node-opcua-pki 6.14.0 → 6.16.0

package/dist/bin/pki.mjs

@@ -248,9 +248,17 @@ function adjustDate(params) {
   assert4(params instanceof Object);
   params.startDate = params.startDate || /* @__PURE__ */ new Date();
   assert4(params.startDate instanceof Date);
-  params.validity = params.validity || 365;
-  params.endDate = new Date(params.startDate.getTime());
-  params.endDate.setDate(params.startDate.getDate() + params.validity);
+  if (params.validityMs !== void 0) {
+    if (params.validityMs <= 0) {
+      throw new RangeError(`validityMs must be > 0 (got ${params.validityMs})`);
+    }
+    params.endDate = new Date(params.startDate.getTime() + params.validityMs);
+    params.validity = Math.ceil(params.validityMs / 864e5);
+  } else {
+    params.validity = params.validity || 365;
+    params.endDate = new Date(params.startDate.getTime());
+    params.endDate.setDate(params.startDate.getDate() + params.validity);
+  }
   assert4(params.endDate instanceof Date);
   assert4(params.startDate instanceof Date);
 }
@@ -1944,9 +1952,15 @@ function setEnv(varName, value) {
     process.env[varName] = value;
   }
 }
+function hasEnv(varName) {
+  return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);
+}
 function getEnv(varName) {
   return exportedEnvVars[varName];
 }
+function unsetEnv(varName) {
+  delete exportedEnvVars[varName];
+}
 function getEnvironmentVarNames() {
   return Object.keys(exportedEnvVars).map((varName) => {
     return { key: varName, pattern: `\\$ENV\\:\\:${varName}` };
@@ -2416,10 +2430,17 @@ function openssl_require2DigitYearInDate() {
   }
   return g_config.opensslVersion.match(/OpenSSL 0\.9/);
 }
+function stripConditionalBlocks(template) {
+  return template.replace(/\{\{#([A-Z_][A-Z0-9_]*)\}\}([\s\S]*?)\{\{\/\1\}\}\r?\n?/g, (_match, key, content) => {
+    const keep = hasEnv(key) && getEnv(key) !== "";
+    return keep ? content : "";
+  });
+}
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
   const originalFilename = !path4.isAbsolute(configPath) ? path4.join(prePath, configPath) : configPath;
   let staticConfig = fs7.readFileSync(originalFilename, { encoding: "utf8" });
+  staticConfig = stripConditionalBlocks(staticConfig);
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
@@ -2672,7 +2693,9 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsSslServerName          =
 keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
-
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}
 [ v3_req ]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
@@ -2695,10 +2718,9 @@ nsComment                 = "CA Certificate generated by Node-OPCUA Certificate
 #nsCertType                 = sslCA, emailCA
 #issuerAltName              = issuer:copy
 #obj                        = DER:02:03
-crlDistributionPoints     = @crl_info
-[ crl_info ]
-URI.0                     = http://localhost:8900/crl.pem
-[ v3_selfsigned]
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}[ v3_selfsigned]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
@@ -2790,6 +2812,7 @@ async function construct_CertificateAuthority(certificateAuthority) {
   const subjectOpt = ` -subj "${subject.toString()}" `;
   const caCommonName = subject.commonName || "NodeOPCUA-CA";
   setEnv("ALTNAME", `URI:urn:${caCommonName}`);
+  certificateAuthority._wireRevocationEnvVars();
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
   const configOption = ` -config ${q4(n5(configFile))}`;
@@ -2843,6 +2866,33 @@ function parseOpenSSLDate(dateStr) {
   const sec = raw.substring(10, 12);
   return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
 }
+function validateRevocationUrl(url2, fieldName) {
+  if (url2 === void 0) {
+    return void 0;
+  }
+  if (url2 === "") {
+    throw new Error(`${fieldName} must not be empty \u2014 pass undefined to disable the extension`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(url2);
+  } catch {
+    throw new Error(`${fieldName} is not a valid URL: ${url2}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`${fieldName} must use http: or https: (got ${parsed.protocol} in ${url2})`);
+  }
+  if (!parsed.pathname || parsed.pathname === "/") {
+    throw new Error(`${fieldName} must include a path component (got ${url2})`);
+  }
+  const isLoopback = parsed.hostname === "localhost" || parsed.hostname === "::1" || parsed.hostname.startsWith("127.");
+  if (isLoopback) {
+    console.warn(
+      `[node-opcua-pki] ${fieldName} points at loopback (${url2}) \u2014 certificates issued with this URL will be unreachable from any other host.`
+    );
+  }
+  return url2;
+}
 var defaultSubject, configurationFileTemplate, configurationFileSimpleTemplate2, config3, n5, q4, CertificateAuthority;
 var init_certificate_authority = __esm({
   "packages/node-opcua-pki/lib/ca/certificate_authority.ts"() {
@@ -2873,6 +2923,10 @@ var init_certificate_authority = __esm({
       subject;
       /** @internal Parent CA (undefined for root CAs). */
       _issuerCA;
+      /** @internal Configured CDP / AIA URLs (US-202). */
+      _crlDistributionUrl;
+      _ocspResponderUrl;
+      _caIssuersUrl;
       constructor(options) {
         assert10(Object.prototype.hasOwnProperty.call(options, "location"));
         assert10(Object.prototype.hasOwnProperty.call(options, "keySize"));
@@ -2880,6 +2934,93 @@ var init_certificate_authority = __esm({
         this.keySize = options.keySize || 2048;
         this.subject = new Subject4(options.subject || defaultSubject);
         this._issuerCA = options.issuerCA;
+        if (options.crlDistributionUrl !== void 0) {
+          this.setCrlDistributionUrl(options.crlDistributionUrl);
+        }
+        if (options.ocspResponderUrl !== void 0) {
+          this.setOcspResponderUrl(options.ocspResponderUrl);
+        }
+        if (options.caIssuersUrl !== void 0) {
+          this.setCaIssuersUrl(options.caIssuersUrl);
+        }
+      }
+      /**
+       * Public URL where the CRL produced by this CA is reachable, or
+       * `undefined` if no CDP extension should be emitted on issued certs.
