feat(core): ADR-027 — RawKey decoupling, client cert request, ACME integration
Three tasks implementing ADR-027: 1. core/rawkey-decouple-from-iroh: TlsIdentity::RawKey now uses Ed25519SecretKey (alknet-core-owned wrapper over ed25519_dalek) instead of iroh::SecretKey. RawKeyCertResolver and Ed25519SigningKey un-gated from #[cfg(all(quinn, iroh))] to #[cfg(quinn)] only. Quinn-only builds (default) now support RFC 7250 raw-key identity. iroh transport converts via iroh::SecretKey::from_bytes. 2. core/endpoint-request-client-cert: replaced with_no_client_auth() with AcceptAnyCertVerifier — a custom ClientCertVerifier that requests client certs but doesn't require them or verify against a CA. alknet's identity model is fingerprint-based (the authorized_fingerprints set is the trust anchor), not PKI-based. Peer certs are extracted at the TLS layer for fingerprinting; peers without certs connect normally. 3. core/acme-integration: TlsIdentity::Acme variant (domains, cache_dir, directory, contact) + AcmeDirectory enum. TlsSetup two-phase construction: synchronous for X509/RawKey/SelfSigned, async for Acme (spawns AcmeState event loop, builds ServerConfig with ResolvesServerCertAcme). acme-tls/1 ALPN added when ACME is active; dispatch_quinn guard closes challenge connections gracefully (challenge is TLS-layer-handled). acme feature gate keeps rustls-acme out of non-ACME builds. Workspace: build/test/clippy green across all 3 feature configs (quinn-only, quinn+iroh, quinn+acme, all-features). 331 tests, 0 failures, 0 warnings.
This commit is contained in:
@@ -29,15 +29,72 @@ pub struct StaticConfig {
|
||||
pub drain_timeout: Duration,
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct Ed25519SecretKey(ed25519_dalek::SigningKey);
|
||||
|
||||
impl Ed25519SecretKey {
|
||||
pub fn generate() -> Self {
|
||||
let mut csprng = rand::rngs::OsRng;
|
||||
Self(ed25519_dalek::SigningKey::generate(&mut csprng))
|
||||
}
|
||||
|
||||
pub fn from_bytes(bytes: &[u8; 32]) -> Self {
|
||||
Self(ed25519_dalek::SigningKey::from_bytes(bytes))
|
||||
}
|
||||
|
||||
pub fn as_bytes(&self) -> [u8; 32] {
|
||||
self.0.to_bytes()
|
||||
}
|
||||
|
||||
pub fn public(&self) -> ed25519_dalek::VerifyingKey {
|
||||
self.0.verifying_key()
|
||||
}
|
||||
|
||||
pub fn sign(&self, message: &[u8]) -> ed25519_dalek::Signature {
|
||||
use ed25519_dalek::Signer;
|
||||
self.0.sign(message)
|
||||
}
|
||||
}
|
||||
|
||||
impl std::fmt::Debug for Ed25519SecretKey {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
f.debug_struct("Ed25519SecretKey").finish_non_exhaustive()
|
||||
}
|
||||
}
|
||||
|
||||
impl zeroize::ZeroizeOnDrop for Ed25519SecretKey {}
|
||||
|
||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||
pub enum AcmeDirectory {
|
||||
Production,
|
||||
Staging,
|
||||
Custom(String),
|
||||
}
|
||||
|
||||
impl AcmeDirectory {
|
||||
pub fn url(&self) -> &str {
|
||||
match self {
|
||||
AcmeDirectory::Production => "https://acme-v02.api.letsencrypt.org/directory",
|
||||
AcmeDirectory::Staging => "https://acme-staging-v02.api.letsencrypt.org/directory",
|
||||
AcmeDirectory::Custom(url) => url,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
pub enum TlsIdentity {
|
||||
X509 {
|
||||
cert: PathBuf,
|
||||
key: PathBuf,
|
||||
},
|
||||
#[cfg(feature = "iroh")]
|
||||
RawKey(iroh::SecretKey),
|
||||
RawKey(Ed25519SecretKey),
|
||||
SelfSigned,
|
||||
Acme {
|
||||
domains: Vec<String>,
|
||||
cache_dir: PathBuf,
|
||||
directory: AcmeDirectory,
|
||||
contact: Vec<String>,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Default)]
|
||||
|
||||
Reference in New Issue
Block a user