node-opcua-pki 4.12.0 → 4.13.0

package/dist/lib/ca/certificate_authority.d.ts

@@ -0,0 +1,61 @@
+import { Subject, SubjectOptions } from "node-opcua-crypto";
+import { ErrorCallback, Filename, KeySize, Params } from "../toolbox";
+export declare const defaultSubject = "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA";
+export declare const configurationFileTemplate: string;
+export interface CertificateAuthorityOptions {
+    keySize: KeySize;
+    location: string;
+    subject?: string | SubjectOptions;
+}
+export declare class CertificateAuthority {
+    readonly keySize: KeySize;
+    readonly location: string;
+    readonly subject: Subject;
+    constructor(options: CertificateAuthorityOptions);
+    get rootDir(): string;
+    get configFile(): string;
+    get caCertificate(): string;
+    /**
+     * the file name where  the current Certificate Revocation List is stored (in DER format)
+     */
+    get revocationListDER(): string;
+    /**
+     * the file name where  the current Certificate Revocation List is stored (in PEM format)
+     */
+    get revocationList(): string;
+    get caCertificateWithCrl(): string;
+    initialize(): Promise<void>;
+    initialize(callback: ErrorCallback): void;
+    constructCACertificateWithCRL(): Promise<void>;
+    constructCACertificateWithCRL(callback: ErrorCallback): void;
+    constructCertificateChain(certificate: Filename): Promise<void>;
+    constructCertificateChain(certificate: Filename, callback: ErrorCallback): void;
+    createSelfSignedCertificate(certificateFile: Filename, privateKey: Filename, params: Params): Promise<void>;
+    createSelfSignedCertificate(certificateFile: Filename, privateKey: Filename, params: Params, callback: ErrorCallback): void;
+    /**
+     * revoke a certificate and update the CRL
+     *
+     * @method revokeCertificate
+     * @param certificate -  the certificate to revoke
+     * @param params
+     * @param [params.reason = "keyCompromise" {String}]
+     * @param callback
+     * @async
+     */
+    revokeCertificate(certificate: Filename, params: Params, callback: ErrorCallback): void;
+    revokeCertificate(certificate: Filename, params: Params): Promise<void>;
+    /**
+     *
+     * @param certificate            - the certificate filename to generate
+     * @param certificateSigningRequestFilename   - the certificate signing request
+     * @param params                 - parameters
+     * @param params.applicationUri  - the applicationUri
+     * @param params.startDate       - startDate of the certificate
+     * @param params.validity        - number of day of validity of the certificate
+     * @param callback
+     */
+    signCertificateRequest(certificate: Filename, certificateSigningRequestFilename: Filename, params: Params): Promise<Filename>;
+    signCertificateRequest(certificate: Filename, certificateSigningRequestFilename: Filename, params: Params, callback: (err: Error | null, certificate?: Filename) => void): void;
+    verifyCertificate(certificate: Filename): Promise<void>;
+    verifyCertificate(certificate: Filename, callback: ErrorCallback): void;
+}

package/dist/lib/ca/certificate_authority.js

@@ -0,0 +1,497 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateAuthority = exports.configurationFileTemplate = exports.defaultSubject = void 0;
+// ---------------------------------------------------------------------------------------------------------------------
+// node-opcua
+// ---------------------------------------------------------------------------------------------------------------------
+// Copyright (c) 2014-2022 - Etienne Rossignon - etienne.rossignon (at) gadz.org
+// Copyright (c) 2022-2024 - Sterfive.com
+// ---------------------------------------------------------------------------------------------------------------------
+//
+// This  project is licensed under the terms of the MIT license.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+// documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so,  subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+// Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+// WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+// ---------------------------------------------------------------------------------------------------------------------
