don't sign X.509 certs

Nodes currently don't verify X.509 self-signed certificates because peer authentication is done via TLS 1.3 CertificateVerify. Thus, encodes an invalid signature in the X.509 certificate instead.
solana-labs · Nov 29, 2023 · 2b1c177 · 2b1c177
1 parent ceb0103
commit 2b1c177
Show file tree

Hide file tree

Showing 20 changed files with 105 additions and 223 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -278,7 +278,6 @@ rand = "0.8.5"
 rand_chacha = "0.3.1"
 raptorq = "1.8.0"
 rayon = "1.8.0"
-rcgen = "0.10.0"
 reed-solomon-erasure = "6.0.0"
 regex = "1.10.2"
 reqwest = { version = "0.11.22", default-features = false }

diff --git a/client/src/connection_cache.rs b/client/src/connection_cache.rs
@@ -79,9 +79,7 @@ impl ConnectionCache {
             config.update_client_endpoint(client_endpoint);
         }
         if let Some(cert_info) = cert_info {
-            config
-                .update_client_certificate(cert_info.0, cert_info.1)
-                .unwrap();
+            config.update_client_certificate(cert_info.0, cert_info.1);
         }
         if let Some(stake_info) = stake_info {
             config.set_staked_nodes(stake_info.0, stake_info.1);
@@ -240,7 +238,7 @@ mod tests {
     #[test]
     fn test_connection_with_specified_client_endpoint() {
         // Start a response receiver:
-        let (response_recv_socket, response_recv_exit, keypair2, response_recv_ip) = server_args();
+        let (response_recv_socket, response_recv_exit, keypair2, _) = server_args();
         let (sender2, _receiver2) = unbounded();
 
         let staked_nodes = Arc::new(RwLock::new(StakedNodes::default()));
@@ -249,7 +247,6 @@ mod tests {
             "quic_streamer_test",
             response_recv_socket,
             &keypair2,
-            response_recv_ip,
             sender2,
             response_recv_exit.clone(),
             1,

diff --git a/connection-cache/Cargo.toml b/connection-cache/Cargo.toml
@@ -19,7 +19,6 @@ indicatif = { workspace = true, optional = true }
 log = { workspace = true }
 rand = { workspace = true }
 rayon = { workspace = true }
-rcgen = { workspace = true }
 solana-measure = { workspace = true }
 solana-metrics = { workspace = true }
 solana-sdk = { workspace = true }

diff --git a/connection-cache/src/connection_cache.rs b/connection-cache/src/connection_cache.rs
@@ -406,9 +406,6 @@ pub enum ConnectionPoolError {
 
 #[derive(Error, Debug)]
 pub enum ClientError {
-    #[error("Certificate error: {0}")]
-    CertificateError(#[from] rcgen::RcgenError),
-
     #[error("IO error: {0:?}")]
     IoError(#[from] std::io::Error),
 }

diff --git a/core/Cargo.toml b/core/Cargo.toml
@@ -36,7 +36,6 @@ quinn = { workspace = true }
 rand = { workspace = true }
 rand_chacha = { workspace = true }
 rayon = { workspace = true }
-rcgen = { workspace = true }
 rolling-file = { workspace = true }
 rustls = { workspace = true }
 serde = { workspace = true }

diff --git a/core/src/repair/quic_endpoint.rs b/core/src/repair/quic_endpoint.rs
@@ -9,20 +9,17 @@ use {
         EndpointConfig, IdleTimeout, ReadError, ReadToEndError, RecvStream, SendStream,
         ServerConfig, TokioRuntime, TransportConfig, VarInt, WriteError,
     },
-    rcgen::RcgenError,
     rustls::{Certificate, PrivateKey},
     serde_bytes::ByteBuf,
     solana_quic_client::nonblocking::quic_client::SkipServerVerification,
     solana_runtime::bank_forks::BankForks,
     solana_sdk::{packet::PACKET_DATA_SIZE, pubkey::Pubkey, signature::Keypair},
-    solana_streamer::{
-        quic::SkipClientVerification, tls_certificates::new_self_signed_tls_certificate,
-    },
+    solana_streamer::{quic::SkipClientVerification, tls_certificates::new_dummy_x509_certificate},
     std::{
         cmp::Reverse,
         collections::{hash_map::Entry, HashMap},
         io::{Cursor, Error as IoError},
-        net::{IpAddr, SocketAddr, UdpSocket},
+        net::{SocketAddr, UdpSocket},
         sync::{
             atomic::{AtomicBool, AtomicU64, Ordering},
             Arc, RwLock,
@@ -88,8 +85,6 @@ pub struct RemoteRequest {
 #[derive(Error, Debug)]
 #[allow(clippy::enum_variant_names)]
 pub(crate) enum Error {
-    #[error(transparent)]
-    CertificateError(#[from] RcgenError),
     #[error("Channel Send Error")]
     ChannelSendError,
     #[error(transparent)]
@@ -123,11 +118,10 @@ pub(crate) fn new_quic_endpoint(
     runtime: &tokio::runtime::Handle,
     keypair: &Keypair,
     socket: UdpSocket,
-    address: IpAddr,
     remote_request_sender: Sender<RemoteRequest>,
     bank_forks: Arc<RwLock<BankForks>>,
 ) -> Result<(Endpoint, AsyncSender<LocalRequest>, AsyncTryJoinHandle), Error> {
-    let (cert, key) = new_self_signed_tls_certificate(keypair, address)?;
+    let (cert, key) = new_dummy_x509_certificate(keypair);
     let server_config = new_server_config(cert.clone(), key.clone())?;
     let client_config = new_client_config(cert, key)?;
     let mut endpoint = {
@@ -792,7 +786,6 @@ async fn report_metrics_task(name: &'static str, stats: Arc<RepairQuicStats>) {
 
