node-opcua-pki 6.12.1 → 6.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/bin/pki.mjs +60 -30
  2. package/dist/bin/pki.mjs.map +1 -1
  3. package/dist/index.d.mts +5 -5
  4. package/dist/index.d.ts +5 -5
  5. package/dist/index.js +60 -30
  6. package/dist/index.js.map +1 -1
  7. package/dist/index.mjs +60 -30
  8. package/dist/index.mjs.map +1 -1
  9. package/package.json +4 -4
package/dist/index.mjs CHANGED
@@ -1921,9 +1921,10 @@ function short(stringToShorten) {
1921
1921
  }
1922
1922
  var forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
1923
1923
  function buildIdealCertificateName(certificate) {
1924
- const fingerprint = makeFingerprint(certificate);
1924
+ const chain = coerceCertificateChain(certificate);
1925
+ const fingerprint = makeFingerprint(chain);
1925
1926
  try {
1926
- const commonName = exploreCertificate2(certificate).tbsCertificate.subject.commonName || "";
1927
+ const commonName = exploreCertificate2(chain[0]).tbsCertificate.subject.commonName || "";
1927
1928
  const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
1928
1929
  return `${sanitizedCommonName}[${fingerprint}]`;
1929
1930
  } catch (_err) {
@@ -2170,18 +2171,18 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
2170
2171
  /**
2171
2172
  * Move a certificate to the rejected store.
2172
2173
  * If the certificate was previously trusted, it will be removed from the trusted folder.
2173
- * @param certificate - the DER-encoded certificate
2174
+ * @param certificateOrChain - the DER-encoded certificate or certificate chain
2174
2175
  */
2175
- async rejectCertificate(certificate) {
2176
- await this.#moveCertificate(certificate, "rejected");
2176
+ async rejectCertificate(certificateOrChain) {
2177
+ await this.#moveCertificate(certificateOrChain, "rejected");
2177
2178
  }
2178
2179
  /**
2179
2180
  * Move a certificate to the trusted store.
2180
2181
  * If the certificate was previously rejected, it will be removed from the rejected folder.
2181
- * @param certificate - the DER-encoded certificate
2182
+ * @param certificateOrChain - the DER-encoded certificate or certificate chain
2182
2183
  */
2183
- async trustCertificate(certificate) {
2184
- await this.#moveCertificate(certificate, "trusted");
2184
+ async trustCertificate(certificateOrChain) {
2185
+ await this.#moveCertificate(certificateOrChain, "trusted");
2185
2186
  }
2186
2187
  /**
2187
2188
  * Check whether the trusted certificate store is empty.
@@ -2235,31 +2236,40 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
2235
2236
  * @returns `"Good"` if trusted, `"BadCertificateUntrusted"` if rejected/unknown,
2236
2237
  * or `"BadCertificateInvalid"` if the certificate cannot be parsed.
