feat: make certificate validation / creation configurable #3213
Conversation
| func keyToCertificate(sk ic.PrivKey, certTmpl *x509.Certificate) (*tls.Certificate, error) { | ||
| certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| // after calling CreateCertificate, these will end up in Certificate.Extensions | ||
| extension, err := GenerateSignedExtension(sk, certKey.Public()) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| certTmpl.ExtraExtensions = append(certTmpl.ExtraExtensions, extension) | ||
|
|
||
| certDER, err := x509.CreateCertificate(rand.Reader, certTmpl, certTmpl, certKey.Public(), certKey) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return &tls.Certificate{ | ||
| Certificate: [][]byte{certDER}, | ||
| PrivateKey: certKey, | ||
| }, nil | ||
| } |
There was a problem hiding this comment.
This now lives as a part of the DefaultCertManager
ethan-gallant
changed the title
|
Can you explain how it enables Pnet? |
This doesn't directly implement the Pnet protocol. However it does enable the same use-case of being able to create a private network of LibP2P peers with a pre-shared key. |
| remotePubKey, err := p2ptls.PubKeyFromCertChain(qconn.ConnectionState().TLS.PeerCertificates) | ||
| remotePubKey, err := l.transport.identity.CertManager().VerifyCertChain(qconn.ConnectionState().TLS.PeerCertificates) |
There was a problem hiding this comment.
@MarcoPolo is it the case that the peers identity has already been verified at this point?
e.g. is the authentication done here invalid aside from ensuring an already authenticated peer don't sneakily change its LibP2P identity?
There was a problem hiding this comment.
We first calculate the the Peer's ID from the TLS handshake here: https://github.com/libp2p/go-libp2p/blob/master/p2p/transport/quic/transport.go#L288-L292 using the ConfigForPeer function.
This part gets peer's id so we can include it in the returned connection.
We are on the listening side here, so we don't have an expectation of what the peer should be (as opposed to dialing where you expect a certain peer id). We just return the peer id we learn about from the TLS handshake
This enables creation of private LibP2P networks over QUIC. This is beneficial since QUIC does not support pnet #1432 and it also enables unique authentication schemes. It also enables peers to establish a chain of trust with each-other.