node-opcua-pki 6.7.0 → 6.7.2

package/dist/index.js

@@ -1204,10 +1204,28 @@ var configurationFileSimpleTemplate = simple_config_template_cnf_default;
 var fsWriteFile = import_node_fs9.default.promises.writeFile;
 function getOrComputeInfo(entry) {
   if (!entry.info) {
-    entry.info = (0, import_node_opcua_crypto5.exploreCertificate)(entry.certificate);
+    entry.info = exploreCertificateCached(entry.certificate);
   }
   return entry.info;
 }
+var EXPLORE_CACHE_MAX = 8;
+var _exploreCache = /* @__PURE__ */ new Map();
+function exploreCertificateCached(certificate) {
+  const key = (0, import_node_opcua_crypto5.makeSHA1Thumbprint)(certificate).toString("hex");
+  const cached = _exploreCache.get(key);
+  if (cached) {
+    _exploreCache.delete(key);
+    _exploreCache.set(key, cached);
+    return cached;
+  }
+  const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+  _exploreCache.set(key, info);
+  if (_exploreCache.size > EXPLORE_CACHE_MAX) {
+    const oldest = _exploreCache.keys().next().value;
+    if (oldest) _exploreCache.delete(oldest);
+  }
+  return info;
+}
 var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   VerificationStatus2["BadCertificateInvalid"] = "BadCertificateInvalid";
   VerificationStatus2["BadSecurityChecksFailed"] = "BadSecurityChecksFailed";
@@ -1238,7 +1256,7 @@ var forbiddenChars = /[\x00-\x1F<>:"/\\|?*]/g;
 function buildIdealCertificateName(certificate) {
   const fingerprint = makeFingerprint(certificate);
   try {
-    const commonName = (0, import_node_opcua_crypto5.exploreCertificate)(certificate).tbsCertificate.subject.commonName || "";
+    const commonName = exploreCertificateCached(certificate).tbsCertificate.subject.commonName || "";
     const sanitizedCommonName = commonName.replace(forbiddenChars, "_");
     return `${sanitizedCommonName}[${fingerprint}]`;
   } catch (_err) {
@@ -1255,14 +1273,14 @@ function isSelfSigned2(info) {
   return info.tbsCertificate.extensions?.subjectKeyIdentifier === info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
 }
 function isSelfSigned3(certificate) {
-  const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+  const info = exploreCertificateCached(certificate);
   return isSelfSigned2(info);
 }
 function findIssuerCertificateInChain(certificate, chain) {
   if (!certificate) {
     return null;
   }
-  const certInfo = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+  const certInfo = exploreCertificateCached(certificate);
   if (isSelfSigned2(certInfo)) {
     return certificate;
   }
@@ -1272,7 +1290,7 @@ function findIssuerCertificateInChain(certificate, chain) {
     return null;
   }
   const potentialIssuers = chain.filter((c) => {
-    const info = (0, import_node_opcua_crypto5.exploreCertificate)(c);
+    const info = exploreCertificateCached(c);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
   if (potentialIssuers.length === 1) {
@@ -1508,7 +1526,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
     }
     const chain = (0, import_node_opcua_crypto5.split_der)(certificate);
     debugLog("NB CERTIFICATE IN CHAIN = ", chain.length);
-    const info = (0, import_node_opcua_crypto5.exploreCertificate)(chain[0]);
+    const info = exploreCertificateCached(chain[0]);
     let hasValidIssuer = false;
     let hasTrustedIssuer = false;
     const hasIssuerKey = info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
@@ -1785,7 +1803,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
     await this.#readCertificates();
   }
   async withLock2(action) {
-    const lockFileName = import_node_path6.default.join(this.rootDir, "mutex.lock");
+    const lockFileName = import_node_path6.default.join(this.rootDir, "mutex");
     return (0, import_global_mutex.withLock)({ fileToLock: lockFileName }, async () => {
       return await action();
     });
@@ -1996,7 +2014,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    * @param target - "issuers", "trusted", or "all" (default "all")
    */
   async removeRevocationListsForIssuer(issuerCertificate, target = "all") {
-    const issuerInfo = (0, import_node_opcua_crypto5.exploreCertificate)(issuerCertificate);
+    const issuerInfo = exploreCertificateCached(issuerCertificate);
     const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;
     const processIndex = async (index) => {
       const crlData = index.get(issuerFingerprint);
@@ -2042,7 +2060,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
     const certificates = (0, import_node_opcua_crypto5.split_der)(certificateChain);
     const leafCertificate = certificates[0];
     try {
-      (0, import_node_opcua_crypto5.exploreCertificate)(leafCertificate);
+      exploreCertificateCached(leafCertificate);
     } catch (_err) {
       return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
@@ -2102,7 +2120,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    *
    */
   async findIssuerCertificate(certificate) {
-    const certInfo = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+    const certInfo = exploreCertificateCached(certificate);
     if (isSelfSigned2(certInfo)) {
       return certificate;
     }
@@ -2183,7 +2201,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
     });
   }
   #findAssociatedCRLs(issuerCertificate) {
-    const issuerCertificateInfo = (0, import_node_opcua_crypto5.exploreCertificate)(issuerCertificate);
