nono-proxy 0.62.0

Network filtering proxy for the nono sandbox
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299

//! Per-hostname leaf certificate minting and cache.
//!
//! The cache lives for the duration of one proxy session. Each entry is a
//! freshly minted ECDSA P-256 leaf certificate signed by the session's
//! [`EphemeralCa`] and matched against the SNI hostname presented by the
//! agent during the inner TLS handshake.
//!
//! ## Why no LRU eviction
//!
//! Typical agent workloads hit a handful of distinct hosts (`api.openai.com`,
//! `api.anthropic.com`, `api.github.com`, …). The cache is naturally bounded
//! by the per-session host set and is dropped — along with the CA — when the
//! proxy shuts down. An LRU policy would add complexity without payoff.
//!
//! ## Failure mode
//!
//! When `resolve()` is invoked by rustls during a handshake and minting
//! fails, the resolver returns `None`. rustls then fails the handshake,
//! the agent sees a TLS error, and the proxy's CONNECT handler records
//! the failure as a denied audit event. This matches the design constraint
//! "hard fail on cert pinning": we never silently fall back to a transparent
//! tunnel for a route that asked for L7 visibility.

use crate::error::{ProxyError, Result};
use crate::tls_intercept::ca::EphemeralCa;
use rcgen::{
    CertificateParams, DistinguishedName, DnType, KeyPair, PKCS_ECDSA_P256_SHA256, SanType,
};
use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
use rustls::server::{ClientHello, ResolvesServerCert};
use rustls::sign::CertifiedKey;
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
use std::time::SystemTime;
use time::OffsetDateTime;
use tracing::{debug, warn};

/// Per-hostname leaf certificate cache backed by the session's [`EphemeralCa`].
pub struct CertCache {
    ca: Arc<EphemeralCa>,
    /// Hostname → minted leaf. Kept behind a `Mutex` because rustls' cert
    /// resolver is invoked from sync handshake context.
    cache: Mutex<HashMap<String, Arc<CertifiedKey>>>,
}

impl CertCache {
    /// Construct a new cache backed by `ca`.
    #[must_use]
    pub fn new(ca: Arc<EphemeralCa>) -> Self {
        Self {
            ca,
            cache: Mutex::new(HashMap::new()),
        }
    }

    /// Number of cached entries (test-only visibility).
    #[cfg(test)]
    fn len(&self) -> usize {
        self.cache
            .lock()
            .map(|guard| guard.len())
            .unwrap_or_default()
    }

    /// Look up or mint a leaf certificate for `hostname`.
    ///
    /// Used by tests; production code goes through [`ResolvesServerCert`].
    pub fn get_or_mint(&self, hostname: &str) -> Result<Arc<CertifiedKey>> {
        // Reject empty hostnames defensively. rustls already validates SNI
        // shape, but we don't trust upstream invariants for a key path.
        if hostname.is_empty() {
            return Err(ProxyError::Config(
                "cannot mint leaf certificate for empty hostname".to_string(),
            ));
        }

        let mut cache = self.cache.lock().map_err(|_| {
            ProxyError::Config("tls_intercept cert cache mutex poisoned".to_string())
        })?;
        if let Some(existing) = cache.get(hostname) {
            return Ok(Arc::clone(existing));
        }
        let minted = mint_leaf(self.ca.as_ref(), hostname)?;
        cache.insert(hostname.to_string(), Arc::clone(&minted));
        debug!("tls_intercept: minted leaf certificate for {}", hostname);
        Ok(minted)
    }
}

impl std::fmt::Debug for CertCache {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let len = self.cache.lock().map(|g| g.len()).unwrap_or(0);
        f.debug_struct("CertCache")
            .field("entries", &len)
            .field("ca", &self.ca)
            .finish()
    }
}

impl ResolvesServerCert for CertCache {
    /// rustls invokes this synchronously during the server-side handshake.
    /// We extract the SNI hostname, look up (or mint) a leaf, and return it.
    /// On failure — empty SNI, mint error, mutex poison — we return `None`,
    /// causing rustls to fail the handshake. That's what we want: the agent
    /// sees a TLS error, the CONNECT handler records the failure, no
    /// silent fallback occurs.
    fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
        let hostname = client_hello.server_name()?;
        match self.get_or_mint(hostname) {
            Ok(ck) => Some(ck),
            Err(e) => {
                warn!(
                    "tls_intercept: failed to mint leaf for SNI '{}': {}",
                    hostname, e
                );
                None
            }
        }
    }
}

