diff options
author | Devaev Maxim <[email protected]> | 2021-02-12 05:21:06 +0300 |
---|---|---|
committer | Devaev Maxim <[email protected]> | 2021-02-12 05:23:07 +0300 |
commit | 4760a0bddaa0361dd699cca33df5c727885fae02 (patch) | |
tree | 48b2fd01db3dd413fe6b9ebd7eb9292f9475d3b8 | |
parent | a71f5269ae6a7fdab90f035937812ef2d5f43b1f (diff) |
refactoring of x509
-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | kvmd/apps/__init__.py | 4 | ||||
-rw-r--r-- | kvmd/apps/vnc/__init__.py | 2 | ||||
-rw-r--r-- | kvmd/apps/vnc/rfb/__init__.py | 32 | ||||
-rw-r--r-- | kvmd/apps/vnc/rfb/crypto.py | 35 | ||||
-rw-r--r-- | kvmd/apps/vnc/server.py | 8 |
6 files changed, 36 insertions, 46 deletions
@@ -173,6 +173,7 @@ run-vnc: testenv cp /usr/share/kvmd/configs.default/kvmd/*.yaml /etc/kvmd \ && cp /usr/share/kvmd/configs.default/kvmd/*passwd /etc/kvmd \ && cp /usr/share/kvmd/configs.default/kvmd/main/$(if $(P),$(P),$(DEFAULT_PLATFORM)).yaml /etc/kvmd/main.yaml \ + && cp -a /testenv/.ssl /etc/kvmd/nginx/ssl \ && cp /testenv/$(if $(P),$(P),$(DEFAULT_PLATFORM)).override.yaml /etc/kvmd/override.yaml \ && $(if $(CMD),$(CMD),python -m kvmd.apps.vnc --run) \ " diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py index 708c50f9..d126a949 100644 --- a/kvmd/apps/__init__.py +++ b/kvmd/apps/__init__.py @@ -586,6 +586,10 @@ def _get_config_scheme() -> Dict: "tls": { "ciphers": Option("ALL:@SECLEVEL=0", type=_make_ifarg(valid_ssl_ciphers, "")), "timeout": Option(5.0, type=valid_float_f01), + "x509": { + "cert": Option("", type=_make_ifarg(valid_abs_file, "")), + "key": Option("", type=_make_ifarg(valid_abs_file, "")), + }, }, }, diff --git a/kvmd/apps/vnc/__init__.py b/kvmd/apps/vnc/__init__.py index 7aeb283e..682bd89a 100644 --- a/kvmd/apps/vnc/__init__.py +++ b/kvmd/apps/vnc/__init__.py @@ -68,6 +68,8 @@ def main(argv: Optional[List[str]]=None) -> None: tls_ciphers=config.server.tls.ciphers, tls_timeout=config.server.tls.timeout, + x509_cert_path=config.server.tls.x509.cert, + x509_key_path=config.server.tls.x509.key, desired_fps=config.desired_fps, keymap_path=config.keymap, diff --git a/kvmd/apps/vnc/rfb/__init__.py b/kvmd/apps/vnc/rfb/__init__.py index 86ae3370..48805f27 100644 --- a/kvmd/apps/vnc/rfb/__init__.py +++ b/kvmd/apps/vnc/rfb/__init__.py @@ -42,7 +42,6 @@ from .encodings import RfbClientEncodings from .crypto import rfb_make_challenge from .crypto import rfb_encrypt_challenge -from .crypto import create_self_signed_cert_if_nonexistent, key_file_name, cert_file_name from .stream import RfbClientStream @@ -53,12 +52,14 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute # https://www.toptal.com/java/implementing-remote-framebuffer-server-java # https://github.com/TigerVNC/tigervnc - def __init__( + def __init__( # pylint: disable=too-many-arguments self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter, tls_ciphers: str, tls_timeout: float, + x509_cert_path: str, + x509_key_path: str, width: int, height: int, @@ -71,6 +72,8 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute self.__tls_ciphers = tls_ciphers self.__tls_timeout = tls_timeout + self.__x509_cert_path = x509_cert_path + self.__x509_key_path = x509_key_path self._width = width self._height = height @@ -245,7 +248,7 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute get_logger(0).info("[main] %s: Using %s security type", self._remote, sec_name) await handler() - async def __handshake_security_vencrypt(self) -> None: + async def __handshake_security_vencrypt(self) -> None: # pylint: disable=too-many-branches await self._write_struct("BB", 0, 2) # VeNCrypt 0.2 vencrypt_version = "%d.%d" % (await self._read_struct("BB")) @@ -256,21 +259,27 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute await self._write_struct("B", 0) if self.__none_auth_only: - auth_types = {1: ("VeNCrypt/None", False, self.__handshake_security_none)} + auth_types = {1: ("VeNCrypt/None", 0, self.__handshake_security_none)} if self.__tls_ciphers: - auth_types[257] = ("VeNCrypt/TLSNone", True, self.__handshake_security_none) + if self.__x509_cert_path: + auth_types[260] = ("VeNCrypt/X509None", 2, self.__handshake_security_none) + auth_types[257] = ("VeNCrypt/TLSNone", 1, self.__handshake_security_none) else: - auth_types = {256: ("VeNCrypt/Plain", False, self.__handshake_security_vencrypt_userpass)} + auth_types = {256: ("VeNCrypt/Plain", 0, self.__handshake_security_vencrypt_userpass)} if self.