node-opcua-pki 6.14.0 → 6.16.0

package/dist/index.mjs

@@ -31,9 +31,17 @@ function adjustDate(params) {
   assert(params instanceof Object);
   params.startDate = params.startDate || /* @__PURE__ */ new Date();
   assert(params.startDate instanceof Date);
-  params.validity = params.validity || 365;
-  params.endDate = new Date(params.startDate.getTime());
-  params.endDate.setDate(params.startDate.getDate() + params.validity);
+  if (params.validityMs !== void 0) {
+    if (params.validityMs <= 0) {
+      throw new RangeError(`validityMs must be > 0 (got ${params.validityMs})`);
+    }
+    params.endDate = new Date(params.startDate.getTime() + params.validityMs);
+    params.validity = Math.ceil(params.validityMs / 864e5);
+  } else {
+    params.validity = params.validity || 365;
+    params.endDate = new Date(params.startDate.getTime());
+    params.endDate.setDate(params.startDate.getDate() + params.validity);
+  }
   assert(params.endDate instanceof Date);
   assert(params.startDate instanceof Date);
 }
@@ -120,9 +128,15 @@ function setEnv(varName, value) {
     process.env[varName] = value;
   }
 }
+function hasEnv(varName) {
+  return Object.prototype.hasOwnProperty.call(exportedEnvVars, varName);
+}
 function getEnv(varName) {
   return exportedEnvVars[varName];
 }
+function unsetEnv(varName) {
+  delete exportedEnvVars[varName];
+}
 function getEnvironmentVarNames() {
   return Object.keys(exportedEnvVars).map((varName) => {
     return { key: varName, pattern: `\\$ENV\\:\\:${varName}` };
@@ -639,10 +653,17 @@ function openssl_require2DigitYearInDate() {
 }
 g_config.opensslVersion = "";
 var _counter = 0;
+function stripConditionalBlocks(template) {
+  return template.replace(/\{\{#([A-Z_][A-Z0-9_]*)\}\}([\s\S]*?)\{\{\/\1\}\}\r?\n?/g, (_match, key, content) => {
+    const keep = hasEnv(key) && getEnv(key) !== "";
+    return keep ? content : "";
+  });
+}
 function generateStaticConfig(configPath, options) {
   const prePath = options?.cwd || "";
   const originalFilename = !path3.isAbsolute(configPath) ? path3.join(prePath, configPath) : configPath;
   let staticConfig = fs5.readFileSync(originalFilename, { encoding: "utf8" });
+  staticConfig = stripConditionalBlocks(staticConfig);
   for (const envVar of getEnvironmentVarNames()) {
     staticConfig = staticConfig.replace(new RegExp(envVar.pattern, "gi"), getEnv(envVar.key));
   }
@@ -797,7 +818,9 @@ nsComment                 = ''OpenSSL Generated Certificate''
 #nsSslServerName          =
 keyUsage                  = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
-
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}
 [ v3_req ]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
@@ -820,10 +843,9 @@ nsComment                 = "CA Certificate generated by Node-OPCUA Certificate
 #nsCertType                 = sslCA, emailCA
 #issuerAltName              = issuer:copy
 #obj                        = DER:02:03
-crlDistributionPoints     = @crl_info
-[ crl_info ]
-URI.0                     = http://localhost:8900/crl.pem
-[ v3_selfsigned]
+{{#CDP_URL}}crlDistributionPoints     = URI:$ENV::CDP_URL
+{{/CDP_URL}}{{#AIA_VALUE}}authorityInfoAccess       = $ENV::AIA_VALUE
+{{/AIA_VALUE}}[ v3_selfsigned]
 basicConstraints          = critical, CA:FALSE
 keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
 extendedKeyUsage          = critical,serverAuth ,clientAuth
@@ -906,6 +928,7 @@ async function construct_CertificateAuthority(certificateAuthority) {
   const subjectOpt = ` -subj "${subject.toString()}" `;
   const caCommonName = subject.commonName || "NodeOPCUA-CA";
   setEnv("ALTNAME", `URI:urn:${caCommonName}`);
+  certificateAuthority._wireRevocationEnvVars();
   const options = { cwd: caRootDir };
   const configFile = generateStaticConfig("conf/caconfig.cnf", options);
   const configOption = ` -config ${q3(n4(configFile))}`;
@@ -959,6 +982,33 @@ function parseOpenSSLDate(dateStr) {
   const sec = raw.substring(10, 12);
   return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
 }
+function validateRevocationUrl(url2, fieldName) {
+  if (url2 === void 0) {
+    return void 0;
+  }
+  if (url2 === "") {
+    throw new Error(`${fieldName} must not be empty \u2014 pass undefined to disable the extension`);
+  }
+  let parsed;
+  try {
+    parsed = new URL(url2);
+  } catch {
+    throw new Error(`${fieldName} is not a valid URL: ${url2}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`${fieldName} must use http: or https: (got ${parsed.protocol} in ${url2})`);
+  }
+  if (!parsed.pathname || parsed.pathname === "/") {
+    throw new Error(`${fieldName} must include a path component (got ${url2})`);
+  }
+  const isLoopback = parsed.hostname === "localhost" || parsed.hostname === "::1" || parsed.hostname.startsWith("127.");
+  if (isLoopback) {
+    console.warn(
+      `[node-opcua-pki] ${fieldName} points at loopback (${url2}) \u2014 certificates issued with this URL will be unreachable from any other host.`
