node-opcua-pki 3.0.2 → 3.1.1

package/dist/pki/certificate_authority.js

@@ -1,482 +1,482 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CertificateAuthority = exports.defaultSubject = void 0;
-// ---------------------------------------------------------------------------------------------------------------------
-// node-opcua
-// ---------------------------------------------------------------------------------------------------------------------
-// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
-// Copyright (c) 2022 - Sterfive.com
-// ---------------------------------------------------------------------------------------------------------------------
-//
-// This  project is licensed under the terms of the MIT license.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
-// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
-// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
-// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
-// Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
-// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-// ---------------------------------------------------------------------------------------------------------------------
-// tslint:disable:no-shadowed-variable
-const assert = require("assert");
-const async = require("async");
-const chalk = require("chalk");
-const fs = require("fs");
-const path = require("path");
-const toolbox_1 = require("./toolbox");
-const subject_1 = require("../misc/subject");
-const node_opcua_crypto_1 = require("node-opcua-crypto");
-exports.defaultSubject = "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA";
-const config = {
-    certificateDir: "INVALID",
-    forceCA: false,
-    pkiDir: "INVALID",
-};
-const n = toolbox_1.make_path;
-const q = toolbox_1.quote;
-// convert 'c07b9179'  to    "192.123.145.121"
-function octetStringToIpAddress(a) {
-    return (parseInt(a.substr(0, 2), 16).toString() +
-        "." +
-        parseInt(a.substr(2, 2), 16).toString() +
-        "." +
-        parseInt(a.substr(4, 2), 16).toString() +
-        "." +
-        parseInt(a.substr(6, 2), 16).toString());
-}
-function construct_CertificateAuthority(certificateAuthority, callback) {
-    // create the CA directory store
-    // create the CA directory store
-    //
-    // PKI/CA
-    //     |
-    //     +-+> private
-    //     |
-    //     +-+> public
-    //     |
-    //     +-+> certs
-    //     |
-    //     +-+> crl
-    //     |
-    //     +-+> conf
-    //     |
-    //     +-f: serial
-    //     +-f: crlNumber
-    //     +-f: index.txt
-    //
-    const subject = certificateAuthority.subject;
-    const caRootDir = certificateAuthority.rootDir;
-    function make_folders() {
-        (0, toolbox_1.mkdir)(caRootDir);
-        (0, toolbox_1.mkdir)(path.join(caRootDir, "private"));
-        (0, toolbox_1.mkdir)(path.join(caRootDir, "public"));
-        // xx execute("chmod 700 private");
-        (0, toolbox_1.mkdir)(path.join(caRootDir, "certs"));
-        (0, toolbox_1.mkdir)(path.join(caRootDir, "crl"));
-        (0, toolbox_1.mkdir)(path.join(caRootDir, "conf"));
-    }
-    make_folders();
-    function construct_default_files() {
-        const serial = path.join(caRootDir, "serial");
-        if (!fs.existsSync(serial)) {
-            fs.writeFileSync(serial, "1000");
-        }
-        const crlNumber = path.join(caRootDir, "crlnumber");
-        if (!fs.existsSync(crlNumber)) {
-            fs.writeFileSync(crlNumber, "1000");
-        }
-        const indexFile = path.join(caRootDir, "index.txt");
-        if (!fs.existsSync(indexFile)) {
-            fs.writeFileSync(indexFile, "");
-        }
-    }
-    construct_default_files();
-    if (fs.existsSync(path.join(caRootDir, "private/cakey.pem")) && !config.forceCA) {
-        // certificate already exists => do not overwrite
-        (0, toolbox_1.debugLog)("CA private key already exists ... skipping");
-        return callback();
-    }
-    // tslint:disable:no-empty
-    (0, toolbox_1.displayTitle)("Create Certificate Authority (CA)", (_err) => { });
-    const indexFileAttr = path.join(caRootDir, "index.txt.attr");
-    if (!fs.existsSync(indexFileAttr)) {
-        fs.writeFileSync(indexFileAttr, "unique_subject = no");
-    }
-    const caConfigFile = certificateAuthority.configFile;
-    // eslint-disable-next-line no-constant-condition
-    if (1 || !fs.existsSync(caConfigFile)) {
-        let data = toolbox_1.configurationFileTemplate; // inlineText(configurationFile);
-        data = data.replace(/%%ROOT_FOLDER%%/, (0, toolbox_1.make_path)(caRootDir));
-        fs.writeFileSync(caConfigFile, data);
-    }
-    // http://www.akadia.com/services/ssh_test_certificate.html
-    const subjectOpt = " -subj \"" + subject.toString() + "\" ";
-    const options = { cwd: caRootDir };
-    (0, toolbox_1.processAltNames)({});
-    const configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", options);
-    const configOption = " -config " + q(n(configFile));
-    const keySize = certificateAuthority.keySize;
-    const randomFile = "random.rnd";
-    const tasks = [
-        (callback) => (0, toolbox_1.displayTitle)("Creating random file random.rnd", callback),
-        (callback) => (0, toolbox_1.createRandomFileIfNotExist)(randomFile, options, callback),
-        (callback) => (0, toolbox_1.displayTitle)("Generate the CA private Key - " + keySize, callback),
-        // The first step is to create your RSA Private Key.
-        // This key is a 1025,2048,3072 or 2038 bit RSA key which is encrypted using
-        // Triple-DES and stored in a PEM format so that it is readable as ASCII text.
