
296 lines
9.4 KiB
Raw Normal View History

package libp2ptls
import (
2022-11-04 13:57:20 +00:00
2022-11-04 13:57:20 +00:00
ic ""
const certValidityPeriod = 100 * 365 * 24 * time.Hour // ~100 years
const certificatePrefix = "libp2p-tls-handshake:"
const alpn string = "libp2p"
var extensionID = getPrefixedExtensionID([]int{1, 1})
2021-10-19 13:43:41 +00:00
var extensionCritical bool // so we can mark the extension critical in tests
type signedKey struct {
PubKey []byte
Signature []byte
// Identity is used to secure connections
type Identity struct {
config tls.Config
2022-11-04 13:57:20 +00:00
// IdentityConfig is used to configure an Identity
type IdentityConfig struct {
CertTemplate *x509.Certificate
// IdentityOption transforms an IdentityConfig to apply optional settings.
type IdentityOption func(r *IdentityConfig)
// WithCertTemplate specifies the template to use when generating a new certificate.
func WithCertTemplate(template *x509.Certificate) IdentityOption {
return func(c *IdentityConfig) {
c.CertTemplate = template
// NewIdentity creates a new identity
2022-11-04 13:57:20 +00:00
func NewIdentity(privKey ic.PrivKey, opts ...IdentityOption) (*Identity, error) {
config := IdentityConfig{}
for _, opt := range opts {
var err error
if config.CertTemplate == nil {
config.CertTemplate, err = certTemplate()
if err != nil {
return nil, err
cert, err := keyToCertificate(privKey, config.CertTemplate)
if err != nil {
return nil, err
return &Identity{
config: tls.Config{
MinVersion: tls.VersionTLS13,
PreferServerCipherSuites: preferServerCipherSuites(),
InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
ClientAuth: tls.RequireAnyClientCert,
Certificates: []tls.Certificate{*cert},
VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error {
panic("tls config not specialized for peer")
NextProtos: []string{alpn},
SessionTicketsDisabled: true,
}, nil
// ConfigForPeer creates a new single-use tls.Config that verifies the peer's
// certificate chain and returns the peer's public key via the channel. If the
// peer ID is empty, the returned config will accept any peer.
// It should be used to create a new tls.Config before securing either an
// incoming or outgoing connection.
func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, <-chan ic.PubKey) {
keyCh := make(chan ic.PubKey, 1)
// We need to check the peer ID in the VerifyPeerCertificate callback.
// The tls.Config it is also used for listening, and we might also have concurrent dials.
// Clone it so we can check for the specific peer ID we're dialing here.
conf := i.config.Clone()
// We're using InsecureSkipVerify, so the verifiedChains parameter will always be empty.
// We need to parse the certificates ourselves from the raw certs.
conf.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) (err error) {
defer func() {
if rerr := recover(); rerr != nil {
fmt.Fprintf(os.Stderr, "panic when processing peer certificate in TLS handshake: %s\n%s\n", rerr, debug.Stack())
err = fmt.Errorf("panic when processing peer certificate in TLS handshake: %s", rerr)
defer close(keyCh)
chain := make([]*x509.Certificate, len(rawCerts))
for i := 0; i < len(rawCerts); i++ {
cert, err := x509.ParseCertificate(rawCerts[i])
if err != nil {
return err
chain[i] = cert
pubKey, err := PubKeyFromCertChain(chain)
if err != nil {
return err
if remote != "" && !remote.MatchesPublicKey(pubKey) {
2021-10-19 13:43:41 +00:00
peerID, err := peer.IDFromPublicKey(pubKey)
if err != nil {
peerID = peer.ID(fmt.Sprintf("(not determined: %s)", err.Error()))
return fmt.Errorf("peer IDs don't match: expected %s, got %s", remote, peerID)
keyCh <- pubKey
return nil
return conf, keyCh
// PubKeyFromCertChain verifies the certificate chain and extract the remote's public key.
func PubKeyFromCertChain(chain []*x509.Certificate) (ic.PubKey, error) {
if len(chain) != 1 {
return nil, errors.New("expected one certificates in the chain")
cert := chain[0]
pool := x509.NewCertPool()
var found bool
var keyExt pkix.Extension
// find the libp2p key extension, skipping all unknown extensions
for _, ext := range cert.Extensions {
if extensionIDEqual(ext.Id, extensionID) {
keyExt = ext
found = true
2021-10-19 13:43:41 +00:00
for i, oident := range cert.UnhandledCriticalExtensions {
if oident.Equal(ext.Id) {
// delete the extension from UnhandledCriticalExtensions
cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[:i], cert.UnhandledCriticalExtensions[i+1:]...)
if !found {
return nil, errors.New("expected certificate to contain the key extension")
2021-10-19 13:43:41 +00:00
if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
// If we return an x509 error here, it will be sent on the wire.
