Some comment updates

This commit is contained in:
Reinier Criel 2025-12-03 09:20:54 -08:00
parent b1da6af30b
commit cfedb6df99


@ -92,7 +92,7 @@ export function generateCertForHost(hostname) {
Needed for Python virtualenv SSL validation and certificate path validation. Needed for Python virtualenv SSL validation and certificate path validation.
This extension identifies the public key corresponding to the private key used to sign This extension identifies the public key corresponding to the private key used to sign
this certificate. It links this certificate to its issuing CA certificate. this certificate. It links this certificate to its issuing CA certificate.
Without this, Python virtualenv certificate validation might fail Without this, Python virtualenv certificate validation might fail (for instance for Poetry)
https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1 https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
*/ */
name: "authorityKeyIdentifier", name: "authorityKeyIdentifier",
@ -126,6 +126,7 @@ function loadCa() {
existingPrivateKey = privateKey; existingPrivateKey = privateKey;
// Don't return a cert that is valid for less than 1 hour // Don't return a cert that is valid for less than 1 hour
// Some extensions were added in a later phase, ensure it has them or regenerate
const oneHourFromNow = new Date(Date.now() + 60 * 60 * 1000); const oneHourFromNow = new Date(Date.now() + 60 * 60 * 1000);
/** @type {any} */ /** @type {any} */
const basicConstraints = certificate.getExtension("basicConstraints"); const basicConstraints = certificate.getExtension("basicConstraints");
@ -157,6 +158,8 @@ function loadCa() {
} }
/** /**
* Reconstruct the public key from the existing private key so renewed/self-signed CA certificates keep the same key material,
* preserving SKI/AKI continuity
* @param {forge.pki.PrivateKey} [existingPrivateKey] * @param {forge.pki.PrivateKey} [existingPrivateKey]
*/ */
function generateCa(existingPrivateKey) { function generateCa(existingPrivateKey) {
@ -185,7 +188,7 @@ function generateCa(existingPrivateKey) {
{ {
name: "basicConstraints", name: "basicConstraints",
cA: true, cA: true,
critical: true, critical: true, // Marking basicConstraints as critical is required for CA certificates so clients must process it to trust the cert as a CA
}, },
{ {
name: "keyUsage", name: "keyUsage",
@ -194,28 +197,10 @@ function generateCa(existingPrivateKey) {
keyEncipherment: true, keyEncipherment: true,
}, },
{ {
/*
Subject Key Identifier (SKI)
Needed for Python virtualenv SSL validation and certificate chain building.
This extension provides a means of identifying certificates containing a particular public key.
Python virtualenv environments require this for proper certificate chain validation.
System Python installations may be more lenient.
https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
*/
name: "subjectKeyIdentifier", name: "subjectKeyIdentifier",
subjectKeyIdentifier: keyIdentifier, subjectKeyIdentifier: keyIdentifier,
}, },
{ {
/*
Authority Key Identifier (AKI)
Needed for Python virtualenv SSL validation and certificate path validation.
This extension identifies the public key corresponding to the private key used to sign
this certificate. It links this certificate to its issuing CA certificate.
Without this, Python virtualenv certificate validation might fail
https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
*/
name: "authorityKeyIdentifier", name: "authorityKeyIdentifier",
keyIdentifier, keyIdentifier,
}, },