tenseleyflow/hyprkvm / ce63a95

+[[package]]

+name = "block-buffer"

+version = "0.10.4"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"

+dependencies = [

+ "generic-array",

+]

+

+[[package]]

+name = "cpufeatures"

+version = "0.2.17"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"

+dependencies = [

+ "libc",

+]

+

+[[package]]

+name = "crypto-common"

+version = "0.1.7"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"

+dependencies = [

+ "generic-array",

+ "typenum",

+]

+

+[[package]]

+name = "digest"

+version = "0.10.7"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"

+dependencies = [

+ "block-buffer",

+ "crypto-common",

+]

+

+[[package]]

+name = "generic-array"

+version = "0.14.7"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"

+dependencies = [

+ "typenum",

+ "version_check",

+]

+

+ "sha2",

+ "time",

+[[package]]

+name = "sha2"

+version = "0.10.9"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"

+dependencies = [

+ "cfg-if",

+ "cpufeatures",

+ "digest",

+]

+

+[[package]]

+name = "typenum"

+version = "1.19.0"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"

+

+[[package]]

+name = "version_check"

+version = "0.9.5"

+source = "registry+https://github.com/rust-lang/crates.io-index"

+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"

+

+rustls = { version = "0.23", features = ["aws_lc_rs"] }

+sha2 = "0.10"

+time = "0.3"

+sha2 = { workspace = true }

+time = { workspace = true }

+//! Known hosts management for TOFU (Trust On First Use)

+//!

+//! Stores trusted certificate fingerprints for peer machines.

+

+use std::collections::HashMap;

+use std::fs;

+use std::path::{Path, PathBuf};

+

+use serde::{Deserialize, Serialize};

+

+use super::tls::Fingerprint;

+

+/// Known hosts storage

+#[derive(Debug, Clone, Serialize, Deserialize, Default)]

+pub struct KnownHosts {

+    /// Map of machine name to trusted fingerprint

+    #[serde(default)]

+    pub hosts: HashMap<String, KnownHost>,

+}

+

+/// A known host entry

+#[derive(Debug, Clone, Serialize, Deserialize)]

+pub struct KnownHost {

+    /// Certificate fingerprint (SHA-256, hex encoded)

+    pub fingerprint: String,

+    /// When this host was first seen

+    #[serde(default = "default_timestamp")]

+    pub first_seen: String,

+    /// When this host was last seen

+    #[serde(default = "default_timestamp")]

+    pub last_seen: String,

+    /// Optional notes

+    #[serde(default, skip_serializing_if = "Option::is_none")]

+    pub notes: Option<String>,

+}

+

+fn default_timestamp() -> String {

+    chrono_lite_now()

+}

+

+/// Simple timestamp without chrono dependency

+fn chrono_lite_now() -> String {

+    use std::time::{SystemTime, UNIX_EPOCH};

+    let duration = SystemTime::now()

+        .duration_since(UNIX_EPOCH)

+        .unwrap_or_default();

+    format!("{}", duration.as_secs())

+}

+

+impl KnownHosts {

+    /// Get the default known hosts file path

+    pub fn default_path() -> PathBuf {

+        dirs::config_dir()

+            .map(|d| d.join("hyprkvm").join("known_hosts.toml"))

+            .unwrap_or_else(|| PathBuf::from("known_hosts.toml"))

+    }

+

+    /// Load known hosts from file, or create empty if not exists

+    pub fn load(path: &Path) -> Result<Self, KnownHostsError> {

+        if !path.exists() {

+            tracing::debug!("Known hosts file not found, starting fresh");

+            return Ok(Self::default());

+        }

+

+        let content = fs::read_to_string(path)

+            .map_err(|e| KnownHostsError::Io(format!("Failed to read {:?}: {}", path, e)))?;

+

+        toml::from_str(&content)

+            .map_err(|e| KnownHostsError::Parse(format!("Failed to parse {:?}: {}", path, e)))

+    }

+

+    /// Save known hosts to file

+    pub fn save(&self, path: &Path) -> Result<(), KnownHostsError> {

+        // Ensure parent directory exists

+        if let Some(parent) = path.parent() {

+            fs::create_dir_all(parent)

