
1// Copyright (c) Mysten Labs, Inc.
2// Modifications Copyright (c) 2024 IOTA Stiftung
3// SPDX-License-Identifier: Apache-2.0
4
5use consensus_config::{AuthorityIndex, NetworkKeyPair};
6use iota_tls::AllowPublicKeys;
7use tokio_rustls::rustls::{ClientConfig, ServerConfig};
8
9use crate::context::Context;
10
/// Builds the rustls [`ServerConfig`] for this authority's consensus listener.
///
/// Peer (client) certificates are checked by an [`iota_tls::ClientCertVerifier`]
/// whose allow-list holds the network public key of every authority in
/// `context.committee`, and whose expected name comes from
/// [`certificate_server_name`]. The listener itself presents a self-signed
/// certificate minted from `network_keypair` under that same name, and
/// advertises only `h2` via ALPN.
///
/// # Panics
///
/// Panics if `rustls_server_config` cannot assemble the configuration.
pub(crate) fn create_rustls_server_config(
    context: &Context,
    network_keypair: NetworkKeyPair,
) -> ServerConfig {
    // One epoch-scoped name, shared by the verifier and the local certificate.
    let server_name = certificate_server_name(context);

    // TODO: refactor to use key bytes
    let own_cert = iota_tls::SelfSignedCertificate::new(
        network_keypair.private_key().into_inner(),
        &server_name,
    );
    let cert_chain = vec![own_cert.rustls_certificate()];
    let private_key = own_cert.rustls_private_key();

    // Every committee member's network key is an acceptable client identity;
    // anything else is rejected by the verifier.
    let allowed_keys = context
        .committee
        .authorities()
        .map(|(_, authority)| authority.network_key.clone().into_inner())
        .collect();
    let client_verifier =
        iota_tls::ClientCertVerifier::new(AllowPublicKeys::new(allowed_keys), server_name);

    let mut config = match client_verifier.rustls_server_config(cert_chain, private_key) {
        Ok(config) => config,
        Err(e) => panic!("Failed to create TLS server config: {:?}", e),
    };
    // Offer HTTP/2 only.
    config.alpn_protocols = vec![b"h2".to_vec()];
    config
}
36
/// Builds the rustls [`ClientConfig`] used when this authority dials the
/// committee member at index `target`.
///
/// The remote certificate is checked by an [`iota_tls::ServerCertVerifier`]
/// pinned to `target`'s network public key (looked up in `context.committee`)
/// and to the epoch-scoped name from [`certificate_server_name`]. This
/// authority presents its own self-signed certificate minted from
/// `network_keypair`. ALPN is left empty on purpose (see the comment below).
///
/// # Panics
///
/// Panics if `rustls_client_config` cannot assemble the configuration. The
/// behaviour for an index unknown to the committee is whatever
/// `committee.authority(target)` does.
pub(crate) fn create_rustls_client_config(
    context: &Context,
    network_keypair: NetworkKeyPair,
    target: AuthorityIndex,
) -> ClientConfig {
    let server_name = certificate_server_name(context);

    // Only a certificate bound to exactly this member's key is acceptable.
    let pinned_key = context
        .committee
        .authority(target)
        .network_key
        .clone()
        .into_inner();

    let own_cert = iota_tls::SelfSignedCertificate::new(
        network_keypair.private_key().into_inner(),
        &server_name,
    );
    let cert_chain = vec![own_cert.rustls_certificate()];
    let private_key = own_cert.rustls_private_key();

    let server_verifier = iota_tls::ServerCertVerifier::new(pinned_key, server_name);
    let mut config = server_verifier
        .rustls_client_config(cert_chain, private_key)
        .unwrap_or_else(|e| panic!("Failed to create TLS client config: {:?}", e));
    // ServerCertVerifier sets alpn for completeness, but alpn cannot be predefined
    // when using HttpsConnector from hyper-rustls, as in TonicManager.
    config.alpn_protocols = vec![];
    config
}
63
/// The name embedded in, and expected from, every consensus TLS certificate:
/// `consensus_epoch_<epoch>`, with `<epoch>` taken from
/// `context.committee.epoch()`.
///
/// Both verifiers in this file are built with this same name, so a
/// certificate minted for a different epoch presumably fails the name check
/// rather than being accepted on key match alone — confirm against
/// `iota_tls`.
fn certificate_server_name(context: &Context) -> String {
    let epoch = context.committee.epoch();
    format!("consensus_epoch_{}", epoch)
}