From ef5cf2131b9f1006eebacad617af34ed6b288b4f Mon Sep 17 00:00:00 2001 From: Erik Jaegervall Date: Fri, 10 May 2024 13:34:26 +0200 Subject: [PATCH] Remove client key/cert support. Not actively supported anyway and current handling for ws did not work after removing default certs --- kuksa-client/kuksa_client/__main__.py | 23 ---------------- .../kuksa_client/cli_backend/__init__.py | 2 -- kuksa-client/kuksa_client/cli_backend/grpc.py | 6 ----- kuksa-client/kuksa_client/cli_backend/ws.py | 2 -- kuksa-client/kuksa_client/grpc/__init__.py | 14 +--------- kuksa-client/tests/conftest.py | 2 +- kuksa-client/tests/resources/test-client.key | 27 ------------------- kuksa-client/tests/resources/test-client.pem | 22 --------------- kuksa-client/tests/test_grpc.py | 2 -- 9 files changed, 2 insertions(+), 98 deletions(-) delete mode 100644 kuksa-client/tests/resources/test-client.key delete mode 100644 kuksa-client/tests/resources/test-client.pem diff --git a/kuksa-client/kuksa_client/__main__.py b/kuksa-client/kuksa_client/__main__.py index e0fac36..2b29623 100755 --- a/kuksa-client/kuksa_client/__main__.py +++ b/kuksa-client/kuksa_client/__main__.py @@ -47,8 +47,6 @@ DEFAULT_KUKSA_ADDRESS = os.environ.get("KUKSA_ADDRESS", "grpc://127.0.0.1:55555") DEFAULT_TOKEN_OR_TOKENFILE = os.environ.get("TOKEN_OR_TOKENFILE", None) -DEFAULT_CERTIFICATE = os.environ.get("CERTIFICATE", None) -DEFAULT_KEYFILE = os.environ.get("KEYFILE", None) DEFAULT_CACERTIFICATE = os.environ.get("CACERTIFICATE", None) DEFAULT_TLS_SERVER_NAME = os.environ.get("TLS_SERVER_NAME", None) @@ -317,8 +315,6 @@ def __init__( self, server=None, token_or_tokenfile=None, - certificate=None, - keyfile=None, cacertificate=None, tls_server_name=None, ): @@ -340,8 +336,6 @@ def __init__( self.subscribeIds = set() self.commThread = None self.token_or_tokenfile = token_or_tokenfile - self.certificate = certificate - self.keyfile = keyfile self.cacertificate = cacertificate self.tls_server_name = tls_server_name @@ -612,10 +606,6 @@ def connect(self): # Configs should only be added if they actually have a value if self.token_or_tokenfile is not None: config["token_or_tokenfile"] = self.token_or_tokenfile - if self.certificate is not None: - config["certificate"] = self.certificate - if self.keyfile is not None: - config["keyfile"] = self.keyfile if self.cacertificate is not None: config["cacertificate"] = self.cacertificate if self.tls_server_name is not None: @@ -684,17 +674,6 @@ def main(): ) # Add TLS arguments - # Note: Databroker does not yet support mutual authentication, so no need to use two first arguments - parser.add_argument( - "--certificate", - default=DEFAULT_CERTIFICATE, - help="Client cert file(.pem), only needed for mutual authentication", - ) - parser.add_argument( - "--keyfile", - default=DEFAULT_KEYFILE, - help="Client private key file (.key), only needed for mutual authentication", - ) parser.add_argument( "--cacertificate", default=DEFAULT_CACERTIFICATE, @@ -716,8 +695,6 @@ def