feat: add TLS encryption for client-agent communication

Implement TLS support using Ed25519 self-signed certificates to encrypt
communication between dutctl client and dutagent server. TLS is enabled
by default with an --insecure flag available for HTTP support.
This provides encryption only, not client authentication. Any client
can connect to the agent.

Signed-off-by: Fabian Wienand <fabian.wienand@9elements.com>

Author: RiSKeD

cmds/dutagent/dutagent.go

@@ -9,6 +9,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"flag"
 	"fmt"
@@ -18,10 +19,12 @@ import (
 	"os"
 	"os/signal"
 	"syscall"
+	"time"
 
 	"connectrpc.com/connect"
 	"github.com/BlindspotSoftware/dutctl/internal/buildinfo"
 	"github.com/BlindspotSoftware/dutctl/internal/dutagent"
+	"github.com/BlindspotSoftware/dutctl/internal/tlsutil"
 	"github.com/BlindspotSoftware/dutctl/pkg/dut"
 	"github.com/BlindspotSoftware/dutctl/pkg/rpc"
 	"github.com/BlindspotSoftware/dutctl/protobuf/gen/dutctl/v1/dutctlv1connect"
@@ -54,6 +57,9 @@ func newAgent(stdout io.Writer, exitFunc func(int), args []string) *agent {
 	fs.BoolVar(&agt.dryRun, "dry-run", false, dryRunInfo)
 	fs.StringVar(&agt.server, "server", "", serverInfo)
 	fs.BoolVar(&agt.versionFlag, "v", false, versionFlagInfo)
+	fs.BoolVar(&agt.insecure, "insecure", false, "Disable TLS (use plain HTTP)")
+	fs.StringVar(&agt.tlsCertPath, "tls-cert", "/etc/dutagent/tls/cert.pem", "Path to TLS certificate file (auto-generated if missing)")
+	fs.StringVar(&agt.tlsKeyPath, "tls-key", "/etc/dutagent/tls/key.pem", "Path to TLS key file (auto-generated if missing)")
 	//nolint:errcheck // flag.Parse always returns no error because of flag.ExitOnError
 	fs.Parse(args[1:])
 
@@ -72,6 +78,9 @@ type agent struct {
 	checkConfig bool
 	dryRun      bool
 	server      string
+	insecure    bool
+	tlsCertPath string
+	tlsKeyPath  string
 
 	// state
 	config config
@@ -152,6 +161,10 @@ func printInitErr(err error) {
 	log.Print(err)
 }
 
+const (
+	readHeaderTimeout = 10 * time.Second
+)
+
 // startRPCService starts the RPC service, that ideally listens for incoming
 // connections forever. It always returns an non-nil error.
 func (agt *agent) startRPCService() error {
@@ -163,18 +176,44 @@ func (agt *agent) startRPCService() error {
 	path, handler := dutctlv1connect.NewDeviceServiceHandler(service)
 	mux.Handle(path, handler)
 
-	//nolint:gosec
-	return http.ListenAndServe(
-		agt.address,
-		// Use h2c so we can serve HTTP/2 without TLS.
-		h2c.NewHandler(mux, &http2.Server{}),
-	)
+	if agt.insecure {
+		// Use h2c so we can serve HTTP/2 without TLS
+		log.Printf("Starting in INSECURE mode (plain HTTP) on %s", agt.address)
+		//nolint:gosec
+		return http.ListenAndServe(
+			agt.address,
+			h2c.NewHandler(mux, &http2.Server{}),
+		)
+	}
+
+	// Use TLS mode (default) - load or auto-generate certificate
+	cert, err := tlsutil.LoadOrGenerateCert(agt.tlsCertPath, agt.tlsKeyPath)
+	if err != nil {
+		return fmt.Errorf("failed to load/generate TLS certificate: %w", err)
+	}
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS13,
+	}
+
+	server := &http.Server{
+		Addr:              agt.address,
+		Handler:           mux,
+		TLSConfig:         tlsConfig,
+		ReadHeaderTimeout: readHeaderTimeout,
+	}
+
+	log.Printf("Starting TLS-enabled RPC service on %s", agt.address)
+
+	// ListenAndServeTLS with empty cert/key paths since we've already loaded them in tlsConfig
+	return server.ListenAndServeTLS("", "")
 }
 
 func (agt *agent) registerWithServer() error {
 	log.Printf("Registering with server %q", agt.server)
 