__tls_ciphers: - auth_types[262] = ("VeNCrypt/X509Plain", True, self.__handshake_security_vencrypt_userpass) + if self.__x509_cert_path: + auth_types[262] = ("VeNCrypt/X509Plain", 2, self.__handshake_security_vencrypt_userpass) + auth_types[259] = ("VeNCrypt/TLSPlain", 1, self.__handshake_security_vencrypt_userpass) if self.__vnc_passwds: # Vinagre не умеет работать с VNC Auth через VeNCrypt, но это его проблемы, # так как он своеобразно трактует рекомендации VeNCrypt. # Подробнее: https://bugzilla.redhat.com/show_bug.cgi?id=692048 # Hint: используйте любой другой нормальный VNC-клиент. - auth_types[2] = ("VeNCrypt/VNCAuth", False, self.__handshake_security_vnc_auth) + auth_types[2] = ("VeNCrypt/VNCAuth", 0, self.__handshake_security_vnc_auth) if self.__tls_ciphers: - auth_types[258] = ("VeNCrypt/TLSVNCAuth", True, self.__handshake_security_vnc_auth) + if self.__x509_cert_path: + auth_types[261] = ("VeNCrypt/X509VNCAuth", 2, self.__handshake_security_vnc_auth) + auth_types[258] = ("VeNCrypt/TLSVNCAuth", 1, self.__handshake_security_vnc_auth) await self._write_struct("B" + "L" * len(auth_types), len(auth_types), *auth_types) @@ -285,8 +294,9 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute assert self.__tls_ciphers, (self.__tls_ciphers, auth_name, tls, handler) await self._write_struct("B", 1) # Ack ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) - create_self_signed_cert_if_nonexistent(key_file_name, cert_file_name) - ssl_context.load_cert_chain(keyfile=key_file_name, certfile=cert_file_name) + if tls == 2: + assert self.__x509_cert_path + ssl_context.load_cert_chain(self.__x509_cert_path, (self.__x509_key_path or None)) ssl_context.set_ciphers(self.__tls_ciphers) await self._start_tls(ssl_context, self.__tls_timeout) diff --git a/kvmd/apps/vnc/rfb/crypto.py b/kvmd/apps/vnc/rfb/crypto.py index 951a8002..7b364cb1 100644 --- a/kvmd/apps/vnc/rfb/crypto.py +++ b/kvmd/apps/vnc/rfb/crypto.py @@ -26,14 +26,6 @@ from typing import List import passlib.crypto.des -from OpenSSL import crypto, SSL -from socket import gethostname -from pprint import pprint -from time import gmtime, mktime -import os.path - -key_file_name = "private_vnc.key" -cert_file_name = "self_signed_cert.crt" # ===== def rfb_make_challenge() -> bytes: @@ -59,30 +51,3 @@ def _make_key(passwd: bytes) -> bytes: btgt = btgt | (1 << 7 - index) key.append(btgt) return bytes(key) - - -def create_self_signed_cert_if_nonexistent(key_file, cert_file): - if os.path.isfile(key_file) and os.path.isfile(cert_file): - return - - key = crypto.PKey() - key.generate_key(crypto.TYPE_RSA, 2048) - - cert = crypto.X509() - cert.get_subject().C = "CA" - cert.get_subject().ST = "Toronto" - cert.get_subject().L = "Toronto" - cert.get_subject().O = "Company Ltd" - cert.get_subject().OU = "Company Ltd" - cert.get_subject().CN = gethostname() - cert.set_serial_number(1000) - cert.gmtime_adj_notBefore(0) - cert.gmtime_adj_notAfter(100*365*24*60*60) - cert.set_issuer(cert.get_subject()) - cert.set_pubkey(key) - cert.sign(key, 'sha256') - - open(key_file, "wt").write( - crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode('utf-8')) - open(cert_file, "wt").write( - crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')) diff --git a/kvmd/apps/vnc/server.py b/kvmd/apps/vnc/server.py index b2e6846c..e0bc5b57 100644 --- a/kvmd/apps/vnc/server.py +++ b/kvmd/apps/vnc/server.py @@ -79,6 +79,8 @@ class _Client(RfbClient): # pylint: disable=too-many-instance-attributes writer: asyncio.StreamWriter, tls_ciphers: str, tls_timeout: float, + x509_cert_path: str, + x509_key_path: str, desired_fps: int, keymap_name: str, @@ -99,6 +101,8 @@ class _Client(RfbClient): # pylint: disable=too-many-instance-attributes writer=writer, tls_ciphers=tls_ciphers, tls_timeout=tls_timeout, + x509_cert_path=x509_cert_path, + x509_key_path=x509_key_path, vnc_passwds=list(vnc_credentials), none_auth_only=none_auth_only, **dataclasses.asdict(shared_params), @@ -406,6 +410,8 @@ class VncServer: # pylint: disable=too-many-instance-attributes tls_ciphers: str, tls_timeout: float, + x509_cert_path: str, + x509_key_path: str, desired_fps: int, keymap_path: str, @@ -456,6 +462,8 @@ class VncServer: # pylint: disable=too-many-instance-attributes writer=writer, tls_ciphers=tls_ciphers, tls_timeout=tls_timeout, + x509_cert_path=x509_cert_path, + x509_key_path=x509_key_path, desired_fps=desired_fps, keymap_name=keymap_name, symmap=symmap, |