feat(v0.4.8): 修复 Windows 10 证书信任问题（Issue #9）

重写 TLS 证书 profile 为 v2，解决 Win10 Schannel CRYPT_E_NO_REVOCATION_CHECK：
- CA 去掉 CRLSign 位 + 设 MaxPathLen=0
- 服务器证书加 KeyEncipherment / ClientAuth / 127.0.0.1 IP SAN
- TLS 握手发送叶子+CA 完整链
- init 自动检测并迁移 v0.4.7 及更早旧 profile CA
- 补充全套证书 profile 与迁移单元测试

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: DASungta

CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v0.4.8] - 2026-04-17
+
+### Bug Fixes
+
+- **Windows 10 证书信任修复（Issue #9 后续）**：v0.4.7 修复了安装校验，但证书 profile 与 Windows 10 Schannel / Chromium 130 的严格校验不兼容，导致 `CRYPT_E_NO_REVOCATION_CHECK (0x80092012)` 及 TLS 握手 `EOF`。本次重写证书 profile 至"v2"标准：
+  - **CA 证书**：去掉 `KeyUsageCRLSign`（该位声明 CRL 能力却无 CDP 扩展，正是 Schannel 触发吊销校验的根因）；添加 `MaxPathLen=0, MaxPathLenZero=true`，防止被继续用于签发中间 CA。
+  - **服务器证书**：补充 `KeyUsageKeyEncipherment`（旧版 Schannel/TLS 栈仍要求此位）；`ExtKeyUsage` 加入 `ClientAuth`（最大兼容性）；`IPAddresses` 加入 `127.0.0.1`（覆盖 Electron 代理路径用 IP SNI 的场景）。
+  - **TLS 握手链**：服务端在握手时主动发送"叶子 + CA"完整链，Schannel/Chromium 无需依赖 ROOT 存储 AKI 匹配来构建链。
+
+### Migration
+
+- **自动迁移旧 CA**：`trae-proxy init` 在检测到 v0.4.7 及更早版本生成的旧 profile CA（有 `CRLSign` 位或缺少 v2 版本标记）时，自动执行：卸载旧 CA 信任 → 删除旧证书文件 → 重新生成 v2 profile CA 和服务器证书 → 重新安装信任。用户只需执行 `trae-proxy update && trae-proxy init` 即可完成迁移，无需任何手动操作。
+
+---
+
 ## [v0.4.7] - 2026-04-17
 
 ### Features

cmd/trae-proxy/main.go

@@ -133,6 +133,16 @@ func initCmd() *cobra.Command {
 				if err := tlsutil.GenerateCA(caDir); err != nil {
 					return fmt.Errorf("generate CA: %w", err)
 				}
+			} else if tlsutil.CANeedsRegeneration(caDir) {
+				fmt.Println("[init] detected legacy CA profile (v0.4.7 or earlier), regenerating for Windows 10 compatibility...")
+				caCertPath := filepath.Join(caDir, "root-ca.pem")
+				_ = tlsutil.UninstallCA(caCertPath) // best-effort: remove old trust entry
+				for _, f := range []string{"root-ca.pem", "root-ca-key.pem", "server.pem", "server-key.pem"} {
+					os.Remove(filepath.Join(caDir, f))
+				}
+				if err := tlsutil.GenerateCA(caDir); err != nil {
+					return fmt.Errorf("generate CA: %w", err)
+				}
 			} else {
 				fmt.Println("[init] CA already exists")
 			}

internal/tls/ca.go

@@ -10,6 +10,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"math/big"
+	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -20,6 +21,9 @@ import (
 
 const rootCACommonName = "trae-proxy Root CA"
 
+// certProfileVersion is stamped as Subject.OrganizationalUnit to enable migration detection.
+const certProfileVersion = "v2"
+
 var (
 	currentGOOS        = runtime.GOOS
 	execCombinedOutput = func(name string, args ...string) ([]byte, error) {
@@ -37,14 +41,19 @@ func GenerateCA(dir string) error {
 	tmpl := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{"trae-proxy"},
-			CommonName:   rootCACommonName,
+			Organization:       []string{"trae-proxy"},
+			OrganizationalUnit: []string{certProfileVersion},
+			CommonName:         rootCACommonName,
 		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(10 * 365 * 24 * time.Hour),
+		// KeyUsageCertSign only — omitting CRLSign so Schannel does not expect
+		// a CRL Distribution Point and fail with CRYPT_E_NO_REVOCATION_CHECK.
+		KeyUsage:              x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
+		MaxPathLen:            0,
+		MaxPathLenZero:        true,
 	}
 