+    const issuerCertificateInfo = exploreCertificateCached(issuerCertificate);
     const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;
     return this.#thumbs.issuersCrl.get(key) ?? this.#thumbs.crl.get(key) ?? null;
   }
@@ -2217,7 +2235,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
     if (!crls) {
       return "BadCertificateRevocationUnknown" /* BadCertificateRevocationUnknown */;
     }
-    const certInfo = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+    const certInfo = exploreCertificateCached(certificate);
     const serialNumber = certInfo.tbsCertificate.serialNumber || certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial || "";
     const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint || "<unknown>";
     const crl2 = this.#thumbs.crl.get(key) ?? null;
@@ -2284,22 +2302,31 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
       ...usePolling ? { interval: pollingInterval } : {},
       persistent: false
     };
-    const createUnreffedWatcher = (folder) => {
-      const capturedHandles = [];
-      const origWatch = import_node_fs9.default.watch;
-      import_node_fs9.default.watch = ((...args) => {
-        const handle = origWatch.apply(import_node_fs9.default, args);
-        capturedHandles.push(handle);
-        return handle;
+    const allCapturedHandles = [];
+    const origWatch = import_node_fs9.default.watch;
+    let watcherReadyCount = 0;
+    const totalWatchers = 5;
+    import_node_fs9.default.watch = ((...args) => {
+      const handle = origWatch.apply(import_node_fs9.default, args);
+      handle.setMaxListeners(handle.getMaxListeners() + 1);
+      handle.on("error", () => {
       });
+      allCapturedHandles.push(handle);
+      return handle;
+    });
+    const createUnreffedWatcher = (folder) => {
+      const startIdx = allCapturedHandles.length;
       const w = import_chokidar.default.watch(folder, chokidarOptions);
       const unreffAll = () => {
-        import_node_fs9.default.watch = origWatch;
-        for (const h of capturedHandles) {
-          h.unref();
+        for (let i = startIdx; i < allCapturedHandles.length; i++) {
+          allCapturedHandles[i].unref();
+        }
+        watcherReadyCount++;
+        if (watcherReadyCount >= totalWatchers) {
+          import_node_fs9.default.watch = origWatch;
         }
       };
-      return { w, capturedHandles, unreffAll };
+      return { w, capturedHandles: allCapturedHandles.slice(startIdx), unreffAll };
     };
     await Promise.all([
       this.#scanCertFolder(this.trustedFolder, this.#thumbs.trusted),
@@ -2328,7 +2355,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
         const stat = await import_node_fs9.default.promises.stat(filename);
         if (!stat.isFile()) continue;
         const certificate = await (0, import_node_opcua_crypto5.readCertificateAsync)(filename);
-        const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+        const info = exploreCertificateCached(certificate);
         const fingerprint = makeFingerprint(certificate);
         index.set(fingerprint, { certificate, filename, info });
         this.#filenameToHash.set(filename, fingerprint);
@@ -2361,6 +2388,9 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    */
   #startCrlWatcher(folder, index, createUnreffedWatcher, store) {
     const { w, unreffAll } = createUnreffedWatcher(folder);
+    w.on("error", (err) => {
+      debugLog(`chokidar CRL watcher error on ${folder}:`, err);
+    });
     let ready = false;
     w.on("unlink", (filename) => {
       for (const [key, data] of index.entries()) {
@@ -2396,6 +2426,9 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
    */
   #startWatcher(folder, index, createUnreffedWatcher, store) {
     const { w, unreffAll } = createUnreffedWatcher(folder);
+    w.on("error", (err) => {
+      debugLog(`chokidar cert watcher error on ${folder}:`, err);
+    });
     let ready = false;
     w.on("unlink", (filename) => {
       debugLog(import_chalk6.default.cyan(`unlink in folder ${folder}`), filename);
@@ -2409,7 +2442,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
       debugLog(import_chalk6.default.cyan(`add in folder ${folder}`), filename);
       try {
         const certificate = (0, import_node_opcua_crypto5.readCertificate)(filename);
-        const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+        const info = exploreCertificateCached(certificate);
         const fingerprint = makeFingerprint(certificate);
         const isNew = !index.has(fingerprint);
         index.set(fingerprint, { certificate, filename, info });
@@ -2437,7 +2470,7 @@ var CertificateManager = class _CertificateManager extends import_node_events.Ev
         if (oldHash && oldHash !== newFingerprint) {
           index.delete(oldHash);
         }
-        index.set(newFingerprint, { certificate, filename: changedPath, info: (0, import_node_opcua_crypto5.exploreCertificate)(certificate) });
+        index.set(newFingerprint, { certificate, filename: changedPath, info: exploreCertificateCached(certificate) });
         this.#filenameToHash.set(changedPath, newFingerprint);
         this.emit("certificateChange", { store, certificate, fingerprint: newFingerprint, filename: changedPath });
       } catch (err) {