node-opcua-pki 6.2.0 → 6.4.0

package/dist/index.mjs

@@ -1086,7 +1086,7 @@ var CertificateAuthority = class {
 };
 
 // packages/node-opcua-pki/lib/ca/crypto_create_CA.ts
-import assert11 from "assert";
+import assert10 from "assert";
 import fs10 from "fs";
 import { createRequire } from "module";
 import os4 from "os";
@@ -1167,7 +1167,6 @@ function getFullyQualifiedDomainName(optional_max_length) {
 prepareFQDN();
 
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
-import assert10 from "assert";
 import fs9 from "fs";
 import path7 from "path";
 import { withLock } from "@ster5/global-mutex";
@@ -1183,6 +1182,7 @@ import {
   readCertificateRevocationList,
   split_der,
   toPem,
+  verifyCertificateChain,
   verifyCertificateSignature
 } from "node-opcua-crypto";
 
@@ -1268,6 +1268,12 @@ var simple_config_template_cnf_default = config3;
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
 var configurationFileSimpleTemplate = simple_config_template_cnf_default;
 var fsWriteFile = fs9.promises.writeFile;
+function getOrComputeInfo(entry) {
+  if (!entry.info) {
+    entry.info = exploreCertificate(entry.certificate);
+  }
+  return entry.info;
+}
 var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   VerificationStatus2["BadCertificateInvalid"] = "BadCertificateInvalid";
   VerificationStatus2["BadSecurityChecksFailed"] = "BadSecurityChecksFailed";
@@ -1305,11 +1311,10 @@ function buildIdealCertificateName(certificate) {
   }
 }
 function findMatchingIssuerKey(entries, wantedIssuerKey) {
-  const selected = entries.filter(({ certificate }) => {
-    const info = exploreCertificate(certificate);
+  return entries.filter((entry) => {
+    const info = getOrComputeInfo(entry);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
-  return selected;
 }
 function isSelfSigned2(info) {
   return info.tbsCertificate.extensions?.subjectKeyIdentifier === info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
@@ -1355,26 +1360,35 @@ var CertificateManagerState = /* @__PURE__ */ ((CertificateManagerState2) => {
 var CertificateManager = class {
   untrustUnknownCertificate = true;
   state = 0 /* Uninitialized */;
+  /** @deprecated Use {@link folderPollingInterval} instead (typo fix). */
   folderPoolingInterval = 5e3;
+  /** Interval in milliseconds for file-system polling (when enabled). */
+  get folderPollingInterval() {
+    return this.folderPoolingInterval;
+  }
+  set folderPollingInterval(value) {
+    this.folderPoolingInterval = value;
+  }
   keySize;
   location;
   _watchers = [];
   _readCertificatesCalled = false;
-  _filenameToHash = {};
+  _filenameToHash = /* @__PURE__ */ new Map();
+  _initializingPromise;
   _thumbs = {
-    rejected: {},
-    trusted: {},
+    rejected: /* @__PURE__ */ new Map(),
+    trusted: /* @__PURE__ */ new Map(),
     issuers: {
-      certs: {}
+      certs: /* @__PURE__ */ new Map()
     },
-    crl: {},
-    issuersCrl: {}
+    crl: /* @__PURE__ */ new Map(),
+    issuersCrl: /* @__PURE__ */ new Map()
   };
   constructor(options) {
     options.keySize = options.keySize || 2048;
-    assert10(Object.prototype.hasOwnProperty.call(options, "location"));
-    assert10(Object.prototype.hasOwnProperty.call(options, "keySize"));
-    assert10(this.state === 0 /* Uninitialized */);
+    if (!options.location) {
+      throw new Error("CertificateManager: missing 'location' option");
+    }
     this.location = makePath(options.location, "");
     this.keySize = options.keySize;
     mkdirRecursiveSync(options.location);
@@ -1402,15 +1416,11 @@ var CertificateManager = class {
     await this.initialize();
     let status = await this._checkRejectedOrTrusted(certificate);
     if (status === "unknown") {
-      assert10(certificate instanceof Buffer);
       const pem = toPem(certificate, "CERTIFICATE");
       const fingerprint2 = makeFingerprint(certificate);
       const filename = path7.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
       await fs9.promises.writeFile(filename, pem);
-      this._thumbs.rejected[fingerprint2] = {
-        certificate,
-        filename
-      };
+      this._thumbs.rejected.set(fingerprint2, { certificate, filename });
       status = "rejected";
     }
     return status;
