@certd/plugin-lib 1.37.17 → 1.38.0

package/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [1.38.0](https://github.com/certd/certd/compare/v1.37.17...v1.38.0) (2026-01-13)
+
+### Features
+
+* 【破坏性更新】插件改为metadata加载模式，plugin-cert、plugin-lib包部分代码转移到certd-server中，影响自定义插件，需要修改相关import引用 ([a3fb249](https://github.com/certd/certd/commit/a3fb24993d7ac8fbb0bb354fa02ef067f609021e))
+
 ## [1.37.17](https://github.com/certd/certd/compare/v1.37.16...v1.37.17) (2025-12-29)
 
 **Note:** Version bump only for package @certd/plugin-lib

package/dist/cert/cert-reader.d.ts

@@ -0,0 +1,62 @@
+import { CertificateInfo } from "@certd/acme-client";
+import { ILogger } from "@certd/basic";
+export type CertInfo = {
+    crt: string;
+    key: string;
+    csr: string;
+    oc?: string;
+    ic?: string;
+    pfx?: string;
+    der?: string;
+    jks?: string;
+    one?: string;
+    p7b?: string;
+};
+export type CertReaderHandleContext = {
+    reader: CertReader;
+    tmpCrtPath: string;
+    tmpKeyPath: string;
+    tmpOcPath?: string;
+    tmpPfxPath?: string;
+    tmpDerPath?: string;
+    tmpIcPath?: string;
+    tmpJksPath?: string;
+    tmpOnePath?: string;
+    tmpP7bPath?: string;
+};
+export type CertReaderHandle = (ctx: CertReaderHandleContext) => Promise<void>;
+export type HandleOpts = {
+    logger: ILogger;
+    handle: CertReaderHandle;
+};
+export declare class CertReader {
+    cert: CertInfo;
+    detail: CertificateInfo;
+    effective: number;
+    expires: number;
+    constructor(certInfo: CertInfo);
+    getIc(): string;
+    getOc(): string;
+    toCertInfo(format?: string): CertInfo;
+    getCrtDetail(crt?: string): {
+        detail: CertificateInfo;
+        effective: Date;
+        expires: Date;
+    };
+    static readCertDetail(crt: string): {
+        detail: CertificateInfo;
+        effective: Date;
+        expires: Date;
+    };
+    getAllDomains(): any;
+    getAltNames(): string[];
+    static getMainDomain(crt: string): string;
+    getMainDomain(): string;
+    static getMainDomainFromDetail(detail: CertificateInfo): string;
+    saveToFile(type: "crt" | "key" | "pfx" | "der" | "oc" | "one" | "ic" | "jks" | "p7b", filepath?: string): string;
+    readCertFile(opts: HandleOpts): Promise<void>;
+    buildCertFileName(suffix: string, applyTime: any, prefix?: string): string;
+    buildCertName(prefix?: string): string;
+    static appendTimeSuffix(name?: string): string;
+    static buildCertName(cert: any): string;
+}

