address Elena's review

Author: jxs

transports/tls/src/certificate.rs

@@ -40,6 +40,10 @@ const P2P_EXT_OID: [u64; 9] = [1, 3, 6, 1, 4, 1, 53594, 1, 1];
 /// in possession of the private host key at the time the certificate was signed.
 const P2P_SIGNING_PREFIX: [u8; 21] = *b"libp2p-tls-handshake:";
 
+// Certificates MUST use the NamedCurve encoding for elliptic curve parameters.
+// Similarly, hash functions with an output length less than 256 bits MUST NOT be used.
+static P2P_SIGNATURE_ALGORITHM: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P256_SHA256;
+
 #[derive(Debug)]
 pub(crate) struct AlwaysResolvesCert(Arc<rustls::sign::CertifiedKey>);
 
@@ -95,7 +99,7 @@ pub fn generate(
     // Endpoints MAY generate a new key and certificate
     // for every connection attempt, or they MAY reuse the same key
     // and certificate for multiple connections.
-    let certificate_keypair = rcgen::KeyPair::generate()?;
+    let certificate_keypair = rcgen::KeyPair::generate_for(P2P_SIGNATURE_ALGORITHM)?;
     let rustls_key = rustls::pki_types::PrivateKeyDer::from(
         rustls::pki_types::PrivatePkcs8KeyDer::from(certificate_keypair.serialize_der()),
     );
@@ -110,7 +114,7 @@ pub fn generate(
         params.self_signed(&certificate_keypair)?
     };
 
-    Ok((certificate.der().clone(), rustls_key))
+    Ok((certificate.into(), rustls_key))
 }
 
 /// Attempts to parse the provided bytes as a [`P2pCertificate`].