don't sign X.509 certs #34896
don't sign X.509 certs #34896
Conversation
Nodes currently don't verify X.509 self-signed certificates because peer authentication is done via TLS 1.3 CertificateVerify. Thus, encodes an invalid signature in the X.509 certificate instead.
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #34896 +/- ##
=========================================
- Coverage 81.7% 81.7% -0.1%
=========================================
Files 826 826
Lines 223413 223357 -56
=========================================
- Hits 182614 182553 -61
- Misses 40799 40804 +5 |
|
Can you push your commits directly to #34202 so we have all the context and discussions in one place? |
Unfortunately, I do not have permission to push to the firedancer repo. So the technique would not work. The real change is c1bf6c0 -- rest is just address merge conflicts. Which is just restore the issuer common name back to "Solana node" from "Solana" |
There was a problem hiding this comment.
lgtm,
Can you also plz comment on #34202 pointing to this one for reference and close that as well?
client/src/connection_cache.rs
Outdated
| @@ -253,7 +251,7 @@ mod tests { | |||
| #[test] | |||
| fn test_connection_with_specified_client_endpoint() { | |||
| // Start a response receiver: | |||
| let (response_recv_socket, response_recv_exit, keypair2, response_recv_ip) = server_args(); | |||
| let (response_recv_socket, response_recv_exit, keypair2, _) = server_args(); | |||
There was a problem hiding this comment.
If it is not used anywhere, should server_args() be updated not to return response_recv_ip?
|
Just for record keeping, the CERT looks like the following: openssl x509 -in dummy.cer -inform DER -text -noout |
|
Thank you @lijunwangs. So happy to see this go through. 🎉 |
In solana-labs/solana#34896, Solana Labs chose a slightly different mock cert layout. This PR updates Firedancer and Solana Labs to use the same.
In solana-labs/solana#34896, Solana Labs chose a slightly different mock cert layout. This PR updates Firedancer and Solana Labs to use the same.
In solana-labs/solana#34896, Solana Labs chose a slightly different mock cert layout. This PR updates Firedancer and Solana Labs to use the same.
Problem
This is to resurrect PR from #34202 to address merge conflicts and some comments.
Summary of Changes
This get rid of 3rd party components rcgen in the path of private key access to make the code more secure.
Fixes #