feat(tls): rewrite tls feature

2025-04-07 13:23:16 +02:00 · 2025-04-07 13:23:16 +02:00 · 34067c13c7
parent c939a02f33
commit 34067c13c7
8 changed files with 322 additions and 27 deletions
--- a/3
+++ b/3
@ -8,6 +8,9 @@ VERSION := 0.3.8
 PROMETHEUS_TAG := github.com/prometheus/common/version
 KVM_PKG_NAME := github.com/jetkvm/kvm

+PROMETHEUS_TAG := github.com/prometheus/common/version
+KVM_PKG_NAME := github.com/jetkvm/kvm
+
 GO_LDFLAGS := \
  -s -w \
  -X $(PROMETHEUS_TAG).Branch=$(BRANCH) \
--- a/config.go
+++ b/config.go
@ -90,7 +90,7 @@ type Config struct {
 	DisplayMaxBrightness int                `json:"display_max_brightness"`
 	DisplayDimAfterSec   int                `json:"display_dim_after_sec"`
 	DisplayOffAfterSec   int                `json:"display_off_after_sec"`
-	TLSMode              string             `json:"tls_mode"`
+	TLSMode              string             `json:"tls_mode"` // options: "self-signed", "user-defined", ""
 	UsbConfig            *usbgadget.Config  `json:"usb_config"`
 	UsbDevices           *usbgadget.Devices `json:"usb_devices"`
 }
--- a/internal/websecure/selfsign.go
+++ b/internal/websecure/selfsign.go
@ -29,7 +29,14 @@ type SelfSigner struct {
 	DefaultOU     string
 }

-func NewSelfSigner(store *CertStore, log logging.LeveledLogger, defaultDomain, defaultOrg, defaultOU, caName string) *SelfSigner {
+func NewSelfSigner(
+	store *CertStore,
+	log logging.LeveledLogger,
+	defaultDomain,
+	defaultOrg,
+	defaultOU,
+	caName string,
+) *SelfSigner {
 	return &SelfSigner{
 		store:         store,
 		log:           log,
@ -177,6 +184,5 @@ func (s *SelfSigner) GetCertificate(info *tls.ClientHelloInfo) (*tls.Certificate
 	}

 	cert := s.createSelfSignedCert(hostname)
-
 	return cert, nil
 }
--- a/internal/websecure/store.go
+++ b/internal/websecure/store.go
@ -95,6 +95,51 @@ func (s *CertStore) loadCertificate(hostname string) {
 	s.log.Infof("Loaded certificate for %s", hostname)
 }

+// GetCertificate returns the certificate for the given hostname
+// returns nil if the certificate is not found
+func (s *CertStore) GetCertificate(hostname string) *tls.Certificate {
+	s.certLock.Lock()
+	defer s.certLock.Unlock()
+
+	return s.certificates[hostname]
+}
+
+// ValidateAndSaveCertificate validates the certificate and saves it to the store
+// returns are:
+// - error: if the certificate is invalid or if there's any error during saving the certificate
+// - error: if there's any warning or error during saving the certificate
+func (s *CertStore) ValidateAndSaveCertificate(hostname string, cert string, key string, ignoreWarning bool) (error, error) {
+	tlsCert, err := tls.X509KeyPair([]byte(cert), []byte(key))
+	if err != nil {
+		return fmt.Errorf("Failed to parse certificate: %w", err), nil
+	}
+
+	// this can be skipped as current implementation supports one custom certificate only
+	if tlsCert.Leaf != nil {
+		// add recover to avoid panic
+		defer func() {
+			if r := recover(); r != nil {
+				s.log.Errorf("Failed to verify hostname: %v", r)
+			}
+		}()
+
+		if err = tlsCert.Leaf.VerifyHostname(hostname); err != nil {
+			if !ignoreWarning {
+				return nil, fmt.Errorf("Certificate does not match hostname: %w", err)
+			}
+			s.log.Warnf("Certificate does not match hostname: %v", err)
+		}
+	}
+
+	s.certLock.Lock()
+	s.certificates[hostname] = &tlsCert
+	s.certLock.Unlock()
+
+	s.saveCertificate(hostname)
+
+	return nil, nil
+}
+
 func (s *CertStore) saveCertificate(hostname string) {
 	// check if certificate already exists
 	tlsCert := s.certificates[hostname]
--- a/jsonrpc.go
+++ b/jsonrpc.go
@ -95,7 +95,7 @@ func onRPCMessage(message webrtc.DataChannelMessage, session *Session) {
 		return
 	}

