refactoring of x509

Makefile

@@ -173,6 +173,7 @@ run-vnc: testenv
 			cp /usr/share/kvmd/configs.default/kvmd/*.yaml /etc/kvmd \
 			&& cp /usr/share/kvmd/configs.default/kvmd/*passwd /etc/kvmd \
 			&& cp /usr/share/kvmd/configs.default/kvmd/main/$(if $(P),$(P),$(DEFAULT_PLATFORM)).yaml /etc/kvmd/main.yaml \
+			&& cp -a /testenv/.ssl /etc/kvmd/nginx/ssl \
 			&& cp /testenv/$(if $(P),$(P),$(DEFAULT_PLATFORM)).override.yaml /etc/kvmd/override.yaml \
 			&& $(if $(CMD),$(CMD),python -m kvmd.apps.vnc --run) \
 		"

kvmd/apps/__init__.py

@@ -586,6 +586,10 @@ def _get_config_scheme() -> Dict:
                 "tls": {
                     "ciphers": Option("ALL:@SECLEVEL=0", type=_make_ifarg(valid_ssl_ciphers, "")),
                     "timeout": Option(5.0, type=valid_float_f01),
+                    "x509": {
+                        "cert": Option("", type=_make_ifarg(valid_abs_file, "")),
+                        "key":  Option("", type=_make_ifarg(valid_abs_file, "")),
+                    },
                 },
             },
 

kvmd/apps/vnc/__init__.py

@@ -68,6 +68,8 @@ def main(argv: Optional[List[str]]=None) -> None:
 
         tls_ciphers=config.server.tls.ciphers,
         tls_timeout=config.server.tls.timeout,
+        x509_cert_path=config.server.tls.x509.cert,
+        x509_key_path=config.server.tls.x509.key,
 
         desired_fps=config.desired_fps,
         keymap_path=config.keymap,

kvmd/apps/vnc/rfb/__init__.py

@@ -42,7 +42,6 @@ from .encodings import RfbClientEncodings
 
 from .crypto import rfb_make_challenge
 from .crypto import rfb_encrypt_challenge
-from .crypto import create_self_signed_cert_if_nonexistent, key_file_name, cert_file_name
 
 from .stream import RfbClientStream
 
@@ -53,12 +52,14 @@ class RfbClient(RfbClientStream):  # pylint: disable=too-many-instance-attribute
     # https://www.toptal.com/java/implementing-remote-framebuffer-server-java
     # https://github.com/TigerVNC/tigervnc
 
-    def __init__(
+    def __init__(  # pylint: disable=too-many-arguments
         self,
         reader: asyncio.StreamReader,
         writer: asyncio.StreamWriter,
         tls_ciphers: str,
         tls_timeout: float,
+        x509_cert_path: str,
+        x509_key_path: str,
 
         width: int,
         height: int,
@@ -71,6 +72,8 @@ class RfbClient(RfbClientStream):  # pylint: disable=too-many-instance-attribute
 
         self.__tls_ciphers = tls_ciphers
         self.__tls_timeout = tls_timeout
+        self.__x509_cert_path = x509_cert_path
+        self.__x509_key_path = x509_key_path
 
         self._width = width
         self._height = height
@@ -245,7 +248,7 @@ class RfbClient(RfbClientStream):  # pylint: disable=too-many-instance-attribute
         get_logger(0).info("[main] %s: Using %s security type", self._remote, sec_name)
         await handler()
 
-    async def __handshake_security_vencrypt(self) -> None:
+    async def __handshake_security_vencrypt(self) -> None:  # pylint: disable=too-many-branches
         await self._write_struct("BB", 0, 2)  # VeNCrypt 0.2
 
         vencrypt_version = "%d.%d" % (await self._read_struct("BB"))
@@ -256,21 +259,27 @@ class RfbClient(RfbClientStream):  # pylint: disable=too-many-instance-attribute
         await self._write_struct("B", 0)
 
         if self.__none_auth_only:
-            auth_types = {1: ("VeNCrypt/None", False, self.__handshake_security_none)}
+            auth_types = {1: ("VeNCrypt/None", 0, self.__handshake_security_none)}
             if self.__tls_ciphers:
-                auth_types[257] = ("VeNCrypt/TLSNone", True, self.__handshake_security_none)
+                if self.__x509_cert_path:
+                    auth_types[260] = ("VeNCrypt/X509None", 2, self.__handshake_security_none)
+                auth_types[257] = ("VeNCrypt/TLSNone", 1, self.__handshake_security_none)
         else:
-            auth_types = {256: ("VeNCrypt/Plain", False, self.__handshake_security_vencrypt_userpass)}
+            auth_types = {256: ("VeNCrypt/Plain", 0, self.__handshake_security_vencrypt_userpass)}
             if self.__tls_ciphers:
-                auth_types[262] = ("VeNCrypt/X509Plain", True, self.__handshake_security_vencrypt_userpass)
+                if self.__x509_cert_path:
+                    auth_types[262] = ("VeNCrypt/X509Plain", 2, self.__handshake_security_vencrypt_userpass)
+                auth_types[259] = ("VeNCrypt/TLSPlain", 1, self.__handshake_security_vencrypt_userpass)
             if self.__vnc_passwds:
                 # Vinagre не умеет работать с VNC Auth через VeNCrypt, но это его проблемы,
                 # так как он своеобразно трактует рекомендации VeNCrypt.
                 # Подробнее: https://bugzilla.redhat.com/show_bug.cgi?id=692048
                 # Hint: используйте любой другой нормальный VNC-клиент.
-                auth_types[2] = ("VeNCrypt/VNCAuth", False, self.__handshake_security_vnc_auth)
+                auth_types[2] = ("VeNCrypt/VNCAuth", 0, self.__handshake_security_vnc_auth)
                 if self.__tls_ciphers:
-                    auth_types[258] = ("VeNCrypt/TLSVNCAuth", True, self.__handshake_security_vnc_auth)
+                    if self.__x509_cert_path:
+                        auth_types[261] = ("VeNCrypt/X509VNCAuth", 2, self.__handshake_security_vnc_auth)
+                    auth_types[258] = ("VeNCrypt/TLSVNCAuth", 1, self.__handshake_security_vnc_auth)
 