main(): clientApp = TestClient( args.server, token_or_tokenfile=args.token_or_tokenfile, - certificate=args.certificate, - keyfile=args.keyfile, cacertificate=args.cacertificate, tls_server_name=args.tls_server_name, ) diff --git a/kuksa-client/kuksa_client/cli_backend/__init__.py b/kuksa-client/kuksa_client/cli_backend/__init__.py index 4d1936a..69d6d78 100644 --- a/kuksa-client/kuksa_client/cli_backend/__init__.py +++ b/kuksa-client/kuksa_client/cli_backend/__init__.py @@ -29,8 +29,6 @@ def __init__(self, config): # If no CA Certificate is given we will use an insecure connection, requested or not if self.cacertificate is None: self.insecure = True - self.certificate = config.get('certificate', None) - self.keyfile = config.get('keyfile', None) self.tls_server_name = config.get('tls_server_name', "") self.token_or_tokenfile = config.get('token_or_tokenfile', None) diff --git a/kuksa-client/kuksa_client/cli_backend/grpc.py b/kuksa-client/kuksa_client/cli_backend/grpc.py index 15a0ce7..11ab1ae 100644 --- a/kuksa-client/kuksa_client/cli_backend/grpc.py +++ b/kuksa-client/kuksa_client/cli_backend/grpc.py @@ -66,10 +66,6 @@ def __init__(self, config): super().__init__(config) if self.cacertificate is not None: self.cacertificate = pathlib.Path(self.cacertificate) - if self.keyfile is not None: - self.keyfile = pathlib.Path(self.keyfile) - if self.certificate is not None: - self.certificate = pathlib.Path(self.certificate) if self.token_or_tokenfile is not None: if os.path.isfile(self.token_or_tokenfile): self.token_or_tokenfile = pathlib.Path(self.token_or_tokenfile) @@ -285,8 +281,6 @@ async def mainLoop(self): self.serverIP, self.serverPort, root_certificates=self.cacertificate, - private_key=self.keyfile, - certificate_chain=self.certificate, tls_server_name=self.tls_server_name, token=self.token ) as vss_client: diff --git a/kuksa-client/kuksa_client/cli_backend/ws.py b/kuksa-client/kuksa_client/cli_backend/ws.py index effd204..76b754b 100644 --- a/kuksa-client/kuksa_client/cli_backend/ws.py +++ b/kuksa-client/kuksa_client/cli_backend/ws.py @@ -297,8 +297,6 @@ async def connect(self, _=None): subprotocols = ["VISSv2"] if not self.insecure: context = ssl.create_default_context() - context.load_cert_chain( - certfile=self.certificate, keyfile=self.keyfile) context.load_verify_locations(cafile=self.cacertificate) # We want host name to match # For example certificates we use subjectAltName to make it match for Server, localahost and 127.0.0.1 diff --git a/kuksa-client/kuksa_client/grpc/__init__.py b/kuksa-client/kuksa_client/grpc/__init__.py index 492f326..173c558 100644 --- a/kuksa-client/kuksa_client/grpc/__init__.py +++ b/kuksa-client/kuksa_client/grpc/__init__.py @@ -559,8 +559,6 @@ def __init__( port: int, token: Optional[str] = None, root_certificates: Optional[Path] = None, - private_key: Optional[Path] = None, - certificate_chain: Optional[Path] = None, ensure_startup_connection: bool = True, connected: bool = False, tls_server_name: Optional[str] = None @@ -569,8 +567,6 @@ def __init__( self.authorization_header = self.get_authorization_header(token) self.target_host = f'{host}:{port}' self.root_certificates = root_certificates - self.private_key = private_key - self.certificate_chain = certificate_chain self.tls_server_name = tls_server_name self.ensure_startup_connection = ensure_startup_connection self.connected = connected @@ -580,15 +576,7 @@ def _load_creds(self) -> Optional[grpc.ChannelCredentials]: if self.root_certificates: logger.info(f"Using TLS with Root CA from {self.root_certificates}") root_certificates = self.root_certificates.read_bytes() - if self.private_key and self.certificate_chain: - private_key = self.private_key.read_bytes() - certificate_chain = self.certificate_chain.read_bytes() - # As of today there is no option in KUKSA.val Databroker to require client authentication - logger.info("Using client private key and certificates, mutual TLS supported if supported by server") - return grpc.ssl_channel_credentials(root_certificates, private_key, certificate_chain) - else: - logger.info("No client certificates provided, mutual TLS not supported!") - return grpc.ssl_channel_credentials(root_certificates) + return grpc.ssl_channel_credentials(root_certificates) logger.info("No Root CA present, it will not be possible to use a secure connection!") return None diff --git a/kuksa-client/tests/conftest.py b/kuksa-client/tests/conftest.py index 0bdbb30..16fa22a 100644 --- a/kuksa-client/tests/conftest.py +++ b/kuksa-client/tests/conftest.py @@ -65,7 +65,7 @@ async def secure_val_server_fixture(unused_tcp_port, resources_path, val_service (resources_path / 'test-server.pem').read_bytes(), )], root_certificates=(resources_path / 'test-ca.pem').read_bytes(), - require_client_auth=True, + require_client_auth=False, )) await server.start() try: diff --git a/kuksa-client/tests/resources/test-client.key b/kuksa-client/tests/resources/test-client.key deleted file mode 100644 index 36c3370..0000000 --- a/kuksa-client/tests/resources/test-client.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAqK0JCRJLLgjlSiq8nwosJv6YoIoyr/WBkXzMo9PkhkhLyDzU -XsiOj05TQfin2dckYTnLEVVJDu4a8ACRKzHW64wc5NTmIu1m6e1sAN+xbRKFksV1 -FK+TqhypoGkW+6yP/SprjiERQeeG1WYTT/zCjyRWWfwfk2eIXP9b4n4zbKRDO0/w -Sy5ONPuOaAgvioFfzDWfhGPRWRu0y5+PfQWv4kXx4JwYdpvM8i+ttL7YuR8iVyK2 -/DPs9LMl/FbP8xCHUdyAZWLZnpjEvXVLC2lpBYoiBZz6ZUOu8QtHLEO+rNPv6Wzw -kkhIm9cOFXnChTSZY/hhm58JvZWywXywOg+29QIDAQABAoIBAEgT8Ql8VL3uNTTV -QFbhvO5I2yW3CGPikCSAZN4Y/M1Y9XEydTmvkCOyv6cwP2G6KqSVUq4seJS1sLMg -OuhvWry62dn7FACW2+RYfU9+R04pnQST9i0JvhryNpYCcjzHh5wSVXWdsccszZRB -Ez2Z7/XE/FVlhISzuDStNjF55jWk5c2P3Sbl7XigLOCFU/z0mkDdSbCC3OMWITyh -cxy7V9mEQCnZkA7OXTWNwEFDfkDka9HLXy/i5RJU2UJllQ4jjVeLpXyYSsoClnvt -pDy2Xrcgiq6kPrDe5NnPaTkyq8Sl2xpb6R/qpZdk6phxYYoFrSHUu3ORniEpwIP1 -grktiAECgYEA3glULImpmbU8tZNUud9qOiS3XtgteRDXSxI5ZOzcPpgdupMTHLcU -850NDBKumwzUC78LhOV0xGRbudF2Xjc5nnBIUME5iQlVSu6VeyTlq1JIdVQ1H/g3 -ypGxTwwPS4HhsJJykMvEgNCiC6db9F+CNmtBU8Ct6HaXWtsnJLnzggECgYEAwnos -vKDBaJgn4lvaJljqH+jIs+1WpXP2TrIgIz+dSLHdBfLPmaZ510Ic3XGnYI/B4+dv -R9oMWOs5amanFDZhljmunPMnGV4HYtKFPUWfnirnV73uCMMDquLRcdqaxJXyn95/ -HlpwrgY32j317nCECggskjVSEPisL1oW2SFsTPUCgYEArfU9H4/TcvvNzqzZiq8B -uQAfMo3IQrvxEX37vZjdjaT8Vbr5FFxUa/E10ampZw0L7RAG5F4pt9yxCMqVJIe7 -+ugZoDti6nyHeKeoMczcq/dRkash3CRLAchX1IisSwo9WmvCmrMrB4luDBdZMgLK -L/ykOAwTtLeFKcfdySZvJAECgYBqJTjps2wc5H9QYwXMTFdtFycEXZQfNg3Hoh08 -X+o+1SVnq8F3gY+a17DdhLzwTUZsV9M7Cl4W4jwyQNkMhSn6Tn1pmKVMiS/K1lB2 -wtt9/rjKARY8ngQQb0AVvlUe2yDT9SK4tHAv66Dsc0kZ3TuUJiX9nzCtpqyEI824 -sS9lSQKBgQCi4puuw5BmjEF2/jb/v8pw58xV2l82rOhEpLibiIh53dkZdu8tZpbN -iu5DAQB/mJsFbsMfgVTIiN5uSCYZL0W2DhZGYdn5sayaJZm+Ug3hLfr11t2O9ZZo -w0bKOF5Mq6IE31qC5Qr92ajdCd/YX/CnOio2kawC8aNSI3PGtMygiQ== ------END RSA PRIVATE KEY----- diff --git a/kuksa-client/tests/resources/test-client.pem b/kuksa-client/tests/resources/test-client.pem deleted file mode 100644 index c31bc48..0000000 --- a/kuksa-client/tests/resources/test-client.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDpjCCAo4CFHYXJH9/kkqRFe59+EdvnDJMiH7CMA0GCSqGSIb3DQEBCwUAMIGQ -MQswCQYDVQQGEwJERTELMAkGA1UECAwCQlcxDDAKBgNVBAcMA1JuZzEaMBgGA1UE -CgwRUm9iZXJ0IEJvc2NoIEdtYkgxCzAJBgNVBAsMAkNSMRUwEwYDVQQDDAxsb2Nh -bGhvc3QtY2ExJjAkBgkqhkiG9w0BCQEWF0NJLkhvdGxpbmVAZGUuYm9zY2guY29t -MB4XDTIyMTEwNzE1NTEwOFoXDTMyMTEwNDE1NTEwOFowgY0xCzAJBgNVBAYTAkRF -MQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRowGAYDVQQKDBFSb2JlcnQgQm9z -Y2ggR21iSDELMAkGA1UECwwCQ1IxEjAQBgNVBAMMCWxvY2FsaG9zdDEmMCQGCSqG -SIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3NjaC5jb20wggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCorQkJEksuCOVKKryfCiwm/pigijKv9YGRfMyj0+SG -SEvIPNReyI6PTlNB+KfZ1yRhOcsRVUkO7hrwAJErMdbrjBzk1OYi7Wbp7WwA37Ft -EoWSxXUUr5OqHKmgaRb7rI/9KmuOIRFB54bVZhNP/MKPJFZZ/B+TZ4hc/1vifjNs -pEM7T/BLLk40+45oCC+KgV/MNZ+EY9FZG7TLn499Ba/iRfHgnBh2m8zyL620vti5 -HyJXIrb8M+z0syX8Vs/zEIdR3IBlYtmemMS9dUsLaWkFiiIFnPplQ67xC0csQ76s -0+/pbPCSSEib1w4VecKFNJlj+GGbnwm9lbLBfLA6D7b1AgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAFtVT1HMuHjLgmiF7ytZ9/IO1Wdx822XeJyeYZrOg2kQX8D+c8UU -z4Vi0yrWrlALxLIcOwMTadWJm07gh6xNNyBWGftelUeCjiwHcYxuTsh3Pt190c8Z -ymvkXfFw37XHyc3q8lFtWQHMtgq7nvIZYbfIsEn7S+7SNENpDMlktyT1aB3rNIpW -t9r1je3IUGvc0cgYm67ISxqJRp1EwuEQqUi03r0BzNkPYUpGnePjsTQTiEqVpMhG -iGlYoIUcnxF/cRXKFNrZCy77mUQz78srKq7p+nwpVgPtpXcqyTbNTJXxJ5SD2HuU -J85F+EAyWtfmuH8elpnd+I53eKqLgv3Spss= ------END CERTIFICATE----- diff --git a/kuksa-client/tests/test_grpc.py b/kuksa-client/tests/test_grpc.py index 7648aef..687801f 100644 --- a/kuksa-client/tests/test_grpc.py +++ b/kuksa-client/tests/test_grpc.py @@ -406,8 +406,6 @@ async def test_secure_connection(self, unused_tcp_port, resources_path, val_serv name='test_server', version='1.2.3') async with VSSClient('localhost', unused_tcp_port, root_certificates=resources_path / 'test-ca.pem', - private_key=resources_path / 'test-client.key', - certificate_chain=resources_path / 'test-client.pem', ensure_startup_connection=True ): assert val_servicer.GetServerInfo.call_count == 1