node-opcua-pki 6.8.2 → 6.10.0

package/dist/index.mjs

@@ -1,13 +1,18 @@
 // packages/node-opcua-pki/lib/ca/certificate_authority.ts
 import assert6 from "assert";
 import fs6 from "fs";
+import os3 from "os";
 import path5 from "path";
 import chalk5 from "chalk";
 import {
+  convertPEMtoDER,
+  exploreCertificate,
   exploreCertificateSigningRequest,
   generatePrivateKeyFile,
+  readCertificatePEM,
   readCertificateSigningRequest,
-  Subject as Subject2
+  Subject as Subject2,
+  toPem
 } from "node-opcua-crypto";
 
 // packages/node-opcua-pki/lib/toolbox/common.ts
@@ -707,8 +712,7 @@ subjectAltName            = $ENV::ALTNAME
 nsComment                 = "CA Generated by Node-OPCUA Certificate utility using openssl"
 [ v3_ca ]
 subjectKeyIdentifier      = hash
-authorityKeyIdentifier    = keyid:always,issuer:always
-# authorityKeyIdentifier    = keyid
+authorityKeyIdentifier    = keyid
 basicConstraints          = CA:TRUE
 keyUsage                  = critical, cRLSign, keyCertSign
 nsComment                 = "CA Certificate generated by Node-OPCUA Certificate utility using openssl"
@@ -819,6 +823,18 @@ async function regenerateCrl(revocationList, configOption, options) {
   displaySubtitle("Display (Certificate Revocation List)");
   await execute_openssl(`crl  -in ${q(n2(revocationList))} -text  -noout`, options);
 }
+function parseOpenSSLDate(dateStr) {
+  const raw = dateStr?.split(",")[0] ?? "";
+  if (raw.length < 12) return "";
+  const yy = parseInt(raw.substring(0, 2), 10);
+  const year = yy >= 70 ? 1900 + yy : 2e3 + yy;
+  const month = raw.substring(2, 4);
+  const day = raw.substring(4, 6);
+  const hour = raw.substring(6, 8);
+  const min = raw.substring(8, 10);
+  const sec = raw.substring(10, 12);
+  return `${year}-${month}-${day}T${hour}:${min}:${sec}Z`;
+}
 var CertificateAuthority = class {
   /** RSA key size used when generating the CA private key. */
   keySize;
@@ -866,6 +882,244 @@ var CertificateAuthority = class {
   get caCertificateWithCrl() {
     return makePath(this.rootDir, "./public/cacertificate_with_crl.pem");
   }
+  // ---------------------------------------------------------------
+  // Buffer-based accessors (US-059)
+  // ---------------------------------------------------------------
+  /**
+   * Return the CA certificate as a DER-encoded buffer.
+   *
+   * @throws if the CA certificate file does not exist
+   *   (call {@link initialize} first).
+   */
+  getCACertificateDER() {
+    const pem = readCertificatePEM(this.caCertificate);
+    return convertPEMtoDER(pem);
+  }
+  /**
+   * Return the CA certificate as a PEM-encoded string.
+   *
+   * @throws if the CA certificate file does not exist
+   *   (call {@link initialize} first).
+   */
+  getCACertificatePEM() {
+    const raw = readCertificatePEM(this.caCertificate);
+    const beginMarker = "-----BEGIN CERTIFICATE-----";
+    const idx = raw.indexOf(beginMarker);
+    if (idx > 0) {
+      return raw.substring(idx);
+    }
+    return raw;
+  }
+  /**
+   * Return the current Certificate Revocation List as a
+   * DER-encoded buffer.
+   *
+   * Returns an empty buffer if no CRL has been generated yet.
+   */
+  getCRLDER() {
+    const crlPath = this.revocationListDER;
+    if (!fs6.existsSync(crlPath)) {
+      return Buffer.alloc(0);
+    }
+    return fs6.readFileSync(crlPath);
+  }
+  /**
+   * Return the current Certificate Revocation List as a
+   * PEM-encoded string.
+   *
+   * Returns an empty string if no CRL has been generated yet.
+   */
+  getCRLPEM() {
+    const crlPath = this.revocationList;
+    if (!fs6.existsSync(crlPath)) {
+      return "";
+    }
+    const raw = fs6.readFileSync(crlPath, "utf-8");
+    const beginMarker = "-----BEGIN X509 CRL-----";
+    const idx = raw.indexOf(beginMarker);
+    if (idx > 0) {
+      return raw.substring(idx);
+    }
+    return raw;
+  }
+  // ---------------------------------------------------------------
+  // Certificate database API (US-057)
+  // ---------------------------------------------------------------
+  /**
+   * Return a list of all issued certificates recorded in the
+   * OpenSSL `index.txt` database.
