node-opcua-pki 6.6.0 → 6.7.1

package/dist/bin/pki.mjs

@@ -364,10 +364,26 @@ import {
 } from "node-opcua-crypto";
 function getOrComputeInfo(entry) {
   if (!entry.info) {
-    entry.info = exploreCertificate(entry.certificate);
+    entry.info = exploreCertificateCached(entry.certificate);
   }
   return entry.info;
 }
+function exploreCertificateCached(certificate) {
+  const key = makeSHA1Thumbprint(certificate).toString("hex");
+  const cached = _exploreCache.get(key);
+  if (cached) {
+    _exploreCache.delete(key);
+    _exploreCache.set(key, cached);
+    return cached;
+  }
+  const info = exploreCertificate(certificate);
+  _exploreCache.set(key, info);
+  if (_exploreCache.size > EXPLORE_CACHE_MAX) {
+    const oldest = _exploreCache.keys().next().value;
+    if (oldest) _exploreCache.delete(oldest);
+  }
+  return info;
+}
 function makeFingerprint(certificate) {
   const chain = split_der(certificate);
   return makeSHA1Thumbprint(chain[0]).toString("hex");
@@ -378,7 +394,7 @@ function short(stringToShorten) {
 function buildIdealCertificateName(certificate) {
   const fingerprint2 = makeFingerprint(certificate);
   try {
-    const commonName = exploreCertificate(certificate).tbsCertificate.subject.commonName || "";
+    const commonName = exploreCertificateCached(certificate).tbsCertificate.subject.commonName || "";
     const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
     return `${sanitizedCommonName}[${fingerprint2}]`;
   } catch (_err) {
@@ -395,14 +411,14 @@ function isSelfSigned2(info) {
   return info.tbsCertificate.extensions?.subjectKeyIdentifier === info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
 }
 function isSelfSigned3(certificate) {
-  const info = exploreCertificate(certificate);
+  const info = exploreCertificateCached(certificate);
   return isSelfSigned2(info);
 }
 function findIssuerCertificateInChain(certificate, chain) {
   if (!certificate) {
     return null;
   }
-  const certInfo = exploreCertificate(certificate);
+  const certInfo = exploreCertificateCached(certificate);
   if (isSelfSigned2(certInfo)) {
     return certificate;
   }
@@ -412,7 +428,7 @@ function findIssuerCertificateInChain(certificate, chain) {
     return null;
   }
   const potentialIssuers = chain.filter((c) => {
-    const info = exploreCertificate(c);
+    const info = exploreCertificateCached(c);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
   if (potentialIssuers.length === 1) {
@@ -424,7 +440,7 @@ function findIssuerCertificateInChain(certificate, chain) {
   }
   return null;
 }
-var configurationFileSimpleTemplate, fsWriteFile, forbiddenChars, CertificateManager;
+var configurationFileSimpleTemplate, fsWriteFile, EXPLORE_CACHE_MAX, _exploreCache, forbiddenChars, CertificateManager;
 var init_certificate_manager = __esm({
   "packages/node-opcua-pki/lib/pki/certificate_manager.ts"() {
     "use strict";
@@ -435,6 +451,8 @@ var init_certificate_manager = __esm({
     init_simple_config_template_cnf();
     configurationFileSimpleTemplate = simple_config_template_cnf_default;
     fsWriteFile = fs4.promises.writeFile;
+    EXPLORE_CACHE_MAX = 8;
+    _exploreCache = /* @__PURE__ */ new Map();
     forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
     CertificateManager = class _CertificateManager extends EventEmitter {
       // ── Global instance registry ─────────────────────────────────
@@ -652,7 +670,7 @@ var init_certificate_manager = __esm({
         }
         const chain = split_der(certificate);
         debugLog("NB CERTIFICATE IN CHAIN = ", chain.length);
-        const info = exploreCertificate(chain[0]);
+        const info = exploreCertificateCached(chain[0]);
         let hasValidIssuer = false;
         let hasTrustedIssuer = false;
         const hasIssuerKey = info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
@@ -929,7 +947,7 @@ var init_certificate_manager = __esm({
         await this.#readCertificates();
       }
       async withLock2(action) {
-        const lockFileName = path2.join(this.rootDir, "mutex.lock");
+        const lockFileName = path2.join(this.rootDir, "mutex");
         return withLock({ fileToLock: lockFileName }, async () => {
           return await action();
         });
@@ -1140,7 +1158,7 @@ var init_certificate_manager = __esm({
        * @param target - "issuers", "trusted", or "all" (default "all")
        */
       async removeRevocationListsForIssuer(issuerCertificate, target = "all") {
-        const issuerInfo = exploreCertificate(issuerCertificate);
+        const issuerInfo = exploreCertificateCached(issuerCertificate);
         const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;
         const processIndex = async (index) => {
           const crlData = index.get(issuerFingerprint);
@@ -1186,7 +1204,7 @@ var init_certificate_manager = __esm({
         const certificates = split_der(certificateChain);