@@ -1461,30 +1471,27 @@ var CertificateManager = class {
    */
   async isCertificateTrusted(certificate) {
     const fingerprint2 = makeFingerprint(certificate);
-    const certificateInTrust = this._thumbs.trusted[fingerprint2]?.certificate;
-    if (certificateInTrust) {
+    if (this._thumbs.trusted.has(fingerprint2)) {
       return "Good";
-    } else {
-      const certificateInRejected = this._thumbs.rejected[fingerprint2];
-      if (!certificateInRejected) {
-        const certificateFilenameInRejected = path7.join(
-          this.rejectedFolder,
-          `${buildIdealCertificateName(certificate)}.pem`
-        );
-        if (!this.untrustUnknownCertificate) {
-          return "Good";
-        }
-        try {
-          const _certificateInfo = exploreCertificateInfo(certificate);
-          _certificateInfo;
-        } catch (_err) {
-          return "BadCertificateInvalid";
-        }
-        debugLog("certificate has never been seen before and is now rejected (untrusted) ", certificateFilenameInRejected);
-        await fsWriteFile(certificateFilenameInRejected, toPem(certificate, "CERTIFICATE"));
+    }
+    if (!this._thumbs.rejected.has(fingerprint2)) {
+      if (!this.untrustUnknownCertificate) {
+        return "Good";
+      }
+      try {
+        exploreCertificateInfo(certificate);
+      } catch (_err) {
+        return "BadCertificateInvalid";
       }
-      return "BadCertificateUntrusted";
+      const filename = path7.join(
+        this.rejectedFolder,
+        `${buildIdealCertificateName(certificate)}.pem`
+      );
+      debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+      await fsWriteFile(filename, toPem(certificate, "CERTIFICATE"));
+      this._thumbs.rejected.set(fingerprint2, { certificate, filename });
     }
+    return "BadCertificateUntrusted";
   }
   async _innerVerifyCertificateAsync(certificate, _isIssuer, level, options) {
     if (level >= 5) {
@@ -1579,7 +1586,7 @@ var CertificateManager = class {
       return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
     }
     const _c2 = chain[1] ? exploreCertificateInfo(chain[1]) : "non";
-    _c2;
+    debugLog("chain[1] info=", _c2);
     const certificateInfo = exploreCertificateInfo(certificate);
     const now = /* @__PURE__ */ new Date();
     let isTimeInvalid = false;
@@ -1602,7 +1609,6 @@ var CertificateManager = class {
     if (status === "trusted") {
       return isTimeInvalid ? "BadCertificateTimeInvalid" /* BadCertificateTimeInvalid */ : "Good" /* Good */;
     }
-    assert10(status === "unknown");
     if (hasIssuerKey) {
       if (!hasTrustedIssuer) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
@@ -1645,7 +1651,9 @@ var CertificateManager = class {
       return;
     }
     this.state = 1 /* Initializing */;
-    await this._initialize();
+    this._initializingPromise = this._initialize();
+    await this._initializingPromise;
+    this._initializingPromise = void 0;
     this.state = 2 /* Initialized */;
   }
   async _initialize() {
@@ -1664,11 +1672,9 @@ var CertificateManager = class {
     mkdirRecursiveSync(path7.join(pkiDir, "issuers/crl"));
     if (!fs9.existsSync(this.configFile) || !fs9.existsSync(this.privateKey)) {
       return await this.withLock2(async () => {
-        assert10(this.state !== 3 /* Disposing */);
-        if (this.state === 4 /* Disposed */) {
+        if (this.state === 3 /* Disposing */ || this.state === 4 /* Disposed */) {
           return;
         }
-        assert10(this.state === 1 /* Initializing */);
         if (!fs9.existsSync(this.configFile)) {
           fs9.writeFileSync(this.configFile, configurationFileSimpleTemplate);
         }
@@ -1698,8 +1704,9 @@ var CertificateManager = class {
       return;
     }
     if (this.state === 1 /* Initializing */) {
-      await new Promise((resolve) => setTimeout(resolve, 100));
-      return await this.dispose();
+      if (this._initializingPromise) {
+        await this._initializingPromise;
+      }
     }
     try {
       this.state = 3 /* Disposing */;
@@ -1712,6 +1719,30 @@ var CertificateManager = class {
       this.state = 4 /* Disposed */;
     }
   }
+  /**
+   * Force a full re-scan of all PKI folders, rebuilding
+   * the in-memory `_thumbs` index from scratch.