         await self._write_struct("B" + "L" * len(auth_types), len(auth_types), *auth_types)
 
@@ -285,8 +294,9 @@ class RfbClient(RfbClientStream):  # pylint: disable=too-many-instance-attribute
             assert self.__tls_ciphers, (self.__tls_ciphers, auth_name, tls, handler)
             await self._write_struct("B", 1)  # Ack
             ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-            create_self_signed_cert_if_nonexistent(key_file_name, cert_file_name)
+            if tls == 2:
-            ssl_context.load_cert_chain(keyfile=key_file_name, certfile=cert_file_name)
+                assert self.__x509_cert_path
+                ssl_context.load_cert_chain(self.__x509_cert_path, (self.__x509_key_path or None))
             ssl_context.set_ciphers(self.__tls_ciphers)
             await self._start_tls(ssl_context, self.__tls_timeout)
 

kvmd/apps/vnc/rfb/crypto.py

@@ -26,14 +26,6 @@ from typing import List
 
 import passlib.crypto.des
 
-from OpenSSL import crypto, SSL
-from socket import gethostname
-from pprint import pprint
-from time import gmtime, mktime
-import os.path
-
-key_file_name = "private_vnc.key"
-cert_file_name = "self_signed_cert.crt"
 
 # =====
 def rfb_make_challenge() -> bytes:
@@ -59,30 +51,3 @@ def _make_key(passwd: bytes) -> bytes:
                 btgt = btgt | (1 << 7 - index)
         key.append(btgt)
     return bytes(key)
-
-
-def create_self_signed_cert_if_nonexistent(key_file, cert_file):
-    if os.path.isfile(key_file) and os.path.isfile(cert_file):
-        return
-
-    key = crypto.PKey()
-    key.generate_key(crypto.TYPE_RSA, 2048)
-
-    cert = crypto.X509()
-    cert.get_subject().C = "CA"
-    cert.get_subject().ST = "Toronto"
-    cert.get_subject().L = "Toronto"
-    cert.get_subject().O = "Company Ltd"
-    cert.get_subject().OU = "Company Ltd"
-    cert.get_subject().CN = gethostname()
-    cert.set_serial_number(1000)
-    cert.gmtime_adj_notBefore(0)
-    cert.gmtime_adj_notAfter(100*365*24*60*60)
-    cert.set_issuer(cert.get_subject())
-    cert.set_pubkey(key)
-    cert.sign(key, 'sha256')
-
-    open(key_file, "wt").write(
-        crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode('utf-8'))
-    open(cert_file, "wt").write(
-        crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))

kvmd/apps/vnc/server.py

@@ -79,6 +79,8 @@ class _Client(RfbClient):  # pylint: disable=too-many-instance-attributes
         writer: asyncio.StreamWriter,
         tls_ciphers: str,
         tls_timeout: float,
+        x509_cert_path: str,
+        x509_key_path: str,
 
         desired_fps: int,
         keymap_name: str,
@@ -99,6 +101,8 @@ class _Client(RfbClient):  # pylint: disable=too-many-instance-attributes
             writer=writer,
             tls_ciphers=tls_ciphers,
             tls_timeout=tls_timeout,
+            x509_cert_path=x509_cert_path,
+            x509_key_path=x509_key_path,
             vnc_passwds=list(vnc_credentials),
             none_auth_only=none_auth_only,
             **dataclasses.asdict(shared_params),
@@ -406,6 +410,8 @@ class VncServer:  # pylint: disable=too-many-instance-attributes
 
         tls_ciphers: str,
         tls_timeout: float,
+        x509_cert_path: str,
+        x509_key_path: str,
 
         desired_fps: int,
         keymap_path: str,
@@ -456,6 +462,8 @@ class VncServer:  # pylint: disable=too-many-instance-attributes
                     writer=writer,
                     tls_ciphers=tls_ciphers,
                     tls_timeout=tls_timeout,
+                    x509_cert_path=x509_cert_path,
+                    x509_key_path=x509_key_path,
                     desired_fps=desired_fps,
                     keymap_name=keymap_name,
                     symmap=symmap,