node-opcua-pki 6.15.0 → 6.16.0
- package/dist/bin/pki.mjs +55 -15
- package/dist/bin/pki.mjs.map +1 -1
- package/dist/index.d.mts +76 -1
- package/dist/index.d.ts +76 -1
- package/dist/index.js +55 -15
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +55 -15
- package/dist/index.mjs.map +1 -1
- package/package.json +2 -2
package/dist/bin/pki.mjs
CHANGED
|
@@ -248,9 +248,17 @@ function adjustDate(params) {
|
|
|
248
248
|
assert4(params instanceof Object);
|
|
249
249
|
params.startDate = params.startDate || /* @__PURE__ */ new Date();
|
|
250
250
|
assert4(params.startDate instanceof Date);
|
|
251
|
-
params.
|
|
252
|
-
|
|
253
|
-
|
|
251
|
+
if (params.validityMs !== void 0) {
|
|
252
|
+
if (params.validityMs <= 0) {
|
|
253
|
+
throw new RangeError(`validityMs must be > 0 (got ${params.validityMs})`);
|
|
254
|
+
}
|
|
255
|
+
params.endDate = new Date(params.startDate.getTime() + params.validityMs);
|
|
256
|
+
params.validity = Math.ceil(params.validityMs / 864e5);
|
|
257
|
+
} else {
|
|
258
|
+
params.validity = params.validity || 365;
|
|
259
|
+
params.endDate = new Date(params.startDate.getTime());
|
|
260
|
+
params.endDate.setDate(params.startDate.getDate() + params.validity);
|
|
261
|
+
}
|
|
254
262
|
assert4(params.endDate instanceof Date);
|
|
255
263
|
assert4(params.startDate instanceof Date);
|
|
256
264
|
}
|
|
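Review bot: The new `validityMs` branch in adjustDate rejects only values `<= 0`, so `NaN`, a string or any other non-finite input gets through: `NaN <= 0` is false, `endDate` becomes an Invalid Date, and the following `assert4(params.endDate instanceof Date)` still passes. For code that sets a certificate's validity window, I would tighten the guard to `if (!Number.isFinite(params.validityMs) || params.validityMs <= 0) {` and keep the RangeError. No visible hunk enforces the `maxValidityMs` that the new `getCapabilities()` advertises, so the upper bound appears to rest on callers clamping; the value is forwarded unchanged from `signCertificateRequestFromDER`, `generateKeyPairAndSignDER` and `generateKeyPairAndSignPFX`. `params.validity = Math.ceil(params.validityMs / 864e5)` rounds up to whole days, so if a later signing step still reads `validity` rather than `endDate` (not visible here), a sub-day request would yield a longer-lived certificate than asked for; a comment stating which field is authoritative would help. The start of adjustDate lies outside this hunk.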
@@ -3259,14 +3267,15 @@ var init_certificate_authority = __esm({
|
|
|
3259
3267
|
* @returns the signed certificate as a DER-encoded buffer
|
|
3260
3268
|
*/
|
|
3261
3269
|
async signCertificateRequestFromDER(csrDer, options) {
|
|
3262
|
-
const validity = options?.validity ?? 365;
|
|
3263
3270
|
const tmpDir = await fs10.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-sign-"));
|
|
3264
3271
|
try {
|
|
3265
3272
|
const csrFile = path6.join(tmpDir, "request.csr");
|
|
3266
3273
|
const certFile = path6.join(tmpDir, "certificate.pem");
|
|
3267
3274
|
const csrPem = toPem2(csrDer, "CERTIFICATE REQUEST");
|
|
3268
3275
|
await fs10.promises.writeFile(csrFile, csrPem, "utf-8");
|
|
3269
|
-
const signingParams = {
|
|
3276
|
+
const signingParams = {};
|
|
3277
|
+
if (options?.validityMs !== void 0) signingParams.validityMs = options.validityMs;
|
|
3278
|
+
else signingParams.validity = options?.validity ?? 365;
|
|
3270
3279
|
if (options?.startDate) signingParams.startDate = options.startDate;
|
|
3271
3280
|
if (options?.dns) signingParams.dns = options.dns;
|
|
3272
3281
|
if (options?.ip) signingParams.ip = options.ip;
|
|
@@ -3282,6 +3291,35 @@ var init_certificate_authority = __esm({
|
|
|
3282
3291
|
});
|
|
3283
3292
|
}
|
|
3284
3293
|
}
|
|
3294
|
+
/**
|
|
3295
|
+
* Advertise the validity limits this CA can honor.
|
|
3296
|
+
*
|
|
3297
|
+
* Consumers (notably the GDS server in [`cert_auth.ts`](https://github.com/sterfive/node-opcua-gds))
|
|
3298
|
+
* clamp a requested validity against these bounds before calling
|
|
3299
|
+
* {@link signCertificateRequestFromDER}, so a misconfigured
|
|
3300
|
+
* `defaultCertValidity` cannot ask the CA for something it cannot
|
|
3301
|
+
* produce.
|
|
3302
|
+
*
|
|
3303
|
+
* Defaults match the OpenSSL-backed implementation:
|
|
3304
|
+
* - `minValidityMs = 60_000` (1 minute) — practical floor; the
|
|
3305
|
+
* X.509 spec floor is 1 second but very short certs are rarely
|
|
3306
|
+
* useful and pathological for any real deployment.
|
|
3307
|
+
* - `maxValidityMs = 10 * 365 * 86_400_000` (≈ 10 years) — long
|
|
3308
|
+
* enough for root CAs.
|
|
3309
|
+
* - `validityGranularityMs = 1_000` (1 second) — RFC 5280 §4.1.2.5
|
|
3310
|
+
* floor on `notBefore` / `notAfter`.
|
|
3311
|
+
* - `nativeUnit = "second"` — what `x509Date()` actually encodes.
|
|
3312
|
+
*
|
|
3313
|
+
* @see US-208 — the consumer-side capability story.
|
|
3314
|
+
*/
|
|
3315
|
+
getCapabilities() {
|
|
3316
|
+
return {
|
|
3317
|
+
minValidityMs: 6e4,
|
|
3318
|
+
maxValidityMs: 10 * 365 * 864e5,
|
|
3319
|
+
validityGranularityMs: 1e3,
|
|
3320
|
+
nativeUnit: "second"
|
|
3321
|
+
};
|
|
3322
|
+
}
|
|
3285
3323
|
/**
|
|
3286
3324
|
* Generate a new RSA key pair, create an internal CSR, sign it
|
|
3287
3325
|
* with this CA, and return both the certificate and private key
|
|
@@ -3299,7 +3337,6 @@ var init_certificate_authority = __esm({
|
|
|
3299
3337
|
*/
|
|
3300
3338
|
async generateKeyPairAndSignDER(options) {
|
|
3301
3339
|
const keySize = options.keySize ?? 2048;
|
|
3302
|
-
const validity = options.validity ?? 365;
|
|
3303
3340
|
const startDate = options.startDate ?? /* @__PURE__ */ new Date();
|
|
3304
3341
|
const tmpDir = await fs10.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-keygen-"));
|
|
3305
3342
|
try {
|
|
@@ -3319,13 +3356,15 @@ var init_certificate_authority = __esm({
|
|
|
3319
3356
|
purpose: CertificatePurpose2.ForApplication
|
|
3320
3357
|
});
|
|
3321
3358
|
const certFile = path6.join(tmpDir, "certificate.pem");
|
|
3322
|
-
|
|
3359
|
+
const signingParams = {
|
|
3323
3360
|
applicationUri: options.applicationUri,
|
|
3324
3361
|
dns: options.dns,
|
|
3325
3362
|
ip: options.ip,
|
|
3326
|
-
startDate
|
|
3327
|
-
|
|
3328
|
-
|
|
3363
|
+
startDate
|
|
3364
|
+
};
|
|
3365
|
+
if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
|
|
3366
|
+
else signingParams.validity = options.validity ?? 365;
|
|
3367
|
+
await this.signCertificateRequest(certFile, csrFile, signingParams);
|
|
3329
3368
|
const certPem = readCertificatePEM(certFile);
|
|
3330
3369
|
const certificateDer = convertPEMtoDER(certPem);
|
|
3331
3370
|
const privateKey = readPrivateKey(privateKeyFile);
|
|
@@ -3350,7 +3389,6 @@ var init_certificate_authority = __esm({
|
|
|
3350
3389
|
*/
|
|
3351
3390
|
async generateKeyPairAndSignPFX(options) {
|
|
3352
3391
|
const keySize = options.keySize ?? 2048;
|
|
3353
|
-
const validity = options.validity ?? 365;
|
|
3354
3392
|
const startDate = options.startDate ?? /* @__PURE__ */ new Date();
|
|
3355
3393
|
const passphrase = options.passphrase ?? "";
|
|
3356
3394
|
const tmpDir = await fs10.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-keygen-pfx-"));
|
|
@@ -3371,13 +3409,15 @@ var init_certificate_authority = __esm({
|
|
|
3371
3409
|
purpose: CertificatePurpose2.ForApplication
|
|
3372
3410
|
});
|
|
3373
3411
|
const certFile = path6.join(tmpDir, "certificate.pem");
|
|
3374
|
-
|
|
3412
|
+
const signingParams = {
|
|
3375
3413
|
applicationUri: options.applicationUri,
|
|
3376
3414
|
dns: options.dns,
|
|
3377
3415
|
ip: options.ip,
|
|
3378
|
-
startDate
|
|
3379
|
-
|
|
3380
|
-
|
|
3416
|
+
startDate
|
|
3417
|
+
};
|
|
3418
|
+
if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
|
|
3419
|
+
else signingParams.validity = options.validity ?? 365;
|
|
3420
|
+
await this.signCertificateRequest(certFile, csrFile, signingParams);
|
|
3381
3421
|
const pfxFile = path6.join(tmpDir, "bundle.pfx");
|
|
3382
3422
|
await createPFX({
|
|
3383
3423
|
certificateFile: certFile,
|