refactor: Use string-based encryption APIs in UnityTransport (#2238)

* Add missing XML documentation

* Use string-based secure APIs from UTP

Co-authored-by: ashwini <[email protected]>

Author: simon-lemay-unity

com.unity.netcode.gameobjects/Runtime/Transports/UTP/SecretsLoaderHelper.cs

@@ -83,6 +83,8 @@ private void Awake()
         [Tooltip("Hostname")]
         [SerializeField]
         private string m_ServerCommonName = "localhost";
+
+        /// <summary>Common name of the server (typically its hostname).</summary>
         public string ServerCommonName
         {
             get => m_ServerCommonName;
@@ -92,6 +94,8 @@ public string ServerCommonName
         [Tooltip("Client CA filepath. Useful with self-signed certificates")]
         [SerializeField]
         private string m_ClientCAFilePath = "Assets/Secure/myGameClientCA.pem";
+
+        /// <summary>Client CA filepath. Useful with self-signed certificates</summary>
         public string ClientCAFilePath
         {
             get => m_ClientCAFilePath;
@@ -101,6 +105,11 @@ public string ClientCAFilePath
         [Tooltip("Client CA Override. Only useful for development with self-signed certificates. Certificate content, for platforms that lack file access (WebGL)")]
         [SerializeField]
         private string m_ClientCAOverride = "";
+
+        /// <summary>
+        /// Client CA Override. Only useful for development with self-signed certificates.
+        /// Certificate content, for platforms that lack file access (WebGL)
+        /// </summary>
         public string ClientCAOverride
         {
             get => m_ClientCAOverride;
@@ -110,21 +119,28 @@ public string ClientCAOverride
         [Tooltip("Server Certificate filepath")]
         [SerializeField]
         private string m_ServerCertificateFilePath = "Assets/Secure/myGameServerCertificate.pem";
+
+        /// <summary>Server Certificate filepath</summary>
         public string ServerCertificateFilePath
         {
             get => m_ServerCertificateFilePath;
             set => m_ServerCertificateFilePath = value;
         }
-        [Tooltip("Server Private Keyfilepath")]
+
+        [Tooltip("Server Private Key filepath")]
         [SerializeField]
         private string m_ServerPrivateFilePath = "Assets/Secure/myGameServerPrivate.pem";
+
+        /// <summary>Server Private Key filepath</summary>
         public string ServerPrivateFilePath
         {
             get => m_ServerPrivateFilePath;
             set => m_ServerPrivate = value;
         }
 
         private string m_ClientCA;
+
+        /// <summary>CA certificate used by the client.</summary>
         public string ClientCA
         {
             get
@@ -137,13 +153,19 @@ public string ClientCA
             }
             set => m_ClientCA = value;
         }
+
         private string m_ServerCertificate;
+
+        /// <summary>Certificate used by the server.</summary>
         public string ServerCertificate
         {
             get => ReadFile(m_ServerCertificateFilePath, "Server Certificate");
             set => m_ServerCertificate = value;
         }
+
         private string m_ServerPrivate;
+
+        /// <summary>Private key used by the server.</summary>
         public string ServerPrivate
         {
             get => ReadFile(m_ServerPrivateFilePath, "Server Key");

com.unity.netcode.gameobjects/Runtime/Transports/UTP/UnityTransport.cs

@@ -1367,34 +1367,33 @@ private void ConfigureSimulatorForUtp1()
         }
 #endif
 
-        private FixedString4096Bytes m_ServerPrivate;
-        private FixedString4096Bytes m_ServerCertificate;
+        private string m_ServerPrivateKey;
+        private string m_ServerCertificate;
 
-        private FixedString512Bytes m_ServerCommonName;
-        private FixedString4096Bytes m_ClientCertificate;
+        private string m_ServerCommonName;
+        private string m_ClientCaCertificate;
 
