Authenticate client with mtls

Author: NickCao

packages/jumpstarter/jumpstarter/client/client.py

@@ -9,8 +9,8 @@
 from jumpstarter_protocol import jumpstarter_pb2_grpc
 
 from jumpstarter.client import DriverClient
-from jumpstarter.common.importlib import import_class
 from jumpstarter.common.grpc import aio_secure_channel
+from jumpstarter.common.importlib import import_class
 
 
 @asynccontextmanager
@@ -41,8 +41,12 @@ async def client_from_channel(
             if endpoint.certificate:
                 attempted_channel = aio_secure_channel(
                     endpoint.endpoint,
-                    grpc.ssl_channel_credentials(root_certificates=endpoint.certificate.encode()),
-                )  # TODO: set token
+                    grpc.ssl_channel_credentials(
+                        root_certificates=endpoint.certificate.encode(),
+                        private_key=endpoint.client_private_key.encode(),
+                        certificate_chain=endpoint.client_certificate.encode(),
+                    ),
+                )
                 try:
                     response = await jumpstarter_pb2_grpc.ExporterServiceStub(attempted_channel).GetReport(
                         empty_pb2.Empty()

packages/jumpstarter/jumpstarter/exporter/tls.py

@@ -41,6 +41,7 @@ def with_alternative_endpoints(server, endpoints: list[str]):
                 sans.append(x509.IPAddress(host))
 
     key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
+    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
 
     crt = (
         x509.CertificateBuilder()
@@ -53,6 +54,16 @@ def with_alternative_endpoints(server, endpoints: list[str]):
         .add_extension(x509.SubjectAlternativeName(sans), critical=False)
         .sign(private_key=key, algorithm=hashes.SHA256(), backend=default_backend())
     )
+    client_crt = (
+        x509.CertificateBuilder()
+        .subject_name(x509.Name([]))
+        .issuer_name(x509.Name([]))
+        .public_key(client_key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(datetime.now())
+        .not_valid_after(datetime.now() + timedelta(days=365))
+        .sign(private_key=client_key, algorithm=hashes.SHA256(), backend=default_backend())
+    )
 
     pem_crt = crt.public_bytes(serialization.Encoding.PEM)
     pem_key = key.private_bytes(
@@ -61,14 +72,27 @@ def with_alternative_endpoints(server, endpoints: list[str]):
         encryption_algorithm=serialization.NoEncryption(),
     )
 
-    server_credentials = grpc.ssl_server_credentials([(pem_key, pem_crt)])
+    pem_client_crt = client_crt.public_bytes(serialization.Encoding.PEM)
+    pem_client_key = client_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+
+    server_credentials = grpc.ssl_server_credentials(
+        [(pem_key, pem_crt)], root_certificates=pem_client_crt, require_client_auth=True
+    )
 
     endpoints_pb = []
     for endpoint in endpoints:
         server.add_secure_port(endpoint, server_credentials)
-        # FIXME: generate and check token
         endpoints_pb.append(
-            jumpstarter_pb2.Endpoint(endpoint=endpoint, token="", certificate=pem_crt),
+            jumpstarter_pb2.Endpoint(
+                endpoint=endpoint,
+                certificate=pem_crt,
+                client_certificate=pem_client_crt,
+                client_private_key=pem_client_key,
+            ),
         )
 
     return endpoints_pb