diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index d1068dc55e..b82d8b5809 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -161595,11 +161595,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index d97d19c515..6ad384010f 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -107706,11 +107706,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index d39e634000..8650b0c53e 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -103996,11 +103996,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/init-action-post.js b/lib/init-action-post.js index f4bc19ecf9..8b01a91a2b 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -165073,11 +165073,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/init-action.js b/lib/init-action.js index ca0b47a854..349d97b2ea 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -105223,11 +105223,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 93eee7f4c4..b140d4faff 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -103987,11 +103987,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 95a380ab4b..fa3cdc5036 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -103896,11 +103896,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 76abe6d2f3..aed843fc9e 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -161001,11 +161001,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index e7d3871203..709fddfc3b 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -120688,11 +120688,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", @@ -121829,7 +121824,8 @@ var CERT_SUBJECT = [ value: "San Francisco" } ]; -var extraExtensions = [ +var allExtensions = [ + { name: "basicConstraints", cA: true }, { name: "keyUsage", critical: true, 
@@ -121840,7 +121836,7 @@ var extraExtensions = [ { name: "subjectKeyIdentifier" }, { name: "authorityKeyIdentifier", keyIdentifier: true } ]; -function generateCertificateAuthority(newCertGenFF) { +function generateCertificateAuthority() { const keys = import_node_forge.pki.rsa.generateKeyPair(KEY_SIZE); const cert = import_node_forge.pki.createCertificate(); cert.publicKey = keys.publicKey; @@ -121852,16 +121848,8 @@ function generateCertificateAuthority(newCertGenFF) { ); cert.setSubject(CERT_SUBJECT); cert.setIssuer(CERT_SUBJECT); - const extensions = [{ name: "basicConstraints", cA: true }]; - if (newCertGenFF) { - extensions.push(...extraExtensions); - } - cert.setExtensions(extensions); - if (newCertGenFF) { - cert.sign(keys.privateKey, import_node_forge.md.sha256.create()); - } else { - cert.sign(keys.privateKey); - } + cert.setExtensions(allExtensions); + cert.sign(keys.privateKey, import_node_forge.md.sha256.create()); const pem = import_node_forge.pki.certificateToPem(cert); const key = import_node_forge.pki.privateKeyToPem(keys.privateKey); return { cert: pem, key }; @@ -122138,9 +122126,7 @@ async function run(startedAt) { ); } } - const ca = generateCertificateAuthority( - await features.getValue("improved_proxy_certificates" /* ImprovedProxyCertificates */) - ); + const ca = generateCertificateAuthority(); const proxyConfig = { all_credentials: credentials, ca diff --git a/lib/upload-lib.js b/lib/upload-lib.js index fcec315ba3..b16047dfff 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -107155,11 +107155,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", 
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 707ab28353..7aa9b2f5f6 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -161163,11 +161163,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 071fe3b0ca..81a17fc4d7 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -106880,11 +106880,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: void 0 }, - ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: void 0 - }, ["java_network_debugging" /* JavaNetworkDebugging */]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/src/feature-flags.ts b/src/feature-flags.ts index f2a6c90a21..77557743c9 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -47,7 +47,6 @@ export enum Feature { ExportDiagnosticsEnabled = "export_diagnostics_enabled", ForceNightly = "force_nightly", IgnoreGeneratedFiles = "ignore_generated_files", - ImprovedProxyCertificates = "improved_proxy_certificates", JavaNetworkDebugging = "java_network_debugging", OverlayAnalysis = "overlay_analysis", OverlayAnalysisActions = "overlay_analysis_actions", 
@@ -175,11 +174,6 @@ export const featureConfig = { envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", minimumVersion: undefined, }, - [Feature.ImprovedProxyCertificates]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES", - minimumVersion: undefined, - }, [Feature.JavaNetworkDebugging]: { defaultValue: false, envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts index df6c9a3328..39d2bc2d45 100644 --- a/src/start-proxy-action.ts +++ b/src/start-proxy-action.ts @@ -90,9 +90,7 @@ async function run(startedAt: Date) { } } - const ca = generateCertificateAuthority( - await features.getValue(Feature.ImprovedProxyCertificates), - ); + const ca = generateCertificateAuthority(); const proxyConfig: ProxyConfig = { all_credentials: credentials, diff --git a/src/start-proxy/ca.test.ts b/src/start-proxy/ca.test.ts index ae4e22e9ad..7b88fc54ba 100644 --- a/src/start-proxy/ca.test.ts +++ b/src/start-proxy/ca.test.ts 
@@ -32,33 +32,7 @@ function checkCertAttributes( } test("generateCertificateAuthority - generates certificates", (t) => { - const result = ca.generateCertificateAuthority(false); - const cert = pki.certificateFromPem(result.cert); - const key = pki.privateKeyFromPem(result.key); - - t.truthy(cert); - t.truthy(key); - - checkCertAttributes(t, cert); - - // Check the validity. - t.true( - cert.validity.notBefore <= new Date(), - "notBefore date is in the future", - ); - t.true(cert.validity.notAfter > new Date(), "notAfter date is in the past"); - - // Check that the extensions are set as we'd expect. - const exts = cert.extensions as ca.Extension[]; - t.is(exts.length, 1); - t.is(exts[0].name, "basicConstraints"); - t.is(exts[0].cA, true); - - t.truthy(cert.siginfo); -}); - -test("generateCertificateAuthority - generates certificates with FF", (t) => { - const result = ca.generateCertificateAuthority(true); + const result = ca.generateCertificateAuthority(); const cert = pki.certificateFromPem(result.cert); const key = pki.privateKeyFromPem(result.key); diff --git a/src/start-proxy/ca.ts b/src/start-proxy/ca.ts index 80d976f7bc..8f9b8de138 100644 --- a/src/start-proxy/ca.ts +++ b/src/start-proxy/ca.ts @@ -37,7 +37,8 @@ export type Extension = { [key: string]: unknown; }; -const extraExtensions: Extension[] = [ +const allExtensions: Extension[] = [ + { name: "basicConstraints", cA: true }, { name: "keyUsage", critical: true, @@ -52,12 +53,9 @@ const extraExtensions: Extension[] = [ /** * Generates a CA certificate for the proxy. * - * @param newCertGenFF Whether to use the updated certificate generation. * @returns The private and public keys. */ -export function generateCertificateAuthority( - newCertGenFF: boolean, -): CertificateAuthority { +export function generateCertificateAuthority(): CertificateAuthority { const keys = pki.rsa.generateKeyPair(KEY_SIZE); const cert = pki.createCertificate(); cert.publicKey = keys.publicKey; 
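Review bot: Nothing visible in this hunk pins the signature digest now that SHA-256 is the only code path. The deleted test only checked `t.truthy(cert.siginfo)`, and the surviving test's body continues outside the hunk, so it may or may not cover this. If it does not, add `t.is(cert.siginfo.algorithmOid, pki.oids.sha256WithRSAEncryption);` so that a regression to the library's default digest fails the test.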
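Review bot: In `allExtensions`, `basicConstraints` is added without `critical: true` and without a path-length limit, while `keyUsage` directly below it is marked critical. RFC 5280 expects CA certificates to mark basicConstraints critical, and a proxy CA that only signs leaf certificates has no need to issue sub-CAs; consider `{ name: "basicConstraints", cA: true, critical: true, pathLenConstraint: 0 },`. This would change the extension set that was rolled out behind the flag, so it needs checking against the clients that consume the CA. The array continues past the end of the hunk.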
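Review bot: The doc comment on `generateCertificateAuthority` still reads `@returns The private and public keys.`, but the later lines of the function produce a PEM certificate and a PEM private key via `certificateToPem` and `privateKeyToPem`. Suggest `@returns The PEM-encoded CA certificate and its PEM-encoded private key; the key is secret and must not be logged.` The function body continues outside this hunk.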
@@ -71,21 +69,11 @@ export function generateCertificateAuthority( cert.setSubject(CERT_SUBJECT); cert.setIssuer(CERT_SUBJECT); - const extensions: Extension[] = [{ name: "basicConstraints", cA: true }]; + // Set the CA extensions for the certificate. + cert.setExtensions(allExtensions); - // Add the extra CA extensions if the FF is enabled. - if (newCertGenFF) { - extensions.push(...extraExtensions); - } - - cert.setExtensions(extensions); - - // Specifically use SHA256 when the FF is enabled. - if (newCertGenFF) { - cert.sign(keys.privateKey, md.sha256.create()); - } else { - cert.sign(keys.privateKey); - } + // Specifically use SHA256 to ensure consistency and compatibility. + cert.sign(keys.privateKey, md.sha256.create()); const pem = pki.certificateToPem(cert); const key = pki.privateKeyToPem(keys.privateKey);
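Review bot: `cert.setExtensions(allExtensions)` hands node-forge the module-level array itself rather than a copy. As far as I know, forge fills in missing fields (`id`, `value`) on the objects it is given and skips any extension that already has a `value`. If so, a second call in the same process (the test file, for instance) would likely reuse the `subjectKeyIdentifier` and `authorityKeyIdentifier` computed for the first key pair, which can break chain building. Passing fresh copies avoids that: `cert.setExtensions(allExtensions.map((ext) => ({ ...ext })));`. The function starts outside the hunk.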