-	//logger.Infof("Received RPC request: Method=%s, Params=%v, ID=%d", request.Method, request.Params, request.ID)
+	logger.Tracef("Received RPC request: Method=%s, Params=%v, ID=%w", request.Method, request.Params, request.ID)
 	handler, ok := rpcHandlers[request.Method]
 	if !ok {
 		errorResponse := JSONRPCResponse{
@ -110,6 +110,7 @@ func onRPCMessage(message webrtc.DataChannelMessage, session *Session) {
 		return
 	}

+	logger.Tracef("Calling RPC handler: %s, ID=%w", request.Method, request.ID)
 	result, err := callRPCHandler(handler, request.Params)
 	if err != nil {
 		errorResponse := JSONRPCResponse{
@ -125,6 +126,7 @@ func onRPCMessage(message webrtc.DataChannelMessage, session *Session) {
 		return
 	}

+	logger.Tracef("RPC handler returned: %v, ID=%w", result, request.ID)
 	response := JSONRPCResponse{
 		JSONRPC: "2.0",
 		Result:  result,
@ -141,6 +143,30 @@ func rpcGetDeviceID() (string, error) {
 	return GetDeviceID(), nil
 }

+func rpcReboot(force bool) error {
+	logger.Info("Got reboot request from JSONRPC, rebooting...")
+
+	args := []string{}
+	if force {
+		args = append(args, "-f")
+	}
+
+	cmd := exec.Command("reboot", args...)
+	err := cmd.Start()
+	if err != nil {
+		logger.Errorf("failed to reboot: %v", err)
+		return fmt.Errorf("failed to reboot: %w", err)
+	}
+
+	// If the reboot command is successful, exit the program after 5 seconds
+	go func() {
+		time.Sleep(5 * time.Second)
+		os.Exit(0)
+	}()
+
+	return nil
+}
+
 var streamFactor = 1.0

 func rpcGetStreamQualityFactor() (float64, error) {
@ -375,6 +401,14 @@ func rpcSetSSHKeyState(sshKey string) error {
 	return nil
 }

+func rpcGetTLSState() TLSState {
+	return getTLSState()
+}
+
+func rpcSetTLSState(tlsState TLSState) error {
+	return setTLSState(tlsState)
+}
+
 func callRPCHandler(handler RPCHandler, params map[string]interface{}) (interface{}, error) {
 	handlerValue := reflect.ValueOf(handler.Func)
 	handlerType := handlerValue.Type()
@ -892,6 +926,7 @@ func setKeyboardMacros(params KeyboardMacrosParams) (interface{}, error) {

