node-opcua-pki 6.13.0 → 6.15.0

package/dist/index.d.mts

@@ -161,6 +161,28 @@ interface CertificateAuthorityOptions {
      * The parent CA must be initialized before this CA.
      */
     issuerCA?: CertificateAuthority;
+    /**
+     * Public URL (http/https) where the CRL produced by this CA is
+     * reachable. When set, every issued certificate carries an
+     * X.509v3 `crlDistributionPoints` extension pointing at this URL.
+     *
+     * Leave undefined to omit the extension entirely (opt-in — see
+     * US-202).  Validated synchronously at construction / setter call.
+     */
+    crlDistributionUrl?: string;
+    /**
+     * Public URL of the OCSP responder. When set, every issued cert
+     * carries an `authorityInfoAccess` extension with an `OCSP` leg
+     * pointing at this URL. Leave undefined to omit (US-202).
+     */
+    ocspResponderUrl?: string;
+    /**
+     * Public URL where the issuer's certificate can be fetched.
+     * When set, the `authorityInfoAccess` extension on every issued
+     * cert carries a `caIssuers` leg pointing at this URL (chain
+     * repair). Leave undefined to omit (US-202).
+     */
+    caIssuersUrl?: string;
 }
 /**
  * An OpenSSL-based Certificate Authority (CA) that can create,
@@ -270,7 +292,61 @@ declare class CertificateAuthority {
     readonly subject: Subject;
     /** @internal Parent CA (undefined for root CAs). */
     readonly _issuerCA?: CertificateAuthority;
+    /** @internal Configured CDP / AIA URLs (US-202). */
+    private _crlDistributionUrl?;
+    private _ocspResponderUrl?;
+    private _caIssuersUrl?;
     constructor(options: CertificateAuthorityOptions);
+    /**
+     * Public URL where the CRL produced by this CA is reachable, or
+     * `undefined` if no CDP extension should be emitted on issued certs.
+     */
+    get crlDistributionUrl(): string | undefined;
+    /**
+     * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+     * leg should be emitted on issued certs.
+     */
+    get ocspResponderUrl(): string | undefined;
+    /**
+     * Public URL where the issuer's certificate can be fetched, or
+     * `undefined` if no AIA caIssuers leg should be emitted.
+     */
+    get caIssuersUrl(): string | undefined;
+    /**
+     * Configure the URL embedded as `crlDistributionPoints` in every
+     * subsequently-issued certificate. Pass `undefined` to disable
+     * the extension entirely. Validated synchronously — throws on
+     * empty string, non-http(s) protocol, missing path. Warns (does
+     * not throw) when the URL points at loopback.
+     *
+     * @see US-202
+     */
+    setCrlDistributionUrl(url: string | undefined): void;
+    /**
+     * Configure the OCSP responder URL embedded as the `OCSP` leg of
+     * the `authorityInfoAccess` extension on every subsequently-issued
+     * certificate. Pass `undefined` to disable.
+     *
+     * @see US-202
+     */
+    setOcspResponderUrl(url: string | undefined): void;
+    /**
+     * Configure the caIssuers URL embedded as the `caIssuers` leg of
+     * the `authorityInfoAccess` extension on every subsequently-issued
+     * certificate. Pass `undefined` to disable.
+     *
+     * @see US-202
+     */
+    setCaIssuersUrl(url: string | undefined): void;
+    /**
+     * @internal
+     * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+     * `AIA_VALUE`) from the configured URLs, or unset them so the
+     * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+     * stripped. MUST be called before every `generateStaticConfig`
+     * invocation that signs a certificate.
+     */
+    _wireRevocationEnvVars(): void;
     /** Absolute path to the CA root directory (alias for {@link location}). */
     get rootDir(): string;
     /** Path to the OpenSSL configuration file (`conf/caconfig.cnf`). */

package/dist/index.d.ts

@@ -161,6 +161,28 @@ interface CertificateAuthorityOptions {
      * The parent CA must be initialized before this CA.
      */
     issuerCA?: CertificateAuthority;
+    /**
+     * Public URL (http/https) where the CRL produced by this CA is
+     * reachable. When set, every issued certificate carries an
+     * X.509v3 `crlDistributionPoints` extension pointing at this URL.