+// tslint:disable:no-shadowed-variable
+const assert_1 = __importDefault(require("assert"));
+const async_1 = __importDefault(require("async"));
+const chalk_1 = __importDefault(require("chalk"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const node_opcua_crypto_1 = require("node-opcua-crypto");
+const toolbox_1 = require("../toolbox");
+const with_openssl_1 = require("../toolbox/with_openssl");
+const create_private_key_1 = require("../toolbox/without_openssl/create_private_key");
+exports.defaultSubject = "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA";
+const ca_config_template_cnf_1 = __importDefault(require("./templates/ca_config_template.cnf"));
+// tslint:disable-next-line:variable-name
+exports.configurationFileTemplate = ca_config_template_cnf_1.default;
+const config = {
+    certificateDir: "INVALID",
+    forceCA: false,
+    pkiDir: "INVALID",
+};
+const n = toolbox_1.make_path;
+const q = toolbox_1.quote;
+// convert 'c07b9179'  to    "192.123.145.121"
+function octetStringToIpAddress(a) {
+    return (parseInt(a.substring(0, 2), 16).toString() +
+        "." +
+        parseInt(a.substring(2, 4), 16).toString() +
+        "." +
+        parseInt(a.substring(4, 6), 16).toString() +
+        "." +
+        parseInt(a.substring(6, 8), 16).toString());
+}
+(0, assert_1.default)(octetStringToIpAddress("c07b9179") === "192.123.145.121");
+function construct_CertificateAuthority(certificateAuthority, callback) {
+    // create the CA directory store
+    // create the CA directory store
+    //
+    // PKI/CA
+    //     |
+    //     +-+> private
+    //     |
+    //     +-+> public
+    //     |
+    //     +-+> certs
+    //     |
+    //     +-+> crl
+    //     |
+    //     +-+> conf
+    //     |
+    //     +-f: serial
+    //     +-f: crlNumber
+    //     +-f: index.txt
+    //
+    const subject = certificateAuthority.subject;
+    const caRootDir = certificateAuthority.rootDir;
+    function make_folders() {
+        (0, toolbox_1.mkdir)(caRootDir);
+        (0, toolbox_1.mkdir)(path_1.default.join(caRootDir, "private"));
+        (0, toolbox_1.mkdir)(path_1.default.join(caRootDir, "public"));
+        // xx execute("chmod 700 private");
+        (0, toolbox_1.mkdir)(path_1.default.join(caRootDir, "certs"));
+        (0, toolbox_1.mkdir)(path_1.default.join(caRootDir, "crl"));
+        (0, toolbox_1.mkdir)(path_1.default.join(caRootDir, "conf"));
+    }
+    make_folders();
+    function construct_default_files() {
+        const serial = path_1.default.join(caRootDir, "serial");
+        if (!fs_1.default.existsSync(serial)) {
+            fs_1.default.writeFileSync(serial, "1000");
+        }
+        const crlNumber = path_1.default.join(caRootDir, "crlnumber");
+        if (!fs_1.default.existsSync(crlNumber)) {
+            fs_1.default.writeFileSync(crlNumber, "1000");
+        }
+        const indexFile = path_1.default.join(caRootDir, "index.txt");
+        if (!fs_1.default.existsSync(indexFile)) {
+            fs_1.default.writeFileSync(indexFile, "");
+        }
+    }
+    construct_default_files();
+    if (fs_1.default.existsSync(path_1.default.join(caRootDir, "private/cakey.pem")) && !config.forceCA) {
+        // certificate already exists => do not overwrite
+        (0, toolbox_1.debugLog)("CA private key already exists ... skipping");
+        return callback();
+    }
+    // tslint:disable:no-empty
+    (0, toolbox_1.displayTitle)("Create Certificate Authority (CA)", (_err) => {
+        /** */
+        _err;
+    });
+    const indexFileAttr = path_1.default.join(caRootDir, "index.txt.attr");
+    if (!fs_1.default.existsSync(indexFileAttr)) {
+        fs_1.default.writeFileSync(indexFileAttr, "unique_subject = no");
+    }
+    const caConfigFile = certificateAuthority.configFile;
+    // eslint-disable-next-line no-constant-condition
+    if (1 || !fs_1.default.existsSync(caConfigFile)) {
