170 lines
5.8 KiB
Python
170 lines
5.8 KiB
Python
# Copyright 2022 - The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
r"""Mkcert entry point.
|
|
|
|
Mkcert will handle the SSL certificates process to secure WEB browser of
|
|
a local or remote instance of an Android Virtual Device.
|
|
"""
|
|
|
|
import filecmp
|
|
import logging
|
|
import os
|
|
import platform
|
|
import shutil
|
|
import stat
|
|
|
|
from acloud.internal import constants
|
|
from acloud.internal.lib import utils
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
_CA_NAME = constants.SSL_CA_NAME
|
|
_CERT_DIR = os.path.join(os.path.expanduser("~"), constants.SSL_DIR)
|
|
_CA_KEY_PATH = os.path.join(_CERT_DIR, f"{_CA_NAME}.key")
|
|
_CA_CRT_PATH = os.path.join(_CERT_DIR, f"{_CA_NAME}.pem")
|
|
_CERT_KEY_PATH = os.path.join(_CERT_DIR, "server.key")
|
|
_CERT_CSR_PATH = os.path.join(_CERT_DIR, "server.csr")
|
|
_CERT_CRT_PATH = os.path.join(_CERT_DIR, "server.crt")
|
|
_CA_EXT = "keyUsage=critical,keyCertSign"
|
|
_CA_SUBJ="/OU=acloud/O=acloud development CA/CN=localhost"
|
|
_CERT_SUBJ = "/OU=%s/O=acloud development CA" % platform.node()
|
|
_TRUST_CA_PATH = os.path.join(constants.SSL_TRUST_CA_DIR,
|
|
f"{_CA_NAME}.crt")
|
|
_CERT_CRT_EXT = ";".join(f"echo \"{ext}\"" for ext in [
|
|
"keyUsage = critical, digitalSignature, keyEncipherment",
|
|
"extendedKeyUsage = serverAuth",
|
|
"subjectAltName = DNS.1:localhost, IP.1:0.0.0.0, IP.2:::1"])
|
|
|
|
# Generate a Root SSL Certificate.
|
|
_CA_CMD = (f"openssl req -new -x509 -days 9999 -newkey rsa:2048 "
|
|
f"-sha256 -nodes -keyout \"{_CA_KEY_PATH}\" "
|
|
f"-out \"{_CA_CRT_PATH}\" -extensions v3_ca "
|
|
f"-subj \"{_CA_SUBJ}\" -addext \"{_CA_EXT}\"")
|
|
|
|
# Trust the Root SSL Certificate.
|
|
_TRUST_CA_COPY_CMD = f"sudo cp -p {_CA_CRT_PATH} {_TRUST_CA_PATH}"
|
|
_UPDATE_TRUST_CA_CMD = "sudo update-ca-certificates"
|
|
_TRUST_CHROME_CMD = (
|
|
"certutil -d sql:$HOME/.pki/nssdb -A -t TC "
|
|
f"-n \"{_CA_NAME}\" -i \"{_TRUST_CA_PATH}\"")
|
|
|
|
# Generate an SSL SAN Certificate with the Root Certificate.
|
|
_CERT_KEY_CMD = f"openssl genrsa -out \"{_CERT_KEY_PATH}\" 2048"
|
|
_CERT_CSR_CMD = (f"openssl req -new -key \"{_CERT_KEY_PATH}\" "
|
|
f"-out \"{_CERT_CSR_PATH}\" -subj \"{_CERT_SUBJ}\"")
|
|
_CERT_CRT_CMD = (
|
|
f"openssl x509 -req -days 9999 -in \"{_CERT_CSR_PATH}\" "
|
|
f"-CA \"{_CA_CRT_PATH}\" -CAkey \"{_CA_KEY_PATH}\" "
|
|
f"-CAcreateserial -out \"{_CERT_CRT_PATH}\" "
|
|
f"-extfile <({_CERT_CRT_EXT};)")
|
|
|
|
# UnInstall the Root SSL Certificate.
|
|
_UNDO_TRUST_CA_CMD = f"sudo rm {_TRUST_CA_PATH}"
|
|
_UNDO_TRUST_CHROME_CMD = f"certutil -D -d sql:$HOME/.pki/nssdb -n \"{_CA_NAME}\""
|
|
|
|
|
|
def Install():
|
|
"""Install Root SSL Certificates by the openssl tool.