-        (callback) => (0, toolbox_1.execute_openssl)("genrsa " + " -out  private/cakey.pem" + ((0, toolbox_1.useRandFile)() ? " -rand " + randomFile : "") + " " + keySize, options, callback),
-        (callback) => (0, toolbox_1.displayTitle)("Generate a certificate request for the CA key", callback),
-        // Once the private key is generated a Certificate Signing Request can be generated.
-        // The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as
-        // Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate.
-        // The second option is to self-sign the CSR, which will be demonstrated in the next section
-        (callback) => (0, toolbox_1.execute_openssl)("req -new" +
-            " -sha256 " +
-            " -text " +
-            " -extensions v3_ca" +
-            configOption +
-            " -key private/cakey.pem " +
-            " -out private/cakey.csr " +
-            subjectOpt, options, callback),
-        // xx // Step 3: Remove Passphrase from Key
-        // xx execute("cp private/cakey.pem private/cakey.pem.org");
-        // xx execute(openssl_path + " rsa -in private/cakey.pem.org -out private/cakey.pem -passin pass:"+paraphrase);
-        (callback) => (0, toolbox_1.displayTitle)("Generate CA Certificate (self-signed)", callback),
-        (callback) => (0, toolbox_1.execute_openssl)(" x509 -sha256 -req -days 3650 " +
-            " -text " +
-            " -extensions v3_ca" +
-            " -extfile " +
-            q(n(configFile)) +
-            " -in private/cakey.csr " +
-            " -signkey private/cakey.pem " +
-            " -out public/cacert.pem", options, callback),
-        (callback) => (0, toolbox_1.displaySubtitle)("generate initial CRL (Certificate Revocation List)", callback),
-        (callback) => regenerateCrl(certificateAuthority.revocationList, configOption, options, callback),
-        (callback) => (0, toolbox_1.displayTitle)("Create Certificate Authority (CA) ---> DONE", callback),
-    ];
-    async.series(tasks, callback);
-}
-function regenerateCrl(revocationList, configOption, options, callback) {
-    const tasks = [
-        (callback) => (0, toolbox_1.displaySubtitle)("regenerate CRL (Certificate Revocation List)", callback),
-        (callback) => 
-        // produce a CRL in PEM format
-        (0, toolbox_1.execute_openssl)("ca -gencrl " + configOption + " -out crl/revocation_list.crl", options, callback),
-        (callback) => (0, toolbox_1.execute_openssl)("crl " + " -in  crl/revocation_list.crl -out  crl/revocation_list.der " + " -outform der", options, callback),
-        (callback) => (0, toolbox_1.displaySubtitle)("Display (Certificate Revocation List)", callback),
-        (callback) => (0, toolbox_1.execute_openssl)("crl " + " -in " + q(n(revocationList)) + " -text " + " -noout", options, callback),
-    ];
-    async.series(tasks, callback);
-}
-class CertificateAuthority {
-    constructor(options) {
-        assert(Object.prototype.hasOwnProperty.call(options, "location"));
-        assert(Object.prototype.hasOwnProperty.call(options, "keySize"));
-        this.location = options.location;
-        this.keySize = options.keySize || 2048;
-        this.subject = new subject_1.Subject(options.subject || exports.defaultSubject);
-    }
-    get rootDir() {
-        return this.location;
-    }
-    get configFile() {
-        return path.normalize(path.join(this.rootDir, "./conf/caconfig.cnf"));
-    }
-    get caCertificate() {
-        // the Certificate Authority Certificate
-        return (0, toolbox_1.make_path)(this.rootDir, "./public/cacert.pem");
-    }
-    /**
-     * the file name where  the current Certificate Revocation List is stored (in DER format)
-     */
-    get revocationListDER() {
-        return (0, toolbox_1.make_path)(this.rootDir, "./crl/revocation_list.der");
-    }
-    /**
-     * the file name where  the current Certificate Revocation List is stored (in PEM format)
-     */
-    get revocationList() {
-        return (0, toolbox_1.make_path)(this.rootDir, "./crl/revocation_list.crl");
-    }
-    get caCertificateWithCrl() {
-        return (0, toolbox_1.make_path)(this.rootDir, "./public/cacertificate_with_crl.pem");
-    }
-    initialize(callback) {
-        assert(typeof callback === "function");
-        construct_CertificateAuthority(this, callback);
-    }
-    constructCACertificateWithCRL(callback) {
-        assert(typeof callback === "function");
-        const cacertWithCRL = this.caCertificateWithCrl;
-        // note : in order to check if the certificate is revoked,
-        // you need to specify -crl_check and have both the CA cert and the (applicable) CRL in your trust store.
-        // There are two ways to do that:
-        // 1. concatenate cacert.pem and crl.pem into one file and use that for -CAfile.