package/dist/cert/cert-reader.js

@@ -0,0 +1,205 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { crypto } from "@certd/acme-client";
+import dayjs from "dayjs";
+import { uniq } from "lodash-es";
+const formats = {
+    pem: ["crt", "key", "ic"],
+    one: ["one"],
+    pfx: ["pfx"],
+    der: ["der"],
+    jks: ["jks"],
+    p7b: ["p7b", "key"],
+};
+export class CertReader {
+    cert;
+    detail;
+    //毫秒时间戳
+    effective;
+    //毫秒时间戳
+    expires;
+    constructor(certInfo) {
+        this.cert = certInfo;
+        if (!certInfo.ic) {
+            this.cert.ic = this.getIc();
+        }
+        if (!certInfo.oc) {
+            this.cert.oc = this.getOc();
+        }
+        if (!certInfo.one) {
+            this.cert.one = this.cert.crt + "\n" + this.cert.key;
+        }
+        try {
+            const { detail, effective, expires } = this.getCrtDetail(this.cert.crt);
+            this.detail = detail;
+            this.effective = effective.getTime();
+            this.expires = expires.getTime();
+        }
+        catch (e) {
+            throw new Error("证书解析失败:" + e.message);
+        }
+    }
+    getIc() {
+        //中间证书ic， 就是crt的第一个 -----END CERTIFICATE----- 之后的内容
+        const endStr = "-----END CERTIFICATE-----";
+        const firstBlockEndIndex = this.cert.crt.indexOf(endStr);
+        const start = firstBlockEndIndex + endStr.length + 1;
+        if (this.cert.crt.length <= start) {
+            return "";
+        }
+        const ic = this.cert.crt.substring(start);
+        if (ic == null) {
+            return "";
+        }
+        return ic?.trim();
+    }
+    getOc() {
+        //原始证书 就是crt的第一个 -----END CERTIFICATE----- 之前的内容
+        const endStr = "-----END CERTIFICATE-----";
+        const arr = this.cert.crt.split(endStr);
+        return arr[0] + endStr;
+    }
+    toCertInfo(format) {
+        if (!format) {
+            return this.cert;
+        }
+        const formatArr = formats[format];
+        const res = {};
+        formatArr.forEach((key) => {
+            res[key] = this.cert[key];
+        });
+        return res;
+    }
+    getCrtDetail(crt = this.cert.crt) {
+        return CertReader.readCertDetail(crt);
+    }
+    static readCertDetail(crt) {
+        const detail = crypto.readCertificateInfo(crt.toString());
+        const effective = detail.notBefore;
+        const expires = detail.notAfter;
+        return { detail, effective, expires };
+    }
+    getAllDomains() {
+        const { detail } = this.getCrtDetail();
+        const domains = [];
+        if (detail.domains?.commonName) {
+            domains.push(detail.domains.commonName);
+        }
+        domains.push(...detail.domains.altNames);
+        //去重
+        return uniq(domains);
+    }
+    getAltNames() {
+        const { detail } = this.getCrtDetail();
+        return detail.domains.altNames;
+    }
+    static getMainDomain(crt) {
+        const { detail } = CertReader.readCertDetail(crt);
+        return CertReader.getMainDomainFromDetail(detail);
+    }
+    getMainDomain() {
+        const { detail } = this.getCrtDetail();
+        return CertReader.getMainDomainFromDetail(detail);
+    }
+    static getMainDomainFromDetail(detail) {
+        let domain = detail?.domains?.commonName;
+        if (domain == null) {
+            domain = detail?.domains?.altNames?.[0];
+        }
+        if (domain == null) {
+            domain = "unknown";
+        }
+        return domain;
+    }
+    saveToFile(type, filepath) {
+        if (!this.cert[type]) {
+            return;
+        }
+        if (filepath == null) {
+            //写入临时目录
+            filepath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.${type}`);
+        }
+        const dir = path.dirname(filepath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        if (type === "crt" || type === "key" || type === "ic" || type === "oc" || type === "one" || type === "p7b") {
+            fs.writeFileSync(filepath, this.cert[type]);
+        }
+        else {
+            fs.writeFileSync(filepath, Buffer.from(this.cert[type], "base64"));
+        }
+        return filepath;
+    }
+    async readCertFile(opts) {
+        const logger = opts.logger;
+        logger.info("将证书写入本地缓存文件");
+        const tmpCrtPath = this.saveToFile("crt");
+        const tmpKeyPath = this.saveToFile("key");
+        const tmpPfxPath = this.saveToFile("pfx");
+        const tmpIcPath = this.saveToFile("ic");
+        const tmpOcPath = this.saveToFile("oc");
+        const tmpDerPath = this.saveToFile("der");
+        const tmpJksPath = this.saveToFile("jks");
+        const tmpOnePath = this.saveToFile("one");
+        const tmpP7bPath = this.saveToFile("p7b");
+        logger.info("本地文件写入成功");
+        try {
+            return await opts.handle({
+                reader: this,
+                tmpCrtPath,
+                tmpKeyPath,
+                tmpPfxPath,
+                tmpDerPath,
+                tmpIcPath,
+                tmpJksPath,
+                tmpOcPath,
+                tmpP7bPath,
+                tmpOnePath,
+            });
+        }
+        catch (err) {
+            logger.error("处理失败", err);
+            throw err;
+        }
+        finally {
+            //删除临时文件
+            logger.info("清理临时文件");
+            function removeFile(filepath) {
+                if (filepath) {
+                    fs.unlinkSync(filepath);
+                }
+            }
+            removeFile(tmpCrtPath);
+            removeFile(tmpKeyPath);
+            removeFile(tmpPfxPath);
+            removeFile(tmpOcPath);
+            removeFile(tmpDerPath);
+            removeFile(tmpIcPath);
+            removeFile(tmpJksPath);
+            removeFile(tmpOnePath);
+            removeFile(tmpP7bPath);
+        }
+    }
+    buildCertFileName(suffix, applyTime, prefix = "cert") {
+        let domain = this.getMainDomain();
+        domain = domain.replaceAll(".", "_").replaceAll("*", "_");
+        const timeStr = dayjs(applyTime).format("YYYYMMDDHHmmss");
+        return `${prefix}_${domain}_${timeStr}.${suffix}`;
+    }
+    buildCertName(prefix = "") {
+        let domain = this.getMainDomain();
+        domain = domain.replaceAll(".", "_").replaceAll("*", "_");
+        return `${prefix}_${domain}_${dayjs().format("YYYYMMDDHHmmssSSS")}`;
+    }
+    static appendTimeSuffix(name) {
+        if (name == null) {
+            name = "certd";
+        }
+        return name + "_" + dayjs().format("YYYYMMDDHHmmssSSS");
+    }
+    static buildCertName(cert) {
+        return new CertReader(cert).buildCertName();
+    }
+}