+        let data = exports.configurationFileTemplate; // inlineText(configurationFile);
+        data = data.replace(/%%ROOT_FOLDER%%/, (0, toolbox_1.make_path)(caRootDir));
+        fs_1.default.writeFileSync(caConfigFile, data);
+    }
+    // http://www.akadia.com/services/ssh_test_certificate.html
+    const subjectOpt = ' -subj "' + subject.toString() + '" ';
+    const options = { cwd: caRootDir };
+    (0, with_openssl_1.processAltNames)({});
+    const configFile = (0, with_openssl_1.generateStaticConfig)("conf/caconfig.cnf", options);
+    const configOption = " -config " + q(n(configFile));
+    const keySize = certificateAuthority.keySize;
+    const privateKeyFilename = path_1.default.join(caRootDir, "private/cakey.pem");
+    const csrFilename = path_1.default.join(caRootDir, "private/cakey.csr");
+    const tasks = [
+        (callback) => (0, toolbox_1.displayTitle)("Generate the CA private Key - " + keySize, callback),
+        // The first step is to create your RSA Private Key.
+        // This key is a 1025,2048,3072 or 2038 bit RSA key which is encrypted using
+        // Triple-DES and stored in a PEM format so that it is readable as ASCII text.
+        (callback) => (0, create_private_key_1.generatePrivateKeyFileCallback)(privateKeyFilename, keySize, callback),
+        (callback) => (0, toolbox_1.displayTitle)("Generate a certificate request for the CA key", callback),
+        // Once the private key is generated a Certificate Signing Request can be generated.
+        // The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as
+        // Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate.
+        // The second option is to self-sign the CSR, which will be demonstrated in the next section
+        (callback) => (0, with_openssl_1.execute_openssl)("req -new" +
+            " -sha256 " +
+            " -text " +
+            " -extensions v3_ca" +
+            configOption +
+            " -key " +
+            q(n(privateKeyFilename)) +
+            " -out " +
+            q(n(csrFilename)) +
+            " " +
+            subjectOpt, options, callback),
+        // xx // Step 3: Remove Passphrase from Key
+        // xx execute("cp private/cakey.pem private/cakey.pem.org");
+        // xx execute(openssl_path + " rsa -in private/cakey.pem.org -out private/cakey.pem -passin pass:"+paraphrase);
+        (callback) => (0, toolbox_1.displayTitle)("Generate CA Certificate (self-signed)", callback),
+        (callback) => (0, with_openssl_1.execute_openssl)(" x509 -sha256 -req -days 3650 " +
+            " -text " +
+            " -extensions v3_ca" +
+            " -extfile " +
+            q(n(configFile)) +
+            " -in private/cakey.csr " +
+            " -signkey " +
+            q(n(privateKeyFilename)) +
+            " -out public/cacert.pem", options, callback),
+        (callback) => (0, toolbox_1.displaySubtitle)("generate initial CRL (Certificate Revocation List)", callback),
+        (callback) => regenerateCrl(certificateAuthority.revocationList, configOption, options, callback),
+        (callback) => (0, toolbox_1.displayTitle)("Create Certificate Authority (CA) ---> DONE", callback),
+    ];
+    async_1.default.series(tasks, callback);
+}
+function regenerateCrl(revocationList, configOption, options, callback) {
+    const tasks = [
+        (callback) => (0, toolbox_1.displaySubtitle)("regenerate CRL (Certificate Revocation List)", callback),
+        (callback) => 
+        // produce a CRL in PEM format
+        (0, with_openssl_1.execute_openssl)("ca -gencrl " + configOption + " -out crl/revocation_list.crl", options, callback),
+        (callback) => (0, with_openssl_1.execute_openssl)("crl " + " -in  crl/revocation_list.crl -out  crl/revocation_list.der " + " -outform der", options, callback),
+        (callback) => (0, toolbox_1.displaySubtitle)("Display (Certificate Revocation List)", callback),
+        (callback) => (0, with_openssl_1.execute_openssl)("crl " + " -in " + q(n(revocationList)) + " -text " + " -noout", options, callback),
+    ];
+    async_1.default.series(tasks, callback);
+}
+class CertificateAuthority {
+    constructor(options) {