-        // 2. use some linked
-        // ( from http://security.stackexchange.com/a/58305/59982)
-        if (fs.existsSync(this.revocationList)) {
-            fs.writeFileSync(cacertWithCRL, fs.readFileSync(this.caCertificate, "utf8") + fs.readFileSync(this.revocationList, "utf8"));
-        }
-        else {
-            // there is no revocation list yet
-            fs.writeFileSync(cacertWithCRL, fs.readFileSync(this.caCertificate));
-        }
-        callback();
-    }
-    constructCertificateChain(certificate, callback) {
-        assert(typeof callback === "function");
-        assert(fs.existsSync(certificate));
-        assert(fs.existsSync(this.caCertificate));
-        (0, toolbox_1.debugLog)(chalk.yellow("        certificate file :"), chalk.cyan(certificate));
-        // append
-        fs.writeFileSync(certificate, fs.readFileSync(certificate, "utf8") + fs.readFileSync(this.caCertificate, "utf8")
-        //   + fs.readFileSync(this.revocationList)
-        );
-        callback();
-    }
-    createSelfSignedCertificate(certificateFile, privateKey, params, callback) {
-        assert(typeof privateKey === "string");
-        assert(fs.existsSync(privateKey));
-        assert(typeof callback === "function");
-        if (!(0, toolbox_1.certificateFileExist)(certificateFile)) {
-            return callback();
-        }
-        (0, toolbox_1.adjustDate)(params);
-        (0, toolbox_1.adjustApplicationUri)(params);
-        (0, toolbox_1.processAltNames)(params);
-        const csrFile = certificateFile + "_csr";
-        assert(csrFile);
-        const configFile = (0, toolbox_1.generateStaticConfig)(this.configFile);
-        const options = {
-            cwd: this.rootDir,
-            openssl_conf: (0, toolbox_1.make_path)(configFile),
-        };
-        const configOption = "";
-        const subject = params.subject ? new subject_1.Subject(params.subject).toString() : "";
-        const subjectOptions = subject && subject.length > 1 ? " -subj " + subject + " " : "";
-        const tasks = [];
-        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- the certificate signing request", callback));
-        tasks.push((callback) => (0, toolbox_1.execute_openssl)("req " +
-            " -new -sha256 -text " +
-            configOption +
-            subjectOptions +
-            " -batch -key " +
-            q(n(privateKey)) +
-            " -out " +
-            q(n(csrFile)), options, callback));
-        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- creating the self-signed certificate", callback));
-        tasks.push((callback) => (0, toolbox_1.execute_openssl)("ca " +
-            " -selfsign " +
-            " -keyfile " +
-            q(n(privateKey)) +
-            " -startdate " +
-            (0, toolbox_1.x509Date)(params.startDate) +
-            " -enddate " +
-            (0, toolbox_1.x509Date)(params.endDate) +
-            " -batch -out " +
-            q(n(certificateFile)) +
-            " -in " +
-            q(n(csrFile)), options, callback));
-        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- dump the certificate for a check", callback));
-        tasks.push((callback) => (0, toolbox_1.execute_openssl)("x509 -in " + q(n(certificateFile)) + "  -dates -fingerprint -purpose -noout", {}, callback));
-        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- verify self-signed certificate", callback));
-        tasks.push((callback) => (0, toolbox_1.execute_openssl_no_failure)("verify -verbose -CAfile " + q(n(certificateFile)) + " " + q(n(certificateFile)), options, callback));
-        tasks.push((callback) => fs.unlink(csrFile, callback));
-        async.series(tasks, (err) => {
-            callback(err);
-        });
-    }
-    revokeCertificate(certificate, params, callback) {
-        assert(typeof callback === "function");
-        const crlReasons = [
-            "unspecified",
-            "keyCompromise",
-            "CACompromise",
-            "affiliationChanged",
-            "superseded",
-            "cessationOfOperation",
-            "certificateHold",
-            "removeFromCRL",
-        ];
-        const configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", { cwd: this.rootDir });
-        const options = {
-            cwd: this.rootDir,
-            openssl_conf: (0, toolbox_1.make_path)(configFile),
-        };
-        (0, toolbox_1.setEnv)("ALTNAME", "");
-        const randomFile = path.join(this.rootDir, "random.rnd");
-        (0, toolbox_1.setEnv)("RANDFILE", randomFile);
-        // // tslint:disable-next-line:no-string-literal
-        // if (!fs.existsSync((process.env as any)["OPENSSL_CONF"])) {
-        //     throw new Error("Cannot find OPENSSL_CONF");
-        // }
-        const configOption = " -config " + q(n(configFile));
-        const reason = params.reason || "keyCompromise";
-        assert(crlReasons.indexOf(reason) >= 0);
-        const tasks = [
-            (callback) => (0, toolbox_1.displayTitle)("Revoking certificate  " + certificate, callback),
-            (callback) => (0, toolbox_1.displaySubtitle)("Make sure random file exists" + randomFile, callback),
-            (callback) => (0, toolbox_1.createRandomFileIfNotExist)(randomFile, {}, callback),
-            (callback) => (0, toolbox_1.displaySubtitle)("Revoke certificate", callback),
-            (callback) => {
-                (0, toolbox_1.execute_openssl_no_failure)("ca -verbose " + configOption + " -revoke " + q(certificate) + " -crl_reason " + reason, options, callback);
-            },
-            // regenerate CRL (Certificate Revocation List)
-            (callback) => regenerateCrl(this.revocationList, configOption, options, callback),
-            (callback) => (0, toolbox_1.displaySubtitle)("Verify that certificate is revoked  ", callback),
-            (callback) => {
-                (0, toolbox_1.execute_openssl_no_failure)("verify -verbose" +
-                    // configOption +
-                    " -CRLfile " +
-                    q(n(this.revocationList)) +
-                    " -CAfile " +
-                    q(n(this.caCertificate)) +
-                    " -crl_check " +
-                    q(n(certificate)), options, (err, output) => {
-                    callback();
-                });
-            },
-            // produce CRL in DER format
-            (callback) => (0, toolbox_1.displaySubtitle)("Produce CRL in DER form ", callback),
-            (callback) => (0, toolbox_1.execute_openssl)("crl " + " -in " + q(n(this.revocationList)) + " -out " + "crl/revocation_list.der " + " -outform der", options, callback),