package/dist/cert/consts.d.ts

@@ -0,0 +1,2 @@
+export declare const CertApplyPluginNames: string[];
+export declare const EVENT_CERT_APPLY_SUCCESS = "CertApply.success";

package/dist/cert/consts.js

@@ -0,0 +1,2 @@
+export const CertApplyPluginNames = [":cert:"];
+export const EVENT_CERT_APPLY_SUCCESS = "CertApply.success";

package/dist/cert/convert.d.ts

@@ -0,0 +1,24 @@
+import { ILogger } from "@certd/basic";
+import type { CertInfo } from "./cert-reader.js";
+import { CertReaderHandleContext } from "./cert-reader.js";
+export declare class CertConverter {
+    logger: ILogger;
+    constructor(opts: {
+        logger: ILogger;
+    });
+    convert(opts: {
+        cert: CertInfo;
+        pfxPassword: string;
+        pfxArgs: string;
+    }): Promise<{
+        pfx: string;
+        der: string;
+        jks: string;
+        p7b: string;
+    }>;
+    exec(cmd: string): Promise<void>;
+    private convertPfx;
+    private convertDer;
+    convertP7b(opts: CertReaderHandleContext): Promise<string>;
+    convertJks(opts: CertReaderHandleContext, pfxPassword?: string): Promise<string>;
+}

