npm - @naylence/advanced-security - Versions diffs - 0.3.5-test.101 → 0.3.5-test.102 - Mend

@naylence/advanced-security 0.3.5-test.101 → 0.3.5-test.102

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (127) hide show

package/dist/cjs/naylence/fame/security/cert/default-ca-service.js CHANGED Viewed

@@ -4,6 +4,8 @@
  * Wraps InternalCAService (CASigningService) with automatic credential
  * loading from environment variables and test CA fallback.
  */
+import { sha256 } from "@noble/hashes/sha256.js";
+import { X509Certificate } from "@peculiar/x509";
 import { CAService } from "./ca-types.js";
 import { CASigningService, createTestCA } from "./internal-ca-service.js";
 /**
@@ -133,7 +135,7 @@ export class DefaultCAService extends CAService {
         }
         // Node.js environment
         try {
-            const fs = await import("fs/promises");
+            const fs = await import("node:fs/promises");
             const stats = await fs.stat(filePath);
             if (stats.isFile()) {
                 return await fs.readFile(filePath, "utf-8");
@@ -259,5 +261,104 @@ export class DefaultCAService extends CAService {
             throw error;
         }
     }
+    async getTrustBundle() {
+        const credentials = await this.getCACredentials();
+        const rootCandidates = [];
+        if (credentials.rootCaCertPem) {
+            rootCandidates.push(credentials.rootCaCertPem);
+        }
+        if (credentials.signingCertPem) {
+            rootCandidates.push(credentials.signingCertPem);
+        }
+        if (credentials.intermediateChainPem) {
+            rootCandidates.push(...this.parseCertificateChain(credentials.intermediateChainPem));
+        }
+        if (rootCandidates.length === 0) {
+            return null;
+        }
+        const roots = buildTrustBundleRoots(rootCandidates);
+        if (roots.length === 0) {
+            return null;
+        }
+        const issuedAt = new Date().toISOString();
+        const validUntil = computeEarliestExpiry(roots);
+        const version = computeBundleVersion(roots);
+        return {
+            version,
+            issuedAt,
+            validUntil,
+            roots,
+        };
+    }
+}
+function normalizeCertificatePem(pem) {
+    const trimmed = pem.trim();
+    return trimmed.endsWith("\n") ? trimmed : `${trimmed}\n`;
+}
+function analyseCertificate(pem) {
+    try {
+        const cert = new X509Certificate(pem);
+        const details = cert;
+        const notBefore = details.notBefore instanceof Date
+            ? details.notBefore.toISOString()
+            : undefined;
+        const notAfter = details.notAfter instanceof Date
+            ? details.notAfter.toISOString()
+            : undefined;
+        return {
+            notBefore,
+            notAfter,
+        };
+    }
+    catch {
+        return {};
+    }
+}
+function buildTrustBundleRoots(candidates) {
+    const seen = new Set();
+    const roots = [];
+    for (const candidate of candidates) {
+        if (!candidate) {
+            continue;
+        }
+        const normalized = normalizeCertificatePem(candidate);
+        if (seen.has(normalized)) {
+            continue;
+        }
+        seen.add(normalized);
+        const metadata = analyseCertificate(normalized);
+        roots.push({
+            pem: normalized,
+            ...metadata,
+        });
+    }
+    return roots;
+}
+function computeEarliestExpiry(roots) {
+    let earliest = null;
+    for (const root of roots) {
+        if (!root.notAfter) {
+            continue;
+        }
+        const timestamp = Date.parse(root.notAfter);
+        if (Number.isNaN(timestamp)) {
+            continue;
+        }
+        if (earliest === null || timestamp < earliest) {
+            earliest = timestamp;
+        }
+    }
+    return earliest === null ? null : new Date(earliest).toISOString();
+}
+function computeBundleVersion(roots) {
+    const encoder = new TextEncoder();
+    const serialized = roots.map((root) => root.pem).join("\n");
+    const digest = sha256(encoder.encode(serialized));
+    const hex = Array.from(digest)
+        .map((byte) => byte.toString(16).padStart(2, "0"))
+        .join("");
