jason/socktop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

agent: fix rcgen usage for self-signed cert generation

Browse Source
This commit is contained in:
jasonwitty 2025-08-22 10:48:01 -07:00
parent d1c8a64418
commit 59432ab1d3
1 changed files with 15 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
socktop_agent/src/tls.rs
View File

@ -1,4 +1,4 @@
use rcgen::{Certificate, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, SanType}; use rcgen::{CertificateParams, DistinguishedName, DnType, IsCa, SanType};
use std::{ use std::{
fs, fs,
io::Write, io::Write,
@ -32,11 +32,8 @@ pub fn ensure_self_signed_cert() -> anyhow::Result<(PathBuf, PathBuf)> {
.and_then(|s| s.into_string().ok()) .and_then(|s| s.into_string().ok())
.unwrap_or_else(|| "localhost".to_string()); .unwrap_or_else(|| "localhost".to_string());
let mut params = CertificateParams::new(vec![hostname.clone(), "localhost".into()]); let mut params = CertificateParams::new(vec![hostname.clone(), "localhost".into()])?;
// Add IP SANs params.subject_alt_names.push(SanType::IpAddress(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))));
params
.subject_alt_names
.push(SanType::IpAddress(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1))));
params params
.subject_alt_names .subject_alt_names
.push(SanType::IpAddress(IpAddr::V6(::std::net::Ipv6Addr::LOCALHOST))); .push(SanType::IpAddress(IpAddr::V6(::std::net::Ipv6Addr::LOCALHOST)));
@ -44,23 +41,20 @@ pub fn ensure_self_signed_cert() -> anyhow::Result<(PathBuf, PathBuf)> {
.subject_alt_names .subject_alt_names
.push(SanType::IpAddress(IpAddr::V4(Ipv4Addr::UNSPECIFIED))); .push(SanType::IpAddress(IpAddr::V4(Ipv4Addr::UNSPECIFIED)));
params.distinguished_name = DistinguishedName::new(); let mut dn = DistinguishedName::new();
params dn.push(DnType::CommonName, hostname.clone());
.distinguished_name params.distinguished_name = dn;
.push(DnType::CommonName, hostname.clone());
params.is_ca = IsCa::NoCa; params.is_ca = IsCa::NoCa;
// 397 days like previous implementation // Keep default validity (30 days) but extend to ~1 year (397 days)
params.not_before = rcgen::date_time_ymd(2024, 1, 1); // stable starting point // rcgen 0.13 doesn't have validity_days; use not_before/not_after
params.not_after = params.not_before + rcgen::PKCS_EPOCH_DURATION * 0; // overwritten below params.not_before = rcgen::date_time_ymd(2024, 1, 1);
// rcgen doesn't allow direct relative days for not_after while keeping not_before now; use validity_days params.not_after = rcgen::date_time_ymd(2025, 2, 2); // ~397 days later
params.validity_days = 397;
// Use modern defaults (Ed25519) for key; fallback to RSA if necessary // Generate key pair (default is ECDSA P256 SHA256)
// Keep RSA to maximize compatibility with older clients let key_pair = rcgen::KeyPair::generate()?; // defaults to ECDSA P256 SHA256
params.alg = &rcgen::PKCS_ECDSA_P256_SHA256; // widely supported let cert = params.self_signed(&key_pair)?;
let cert = Certificate::from_params(params)?; let cert_pem = cert.pem();
let cert_pem = cert.serialize_pem()?; let key_pem = key_pair.serialize_pem();
let key_pem = cert.serialize_private_key_pem();
let mut f = fs::File::create(&cert_path)?; let mut f = fs::File::create(&cert_path)?;
f.write_all(cert_pem.as_bytes())?; f.write_all(cert_pem.as_bytes())?;