-	client := spawnClient(agt.server)
+	client := spawnClient(agt.server, agt.insecure)
 	req := connect.NewRequest(&pb.RegisterRequest{
 		Devices: agt.config.Devices.Names(),
 		Address: agt.address,
@@ -191,15 +230,20 @@ func (agt *agent) registerWithServer() error {
 }
 
 // spawnClient creates a new client to the DUT server specified by the server address.
-// TODO: refactor into pkg and reuse in dutctl and dutserver.
 //
 //nolint:ireturn
-func spawnClient(agendURL string) dutctlv1connect.RelayServiceClient {
-	log.Printf("Spawning new client for agent %q", agendURL)
+func spawnClient(serverURL string, insecure bool) dutctlv1connect.RelayServiceClient {
+	client, scheme := rpc.NewClient(insecure)
+
+	if insecure {
+		log.Printf("Spawning insecure client for server %q", serverURL)
+	} else {
+		log.Printf("Spawning TLS client for server %q", serverURL)
+	}
 
 	return dutctlv1connect.NewRelayServiceClient(
-		rpc.NewInsecureClient(),
-		fmt.Sprintf("http://%s", agendURL),
+		client,
+		fmt.Sprintf("%s://%s", scheme, serverURL),
 		connect.WithGRPC(),
 	)
 }

cmds/dutctl/dutctl.go

@@ -77,6 +77,7 @@ func newApp(stdin io.Reader, stdout, stderr io.Writer, exitFunc func(int), args
 	fs.StringVar(&app.outputFormat, "f", "", outputFormatInfo)
 	fs.BoolVar(&app.verbose, "v", false, verboseInfo)
 	fs.BoolVar(&app.noColor, "no-color", false, noColorInfo)
+	fs.BoolVar(&app.insecure, "insecure", false, "Disable TLS (use plain HTTP)")
 
 	//nolint:errcheck // flag.Parse always returns no error because of flag.ExitOnError
 	fs.Parse(args[1:])
@@ -105,6 +106,7 @@ type application struct {
 	outputFormat      string
 	verbose           bool
 	noColor           bool
+	insecure          bool
 	args              []string
 	printFlagDefaults func()
 
@@ -113,13 +115,13 @@ type application struct {
 }
 
 func (app *application) setupRPCClient() {
-	client := dutctlv1connect.NewDeviceServiceClient(
-		rpc.NewInsecureClient(),
-		fmt.Sprintf("http://%s", app.serverAddr),
+	client, scheme := rpc.NewClient(app.insecure)
+
+	app.rpcClient = dutctlv1connect.NewDeviceServiceClient(
+		client,
+		fmt.Sprintf("%s://%s", scheme, app.serverAddr),
 		connect.WithGRPC(),
 	)
-
-	app.rpcClient = client
 }
 
 var errInvalidCmdline = fmt.Errorf("invalid command line")