 var rpcHandlers = map[string]RPCHandler{
 	"ping":                   {Func: rpcPing},
+	"reboot":                 {Func: rpcReboot, Params: []string{"force"}},
 	"getDeviceID":            {Func: rpcGetDeviceID},
 	"deregisterDevice":       {Func: rpcDeregisterDevice},
 	"getCloudState":          {Func: rpcGetCloudState},
@ -920,6 +955,8 @@ var rpcHandlers = map[string]RPCHandler{
 	"setDevModeState":        {Func: rpcSetDevModeState, Params: []string{"enabled"}},
 	"getSSHKeyState":         {Func: rpcGetSSHKeyState},
 	"setSSHKeyState":         {Func: rpcSetSSHKeyState, Params: []string{"sshKey"}},
+	"getTLSState":            {Func: rpcGetTLSState},
+	"setTLSState":            {Func: rpcSetTLSState, Params: []string{"state"}},
 	"setMassStorageMode":     {Func: rpcSetMassStorageMode, Params: []string{"mode"}},
 	"getMassStorageMode":     {Func: rpcGetMassStorageMode},
 	"isUpdatePending":        {Func: rpcIsUpdatePending},
--- a/main.go
+++ b/main.go
@ -69,6 +69,7 @@ func Main() {
 	}()
 	//go RunFuseServer()
 	go RunWebServer()
+
 	if config.TLSMode != "" {
 		initCertStore()
 		go RunWebSecureServer()
--- a/ui/src/routes/devices.$id.settings.access._index.tsx
+++ b/ui/src/routes/devices.$id.settings.access._index.tsx
@ -18,6 +18,13 @@ import { isOnDevice } from "@/main";
 import { LocalDevice } from "./devices.$id";
 import { SettingsItem } from "./devices.$id.settings";
 import { CloudState } from "./adopt";
+import { TextAreaWithLabel } from "@components/TextArea";
+
+export interface TLSState {
+  mode: "selfsigned" | "custom" | "disabled";
+  certificate?: string;
+  privateKey?: string;
+};

 export const loader = async () => {
  if (isOnDevice) {
@ -44,6 +51,9 @@ export default function SettingsAccessIndexRoute() {

  // Use a simple string identifier for the selected provider
  const [selectedProvider, setSelectedProvider] = useState<string>("jetkvm");
+  const [tlsMode, setTlsMode] = useState<string>("self-signed");
+  const [tlsCert, setTlsCert] = useState<string>("");
+  const [tlsKey, setTlsKey] = useState<string>("");

  const getCloudState = useCallback(() => {
    send("getCloudState", {}, resp => {
@ -66,6 +76,17 @@ export default function SettingsAccessIndexRoute() {
    });
  }, [send]);

+  const getTLSState = useCallback(() => {
+    send("getTLSState", {}, resp => {
+      if ("error" in resp) return console.error(resp.error);
+      const tlsState = resp.result as TLSState;
+
+      setTlsMode(tlsState.mode);
+      if (tlsState.certificate) setTlsCert(tlsState.certificate);
+      if (tlsState.privateKey) setTlsKey(tlsState.privateKey);
+    });
+  }, [send]);
+
  const deregisterDevice = async () => {
    send("deregisterDevice", {}, resp => {
      if ("error" in resp) {
@ -126,15 +147,51 @@ export default function SettingsAccessIndexRoute() {
    }
  };

+  // Handle TLS mode change
+  const handleTlsModeChange = (value: string) => {
+    setTlsMode(value);
+  };
+
+  const handleTlsCertChange = (value: string) => {
+    setTlsCert(value);
+  };
+
+  const handleTlsKeyChange = (value: string) => {
+    setTlsKey(value);
+  };
+
+  const handleTlsUpdate = useCallback(() => {
+    send("setTLSState", { state: { mode: tlsMode, certificate: tlsCert, privateKey: tlsKey } as TLSState }, resp => {
+      if ("error" in resp) {
+        notifications.error(`Failed to update TLS settings: ${resp.error.data || "Unknown error"}`);
+        return;
+      }
+
+      notifications.success("TLS settings updated successfully");
+    });
+  }, [send, tlsMode, tlsCert, tlsKey]);
+
+  const handleReboot = useCallback(() => {
+    send("reboot", { force: false }, resp => {
+      if ("error" in resp) {
+        notifications.error(`Failed to reboot: ${resp.error.data || "Unknown error"}`);
+        return;
+      }
+
+      notifications.success("Device will restart shortly, it might take a few seconds to boot up again.");
+    });
+  }, [send]);
+
  // Fetch device ID and cloud state on component mount
  useEffect(() => {
    getCloudState();
+    getTLSState();

