feat(core): ADR-027 — RawKey decoupling, client cert request, ACME integration

Three tasks implementing ADR-027:

1. core/rawkey-decouple-from-iroh: TlsIdentity::RawKey now uses
   Ed25519SecretKey (alknet-core-owned wrapper over ed25519_dalek)
   instead of iroh::SecretKey. RawKeyCertResolver and Ed25519SigningKey
   un-gated from #[cfg(all(quinn, iroh))] to #[cfg(quinn)] only.
   Quinn-only builds (default) now support RFC 7250 raw-key identity.
   iroh transport converts via iroh::SecretKey::from_bytes.

2. core/endpoint-request-client-cert: replaced with_no_client_auth()
   with AcceptAnyCertVerifier — a custom ClientCertVerifier that
   requests client certs but doesn't require them or verify against
   a CA. alknet's identity model is fingerprint-based (the
   authorized_fingerprints set is the trust anchor), not PKI-based.
   Peer certs are extracted at the TLS layer for fingerprinting;
   peers without certs connect normally.

3. core/acme-integration: TlsIdentity::Acme variant (domains,
   cache_dir, directory, contact) + AcmeDirectory enum. TlsSetup
   two-phase construction: synchronous for X509/RawKey/SelfSigned,
   async for Acme (spawns AcmeState event loop, builds ServerConfig
   with ResolvesServerCertAcme). acme-tls/1 ALPN added when ACME is
   active; dispatch_quinn guard closes challenge connections
   gracefully (challenge is TLS-layer-handled). acme feature gate
   keeps rustls-acme out of non-ACME builds.

Workspace: build/test/clippy green across all 3 feature configs
(quinn-only, quinn+iroh, quinn+acme, all-features). 331 tests, 0
failures, 0 warnings.
This commit is contained in:
2026-06-24 20:29:43 +00:00
parent d94d7a132a
commit 00edfc0889
8 changed files with 607 additions and 37 deletions

View File

@@ -29,15 +29,72 @@ pub struct StaticConfig {
pub drain_timeout: Duration,
}
#[derive(Clone)]
pub struct Ed25519SecretKey(ed25519_dalek::SigningKey);
impl Ed25519SecretKey {
pub fn generate() -> Self {
let mut csprng = rand::rngs::OsRng;
Self(ed25519_dalek::SigningKey::generate(&mut csprng))
}
pub fn from_bytes(bytes: &[u8; 32]) -> Self {
Self(ed25519_dalek::SigningKey::from_bytes(bytes))
}
pub fn as_bytes(&self) -> [u8; 32] {
self.0.to_bytes()
}
pub fn public(&self) -> ed25519_dalek::VerifyingKey {
self.0.verifying_key()
}
pub fn sign(&self, message: &[u8]) -> ed25519_dalek::Signature {
use ed25519_dalek::Signer;
self.0.sign(message)
}
}
impl std::fmt::Debug for Ed25519SecretKey {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.debug_struct("Ed25519SecretKey").finish_non_exhaustive()
}
}
impl zeroize::ZeroizeOnDrop for Ed25519SecretKey {}
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AcmeDirectory {
Production,
Staging,
Custom(String),
}
impl AcmeDirectory {
pub fn url(&self) -> &str {
match self {
AcmeDirectory::Production => "https://acme-v02.api.letsencrypt.org/directory",
AcmeDirectory::Staging => "https://acme-staging-v02.api.letsencrypt.org/directory",
AcmeDirectory::Custom(url) => url,
}
}
}
#[derive(Debug, Clone)]
pub enum TlsIdentity {
X509 {
cert: PathBuf,
key: PathBuf,
},
#[cfg(feature = "iroh")]
RawKey(iroh::SecretKey),
RawKey(Ed25519SecretKey),
SelfSigned,
Acme {
domains: Vec<String>,
cache_dir: PathBuf,
directory: AcmeDirectory,
contact: Vec<String>,
},
}
#[derive(Debug, Clone, Default)]