/// Mint a fresh leaf certificate for `hostname`, signed by `ca`.
///
/// The returned `CertifiedKey` contains a two-cert chain: [leaf, CA].
/// Go's TLS verifier (via `SecTrustEvaluateWithError`) requires the full
/// chain to be presented by the server even when the CA is in the user
/// trust store.
fn mint_leaf(ca: &EphemeralCa, hostname: &str) -> Result<Arc<CertifiedKey>> {
    // Generate a new key pair for this leaf. Distinct from the CA key:
    // we never expose the CA's signing key in any TLS handshake.
    let leaf_key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)
        .map_err(|e| ProxyError::Config(format!("failed to generate leaf key pair: {}", e)))?;
    let leaf_key_der = leaf_key.serialize_der();

    let mut params = CertificateParams::default();
    params.subject_alt_names = vec![dns_san(hostname)?];
    // RFC 5280 §4.2.1.1 requires Authority Key Identifier on certs issued
    // by a CA; rcgen defaults the flag to false. Stricter verifiers
    // (OpenSSL 3.6+, BoringSSL) reject leaves without AKI with
    // "Missing Authority Key Identifier".
    params.use_authority_key_identifier_extension = true;

    let now = SystemTime::now();
    let ca_not_after = ca.not_after();
    if ca_not_after <= now {
        return Err(ProxyError::Config(format!(
            "CA certificate has expired; cannot mint leaf for '{hostname}'"
        )));
    }
    params.not_before = system_time_to_offset(now)?;
    params.not_after = system_time_to_offset(ca_not_after)?;

    let mut dn = DistinguishedName::new();
    dn.push(DnType::CommonName, hostname);
    params.distinguished_name = dn;

    let cert = params
        .signed_by(&leaf_key, ca.issuer())
        .map_err(|e| ProxyError::Config(format!("failed to sign leaf certificate: {}", e)))?;
    let leaf_der = cert.der().clone();
    let ca_der = CertificateDer::from(ca.cert_der().to_vec());

    let private_key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(leaf_key_der));
    let signing_key = rustls::crypto::ring::sign::any_supported_type(&private_key_der)
        .map_err(|e| ProxyError::Config(format!("rustls rejected minted leaf key: {}", e)))?;

    Ok(Arc::new(CertifiedKey::new(
        vec![leaf_der, ca_der],
        signing_key,
    )))
}

/// Build a Subject Alternative Name entry for `hostname`. Reject anything
/// that isn't a plausible DNS name to avoid emitting bogus certs for
/// IP-literal or malformed CONNECT targets.
fn dns_san(hostname: &str) -> Result<SanType> {
    if !is_plausible_dns_name(hostname) {
        return Err(ProxyError::Config(format!(
            "tls_intercept: refusing to mint leaf for non-DNS hostname '{}'",
            hostname
        )));
    }
    Ok(SanType::DnsName(hostname.to_string().try_into().map_err(
        |e| ProxyError::Config(format!("invalid DNS name '{}': {}", hostname, e)),
    )?))
}