+                .map_err(|e| KnownHostsError::Io(format!("Failed to create directory: {}", e)))?;

+        }

+

+        let content = toml::to_string_pretty(self)

+            .map_err(|e| KnownHostsError::Serialize(e.to_string()))?;

+

+        fs::write(path, content)

+            .map_err(|e| KnownHostsError::Io(format!("Failed to write {:?}: {}", path, e)))?;

+

+        tracing::debug!("Saved known hosts to {:?}", path);

+        Ok(())

+    }

+

+    /// Check if a host is known with the given fingerprint

+    pub fn is_trusted(&self, machine_name: &str, fingerprint: &Fingerprint) -> TrustStatus {

+        match self.hosts.get(machine_name) {

+            None => TrustStatus::Unknown,

+            Some(host) => {

+                if host.fingerprint == fingerprint.to_hex() {

+                    TrustStatus::Trusted

+                } else {

+                    TrustStatus::Changed {

+                        old_fingerprint: host.fingerprint.clone(),

+                        new_fingerprint: fingerprint.to_hex(),

+                    }

+                }

+            }

+        }

+    }

+

+    /// Add or update a trusted host

+    pub fn trust_host(&mut self, machine_name: &str, fingerprint: &Fingerprint) {

+        let now = chrono_lite_now();

+        let fp_hex = fingerprint.to_hex();

+

+        if let Some(existing) = self.hosts.get_mut(machine_name) {

+            existing.fingerprint = fp_hex;

+            existing.last_seen = now;

+            tracing::info!("Updated known host: {}", machine_name);

+        } else {

+            self.hosts.insert(

+                machine_name.to_string(),

+                KnownHost {

+                    fingerprint: fp_hex,

+                    first_seen: now.clone(),

+                    last_seen: now,

+                    notes: None,

+                },

+            );

+            tracing::info!("Added new known host: {}", machine_name);

+        }

+    }

+

+    /// Remove a host from known hosts

+    pub fn remove_host(&mut self, machine_name: &str) -> bool {

+        self.hosts.remove(machine_name).is_some()

+    }

+

+    /// Get fingerprint for a known host

+    pub fn get_fingerprint(&self, machine_name: &str) -> Option<Fingerprint> {

+        self.hosts

+            .get(machine_name)

+            .and_then(|h| Fingerprint::from_hex(&h.fingerprint).ok())

+    }

+

+    /// Update last_seen timestamp for a host

+    pub fn touch(&mut self, machine_name: &str) {

+        if let Some(host) = self.hosts.get_mut(machine_name) {

+            host.last_seen = chrono_lite_now();

+        }

+    }

+}

+

+/// Result of checking trust status

+#[derive(Debug, Clone, PartialEq)]

+pub enum TrustStatus {

+    /// Host is not in known_hosts

+    Unknown,

+    /// Host is known and fingerprint matches

+    Trusted,

+    /// Host is known but fingerprint changed (potential MITM!)

+    Changed {

+        old_fingerprint: String,

+        new_fingerprint: String,

+    },

+}

+

+impl TrustStatus {

+    pub fn is_trusted(&self) -> bool {

+        matches!(self, TrustStatus::Trusted)

+    }

+

+    pub fn is_unknown(&self) -> bool {

+        matches!(self, TrustStatus::Unknown)

+    }

+

+    pub fn is_changed(&self) -> bool {

+        matches!(self, TrustStatus::Changed { .. })

+    }

+}

+

+#[derive(Debug, thiserror::Error)]

+pub enum KnownHostsError {

+    #[error("IO error: {0}")]

+    Io(String),

+

+    #[error("Parse error: {0}")]

+    Parse(String),

+

+    #[error("Serialize error: {0}")]

+    Serialize(String),

+}

+

+#[cfg(test)]

+mod tests {

+    use super::*;

+    use tempfile::tempdir;

+

+    #[test]

+    fn test_trust_workflow() {

+        let mut known_hosts = KnownHosts::default();

