node-opcua-pki 6.5.0 → 6.6.0

package/dist/bin/pki.mjs

@@ -342,6 +342,7 @@ var init_simple_config_template_cnf = __esm({
 });
 
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
+import { EventEmitter } from "events";
 import fs4 from "fs";
 import path2 from "path";
 import { withLock } from "@ster5/global-mutex";
@@ -354,6 +355,7 @@ import {
   generatePrivateKeyFile,
   makeSHA1Thumbprint,
   readCertificate,
+  readCertificateAsync,
   readCertificateRevocationList,
   split_der,
   toPem,
@@ -434,7 +436,7 @@ var init_certificate_manager = __esm({
     configurationFileSimpleTemplate = simple_config_template_cnf_default;
     fsWriteFile = fs4.promises.writeFile;
     forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
-    CertificateManager = class _CertificateManager {
+    CertificateManager = class _CertificateManager extends EventEmitter {
       // ── Global instance registry ─────────────────────────────────
       // Tracks all initialized CertificateManager instances so their
       // file watchers can be closed automatically on process exit,
@@ -474,7 +476,7 @@ var init_certificate_manager = __esm({
        */
       static async disposeAll() {
         const instances = [..._CertificateManager.#activeInstances];
-        await Promise.all(instances.map((cm) => cm.dispose()));
+        await Promise.all(instances.map((cm) => _CertificateManager.prototype.dispose.call(cm)));
       }
       /**
        * Assert that all CertificateManager instances have been
@@ -521,6 +523,7 @@ var init_certificate_manager = __esm({
       keySize;
       #location;
       #watchers = [];
+      #pendingUnrefs = /* @__PURE__ */ new Set();
       #readCertificatesCalled = false;
       #filenameToHash = /* @__PURE__ */ new Map();
       #initializingPromise;
@@ -543,6 +546,7 @@ var init_certificate_manager = __esm({
        * @param options - configuration options
        */
       constructor(options) {
+        super();
         options.keySize = options.keySize || 2048;
         if (!options.location) {
           throw new Error("CertificateManager: missing 'location' option");
@@ -743,7 +747,7 @@ var init_certificate_manager = __esm({
         let isTimeInvalid = false;
         if (certificateInfo.notBefore.getTime() > now.getTime()) {
           debugLog(
-            chalk3.red("certificate is invalid : certificate is not active yet !") + "  not before date =" + certificateInfo.notBefore
+            `${chalk3.red("certificate is invalid : certificate is not active yet !")} not before date =${certificateInfo.notBefore}`
           );
           if (!options.acceptPendingCertificate) {
             isTimeInvalid = true;
@@ -886,6 +890,10 @@ var init_certificate_manager = __esm({
         }
         try {
           this.state = 3 /* Disposing */;
+          for (const unreff of this.#pendingUnrefs) {
+            unreff();
+          }
+          this.#pendingUnrefs.clear();
           await Promise.all(this.#watchers.map((w) => w.close()));
           this.#watchers.forEach((w) => {
             w.removeAllListeners();
@@ -1167,6 +1175,9 @@ var init_certificate_manager = __esm({
        * verifies that each issuer is already registered via
        * {@link addIssuer} before trusting the leaf.
        *
+       * If one of the certificates in the chain is not registered in the issuers store,
+       * the leaf certificate will be rejected.
+       *
        * @param certificateChain - DER-encoded certificate or chain
        * @returns `VerificationStatus.Good` on success, or an error
        *  status indicating why the certificate was rejected.
