node-opcua-pki 6.8.2 → 6.10.0

package/dist/bin/pki.mjs

@@ -2393,8 +2393,7 @@ subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA Generated by Node-OPCUA Certificate utility using openssl"
 [ v3_ca ]
 subjectKeyIdentifier      = hash
-authorityKeyIdentifier    = keyid:always,issuer:always
-# authorityKeyIdentifier    = keyid
+authorityKeyIdentifier    = keyid
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
 nsComment                 = "CA Certificate generated by Node-OPCUA Certificate utility using openssl"
@@ -2423,13 +2422,18 @@ authorityKeyIdentifier    = keyid:always,issuer:always
 // packages/node-opcua-pki/lib/ca/certificate_authority.ts
 import assert9 from "assert";
 import fs9 from "fs";
+import os4 from "os";
 import path6 from "path";
 import chalk6 from "chalk";
 import {
+  convertPEMtoDER,
+  exploreCertificate as exploreCertificate2,
   exploreCertificateSigningRequest,
   generatePrivateKeyFile as generatePrivateKeyFile2,
+  readCertificatePEM,
   readCertificateSigningRequest,
-  Subject as Subject4
+  Subject as Subject4,
+  toPem as toPem2
 } from "node-opcua-crypto";
 function octetStringToIpAddress(a) {
   return parseInt(a.substring(0, 2), 16).toString() + "." + parseInt(a.substring(2, 4), 16).toString() + "." + parseInt(a.substring(4, 6), 16).toString() + "." + parseInt(a.substring(6, 8), 16).toString();
@@ -2507,6 +2511,18 @@ async function regenerateCrl(revocationList, configOption, options) {
   displaySubtitle("Display (Certificate Revocation List)");
   await execute_openssl(`crl  -in ${q3(n4(revocationList))} -text  -noout`, options);
 }
+function parseOpenSSLDate(dateStr) {
+  const raw = dateStr?.split(",")[0] ?? "";
+  if (raw.length < 12) return "";
+  const yy = parseInt(raw.substring(0, 2), 10);
+  const year = yy >= 70 ? 1900 + yy : 2e3 + yy;
+  const month = raw.substring(2, 4);
+  const day = raw.substring(4, 6);
+  const hour = raw.substring(6, 8);
+  const min = raw.substring(8, 10);
+  const sec = raw.substring(10, 12);
+  return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
+}
 var defaultSubject, configurationFileTemplate, config3, n4, q3, CertificateAuthority;
 var init_certificate_authority = __esm({
   "packages/node-opcua-pki/lib/ca/certificate_authority.ts"() {
@@ -2572,6 +2588,244 @@ var init_certificate_authority = __esm({
       get caCertificateWithCrl() {
         return makePath(this.rootDir, "./public/cacertificate_with_crl.pem");
       }
+      // ---------------------------------------------------------------
+      // Buffer-based accessors (US-059)
+      // ---------------------------------------------------------------
+      /**
+       * Return the CA certificate as a DER-encoded buffer.
+       *
+       * @throws if the CA certificate file does not exist
+       *   (call {@link initialize} first).
+       */
+      getCACertificateDER() {
+        const pem = readCertificatePEM(this.caCertificate);
+        return convertPEMtoDER(pem);
+      }
+      /**
+       * Return the CA certificate as a PEM-encoded string.
+       *
+       * @throws if the CA certificate file does not exist
+       *   (call {@link initialize} first).
+       */
+      getCACertificatePEM() {
+        const raw = readCertificatePEM(this.caCertificate);
+        const beginMarker = "-----BEGIN CERTIFICATE-----";
+        const idx = raw.indexOf(beginMarker);
+        if (idx > 0) {
+          return raw.substring(idx);
+        }
+        return raw;
+      }
+      /**
+       * Return the current Certificate Revocation List as a
+       * DER-encoded buffer.
+       *
+       * Returns an empty buffer if no CRL has been generated yet.
+       */
+      getCRLDER() {
+        const crlPath = this.revocationListDER;
+        if (!fs9.existsSync(crlPath)) {
+          return Buffer.alloc(0);
+        }
+        return fs9.readFileSync(crlPath);
+      }
+      /**
+       * Return the current Certificate Revocation List as a
+       * PEM-encoded string.
+       *
+       * Returns an empty string if no CRL has been generated yet.
