npm - node-opcua-pki - Versions diffs - 6.13.0 → 6.15.0 - Mend

node-opcua-pki 6.13.0 → 6.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/bin/pki.mjs CHANGED Viewed

@@ -1944,9 +1944,15 @@ function setEnv(varName, value) {
     process.env[varName] = value;
   }
 }
+function hasEnv(varName) {
+  return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);
+}
 function getEnv(varName) {
   return exportedEnvVars[varName];
 }
+function unsetEnv(varName) {
+  delete exportedEnvVars[varName];
+}
 function getEnvironmentVarNames() {
   return Object.keys(exportedEnvVars).map((varName) => {
     return { key: varName, pattern: `\\$ENV\\:\\:${varName}` };
@@ -2416,10 +2422,17 @@ function openssl_require2DigitYearInDate() {
   }
   return g_config.opensslVersion.match(/OpenSSL 0\.9/);
 }
+function stripConditionalBlocks(template) {
+  return template.replace(/\{\{#([A-Z_][A-Z0-9_]*)\}\}([\s\S]*?)\{\{\/\1\}\}\r?\n?/g, (_match, key, content) => {
+    const keep = hasEnv(key) && getEnv(key) !== "";
+    return keep ? content : "";
+  });
+}
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
   const originalFilename = !path4.isAbsolute(configPath) ? path4.join(prePath, configPath) : configPath;
   let staticConfig = fs7.readFileSync(originalFilename, { encoding: "utf8" });
+  staticConfig = stripConditionalBlocks(staticConfig);
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
@@ -2672,7 +2685,9 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsSslServerName          =
 keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}
 [ v3_req ]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
@@ -2683,21 +2698,21 @@ nsComment                 = "CA Generated by Node-OPCUA Certificate utility usin
 subjectKeyIdentifier      = hash
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
+subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA CSR generated by Node-OPCUA Certificate utility using openssl"
 [ v3_ca ]
 subjectKeyIdentifier      = hash
 authorityKeyIdentifier    = keyid:always,issuer:always
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
+subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA Certificate generated by Node-OPCUA Certificate utility using openssl"
 #nsCertType                 = sslCA, emailCA
-#subjectAltName             = email:copy
 #issuerAltName              = issuer:copy
 #obj                        = DER:02:03
-crlDistributionPoints     = @crl_info
-[ crl_info ]
-URI.0                     = http://localhost:8900/crl.pem
-[ v3_selfsigned]
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}[ v3_selfsigned]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
@@ -2787,7 +2802,9 @@ async function construct_CertificateAuthority(certificateAuthority) {
     await fs10.promises.writeFile(caConfigFile, data);
   }
   const subjectOpt = ` -subj "${subject.toString()}" `;
-  processAltNames({});
+  const caCommonName = subject.commonName || "NodeOPCUA-CA";
+  setEnv("ALTNAME", `URI:urn:${caCommonName}`);
+  certificateAuthority._wireRevocationEnvVars();
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
   const configOption = ` -config ${q4(n5(configFile))}`;
@@ -2841,6 +2858,33 @@ function parseOpenSSLDate(dateStr) {
   const sec = raw.substring(10, 12);
   return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
 }
+function validateRevocationUrl(url2, fieldName) {
+  if (url2 === void 0) {
+    return void 0;
+  }
+  if (url2 === "") {
+    throw new Error(`${fieldName} must not be empty \u2014 pass undefined to disable the extension`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(url2);
+  } catch {
+    throw new Error(`${fieldName} is not a valid URL: ${url2}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`${fieldName} must use http: or https: (got ${parsed.protocol} in ${url2})`);
+  }
+  if (!parsed.pathname || parsed.pathname === "/") {
+    throw new Error(`${fieldName} must include a path component (got ${url2})`);
+  }
+  const isLoopback = parsed.hostname === "localhost" || parsed.hostname === "::1" || parsed.hostname.startsWith("127.");
+  if (isLoopback) {
+    console.warn(
+      `[node-opcua-pki] ${fieldName} points at loopback (${url2}) \u2014 certificates issued with this URL will be unreachable from any other host.`
+    );
+  }
+  return url2;
+}
 var defaultSubject, configurationFileTemplate, configurationFileSimpleTemplate2, config3, n5, q4, CertificateAuthority;
 var init_certificate_authority = __esm({
   "packages/node-opcua-pki/lib/ca/certificate_authority.ts"() {
@@ -2871,6 +2915,10 @@ var init_certificate_authority = __esm({
       subject;
       /** @internal Parent CA (undefined for root CAs). */
       _issuerCA;
+      /** @internal Configured CDP / AIA URLs (US-202). */
+      _crlDistributionUrl;
+      _ocspResponderUrl;
+      _caIssuersUrl;
       constructor(options) {
         assert10(Object.prototype.hasOwnProperty.call(options, "location"));
         assert10(Object.prototype.hasOwnProperty.call(options, "keySize"));
@@ -2878,6 +2926,93 @@ var init_certificate_authority = __esm({
         this.keySize = options.keySize || 2048;
         this.subject = new Subject4(options.subject || defaultSubject);
         this._issuerCA = options.issuerCA;
+        if (options.crlDistributionUrl !== void 0) {
+          this.setCrlDistributionUrl(options.crlDistributionUrl);
+        }
+        if (options.ocspResponderUrl !== void 0) {
+          this.setOcspResponderUrl(options.ocspResponderUrl);
+        }
+        if (options.caIssuersUrl !== void 0) {
+          this.setCaIssuersUrl(options.caIssuersUrl);
+        }
+      }
+      /**
+       * Public URL where the CRL produced by this CA is reachable, or
+       * `undefined` if no CDP extension should be emitted on issued certs.
