feat: enhance SSL/TLS certificate management and update encryption setup

Author: twisti-dev

cert_new/INSTRUCTIONS.md

@@ -0,0 +1,174 @@
+# SSL Certificate Generation Guide for Netty Server and Clients
+
+This guide explains how to generate and manage SSL/TLS certificates for your Netty-based server and
+clients using OpenSSL. Properly generated certificates ensure secure communication between your
+server and clients.
+
+> **Note:** If you already have a server set up and only need to add a new client, you can skip directly
+> to **[Step 4](#step-4-generate-client-certificates-repeatable-for-each-client)**. Ensure the following files are already present in your working directory:
+> - `openssl.cnf`
+> - `ca.key`
+> - `ca.crt`
+
+---
+
+## Prerequisites
+
+- Install [OpenSSL](https://slproweb.com/products/Win32OpenSSL.html) or use WSL/Git Bash.
+- Ensure OpenSSL is available in your command prompt:
+
+```bash
+openssl version
+```
+
+---
+
+## Step-by-Step Guide
+
+### Step 1: Create an OpenSSL Configuration File (`openssl.cnf`)
+
+Create a file named `openssl.cnf` in your working directory:
+
+```ini
+[ req ]
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = v3_req
+prompt             = no
+
+[ req_distinguished_name ]
+C  = DE
+ST = Remote
+L  = Internet
+O  = Surf Cloud
+CN = YOUR_SERVER_IP_OR_DNS
+
+[ v3_req ]
+subjectAltName = @alt_names
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+
+[ alt_names ]
+IP.1 = YOUR_SERVER_IP
+DNS.1 = YOUR_SERVER_DNS
+```
+
+Replace `YOUR_SERVER_IP` and `YOUR_SERVER_DNS` with your actual server IP address and DNS name.
+
+Example:
+
+```ini
+CN = 192.168.1.23
+
+[ alt_names ]
+IP.1 = 192.168.1.23
+DNS.1 = myserver.local
+```
+
+---
+
+### Step 2: Generate Your Own Certificate Authority (CA)
+
+Run the following commands once to create your CA:
+
+```bash
+openssl genrsa -out ca.key 2048
+
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=DE/ST=Remote/L=Internet/O=Surf Cloud/CN=SurfCloud CA"
+```
+
+**Important:**
+
+- `ca.key`: Private key of your CA (keep this secret and safe).
+- `ca.crt`: Public certificate of your CA (clients and server use this to establish trust).
+
+---
+
+### Step 3: Generate Server Certificate
+
+```bash
+# Generate private key
+openssl genrsa -out server.key 2048
+
+# Generate CSR (Certificate Signing Request)
+openssl req -new -key server.key -out server.csr -config openssl.cnf
+
+# Sign CSR with your CA
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile openssl.cnf -extensions v3_req
+```
+
+**Files produced:**
+
+- `server.key`: Server's private key (use on your Netty server).
+- `server.crt`: Server's signed certificate (distribute to clients).
+
+---
+
+### Step 4: Generate Client Certificates (repeatable for each client)
+
+Modify `openssl.cnf` by changing the `CN` to your client name (`client01`, `client02`, etc.):
+
+```ini
+CN = test-server01
+```
+
+Then run:
+
+```bash
+openssl genrsa -out client.key 2048
+
+openssl req -new -key client.key -out client.csr -config openssl.cnf
+
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -extfile openssl.cnf -extensions v3_req
+```
+
+**Files produced:**
+
+- `client.key`: Client's private key (keep secret and only on the client).
+- `client.crt`: Client's signed certificate (put this on your server to authenticate the
+  client).
+
+---
+
+## File Management
+
+### Files to Keep and Their Usage
+
+| File         | Purpose                                      | Store on                             |
+|--------------|----------------------------------------------|--------------------------------------|
+| `ca.key`     | CA private key (needed for signing)          | Secure offline storage (never share) |
+| `ca.crt`     | CA certificate (trusted by all participants) | Server and Clients                   |
+| `server.key` | Server private key                           | Server (secure)                      |
+| `server.crt` | Server certificate (signed by CA)            | Server (send to clients)             |
+| `client.key` | Client private key                           | Client (secure)                      |
+| `client.crt` | Client certificate (signed by CA)            | Server (trust this certificate)      |
+
+### Directory Structure
+
+**On Server:**
+
+```
+certificates/
+├── server.key
+├── server.crt
+└── ca.crt
+```
+
+**On Client:**
+
+```
+certificates/
+├── client.key
+├── client.crt
+└── ca.crt
+```
+
+---
+
+## Common Errors and Fixes
+
+- **Hostname/IP undefined:** Ensure your server certificate includes the correct IP/DNS in SAN.
+- **certificate_unknown:** Ensure the client certificate is correctly placed in
+  `certificates/clients/` and signed by the CA.
+
+---

surf-cloud-api/surf-cloud-api-common/src/main/kotlin/dev/slne/surf/cloud/api/common/netty/network/codec/kotlinx/java/UUIDSerializer.kt