2237
2238
  */
2238
- async isCertificateTrusted(certificate) {
2239
- let fingerprint;
2239
+ async isCertificateTrusted(certificateOrCertificateChain) {
2240
2240
  try {
2241
- fingerprint = makeFingerprint(certificate);
2242
- } catch (_err) {
2243
- return "BadCertificateInvalid";
2244
- }
2245
- if (this.#thumbs.trusted.has(fingerprint)) {
2246
- return "Good";
2247
- }
2248
- if (!this.#thumbs.rejected.has(fingerprint)) {
2249
- if (!this.untrustUnknownCertificate) {
2250
- return "Good";
2241
+ const chain = coerceCertificateChain(certificateOrCertificateChain);
2242
+ const leafCertificate = chain[0];
2243
+ if (chain.length < 1) {
2244
+ return "BadCertificateInvalid";
2251
2245
  }
2246
+ let fingerprint;
2252
2247
  try {
2253
- exploreCertificateInfo(certificate);
2248
+ fingerprint = makeFingerprint(chain[0]);
2254
2249
  } catch (_err) {
2255
2250
  return "BadCertificateInvalid";
2256
2251
  }
2257
- const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
2258
- debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
2259
- await fsWriteFile(filename, toPem2(certificate, "CERTIFICATE"));
2260
- this.#thumbs.rejected.set(fingerprint, { certificate, filename });
2252
+ if (this.#thumbs.trusted.has(fingerprint)) {
2253
+ return "Good";
2254
+ }
2255
+ if (!this.#thumbs.rejected.has(fingerprint)) {
2256
+ if (!this.untrustUnknownCertificate) {
2257
+ return "Good";
2258
+ }
2259
+ try {
2260
+ exploreCertificateInfo(chain[0]);
2261
+ } catch (_err) {
2262
+ return "BadCertificateInvalid";
2263
+ }
2264
+ const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(leafCertificate)}.pem`);
2265
+ debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
2266
+ await fsWriteFile(filename, toPem2(chain, "CERTIFICATE"));
2267
+ this.#thumbs.rejected.set(fingerprint, { certificate: leafCertificate, filename });
2268
+ }
2269
+ return "BadCertificateUntrusted";
2270
+ } catch (_err) {
2271
+ return "BadCertificateInvalid";
2261
2272
  }
2262
- return "BadCertificateUntrusted";
2263
2273
  }
2264
2274
  async #innerVerifyCertificateAsync(certificateOrChain, _isIssuer, level, options) {
2265
2275
  if (level >= 5) {
@@ -2929,7 +2939,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
2929
2939
  return "BadCertificateInvalid" /* BadCertificateInvalid */;
2930
2940
  }
2931
2941
  }
2932
- await this.trustCertificate(leafCertificate);
2942
+ await this.trustCertificate(certificates);
2933
2943
  return "Good" /* Good */;
2934
2944
  }
2935
2945
  /**
@@ -3021,12 +3031,14 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
3021
3031
  }
3022
3032
  return "unknown";
3023
3033
  }
3024
- async #moveCertificate(certificate, newStatus) {
3034
+ async #moveCertificate(certificateOrChain, newStatus) {
3025
3035
  await this.withLock2(async () => {
3036
+ const chain = coerceCertificateChain(certificateOrChain);
3037
+ const certificate = chain[0];
3026
3038
  const fingerprint = makeFingerprint(certificate);
3027
3039
  let status = await this.#checkRejectedOrTrusted(certificate);
3028
3040
  if (status === "unknown") {
3029
- const pem = toPem2(certificate, "CERTIFICATE");
3041
+ const pem = toPem2(chain, "CERTIFICATE");
3030
3042
  const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
3031
3043
  await fs10.promises.writeFile(filename, pem);
3032
3044
  this.#thumbs.rejected.set(fingerprint, { certificate, filename });
@@ -3213,7 +3225,25 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
3213
3225
  try {
3214
3226
  const stat = await fs10.promises.stat(filename);
3215
3227
  if (!stat.isFile()) continue;
3216
- const certificate = (await readCertificateChainAsync(filename))[0];
3228
+ const certs = await readCertificateChainAsync(filename);
3229
+ if (certs.length === 0) continue;
3230
+ const certificate = certs[0];
3231
+ if (certs.length > 1) {
3232
+ try {
3233
+ await fs10.promises.writeFile(filename, toPem2(certs, "CERTIFICATE"), "ascii");
3234
+ } catch (writeErr) {
3235
+ debugLog(`scanCertFolder: could not rewrite legacy PEM ${filename} (read-only fs?)`, writeErr);
3236
+ }
3237
+ for (let i = 1; i < certs.length; i++) {
3238
+ if (isIssuer(certs[i])) {
3239
+ try {
3240
+ await this.addIssuer(certs[i]);
3241
+ } catch (issuerErr) {
3242
+ debugLog(`scanCertFolder: could not auto-register issuer from ${filename}`, issuerErr);
3243
+ }
3244
+ }
3245
+ }
3246
+ }
3217
3247
  const info = exploreCertificate2(certificate);
3218
3248
  const fingerprint = makeFingerprint(certificate);
3219
3249
  index.set(fingerprint, { certificate, filename, info });