/// Lightweight DNS-name shape check. Not a full RFC 1035 validator —
/// rustls will reject syntactically malformed certs at handshake time —
/// but keeps obvious garbage out of the cache key.
fn is_plausible_dns_name(s: &str) -> bool {
    if s.is_empty() || s.len() > 253 {
        return false;
    }
    s.chars()
        .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
        && s.contains(|c: char| c.is_ascii_alphabetic())
}

fn system_time_to_offset(t: SystemTime) -> Result<OffsetDateTime> {
    OffsetDateTime::from_unix_timestamp(
        t.duration_since(SystemTime::UNIX_EPOCH)
            .map_err(|e| ProxyError::Config(format!("system time before unix epoch: {}", e)))?
            .as_secs()
            .try_into()
            .map_err(|_| ProxyError::Config("system time exceeds i64::MAX".to_string()))?,
    )
    .map_err(|e| ProxyError::Config(format!("invalid system time for cert validity: {}", e)))
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;

    fn fresh_cache() -> CertCache {
        CertCache::new(Arc::new(EphemeralCa::generate().unwrap()))
    }

    #[test]
    fn mint_returns_well_formed_cert() {
        let cache = fresh_cache();
        let ck = cache.get_or_mint("api.openai.com").unwrap();
        assert_eq!(ck.cert.len(), 2, "chain should be [leaf, CA]");
        assert!(
            !ck.cert[0].as_ref().is_empty(),
            "leaf DER body must be non-empty"
        );
        assert!(
            !ck.cert[1].as_ref().is_empty(),
            "CA DER body must be non-empty"
        );
        // The first byte of an X.509 certificate's DER encoding is 0x30
        // (SEQUENCE). A trivial sanity check that we produced something
        // shaped like a certificate.
        assert_eq!(ck.cert[0].as_ref()[0], 0x30);
        assert_eq!(ck.cert[1].as_ref()[0], 0x30);
    }

    #[test]
    fn minted_leaf_carries_authority_key_identifier() {
        // OpenSSL 3.6+ (Python 3.14) rejects issued certs without AKI with
        // "Missing Authority Key Identifier". rcgen defaults the flag off,
        // so we set it explicitly in `mint_leaf`. Verify the extension OID
        // 2.5.29.35 (DER bytes 06 03 55 1d 23) is present in the leaf DER.
        let cache = fresh_cache();
        let ck = cache.get_or_mint("api.example.com").unwrap();
        let der = ck.cert[0].as_ref();
        let aki_oid = [0x06, 0x03, 0x55, 0x1d, 0x23];
        assert!(
            der.windows(aki_oid.len()).any(|w| w == aki_oid),
            "minted leaf must include Authority Key Identifier (OID 2.5.29.35)"
        );
    }

    #[test]
    fn cache_hits_on_repeated_lookup() {
        let cache = fresh_cache();
        let a = cache.get_or_mint("api.example.com").unwrap();
        let b = cache.get_or_mint("api.example.com").unwrap();
        assert!(Arc::ptr_eq(&a, &b), "second lookup should be a cache hit");
        assert_eq!(cache.len(), 1);
    }

    #[test]
    fn distinct_hostnames_get_distinct_certs() {
        let cache = fresh_cache();
        let a = cache.get_or_mint("api.openai.com").unwrap();
        let b = cache.get_or_mint("api.anthropic.com").unwrap();
        assert!(!Arc::ptr_eq(&a, &b));
        assert_ne!(a.cert[0].as_ref(), b.cert[0].as_ref());
        assert_eq!(cache.len(), 2);
    }

    #[test]
    fn empty_hostname_rejected() {
        let cache = fresh_cache();
        assert!(cache.get_or_mint("").is_err());
    }

    #[test]
    fn ip_literal_rejected() {
        // We refuse to mint for IP-literal CONNECT targets — the SNI shape
        // would be wrong and the agent would reject the cert anyway.
        let cache = fresh_cache();
        assert!(cache.get_or_mint("127.0.0.1").is_err());
        assert!(cache.get_or_mint("::1").is_err());
    }

    #[test]
    fn plausible_dns_name_filter() {
        assert!(is_plausible_dns_name("api.openai.com"));
        assert!(is_plausible_dns_name("internal-service.corp"));
        assert!(!is_plausible_dns_name(""));
        assert!(!is_plausible_dns_name("127.0.0.1")); // no alphabetic
        assert!(!is_plausible_dns_name("evil host"));
        assert!(!is_plausible_dns_name(&"a".repeat(254)));
    }
}