#4288 also use 'setup-ssl' on Debian, MacOS and Windows

packaging/MSWindows/xpra.iss

@@ -1,9 +1,9 @@
 [Setup]
 AppName=Xpra
 AppId=Xpra_is1
-AppVersion=6.2.0
-AppVerName=Xpra 6.2.0
-UninstallDisplayName=Xpra 6.2.0
+AppVersion=6.2.0
+AppVerName=Xpra 6.2.0
+UninstallDisplayName=Xpra 6.2.0
 AppPublisher=xpra.org
 AppPublisherURL=http:;xpra.org/
 DefaultDirName={pf}\Xpra
@@ -16,7 +16,7 @@ OutputBaseFilename=Xpra_Setup
 Compression=lzma2/max
 SolidCompression=yes
 AllowUNCPath=false
-VersionInfoVersion=6.2.0
+VersionInfoVersion=6.2.0
 VersionInfoCompany=xpra.org
 VersionInfoDescription=multi-platform screen and application forwarding system
 WizardImageFile=packaging\MSWindows\xpra-logo.bmp
@@ -178,47 +178,14 @@ end;
 
 procedure PostInstall();
 var
-  cert, config, saved_config, args, openssl, ssh_keygen, rsa_key: string;
+  xpra_exe: string;
   ResultCode: integer;
 begin
   Log('PostInstall()');
-  cert := ExpandConstant('{commonappdata}\Xpra\ssl-cert.pem');
-  if (NOT FileExists(cert)) then
-  begin
-    config := ExpandConstant('{app}\etc\ssl\openssl.cnf');
-    args := 'req -new -newkey rsa:4096 -days 365 -nodes -x509 -config "'+config+'" -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -out "'+cert+'" -keyout "'+cert+'"';
-    openssl := ExpandConstant('{app}\OpenSSL.exe');
-    if (FileExists(openssl)) then
-    begin
-      Log('PostInstall() generating ssl-cert.pem');
-      Exec(openssl, args, '', SW_HIDE, ewWaitUntilTerminated, ResultCode);
-    end;
-  end;
-  //move old config file:
-  config := ExpandConstant('{app}\xpra.conf');
-  saved_config := ExpandConstant('{app}\etc\xpra.conf.bak');
-  if (FileExists(config)) then
-  begin
-	RenameFile(config, saved_config);
-  end;
-  //ssh host key:
-  ssh_keygen := ExpandConstant('{app}\ssh-keygen.exe');
-  if (FileExists(ssh_keygen)) then
-  begin
-    Log('found ssh_keygen');
-    rsa_key := ExpandConstant('{commonappdata}\SSH\ssh_host_rsa_key');
-    if (NOT FileExists(rsa_key)) then
-    begin
-      Log('generating rsa key');
-      args := '-P "" -t rsa -b 4096 -f "'+rsa_key+'"';
-      Exec(ssh_keygen, args, '', SW_HIDE, ewWaitUntilTerminated, ResultCode);
-    end;
-  end else begin
-    Log('ssh-keygen.exe not found');
-  end;
+  xpra_exe := ExpandConstant('{app}\xpra.exe');
+  Exec(xpra_exe, 'setup-ssl', '', SW_HIDE, ewWaitUntilTerminated, ResultCode);
   //store installation path:
-  RegWriteStringValue(HKEY_LOCAL_MACHINE, 'Software\Xpra',
-    'InstallPath', ExpandConstant('{app}'));
+  RegWriteStringValue(HKEY_LOCAL_MACHINE, 'Software\Xpra', 'InstallPath', ExpandConstant('{app}'));
   Log('PostInstall() done');
 end;
 

packaging/MacOS/postinstall

@@ -16,19 +16,7 @@ if [ -d "$APP_ROOT" ]; then
 		fi
 	fi
 
-	LAS_XPRA="/Library/Application Support/Xpra"
-	if [ ! -e "${LAS_XPRA}/ssl-cert.pem" ]; then
-		mkdir "${LAS_XPRA}" 2> /dev/null
-		chmod 755 "${LAS_XPRA}"
-		umask=`umask`
-		umask 077
-		openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-			-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" \
-			-keyout "${LAS_XPRA}/key.pem" \
-			-out "${LAS_XPRA}/cert.pem" 2> /dev/null
-		cat "${LAS_XPRA}/key.pem" "${LAS_XPRA}/cert.pem" > "${LAS_XPRA}/ssl-cert.pem"
-		umask $umask
-	fi
+  $APP_ROOT/Contents/MacOS/Xpra setup-ssl
 
