| # Copyright 2022 - The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| r"""Mkcert entry point. |
| |
| Mkcert will handle the SSL certificates process to secure WEB browser of |
| a local or remote instance of an Android Virtual Device. |
| """ |
| |
| import filecmp |
| import logging |
| import os |
| import platform |
| import shutil |
| import stat |
| |
| from acloud.internal import constants |
| from acloud.internal.lib import utils |
| |
| logger = logging.getLogger(__name__) |
| |
| _CA_NAME = constants.SSL_CA_NAME |
| _CERT_DIR = os.path.join(os.path.expanduser("~"), constants.SSL_DIR) |
| _CA_KEY_PATH = os.path.join(_CERT_DIR, f"{_CA_NAME}.key") |
| _CA_CRT_PATH = os.path.join(_CERT_DIR, f"{_CA_NAME}.pem") |
| _CERT_KEY_PATH = os.path.join(_CERT_DIR, "server.key") |
| _CERT_CSR_PATH = os.path.join(_CERT_DIR, "server.csr") |
| _CERT_CRT_PATH = os.path.join(_CERT_DIR, "server.crt") |
| _CA_EXT = "keyUsage=critical,keyCertSign" |
| _CA_SUBJ="/OU=acloud/O=acloud development CA/CN=localhost" |
| _CERT_SUBJ = "/OU=%s/O=acloud development CA" % platform.node() |
| _TRUST_CA_PATH = os.path.join(constants.SSL_TRUST_CA_DIR, |
| f"{_CA_NAME}.crt") |
| _CERT_CRT_EXT = ";".join(f"echo \"{ext}\"" for ext in [ |
| "keyUsage = critical, digitalSignature, keyEncipherment", |
| "extendedKeyUsage = serverAuth", |
| "subjectAltName = DNS.1:localhost, IP.1:0.0.0.0, IP.2:::1"]) |
| |
| # Generate a Root SSL Certificate. |
| _CA_CMD = (f"openssl req -new -x509 -days 9999 -newkey rsa:2048 " |
| f"-sha256 -nodes -keyout \"{_CA_KEY_PATH}\" " |
| f"-out \"{_CA_CRT_PATH}\" -extensions v3_ca " |
| f"-subj \"{_CA_SUBJ}\" -addext \"{_CA_EXT}\"") |
| |
| # Trust the Root SSL Certificate. |
| _TRUST_CA_COPY_CMD = f"sudo cp -p {_CA_CRT_PATH} {_TRUST_CA_PATH}" |
| _UPDATE_TRUST_CA_CMD = "sudo update-ca-certificates" |
| _TRUST_CHROME_CMD = ( |
| "certutil -d sql:$HOME/.pki/nssdb -A -t TC " |
| f"-n \"{_CA_NAME}\" -i \"{_TRUST_CA_PATH}\"") |
| |
| # Generate an SSL SAN Certificate with the Root Certificate. |
| _CERT_KEY_CMD = f"openssl genrsa -out \"{_CERT_KEY_PATH}\" 2048" |
| _CERT_CSR_CMD = (f"openssl req -new -key \"{_CERT_KEY_PATH}\" " |
| f"-out \"{_CERT_CSR_PATH}\" -subj \"{_CERT_SUBJ}\"") |
| _CERT_CRT_CMD = ( |
| f"openssl x509 -req -days 9999 -in \"{_CERT_CSR_PATH}\" " |
| f"-CA \"{_CA_CRT_PATH}\" -CAkey \"{_CA_KEY_PATH}\" " |
| f"-CAcreateserial -out \"{_CERT_CRT_PATH}\" " |
| f"-extfile <({_CERT_CRT_EXT};)") |
| |
| # UnInstall the Root SSL Certificate. |
| _UNDO_TRUST_CA_CMD = f"sudo rm {_TRUST_CA_PATH}" |
| _UNDO_TRUST_CHROME_CMD = f"certutil -D -d sql:$HOME/.pki/nssdb -n \"{_CA_NAME}\"" |
| |
| |
| def Install(): |
| """Install Root SSL Certificates by the openssl tool. |
| |
| Generates a Root SSL Certificates and setup the host environment |
| to build a secure browser for WebRTC AVD. |
| |
| Returns: |
| True when the Root SSL Certificates are generated and setup. |
| """ |
| if os.path.isdir(_CERT_DIR): |
| shutil.rmtree(_CERT_DIR) |
| os.mkdir(_CERT_DIR) |
| |
| if os.path.exists(_TRUST_CA_PATH): |
| UnInstall() |
| |
| utils.Popen(_CA_CMD, shell=True) |
| # The rootCA.pem file should grant READ permission to others. |
| if not os.stat(_CA_CRT_PATH).st_mode & stat.S_IROTH: |
| os.chmod(_CA_CRT_PATH, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) |
| utils.Popen(_TRUST_CA_COPY_CMD, shell=True) |
| utils.Popen(_UPDATE_TRUST_CA_CMD, shell=True) |
| utils.Popen(_TRUST_CHROME_CMD, shell=True) |
| |
| return IsRootCAReady() |
| |
| |
| def AllocateLocalHostCert(): |
| """Allocate localhost certificate by the openssl tool. |
| |
| Generate an SSL SAN Certificate with the Root Certificate. |
| |
| Returns: |
| True if the certificates is exist. |
| """ |
| if not IsRootCAReady(): |
| logger.debug("Can't load CA files.") |
| return False |
| |
| if not os.path.exists(_CERT_KEY_PATH): |
| utils.Popen(_CERT_KEY_CMD, shell=True) |
| if not os.path.exists(_CERT_CSR_PATH): |
| utils.Popen(_CERT_CSR_CMD, shell=True) |
| if not os.path.exists(_CERT_CRT_PATH): |
| utils.Popen(_CERT_CRT_CMD, shell=True) |
| |
| return IsCertificateReady() |
| |
| |
| def IsRootCAReady(): |
| """Check if the Root SSL Certificates are all ready. |
| |
| Returns: |
| True if the Root SSL Certificates are exist. |
| """ |
| for cert_file_name in [_CA_KEY_PATH, _CA_CRT_PATH, _TRUST_CA_PATH]: |
| if not os.path.exists(cert_file_name): |
| logger.debug("Root SSL Certificate: %s, does not exist", |
| cert_file_name) |
| return False |
| # TODO: this check can be delete when the mkcert mechanism is stable. |
| if not os.stat(_TRUST_CA_PATH).st_mode & stat.S_IROTH: |
| return False |
| |
| if not filecmp.cmp(_CA_CRT_PATH, _TRUST_CA_PATH): |
| logger.debug("The trusted CA %s file is not the same with %s ", |
| _TRUST_CA_PATH, _CA_CRT_PATH) |
| return False |
| return True |
| |
| |
| def IsCertificateReady(): |
| """Check if the SSL SAN Certificates files are all ready. |
| |
| Returns: |
| True if the SSL SAN Certificates files existed. |
| """ |
| for cert_file_name in [_CERT_KEY_PATH, _CERT_CRT_PATH]: |
| if not os.path.exists(cert_file_name): |
| logger.debug("SSL SAN Certificate: %s, does not exist", |
| cert_file_name) |
| return False |
| return True |
| |
| |
| def UnInstall(): |
| """Uninstall a Root SSL Certificate. |
| |
| Undo the Root SSL Certificate host setup. |
| """ |
| utils.Popen(_UNDO_TRUST_CA_CMD, shell=True) |
| utils.Popen(_UPDATE_TRUST_CA_CMD, shell=True) |
| utils.Popen(_UNDO_TRUST_CHROME_CMD, shell=True) |