-            // produce CRL in PEM format with text
-            (callback) => (0, toolbox_1.displaySubtitle)("Produce CRL in PEM form ", callback),
-            (callback) => (0, toolbox_1.execute_openssl)("crl " +
-                " -in " +
-                q(n(this.revocationList)) +
-                " -out " +
-                "crl/revocation_list.pem " +
-                " -outform pem" +
-                " -text ", options, callback),
-        ];
-        async.series(tasks, callback);
-    }
-    signCertificateRequest(certificate, certificateSigningRequestFilename, params, callback) {
-        // istanbul ignore next
-        if (!callback) {
-            throw new Error("Internal Error");
-        }
-        (0, toolbox_1.ensure_openssl_installed)(() => {
-            try {
-                assert(fs.existsSync(certificateSigningRequestFilename));
-                assert(typeof callback === "function");
-                if (!(0, toolbox_1.certificateFileExist)(certificate)) {
-                    return callback(null);
-                }
-                (0, toolbox_1.adjustDate)(params);
-                (0, toolbox_1.adjustApplicationUri)(params);
-                (0, toolbox_1.processAltNames)(params);
-                const options = { cwd: this.rootDir };
-                let configFile;
-                const tasks = [];
-                let csrInfo;
-                // note :
-                // subjectAltName is not copied across
-                //  see https://github.com/openssl/openssl/issues/10458
-                tasks.push((callback) => {
-                    (0, node_opcua_crypto_1.readCertificateSigningRequest)(certificateSigningRequestFilename)
-                        .then((csr) => {
-                        csrInfo = (0, node_opcua_crypto_1.exploreCertificateSigningRequest)(csr);
-                        callback();
-                    })
-                        .catch((err) => callback(err));
-                });
-                tasks.push((callback) => {
-                    const applicationUri = csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier[0];
-                    if (typeof applicationUri !== "string") {
-                        return callback(new Error("Cannot find applicationUri in CSR"));
-                    }
-                    const dns = csrInfo.extensionRequest.subjectAltName.dNSName || [];
-                    let ip = csrInfo.extensionRequest.subjectAltName.iPAddress || [];
-                    ip = ip.map(octetStringToIpAddress);
-                    const params = {
-                        applicationUri,
-                        dns,
-                        ip,
-                    };
-                    (0, toolbox_1.processAltNames)(params);
-                    configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", options);
-                    callback();
-                });
-                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- then we ask the authority to sign the certificate signing request", callback));
-                tasks.push((callback) => {
-                    const configOption = " -config " + configFile;
-                    (0, toolbox_1.execute_openssl)("ca " +
-                        configOption +
-                        " -startdate " +
-                        (0, toolbox_1.x509Date)(params.startDate) +
-                        " -enddate " +
-                        (0, toolbox_1.x509Date)(params.endDate) +
-                        " -batch -out " +
-                        q(n(certificate)) +
-                        " -in " +
-                        q(n(certificateSigningRequestFilename)), options, callback);
-                });
-                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- dump the certificate for a check", callback));
-                tasks.push((callback) => (0, toolbox_1.execute_openssl)("x509 -in " + q(n(certificate)) + "  -dates -fingerprint -purpose -noout", options, callback));
-                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- construct CA certificate with CRL", callback));
-                tasks.push((callback) => {
-                    this.constructCACertificateWithCRL(callback);
-                });
-                // construct certificate chain
-                //   concatenate certificate with CA Certificate and revocation list
-                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- construct certificate chain", callback));
-                tasks.push((callback) => {
-                    this.constructCertificateChain(certificate, callback);
-                });
-                // todo
-                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- verify certificate against the root CA", callback));
-                tasks.push((callback) => {
-                    this.verifyCertificate(certificate, callback);
-                });
-                async.series(tasks, (err) => {
-                    // istanbul ignore next
-                    if (err) {
-                        return callback(err);
-                    }
-                    callback(null, certificate);
-                });
-            }
-            catch (err) {
-                callback(err);
-            }
-        });
-    }
-    verifyCertificate(certificate, callback) {
-        // openssl verify crashes on windows! we cannot use it reliably
-        // istanbul ignore next
-        const isImplemented = false;
-        // istanbul ignore next
-        if (isImplemented) {
-            const options = { cwd: this.rootDir };
-            const configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", options);
-            (0, toolbox_1.setEnv)("OPENSSL_CONF", (0, toolbox_1.make_path)(configFile));
-            const configOption = " -config " + configFile;
-            (0, toolbox_1.execute_openssl_no_failure)("verify -verbose " + " -CAfile " + q(n(this.caCertificateWithCrl)) + " " + q(n(certificate)), options, (err) => {
-                callback(err ? err : undefined);
-            });
-        }
-        else {
-            return callback();
-        }
-    }
-}
-exports.CertificateAuthority = CertificateAuthority;
-// tslint:disable:no-var-requires
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const thenify = require("thenify");
-const opts = { multiArgs: false };
-CertificateAuthority.prototype.initialize = thenify.withCallback(CertificateAuthority.prototype.initialize, opts);