+        (0, assert_1.default)(Object.prototype.hasOwnProperty.call(options, "location"));
+        (0, assert_1.default)(Object.prototype.hasOwnProperty.call(options, "keySize"));
+        this.location = options.location;
+        this.keySize = options.keySize || 2048;
+        this.subject = new node_opcua_crypto_1.Subject(options.subject || exports.defaultSubject);
+    }
+    get rootDir() {
+        return this.location;
+    }
+    get configFile() {
+        return path_1.default.normalize(path_1.default.join(this.rootDir, "./conf/caconfig.cnf"));
+    }
+    get caCertificate() {
+        // the Certificate Authority Certificate
+        return (0, toolbox_1.make_path)(this.rootDir, "./public/cacert.pem");
+    }
+    /**
+     * the file name where  the current Certificate Revocation List is stored (in DER format)
+     */
+    get revocationListDER() {
+        return (0, toolbox_1.make_path)(this.rootDir, "./crl/revocation_list.der");
+    }
+    /**
+     * the file name where  the current Certificate Revocation List is stored (in PEM format)
+     */
+    get revocationList() {
+        return (0, toolbox_1.make_path)(this.rootDir, "./crl/revocation_list.crl");
+    }
+    get caCertificateWithCrl() {
+        return (0, toolbox_1.make_path)(this.rootDir, "./public/cacertificate_with_crl.pem");
+    }
+    initialize(callback) {
+        (0, assert_1.default)(typeof callback === "function");
+        construct_CertificateAuthority(this, callback);
+    }
+    constructCACertificateWithCRL(callback) {
+        (0, assert_1.default)(typeof callback === "function");
+        const cacertWithCRL = this.caCertificateWithCrl;
+        // note : in order to check if the certificate is revoked,
+        // you need to specify -crl_check and have both the CA cert and the (applicable) CRL in your trust store.
+        // There are two ways to do that:
+        // 1. concatenate cacert.pem and crl.pem into one file and use that for -CAfile.
+        // 2. use some linked
+        // ( from http://security.stackexchange.com/a/58305/59982)
+        if (fs_1.default.existsSync(this.revocationList)) {
+            fs_1.default.writeFileSync(cacertWithCRL, fs_1.default.readFileSync(this.caCertificate, "utf8") + fs_1.default.readFileSync(this.revocationList, "utf8"));
+        }
+        else {
+            // there is no revocation list yet
+            fs_1.default.writeFileSync(cacertWithCRL, fs_1.default.readFileSync(this.caCertificate));
+        }
+        callback();
+    }
+    constructCertificateChain(certificate, callback) {
+        (0, assert_1.default)(typeof callback === "function");
+        (0, assert_1.default)(fs_1.default.existsSync(certificate));
+        (0, assert_1.default)(fs_1.default.existsSync(this.caCertificate));
+        (0, toolbox_1.debugLog)(chalk_1.default.yellow("        certificate file :"), chalk_1.default.cyan(certificate));
+        // append
+        fs_1.default.writeFileSync(certificate, fs_1.default.readFileSync(certificate, "utf8") + fs_1.default.readFileSync(this.caCertificate, "utf8")
+        //   + fs.readFileSync(this.revocationList)
+        );
+        callback();
+    }
+    createSelfSignedCertificate(certificateFile, privateKey, params, callback) {
+        (0, assert_1.default)(typeof privateKey === "string");
+        (0, assert_1.default)(fs_1.default.existsSync(privateKey));
+        (0, assert_1.default)(typeof callback === "function");
+        if (!(0, toolbox_1.certificateFileExist)(certificateFile)) {
+            return callback();
+        }
+        (0, toolbox_1.adjustDate)(params);
+        (0, toolbox_1.adjustApplicationUri)(params);
+        (0, with_openssl_1.processAltNames)(params);
+        const csrFile = certificateFile + "_csr";
+        (0, assert_1.default)(csrFile);
+        const configFile = (0, with_openssl_1.generateStaticConfig)(this.configFile);
+        const options = {
+            cwd: this.rootDir,
+            openssl_conf: (0, toolbox_1.make_path)(configFile),
+        };
+        const configOption = "";
+        const subject = params.subject ? new node_opcua_crypto_1.Subject(params.subject).toString() : "";
