How to use the node-opcua-service-secure-channel.MessageSecurityMode.SIGNANDENCRYPT function in node-opcua-service-secure-channel

ClientSecureChannelLayer.prototype._construct_security_header = function () {

    const self = this;
    assert(self.hasOwnProperty("securityMode"));
    assert(self.hasOwnProperty("securityPolicy"));


    self.receiverCertificate = self.serverCertificate;

    let securityHeader = null;
    switch (self.securityMode.value) {
        case MessageSecurityMode.SIGN.value:
        case MessageSecurityMode.SIGNANDENCRYPT.value:
            assert(self.securityPolicy !== SecurityPolicy.None);
            // get the thumbprint of the client certificate
            const thumbprint = self.receiverCertificate ? crypto_utils.makeSHA1Thumbprint(self.receiverCertificate) : null;
            securityHeader = new AsymmetricAlgorithmSecurityHeader({
                securityPolicyUri: securityPolicy_m.toURI(self.securityPolicy),
                senderCertificate: self.getCertificateChain(),  // certificate of the private key used to sign the message
                receiverCertificateThumbprint: thumbprint       // thumbprint of the public key used to encrypt the message
            });
            break;
        default:
            /* istanbul ignore next */
            assert(false, "invalid security mode");
    }
    //xx console.log("xxxx security Header",securityHeader.toJSON());
    //xx console.log("xxxx receiverCertificate",self.receiverCertificate.toString("base64").cyan);
    self.securityHeader = securityHeader;

// SecurityToken may have expired, in this case the MessageBuilder shall reject the message
    if (securityTokenData.securityToken.expired) {
        this._report_error("Security token has expired : tokenId " + securityTokenData.securityToken.tokenId);
        return false;
    }

    // We shall decrypt it with the receiver private key.
    const buf = binaryStream._buffer.slice(binaryStream.length);

    const derivedKeys = securityTokenData.derivedKeys;

    assert(derivedKeys !== null);
    assert(derivedKeys.signatureLength, " must provide a signature length");

    if (this.securityMode === MessageSecurityMode.SIGNANDENCRYPT) {

        const decryptedBuffer = crypto_utils.decryptBufferWithDerivedKeys(buf, derivedKeys);

        // replace decrypted buffer in initial buffer
        decryptedBuffer.copy(binaryStream._buffer, binaryStream.length);

        // adjust length
        binaryStream._buffer = binaryStream._buffer.slice(0, binaryStream.length + decryptedBuffer.length);

        /* istanbul ignore next */
        if (doDebug) {
            debugLog("DE-----------------------------".cyan);
            debugLog(hexDump(binaryStream._buffer));
            debugLog("-------------------------------".cyan);
        }
    }

//   This field shall be null if the message is not encrypted.
    switch (request.securityMode.value) {
        case MessageSecurityMode.NONE.value:
            assert(
                !message.securityHeader ||
                    message.securityHeader.securityPolicyUri === "http://opcfoundation.org/UA/SecurityPolicy#None"
            );
            securityHeader = new AsymmetricAlgorithmSecurityHeader({
                securityPolicyUri: "http://opcfoundation.org/UA/SecurityPolicy#None",
                senderCertificate: null, // message not signed
                receiverCertificateThumbprint: null // message not encrypted
            });

            break;
        case MessageSecurityMode.SIGN.value:
        case MessageSecurityMode.SIGNANDENCRYPT.value:
            // get the thumbprint of the client certificate
            const thumbprint = self.receiverCertificate
                ? crypto_utils.makeSHA1Thumbprint(self.receiverCertificate)
                : null;

            securityHeader = new AsymmetricAlgorithmSecurityHeader({
                securityPolicyUri: self.clientSecurityHeader.securityPolicyUri,
                senderCertificate: self.getCertificateChain(), // certificate of the private key used to sign the message
                receiverCertificateThumbprint: thumbprint // message not encrypted (????)
            });
            break;
    }
    return securityHeader;
}

}
    }

    // now check signature ....
    const chunk = binaryStream._buffer;

    const signatureIsOK = crypto_utils.verifyChunkSignatureWithDerivedKeys(chunk, derivedKeys);
    if (!signatureIsOK) {
        this._report_error("SIGN and ENCRYPT : Invalid packet signature");
        return false;
    }

    // remove signature
    binaryStream._buffer = crypto_utils.reduceLength(binaryStream._buffer, derivedKeys.signatureLength);

    if (this.securityMode === MessageSecurityMode.SIGNANDENCRYPT) {
        // remove padding
        binaryStream._buffer = crypto_utils.removePadding(binaryStream._buffer);
    }

    return true;
};

function getOptionsForSymmetricSignAndEncrypt(securityMode, derivedKeys) {
    assert(derivedKeys.hasOwnProperty("signatureLength"));
    assert(securityMode !== MessageSecurityMode.NONE && securityMode !== MessageSecurityMode.INVALID);

    let options = {
        signatureLength: derivedKeys.signatureLength,
        signingFunc: function (chunk) {
            return crypto_utils.makeMessageChunkSignatureWithDerivedKeys(chunk, derivedKeys);
        }
    };
    if (securityMode === MessageSecurityMode.SIGNANDENCRYPT) {

        options = _.extend(options, {
            plainBlockSize: derivedKeys.encryptingBlockSize,
            cipherBlockSize: derivedKeys.encryptingBlockSize,
            encrypt_buffer: function (chunk) {
                return crypto_utils.encryptBufferWithDerivedKeys(chunk, derivedKeys);
            }
        });
    }
    return options;
}
exports.getOptionsForSymmetricSignAndEncrypt = getOptionsForSymmetricSignAndEncrypt;