+    const versionHex = hex.slice(0, 12);
+    const value = Number.parseInt(versionHex, 16);
+    return Number.isNaN(value) ? 1 : Math.max(1, value);
 }
 //# sourceMappingURL=default-ca-service.js.map

package/dist/cjs/naylence/fame/security/cert/default-ca-service.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"default-ca-service.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/default-ca-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE1E;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,mBAAmB,CAAC;AACzD,MAAM,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACvD,MAAM,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACvD,MAAM,CAAC,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;AACrD,MAAM,CAAC,MAAM,gCAAgC,GAAG,8BAA8B,CAAC;AAC/E,MAAM,CAAC,MAAM,+BAA+B,GAAG,6BAA6B,CAAC;AAC7E,MAAM,CAAC,MAAM,0BAA0B,GAAG,wBAAwB,CAAC;AACnE,MAAM,CAAC,MAAM,yBAAyB,GAAG,uBAAuB,CAAC;AACjE,MAAM,CAAC,MAAM,yBAAyB,GAAG,uBAAuB,CAAC;AACjE,MAAM,CAAC,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAoC/D;;;;;;;GAOG;AACH,MAAM,OAAO,gBAAiB,SAAQ,SAAS;IAQ7C,YAAY,UAAmC,EAAE;QAC/C,KAAK,EAAE,CAAC;QAER,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;QACzD,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;IAC/C,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,gBAAgB;QAC5B,IAAI,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,IAAI,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC7B,IAAI,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC;QACrD,IAAI,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;QACzC,IAAI,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QAEvC,4CAA4C;QAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;YACtD,IAAI,UAAU,EAAE,CAAC;gBACf,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;YACtD,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACpD,IAAI,SAAS,EAAE,CAAC;gBACd,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;YACD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,MAAM,qBAAqB,GACzB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAChD,IAAI,qBAAqB,EAAE,CAAC;gBAC1B,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAChD,qBAAqB,CACtB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YAChE,IAAI,eAAe,EAAE,CAAC;gBACpB,cAAc,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YAC9D,IAAI,cAAc,EAAE,CAAC;gBACnB,aAAa,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CACV,mEAAmE,CACpE,CAAC;YACF,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;YACjD,OAAO;gBACL,aAAa,EAAE,QAAQ;gBACvB,YAAY,EAAE,OAAO;gBACrB,oBAAoB;gBACpB,cAAc;gBACd,aAAa;aACd,CAAC;QACJ,CAAC;QAED,OAAO;YACL,aAAa,EAAE,SAAS;YACxB,YAAY,EAAE,QAAQ;YACtB,oBAAoB;YACpB,cAAc;YACd,aAAa;SACd,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,gBAAgB,CAC5B,QAAgB;QAEhB,4CAA4C;QAC5C,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YACpE,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;gBACnB,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;OAKG;IACK,qBAAqB,CAAC,QAAgB;QAC5C,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,6BAA6B,CAAC,EAAE,CAAC;gBACjD,MAAM,GAAG,IAAI,CAAC;gBACd,WAAW,GAAG,IAAI,GAAG,IAAI,CAAC;YAC5B,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC;gBACtD,WAAW,IAAI,IAAI,GAAG,IAAI,CAAC;gBAC3B,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtC,WAAW,GAAG,EAAE,CAAC;gBACjB,MAAM,GAAG,KAAK,CAAC;YACjB,CAAC;iBAAM,IAAI,MAAM,EAAE,CAAC;gBAClB,WAAW,IAAI,IAAI,GAAG,IAAI,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,GAA8B;QAE9B,kDAAkD;QAClD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAElD,yDAAyD;QACzD,IAAI,cAAgC,CAAC;QAErC,IAAI,WAAW,CAAC,cAAc,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;YAC5D,gEAAgE;YAChE,cAAc,GAAG,IAAI,gBAAgB,CAAC;gBACpC,WAAW,EAAE,WAAW,CAAC,cAAc;gBACvC,UAAU,EAAE,WAAW,CAAC,aAAa;aACtC,CAAC,CAAC;YACH,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;aAAM,IAAI,WAAW,CAAC,oBAAoB,EAAE,CAAC;YAC5C,2DAA2D;YAC3D,MAAM,iBAAiB,GAAG,IAAI,CAAC,qBAAqB,CAClD,WAAW,CAAC,oBAAoB,CACjC,CAAC;YACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC9D,kFAAkF;gBAClF,MAAM,WAAW,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;gBACzC,cAAc,GAAG,IAAI,gBAAgB,CAAC;oBACpC,WAAW,EAAE,WAAY;oBACzB,UAAU,EAAE,WAAW,CAAC,aAAa;iBACtC,CAAC,CAAC;gBACH,OAAO,CAAC,KAAK,CACX,yCAAyC,EACzC,GAAG,CAAC,WAAW,CAChB,