+   *
+   * Call this after external processes have modified the
+   * PKI folders (e.g. via `writeTrustList` or CLI tools)
+   * to ensure the CertificateManager sees the latest
+   * state without waiting for file-system events.
+   */
+  async reloadCertificates() {
+    await Promise.all(this._watchers.map((w) => w.close()));
+    for (const w of this._watchers) {
+      w.removeAllListeners();
+    }
+    this._watchers.splice(0);
+    this._thumbs.rejected.clear();
+    this._thumbs.trusted.clear();
+    this._thumbs.issuers.certs.clear();
+    this._thumbs.crl.clear();
+    this._thumbs.issuersCrl.clear();
+    this._filenameToHash.clear();
+    this._readCertificatesCalled = false;
+    await this._readCertificates();
+  }
   async withLock2(action) {
     const lockFileName = path7.join(this.rootDir, "mutex.lock");
     return withLock({ fileToLock: lockFileName }, async () => {
@@ -1724,7 +1755,9 @@ var CertificateManager = class {
    *
    */
   async createSelfSignedCertificate(params) {
-    assert10(typeof params.applicationUri === "string", "expecting applicationUri");
+    if (typeof params.applicationUri !== "string") {
+      throw new Error("createSelfSignedCertificate: expecting applicationUri to be a string");
+    }
     if (!fs9.existsSync(this.privateKey)) {
       throw new Error(`Cannot find private key ${this.privateKey}`);
     }
@@ -1740,14 +1773,13 @@ var CertificateManager = class {
     });
   }
   async createCertificateRequest(params) {
-    assert10(params);
+    if (!params) {
+      throw new Error("params is required");
+    }
     const _params = params;
     if (Object.prototype.hasOwnProperty.call(_params, "rootDir")) {
       throw new Error("rootDir should not be specified ");
     }
-    assert10(!_params.rootDir);
-    assert10(!_params.configFile);
-    assert10(!_params.privateKey);
     _params.rootDir = path7.resolve(this.rootDir);
     _params.configFile = path7.resolve(this.configFile);
     _params.privateKey = path7.resolve(this.privateKey);
@@ -1776,12 +1808,12 @@ var CertificateManager = class {
     }
     const pemCertificate = toPem(certificate, "CERTIFICATE");
     const fingerprint2 = makeFingerprint(certificate);
-    if (this._thumbs.issuers.certs[fingerprint2]) {
+    if (this._thumbs.issuers.certs.has(fingerprint2)) {
       return "Good" /* Good */;
     }
     const filename = path7.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);
     await fs9.promises.writeFile(filename, pemCertificate, "ascii");
-    this._thumbs.issuers.certs[fingerprint2] = { certificate, filename };
+    this._thumbs.issuers.certs.set(fingerprint2, { certificate, filename });
     if (addInTrustList) {
       await this.trustCertificate(certificate);
     }
@@ -1799,8 +1831,8 @@ var CertificateManager = class {
         const folder = target === "trusted" ? this.crlFolder : this.issuersCrlFolder;
         const crlInfo = exploreCertificateRevocationList(crl);
         const key = crlInfo.tbsCertList.issuerFingerprint;
-        if (!index[key]) {
-          index[key] = { crls: [], serialNumbers: {} };
+        if (!index.has(key)) {
+          index.set(key, { crls: [], serialNumbers: {} });
         }
         const pemCertificate = toPem(crl, "X509 CRL");
         const filename = path7.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
@@ -1835,9 +1867,7 @@ var CertificateManager = class {
           throw err;
         }
       }
-      for (const key of Object.keys(index)) {
-        delete index[key];
-      }
+      index.clear();
     };
     if (target === "issuers" || target === "all") {
       await clearFolder(this.issuersCrlFolder, this._thumbs.issuersCrl);
@@ -1854,7 +1884,7 @@ var CertificateManager = class {
   async hasIssuer(thumbprint) {
     await this._readCertificates();
     const normalized = thumbprint.toLowerCase();
-    return Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, normalized);
+    return this._thumbs.issuers.certs.has(normalized);
   }
   /**
    * Remove a trusted certificate identified by its SHA-1 thumbprint.
