plugins: generate certificates with required extensions

Recent versions of urllib3 fail certificate verification if certificates
lack the Authority Key Identifier or Key Usages extensions:

```
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1032)
```

Luckily, rcgen offers parameters in its CertificateParams structure to
add these extensions. Let's use them.

Changelog-Fixed: Certificates auto-generated by grpc-plugin, rest-plugin, and wss-proxy-plugin now include the required Authority Key Identifier and Key Usages extensions.

Author: whitslack

plugins/grpc-plugin/src/tls.rs

@@ -96,14 +96,19 @@ fn generate_or_load_identity(
         // Configure the certificate we want.
         let subject_alt_names = vec!["cln".to_string(), "localhost".to_string()];
         let mut params = rcgen::CertificateParams::new(subject_alt_names)?;
-        params.is_ca = if parent.is_none() {
-            rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained)
+        if parent.is_none() {
+            params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
+            params.key_usages.push(rcgen::KeyUsagePurpose::KeyCertSign);
         } else {
-            rcgen::IsCa::NoCa
-        };
+            params.is_ca = rcgen::IsCa::NoCa;
+            params.key_usages.push(rcgen::KeyUsagePurpose::DigitalSignature);
+            params.key_usages.push(rcgen::KeyUsagePurpose::KeyEncipherment);
+            params.key_usages.push(rcgen::KeyUsagePurpose::KeyAgreement);
+        }
         params
             .distinguished_name
             .push(rcgen::DnType::CommonName, name);
+        params.use_authority_key_identifier_extension = true;
 
         let cert = match parent {
             None => params.self_signed(&keypair),

plugins/rest-plugin/src/certs.rs

@@ -12,6 +12,8 @@ pub fn generate_certificates(certs_path: &PathBuf, rest_host: &str) -> Result<()
         "localhost".to_string(),
     ])?;
     ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
+    ca_params.key_usages.push(rcgen::KeyUsagePurpose::KeyCertSign);
+    ca_params.use_authority_key_identifier_extension = true;
     let ca_key = KeyPair::generate()?;
     let ca_cert = ca_params.self_signed(&ca_key)?;
 
@@ -30,6 +32,10 @@ pub fn generate_certificates(certs_path: &PathBuf, rest_host: &str) -> Result<()
         "localhost".to_string(),
     ])?;
     server_params.is_ca = rcgen::IsCa::NoCa;
+    server_params.key_usages.push(rcgen::KeyUsagePurpose::DigitalSignature);
+    server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyEncipherment);
+    server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyAgreement);
+    server_params.use_authority_key_identifier_extension = true;
     server_params.distinguished_name = DistinguishedName::new();
     server_params
         .distinguished_name

plugins/wss-proxy-plugin/src/certs.rs

@@ -18,6 +18,8 @@ pub fn generate_certificates(certs_path: &PathBuf, wss_host: &[String]) -> Resul
         "localhost".to_string(),
     ])?;
     ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
+    ca_params.key_usages.push(rcgen::KeyUsagePurpose::KeyCertSign);
+    ca_params.use_authority_key_identifier_extension = true;
     let ca_key = KeyPair::generate()?;
     let ca_cert = ca_params.self_signed(&ca_key)?;
 
@@ -36,6 +38,10 @@ pub fn generate_certificates(certs_path: &PathBuf, wss_host: &[String]) -> Resul
         "localhost".to_string(),
     ])?;
     server_params.is_ca = rcgen::IsCa::NoCa;
+    server_params.key_usages.push(rcgen::KeyUsagePurpose::DigitalSignature);
+    server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyEncipherment);
+    server_params.key_usages.push(rcgen::KeyUsagePurpose::KeyAgreement);
+    server_params.use_authority_key_identifier_extension = true;
     server_params.distinguished_name = DistinguishedName::new();
     server_params
         .distinguished_name