@@ -1184,23 +1195,9 @@ var init_certificate_manager = __esm({
           return "BadCertificateInvalid" /* BadCertificateInvalid */;
         }
         if (certificates.length > 1) {
-          const issuerFolder = this.issuersCertFolder;
-          const issuerThumbprints = /* @__PURE__ */ new Set();
-          const files = await fs4.promises.readdir(issuerFolder);
-          for (const file of files) {
-            const ext = path2.extname(file).toLowerCase();
-            if (ext === ".pem" || ext === ".der") {
-              try {
-                const issuerCert = readCertificate(path2.join(issuerFolder, file));
-                const fp = makeFingerprint(issuerCert);
-                issuerThumbprints.add(fp);
-              } catch (_err) {
-              }
-            }
-          }
           for (const issuerCert of certificates.slice(1)) {
             const thumbprint = makeFingerprint(issuerCert);
-            if (!issuerThumbprints.has(thumbprint)) {
+            if (!await this.hasIssuer(thumbprint)) {
               return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
             }
           }
@@ -1373,7 +1370,7 @@ var init_certificate_manager = __esm({
         return "Good" /* Good */;
       }
       #pendingCrlToProcess = 0;
-      #onCrlProcess;
+      #onCrlProcessWaiters = [];
       #queue = [];
       #onCrlFileAdded(index, filename) {
         this.#queue.push({ index, filename });
@@ -1409,10 +1406,10 @@ var init_certificate_manager = __esm({
         }
         this.#pendingCrlToProcess -= 1;
         if (this.#pendingCrlToProcess === 0) {
-          if (this.#onCrlProcess) {
-            this.#onCrlProcess();
-            this.#onCrlProcess = void 0;
+          for (const waiter of this.#onCrlProcessWaiters) {
+            waiter();
           }
+          this.#onCrlProcessWaiters.length = 0;
         } else {
           this.#processNextCrl();
         }
@@ -1423,9 +1420,11 @@ var init_certificate_manager = __esm({
         }
         this.#readCertificatesCalled = true;
         const usePolling = process.env.OPCUA_PKI_USE_POLLING === "true";
+        const envInterval = process.env.OPCUA_PKI_POLLING_INTERVAL ? parseInt(process.env.OPCUA_PKI_POLLING_INTERVAL, 10) : void 0;
+        const pollingInterval = Math.min(10 * 60 * 1e3, Math.max(100, envInterval ?? this.folderPollingInterval));
         const chokidarOptions = {
           usePolling,
-          ...usePolling ? { interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)) } : {},
+          ...usePolling ? { interval: pollingInterval } : {},
           persistent: false
         };
         const createUnreffedWatcher = (folder) => {
@@ -1445,47 +1444,110 @@ var init_certificate_manager = __esm({
           };
           return { w, capturedHandles, unreffAll };
         };
-        const promises = [
-          this.#walkAllFiles(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher),
-          this.#walkAllFiles(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher),
-          this.#walkAllFiles(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher),
-          this.#walkCRLFiles(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher),
-          this.#walkCRLFiles(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher)
-        ];
-        await Promise.all(promises);
+        await Promise.all([
+          this.#scanCertFolder(this.trustedFolder, this.#thumbs.trusted),
+          this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs),
+          this.#scanCertFolder(this.rejectedFolder, this.#thumbs.rejected),
+          this.#scanCrlFolder(this.crlFolder, this.#thumbs.crl),
+          this.#scanCrlFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl)
+        ]);
+        this.#startWatcher(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher, "trusted");
+        this.#startWatcher(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher, "issuersCerts");
+        this.#startWatcher(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher, "rejected");
+        this.#startCrlWatcher(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher, "crl");
+        this.#startCrlWatcher(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher, "issuersCrl");
+      }
+      /**
+       * Scan a certificate folder and populate the in-memory index.
+       * Uses async readdir/stat to yield the event loop between
+       * file reads, preventing main-loop stalls with large folders.
+       */
+      async #scanCertFolder(folder, index) {
+        if (!fs4.existsSync(folder)) return;
+        const files = await fs4.promises.readdir(folder);
+        for (const file of files) {
+          const filename = path2.join(folder, file);
+          try {
+            const stat = await fs4.promises.stat(filename);
+            if (!stat.isFile()) continue;
+            const certificate = await readCertificateAsync(filename);
+            const info = exploreCertificate(certificate);
+            const fingerprint2 = makeFingerprint(certificate);
+            index.set(fingerprint2, { certificate, filename, info });
+            this.#filenameToHash.set(filename, fingerprint2);
+          } catch (err) {
+            debugLog(`scanCertFolder: skipping ${filename}`, err);
+          }
+        }
+      }
+      /**
+       * Scan a CRL folder and populate the in-memory CRL index.
+       */
+      async #scanCrlFolder(folder, index) {
+        if (!fs4.existsSync(folder)) return;
+        const files = await fs4.promises.readdir(folder);
+        for (const file of files) {
+          const filename = path2.join(folder, file);
+          try {
+            const stat = await fs4.promises.stat(filename);
+            if (!stat.isFile()) continue;
+            this.#onCrlFileAdded(index, filename);
+          } catch (err) {
+            debugLog(`scanCrlFolder: skipping ${filename}`, err);
+          }
+        }
         await this.#waitAndCheckCRLProcessingStatus();
       }
-      async #walkCRLFiles(folder, index, createUnreffedWatcher) {
-        await new Promise((resolve, _reject) => {
-          const { w, unreffAll } = createUnreffedWatcher(folder);
-          w.on("unlink", (filename) => {
-            for (const [key, data] of index.entries()) {
-              data.crls = data.crls.filter((c) => c.filename !== filename);
-              if (data.crls.length === 0) {
-                index.delete(key);
-              }
+      /**
+       * Start a chokidar watcher for a CRL folder.
