node-opcua-pki 6.8.2 → 6.10.0

package/dist/index.d.mts

@@ -148,6 +148,25 @@ interface CertificateAuthorityOptions {
  * await ca.initialize();
  * ```
  */
+/**
+ * A record from the OpenSSL CA certificate database
+ * (`index.txt`).
+ */
+interface IssuedCertificateRecord {
+    /** Hex-encoded serial number (e.g. `"1000"`). */
+    serial: string;
+    /** Certificate status. */
+    status: "valid" | "revoked" | "expired";
+    /** X.500 subject string (slash-delimited). */
+    subject: string;
+    /** Certificate expiry date as ISO-8601 string. */
+    expiryDate: string;
+    /**
+     * Revocation date as ISO-8601 string.
+     * Only present when `status === "revoked"`.
+     */
+    revocationDate?: string;
+}
 declare class CertificateAuthority {
     /** RSA key size used when generating the CA private key. */
     readonly keySize: KeySize;
@@ -177,6 +196,116 @@ declare class CertificateAuthority {
      * Used by OpenSSL for CRL-based verification.
      */
     get caCertificateWithCrl(): string;
+    /**
+     * Return the CA certificate as a DER-encoded buffer.
+     *
+     * @throws if the CA certificate file does not exist
+     *   (call {@link initialize} first).
+     */
+    getCACertificateDER(): Buffer;
+    /**
+     * Return the CA certificate as a PEM-encoded string.
+     *
+     * @throws if the CA certificate file does not exist
+     *   (call {@link initialize} first).
+     */
+    getCACertificatePEM(): string;
+    /**
+     * Return the current Certificate Revocation List as a
+     * DER-encoded buffer.
+     *
+     * Returns an empty buffer if no CRL has been generated yet.
+     */
+    getCRLDER(): Buffer;
+    /**
+     * Return the current Certificate Revocation List as a
+     * PEM-encoded string.
+     *
+     * Returns an empty string if no CRL has been generated yet.
+     */
+    getCRLPEM(): string;
+    /**
+     * Return a list of all issued certificates recorded in the
+     * OpenSSL `index.txt` database.
+     *
+     * Each entry includes the serial number, subject, status,
+     * expiry date, and (for revoked certs) the revocation date.
+     */
+    getIssuedCertificates(): IssuedCertificateRecord[];
+    /**
+     * Return the total number of certificates recorded in
+     * `index.txt`.
+     */
+    getIssuedCertificateCount(): number;
+    /**
+     * Return the status of a certificate by its serial number.
+     *
+     * @param serial - hex-encoded serial number (e.g. `"1000"`)
+     * @returns `"valid"`, `"revoked"`, `"expired"`, or
+     *   `undefined` if not found
+     */
+    getCertificateStatus(serial: string): "valid" | "revoked" | "expired" | undefined;
+    /**
+     * Read a specific issued certificate by serial number and
+     * return its content as a DER-encoded buffer.
+     *
+     * OpenSSL stores signed certificates in the `certs/`
+     * directory using the naming convention `<SERIAL>.pem`.
+     *
+     * @param serial - hex-encoded serial number (e.g. `"1000"`)
+     * @returns the DER buffer, or `undefined` if not found
+     */
+    getCertificateBySerial(serial: string): Buffer | undefined;
+    /**
+     * Path to the OpenSSL certificate database file.
+     */
+    get indexFile(): string;
+    /**
+     * Parse the OpenSSL `index.txt` certificate database.
+     *
+     * Each line has tab-separated fields:
+     * ```
+     * status  expiry  [revocationDate]  serial  unknown  subject
+     * ```
+     *
+     * - status: `V` (valid), `R` (revoked), `E` (expired)
+     * - expiry: `YYMMDDHHmmssZ`
+     * - revocationDate: present only for revoked certs
+     * - serial: hex string
+     * - unknown: always `"unknown"`
+     * - subject: X.500 slash-delimited string
+     */
+    private _parseIndexTxt;
+    /**
+     * Sign a DER-encoded Certificate Signing Request and return
+     * the signed certificate as a DER buffer.
+     *
+     * This method handles temp-file creation and cleanup
+     * internally so that callers can work with in-memory
+     * buffers only.
