feat(iroh)!: remove deprecated x509 libp2p TLS authentication (#3330)

## Description

As previously announced, we are fully transitioning to using Raw Public
Keys for the TLS authentication, so this old method is now removed, in
preparation of cleanup & stabilization in 1.0.

## Breaking Changes

- `iroh::endpoint::Builder:: tls_x509` removed, this is the tls
mechanism that has been removed
- `iroh::endpoint::Builder:: tls_raw_public_keys ` removed, this is the
default mechanism now, so not needed anymore

Author: dignifiedquire

Cargo.lock

@@ -54,7 +54,6 @@ quinn = { package = "iroh-quinn", version = "0.13.0", default-features = false,
 quinn-proto = { package = "iroh-quinn-proto", version = "0.13.0" }
 quinn-udp = { package = "iroh-quinn-udp", version = "0.5.7" }
 rand = "0.8"
-rcgen = "0.13"
 reqwest = { version = "0.12", default-features = false, features = [
     "rustls-tls",
     "stream",
@@ -79,7 +78,6 @@ url = { version = "2.5", features = ["serde"] }
 webpki = { package = "rustls-webpki", version = "0.103", features = ["ring"] }
 webpki_types = { package = "rustls-pki-types", version = "1.12" }
 webpki-roots = "0.26"
-x509-parser = "0.16"
 z32 = "1.0.3"
 
 # fix minimal versions

iroh/Cargo.toml

@@ -145,7 +145,6 @@ pub struct Builder {
     addr_v6: Option<SocketAddrV6>,
     #[cfg(any(test, feature = "test-utils"))]
     path_selection: PathSelection,
-    tls_auth: tls::Authentication,
 }
 
 impl Default for Builder {
@@ -171,7 +170,6 @@ impl Default for Builder {
             addr_v6: None,
             #[cfg(any(test, feature = "test-utils"))]
             path_selection: PathSelection::default(),
-            tls_auth: tls::Authentication::RawPublicKey,
         }
     }
 }
@@ -190,7 +188,7 @@ impl Builder {
             .unwrap_or_else(|| SecretKey::generate(rand::rngs::OsRng));
         let static_config = StaticConfig {
             transport_config: Arc::new(self.transport_config),
-            tls_config: tls::TlsConfig::new(self.tls_auth, secret_key.clone()),
+            tls_config: tls::TlsConfig::new(secret_key.clone()),
             keylog: self.keylog,
         };
         #[cfg(not(wasm_browser))]
@@ -397,24 +395,6 @@ impl Builder {
         self
     }
 
-    /// Use libp2p based self signed certificates for TLS.
-    ///
-    /// For details see the libp2p spec at <https://github.com/libp2p/specs/blob/master/tls/tls.md>
-    ///
-    /// This is the only mechanism available in `iroh@0.33.0` and earlier.
-    pub fn tls_x509(mut self) -> Self {
-        self.tls_auth = tls::Authentication::X509;
-        self
-    }
-
-    /// Use TLS Raw Public Keys
-    ///
-    /// This is the default, but is not compatible with older versions of iroh.
-    pub fn tls_raw_public_keys(mut self) -> Self {
-        self.tls_auth = tls::Authentication::RawPublicKey;
-        self
-    }
-
     #[cfg(feature = "discovery-pkarr-dht")]
     /// Configures the endpoint to also use the mainline DHT with default settings.
     ///
@@ -1706,10 +1686,7 @@ impl Future for IncomingFuture {
             Poll::Pending => Poll::Pending,
             Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
             Poll::Ready(Ok(inner)) => {
-                let conn = Connection {
-                    inner,
-                    tls_auth: this.ep.static_config.tls_config.auth,
-                };
+                let conn = Connection { inner };
                 try_send_rtt_msg(&conn, this.ep, None);
                 Poll::Ready(Ok(conn))
             }
@@ -1797,10 +1774,7 @@ impl Connecting {
     pub fn into_0rtt(self) -> Result<(Connection, ZeroRttAccepted), Self> {
         match self.inner.into_0rtt() {
             Ok((inner, zrtt_accepted)) => {
-                let conn = Connection {
-                    inner,
-                    tls_auth: self.ep.static_config.tls_config.auth,
-                };
+                let conn = Connection { inner };
                 let zrtt_accepted = ZeroRttAccepted {
                     inner: zrtt_accepted,
                     _discovery_drop_guard: self._discovery_drop_guard,
@@ -1850,10 +1824,7 @@ impl Future for Connecting {
             Poll::Pending => Poll::Pending,
             Poll::Ready(Err(err)) => Poll::Ready(Err(err)),
             Poll::Ready(Ok(inner)) => {
-                let conn = Connection {
-                    inner,
-                    tls_auth: this.ep.static_config.tls_config.auth,
-                };
+                let conn = Connection { inner };
                 try_send_rtt_msg(&conn, this.ep, *this.remote_node_id);
                 Poll::Ready(Ok(conn))
             }
@@ -1902,7 +1873,6 @@ impl Future for ZeroRttAccepted {
 #[derive(Debug, Clone)]
 pub struct Connection {
     inner: quinn::Connection,
-    tls_auth: tls::Authentication,
 }
 
