Superminaren
/
kvm
mirror of https://github.com/jetkvm/kvm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat(tls): rewrite tls feature

This commit is contained in:
Siyuan Miao 2025-04-07 13:23:16 +02:00
parent 8f6671f7f9
commit a12e081c2e
9 changed files with 356 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile
View File

@ -8,6 +8,9 @@ VERSION := 0.3.8
PROMETHEUS_TAG := github.com/prometheus/common/version
KVM_PKG_NAME := github.com/jetkvm/kvm
PROMETHEUS_TAG := github.com/prometheus/common/version
KVM_PKG_NAME := github.com/jetkvm/kvm
GO_LDFLAGS := \
-s -w \
-X $(PROMETHEUS_TAG).Branch=$(BRANCH) \

2
config.go
View File

@ -31,7 +31,7 @@ type Config struct {
DisplayMaxBrightness int `json:"display_max_brightness"`
DisplayDimAfterSec int `json:"display_dim_after_sec"`
DisplayOffAfterSec int `json:"display_off_after_sec"`
TLSMode string `json:"tls_mode"`
TLSMode string `json:"tls_mode"` // options: "self-signed", "user-defined", ""
UsbConfig *usbgadget.Config `json:"usb_config"`
UsbDevices *usbgadget.Devices `json:"usb_devices"`
}

10
internal/websecure/selfsign.go
View File

@ -29,7 +29,14 @@ type SelfSigner struct {
DefaultOU string
}
func NewSelfSigner(store *CertStore, log logging.LeveledLogger, defaultDomain, defaultOrg, defaultOU, caName string) *SelfSigner {
func NewSelfSigner(
store *CertStore,
log logging.LeveledLogger,
defaultDomain,
defaultOrg,
defaultOU,
caName string,
) *SelfSigner {
return &SelfSigner{
store: store,
log: log,
@ -177,6 +184,5 @@ func (s *SelfSigner) GetCertificate(info *tls.ClientHelloInfo) (*tls.Certificate
}
cert := s.createSelfSignedCert(hostname)
return cert, nil
}

45
internal/websecure/store.go
View File

@ -95,6 +95,51 @@ func (s *CertStore) loadCertificate(hostname string) {
s.log.Infof("Loaded certificate for %s", hostname)
}
// GetCertificate returns the certificate for the given hostname
// returns nil if the certificate is not found
func (s *CertStore) GetCertificate(hostname string) *tls.Certificate {
s.certLock.Lock()
defer s.certLock.Unlock()
return s.certificates[hostname]
}
// ValidateAndSaveCertificate validates the certificate and saves it to the store
// returns are:
// - error: if the certificate is invalid or if there's any error during saving the certificate
// - error: if there's any warning or error during saving the certificate
func (s *CertStore) ValidateAndSaveCertificate(hostname string, cert string, key string, ignoreWarning bool) (error, error) {
tlsCert, err := tls.X509KeyPair([]byte(cert), []byte(key))
if err != nil {
return fmt.Errorf("Failed to parse certificate: %w", err), nil
}
// this can be skipped as current implementation supports one custom certificate only
if tlsCert.Leaf != nil {
// add recover to avoid panic
defer func() {
if r := recover(); r != nil {
s.log.Errorf("Failed to verify hostname: %v", r)
}
}()
if err = tlsCert.Leaf.VerifyHostname(hostname); err != nil {
if !ignoreWarning {
return nil, fmt.Errorf("Certificate does not match hostname: %w", err)
}
s.log.Warnf("Certificate does not match hostname: %v", err)
}
}
s.certLock.Lock()
s.certificates[hostname] = &tlsCert
s.certLock.Unlock()
s.saveCertificate(hostname)
return nil, nil
}
func (s *CertStore) saveCertificate(hostname string) {
// check if certificate already exists
tlsCert := s.certificates[hostname]

