feat(core): ADR-027 — RawKey decoupling, client cert request, ACME integration
Three tasks implementing ADR-027: 1. core/rawkey-decouple-from-iroh: TlsIdentity::RawKey now uses Ed25519SecretKey (alknet-core-owned wrapper over ed25519_dalek) instead of iroh::SecretKey. RawKeyCertResolver and Ed25519SigningKey un-gated from #[cfg(all(quinn, iroh))] to #[cfg(quinn)] only. Quinn-only builds (default) now support RFC 7250 raw-key identity. iroh transport converts via iroh::SecretKey::from_bytes. 2. core/endpoint-request-client-cert: replaced with_no_client_auth() with AcceptAnyCertVerifier — a custom ClientCertVerifier that requests client certs but doesn't require them or verify against a CA. alknet's identity model is fingerprint-based (the authorized_fingerprints set is the trust anchor), not PKI-based. Peer certs are extracted at the TLS layer for fingerprinting; peers without certs connect normally. 3. core/acme-integration: TlsIdentity::Acme variant (domains, cache_dir, directory, contact) + AcmeDirectory enum. TlsSetup two-phase construction: synchronous for X509/RawKey/SelfSigned, async for Acme (spawns AcmeState event loop, builds ServerConfig with ResolvesServerCertAcme). acme-tls/1 ALPN added when ACME is active; dispatch_quinn guard closes challenge connections gracefully (challenge is TLS-layer-handled). acme feature gate keeps rustls-acme out of non-ACME builds. Workspace: build/test/clippy green across all 3 feature configs (quinn-only, quinn+iroh, quinn+acme, all-features). 331 tests, 0 failures, 0 warnings.
This commit is contained in:
@@ -185,6 +185,22 @@ unresolved at the endpoint layer. A follow-up task will switch the server
|
||||
config to request-but-not-require client certs so fingerprints flow for
|
||||
peers that present them.
|
||||
|
||||
### Server-side client cert request
|
||||
|
||||
The quinn `rustls::ServerConfig` uses a custom `AcceptAnyCertVerifier`
|
||||
that requests client certs but does not require them and does not verify
|
||||
them against a CA. This is the "request-but-don't-require" mode: peers
|
||||
that present a cert (X.509 or RFC 7250 raw key) have their fingerprint
|
||||
extracted via `peer_identity()`; peers that don't present a cert connect
|
||||
normally with `tls_client_fingerprint: None`.
|
||||
|
||||
The verifier accepts any presented cert without CA verification because
|
||||
alknet's identity model is fingerprint-based, not PKI-based — the
|
||||
`AuthPolicy::authorized_fingerprints` set is the trust anchor, not a
|
||||
root CA store. The cert bytes are extracted at the TLS layer and hashed
|
||||
to a fingerprint string; the fingerprint is then matched against the
|
||||
configured set by `IdentityProvider::resolve_from_fingerprint()`.
|
||||
|
||||
## Resolution Flow
|
||||
|
||||
### Endpoint-level (before `handle()`)
|
||||
|
||||
Reference in New Issue
Block a user