+        const subjectOptions = subject && subject.length > 1 ? " -subj " + subject + " " : "";
+        const tasks = [];
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- the certificate signing request", callback));
+        tasks.push((callback) => (0, with_openssl_1.execute_openssl)("req " +
+            " -new -sha256 -text " +
+            configOption +
+            subjectOptions +
+            " -batch -key " +
+            q(n(privateKey)) +
+            " -out " +
+            q(n(csrFile)), options, callback));
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- creating the self-signed certificate", callback));
+        tasks.push((callback) => (0, with_openssl_1.execute_openssl)("ca " +
+            " -selfsign " +
+            " -keyfile " +
+            q(n(privateKey)) +
+            " -startdate " +
+            (0, with_openssl_1.x509Date)(params.startDate) +
+            " -enddate " +
+            (0, with_openssl_1.x509Date)(params.endDate) +
+            " -batch -out " +
+            q(n(certificateFile)) +
+            " -in " +
+            q(n(csrFile)), options, callback));
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- dump the certificate for a check", callback));
+        tasks.push((callback) => (0, with_openssl_1.execute_openssl)("x509 -in " + q(n(certificateFile)) + "  -dates -fingerprint -purpose -noout", {}, callback));
+        tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- verify self-signed certificate", callback));
+        tasks.push((callback) => (0, with_openssl_1.execute_openssl_no_failure)("verify -verbose -CAfile " + q(n(certificateFile)) + " " + q(n(certificateFile)), options, callback));
+        tasks.push((callback) => fs_1.default.unlink(csrFile, callback));
+        async_1.default.series(tasks, (err) => {
+            callback(err);
+        });
+    }
+    revokeCertificate(certificate, params, callback) {
+        (0, assert_1.default)(typeof callback === "function");
+        const crlReasons = [
+            "unspecified",
+            "keyCompromise",
+            "CACompromise",
+            "affiliationChanged",
+            "superseded",
+            "cessationOfOperation",
+            "certificateHold",
+            "removeFromCRL",
+        ];
+        const configFile = (0, with_openssl_1.generateStaticConfig)("conf/caconfig.cnf", { cwd: this.rootDir });
+        const options = {
+            cwd: this.rootDir,
+            openssl_conf: (0, toolbox_1.make_path)(configFile),
+        };
+        (0, with_openssl_1.setEnv)("ALTNAME", "");
+        const randomFile = path_1.default.join(this.rootDir, "random.rnd");
+        (0, with_openssl_1.setEnv)("RANDFILE", randomFile);
+        // // tslint:disable-next-line:no-string-literal
+        // if (!fs.existsSync((process.env as any)["OPENSSL_CONF"])) {
+        //     throw new Error("Cannot find OPENSSL_CONF");
+        // }
+        const configOption = " -config " + q(n(configFile));
+        const reason = params.reason || "keyCompromise";
+        (0, assert_1.default)(crlReasons.indexOf(reason) >= 0);
+        const tasks = [
+            (callback) => (0, toolbox_1.displayTitle)("Revoking certificate  " + certificate, callback),
+            (callback) => (0, toolbox_1.displaySubtitle)("Revoke certificate", callback),
+            (callback) => {
+                (0, with_openssl_1.execute_openssl_no_failure)("ca -verbose " + configOption + " -revoke " + q(certificate) + " -crl_reason " + reason, options, callback);
+            },
+            // regenerate CRL (Certificate Revocation List)
+            (callback) => regenerateCrl(this.revocationList, configOption, options, callback),
+            (callback) => (0, toolbox_1.displaySubtitle)("Verify that certificate is revoked  ", callback),
+            (callback) => {
+                (0, with_openssl_1.execute_openssl_no_failure)("verify -verbose" +
+                    // configOption +
+                    " -CRLfile " +
+                    q(n(this.revocationList)) +
+                    " -CAfile " +