 #[allow(missing_docs)]
@@ -2144,19 +2114,10 @@ impl Connection {
                         return Err(RemoteNodeIdSnafu.build());
                     }
 
-                    match self.tls_auth {
-                        tls::Authentication::X509 => {
-                            let cert = tls::certificate::parse(&certs[0])
-                                .map_err(|_| RemoteNodeIdSnafu.build())?;
-                            Ok(cert.peer_id())
-                        }
-                        tls::Authentication::RawPublicKey => {
-                            let peer_id = VerifyingKey::from_public_key_der(&certs[0])
-                                .map_err(|_| RemoteNodeIdSnafu.build())?
-                                .into();
-                            Ok(peer_id)
-                        }
-                    }
+                    let peer_id = VerifyingKey::from_public_key_der(&certs[0])
+                        .map_err(|_| RemoteNodeIdSnafu.build())?
+                        .into();
+                    Ok(peer_id)
                 }
                 Err(err) => {
                     warn!("invalid peer certificate: {:?}", err);
@@ -2358,7 +2319,6 @@ mod tests {
     use crate::{
         endpoint::{ConnectOptions, Connection, ConnectionType, RemoteInfo},
         test_utils::{run_relay_server, run_relay_server_with},
-        tls,
         watcher::Watcher,
         RelayMode,
     };
@@ -2694,34 +2654,16 @@ mod tests {
 
     #[tokio::test]
     #[traced_test]
-    async fn endpoint_bidi_send_recv_x509() -> Result {
-        endpoint_bidi_send_recv(tls::Authentication::X509).await
-    }
-
-    #[tokio::test]
-    #[traced_test]
-    async fn endpoint_bidi_send_recv_raw_public_key() -> Result {
-        endpoint_bidi_send_recv(tls::Authentication::RawPublicKey).await
-    }
-
-    async fn endpoint_bidi_send_recv(auth: tls::Authentication) -> Result {
+    async fn endpoint_bidi_send_recv() -> Result {
         let ep1 = Endpoint::builder()
             .alpns(vec![TEST_ALPN.to_vec()])
             .relay_mode(RelayMode::Disabled);
 
-        let ep1 = match auth {
-            tls::Authentication::X509 => ep1.tls_x509(),
-            tls::Authentication::RawPublicKey => ep1.tls_raw_public_keys(),
-        };
         let ep1 = ep1.bind().await?;
         let ep2 = Endpoint::builder()
             .alpns(vec![TEST_ALPN.to_vec()])
             .relay_mode(RelayMode::Disabled);
 
-        let ep2 = match auth {
-            tls::Authentication::X509 => ep2.tls_x509(),
-            tls::Authentication::RawPublicKey => ep2.tls_raw_public_keys(),
-        };
         let ep2 = ep2.bind().await?;
 
         let ep1_nodeaddr = ep1.node_addr().initialized().await?;

iroh/src/endpoint.rs

@@ -3565,8 +3565,7 @@ mod tests {
     impl Default for Options {
         fn default() -> Self {
             let secret_key = SecretKey::generate(rand::rngs::OsRng);
-            let tls_auth = crate::tls::Authentication::RawPublicKey;
-            let server_config = make_default_server_config(&secret_key, tls_auth);
+            let server_config = make_default_server_config(&secret_key);
             Options {
                 addr_v4: None,
                 addr_v6: None,
@@ -3589,12 +3588,9 @@ mod tests {
     }
 
     /// Generate a server config with no ALPNS and a default transport configuration
-    fn make_default_server_config(
-        secret_key: &SecretKey,
-        tls_auth: crate::tls::Authentication,
-    ) -> ServerConfig {
-        let quic_server_config = crate::tls::TlsConfig::new(tls_auth, secret_key.clone())
-            .make_server_config(vec![], false);
+    fn make_default_server_config(secret_key: &SecretKey) -> ServerConfig {
+        let quic_server_config =
+            crate::tls::TlsConfig::new(secret_key.clone()).make_server_config(vec![], false);
         let mut server_config = ServerConfig::with_crypto(Arc::new(quic_server_config));
         server_config.transport_config(Arc::new(quinn::TransportConfig::default()));
         server_config
@@ -4166,9 +4162,9 @@ mod tests {
     ///
     /// Use [`magicsock_connect`] to establish connections.
     #[instrument(name = "ep", skip_all, fields(me = secret_key.public().fmt_short()))]
-    async fn magicsock_ep(secret_key: SecretKey, tls_auth: tls::Authentication) -> Result<Handle> {
-        let quic_server_config = tls::TlsConfig::new(tls_auth, secret_key.clone())
-            .make_server_config(vec![ALPN.to_vec()], true);
+    async fn magicsock_ep(secret_key: SecretKey) -> Result<Handle> {
+        let quic_server_config =
+            tls::TlsConfig::new(secret_key.clone()).make_server_config(vec![ALPN.to_vec()], true);
         let mut server_config = ServerConfig::with_crypto(Arc::new(quic_server_config));
         server_config.transport_config(Arc::new(quinn::TransportConfig::default()));
 
