Rustls support for raw public keys

Proposal

Sponsor the authors of rustls to add support for the RFC 7250 standard.

Related GitHub issue: Support RawPublicKey (non-X509) certificates, e.g. for P2P · Issue #423 · rustls/rustls · GitHub

The maintainers of rustls are (according to the README):

  • Joe Birr-Pixton (@ctz, Project Founder - full-time funded by Prossimo)
  • Dirkjan Ochtman (@djc, Co-maintainer)
  • Daniel McCarney (@cpu, Co-maintainer - full-time funded by Prossimo)

Sponsorship links:

Motivation

The Solana Labs client uses the rustls open-source library to establish secure peer-to-peer connections.

Considerable tech debt has been caused by lack of support for “raw public keys”, a TLS extension that simplifies authentication.

rustls only supports heavy web PKI/X.509 authentication, which is primarily designed for the web. The Solana Labs client has had to resort to hacks to get X.509 to work in peer-to-peer networks.

In Firedancer, 10255 lines of code are currently dedicated to supporting these X.509 mock certificates.

Support for RFC 7250 will improve network security and reduce code footprint by tens of thousands of lines of code across Solana peer-to-peer libraries.

See the following related forum posts:

I’m working on this right now (see this PR) and have a question: would it be all right to implement this only for TLS 1.3, or do we also need it for TLS 1.2? The maintainers mentioned they’d prefer a TLS 1.3-only implementation; that’s why I’m asking.