+                    q(n(this.caCertificate)) +
+                    " -crl_check " +
+                    q(n(certificate)), options, (err, output) => {
+                    err;
+                    output;
+                    callback();
+                });
+            },
+            // produce CRL in DER format
+            (callback) => (0, toolbox_1.displaySubtitle)("Produce CRL in DER form ", callback),
+            (callback) => (0, with_openssl_1.execute_openssl)("crl " + " -in " + q(n(this.revocationList)) + " -out " + "crl/revocation_list.der " + " -outform der", options, callback),
+            // produce CRL in PEM format with text
+            (callback) => (0, toolbox_1.displaySubtitle)("Produce CRL in PEM form ", callback),
+            (callback) => (0, with_openssl_1.execute_openssl)("crl " +
+                " -in " +
+                q(n(this.revocationList)) +
+                " -out " +
+                "crl/revocation_list.pem " +
+                " -outform pem" +
+                " -text ", options, callback),
+        ];
+        async_1.default.series(tasks, callback);
+    }
+    signCertificateRequest(certificate, certificateSigningRequestFilename, params, callback) {
+        // istanbul ignore next
+        if (!callback) {
+            throw new Error("Internal Error");
+        }
+        (0, with_openssl_1.ensure_openssl_installed)(() => {
+            try {
+                (0, assert_1.default)(fs_1.default.existsSync(certificateSigningRequestFilename));
+                (0, assert_1.default)(typeof callback === "function");
+                if (!(0, toolbox_1.certificateFileExist)(certificate)) {
+                    return callback(null);
+                }
+                (0, toolbox_1.adjustDate)(params);
+                (0, toolbox_1.adjustApplicationUri)(params);
+                (0, with_openssl_1.processAltNames)(params);
+                const options = { cwd: this.rootDir };
+                let configFile;
+                const tasks = [];
+                let csrInfo;
+                // note :
+                // subjectAltName is not copied across
+                //  see https://github.com/openssl/openssl/issues/10458
+                tasks.push((callback) => {
+                    (0, node_opcua_crypto_1.readCertificateSigningRequest)(certificateSigningRequestFilename)
+                        .then((csr) => {
+                        csrInfo = (0, node_opcua_crypto_1.exploreCertificateSigningRequest)(csr);
+                        callback();
+                    })
+                        .catch((err) => callback(err));
+                });
+                tasks.push((callback) => {
+                    const applicationUri = csrInfo.extensionRequest.subjectAltName.uniformResourceIdentifier[0];
+                    if (typeof applicationUri !== "string") {
+                        return callback(new Error("Cannot find applicationUri in CSR"));
+                    }
+                    const dns = csrInfo.extensionRequest.subjectAltName.dNSName || [];
+                    let ip = csrInfo.extensionRequest.subjectAltName.iPAddress || [];
+                    ip = ip.map(octetStringToIpAddress);
+                    const params = {
+                        applicationUri,
+                        dns,
+                        ip,
+                    };
+                    (0, with_openssl_1.processAltNames)(params);
+                    configFile = (0, with_openssl_1.generateStaticConfig)("conf/caconfig.cnf", options);
+                    callback();
+                });
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- then we ask the authority to sign the certificate signing request", callback));
+                tasks.push((callback) => {
+                    const configOption = " -config " + configFile;
+                    (0, with_openssl_1.execute_openssl)("ca " +
+                        configOption +
+                        " -startdate " +
+                        (0, with_openssl_1.x509Date)(params.startDate) +
+                        " -enddate " +
+                        (0, with_openssl_1.x509Date)(params.endDate) +