+       */
+      get crlDistributionUrl() {
+        return this._crlDistributionUrl;
+      }
+      /**
+       * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+       * leg should be emitted on issued certs.
+       */
+      get ocspResponderUrl() {
+        return this._ocspResponderUrl;
+      }
+      /**
+       * Public URL where the issuer's certificate can be fetched, or
+       * `undefined` if no AIA caIssuers leg should be emitted.
+       */
+      get caIssuersUrl() {
+        return this._caIssuersUrl;
+      }
+      /**
+       * Configure the URL embedded as `crlDistributionPoints` in every
+       * subsequently-issued certificate. Pass `undefined` to disable
+       * the extension entirely. Validated synchronously — throws on
+       * empty string, non-http(s) protocol, missing path. Warns (does
+       * not throw) when the URL points at loopback.
+       *
+       * @see US-202
+       */
+      setCrlDistributionUrl(url2) {
+        this._crlDistributionUrl = validateRevocationUrl(url2, "crlDistributionUrl");
+      }
+      /**
+       * Configure the OCSP responder URL embedded as the `OCSP` leg of
+       * the `authorityInfoAccess` extension on every subsequently-issued
+       * certificate. Pass `undefined` to disable.
+       *
+       * @see US-202
+       */
+      setOcspResponderUrl(url2) {
+        this._ocspResponderUrl = validateRevocationUrl(url2, "ocspResponderUrl");
+      }
+      /**
+       * Configure the caIssuers URL embedded as the `caIssuers` leg of
+       * the `authorityInfoAccess` extension on every subsequently-issued
+       * certificate. Pass `undefined` to disable.
+       *
+       * @see US-202
+       */
+      setCaIssuersUrl(url2) {
+        this._caIssuersUrl = validateRevocationUrl(url2, "caIssuersUrl");
+      }
+      /**
+       * @internal
+       * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+       * `AIA_VALUE`) from the configured URLs, or unset them so the
+       * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+       * stripped. MUST be called before every `generateStaticConfig`
+       * invocation that signs a certificate.
+       */
+      _wireRevocationEnvVars() {
+        unsetEnv("CDP_URL");
+        unsetEnv("AIA_VALUE");
+        if (this._crlDistributionUrl) {
+          setEnv("CDP_URL", this._crlDistributionUrl);
+        }
+        const aiaLegs = [];
+        if (this._ocspResponderUrl) {
+          aiaLegs.push(`OCSP;URI:${this._ocspResponderUrl}`);
+        }
+        if (this._caIssuersUrl) {
+          aiaLegs.push(`caIssuers;URI:${this._caIssuersUrl}`);
+        }
+        if (aiaLegs.length > 0) {
+          setEnv("AIA_VALUE", aiaLegs.join(","));
+        }
       }
       /** Absolute path to the CA root directory (alias for {@link location}). */
       get rootDir() {
@@ -3126,14 +3267,15 @@ var init_certificate_authority = __esm({
        * @returns the signed certificate as a DER-encoded buffer
        */
       async signCertificateRequestFromDER(csrDer, options) {
-        const validity = options?.validity ?? 365;
         const tmpDir = await fs10.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-sign-"));
         try {
           const csrFile = path6.join(tmpDir, "request.csr");
           const certFile = path6.join(tmpDir, "certificate.pem");
           const csrPem = toPem2(csrDer, "CERTIFICATE REQUEST");
           await fs10.promises.writeFile(csrFile, csrPem, "utf-8");
-          const signingParams = { validity };
+          const signingParams = {};
+          if (options?.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+          else signingParams.validity = options?.validity ?? 365;
           if (options?.startDate) signingParams.startDate = options.startDate;
           if (options?.dns) signingParams.dns = options.dns;
           if (options?.ip) signingParams.ip = options.ip;
@@ -3149,6 +3291,35 @@ var init_certificate_authority = __esm({
           });
         }
       }
+      /**
+       * Advertise the validity limits this CA can honor.