         const leafCertificate = certificates[0];
         try {
-          exploreCertificate(leafCertificate);
+          exploreCertificateCached(leafCertificate);
         } catch (_err) {
           return "BadCertificateInvalid" /* BadCertificateInvalid */;
         }
@@ -1195,6 +1213,7 @@ var init_certificate_manager = __esm({
           return "BadCertificateInvalid" /* BadCertificateInvalid */;
         }
         if (certificates.length > 1) {
+          await this.#scanCertFolder(this.issuersCertFolder, this.#thumbs.issuers.certs);
           for (const issuerCert of certificates.slice(1)) {
             const thumbprint = makeFingerprint(issuerCert);
             if (!await this.hasIssuer(thumbprint)) {
@@ -1245,7 +1264,7 @@ var init_certificate_manager = __esm({
        *
        */
       async findIssuerCertificate(certificate) {
-        const certInfo = exploreCertificate(certificate);
+        const certInfo = exploreCertificateCached(certificate);
         if (isSelfSigned2(certInfo)) {
           return certificate;
         }
@@ -1326,7 +1345,7 @@ var init_certificate_manager = __esm({
         });
       }
       #findAssociatedCRLs(issuerCertificate) {
-        const issuerCertificateInfo = exploreCertificate(issuerCertificate);
+        const issuerCertificateInfo = exploreCertificateCached(issuerCertificate);
         const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;
         return this.#thumbs.issuersCrl.get(key) ?? this.#thumbs.crl.get(key) ?? null;
       }
@@ -1360,7 +1379,7 @@ var init_certificate_manager = __esm({
         if (!crls) {
           return "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */;
         }
-        const certInfo = exploreCertificate(certificate);
+        const certInfo = exploreCertificateCached(certificate);
         const serialNumber = certInfo.tbsCertificate.serialNumber || certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial || "";
         const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint || "<unknown>";
         const crl2 = this.#thumbs.crl.get(key) ?? null;
@@ -1471,7 +1490,7 @@ var init_certificate_manager = __esm({
             const stat = await fs4.promises.stat(filename);
             if (!stat.isFile()) continue;
             const certificate = await readCertificateAsync(filename);
-            const info = exploreCertificate(certificate);
+            const info = exploreCertificateCached(certificate);
             const fingerprint2 = makeFingerprint(certificate);
             index.set(fingerprint2, { certificate, filename, info });
             this.#filenameToHash.set(filename, fingerprint2);
@@ -1545,17 +1564,16 @@ var init_certificate_manager = __esm({
           const h = this.#filenameToHash.get(filename);
           if (h && index.has(h)) {
             index.delete(h);
-            if (ready) {
-              this.emit("certificateRemoved", { store, fingerprint: h, filename });
-            }
+            this.emit("certificateRemoved", { store, fingerprint: h, filename });
           }
         });
         w.on("add", (filename) => {
           debugLog(chalk3.cyan(`add in folder ${folder}`), filename);
           try {
             const certificate = readCertificate(filename);
-            const info = exploreCertificate(certificate);
+            const info = exploreCertificateCached(certificate);
             const fingerprint2 = makeFingerprint(certificate);
+            const isNew = !index.has(fingerprint2);
             index.set(fingerprint2, { certificate, filename, info });
             this.#filenameToHash.set(filename, fingerprint2);
             debugLog(
@@ -1564,7 +1582,7 @@ var init_certificate_manager = __esm({
               info.tbsCertificate.serialNumber,
               info.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint
             );
-            if (ready) {
+            if (ready || isNew) {
               this.emit("certificateAdded", { store, certificate, fingerprint: fingerprint2, filename });
             }
           } catch (err) {
@@ -1581,11 +1599,9 @@ var init_certificate_manager = __esm({
             if (oldHash && oldHash !== newFingerprint) {
               index.delete(oldHash);
             }
-            index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificate(certificate) });
+            index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificateCached(certificate) });
             this.#filenameToHash.set(changedPath, newFingerprint);
-            if (ready) {
-              this.emit("certificateChange", { store, certificate, fingerprint: newFingerprint, filename: changedPath });
-            }
+            this.emit("certificateChange", { store, certificate, fingerprint: newFingerprint, filename: changedPath });
           } catch (err) {
             debugLog(`change event: failed to re-read ${changedPath}`, err);
           }