+   *
+   * Each entry includes the serial number, subject, status,
+   * expiry date, and (for revoked certs) the revocation date.
+   */
+  getIssuedCertificates() {
+    return this._parseIndexTxt();
+  }
+  /**
+   * Return the total number of certificates recorded in
+   * `index.txt`.
+   */
+  getIssuedCertificateCount() {
+    return this._parseIndexTxt().length;
+  }
+  /**
+   * Return the status of a certificate by its serial number.
+   *
+   * @param serial - hex-encoded serial number (e.g. `"1000"`)
+   * @returns `"valid"`, `"revoked"`, `"expired"`, or
+   *   `undefined` if not found
+   */
+  getCertificateStatus(serial) {
+    const upper = serial.toUpperCase();
+    const record = this._parseIndexTxt().find((r) => r.serial.toUpperCase() === upper);
+    return record?.status;
+  }
+  /**
+   * Read a specific issued certificate by serial number and
+   * return its content as a DER-encoded buffer.
+   *
+   * OpenSSL stores signed certificates in the `certs/`
+   * directory using the naming convention `<SERIAL>.pem`.
+   *
+   * @param serial - hex-encoded serial number (e.g. `"1000"`)
+   * @returns the DER buffer, or `undefined` if not found
+   */
+  getCertificateBySerial(serial) {
+    const upper = serial.toUpperCase();
+    const certFile = path5.join(this.rootDir, "certs", `${upper}.pem`);
+    if (!fs6.existsSync(certFile)) {
+      return void 0;
+    }
+    const pem = readCertificatePEM(certFile);
+    return convertPEMtoDER(pem);
+  }
+  /**
+   * Path to the OpenSSL certificate database file.
+   */
+  get indexFile() {
+    return path5.join(this.rootDir, "index.txt");
+  }
+  /**
+   * Parse the OpenSSL `index.txt` certificate database.
+   *
+   * Each line has tab-separated fields:
+   * ```
+   * status  expiry  [revocationDate]  serial  unknown  subject
+   * ```
+   *
+   * - status: `V` (valid), `R` (revoked), `E` (expired)
+   * - expiry: `YYMMDDHHmmssZ`
+   * - revocationDate: present only for revoked certs
+   * - serial: hex string
+   * - unknown: always `"unknown"`
+   * - subject: X.500 slash-delimited string
+   */
+  _parseIndexTxt() {
+    const indexPath = this.indexFile;
+    if (!fs6.existsSync(indexPath)) {
+      return [];
+    }
+    const content = fs6.readFileSync(indexPath, "utf-8");
+    const lines = content.split("\n").filter((l) => l.trim().length > 0);
+    const records = [];
+    for (const line of lines) {
+      const fields = line.split("	");
+      if (fields.length < 4) continue;
+      const statusChar = fields[0];
+      const expiryStr = fields[1];
+      let serial;
+      let subject;
+      let revocationDate;
+      if (statusChar === "R") {
+        revocationDate = fields[2];
+        serial = fields[3];
+        subject = fields.length >= 6 ? fields[5] : "";
+      } else {
+        serial = fields[3];
+        subject = fields.length >= 6 ? fields[5] : "";
+      }
+      let status;
+      switch (statusChar) {
+        case "V":
+          status = "valid";
+          break;
+        case "R":
+          status = "revoked";
+          break;
+        case "E":
+          status = "expired";
+          break;
+        default:
+          continue;
+      }
+      records.push({
+        serial,
+        status,
+        subject,
+        expiryDate: parseOpenSSLDate(expiryStr),
+        revocationDate: revocationDate ? parseOpenSSLDate(revocationDate) : void 0
+      });
+    }
+    return records;
+  }
+  // ---------------------------------------------------------------
+  // Buffer-based CA operations (US-058)
+  // ---------------------------------------------------------------
+  /**
+   * Sign a DER-encoded Certificate Signing Request and return
+   * the signed certificate as a DER buffer.
+   *
+   * This method handles temp-file creation and cleanup
+   * internally so that callers can work with in-memory
+   * buffers only.