39
jsonrpc.go
View File

@ -95,7 +95,7 @@ func onRPCMessage(message webrtc.DataChannelMessage, session *Session) {
return
}
//logger.Infof("Received RPC request: Method=%s, Params=%v, ID=%d", request.Method, request.Params, request.ID)
logger.Tracef("Received RPC request: Method=%s, Params=%v, ID=%w", request.Method, request.Params, request.ID)
handler, ok := rpcHandlers[request.Method]
if !ok {
errorResponse := JSONRPCResponse{
@ -110,6 +110,7 @@ func onRPCMessage(message webrtc.DataChannelMessage, session *Session) {
return
}
logger.Tracef("Calling RPC handler: %s, ID=%w", request.Method, request.ID)
result, err := callRPCHandler(handler, request.Params)
if err != nil {
errorResponse := JSONRPCResponse{
@ -125,6 +126,7 @@ func onRPCMessage(message webrtc.DataChannelMessage, session *Session) {
return
}
logger.Tracef("RPC handler returned: %v, ID=%w", result, request.ID)
response := JSONRPCResponse{
JSONRPC: "2.0",
Result: result,
@ -141,6 +143,30 @@ func rpcGetDeviceID() (string, error) {
return GetDeviceID(), nil
}
func rpcReboot(force bool) error {
logger.Info("Got reboot request from JSONRPC, rebooting...")
args := []string{}
if force {
args = append(args, "-f")
}
cmd := exec.Command("reboot", args...)
err := cmd.Start()
if err != nil {
logger.Errorf("failed to reboot: %v", err)
return fmt.Errorf("failed to reboot: %w", err)
}
// If the reboot command is successful, exit the program after 5 seconds
go func() {
time.Sleep(5 * time.Second)
os.Exit(0)
}()
return nil
}
var streamFactor = 1.0
func rpcGetStreamQualityFactor() (float64, error) {
@ -375,6 +401,14 @@ func rpcSetSSHKeyState(sshKey string) error {
return nil
}
func rpcGetTLSState() TLSState {
return getTLSState()
}
func rpcSetTLSState(tlsState TLSState) error {
return setTLSState(tlsState)
}
func callRPCHandler(handler RPCHandler, params map[string]interface{}) (interface{}, error) {
handlerValue := reflect.ValueOf(handler.Func)
handlerType := handlerValue.Type()
@ -794,6 +828,7 @@ func rpcSetScrollSensitivity(sensitivity string) error {
var rpcHandlers = map[string]RPCHandler{
"ping": {Func: rpcPing},
"reboot": {Func: rpcReboot, Params: []string{"force"}},
"getDeviceID": {Func: rpcGetDeviceID},
"deregisterDevice": {Func: rpcDeregisterDevice},
"getCloudState": {Func: rpcGetCloudState},
@ -822,6 +857,8 @@ var rpcHandlers = map[string]RPCHandler{
"setDevModeState": {Func: rpcSetDevModeState, Params: []string{"enabled"}},
"getSSHKeyState": {Func: rpcGetSSHKeyState},
"setSSHKeyState": {Func: rpcSetSSHKeyState, Params: []string{"sshKey"}},
"getTLSState": {Func: rpcGetTLSState},
"setTLSState": {Func: rpcSetTLSState, Params: []string{"state"}},
"setMassStorageMode": {Func: rpcSetMassStorageMode, Params: []string{"mode"}},
"getMassStorageMode": {Func: rpcGetMassStorageMode},
"isUpdatePending": {Func: rpcIsUpdatePending},

1
main.go
View File

@ -69,6 +69,7 @@ func Main() {
}()
//go RunFuseServer()
go RunWebServer()
if config.TLSMode != "" {
initCertStore()
go RunWebSecureServer()

33
ntp.go
View File

@ -5,6 +5,7 @@ import (
"fmt"
"net/http"
"os/exec"
"strconv"
"time"
"github.com/beevik/ntp"
@ -20,13 +21,41 @@ const (
)
var (
builtTimestamp string
timeSyncRetryInterval = 0 * time.Second
timeSyncSuccess = false
defaultNTPServers = []string{
"time.cloudflare.com",
"time.apple.com",
}
)
func isTimeSyncNeeded() bool {
if builtTimestamp == "" {
logger.Warnf("Built timestamp is not set, time sync is needed")
return true
}
ts, err := strconv.Atoi(builtTimestamp)
if err != nil {
logger.Warnf("Failed to parse built timestamp: %v", err)
return true
}
// builtTimestamp is UNIX timestamp in seconds
builtTime := time.Unix(int64(ts), 0)
now := time.Now()
logger.Tracef("Built time: %v, now: %v", builtTime, now)
if now.Sub(builtTime) < 0 {
logger.Warnf("System time is behind the built time, time sync is needed")
return true
}
return false
}
func TimeSyncLoop() {
for {
if !networkState.checked {
@ -40,6 +69,9 @@ func TimeSyncLoop() {
continue
}
// check if time sync is needed, but do nothing for now
isTimeSyncNeeded()
logger.Infof("Syncing system time")
start := time.Now()
err := SyncSystemTime()
@ -56,6 +88,7 @@ func TimeSyncLoop() {
continue
}
timeSyncSuccess = true
logger.Infof("Time sync successful, now is: %v, time taken: %v", time.Now(), time.Since(start))
time.Sleep(timeSyncInterval) // after the first sync is done
}