package/dist/cert/convert.js

@@ -0,0 +1,122 @@
+import { sp } from "@certd/basic";
+import { CertReader } from "./cert-reader.js";
+import path from "path";
+import os from "os";
+import fs from "fs";
+export class CertConverter {
+    logger;
+    constructor(opts) {
+        this.logger = opts.logger;
+    }
+    async convert(opts) {
+        const certReader = new CertReader(opts.cert);
+        let pfx;
+        let der;
+        let jks;
+        let p7b;
+        const handle = async (ctx) => {
+            // 调用openssl 转pfx
+            pfx = await this.convertPfx(ctx, opts.pfxPassword, opts.pfxArgs);
+            // 转der
+            der = await this.convertDer(ctx);
+            jks = await this.convertJks(ctx, opts.pfxPassword);
+            p7b = await this.convertP7b(ctx);
+        };
+        await certReader.readCertFile({ logger: this.logger, handle });
+        return {
+            pfx,
+            der,
+            jks,
+            p7b,
+        };
+    }
+    async exec(cmd) {
+        process.env.LANG = "zh_CN.GBK";
+        await sp.spawn({
+            cmd: cmd,
+            logger: this.logger,
+        });
+    }
+    async convertPfx(opts, pfxPassword, pfxArgs) {
+        const { tmpCrtPath, tmpKeyPath } = opts;
+        const pfxPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "_cert.pfx");
+        const dir = path.dirname(pfxPath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        let passwordArg = "-passout pass:";
+        if (pfxPassword) {
+            passwordArg = `-password pass:${pfxPassword}`;
+        }
+        // 兼容server 2016，旧版本不能用sha256
+        const oldPfxCmd = `openssl pkcs12 ${pfxArgs} -export -out ${pfxPath} -inkey ${tmpKeyPath} -in ${tmpCrtPath} ${passwordArg}`;
+        // const newPfx = `openssl pkcs12 -export -out ${pfxPath} -inkey ${tmpKeyPath} -in ${tmpCrtPath} ${passwordArg}`;
+        await this.exec(oldPfxCmd);
+        const fileBuffer = fs.readFileSync(pfxPath);
+        const pfxCert = fileBuffer.toString("base64");
+        fs.unlinkSync(pfxPath);
+        return pfxCert;
+        //
+        // const applyTime = new Date().getTime();
+        // const filename = reader.buildCertFileName("pfx", applyTime);
+        // this.saveFile(filename, fileBuffer);
+    }
+    async convertDer(opts) {
+        const { tmpCrtPath } = opts;
+        const derPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.der`);
+        const dir = path.dirname(derPath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        await this.exec(`openssl x509 -outform der -in ${tmpCrtPath} -out ${derPath}`);
+        const fileBuffer = fs.readFileSync(derPath);
+        const derCert = fileBuffer.toString("base64");
+        fs.unlinkSync(derPath);
+        return derCert;
+    }
+    async convertP7b(opts) {
+        const { tmpCrtPath } = opts;
+        const p7bPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.p7b`);
+        const dir = path.dirname(p7bPath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        //openssl crl2pkcs7 -nocrl \
+        //     -certfile your_domain.crt \
+        //     -certfile intermediate.crt \
+        //     -out chain.p7b
+        await this.exec(`openssl crl2pkcs7 -nocrl -certfile ${tmpCrtPath} -out ${p7bPath}`);
+        const fileBuffer = fs.readFileSync(p7bPath);
+        const p7bCert = fileBuffer.toString();
+        fs.unlinkSync(p7bPath);
+        return p7bCert;
+    }
+    async convertJks(opts, pfxPassword = "") {
+        const jksPassword = pfxPassword || "123456";
+        try {
+            const randomStr = Math.floor(Math.random() * 1000000) + "";
+            const p12Path = path.join(os.tmpdir(), "/certd/tmp/", randomStr + `_cert.p12`);
+            const { tmpCrtPath, tmpKeyPath } = opts;
+            let passwordArg = "-passout pass:";
+            if (jksPassword) {
+                passwordArg = `-password pass:${jksPassword}`;
+            }
+            await this.exec(`openssl pkcs12 -export -in ${tmpCrtPath} -inkey ${tmpKeyPath} -out ${p12Path} -name certd ${passwordArg}`);
+            const jksPath = path.join(os.tmpdir(), "/certd/tmp/", randomStr + `_cert.jks`);
+            const dir = path.dirname(jksPath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+            await this.exec(`keytool -importkeystore -srckeystore ${p12Path} -srcstoretype PKCS12 -srcstorepass "${jksPassword}" -destkeystore ${jksPath} -deststoretype PKCS12 -deststorepass "${jksPassword}" `);
+            fs.unlinkSync(p12Path);
+            const fileBuffer = fs.readFileSync(jksPath);
+            const certBase64 = fileBuffer.toString("base64");
+            fs.unlinkSync(jksPath);
+            return certBase64;
+        }
+        catch (e) {
+            this.logger.error("转换jks失败", e);
+            return;
+        }
+    }
+}

