feat: add TLS encryption for client-agent communication

Implement TLS support using Ed25519 self-signed certificates to encrypt
communication between dutctl client and dutagent server. TLS is enabled
by default with an --insecure flag available for HTTP support.
This provides encryption only, not client authentication. Any client
can connect to the agent.

Signed-off-by: Fabian Wienand <fabian.wienand@9elements.com>

Author: RiSKeD

cmds/dutagent/dutagent.go

@@ -24,6 +24,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/BlindspotSoftware/dutctl/internal/buildinfo"
 	"github.com/BlindspotSoftware/dutctl/internal/dutagent"
+	"github.com/BlindspotSoftware/dutctl/internal/tlsutil"
 	"github.com/BlindspotSoftware/dutctl/pkg/dut"
 	"github.com/BlindspotSoftware/dutctl/protobuf/gen/dutctl/v1/dutctlv1connect"
 	"golang.org/x/net/http2"
@@ -55,6 +56,9 @@ func newAgent(stdout io.Writer, exitFunc func(int), args []string) *agent {
 	fs.BoolVar(&agt.dryRun, "dry-run", false, dryRunInfo)
 	fs.StringVar(&agt.server, "server", "", serverInfo)
 	fs.BoolVar(&agt.versionFlag, "v", false, versionFlagInfo)
+	fs.BoolVar(&agt.insecure, "insecure", false, "Disable TLS (use plain HTTP)")
+	fs.StringVar(&agt.tlsCertPath, "tls-cert", "/etc/dutagent/tls/cert.pem", "Path to TLS certificate file (auto-generated if missing)")
+	fs.StringVar(&agt.tlsKeyPath, "tls-key", "/etc/dutagent/tls/key.pem", "Path to TLS key file (auto-generated if missing)")
 	//nolint:errcheck // flag.Parse always returns no error because of flag.ExitOnError
 	fs.Parse(args[1:])
 
@@ -73,6 +77,9 @@ type agent struct {
 	checkConfig bool
 	dryRun      bool
 	server      string
+	insecure    bool
+	tlsCertPath string
+	tlsKeyPath  string
 
 	// state
 	config config
@@ -164,12 +171,37 @@ func (agt *agent) startRPCService() error {
 	path, handler := dutctlv1connect.NewDeviceServiceHandler(service)
 	mux.Handle(path, handler)
 
-	//nolint:gosec
-	return http.ListenAndServe(
-		agt.address,
-		// Use h2c so we can serve HTTP/2 without TLS.
-		h2c.NewHandler(mux, &http2.Server{}),
-	)
+	if agt.insecure {
+		// Use h2c so we can serve HTTP/2 without TLS
+		log.Printf("Starting in INSECURE mode (plain HTTP) on %s", agt.address)
+		//nolint:gosec
+		return http.ListenAndServe(
+			agt.address,
+			h2c.NewHandler(mux, &http2.Server{}),
+		)
+	}
+
+	// Use TLS mode (default) - load or auto-generate certificate
+	cert, err := tlsutil.LoadOrGenerateCert(agt.tlsCertPath, agt.tlsKeyPath)
+	if err != nil {
+		return fmt.Errorf("failed to load/generate TLS certificate: %w", err)
+	}
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	server := &http.Server{
+		Addr:      agt.address,
+		Handler:   mux,
+		TLSConfig: tlsConfig,
+	}
+
+	log.Printf("Starting TLS-enabled RPC service on %s", agt.address)
+
+	// ListenAndServeTLS with empty cert/key paths since we've already loaded them in tlsConfig
+	return server.ListenAndServeTLS("", "")
 }
 
 func (agt *agent) registerWithServer() error {

cmds/dutctl/dutctl.go

@@ -78,6 +78,7 @@ func newApp(stdin io.Reader, stdout, stderr io.Writer, exitFunc func(int), args
 	fs.StringVar(&app.outputFormat, "f", "", outputFormatInfo)
 	fs.BoolVar(&app.verbose, "v", false, verboseInfo)
 	fs.BoolVar(&app.noColor, "no-color", false, noColorInfo)
+	fs.BoolVar(&app.insecure, "insecure", false, "Disable TLS (use plain HTTP)")
 
 	//nolint:errcheck // flag.Parse always returns no error because of flag.ExitOnError
 	fs.Parse(args[1:])
@@ -106,6 +107,7 @@ type application struct {
 	outputFormat      string
 	verbose           bool
 	noColor           bool
+	insecure          bool
 	args              []string
 	printFlagDefaults func()
 
