Support SSL pinning #14

Merged: puddly merged 15 commits into dev from puddly/ssl-pinning on Mar 7, 2026

@puddly puddly commented Mar 7, 2026

This PR adds support for SSL pinning as part of the preferred authentication mechanism.

The flow is a little verbose due to aiohttp and Python's ssl module not providing the invalid SSL certificate as part of the error (from which we could compute the fingerprint), requiring us to do things a little verbosely:

```python
import pytest
from aiohttp import ClientConnectorCertificateError
from nanokvm.client import NanoKVMClient
from nanokvm.utils import async_fetch_remote_fingerprint

# Runs inside an async test; `url` points at the NanoKVM.

# Step 1: default SSL verification rejects the self-signed certificate (authentication failed)
async with NanoKVMClient(url) as client:
    with pytest.raises(ClientConnectorCertificateError):
        await client.authenticate("admin", "test")

# Step 2: fetch the remote certificate fingerprint (reauthentication flow)
fingerprint = await async_fetch_remote_fingerprint(url)
assert len(fingerprint) == 64  # SHA-256 hex string

# Step 3: pin the fingerprint
async with NanoKVMClient(url, ssl_fingerprint=fingerprint) as client:
    await client.authenticate("admin", "test")
    assert client.token == "fake-token-123"
```

As part of this change, I've modified the constructor to accept an (optional) session kwarg. This allows you to pass in an external session object (Home Assistant prefers to use a shared session wherever possible):

```python
from homeassistant.helpers.aiohttp_client import async_get_clientsession

# `hass` is the running HomeAssistant instance; the helper requires it.
session = async_get_clientsession(hass)

async with NanoKVMClient(url, session=session, ssl_fingerprint=fingerprint) as client:
    pass
```

CC @chiconws
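
An added example, not code from this PR or from the nanokvm library: the trust-on-first-use flow from the comment above (read the certificate that verification rejected, fingerprint it, pin it, compare on later connections) using only the Python standard library. The function names, the in-memory `store` dict and the stand-in certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER certificates (SHA-256 treats any bytes alike).
FIRST_CERT = b"constructed-der-certificate-A"
OTHER_CERT = b"constructed-der-certificate-B"


def fingerprint_of(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as 64 lowercase hex chars."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> bytes:
    """Accept 'ab12...' or openssl-style 'AB:12:...'; return the 32 raw bytes."""
    raw = bytes.fromhex(pin.replace(":", "").strip())
    if len(raw) != 32:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw


def matches_pin(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(), normalize_pin(pin))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Read the server's leaf certificate without validating it."""
    # Nothing is authenticated on this connection: use it only to obtain the
    # certificate, send no credentials, and confirm the fingerprint out of band.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def tofu_check(store: dict, host: str, der_cert: bytes) -> str:
    """Trust on first use: record the first fingerprint, reject later changes."""
    if host not in store:
        store[host] = fingerprint_of(der_cert)
        return "pinned"
    return "match" if matches_pin(der_cert, store[host]) else "mismatch"
```

A "mismatch" result should stop the connection and prompt re-confirmation of the device's certificate instead of silently re-pinning.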

Copilot AI left a comment

Pull request overview

Adds TLS certificate fingerprint pinning support to NanoKVMClient (to support self-signed NanoKVM HTTPS deployments) and allows consumers to provide an external aiohttp.ClientSession (e.g., shared Home Assistant sessions). Includes a helper to fetch a remote certificate fingerprint and adds tests/docs for the new flow.

Changes:

  • Add ssl_fingerprint pinning support and a session kwarg to NanoKVMClient; pass SSL configuration per request / websocket.
  • Add async_fetch_remote_fingerprint() utility to retrieve a server cert SHA-256 fingerprint for TOFU pinning.
  • Add new integration tests for pinning with a real local HTTPS server; update README; update testing extras.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| nanokvm/client.py | Adds session injection and ssl_fingerprint support; updates SSL handling for HTTP + WS requests. |
| nanokvm/utils.py | Adds async helper to fetch remote TLS certificate fingerprint. |
| tests/test_client.py | Adds test coverage for external-session lifecycle behavior. |
| tests/test_certificate_pinning.py | Adds integration tests spinning up a real HTTPS server to validate pinning flow. |
| README.md | Documents certificate pinning usage and updates SSL configuration options. |
| pyproject.toml | Adds cryptography to testing extra (currently redundant with main deps). |

@puddly puddly merged commit 7bc86f3 into dev Mar 7, 2026
2 checks passed