internal/tlsutil/tlsutil.go

@@ -0,0 +1,203 @@
+// Copyright 2025 Blindspot Software
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tlsutil
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"math/big"
+	"net"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+const (
+	// File and directory permissions.
+	certFileMode = 0644 // Public read, owner write.
+	keyFileMode  = 0600 // Owner read/write only
+	dirMode      = 0755 // Standard directory permissions.
+
+	// Certificate serial number bit size.
+	serialNumberBits = 128
+)
+
+// GenerateSelfSignedCert creates a new self-signed TLS certificate and private key.
+// The certificate is valid for 10 years and includes localhost and system hostname in SANs.
+// Uses Ed25519 for better performance and security compared to RSA.
+func GenerateSelfSignedCert(certPath, keyPath string) error {
+	// Generate Ed25519 private key (much faster than RSA)
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return fmt.Errorf("failed to generate keys: %w", err)
+	}
+
+	// Create self-signed certificate
+	derBytes, err := createSelfSignedCertificate(publicKey, privateKey)
+	if err != nil {
+		return err
+	}
+
+	err = writeCertificate(certPath, derBytes)
+	if err != nil {
+		return err
+	}
+
+	err = writePrivateKey(keyPath, privateKey)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("Generated self-signed TLS certificate: %s", certPath)
+	log.Printf("Generated private key: %s", keyPath)
+
+	return nil
+}
+
+func createSelfSignedCertificate(publicKey ed25519.PublicKey, privateKey ed25519.PrivateKey) ([]byte, error) {
+	// Generate a random serial number
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), serialNumberBits)
+
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	// Get system hostname for SANs
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = "localhost" // Fallback if hostname detection fails
+	}
+
+	template := &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Blindspot Software"},
+			CommonName:   "dutagent",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // 10 years
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost", hostname},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, publicKey, privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	return derBytes, nil
+}
+
+func writeCertificate(certPath string, derBytes []byte) error {
+	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, certFileMode)
+	if err != nil {
+		return fmt.Errorf("failed to create certificate file: %w", err)
+	}
+	defer certOut.Close()
+
+	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	if err != nil {
+		return fmt.Errorf("failed to write certificate: %w", err)
+	}
+
+	return nil
+}
+
+func writePrivateKey(keyPath string, privateKey ed25519.PrivateKey) error {
+	// Marshal Ed25519 private key in PKCS8 format
+	privBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return fmt.Errorf("failed to marshal private key: %w", err)
+	}
+
+	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, keyFileMode)
+	if err != nil {
+		return fmt.Errorf("failed to create key file: %w", err)
+	}
+	defer keyOut.Close()
+
+	err = pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+	if err != nil {
+		return fmt.Errorf("failed to write private key: %w", err)
+	}
+
+	return nil
+}
+
+// LoadOrGenerateCert attempts to load an existing TLS certificate/key pair.
+// If the files don't exist, it generates a new self-signed certificate.
+// If the files exist but cannot be loaded, it returns an error without overwriting them.
+func LoadOrGenerateCert(certPath, keyPath string) (tls.Certificate, error) {
+	// Check if certificate and key files exist
+	certExists := fileExists(certPath)
+	keyExists := fileExists(keyPath)
+
+	// If either file exists, we must load them (don't auto-generate)
+	if certExists || keyExists {
+		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		if err != nil {
+			return tls.Certificate{}, fmt.Errorf("certificate/key files exist but failed to load (cert exists: %v, key exists: %v): %w",
+				certExists, keyExists, err)
+		}
+
+		log.Printf("Loaded existing TLS certificate from: %s", certPath)
+
+		return cert, nil
+	}
+
+	// Neither file exists, generate new certificate
+	log.Printf("TLS certificate not found, generating new self-signed certificate...")
+
+	// Derive directory from cert path
+	certDir := filepath.Dir(certPath)
+	keyDir := filepath.Dir(keyPath)
+
+	// Ensure directories exist
+	err := os.MkdirAll(certDir, dirMode)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to create certificate directory: %w", err)
+	}
+
+	if certDir != keyDir {
+		err := os.MkdirAll(keyDir, dirMode)
+		if err != nil {
+			return tls.Certificate{}, fmt.Errorf("failed to create key directory: %w", err)
+		}
+	}
+
+	// Generate certificate
+	err = GenerateSelfSignedCert(certPath, keyPath)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	// Load the newly generated certificate
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to load generated certificate: %w", err)
+	}
+
+	return cert, nil
+}
+
+// fileExists checks if a file exists and is not a directory.
+func fileExists(path string) bool {
+	info, err := os.Stat(path)
+	if err != nil {
+		return false
+	}
+
+	return !info.IsDir()
+}