    send("getDeviceID", {}, async resp => {
      if ("error" in resp) return console.error(resp.error);
      setDeviceId(resp.result as string);
    });
-  }, [send, getCloudState]);
+  }, [send, getCloudState, getTLSState]);

  return (
    <div className="space-y-4">
@ -150,30 +207,106 @@ export default function SettingsAccessIndexRoute() {
              title="Local"
              description="Manage the mode of local access to the device"
            />
-            <SettingsItem
-              title="Authentication Mode"
-              description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
-            >
-              {loaderData.authMode === "password" ? (
-                <Button
+            <>
+              <SettingsItem
+                title="HTTPS/TLS Mode"
+                description={<>
+                  Select the TLS mode for your device (beta)<br />
+                  <small>changing this setting might restart the device</small>
+                </>}
+              >
+                <SelectMenuBasic
                  size="SM"
-                  theme="light"
-                  text="Disable Protection"
-                  onClick={() => {
-                    navigateTo("./local-auth", { state: { init: "deletePassword" } });
-                  }}
-                />
-              ) : (
-                <Button
-                  size="SM"
-                  theme="light"
-                  text="Enable Password"
-                  onClick={() => {
-                    navigateTo("./local-auth", { state: { init: "createPassword" } });
-                  }}
+                  value={tlsMode}
+                  onChange={e => handleTlsModeChange(e.target.value)}
+                  options={[
+                    { value: "selfsigned", label: "Self-signed" },
+                    { value: "custom", label: "Custom" },
+                    { value: "disabled", label: "Disabled" },
+                  ]}
                />
+              </SettingsItem>
+
+              <div className="space-y-4">
+                <p className="text-xs text-slate-600 dark:text-slate-400">
+                  If TLS wasn't enabled before, you'll need to <strong>reboot</strong> the device to apply the changes.<br />
+                </p>
+
+                <div className="flex items-center gap-x-2">
+                  <Button
+                    size="SM"
+                    theme="primary"
+                    text="Update TLS Settings"
+                    onClick={handleTlsUpdate}
+                  />
+                  <Button
+                    size="SM"
+                    theme="danger"
+                    text="Reboot"
+                    onClick={handleReboot}
+                  />
+                </div>
+              </div>
+
+              {tlsMode === "custom" && (
+                <div className="mt-4 space-y-4">
+                  <div className="space-y-4">
+                    <SettingsItem
+                      title="TLS Certificate"
+                      description="Enter your TLS certificate here, if intermediate or root CA is used, you can paste the entire chain here too"
+                    />
+                    <div className="space-y-4">
+                      <TextAreaWithLabel
+                        label="Certificate"
+                        rows={3}
+                        placeholder={"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}
+                        value={tlsCert}
+                        onChange={e => handleTlsCertChange(e.target.value)}
+                      />
+                    </div>
+
+                    <div className="space-y-4">
+                      <div className="space-y-4">
+                        <TextAreaWithLabel
+                          label="Private Key"
+                          rows={3}
+                          placeholder={"-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"}
+                          value={tlsKey}
+                          onChange={e => handleTlsKeyChange(e.target.value)}
+                        />
+                        <p className="text-xs text-slate-600 dark:text-slate-400">
+                          Private key won't be shown again after saving.
+                        </p>
+                      </div>
+                    </div>
+                  </div>
+                </div>
              )}
-            </SettingsItem>
+              <SettingsItem
+                title="Authentication Mode"
+                description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
+              >
+                {loaderData.authMode === "password" ? (
+                  <Button
+                    size="SM"
+                    theme="light"
+                    text="Disable Protection"
+                    onClick={() => {
+                      navigateTo("./local-auth", { state: { init: "deletePassword" } });
+                    }}
+                  />
+                ) : (
+                  <Button
+                    size="SM"
+                    theme="light"
+                    text="Enable Password"
+                    onClick={() => {
+                      navigateTo("./local-auth", { state: { init: "createPassword" } });
+                    }}
+                  />
+                )}
+              </SettingsItem>
+            </>

