node-opcua-pki 6.15.0 → 6.17.0

package/dist/index.mjs

@@ -31,9 +31,17 @@ function adjustDate(params) {
   assert(params instanceof Object);
   params.startDate = params.startDate || /* @__PURE__ */ new Date();
   assert(params.startDate instanceof Date);
-  params.validity = params.validity || 365;
-  params.endDate = new Date(params.startDate.getTime());
-  params.endDate.setDate(params.startDate.getDate() + params.validity);
+  if (params.validityMs !== void 0) {
+    if (params.validityMs <= 0) {
+      throw new RangeError(`validityMs must be > 0 (got ${params.validityMs})`);
+    }
+    params.endDate = new Date(params.startDate.getTime() + params.validityMs);
+    params.validity = Math.ceil(params.validityMs / 864e5);
+  } else {
+    params.validity = params.validity || 365;
+    params.endDate = new Date(params.startDate.getTime());
+    params.endDate.setDate(params.startDate.getDate() + params.validity);
+  }
   assert(params.endDate instanceof Date);
   assert(params.startDate instanceof Date);
 }
@@ -1354,14 +1362,15 @@ var CertificateAuthority = class {
    * @returns the signed certificate as a DER-encoded buffer
    */
   async signCertificateRequestFromDER(csrDer, options) {
-    const validity = options?.validity ?? 365;
     const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-sign-"));
     try {
       const csrFile = path5.join(tmpDir, "request.csr");
       const certFile = path5.join(tmpDir, "certificate.pem");
       const csrPem = toPem(csrDer, "CERTIFICATE REQUEST");
       await fs7.promises.writeFile(csrFile, csrPem, "utf-8");
-      const signingParams = { validity };
+      const signingParams = {};
+      if (options?.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+      else signingParams.validity = options?.validity ?? 365;
       if (options?.startDate) signingParams.startDate = options.startDate;
       if (options?.dns) signingParams.dns = options.dns;
       if (options?.ip) signingParams.ip = options.ip;
@@ -1377,6 +1386,35 @@ var CertificateAuthority = class {
       });
     }
   }
+  /**
+   * Advertise the validity limits this CA can honor.
+   *
+   * Consumers (notably the GDS server in [`cert_auth.ts`](https://github.com/sterfive/node-opcua-gds))
+   * clamp a requested validity against these bounds before calling
+   * {@link signCertificateRequestFromDER}, so a misconfigured
+   * `defaultCertValidity` cannot ask the CA for something it cannot
+   * produce.
+   *
+   * Defaults match the OpenSSL-backed implementation:
+   * - `minValidityMs = 60_000` (1 minute) — practical floor; the
+   *   X.509 spec floor is 1 second but very short certs are rarely
+   *   useful and pathological for any real deployment.
+   * - `maxValidityMs = 10 * 365 * 86_400_000` (≈ 10 years) — long
+   *   enough for root CAs.
+   * - `validityGranularityMs = 1_000` (1 second) — RFC 5280 §4.1.2.5
+   *   floor on `notBefore` / `notAfter`.
+   * - `nativeUnit = "second"` — what `x509Date()` actually encodes.
+   *
+   * @see US-208 — the consumer-side capability story.
+   */
+  getCapabilities() {
+    return {
+      minValidityMs: 6e4,
+      maxValidityMs: 10 * 365 * 864e5,
+      validityGranularityMs: 1e3,
+      nativeUnit: "second"
+    };
+  }
   /**
    * Generate a new RSA key pair, create an internal CSR, sign it
    * with this CA, and return both the certificate and private key
@@ -1394,7 +1432,6 @@ var CertificateAuthority = class {
    */
   async generateKeyPairAndSignDER(options) {
     const keySize = options.keySize ?? 2048;
-    const validity = options.validity ?? 365;
     const startDate = options.startDate ?? /* @__PURE__ */ new Date();
     const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-keygen-"));
     try {
@@ -1414,13 +1451,15 @@ var CertificateAuthority = class {
         purpose: CertificatePurpose.ForApplication
       });
       const certFile = path5.join(tmpDir, "certificate.pem");
-      await this.signCertificateRequest(certFile, csrFile, {
+      const signingParams = {
         applicationUri: options.applicationUri,
         dns: options.dns,
         ip: options.ip,
-        startDate,
-        validity
-      });
+        startDate
+      };
+      if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+      else signingParams.validity = options.validity ?? 365;
+      await this.signCertificateRequest(certFile, csrFile, signingParams);
       const certPem = readCertificatePEM(certFile);
       const certificateDer = convertPEMtoDER(certPem);
       const privateKey = readPrivateKey(privateKeyFile);
@@ -1445,7 +1484,6 @@ var CertificateAuthority = class {
    */
   async generateKeyPairAndSignPFX(options) {
     const keySize = options.keySize ?? 2048;
-    const validity = options.validity ?? 365;
     const startDate = options.startDate ?? /* @__PURE__ */ new Date();
     const passphrase = options.passphrase ?? "";
     const tmpDir = await fs7.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-keygen-pfx-"));
@@ -1466,13 +1504,15 @@ var CertificateAuthority = class {
         purpose: CertificatePurpose.ForApplication
       });
       const certFile = path5.join(tmpDir, "certificate.pem");
-      await this.signCertificateRequest(certFile, csrFile, {
+      const signingParams = {
         applicationUri: options.applicationUri,
         dns: options.dns,
         ip: options.ip,
-        startDate,
-        validity
-      });
+        startDate
+      };
+      if (options.validityMs !== void 0) signingParams.validityMs = options.validityMs;
+      else signingParams.validity = options.validity ?? 365;
+      await this.signCertificateRequest(certFile, csrFile, signingParams);
       const pfxFile = path5.join(tmpDir, "bundle.pfx");
       await createPFX({
         certificateFile: certFile,