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,cAAc,GAAG,IAAI,gBAAgB,CAAC;oBACpC,WAAW,EAAE,WAAW,CAAC,aAAa;oBACtC,UAAU,EAAE,WAAW,CAAC,YAAY;iBACrC,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CACV,wDAAwD,EACxD,GAAG,CAAC,WAAW,CAChB,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,oBAAoB;YACpB,cAAc,GAAG,IAAI,gBAAgB,CAAC;gBACpC,WAAW,EAAE,WAAW,CAAC,aAAa;gBACtC,UAAU,EAAE,WAAW,CAAC,YAAY;aACrC,CAAC,CAAC;YACH,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAC/D,CAAC;QAED,6DAA6D;QAC7D,IAAI,CAAC;YACH,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,GACjC,MAAM,cAAc,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YAE7C,MAAM,UAAU,GAAa,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;YACrD,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,WAAW,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC;YAE1D,MAAM,aAAa,GAAG,CAAC,GAAuB,EAAsB,EAAE,CACpE,GAAG,EAAE,IAAI,EAAE,CAAC;YAEd,IAAI,WAAW,CAAC,oBAAoB,EAAE,CAAC;gBACrC,MAAM,iBAAiB,GAAG,IAAI,CAAC,qBAAqB,CAClD,WAAW,CAAC,oBAAoB,CACjC,CAAC;gBAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;oBACxC,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;oBAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,SAAS;oBACX,CAAC;oBAED,IAAI,UAAU,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;wBACjC,SAAS;oBACX,CAAC;oBAED,IAAI,WAAW,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;wBAC9C,SAAS;oBACX,CAAC;oBAED,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;iBAAM,IAAI,cAAc,IAAI,cAAc,KAAK,WAAW,EAAE,CAAC;gBAC5D,IAAI,cAAc,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;gBAClC,CAAC;YACH,CAAC;YAED,MAAM,mBAAmB,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAElD,OAAO;gBACL,cAAc;gBACd,mBAAmB;gBACnB,SAAS;aACV,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YACtE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF"}
1	+ {"version":3,"file":"default-ca-service.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/cert/default-ca-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,yBAAyB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AASjD,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE1E;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,mBAAmB,CAAC;AACzD,MAAM,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACvD,MAAM,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACvD,MAAM,CAAC,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;AACrD,MAAM,CAAC,MAAM,gCAAgC,GAAG,8BAA8B,CAAC;AAC/E,MAAM,CAAC,MAAM,+BAA+B,GAAG,6BAA6B,CAAC;AAC7E,MAAM,CAAC,MAAM,0BAA0B,GAAG,wBAAwB,CAAC;AACnE,MAAM,CAAC,MAAM,yBAAyB,GAAG,uBAAuB,CAAC;AACjE,MAAM,CAAC,MAAM,yBAAyB,GAAG,uBAAuB,CAAC;AACjE,MAAM,CAAC,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAoC/D;;;;;;;GAOG;AACH,MAAM,OAAO,gBAAiB,SAAQ,SAAS;IAQ7C,YAAY,UAAmC,EAAE;QAC/C,KAAK,EAAE,CAAC;QAER,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;QACzD,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;IAC/C,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,gBAAgB;QAC5B,IAAI,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,IAAI,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC7B,IAAI,oBAAoB,GAAG,IAAI,CAAC,oBAAoB,CAAC;QACrD,IAAI,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;QACzC,IAAI,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QAEvC,4CAA4C;QAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;YACtD,IAAI,UAAU,EAAE,CAAC;gBACf,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;YACtD,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACpD,IAAI,SAAS,EAAE,CAAC;gBACd,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC;YACD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,MAAM,qBAAqB,GACzB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAChD,IAAI,qBAAqB,EAAE,CAAC;gBAC1B,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAChD,qBAAqB,CACtB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YAChE,IAAI,eAAe,EAAE,CAAC;gBACpB,cAAc,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YAC9D,IAAI,cAAc,EAAE,CAAC;gBACnB,aAAa,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CACV,mEAAmE,CACpE,CAAC;YACF,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,MAAM,YAAY,EAAE,CAAC;YACjD,OAAO;gBACL,aAAa,EAAE,QAAQ;gBACvB,YAAY,EAAE,OAAO;gBACrB,oBAAoB;gBACpB,cAAc;gBACd,aAAa;aACd,CAAC;QACJ,CAAC;QAED,OAAO;YACL,aAAa,EAAE,SAAS;YACxB,YAAY,EAAE,QAAQ;YACtB,oBAAoB;YACpB,cAAc;YACd,aAAa;SACd,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,gBAAgB,CAC5B,QAAgB;QAEhB,4CAA4C;QAC5C,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YACpE,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,sBAAsB;QACtB,IAAI,CAAC;YACP,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;YACxC,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;gBACnB,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;OAKG;IACK,qBAAqB,CAAC,QAAgB;QAC5C,MAAM,YAAY,GAAa,EAAE,CAAC;QAClC,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,6BAA6B,CAAC,EAAE,CAAC;gBACjD,MAAM,GAAG,IAAI,CAAC;gBACd,WAAW,GAAG,IAAI,GAAG,IAAI,CAAC;YAC5B,CAAC;iBAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC;gBACtD,WAAW,IAAI,IAAI,GAAG,IAAI,CAAC;gBAC3B,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtC,WAAW,GAAG,EAAE,CAAC;gBACjB,MAAM,GAAG,KAAK,CAAC;YACjB,CAAC;iBAAM,IAAI,MAAM,EAAE,CAAC;gBAClB,WAAW,IAAI,IAAI,GAAG,IAAI,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,GAA8B;QAE9B,kDAAkD;QAClD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAElD,yDAAyD;QACzD,IAAI,cAAgC,CAAC;QAErC,IAAI,WAAW,CAAC,cAAc,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;YAC5D,gEAAgE;YAChE,cAAc,GAAG,IAAI,gBAAgB,CAAC;gBACpC,WAAW,EAAE,WAAW,CAAC,cAAc;gBACvC,UAAU,EAAE,WAAW,CAAC,aAAa;aACtC,CAAC,CAAC;YACH,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;aAAM,IAAI,WAAW,CAAC,oBAAoB,EAAE,CAAC;YAC5C,2DAA2D;YAC3D,MAAM,iBAAiB,GAAG,IAAI,CAAC,qBAAqB,CAClD,WAAW,CAAC,oBAAoB,CACjC,CAAC;YACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC9D,kFAAkF;gBAClF,MAAM,WAAW,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;gBACzC,cAAc,GAAG,IAAI,gBAAgB,CAAC;oBACpC,WAAW,EAAE,WAAY;oBACzB,UAAU,EAAE,WAAW,CAAC,aAAa;iBACtC,CAAC,CAAC;gBACH,OAAO,CAAC,KAAK,CACX,yCAAyC,EACzC,GAAG,CAAC,WAAW,CAChB,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,cAAc,GAAG,IAAI,gBAAgB,CAAC;oBACpC,WAAW,EAAE,WAAW,CAAC,aAAa;oBACtC,UAAU,EAAE,WAAW,CAAC,YAAY;iBACrC,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CACV,wDAAwD,EACxD,GAAG,CAAC,WAAW,CAChB,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,oBAAoB;YACpB,cAAc,GAAG,IAAI,gBAAgB,CAAC;gBACpC,WAAW,EAAE,WAAW,CAAC,aAAa;gBACtC,UAAU,EAAE,WAAW,CAAC,YAAY;aACrC,CAAC,CAAC;YACH,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAC/D,CAAC;QAED,6DAA6D;QAC7D,IAAI,CAAC;YACH,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,GACjC,MAAM,cAAc,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YAE7C,MAAM,UAAU,GAAa,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;YACrD,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,WAAW,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC;YAE1D,MAAM,aAAa,GAAG,CAAC,GAAuB,EAAsB,EAAE,CACpE,GAAG,EAAE,IAAI,EAAE,CAAC;YAEd,IAAI,WAAW,CAAC,oBAAoB,EAAE,CAAC;gBACrC,MAAM,iBAAiB,GAAG,IAAI,CAAC,qBAAqB,CAClD,WAAW,CAAC,oBAAoB,CACjC,CAAC;gBAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;oBACxC,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;oBAC1C,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,SAAS;oBACX,CAAC;oBAED,IAAI,UAAU,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;wBACjC,SAAS;oBACX,CAAC;oBAED,IAAI,WAAW,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;wBAC9C,SAAS;oBACX,CAAC;oBAED,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;iBAAM,IAAI,cAAc,IAAI,cAAc,KAAK,WAAW,EAAE,CAAC;gBAC5D,IAAI,cAAc,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;gBAClC,CAAC;YACH,CAAC;YAED,MAAM,mBAAmB,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAElD,OAAO;gBACL,cAAc;gBACd,mBAAmB;gBACnB,SAAS;aACV,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YACtE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEe,KAAK,CAAC,cAAc;QAClC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAElD,MAAM,cAAc,GAAa,EAAE,CAAC;QACpC,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;YAC9B,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;QACjD,CAAC;QACD,IAAI,WAAW,CAAC,cAAc,EAAE,CAAC;YAC/B,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,WAAW,CAAC,oBAAoB,EAAE,CAAC;YACrC,cAAc,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,qBAAqB,CAAC,cAAc,CAAC,CAAC;QACpD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,UAAU,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAE5C,OAAO;YACL,OAAO;YACP,QAAQ;YACR,UAAU;YACV,KAAK;SACN,CAAC;IACJ,CAAC;CACF;AAED,SAAS,uBAAuB,CAAC,GAAW;IAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,IAAI,CAAC;AAC3D,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,IAGf,CAAC;QAEF,MAAM,SAAS,GACb,OAAO,CAAC,SAAS,YAAY,IAAI;YAC/B,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE;YACjC,CAAC,CAAC,SAAS,CAAC;QAChB,MAAM,QAAQ,GACZ,OAAO,CAAC,QAAQ,YAAY,IAAI;YAC9B,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,SAAS,CAAC;QAEhB,OAAO;YACL,SAAS;YACT,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,UAA4B;IACzD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,KAAK,GAAsB,EAAE,CAAC;IAEpC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACzB,SAAS;QACX,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACrB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC;YACT,GAAG,EAAE,UAAU;YACf,GAAG,QAAQ;SACZ,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAiC;IAC9D,IAAI,QAAQ,GAAkB,IAAI,CAAC;IAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,IAAI,SAAS,GAAG,QAAQ,EAAE,CAAC;YAC9C,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;AACrE,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAiC;IAC7D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SAC3B,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACjD,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC"}

package/dist/cjs/naylence/fame/security/cert/default-certificate-manager.js CHANGED Viewed

@@ -1,9 +1,10 @@
 import { SigningMaterial } from "@naylence/core";
-import { AuthInjectionStrategyFactory, getLogger, SigningConfigClass, } from "@naylence/runtime/node";
+import { AuthInjectionStrategyFactory, getLogger, SigningConfigClass, } from "@naylence/runtime";
 import { CAServiceClient, } from "./ca-service-client.js";
 import { CertificateRequestError } from "./ca-types.js";
 import { GRANT_PURPOSE_CA_SIGN } from "./grants.js";
 import { validateJwkX5cCertificate } from "./util.js";
+import { createEd25519CsrFromPem } from "./node-ed25519-csr.js";
 const logger = getLogger("naylence.fame.security.cert.default_certificate_manager");
 const ENV_VAR_FAME_CA_CERTS = "FAME_CA_CERTS";
 const CONNECTION_GRANTS_CAMEL = "connectionGrants";
@@ -18,6 +19,10 @@ export class DefaultCertificateManager {
         this.caServiceUrl = options.caServiceUrl ?? null;
         this.cryptoProviderOverride =
             options.cryptoProvider ?? options.crypto_provider ?? null;
+        this.certificateMaterialResolver = normalizeCertificateMaterialResolver(options.certificateMaterial ?? null);
+        this.trustStorePemResolver = normalizeTrustStorePemResolver(options.trustStorePem ?? null);
+        this.certificatePersistenceHook =
+            normalizeCertificatePersistenceHook(options.persistCertificateMaterial ?? null);
     }
     setSigning(signing) {
         this.signing = normalizeSigningConfig(signing);
@@ -134,11 +139,14 @@ export class DefaultCertificateManager {
                 });
             }
         }
+        if (!material) {
+            material = await this.resolveCertificateMaterialFromInjectedSources(cryptoProvider, nodeId);
+        }
         if (!material) {
             logger.debug("attempting_certificate_resolution_from_environment", {
                 system_id: nodeId,
             });
-            material = await resolveCertificateMaterial();
+            material = await resolveCertificateMaterialFromEnvironment();
         }
         if (!material) {
             logger.warning("certificate_material_not_found", {
@@ -148,7 +156,7 @@ export class DefaultCertificateManager {
             });
             return false;
         }
-        const stored = storeCertificateMaterial(cryptoProvider, material);
+        const stored = await this.storeCertificateMaterial(cryptoProvider, material, nodeId);
         if (!stored) {
             logger.warning("certificate_storage_not_supported", {
                 system_id: nodeId,
@@ -232,6 +240,49 @@ export class DefaultCertificateManager {
         });
         return true;
     }
+    async resolveCertificateMaterialFromInjectedSources(provider, nodeId) {
+        const providerMaterial = await this.resolveCertificateMaterialFromProvider(provider, nodeId);
