net/tls: Port code to latest rcgen version

2026-01-08 14:24:09 -05:00 · 2025-12-25 12:55:19 +00:00
parent add9bb596c
commit c3e227adf1
4 changed files with 52 additions and 26 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1833,7 +1833,6 @@ dependencies = [
 "randomx",
 "rcgen",
 "regex",
- "rustls-pemfile",
 "semver",
 "serde",
 "sha2",
@@ -1859,7 +1858,7 @@ dependencies = [
 "wasmer",
 "wasmer-compiler-singlepass",
 "wasmer-middlewares",
- "x509-parser",
+ "x509-parser 0.17.0",
 ]

 [[package]]
@@ -5754,13 +5753,15 @@ dependencies = [

 [[package]]
 name = "rcgen"
-version = "0.12.1"
+version = "0.14.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48406db8ac1f3cbc7dcdb56ec355343817958a356ff430259bb07baf7607e1e1"
+checksum = "3ec0a99f2de91c3cddc84b37e7db80e4d96b743e05607f647eb236fc0455907f"
 dependencies = [
 "pem",
 "ring",
+ "rustls-pki-types",
 "time",
+ "x509-parser 0.18.0",
 "yasna",
 ]

@@ -9519,6 +9520,24 @@ dependencies = [
 "time",
 ]

+[[package]]
+name = "x509-parser"
+version = "0.18.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb3e137310115a65136898d2079f003ce33331a6c4b0d51f1531d1be082b6425"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "ring",
+ "rusticata-macros",
+ "thiserror 2.0.17",
+ "time",
+]
+
 [[package]]
 name = "xattr"
 version = "1.6.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -76,9 +76,8 @@ tor-proto = {version = "0.37.0", optional = true}
 tor-cell = {version = "0.37.0", optional = true}

 # TLS cert utilities
-ed25519-compact = {version = "2.1.1", optional = true}
-rcgen = {version = "0.12.1", optional = true}
-rustls-pemfile = {version = "2.2.0", optional = true}
+ed25519-compact = {version = "2.2.0", optional = true}
+rcgen = {version = "0.14.6", optional = true, features = ["pem"]}
 x509-parser = {version = "0.17.0", features = ["validate", "verify"], optional = true}

 # Encoding
@@ -224,7 +223,6 @@ net-defaults = [
    "futures-rustls",
    "rcgen",
    "regex",
-    "rustls-pemfile",
    "semver",
    "serde",
    "socket2",
--- a/src/net/transport/mod.rs
+++ b/src/net/transport/mod.rs
@@ -267,7 +267,7 @@ impl Dialer {
            DialerVariant::TcpTls(dialer) => {
                let sockaddr = self.endpoint.socket_addrs(|| None)?;
                let stream = dialer.do_dial(sockaddr[0], timeout).await?;
-                let tlsupgrade = tls::TlsUpgrade::new().await;
+                let tlsupgrade = tls::TlsUpgrade::new().await?;
                let stream = tlsupgrade.upgrade_dialer_tls(stream).await?;
                Ok(Box::new(stream))
            }
@@ -285,7 +285,7 @@ impl Dialer {
                let host = self.endpoint.host_str().unwrap();
                let port = self.endpoint.port().unwrap();
                let stream = dialer.do_dial(host, port, timeout).await?;
-                let tlsupgrade = tls::TlsUpgrade::new().await;
+                let tlsupgrade = tls::TlsUpgrade::new().await?;
                let stream = tlsupgrade.upgrade_dialer_tls(stream).await?;
                Ok(Box::new(stream))
            }
@@ -319,7 +319,7 @@ impl Dialer {
            #[cfg(feature = "p2p-socks5")]
            DialerVariant::Socks5Tls(dialer) => {
                let stream = dialer.do_dial().await?;
-                let tlsupgrade = tls::TlsUpgrade::new().await;
+                let tlsupgrade = tls::TlsUpgrade::new().await?;
                let stream = tlsupgrade.upgrade_dialer_tls(stream).await?;
                Ok(Box::new(stream))
            }
@@ -398,7 +398,7 @@ impl Listener {
            ListenerVariant::TcpTls(listener) => {
                let sockaddr = self.endpoint.socket_addrs(|| None)?;
                let l = listener.do_listen(sockaddr[0]).await?;
-                let tlsupgrade = tls::TlsUpgrade::new().await;
+                let tlsupgrade = tls::TlsUpgrade::new().await?;
                let l = tlsupgrade.upgrade_listener_tcp_tls(l).await?;
                Ok(Box::new(l))
            }
--- a/src/net/transport/tls.rs
+++ b/src/net/transport/tls.rs
@@ -29,7 +29,7 @@ use futures_rustls::{
    },
    TlsAcceptor, TlsConnector, TlsStream,
 };
-use rustls_pemfile::pkcs8_private_keys;
+use rcgen::string::Ia5String;
 use tracing::error;
 use x509_parser::{
    parse_x509_certificate,
@@ -254,30 +254,39 @@ pub struct TlsUpgrade {
 }