+     *
+     * Leave undefined to omit the extension entirely (opt-in — see
+     * US-202).  Validated synchronously at construction / setter call.
+     */
+    crlDistributionUrl?: string;
+    /**
+     * Public URL of the OCSP responder. When set, every issued cert
+     * carries an `authorityInfoAccess` extension with an `OCSP` leg
+     * pointing at this URL. Leave undefined to omit (US-202).
+     */
+    ocspResponderUrl?: string;
+    /**
+     * Public URL where the issuer's certificate can be fetched.
+     * When set, the `authorityInfoAccess` extension on every issued
+     * cert carries a `caIssuers` leg pointing at this URL (chain
+     * repair). Leave undefined to omit (US-202).
+     */
+    caIssuersUrl?: string;
 }
 /**
  * An OpenSSL-based Certificate Authority (CA) that can create,
@@ -270,7 +292,61 @@ declare class CertificateAuthority {
     readonly subject: Subject;
     /** @internal Parent CA (undefined for root CAs). */
     readonly _issuerCA?: CertificateAuthority;
+    /** @internal Configured CDP / AIA URLs (US-202). */
+    private _crlDistributionUrl?;
+    private _ocspResponderUrl?;
+    private _caIssuersUrl?;
     constructor(options: CertificateAuthorityOptions);
+    /**
+     * Public URL where the CRL produced by this CA is reachable, or
+     * `undefined` if no CDP extension should be emitted on issued certs.
+     */
+    get crlDistributionUrl(): string | undefined;
+    /**
+     * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+     * leg should be emitted on issued certs.
+     */
+    get ocspResponderUrl(): string | undefined;
+    /**
+     * Public URL where the issuer's certificate can be fetched, or
+     * `undefined` if no AIA caIssuers leg should be emitted.
+     */
+    get caIssuersUrl(): string | undefined;
+    /**
+     * Configure the URL embedded as `crlDistributionPoints` in every
+     * subsequently-issued certificate. Pass `undefined` to disable
+     * the extension entirely. Validated synchronously — throws on
+     * empty string, non-http(s) protocol, missing path. Warns (does
+     * not throw) when the URL points at loopback.
+     *
+     * @see US-202
+     */
+    setCrlDistributionUrl(url: string | undefined): void;
+    /**
+     * Configure the OCSP responder URL embedded as the `OCSP` leg of
+     * the `authorityInfoAccess` extension on every subsequently-issued
+     * certificate. Pass `undefined` to disable.
+     *
+     * @see US-202
+     */
+    setOcspResponderUrl(url: string | undefined): void;
+    /**
+     * Configure the caIssuers URL embedded as the `caIssuers` leg of
+     * the `authorityInfoAccess` extension on every subsequently-issued
+     * certificate. Pass `undefined` to disable.
+     *
+     * @see US-202
+     */
+    setCaIssuersUrl(url: string | undefined): void;
+    /**
+     * @internal
+     * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+     * `AIA_VALUE`) from the configured URLs, or unset them so the
+     * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+     * stripped. MUST be called before every `generateStaticConfig`
+     * invocation that signs a certificate.