@@ -4,7 +4,7 @@ import dev.slne.surf.cloud.api.common.netty.network.codec.kotlinx.CloudBufSerial
 import dev.slne.surf.cloud.api.common.netty.protocol.buffer.SurfByteBuf
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.descriptors.buildClassSerialDescriptor
-import org.gradle.internal.impldep.kotlinx.serialization.descriptors.element
+import kotlinx.serialization.descriptors.element
 import java.util.UUID
 
 typealias SerializableUUID = @Serializable(with = UUIDSerializer::class) UUID

surf-cloud-core/surf-cloud-core-client/src/main/kotlin/dev/slne/surf/cloud/core/client/netty/network/ClientEncryptionManager.kt

@@ -1,40 +1,41 @@
 package dev.slne.surf.cloud.core.client.netty.network
 
-import dev.slne.surf.cloud.api.common.config.properties.CloudProperties
+import dev.slne.surf.cloud.core.common.config.cloudConfig
 import dev.slne.surf.cloud.core.common.netty.network.EncryptionManager
 import dev.slne.surf.cloud.core.common.netty.network.HandlerNames
 import dev.slne.surf.surfapi.core.api.util.logger
 import io.netty.channel.Channel
 import io.netty.handler.ssl.SslContext
 import io.netty.handler.ssl.SslContextBuilder
+import io.netty.handler.ssl.SslProvider
+import kotlin.io.path.div
 
 object ClientEncryptionManager : EncryptionManager() {
-    private val log = logger()
     private lateinit var sslContext: SslContext
 
-    private val clientCertificateFile =
-        certificatesFolder.resolve("${CloudProperties.SERVER_NAME}.crt").toFile()
-    private val clientKeyFile =
-        certificatesFolder.resolve("${CloudProperties.SERVER_NAME}.key").toFile()
-    private val serverCertificate = certificatesFolder.resolve("server.crt").toFile()
+    private val clientCertificateFile = (certificatesFolder / "client.crt").toFile()
+    private val clientKeyFile = (certificatesFolder / "client.key").toFile()
+    private val trustManagerFile = (certificatesFolder / "ca.crt").toFile()
 
     override fun setupEncryption(ch: Channel) {
+        val config = cloudConfig.connectionConfig.nettyConfig
         ch.pipeline().addFirst(
             HandlerNames.SSL_HANDLER,
-            sslContext.newHandler(ch.alloc())
+            sslContext.newHandler(ch.alloc(), config.host, config.port)
         )
     }
 
     override suspend fun init() {
-        waitForFiles(clientCertificateFile, clientKeyFile, serverCertificate)
+        waitForFiles(clientCertificateFile, clientKeyFile, trustManagerFile)
         sslContext = buildSslContext()
     }
 
     private fun buildSslContext(): SslContext {
         return SslContextBuilder
             .forClient()
             .keyManager(clientCertificateFile, clientKeyFile)
-            .trustManager(serverCertificate)
+            .trustManager(trustManagerFile)
+            .sslProvider(SslProvider.JDK)
             .build()
     }
 }

surf-cloud-core/surf-cloud-core-common/src/main/kotlin/dev/slne/surf/cloud/core/common/netty/network/ConnectionImpl.kt

@@ -25,16 +25,15 @@ import dev.slne.surf.surfapi.core.api.util.logger
 import io.netty.bootstrap.Bootstrap
 import io.netty.channel.*
 import io.netty.channel.epoll.Epoll
-import io.netty.channel.epoll.EpollEventLoopGroup
+import io.netty.channel.epoll.EpollIoHandler
 import io.netty.channel.epoll.EpollSocketChannel
-import io.netty.channel.nio.NioEventLoopGroup
+import io.netty.channel.nio.NioIoHandler
 import io.netty.channel.socket.SocketChannel
 import io.netty.channel.socket.nio.NioSocketChannel
 import io.netty.handler.codec.EncoderException
 import io.netty.handler.codec.compression.ZstdDecoder
 import io.netty.handler.codec.compression.ZstdEncoder
 import io.netty.handler.flow.FlowControlHandler
-import io.netty.handler.logging.LogLevel
 import io.netty.handler.logging.LoggingHandler
 import io.netty.handler.timeout.ReadTimeoutHandler
 import io.netty.handler.timeout.TimeoutException
@@ -981,24 +980,22 @@ class ConnectionImpl(
     companion object {
         private val log = logger()
 
-        val NETWORK_WORKER_GROUP: NioEventLoopGroup by lazy {
-            NioEventLoopGroup(
+        val NETWORK_WORKER_GROUP: MultiThreadIoEventLoopGroup by lazy {
+            MultiThreadIoEventLoopGroup(
                 threadFactory {
                     nameFormat("Netty Client IO #%d")
                     daemon(true)
                     uncaughtExceptionHandler(DefaultUncaughtExceptionHandlerWithName(log))
-                }
+                }, NioIoHandler.newFactory()
             )
         }
 
