Superminaren
/
kvm
mirror of https://github.com/jetkvm/kvm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat(tls): add simple tls support

This commit is contained in:
Siyuan Miao 2025-03-07 20:14:22 +01:00
parent 0f6199d18b
commit 8c07e71d01
3 changed files with 137 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config.go
View File

@ -37,6 +37,7 @@ type Config struct {
DisplayMaxBrightness int `json:"display_max_brightness"` DisplayMaxBrightness int `json:"display_max_brightness"`
DisplayDimAfterSec int `json:"display_dim_after_sec"` DisplayDimAfterSec int `json:"display_dim_after_sec"`
DisplayOffAfterSec int `json:"display_off_after_sec"` DisplayOffAfterSec int `json:"display_off_after_sec"`
TLSMode string `json:"tls_mode"`
UsbConfig *UsbConfig `json:"usb_config"` UsbConfig *UsbConfig `json:"usb_config"`
} }
@ -50,6 +51,7 @@ var defaultConfig = &Config{
DisplayMaxBrightness: 64, DisplayMaxBrightness: 64,
DisplayDimAfterSec: 120, // 2 minutes DisplayDimAfterSec: 120, // 2 minutes
DisplayOffAfterSec: 1800, // 30 minutes DisplayOffAfterSec: 1800, // 30 minutes
TLSMode: "",
UsbConfig: &UsbConfig{ UsbConfig: &UsbConfig{
VendorId: "0x1d6b", //The Linux Foundation VendorId: "0x1d6b", //The Linux Foundation
ProductId: "0x0104", //Multifunction Composite Gadget ProductId: "0x0104", //Multifunction Composite Gadget

3
main.go
View File

@ -68,6 +68,9 @@ func Main() {
}() }()
//go RunFuseServer() //go RunFuseServer()
go RunWebServer() go RunWebServer()
if config.TLSMode != "" {
go RunWebSecureServer()
}
// If the cloud token isn't set, the client won't be started by default. // If the cloud token isn't set, the client won't be started by default.
// However, if the user adopts the device via the web interface, handleCloudRegister will start the client. // However, if the user adopts the device via the web interface, handleCloudRegister will start the client.
if config.CloudToken != "" { if config.CloudToken != "" {

132
web_tls.go Normal file
View File

@ -0,0 +1,132 @@
package kvm
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"log"
"math/big"
"net"
"net/http"
"strings"
"sync"
"time"
)
const (
WebSecureListen = ":443"
WebSecureSelfSignedDefaultDomain = "jetkvm.local"
WebSecureSelfSignedDuration = 365 * 24 * time.Hour
)
var (
tlsCerts = make(map[string]*tls.Certificate)
tlsCertLock = &sync.Mutex{}
)
// RunWebSecureServer runs a web server with TLS.
func RunWebSecureServer() {
r := setupRouter()
server := &http.Server{
Addr: WebSecureListen,
Handler: r,
TLSConfig: &tls.Config{
// TODO: cache certificate in persistent storage
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
hostname := WebSecureSelfSignedDefaultDomain
if info.ServerName != "" {
hostname = info.ServerName
} else {
hostname = strings.Split(info.Conn.LocalAddr().String(), ":")[0]
}
logger.Infof("TLS handshake for %s, SupportedProtos: %v", hostname, info.SupportedProtos)
cert := createSelfSignedCert(hostname)
return cert, nil
},
},
}
logger.Infof("Starting websecure server on %s", RunWebSecureServer)
err := server.ListenAndServeTLS("", "")
if err != nil {
panic(err)
}
return
}
func createSelfSignedCert(hostname string) *tls.Certificate {
if tlsCert := tlsCerts[hostname]; tlsCert != nil {
return tlsCert
}
tlsCertLock.Lock()
defer tlsCertLock.Unlock()
logger.Infof("Creating self-signed certificate for %s", hostname)
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
log.Fatalf("Failed to generate private key: %v", err)
}
keyUsage := x509.KeyUsageDigitalSignature
notBefore := time.Now()
notAfter := notBefore.AddDate(1, 0, 0)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
logger.Errorf("Failed to generate serial number: %v", err)
}
dnsName := hostname
ip := net.ParseIP(hostname)
if ip != nil {
dnsName = WebSecureSelfSignedDefaultDomain
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: hostname,
Organization: []string{"JetKVM"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: keyUsage,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{dnsName},
IPAddresses: []net.IP{},
}
if ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
logger.Errorf("Failed to create certificate: %v", err)
}
cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
if cert == nil {
logger.Errorf("Failed to encode certificate")
}
tlsCert := &tls.Certificate{
Certificate: [][]byte{derBytes},
PrivateKey: priv,
}
tlsCerts[hostname] = tlsCert
return tlsCert
}