+        if (providerMaterial) {
+            logger.debug("certificate_material_resolved_from_provider", {
+                system_id: nodeId,
+            });
+            return providerMaterial;
+        }
+        if (this.certificateMaterialResolver) {
+            try {
+                const material = await this.certificateMaterialResolver();
+                if (material) {
+                    logger.debug("certificate_material_resolved_from_options", {
+                        system_id: nodeId,
+                    });
+                    return material;
+                }
+            }
+            catch (error) {
+                logger.debug("certificate_material_option_resolution_failed", {
+                    system_id: nodeId,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        return null;
+    }
+    async resolveCertificateMaterialFromProvider(provider, nodeId) {
+        if (typeof provider.resolveCertificateMaterial !== "function") {
+            return null;
+        }
+        try {
+            const material = await provider.resolveCertificateMaterial();
+            return normalizeCertificateMaterial(material ?? null);
+        }
+        catch (error) {
+            logger.debug("provider_certificate_material_resolution_failed", {
+                system_id: nodeId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return null;
+        }
+    }
     getCaSignGrant(connectionGrants) {
         if (!Array.isArray(connectionGrants)) {
             return null;
@@ -279,22 +330,8 @@ export class DefaultCertificateManager {
         const logicals = Array.isArray(welcomeFrame.acceptedLogicals)
             ? welcomeFrame.acceptedLogicals.filter((value) => typeof value === "string")
             : [];
-        if (typeof provider.createCsr !== "function") {
-            logger.warning("crypto_provider_missing_create_csr", {
-                node_id: nodeId,
-            });
-            return null;
-        }
-        let csrPem;
-        try {
-            const result = provider.createCsr(nodeId, physicalPath, logicals);
-            csrPem = typeof result === "string" ? result : await result;
-        }
-        catch (error) {
-            logger.error("csr_generation_failed", {
-                node_id: nodeId,
-                error: error instanceof Error ? error.message : String(error),
-            });
+        const csrPem = await this.buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals);
+        if (!csrPem) {
             return null;
         }
         const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
@@ -376,11 +413,11 @@ export class DefaultCertificateManager {
         return AuthInjectionStrategyFactory.createAuthInjectionStrategy(normalizedConfig);
     }
     async validateProviderCertificate(provider, nodeId) {
-        const trustStorePem = await resolveTrustStorePem();
+        const { pem: trustStorePem, reason } = await this.resolveTrustStorePemValue(provider, nodeId);
         if (!trustStorePem) {
             logger.error("trust_anchor_validation_failed", {
                 node_id: nodeId,
-                reason: `${ENV_VAR_FAME_CA_CERTS}_not_set`,
+                reason: reason ?? "trust_store_unavailable",
             });
             return false;
         }
@@ -448,6 +485,125 @@ export class DefaultCertificateManager {
             return false;
         }
     }
+    async resolveTrustStorePemValue(provider, nodeId) {
+        const providerPem = await this.resolveTrustStorePemFromProvider(provider, nodeId);
+        if (providerPem) {
+            logger.debug("trust_store_resolved_from_provider", {
+                node_id: nodeId,
+            });
+            return { pem: providerPem };
+        }
+        if (this.trustStorePemResolver) {
+            try {
+                const pem = await this.trustStorePemResolver();
+                const normalized = normalizePemOrNull(pem);
+                if (normalized) {
+                    logger.debug("trust_store_resolved_from_options", {
+                        node_id: nodeId,
+                    });
+                    return { pem: normalized };
+                }
+            }
