Not working because webrtc is stupid

Author: thomaseizinger

transports/webrtc/Cargo.toml

@@ -13,6 +13,7 @@ categories = ["network-programming", "asynchronous"]
 async-trait = "0.1"
 asynchronous-codec = "0.6"
 bytes = "1"
+ed25519-compact = "2.0.2"
 futures = "0.3"
 futures-timer = "3"
 hex = "0.4"
@@ -24,6 +25,9 @@ multihash = { version = "0.16", default-features = false, features = ["sha2"] }
 prost = "0.11"
 prost-codec = { version = "0.2.1", path = "../../misc/prost-codec" }
 rand = "0.8"
+rcgen = "0.9.3"
+ring = "0.16.20"
+rustls = "0.19" # Needs to match version in `webrtc`
 serde = { version = "1.0", features = ["derive"] }
 stun = "0.4"
 thiserror = "1"
@@ -43,5 +47,8 @@ anyhow = "1.0"
 env_logger = "0.9"
 hex-literal = "0.3"
 libp2p = { path = "../..", features = ["request-response", "webrtc"], default-features = false }
-rcgen = "0.9.3"
 unsigned-varint = { version = "0.7", features = ["asynchronous_codec"] }
+
+[[test]]
+name = "smoke"
+required-features = ["tokio"]

transports/webrtc/src/certificate.rs

@@ -0,0 +1,126 @@
+use rand::distributions::DistString;
+use rand::{CryptoRng, Rng, SeedableRng};
+use rcgen::{CertificateParams, RcgenError, PKCS_ED25519};
+use ring::signature::Ed25519KeyPair;
+use webrtc::dtls;
+use webrtc::dtls::crypto::{CryptoPrivateKey, CryptoPrivateKeyKind};
+use webrtc::peer_connection::certificate::RTCCertificate;
+
+#[derive(PartialEq)]
+pub struct Certificate {
+    seed: [u8; 32],
+    alt_name: String,
+    pub(crate) inner: RTCCertificate,
+}
+
+impl Certificate {
+    pub fn from_seed(seed: [u8; 32]) -> Result<Self, Error> {
+        let mut rng = rand::rngs::StdRng::from_seed(seed);
+
+        Self::new(&mut rng)
+    }
+
+    pub fn new<R>(rng: &mut R) -> Result<Self, Error>
+    where
+        R: CryptoRng + Rng,
+    {
+        let seed = rng.gen::<[u8; 32]>();
+        let alt_name = rand::distributions::Alphanumeric.sample_string(rng, 16);
+
+        Self::from_seed_and_alt_name(seed, alt_name)
+    }
+
+    fn from_seed_and_alt_name(seed: [u8; 32], alt_name: String) -> Result<Certificate, Error> {
+        let der_keypair =
+            ed25519_compact::KeyPair::from_seed(ed25519_compact::Seed::from(seed.clone()))
+                .sk
+                .to_der();
+
+        let mut params = CertificateParams::new(vec![alt_name.clone()]);
+        params.alg = &PKCS_ED25519;
+        params.key_pair = Some(
+            rcgen::KeyPair::from_der_and_sign_algo(&der_keypair, &PKCS_ED25519)
+                .map_err(Kind::Rcgen)?,
+        );
+
+        let expiry = params.not_after;
+
+        let x509_cert = rcgen::Certificate::from_params(params).map_err(Kind::Rcgen)?;
+        let certificate = x509_cert.serialize_der().map_err(Kind::Rcgen)?;
+
+        let private_key = CryptoPrivateKey {
+            kind: CryptoPrivateKeyKind::Ed25519(
+                Ed25519KeyPair::from_pkcs8_maybe_unchecked(&der_keypair).map_err(Kind::Ring)?,
+            ),
+            serialized_der: der_keypair,
+        };
+
+        let certificate = RTCCertificate::from_existing(
+            dtls::crypto::Certificate {
+                certificate: vec![rustls::Certificate(certificate)],
+                private_key,
+            },
+            &x509_cert.serialize_pem().map_err(Kind::Rcgen)?,
+            expiry.into(),
+        );
+
+        Ok(Self {
+            seed,
+            alt_name,
+            inner: certificate,
+        })
+    }
+
+    pub fn to_pem(&self) -> &str {
+        self.inner.pem()
+    }
+}
+
+impl Clone for Certificate {
+    fn clone(&self) -> Self {
+        Certificate::from_seed_and_alt_name(self.seed, self.alt_name.clone())
+            .expect("it worked the first time")
+    }
+}
+
+#[derive(thiserror::Error, Debug)]
+#[error("Failed to generate certificate")]
+pub struct Error(#[from] Kind);
+
+#[derive(thiserror::Error, Debug)]
+enum Kind {
+    #[error(transparent)]
+    Rcgen(RcgenError),
+    #[error(transparent)]
+    Ring(ring::error::KeyRejected),
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use rand::thread_rng;
+
+    #[test]
+    fn certificate_generation_is_deterministic() {
+        let certificate = Certificate::from_seed([0u8; 32]).unwrap();
+
+        let pem = certificate.to_pem();
+
+        let expected = "-----BEGIN CERTIFICATE-----\r\nMIIBGTCBzKADAgECAgkAmhN4/nhTqzYwBQYDK2VwMCExHzAdBgNVBAMMFnJjZ2Vu\r\nIHNlbGYgc2lnbmVkIGNlcnQwIBcNNzUwMTAxMDAwMDAwWhgPNDA5NjAxMDEwMDAw\r\nMDBaMCExHzAdBgNVBAMMFnJjZ2VuIHNlbGYgc2lnbmVkIGNlcnQwKjAFBgMrZXAD\r\nIQAZkVlx7FLxyVC7GOK7UhQusdNotn+7mJTPgLUmOYlaBKMfMB0wGwYDVR0RBBQw\r\nEoIQZlVrWHBQRnEwelNGUU9ySDAFBgMrZXADQQBk2U8R6h9c8d6veJS+CSxQu5HX\r\nz8/zwwDR/X6yFpVVUGvuOMS3a9J9t9IRZMwUn0fxqlC9rdS/NWzU2NWNVHAO\r\n-----END CERTIFICATE-----\r\n";
+        assert_eq!(expected, pem)
+    }
+
+    #[test]
+    fn can_generate_random_certificate() {
+        Certificate::new(&mut thread_rng()).unwrap();
+    }
+
+    #[test]
+    fn cloned_certificate_is_equivalent() {
+        let certificate = Certificate::from_seed([0u8; 32]).unwrap();
+
+        let cloned_certificate = certificate.clone();
+
+        assert!(certificate == cloned_certificate)
+    }
+}