+       */
+      get crlDistributionUrl() {
+        return this._crlDistributionUrl;
+      }
+      /**
+       * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+       * leg should be emitted on issued certs.
+       */
+      get ocspResponderUrl() {
+        return this._ocspResponderUrl;
+      }
+      /**
+       * Public URL where the issuer's certificate can be fetched, or
+       * `undefined` if no AIA caIssuers leg should be emitted.
+       */
+      get caIssuersUrl() {
+        return this._caIssuersUrl;
+      }
+      /**
+       * Configure the URL embedded as `crlDistributionPoints` in every
+       * subsequently-issued certificate. Pass `undefined` to disable
+       * the extension entirely. Validated synchronously — throws on
+       * empty string, non-http(s) protocol, missing path. Warns (does
+       * not throw) when the URL points at loopback.
+       *
+       * @see US-202
+       */
+      setCrlDistributionUrl(url2) {
+        this._crlDistributionUrl = validateRevocationUrl(url2, "crlDistributionUrl");
+      }
+      /**
+       * Configure the OCSP responder URL embedded as the `OCSP` leg of
+       * the `authorityInfoAccess` extension on every subsequently-issued
+       * certificate. Pass `undefined` to disable.
+       *
+       * @see US-202
+       */
+      setOcspResponderUrl(url2) {
+        this._ocspResponderUrl = validateRevocationUrl(url2, "ocspResponderUrl");
+      }
+      /**
+       * Configure the caIssuers URL embedded as the `caIssuers` leg of
+       * the `authorityInfoAccess` extension on every subsequently-issued
+       * certificate. Pass `undefined` to disable.
+       *
+       * @see US-202
+       */
+      setCaIssuersUrl(url2) {
+        this._caIssuersUrl = validateRevocationUrl(url2, "caIssuersUrl");
+      }
+      /**
+       * @internal
+       * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+       * `AIA_VALUE`) from the configured URLs, or unset them so the
+       * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+       * stripped. MUST be called before every `generateStaticConfig`
+       * invocation that signs a certificate.
+       */
+      _wireRevocationEnvVars() {
+        unsetEnv("CDP_URL");
+        unsetEnv("AIA_VALUE");
+        if (this._crlDistributionUrl) {
+          setEnv("CDP_URL", this._crlDistributionUrl);
+        }
+        const aiaLegs = [];
+        if (this._ocspResponderUrl) {
+          aiaLegs.push(`OCSP;URI:${this._ocspResponderUrl}`);
+        }
+        if (this._caIssuersUrl) {
+          aiaLegs.push(`caIssuers;URI:${this._caIssuersUrl}`);
+        }
+        if (aiaLegs.length > 0) {
+          setEnv("AIA_VALUE", aiaLegs.join(","));
+        }
       }
       /** Absolute path to the CA root directory (alias for {@link location}). */
       get rootDir() {
@@ -3480,6 +3615,7 @@ var init_certificate_authority = __esm({
       async signCACertificateRequest(certFile, csrFile, params) {
         const caRootDir = path6.resolve(this.rootDir);
         const options = { cwd: caRootDir };
+        this._wireRevocationEnvVars();
         const configFile = generateStaticConfig("conf/caconfig.cnf", options);
         const validity = params.validity ?? 3650;
         await execute_openssl(
@@ -3646,6 +3782,7 @@ var init_certificate_authority = __esm({
           ip
         };
         processAltNames(params);
+        this._wireRevocationEnvVars();
         const configFile = generateStaticConfig("conf/caconfig.cnf", options);
         displaySubtitle("- then we ask the authority to sign the certificate signing request");
         const configOption = ` -config ${configFile}`;