-CertificateAuthority.prototype.constructCACertificateWithCRL = thenify.withCallback(CertificateAuthority.prototype.constructCACertificateWithCRL, opts);
-CertificateAuthority.prototype.constructCertificateChain = thenify.withCallback(CertificateAuthority.prototype.constructCertificateChain, opts);
-CertificateAuthority.prototype.createSelfSignedCertificate = thenify.withCallback(CertificateAuthority.prototype.createSelfSignedCertificate, opts);
-CertificateAuthority.prototype.revokeCertificate = thenify.withCallback(CertificateAuthority.prototype.revokeCertificate, opts);
-CertificateAuthority.prototype.verifyCertificate = thenify.withCallback(CertificateAuthority.prototype.verifyCertificate, opts);
-CertificateAuthority.prototype.signCertificateRequest = thenify.withCallback(CertificateAuthority.prototype.signCertificateRequest, opts);
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateAuthority = exports.defaultSubject = void 0;
+// ---------------------------------------------------------------------------------------------------------------------
+// node-opcua
+// ---------------------------------------------------------------------------------------------------------------------
+// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
+// Copyright (c) 2022 - Sterfive.com
+// ---------------------------------------------------------------------------------------------------------------------
+//
+// This  project is licensed under the terms of the MIT license.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+// Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+// ---------------------------------------------------------------------------------------------------------------------
+// tslint:disable:no-shadowed-variable
+const assert = require("assert");
+const async = require("async");
+const chalk = require("chalk");
+const fs = require("fs");
+const path = require("path");
+const toolbox_1 = require("./toolbox");
+const subject_1 = require("../misc/subject");
+const node_opcua_crypto_1 = require("node-opcua-crypto");
+exports.defaultSubject = "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA";
+const config = {
+    certificateDir: "INVALID",
+    forceCA: false,
+    pkiDir: "INVALID",
+};
+const n = toolbox_1.make_path;
+const q = toolbox_1.quote;
+// convert 'c07b9179'  to    "192.123.145.121"
+function octetStringToIpAddress(a) {
+    return (parseInt(a.substr(0, 2), 16).toString() +
+        "." +
+        parseInt(a.substr(2, 2), 16).toString() +
+        "." +
+        parseInt(a.substr(4, 2), 16).toString() +
+        "." +
+        parseInt(a.substr(6, 2), 16).toString());
+}
+function construct_CertificateAuthority(certificateAuthority, callback) {
+    // create the CA directory store
+    // create the CA directory store
+    //
+    // PKI/CA
+    //     |
+    //     +-+> private
+    //     |
+    //     +-+> public
+    //     |
+    //     +-+> certs
+    //     |
+    //     +-+> crl
+    //     |
+    //     +-+> conf
+    //     |
+    //     +-f: serial
+    //     +-f: crlNumber
+    //     +-f: index.txt
+    //
+    const subject = certificateAuthority.subject;
+    const caRootDir = certificateAuthority.rootDir;
+    function make_folders() {
+        (0, toolbox_1.mkdir)(caRootDir);
+        (0, toolbox_1.mkdir)(path.join(caRootDir, "private"));
+        (0, toolbox_1.mkdir)(path.join(caRootDir, "public"));
+        // xx execute("chmod 700 private");
+        (0, toolbox_1.mkdir)(path.join(caRootDir, "certs"));
+        (0, toolbox_1.mkdir)(path.join(caRootDir, "crl"));
+        (0, toolbox_1.mkdir)(path.join(caRootDir, "conf"));
+    }
+    make_folders();
+    function construct_default_files() {
+        const serial = path.join(caRootDir, "serial");
+        if (!fs.existsSync(serial)) {
+            fs.writeFileSync(serial, "1000");
+        }
+        const crlNumber = path.join(caRootDir, "crlnumber");
+        if (!fs.existsSync(crlNumber)) {
+            fs.writeFileSync(crlNumber, "1000");
+        }
+        const indexFile = path.join(caRootDir, "index.txt");
+        if (!fs.existsSync(indexFile)) {
+            fs.writeFileSync(indexFile, "");
+        }
+    }
+    construct_default_files();
+    if (fs.existsSync(path.join(caRootDir, "private/cakey.pem")) && !config.forceCA) {
+        // certificate already exists => do not overwrite
+        (0, toolbox_1.debugLog)("CA private key already exists ... skipping");
+        return callback();
+    }
+    // tslint:disable:no-empty
+    (0, toolbox_1.displayTitle)("Create Certificate Authority (CA)", (_err) => { });
+    const indexFileAttr = path.join(caRootDir, "index.txt.attr");
+    if (!fs.existsSync(indexFileAttr)) {
+        fs.writeFileSync(indexFileAttr, "unique_subject = no");
+    }
+    const caConfigFile = certificateAuthority.configFile;
+    // eslint-disable-next-line no-constant-condition
+    if (1 || !fs.existsSync(caConfigFile)) {
+        let data = toolbox_1.configurationFileTemplate; // inlineText(configurationFile);
+        data = data.replace(/%%ROOT_FOLDER%%/, (0, toolbox_1.make_path)(caRootDir));
+        fs.writeFileSync(caConfigFile, data);
+    }
+    // http://www.akadia.com/services/ssh_test_certificate.html
+    const subjectOpt = " -subj \"" + subject.toString() + "\" ";
+    const options = { cwd: caRootDir };
+    (0, toolbox_1.processAltNames)({});
+    const configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", options);
+    const configOption = " -config " + q(n(configFile));
+    const keySize = certificateAuthority.keySize;
+    const randomFile = "random.rnd";
+    const tasks = [
+        (callback) => (0, toolbox_1.displayTitle)("Creating random file random.rnd", callback),
+        (callback) => (0, toolbox_1.createRandomFileIfNotExist)(randomFile, options, callback),
+        (callback) => (0, toolbox_1.displayTitle)("Generate the CA private Key - " + keySize, callback),
+        // The first step is to create your RSA Private Key.
+        // This key is a 1025,2048,3072 or 2038 bit RSA key which is encrypted using
+        // Triple-DES and stored in a PEM format so that it is readable as ASCII text.
+        (callback) => (0, toolbox_1.execute_openssl)("genrsa " + " -out  private/cakey.pem" + ((0, toolbox_1.useRandFile)() ? " -rand " + randomFile : "") + " " + keySize, options, callback),
+        (callback) => (0, toolbox_1.displayTitle)("Generate a certificate request for the CA key", callback),
+        // Once the private key is generated a Certificate Signing Request can be generated.