+     */
+    _wireRevocationEnvVars(): void;
     /** Absolute path to the CA root directory (alias for {@link location}). */
     get rootDir(): string;
     /** Path to the OpenSSL configuration file (`conf/caconfig.cnf`). */

package/dist/index.js

@@ -166,9 +166,15 @@ function setEnv(varName, value) {
     process.env[varName] = value;
   }
 }
+function hasEnv(varName) {
+  return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);
+}
 function getEnv(varName) {
   return exportedEnvVars[varName];
 }
+function unsetEnv(varName) {
+  delete exportedEnvVars[varName];
+}
 function getEnvironmentVarNames() {
   return Object.keys(exportedEnvVars).map((varName) => {
     return { key: varName, pattern: `\\$ENV\\:\\:${varName}` };
@@ -685,10 +691,17 @@ function openssl_require2DigitYearInDate() {
 }
 g_config.opensslVersion = "";
 var _counter = 0;
+function stripConditionalBlocks(template) {
+  return template.replace(/\{\{#([A-Z_][A-Z0-9_]*)\}\}([\s\S]*?)\{\{\/\1\}\}\r?\n?/g, (_match, key, content) => {
+    const keep = hasEnv(key) && getEnv(key) !== "";
+    return keep ? content : "";
+  });
+}
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
   const originalFilename = !import_node_path3.default.isAbsolute(configPath) ? import_node_path3.default.join(prePath, configPath) : configPath;
   let staticConfig = import_node_fs5.default.readFileSync(originalFilename, { encoding: "utf8" });
+  staticConfig = stripConditionalBlocks(staticConfig);
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
@@ -843,7 +856,9 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsSslServerName          =
 keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
-
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}
 [ v3_req ]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
@@ -854,21 +869,21 @@ nsComment                 = "CA Generated by Node-OPCUA Certificate utility usin
 subjectKeyIdentifier      = hash
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
+subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA CSR generated by Node-OPCUA Certificate utility using openssl"
 [ v3_ca ]
 subjectKeyIdentifier      = hash
 authorityKeyIdentifier    = keyid:always,issuer:always
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
+subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA Certificate generated by Node-OPCUA Certificate utility using openssl"
 #nsCertType                 = sslCA, emailCA
-#subjectAltName             = email:copy
 #issuerAltName              = issuer:copy
 #obj                        = DER:02:03
-crlDistributionPoints     = @crl_info
-[ crl_info ]
-URI.0                     = http://localhost:8900/crl.pem
-[ v3_selfsigned]
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}[ v3_selfsigned]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
@@ -949,7 +964,9 @@ async function construct_CertificateAuthority(certificateAuthority) {
     await import_node_fs7.default.promises.writeFile(caConfigFile, data);
   }
   const subjectOpt = ` -subj "${subject.toString()}" `;
-  processAltNames({});
+  const caCommonName = subject.commonName || "NodeOPCUA-CA";
+  setEnv("ALTNAME", `URI:urn:${caCommonName}`);
+  certificateAuthority._wireRevocationEnvVars();
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
   const configOption = ` -config ${q3(n4(configFile))}`;
@@ -1003,6 +1020,33 @@ function parseOpenSSLDate(dateStr) {
   const sec = raw.substring(10, 12);
   return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
 }
+function validateRevocationUrl(url2, fieldName) {
+  if (url2 === void 0) {
+    return void 0;
+  }
+  if (url2 === "") {
+    throw new Error(`${fieldName} must not be empty \u2014 pass undefined to disable the extension`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(url2);
+  } catch {
+    throw new Error(`${fieldName} is not a valid URL: ${url2}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`${fieldName} must use http: or https: (got ${parsed.protocol} in ${url2})`);
+  }
+  if (!parsed.pathname || parsed.pathname === "/") {
+    throw new Error(`${fieldName} must include a path component (got ${url2})`);
+  }
+  const isLoopback = parsed.hostname === "localhost" || parsed.hostname === "::1" || parsed.hostname.startsWith("127.");
+  if (isLoopback) {
+    console.warn(
+      `[node-opcua-pki] ${fieldName} points at loopback (${url2}) \u2014 certificates issued with this URL will be unreachable from any other host.`
+    );
+  }
+  return url2;
+}
 var CertificateAuthority = class {
   /** RSA key size used when generating the CA private key. */
   keySize;
@@ -1012,6 +1056,10 @@ var CertificateAuthority = class {
   subject;
   /** @internal Parent CA (undefined for root CAs). */
   _issuerCA;
+  /** @internal Configured CDP / AIA URLs (US-202). */
+  _crlDistributionUrl;
+  _ocspResponderUrl;
+  _caIssuersUrl;
   constructor(options) {
     (0, import_node_assert7.default)(Object.prototype.hasOwnProperty.call(options, "location"));
     (0, import_node_assert7.default)(Object.prototype.hasOwnProperty.call(options, "keySize"));
@@ -1019,6 +1067,93 @@ var CertificateAuthority = class {
     this.keySize = options.keySize || 2048;
     this.subject = new import_node_opcua_crypto2.Subject(options.subject || defaultSubject);
     this._issuerCA = options.issuerCA;
+    if (options.crlDistributionUrl !== void 0) {
+      this.setCrlDistributionUrl(options.crlDistributionUrl);
+    }
+    if (options.ocspResponderUrl !== void 0) {
+      this.setOcspResponderUrl(options.ocspResponderUrl);
+    }
+    if (options.caIssuersUrl !== void 0) {
+      this.setCaIssuersUrl(options.caIssuersUrl);
+    }
+  }
+  /**
+   * Public URL where the CRL produced by this CA is reachable, or
+   * `undefined` if no CDP extension should be emitted on issued certs.
