add optional ssl support

fsagbuya · fsagbuya · commit 800e8a84ac3f · 2025-03-20T16:41:38.000+08:00
Signed-off-by: Florian Agbuya &lt;fa@m-labs.ph&gt;
diff --git a/doc/index.rst b/doc/index.rst
@@ -65,7 +65,7 @@ Remote Procedure Call tool
 
 This tool is the preferred way of handling simple RPC servers.
 Instead of writing a client for simple cases, you can simply use this tool
-to call remote functions of an RPC server.
+to call remote functions of an RPC server. For secure connections, see `SSL Setup`_.
 
 * Listing existing targets
 
@@ -127,3 +127,56 @@ Command-line details:
 .. argparse::
    :ref: sipyco.sipyco_rpctool.get_argparser
    :prog: sipyco_rpctool
+
+
+SSL Setup
+=========
+
+SiPyCo supports SSL/TLS encryption with mutual authentication for secure communication, but it is disabled by default. To enable and use SSL, follow these steps:
+
+**Generate key and certificate:**
+
+Run the following command twice. Once with server filenames (e.g., ``server.key``, ``server.pem``) and once with client filenames (e.g., ``client.key``, ``client.pem``):
+
+.. code-block:: bash
+
+   openssl req -x509 -newkey rsa -keyout OUTPUT.key -nodes -out OUTPUT.pem -sha256 -subj "/" --addext "subjectAltName=IP:127.0.0.1"
+
+.. note::
+    The ``--addext "subjectAltName=IP:127.0.0.1"`` parameter must specify a valid IP address that will be included in the certificate. You should replace this with the actual IP address that will be used for connections.
+
+    Examples for different network configurations:
+
+    - For IPv6 localhost: ``--addext "subjectAltName=IP:::1"``
+    - For local network IP: ``--addext "subjectAltName=IP:192.168.1.100"``
+    - For multiple IPs: ``--addext "subjectAltName=IP:127.0.0.1,IP:::1"``
+    - For hostname (if needed): ``--addext "subjectAltName=DNS:your.hostname.com"``
+
+This creates:
+
+- A server certificate (``server.pem``) and key (``server.key``)
+- A client certificate (``client.pem``) and key (``client.key``)
+
+
+Enabling SSL
+------------
+
+To start with SSL enabled, the server requires its own key and certificate, as well as the certificate of a client to trust. Similarly, the client requires its own key and certificate, as well as the certificate of a server to trust.
+
+**For servers:**
+
+.. code-block:: python
+
+   simple_server_loop(targets, host, port,
+                     local_cert="path/to/server.pem",
+                     local_key="path/to/server.key",
+                     peer_cert="path/to/client.pem")
+
+**For clients:**
+
+.. code-block:: python
+
+   client = Client(host, port,
+                  local_cert="path/to/client.pem",
+                  local_key="path/to/client.key",
+                  peer_cert="path/to/server.pem")
diff --git a/sipyco/broadcast.py b/sipyco/broadcast.py
@@ -1,7 +1,7 @@
 import asyncio
 
 from sipyco import keepalive, pyon
-from sipyco.asyncio_tools import AsyncioServer
+from sipyco.tools import AsyncioServer
 
 
 _init_string = b"ARTIQ broadcast\n"
diff --git a/sipyco/logging_tools.py b/sipyco/logging_tools.py
@@ -3,7 +3,7 @@
 import re
 
 from sipyco import keepalive
-from sipyco.asyncio_tools import TaskObject, AsyncioServer
+from sipyco.tools import TaskObject, AsyncioServer
 
 
 logging.TRACE = 5
diff --git a/sipyco/pc_rpc.py b/sipyco/pc_rpc.py
@@ -20,7 +20,7 @@
 from operator import itemgetter
 
 from sipyco import keepalive, pyon
-from sipyco.asyncio_tools import SignalHandler, AsyncioServer as _AsyncioServer
+from sipyco.tools import SignalHandler, AsyncioServer as _AsyncioServer, configure_ssl_context
 from sipyco.packed_exceptions import *
 
 logger = logging.getLogger(__name__)
@@ -97,6 +97,9 @@ class Client:
         Use ``None`` to skip selecting a target. The list of targets can then
         be retrieved using :meth:`~sipyco.pc_rpc.Client.get_rpc_id`
         and then one can be selected later using :meth:`~sipyco.pc_rpc.Client.select_rpc_target`.
+    :param local_cert: Client's certificate file. Providing this enables SSL.
+    :param local_key: Client's private key file. Required when local_cert is provided.
+    :param peer_cert: Server's SSL certificate file to trust. Required when local_cert is provided.
     :param timeout: Socket operation timeout. Use ``None`` for blocking
         (default), ``0`` for non-blocking, and a finite value to raise
         ``socket.timeout`` if an operation does not complete within the
@@ -106,9 +109,12 @@ class Client:
         client).
     """
 
