Replace AcceptAnyServerCertVerifier (a security hole for X.509) with verifier selection by PeerEntry presence (ADR-034 §3, OQ-29): - build_client_auth presents the Ed25519 key as an RFC 7250 raw public key client cert (replaces with_no_client_auth), activating the PeerEntry fingerprint -> peer_id resolution path on quinn. - select_server_verifier: Some(fingerprint) -> FingerprintPinVerifier (fingerprint match for known peers); None -> WebPkiServerVerifier (CA verification for public X.509 endpoints). None + Ed25519 raw key fails closed at handshake (no CA to fall back to). - FingerprintPinVerifier matches ed25519:<hex> (raw key extraction) and SHA256:<hex> (DER hash); verifies handshake signatures via verify_tls13_signature_with_raw_key / verify_tls12/13_signature. - Extract shared fingerprint logic into alknet_core::fingerprint (pub module) reused by endpoint (server-side) and call_client (client-side). - remote_identity: None is load-bearing (not defaulted to placeholder). - Integration tests updated to pin the self-signed server cert fingerprint (the known-peer path).
35 lines
1.0 KiB
TOML
35 lines
1.0 KiB
TOML
[package]
|
|
name = "alknet-call"
|
|
version.workspace = true
|
|
edition.workspace = true
|
|
license.workspace = true
|
|
description = "Structured RPC over QUIC on ALPN `alknet/call`: operations, streaming subscriptions, service discovery"
|
|
repository.workspace = true
|
|
|
|
[lib]
|
|
name = "alknet_call"
|
|
|
|
[features]
|
|
default = ["quinn"]
|
|
quinn = ["dep:quinn", "dep:rustls", "dep:rustls-native-certs", "dep:rustls-pemfile", "alknet-core/quinn"]
|
|
|
|
[dependencies]
|
|
alknet-core = { path = "../alknet-core" }
|
|
irpc = { workspace = true }
|
|
tokio = { version = "1", features = ["full"] }
|
|
serde = { version = "1", features = ["derive"] }
|
|
serde_json = "1"
|
|
async-trait = "0.1"
|
|
tracing = "0.1"
|
|
thiserror = "2"
|
|
uuid = { version = "1", features = ["v4"] }
|
|
futures = "0.3"
|
|
parking_lot = "0.12"
|
|
quinn = { version = "0.11", optional = true }
|
|
rustls = { version = "0.23", optional = true, features = ["aws_lc_rs"] }
|
|
rustls-native-certs = { version = "0.8", optional = true }
|
|
rustls-pemfile = { version = "2", optional = true }
|
|
|
|
[dev-dependencies]
|
|
rcgen = "0.13"
|
|
hex = "0.4" |