node-opcua-pki 6.14.0 → 6.15.0

package/dist/bin/pki.mjs

@@ -1944,9 +1944,15 @@ function setEnv(varName, value) {
     process.env[varName] = value;
   }
 }
+function hasEnv(varName) {
+  return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);
+}
 function getEnv(varName) {
   return exportedEnvVars[varName];
 }
+function unsetEnv(varName) {
+  delete exportedEnvVars[varName];
+}
 function getEnvironmentVarNames() {
   return Object.keys(exportedEnvVars).map((varName) => {
     return { key: varName, pattern: `\\$ENV\\:\\:${varName}` };
@@ -2416,10 +2422,17 @@ function openssl_require2DigitYearInDate() {
   }
   return g_config.opensslVersion.match(/OpenSSL 0\.9/);
 }
+function stripConditionalBlocks(template) {
+  return template.replace(/\{\{#([A-Z_][A-Z0-9_]*)\}\}([\s\S]*?)\{\{\/\1\}\}\r?\n?/g, (_match, key, content) => {
+    const keep = hasEnv(key) && getEnv(key) !== "";
+    return keep ? content : "";
+  });
+}
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
   const originalFilename = !path4.isAbsolute(configPath) ? path4.join(prePath, configPath) : configPath;
   let staticConfig = fs7.readFileSync(originalFilename, { encoding: "utf8" });
+  staticConfig = stripConditionalBlocks(staticConfig);
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
@@ -2672,7 +2685,9 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsSslServerName          =
 keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
-
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}
 [ v3_req ]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
@@ -2695,10 +2710,9 @@ nsComment                 = "CA Certificate generated by Node-OPCUA Certificate
 #nsCertType                 = sslCA, emailCA
 #issuerAltName              = issuer:copy
 #obj                        = DER:02:03
-crlDistributionPoints     = @crl_info
-[ crl_info ]
-URI.0                     = http://localhost:8900/crl.pem
-[ v3_selfsigned]
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}[ v3_selfsigned]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
@@ -2790,6 +2804,7 @@ async function construct_CertificateAuthority(certificateAuthority) {
   const subjectOpt = ` -subj "${subject.toString()}" `;
   const caCommonName = subject.commonName || "NodeOPCUA-CA";
   setEnv("ALTNAME", `URI:urn:${caCommonName}`);
+  certificateAuthority._wireRevocationEnvVars();
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
   const configOption = ` -config ${q4(n5(configFile))}`;
@@ -2843,6 +2858,33 @@ function parseOpenSSLDate(dateStr) {
   const sec = raw.substring(10, 12);
   return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
 }
+function validateRevocationUrl(url2, fieldName) {
+  if (url2 === void 0) {
+    return void 0;
+  }
+  if (url2 === "") {
+    throw new Error(`${fieldName} must not be empty \u2014 pass undefined to disable the extension`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(url2);
+  } catch {
+    throw new Error(`${fieldName} is not a valid URL: ${url2}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`${fieldName} must use http: or https: (got ${parsed.protocol} in ${url2})`);
+  }
+  if (!parsed.pathname || parsed.pathname === "/") {
+    throw new Error(`${fieldName} must include a path component (got ${url2})`);
+  }
+  const isLoopback = parsed.hostname === "localhost" || parsed.hostname === "::1" || parsed.hostname.startsWith("127.");
+  if (isLoopback) {
+    console.warn(
+      `[node-opcua-pki] ${fieldName} points at loopback (${url2}) \u2014 certificates issued with this URL will be unreachable from any other host.`
+    );
+  }
+  return url2;
+}
 var defaultSubject, configurationFileTemplate, configurationFileSimpleTemplate2, config3, n5, q4, CertificateAuthority;
 var init_certificate_authority = __esm({
   "packages/node-opcua-pki/lib/ca/certificate_authority.ts"() {
@@ -2873,6 +2915,10 @@ var init_certificate_authority = __esm({
       subject;
       /** @internal Parent CA (undefined for root CAs). */
       _issuerCA;
+      /** @internal Configured CDP / AIA URLs (US-202). */
+      _crlDistributionUrl;
+      _ocspResponderUrl;
+      _caIssuersUrl;
       constructor(options) {
         assert10(Object.prototype.hasOwnProperty.call(options, "location"));
         assert10(Object.prototype.hasOwnProperty.call(options, "keySize"));
@@ -2880,6 +2926,93 @@ var init_certificate_authority = __esm({
         this.keySize = options.keySize || 2048;
         this.subject = new Subject4(options.subject || defaultSubject);
         this._issuerCA = options.issuerCA;
+        if (options.crlDistributionUrl !== void 0) {
+          this.setCrlDistributionUrl(options.crlDistributionUrl);
+        }
+        if (options.ocspResponderUrl !== void 0) {
+          this.setOcspResponderUrl(options.ocspResponderUrl);
+        }
+        if (options.caIssuersUrl !== void 0) {
+          this.setCaIssuersUrl(options.caIssuersUrl);
+        }
+      }
+      /**
+       * Public URL where the CRL produced by this CA is reachable, or
+       * `undefined` if no CDP extension should be emitted on issued certs.