+        // The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as
+        // Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate.
+        // The second option is to self-sign the CSR, which will be demonstrated in the next section
+        (callback) => (0, toolbox_1.execute_openssl)("req -new" +
+            " -sha256 " +
+            " -text " +
+            " -extensions v3_ca" +
+            configOption +
+            " -key private/cakey.pem " +
+            " -out private/cakey.csr " +
+            subjectOpt, options, callback),
+        // xx // Step 3: Remove Passphrase from Key
+        // xx execute("cp private/cakey.pem private/cakey.pem.org");
+        // xx execute(openssl_path + " rsa -in private/cakey.pem.org -out private/cakey.pem -passin pass:"+paraphrase);
+        (callback) => (0, toolbox_1.displayTitle)("Generate CA Certificate (self-signed)", callback),
+        (callback) => (0, toolbox_1.execute_openssl)(" x509 -sha256 -req -days 3650 " +
+            " -text " +
+            " -extensions v3_ca" +
+            " -extfile " +
+            q(n(configFile)) +
+            " -in private/cakey.csr " +
+            " -signkey private/cakey.pem " +
+            " -out public/cacert.pem", options, callback),
+        (callback) => (0, toolbox_1.displaySubtitle)("generate initial CRL (Certificate Revocation List)", callback),
+        (callback) => regenerateCrl(certificateAuthority.revocationList, configOption, options, callback),
+        (callback) => (0, toolbox_1.displayTitle)("Create Certificate Authority (CA) ---> DONE", callback),
+    ];
+    async.series(tasks, callback);
+}
+function regenerateCrl(revocationList, configOption, options, callback) {
+    const tasks = [
+        (callback) => (0, toolbox_1.displaySubtitle)("regenerate CRL (Certificate Revocation List)", callback),
+        (callback) => 
+        // produce a CRL in PEM format
+        (0, toolbox_1.execute_openssl)("ca -gencrl " + configOption + " -out crl/revocation_list.crl", options, callback),
+        (callback) => (0, toolbox_1.execute_openssl)("crl " + " -in  crl/revocation_list.crl -out  crl/revocation_list.der " + " -outform der", options, callback),
+        (callback) => (0, toolbox_1.displaySubtitle)("Display (Certificate Revocation List)", callback),
+        (callback) => (0, toolbox_1.execute_openssl)("crl " + " -in " + q(n(revocationList)) + " -text " + " -noout", options, callback),
+    ];
+    async.series(tasks, callback);
+}
+class CertificateAuthority {
+    constructor(options) {
+        assert(Object.prototype.hasOwnProperty.call(options, "location"));
+        assert(Object.prototype.hasOwnProperty.call(options, "keySize"));
+        this.location = options.location;
+        this.keySize = options.keySize || 2048;
+        this.subject = new subject_1.Subject(options.subject || exports.defaultSubject);
+    }
+    get rootDir() {
+        return this.location;
+    }
+    get configFile() {
+        return path.normalize(path.join(this.rootDir, "./conf/caconfig.cnf"));
+    }
+    get caCertificate() {
+        // the Certificate Authority Certificate
+        return (0, toolbox_1.make_path)(this.rootDir, "./public/cacert.pem");
+    }
+    /**
+     * the file name where  the current Certificate Revocation List is stored (in DER format)
+     */
+    get revocationListDER() {
+        return (0, toolbox_1.make_path)(this.rootDir, "./crl/revocation_list.der");
+    }
+    /**
+     * the file name where  the current Certificate Revocation List is stored (in PEM format)
+     */
+    get revocationList() {
+        return (0, toolbox_1.make_path)(this.rootDir, "./crl/revocation_list.crl");
+    }
+    get caCertificateWithCrl() {
+        return (0, toolbox_1.make_path)(this.rootDir, "./public/cacertificate_with_crl.pem");
+    }
+    initialize(callback) {
+        assert(typeof callback === "function");
+        construct_CertificateAuthority(this, callback);
+    }
+    constructCACertificateWithCRL(callback) {
+        assert(typeof callback === "function");
+        const cacertWithCRL = this.caCertificateWithCrl;
+        // note : in order to check if the certificate is revoked,
+        // you need to specify -crl_check and have both the CA cert and the (applicable) CRL in your trust store.
+        // There are two ways to do that:
+        // 1. concatenate cacert.pem and crl.pem into one file and use that for -CAfile.