transports/webrtc/src/lib.rs

@@ -88,3 +88,9 @@ mod message_proto {
 
 #[cfg(feature = "tokio")]
 pub mod tokio;
+
+#[cfg(feature = "tokio")]
+mod certificate;
+
+#[cfg(feature = "tokio")]
+pub use certificate::Certificate;

transports/webrtc/src/tokio/transport.rs

@@ -26,9 +26,9 @@ use libp2p_core::{
     transport::{ListenerId, TransportError, TransportEvent},
     PeerId,
 };
-use webrtc::peer_connection::certificate::RTCCertificate;
 use webrtc::peer_connection::configuration::RTCConfiguration;
 
+use crate::Certificate;
 use std::net::IpAddr;
 use std::{
     net::SocketAddr,
@@ -61,20 +61,16 @@ impl Transport {
     /// use libp2p_core::identity;
     /// use webrtc::peer_connection::certificate::RTCCertificate;
     /// use rand::distributions::DistString;
+    /// use rand::thread_rng;
+    /// use libp2p_webrtc::Certificate;
     /// use libp2p_webrtc::tokio::Transport;
     ///
     /// let id_keys = identity::Keypair::generate_ed25519();
-    /// let certificate = {
-    ///     let mut params = rcgen::CertificateParams::new(vec![
-    ///         rand::distributions::Alphanumeric.sample_string(&mut rand::thread_rng(), 16)
-    ///     ]);
-    ///     params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
-    ///     RTCCertificate::from_params(params).expect("default params to work")
-    /// };
+    /// let certificate = Certificate::new(&mut thread_rng()).unwrap();
     ///
     /// let transport = Transport::new(id_keys, certificate);
     /// ```
-    pub fn new(id_keys: identity::Keypair, certificate: RTCCertificate) -> Self {
+    pub fn new(id_keys: identity::Keypair, certificate: Certificate) -> Self {
         Self {
             config: Config::new(id_keys, certificate),
             listeners: SelectAll::new(),
@@ -146,7 +142,7 @@ impl libp2p_core::Transport for Transport {
         Ok(async move {
             let (peer_id, connection) = upgrade::outbound(
                 sock_addr,
-                config.inner,
+                config.rtc_configuration(),
                 udp_mux,
                 client_fingerprint,
                 server_fingerprint,
@@ -310,7 +306,7 @@ impl Stream for ListenStream {
 