@@ -1866,7 +1896,7 @@ var CertificateManager = class {
   async removeTrustedCertificate(thumbprint) {
     await this._readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.trusted[normalized];
+    const entry = this._thumbs.trusted.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1877,7 +1907,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.trusted[normalized];
+    this._thumbs.trusted.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1890,7 +1920,7 @@ var CertificateManager = class {
   async removeIssuer(thumbprint) {
     await this._readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.issuers.certs[normalized];
+    const entry = this._thumbs.issuers.certs.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1901,7 +1931,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.issuers.certs[normalized];
+    this._thumbs.issuers.certs.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1914,7 +1944,7 @@ var CertificateManager = class {
     const issuerInfo = exploreCertificate(issuerCertificate);
     const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;
     const processIndex = async (index) => {
-      const crlData = index[issuerFingerprint];
+      const crlData = index.get(issuerFingerprint);
       if (!crlData) return;
       for (const crlEntry of crlData.crls) {
         try {
@@ -1925,7 +1955,7 @@ var CertificateManager = class {
           }
         }
       }
-      delete index[issuerFingerprint];
+      index.delete(issuerFingerprint);
     };
     if (target === "issuers" || target === "all") {
       await processIndex(this._thumbs.issuersCrl);
@@ -1958,16 +1988,28 @@ var CertificateManager = class {
     } catch (_err) {
       return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
-    const status = await this.verifyCertificate(leafCertificate, {
-      ignoreMissingRevocationList: true
-    });
-    if (status !== "Good" /* Good */ && status !== "BadCertificateUntrusted" /* BadCertificateUntrusted */) {
-      return status;
+    const result = await verifyCertificateChain([leafCertificate]);
+    if (result.status !== "Good") {
+      return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
     if (certificates.length > 1) {
+      const issuerFolder = this.issuersCertFolder;
+      const issuerThumbprints = /* @__PURE__ */ new Set();
+      const files = await fs9.promises.readdir(issuerFolder);
+      for (const file of files) {
+        const ext = path7.extname(file).toLowerCase();
+        if (ext === ".pem" || ext === ".der") {
+          try {
+            const issuerCert = readCertificate(path7.join(issuerFolder, file));
+            const fp = makeFingerprint(issuerCert);
+            issuerThumbprints.add(fp);
+          } catch (_err) {
+          }
+        }
+      }
       for (const issuerCert of certificates.slice(1)) {
         const thumbprint = makeFingerprint(issuerCert);
-        if (!Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, thumbprint)) {
+        if (!issuerThumbprints.has(thumbprint)) {
           return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
         }
       }
@@ -1989,7 +2031,7 @@ var CertificateManager = class {
    */
   async isIssuerInUseByTrustedCertificate(issuerCertificate) {
     await this._readCertificates();
-    for (const entry of Object.values(this._thumbs.trusted)) {
+    for (const entry of this._thumbs.trusted.values()) {
       if (!entry.certificate) continue;
       try {
         if (verifyCertificateSignature(entry.certificate, issuerCertificate)) {
@@ -2024,7 +2066,7 @@ var CertificateManager = class {
       debugLog("Certificate has no extension 3");
       return null;
     }
-    const issuerCertificates = Object.values(this._thumbs.issuers.certs);
+    const issuerCertificates = [...this._thumbs.issuers.certs.values()];
     const selectedIssuerCertificates = findMatchingIssuerKey(issuerCertificates, wantedIssuerKey);
     if (selectedIssuerCertificates.length > 0) {
       if (selectedIssuerCertificates.length > 1) {