+     *
+     * @param csrDer - the CSR as a DER-encoded buffer
+     * @param options - signing options
+     * @param options.validity - certificate validity in days
+     *   (default: 365)
+     * @returns the signed certificate as a DER-encoded buffer
+     */
+    signCertificateRequestFromDER(csrDer: Buffer, options?: {
+        validity?: number;
+    }): Promise<Buffer>;
+    /**
+     * Revoke a DER-encoded certificate and regenerate the CRL.
+     *
+     * Extracts the serial number from the certificate, then
+     * uses the stored cert file at `certs/<serial>.pem` for
+     * revocation — avoiding temp-file PEM format mismatches.
+     *
+     * @param certDer - the certificate as a DER-encoded buffer
+     * @param reason - CRL reason code
+     *   (default: `"keyCompromise"`)
+     * @throws if the certificate's serial is not found in the CA
+     */
+    revokeCertificateDER(certDer: Buffer, reason?: string): Promise<void>;
     /**
      * Initialize the CA directory structure, generate the CA
      * private key and self-signed certificate if they do not

package/dist/index.d.ts

@@ -148,6 +148,25 @@ interface CertificateAuthorityOptions {
  * await ca.initialize();
  * ```
  */
+/**
+ * A record from the OpenSSL CA certificate database
+ * (`index.txt`).
+ */
+interface IssuedCertificateRecord {
+    /** Hex-encoded serial number (e.g. `"1000"`). */
+    serial: string;
+    /** Certificate status. */
+    status: "valid" | "revoked" | "expired";
+    /** X.500 subject string (slash-delimited). */
+    subject: string;
+    /** Certificate expiry date as ISO-8601 string. */
+    expiryDate: string;
+    /**
+     * Revocation date as ISO-8601 string.
+     * Only present when `status === "revoked"`.
+     */
+    revocationDate?: string;
+}
 declare class CertificateAuthority {
     /** RSA key size used when generating the CA private key. */
     readonly keySize: KeySize;
@@ -177,6 +196,116 @@ declare class CertificateAuthority {
      * Used by OpenSSL for CRL-based verification.
      */
     get caCertificateWithCrl(): string;
+    /**
+     * Return the CA certificate as a DER-encoded buffer.
+     *
+     * @throws if the CA certificate file does not exist
+     *   (call {@link initialize} first).
+     */
+    getCACertificateDER(): Buffer;
+    /**
+     * Return the CA certificate as a PEM-encoded string.
+     *
+     * @throws if the CA certificate file does not exist
+     *   (call {@link initialize} first).
+     */
+    getCACertificatePEM(): string;
+    /**
+     * Return the current Certificate Revocation List as a
+     * DER-encoded buffer.
+     *
+     * Returns an empty buffer if no CRL has been generated yet.
+     */
+    getCRLDER(): Buffer;
+    /**
+     * Return the current Certificate Revocation List as a
+     * PEM-encoded string.
+     *
+     * Returns an empty string if no CRL has been generated yet.
+     */
+    getCRLPEM(): string;
+    /**
+     * Return a list of all issued certificates recorded in the
+     * OpenSSL `index.txt` database.
+     *
+     * Each entry includes the serial number, subject, status,
+     * expiry date, and (for revoked certs) the revocation date.
+     */
+    getIssuedCertificates(): IssuedCertificateRecord[];
+    /**
+     * Return the total number of certificates recorded in
+     * `index.txt`.
+     */
+    getIssuedCertificateCount(): number;
+    /**
+     * Return the status of a certificate by its serial number.
+     *
+     * @param serial - hex-encoded serial number (e.g. `"1000"`)
+     * @returns `"valid"`, `"revoked"`, `"expired"`, or
+     *   `undefined` if not found
+     */
+    getCertificateStatus(serial: string): "valid" | "revoked" | "expired" | undefined;
+    /**
+     * Read a specific issued certificate by serial number and
+     * return its content as a DER-encoded buffer.
+     *
+     * OpenSSL stores signed certificates in the `certs/`
+     * directory using the naming convention `<SERIAL>.pem`.
+     *
+     * @param serial - hex-encoded serial number (e.g. `"1000"`)
+     * @returns the DER buffer, or `undefined` if not found
+     */
+    getCertificateBySerial(serial: string): Buffer | undefined;
+    /**
+     * Path to the OpenSSL certificate database file.
+     */
+    get indexFile(): string;
+    /**
+     * Parse the OpenSSL `index.txt` certificate database.