+    );
+  }
+  return url2;
+}
 var CertificateAuthority = class {
   /** RSA key size used when generating the CA private key. */
   keySize;
@@ -968,6 +1018,10 @@ var CertificateAuthority = class {
   subject;
   /** @internal Parent CA (undefined for root CAs). */
   _issuerCA;
+  /** @internal Configured CDP / AIA URLs (US-202). */
+  _crlDistributionUrl;
+  _ocspResponderUrl;
+  _caIssuersUrl;
   constructor(options) {
     assert7(Object.prototype.hasOwnProperty.call(options, "location"));
     assert7(Object.prototype.hasOwnProperty.call(options, "keySize"));
@@ -975,6 +1029,93 @@ var CertificateAuthority = class {
     this.keySize = options.keySize || 2048;
     this.subject = new Subject2(options.subject || defaultSubject);
     this._issuerCA = options.issuerCA;
+    if (options.crlDistributionUrl !== void 0) {
+      this.setCrlDistributionUrl(options.crlDistributionUrl);
+    }
+    if (options.ocspResponderUrl !== void 0) {
+      this.setOcspResponderUrl(options.ocspResponderUrl);
+    }
+    if (options.caIssuersUrl !== void 0) {
+      this.setCaIssuersUrl(options.caIssuersUrl);
+    }
+  }
+  /**
+   * Public URL where the CRL produced by this CA is reachable, or
+   * `undefined` if no CDP extension should be emitted on issued certs.
+   */
+  get crlDistributionUrl() {
+    return this._crlDistributionUrl;
+  }
+  /**
+   * Public URL of the OCSP responder, or `undefined` if no AIA OCSP
+   * leg should be emitted on issued certs.
+   */
+  get ocspResponderUrl() {
+    return this._ocspResponderUrl;
+  }
+  /**
+   * Public URL where the issuer's certificate can be fetched, or
+   * `undefined` if no AIA caIssuers leg should be emitted.
+   */
+  get caIssuersUrl() {
+    return this._caIssuersUrl;
+  }
+  /**
+   * Configure the URL embedded as `crlDistributionPoints` in every
+   * subsequently-issued certificate. Pass `undefined` to disable
+   * the extension entirely. Validated synchronously — throws on
+   * empty string, non-http(s) protocol, missing path. Warns (does
+   * not throw) when the URL points at loopback.
+   *
+   * @see US-202
+   */
+  setCrlDistributionUrl(url2) {
+    this._crlDistributionUrl = validateRevocationUrl(url2, "crlDistributionUrl");
+  }
+  /**
+   * Configure the OCSP responder URL embedded as the `OCSP` leg of
+   * the `authorityInfoAccess` extension on every subsequently-issued
+   * certificate. Pass `undefined` to disable.
+   *
+   * @see US-202
+   */
+  setOcspResponderUrl(url2) {
+    this._ocspResponderUrl = validateRevocationUrl(url2, "ocspResponderUrl");
+  }
+  /**
+   * Configure the caIssuers URL embedded as the `caIssuers` leg of
+   * the `authorityInfoAccess` extension on every subsequently-issued
+   * certificate. Pass `undefined` to disable.
+   *
+   * @see US-202
+   */
+  setCaIssuersUrl(url2) {
+    this._caIssuersUrl = validateRevocationUrl(url2, "caIssuersUrl");
+  }
+  /**
+   * @internal
+   * Populate the OpenSSL config substitution env vars (`CDP_URL` and
+   * `AIA_VALUE`) from the configured URLs, or unset them so the
+   * matching `{{#KEY}}...{{/KEY}}` blocks in the templates are
+   * stripped. MUST be called before every `generateStaticConfig`
+   * invocation that signs a certificate.
+   */
+  _wireRevocationEnvVars() {
+    unsetEnv("CDP_URL");
+    unsetEnv("AIA_VALUE");
+    if (this._crlDistributionUrl) {
+      setEnv("CDP_URL", this._crlDistributionUrl);
+    }
+    const aiaLegs = [];
+    if (this._ocspResponderUrl) {
+      aiaLegs.push(`OCSP;URI:${this._ocspResponderUrl}`);
+    }
+    if (this._caIssuersUrl) {
+      aiaLegs.push(`caIssuers;URI:${this._caIssuersUrl}`);
+    }
+    if (aiaLegs.length > 0) {
+      setEnv("AIA_VALUE", aiaLegs.join(","));
+    }
   }
   /** Absolute path to the CA root directory (alias for {@link location}). */
   get rootDir() {
@@ -1221,14 +1362,15 @@ var CertificateAuthority = class {
    * @returns the signed certificate as a DER-encoded buffer
    */
   async signCertificateRequestFromDER(csrDer, options) {
-    const validity = options?.validity ?? 365;
     const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-sign-"));
     try {
       const csrFile = path5.join(tmpDir, "request.csr");
       const certFile = path5.join(tmpDir, "certificate.pem");
       const csrPem = toPem(csrDer, "CERTIFICATE REQUEST");
       await fs7.promises.writeFile(csrFile, csrPem, "utf-8");
-      const signingParams = { validity };
+      const signingParams = {};
+      if (options?.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+      else signingParams.validity = options?.validity ?? 365;
       if (options?.startDate) signingParams.startDate = options.startDate;
       if (options?.dns) signingParams.dns = options.dns;
       if (options?.ip) signingParams.ip = options.ip;
@@ -1244,6 +1386,35 @@ var CertificateAuthority = class {
       });
     }
   }
+  /**
+   * Advertise the validity limits this CA can honor.