@@ -2032,7 +2074,7 @@ var CertificateManager = class {
       }
       return selectedIssuerCertificates[0].certificate || null;
     }
-    const trustedCertificates = Object.values(this._thumbs.trusted);
+    const trustedCertificates = [...this._thumbs.trusted.values()];
     const selectedTrustedCertificates = findMatchingIssuerKey(trustedCertificates, wantedIssuerKey);
     if (selectedTrustedCertificates.length > 1) {
       warningLog(
@@ -2048,48 +2090,47 @@ var CertificateManager = class {
    * @private
    */
   async _checkRejectedOrTrusted(certificate) {
-    assert10(certificate instanceof Buffer);
     const fingerprint2 = makeFingerprint(certificate);
     debugLog("_checkRejectedOrTrusted fingerprint ", short(fingerprint2));
     await this._readCertificates();
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.rejected, fingerprint2)) {
+    if (this._thumbs.rejected.has(fingerprint2)) {
       return "rejected";
     }
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.trusted, fingerprint2)) {
+    if (this._thumbs.trusted.has(fingerprint2)) {
       return "trusted";
     }
     return "unknown";
   }
   async _moveCertificate(certificate, newStatus) {
-    assert10(certificate instanceof Buffer);
-    const fingerprint2 = makeFingerprint(certificate);
-    const status = await this.getCertificateStatus(certificate);
-    debugLog("_moveCertificate", fingerprint2.substring(0, 10), "from", status, "to", newStatus);
-    assert10(status === "rejected" || status === "trusted");
-    if (status !== newStatus) {
-      const indexSrc = status === "rejected" ? this._thumbs.rejected : this._thumbs.trusted;
-      const certificateSrc = indexSrc[fingerprint2]?.filename;
-      if (!certificateSrc) {
-        debugLog(" cannot find certificate ", fingerprint2.substring(0, 10), " in", this._thumbs, [status]);
-        throw new Error("internal");
+    await this.withLock2(async () => {
+      const fingerprint2 = makeFingerprint(certificate);
+      const status = await this.getCertificateStatus(certificate);
+      debugLog("_moveCertificate", fingerprint2.substring(0, 10), "from", status, "to", newStatus);
+      if (status !== "rejected" && status !== "trusted") {
+        throw new Error(`_moveCertificate: unexpected status '${status}' for certificate ${fingerprint2.substring(0, 10)}`);
       }
-      const destFolder = newStatus === "rejected" ? this.rejectedFolder : newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
-      const certificateDest = path7.join(destFolder, path7.basename(certificateSrc));
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "old name", certificateSrc);
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "new name", certificateDest);
-      await fs9.promises.rename(certificateSrc, certificateDest);
-      delete indexSrc[fingerprint2];
-      const indexDest = newStatus === "rejected" ? this._thumbs.rejected : newStatus === "trusted" ? this._thumbs.trusted : this._thumbs.rejected;
-      indexDest[fingerprint2] = {
-        certificate,
-        filename: certificateDest
-      };
-    }
+      if (status !== newStatus) {
+        const indexSrc = status === "rejected" ? this._thumbs.rejected : this._thumbs.trusted;
+        const srcEntry = indexSrc.get(fingerprint2);
+        if (!srcEntry) {
+          debugLog(" cannot find certificate ", fingerprint2.substring(0, 10), " in", status);
+          throw new Error(`_moveCertificate: certificate ${fingerprint2.substring(0, 10)} not found in ${status} index`);
+        }
+        const destFolder = newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
+        const certificateDest = path7.join(destFolder, path7.basename(srcEntry.filename));
+        debugLog("_moveCertificate", fingerprint2.substring(0, 10), "old name", srcEntry.filename);
+        debugLog("_moveCertificate", fingerprint2.substring(0, 10), "new name", certificateDest);
+        await fs9.promises.rename(srcEntry.filename, certificateDest);
+        indexSrc.delete(fingerprint2);