+        // 2. use some linked
+        // ( from http://security.stackexchange.com/a/58305/59982)
+        if (fs.existsSync(this.revocationList)) {
+            fs.writeFileSync(cacertWithCRL, fs.readFileSync(this.caCertificate, "utf8") + fs.readFileSync(this.revocationList, "utf8"));
+        }
+        else {
+            // there is no revocation list yet
+            fs.writeFileSync(cacertWithCRL, fs.readFileSync(this.caCertificate));
+        }
+        callback();
+    }
+    constructCertificateChain(certificate, callback) {
+        assert(typeof callback === "function");
+        assert(fs.existsSync(certificate));
+        assert(fs.existsSync(this.caCertificate));
+        (0, toolbox_1.debugLog)(chalk.yellow("        certificate file :"), chalk.cyan(certificate));
+        // append
+        fs.writeFileSync(certificate, fs.readFileSync(certificate, "utf8") + fs.readFileSync(this.caCertificate, "utf8")
+        //   + fs.readFileSync(this.revocationList)
+        );
+        callback();
+    }
+    createSelfSignedCertificate(certificateFile, privateKey, params, callback) {
+        assert(typeof privateKey === "string");
+        assert(fs.existsSync(privateKey));
+        assert(typeof callback === "function");
+        if (!(0, toolbox_1.certificateFileExist)(certificateFile)) {
+            return callback();
+        }
+        (0, toolbox_1.adjustDate)(params);
+        (0, toolbox_1.adjustApplicationUri)(params);
+        (0, toolbox_1.processAltNames)(params);
+        const csrFile = certificateFile + "_csr";
+        assert(csrFile);
+        const configFile = (0, toolbox_1.generateStaticConfig)(this.configFile);
+        const options = {
+            cwd: this.rootDir,
+            openssl_conf: (0, toolbox_1.make_path)(configFile),
+        };
+        const configOption = "";
+        const subject = params.subject ? new subject_1.Subject(params.subject).toString() : "";
+        const subjectOptions = subject && subject.length > 1 ? " -subj " + subject + " " : "";
+        const tasks = [];
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- the certificate signing request", callback));
+        tasks.push((callback) => (0, toolbox_1.execute_openssl)("req " +
+            " -new -sha256 -text " +
+            configOption +
+            subjectOptions +
+            " -batch -key " +
+            q(n(privateKey)) +
+            " -out " +
+            q(n(csrFile)), options, callback));
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- creating the self-signed certificate", callback));
+        tasks.push((callback) => (0, toolbox_1.execute_openssl)("ca " +
+            " -selfsign " +
+            " -keyfile " +
+            q(n(privateKey)) +
+            " -startdate " +
+            (0, toolbox_1.x509Date)(params.startDate) +
+            " -enddate " +
+            (0, toolbox_1.x509Date)(params.endDate) +
+            " -batch -out " +
+            q(n(certificateFile)) +
+            " -in " +
+            q(n(csrFile)), options, callback));
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- dump the certificate for a check", callback));
+        tasks.push((callback) => (0, toolbox_1.execute_openssl)("x509 -in " + q(n(certificateFile)) + "  -dates -fingerprint -purpose -noout", {}, callback));
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- verify self-signed certificate", callback));
+        tasks.push((callback) => (0, toolbox_1.execute_openssl_no_failure)("verify -verbose -CAfile " + q(n(certificateFile)) + " " + q(n(certificateFile)), options, callback));
+        tasks.push((callback) => fs.unlink(csrFile, callback));
+        async.series(tasks, (err) => {
+            callback(err);
+        });
+    }
+    revokeCertificate(certificate, params, callback) {
+        assert(typeof callback === "function");
+        const crlReasons = [
+            "unspecified",
+            "keyCompromise",
+            "CACompromise",
+            "affiliationChanged",
+            "superseded",
+            "cessationOfOperation",
+            "certificateHold",
+            "removeFromCRL",
+        ];
+        const configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", { cwd: this.rootDir });
+        const options = {
+            cwd: this.rootDir,
+            openssl_conf: (0, toolbox_1.make_path)(configFile),
+        };
+        (0, toolbox_1.setEnv)("ALTNAME", "");
+        const randomFile = path.join(this.rootDir, "random.rnd");
+        (0, toolbox_1.setEnv)("RANDFILE", randomFile);
+        // // tslint:disable-next-line:no-string-literal
+        // if (!fs.existsSync((process.env as any)["OPENSSL_CONF"])) {
+        //     throw new Error("Cannot find OPENSSL_CONF");
+        // }
+        const configOption = " -config " + q(n(configFile));
+        const reason = params.reason || "keyCompromise";
+        assert(crlReasons.indexOf(reason) >= 0);
+        const tasks = [
+            (callback) => (0, toolbox_1.displayTitle)("Revoking certificate  " + certificate, callback),
+            (callback) => (0, toolbox_1.displaySubtitle)("Make sure random file exists" + randomFile, callback),
+            (callback) => (0, toolbox_1.createRandomFileIfNotExist)(randomFile, {}, callback),
+            (callback) => (0, toolbox_1.displaySubtitle)("Revoke certificate", callback),
+            (callback) => {
+                (0, toolbox_1.execute_openssl_no_failure)("ca -verbose " + configOption + " -revoke " + q(certificate) + " -crl_reason " + reason, options, callback);
+            },
+            // regenerate CRL (Certificate Revocation List)
+            (callback) => regenerateCrl(this.revocationList, configOption, options, callback),
+            (callback) => (0, toolbox_1.displaySubtitle)("Verify that certificate is revoked  ", callback),
+            (callback) => {
+                (0, toolbox_1.execute_openssl_no_failure)("verify -verbose" +
+                    // configOption +
+                    " -CRLfile " +
+                    q(n(this.revocationList)) +
+                    " -CAfile " +
+                    q(n(this.caCertificate)) +
+                    " -crl_check " +
+                    q(n(certificate)), options, (err, output) => {
+                    callback();
+                });
+            },
+            // produce CRL in DER format
+            (callback) => (0, toolbox_1.displaySubtitle)("Produce CRL in DER form ", callback),
+            (callback) => (0, toolbox_1.execute_openssl)("crl " + " -in " + q(n(this.revocationList)) + " -out " + "crl/revocation_list.der " + " -outform der", options, callback),
+            // produce CRL in PEM format with text
+            (callback) => (0, toolbox_1.displaySubtitle)("Produce CRL in PEM form ", callback),
+            (callback) => (0, toolbox_1.execute_openssl)("crl " +
+                " -in " +
+                q(n(this.revocationList)) +
+                " -out " +
+                "crl/revocation_list.pem " +