+        let fp = Fingerprint([0xAB; 32]);

+

+        // Initially unknown

+        assert!(known_hosts.is_trusted("test-machine", &fp).is_unknown());

+

+        // Trust it

+        known_hosts.trust_host("test-machine", &fp);

+        assert!(known_hosts.is_trusted("test-machine", &fp).is_trusted());

+

+        // Different fingerprint should be detected

+        let fp2 = Fingerprint([0xCD; 32]);

+        assert!(known_hosts.is_trusted("test-machine", &fp2).is_changed());

+    }

+

+    #[test]

+    fn test_save_load() {

+        let dir = tempdir().unwrap();

+        let path = dir.path().join("known_hosts.toml");

+

+        let mut known_hosts = KnownHosts::default();

+        let fp = Fingerprint([0xAB; 32]);

+        known_hosts.trust_host("test-machine", &fp);

+

+        known_hosts.save(&path).unwrap();

+

+        let loaded = KnownHosts::load(&path).unwrap();

+        assert!(loaded.is_trusted("test-machine", &fp).is_trusted());

+    }

+}

+#[allow(dead_code)]

+pub mod known_hosts;

+pub mod tls;

+pub use known_hosts::{KnownHosts, TrustStatus};

+pub use tls::{

+    create_tls_acceptor, create_tls_connector, ensure_certificate, get_cert_fingerprint,

+    Fingerprint, TlsError,

+};

+pub use transport::{connect, connect_tls, FramedConnection, Server, TransportError};

+//! TLS certificate management for HyprKVM

+//!

+//! Handles certificate generation, loading, and fingerprint calculation.

+

+use std::fs;

+use std::io::{self, BufReader};

+use std::path::Path;

+use std::sync::Arc;

+

+use rcgen::{CertificateParams, DistinguishedName, DnType, KeyPair, PKCS_ECDSA_P256_SHA256};

+use rustls::pki_types::{CertificateDer, PrivateKeyDer};

+use rustls::{ClientConfig, ServerConfig};

+use rustls_pemfile::{certs, private_key};

+use sha2::{Digest, Sha256};

+use tokio_rustls::{TlsAcceptor, TlsConnector};

+

+/// TLS-related errors

+#[derive(Debug, thiserror::Error)]

+pub enum TlsError {

+    #[error("IO error: {0}")]

+    Io(#[from] io::Error),

+

+    #[error("Certificate generation error: {0}")]

+    CertGen(String),

+

+    #[error("Certificate loading error: {0}")]

+    CertLoad(String),

+

+    #[error("TLS configuration error: {0}")]

+    Config(String),

+

+    #[error("Certificate verification failed: {0}")]

+    Verification(String),

+}

+

+/// Certificate fingerprint (SHA-256)

+#[derive(Debug, Clone, PartialEq, Eq)]

+pub struct Fingerprint(pub [u8; 32]);

+

+impl Fingerprint {

+    /// Calculate fingerprint from DER-encoded certificate

+    pub fn from_der(der: &[u8]) -> Self {

+        let mut hasher = Sha256::new();

+        hasher.update(der);

+        let result = hasher.finalize();

+        let mut bytes = [0u8; 32];

+        bytes.copy_from_slice(&result);

+        Self(bytes)

+    }

+

+    /// Convert to hex string (colon-separated, uppercase)

+    pub fn to_hex(&self) -> String {

+        self.0

+            .iter()

+            .map(|b| format!("{:02X}", b))

+            .collect::<Vec<_>>()

+            .join(":")

+    }

+

+    /// Parse from hex string (colon-separated or continuous)

+    pub fn from_hex(s: &str) -> Result<Self, TlsError> {

+        let clean: String = s.chars().filter(|c| c.is_ascii_hexdigit()).collect();

+        if clean.len() != 64 {

+            return Err(TlsError::Verification(format!(

+                "Invalid fingerprint length: expected 64 hex chars, got {}",

+                clean.len()

+            )));

+        }

+

+        let mut bytes = [0u8; 32];

+        for (i, chunk) in clean.as_bytes().chunks(2).enumerate() {

+            let hex = std::str::from_utf8(chunk).unwrap();

