Implement signing of RDP files downloaded from web

cmd/rdpgw/config/configuration.go

@@ -1,15 +1,16 @@
 package config
 
 import (
+	"log"
+	"os"
+	"strings"
+
 	"github.com/bolkedebruin/rdpgw/cmd/rdpgw/security"
 	"github.com/knadh/koanf/parsers/yaml"
 	"github.com/knadh/koanf/providers/confmap"
 	"github.com/knadh/koanf/providers/env"
 	"github.com/knadh/koanf/providers/file"
 	"github.com/knadh/koanf/v2"
-	"log"
-	"os"
-	"strings"
 )
 
 const (
@@ -96,6 +97,8 @@ type ClientConfig struct {
 	UsernameTemplate string `koanf:"usernametemplate"`
 	SplitUserDomain  bool   `koanf:"splituserdomain"`
 	NoUsername       bool   `koanf:"nousername"`
+	SigningCert      string `koanf:"signingcert"`
+	SigningKey       string `koanf:"signingkey"`
 }
 
 func ToCamel(s string) string {
@@ -219,10 +222,10 @@ func Load(configFile string) Configuration {
 	if Conf.Server.BasicAuthEnabled() && Conf.Server.Tls == "disable" {
 		log.Fatalf("basicauth=local and tls=disable are mutually exclusive")
 	}
-        
+
 	if Conf.Server.NtlmEnabled() && Conf.Server.KerberosEnabled() {
 		log.Fatalf("ntlm and kerberos authentication are not stackable")
-        }
+	}
 
 	if !Conf.Caps.TokenAuth && Conf.Server.OpenIDEnabled() {
 		log.Fatalf("openid is configured but tokenauth disabled")
@@ -238,7 +241,6 @@ func Load(configFile string) Configuration {
 	}
 
 	return Conf
-
 }
 
 func (s *ServerConfig) OpenIDEnabled() bool {

cmd/rdpgw/main.go

@@ -4,6 +4,12 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+
 	"github.com/bolkedebruin/gokrb5/v8/keytab"
 	"github.com/bolkedebruin/gokrb5/v8/service"
 	"github.com/bolkedebruin/gokrb5/v8/spnego"
@@ -18,11 +24,6 @@ import (
 	"github.com/thought-machine/go-flags"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/oauth2"
-	"log"
-	"net/http"
-	"net/url"
-	"os"
-	"strconv"
 )
 
 const (
@@ -110,10 +111,12 @@ func main() {
 		RdpOpts: web.RdpOpts{
 			UsernameTemplate: conf.Client.UsernameTemplate,
 			SplitUserDomain:  conf.Client.SplitUserDomain,
-			NoUsername: conf.Client.NoUsername,
+			NoUsername:       conf.Client.NoUsername,
 		},
 		GatewayAddress: url,
 		TemplateFile:   conf.Client.Defaults,
+		RdpSigningCert: conf.Client.SigningCert,
+		RdpSigningKey:  conf.Client.SigningKey,
 	}
 
 	if conf.Caps.TokenAuth {
@@ -229,7 +232,7 @@ func main() {
 	// for stacking of authentication
 	auth := web.NewAuthMux()
 	rdp.MatcherFunc(web.NoAuthz).HandlerFunc(auth.SetAuthenticate)
-        
+
 	// ntlm
 	if conf.Server.NtlmEnabled() {
 		log.Printf("enabling NTLM authentication")
@@ -238,7 +241,7 @@ func main() {
 		rdp.NewRoute().HeadersRegexp("Authorization", "Negotiate").HandlerFunc(ntlm.NTLMAuth(gw.HandleGatewayProtocol))
 		auth.Register(`NTLM`)
 		auth.Register(`Negotiate`)
-        }
+	}
 
 	// basic auth
 	if conf.Server.BasicAuthEnabled() {

cmd/rdpgw/web/web.go

@@ -1,13 +1,12 @@
 package web
 
 import (
+	"bytes"
 	"context"
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"github.com/bolkedebruin/rdpgw/cmd/rdpgw/identity"
-	"github.com/bolkedebruin/rdpgw/cmd/rdpgw/rdp"
 	"hash/maphash"
 	"log"
 	rnd "math/rand"
@@ -15,6 +14,10 @@ import (
 	"net/url"
 	"strings"
 	"time"
+
+	"github.com/andrewheberle/rdpsign"
+	"github.com/bolkedebruin/rdpgw/cmd/rdpgw/identity"
+	"github.com/bolkedebruin/rdpgw/cmd/rdpgw/rdp"
 )
 
 type TokenGeneratorFunc func(context.Context, string, string) (string, error)
@@ -32,6 +35,8 @@ type Config struct {
 	GatewayAddress     *url.URL
 	RdpOpts            RdpOpts
 	TemplateFile       string
+	RdpSigningCert     string
+	RdpSigningKey      string
 }
 
 type RdpOpts struct {
@@ -51,6 +56,7 @@ type Handler struct {
 	hostSelection      string
 	rdpOpts            RdpOpts
 	rdpDefaults        string
+	rdpSigner          *rdpsign.Signer
 }
 
 func (c *Config) NewHandler() *Handler {
@@ -58,7 +64,7 @@ func (c *Config) NewHandler() *Handler {
 		log.Fatal("Not enough hosts to connect to specified")
 	}
 
-	return &Handler{
+	handler := &Handler{
 		paaTokenGenerator:  c.PAATokenGenerator,
 		enableUserToken:    c.EnableUserToken,
 		userTokenGenerator: c.UserTokenGenerator,
@@ -70,6 +76,18 @@ func (c *Config) NewHandler() *Handler {
 		rdpOpts:            c.RdpOpts,
 		rdpDefaults:        c.TemplateFile,
 	}
+
+	// set up RDP signer if config values are set
+	if c.RdpSigningCert != "" && c.RdpSigningKey != "" {
+		signer, err := rdpsign.NewSigner(c.RdpSigningCert, c.RdpSigningKey)
+		if err != nil {
+			log.Fatal("Could not set up RDP signer", err)
+		}
+
+		handler.rdpSigner = signer
+	}
+
+	return handler
 }
 
 func (h *Handler) selectRandomHost() string {
@@ -224,5 +242,21 @@ func (h *Handler) HandleDownload(w http.ResponseWriter, r *http.Request) {
 	d.Settings.GatewayCredentialMethod = 1
 	d.Settings.GatewayUsageMethod = 1
 
+	if h.rdpSigner != nil {
+		// get rdp content
+		rdpContent := d.String()
+
+		signedContent, err := h.rdpSigner.SignRdp(rdpContent)
+		if err != nil {
+			log.Printf("Could not sign RDP file due to %s", err)
+			http.Error(w, errors.New("could not sign RDP file").Error(), http.StatusInternalServerError)
+			return
+		}
+
+		// return signd rdp file
+		http.ServeContent(w, r, fn, time.Now(), bytes.NewReader(signedContent))
+		return
+	}
+
 	http.ServeContent(w, r, fn, time.Now(), strings.NewReader(d.String()))
 }

go.mod

@@ -1,10 +1,9 @@
 module github.com/bolkedebruin/rdpgw
 
-go 1.23.0
-
-toolchain go1.24.1
+go 1.24.2
 
 require (
+	github.com/andrewheberle/rdpsign v1.0.0
 	github.com/bolkedebruin/gokrb5/v8 v8.5.0
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/fatih/structs v1.1.0