diff options
Diffstat (limited to 'p2p/src')
-rw-r--r-- | p2p/src/error.rs | 4 | ||||
-rw-r--r-- | p2p/src/tls_config.rs | 139 |
2 files changed, 97 insertions, 46 deletions
diff --git a/p2p/src/error.rs b/p2p/src/error.rs index 11de0f1..75330a8 100644 --- a/p2p/src/error.rs +++ b/p2p/src/error.rs @@ -63,10 +63,10 @@ pub enum Error { Rcgen(#[from] rcgen::RcgenError), #[error("Tls Error: {0}")] - Rustls(#[from] async_rustls::rustls::Error), + Rustls(#[from] futures_rustls::rustls::Error), #[error("Invalid DNS Name: {0}")] - InvalidDnsNameError(#[from] async_rustls::rustls::client::InvalidDnsNameError), + InvalidDnsNameError(#[from] futures_rustls::pki_types::InvalidDnsNameError), #[error("Channel Send Error: {0}")] ChannelSend(String), diff --git a/p2p/src/tls_config.rs b/p2p/src/tls_config.rs index ebb12f4..893c321 100644 --- a/p2p/src/tls_config.rs +++ b/p2p/src/tls_config.rs @@ -1,10 +1,19 @@ use std::sync::Arc; -use async_rustls::rustls::{ - self, cipher_suite::TLS13_CHACHA20_POLY1305_SHA256, client::ServerCertVerifier, - server::ClientCertVerifier, Certificate, CertificateError, Error::InvalidCertificate, - PrivateKey, SupportedCipherSuite, SupportedKxGroup, SupportedProtocolVersion, +use futures_rustls::rustls::{ + self, + client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier}, + crypto::{ + aws_lc_rs::{self, cipher_suite::TLS13_CHACHA20_POLY1305_SHA256, kx_group}, + CryptoProvider, SupportedKxGroup, + }, + pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime}, + server::danger::{ClientCertVerified, ClientCertVerifier}, + CertificateError, DigitallySignedStruct, DistinguishedName, + Error::InvalidCertificate, + SignatureScheme, SupportedCipherSuite, SupportedProtocolVersion, }; + use log::error; use x509_parser::{certificate::X509Certificate, parse_x509_certificate}; @@ -16,7 +25,8 @@ use crate::{PeerID, Result}; static PROTOCOL_VERSIONS: &[&SupportedProtocolVersion] = &[&rustls::version::TLS13]; static CIPHER_SUITES: &[SupportedCipherSuite] = &[TLS13_CHACHA20_POLY1305_SHA256]; -static KX_GROUPS: &[&SupportedKxGroup] = &[&rustls::kx_group::X25519]; +static KX_GROUPS: &[&dyn SupportedKxGroup] = &[kx_group::X25519]; +static SIGNATURE_SCHEMES: &[SignatureScheme] = &[SignatureScheme::ED25519]; const BAD_SIGNATURE_ERR: rustls::Error = InvalidCertificate(CertificateError::BadSignature); const BAD_ENCODING_ERR: rustls::Error = InvalidCertificate(CertificateError::BadEncoding); @@ -28,12 +38,19 @@ pub fn tls_client_config( ) -> Result<rustls::ClientConfig> { let (cert, private_key) = generate_cert(key_pair)?; let server_verifier = SrvrCertVerifier { peer_id }; - let client_config = rustls::ClientConfig::builder() - .with_cipher_suites(CIPHER_SUITES) - .with_kx_groups(KX_GROUPS) - .with_protocol_versions(PROTOCOL_VERSIONS)? - .with_custom_certificate_verifier(Arc::new(server_verifier)) - .with_client_auth_cert(vec![cert], private_key)?; + + let client_config = rustls::ClientConfig::builder_with_provider( + CryptoProvider { + kx_groups: KX_GROUPS.to_vec(), + cipher_suites: CIPHER_SUITES.to_vec(), + ..aws_lc_rs::default_provider() + } + .into(), + ) + .with_protocol_versions(PROTOCOL_VERSIONS)? + .dangerous() + .with_custom_certificate_verifier(Arc::new(server_verifier)) + .with_client_auth_cert(vec![cert], private_key)?; Ok(client_config) } @@ -42,20 +59,25 @@ pub fn tls_client_config( pub fn tls_server_config(key_pair: &KeyPair) -> Result<rustls::ServerConfig> { let (cert, private_key) = generate_cert(key_pair)?; let client_verifier = CliCertVerifier {}; - let server_config = rustls::ServerConfig::builder() - .with_cipher_suites(CIPHER_SUITES) - .with_kx_groups(KX_GROUPS) - .with_protocol_versions(PROTOCOL_VERSIONS)? - .with_client_cert_verifier(Arc::new(client_verifier)) - .with_single_cert(vec![cert], private_key)?; + let server_config = rustls::ServerConfig::builder_with_provider( + CryptoProvider { + kx_groups: KX_GROUPS.to_vec(), + cipher_suites: CIPHER_SUITES.to_vec(), + ..aws_lc_rs::default_provider() + } + .into(), + ) + .with_protocol_versions(PROTOCOL_VERSIONS)? + .with_client_cert_verifier(Arc::new(client_verifier)) + .with_single_cert(vec![cert], private_key)?; Ok(server_config) } /// Generates a certificate and returns both the certificate and the private key. -fn generate_cert(key_pair: &KeyPair) -> Result<(Certificate, PrivateKey)> { +fn generate_cert<'a>(key_pair: &KeyPair) -> Result<(CertificateDer<'a>, PrivateKeyDer<'a>)> { let cert_key_pair = rcgen::KeyPair::generate(&rcgen::PKCS_ED25519)?; - let private_key = rustls::PrivateKey(cert_key_pair.serialize_der()); + let private_key = PrivateKeyDer::Pkcs8(cert_key_pair.serialize_der().into()); // Add a custom extension to the