+       */
+      getCRLPEM() {
+        const crlPath = this.revocationList;
+        if (!fs9.existsSync(crlPath)) {
+          return "";
+        }
+        const raw = fs9.readFileSync(crlPath, "utf-8");
+        const beginMarker = "-----BEGIN X509 CRL-----";
+        const idx = raw.indexOf(beginMarker);
+        if (idx > 0) {
+          return raw.substring(idx);
+        }
+        return raw;
+      }
+      // ---------------------------------------------------------------
+      // Certificate database API (US-057)
+      // ---------------------------------------------------------------
+      /**
+       * Return a list of all issued certificates recorded in the
+       * OpenSSL `index.txt` database.
+       *
+       * Each entry includes the serial number, subject, status,
+       * expiry date, and (for revoked certs) the revocation date.
+       */
+      getIssuedCertificates() {
+        return this._parseIndexTxt();
+      }
+      /**
+       * Return the total number of certificates recorded in
+       * `index.txt`.
+       */
+      getIssuedCertificateCount() {
+        return this._parseIndexTxt().length;
+      }
+      /**
+       * Return the status of a certificate by its serial number.
+       *
+       * @param serial - hex-encoded serial number (e.g. `"1000"`)
+       * @returns `"valid"`, `"revoked"`, `"expired"`, or
+       *   `undefined` if not found
+       */
+      getCertificateStatus(serial) {
+        const upper = serial.toUpperCase();
+        const record = this._parseIndexTxt().find((r) => r.serial.toUpperCase() === upper);
+        return record?.status;
+      }
+      /**
+       * Read a specific issued certificate by serial number and
+       * return its content as a DER-encoded buffer.
+       *
+       * OpenSSL stores signed certificates in the `certs/`
+       * directory using the naming convention `<SERIAL>.pem`.
+       *
+       * @param serial - hex-encoded serial number (e.g. `"1000"`)
+       * @returns the DER buffer, or `undefined` if not found
+       */
+      getCertificateBySerial(serial) {
+        const upper = serial.toUpperCase();
+        const certFile = path6.join(this.rootDir, "certs", `${upper}.pem`);
+        if (!fs9.existsSync(certFile)) {
+          return void 0;
+        }
+        const pem = readCertificatePEM(certFile);
+        return convertPEMtoDER(pem);
+      }
+      /**
+       * Path to the OpenSSL certificate database file.
+       */
+      get indexFile() {
+        return path6.join(this.rootDir, "index.txt");
+      }
+      /**
+       * Parse the OpenSSL `index.txt` certificate database.
+       *
+       * Each line has tab-separated fields:
+       * ```
+       * status  expiry  [revocationDate]  serial  unknown  subject
+       * ```
+       *
+       * - status: `V` (valid), `R` (revoked), `E` (expired)
+       * - expiry: `YYMMDDHHmmssZ`
+       * - revocationDate: present only for revoked certs
+       * - serial: hex string
+       * - unknown: always `"unknown"`
+       * - subject: X.500 slash-delimited string
+       */
+      _parseIndexTxt() {
+        const indexPath = this.indexFile;
+        if (!fs9.existsSync(indexPath)) {
+          return [];
+        }
+        const content = fs9.readFileSync(indexPath, "utf-8");
+        const lines = content.split("\n").filter((l) => l.trim().length > 0);
+        const records = [];
+        for (const line of lines) {
+          const fields = line.split("	");
+          if (fields.length < 4) continue;
+          const statusChar = fields[0];
+          const expiryStr = fields[1];
+          let serial;
+          let subject;
+          let revocationDate;
+          if (statusChar === "R") {
+            revocationDate = fields[2];
+            serial = fields[3];
+            subject = fields.length >= 6 ? fields[5] : "";
+          } else {
+            serial = fields[3];
+            subject = fields.length >= 6 ? fields[5] : "";
+          }
+          let status;
+          switch (statusChar) {
+            case "V":
+              status = "valid";
+              break;
+            case "R":
+              status = "revoked";
+              break;
+            case "E":
+              status = "expired";
+              break;
+            default:
+              continue;
+          }
+          records.push({
+            serial,
+            status,
+            subject,
+            expiryDate: parseOpenSSLDate(expiryStr),
+            revocationDate: revocationDate ? parseOpenSSLDate(revocationDate) : void 0
+          });
+        }
+        return records;
+      }
+      // ---------------------------------------------------------------
+      // Buffer-based CA operations (US-058)
+      // ---------------------------------------------------------------
+      /**
+       * Sign a DER-encoded Certificate Signing Request and return
+       * the signed certificate as a DER buffer.
+       *
+       * This method handles temp-file creation and cleanup
+       * internally so that callers can work with in-memory
+       * buffers only.