            {loaderData.authMode === "password" && (
              <SettingsItem
--- a/web_tls.go
+++ b/web_tls.go
@ -2,6 +2,8 @@ package kvm

 import (
 	"crypto/tls"
+	"encoding/pem"
+	"fmt"
 	"net/http"

 	"github.com/jetkvm/kvm/internal/websecure"
@ -14,6 +16,7 @@ const (
 	webSecureSelfSignedCAName        = "JetKVM Self-Signed CA"
 	webSecureSelfSignedOrganization  = "JetKVM"
 	webSecureSelfSignedOU            = "JetKVM Self-Signed"
+	webSecureCustomCertificateName   = "user-defined"
 )

 var (
@ -21,6 +24,12 @@ var (
 	certSigner *websecure.SelfSigner
 )

+type TLSState struct {
+	Mode        string `json:"mode"`
+	Certificate string `json:"certificate"`
+	PrivateKey  string `json:"privateKey"`
+}
+
 func initCertStore() {
 	certStore = websecure.NewCertStore(tlsStorePath)
 	certStore.LoadCertificates()
@ -35,6 +44,67 @@ func initCertStore() {
 	)
 }

+func getCertificate(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if config.TLSMode == "self-signed" {
+		if isTimeSyncNeeded() || !timeSyncSuccess {
+			return nil, fmt.Errorf("time is not synced")
+		}
+		return certSigner.GetCertificate(info)
+	} else if config.TLSMode == "custom" {
+		return certStore.GetCertificate(webSecureCustomCertificateName), nil
+	}
+
+	logger.Infof("TLS mode is disabled but WebSecure is running, returning nil")
+	return nil, nil
+}
+
+func getTLSState() TLSState {
+	s := TLSState{}
+	switch config.TLSMode {
+	case "disabled":
+		s.Mode = "disabled"
+	case "custom":
+		s.Mode = "custom"
+		cert := certStore.GetCertificate(webSecureCustomCertificateName)
+		if cert != nil {
+			var certPEM []byte
+			// convert to pem format
+			for _, c := range cert.Certificate {
+				block := pem.Block{
+					Type:  "CERTIFICATE",
+					Bytes: c,
+				}
+
+				certPEM = append(certPEM, pem.EncodeToMemory(&block)...)
+			}
+			s.Certificate = string(certPEM)
+		}
+	case "self-signed":
+		s.Mode = "self-signed"
+	}
+
+	return s
+}
+
+func setTLSState(s TLSState) error {
+	switch s.Mode {
+	case "disabled":
+		config.TLSMode = ""
+	case "custom":
+		// parse pem to cert and key
+		err, _ := certStore.ValidateAndSaveCertificate(webSecureCustomCertificateName, s.Certificate, s.PrivateKey, true)
+		// warn doesn't matter as ... we don't know the hostname yet
+		if err != nil {
+			return fmt.Errorf("Failed to save certificate: %w", err)
+		}
+		config.TLSMode = "custom"
+	case "self-signed":
+		config.TLSMode = "self-signed"
+	}
+	SaveConfig()
+	return nil
+}
+
 // RunWebSecureServer runs a web server with TLS.
 func RunWebSecureServer() {
 	r := setupRouter()
@ -45,7 +115,7 @@ func RunWebSecureServer() {
 		TLSConfig: &tls.Config{
 			MaxVersion:       tls.VersionTLS13,
 			CurvePreferences: []tls.CurveID{},
-			GetCertificate:   certSigner.GetCertificate,
+			GetCertificate:   getCertificate,
 		},
 	}
 	logger.Info().Str("listen", WebSecureListen).Msg("Starting websecure server")