177
ui/src/routes/devices.$id.settings.access._index.tsx
View File

@ -18,6 +18,13 @@ import { isOnDevice } from "@/main";
import { LocalDevice } from "./devices.$id";
import { SettingsItem } from "./devices.$id.settings";
import { CloudState } from "./adopt";
import { TextAreaWithLabel } from "@components/TextArea";
export interface TLSState {
mode: "selfsigned" | "custom" | "disabled";
certificate?: string;
privateKey?: string;
};
export const loader = async () => {
if (isOnDevice) {
@ -44,6 +51,9 @@ export default function SettingsAccessIndexRoute() {
// Use a simple string identifier for the selected provider
const [selectedProvider, setSelectedProvider] = useState<string>("jetkvm");
const [tlsMode, setTlsMode] = useState<string>("self-signed");
const [tlsCert, setTlsCert] = useState<string>("");
const [tlsKey, setTlsKey] = useState<string>("");
const getCloudState = useCallback(() => {
send("getCloudState", {}, resp => {
@ -66,6 +76,17 @@ export default function SettingsAccessIndexRoute() {
});
}, [send]);
const getTLSState = useCallback(() => {
send("getTLSState", {}, resp => {
if ("error" in resp) return console.error(resp.error);
const tlsState = resp.result as TLSState;
setTlsMode(tlsState.mode);
if (tlsState.certificate) setTlsCert(tlsState.certificate);
if (tlsState.privateKey) setTlsKey(tlsState.privateKey);
});
}, [send]);
const deregisterDevice = async () => {
send("deregisterDevice", {}, resp => {
if ("error" in resp) {
@ -126,15 +147,51 @@ export default function SettingsAccessIndexRoute() {
}
};
// Handle TLS mode change
const handleTlsModeChange = (value: string) => {
setTlsMode(value);
};
const handleTlsCertChange = (value: string) => {
setTlsCert(value);
};
const handleTlsKeyChange = (value: string) => {
setTlsKey(value);
};
const handleTlsUpdate = useCallback(() => {
send("setTLSState", { state: { mode: tlsMode, certificate: tlsCert, privateKey: tlsKey } as TLSState }, resp => {
if ("error" in resp) {
notifications.error(`Failed to update TLS settings: ${resp.error.data || "Unknown error"}`);
return;
}
notifications.success("TLS settings updated successfully");
});
}, [send, tlsMode, tlsCert, tlsKey]);
const handleReboot = useCallback(() => {
send("reboot", { force: false }, resp => {
if ("error" in resp) {
notifications.error(`Failed to reboot: ${resp.error.data || "Unknown error"}`);
return;
}
notifications.success("Device will restart shortly, it might take a few seconds to boot up again.");
});
}, [send]);
// Fetch device ID and cloud state on component mount
useEffect(() => {
getCloudState();
getTLSState();
send("getDeviceID", {}, async resp => {
if ("error" in resp) return console.error(resp.error);
setDeviceId(resp.result as string);
});
}, [send, getCloudState]);
}, [send, getCloudState, getTLSState]);
return (
<div className="space-y-4">
@ -150,30 +207,106 @@ export default function SettingsAccessIndexRoute() {
title="Local"
description="Manage the mode of local access to the device"
/>
<SettingsItem
title="Authentication Mode"
description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
>
{loaderData.authMode === "password" ? (
<Button
<>
<SettingsItem
title="HTTPS/TLS Mode"
description={<>
Select the TLS mode for your device (beta)<br />
<small>changing this setting might restart the device</small>
</>}
>
<SelectMenuBasic
size="SM"
theme="light"
text="Disable Protection"
onClick={() => {
navigateTo("./local-auth", { state: { init: "deletePassword" } });
}}
/>
) : (
<Button
size="SM"
theme="light"
text="Enable Password"
onClick={() => {
navigateTo("./local-auth", { state: { init: "createPassword" } });
}}
value={tlsMode}
onChange={e => handleTlsModeChange(e.target.value)}
options={[
{ value: "selfsigned", label: "Self-signed" },
{ value: "custom", label: "Custom" },
{ value: "disabled", label: "Disabled" },
]}
/>
</SettingsItem>
<div className="space-y-4">
<p className="text-xs text-slate-600 dark:text-slate-400">
If TLS wasn't enabled before, you'll need to <strong>reboot</strong> the device to apply the changes.<br />
</p>
<div className="flex items-center gap-x-2">
<Button
size="SM"
theme="primary"
text="Update TLS Settings"
onClick={handleTlsUpdate}
/>
<Button
size="SM"
theme="danger"
text="Reboot"
onClick={handleReboot}
/>
</div>
</div>
{tlsMode === "custom" && (
<div className="mt-4 space-y-4">
<div className="space-y-4">
<SettingsItem
title="TLS Certificate"
description="Enter your TLS certificate here, if intermediate or root CA is used, you can paste the entire chain here too"
/>
<div className="space-y-4">
<TextAreaWithLabel
label="Certificate"
rows={3}
placeholder={"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}
value={tlsCert}
onChange={e => handleTlsCertChange(e.target.value)}
/>
</div>
<div className="space-y-4">
<div className="space-y-4">
<TextAreaWithLabel
label="Private Key"
rows={3}
placeholder={"-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"}
value={tlsKey}
onChange={e => handleTlsKeyChange(e.target.value)}
/>
<p className="text-xs text-slate-600 dark:text-slate-400">
Private key won't be shown again after saving.
</p>
</div>
</div>
</div>
</div>
)}
</SettingsItem>
<SettingsItem
title="Authentication Mode"
description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
>
{loaderData.authMode === "password" ? (
<Button
size="SM"
theme="light"
text="Disable Protection"
onClick={() => {
navigateTo("./local-auth", { state: { init: "deletePassword" } });
}}
/>
) : (
<Button
size="SM"
theme="light"
text="Enable Password"
onClick={() => {
navigateTo("./local-auth", { state: { init: "createPassword" } });
}}
/>
)}
</SettingsItem>
</>
{loaderData.authMode === "password" && (
<SettingsItem