+   *
+   * @param csrDer - the CSR as a DER-encoded buffer
+   * @param options - signing options
+   * @param options.validity - certificate validity in days
+   *   (default: 365)
+   * @returns the signed certificate as a DER-encoded buffer
+   */
+  async signCertificateRequestFromDER(csrDer, options) {
+    const validity = options?.validity ?? 365;
+    const tmpDir = await fs6.promises.mkdtemp(path5.join(os3.tmpdir(), "pki-sign-"));
+    try {
+      const csrFile = path5.join(tmpDir, "request.csr");
+      const certFile = path5.join(tmpDir, "certificate.pem");
+      const csrPem = toPem(csrDer, "CERTIFICATE REQUEST");
+      await fs6.promises.writeFile(csrFile, csrPem, "utf-8");
+      await this.signCertificateRequest(certFile, csrFile, { validity });
+      const certPem = readCertificatePEM(certFile);
+      return convertPEMtoDER(certPem);
+    } finally {
+      await fs6.promises.rm(tmpDir, {
+        recursive: true,
+        force: true
+      });
+    }
+  }
+  /**
+   * Revoke a DER-encoded certificate and regenerate the CRL.
+   *
+   * Extracts the serial number from the certificate, then
+   * uses the stored cert file at `certs/<serial>.pem` for
+   * revocation — avoiding temp-file PEM format mismatches.
+   *
+   * @param certDer - the certificate as a DER-encoded buffer
+   * @param reason - CRL reason code
+   *   (default: `"keyCompromise"`)
+   * @throws if the certificate's serial is not found in the CA
+   */
+  async revokeCertificateDER(certDer, reason) {
+    const info = exploreCertificate(certDer);
+    const serial = info.tbsCertificate.serialNumber.replace(/:/g, "").toUpperCase();
+    const storedCertFile = path5.join(this.rootDir, "certs", `${serial}.pem`);
+    if (!fs6.existsSync(storedCertFile)) {
+      throw new Error(`Cannot revoke: no stored certificate found for serial ${serial} at ${storedCertFile}`);
+    }
+    await this.revokeCertificate(storedCertFile, {
+      reason: reason ?? "keyCompromise"
+    });
+  }
   /**
    * Initialize the CA directory structure, generate the CA
    * private key and self-signed certificate if they do not
@@ -1077,7 +1331,7 @@ import { drainPendingLocks, withLock } from "@ster5/global-mutex";
 import chalk6 from "chalk";
 import chokidar from "chokidar";
 import {
-  exploreCertificate,
+  exploreCertificate as exploreCertificate2,
   exploreCertificateInfo,
   exploreCertificateRevocationList,
   generatePrivateKeyFile as generatePrivateKeyFile2,
@@ -1086,7 +1340,7 @@ import {
   readCertificateAsync,
   readCertificateRevocationList,
   split_der,
-  toPem,
+  toPem as toPem2,
   verifyCertificateChain,
   verifyCertificateSignature
 } from "node-opcua-crypto";
@@ -1189,7 +1443,7 @@ function exploreCertificateCached(certificate) {
     _exploreCache.set(key, cached);
     return cached;
   }
-  const info = exploreCertificate(certificate);
+  const info = exploreCertificate2(certificate);
   _exploreCache.set(key, info);
   if (_exploreCache.size > EXPLORE_CACHE_MAX) {
     const oldest = _exploreCache.keys().next().value;
@@ -1503,7 +1757,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       }
       const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
       debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
-      await fsWriteFile(filename, toPem(certificate, "CERTIFICATE"));
+      await fsWriteFile(filename, toPem2(certificate, "CERTIFICATE"));
       this.#thumbs.rejected.set(fingerprint, { certificate, filename });
     }
     return "BadCertificateUntrusted";
@@ -1868,7 +2122,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
         return status;
       }
     }
-    const pemCertificate = toPem(certificate, "CERTIFICATE");
+    const pemCertificate = toPem2(certificate, "CERTIFICATE");
     const fingerprint = makeFingerprint(certificate);
     if (this.#thumbs.issuers.certs.has(fingerprint)) {
       return "Good" /* Good */;
@@ -1896,7 +2150,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
         if (!index.has(key)) {
           index.set(key, { crls: [], serialNumbers: {} });
         }
-        const pemCertificate = toPem(crl, "X509 CRL");
+        const pemCertificate = toPem2(crl, "X509 CRL");
         const filename = path6.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
         await fs9.promises.writeFile(filename, pemCertificate, "ascii");
         await this.#onCrlFileAdded(index, filename);
@@ -2161,7 +2415,7 @@ var CertificateManager = class _CertificateManager extends EventEmitter {
       const fingerprint = makeFingerprint(certificate);
       let status = await this.#checkRejectedOrTrusted(certificate);
       if (status === "unknown") {
-        const pem = toPem(certificate, "CERTIFICATE");
+        const pem = toPem2(certificate, "CERTIFICATE");
         const filename = path6.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
         await fs9.promises.writeFile(filename, pem);
         this.#thumbs.rejected.set(fingerprint, { certificate, filename });