From bf8ff84522e79339e1a6b13a5669e3a9e6bc35b6 Mon Sep 17 00:00:00 2001 From: Aiden McClelland Date: Thu, 18 Dec 2025 05:56:51 -0700 Subject: [PATCH] inconsequential ssl changes --- core/startos/src/account.rs | 6 +++--- core/startos/src/net/ssl.rs | 31 ++++++++++++++----------------- core/startos/src/tunnel/web.rs | 6 +++--- 3 files changed, 20 insertions(+), 23 deletions(-) diff --git a/core/startos/src/account.rs b/core/startos/src/account.rs index 87e127d17..d583c95f7 100644 --- a/core/startos/src/account.rs +++ b/core/startos/src/account.rs @@ -7,7 +7,7 @@ use openssl::x509::X509; use crate::db::model::DatabaseModel; use crate::hostname::{Hostname, generate_hostname, generate_id}; -use crate::net::ssl::{generate_key, make_root_cert}; +use crate::net::ssl::{gen_nistp256, make_root_cert}; use crate::net::tor::TorSecretKey; use crate::prelude::*; use crate::util::serde::Pem; @@ -37,7 +37,7 @@ impl AccountInfo { let server_id = generate_id(); let hostname = generate_hostname(); let tor_key = vec![TorSecretKey::generate()]; - let root_ca_key = generate_key()?; + let root_ca_key = gen_nistp256()?; let root_ca_cert = make_root_cert(&root_ca_key, &hostname, start_time)?; let ssh_key = ssh_key::PrivateKey::from(ssh_key::private::Ed25519Keypair::random( &mut ssh_key::rand_core::OsRng::default(), @@ -128,7 +128,7 @@ impl AccountInfo { cert_store .as_root_cert_mut() .ser(Pem::new_ref(&self.root_ca_cert))?; - let int_key = crate::net::ssl::generate_key()?; + let int_key = crate::net::ssl::gen_nistp256()?; let int_cert = crate::net::ssl::make_int_cert((&self.root_ca_key, &self.root_ca_cert), &int_key)?; cert_store.as_int_key_mut().ser(&Pem(int_key))?; diff --git a/core/startos/src/net/ssl.rs b/core/startos/src/net/ssl.rs index c2bca2411..2e5110a18 100644 --- a/core/startos/src/net/ssl.rs +++ b/core/startos/src/net/ssl.rs 
@@ -13,7 +13,6 @@ use openssl::bn::{BigNum, MsbOption}; use openssl::ec::{EcGroup, EcKey}; use openssl::error::ErrorStack; use openssl::hash::MessageDigest; -use openssl::nid::Nid; use openssl::pkey::{PKey, Private}; use openssl::x509::extension::{ AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectAlternativeName, @@ -42,12 +41,6 @@ use crate::net::web_server::{Accept, ExtractVisitor, TcpMetadata, extract}; use crate::prelude::*; use crate::util::serde::Pem; -pub fn gen_nistp256() -> Result, ErrorStack> { - PKey::from_ec_key(EcKey::generate(&*EcGroup::from_curve_name( - Nid::X9_62_PRIME256V1, - )?)?) -} - pub fn should_use_cert(cert: &X509Ref) -> Result { Ok(cert .not_before() @@ -71,7 +64,7 @@ pub struct CertStore { } impl CertStore { pub fn new(account: &AccountInfo) -> Result { - let int_key = generate_key()?; + let int_key = gen_nistp256()?; let int_cert = make_int_cert((&account.root_ca_key, &account.root_ca_cert), &int_key)?; Ok(Self { root_key: Pem::new(account.root_ca_key.clone()), @@ -283,10 +276,8 @@ fn rand_serial() -> Result { Ok(asn1) } #[instrument(skip_all)] -pub fn generate_key() -> Result, Error> { - let new_key = EcKey::generate(EC_GROUP.as_ref())?; - let key = PKey::from_ec_key(new_key)?; - Ok(key) +pub fn gen_nistp256() -> Result, Error> { + Ok(PKey::from_ec_key(EcKey::generate(EC_GROUP.as_ref())?)?) } #[instrument(skip_all)] @@ -324,6 +315,11 @@ pub fn make_root_cert( let ctx = builder.x509v3_context(None, Some(&cfg)); // subjectKeyIdentifier = hash let subject_key_identifier = SubjectKeyIdentifier::new().build(&ctx)?; + // authorityKeyIdentifier = keyid,issuer:always + let authority_key_identifier = AuthorityKeyIdentifier::new() + .keyid(false) + .issuer(true) + .build(&ctx)?; // basicConstraints = critical, CA:true, pathlen:0 let basic_constraints = BasicConstraints::new().critical().ca().build()?; // keyUsage = critical, digitalSignature, cRLSign, keyCertSign 
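Review bot: The name `gen_nistp256` now promises a P-256 key, but in the `-283,10 +276,8` hunk the curve comes from `EC_GROUP`, which is defined outside the hunk, whereas the removed variant named `Nid::X9_62_PRIME256V1` directly. This one function now produces the root CA, intermediate and leaf keys (see the account.rs and tunnel/web.rs hunks), so a doc comment should pin the contract, for example `/// Generates a fresh EC private key on EC_GROUP, which must remain NIST P-256 (prime256v1).` The surviving function returns `Error` where the removed `gen_nistp256` returned `ErrorStack`. Callers that matched on the old error type are not visible here and should be checked.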
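Review bot: In the `-324,6 +315,11` hunk the root's AuthorityKeyIdentifier is built from a context created with `None` as issuer, before the subjectKeyIdentifier is appended in the `-334,6 +330,7` hunk. With `.keyid(false)` the key identifier is optional, so depending on the OpenSSL version the emitted root may carry an AKI holding only the issuer name and serial. That is the weaker of the two identifiers for chain building, and it assumes the serial is already set at this point, which the hunk does not show. I would either leave the AKI off the self-signed root (RFC 5280 allows that) or add a test that parses the generated root and asserts `authority_key_id()` equals `subject_key_id()`. At minimum add `// NOTE: built before the SKI is appended; keyid is optional here, confirm the emitted root carries it`. The body of make_root_cert starts and ends outside both hunks.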
@@ -334,6 +330,7 @@ pub fn make_root_cert( .key_cert_sign() .build()?; builder.append_extension(subject_key_identifier)?; + builder.append_extension(authority_key_identifier)?; builder.append_extension(basic_constraints)?; builder.append_extension(key_usage)?; builder.sign(&root_key, MessageDigest::sha256())?; @@ -370,9 +367,9 @@ pub fn make_int_cert( // subjectKeyIdentifier = hash let subject_key_identifier = SubjectKeyIdentifier::new().build(&ctx)?; - // authorityKeyIdentifier = keyid:always,issuer + // authorityKeyIdentifier = keyid:always,issuer:always let authority_key_identifier = AuthorityKeyIdentifier::new() - .keyid(false) + .keyid(true) .issuer(true) .build(&ctx)?; // basicConstraints = critical, CA:true, pathlen:0 @@ -478,7 +475,7 @@ pub fn make_leaf_cert( // Google Apple and Mozilla reject certificate horizons longer than 398 days // https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications - let expiration = Asn1Time::days_from_now(365)?; + let expiration = Asn1Time::days_from_now(397)?; builder.set_not_after(&expiration)?; builder.set_serial_number(&*rand_serial()?)?; @@ -508,8 +505,8 @@ pub fn make_leaf_cert( let subject_key_identifier = SubjectKeyIdentifier::new().build(&ctx)?; let authority_key_identifier = AuthorityKeyIdentifier::new() - .keyid(false) - .issuer(true) + .keyid(true) + .issuer(false) .build(&ctx)?; let subject_alt_name = applicant.1.x509_extension().build(&ctx)?; let basic_constraints = BasicConstraints::new().build()?; diff --git a/core/startos/src/tunnel/web.rs b/core/startos/src/tunnel/web.rs index 662752d0b..35d18f643 100644 --- a/core/startos/src/tunnel/web.rs +++ b/core/startos/src/tunnel/web.rs 
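Review bot: Switching to `.keyid(true)` in the `-370,9 +367,9` hunk makes `build(&ctx)` return an error when the issuer certificate has no subjectKeyIdentifier, where `.keyid(false)` simply left the key id out. Roots produced by the visible `make_root_cert` always append an SKI, but the hunk does not show whether a root created by an older release or restored from a backup can reach `make_int_cert` without one. The leaf hunk at `-508,8 +505,8` makes the same switch against the intermediate. I would record the failure mode next to the profile comment, `// keyid:always: signing fails if the issuer certificate lacks a subjectKeyIdentifier`, and cover it with a test that signs under a root lacking the extension. make_int_cert continues outside the hunk.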
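Review bot: `Asn1Time::days_from_now(397)` in the `-478,7 +475,7` hunk leaves a single day of margin under the 398-day limit quoted in the comment above it, and that margin only holds if notBefore is not backdated. The `set_not_before` call is outside the hunk; if it is placed earlier than now to tolerate clock skew, the total validity period can reach or exceed the limit, and clients that enforce it would reject every leaf issued this way. I would name the value and state the margin, for example `const LEAF_VALIDITY_DAYS: u32 = 397; // 398-day client limit minus one day; notBefore must not be backdated further`, or keep 365 if notBefore is backdated. A commit titled "inconsequential" changes the lifetime of every newly issued leaf, which is worth noting in the description.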
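Review bot: The AuthorityKeyIdentifier block in the `-508,8 +505,8` hunk has no profile comment, unlike the root and intermediate builders, and the two booleans are easy to misread because each one is the `always` flag rather than an on/off switch. I would add `// authorityKeyIdentifier = keyid:always,issuer` above it so that all three profiles can be compared at a glance. The leaf now makes the issuer name and serial optional, while the intermediate and the new root block keep `.issuer(true)`; if that difference is intended, the comment is the place to say so. make_leaf_cert starts and ends outside the hunk.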
@@ -289,16 +289,16 @@ pub async fn generate_certificate( ) -> Result>, Error> { let saninfo = SANInfo::new(&subject.into_iter().collect()); - let root_key = crate::net::ssl::generate_key()?; + let root_key = crate::net::ssl::gen_nistp256()?; let root_cert = crate::net::ssl::make_root_cert( &root_key, &Hostname("start-tunnel".into()), root_ca_start_time().await, )?; - let int_key = crate::net::ssl::generate_key()?; + let int_key = crate::net::ssl::gen_nistp256()?; let int_cert = crate::net::ssl::make_int_cert((&root_key, &root_cert), &int_key)?; - let key = crate::net::ssl::generate_key()?; + let key = crate::net::ssl::gen_nistp256()?; let cert = crate::net::ssl::make_leaf_cert((&int_key, &int_cert), (&key, &saninfo))?; let chain = Pem(vec![cert, int_cert, root_cert]);