chore: fix RUSTSEC-2025-0009 in libp2p-tls and libp2p-websocket

This PR tries to fix [RUSTSEC-2025-0009](https://rustsec.org/advisories/RUSTSEC-2025-0009.html) in `libp2p-tls` and `libp2p-websocket` by bumping `rcgen`.

Note: Upgrading `rcgen` in `libp2p-webrtc` is non-trival, so it's not included in this PR.

Pull-Request: #5917.

Author: hanabi1224

Cargo.lock

@@ -106,7 +106,7 @@ libp2p-swarm = { version = "0.47.0", path = "swarm" }
 libp2p-swarm-derive = { version = "=0.35.1", path = "swarm-derive" } # `libp2p-swarm-derive` may not be compatible with different `libp2p-swarm` non-breaking releases. E.g. `libp2p-swarm` might introduce a new enum variant `FromSwarm` (which is `#[non-exhaustive]`) in a non-breaking release. Older versions of `libp2p-swarm-derive` would not forward this enum variant within the `NetworkBehaviour` hierarchy. Thus the version pinning is required.
 libp2p-swarm-test = { version = "0.5.0", path = "swarm-test" }
 libp2p-tcp = { version = "0.43.0", path = "transports/tcp" }
-libp2p-tls = { version = "0.6.0", path = "transports/tls" }
+libp2p-tls = { version = "0.6.1", path = "transports/tls" }
 libp2p-uds = { version = "0.42.0", path = "transports/uds" }
 libp2p-upnp = { version = "0.4.0", path = "protocols/upnp" }
 libp2p-webrtc = { version = "0.9.0-alpha", path = "transports/webrtc" }
@@ -134,8 +134,8 @@ multistream-select = { version = "0.13.0", path = "misc/multistream-select" }
 prometheus-client = "0.22.2"
 quick-protobuf-codec = { version = "0.3.1", path = "misc/quick-protobuf-codec" }
 quickcheck = { package = "quickcheck-ext", path = "misc/quickcheck-ext" }
-rcgen = "0.11.3"
-ring = "0.17.8"
+rcgen = "0.13"
+ring = "0.17.12"
 rw-stream-sink = { version = "0.4.0", path = "misc/rw-stream-sink" }
 thiserror = "2"
 tokio = { version = "1.38", default-features = false }

Cargo.toml

@@ -1,3 +1,8 @@
+## 0.6.1
+
+- Upgrade `rcgen` to `v0.13`
+  See [PR 5917](https://github.com/libp2p/rust-libp2p/pull/5917).
+
 ## 0.6.0
 
 <!-- Update to libp2p-core v0.43.0 -->

transports/tls/CHANGELOG.md

@@ -1,6 +1,6 @@
 [package]
 name = "libp2p-tls"
-version = "0.6.0"
+version = "0.6.1"
 edition.workspace = true
 rust-version = { workspace = true }
 description = "TLS configuration based on libp2p TLS specs."

transports/tls/Cargo.toml

@@ -99,26 +99,22 @@ pub fn generate(
     // Endpoints MAY generate a new key and certificate
     // for every connection attempt, or they MAY reuse the same key
     // and certificate for multiple connections.
-    let certificate_keypair = rcgen::KeyPair::generate(P2P_SIGNATURE_ALGORITHM)?;
+    let certificate_keypair = rcgen::KeyPair::generate_for(P2P_SIGNATURE_ALGORITHM)?;
     let rustls_key = rustls::pki_types::PrivateKeyDer::from(
         rustls::pki_types::PrivatePkcs8KeyDer::from(certificate_keypair.serialize_der()),
     );
 
     let certificate = {
-        let mut params = rcgen::CertificateParams::new(vec![]);
+        let mut params = rcgen::CertificateParams::new(vec![])?;
         params.distinguished_name = rcgen::DistinguishedName::new();
         params.custom_extensions.push(make_libp2p_extension(
             identity_keypair,
             &certificate_keypair,
         )?);
-        params.alg = P2P_SIGNATURE_ALGORITHM;
-        params.key_pair = Some(certificate_keypair);
-        rcgen::Certificate::from_params(params)?
+        params.self_signed(&certificate_keypair)?
     };
 