 	for x in Xpra; do
 		echo '#!/bin/sh' > /usr/local/bin/$x

packaging/debian/xpra/xpra-server.postinst

@@ -10,15 +10,6 @@ case "${1}" in
     ;;
 esac
 
-if [ ! -f  /etc/xpra/ssl-cert.pem ]; then
-	umask=`umask`
-	umask 077
-	openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
-		-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" \
-		-keyout "/etc/xpra/key.pem" -out "/etc/xpra/cert.pem"
-	cat /etc/xpra/key.pem /etc/xpra/cert.pem > /etc/xpra/ssl-cert.pem
-	umask $umask
-	chmod 644 /etc/xpra/cert.pem
-fi
+xpra setup-ssl
 
 #DEBHELPER#

xpra/net/ssl_util.py

@@ -1,5 +1,5 @@
 # This file is part of Xpra.
-# Copyright (C) 2017-2023 Antoine Martin <antoine@xpra.org>
+# Copyright (C) 2017-2024 Antoine Martin <antoine@xpra.org>
 # Xpra is released under the terms of the GNU GPL v2, or, at your option, any
 # later version. See the file COPYING for details.
 
@@ -8,7 +8,7 @@
 from typing import Any
 
 from xpra.exit_codes import ExitCode
-from xpra.os_util import WIN32, POSIX, OSX, getuid
+from xpra.os_util import WIN32, POSIX, OSX, is_admin
 from xpra.util.io import load_binary_file, umask_context
 from xpra.scripts.config import InitExit, InitException, TRUE_OPTIONS
 from xpra.util.env import osexpand, envbool
@@ -512,10 +512,20 @@ def gen_ssl_cert() -> tuple[str, str]:
     openssl = which("openssl") or os.environ.get("OPENSSL", "")
     if not openssl:
         raise InitExit(ExitCode.SSL_FAILURE, "cannot find openssl executable")
-    if POSIX and not OSX and getuid() == 0:
+    openssl_config = ""
+    if WIN32:
+        from xpra.platform.paths import get_app_dir
+        openssl_config = os.path.join(get_app_dir(), "etc", "ssl", "openssl.cnf")
+    if is_admin():
         # running as root, use global location:
-        prefix = "" if sys.prefix == "/usr" else sys.prefix
-        xpra_dir = f"{prefix}/etc/xpra"
+        if OSX:
+            xpra_dir = "/Library/Application Support/Xpra"
+        elif WIN32:
+            from xpra.platform.win32.paths import get_program_data_dir
+            xpra_dir = os.path.join(get_program_data_dir(), "Xpra")
+        else:
+            prefix = "" if sys.prefix == "/usr" else sys.prefix
+            xpra_dir = f"{prefix}/etc/xpra"
         ssldir = f"{xpra_dir}/ssl"
         if not os.path.exists(xpra_dir):
             os.mkdir(ssldir, 0o777)
@@ -574,6 +584,8 @@ def gen_ssl_cert() -> tuple[str, str]:
         "-keyout", keypath,
         "-out", certpath,
     ]
+    if openssl_config and os.path.exists(openssl_config):
+        cmd += ["-config", openssl_config]
     log.info("generating a new certificate:")
     log.info(f" {keypath!r}")
     log.info(f" {certpath!r}")
@@ -589,6 +601,7 @@ def gen_ssl_cert() -> tuple[str, str]:
     sslcert = key+cert
     sslcertpath = f"{ssldir}/{SSL_CERT_FILENAME}"
     with open(sslcertpath, "wb") as f:
-        os.fchmod(f.fileno(), 0o600)
+        if POSIX:
+            os.fchmod(f.fileno(), 0o600)
         f.write(sslcert)
     return keypath, certpath