+   */
+  get crlDistributionUrl() {
+    return this._crlDistributionUrl;
+  }
+  /**
+   * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+   * leg should be emitted on issued certs.
+   */
+  get ocspResponderUrl() {
+    return this._ocspResponderUrl;
+  }
+  /**
+   * Public URL where the issuer's certificate can be fetched, or
+   * `undefined` if no AIA caIssuers leg should be emitted.
+   */
+  get caIssuersUrl() {
+    return this._caIssuersUrl;
+  }
+  /**
+   * Configure the URL embedded as `crlDistributionPoints` in every
+   * subsequently-issued certificate. Pass `undefined` to disable
+   * the extension entirely. Validated synchronously — throws on
+   * empty string, non-http(s) protocol, missing path. Warns (does
+   * not throw) when the URL points at loopback.
+   *
+   * @see US-202
+   */
+  setCrlDistributionUrl(url2) {
+    this._crlDistributionUrl = validateRevocationUrl(url2, "crlDistributionUrl");
+  }
+  /**
+   * Configure the OCSP responder URL embedded as the `OCSP` leg of
+   * the `authorityInfoAccess` extension on every subsequently-issued
+   * certificate. Pass `undefined` to disable.
+   *
+   * @see US-202
+   */
+  setOcspResponderUrl(url2) {
+    this._ocspResponderUrl = validateRevocationUrl(url2, "ocspResponderUrl");
+  }
+  /**
+   * Configure the caIssuers URL embedded as the `caIssuers` leg of
+   * the `authorityInfoAccess` extension on every subsequently-issued
+   * certificate. Pass `undefined` to disable.
+   *
+   * @see US-202
+   */
+  setCaIssuersUrl(url2) {
+    this._caIssuersUrl = validateRevocationUrl(url2, "caIssuersUrl");
+  }
+  /**
+   * @internal
+   * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+   * `AIA_VALUE`) from the configured URLs, or unset them so the
+   * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+   * stripped. MUST be called before every `generateStaticConfig`
+   * invocation that signs a certificate.
+   */
+  _wireRevocationEnvVars() {
+    unsetEnv("CDP_URL");
+    unsetEnv("AIA_VALUE");
+    if (this._crlDistributionUrl) {
+      setEnv("CDP_URL", this._crlDistributionUrl);
+    }
+    const aiaLegs = [];
+    if (this._ocspResponderUrl) {
+      aiaLegs.push(`OCSP;URI:${this._ocspResponderUrl}`);
+    }
+    if (this._caIssuersUrl) {
+      aiaLegs.push(`caIssuers;URI:${this._caIssuersUrl}`);
+    }
+    if (aiaLegs.length > 0) {
+      setEnv("AIA_VALUE", aiaLegs.join(","));
+    }
   }
   /** Absolute path to the CA root directory (alias for {@link location}). */
   get rootDir() {
@@ -1621,6 +1756,7 @@ var CertificateAuthority = class {
   async signCACertificateRequest(certFile, csrFile, params) {
     const caRootDir = import_node_path5.default.resolve(this.rootDir);
     const options = { cwd: caRootDir };
+    this._wireRevocationEnvVars();
     const configFile = generateStaticConfig("conf/caconfig.cnf", options);
     const validity = params.validity ?? 3650;
     await execute_openssl(
@@ -1787,6 +1923,7 @@ var CertificateAuthority = class {
       ip
     };
     processAltNames(params);
+    this._wireRevocationEnvVars();
     const configFile = generateStaticConfig("conf/caconfig.cnf", options);
     displaySubtitle("- then we ask the authority to sign the certificate signing request");
     const configOption = ` -config ${configFile}`;