-    let rustls_certificate = rustls::pki_types::CertificateDer::from(certificate.serialize_der()?);
-
-    Ok((rustls_certificate, rustls_key))
+    Ok((certificate.into(), rustls_key))
 }
 
 /// Attempts to parse the provided bytes as a [`P2pCertificate`].
@@ -158,7 +154,7 @@ pub struct P2pExtension {
 
 #[derive(Debug, thiserror::Error)]
 #[error(transparent)]
-pub struct GenError(#[from] rcgen::RcgenError);
+pub struct GenError(#[from] rcgen::Error);
 
 #[derive(Debug, thiserror::Error)]
 #[error(transparent)]
@@ -244,7 +240,7 @@ fn parse_unverified(der_input: &[u8]) -> Result<P2pCertificate, webpki::Error> {
 fn make_libp2p_extension(
     identity_keypair: &identity::Keypair,
     certificate_keypair: &rcgen::KeyPair,
-) -> Result<rcgen::CustomExtension, rcgen::RcgenError> {
+) -> Result<rcgen::CustomExtension, rcgen::Error> {
     // The peer signs the concatenation of the string `libp2p-tls-handshake:`
     // and the public key that it used to generate the certificate carrying
     // the libp2p Public Key Extension, using its private host key.
@@ -255,7 +251,7 @@ fn make_libp2p_extension(
 
         identity_keypair
             .sign(&msg)
-            .map_err(|_| rcgen::RcgenError::RingUnspecified)?
+            .map_err(|_| rcgen::Error::RingUnspecified)?
     };
 
     // The public host key and the signature are ANS.1-encoded

transports/tls/src/certificate.rs

@@ -22,7 +22,7 @@ libp2p-identity = { workspace = true }
 libp2p-webrtc-utils = { workspace = true }
 multihash = { workspace = true }
 rand = "0.8"
-rcgen = { workspace = true }
+rcgen = "0.11"
 stun = "0.7"
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["net"], optional = true }

transports/webrtc/Cargo.toml

@@ -2,6 +2,9 @@
 - Rename types to match naming convention in [discussion 2174](https://github.com/libp2p/rust-libp2p/discussions/2174).
   See [PR 5873](https://github.com/libp2p/rust-libp2p/pull/5873).
 
+- Upgrade `rcgen` to `v0.13`
+  See [PR 5917](https://github.com/libp2p/rust-libp2p/pull/5917).
+
 ## 0.45.0
 
 - fix: Return `Error::InvalidMultiaddr` when dialed to a `/dnsaddr` address

transports/websocket/CHANGELOG.md

@@ -70,7 +70,6 @@ use rw_stream_sink::RwStreamSink;
 /// # use libp2p_dns as dns;
 /// # use libp2p_tcp as tcp;
 /// # use libp2p_websocket as websocket;
-/// # use rcgen::generate_simple_self_signed;
 /// # use std::pin::Pin;
 /// #
 /// # #[async_std::main]
@@ -82,9 +81,12 @@ use rw_stream_sink::RwStreamSink;
 ///         .unwrap(),
 /// );
 ///
-/// let rcgen_cert = generate_simple_self_signed(vec!["localhost".to_string()]).unwrap();
-/// let priv_key = websocket::tls::PrivateKey::new(rcgen_cert.serialize_private_key_der());
-/// let cert = websocket::tls::Certificate::new(rcgen_cert.serialize_der().unwrap());
+/// let rcgen::CertifiedKey {
+///     cert: rcgen_cert,
+///     key_pair,
+/// } = rcgen::generate_simple_self_signed(vec!["localhost".to_string()]).unwrap();
+/// let priv_key = websocket::tls::PrivateKey::new(key_pair.serialize_der());
+/// let cert = websocket::tls::Certificate::new(rcgen_cert.der().to_vec());
 /// transport.set_tls_config(websocket::tls::Config::new(priv_key, vec![cert]).unwrap());
 ///
 /// let id = transport