-        val NETWORK_EPOLL_WORKER_GROUP: EpollEventLoopGroup by lazy {
-            EpollEventLoopGroup(
-                threadFactory {
-                    nameFormat("Netty Epoll Client IO #%d")
-                    daemon(true)
-                    uncaughtExceptionHandler(DefaultUncaughtExceptionHandlerWithName(log))
-                }
-            )
+        val NETWORK_EPOLL_WORKER_GROUP: MultiThreadIoEventLoopGroup by lazy {
+            MultiThreadIoEventLoopGroup(threadFactory {
+                nameFormat("Netty Epoll Client IO #%d")
+                daemon(true)
+                uncaughtExceptionHandler(DefaultUncaughtExceptionHandlerWithName(log))
+            }, EpollIoHandler.newFactory())
         }
 
         private val INITIAL_PROTOCOL = HandshakeProtocols.SERVERBOUND

surf-cloud-core/surf-cloud-core-common/src/main/kotlin/dev/slne/surf/cloud/core/common/netty/network/EncryptionManager.kt

@@ -1,18 +1,18 @@
 package dev.slne.surf.cloud.core.common.netty.network
 
 import dev.slne.surf.cloud.core.common.coreCloudInstance
-import dev.slne.surf.surfapi.core.api.util.logger
 import io.netty.channel.Channel
 import kotlinx.coroutines.delay
 import java.io.File
 import java.nio.file.Path
+import kotlin.io.path.createDirectories
+import kotlin.io.path.div
 import kotlin.time.Duration.Companion.seconds
 
 abstract class EncryptionManager {
-    private val log = logger()
 
     protected val certificatesFolder: Path by lazy {
-        coreCloudInstance.dataFolder.resolve("certificates").also { it.toFile().mkdirs() }
+        (coreCloudInstance.dataFolder / "certificates").createDirectories()
     }
 
     abstract fun setupEncryption(ch: Channel)
@@ -24,8 +24,10 @@ abstract class EncryptionManager {
         val missingFiles = files.filter { !it.exists() }.toMutableList()
 
         while (missingFiles.isNotEmpty()) {
-            log.atInfo()
-                .log("Waiting for missing files: ${missingFiles.joinToString { it.path }}")
+//            log.atInfo()
+//                .log("Waiting for missing files: ${missingFiles.joinToString { it.path }}")
+
+            println("[INFO] ${this::class.simpleName}: Waiting for missing files: ${missingFiles.joinToString { it.path }}")
 
             delay(5.seconds)
             missingFiles.removeIf { it.exists() }

surf-cloud-standalone/src/main/kotlin/dev/slne/surf/cloud/standalone/netty/server/connection/ServerConnectionListener.kt

@@ -19,9 +19,11 @@ import io.netty.bootstrap.ServerBootstrap
 import io.netty.channel.*
 import io.netty.channel.epoll.Epoll
 import io.netty.channel.epoll.EpollEventLoopGroup
+import io.netty.channel.epoll.EpollIoHandler
 import io.netty.channel.epoll.EpollServerDomainSocketChannel
 import io.netty.channel.epoll.EpollServerSocketChannel
 import io.netty.channel.nio.NioEventLoopGroup
+import io.netty.channel.nio.NioIoHandler
 import io.netty.channel.socket.nio.NioServerSocketChannel
 import io.netty.channel.unix.DomainSocketAddress
 import io.netty.handler.flush.FlushConsolidationHandler
@@ -215,22 +217,20 @@ class ServerConnectionListener(val server: NettyServerImpl) {
         private val log = logger()
 
         val SERVER_EVENT_GROUP by lazy {
-            NioEventLoopGroup(
-                threadFactory {
-                    nameFormat("Netty Server IO #%d")
-                    daemon(true)
-                    uncaughtExceptionHandler(DefaultUncaughtExceptionHandlerWithName(log))
-                }
-            )
+            MultiThreadIoEventLoopGroup(threadFactory {
+                nameFormat("Netty Server IO #%d")
+                daemon(true)
+                uncaughtExceptionHandler(DefaultUncaughtExceptionHandlerWithName(log))
+            }, NioIoHandler.newFactory())
         }
 
         val SERVER_EPOLL_EVENT_GROUP by lazy {
-            EpollEventLoopGroup(
+            MultiThreadIoEventLoopGroup(
                 threadFactory {
                     nameFormat("Netty Epoll Server IO #%d")
                     daemon(true)
                     uncaughtExceptionHandler(DefaultUncaughtExceptionHandlerWithName(log))
-                }
+                }, EpollIoHandler.newFactory()
             )
         }
     }