RaiseAuditCertificateRevokedEventData extends RaiseAuditCertificateEventData {
+    sourceName: PseudoVariantStringPredefined<"Security/Certificate">;
+}
+/**
+ * This EventType inherits all Properties of the AuditCertificateEventType.
+ *
+ * The SourceName for Events of this type shall be “Security/Certificate”.
+ *
+ * The Message Variable shall include a description of misuse of the certificate.
+ *
+ * There are no additional Properties defined for this EventType
+ */
+export interface RaiseAuditCertificateMismatchEventData extends RaiseAuditCertificateEventData {}
 export interface OPCUAServer {
     /**
      * @internal
@@ -3661,6 +3795,12 @@ export interface OPCUAServer {
     raiseEvent(eventType: "AuditUrlMismatchEventType", options: RaiseEventAuditUrlMismatchEventTypeData): void;
 
     raiseEvent(eventType: "TransitionEventType", options: RaiseEventTransitionEventData): void;
+
+    raiseEvent(eventType: "AuditCertificateInvalidEventType", options: RaiseAuditCertificateInvalidEventData): void;
+    raiseEvent(eventType: "AuditCertificateExpiredEventType", options: RaiseAuditCertificateExpiredEventData): void;
+    raiseEvent(eventType: "AuditCertificateUntrustedEventType", options: RaiseAuditCertificateUntrustedEventData): void;
+    raiseEvent(eventType: "AuditCertificateRevokedEventType", options: RaiseAuditCertificateRevokedEventData): void;
+    raiseEvent(eventType: "AuditCertificateMismatchEventType", options: RaiseAuditCertificateMismatchEventData): void;
 }
 
 export interface OPCUAServer extends EventEmitter {

package/source/server_subscription.ts

@@ -6,9 +6,7 @@
 import { EventEmitter } from "events";
 import * as chalk from "chalk";
 
-import { AddressSpace, BaseNode, Duration, UAObjectType } from "node-opcua-address-space";
-import { checkSelectClauses } from "node-opcua-address-space";
-import { SessionContext } from "node-opcua-address-space";
+import { SessionContext,AddressSpace, BaseNode, Duration, UAObjectType } from "node-opcua-address-space";
 import { assert } from "node-opcua-assert";
 import { Byte, UInt32 } from "node-opcua-basic-types";
 import { SubscriptionDiagnosticsDataType } from "node-opcua-common";
@@ -18,7 +16,7 @@ import { checkDebugFlag, make_debugLog, make_warningLog } from "node-opcua-debug
 import { NodeId } from "node-opcua-nodeid";
 import { ObjectRegistry } from "node-opcua-object-registry";
 import { SequenceNumberGenerator } from "node-opcua-secure-channel";
-import { EventFilter } from "node-opcua-service-filter";
+import { EventFilter, checkSelectClauses } from "node-opcua-service-filter";
 import { AggregateFilter } from "node-opcua-service-subscription";
 import {
     DataChangeNotification,