@@ -114,14 +116,33 @@ type application struct {
 }
 
 func (app *application) setupRPCClient() {
-	client := dutctlv1connect.NewDeviceServiceClient(
-		// Instead of http.DefaultClient, use the HTTP/2 protocol without TLS
-		newInsecureClient(),
-		fmt.Sprintf("http://%s", app.serverAddr),
+	var client *http.Client
+	var scheme string
+
+	if app.insecure {
+		client = newInsecureClient()
+		scheme = "http"
+	} else {
+		client = newTLSClient()
+		scheme = "https"
+	}
+
+	app.rpcClient = dutctlv1connect.NewDeviceServiceClient(
+		client,
+		fmt.Sprintf("%s://%s", scheme, app.serverAddr),
 		connect.WithGRPC(),
 	)
+}
 
-	app.rpcClient = client
+func newTLSClient() *http.Client {
+	return &http.Client{
+		Transport: &http2.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true, // Skip certificate verification
+				MinVersion:         tls.VersionTLS12,
+			},
+		},
+	}
 }
 
 func newInsecureClient() *http.Client {

internal/tlsutil/tlsutil.go

@@ -0,0 +1,159 @@
+// Copyright 2025 Blindspot Software
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tlsutil
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"math/big"
+	"net"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// GenerateSelfSignedCert creates a new self-signed TLS certificate and private key.
+// The certificate is valid for 10 years and includes localhost and system hostname in SANs.
+// Uses Ed25519 for better performance and security compared to RSA.
+func GenerateSelfSignedCert(certPath, keyPath string) error {
+	// Generate Ed25519 private key (much faster than RSA)
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return fmt.Errorf("failed to generate Ed25519 key: %w", err)
+	}
+
+	// Generate a random serial number
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	// Get system hostname for SANs
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = "localhost" // Fallback if hostname detection fails
+	}
+
+	// Create certificate template
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Blindspot Software"},
+			CommonName:   "dutagent",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // 10 years
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost", hostname},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
+	}
+
+	// Create self-signed certificate
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey, privateKey)
+	if err != nil {
+		return fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	// Write certificate to file with secure permissions
+	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return fmt.Errorf("failed to create cert file: %w", err)
+	}
+	defer certOut.Close()
+
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		return fmt.Errorf("failed to write certificate: %w", err)
+	}
+
+	// Marshal Ed25519 private key in PKCS8 format
+	privBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return fmt.Errorf("failed to marshal private key: %w", err)
+	}
+
+	// Write private key to file with restrictive permissions
+	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return fmt.Errorf("failed to create key file: %w", err)
+	}
+	defer keyOut.Close()
+
+	if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
+		return fmt.Errorf("failed to write private key: %w", err)
+	}
+
+	log.Printf("Generated Ed25519 self-signed TLS certificate: %s", certPath)
+	log.Printf("Generated private key: %s", keyPath)
+
+	return nil
+}
+
+// LoadOrGenerateCert attempts to load an existing TLS certificate/key pair.
+// If the files don't exist, it generates a new self-signed certificate.
+// If the files exist but cannot be loaded, it returns an error without overwriting them.
+func LoadOrGenerateCert(certPath, keyPath string) (tls.Certificate, error) {
+	// Check if certificate and key files exist
+	certExists := fileExists(certPath)
+	keyExists := fileExists(keyPath)
+
+	// If either file exists, we must load them (don't auto-generate)
+	if certExists || keyExists {
+		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		if err != nil {
+			return tls.Certificate{}, fmt.Errorf("certificate/key files exist but failed to load (cert exists: %v, key exists: %v): %w",
+				certExists, keyExists, err)
+		}
+		log.Printf("Loaded existing TLS certificate from: %s", certPath)
+		return cert, nil
+	}
+
+	// Neither file exists, generate new certificate
+	log.Printf("TLS certificate not found, generating new self-signed certificate...")
+
+	// Derive directory from cert path
+	certDir := filepath.Dir(certPath)
+	keyDir := filepath.Dir(keyPath)
+
+	// Ensure directories exist
+	if err := os.MkdirAll(certDir, 0755); err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to create cert directory: %w", err)
+	}
+	if certDir != keyDir {
+		if err := os.MkdirAll(keyDir, 0755); err != nil {
+			return tls.Certificate{}, fmt.Errorf("failed to create key directory: %w", err)
+		}
+	}
+
+	// Generate certificate
+	if err := GenerateSelfSignedCert(certPath, keyPath); err != nil {
+		return tls.Certificate{}, err
+	}
+
+	// Load the newly generated certificate
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return tls.Certificate{}, fmt.Errorf("failed to load generated certificate: %w", err)
+	}
+
+	return cert, nil
+}
+
+// fileExists checks if a file exists and is not a directory.
+func fileExists(path string) bool {
+	info, err := os.Stat(path)
+	if err != nil {
+		return false
+	}
+	return !info.IsDir()
+}