npm - node-opcua-pki - Versions diffs - 6.12.2 → 6.13.0 - Mend

node-opcua-pki 6.12.2 → 6.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/bin/pki.mjs CHANGED Viewed

@@ -455,7 +455,7 @@ function findIssuerCertificateInChain(certificate, chain) {
   }
   return null;
 }
-var configurationFileSimpleTemplate, fsWriteFile, forbiddenChars, CertificateManager;
+var configurationFileSimpleTemplate, fsWriteFile, forbiddenChars, ChainCompletionStatus, CertificateManager;
 var init_certificate_manager = __esm({
   "packages/node-opcua-pki/lib/pki/certificate_manager.ts"() {
     "use strict";
@@ -467,6 +467,14 @@ var init_certificate_manager = __esm({
     configurationFileSimpleTemplate = simple_config_template_cnf_default;
     fsWriteFile = fs4.promises.writeFile;
     forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
+    ChainCompletionStatus = /* @__PURE__ */ ((ChainCompletionStatus2) => {
+      ChainCompletionStatus2["AlreadyComplete"] = "AlreadyComplete";
+      ChainCompletionStatus2["ChainCompleted"] = "ChainCompleted";
+      ChainCompletionStatus2["IssuerNotFound"] = "IssuerNotFound";
+      ChainCompletionStatus2["EmptyChain"] = "EmptyChain";
+      ChainCompletionStatus2["MaxDepthReached"] = "MaxDepthReached";
+      return ChainCompletionStatus2;
+    })(ChainCompletionStatus || {});
     CertificateManager = class _CertificateManager extends EventEmitter {
       // ── Global instance registry ─────────────────────────────────
       // Tracks all initialized CertificateManager instances so their
@@ -559,6 +567,7 @@ var init_certificate_manager = __esm({
       #filenameToHash = /* @__PURE__ */ new Map();
       #initializingPromise;
       #addCertValidation;
+      #disableFileWatchers;
       #thumbs = {
         rejected: /* @__PURE__ */ new Map(),
         trusted: /* @__PURE__ */ new Map(),
@@ -592,6 +601,7 @@ var init_certificate_manager = __esm({
           ignoreMissingRevocationList: v.ignoreMissingRevocationList ?? false,
           maxChainLength: v.maxChainLength ?? 5
         };
+        this.#disableFileWatchers = options.disableFileWatchers ?? process.env.OPCUA_PKI_DISABLE_FILE_WATCHERS === "true";
         mkdirRecursiveSync(options.location);
         if (!fs4.existsSync(this.#location)) {
           throw new Error(`CertificateManager cannot access location ${this.#location}`);
@@ -1456,6 +1466,75 @@ var init_certificate_manager = __esm({
         }
         return selectedTrustedCertificates.length > 0 ? selectedTrustedCertificates[0].certificate : null;
       }
+      /**
+       * Outcome status for {@link CertificateManager.completeCertificateChain}.
+       */
+      static ChainCompletionStatus = ChainCompletionStatus;
+      /**
+       * Complete a certificate chain by walking the issuer store.
+       *
+       * Starting from the last certificate in the provided chain, this method
+       * repeatedly calls {@link findIssuerCertificate} to locate the parent
+       * certificate until it reaches a self-signed root or can no longer find
+       * an issuer.
+       *
+       * @param chain - the (potentially partial) certificate chain, leaf first
+       * @param maxDepth - maximum number of issuers to append (default: 10)
+       * @returns a {@link ChainCompletionResult} containing the (possibly completed)
+       *          chain, a status code, and an optional diagnostic message.
+       */
+      async completeCertificateChain(chain, maxDepth = 10) {
+        if (chain.length === 0) {
+          return {
+            chain,
+            status: "EmptyChain" /* EmptyChain */,
+            message: "Input chain is empty \u2014 nothing to complete."
+          };
+        }
+        await this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs);
+        const result = [...chain];
+        let depth = 0;
+        while (depth < maxDepth) {
+          const lastCert = result[result.length - 1];
+          const lastInfo = exploreCertificate(lastCert);
+          if (isSelfSigned2(lastInfo)) {
+            const wasExtended = result.length > chain.length;
+            return {
+              chain: result,
+              status: wasExtended ? "ChainCompleted" /* ChainCompleted */ : "AlreadyComplete" /* AlreadyComplete */,
+              message: wasExtended ? `Chain completed: ${result.length - chain.length} issuer(s) appended, ending at self-signed root "${lastInfo.tbsCertificate.subject.commonName}".` : `Chain is already complete (self-signed root "${lastInfo.tbsCertificate.subject.commonName}").`
+            };
+          }
+          const issuerCert = await this.findIssuerCertificate(lastCert);
+          if (!issuerCert) {
+            const cn = lastInfo.tbsCertificate.subject.commonName ?? "?";
+            const akid = lastInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier ?? "?";
+            const msg = `Cannot find issuer for "${cn}" (authorityKeyIdentifier: ${akid}). Ensure the CA certificate is present in the issuers/certs folder.`;
+            warningLog(`completeCertificateChain: ${msg}`);
+            return {
+              chain: result,
+              status: "IssuerNotFound" /* IssuerNotFound */,
+              message: msg
+            };
+          }
+          const issuerFingerprint = makeFingerprint(issuerCert);
+          const alreadyInChain = result.some((c) => makeFingerprint(c) === issuerFingerprint);
+          if (alreadyInChain) {
+            return {
+              chain: result,
+              status: "AlreadyComplete" /* AlreadyComplete */,
+              message: `Chain ends at root "${exploreCertificate(issuerCert).tbsCertificate.subject.commonName}" (already present in chain).`
+            };
+          }
+          result.push(issuerCert);
+          depth++;
+        }
+        return {
+          chain: result,
+          status: "MaxDepthReached" /* MaxDepthReached */,
+          message: `Chain completion stopped after ${maxDepth} iterations \u2014 possible circular chain or very deep hierarchy.`
+        };
+      }
       /**
        *
        * check if the certificate explicitly appear in the trust list, the reject list or none.
@@ -1651,11 +1730,15 @@ var init_certificate_manager = __esm({
           this.#scanCrlFolder(this.crlFolder, this.#thumbs.crl),
           this.#scanCrlFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl)
         ]);
-        this.#startWatcher(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher, "trusted");
-        this.#startWatcher(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher, "issuersCerts");
-        this.#startWatcher(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher, "rejected");
-        this.#startCrlWatcher(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher, "crl");
-        this.#startCrlWatcher(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher, "issuersCrl");
+        if (this.#disableFileWatchers) {
+          fs4.watch = origWatch;
+        } else {
+          this.#startWatcher(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher, "trusted");
+          this.#startWatcher(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher, "issuersCerts");
+          this.#startWatcher(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher, "rejected");
+          this.#startCrlWatcher(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher, "crl");
+          this.#startCrlWatcher(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher, "issuersCrl");
+        }
       }
       /**
        * Scan a certificate folder and populate the in-memory index.