Remove FF gate for improved CA generation

2026-04-02 17:52:19 +00:00 · 2026-02-24 11:25:57 +00:00
parent c4dca28336
commit 83c236af2b
16 changed files with 15 additions and 130 deletions
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -161595,11 +161595,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -107706,11 +107706,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -103996,11 +103996,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -165073,11 +165073,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -105223,11 +105223,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -103987,11 +103987,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -103896,11 +103896,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -161001,11 +161001,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -120688,11 +120688,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
@@ -121829,7 +121824,8 @@ var CERT_SUBJECT = [
    value: "San Francisco"
  }
 ];
-var extraExtensions = [
+var allExtensions = [
+  { name: "basicConstraints", cA: true },
  {
    name: "keyUsage",
    critical: true,
@@ -121840,7 +121836,7 @@ var extraExtensions = [
  { name: "subjectKeyIdentifier" },
  { name: "authorityKeyIdentifier", keyIdentifier: true }
 ];
-function generateCertificateAuthority(newCertGenFF) {
+function generateCertificateAuthority() {
  const keys = import_node_forge.pki.rsa.generateKeyPair(KEY_SIZE);
  const cert = import_node_forge.pki.createCertificate();
  cert.publicKey = keys.publicKey;
@@ -121852,16 +121848,8 @@ function generateCertificateAuthority(newCertGenFF) {
  );
  cert.setSubject(CERT_SUBJECT);
  cert.setIssuer(CERT_SUBJECT);
-  const extensions = [{ name: "basicConstraints", cA: true }];
-  if (newCertGenFF) {
-    extensions.push(...extraExtensions);
-  }
-  cert.setExtensions(extensions);
-  if (newCertGenFF) {
-    cert.sign(keys.privateKey, import_node_forge.md.sha256.create());
-  } else {
-    cert.sign(keys.privateKey);
-  }
+  cert.setExtensions(allExtensions);
+  cert.sign(keys.privateKey, import_node_forge.md.sha256.create());
  const pem = import_node_forge.pki.certificateToPem(cert);
  const key = import_node_forge.pki.privateKeyToPem(keys.privateKey);
  return { cert: pem, key };
@@ -122138,9 +122126,7 @@ async function run(startedAt) {
        );
      }
    }
-    const ca = generateCertificateAuthority(
-      await features.getValue("improved_proxy_certificates" /* ImprovedProxyCertificates */)
-    );
+    const ca = generateCertificateAuthority();
    const proxyConfig = {
      all_credentials: credentials,
      ca
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -107155,11 +107155,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -161163,11 +161163,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -106880,11 +106880,6 @@ var featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: void 0
  },
-  ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: void 0
-  },
  ["java_network_debugging" /* JavaNetworkDebugging */]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -47,7 +47,6 @@ export enum Feature {
  ExportDiagnosticsEnabled = "export_diagnostics_enabled",
  ForceNightly = "force_nightly",
  IgnoreGeneratedFiles = "ignore_generated_files",
-  ImprovedProxyCertificates = "improved_proxy_certificates",
  JavaNetworkDebugging = "java_network_debugging",
  OverlayAnalysis = "overlay_analysis",
  OverlayAnalysisActions = "overlay_analysis_actions",
@@ -175,11 +174,6 @@ export const featureConfig = {
    envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
    minimumVersion: undefined,
  },
-  [Feature.ImprovedProxyCertificates]: {
-    defaultValue: false,
-    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
-    minimumVersion: undefined,
-  },
  [Feature.JavaNetworkDebugging]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING",
--- a/src/start-proxy-action.ts
+++ b/src/start-proxy-action.ts
@@ -90,9 +90,7 @@ async function run(startedAt: Date) {
      }
    }

-    const ca = generateCertificateAuthority(
-      await features.getValue(Feature.ImprovedProxyCertificates),
-    );
+    const ca = generateCertificateAuthority();

    const proxyConfig: ProxyConfig = {
      all_credentials: credentials,
--- a/src/start-proxy/ca.test.ts
+++ b/src/start-proxy/ca.test.ts
@@ -32,33 +32,7 @@ function checkCertAttributes(
 }

 test("generateCertificateAuthority - generates certificates", (t) => {
-  const result = ca.generateCertificateAuthority(false);
-  const cert = pki.certificateFromPem(result.cert);
-  const key = pki.privateKeyFromPem(result.key);
-
-  t.truthy(cert);
-  t.truthy(key);
-
-  checkCertAttributes(t, cert);
-
-  // Check the validity.
-  t.true(
-    cert.validity.notBefore <= new Date(),
-    "notBefore date is in the future",
-  );
-  t.true(cert.validity.notAfter > new Date(), "notAfter date is in the past");
-
-  // Check that the extensions are set as we'd expect.
-  const exts = cert.extensions as ca.Extension[];
-  t.is(exts.length, 1);
-  t.is(exts[0].name, "basicConstraints");
-  t.is(exts[0].cA, true);
-
-  t.truthy(cert.siginfo);
-});
-
-test("generateCertificateAuthority - generates certificates with FF", (t) => {
-  const result = ca.generateCertificateAuthority(true);
+  const result = ca.generateCertificateAuthority();
  const cert = pki.certificateFromPem(result.cert);
  const key = pki.privateKeyFromPem(result.key);

--- a/src/start-proxy/ca.ts
+++ b/src/start-proxy/ca.ts
@@ -37,7 +37,8 @@ export type Extension = {
  [key: string]: unknown;
 };

-const extraExtensions: Extension[] = [
+const allExtensions: Extension[] = [
+  { name: "basicConstraints", cA: true },
  {
    name: "keyUsage",
    critical: true,
@@ -52,12 +53,9 @@ const extraExtensions: Extension[] = [
 /**
 * Generates a CA certificate for the proxy.
 *
- * @param newCertGenFF Whether to use the updated certificate generation.
 * @returns The private and public keys.
 */
-export function generateCertificateAuthority(
-  newCertGenFF: boolean,
-): CertificateAuthority {
+export function generateCertificateAuthority(): CertificateAuthority {
  const keys = pki.rsa.generateKeyPair(KEY_SIZE);
  const cert = pki.createCertificate();
  cert.publicKey = keys.publicKey;
@@ -71,21 +69,11 @@ export function generateCertificateAuthority(
  cert.setSubject(CERT_SUBJECT);
  cert.setIssuer(CERT_SUBJECT);

-  const extensions: Extension[] = [{ name: "basicConstraints", cA: true }];
+  // Set the CA extensions for the certificate.
+  cert.setExtensions(allExtensions);

-  // Add the extra CA extensions if the FF is enabled.
-  if (newCertGenFF) {
-    extensions.push(...extraExtensions);
-  }
-
-  cert.setExtensions(extensions);
-
-  // Specifically use SHA256 when the FF is enabled.
-  if (newCertGenFF) {
-    cert.sign(keys.privateKey, md.sha256.create());
-  } else {
-    cert.sign(keys.privateKey);
-  }
+  // Specifically use SHA256 to ensure consistency and compatibility.
+  cert.sign(keys.privateKey, md.sha256.create());

  const pem = pki.certificateToPem(cert);
  const key = pki.privateKeyToPem(keys.privateKey);