+            bytes[i] = u8::from_str_radix(hex, 16)

+                .map_err(|e| TlsError::Verification(format!("Invalid hex: {}", e)))?;

+        }

+

+        Ok(Self(bytes))

+    }

+}

+

+impl std::fmt::Display for Fingerprint {

+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

+        write!(f, "{}", self.to_hex())

+    }

+}

+

+/// Generate a self-signed ECDSA P-256 certificate

+pub fn generate_certificate(machine_name: &str) -> Result<(String, String), TlsError> {

+    tracing::info!("Generating new self-signed certificate for '{}'", machine_name);

+

+    // Generate ECDSA P-256 key pair

+    let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)

+        .map_err(|e| TlsError::CertGen(format!("Failed to generate key pair: {}", e)))?;

+

+    // Build certificate parameters

+    let mut params = CertificateParams::default();

+

+    // Set distinguished name

+    let mut dn = DistinguishedName::new();

+    dn.push(DnType::CommonName, machine_name);

+    dn.push(DnType::OrganizationName, "HyprKVM");

+    params.distinguished_name = dn;

+

+    // Set validity (10 years)

+    params.not_before = time::OffsetDateTime::now_utc();

+    params.not_after = params.not_before + time::Duration::days(3650);

+

+    // Add Subject Alternative Names

+    params.subject_alt_names = vec![

+        rcgen::SanType::DnsName(machine_name.try_into().map_err(|e| {

+            TlsError::CertGen(format!("Invalid machine name for SAN: {}", e))

+        })?),

+    ];

+

+    // Generate certificate

+    let cert = params

+        .self_signed(&key_pair)

+        .map_err(|e| TlsError::CertGen(format!("Failed to generate certificate: {}", e)))?;

+

+    // Serialize to PEM

+    let cert_pem = cert.pem();

+    let key_pem = key_pair.serialize_pem();

+

+    tracing::info!("Certificate generated successfully");

+

+    Ok((cert_pem, key_pem))

+}

+

+/// Ensure certificate exists, generating if needed

+pub fn ensure_certificate(

+    cert_path: &Path,

+    key_path: &Path,

+    machine_name: &str,

+) -> Result<(), TlsError> {

+    if cert_path.exists() && key_path.exists() {

+        tracing::debug!("Certificate files exist: {:?}, {:?}", cert_path, key_path);

+        return Ok(());

+    }

+

+    tracing::info!("Certificate files not found, generating new certificate");

+

+    let (cert_pem, key_pem) = generate_certificate(machine_name)?;

+

+    // Ensure parent directories exist

+    if let Some(parent) = cert_path.parent() {

+        fs::create_dir_all(parent)?;

+    }

+    if let Some(parent) = key_path.parent() {

+        fs::create_dir_all(parent)?;

+    }

+

+    // Write certificate

+    fs::write(cert_path, &cert_pem)?;

+    tracing::info!("Wrote certificate to {:?}", cert_path);

+

+    // Write private key with restrictive permissions

+    #[cfg(unix)]

+    {

+        use std::os::unix::fs::OpenOptionsExt;

+        let mut opts = fs::OpenOptions::new();

+        opts.write(true).create(true).truncate(true).mode(0o600);

+        let mut file = opts.open(key_path)?;

+        std::io::Write::write_all(&mut file, key_pem.as_bytes())?;

+    }

+    #[cfg(not(unix))]

+    {

+        fs::write(key_path, &key_pem)?;

+    }

+    tracing::info!("Wrote private key to {:?}", key_path);

+

+    Ok(())

+}

+

+/// Load certificate chain from PEM file

+pub fn load_certs(path: &Path) -> Result<Vec<CertificateDer<'static>>, TlsError> {

+    let file = fs::File::open(path)

+        .map_err(|e| TlsError::CertLoad(format!("Failed to open {:?}: {}", path, e)))?;

+    let mut reader = BufReader::new(file);

+

+    let certs: Vec<CertificateDer<'static>> = certs(&mut reader)

