npm - node-opcua-pki - Versions diffs - 6.5.1 → 6.7.0 - Mend

node-opcua-pki 6.5.1 → 6.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/bin/pki.mjs CHANGED Viewed

@@ -342,6 +342,7 @@ var init_simple_config_template_cnf = __esm({
 });
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
+import { EventEmitter } from "events";
 import fs4 from "fs";
 import path2 from "path";
 import { withLock } from "@ster5/global-mutex";
@@ -354,6 +355,7 @@ import {
   generatePrivateKeyFile,
   makeSHA1Thumbprint,
   readCertificate,
+  readCertificateAsync,
   readCertificateRevocationList,
   split_der,
   toPem,
@@ -434,7 +436,7 @@ var init_certificate_manager = __esm({
     configurationFileSimpleTemplate = simple_config_template_cnf_default;
     fsWriteFile = fs4.promises.writeFile;
     forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
-    CertificateManager = class _CertificateManager {
+    CertificateManager = class _CertificateManager extends EventEmitter {
       // ── Global instance registry ─────────────────────────────────
       // Tracks all initialized CertificateManager instances so their
       // file watchers can be closed automatically on process exit,
@@ -521,6 +523,7 @@ var init_certificate_manager = __esm({
       keySize;
       #location;
       #watchers = [];
+      #pendingUnrefs = /* @__PURE__ */ new Set();
       #readCertificatesCalled = false;
       #filenameToHash = /* @__PURE__ */ new Map();
       #initializingPromise;
@@ -543,6 +546,7 @@ var init_certificate_manager = __esm({
        * @param options - configuration options
        */
       constructor(options) {
+        super();
         options.keySize = options.keySize || 2048;
         if (!options.location) {
           throw new Error("CertificateManager: missing 'location' option");
@@ -743,7 +747,7 @@ var init_certificate_manager = __esm({
         let isTimeInvalid = false;
         if (certificateInfo.notBefore.getTime() > now.getTime()) {
           debugLog(
-            chalk3.red("certificate is invalid : certificate is not active yet !") + "  not before date =" + certificateInfo.notBefore
+            `${chalk3.red("certificate is invalid : certificate is not active yet !")} not before date =${certificateInfo.notBefore}`
           );
           if (!options.acceptPendingCertificate) {
             isTimeInvalid = true;
@@ -886,6 +890,10 @@ var init_certificate_manager = __esm({
         }
         try {
           this.state = 3 /* Disposing */;
+          for (const unreff of this.#pendingUnrefs) {
+            unreff();
+          }
+          this.#pendingUnrefs.clear();
           await Promise.all(this.#watchers.map((w) => w.close()));
           this.#watchers.forEach((w) => {
             w.removeAllListeners();
@@ -1167,6 +1175,9 @@ var init_certificate_manager = __esm({
        * verifies that each issuer is already registered via
        * {@link addIssuer} before trusting the leaf.
        *
+       * If one of the certificates in the chain is not registered in the issuers store,
+       * the leaf certificate will be rejected.
+       *
        * @param certificateChain - DER-encoded certificate or chain
        * @returns `VerificationStatus.Good` on success, or an error
        *  status indicating why the certificate was rejected.
@@ -1184,23 +1195,10 @@ var init_certificate_manager = __esm({
           return "BadCertificateInvalid" /* BadCertificateInvalid */;
         }
         if (certificates.length > 1) {
-          const issuerFolder = this.issuersCertFolder;
-          const issuerThumbprints = /* @__PURE__ */ new Set();
-          const files = await fs4.promises.readdir(issuerFolder);
-          for (const file of files) {
-            const ext = path2.extname(file).toLowerCase();
-            if (ext === ".pem" || ext === ".der") {
-              try {
-                const issuerCert = readCertificate(path2.join(issuerFolder, file));
-                const fp = makeFingerprint(issuerCert);
-                issuerThumbprints.add(fp);
-              } catch (_err) {
-              }
-            }
-          }
+          await this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs);
           for (const issuerCert of certificates.slice(1)) {
             const thumbprint = makeFingerprint(issuerCert);
-            if (!issuerThumbprints.has(thumbprint)) {
+            if (!await this.hasIssuer(thumbprint)) {
               return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
             }
           }
@@ -1373,7 +1371,7 @@ var init_certificate_manager = __esm({
         return "Good" /* Good */;
       }
       #pendingCrlToProcess = 0;
-      #onCrlProcess;
+      #onCrlProcessWaiters = [];
       #queue = [];
       #onCrlFileAdded(index, filename) {
         this.#queue.push({ index, filename });
@@ -1409,10 +1407,10 @@ var init_certificate_manager = __esm({
         }
         this.#pendingCrlToProcess -= 1;
         if (this.#pendingCrlToProcess === 0) {
