diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index d097d992d..315a23c25 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -161565,6 +161565,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index c0288403b..6ecc30459 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -107633,6 +107633,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js
index 416cc2272..c90d8260a 100644
--- a/lib/autobuild-action.js
+++ b/lib/autobuild-action.js
@@ -103966,6 +103966,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 44e368f8a..7c78b04de 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -164959,6 +164959,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/init-action.js b/lib/init-action.js
index 8607b2391..cf31b2fea 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -105166,6 +105166,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js
index a84107251..467bf7dc6 100644
--- a/lib/resolve-environment-action.js
+++ b/lib/resolve-environment-action.js
@@ -103957,6 +103957,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js
index c01ec64f5..923c55946 100644
--- a/lib/setup-codeql-action.js
+++ b/lib/setup-codeql-action.js
@@ -103867,6 +103867,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index c29841a85..ae88c8481 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -160971,6 +160971,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 2bc50871b..cdfa65d1b 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -120659,6 +120659,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
@@ -121742,7 +121747,18 @@ var CERT_SUBJECT = [
 value: "San Francisco"
 }
 ];
-function generateCertificateAuthority() {
+var extraExtensions = [
+ {
+ name: "keyUsage",
+ critical: true,
+ keyCertSign: true,
+ cRLSign: true,
+ digitalSignature: true
+ },
+ { name: "subjectKeyIdentifier" },
+ { name: "authorityKeyIdentifier", keyIdentifier: true }
+];
+function generateCertificateAuthority(newCertGenFF) {
 const keys = import_node_forge.pki.rsa.generateKeyPair(KEY_SIZE);
 const cert = import_node_forge.pki.createCertificate();
 cert.publicKey = keys.publicKey;
@@ -121754,19 +121770,16 @@ function generateCertificateAuthority() {
 );
 cert.setSubject(CERT_SUBJECT);
 cert.setIssuer(CERT_SUBJECT);
- cert.setExtensions([
- { name: "basicConstraints", cA: true },
- {
- name: "keyUsage",
- critical: true,
- keyCertSign: true,
- cRLSign: true,
- digitalSignature: true
- },
- { name: "subjectKeyIdentifier" },
- { name: "authorityKeyIdentifier", keyIdentifier: true }
- ]);
- cert.sign(keys.privateKey, import_node_forge.md.sha256.create());
+ const extensions = [{ name: "basicConstraints", cA: true }];
+ if (newCertGenFF) {
+ extensions.push(...extraExtensions);
+ }
+ cert.setExtensions(extensions);
+ if (newCertGenFF) {
+ cert.sign(keys.privateKey, import_node_forge.md.sha256.create());
+ } else {
+ cert.sign(keys.privateKey);
+ }
 const pem = import_node_forge.pki.certificateToPem(cert);
 const key = import_node_forge.pki.privateKeyToPem(keys.privateKey);
 return { cert: pem, key };
@@ -121892,7 +121905,9 @@ async function run(startedAt) {
 `Credentials loaded for the following registries: ${credentials.map((c) => credentialToStr(c)).join("\n")}`
 );
- const ca = generateCertificateAuthority();
+ const ca = generateCertificateAuthority(
+ await features.getValue("improved_proxy_certificates" /* ImprovedProxyCertificates */)
+ );
 const proxyConfig = {
 all_credentials: credentials,
 ca
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 0fa50e396..dd5df4522 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -107026,6 +107026,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index a733e8c04..d3153d437 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -161133,6 +161133,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index edc784084..6669f74d8 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -106821,6 +106821,11 @@ var featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: void 0
 },
+ ["improved_proxy_certificates" /* ImprovedProxyCertificates */]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: void 0
+ },
 ["overlay_analysis" /* OverlayAnalysis */]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/src/feature-flags.ts b/src/feature-flags.ts
index ea8cc1767..cd9f148b2 100644
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -46,6 +46,7 @@ export enum Feature {
 DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
 ExportDiagnosticsEnabled = "export_diagnostics_enabled",
 IgnoreGeneratedFiles = "ignore_generated_files",
+ ImprovedProxyCertificates = "improved_proxy_certificates",
 OverlayAnalysis = "overlay_analysis",
 OverlayAnalysisActions = "overlay_analysis_actions",
 OverlayAnalysisCodeScanningActions = "overlay_analysis_code_scanning_actions",
@@ -167,6 +168,11 @@ export const featureConfig = {
 envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
 minimumVersion: undefined,
 },
+ [Feature.ImprovedProxyCertificates]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+ minimumVersion: undefined,
+ },
 [Feature.OverlayAnalysis]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts
index 76be2b34f..b4e65b157 100644
--- a/src/start-proxy-action.ts
+++ b/src/start-proxy-action.ts
@@ -76,7 +76,9 @@ async function run(startedAt: Date) {
 .join("\n")}`,
 );
- const ca = generateCertificateAuthority();
+ const ca = generateCertificateAuthority(
+ await features.getValue(Feature.ImprovedProxyCertificates),
+ );
 const proxyConfig: ProxyConfig = {
 all_credentials: credentials,
diff --git a/src/start-proxy/ca.ts b/src/start-proxy/ca.ts
index 79a123786..c2f36969f 100644
--- a/src/start-proxy/ca.ts
+++ b/src/start-proxy/ca.ts
@@ -32,7 +32,32 @@ const CERT_SUBJECT = [
 },
 ];
-export function generateCertificateAuthority(): CertificateAuthority {
+type Extension = {
+ name: string;
+ [key: string]: unknown;
+};
+
+const extraExtensions: Extension[] = [
+ {
+ name: "keyUsage",
+ critical: true,
+ keyCertSign: true,
+ cRLSign: true,
+ digitalSignature: true,
+ },
+ { name: "subjectKeyIdentifier" },
+ { name: "authorityKeyIdentifier", keyIdentifier: true },
+];
+
+/**
+ * Generates a CA certificate for the proxy.
+ *
+ * @param newCertGenFF Whether to use the updated certificate generation.
+ * @returns The private and public keys.
+ */
+export function generateCertificateAuthority(
+ newCertGenFF: boolean,
+): CertificateAuthority {
 const keys = pki.rsa.generateKeyPair(KEY_SIZE);
 const cert = pki.createCertificate();
 cert.publicKey = keys.publicKey;
@@ -45,19 +70,22 @@ export function generateCertificateAuthority(): CertificateAuthority {
 cert.setSubject(CERT_SUBJECT);
 cert.setIssuer(CERT_SUBJECT);
- cert.setExtensions([
- { name: "basicConstraints", cA: true },
- {
- name: "keyUsage",
- critical: true,
- keyCertSign: true,
- cRLSign: true,
- digitalSignature: true,
- },
- { name: "subjectKeyIdentifier" },
- { name: "authorityKeyIdentifier", keyIdentifier: true },
- ]);
- cert.sign(keys.privateKey, md.sha256.create());
+
+ const extensions: Extension[] = [{ name: "basicConstraints", cA: true }];
+
+ // Add the extra CA extensions if the FF is enabled.
+ if (newCertGenFF) {
+ extensions.push(...extraExtensions);
+ }
+
+ cert.setExtensions(extensions);
+
+ // Specifically use SHA256 when the FF is enabled.
+ if (newCertGenFF) {
+ cert.sign(keys.privateKey, md.sha256.create());
+ } else {
+ cert.sign(keys.privateKey);
+ }
 const pem = pki.certificateToPem(cert);
 const key = pki.privateKeyToPem(keys.privateKey);
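Review bot: The new TSDoc on `generateCertificateAuthority` says `@returns The private and public keys.`, but the function returns the PEM-encoded CA certificate and its private key (`return { cert: pem, key }` in the bundled copy of this hunk in lib/start-proxy-action.js), and the `@param` line does not say what the flag actually changes. Suggest `@returns The PEM-encoded CA certificate and its PEM-encoded private key.` and `@param newCertGenFF When true, adds the keyUsage, subjectKeyIdentifier and authorityKeyIdentifier extensions and signs with SHA-256; when false, only basicConstraints is set and no digest is passed to cert.sign().` The `Extension` type's `[key: string]: unknown` index signature means a misspelled extension property (e.g. `keyCertsign`) would still type-check, so a one-line comment that property names are only validated at runtime by node-forge would help future edits. The function body continues past the end of this hunk.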
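Review bot: When `newCertGenFF` is false, the `else` branch calls `cert.sign(keys.privateKey)` with no digest, which node-forge documents as defaulting to SHA-1, and the CA certificate is issued with only `basicConstraints` — no `keyUsage`, `subjectKeyIdentifier` or `authorityKeyIdentifier`. Because `featureConfig` registers `improved_proxy_certificates` with `defaultValue: false`, that is the path every run takes unless the flag or `CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES` is set, and the removed lines show SHA-256 and the full extension set were previously unconditional. The comment `// Specifically use SHA256 when the FF is enabled.` should state the fallback so the default is explicit: `// FF off: no digest is passed, so node-forge signs with its default (SHA-1) and the CA carries no keyUsage/SKI/AKI. Remove this branch once the flag is fully rolled out.` If this is a staged rollout, removal of the flag should be tracked so the weaker path does not become permanent. `generateCertificateAuthority` ends outside the hunk.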