 fn record_error(err: &Error, stats: &RepairQuicStats) {
     match err {
-        Error::CertificateError(_) => (),
         Error::ChannelSendError => (),
         Error::ConnectError(ConnectError::EndpointStopping) => {
             add_metric!(stats.connect_error_other)
@@ -1048,7 +1041,6 @@ mod tests {
                         runtime.handle(),
                         keypair,
                         socket,
-                        IpAddr::V4(Ipv4Addr::LOCALHOST),
                         remote_request_sender,
                         bank_forks.clone(),
                     )

diff --git a/core/src/tpu.rs b/core/src/tpu.rs
@@ -19,7 +19,7 @@ use {
     },
     bytes::Bytes,
     crossbeam_channel::{unbounded, Receiver},
-    solana_client::connection_cache::{ConnectionCache, Protocol},
+    solana_client::connection_cache::ConnectionCache,
     solana_gossip::cluster_info::ClusterInfo,
     solana_ledger::{
         blockstore::Blockstore, blockstore_processor::TransactionStatusSender,
@@ -152,11 +152,6 @@ impl Tpu {
             "quic_streamer_tpu",
             transactions_quic_sockets,
             keypair,
-            cluster_info
-                .my_contact_info()
-                .tpu(Protocol::QUIC)
-                .expect("Operator must spin up node with valid (QUIC) TPU address")
-                .ip(),
             packet_sender,
             exit.clone(),
             MAX_QUIC_CONNECTIONS_PER_PEER,
@@ -172,11 +167,6 @@ impl Tpu {
             "quic_streamer_tpu_forwards",
             transactions_forwards_quic_sockets,
             keypair,
-            cluster_info
-                .my_contact_info()
-                .tpu_forwards(Protocol::QUIC)
-                .expect("Operator must spin up node with valid (QUIC) TPU-forwards address")
-                .ip(),
             forwarded_packet_sender,
             exit.clone(),
             MAX_QUIC_CONNECTIONS_PER_PEER,

diff --git a/core/src/validator.rs b/core/src/validator.rs
@@ -1176,10 +1176,6 @@ impl Validator {
                 .unwrap_or_else(|| current_runtime_handle.as_ref().unwrap()),
             &identity_keypair,
             node.sockets.tvu_quic,
-            node.info
-                .tvu(Protocol::QUIC)
-                .map_err(|err| format!("Invalid QUIC TVU address: {err:?}"))?
-                .ip(),
             turbine_quic_endpoint_sender,
             bank_forks.clone(),
         )
@@ -1201,10 +1197,6 @@ impl Validator {
                     .unwrap_or_else(|| current_runtime_handle.as_ref().unwrap()),
                 &identity_keypair,
                 node.sockets.serve_repair_quic,
-                node.info
-                    .serve_repair(Protocol::QUIC)
-                    .map_err(|err| format!("Invalid QUIC serve-repair address: {err:?}"))?
-                    .ip(),
                 repair_quic_endpoint_sender,
                 bank_forks.clone(),
             )

diff --git a/programs/sbf/Cargo.lock b/programs/sbf/Cargo.lock
diff --git a/quic-client/Cargo.toml b/quic-client/Cargo.toml
@@ -18,7 +18,6 @@ lazy_static = { workspace = true }
 log = { workspace = true }
 quinn = { workspace = true }
 quinn-proto = { workspace = true }
-rcgen = { workspace = true }
 rustls = { workspace = true, features = ["dangerous_configuration"] }
 solana-connection-cache = { workspace = true }
 solana-measure = { workspace = true }