74
web_tls.go
View File

@ -2,6 +2,8 @@ package kvm
import (
"crypto/tls"
"encoding/pem"
"fmt"
"net/http"
"github.com/jetkvm/kvm/internal/websecure"
@ -14,6 +16,7 @@ const (
webSecureSelfSignedCAName = "JetKVM Self-Signed CA"
webSecureSelfSignedOrganization = "JetKVM"
webSecureSelfSignedOU = "JetKVM Self-Signed"
webSecureCustomCertificateName = "user-defined"
)
var (
@ -21,6 +24,12 @@ var (
certSigner *websecure.SelfSigner
)
type TLSState struct {
Mode string `json:"mode"`
Certificate string `json:"certificate"`
PrivateKey string `json:"privateKey"`
}
func initCertStore() {
certStore = websecure.NewCertStore(tlsStorePath)
certStore.LoadCertificates()
@ -35,6 +44,67 @@ func initCertStore() {
)
}
func getCertificate(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
if config.TLSMode == "self-signed" {
if isTimeSyncNeeded() || !timeSyncSuccess {
return nil, fmt.Errorf("time is not synced")
}
return certSigner.GetCertificate(info)
} else if config.TLSMode == "custom" {
return certStore.GetCertificate(webSecureCustomCertificateName), nil
}
logger.Infof("TLS mode is disabled but WebSecure is running, returning nil")
return nil, nil
}
func getTLSState() TLSState {
s := TLSState{}
switch config.TLSMode {
case "disabled":
s.Mode = "disabled"
case "custom":
s.Mode = "custom"
cert := certStore.GetCertificate(webSecureCustomCertificateName)
if cert != nil {
var certPEM []byte
// convert to pem format
for _, c := range cert.Certificate {
block := pem.Block{
Type: "CERTIFICATE",
Bytes: c,
}
certPEM = append(certPEM, pem.EncodeToMemory(&block)...)
}
s.Certificate = string(certPEM)
}
case "self-signed":
s.Mode = "self-signed"
}
return s
}
func setTLSState(s TLSState) error {
switch s.Mode {
case "disabled":
config.TLSMode = ""
case "custom":
// parse pem to cert and key
err, _ := certStore.ValidateAndSaveCertificate(webSecureCustomCertificateName, s.Certificate, s.PrivateKey, true)
// warn doesn't matter as ... we don't know the hostname yet
if err != nil {
return fmt.Errorf("Failed to save certificate: %w", err)
}
config.TLSMode = "custom"
case "self-signed":
config.TLSMode = "self-signed"
}
SaveConfig()
return nil
}
// RunWebSecureServer runs a web server with TLS.
func RunWebSecureServer() {
r := setupRouter()
@ -45,10 +115,10 @@ func RunWebSecureServer() {
TLSConfig: &tls.Config{
MaxVersion: tls.VersionTLS13,
CurvePreferences: []tls.CurveID{},
GetCertificate: certSigner.GetCertificate,
GetCertificate: getCertificate,
},
}
logger.Infof("Starting websecure server on %s", RunWebSecureServer)
logger.Infof("Starting websecure server on %s", webSecureListen)
err := server.ListenAndServeTLS("", "")
if err != nil {
panic(err)