+                " -outform pem" +
+                " -text ", options, callback),
+        ];
+        async.series(tasks, callback);
+    }
+    signCertificateRequest(certificate, certificateSigningRequestFilename, params, callback) {
+        // istanbul ignore next
+        if (!callback) {
+            throw new Error("Internal Error");
+        }
+        (0, toolbox_1.ensure_openssl_installed)(() => {
+            try {
+                assert(fs.existsSync(certificateSigningRequestFilename));
+                assert(typeof callback === "function");
+                if (!(0, toolbox_1.certificateFileExist)(certificate)) {
+                    return callback(null);
+                }
+                (0, toolbox_1.adjustDate)(params);
+                (0, toolbox_1.adjustApplicationUri)(params);
+                (0, toolbox_1.processAltNames)(params);
+                const options = { cwd: this.rootDir };
+                let configFile;
+                const tasks = [];
+                let csrInfo;
+                // note :
+                // subjectAltName is not copied across
+                //  see https://github.com/openssl/openssl/issues/10458
+                tasks.push((callback) => {
+                    (0, node_opcua_crypto_1.readCertificateSigningRequest)(certificateSigningRequestFilename)
+                        .then((csr) => {
+                        csrInfo = (0, node_opcua_crypto_1.exploreCertificateSigningRequest)(csr);
+                        callback();
+                    })
+                        .catch((err) => callback(err));
+                });
+                tasks.push((callback) => {
+                    const applicationUri = csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier[0];
+                    if (typeof applicationUri !== "string") {
+                        return callback(new Error("Cannot find applicationUri in CSR"));
+                    }
+                    const dns = csrInfo.extensionRequest.subjectAltName.dNSName || [];
+                    let ip = csrInfo.extensionRequest.subjectAltName.iPAddress || [];
+                    ip = ip.map(octetStringToIpAddress);
+                    const params = {
+                        applicationUri,
+                        dns,
+                        ip,
+                    };
+                    (0, toolbox_1.processAltNames)(params);
+                    configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", options);
+                    callback();
+                });
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- then we ask the authority to sign the certificate signing request", callback));
+                tasks.push((callback) => {
+                    const configOption = " -config " + configFile;
+                    (0, toolbox_1.execute_openssl)("ca " +
+                        configOption +
+                        " -startdate " +
+                        (0, toolbox_1.x509Date)(params.startDate) +
+                        " -enddate " +
+                        (0, toolbox_1.x509Date)(params.endDate) +
+                        " -batch -out " +
+                        q(n(certificate)) +
+                        " -in " +
+                        q(n(certificateSigningRequestFilename)), options, callback);
+                });
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- dump the certificate for a check", callback));
+                tasks.push((callback) => (0, toolbox_1.execute_openssl)("x509 -in " + q(n(certificate)) + "  -dates -fingerprint -purpose -noout", options, callback));
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- construct CA certificate with CRL", callback));
+                tasks.push((callback) => {
+                    this.constructCACertificateWithCRL(callback);
+                });
+                // construct certificate chain
+                //   concatenate certificate with CA Certificate and revocation list
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- construct certificate chain", callback));
+                tasks.push((callback) => {
+                    this.constructCertificateChain(certificate, callback);
+                });
+                // todo
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- verify certificate against the root CA", callback));
+                tasks.push((callback) => {
+                    this.verifyCertificate(certificate, callback);
+                });
+                async.series(tasks, (err) => {
+                    // istanbul ignore next
+                    if (err) {
+                        return callback(err);
+                    }
+                    callback(null, certificate);
+                });
+            }
+            catch (err) {
+                callback(err);
+            }
+        });
+    }
+    verifyCertificate(certificate, callback) {
+        // openssl verify crashes on windows! we cannot use it reliably
+        // istanbul ignore next
+        const isImplemented = false;
+        // istanbul ignore next
+        if (isImplemented) {
+            const options = { cwd: this.rootDir };
+            const configFile = (0, toolbox_1.generateStaticConfig)("conf/caconfig.cnf", options);
+            (0, toolbox_1.setEnv)("OPENSSL_CONF", (0, toolbox_1.make_path)(configFile));
+            const configOption = " -config " + configFile;
+            (0, toolbox_1.execute_openssl_no_failure)("verify -verbose " + " -CAfile " + q(n(this.caCertificateWithCrl)) + " " + q(n(certificate)), options, (err) => {
+                callback(err ? err : undefined);
+            });
+        }
+        else {
+            return callback();
+        }
+    }
+}
+exports.CertificateAuthority = CertificateAuthority;
+// tslint:disable:no-var-requires
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const thenify = require("thenify");
+const opts = { multiArgs: false };
+CertificateAuthority.prototype.initialize = thenify.withCallback(CertificateAuthority.prototype.initialize, opts);
+CertificateAuthority.prototype.constructCACertificateWithCRL = thenify.withCallback(CertificateAuthority.prototype.constructCACertificateWithCRL, opts);
+CertificateAuthority.prototype.constructCertificateChain = thenify.withCallback(CertificateAuthority.prototype.constructCertificateChain, opts);
+CertificateAuthority.prototype.createSelfSignedCertificate = thenify.withCallback(CertificateAuthority.prototype.createSelfSignedCertificate, opts);
+CertificateAuthority.prototype.revokeCertificate = thenify.withCallback(CertificateAuthority.prototype.revokeCertificate, opts);
+CertificateAuthority.prototype.verifyCertificate = thenify.withCallback(CertificateAuthority.prototype.verifyCertificate, opts);
+CertificateAuthority.prototype.signCertificateRequest = thenify.withCallback(CertificateAuthority.prototype.signCertificateRequest, opts);
 //# sourceMappingURL=certificate_authority.js.map