Resolve certificate generation

The server certificate was mistakenly using the public key of the CA and private key of itself, instead of the reverse.

We additionally bump the CA size to 2048 bytes.

README.md

@@ -37,8 +37,8 @@ Invoke WSC-Patcher similar to the following:
 ```
 
 Throughout its operation, the patcher will perform the following:
- - Version 20 (latest, as of writing) of the Wii Shop Channel will be downloaded to `cache/original.wad`.
+ - Version 21 (latest, as of writing) of the Wii Shop Channel will be downloaded to `cache/original.wad`.
- - If `output/root.cer` is not present, a 1024-bit (RSA), SHA-1 CA certificate will be generated.
+ - If `output/root.cer` is not present, a 2048-bit (RSA), SHA-1 CA certificate will be generated.
    - At the same time, `*.<basedomain>` will be issued for ease of use. See `output/server.pem` and `output/server.key` for usage with nginx or similar servers.
  - Modifications are made to the application's main `.arc` (within content index 2) to permit Opera loading the base domain, and the customized certificates.
  - Patches to the application's main dol are also performed. Please see `docs/patch_<name>.md` for more information on what these contain.

cert_store.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"log"
 	"math/big"
 	"time"
 )
@@ -17,9 +16,7 @@ import (
 func generateSerial() *big.Int {
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
+	check(err)
-		log.Fatalf("Failed to generate serial number: %v", err)
-	}
 
 	return serialNumber
 }
@@ -28,7 +25,7 @@ func createCertificates() []byte {
 	////////////////////////////////////
 	//        Generate root CA        //
 	////////////////////////////////////
-	rootCA := x509.Certificate{
+	rootCAFormat := x509.Certificate{
 		SignatureAlgorithm: x509.SHA1WithRSA,
 		SerialNumber:       generateSerial(),
 		Subject: pkix.Name{
@@ -41,18 +38,16 @@ func createCertificates() []byte {
 		IsCA:                  true,
 	}
 
-	// Sadly, 2048 bits can cause compatability issues with IOS. We must use 1024.
+	rootPriv, err := rsa.GenerateKey(rand.Reader, 2048)
-	// TODO(spotlightishere): Is it possible to raise to 2048 anyway?
-	rootPriv, err := rsa.GenerateKey(rand.Reader, 1024)
 	check(err)
 
-	rootCertBytes, err := x509.CreateCertificate(rand.Reader, &rootCA, &rootCA, &rootPriv.PublicKey, rootPriv)
+	rootCert, err := x509.CreateCertificate(rand.Reader, &rootCAFormat, &rootCAFormat, &rootPriv.PublicKey, rootPriv)
 	check(err)
 
 	////////////////////////////////////
 	//  Issue server TLS certificate  //
 	////////////////////////////////////
-	serverCert := x509.Certificate{
+	serverCertFormat := x509.Certificate{
 		SignatureAlgorithm: x509.SHA1WithRSA,
 		SerialNumber:       generateSerial(),
 		// We'll issue with a primary common name for our base domain.
@@ -63,10 +58,9 @@ func createCertificates() []byte {
 		DNSNames: []string{
 			"*." + baseDomain,
 		},
-		NotBefore: time.Now(),
+		NotBefore:      time.Now(),
-		NotAfter:  time.Now().AddDate(10, 0, 0),
+		NotAfter:       time.Now().AddDate(10, 0, 0),
-		// TODO: what's non-repudiation
+		KeyUsage:       x509.KeyUsageKeyAgreement | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		KeyUsage:       x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		IsCA:           false,
 		MaxPathLenZero: true,
@@ -75,24 +69,24 @@ func createCertificates() []byte {
 	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
 	check(err)
 
-	serverCertBytes, err := x509.CreateCertificate(rand.Reader, &serverCert, &rootCA, &rootPriv.PublicKey, serverPriv)
+	serverCert, err := x509.CreateCertificate(rand.Reader, &serverCertFormat, &rootCAFormat, &serverPriv.PublicKey, rootPriv)
 	check(err)
 
 	////////////////////////////
 	//  Persist certificates  //
 	////////////////////////////
-	rootCertPem := pemEncode("CERTIFICATE", rootCertBytes)
+	rootCertPem := pemEncode("CERTIFICATE", rootCert)
 	rootKeyPem := pemEncode("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(rootPriv))
-	serverCertPem := pemEncode("CERTIFICATE", serverCertBytes)
+	serverCertPem := pemEncode("CERTIFICATE", serverCert)
 	serverKeyPem := pemEncode("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(serverPriv))
 
 	writeOut("root.pem", rootCertPem)
-	writeOut("root.cer", rootCertBytes)
+	writeOut("root.cer", rootCert)
 	writeOut("root.key", rootKeyPem)
 	writeOut("server.pem", serverCertPem)
 	writeOut("server.key", serverKeyPem)
 
-	return rootCertBytes
+	return rootCert
 }
 
 func pemEncode(typeName string, bytes []byte) []byte {