+        const indexDest = newStatus === "trusted" ? this._thumbs.trusted : this._thumbs.rejected;
+        indexDest.set(fingerprint2, { certificate, filename: certificateDest });
+      }
+    });
   }
   _findAssociatedCRLs(issuerCertificate) {
     const issuerCertificateInfo = exploreCertificate(issuerCertificate);
     const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;
-    return this._thumbs.issuersCrl[key] ? this._thumbs.issuersCrl[key] : this._thumbs.crl[key] ? this._thumbs.crl[key] : null;
+    return this._thumbs.issuersCrl.get(key) ?? this._thumbs.crl.get(key) ?? null;
   }
   async isCertificateRevoked(certificate, issuerCertificate) {
     if (isSelfSigned3(certificate)) {
@@ -2108,7 +2149,7 @@ var CertificateManager = class {
     const certInfo = exploreCertificate(certificate);
     const serialNumber = certInfo.tbsCertificate.serialNumber || certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial || "";
     const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint || "<unknown>";
-    const crl2 = this._thumbs.crl[key] || null;
+    const crl2 = this._thumbs.crl.get(key) ?? null;
     if (crls.serialNumbers[serialNumber] || crl2?.serialNumbers[serialNumber]) {
       return "BadCertificateRevoked" /* BadCertificateRevoked */;
     }
@@ -2133,19 +2174,18 @@ var CertificateManager = class {
       const crlInfo = exploreCertificateRevocationList(crl);
       debugLog(chalk6.cyan("add CRL in folder "), filename);
       const fingerprint2 = crlInfo.tbsCertList.issuerFingerprint;
-      index[fingerprint2] = index[fingerprint2] || {
-        crls: [],
-        serialNumbers: {}
-      };
-      index[fingerprint2].crls.push({ crlInfo, filename });
-      const serialNumbers = index[fingerprint2].serialNumbers;
+      if (!index.has(fingerprint2)) {
+        index.set(fingerprint2, { crls: [], serialNumbers: {} });
+      }
+      const data = index.get(fingerprint2) || { crls: [], serialNumbers: {} };
+      data.crls.push({ crlInfo, filename });
       for (const revokedCertificate of crlInfo.tbsCertList.revokedCertificates) {
         const serialNumber = revokedCertificate.userCertificate;
-        if (!serialNumbers[serialNumber]) {
-          serialNumbers[serialNumber] = revokedCertificate.revocationDate;
+        if (!data.serialNumbers[serialNumber]) {
+          data.serialNumbers[serialNumber] = revokedCertificate.revocationDate;
         }
       }
-      debugLog(chalk6.cyan("CRL"), fingerprint2, "serial numbers = ", Object.keys(serialNumbers));
+      debugLog(chalk6.cyan("CRL"), fingerprint2, "serial numbers = ", Object.keys(data.serialNumbers));
     } catch (err) {
       debugLog("CRL filename error =");
       debugLog(err);
@@ -2165,28 +2205,28 @@ var CertificateManager = class {
       return;
     }
     this._readCertificatesCalled = true;
+    const usePolling = process.env.OPCUA_PKI_USE_POLLING === "true";
     const options = {
-      usePolling: true,
-      interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)),
-      persistent: false,
-      awaitWriteFinish: {
-        stabilityThreshold: 2e3,
-        pollInterval: 600
-      }
+      usePolling,
+      ...usePolling ? { interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)) } : {},
+      persistent: false
     };
     async function _walkCRLFiles(folder, index) {
       await new Promise((resolve, _reject) => {
         const w = chokidar.watch(folder, options);
-        w.on("unlink", (filename, stat) => {
-          filename;
-          stat;
+        w.on("unlink", (filename) => {
+          for (const [key, data] of index.entries()) {
+            data.crls = data.crls.filter((c) => c.filename !== filename);
+            if (data.crls.length === 0) {
+              index.delete(key);
+            }
+          }
         });
-        w.on("add", (filename, stat) => {
-          stat;
+        w.on("add", (filename) => {
           this._on_crl_file_added(index, filename);
         });
-        w.on("change", (path9, stat) => {