|
|
|
|
Generates a Root SSL Certificates and setup the host environment
|
|
to build a secure browser for WebRTC AVD.
|
|
|
|
Returns:
|
|
True when the Root SSL Certificates are generated and setup.
|
|
"""
|
|
if os.path.isdir(_CERT_DIR):
|
|
shutil.rmtree(_CERT_DIR)
|
|
os.mkdir(_CERT_DIR)
|
|
|
|
if os.path.exists(_TRUST_CA_PATH):
|
|
UnInstall()
|
|
|
|
utils.Popen(_CA_CMD, shell=True)
|
|
# The rootCA.pem file should grant READ permission to others.
|
|
if not os.stat(_CA_CRT_PATH).st_mode & stat.S_IROTH:
|
|
os.chmod(_CA_CRT_PATH, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
|
|
utils.Popen(_TRUST_CA_COPY_CMD, shell=True)
|
|
utils.Popen(_UPDATE_TRUST_CA_CMD, shell=True)
|
|
utils.Popen(_TRUST_CHROME_CMD, shell=True)
|
|
|
|
return IsRootCAReady()
|
|
|
|
|
|
def AllocateLocalHostCert():
|
|
"""Allocate localhost certificate by the openssl tool.
|
|
|
|
Generate an SSL SAN Certificate with the Root Certificate.
|
|
|
|
Returns:
|
|
True if the certificates is exist.
|
|
"""
|
|
if not IsRootCAReady():
|
|
logger.debug("Can't load CA files.")
|
|
return False
|
|
|
|
if not os.path.exists(_CERT_KEY_PATH):
|
|
utils.Popen(_CERT_KEY_CMD, shell=True)
|
|
if not os.path.exists(_CERT_CSR_PATH):
|
|
utils.Popen(_CERT_CSR_CMD, shell=True)
|
|
if not os.path.exists(_CERT_CRT_PATH):
|
|
utils.Popen(_CERT_CRT_CMD, shell=True)
|
|
|
|
return IsCertificateReady()
|
|
|
|
|
|
def IsRootCAReady():
|
|
"""Check if the Root SSL Certificates are all ready.
|
|
|
|
Returns:
|
|
True if the Root SSL Certificates are exist.
|
|
"""
|
|
for cert_file_name in [_CA_KEY_PATH, _CA_CRT_PATH, _TRUST_CA_PATH]:
|
|
if not os.path.exists(cert_file_name):
|
|
logger.debug("Root SSL Certificate: %s, does not exist",
|
|
cert_file_name)
|
|
return False
|
|
# TODO: this check can be delete when the mkcert mechanism is stable.
|
|
if not os.stat(_TRUST_CA_PATH).st_mode & stat.S_IROTH:
|
|
return False
|
|
|
|
if not filecmp.cmp(_CA_CRT_PATH, _TRUST_CA_PATH):
|
|
logger.debug("The trusted CA %s file is not the same with %s ",
|
|
_TRUST_CA_PATH, _CA_CRT_PATH)
|
|
return False
|
|
return True
|
|
|
|
|
|
def IsCertificateReady():
|
|
"""Check if the SSL SAN Certificates files are all ready.
|
|
|
|
Returns:
|
|
True if the SSL SAN Certificates files existed.
|
|
"""
|
|
for cert_file_name in [_CERT_KEY_PATH, _CERT_CRT_PATH]:
|
|
if not os.path.exists(cert_file_name):
|
|
logger.debug("SSL SAN Certificate: %s, does not exist",
|
|
cert_file_name)
|
|
return False
|
|
return True
|
|
|
|
|
|
def UnInstall():
|
|
"""Uninstall a Root SSL Certificate.
|
|
|
|
Undo the Root SSL Certificate host setup.
|
|
"""
|
|
utils.Popen(_UNDO_TRUST_CA_CMD, shell=True)
|
|
utils.Popen(_UPDATE_TRUST_CA_CMD, shell=True)
|
|
utils.Popen(_UNDO_TRUST_CHROME_CMD, shell=True)
|