npm - node-opcua-pki - Versions diffs - 6.12.0 → 6.12.1 - Mend

node-opcua-pki 6.12.0 → 6.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/bin/pki.mjs CHANGED Viewed

@@ -336,7 +336,7 @@ var init_simple_config_template_cnf = __esm({
   "packages/node-opcua-pki/lib/pki/templates/simple_config_template.cnf.ts"() {
     "use strict";
     init_esm_shims();
-    config = '##################################################################################################\n## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\n################################################################################################################\n\ndistinguished_name       = req_distinguished_name\ndefault_md               = sha1\n\ndefault_md                = sha256                      # The default digest algorithm\n\n[ v3_ca ]\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier      = keyid:always,issuer:always\n\n# authorityKeyIdentifier    = keyid\nbasicConstraints            = CA:TRUE\nkeyUsage                    = critical, cRLSign, keyCertSign\nnsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"\n#nsCertType                 = sslCA, emailCA\n#subjectAltName             = email:copy\n#issuerAltName              = issuer:copy\n#obj                        = DER:02:03\n# crlDistributionPoints       = @crl_info\n# [ crl_info ]\n# URI.0                     = http://localhost:8900/crl.pem\nsubjectAltName              = $ENV::ALTNAME\n\n[ req ]\ndays                      = 390\nreq_extensions            = v3_req\nx509_extensions           = v3_ca\n\n[v3_req]\nbasicConstraints       = CA:false\nkeyUsage               = critical, cRLSign, keyCertSign\nsubjectAltName         = $ENV::ALTNAME\n\n[ v3_ca_signed]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "certificate generated by Node-OPCUA Certificate utility and signed by a CA"\nsubjectAltName            = $ENV::ALTNAME\n[ v3_selfsigned]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"\nsubjectAltName            = $ENV::ALTNAME\n[ req_distinguished_name ]\ncountryName             = Country Name (2 letter code)\ncountryName_default     = FR\ncountryName_min         = 2\ncountryName_max         = 2\n# stateOrProvinceName     = State or Province Name (full name)\n# stateOrProvinceName_default = Ile de France\n# localityName            = Locality Name (city, district)\n# localityName_default    = Paris\norganizationName          = Organization Name (company)\norganizationName_default  = NodeOPCUA\n# organizationalUnitName  = Organizational Unit Name (department, division)\n# organizationalUnitName_default = R&D\ncommonName                = Common Name (hostname, FQDN, IP, or your name)\ncommonName_max            = 256\ncommonName_default        = NodeOPCUA\n# emailAddress            = Email Address\n# emailAddress_max        = 40\n# emailAddress_default    = node-opcua (at) node-opcua (dot) com\nsubjectAltName            = $ENV::ALTNAME';
+    config = '##################################################################################################\n## SIMPLE OPENSSL CONFIG FILE FOR SELF-SIGNED CERTIFICATE GENERATION\n################################################################################################################\n\ndistinguished_name       = req_distinguished_name\ndefault_md               = sha1\n\ndefault_md                = sha256                      # The default digest algorithm\n\n[ v3_ca ]\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier      = keyid:always,issuer:always\n\n# authorityKeyIdentifier    = keyid\nbasicConstraints            = CA:TRUE\nkeyUsage                    = critical, cRLSign, keyCertSign\nnsComment                   = "Self-signed Certificate for CA generated by Node-OPCUA Certificate utility"\n#nsCertType                 = sslCA, emailCA\n#subjectAltName             = email:copy\n#issuerAltName              = issuer:copy\n#obj                        = DER:02:03\n# crlDistributionPoints       = @crl_info\n# [ crl_info ]\n# URI.0                     = http://localhost:8900/crl.pem\nsubjectAltName              = $ENV::ALTNAME\n\n[ req ]\ndays                      = 390\nreq_extensions            = v3_req\nx509_extensions           = v3_ca\n\n[v3_req]\nbasicConstraints       = CA:false\nkeyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nsubjectAltName         = $ENV::ALTNAME\n\n[ v3_ca_signed]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "certificate generated by Node-OPCUA Certificate utility and signed by a CA"\nsubjectAltName            = $ENV::ALTNAME\n[ v3_selfsigned]\nsubjectKeyIdentifier      = hash\nauthorityKeyIdentifier    = keyid,issuer\nbasicConstraints          = critical, CA:FALSE\nkeyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment\nextendedKeyUsage          = clientAuth,serverAuth \nnsComment                 = "Self-signed certificate generated by Node-OPCUA Certificate utility"\nsubjectAltName            = $ENV::ALTNAME\n[ req_distinguished_name ]\ncountryName             = Country Name (2 letter code)\ncountryName_default     = FR\ncountryName_min         = 2\ncountryName_max         = 2\n# stateOrProvinceName     = State or Province Name (full name)\n# stateOrProvinceName_default = Ile de France\n# localityName            = Locality Name (city, district)\n# localityName_default    = Paris\norganizationName          = Organization Name (company)\norganizationName_default  = NodeOPCUA\n# organizationalUnitName  = Organizational Unit Name (department, division)\n# organizationalUnitName_default = R&D\ncommonName                = Common Name (hostname, FQDN, IP, or your name)\ncommonName_max            = 256\ncommonName_default        = NodeOPCUA\n# emailAddress            = Email Address\n# emailAddress_max        = 40\n# emailAddress_default    = node-opcua (at) node-opcua (dot) com\nsubjectAltName            = $ENV::ALTNAME';
     simple_config_template_cnf_default = config;
   }
 });
@@ -367,8 +367,17 @@ function getOrComputeInfo(entry) {
   }
   return entry.info;
 }
+function coerceCertificateChain(certificate) {
+  if (Array.isArray(certificate)) {
+    if (certificate.length === 0) return [];
+    return certificate.reduce((acc, cert) => {
+      return acc.concat(split_der(cert));
+    }, []);
+  }
+  return split_der(certificate);
+}
