node-opcua-pki 6.12.1 → 6.12.2

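--- a/package/dist/bin/pki.mjs
+++ b/package/dist/bin/pki.mjs
@@ -384,9 +384,10 @@ function short(stringToShorten) {
  return stringToShorten.substring(0, 10);
  }
  function buildIdealCertificateName(certificate) {
- const fingerprint2 = makeFingerprint(certificate);
+ const chain = coerceCertificateChain(certificate);
+ const fingerprint2 = makeFingerprint(chain);
  try {
- const commonName = exploreCertificate(certificate).tbsCertificate.subject.commonName || "";
+ const commonName = exploreCertificate(chain[0]).tbsCertificate.subject.commonName || "";
  const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
  return `${sanitizedCommonName}[${fingerprint2}]`;
  } catch (_err) {
@@ -615,18 +616,18 @@ var init_certificate_manager = __esm({
  /**
  * Move a certificate to the rejected store.
  * If the certificate was previously trusted, it will be removed from the trusted folder.
- * @param certificate - the DER-encoded certificate
+ * @param certificateOrChain - the DER-encoded certificate or certificate chain
  */
- async rejectCertificate(certificate) {
- await this.#moveCertificate(certificate, "rejected");
+ async rejectCertificate(certificateOrChain) {
+ await this.#moveCertificate(certificateOrChain, "rejected");
  }
  /**
  * Move a certificate to the trusted store.
  * If the certificate was previously rejected, it will be removed from the rejected folder.
- * @param certificate - the DER-encoded certificate
+ * @param certificateOrChain - the DER-encoded certificate or certificate chain
  */
- async trustCertificate(certificate) {
- await this.#moveCertificate(certificate, "trusted");
+ async trustCertificate(certificateOrChain) {
+ await this.#moveCertificate(certificateOrChain, "trusted");
  }
  /**
  * Check whether the trusted certificate store is empty.
@@ -680,31 +681,40 @@ var init_certificate_manager = __esm({
  * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
  * or `"BadCertificateInvalid"` if the certificate cannot be parsed.
  */
- async isCertificateTrusted(certificate) {
- let fingerprint2;
+ async isCertificateTrusted(certificateOrCertificateChain) {
  try {
- fingerprint2 = makeFingerprint(certificate);
- } catch (_err) {
- return "BadCertificateInvalid";
- }
- if (this.#thumbs.trusted.has(fingerprint2)) {
- return "Good";
- }
- if (!this.#thumbs.rejected.has(fingerprint2)) {
- if (!this.untrustUnknownCertificate) {
- return "Good";
+ const chain = coerceCertificateChain(certificateOrCertificateChain);
+ const leafCertificate = chain[0];
+ if (chain.length < 1) {
+ return "BadCertificateInvalid";
  }
+ let fingerprint2;
  try {
- exploreCertificateInfo(certificate);
+ fingerprint2 = makeFingerprint(chain[0]);
  } catch (_err) {
  return "BadCertificateInvalid";
  }
- const filename = path2.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
- debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
- await fsWriteFile(filename, toPem(certificate, "CERTIFICATE"));
- this.#thumbs.rejected.set(fingerprint2, { certificate, filename });
+ if (this.#thumbs.trusted.has(fingerprint2)) {
+ return "Good";
+ }
+ if (!this.#thumbs.rejected.has(fingerprint2)) {
+ if (!this.untrustUnknownCertificate) {
+ return "Good";
+ }
+ try {
+ exploreCertificateInfo(chain[0]);
+ } catch (_err) {
+ return "BadCertificateInvalid";
+ }
+ const filename = path2.join(this.rejectedFolder, `${buildIdealCertificateName(leafCertificate)}.pem`);
+ debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+ await fsWriteFile(filename, toPem(chain, "CERTIFICATE"));
+ this.#thumbs.rejected.set(fingerprint2, { certificate: leafCertificate, filename });
+ }
+ return "BadCertificateUntrusted";
+ } catch (_err) {
+ return "BadCertificateInvalid";
  }
- return "BadCertificateUntrusted";
  }
  async #innerVerifyCertificateAsync(certificateOrChain, _isIssuer, level, options) {
  if (level >= 5) {
@@ -1374,7 +1384,7 @@ var init_certificate_manager = __esm({
  return "BadCertificateInvalid" /* BadCertificateInvalid */;
  }
  }
- await this.trustCertificate(leafCertificate);
+ await this.trustCertificate(certificates);
  return "Good" /* Good */;
  }
  /**
@@ -1466,12 +1476,14 @@ var init_certificate_manager = __esm({
  }
  return "unknown";
  }
- async #moveCertificate(certificate, newStatus) {
+ async #moveCertificate(certificateOrChain, newStatus) {
  await this.withLock2(async () => {
+ const chain = coerceCertificateChain(certificateOrChain);
+ const certificate = chain[0];
  const fingerprint2 = makeFingerprint(certificate);
  let status = await this.#checkRejectedOrTrusted(certificate);
  if (status === "unknown") {
- const pem = toPem(certificate, "CERTIFICATE");
+ const pem = toPem(chain, "CERTIFICATE");
  const filename = path2.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
  await fs4.promises.writeFile(filename, pem);
  this.#thumbs.rejected.set(fingerprint2, { certificate, filename });
@@ -1658,7 +1670,25 @@ var init_certificate_manager = __esm({
  try {
  const stat = await fs4.promises.stat(filename);
  if (!stat.isFile()) continue;
- const certificate = (await readCertificateChainAsync(filename))[0];
+ const certs = await readCertificateChainAsync(filename);
+ if (certs.length === 0) continue;
+ const certificate = certs[0];
+ if (certs.length > 1) {
+ try {
+ await fs4.promises.writeFile(filename, toPem(certs, "CERTIFICATE"), "ascii");
+ } catch (writeErr) {
+ debugLog(`scanCertFolder: could not rewrite legacy PEM $(unknown) (read-only fs?)`, writeErr);
+ }
+ for (let i = 1; i < certs.length; i++) {
+ if (isIssuer(certs[i])) {
+ try {
+ await this.addIssuer(certs[i]);
+ } catch (issuerErr) {
+ debugLog(`scanCertFolder: could not auto-register issuer from $(unknown)`, issuerErr);
+ }
+ }
+ }
+ }
  const info = exploreCertificate(certificate);
  const fingerprint2 = makeFingerprint(certificate);
  index.set(fingerprint2, { certificate, filename, info });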
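Review bot: The issuer auto-registration loop added after the legacy-PEM rewrite (`for (let i = 1; i < certs.length; i++) { if (isIssuer(certs[i])) { await this.addIssuer(certs[i]); } }`) runs for every multi-certificate PEM the scanner encounters, and nothing in this hunk restricts it to the trusted store. The same commit makes isCertificateTrusted persist the full peer-supplied chain into rejectedFolder (`await fsWriteFile(filename, toPem(chain, "CERTIFICATE"))`), so if scanCertFolder is also run over the rejected store — which I cannot confirm from this hunk — any CA certificate an unknown remote peer includes in its chain would be registered as an issuer on the next scan, without an operator ever trusting the leaf. The loop should be gated on the folder being scanned (only the trusted store, or an explicit opt-in flag), or the extra certificates should merely be indexed rather than passed to addIssuer until the leaf is trusted. Separately, both debugLog messages read `$(unknown)` where the file name was presumably meant to be interpolated (`${filename}`), so the log line does not identify the offending file. scanCertFolder begins and ends outside this hunk.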