+        .collect::<Result<Vec<_>, _>>()

+        .map_err(|e| TlsError::CertLoad(format!("Failed to parse certificates: {}", e)))?;

+

+    if certs.is_empty() {

+        return Err(TlsError::CertLoad("No certificates found in file".into()));

+    }

+

+    Ok(certs)

+}

+

+/// Load private key from PEM file

+pub fn load_private_key(path: &Path) -> Result<PrivateKeyDer<'static>, TlsError> {

+    let file = fs::File::open(path)

+        .map_err(|e| TlsError::CertLoad(format!("Failed to open {:?}: {}", path, e)))?;

+    let mut reader = BufReader::new(file);

+

+    private_key(&mut reader)

+        .map_err(|e| TlsError::CertLoad(format!("Failed to parse private key: {}", e)))?

+        .ok_or_else(|| TlsError::CertLoad("No private key found in file".into()))

+}

+

+/// Get fingerprint of certificate file

+pub fn get_cert_fingerprint(path: &Path) -> Result<Fingerprint, TlsError> {

+    let certs = load_certs(path)?;

+    if let Some(cert) = certs.first() {

+        Ok(Fingerprint::from_der(cert.as_ref()))

+    } else {

+        Err(TlsError::CertLoad("No certificate in file".into()))

+    }

+}

+

+/// Create a TLS acceptor for server-side connections

+pub fn create_tls_acceptor(cert_path: &Path, key_path: &Path) -> Result<TlsAcceptor, TlsError> {

+    let certs = load_certs(cert_path)?;

+    let key = load_private_key(key_path)?;

+

+    let config = ServerConfig::builder()

+        .with_no_client_auth()

+        .with_single_cert(certs, key)

+        .map_err(|e| TlsError::Config(format!("Failed to create server config: {}", e)))?;

+

+    Ok(TlsAcceptor::from(Arc::new(config)))

+}

+

+/// Custom certificate verifier that supports TOFU and fingerprint pinning

+#[derive(Debug)]

+pub struct HyprkvmCertVerifier {

+    /// Expected fingerprint (if pinned)

+    expected_fingerprint: Option<Fingerprint>,

+    /// Callback to handle TOFU (returns true to accept, false to reject)

+    /// If None, TOFU is disabled

+    tofu_enabled: bool,

+}

+

+impl HyprkvmCertVerifier {

+    /// Create verifier with pinned fingerprint

+    pub fn with_fingerprint(fingerprint: Fingerprint) -> Self {

+        Self {

+            expected_fingerprint: Some(fingerprint),

+            tofu_enabled: false,

+        }

+    }

+

+    /// Create verifier with TOFU enabled

+    pub fn with_tofu() -> Self {

+        Self {

+            expected_fingerprint: None,

+            tofu_enabled: true,

+        }

+    }

+

+    /// Create verifier with fingerprint, falling back to TOFU if not set

+    pub fn new(fingerprint: Option<Fingerprint>, tofu_enabled: bool) -> Self {

+        Self {

+            expected_fingerprint: fingerprint,

+            tofu_enabled,

+        }

+    }

+}

+

+impl rustls::client::danger::ServerCertVerifier for HyprkvmCertVerifier {

+    fn verify_server_cert(

+        &self,

+        end_entity: &CertificateDer<'_>,

+        _intermediates: &[CertificateDer<'_>],

+        _server_name: &rustls::pki_types::ServerName<'_>,

+        _ocsp_response: &[u8],

+        _now: rustls::pki_types::UnixTime,

+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {

+        let fingerprint = Fingerprint::from_der(end_entity.as_ref());

+

+        if let Some(ref expected) = self.expected_fingerprint {

+            // Fingerprint pinning mode

+            if fingerprint == *expected {

+                tracing::debug!("Certificate fingerprint matches pinned value");

+                return Ok(rustls::client::danger::ServerCertVerified::assertion());

+            } else {

+                tracing::error!(

+                    "Certificate fingerprint mismatch! Expected: {}, Got: {}",

+                    expected,

+                    fingerprint

+                );