-    def __init__(self, host, port, target_name=AutoTarget, timeout=None):
+    def __init__(self, host, port, target_name=AutoTarget,
+                 local_cert=None, local_key=None, peer_cert=None, timeout=None):
         self.__socket = socket.create_connection((host, port), timeout)
-
+        if local_cert is not None:
+            ssl_context = configure_ssl_context(local_cert, local_key, peer_cert)
+            self.__socket = ssl_context.wrap_socket(self.__socket, server_hostname=host)
         try:
             self.__socket.sendall(_init_string)
 
@@ -206,12 +212,17 @@ def __init__(self):
         self.__description = None
         self.__valid_methods = set()
 
-    async def connect_rpc(self, host, port, target_name=AutoTarget):
+    async def connect_rpc(self, host, port, target_name=AutoTarget,
+                          local_cert=None, local_key=None, peer_cert=None):
         """Connects to the server. This cannot be done in __init__ because
         this method is a coroutine. See :class:`sipyco.pc_rpc.Client` for a description of the
         parameters."""
+        if local_cert is None:
+            ssl_context = None
+        else:
+            ssl_context = configure_ssl_context(local_cert, local_key, peer_cert)
         self.__reader, self.__writer = \
-            await keepalive.async_open_connection(host, port, limit=100 * 1024 * 1024)
+            await keepalive.async_open_connection(host, port, ssl=ssl_context, limit=100 * 1024 * 1024)
         try:
             self.__writer.write(_init_string)
             server_identification = await self.__recv()
@@ -303,17 +314,22 @@ class BestEffortClient:
     RPC calls that failed because of network errors return ``None``. Other RPC
     calls are blocking and return the correct value.
 
+    See :class:`sipyco.pc_rpc.Client` for a description of the other parameters.
+
     :param firstcon_timeout: Timeout to use during the first (blocking)
         connection attempt at object initialization.
     :param retry: Amount of time to wait between retries when reconnecting
         in the background.
     """
 
-    def __init__(self, host, port, target_name,
-                 firstcon_timeout=1.0, retry=5.0):
+    def __init__(self, host, port, target_name, local_cert=None,
+                 local_key=None, peer_cert=None, firstcon_timeout=1.0, retry=5.0):
         self.__host = host
         self.__port = port
         self.__target_name = target_name
+        self.__local_cert = local_cert
+        self.__local_key = local_key
+        self.__peer_cert = peer_cert
         self.__retry = retry
 
         self.__conretry_terminate = False
@@ -337,6 +353,9 @@ def __coninit(self, timeout):
         else:
             self.__socket = socket.create_connection(
                 (self.__host, self.__port), timeout)
+        if self.__local_cert is not None:
+            ssl_context = configure_ssl_context(self.__local_cert, self.__local_key, self.__peer_cert)
+            self.__socket = ssl_context.wrap_socket(self.__socket, server_hostname=self.__host)
         self.__socket.sendall(_init_string)
         server_identification = self.__recv()
         target_name = _validate_target_name(self.__target_name,
@@ -635,7 +654,8 @@ async def wait_terminate(self):
         await self._terminate_request.wait()
 
 
-def simple_server_loop(targets, host, port, description=None, allow_parallel=False, *, loop=None):
+def simple_server_loop(targets, host, port, description=None, allow_parallel=False, *, loop=None,
+                       local_cert=None, local_key=None, peer_cert=None):
     """Runs a server until an exception is raised (e.g. the user hits Ctrl-C)
     or termination is requested by a client.
 