 function makeFingerprint(certificate) {
-  const chain = Array.isArray(certificate) ? certificate : split_der(certificate);
+  const chain = coerceCertificateChain(certificate);
   return makeSHA1Thumbprint(chain[0]).toString("hex");
 }
 function short(stringToShorten) {
@@ -417,7 +426,8 @@ function isIssuer(certificate) {
   }
 }
 function findIssuerCertificateInChain(certificate, chain) {
-  const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+  const coercedCertificate = coerceCertificateChain(certificate);
+  const firstCertificate = coercedCertificate[0];
   if (!firstCertificate) {
     return null;
   }
@@ -430,7 +440,8 @@ function findIssuerCertificateInChain(certificate, chain) {
     debugLog("Certificate has no extension 3");
     return null;
   }
-  const potentialIssuers = chain.filter((c) => {
+  const coercedChain = coerceCertificateChain(chain);
+  const potentialIssuers = coercedChain.filter((c) => {
     const info = exploreCertificate(c);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
@@ -699,7 +710,7 @@ var init_certificate_manager = __esm({
         if (level >= 5) {
           return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
         }
-        const chain = Array.isArray(certificateOrChain) ? certificateOrChain : [certificateOrChain];
+        const chain = coerceCertificateChain(certificateOrChain);
         debugLog("NB CERTIFICATE IN CHAIN = ", chain.length);
         const info = exploreCertificate(chain[0]);
         let hasValidIssuer = false;
@@ -754,7 +765,7 @@ var init_certificate_manager = __esm({
               return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
             }
             hasValidIssuer = true;
-            let revokedStatus = await this.isCertificateRevoked(certificateOrChain);
+            let revokedStatus = await this.isCertificateRevoked(chain, issuerCertificate);
             if (revokedStatus === "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */) {
               if (options?.ignoreMissingRevocationList) {
                 revokedStatus = "Good" /* Good */;
@@ -779,11 +790,11 @@ var init_certificate_manager = __esm({
               debugLog("Self-signed Certificate signature is not valid");
               return "BadSecurityChecksFailed" /* BadSecurityChecksFailed */;
             }
-            const revokedStatus = await this.isCertificateRevoked(certificateOrChain);
+            const revokedStatus = await this.isCertificateRevoked(chain);
             debugLog("revokedStatus of self signed certificate:", revokedStatus);
           }
         }
-        const status = await this.#checkRejectedOrTrusted(certificateOrChain);
+        const status = await this.#checkRejectedOrTrusted(chain[0]);
         if (status === "rejected") {
           if (!(options.acceptCertificateWithValidIssuerChain && hasValidIssuer && hasTrustedIssuer)) {
             return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
@@ -841,17 +852,15 @@ var init_certificate_manager = __esm({
        * @returns the verification status code
        */
       async verifyCertificateAsync(certificate, options) {
-        if (!Array.isArray(certificate)) {
+        const chain = coerceCertificateChain(certificate);
+        for (const element of chain) {
           try {
-            const derElements = split_der(certificate);
-            for (const element of derElements) {
-              exploreCertificateInfo(element);
-            }
+            exploreCertificateInfo(element);
           } catch (_err) {
             return "BadCertificateInvalid" /* BadCertificateInvalid */;
           }
         }
-        const status1 = await this.#innerVerifyCertificateAsync(certificate, false, 0, options);
+        const status1 = await this.#innerVerifyCertificateAsync(chain, false, 0, options);
         return status1;
       }
       /**
@@ -1281,7 +1290,7 @@ var init_certificate_manager = __esm({
       async #addTrustedCertificateFromChainImpl(certificateChain) {
         let certificates;
         try {
-          certificates = Array.isArray(certificateChain) ? certificateChain : split_der(certificateChain);
+          certificates = coerceCertificateChain(certificateChain);
         } catch (_err) {
           return "BadCertificateInvalid" /* BadCertificateInvalid */;
         }
@@ -1408,7 +1417,7 @@ var init_certificate_manager = __esm({
        *
        */
       async findIssuerCertificate(certificate) {
-        const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+        const firstCertificate = coerceCertificateChain(certificate)[0];
         const certInfo = exploreCertificate(firstCertificate);
         if (isSelfSigned2(certInfo)) {
           return firstCertificate;
@@ -1445,7 +1454,7 @@ var init_certificate_manager = __esm({
        * @private
        */
       async #checkRejectedOrTrusted(certificate) {
-        const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+        const firstCertificate = coerceCertificateChain(certificate)[0];
         const fingerprint2 = makeFingerprint(firstCertificate);
         debugLog("#checkRejectedOrTrusted fingerprint ", short(fingerprint2));
         await this.#readCertificates();
@@ -1512,13 +1521,17 @@ var init_certificate_manager = __esm({
        *   found.
        */
       async isCertificateRevoked(certificate, issuerCertificate) {
-        const firstCertificate = Array.isArray(certificate) ? certificate[0] : certificate;
+        const chain = coerceCertificateChain(certificate);
+        const firstCertificate = chain[0];
         if (isSelfSigned3(firstCertificate)) {
           return "Good" /* Good */;
         }
         if (!issuerCertificate) {
           issuerCertificate = await this.findIssuerCertificate(firstCertificate);
         }
+        if (!issuerCertificate) {
+          issuerCertificate = findIssuerCertificateInChain(firstCertificate, chain);
+        }
         if (!issuerCertificate) {
           return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
         }
@@ -2544,7 +2557,7 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsRenewalUrl             =
 #nsCaPolicyUrl            =
 #nsSslServerName          =
-keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
+keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
 [ v3_req ]