+                return Err(rustls::Error::General(

+                    "Certificate fingerprint mismatch".into(),

+                ));

+            }

+        }

+

+        if self.tofu_enabled {

+            // TOFU mode - accept any certificate but log for manual verification

+            tracing::warn!(

+                "TOFU: Accepting certificate with fingerprint: {}",

+                fingerprint

+            );

+            tracing::warn!("TOFU: Add this fingerprint to config to pin the certificate");

+            return Ok(rustls::client::danger::ServerCertVerified::assertion());

+        }

+

+        Err(rustls::Error::General(

+            "No verification method configured".into(),

+        ))

+    }

+

+    fn verify_tls12_signature(

+        &self,

+        message: &[u8],

+        cert: &CertificateDer<'_>,

+        dss: &rustls::DigitallySignedStruct,

+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {

+        rustls::crypto::verify_tls12_signature(

+            message,

+            cert,

+            dss,

+            &rustls::crypto::aws_lc_rs::default_provider().signature_verification_algorithms,

+        )

+    }

+

+    fn verify_tls13_signature(

+        &self,

+        message: &[u8],

+        cert: &CertificateDer<'_>,

+        dss: &rustls::DigitallySignedStruct,

+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {

+        rustls::crypto::verify_tls13_signature(

+            message,

+            cert,

+            dss,

+            &rustls::crypto::aws_lc_rs::default_provider().signature_verification_algorithms,

+        )

+    }

+

+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {

+        rustls::crypto::aws_lc_rs::default_provider()

+            .signature_verification_algorithms

+            .supported_schemes()

+    }

+}

+

+/// Create a TLS connector for client-side connections

+pub fn create_tls_connector(

+    expected_fingerprint: Option<&str>,

+    tofu_enabled: bool,

+) -> Result<TlsConnector, TlsError> {

+    let fingerprint = match expected_fingerprint {

+        Some(fp) => Some(Fingerprint::from_hex(fp)?),

+        None => None,

+    };

+

+    let verifier = HyprkvmCertVerifier::new(fingerprint, tofu_enabled);

+

+    let config = ClientConfig::builder()

+        .dangerous()

+        .with_custom_certificate_verifier(Arc::new(verifier))

+        .with_no_client_auth();

+

+    Ok(TlsConnector::from(Arc::new(config)))

+}

+

+#[cfg(test)]

+mod tests {

+    use super::*;

+    use tempfile::tempdir;

+

+    #[test]

+    fn test_fingerprint_roundtrip() {

+        let bytes = [0xABu8; 32];

+        let fp = Fingerprint(bytes);

+        let hex = fp.to_hex();

+        let parsed = Fingerprint::from_hex(&hex).unwrap();

+        assert_eq!(fp, parsed);

+    }

+

+    #[test]

+    fn test_generate_certificate() {

+        let (cert_pem, key_pem) = generate_certificate("test-machine").unwrap();

+        assert!(cert_pem.contains("-----BEGIN CERTIFICATE-----"));

+        assert!(key_pem.contains("-----BEGIN PRIVATE KEY-----"));

+    }

+

+    #[test]

+    fn test_ensure_certificate() {

+        let dir = tempdir().unwrap();

+        let cert_path = dir.path().join("cert.pem");

+        let key_path = dir.path().join("key.pem");

+

+        ensure_certificate(&cert_path, &key_path, "test-machine").unwrap();

+

+        assert!(cert_path.exists());

+        assert!(key_path.exists());

+

+        // Second call should not regenerate

+        let cert_content = fs::read_to_string(&cert_path).unwrap();

+        ensure_certificate(&cert_path, &key_path, "test-machine").unwrap();

+        let cert_content2 = fs::read_to_string(&cert_path).unwrap();

+        assert_eq!(cert_content, cert_content2);

+    }

+

+    #[test]

+    fn test_fingerprint_calculation() {

+        let dir = tempdir().unwrap();

+        let cert_path = dir.path().join("cert.pem");

+        let key_path = dir.path().join("key.pem");

+

+        ensure_certificate(&cert_path, &key_path, "test-machine").unwrap();

+

+        let fp = get_cert_fingerprint(&cert_path).unwrap();

+        assert_eq!(fp.to_hex().len(), 95); // 32 bytes * 2 + 31 colons

+    }

+}

+//! TCP/TLS transport layer for HyprKVM

+//! Provides message framing and transport over TCP with optional TLS encryption.