+       *
+       * @param csrDer - the CSR as a DER-encoded buffer
+       * @param options - signing options
+       * @param options.validity - certificate validity in days
+       *   (default: 365)
+       * @returns the signed certificate as a DER-encoded buffer
+       */
+      async signCertificateRequestFromDER(csrDer, options) {
+        const validity = options?.validity ?? 365;
+        const tmpDir = await fs9.promises.mkdtemp(path6.join(os4.tmpdir(), "pki-sign-"));
+        try {
+          const csrFile = path6.join(tmpDir, "request.csr");
+          const certFile = path6.join(tmpDir, "certificate.pem");
+          const csrPem = toPem2(csrDer, "CERTIFICATE REQUEST");
+          await fs9.promises.writeFile(csrFile, csrPem, "utf-8");
+          await this.signCertificateRequest(certFile, csrFile, { validity });
+          const certPem = readCertificatePEM(certFile);
+          return convertPEMtoDER(certPem);
+        } finally {
+          await fs9.promises.rm(tmpDir, {
+            recursive: true,
+            force: true
+          });
+        }
+      }
+      /**
+       * Revoke a DER-encoded certificate and regenerate the CRL.
+       *
+       * Extracts the serial number from the certificate, then
+       * uses the stored cert file at `certs/<serial>.pem` for
+       * revocation — avoiding temp-file PEM format mismatches.
+       *
+       * @param certDer - the certificate as a DER-encoded buffer
+       * @param reason - CRL reason code
+       *   (default: `"keyCompromise"`)
+       * @throws if the certificate's serial is not found in the CA
+       */
+      async revokeCertificateDER(certDer, reason) {
+        const info = exploreCertificate2(certDer);
+        const serial = info.tbsCertificate.serialNumber.replace(/:/g, "").toUpperCase();
+        const storedCertFile = path6.join(this.rootDir, "certs", `${serial}.pem`);
+        if (!fs9.existsSync(storedCertFile)) {
+          throw new Error(`Cannot revoke: no stored certificate found for serial ${serial} at ${storedCertFile}`);
+        }
+        await this.revokeCertificate(storedCertFile, {
+          reason: reason ?? "keyCompromise"
+        });
+      }
       /**
        * Initialize the CA directory structure, generate the CA
        * private key and self-signed certificate if they do not
@@ -2781,7 +3035,7 @@ var init_certificate_authority = __esm({
 import assert10 from "assert";
 import fs10 from "fs";
 import { createRequire } from "module";
-import os4 from "os";
+import os5 from "os";
 import path7 from "path";
 import chalk7 from "chalk";
 import { CertificatePurpose as CertificatePurpose2, generatePrivateKeyFile as generatePrivateKeyFile3, Subject as Subject5 } from "node-opcua-crypto";
@@ -2854,7 +3108,7 @@ async function readConfiguration(argv) {
     g_config.silent = false;
   }
   const fqdn2 = await extractFullyQualifiedDomainName();
-  const hostname = os4.hostname();
+  const hostname = os5.hostname();
   let certificateDir;
   function performSubstitution(str) {
     str = str.replace("{CWD}", process.cwd());
@@ -2950,7 +3204,7 @@ async function createDefaultCertificate(base_name, prefix, key_length, applicati
   const certificate_revoked = makePath(base_name, `${prefix}cert_${key_length}_revoked.pem`);
   const self_signed_certificate_file = makePath(base_name, `${prefix}selfsigned_cert_${key_length}.pem`);
   const fqdn2 = getFullyQualifiedDomainName();
-  const hostname = os4.hostname();
+  const hostname = os5.hostname();
   const dns2 = [
     // for conformance reason, localhost shall not be present in the DNS field of COP
     // ***FORBIDEN** "localhost",
@@ -2971,7 +3225,7 @@ async function createDefaultCertificate(base_name, prefix, key_length, applicati
   async function createCertificate(certificate, privateKey, applicationUri2, startDate, validity) {
     const certificateSigningRequestFile = `${certificate}.csr`;
     const configFile = makePath(base_name, "../certificates/PKI/own/openssl.cnf");
-    const dns3 = [os4.hostname()];
+    const dns3 = [os5.hostname()];
     const ip2 = ["127.0.0.1"];
     const params = {
       applicationUri: applicationUri2,
@@ -3055,7 +3309,7 @@ async function create_default_certificates(dev) {
   let discoveryServerURN;
   wrap(async () => {
     await extractFullyQualifiedDomainName();
-    const hostname = os4.hostname();
+    const hostname = os5.hostname();
     const fqdn2 = getFullyQualifiedDomainName();
     warningLog(chalk7.yellow("     hostname = "), chalk7.cyan(hostname));
     warningLog(chalk7.yellow("     fqdn     = "), chalk7.cyan(fqdn2));