-          if (this.#onCrlProcess) {
-            this.#onCrlProcess();
-            this.#onCrlProcess = void 0;
+          for (const waiter of this.#onCrlProcessWaiters) {
+            waiter();
           }
+          this.#onCrlProcessWaiters.length = 0;
         } else {
           this.#processNextCrl();
         }
@@ -1423,9 +1421,11 @@ var init_certificate_manager = __esm({
         }
         this.#readCertificatesCalled = true;
         const usePolling = process.env.OPCUA_PKI_USE_POLLING === "true";
+        const envInterval = process.env.OPCUA_PKI_POLLING_INTERVAL ? parseInt(process.env.OPCUA_PKI_POLLING_INTERVAL, 10) : void 0;
+        const pollingInterval = Math.min(10 * 60 * 1e3, Math.max(100, envInterval ?? this.folderPollingInterval));
         const chokidarOptions = {
           usePolling,
-          ...usePolling ? { interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)) } : {},
+          ...usePolling ? { interval: pollingInterval } : {},
           persistent: false
         };
         const createUnreffedWatcher = (folder) => {
@@ -1445,47 +1445,108 @@ var init_certificate_manager = __esm({
           };
           return { w, capturedHandles, unreffAll };
         };
-        const promises = [
-          this.#walkAllFiles(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher),
-          this.#walkAllFiles(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher),
-          this.#walkAllFiles(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher),
-          this.#walkCRLFiles(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher),
-          this.#walkCRLFiles(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher)
-        ];
-        await Promise.all(promises);
+        await Promise.all([
+          this.#scanCertFolder(this.trustedFolder, this.#thumbs.trusted),
+          this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs),
+          this.#scanCertFolder(this.rejectedFolder, this.#thumbs.rejected),
+          this.#scanCrlFolder(this.crlFolder, this.#thumbs.crl),
+          this.#scanCrlFolder(this.issuersCrlFolder, this.#thumbs.issuersCrl)
+        ]);
+        this.#startWatcher(this.trustedFolder, this.#thumbs.trusted, createUnreffedWatcher, "trusted");
+        this.#startWatcher(this.issuersCertFolder, this.#thumbs.issuers.certs, createUnreffedWatcher, "issuersCerts");
+        this.#startWatcher(this.rejectedFolder, this.#thumbs.rejected, createUnreffedWatcher, "rejected");
+        this.#startCrlWatcher(this.crlFolder, this.#thumbs.crl, createUnreffedWatcher, "crl");
+        this.#startCrlWatcher(this.issuersCrlFolder, this.#thumbs.issuersCrl, createUnreffedWatcher, "issuersCrl");
+      }
+      /**
+       * Scan a certificate folder and populate the in-memory index.
+       * Uses async readdir/stat to yield the event loop between
+       * file reads, preventing main-loop stalls with large folders.
+       */
+      async #scanCertFolder(folder, index) {
+        if (!fs4.existsSync(folder)) return;
+        const files = await fs4.promises.readdir(folder);
+        for (const file of files) {
+          const filename = path2.join(folder, file);
+          try {
+            const stat = await fs4.promises.stat(filename);
+            if (!stat.isFile()) continue;
+            const certificate = await readCertificateAsync(filename);
+            const info = exploreCertificate(certificate);
+            const fingerprint2 = makeFingerprint(certificate);
+            index.set(fingerprint2, { certificate, filename, info });
+            this.#filenameToHash.set(filename, fingerprint2);
+          } catch (err) {
+            debugLog(`scanCertFolder: skipping ${filename}`, err);
+          }
+        }
+      }
+      /**
+       * Scan a CRL folder and populate the in-memory CRL index.
+       */
+      async #scanCrlFolder(folder, index) {
+        if (!fs4.existsSync(folder)) return;
+        const files = await fs4.promises.readdir(folder);
+        for (const file of files) {
+          const filename = path2.join(folder, file);
+          try {
+            const stat = await fs4.promises.stat(filename);
+            if (!stat.isFile()) continue;
+            this.#onCrlFileAdded(index, filename);
+          } catch (err) {
+            debugLog(`scanCrlFolder: skipping ${filename}`, err);
+          }
+        }
         await this.#waitAndCheckCRLProcessingStatus();
       }
-      async #walkCRLFiles(folder, index, createUnreffedWatcher) {
-        await new Promise((resolve, _reject) => {
-          const { w, unreffAll } = createUnreffedWatcher(folder);
-          w.on("unlink", (filename) => {
-            for (const [key, data] of index.entries()) {
-              data.crls = data.crls.filter((c) => c.filename !== filename);
-              if (data.crls.length === 0) {
-                index.delete(key);
-              }
+      /**
+       * Start a chokidar watcher for a CRL folder.