+       * Non-blocking — does NOT await "ready".
+       */
+      #startCrlWatcher(folder, index, createUnreffedWatcher, store) {
+        const { w, unreffAll } = createUnreffedWatcher(folder);
+        let ready = false;
+        w.on("unlink", (filename) => {
+          for (const [key, data] of index.entries()) {
+            data.crls = data.crls.filter((c) => c.filename !== filename);
+            if (data.crls.length === 0) {
+              index.delete(key);
             }
-          });
-          w.on("add", (filename) => {
+          }
+          if (ready) {
+            this.emit("crlRemoved", { store, filename });
+          }
+        });
+        w.on("add", (filename) => {
+          if (ready) {
             this.#onCrlFileAdded(index, filename);
-          });
-          w.on("change", (changedPath) => {
-            debugLog("change in folder ", folder, changedPath);
-          });
-          this.#watchers.push(w);
-          w.on("ready", () => {
-            unreffAll();
-            resolve();
-          });
+            this.emit("crlAdded", { store, filename });
+          }
+        });
+        w.on("change", (changedPath) => {
+          debugLog("change in folder ", folder, changedPath);
+        });
+        this.#watchers.push(w);
+        this.#pendingUnrefs.add(unreffAll);
+        w.on("ready", () => {
+          ready = true;
+          this.#pendingUnrefs.delete(unreffAll);
+          unreffAll();
         });
       }
-      async #walkAllFiles(folder, index, createUnreffedWatcher) {
+      /**
+       * Start a chokidar watcher for a certificate folder.
+       * Non-blocking — does NOT await "ready".
+       */
+      #startWatcher(folder, index, createUnreffedWatcher, store) {
         const { w, unreffAll } = createUnreffedWatcher(folder);
+        let ready = false;
         w.on("unlink", (filename) => {
           debugLog(chalk3.cyan(`unlink in folder ${folder}`), filename);
           const h = this.#filenameToHash.get(filename);
           if (h && index.has(h)) {
             index.delete(h);
+            if (ready) {
+              this.emit("certificateRemoved", { store, fingerprint: h, filename });
+            }
           }
         });
         w.on("add", (filename) => {
@@ -1502,6 +1564,9 @@ var init_certificate_manager = __esm({
               info.tbsCertificate.serialNumber,
               info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
             );
+            if (ready) {
+              this.emit("certificateAdded", { store, certificate, fingerprint: fingerprint2, filename });
+            }
           } catch (err) {
             debugLog(`Walk files in folder ${folder} with file ${filename}`);
             debugLog(err);
@@ -1518,31 +1583,31 @@ var init_certificate_manager = __esm({
             }
             index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificate(certificate) });
             this.#filenameToHash.set(changedPath, newFingerprint);
+            if (ready) {
+              this.emit("certificateChange", { store, certificate, fingerprint: newFingerprint, filename: changedPath });
+            }
           } catch (err) {
             debugLog(`change event: failed to re-read ${changedPath}`, err);
           }
         });
         this.#watchers.push(w);
-        await new Promise((resolve, _reject) => {
-          w.on("ready", () => {
-            unreffAll();
-            debugLog("ready");
-            debugLog([...index.keys()].map((k) => k.substring(0, 10)));
-            resolve();
-          });
+        this.#pendingUnrefs.add(unreffAll);
+        w.on("ready", () => {
+          ready = true;
+          this.#pendingUnrefs.delete(unreffAll);
+          unreffAll();
+          debugLog("ready");
+          debugLog([...index.keys()].map((k) => k.substring(0, 10)));
         });
       }
       // make sure that all crls have been processed.
       async #waitAndCheckCRLProcessingStatus() {
-        return new Promise((resolve, reject) => {
+        return new Promise((resolve, _reject) => {
           if (this.#pendingCrlToProcess === 0) {
             setImmediate(resolve);
             return;
           }
-          if (this.#onCrlProcess) {
-            return reject(new Error("Internal Error"));
-          }
-          this.#onCrlProcess = resolve;
+          this.#onCrlProcessWaiters.push(resolve);
         });
       }
     };