node-opcua / node-opcua-pki / 25743456608

90%

push

github

feat(ca): opt-in CDP & AIA extensions in issued certificates

CertificateAuthority gains three configurable revocation-discovery
URLs — crlDistributionUrl, ocspResponderUrl, caIssuersUrl — set
either through the constructor options or via the matching setters.
When configured, every certificate issued by the CA carries the
corresponding X.509v3 extension:

  - crlDistributionPoints: URI:<crlDistributionUrl>
  - authorityInfoAccess:   OCSP;URI:<ocspResponderUrl>,
                           caIssuers;URI:<caIssuersUrl>

When a URL is left undefined, the matching extension is OMITTED
from the cert. This replaces the previous behaviour where the CA
template hardcoded a CDP URL of http://localhost:8900/crl.pem on
the CA's own cert — useless in any deployment outside dev — and no
CDP at all on end-entity certs.

Setter validation runs synchronously and throws on empty string,
non-http(s) protocol, missing path, or any URL.parse failure.
Loopback hostnames produce a warning but are accepted (tests + dev).

Implementation:
  - unsetEnv + Mustache-style {{#KEY}}...{{/KEY}} conditional blocks
    in the OpenSSL config templates, stripped at substitution time
    by generateStaticConfig when the matching env var is absent or
    empty.
  - _wireRevocationEnvVars() populates the env vars from the
    configured URLs and is invoked before every config rendering
    that signs a cert (CA self-sign, subordinate CA sign, end-entity
    sign).

Tests cover all eight combinations of {none, CDP, OCSP, caIssuers,
all-three} plus full setter-validation surface, verified against
openssl x509 -text -noout output — i.e. the way every relying
party actually reads the certs.

Refs: US-202

489 of 658 branches covered (74.32%)

48 of 48 new or added lines in 3 files covered. (100.0%)

1464 of 1621 relevant lines covered (90.31%)

250.15 hits per line