certificate: // - Sign the certificate's public key with the provided key pair's private key @@ -71,12 +93,12 @@ fn generate_cert(key_pair: &KeyPair) -> Result<(Certificate, PrivateKey)> { params.key_pair = Some(cert_key_pair); params.custom_extensions.push(ext); - let cert = rustls::Certificate(rcgen::Certificate::from_params(params)?.serialize_der()?); + let cert = CertificateDer::from(rcgen::Certificate::from_params(params)?.serialize_der()?); Ok((cert, private_key)) } /// Verifies the given certification. -fn verify_cert(end_entity: &Certificate) -> std::result::Result<PeerID, rustls::Error> { +fn verify_cert(end_entity: &CertificateDer<'_>) -> std::result::Result<PeerID, rustls::Error> { // Parse the certificate. let cert = parse_cert(end_entity)?; @@ -107,7 +129,9 @@ fn verify_cert(end_entity: &Certificate) -> std::result::Result<PeerID, rustls:: } /// Parses the given x509 certificate. -fn parse_cert(end_entity: &Certificate) -> std::result::Result<X509Certificate, rustls::Error> { +fn parse_cert<'a>( + end_entity: &'a CertificateDer<'a>, +) -> std::result::Result<X509Certificate<'a>, rustls::Error> { let (_, cert) = parse_x509_certificate(end_entity.as_ref()).map_err(|_| BAD_ENCODING_ERR)?; if !cert.validity().is_valid() { @@ -134,6 +158,7 @@ fn verify_cert_signature( .map_err(|_| BAD_SIGNATURE_ERR) } +#[derive(Debug)] struct SrvrCertVerifier { peer_id: Option<PeerID>, } @@ -141,13 +166,12 @@ struct SrvrCertVerifier { impl ServerCertVerifier for SrvrCertVerifier { fn verify_server_cert( &self, - end_entity: &Certificate, - _intermediates: &[Certificate], - _server_name: &rustls::ServerName, - _scts: &mut dyn Iterator<Item = &[u8]>, + end_entity: &CertificateDer<'_>, + _intermediates: &[CertificateDer<'_>], + _server_name: &ServerName, _ocsp_response: &[u8], - _now: std::time::SystemTime, - ) -> std::result::Result<rustls::client::ServerCertVerified, rustls::Error> { + _now: UnixTime, + ) -> std::result::Result<ServerCertVerified, rustls::Error> { let peer_id = match verify_cert(end_entity) { Ok(pid) => pid, Err(err) => { @@ -167,49 +191,76 @@ impl ServerCertVerifier for SrvrCertVerifier { } } - Ok(rustls::client::ServerCertVerified::assertion()) + Ok(ServerCertVerified::assertion()) + } + + fn verify_tls12_signature( + &self, + _message: &[u8], + _cert: &CertificateDer<'_>, + _dss: &DigitallySignedStruct, + ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> { + unreachable!("ONLY SUPPORT tls 13 VERSION") } fn verify_tls13_signature( &self, message: &[u8], - cert: &Certificate, - dss: &rustls::DigitallySignedStruct, - ) -> std::result::Result<rustls::client::HandshakeSignatureValid, rustls::Error> { + cert: &CertificateDer<'_>, + dss: &DigitallySignedStruct, + ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> { let cert = parse_cert(cert)?; verify_cert_signature(&cert, message, dss.signature())?; - Ok(rustls::client::HandshakeSignatureValid::assertion()) + Ok(HandshakeSignatureValid::assertion()) + } + + fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { + SIGNATURE_SCHEMES.to_vec() } } +#[derive(Debug)] struct CliCertVerifier {} impl ClientCertVerifier for CliCertVerifier { fn verify_client_cert( &self, - end_entity: &Certificate, - _intermediates: &[Certificate], - _now: std::time::SystemTime, - ) -> std::result::Result<rustls::server::ClientCertVerified, rustls::Error> { + end_entity: &CertificateDer<'_>, + _intermediates: &[CertificateDer<'_>], + _now: UnixTime, + ) -> std::result::Result<ClientCertVerified, rustls::Error> { if let Err(err) = verify_cert(end_entity) { error!("Failed to verify cert: {err}"); return Err(err); }; - Ok(rustls::server::ClientCertVerified::assertion()) + Ok(ClientCertVerified::assertion()) + } + + fn root_hint_subjects(&self) -> &[DistinguishedName] { + &[] + } + + fn verify_tls12_signature( + &self, + _message: &[u8], + _cert: &CertificateDer<'_>, + _dss: &DigitallySignedStruct, + ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> { + unreachable!("ONLY SUPPORT tls 13 VERSION") } fn verify_tls13_signature( &self, message: &[u8], - cert: &Certificate, - dss: &rustls::DigitallySignedStruct, - ) -> std::result::Result<rustls::client::HandshakeSignatureValid, rustls::Error> { + cert: &CertificateDer<'_>, + dss: &DigitallySignedStruct, + ) -> std::result::Result<HandshakeSignatureValid, rustls::Error> { let cert = parse_cert(cert)?; verify_cert_signature(&cert, message, dss.signature())?; - Ok(rustls::client::HandshakeSignatureValid::assertion()) + Ok(HandshakeSignatureValid::assertion()) } - fn client_auth_root_subjects(&self) -> &[rustls::DistinguishedName] { - &[] + fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { + SIGNATURE_SCHEMES.to_vec() } } |