+       *
+       * Consumers (notably the GDS server in [`cert_auth.ts`](https://github.com/sterfive/node-opcua-gds))
+       * clamp a requested validity against these bounds before calling
+       * {@link signCertificateRequestFromDER}, so a misconfigured
+       * `defaultCertValidity` cannot ask the CA for something it cannot
+       * produce.
+       *
+       * Defaults match the OpenSSL-backed implementation:
+       * - `minValidityMs = 60_000` (1 minute) — practical floor; the
+       *   X.509 spec floor is 1 second but very short certs are rarely
+       *   useful and pathological for any real deployment.
+       * - `maxValidityMs = 10 * 365 * 86_400_000` (≈ 10 years) — long
+       *   enough for root CAs.
+       * - `validityGranularityMs = 1_000` (1 second) — RFC 5280 §4.1.2.5
+       *   floor on `notBefore` / `notAfter`.
+       * - `nativeUnit = "second"` — what `x509Date()` actually encodes.
+       *
+       * @see US-208 — the consumer-side capability story.
+       */
+      getCapabilities() {
+        return {
+          minValidityMs: 6e4,
+          maxValidityMs: 10 * 365 * 864e5,
+          validityGranularityMs: 1e3,
+          nativeUnit: "second"
+        };
+      }
       /**
        * Generate a new RSA key pair, create an internal CSR, sign it
        * with this CA, and return both the certificate and private key
@@ -3166,7 +3337,6 @@ var init_certificate_authority = __esm({
        */
       async generateKeyPairAndSignDER(options) {
         const keySize = options.keySize ?? 2048;
-        const validity = options.validity ?? 365;
         const startDate = options.startDate ?? /* @__PURE__ */ new Date();
         const tmpDir = await fs10.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-keygen-"));
         try {
@@ -3186,13 +3356,15 @@ var init_certificate_authority = __esm({
             purpose: CertificatePurpose2.ForApplication
           });
           const certFile = path6.join(tmpDir, "certificate.pem");
-          await this.signCertificateRequest(certFile, csrFile, {
+          const signingParams = {
             applicationUri: options.applicationUri,
             dns: options.dns,
             ip: options.ip,
-            startDate,
-            validity
-          });
+            startDate
+          };
+          if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+          else signingParams.validity = options.validity ?? 365;
+          await this.signCertificateRequest(certFile, csrFile, signingParams);
           const certPem = readCertificatePEM(certFile);
           const certificateDer = convertPEMtoDER(certPem);
           const privateKey = readPrivateKey(privateKeyFile);
@@ -3217,7 +3389,6 @@ var init_certificate_authority = __esm({
        */
       async generateKeyPairAndSignPFX(options) {
         const keySize = options.keySize ?? 2048;
-        const validity = options.validity ?? 365;
         const startDate = options.startDate ?? /* @__PURE__ */ new Date();
         const passphrase = options.passphrase ?? "";
         const tmpDir = await fs10.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-keygen-pfx-"));
@@ -3238,13 +3409,15 @@ var init_certificate_authority = __esm({
             purpose: CertificatePurpose2.ForApplication
           });
           const certFile = path6.join(tmpDir, "certificate.pem");
-          await this.signCertificateRequest(certFile, csrFile, {
+          const signingParams = {
             applicationUri: options.applicationUri,
             dns: options.dns,
             ip: options.ip,
-            startDate,
-            validity
-          });
+            startDate
+          };
+          if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+          else signingParams.validity = options.validity ?? 365;
+          await this.signCertificateRequest(certFile, csrFile, signingParams);
           const pfxFile = path6.join(tmpDir, "bundle.pfx");
           await createPFX({
             certificateFile: certFile,
@@ -3482,6 +3655,7 @@ var init_certificate_authority = __esm({
       async signCACertificateRequest(certFile, csrFile, params) {
         const caRootDir = path6.resolve(this.rootDir);
         const options = { cwd: caRootDir };
+        this._wireRevocationEnvVars();
         const configFile = generateStaticConfig("conf/caconfig.cnf", options);
         const validity = params.validity ?? 3650;
         await execute_openssl(
@@ -3648,6 +3822,7 @@ var init_certificate_authority = __esm({
           ip
         };
         processAltNames(params);
+        this._wireRevocationEnvVars();
         const configFile = generateStaticConfig("conf/caconfig.cnf", options);
         displaySubtitle("- then we ask the authority to sign the certificate signing request");
         const configOption = ` -config ${configFile}`;