+        /// <summary>Set the server parameters for encryption.</summary>
+        /// <param name="serverCertificate">Public certificate for the server (PEM format).</param>
+        /// <param name="serverPrivateKey">Private key for the server (PEM format).</param>
         public void SetServerSecrets(string serverCertificate, string serverPrivateKey)
         {
-            if (serverPrivateKey.Length > m_ServerPrivate.Capacity ||
-                serverCertificate.Length > m_ServerCertificate.Capacity)
-            {
-                throw new Exception("Secret lengths are above what Unity Transport allows.");
-            }
-
-            m_ServerPrivate = serverPrivateKey;
+            m_ServerPrivateKey = serverPrivateKey;
             m_ServerCertificate = serverCertificate;
         }
 
-        public void SetClientSecrets(string serverCommonName, string clientCertificate = null)
+        /// <summary>Set the client parameters for encryption.</summary>
+        /// <remarks>
+        /// If the CA certificate is not provided, validation will be done against the OS/browser
+        /// certificate store. This is what you'd want if using certificates from a known provider.
+        /// For self-signed certificates, the CA certificate needs to be provided.
+        /// </remarks>
+        /// <param name="serverCommonName">Common name of the server (typically hostname).</param>
+        /// <param name="caCertificate">CA certificate used to validate the server's authenticity.</param>
+        public void SetClientSecrets(string serverCommonName, string caCertificate = null)
         {
-            if (serverCommonName.Length > m_ServerCommonName.Capacity ||
-                clientCertificate?.Length > m_ClientCertificate.Capacity)
-            {
-                throw new Exception("Secret lengths are above what Unity Transport allows.");
-            }
-
             m_ServerCommonName = serverCommonName;
-            m_ClientCertificate = clientCertificate;
+            m_ClientCaCertificate = caCertificate;
         }
 
         /// <summary>
@@ -1447,41 +1446,41 @@ public void CreateDriver(UnityTransport transport, out NetworkDriver driver,
                         // log an error because we have mismatched configuration
                         Debug.LogError("Mismatched security configuration, between Relay and local NetworkManager settings");
                     }
-                    else
-                    {
-                        if (m_UseWebSockets)
-                        {
-                            // Todo: new code to support Relay+WSS
-                            throw new NotImplementedException();
-                        }
-                    }
+
+                    // No need to to anything else if using Relay because UTP will handle the
+                    // configuration of the security parameters on its own.
                 }
                 else
                 {
                     try
                     {
                         if (NetworkManager.IsServer)
                         {
-                            if (m_ServerCertificate.Length == 0 ||
-                                m_ServerPrivate.Length == 0)
+                            if (m_ServerCertificate.Length == 0 || m_ServerPrivateKey.Length == 0)
                             {
                                 throw new Exception("In order to use encrypted communications, when hosting, you must set the server certificate and key.");
                             }
-                            m_NetworkSettings.WithSecureServerParameters(certificate: ref m_ServerCertificate,
-                                privateKey: ref m_ServerPrivate);
+                            m_NetworkSettings.WithSecureServerParameters(m_ServerCertificate, m_ServerPrivateKey);
                         }
                         else
                         {
                             if (m_ServerCommonName.Length == 0)
                             {
                                 throw new Exception("In order to use encrypted communications, clients must set the server common name.");
                             }
-                            m_NetworkSettings.WithSecureClientParameters(serverName: ref m_ServerCommonName, caCertificate: ref m_ClientCertificate);
+                            else if (m_ClientCaCertificate == null)
+                            {
+                                m_NetworkSettings.WithSecureClientParameters(m_ServerCommonName);
+                            }
+                            else
+                            {
+                                m_NetworkSettings.WithSecureClientParameters(m_ClientCaCertificate, m_ServerCommonName));
+                            }
                         }
                     }
                     catch(Exception e)
                     {
-                        Debug.LogException(e,this);
+                        Debug.LogException(e, this);
                     }
                 }
             }