+       * Non-blocking — does NOT await "ready".
+       */
+      #startCrlWatcher(folder, index, createUnreffedWatcher, store) {
+        const { w, unreffAll } = createUnreffedWatcher(folder);
+        let ready = false;
+        w.on("unlink", (filename) => {
+          for (const [key, data] of index.entries()) {
+            data.crls = data.crls.filter((c) => c.filename !== filename);
+            if (data.crls.length === 0) {
+              index.delete(key);
             }
-          });
-          w.on("add", (filename) => {
+          }
+          if (ready) {
+            this.emit("crlRemoved", { store, filename });
+          }
+        });
+        w.on("add", (filename) => {
+          if (ready) {
             this.#onCrlFileAdded(index, filename);
-          });
-          w.on("change", (changedPath) => {
-            debugLog("change in folder ", folder, changedPath);
-          });
-          this.#watchers.push(w);
-          w.on("ready", () => {
-            unreffAll();
-            resolve();
-          });
+            this.emit("crlAdded", { store, filename });
+          }
+        });
+        w.on("change", (changedPath) => {
+          debugLog("change in folder ", folder, changedPath);
+        });
+        this.#watchers.push(w);
+        this.#pendingUnrefs.add(unreffAll);
+        w.on("ready", () => {
+          ready = true;
+          this.#pendingUnrefs.delete(unreffAll);
+          unreffAll();
         });
       }
-      async #walkAllFiles(folder, index, createUnreffedWatcher) {
+      /**
+       * Start a chokidar watcher for a certificate folder.
+       * Non-blocking — does NOT await "ready".
+       */
+      #startWatcher(folder, index, createUnreffedWatcher, store) {
         const { w, unreffAll } = createUnreffedWatcher(folder);
+        let ready = false;
         w.on("unlink", (filename) => {
           debugLog(chalk3.cyan(`unlink in folder ${folder}`), filename);
           const h = this.#filenameToHash.get(filename);
           if (h && index.has(h)) {
             index.delete(h);
+            this.emit("certificateRemoved", { store, fingerprint: h, filename });
           }
         });
         w.on("add", (filename) => {
@@ -1494,6 +1555,7 @@ var init_certificate_manager = __esm({
             const certificate = readCertificate(filename);
             const info = exploreCertificate(certificate);
             const fingerprint2 = makeFingerprint(certificate);
+            const isNew = !index.has(fingerprint2);
             index.set(fingerprint2, { certificate, filename, info });
             this.#filenameToHash.set(filename, fingerprint2);
             debugLog(
@@ -1502,6 +1564,9 @@ var init_certificate_manager = __esm({
               info.tbsCertificate.serialNumber,
               info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
             );
+            if (ready || isNew) {
+              this.emit("certificateAdded", { store, certificate, fingerprint: fingerprint2, filename });
+            }
           } catch (err) {
             debugLog(`Walk files in folder ${folder} with file ${filename}`);
             debugLog(err);
@@ -1518,31 +1583,29 @@ var init_certificate_manager = __esm({
             }
             index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificate(certificate) });
             this.#filenameToHash.set(changedPath, newFingerprint);
+            this.emit("certificateChange", { store, certificate, fingerprint: newFingerprint, filename: changedPath });
           } catch (err) {
             debugLog(`change event: failed to re-read ${changedPath}`, err);
           }
         });
         this.#watchers.push(w);
-        await new Promise((resolve, _reject) => {
-          w.on("ready", () => {
-            unreffAll();
-            debugLog("ready");
-            debugLog([...index.keys()].map((k) => k.substring(0, 10)));
-            resolve();
-          });
+        this.#pendingUnrefs.add(unreffAll);
+        w.on("ready", () => {
+          ready = true;
+          this.#pendingUnrefs.delete(unreffAll);
+          unreffAll();
+          debugLog("ready");
+          debugLog([...index.keys()].map((k) => k.substring(0, 10)));
         });
       }
       // make sure that all crls have been processed.
       async #waitAndCheckCRLProcessingStatus() {
-        return new Promise((resolve, reject) => {
+        return new Promise((resolve, _reject) => {
           if (this.#pendingCrlToProcess === 0) {
             setImmediate(resolve);
             return;
           }
-          if (this.#onCrlProcess) {
-            return reject(new Error("Internal Error"));
-          }
-          this.#onCrlProcess = resolve;
+          this.#onCrlProcessWaiters.push(resolve);
         });
       }
     };