package/dist/cert/dns-provider/api.d.ts

@@ -0,0 +1,76 @@
+import { HttpClient, ILogger, utils } from "@certd/basic";
+import { IAccess, IServiceGetter, Registrable } from "@certd/pipeline";
+export type DnsProviderDefine = Registrable & {
+    accessType: string;
+    icon?: string;
+};
+export type CreateRecordOptions = {
+    domain: string;
+    fullRecord: string;
+    hostRecord: string;
+    type: string;
+    value: any;
+};
+export type RemoveRecordOptions<T> = {
+    recordReq: CreateRecordOptions;
+    recordRes: T;
+};
+export type DnsProviderContext = {
+    access: IAccess;
+    logger: ILogger;
+    http: HttpClient;
+    utils: typeof utils;
+    domainParser: IDomainParser;
+    serviceGetter: IServiceGetter;
+};
+export interface IDnsProvider<T = any> {
+    onInstance(): Promise<void>;
+    /**
+     * 中文转英文
+     * @param domain
+     */
+    punyCodeEncode(domain: string): string;
+    /**
+     * 转中文域名
+     * @param domain
+     */
+    punyCodeDecode(domain: string): string;
+    createRecord(options: CreateRecordOptions): Promise<T>;
+    removeRecord(options: RemoveRecordOptions<T>): Promise<void>;
+    setCtx(ctx: DnsProviderContext): void;
+    usePunyCode(): boolean;
+}
+export interface ISubDomainsGetter {
+    getSubDomains(): Promise<string[]>;
+}
+export interface IDomainParser {
+    parse(fullDomain: string): Promise<string>;
+}
+export type DnsVerifier = {
+    dnsProviderType?: string;
+    dnsProviderAccessId?: number;
+};
+export type CnameVerifier = {
+    hostRecord: string;
+    domain: string;
+    recordValue: string;
+};
+export type HttpVerifier = {
+    httpUploaderType: string;
+    httpUploaderAccess: number;
+    httpUploadRootDir: string;
+};
+export type DomainVerifier = {
+    domain: string;
+    mainDomain: string;
+    type: string;
+    dns?: DnsVerifier;
+    cname?: CnameVerifier;
+    http?: HttpVerifier;
+};
+export type DomainVerifiers = {
+    [key: string]: DomainVerifier;
+};
+export interface IDomainVerifierGetter {
+    getVerifiers(domains: string[]): Promise<DomainVerifiers>;
+}

package/dist/cert/dns-provider/api.js

@@ -0,0 +1 @@
+export {};

package/dist/cert/dns-provider/base.d.ts

@@ -0,0 +1,27 @@
+import { CreateRecordOptions, DnsProviderContext, IDnsProvider, RemoveRecordOptions } from "./api.js";
+import { HttpClient, ILogger } from "@certd/basic";
+export declare abstract class AbstractDnsProvider<T = any> implements IDnsProvider<T> {
+    ctx: DnsProviderContext;
+    http: HttpClient;
+    logger: ILogger;
+    usePunyCode(): boolean;
+    /**
+     * 中文转英文
+     * @param domain
+     */
+    punyCodeEncode(domain: string): any;
+    /**
+     * 转中文域名
+     * @param domain
+     */
+    punyCodeDecode(domain: string): any;
+    setCtx(ctx: DnsProviderContext): void;
+    parseDomain(fullDomain: string): Promise<string>;
+    abstract createRecord(options: CreateRecordOptions): Promise<T>;
+    abstract onInstance(): Promise<void>;
+    abstract removeRecord(options: RemoveRecordOptions<T>): Promise<void>;
+}
+export declare function createDnsProvider(opts: {
+    dnsProviderType: string;
+    context: DnsProviderContext;
+}): Promise<IDnsProvider>;

