src/node/util.ts: Make certificate generation "modern"

Now we add a subject alt name, set extendedKeyUsage and use the
correct certificate extension.

The above allow it to be properly trusted by iOS.

See https://support.apple.com/en-us/HT210176

*.cert isn't a real extension for certificates, *.crt is correct
for it to be recognized by e.g. keychain or when importing as a profile
into iOS.

Updates #1566

I've been able to successfully connect from my iPad Pro now to my
code-server instance with a self signed certificate! Next commit
will be docs.
This commit is contained in:
Anmol Sethi 2020-10-30 04:35:08 -04:00
parent 10b3028196
commit 8b85006996
No known key found for this signature in database
GPG Key ID: 8CEF1878FF10ADEB
2 changed files with 21 additions and 5 deletions

View File

@ -145,7 +145,7 @@ pass in an existing certificate by providing the path to `--cert` and the path t
the key with `--cert-key`.
The self signed certificate will be generated into
`~/.local/share/code-server/self-signed.cert`.
`~/.local/share/code-server/self-signed.crt`.
If `code-server` has been passed a certificate it will also respond to HTTPS
requests and will redirect all HTTP requests to HTTPS.

View File

@ -55,7 +55,7 @@ export function humanPath(p?: string): string {
}
export const generateCertificate = async (): Promise<{ cert: string; certKey: string }> => {
const certPath = path.join(paths.data, "self-signed.cert")
const certPath = path.join(paths.data, "self-signed.crt")
const certKeyPath = path.join(paths.data, "self-signed.key")
const checks = await Promise.all([fs.pathExists(certPath), fs.pathExists(certKeyPath)])
@ -64,9 +64,25 @@ export const generateCertificate = async (): Promise<{ cert: string; certKey: st
// generate certificates.
const pem = require("pem") as typeof import("pem")
const certs = await new Promise<import("pem").CertificateCreationResult>((resolve, reject): void => {
pem.createCertificate({ selfSigned: true }, (error, result) => {
pem.createCertificate(
{
selfSigned: true,
config: `
[req]
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
`,
},
(error, result) => {
return error ? reject(error) : resolve(result)
})
},
)
})
await fs.mkdirp(paths.data)
await Promise.all([fs.writeFile(certPath, certs.certificate), fs.writeFile(certKeyPath, certs.serviceKey)])