Use dummy san for certificates

NickCao · NickCao · commit 011248da9ba4 · 2025-03-24T10:34:35.000-04:00
diff --git a/packages/jumpstarter/jumpstarter/client/client.py b/packages/jumpstarter/jumpstarter/client/client.py
@@ -10,6 +10,7 @@
 from .grpc import SmartExporterStub
 from jumpstarter.client import DriverClient
 from jumpstarter.common.importlib import import_class
+from jumpstarter.exporter.tls import SAN
 
 
 @asynccontextmanager
@@ -54,6 +55,7 @@ async def client_from_channel(
                             private_key=endpoint.client_private_key.encode(),
                             certificate_chain=endpoint.client_certificate.encode(),
                         ),
+                        options=(("grpc.ssl_target_name_override", SAN),),
                     )
                 )
 
diff --git a/packages/jumpstarter/jumpstarter/exporter/tls.py b/packages/jumpstarter/jumpstarter/exporter/tls.py
@@ -1,5 +1,4 @@
 from datetime import datetime, timedelta
-from ipaddress import IPv4Address, IPv6Address, ip_address
 
 import grpc
 from cryptography import x509
@@ -8,38 +7,10 @@
 from cryptography.hazmat.primitives.asymmetric import rsa
 from jumpstarter_protocol import jumpstarter_pb2
 
-
-def parse_endpoint(endpoint):
-    host, sep, port = endpoint.rpartition(":")
-
-    if sep == "":
-        raise ValueError("port not specified in endpoint {}".format(endpoint))
-
-    host = host.strip("[]")  # strip brackets from ipv6 addresses
-
-    try:
-        port = int(port)
-        if port < 0 or port > 65535:
-            raise ValueError("port number {} out of range".format(port))
-    except ValueError as e:
-        raise ValueError("invalid port {} in endpoint {}".format(port, endpoint)) from e
-
-    try:
-        return ip_address(host), port
-    except ValueError:
-        return host, port
+SAN = "localhost"
 
 
 def with_alternative_endpoints(server, endpoints: list[str]):
-    sans = []
-    for endpoint in endpoints:
-        host, port = parse_endpoint(endpoint)
-        match host:
-            case str():
-                sans.append(x509.DNSName(host))
-            case IPv4Address() | IPv6Address():
-                sans.append(x509.IPAddress(host))
-
     key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
     client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
 
@@ -51,7 +22,7 @@ def with_alternative_endpoints(server, endpoints: list[str]):
         .serial_number(x509.random_serial_number())
         .not_valid_before(datetime.now())
         .not_valid_after(datetime.now() + timedelta(days=365))
-        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
+        .add_extension(x509.SubjectAlternativeName([x509.DNSName(SAN)]), critical=False)
         .sign(private_key=key, algorithm=hashes.SHA256(), backend=default_backend())
     )
     client_crt = (

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`from .grpc import SmartExporterStub`
`11`	`11`	`from jumpstarter.client import DriverClient`
`12`	`12`	`from jumpstarter.common.importlib import import_class`
	`13`	`+from jumpstarter.exporter.tls import SAN`
`13`	`14`
`14`	`15`
`15`	`16`	`@asynccontextmanager`
`@@ -54,6 +55,7 @@ async def client_from_channel(`
`54`	`55`	`private_key=endpoint.client_private_key.encode(),`
`55`	`56`	`certificate_chain=endpoint.client_certificate.encode(),`
`56`	`57`	`),`
	`58`	`+ options=(("grpc.ssl_target_name_override", SAN),),`
`57`	`59`	`)`
`58`	`60`	`)`
`59`	`61`