-          debugLog("change in folder ", folder, path9, stat);
+        w.on("change", (changedPath) => {
+          debugLog("change in folder ", folder, changedPath);
         });
         this._watchers.push(w);
         w.on("ready", () => {
@@ -2196,26 +2236,21 @@ var CertificateManager = class {
     }
     async function _walkAllFiles(folder, index) {
       const w = chokidar.watch(folder, options);
-      w.on("unlink", (filename, stat) => {
-        stat;
+      w.on("unlink", (filename) => {
         debugLog(chalk6.cyan(`unlink in folder ${folder}`), filename);
-        const h = this._filenameToHash[filename];
-        if (h && index[h]) {
-          delete index[h];
+        const h = this._filenameToHash.get(filename);
+        if (h && index.has(h)) {
+          index.delete(h);
         }
       });
-      w.on("add", (filename, stat) => {
-        stat;
+      w.on("add", (filename) => {
         debugLog(chalk6.cyan(`add in folder ${folder}`), filename);
         try {
           const certificate = readCertificate(filename);
           const info = exploreCertificate(certificate);
           const fingerprint2 = makeFingerprint(certificate);
-          index[fingerprint2] = {
-            certificate,
-            filename
-          };
-          this._filenameToHash[filename] = fingerprint2;
+          index.set(fingerprint2, { certificate, filename, info });
+          this._filenameToHash.set(filename, fingerprint2);
           debugLog(
             chalk6.magenta("CERT"),
             info.tbsCertificate.subjectFingerPrint,
@@ -2227,15 +2262,26 @@ var CertificateManager = class {
           debugLog(err);
         }
       });
-      w.on("change", (path9, stat) => {
-        stat;
-        debugLog("change in folder ", folder, path9);
+      w.on("change", (changedPath) => {
+        debugLog(chalk6.cyan(`change in folder ${folder}`), changedPath);
+        try {
+          const certificate = readCertificate(changedPath);
+          const newFingerprint = makeFingerprint(certificate);
+          const oldHash = this._filenameToHash.get(changedPath);
+          if (oldHash && oldHash !== newFingerprint) {
+            index.delete(oldHash);
+          }
+          index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificate(certificate) });
+          this._filenameToHash.set(changedPath, newFingerprint);
+        } catch (err) {
+          debugLog(`change event: failed to re-read ${changedPath}`, err);
+        }
       });
       this._watchers.push(w);
       await new Promise((resolve, _reject) => {
         w.on("ready", () => {
           debugLog("ready");
-          debugLog(Object.entries(index).map((kv) => kv[0].substring(0, 10)));
+          debugLog([...index.keys()].map((k) => k.substring(0, 10)));
           resolve();
         });
       });
@@ -2281,8 +2327,8 @@ var next_year = get_offset_date(today, 365);
 var gLocalConfig = {};
 var g_certificateAuthority;
 async function construct_CertificateAuthority2(subject) {
-  assert11(typeof gLocalConfig.CAFolder === "string", "expecting a CAFolder in config");
-  assert11(typeof gLocalConfig.keySize === "number", "expecting a keySize in config");
+  assert10(typeof gLocalConfig.CAFolder === "string", "expecting a CAFolder in config");
+  assert10(typeof gLocalConfig.keySize === "number", "expecting a keySize in config");
   if (!g_certificateAuthority) {
     g_certificateAuthority = new CertificateAuthority({
       keySize: gLocalConfig.keySize,
@@ -2294,7 +2340,7 @@ async function construct_CertificateAuthority2(subject) {
 }
 var certificateManager;
 async function construct_CertificateManager() {
-  assert11(typeof gLocalConfig.PKIFolder === "string", "expecting a PKIFolder in config");
+  assert10(typeof gLocalConfig.PKIFolder === "string", "expecting a PKIFolder in config");
   if (!certificateManager) {
     certificateManager = new CertificateManager({
       keySize: gLocalConfig.keySize,
@@ -2321,7 +2367,7 @@ function default_template_content() {
     return default_config_template2;