 	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
@@ -103,14 +112,19 @@ func GenerateServerCert(dir string, caCert *x509.Certificate, caKey *ecdsa.Priva
 	tmpl := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{"trae-proxy"},
-			CommonName:   domain,
+			Organization:       []string{"trae-proxy"},
+			OrganizationalUnit: []string{certProfileVersion},
+			CommonName:         domain,
 		},
-		DNSNames:              []string{domain},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		DNSNames:  []string{domain},
+		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(365 * 24 * time.Hour),
+		// KeyEncipherment is required by strict Schannel / older TLS stacks even
+		// when using ECDSA (ECDHE never uses encryption, but some validators still check).
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		// ClientAuth is included for maximum compatibility; it does not affect server role.
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		BasicConstraintsValid: true,
 		IsCA:                  false,
 	}
@@ -131,6 +145,9 @@ func GenerateServerCert(dir string, caCert *x509.Certificate, caKey *ecdsa.Priva
 	return writePEM(filepath.Join(dir, "server-key.pem"), "EC PRIVATE KEY", keyDER)
 }
 
+// LoadServerTLSConfig loads the server cert and appends the CA cert to the
+// TLS chain so clients (Schannel, Chromium) can build the chain deterministically
+// without relying solely on AKI lookup in the system trust store.
 func LoadServerTLSConfig(dir string) (*tls.Config, error) {
 	cert, err := tls.LoadX509KeyPair(
 		filepath.Join(dir, "server.pem"),
@@ -139,11 +156,25 @@ func LoadServerTLSConfig(dir string) (*tls.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	caPEM, err := os.ReadFile(filepath.Join(dir, "root-ca.pem"))
+	if err != nil {
+		return nil, fmt.Errorf("read CA cert for chain: %w", err)
+	}
+	block, _ := pem.Decode(caPEM)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode CA cert PEM for chain")
+	}
+	cert.Certificate = append(cert.Certificate, block.Bytes)
+
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }
 
+// NeedsRegeneration reports whether the server cert should be re-issued.
+// Returns true for missing/unreadable certs, expiring certs, domain mismatches,
+// and legacy v1 profile certs (missing KeyEncipherment or OU version marker).
 func NeedsRegeneration(dir string, domain string) bool {
 	certPEM, err := os.ReadFile(filepath.Join(dir, "server.pem"))
 	if err != nil {
@@ -163,6 +194,12 @@ func NeedsRegeneration(dir string, domain string) bool {
 	if cert.NotAfter.Sub(cert.NotBefore) > 398*24*time.Hour {
 		return true
 	}
+	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
+		return true // legacy v1 profile
+	}
+	if !containsOU(cert.Subject.OrganizationalUnit, certProfileVersion) {
+		return true // legacy v1 profile
+	}
 	for _, name := range cert.DNSNames {
 		if name == domain {
 			return false
@@ -171,6 +208,40 @@ func NeedsRegeneration(dir string, domain string) bool {
 	return true
 }
 
+// CANeedsRegeneration reports whether the root CA should be re-generated.
+// Returns true for missing/unreadable CA files and legacy v1 profile CAs
+// (those with CRLSign bit or missing OU version marker).
+func CANeedsRegeneration(dir string) bool {
+	caPEM, err := os.ReadFile(filepath.Join(dir, "root-ca.pem"))
+	if err != nil {
+		return true
+	}
+	block, _ := pem.Decode(caPEM)
+	if block == nil {
+		return true
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return true
+	}
+	if cert.KeyUsage&x509.KeyUsageCRLSign != 0 {
+		return true // legacy v1 profile — CRLSign triggers Schannel revocation check
+	}
+	if !containsOU(cert.Subject.OrganizationalUnit, certProfileVersion) {
+		return true // legacy v1 profile
+	}
+	return false
+}
+
+func containsOU(ous []string, target string) bool {
+	for _, ou := range ous {
+		if ou == target {
+			return true
+		}
+	}
+	return false
+}
+
 func InstallCA(caCertPath string) error {
 	switch currentGOOS {
 	case "darwin":