node-opcua-pki 6.8.2 → 6.9.0
- package/dist/bin/pki.mjs +261 -6
- package/dist/bin/pki.mjs.map +1 -1
- package/dist/index.d.mts +129 -0
- package/dist/index.d.ts +129 -0
- package/dist/index.js +251 -0
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +263 -8
- package/dist/index.mjs.map +1 -1
- package/package.json +4 -4
- package/readme.md +78 -0
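--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "node-opcua-pki",
-"version": "6.
+"version": "6.9.0",
 "description": "PKI management for node-opcua",
 "type": "commonjs",
 "main": "./dist/index.js",
@@ -39,7 +39,7 @@
 "author": "Etienne Rossignon",
 "license": "MIT",
 "dependencies": {
-"@ster5/global-mutex": "^3.
+"@ster5/global-mutex": "^3.3.0",
 "byline": "^5.0.0",
 "chalk": "4.1.2",
 "chokidar": "4.0.3",
@@ -48,7 +48,7 @@
 "node-opcua-crypto": "5.3.0",
 "progress": "^2.0.3",
 "wget-improved-2": "^3.3.0",
-"yauzl": "^3.2.
+"yauzl": "^3.2.1"
 },
-"gitHead": "
+"gitHead": "a6e377401bb0628e1dc120da40f31aab138643ce"
 }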
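--- a/package/readme.md
+++ b/package/readme.md
@@ -252,6 +252,84 @@ await cm.createSelfSignedCertificate({
 | `issuersCrlFolder` | `{location}/issuers/crl` |
 | `rootDir` | `{location}` |
 
+### CertificateAuthority API
+
+The `CertificateAuthority` class manages an OpenSSL-based CA directory structure for issuing, revoking, and tracking certificates.
+
+```typescript
+import { CertificateAuthority } from "node-opcua-pki";
+
+const ca = new CertificateAuthority({
+location: "./my_ca",
+keySize: 2048,
+});
+await ca.initialize();
+```
+
+#### Buffer Accessors
+
+| Method | Returns | Description |
+| ------------------------ | -------- | ---------------------------------------- |
+| `getCACertificateDER()` | `Buffer` | CA certificate as DER |
+| `getCACertificatePEM()` | `string` | CA certificate as PEM |
+| `getCRLDER()` | `Buffer` | Current CRL as DER (empty if none) |
+| `getCRLPEM()` | `string` | Current CRL as PEM |
+
+#### Buffer Operations
+
+| Method | Returns | Description |
+| --- | --- | --- |
+| `signCertificateRequestFromDER(csrDer, options?)` | `Promise<Buffer>` | Sign a DER-encoded CSR, return signed cert as DER. Handles temp files internally. |
+| `revokeCertificateDER(certDer, reason?)` | `Promise<void>` | Revoke a DER-encoded certificate. Looks up the stored cert by serial number. |
+
+```typescript
+// Sign a CSR from a DER buffer
+const certDer = await ca.signCertificateRequestFromDER(csrDer, {
+validity: 365,
+});
+
+// Revoke a certificate from its DER buffer
+await ca.revokeCertificateDER(certDer, "keyCompromise");
+```
+
+#### Certificate Database
+
+These methods parse the OpenSSL `index.txt` database to query issued certificate status. Certificate files are read from the CA's `certs/` directory.
+
+| Method | Returns | Description |
+| --- | --- | --- |
+| `getIssuedCertificates()` | `IssuedCertificateRecord[]` | All records from `index.txt` |
+| `getIssuedCertificateCount()` | `number` | Total number of issued certificates |
+| `getCertificateStatus(serial)` | `string \| undefined` | `"valid"`, `"revoked"`, or `"expired"` |
+| `getCertificateBySerial(serial)` | `Buffer \| undefined` | DER buffer from `certs/<serial>.pem` |
+
+```typescript
+// List all issued certificates
+const records = ca.getIssuedCertificates();
+for (const r of records) {
+console.log(`${r.serial}: ${r.status} — ${r.subject}`);
+}
+
+// Check if a specific certificate is revoked
+const status = ca.getCertificateStatus("1000");
+if (status === "revoked") {
+console.log("Certificate 1000 has been revoked");
+}
+
+// Read a certificate by serial number
+const der = ca.getCertificateBySerial("1000");
+```
+
+**`IssuedCertificateRecord`** fields:
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `serial` | `string` | Hex serial (e.g. `"1000"`) |
+| `status` | `"valid" \| "revoked" \| "expired"` | Certificate status |
+| `subject` | `string` | X.500 subject (slash-delimited) |
+| `expiryDate` | `string` | ISO-8601 expiry date |
+| `revocationDate` | `string?` | ISO-8601 revocation date (if revoked) |
+
 ### File Watching
 
 `CertificateManager` uses [chokidar](https://github.com/paulmillr/chokidar) to watch the PKI folders for changes. By default, it uses **native OS events** (inotify, FSEvents, ReadDirectoryChangesW) for near-real-time detection.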