   }
   const default_config_template = find_default_config_template();
-  assert11(fs10.existsSync(default_config_template));
+  assert10(fs10.existsSync(default_config_template));
   const default_config_template_content = fs10.readFileSync(default_config_template, "utf8");
   return default_config_template_content;
 }
@@ -2333,7 +2379,7 @@ function find_module_root_folder() {
     }
     rootFolder = path8.join(rootFolder, "..");
   }
-  assert11(fs10.existsSync(path8.join(rootFolder, "package.json")), "root folder must have a package.json file");
+  assert10(fs10.existsSync(path8.join(rootFolder, "package.json")), "root folder must have a package.json file");
   return rootFolder;
 }
 async function readConfiguration(argv) {
@@ -2362,10 +2408,10 @@ async function readConfiguration(argv) {
     return makePath(tmp);
   }
   certificateDir = argv.root;
-  assert11(typeof certificateDir === "string");
+  assert10(typeof certificateDir === "string");
   certificateDir = prepare(certificateDir);
   mkdirRecursiveSync(certificateDir);
-  assert11(fs10.existsSync(certificateDir));
+  assert10(fs10.existsSync(certificateDir));
   const default_config = path8.join(certificateDir, "config.js");
   if (!fs10.existsSync(default_config)) {
     debugLog(chalk7.yellow(" Creating default g_config file "), chalk7.cyan(default_config));
@@ -2430,7 +2476,7 @@ async function readConfiguration(argv) {
   }
 }
 async function createDefaultCertificate(base_name, prefix, key_length, applicationUri, dev) {
-  assert11(key_length === 1024 || key_length === 2048 || key_length === 3072 || key_length === 4096);
+  assert10(key_length === 1024 || key_length === 2048 || key_length === 3072 || key_length === 4096);
   const private_key_file = makePath(base_name, `${prefix}key_${key_length}.pem`);
   const public_key_file = makePath(base_name, `${prefix}public_key_${key_length}.pub`);
   const certificate_file = makePath(base_name, `${prefix}cert_${key_length}.pem`);
@@ -2536,9 +2582,9 @@ async function wrap(func) {
   }
 }
 async function create_default_certificates(dev) {
-  assert11(gLocalConfig);
+  assert10(gLocalConfig);
   const base_name = gLocalConfig.certificateDir || "";
-  assert11(fs10.existsSync(base_name));
+  assert10(fs10.existsSync(base_name));
   let clientURN;
   let serverURN;
   let discoveryServerURN;
@@ -2693,7 +2739,7 @@ ${epilog}`
       await readConfiguration(local_argv);
       if (local_argv.clean) {
         displayTitle("Cleaning old certificates");
-        assert11(gLocalConfig);
+        assert10(gLocalConfig);
         const certificateDir = gLocalConfig.certificateDir || "";
         const files = await fs10.promises.readdir(certificateDir);
         for (const file of files) {
@@ -2805,7 +2851,7 @@ ${epilog}`
       await readConfiguration(local_argv2);
       await construct_CertificateManager();
       await construct_CertificateAuthority2("");
-      assert11(fs10.existsSync(gLocalConfig.CAFolder || ""), " CA folder must exist");
+      assert10(fs10.existsSync(gLocalConfig.CAFolder || ""), " CA folder must exist");
       gLocalConfig.privateKey = void 0;
       gLocalConfig.subject = local_argv2.subject && local_argv2.subject.length > 1 ? local_argv2.subject : gLocalConfig.subject;
       const csr_file = await certificateManager.createCertificateRequest(
@@ -2824,7 +2870,7 @@ ${epilog}`
         csr_file,
         gLocalConfig
       );
-      assert11(typeof gLocalConfig.outputFile === "string");
+      assert10(typeof gLocalConfig.outputFile === "string");
       fs10.writeFileSync(gLocalConfig.outputFile || "", fs10.readFileSync(certificate, "ascii"));
     }
     await wrap(async () => await command_certificate(local_argv));
@@ -2958,7 +3004,7 @@ ${epilog}`
         csr_file,
         gLocalConfig
       );
-      assert11(typeof gLocalConfig.outputFile === "string");
+      assert10(typeof gLocalConfig.outputFile === "string");
       fs10.writeFileSync(gLocalConfig.outputFile || "", fs10.readFileSync(certificate, "ascii"));
     });
     return;