Merge pull request #3504 from github/mbg/ff/remove-ImprovedProxyCertificates

Remove FF gate for improved CA generation

src/feature-flags.ts

@@ -47,7 +47,6 @@ export enum Feature {
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   ForceNightly = "force_nightly",
   IgnoreGeneratedFiles = "ignore_generated_files",
-  ImprovedProxyCertificates = "improved_proxy_certificates",
   JavaNetworkDebugging = "java_network_debugging",
   OverlayAnalysis = "overlay_analysis",
   OverlayAnalysisActions = "overlay_analysis_actions",
@@ -177,11 +176,6 @@ export const featureConfig = {
     envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
     minimumVersion: undefined,
   },
-  [Feature.ImprovedProxyCertificates]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: undefined,
-  },
   [Feature.JavaNetworkDebugging]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",

src/start-proxy-action.ts

@@ -90,9 +90,7 @@ async function run(startedAt: Date) {
       }
     }
 
-    const ca = generateCertificateAuthority(
-      await features.getValue(Feature.ImprovedProxyCertificates),
-    );
+    const ca = generateCertificateAuthority();
 
     const proxyConfig: ProxyConfig = {
       all_credentials: credentials,

src/start-proxy/ca.test.ts

@@ -32,33 +32,7 @@ function checkCertAttributes(
 }
 
 test("generateCertificateAuthority - generates certificates", (t) => {
-  const result = ca.generateCertificateAuthority(false);
-  const cert = pki.certificateFromPem(result.cert);
-  const key = pki.privateKeyFromPem(result.key);
-
-  t.truthy(cert);
-  t.truthy(key);
-
-  checkCertAttributes(t, cert);
-
-  // Check the validity.
-  t.true(
-    cert.validity.notBefore <= new Date(),
-    "notBefore date is in the future",
-  );
-  t.true(cert.validity.notAfter > new Date(), "notAfter date is in the past");
-
-  // Check that the extensions are set as we'd expect.
-  const exts = cert.extensions as ca.Extension[];
-  t.is(exts.length, 1);
-  t.is(exts[0].name, "basicConstraints");
-  t.is(exts[0].cA, true);
-
-  t.truthy(cert.siginfo);
-});
-
-test("generateCertificateAuthority - generates certificates with FF", (t) => {
-  const result = ca.generateCertificateAuthority(true);
+  const result = ca.generateCertificateAuthority();
   const cert = pki.certificateFromPem(result.cert);
   const key = pki.privateKeyFromPem(result.key);
 

src/start-proxy/ca.ts

@@ -37,7 +37,8 @@ export type Extension = {
   [key: string]: unknown;
 };
 
-const extraExtensions: Extension[] = [
+const allExtensions: Extension[] = [
+  { name: "basicConstraints", cA: true },
   {
     name: "keyUsage",
     critical: true,
@@ -52,12 +53,9 @@ const extraExtensions: Extension[] = [
 /**
  * Generates a CA certificate for the proxy.
  *
- * @param newCertGenFF Whether to use the updated certificate generation.
  * @returns The private and public keys.
  */
-export function generateCertificateAuthority(
-  newCertGenFF: boolean,
-): CertificateAuthority {
+export function generateCertificateAuthority(): CertificateAuthority {
   const keys = pki.rsa.generateKeyPair(KEY_SIZE);
   const cert = pki.createCertificate();
   cert.publicKey = keys.publicKey;
@@ -71,21 +69,11 @@ export function generateCertificateAuthority(
   cert.setSubject(CERT_SUBJECT);
   cert.setIssuer(CERT_SUBJECT);
 
-  const extensions: Extension[] = [{ name: "basicConstraints", cA: true }];
+  // Set the CA extensions for the certificate.
+  cert.setExtensions(allExtensions);
 
-  // Add the extra CA extensions if the FF is enabled.
-  if (newCertGenFF) {
-    extensions.push(...extraExtensions);
-  }
-
-  cert.setExtensions(extensions);
-
-  // Specifically use SHA256 when the FF is enabled.
-  if (newCertGenFF) {
-    cert.sign(keys.privateKey, md.sha256.create());
-  } else {
-    cert.sign(keys.privateKey);
-  }
+  // Specifically use SHA256 to ensure consistency and compatibility.
+  cert.sign(keys.privateKey, md.sha256.create());
 
   const pem = pki.certificateToPem(cert);
   const key = pki.privateKeyToPem(keys.privateKey);