+   *
+   * Consumers (notably the GDS server in [`cert_auth.ts`](https://github.com/sterfive/node-opcua-gds))
+   * clamp a requested validity against these bounds before calling
+   * {@link signCertificateRequestFromDER}, so a misconfigured
+   * `defaultCertValidity` cannot ask the CA for something it cannot
+   * produce.
+   *
+   * Defaults match the OpenSSL-backed implementation:
+   * - `minValidityMs = 60_000` (1 minute) — practical floor; the
+   *   X.509 spec floor is 1 second but very short certs are rarely
+   *   useful and pathological for any real deployment.
+   * - `maxValidityMs = 10 * 365 * 86_400_000` (≈ 10 years) — long
+   *   enough for root CAs.
+   * - `validityGranularityMs = 1_000` (1 second) — RFC 5280 §4.1.2.5
+   *   floor on `notBefore` / `notAfter`.
+   * - `nativeUnit = "second"` — what `x509Date()` actually encodes.
+   *
+   * @see US-208 — the consumer-side capability story.
+   */
+  getCapabilities() {
+    return {
+      minValidityMs: 6e4,
+      maxValidityMs: 10 * 365 * 864e5,
+      validityGranularityMs: 1e3,
+      nativeUnit: "second"
+    };
+  }
   /**
    * Generate a new RSA key pair, create an internal CSR, sign it
    * with this CA, and return both the certificate and private key
@@ -1261,7 +1432,6 @@ var CertificateAuthority = class {
    */
   async generateKeyPairAndSignDER(options) {
     const keySize = options.keySize ?? 2048;
-    const validity = options.validity ?? 365;
     const startDate = options.startDate ?? /* @__PURE__ */ new Date();
     const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-keygen-"));
     try {
@@ -1281,13 +1451,15 @@ var CertificateAuthority = class {
         purpose: CertificatePurpose.ForApplication
       });
       const certFile = path5.join(tmpDir, "certificate.pem");
-      await this.signCertificateRequest(certFile, csrFile, {
+      const signingParams = {
         applicationUri: options.applicationUri,
         dns: options.dns,
         ip: options.ip,
-        startDate,
-        validity
-      });
+        startDate
+      };
+      if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+      else signingParams.validity = options.validity ?? 365;
+      await this.signCertificateRequest(certFile, csrFile, signingParams);
       const certPem = readCertificatePEM(certFile);
       const certificateDer = convertPEMtoDER(certPem);
       const privateKey = readPrivateKey(privateKeyFile);
@@ -1312,7 +1484,6 @@ var CertificateAuthority = class {
    */
   async generateKeyPairAndSignPFX(options) {
     const keySize = options.keySize ?? 2048;
-    const validity = options.validity ?? 365;
     const startDate = options.startDate ?? /* @__PURE__ */ new Date();
     const passphrase = options.passphrase ?? "";
     const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-keygen-pfx-"));
@@ -1333,13 +1504,15 @@ var CertificateAuthority = class {
         purpose: CertificatePurpose.ForApplication
       });
       const certFile = path5.join(tmpDir, "certificate.pem");
-      await this.signCertificateRequest(certFile, csrFile, {
+      const signingParams = {
         applicationUri: options.applicationUri,
         dns: options.dns,
         ip: options.ip,
-        startDate,
-        validity
-      });
+        startDate
+      };
+      if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+      else signingParams.validity = options.validity ?? 365;
+      await this.signCertificateRequest(certFile, csrFile, signingParams);
       const pfxFile = path5.join(tmpDir, "bundle.pfx");
       await createPFX({
         certificateFile: certFile,
@@ -1577,6 +1750,7 @@ var CertificateAuthority = class {
   async signCACertificateRequest(certFile, csrFile, params) {
     const caRootDir = path5.resolve(this.rootDir);
     const options = { cwd: caRootDir };
+    this._wireRevocationEnvVars();
     const configFile = generateStaticConfig("conf/caconfig.cnf", options);
     const validity = params.validity ?? 3650;
     await execute_openssl(
@@ -1743,6 +1917,7 @@ var CertificateAuthority = class {
       ip
     };
     processAltNames(params);
+    this._wireRevocationEnvVars();
     const configFile = generateStaticConfig("conf/caconfig.cnf", options);
     displaySubtitle("- then we ask the authority to sign the certificate signing request");
     const configOption = ` -config ${configFile}`;