                     let upgrade = upgrade::inbound(
                         new_addr.addr,
-                        self.config.inner.clone(),
+                        self.config.rtc_configuration(),
                         self.udp_mux.udp_mux_handle(),
                         self.config.fingerprint,
                         new_addr.ufrag,
@@ -336,7 +332,7 @@ impl Stream for ListenStream {
 /// A config which holds peer's keys and a x509Cert used to authenticate WebRTC communications.
 #[derive(Clone)]
 struct Config {
-    inner: RTCConfiguration,
+    certificate: Certificate,
     fingerprint: Fingerprint,
     id_keys: identity::Keypair,
 }
@@ -348,23 +344,27 @@ impl Config {
     ///
     /// This function will panic if there's no fingerprint with the SHA-256 algorithm (see
     /// [`RTCCertificate::get_fingerprints`]).
-    fn new(id_keys: identity::Keypair, certificate: RTCCertificate) -> Self {
-        let fingerprints = certificate.get_fingerprints().expect("to never fail");
+    fn new(id_keys: identity::Keypair, certificate: Certificate) -> Self {
+        let fingerprints = certificate.inner.get_fingerprints().expect("to never fail");
         let sha256_fingerprint = fingerprints
             .iter()
             .find(|f| f.algorithm == "sha-256")
             .expect("a SHA-256 fingerprint");
 
         Self {
             id_keys,
-            inner: RTCConfiguration {
-                certificates: vec![certificate],
-                ..RTCConfiguration::default()
-            },
+            certificate,
             fingerprint: Fingerprint::try_from_rtc_dtls(sha256_fingerprint)
                 .expect("we specified SHA-256"),
         }
     }
+
+    fn rtc_configuration(&self) -> RTCConfiguration {
+        RTCConfiguration {
+            certificates: vec![self.certificate.clone().inner],
+            ..RTCConfiguration::default()
+        }
+    }
 }
 
 /// Turns an IP address and port into the corresponding WebRTC multiaddr.
@@ -447,7 +447,7 @@ mod tests {
     use super::*;
     use futures::future::poll_fn;
     use libp2p_core::{multiaddr::Protocol, Transport as _};
-    use rand::distributions::DistString;
+    use rand::thread_rng;
     use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 
     #[test]
@@ -567,8 +567,7 @@ mod tests {
     #[tokio::test]
     async fn close_listener() {
         let id_keys = identity::Keypair::generate_ed25519();
-        let certificate = generate_certificate();
-        let mut transport = Transport::new(id_keys, certificate);
+        let mut transport = Transport::new(id_keys, Certificate::new(&mut thread_rng()).unwrap());
 
         assert!(poll_fn(|cx| Pin::new(&mut transport).as_mut().poll(cx))
             .now_or_never()
@@ -617,12 +616,4 @@ mod tests {
             assert!(transport.listeners.is_empty());
         }
     }
-
-    fn generate_certificate() -> RTCCertificate {
-        let mut params = rcgen::CertificateParams::new(vec![
-            rand::distributions::Alphanumeric.sample_string(&mut rand::thread_rng(), 16)
-        ]);
-        params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
-        RTCCertificate::from_params(params).expect("default params to work")
-    }
 }

transports/webrtc/tests/smoke.rs

@@ -18,7 +18,6 @@
 // FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 // DEALINGS IN THE SOFTWARE.
 
-use ::webrtc::peer_connection::certificate::RTCCertificate;
 use anyhow::Result;
 use async_trait::async_trait;
 use futures::{
@@ -33,9 +32,9 @@ use libp2p::request_response::{
 };
 use libp2p::swarm::{Swarm, SwarmBuilder, SwarmEvent};
 use libp2p::webrtc::tokio as webrtc;
-use rand::distributions::DistString;
-use rand::RngCore;
+use rand::{thread_rng, RngCore};
 
+use libp2p_webrtc::Certificate;
 use std::{io, iter};
 
 #[tokio::test]
@@ -472,8 +471,7 @@ impl RequestResponseCodec for PingCodec {
 fn create_swarm() -> Result<Swarm<RequestResponse<PingCodec>>> {
     let id_keys = identity::Keypair::generate_ed25519();
     let peer_id = id_keys.public().to_peer_id();
-    let certificate = generate_certificate();
-    let transport = webrtc::Transport::new(id_keys, certificate);
+    let transport = webrtc::Transport::new(id_keys, Certificate::new(&mut thread_rng()).unwrap());
 
     let protocols = iter::once((PingProtocol(), ProtocolSupport::Full));
     let cfg = RequestResponseConfig::default();
@@ -488,11 +486,3 @@ fn create_swarm() -> Result<Swarm<RequestResponse<PingCodec>>> {
         }))
         .build())
 }
-
-fn generate_certificate() -> RTCCertificate {
-    let mut params = rcgen::CertificateParams::new(vec![
-        rand::distributions::Alphanumeric.sample_string(&mut rand::thread_rng(), 16)
-    ]);
-    params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
-    RTCCertificate::from_params(params).expect("default params to work")
-}