node-opcua-pki 6.12.1 → 6.12.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bin/pki.mjs +60 -30
- package/dist/bin/pki.mjs.map +1 -1
- package/dist/index.d.mts +5 -5
- package/dist/index.d.ts +5 -5
- package/dist/index.js +60 -30
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +60 -30
- package/dist/index.mjs.map +1 -1
- package/package.json +4 -4
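--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -919,15 +919,15 @@ declare class CertificateManager extends EventEmitter {
 /**
 * Move a certificate to the rejected store.
 * If the certificate was previously trusted, it will be removed from the trusted folder.
-* @param
+* @param certificateOrChain - the DER-encoded certificate or certificate chain
 */
-rejectCertificate(
+rejectCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
 /**
 * Move a certificate to the trusted store.
 * If the certificate was previously rejected, it will be removed from the rejected folder.
-* @param
+* @param certificateOrChain - the DER-encoded certificate or certificate chain
 */
-trustCertificate(
+trustCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
 /**
 * Check whether the trusted certificate store is empty.
 *
@@ -962,7 +962,7 @@ declare class CertificateManager extends EventEmitter {
 * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
 * or `"BadCertificateInvalid"` if the certificate cannot be parsed.
 */
-isCertificateTrusted(
+isCertificateTrusted(certificateOrCertificateChain: Certificate | Certificate[]): Promise<"Good" | "BadCertificateUntrusted" | "BadCertificateInvalid">;
 /**
 * Internal verification hook called by {@link verifyCertificate}.
 *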
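--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -919,15 +919,15 @@ declare class CertificateManager extends EventEmitter {
 /**
 * Move a certificate to the rejected store.
 * If the certificate was previously trusted, it will be removed from the trusted folder.
-* @param
+* @param certificateOrChain - the DER-encoded certificate or certificate chain
 */
-rejectCertificate(
+rejectCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
 /**
 * Move a certificate to the trusted store.
 * If the certificate was previously rejected, it will be removed from the rejected folder.
-* @param
+* @param certificateOrChain - the DER-encoded certificate or certificate chain
 */
-trustCertificate(
+trustCertificate(certificateOrChain: Certificate | Certificate[]): Promise<void>;
 /**
 * Check whether the trusted certificate store is empty.
 *
@@ -962,7 +962,7 @@ declare class CertificateManager extends EventEmitter {
 * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
 * or `"BadCertificateInvalid"` if the certificate cannot be parsed.
 */
-isCertificateTrusted(
+isCertificateTrusted(certificateOrCertificateChain: Certificate | Certificate[]): Promise<"Good" | "BadCertificateUntrusted" | "BadCertificateInvalid">;
 /**
 * Internal verification hook called by {@link verifyCertificate}.
 *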
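--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1949,9 +1949,10 @@ function short(stringToShorten) {
 }
 var forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
 function buildIdealCertificateName(certificate) {
-const
+const chain = coerceCertificateChain(certificate);
+const fingerprint = makeFingerprint(chain);
 try {
-const commonName = (0, import_node_opcua_crypto5.exploreCertificate)(
+const commonName = (0, import_node_opcua_crypto5.exploreCertificate)(chain[0]).tbsCertificate.subject.commonName || "";
 const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
 return `${sanitizedCommonName}[${fingerprint}]`;
 } catch (_err) {
@@ -2198,18 +2199,18 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
 /**
 * Move a certificate to the rejected store.
 * If the certificate was previously trusted, it will be removed from the trusted folder.
-* @param
+* @param certificateOrChain - the DER-encoded certificate or certificate chain
 */
-async rejectCertificate(
-await this.#moveCertificate(
+async rejectCertificate(certificateOrChain) {
+await this.#moveCertificate(certificateOrChain, "rejected");
 }
 /**
 * Move a certificate to the trusted store.
 * If the certificate was previously rejected, it will be removed from the rejected folder.
-* @param
+* @param certificateOrChain - the DER-encoded certificate or certificate chain
 */
-async trustCertificate(
-await this.#moveCertificate(
+async trustCertificate(certificateOrChain) {
+await this.#moveCertificate(certificateOrChain, "trusted");
 }
 /**
 * Check whether the trusted certificate store is empty.
@@ -2263,31 +2264,40 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
 * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
 * or `"BadCertificateInvalid"` if the certificate cannot be parsed.
 */
-async isCertificateTrusted(
-let fingerprint;
+async isCertificateTrusted(certificateOrCertificateChain) {
 try {
-
-
-
-
-if (this.#thumbs.trusted.has(fingerprint)) {
-return "Good";
-}
-if (!this.#thumbs.rejected.has(fingerprint)) {
-if (!this.untrustUnknownCertificate) {
-return "Good";
+const chain = coerceCertificateChain(certificateOrCertificateChain);
+const leafCertificate = chain[0];
+if (chain.length < 1) {
+return "BadCertificateInvalid";
 }
+let fingerprint;
 try {
-(0
+fingerprint = makeFingerprint(chain[0]);
 } catch (_err) {
 return "BadCertificateInvalid";
 }
-
-
-
-this.#thumbs.rejected.
+if (this.#thumbs.trusted.has(fingerprint)) {
+return "Good";
+}
+if (!this.#thumbs.rejected.has(fingerprint)) {
+if (!this.untrustUnknownCertificate) {
+return "Good";
+}
+try {
+(0, import_node_opcua_crypto5.exploreCertificateInfo)(chain[0]);
+} catch (_err) {
+return "BadCertificateInvalid";
+}
+const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(leafCertificate)}.pem`);
+debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+await fsWriteFile(filename, (0, import_node_opcua_crypto5.toPem)(chain, "CERTIFICATE"));
+this.#thumbs.rejected.set(fingerprint, { certificate: leafCertificate, filename });
+}
+return "BadCertificateUntrusted";
+} catch (_err) {
+return "BadCertificateInvalid";
 }
-return "BadCertificateUntrusted";
 }
 async #innerVerifyCertificateAsync(certificateOrChain, _isIssuer, level, options) {
 if (level >= 5) {
@@ -2957,7 +2967,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
 return "BadCertificateInvalid" /* BadCertificateInvalid */;
 }
 }
-await this.trustCertificate(
+await this.trustCertificate(certificates);
 return "Good" /* Good */;
 }
 /**
@@ -3049,12 +3059,14 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
 }
 return "unknown";
 }
-async #moveCertificate(
+async #moveCertificate(certificateOrChain, newStatus) {
 await this.withLock2(async () => {
+const chain = coerceCertificateChain(certificateOrChain);
+const certificate = chain[0];
 const fingerprint = makeFingerprint(certificate);
 let status = await this.#checkRejectedOrTrusted(certificate);
 if (status === "unknown") {
-const pem = (0, import_node_opcua_crypto5.toPem)(
+const pem = (0, import_node_opcua_crypto5.toPem)(chain, "CERTIFICATE");
 const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
 await import_node_fs10.default.promises.writeFile(filename, pem);
 this.#thumbs.rejected.set(fingerprint, { certificate, filename });
@@ -3241,7 +3253,25 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
 try {
 const stat = await import_node_fs10.default.promises.stat(filename);
 if (!stat.isFile()) continue;
-const
+const certs = await (0, import_node_opcua_crypto5.readCertificateChainAsync)(filename);
+if (certs.length === 0) continue;
+const certificate = certs[0];
+if (certs.length > 1) {
+try {
+await import_node_fs10.default.promises.writeFile(filename, (0, import_node_opcua_crypto5.toPem)(certs, "CERTIFICATE"), "ascii");
+} catch (writeErr) {
+debugLog(`scanCertFolder: could not rewrite legacy PEM $(unknown) (read-only fs?)`, writeErr);
+}
+for (let i = 1; i < certs.length; i++) {
+if (isIssuer(certs[i])) {
+try {
+await this.addIssuer(certs[i]);
+} catch (issuerErr) {
+debugLog(`scanCertFolder: could not auto-register issuer from $(unknown)`, issuerErr);
+}
+}
+}
+}
 const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
 const fingerprint = makeFingerprint(certificate);
 index.set(fingerprint, { certificate, filename, info });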
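Review bot: In scanCertFolder (new lines 3265–3273; the function starts and ends outside this hunk) every certificate after the leaf that satisfies isIssuer() is handed to this.addIssuer() regardless of which store the scanned file belongs to; if this scan also runs over rejectedFolder — which isCertificateTrusted (new 2294) and #moveCertificate (new 3069–3071) now populate with whole chains via `toPem(chain, "CERTIFICATE")` — intermediates from rejected chains would be registered as issuers, so the auto-registration should be confirmed against addIssuer's semantics and limited to the trusted/issuer stores. The two debugLog messages at 3263 and 3270 appear to print the literal text `$(unknown)` instead of the file name; `${filename}` was presumably intended. In buildIdealCertificateName (new 1953) the fingerprint is computed as `makeFingerprint(chain)`, while isCertificateTrusted (2276) and #moveCertificate (3066) key their stores on `makeFingerprint(chain[0])`; unless makeFingerprint itself reduces a chain to its leaf, the fingerprint embedded in the filename will differ from the store key for the same certificate, and `const fingerprint = makeFingerprint(chain[0]);` would keep them consistent. Separately, the new outer `catch (_err) { return "BadCertificateInvalid"; }` in isCertificateTrusted (2298–2299) also covers the fsWriteFile at 2294, so a failed write to the rejected store is reported as an unparsable certificate and the error is dropped; logging it and still returning "BadCertificateUntrusted" would keep the status meaningful for callers.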