Harden PKI: constrain CA, fail-hard secrets, cert TTL

* Fail hard when /dev/urandom is unavailable for secret generation

* Constrain CA pathlen to 0 and replace Docker SANs with Apple Container

* Set 365-day certificate validity instead of effectively-infinite

Author: persimmon16

crates/openshell-bootstrap/Cargo.toml

@@ -15,6 +15,7 @@ libc = "0.2"
 miette = { workspace = true }
 rcgen = { workspace = true }
 serde = { workspace = true }
+time = "0.3"
 serde_json = { workspace = true }
 tokio = { workspace = true }
 tracing = { workspace = true }

crates/openshell-bootstrap/src/pki.rs

@@ -4,6 +4,7 @@
 use miette::{IntoDiagnostic, Result, WrapErr};
 use rcgen::{BasicConstraints, CertificateParams, DnType, Ia5String, IsCa, KeyPair, SanType};
 use std::net::IpAddr;
+use time::{Duration, OffsetDateTime};
 
 /// All PEM-encoded materials produced by [`generate_pki`].
 #[allow(clippy::struct_field_names)]
@@ -20,35 +21,35 @@ pub struct PkiBundle {
 /// Default SANs always included on the server certificate.
 const DEFAULT_SERVER_SANS: &[&str] = &[
     "openshell",
-    "openshell.openshell.svc",
-    "openshell.openshell.svc.cluster.local",
     "localhost",
-    "host.docker.internal",
+    "host.containers.internal",
     "127.0.0.1",
 ];
 
-/// SANs for the container bridge daemon certificate (macOS host).
-///
-/// `host.containers.internal` is the hostname Apple Container VMs use to reach
-/// the host, analogous to Docker's `host.docker.internal`.
+/// SANs for the server certificate. `host.containers.internal` is the hostname
+/// Apple Container VMs use to reach the macOS host.
 
 /// Generate a complete PKI bundle: CA, server cert, and client cert.
 ///
 /// `extra_sans` are additional Subject Alternative Names to add to the server
 /// certificate (e.g. the remote host's IP or hostname for remote deployments).
 ///
-/// Certificate validity uses the `rcgen` defaults (1975–4096), which effectively
-/// never expire. This is appropriate for an internal dev-cluster PKI where certs
-/// are ephemeral to the cluster's lifetime.
+/// Certificates are valid for 365 days from generation. Regenerate the PKI
+/// bundle before expiry.
 pub fn generate_pki(extra_sans: &[String]) -> Result<PkiBundle> {
+    let now = OffsetDateTime::now_utc();
+    let expiry = now + Duration::days(365);
+
     // --- CA ---
     let ca_key = KeyPair::generate()
         .into_diagnostic()
         .wrap_err("failed to generate CA key")?;
     let mut ca_params = CertificateParams::new(Vec::<String>::new())
         .into_diagnostic()
         .wrap_err("failed to create CA params")?;
-    ca_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+    ca_params.is_ca = IsCa::Ca(BasicConstraints::Constrained(0));
+    ca_params.not_before = now;
+    ca_params.not_after = expiry;
     ca_params
         .distinguished_name
         .push(DnType::OrganizationName, "openshell");
@@ -70,6 +71,8 @@ pub fn generate_pki(extra_sans: &[String]) -> Result<PkiBundle> {
         .into_diagnostic()
         .wrap_err("failed to create server cert params")?;
     server_params.subject_alt_names = server_sans;
+    server_params.not_before = now;
+    server_params.not_after = expiry;
     server_params
         .distinguished_name
         .push(DnType::CommonName, "openshell-server");
@@ -86,6 +89,8 @@ pub fn generate_pki(extra_sans: &[String]) -> Result<PkiBundle> {
     let mut client_params = CertificateParams::new(Vec::<String>::new())
         .into_diagnostic()
         .wrap_err("failed to create client cert params")?;
+    client_params.not_before = now;
+    client_params.not_after = expiry;
     client_params
         .distinguished_name
         .push(DnType::CommonName, "openshell-client");

crates/openshell-bootstrap/src/runtime_apple.rs

@@ -130,7 +130,7 @@ impl AppleContainerRuntime {
         let server_bin = find_server_binary()?;
 
         // Generate SSH handshake secret.
-        let secret = generate_secret();
+        let secret = generate_secret()?;
 
         // Build server arguments.
         let db_url = format!("sqlite://{}/openshell.db", data_dir.display());
@@ -489,11 +489,11 @@ fn find_server_binary() -> Result<PathBuf> {
 }
 
 /// Generate a random hex secret for SSH handshake HMAC.
-fn generate_secret() -> String {
+fn generate_secret() -> Result<String> {
     use std::io::Read;
     let mut bytes = [0u8; 32];
     std::fs::File::open("/dev/urandom")
         .and_then(|mut f| f.read_exact(&mut bytes))
-        .unwrap_or_default();
-    bytes.iter().map(|b| format!("{b:02x}")).collect()
+        .map_err(|e| miette::miette!("cannot read /dev/urandom for secret generation: {e}"))?;
+    Ok(bytes.iter().map(|b| format!("{b:02x}")).collect())
 }