(feat/webrtc-sniffer): node use p2p key to create self-signed dtls certificate

vlad9486 · vlad9486 · commit beb8ba7129d6 · 2025-02-20T13:34:41.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/p2p/Cargo.toml b/p2p/Cargo.toml
@@ -24,7 +24,7 @@ cfg-if = "1.0.0"
 url = "2.3.1"
 multihash = "0.18.1"
 sha2 = "0.10.6"
-ed25519-dalek = { version = "2.1.1", features = ["serde"] }
+ed25519-dalek = { version = "2.1.1", features = ["serde", "pem"] }
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 aes-gcm = "0.10.3"
 faster-stun = { version = "1.0.1", optional = true }
@@ -84,6 +84,7 @@ webrtc = { git = "https://github.com/openmina/webrtc.git", rev = "e8705db39af1b1
 datachannel = { git = "https://github.com/openmina/datachannel-rs.git", rev = "1bfb064d0ff3e54a93ae0288409902aab8d102d3", optional = true, features = [
     "vendored",
 ] }
+rcgen = { version = "0.13", features = ["pem", "x509-parser"], optional = true }
 reqwest = { version = "0.11", features = ["json"] }
 mio = { version = "0.8.11", features = ["os-poll", "net"] }
 libc = { version = "0.2.151" }
@@ -119,7 +120,7 @@ getrandom = { version = "0.2", features = ["js"] }
 [features]
 serializable_callbacks = []
 p2p-webrtc = ["p2p-webrtc-rs"]
-p2p-webrtc-rs = ["webrtc"]
+p2p-webrtc-rs = ["webrtc", "rcgen"]
 p2p-webrtc-cpp = ["datachannel"]
 p2p-libp2p = ["fuzzing", "dep:reqwest", "dep:faster-stun"]
 fuzzing = ["openmina-fuzzer", "openmina-core/fuzzing"]
diff --git a/p2p/src/identity/secret_key.rs b/p2p/src/identity/secret_key.rs
@@ -1,10 +1,13 @@
 use std::{fmt, path::Path, str::FromStr};
 
 use base64::Engine;
-use ed25519_dalek::{ed25519::signature::SignerMut, SigningKey as Ed25519SecretKey};
+use ed25519_dalek::{
+    ed25519::signature::SignerMut, pkcs8::EncodePrivateKey as _, SigningKey as Ed25519SecretKey,
+};
 use openmina_core::{EncryptedSecretKey, EncryptedSecretKeyFile, EncryptionError};
 use rand::{CryptoRng, Rng};
 use serde::{Deserialize, Serialize};
+use zeroize::Zeroizing;
 
 use super::{PublicKey, Signature};
 
@@ -53,6 +56,12 @@ impl SecretKey {
         self.0.to_scalar_bytes().into()
     }
 
+    pub fn to_pem(&self) -> Zeroizing<String> {
+        self.0
+            .to_pkcs8_pem(Default::default())
+            .expect("must be valid key")
+    }
+
     pub fn from_encrypted_file(
         path: impl AsRef<Path>,
         password: &str,
diff --git a/p2p/src/service_impl/webrtc/mod.rs b/p2p/src/service_impl/webrtc/mod.rs
@@ -33,22 +33,22 @@ use crate::{
 #[cfg(all(not(target_arch = "wasm32"), feature = "p2p-webrtc-rs"))]
 mod imports {
     pub use super::webrtc_rs::{
-        build_api, webrtc_signal_send, Api, RTCChannel, RTCConnection, RTCConnectionState,
-        RTCSignalingError,
+        build_api, certificate_from_pem_key, webrtc_signal_send, Api, RTCCertificate, RTCChannel,
+        RTCConnection, RTCConnectionState, RTCSignalingError,
     };
 }
 #[cfg(all(not(target_arch = "wasm32"), feature = "p2p-webrtc-cpp"))]
 mod imports {
     pub use super::webrtc_cpp::{
-        build_api, webrtc_signal_send, Api, RTCChannel, RTCConnection, RTCConnectionState,
-        RTCSignalingError,
+        build_api, certificate_from_pem_key, webrtc_signal_send, Api, RTCCertificate, RTCChannel,
+        RTCConnection, RTCConnectionState, RTCSignalingError,
     };
 }
 #[cfg(target_arch = "wasm32")]
 mod imports {
     pub use super::web::{
-        build_api, webrtc_signal_send, Api, RTCChannel, RTCConnection, RTCConnectionState,
-        RTCSignalingError,
+        build_api, certificate_from_pem_key, webrtc_signal_send, Api, RTCCertificate, RTCChannel,
+        RTCConnection, RTCConnectionState, RTCSignalingError,
     };
 }
 
@@ -140,7 +140,7 @@ pub type OnConnectionStateChangeHdlrFn = Box<
 
 pub struct RTCConfig {
     pub ice_servers: RTCConfigIceServers,
-    // TODO(binier): certificate
+    pub certificate: RTCCertificate,
 }
 
 #[derive(Serialize)]
@@ -223,7 +223,13 @@ async fn wait_for_ice_gathering_complete(pc: &mut RTCConnection) {
     }
 }
 