+            catch (error) {
+                logger.debug("trust_store_option_resolution_failed", {
+                    node_id: nodeId,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        const envPem = await resolveTrustStorePemFromEnvironment();
+        return {
+            pem: envPem,
+            reason: envPem ? undefined : `${ENV_VAR_FAME_CA_CERTS}_not_set`,
+        };
+    }
+    async resolveTrustStorePemFromProvider(provider, nodeId) {
+        if (typeof provider.resolveTrustStorePem !== "function") {
+            return null;
+        }
+        try {
+            const pem = await provider.resolveTrustStorePem();
+            return normalizePemOrNull(pem);
+        }
+        catch (error) {
+            logger.debug("provider_trust_store_resolution_failed", {
+                node_id: nodeId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return null;
+        }
+    }
+    async storeCertificateMaterial(provider, material, nodeId) {
+        let stored = false;
+        if (typeof provider.storeSignedCertificate === "function") {
+            try {
+                await provider.storeSignedCertificate(material.certificatePem, material.certificateChainPem);
+                stored = true;
+            }
+            catch (error) {
+                logger.warning("failed_to_store_certificate", {
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        const persistenceHooks = [];
+        if (typeof provider.persistSignedCertificate === "function") {
+            persistenceHooks.push((hookMaterial, context) => provider.persistSignedCertificate(hookMaterial, context));
+        }
+        if (this.certificatePersistenceHook) {
+            persistenceHooks.push(this.certificatePersistenceHook);
+        }
+        for (const hook of persistenceHooks) {
+            try {
+                await hook(material, { nodeId });
+                stored = true;
+            }
+            catch (error) {
+                logger.debug("certificate_persistence_hook_failed", {
+                    node_id: nodeId,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        return stored;
+    }
+    async buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals) {
+        const trimmedPath = physicalPath.trim();
+        if (!trimmedPath) {
+            logger.warning("certificate_request_missing_physical_path", {
+                node_id: nodeId,
+            });
+            return null;
+        }
+        const pemSource = provider;
+        const privateKeyPem = pemSource.signingPrivatePem?.trim() ?? "";
+        const publicKeyPem = pemSource.signingPublicPem?.trim() ?? "";
+        if (!privateKeyPem || !publicKeyPem) {
+            logger.error("crypto_provider_missing_signing_material", {
+                node_id: nodeId,
+                has_private: Boolean(privateKeyPem),
+                has_public: Boolean(publicKeyPem),
+            });
+            return null;
+        }
+        const sanitizedLogicals = logicals.filter((value) => typeof value === "string" && value.trim().length > 0);
+        try {
+            const { csrPem } = await createEd25519CsrFromPem({
+                privateKeyPem,
+                publicKeyPem,
+                commonName: nodeId,
+                logicals: sanitizedLogicals,
+            });
+            return csrPem;
+        }
+        catch (error) {
+            logger.error("csr_generation_failed", {
+                node_id: nodeId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return null;
+        }
+    }
 }
 function normalizeSigningConfig(value) {
     if (value instanceof SigningConfigClass) {
@@ -458,7 +614,49 @@ function normalizeSigningConfig(value) {
     }
     return new SigningConfigClass();
 }
-async function resolveCertificateMaterial() {
+function normalizeCertificateMaterial(material) {
+    if (!material) {
+        return null;
+    }
+    const certificatePem = normalizePemOrNull(material.certificatePem);
+    if (!certificatePem) {
+        return null;
+    }
+    const certificateChainPem = normalizePemOrNull(material.certificateChainPem ?? null);
+    return {
+        certificatePem,
+        certificateChainPem,
+    };
+}