@@ -4202,7 +4198,6 @@ mod tests {
         ep_secret_key: SecretKey,
         addr: NodeIdMappedAddr,
         node_id: NodeId,
-        tls_auth: tls::Authentication,
     ) -> Result<quinn::Connection> {
         // Endpoint::connect sets this, do the same to have similar behaviour.
         let mut transport_config = quinn::TransportConfig::default();
@@ -4214,7 +4209,6 @@ mod tests {
             addr,
             node_id,
             Arc::new(transport_config),
-            tls_auth,
         )
         .await
     }
@@ -4231,11 +4225,10 @@ mod tests {
         mapped_addr: NodeIdMappedAddr,
         node_id: NodeId,
         transport_config: Arc<quinn::TransportConfig>,
-        tls_auth: tls::Authentication,
     ) -> Result<quinn::Connection> {
         let alpns = vec![ALPN.to_vec()];
         let quic_client_config =
-            tls::TlsConfig::new(tls_auth, ep_secret_key.clone()).make_client_config(alpns, true);
+            tls::TlsConfig::new(ep_secret_key.clone()).make_client_config(alpns, true);
         let mut client_config = quinn::ClientConfig::new(Arc::new(quic_client_config));
         client_config.transport_config(transport_config);
         let connect = ep
@@ -4255,15 +4248,13 @@ mod tests {
         // Regression test: if there is no send_addr we should keep being able to use the
         // Endpoint.
 
-        let tls_auth = tls::Authentication::RawPublicKey;
-
         let secret_key_1 = SecretKey::from_bytes(&[1u8; 32]);
         let secret_key_2 = SecretKey::from_bytes(&[2u8; 32]);
         let node_id_2 = secret_key_2.public();
         let secret_key_missing_node = SecretKey::from_bytes(&[255u8; 32]);
         let node_id_missing_node = secret_key_missing_node.public();
 
-        let msock_1 = magicsock_ep(secret_key_1.clone(), tls_auth).await.unwrap();
+        let msock_1 = magicsock_ep(secret_key_1.clone()).await.unwrap();
 
         // Generate an address not present in the NodeMap.
         let bad_addr = NodeIdMappedAddr::generate();
@@ -4279,14 +4270,13 @@ mod tests {
                 secret_key_1.clone(),
                 bad_addr,
                 node_id_missing_node,
-                tls_auth,
             ),
         )
         .await;
         assert!(res.is_err(), "expecting timeout");
 
         // Now check we can still create another connection with this endpoint.
-        let msock_2 = magicsock_ep(secret_key_2.clone(), tls_auth).await.unwrap();
+        let msock_2 = magicsock_ep(secret_key_2.clone()).await.unwrap();
 
         // This needs an accept task
         let accept_task = tokio::spawn({
@@ -4336,13 +4326,7 @@ mod tests {
         let addr = msock_1.get_mapping_addr(node_id_2).unwrap();
         let res = tokio::time::timeout(
             Duration::from_secs(10),
-            magicsock_connect(
-                msock_1.endpoint(),
-                secret_key_1.clone(),
-                addr,
-                node_id_2,
-                tls_auth,
-            ),
+            magicsock_connect(msock_1.endpoint(), secret_key_1.clone(), addr, node_id_2),
         )
         .await
         .expect("timeout while connecting");
@@ -4360,14 +4344,12 @@ mod tests {
         // This specifically tests the `if udp_addr.is_none() && relay_url.is_none()`
         // behaviour of MagicSock::try_send.
 
-        let tls_auth = tls::Authentication::RawPublicKey;
-
         let secret_key_1 = SecretKey::from_bytes(&[1u8; 32]);
         let secret_key_2 = SecretKey::from_bytes(&[2u8; 32]);
         let node_id_2 = secret_key_2.public();
 
-        let msock_1 = magicsock_ep(secret_key_1.clone(), tls_auth).await.unwrap();
-        let msock_2 = magicsock_ep(secret_key_2.clone(), tls_auth).await.unwrap();
+        let msock_1 = magicsock_ep(secret_key_1.clone()).await.unwrap();
+        let msock_2 = magicsock_ep(secret_key_2.clone()).await.unwrap();
         let ep_2 = msock_2.endpoint().clone();
 
         // We need a task to accept the connection.
@@ -4425,7 +4407,6 @@ mod tests {
             addr_2,
             node_id_2,
             Arc::new(transport_config),
-            tls_auth,
         )
         .await;
         assert!(res.is_err(), "expected timeout");
@@ -4454,15 +4435,10 @@ mod tests {
         // We can now connect
         tokio::time::timeout(Duration::from_secs(10), async move {
             info!("establishing new connection");
-            let conn = magicsock_connect(
-                msock_1.endpoint(),
-                secret_key_1.clone(),
-                addr_2,
-                node_id_2,
-                tls_auth,
-            )
-            .await
-            .unwrap();
+            let conn =
+                magicsock_connect(msock_1.endpoint(), secret_key_1.clone(), addr_2, node_id_2)
+                    .await
+                    .unwrap();
             info!("have connection");
             let mut stream = conn.open_uni().await.unwrap();
             stream.write_all(b"hello").await.unwrap();