+use std::path::Path;

+use std::pin::Pin;

+use std::sync::Arc;

+use std::task::{Context, Poll};

+use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, ReadBuf};

+use tokio_rustls::client::TlsStream as ClientTlsStream;

+use tokio_rustls::server::TlsStream as ServerTlsStream;

+use tokio_rustls::{TlsAcceptor, TlsConnector};

+use super::tls::{self, Fingerprint};

+

+/// Stream type - either plain TCP or TLS-wrapped

+pub enum Stream {

+    Plain(TcpStream),

+    TlsClient(ClientTlsStream<TcpStream>),

+    TlsServer(ServerTlsStream<TcpStream>),

+}

+

+impl AsyncRead for Stream {

+    fn poll_read(

+        self: Pin<&mut Self>,

+        cx: &mut Context<'_>,

+        buf: &mut ReadBuf<'_>,

+    ) -> Poll<io::Result<()>> {

+        match self.get_mut() {

+            Stream::Plain(s) => Pin::new(s).poll_read(cx, buf),

+            Stream::TlsClient(s) => Pin::new(s).poll_read(cx, buf),

+            Stream::TlsServer(s) => Pin::new(s).poll_read(cx, buf),

+        }

+    }

+}

+

+impl AsyncWrite for Stream {

+    fn poll_write(

+        self: Pin<&mut Self>,

+        cx: &mut Context<'_>,

+        buf: &[u8],

+    ) -> Poll<io::Result<usize>> {

+        match self.get_mut() {

+            Stream::Plain(s) => Pin::new(s).poll_write(cx, buf),

+            Stream::TlsClient(s) => Pin::new(s).poll_write(cx, buf),

+            Stream::TlsServer(s) => Pin::new(s).poll_write(cx, buf),

+        }

+    }

+

+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {

+        match self.get_mut() {

+            Stream::Plain(s) => Pin::new(s).poll_flush(cx),

+            Stream::TlsClient(s) => Pin::new(s).poll_flush(cx),

+            Stream::TlsServer(s) => Pin::new(s).poll_flush(cx),

+        }

+    }

+

+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<io::Result<()>> {

+        match self.get_mut() {

+            Stream::Plain(s) => Pin::new(s).poll_shutdown(cx),

+            Stream::TlsClient(s) => Pin::new(s).poll_shutdown(cx),

+            Stream::TlsServer(s) => Pin::new(s).poll_shutdown(cx),

+        }

+    }

+}

+

+    stream: Stream,

+    /// Peer certificate fingerprint (if TLS)

+    peer_fingerprint: Option<Fingerprint>,

+    /// Create a new framed connection from a plain TcpStream

+            stream: Stream::Plain(stream),

+            peer_fingerprint: None,

+    /// Create a new framed connection from a client TLS stream

+    pub fn from_tls_client(

+        stream: ClientTlsStream<TcpStream>,

+        remote_addr: SocketAddr,

+        peer_fingerprint: Option<Fingerprint>,

+    ) -> Self {

+        Self {

+            stream: Stream::TlsClient(stream),

+            read_buf: BytesMut::with_capacity(8192),

+            write_buf: BytesMut::with_capacity(8192),

+            remote_addr,

+            peer_fingerprint,

+        }

+    }

+

+    /// Create a new framed connection from a server TLS stream

+    pub fn from_tls_server(

+        stream: ServerTlsStream<TcpStream>,

+        remote_addr: SocketAddr,

+    ) -> Self {

+        Self {

+            stream: Stream::TlsServer(stream),

+            read_buf: BytesMut::with_capacity(8192),

+            write_buf: BytesMut::with_capacity(8192),

+            remote_addr,

+            peer_fingerprint: None,

+        }

+    }

+

+    /// Get the peer's certificate fingerprint (if TLS connection)