package/dist/cert/dns-provider/base.js

@@ -0,0 +1,48 @@
+import { dnsProviderRegistry } from "./registry.js";
+import punycode from "punycode.js";
+export class AbstractDnsProvider {
+    ctx;
+    http;
+    logger;
+    usePunyCode() {
+        //是否使用punycode来添加解析记录
+        //默认都使用原始中文域名来添加
+        return false;
+    }
+    /**
+     * 中文转英文
+     * @param domain
+     */
+    punyCodeEncode(domain) {
+        return punycode.toASCII(domain);
+    }
+    /**
+     * 转中文域名
+     * @param domain
+     */
+    punyCodeDecode(domain) {
+        return punycode.toUnicode(domain);
+    }
+    setCtx(ctx) {
+        this.ctx = ctx;
+        this.logger = ctx.logger;
+        this.http = ctx.http;
+    }
+    async parseDomain(fullDomain) {
+        return await this.ctx.domainParser.parse(fullDomain);
+    }
+}
+export async function createDnsProvider(opts) {
+    const { dnsProviderType, context } = opts;
+    const dnsProviderPlugin = dnsProviderRegistry.get(dnsProviderType);
+    const DnsProviderClass = await dnsProviderPlugin.target();
+    const dnsProviderDefine = dnsProviderPlugin.define;
+    if (dnsProviderDefine.deprecated) {
+        context.logger.warn(dnsProviderDefine.deprecated);
+    }
+    // @ts-ignore
+    const dnsProvider = new DnsProviderClass();
+    dnsProvider.setCtx(context);
+    await dnsProvider.onInstance();
+    return dnsProvider;
+}

package/dist/cert/dns-provider/decorator.d.ts

@@ -0,0 +1,3 @@
+import { DnsProviderDefine } from "./api.js";
+export declare const DNS_PROVIDER_CLASS_KEY = "pipeline:dns-provider";
+export declare function IsDnsProvider(define: DnsProviderDefine): ClassDecorator;

package/dist/cert/dns-provider/decorator.js

@@ -0,0 +1,20 @@
+import { dnsProviderRegistry } from "./registry.js";
+import { Decorator } from "@certd/pipeline";
+// 提供一个唯一 key
+export const DNS_PROVIDER_CLASS_KEY = "pipeline:dns-provider";
+export function IsDnsProvider(define) {
+    return (target) => {
+        if (process.env.certd_plugin_loadmode === "metadata") {
+            return;
+        }
+        target = Decorator.target(target);
+        Reflect.defineMetadata(DNS_PROVIDER_CLASS_KEY, define, target);
+        target.define = define;
+        dnsProviderRegistry.register(define.name, {
+            define,
+            target: async () => {
+                return target;
+            },
+        });
+    };
+}

package/dist/cert/dns-provider/domain-parser.d.ts

@@ -0,0 +1,9 @@
+import { IDomainParser, ISubDomainsGetter } from "./api";
+import { ILogger } from "@certd/basic";
+export declare class DomainParser implements IDomainParser {
+    subDomainsGetter: ISubDomainsGetter;
+    logger: ILogger;
+    constructor(subDomainsGetter: ISubDomainsGetter, logger?: ILogger);
+    parseDomainByPsl(fullDomain: string): string;
+    parse(fullDomain: string): Promise<any>;
+}