+     *
+     * Each line has tab-separated fields:
+     * ```
+     * status  expiry  [revocationDate]  serial  unknown  subject
+     * ```
+     *
+     * - status: `V` (valid), `R` (revoked), `E` (expired)
+     * - expiry: `YYMMDDHHmmssZ`
+     * - revocationDate: present only for revoked certs
+     * - serial: hex string
+     * - unknown: always `"unknown"`
+     * - subject: X.500 slash-delimited string
+     */
+    private _parseIndexTxt;
+    /**
+     * Sign a DER-encoded Certificate Signing Request and return
+     * the signed certificate as a DER buffer.
+     *
+     * This method handles temp-file creation and cleanup
+     * internally so that callers can work with in-memory
+     * buffers only.
+     *
+     * @param csrDer - the CSR as a DER-encoded buffer
+     * @param options - signing options
+     * @param options.validity - certificate validity in days
+     *   (default: 365)
+     * @returns the signed certificate as a DER-encoded buffer
+     */
+    signCertificateRequestFromDER(csrDer: Buffer, options?: {
+        validity?: number;
+    }): Promise<Buffer>;
+    /**
+     * Revoke a DER-encoded certificate and regenerate the CRL.
+     *
+     * Extracts the serial number from the certificate, then
+     * uses the stored cert file at `certs/<serial>.pem` for
+     * revocation — avoiding temp-file PEM format mismatches.
+     *
+     * @param certDer - the certificate as a DER-encoded buffer
+     * @param reason - CRL reason code
+     *   (default: `"keyCompromise"`)
+     * @throws if the certificate's serial is not found in the CA
+     */
+    revokeCertificateDER(certDer: Buffer, reason?: string): Promise<void>;
     /**
      * Initialize the CA directory structure, generate the CA
      * private key and self-signed certificate if they do not

package/dist/index.js

@@ -53,6 +53,7 @@ module.exports = __toCommonJS(lib_exports);
 // packages/node-opcua-pki/lib/ca/certificate_authority.ts
 var import_node_assert6 = __toESM(require("assert"));
 var import_node_fs6 = __toESM(require("fs"));
+var import_node_os3 = __toESM(require("os"));
 var import_node_path5 = __toESM(require("path"));
 var import_chalk5 = __toESM(require("chalk"));
 var import_node_opcua_crypto2 = require("node-opcua-crypto");
@@ -754,8 +755,7 @@ subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA Generated by Node-OPCUA Certificate utility using openssl"
 [ v3_ca ]
 subjectKeyIdentifier      = hash
-authorityKeyIdentifier    = keyid:always,issuer:always
-# authorityKeyIdentifier    = keyid
+authorityKeyIdentifier    = keyid
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
 nsComment                 = "CA Certificate generated by Node-OPCUA Certificate utility using openssl"
@@ -866,6 +866,18 @@ async function regenerateCrl(revocationList, configOption, options) {
   displaySubtitle("Display (Certificate Revocation List)");
   await execute_openssl(`crl  -in ${q(n2(revocationList))} -text  -noout`, options);
 }
+function parseOpenSSLDate(dateStr) {
+  const raw = dateStr?.split(",")[0] ?? "";
+  if (raw.length < 12) return "";
+  const yy = parseInt(raw.substring(0, 2), 10);
+  const year = yy >= 70 ? 1900 + yy : 2e3 + yy;
+  const month = raw.substring(2, 4);
+  const day = raw.substring(4, 6);
+  const hour = raw.substring(6, 8);
+  const min = raw.substring(8, 10);
+  const sec = raw.substring(10, 12);
+  return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
+}
 var CertificateAuthority = class {
   /** RSA key size used when generating the CA private key. */
   keySize;
@@ -913,6 +925,244 @@ var CertificateAuthority = class {
   get caCertificateWithCrl() {
     return makePath(this.rootDir, "./public/cacertificate_with_crl.pem");
   }
+  // ---------------------------------------------------------------
+  // Buffer-based accessors (US-059)
+  // ---------------------------------------------------------------
+  /**
+   * Return the CA certificate as a DER-encoded buffer.
+   *
+   * @throws if the CA certificate file does not exist
+   *   (call {@link initialize} first).
+   */
+  getCACertificateDER() {
+    const pem = (0, import_node_opcua_crypto2.readCertificatePEM)(this.caCertificate);
+    return (0, import_node_opcua_crypto2.convertPEMtoDER)(pem);
+  }
+  /**
+   * Return the CA certificate as a PEM-encoded string.
