Gate updated cert gen behind FF

src/feature-flags.ts

@@ -46,6 +46,7 @@ export enum Feature {
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   IgnoreGeneratedFiles = "ignore_generated_files",
+  ImprovedProxyCertificates = "improved_proxy_certificates",
   OverlayAnalysis = "overlay_analysis",
   OverlayAnalysisActions = "overlay_analysis_actions",
   OverlayAnalysisCodeScanningActions = "overlay_analysis_code_scanning_actions",
@@ -167,6 +168,11 @@ export const featureConfig = {
     envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES",
     minimumVersion: undefined,
   },
+  [Feature.ImprovedProxyCertificates]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_IMPROVED_PROXY_CERTIFICATES",
+    minimumVersion: undefined,
+  },
   [Feature.OverlayAnalysis]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",

src/start-proxy-action.ts

@@ -76,7 +76,9 @@ async function run(startedAt: Date) {
         .join("\n")}`,
     );
 
-    const ca = generateCertificateAuthority();
+    const ca = generateCertificateAuthority(
+      await features.getValue(Feature.ImprovedProxyCertificates),
+    );
 
     const proxyConfig: ProxyConfig = {
       all_credentials: credentials,

src/start-proxy/ca.ts

@@ -32,7 +32,32 @@ const CERT_SUBJECT = [
   },
 ];
 
-export function generateCertificateAuthority(): CertificateAuthority {
+type Extension = {
+  name: string;
+  [key: string]: unknown;
+};
+
+const extraExtensions: Extension[] = [
+  {
+    name: "keyUsage",
+    critical: true,
+    keyCertSign: true,
+    cRLSign: true,
+    digitalSignature: true,
+  },
+  { name: "subjectKeyIdentifier" },
+  { name: "authorityKeyIdentifier", keyIdentifier: true },
+];
+
+/**
+ * Generates a CA certificate for the proxy.
+ *
+ * @param newCertGenFF Whether to use the updated certificate generation.
+ * @returns The private and public keys.
+ */
+export function generateCertificateAuthority(
+  newCertGenFF: boolean,
+): CertificateAuthority {
   const keys = pki.rsa.generateKeyPair(KEY_SIZE);
   const cert = pki.createCertificate();
   cert.publicKey = keys.publicKey;
@@ -45,19 +70,22 @@ export function generateCertificateAuthority(): CertificateAuthority {
 
   cert.setSubject(CERT_SUBJECT);
   cert.setIssuer(CERT_SUBJECT);
-  cert.setExtensions([
-    { name: "basicConstraints", cA: true },
-    {
-      name: "keyUsage",
-      critical: true,
-      keyCertSign: true,
-      cRLSign: true,
-      digitalSignature: true,
-    },
-    { name: "subjectKeyIdentifier" },
-    { name: "authorityKeyIdentifier", keyIdentifier: true },
-  ]);
-  cert.sign(keys.privateKey, md.sha256.create());
+
+  const extensions: Extension[] = [{ name: "basicConstraints", cA: true }];
+
+  // Add the extra CA extensions if the FF is enabled.
+  if (newCertGenFF) {
+    extensions.push(...extraExtensions);
+  }
+
+  cert.setExtensions(extensions);
+
+  // Specifically use SHA256 when the FF is enabled.
+  if (newCertGenFF) {
+    cert.sign(keys.privateKey, md.sha256.create());
+  } else {
+    cert.sign(keys.privateKey);
+  }
 
   const pem = pki.certificateToPem(cert);
   const key = pki.privateKeyToPem(keys.privateKey);