@@ -651,7 +671,7 @@ def simple_server_loop(targets, host, port, description=None, allow_parallel=Fal
         signal_handler.setup()
         try:
             server = Server(targets, description, True, allow_parallel)
-            used_loop.run_until_complete(server.start(host, port))
+            used_loop.run_until_complete(server.start(host, port, local_cert, local_key, peer_cert))
             try:
                 _, pending = used_loop.run_until_complete(asyncio.wait(
                     [used_loop.create_task(signal_handler.wait_terminate()),
diff --git a/sipyco/sipyco_rpctool.py b/sipyco/sipyco_rpctool.py
@@ -18,6 +18,11 @@ def get_argparser():
                         help="hostname or IP of the controller to connect to")
     parser.add_argument("port", metavar="PORT", type=int,
                         help="TCP port to use to connect to the controller")
+    parser.add_argument("--ssl", nargs=3, metavar=('CERT', 'KEY', 'PEER'),
+                        help="Enable SSL authentication: "
+                             "CERT: client certificate file, "
+                             "KEY: client private key, "
+                             "PEER: server certificate to trust")
     subparsers = parser.add_subparsers(dest="action")
     subparsers.add_parser("list-targets", help="list existing targets")
     parser_list_methods = subparsers.add_parser("list-methods",
@@ -97,8 +102,12 @@ def main():
     args = get_argparser().parse_args()
     if not args.action:
         args.target = None
+    if args.ssl:
+        cert, key, peer = args.ssl
+    else:
+        cert, key, peer = None, None, None
 
-    remote = Client(args.server, args.port, None)
+    remote = Client(args.server, args.port, None, local_cert=cert, local_key=key, peer_cert=peer)
     targets, description = remote.get_rpc_id()
     if args.action != "list-targets":
         if not args.target:
diff --git a/sipyco/sync_struct.py b/sipyco/sync_struct.py
@@ -18,7 +18,7 @@
 import logging
 
 from sipyco import keepalive, pyon
-from sipyco.asyncio_tools import AsyncioServer
+from sipyco.tools import AsyncioServer
 
 
 logger = logging.getLogger(__name__)
diff --git a/sipyco/tools.py b/sipyco/tools.py
@@ -1,6 +1,7 @@
 import asyncio
 import signal
 import socket
+import ssl
 import atexit
 import collections
 import logging
@@ -11,6 +12,30 @@
 logger = logging.getLogger(__name__)
 
 
+def configure_ssl_context(local_cert=None, local_key=None, peer_cert=None, server_mode=False):
+    """Configure an SSL context with mutual authentication.
+
+    :param local_cert: Certificate file. Providing this enables SSL.
+    :param local_key: Private key file. Required when local_cert is provided.
+    :param peer_cert: Peer's certificate file to trust. Required when local_cert is provided.
+    :param server_mode: If True, create a server context, otherwise client context.
+    """
+    if local_key is None:
+        raise ValueError("local_key is required when local_cert is provided")
+    if peer_cert is None:
+        raise ValueError("peer_cert is required when local_cert is provided")
+
+    if server_mode:
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        context.verify_mode = ssl.CERT_REQUIRED
+    else:
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+    context.load_verify_locations(cafile=peer_cert)
+    context.load_cert_chain(local_cert, local_key)
+    return context
+
+
 class TaskObject:
     def start(self, *, loop=None):
         """loop must be specified unless this is called from a running event loop."""
@@ -47,7 +72,7 @@ class AsyncioServer:
     def __init__(self):
         self._client_tasks = set()
 
-    async def start(self, host, port):
+    async def start(self, host, port, local_cert=None, local_key=None, peer_cert=None):
         """Starts the server.
 
         The user must call :meth:`stop`
@@ -58,9 +83,17 @@ async def start(self, host, port):
         :param host: Bind address of the server (see ``asyncio.start_server``
             from the Python standard library).
         :param port: TCP port to bind to.
+        :param local_cert: Server's SSL certificate file. Providing this enables SSL.
+        :param local_key: Server's private key file. Required when local_cert is provided.
+        :param peer_cert: Client's SSL certificate file to trust. Required when local_cert is provided.
         """
+        if local_cert is None:
+            ssl_context = None
+        else:
+            ssl_context = configure_ssl_context(local_cert, local_key, peer_cert, server_mode=True)
         self.server = await asyncio.start_server(self._handle_connection,
                                                  host, port,
+                                                 ssl=ssl_context,
                                                  limit=4*1024*1024)
 
     async def stop(self):
