From 502b179eef2e2a9af181d7032aea580c92480042 Mon Sep 17 00:00:00 2001
From: Chris Guida
Date: Tue, 11 Jan 2022 21:11:53 -0600
Subject: [PATCH] add .embassy domains to system-generated ssl certs (#1052)
---
 appmgr/src/net/mod.rs | 2 +-
 appmgr/src/net/nginx.rs | 8 ++++++--
 appmgr/src/net/ssl.rs | 23 ++++++++++++++++-------
 3 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/appmgr/src/net/mod.rs b/appmgr/src/net/mod.rs
index d7296df98..ec07ffb1f 100644
--- a/appmgr/src/net/mod.rs
+++ b/appmgr/src/net/mod.rs
@@ -169,7 +169,7 @@ impl NetController {
 let dns_base = OnionAddressV3::from(&key.public()).get_address_without_dot_onion();
 let ssl_path_key = package_path.join(format!("{}.key.pem", id));
 let ssl_path_cert = package_path.join(format!("{}.cert.pem", id));
- let (key, chain) = self.ssl.certificate_for(&dns_base).await?;
+ let (key, chain) = self.ssl.certificate_for(&dns_base, pkg_id).await?;
 tokio::try_join!(
 crate::net::ssl::export_key(&key, &ssl_path_key),
 crate::net::ssl::export_cert(&chain, &ssl_path_cert)
diff --git a/appmgr/src/net/nginx.rs b/appmgr/src/net/nginx.rs
index 247d8761a..655e00db4 100644
--- a/appmgr/src/net/nginx.rs
+++ b/appmgr/src/net/nginx.rs
@@ -58,7 +58,9 @@ impl NginxControllerInner {
 interfaces: BTreeMap::new(),
 };
 // write main ssl key/cert to fs location
- let (key, cert) = ssl_manager.certificate_for(&get_hostname().await?).await?;
+ let (key, cert) = ssl_manager
+ .certificate_for(&get_hostname().await?, &"embassy".parse().unwrap())
+ .await?;
 let ssl_path_key = nginx_root.join(format!("ssl/embassy_main.key.pem"));
 let ssl_path_cert = nginx_root.join(format!("ssl/embassy_main.cert.pem"));
 tokio::try_join!(
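Review bot: `&"embassy".parse().unwrap()` in the new `certificate_for` call relies on the literal always parsing as a `PackageId`; since that is an invariant rather than a runtime condition, `expect` with the reason stated reads better and gives a useful message if the parser is ever tightened, e.g. `&"embassy".parse().expect("\"embassy\" is a valid PackageId")`. Note also that, given how the SAN list is built in ssl.rs, the host certificate's new names are derived from this literal (`embassy.embassy`, `*.embassy.embassy`) rather than from the hostname passed as `dns_base`; if `<hostname>.embassy` was the intent, that is worth confirming before merge.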
@@ -102,7 +104,9 @@ impl NginxControllerInner {
 }
 let ssl_path_key = package_path.join(format!("{}.key.pem", id));
 let ssl_path_cert = package_path.join(format!("{}.cert.pem", id));
- let (key, chain) = ssl_manager.certificate_for(&meta.dns_base).await?;
+ let (key, chain) = ssl_manager
+ .certificate_for(&meta.dns_base, &package)
+ .await?;
 tokio::try_join!(
 crate::net::ssl::export_key(&key, &ssl_path_key),
 crate::net::ssl::export_cert(&chain, &ssl_path_cert)
diff --git a/appmgr/src/net/ssl.rs b/appmgr/src/net/ssl.rs
index a59926fde..7120cb07f 100644
--- a/appmgr/src/net/ssl.rs
+++ b/appmgr/src/net/ssl.rs
@@ -15,6 +15,7 @@ use sqlx::SqlitePool;
 use tokio::sync::Mutex;
 use tracing::instrument;
+use crate::s9pk::manifest::PackageId;
 use crate::{Error, ErrorKind, ResultExt};
 static CERTIFICATE_VERSION: i32 = 2; // X509 version 3 is actually encoded as '2' in the cert because fuck you.
@@ -240,11 +241,15 @@ impl SslManager {
 pub async fn certificate_for(
 &self,
 dns_base: &str,
+ package_id: &PackageId,
 ) -> Result<(PKey, Vec), Error> {
 let (key, cert) = match self.store.load_certificate(dns_base).await? {
 None => {
 let key = generate_key()?;
- let cert = make_leaf_cert((&self.int_key, &self.int_cert), (&key, dns_base))?;
+ let cert = make_leaf_cert(
+ (&self.int_key, &self.int_cert),
+ (&key, dns_base, package_id),
+ )?;
 self.store.save_certificate(&key, &cert, dns_base).await?;
 Ok::<_, Error>((key, cert))
 }
@@ -253,7 +258,10 @@ impl SslManager {
 let expiration = cert.not_after();
 if expiration.compare(&window_end)? == Ordering::Less {
 let key = generate_key()?;
- let cert = make_leaf_cert((&self.int_key, &self.int_cert), (&key, dns_base))?;
+ let cert = make_leaf_cert(
+ (&self.int_key, &self.int_cert),
+ (&key, dns_base, package_id),
+ )?;
 self.store.update_certificate(&key, &cert, dns_base).await?;
 Ok((key, cert))
 } else {
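Review bot: The stored certificate is still looked up and saved by `dns_base` alone (`self.store.load_certificate(dns_base)`, `save_certificate(&key, &cert, dns_base)`), while the SAN set now depends on `package_id` too, so a certificate persisted before this change, or one saved for the same `dns_base` under a different package id, is handed back without the `.embassy` names until it reaches the renewal window checked in the following hunk (`expiration.compare(&window_end)? == Ordering::Less`). Consider making `package_id` part of the store key, or verifying that a loaded certificate carries the expected SANs before reusing it, so existing installs pick up the new names on upgrade rather than at next rotation. The same reuse path applies to the `update_certificate` branch in the next hunk. `certificate_for` continues past the end of this hunk.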
@@ -414,7 +422,7 @@ fn make_int_cert(
 #[instrument]
 fn make_leaf_cert(
 signer: (&PKey, &X509),
- applicant: (&PKey, &str),
+ applicant: (&PKey, &str, &PackageId),
 ) -> Result {
 let mut builder = X509Builder::new()?;
 builder.set_version(CERTIFICATE_VERSION)?;
@@ -467,8 +475,8 @@ fn make_leaf_cert(
 Some(&ctx),
 Nid::SUBJECT_ALT_NAME,
 &format!(
- "DNS:{}.local,DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion",
- &applicant.1, &applicant.1, &applicant.1, &applicant.1
+ "DNS:{}.local,DNS:*.{}.local,DNS:{}.onion,DNS:*.{}.onion,DNS:{}.embassy,DNS:*.{}.embassy",
+ &applicant.1, &applicant.1, &applicant.1, &applicant.1, &applicant.2, &applicant.2,
 ),
 )?;
 builder.append_extension(subject_key_identifier)?;
@@ -514,8 +522,9 @@ async fn certificate_details_persist() -> Result<(), Error> {
 .execute(&pool)
 .await?;
 let mgr = SslManager::init(pool.clone()).await?;
- let (key0, cert_chain0) = mgr.certificate_for("start9").await?;
- let (key1, cert_chain1) = mgr.certificate_for("start9").await?;
+ let package_id = "bitcoind".parse().unwrap();
+ let (key0, cert_chain0) = mgr.certificate_for("start9", &package_id).await?;
+ let (key1, cert_chain1) = mgr.certificate_for("start9", &package_id).await?;
 assert_eq!(
 key0.private_key_to_pem_pkcs8()?,
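Review bot: `applicant` is now a three-element positional tuple and the body reads it as `applicant.1` and `applicant.2` further down, so nothing at the signature tells a reader what each slot means; a doc comment on `make_leaf_cert` would fix that, e.g. `/// Issues a leaf certificate signed by the signer (key, cert) pair for applicant: (leaf private key, DNS base used for the .local/.onion names, package id used for the .embassy names).` Destructuring once at the top of the body, `let (key, dns_base, package_id) = applicant;`, would make the later uses self-describing as well. The body of make_leaf_cert continues outside this hunk.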
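Review bot: The SAN string now carries six positional `{}` placeholders fed from a repeated `&applicant.1`/`&applicant.2` list, which is easy to mis-order the next time a name is added; named arguments keep it readable, e.g. `"DNS:{dns}.local,DNS:*.{dns}.local,DNS:{dns}.onion,DNS:*.{dns}.onion,DNS:{pkg}.embassy,DNS:*.{pkg}.embassy", dns = applicant.1, pkg = applicant.2`. The package id is spliced into the extension value verbatim, so this also assumes `PackageId` parsing restricts the value to DNS-label characters (no `,`, whitespace or other separators the extension syntax treats specially); that invariant is presumably enforced where the manifest is parsed, and a short comment here naming it would save the next reader from having to check. The enclosing make_leaf_cert starts before this hunk.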