+                        " -batch -out " +
+                        q(n(certificate)) +
+                        " -in " +
+                        q(n(certificateSigningRequestFilename)), options, callback);
+                });
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- dump the certificate for a check", callback));
+                tasks.push((callback) => (0, with_openssl_1.execute_openssl)("x509 -in " + q(n(certificate)) + "  -dates -fingerprint -purpose -noout", options, callback));
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- construct CA certificate with CRL", callback));
+                tasks.push((callback) => {
+                    this.constructCACertificateWithCRL(callback);
+                });
+                // construct certificate chain
+                //   concatenate certificate with CA Certificate and revocation list
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- construct certificate chain", callback));
+                tasks.push((callback) => {
+                    this.constructCertificateChain(certificate, callback);
+                });
+                // todo
+                tasks.push((callback) => (0, toolbox_1.displaySubtitle)("- verify certificate against the root CA", callback));
+                tasks.push((callback) => {
+                    this.verifyCertificate(certificate, callback);
+                });
+                async_1.default.series(tasks, (err) => {
+                    // istanbul ignore next
+                    if (err) {
+                        return callback(err);
+                    }
+                    callback(null, certificate);
+                });
+            }
+            catch (err) {
+                callback(err);
+            }
+        });
+    }
+    verifyCertificate(certificate, callback) {
+        // openssl verify crashes on windows! we cannot use it reliably
+        // istanbul ignore next
+        const isImplemented = false;
+        // istanbul ignore next
+        if (isImplemented) {
+            const options = { cwd: this.rootDir };
+            const configFile = (0, with_openssl_1.generateStaticConfig)("conf/caconfig.cnf", options);
+            (0, with_openssl_1.setEnv)("OPENSSL_CONF", (0, toolbox_1.make_path)(configFile));
+            const configOption = " -config " + configFile;
+            configOption;
+            (0, with_openssl_1.execute_openssl_no_failure)("verify -verbose " + " -CAfile " + q(n(this.caCertificateWithCrl)) + " " + q(n(certificate)), options, (err) => {
+                callback(err ? err : undefined);
+            });
+        }
+        else {
+            return callback();
+        }
+    }
+}
+exports.CertificateAuthority = CertificateAuthority;
+// tslint:disable:no-var-requires
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const thenify = require("thenify");
+const opts = { multiArgs: false };
+CertificateAuthority.prototype.initialize = thenify.withCallback(CertificateAuthority.prototype.initialize, opts);
+CertificateAuthority.prototype.constructCACertificateWithCRL = thenify.withCallback(CertificateAuthority.prototype.constructCACertificateWithCRL, opts);
+CertificateAuthority.prototype.constructCertificateChain = thenify.withCallback(CertificateAuthority.prototype.constructCertificateChain, opts);
+CertificateAuthority.prototype.createSelfSignedCertificate = thenify.withCallback(CertificateAuthority.prototype.createSelfSignedCertificate, opts);
+CertificateAuthority.prototype.revokeCertificate = thenify.withCallback(CertificateAuthority.prototype.revokeCertificate, opts);
+CertificateAuthority.prototype.verifyCertificate = thenify.withCallback(CertificateAuthority.prototype.verifyCertificate, opts);
+CertificateAuthority.prototype.signCertificateRequest = thenify.withCallback(CertificateAuthority.prototype.signCertificateRequest, opts);
+//# sourceMappingURL=certificate_authority.js.map

package/dist/lib/ca/crypto_create_CA.d.ts

@@ -0,0 +1,2 @@
+import { ErrorCallback } from "../toolbox";
+export declare function main(argumentsList: string, _done?: ErrorCallback): void;