feat(core): ADR-027 — RawKey decoupling, client cert request, ACME integration

Three tasks implementing ADR-027:

1. core/rawkey-decouple-from-iroh: TlsIdentity::RawKey now uses
   Ed25519SecretKey (alknet-core-owned wrapper over ed25519_dalek)
   instead of iroh::SecretKey. RawKeyCertResolver and Ed25519SigningKey
   un-gated from #[cfg(all(quinn, iroh))] to #[cfg(quinn)] only.
   Quinn-only builds (default) now support RFC 7250 raw-key identity.
   iroh transport converts via iroh::SecretKey::from_bytes.

2. core/endpoint-request-client-cert: replaced with_no_client_auth()
   with AcceptAnyCertVerifier — a custom ClientCertVerifier that
   requests client certs but doesn't require them or verify against
   a CA. alknet's identity model is fingerprint-based (the
   authorized_fingerprints set is the trust anchor), not PKI-based.
   Peer certs are extracted at the TLS layer for fingerprinting;
   peers without certs connect normally.

3. core/acme-integration: TlsIdentity::Acme variant (domains,
   cache_dir, directory, contact) + AcmeDirectory enum. TlsSetup
   two-phase construction: synchronous for X509/RawKey/SelfSigned,
   async for Acme (spawns AcmeState event loop, builds ServerConfig
   with ResolvesServerCertAcme). acme-tls/1 ALPN added when ACME is
   active; dispatch_quinn guard closes challenge connections
   gracefully (challenge is TLS-layer-handled). acme feature gate
   keeps rustls-acme out of non-ACME builds.

Workspace: build/test/clippy green across all 3 feature configs
(quinn-only, quinn+iroh, quinn+acme, all-features). 331 tests, 0
failures, 0 warnings.
This commit is contained in:
2026-06-24 20:29:43 +00:00
parent d94d7a132a
commit 00edfc0889
8 changed files with 607 additions and 37 deletions

View File

@@ -1,7 +1,7 @@
---
id: core/acme-integration
name: Add ACME auto-provisioning via rustls-acme (ADR-027)
status: pending
status: completed
depends_on: [core/rawkey-decouple-from-iroh]
scope: moderate
risk: medium

View File

@@ -1,7 +1,7 @@
---
id: core/endpoint-request-client-cert
name: Switch rustls ServerConfig from with_no_client_auth to request-but-don't-require client certs
status: pending
status: completed
depends_on: [core/endpoint-client-fingerprint]
scope: narrow
risk: medium

View File

@@ -1,7 +1,7 @@
---
id: core/rawkey-decouple-from-iroh
name: Decouple TlsIdentity::RawKey from the iroh feature (ADR-027)
status: pending
status: completed
depends_on: []
scope: narrow
risk: medium