+       */
+      get crlDistributionUrl() {
+        return this._crlDistributionUrl;
+      }
+      /**
+       * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+       * leg should be emitted on issued certs.
+       */
+      get ocspResponderUrl() {
+        return this._ocspResponderUrl;
+      }
+      /**
+       * Public URL where the issuer's certificate can be fetched, or
+       * `undefined` if no AIA caIssuers leg should be emitted.
+       */
+      get caIssuersUrl() {
+        return this._caIssuersUrl;
+      }
+      /**
+       * Configure the URL embedded as `crlDistributionPoints` in every
+       * subsequently-issued certificate. Pass `undefined` to disable
+       * the extension entirely. Validated synchronously — throws on
+       * empty string, non-http(s) protocol, missing path. Warns (does
+       * not throw) when the URL points at loopback.
+       *
+       * @see US-202
+       */
+      setCrlDistributionUrl(url2) {
+        this._crlDistributionUrl = validateRevocationUrl(url2, "crlDistributionUrl");
+      }
+      /**
+       * Configure the OCSP responder URL embedded as the `OCSP` leg of
+       * the `authorityInfoAccess` extension on every subsequently-issued
+       * certificate. Pass `undefined` to disable.
+       *
+       * @see US-202
+       */
+      setOcspResponderUrl(url2) {
+        this._ocspResponderUrl = validateRevocationUrl(url2, "ocspResponderUrl");
+      }
+      /**
+       * Configure the caIssuers URL embedded as the `caIssuers` leg of
+       * the `authorityInfoAccess` extension on every subsequently-issued
+       * certificate. Pass `undefined` to disable.
+       *
+       * @see US-202
+       */
+      setCaIssuersUrl(url2) {
+        this._caIssuersUrl = validateRevocationUrl(url2, "caIssuersUrl");
+      }
+      /**
+       * @internal
+       * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+       * `AIA_VALUE`) from the configured URLs, or unset them so the
+       * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+       * stripped. MUST be called before every `generateStaticConfig`
+       * invocation that signs a certificate.
+       */
+      _wireRevocationEnvVars() {
+        unsetEnv("CDP_URL");
+        unsetEnv("AIA_VALUE");
+        if (this._crlDistributionUrl) {
+          setEnv("CDP_URL", this._crlDistributionUrl);
+        }
+        const aiaLegs = [];
+        if (this._ocspResponderUrl) {
+          aiaLegs.push(`OCSP;URI:${this._ocspResponderUrl}`);
+        }
+        if (this._caIssuersUrl) {
+          aiaLegs.push(`caIssuers;URI:${this._caIssuersUrl}`);
+        }
+        if (aiaLegs.length > 0) {
+          setEnv("AIA_VALUE", aiaLegs.join(","));
+        }
       }
       /** Absolute path to the CA root directory (alias for {@link location}). */
       get rootDir() {
@@ -3482,6 +3615,7 @@ var init_certificate_authority = __esm({
       async signCACertificateRequest(certFile, csrFile, params) {
         const caRootDir = path6.resolve(this.rootDir);
         const options = { cwd: caRootDir };
+        this._wireRevocationEnvVars();
         const configFile = generateStaticConfig("conf/caconfig.cnf", options);
         const validity = params.validity ?? 3650;
         await execute_openssl(
@@ -3648,6 +3782,7 @@ var init_certificate_authority = __esm({
           ip
         };
         processAltNames(params);
+        this._wireRevocationEnvVars();
         const configFile = generateStaticConfig("conf/caconfig.cnf", options);
         displaySubtitle("- then we ask the authority to sign the certificate signing request");
         const configOption = ` -config ${configFile}`;