+   *
+   * @throws if the CA certificate file does not exist
+   *   (call {@link initialize} first).
+   */
+  getCACertificatePEM() {
+    const raw = (0, import_node_opcua_crypto2.readCertificatePEM)(this.caCertificate);
+    const beginMarker = "-----BEGIN CERTIFICATE-----";
+    const idx = raw.indexOf(beginMarker);
+    if (idx > 0) {
+      return raw.substring(idx);
+    }
+    return raw;
+  }
+  /**
+   * Return the current Certificate Revocation List as a
+   * DER-encoded buffer.
+   *
+   * Returns an empty buffer if no CRL has been generated yet.
+   */
+  getCRLDER() {
+    const crlPath = this.revocationListDER;
+    if (!import_node_fs6.default.existsSync(crlPath)) {
+      return Buffer.alloc(0);
+    }
+    return import_node_fs6.default.readFileSync(crlPath);
+  }
+  /**
+   * Return the current Certificate Revocation List as a
+   * PEM-encoded string.
+   *
+   * Returns an empty string if no CRL has been generated yet.
+   */
+  getCRLPEM() {
+    const crlPath = this.revocationList;
+    if (!import_node_fs6.default.existsSync(crlPath)) {
+      return "";
+    }
+    const raw = import_node_fs6.default.readFileSync(crlPath, "utf-8");
+    const beginMarker = "-----BEGIN X509 CRL-----";
+    const idx = raw.indexOf(beginMarker);
+    if (idx > 0) {
+      return raw.substring(idx);
+    }
+    return raw;
+  }
+  // ---------------------------------------------------------------
+  // Certificate database API (US-057)
+  // ---------------------------------------------------------------
+  /**
+   * Return a list of all issued certificates recorded in the
+   * OpenSSL `index.txt` database.
+   *
+   * Each entry includes the serial number, subject, status,
+   * expiry date, and (for revoked certs) the revocation date.
+   */
+  getIssuedCertificates() {
+    return this._parseIndexTxt();
+  }
+  /**
+   * Return the total number of certificates recorded in
+   * `index.txt`.
+   */
+  getIssuedCertificateCount() {
+    return this._parseIndexTxt().length;
+  }
+  /**
+   * Return the status of a certificate by its serial number.
+   *
+   * @param serial - hex-encoded serial number (e.g. `"1000"`)
+   * @returns `"valid"`, `"revoked"`, `"expired"`, or
+   *   `undefined` if not found
+   */
+  getCertificateStatus(serial) {
+    const upper = serial.toUpperCase();
+    const record = this._parseIndexTxt().find((r) => r.serial.toUpperCase() === upper);
+    return record?.status;
+  }
+  /**
+   * Read a specific issued certificate by serial number and
+   * return its content as a DER-encoded buffer.
+   *
+   * OpenSSL stores signed certificates in the `certs/`
+   * directory using the naming convention `<SERIAL>.pem`.
+   *
+   * @param serial - hex-encoded serial number (e.g. `"1000"`)
+   * @returns the DER buffer, or `undefined` if not found
+   */
+  getCertificateBySerial(serial) {
+    const upper = serial.toUpperCase();
+    const certFile = import_node_path5.default.join(this.rootDir, "certs", `${upper}.pem`);
+    if (!import_node_fs6.default.existsSync(certFile)) {
+      return void 0;
+    }
+    const pem = (0, import_node_opcua_crypto2.readCertificatePEM)(certFile);
+    return (0, import_node_opcua_crypto2.convertPEMtoDER)(pem);
+  }
+  /**
+   * Path to the OpenSSL certificate database file.
+   */
+  get indexFile() {
+    return import_node_path5.default.join(this.rootDir, "index.txt");
+  }
+  /**
+   * Parse the OpenSSL `index.txt` certificate database.