// Wrap the error to avoid that.
return nil, fmt.Errorf("certificate verification failed: %s", err)
var sk signedKey
if _, err := asn1.Unmarshal(keyExt.Value, &sk); err != nil {
return nil, fmt.Errorf("unmarshalling signed certificate failed: %s", err)
pubKey, err := ic.UnmarshalPublicKey(sk.PubKey)
if err != nil {
return nil, fmt.Errorf("unmarshalling public key failed: %s", err)
certKeyPub, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
if err != nil {
return nil, err
valid, err := pubKey.Verify(append([]byte(certificatePrefix), certKeyPub...), sk.Signature)
if err != nil {
return nil, fmt.Errorf("signature verification failed: %s", err)
if !valid {
return nil, errors.New("signature invalid")
return pubKey, nil
2022-11-04 13:57:20 +00:00
// GenerateSignedExtension uses the provided private key to sign the public key, and returns the
// signature within a pkix.Extension.
// This extension is included in a certificate to cryptographically tie it to the libp2p private key.
func GenerateSignedExtension(sk ic.PrivKey, pubKey crypto.PublicKey) (pkix.Extension, error) {
keyBytes, err := ic.MarshalPublicKey(sk.GetPublic())
if err != nil {
2022-11-04 13:57:20 +00:00
return pkix.Extension{}, err
2022-11-04 13:57:20 +00:00
certKeyPub, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil {
2022-11-04 13:57:20 +00:00
return pkix.Extension{}, err
signature, err := sk.Sign(append([]byte(certificatePrefix), certKeyPub...))
if err != nil {
2022-11-04 13:57:20 +00:00
return pkix.Extension{}, err
value, err := asn1.Marshal(signedKey{
PubKey: keyBytes,
Signature: signature,
2022-11-04 13:57:20 +00:00
if err != nil {
return pkix.Extension{}, err
return pkix.Extension{Id: extensionID, Critical: extensionCritical, Value: value}, nil
// keyToCertificate generates a new ECDSA private key and corresponding x509 certificate.
// The certificate includes an extension that cryptographically ties it to the provided libp2p
// private key to authenticate TLS connections.
func keyToCertificate(sk ic.PrivKey, certTmpl *x509.Certificate) (*tls.Certificate, error) {
certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, err
// after calling CreateCertificate, these will end up in Certificate.Extensions
extension, err := GenerateSignedExtension(sk, certKey.Public())
if err != nil {
return nil, err
certTmpl.ExtraExtensions = append(certTmpl.ExtraExtensions, extension)
certDER, err := x509.CreateCertificate(rand.Reader, certTmpl, certTmpl, certKey.Public(), certKey)
if err != nil {
return nil, err
2022-11-04 13:57:20 +00:00
return &tls.Certificate{
Certificate: [][]byte{certDER},
PrivateKey: certKey,
}, nil
2022-11-04 13:57:20 +00:00
// certTemplate returns the template for generating an Identity's TLS certificates.
func certTemplate() (*x509.Certificate, error) {
2022-04-01 16:16:46 +00:00
bigNum := big.NewInt(1 << 62)
sn, err := rand.Int(rand.Reader, bigNum)
if err != nil {
return nil, err
2022-11-04 13:57:20 +00:00
2022-04-01 16:16:46 +00:00
subjectSN, err := rand.Int(rand.Reader, bigNum)
if err != nil {
return nil, err
2022-11-04 13:57:20 +00:00
return &x509.Certificate{
SerialNumber: sn,
2022-04-01 16:16:46 +00:00
NotBefore: time.Now().Add(-time.Hour),
NotAfter: time.Now().Add(certValidityPeriod),
2022-04-01 16:16:46 +00:00
// According to RFC 3280, the issuer field must be set,
// see
Subject: pkix.Name{SerialNumber: subjectSN.String()},
}, nil
// We want nodes without AES hardware (e.g. ARM) support to always use ChaCha.
// Only if both nodes have AES hardware support (e.g. x86), AES should be used.
// x86->x86: AES, ARM->x86: ChaCha, x86->ARM: ChaCha and ARM->ARM: Chacha
// This function returns true if we don't have AES hardware support, and false otherwise.
// Thus, ARM servers will always use their own cipher suite preferences (ChaCha first),
2022-11-04 13:57:20 +00:00
// and x86 servers will always use the client's cipher suite preferences.
func preferServerCipherSuites() bool {
// Copied from the Go TLS implementation.
// Check the cpu flags for each platform that has optimized GCM implementations.
// Worst case, these variables will just all be false.
var (
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
// Keep in sync with crypto/aes/cipher_s390x.go.
hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
return !hasGCMAsm