+    pub fn peer_fingerprint(&self) -> Option<&Fingerprint> {

+        self.peer_fingerprint.as_ref()

+    }

+

+    /// Check if this is a TLS connection

+    pub fn is_tls(&self) -> bool {

+        !matches!(self.stream, Stream::Plain(_))

+    }

+

+/// TLS-enabled TCP server that accepts connections

+    tls_acceptor: Option<TlsAcceptor>,

+    /// Bind to an address and start listening (plain TCP)

+        tracing::info!("Server listening on {} (plain TCP)", local_addr);

+            tls_acceptor: None,

+        })

+    }

+

+    /// Bind to an address with TLS

+    pub async fn bind_tls(

+        addr: SocketAddr,

+        cert_path: &Path,

+        key_path: &Path,

+    ) -> Result<Self, TransportError> {

+        let listener = TcpListener::bind(addr).await.map_err(TransportError::Io)?;

+        let local_addr = listener.local_addr().map_err(TransportError::Io)?;

+

+        let acceptor = tls::create_tls_acceptor(cert_path, key_path)

+            .map_err(|e| TransportError::Tls(e.to_string()))?;

+

+        tracing::info!("Server listening on {} (TLS)", local_addr);

+        Ok(Self {

+            listener,

+            local_addr,

+            tls_acceptor: Some(acceptor),

+    /// Check if TLS is enabled

+    pub fn is_tls(&self) -> bool {

+        self.tls_acceptor.is_some()

+    }

+

+

+        if let Some(ref acceptor) = self.tls_acceptor {

+            tracing::debug!("Performing TLS handshake with {}", addr);

+            let tls_stream = acceptor

+                .accept(stream)

+                .await

+                .map_err(|e| TransportError::Tls(format!("TLS handshake failed: {}", e)))?;

+

+            tracing::info!("Accepted TLS connection from {}", addr);

+            Ok(FramedConnection::from_tls_server(tls_stream, addr))

+        } else {

+            tracing::info!("Accepted connection from {}", addr);

+            FramedConnection::new(stream).map_err(TransportError::Io)

+        }

+/// Connect to a remote server (plain TCP)

+    tracing::info!("Connecting to {} (plain TCP)", addr);

+/// Connect to a remote server with TLS

+pub async fn connect_tls(

+    addr: SocketAddr,

+    server_name: &str,

+    expected_fingerprint: Option<&str>,

+    tofu_enabled: bool,

+) -> Result<FramedConnection, TransportError> {

+    tracing::info!("Connecting to {} (TLS, server_name={})", addr, server_name);

+

+    let stream = TcpStream::connect(addr).await.map_err(TransportError::Io)?;

+    stream.set_nodelay(true).map_err(TransportError::Io)?;

+

+    let connector = tls::create_tls_connector(expected_fingerprint, tofu_enabled)

+        .map_err(|e| TransportError::Tls(e.to_string()))?;

+

+    let server_name = rustls::pki_types::ServerName::try_from(server_name.to_string())

+        .map_err(|e| TransportError::Tls(format!("Invalid server name: {}", e)))?;

+

+    tracing::debug!("Performing TLS handshake with {}", addr);

+    let tls_stream = connector

+        .connect(server_name, stream)

+        .await

+        .map_err(|e| TransportError::Tls(format!("TLS handshake failed: {}", e)))?;

+

+    // Extract peer certificate fingerprint

+    let peer_fingerprint = tls_stream

+        .get_ref()

+        .1

+        .peer_certificates()

+        .and_then(|certs| certs.first())

+        .map(|cert| Fingerprint::from_der(cert.as_ref()));

+

+    if let Some(ref fp) = peer_fingerprint {

+        tracing::info!("Connected to {} (TLS), peer fingerprint: {}", addr, fp);

+    } else {

+        tracing::info!("Connected to {} (TLS)", addr);

+    }

+

+    Ok(FramedConnection::from_tls_client(tls_stream, addr, peer_fingerprint))

+}

+

+    #[error("TLS error: {0}")]

+    Tls(String),

+