+   *
+   * Each line has tab-separated fields:
+   * ```
+   * status  expiry  [revocationDate]  serial  unknown  subject
+   * ```
+   *
+   * - status: `V` (valid), `R` (revoked), `E` (expired)
+   * - expiry: `YYMMDDHHmmssZ`
+   * - revocationDate: present only for revoked certs
+   * - serial: hex string
+   * - unknown: always `"unknown"`
+   * - subject: X.500 slash-delimited string
+   */
+  _parseIndexTxt() {
+    const indexPath = this.indexFile;
+    if (!import_node_fs6.default.existsSync(indexPath)) {
+      return [];
+    }
+    const content = import_node_fs6.default.readFileSync(indexPath, "utf-8");
+    const lines = content.split("\n").filter((l) => l.trim().length > 0);
+    const records = [];
+    for (const line of lines) {
+      const fields = line.split("	");
+      if (fields.length < 4) continue;
+      const statusChar = fields[0];
+      const expiryStr = fields[1];
+      let serial;
+      let subject;
+      let revocationDate;
+      if (statusChar === "R") {
+        revocationDate = fields[2];
+        serial = fields[3];
+        subject = fields.length >= 6 ? fields[5] : "";
+      } else {
+        serial = fields[3];
+        subject = fields.length >= 6 ? fields[5] : "";
+      }
+      let status;
+      switch (statusChar) {
+        case "V":
+          status = "valid";
+          break;
+        case "R":
+          status = "revoked";
+          break;
+        case "E":
+          status = "expired";
+          break;
+        default:
+          continue;
+      }
+      records.push({
+        serial,
+        status,
+        subject,
+        expiryDate: parseOpenSSLDate(expiryStr),
+        revocationDate: revocationDate ? parseOpenSSLDate(revocationDate) : void 0
+      });
+    }
+    return records;
+  }
+  // ---------------------------------------------------------------
+  // Buffer-based CA operations (US-058)
+  // ---------------------------------------------------------------
+  /**
+   * Sign a DER-encoded Certificate Signing Request and return
+   * the signed certificate as a DER buffer.
+   *
+   * This method handles temp-file creation and cleanup
+   * internally so that callers can work with in-memory
+   * buffers only.
+   *
+   * @param csrDer - the CSR as a DER-encoded buffer
+   * @param options - signing options
+   * @param options.validity - certificate validity in days
+   *   (default: 365)
+   * @returns the signed certificate as a DER-encoded buffer
+   */
+  async signCertificateRequestFromDER(csrDer, options) {
+    const validity = options?.validity ?? 365;
+    const tmpDir = await import_node_fs6.default.promises.mkdtemp(import_node_path5.default.join(import_node_os3.default.tmpdir(), "pki-sign-"));
+    try {
+      const csrFile = import_node_path5.default.join(tmpDir, "request.csr");
+      const certFile = import_node_path5.default.join(tmpDir, "certificate.pem");
+      const csrPem = (0, import_node_opcua_crypto2.toPem)(csrDer, "CERTIFICATE REQUEST");
+      await import_node_fs6.default.promises.writeFile(csrFile, csrPem, "utf-8");
+      await this.signCertificateRequest(certFile, csrFile, { validity });
+      const certPem = (0, import_node_opcua_crypto2.readCertificatePEM)(certFile);
+      return (0, import_node_opcua_crypto2.convertPEMtoDER)(certPem);
+    } finally {
+      await import_node_fs6.default.promises.rm(tmpDir, {
+        recursive: true,
+        force: true
+      });
+    }
+  }
+  /**
+   * Revoke a DER-encoded certificate and regenerate the CRL.
+   *
+   * Extracts the serial number from the certificate, then
+   * uses the stored cert file at `certs/<serial>.pem` for
+   * revocation — avoiding temp-file PEM format mismatches.
+   *
+   * @param certDer - the certificate as a DER-encoded buffer
+   * @param reason - CRL reason code
+   *   (default: `"keyCompromise"`)
+   * @throws if the certificate's serial is not found in the CA
+   */
+  async revokeCertificateDER(certDer, reason) {
+    const info = (0, import_node_opcua_crypto2.exploreCertificate)(certDer);
+    const serial = info.tbsCertificate.serialNumber.replace(/:/g, "").toUpperCase();
+    const storedCertFile = import_node_path5.default.join(this.rootDir, "certs", `${serial}.pem`);
+    if (!import_node_fs6.default.existsSync(storedCertFile)) {
+      throw new Error(`Cannot revoke: no stored certificate found for serial ${serial} at ${storedCertFile}`);
+    }
+    await this.revokeCertificate(storedCertFile, {
+      reason: reason ?? "keyCompromise"
+    });
+  }
   /**
    * Initialize the CA directory structure, generate the CA
    * private key and self-signed certificate if they do not