+function normalizeCertificateMaterialResolver(source) {
+    if (!source) {
+        return null;
+    }
+    if (typeof source === "function") {
+        return async () => normalizeCertificateMaterial(await source());
+    }
+    const normalized = normalizeCertificateMaterial(source);
+    return normalized ? async () => normalized : null;
+}
+function normalizeTrustStorePemResolver(source) {
+    if (!source) {
+        return null;
+    }
+    if (typeof source === "function") {
+        return async () => normalizePemOrNull(await source());
+    }
+    const normalized = normalizePemOrNull(source);
+    return normalized ? async () => normalized : null;
+}
+function normalizeCertificatePersistenceHook(hook) {
+    if (!hook) {
+        return null;
+    }
+    return async (material, context) => {
+        await hook(material, context);
+    };
+}
+async function resolveCertificateMaterialFromEnvironment() {
     const certificatePem = await resolvePemFromEnvironment("FAME_NODE_CERT_PEM", "FAME_NODE_CERT_FILE");
     if (!certificatePem) {
         return null;
@@ -474,8 +672,9 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
         return null;
     }
     const inlineValue = process.env?.[envVar];
-    if (inlineValue && inlineValue.trim().length > 0) {
-        return normalizePem(inlineValue);
+    const inline = normalizePemOrNull(inlineValue ?? null);
+    if (inline) {
+        return inline;
     }
     const filePath = process.env?.[fileVar];
     if (!filePath || filePath.trim().length === 0) {
@@ -490,7 +689,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
     try {
         const fs = await import("node:fs/promises");
         const content = await fs.readFile(filePath, "utf8");
-        return normalizePem(content);
+        return normalizePemOrNull(content);
     }
     catch (error) {
         logger.warning("failed_to_read_certificate_file", {
@@ -503,6 +702,13 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
 function normalizePem(value) {
     return value.replace(/\r/g, "").trim();
 }
+function normalizePemOrNull(value) {
+    if (!value) {
+        return null;
+    }
+    const normalized = normalizePem(value);
+    return normalized.length > 0 ? normalized : null;
+}
 function hasProcessEnv() {
     return typeof process !== "undefined" && !!process?.env;
 }
@@ -534,21 +740,6 @@ function providerHasCertificate(provider) {
     }
     return false;
 }
-function storeCertificateMaterial(provider, material) {
-    if (typeof provider.storeSignedCertificate !== "function") {
-        return false;
-    }
-    try {
-        provider.storeSignedCertificate(material.certificatePem, material.certificateChainPem);
-        return true;
-    }
-    catch (error) {
-        logger.warning("failed_to_store_certificate", {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return false;
-    }
-}
 function readFrameValue(frame, ...keys) {
     const record = frame;
     for (const key of keys) {
@@ -603,7 +794,7 @@ function normalizeAuthConfig(candidate) {
     }
     return normalized;
 }
-async function resolveTrustStorePem() {
+async function resolveTrustStorePemFromEnvironment() {
     if (!hasProcessEnv()) {
         return null;
     }
@@ -611,8 +802,9 @@ async function resolveTrustStorePem() {
     if (!rawValue || rawValue.trim().length === 0) {
         return null;
     }
-    if (rawValue.trim().startsWith("-----BEGIN")) {
-        return rawValue.replace(/\r/g, "").trim();
+    const trimmed = rawValue.trim();
+    if (trimmed.startsWith("-----BEGIN")) {
+        return normalizePem(trimmed);
     }
     if (!isNodeProcess()) {
         logger.debug("trust_store_file_unavailable_in_browser", {
@@ -620,11 +812,14 @@ async function resolveTrustStorePem() {
         });
         return null;
     }
-    const filePath = rawValue.trim();
+    const filePath = trimmed;
+    if (!filePath) {
+        return null;
+    }
     try {
         const fs = await import("node:fs/promises");
         const content = await fs.readFile(filePath, "utf8");
-        return content.replace(/\r/g, "").trim();
+        return normalizePemOrNull(content);
     }
     catch (error) {
         logger.error("failed_to_read_trust_store", {