 impl TlsUpgrade {
-    pub async fn new() -> Self {
+    pub async fn new() -> io::Result<Self> {
        // On each instantiation, generate a new keypair and certificate
-        let keypair_pem = ed25519_compact::KeyPair::generate().to_pem();
-        let secret_key = pkcs8_private_keys(&mut keypair_pem.as_bytes()).next().unwrap().unwrap();
-        let secret_key = PrivateKeyDer::Pkcs8(secret_key);
+        let Ok(keypair) = rcgen::KeyPair::generate() else {
+            return Err(io::Error::other("Failed to generate TLS keypair"))
+        };

-        let mut cert_params = rcgen::CertificateParams::new(&[]);
-        cert_params.alg = &rcgen::PKCS_ED25519;
-        cert_params.key_pair = Some(rcgen::KeyPair::from_pem(&keypair_pem).unwrap());
-        cert_params.subject_alt_names = vec![rcgen::SanType::DnsName("dark.fi".to_string())];
+        let Ok(mut cert_params) = rcgen::CertificateParams::new(&[]) else {
+            return Err(io::Error::other("Failed to generate TLS params"))
+        };
+
+        cert_params.subject_alt_names =
+            vec![rcgen::SanType::DnsName(Ia5String::try_from("dark.fi").unwrap())];
        cert_params.extended_key_usages = vec![
            rcgen::ExtendedKeyUsagePurpose::ClientAuth,
            rcgen::ExtendedKeyUsagePurpose::ServerAuth,
        ];

-        let certificate = rcgen::Certificate::from_params(cert_params).unwrap();
-        let certificate = certificate.serialize_der().unwrap();
+        let Ok(certificate) = cert_params.self_signed(&keypair) else {
+            return Err(io::Error::other("Failed to sign TLS certificate"))
+        };
+        let certificate = certificate.der();
+
+        let keypair_der = keypair.serialize_der();
+        let Ok(secret_key_der) = PrivateKeyDer::try_from(keypair_der) else {
+            return Err(io::Error::other("Failed to deserialize DER TLS secret"))
+        };

        // Server-side config
        let client_cert_verifier = Arc::new(ClientCertificateVerifier {});
        let server_config = Arc::new(
            ServerConfig::builder_with_protocol_versions(&[&TLS13])
                .with_client_cert_verifier(client_cert_verifier)
-                .with_single_cert(vec![certificate.clone().into()], secret_key.clone_key())
+                .with_single_cert(vec![certificate.clone()], secret_key_der.clone_key())
                .unwrap(),
        );

@@ -287,11 +296,11 @@ impl TlsUpgrade {
            ClientConfig::builder_with_protocol_versions(&[&TLS13])
                .dangerous()
                .with_custom_certificate_verifier(server_cert_verifier)
-                .with_client_auth_cert(vec![certificate.into()], secret_key)
+                .with_client_auth_cert(vec![certificate.clone()], secret_key_der)
                .unwrap(),
        );

-        Self { server_config, client_config }
+        Ok(Self { server_config, client_config })
    }

    pub async fn upgrade_dialer_tls<IO>(self, stream: IO) -> io::Result<TlsStream<IO>>