Add script to generate intermediate expo go cert from existing root cert #14

Merged
merged 2 commits into from
Mar 1, 2024

Conversation

wschurman
Member

Why

This adds a script to generate a new Expo Go intermediate certificate from our existing Expo Go root certificate (stored elsewhere). The function generateExpoGoIntermediateCertificate is taken from generateExampleCertificates.ts, which is the script that was originally used to generate the full set of keys.

How

This script reads in our existing root certificate and private key and generates a new intermediate certificate for Expo Go, which is used to generate development code signing leaf certs by the Expo server.

Test Plan

Inspect the output cert to ensure that all the metadata, etc. matches that of the old Expo Go intermediate certificate, and the only thing different is the new begin/end validity dates.

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.04%. Comparing base (312d125) to head (13d8c35).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #14   +/-   ##
=======================================
  Coverage   84.04%   84.04%           
=======================================
  Files           2        2           
  Lines          94       94           
  Branches       11       11           
=======================================
  Hits           79       79           
  Misses          4        4           
  Partials       11       11           
Flag Coverage Δ
unittest 84.04% <ø> (ø)


Member

@ide ide left a comment


Thanks for doing this! In the future, it might be neat to integrate with 1Password's CLI. Then the private key doesn't need to ever be on disk in plaintext, just in memory.

scripts/generateExpoGoIntermediateCertificate.ts Outdated
@wschurman
Member Author

> In the future, it might be neat to integrate with 1Password's CLI. Then the private key doesn't need to ever be on disk in plaintext, just in memory.

Potentially. This repo is public so I'm a little hesitant to try to integrate with our 1Password. Could theoretically add a new script to our private repo that uses this and talks to 1Password though.

@wschurman
Member Author

Test failure is due to leap day bug in our code and will resolve tomorrow.

For CSR generation, we do:

certificate.validity.notBefore = new Date();
certificate.validity.notBefore.setDate(certificate.validity.notBefore.getDate() - 1);
certificate.validity.notAfter = new Date();
certificate.validity.notAfter.setDate(certificate.validity.notBefore.getDate() + 30);

const b = new Date()
b.setDate(b.getDate() - 1)
// Thu Feb 29 2024 12:26:34 GMT-0800 (Pacific Standard Time)

const a = new Date()
a.setDate(b.getDate() + 30)
// Sun Apr 28 2024 12:27:12 GMT-0700 (Pacific Daylight Time)

Dates are hard. I guess this means we've been vending extra-validity-duration development certs during the day today, which is fine. So I'm not going to mess with the logic since dates are hard and I'll likely screw it up.
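Added example, not code from this PR or the project: a replay of the date arithmetic quoted above against fixed clock values, next to a millisecond-based alternative and a lifetime check a signer can run before issuing. The function names and the reading of the intended window (expiry 30 days after notBefore) are assumptions; the replay also shows the longer window on other first-of-month dates, because notBefore then falls in the previous month while notAfter stays in the current one.

```javascript
// Added example: buggyValidity, fixedValidity, lifetimeDays and checkLifetime
// are hypothetical names, not part of the project.
const DAY_MS = 24 * 60 * 60 * 1000;

// Same steps as the snippet above, parameterised on "now" so it can be replayed.
function buggyValidity(now) {
  const notBefore = new Date(now.getTime());
  notBefore.setDate(notBefore.getDate() - 1);
  const notAfter = new Date(now.getTime());
  // Day-of-month is read from notBefore but applied to notAfter's month.
  notAfter.setDate(notBefore.getDate() + 30);
  return { notBefore, notAfter };
}

// Assumed intent: backdate one day, then expire validDays after notBefore.
function fixedValidity(now, validDays = 30) {
  const notBefore = new Date(now.getTime() - DAY_MS);
  const notAfter = new Date(notBefore.getTime() + validDays * DAY_MS);
  return { notBefore, notAfter };
}

// Whole days between the two bounds; rounding absorbs a DST hour.
function lifetimeDays({ notBefore, notAfter }) {
  return Math.round((notAfter.getTime() - notBefore.getTime()) / DAY_MS);
}

// Policy check before issuing: reject inverted or over-long windows.
function checkLifetime(validity, maxDays) {
  const days = lifetimeDays(validity);
  if (!(validity.notAfter > validity.notBefore) || days > maxDays) {
    throw new RangeError(`validity of ${days} days violates max ${maxDays}`);
  }
  return days;
}

// Constructed sample clock values (local noon), not taken from project logs.
const samples = [new Date(2024, 2, 1, 12), new Date(2024, 2, 15, 12), new Date(2024, 4, 1, 12)];
for (const now of samples) {
  console.log(now.toDateString(), "buggy:", lifetimeDays(buggyValidity(now)),
    "fixed:", lifetimeDays(fixedValidity(now)));
}
```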

@wschurman wschurman merged commit 6bc824a into main Mar 1, 2024
1 check failed
@wschurman wschurman deleted the @wschurman/generate-intermediate-cert branch March 1, 2024 20:29