Expand Up @@ -83,6 +83,8 @@ private void Awake()
[Tooltip("Hostname")]
[SerializeField]
private string m_ServerCommonName = "localhost";

/// <summary>Common name of the server (typically its hostname).</summary>
public string ServerCommonName
{
get => m_ServerCommonName;
Expand All @@ -92,6 +94,8 @@ public string ServerCommonName
[Tooltip("Client CA filepath. Useful with self-signed certificates")]
[SerializeField]
private string m_ClientCAFilePath = "Assets/Secure/myGameClientCA.pem";

/// <summary>Client CA filepath. Useful with self-signed certificates</summary>
public string ClientCAFilePath
{
get => m_ClientCAFilePath;
Expand All @@ -101,6 +105,11 @@ public string ClientCAFilePath
[Tooltip("Client CA Override. Only useful for development with self-signed certificates. Certificate content, for platforms that lack file access (WebGL)")]
[SerializeField]
private string m_ClientCAOverride = "";

/// <summary>
/// Client CA Override. Only useful for development with self-signed certificates.
/// Certificate content, for platforms that lack file access (WebGL)
/// </summary>
public string ClientCAOverride
{
get => m_ClientCAOverride;
Expand All @@ -110,21 +119,28 @@ public string ClientCAOverride
[Tooltip("Server Certificate filepath")]
[SerializeField]
private string m_ServerCertificateFilePath = "Assets/Secure/myGameServerCertificate.pem";

/// <summary>Server Certificate filepath</summary>
public string ServerCertificateFilePath
{
get => m_ServerCertificateFilePath;
set => m_ServerCertificateFilePath = value;
}
[Tooltip("Server Private Keyfilepath")]

[Tooltip("Server Private Key filepath")]
[SerializeField]
private string m_ServerPrivateFilePath = "Assets/Secure/myGameServerPrivate.pem";

/// <summary>Server Private Key filepath</summary>
public string ServerPrivateFilePath
{
get => m_ServerPrivateFilePath;
set => m_ServerPrivate = value;
}

private string m_ClientCA;

/// <summary>CA certificate used by the client.</summary>
public string ClientCA
{
get
Expand All @@ -137,13 +153,19 @@ public string ClientCA
}
set => m_ClientCA = value;
}

private string m_ServerCertificate;

/// <summary>Certificate used by the server.</summary>
public string ServerCertificate
{
get => ReadFile(m_ServerCertificateFilePath, "Server Certificate");
set => m_ServerCertificate = value;
}

private string m_ServerPrivate;

/// <summary>Private key used by the server.</summary>
public string ServerPrivate
{
get => ReadFile(m_ServerPrivateFilePath, "Server Key");
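Review bot: The `ServerPrivateFilePath` setter assigns `m_ServerPrivate` instead of `m_ServerPrivateFilePath`, so a key path set from code never reaches the `ServerPrivate` getter, which reads `ReadFile(m_ServerPrivateFilePath, "Server Key")`. It should read `set => m_ServerPrivateFilePath = value;`. The `ServerCertificate` getter likewise always reads the file, so a value stored through its setter is never returned; the new summary should say so, or the getter should fall back to `m_ServerCertificate`. The default key path sits under `Assets/Secure/`, so the `ServerPrivateFilePath` summary could add that the private key file must be kept out of version control and out of client builds. The `ClientCA` and `ServerPrivate` property bodies continue outside the visible hunks.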
Expand Up @@ -1425,34 +1425,33 @@ private void ConfigureSimulatorForUtp1()
}
#endif

private FixedString4096Bytes m_ServerPrivate;
private FixedString4096Bytes m_ServerCertificate;
private string m_ServerPrivateKey;
private string m_ServerCertificate;

private FixedString512Bytes m_ServerCommonName;
private FixedString4096Bytes m_ClientCertificate;
private string m_ServerCommonName;
private string m_ClientCaCertificate;

/// <summary>Set the server parameters for encryption.</summary>
/// <param name="serverCertificate">Public certificate for the server (PEM format).</param>
/// <param name="serverPrivateKey">Private key for the server (PEM format).</param>
public void SetServerSecrets(string serverCertificate, string serverPrivateKey)
{
if (serverPrivateKey.Length > m_ServerPrivate.Capacity ||
serverCertificate.Length > m_ServerCertificate.Capacity)
{
throw new Exception("Secret lengths are above what Unity Transport allows.");
}

m_ServerPrivate = serverPrivateKey;
m_ServerPrivateKey = serverPrivateKey;
m_ServerCertificate = serverCertificate;
}

public void SetClientSecrets(string serverCommonName, string clientCertificate = null)
/// <summary>Set the client parameters for encryption.</summary>
/// <remarks>
/// If the CA certificate is not provided, validation will be done against the OS/browser
/// certificate store. This is what you'd want if using certificates from a known provider.
/// For self-signed certificates, the CA certificate needs to be provided.
/// </remarks>
/// <param name="serverCommonName">Common name of the server (typically hostname).</param>
/// <param name="caCertificate">CA certificate used to validate the server's authenticity.</param>
public void SetClientSecrets(string serverCommonName, string caCertificate = null)
{
if (serverCommonName.Length > m_ServerCommonName.Capacity ||
clientCertificate?.Length > m_ClientCertificate.Capacity)
{
throw new Exception("Secret lengths are above what Unity Transport allows.");
}

m_ServerCommonName = serverCommonName;
m_ClientCertificate = clientCertificate;
m_ClientCaCertificate = caCertificate;
}

/// <summary>
Expand Down Expand Up @@ -1505,41 +1504,41 @@ public void CreateDriver(UnityTransport transport, out NetworkDriver driver,
// log an error because we have mismatched configuration
Debug.LogError("Mismatched security configuration, between Relay and local NetworkManager settings");
}
else
{
if (m_UseWebSockets)
{
// Todo: new code to support Relay+WSS
throw new NotImplementedException();
}
}

// No need to to anything else if using Relay because UTP will handle the
// configuration of the security parameters on its own.
}
else
{
try
{
if (NetworkManager.IsServer)
{
if (m_ServerCertificate.Length == 0 ||
m_ServerPrivate.Length == 0)
if (m_ServerCertificate.Length == 0 || m_ServerPrivateKey.Length == 0)
{
throw new Exception("In order to use encrypted communications, when hosting, you must set the server certificate and key.");
}
m_NetworkSettings.WithSecureServerParameters(certificate: ref m_ServerCertificate,
privateKey: ref m_ServerPrivate);
m_NetworkSettings.WithSecureServerParameters(m_ServerCertificate, m_ServerPrivateKey);
}
else
{
if (m_ServerCommonName.Length == 0)
{
throw new Exception("In order to use encrypted communications, clients must set the server common name.");
}
m_NetworkSettings.WithSecureClientParameters(serverName: ref m_ServerCommonName, caCertificate: ref m_ClientCertificate);
else if (m_ClientCaCertificate == null)
{
m_NetworkSettings.WithSecureClientParameters(m_ServerCommonName);
}
else
{
m_NetworkSettings.WithSecureClientParameters(m_ClientCaCertificate, m_ServerCommonName));
}
}
}
catch(Exception e)
{
Debug.LogException(e,this);
Debug.LogException(e, this);
}
}
}
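Review bot: The emptiness checks in CreateDriver, `m_ServerCertificate.Length == 0 || m_ServerPrivateKey.Length == 0` and `m_ServerCommonName.Length == 0`, now dereference plain `string` fields that stay null until SetServerSecrets or SetClientSecrets is called. A missing configuration therefore raises a NullReferenceException instead of the intended message; use `string.IsNullOrEmpty(m_ServerCertificate) || string.IsNullOrEmpty(m_ServerPrivateKey)` and `string.IsNullOrEmpty(m_ServerCommonName)`. Either exception is only logged by the surrounding `catch`, and the rest of CreateDriver lies outside the hunk, so it is worth confirming that the driver cannot come up without the secure parameters after such a failure. The new call `m_NetworkSettings.WithSecureClientParameters(m_ClientCaCertificate, m_ServerCommonName));` also has one closing parenthesis too many.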