-async fn peer_start(api: Api, args: PeerAddArgs, abort: Aborted, closed: mpsc::Sender<()>) {
+async fn peer_start(
+    api: Api,
+    args: PeerAddArgs,
+    abort: Aborted,
+    closed: mpsc::Sender<()>,
+    certificate: RTCCertificate,
+) {
     let PeerAddArgs {
         peer_id,
         kind,
@@ -234,6 +240,7 @@ async fn peer_start(api: Api, args: PeerAddArgs, abort: Aborted, closed: mpsc::S
 
     let config = RTCConfig {
         ice_servers: Default::default(),
+        certificate,
     };
     let fut = async {
         let mut pc = RTCConnection::create(&api, config).await?;
@@ -727,7 +734,7 @@ pub trait P2pServiceWebrtc: redux::Service {
         const MAX_PEERS: usize = 500;
         let (cmd_sender, mut cmd_receiver) = mpsc::unbounded_channel();
 
-        let _ = secret_key;
+        let certificate = certificate_from_pem_key(secret_key.to_pem().as_str());
 
         spawner.spawn_main("webrtc", async move {
             #[allow(clippy::all)]
@@ -741,6 +748,7 @@ pub trait P2pServiceWebrtc: redux::Service {
                         let conn_permits = conn_permits.clone();
                         let peer_id = args.peer_id;
                         let event_sender = args.event_sender.clone();
+                        let certificate = certificate.clone();
                         spawn_local(async move {
                             let Ok(_permit) = conn_permits.try_acquire() else {
                                 // state machine shouldn't allow this to happen.
@@ -755,8 +763,9 @@ pub trait P2pServiceWebrtc: redux::Service {
                                 event_sender_clone(P2pConnectionEvent::Closed(peer_id).into());
                             });
                             tokio::select! {
-                                _ = peer_start(api, args, aborted.clone(), closed_tx.clone()) => {}
-                                _ = aborted.wait() => {}
+                                _ = peer_start(api, args, aborted.clone(), closed_tx.clone(), certificate) => {}
+                                _ = aborted.wait() => {
+                                }
                             }
 
                             // delay dropping permit to give some time for cleanup.
diff --git a/p2p/src/service_impl/webrtc/web.rs b/p2p/src/service_impl/webrtc/web.rs
@@ -32,6 +32,12 @@ pub type RTCConnectionState = RtcPeerConnectionState;
 
 pub type Api = ();
 
+pub type RTCCertificate = ();
+
+pub fn certificate_from_pem_key(_: &str) -> RTCCertificate {
+    ()
+}
+
 pub fn build_api() -> Api {}
 
 pub struct RTCConnection(Rc<RtcPeerConnection>, bool);
diff --git a/p2p/src/service_impl/webrtc/webrtc_cpp.rs b/p2p/src/service_impl/webrtc/webrtc_cpp.rs
@@ -22,6 +22,12 @@ pub type RTCConnectionState = ConnectionState;
 
 pub type Api = ();
 
+pub type RTCCertificate = ();
+
+pub fn certificate_from_pem_key(_: &str) -> RTCCertificate {
+    ()
+}
+
 type MessageHandler = Box<dyn FnMut(&[u8]) + 'static + Send>;
 
 pub fn build_api() -> Api {}
diff --git a/p2p/src/service_impl/webrtc/webrtc_rs.rs b/p2p/src/service_impl/webrtc/webrtc_rs.rs
@@ -28,6 +28,13 @@ pub type RTCConnectionState = RTCPeerConnectionState;
 
 pub type Api = Arc<webrtc::api::API>;
 
+pub type RTCCertificate = webrtc::peer_connection::certificate::RTCCertificate;
+
+pub fn certificate_from_pem_key(pem_str: &str) -> RTCCertificate {
+    let keypair = rcgen::KeyPair::from_pem(pem_str).expect("valid pem");
+    RTCCertificate::from_key_pair(keypair).expect("keypair is compatible")
+}
+
 pub fn build_api() -> Api {
     APIBuilder::new().build().into()
 }
@@ -192,6 +199,7 @@ impl From<RTCConfig> for RTCConfiguration {
         RTCConfiguration {
             ice_servers: value.ice_servers.0.into_iter().map(Into::into).collect(),
             ice_transport_policy: RTCIceTransportPolicy::All,
+            certificates: vec![value.certificate],
             ..Default::default()
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,13 @@ pub type RTCConnectionState = RTCPeerConnectionState;`
`28`	`28`
`29`	`29`	`pub type Api = Arc<webrtc::api::API>;`
`30`	`30`
	`31`	`+pub type RTCCertificate = webrtc::peer_connection::certificate::RTCCertificate;`
	`32`	`+`
	`33`	`+pub fn certificate_from_pem_key(pem_str: &str) -> RTCCertificate {`
	`34`	`+ let keypair = rcgen::KeyPair::from_pem(pem_str).expect("valid pem");`
	`35`	`+ RTCCertificate::from_key_pair(keypair).expect("keypair is compatible")`
	`36`	`+}`
	`37`	`+`
`31`	`38`	`pub fn build_api() -> Api {`
`32`	`39`	`APIBuilder::new().build().into()`
`33`	`40`	`}`
`@@ -192,6 +199,7 @@ impl From<RTCConfig> for RTCConfiguration {`
`192`	`199`	`RTCConfiguration {`
`193`	`200`	`ice_servers: value.ice_servers.0.into_iter().map(Into::into).collect(),`
`194`	`201`	`ice_transport_policy: RTCIceTransportPolicy::All,`
	`202`	`+ certificates: vec![value.certificate],`
`195`	`203`	`..Default::default()`
`196`	`204`	`}`
`197`	`205`	`}`