Skip to content

Commit

Permalink
don't sign X.509 certs (solana-labs#34896)
Browse files Browse the repository at this point in the history 
This get rid of 3rd party components rcgen in the path of private key access to make the code more secure.
  • Loading branch information
@lijunwangs
lijunwangs authored Jan 29, 2024
1 parent b9815da commit 8fde8d2
Show file tree
Hide file tree
Showing 20 changed files with 128 additions and 332 deletions.
69 changes: 0 additions & 69 deletions Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 0 additions & 2 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -263,7 +263,6 @@ pbkdf2 = { version = "0.11.0", default-features = false }
pem = "1.1.1"
percentage = "0.1.0"
pickledb = { version = "0.5.1", default-features = false }
pkcs8 = "0.8.0"
predicates = "2.1"
pretty-hex = "0.3.0"
prio-graph = "0.2.1"
Expand All @@ -282,7 +281,6 @@ rand = "0.8.5"
rand_chacha = "0.3.1"
raptorq = "1.8.0"
rayon = "1.8.1"
rcgen = "0.10.0"
reed-solomon-erasure = "6.0.0"
regex = "1.10.3"
reqwest = { version = "0.11.23", default-features = false }
Expand Down
10 changes: 3 additions & 7 deletions client/src/connection_cache.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,7 @@ impl ConnectionCache {
config.update_client_endpoint(client_endpoint);
}
if let Some(cert_info) = cert_info {
config
.update_client_certificate(cert_info.0, cert_info.1)
.unwrap();
config.update_client_certificate(cert_info.0, cert_info.1);
}
if let Some(stake_info) = stake_info {
config.set_staked_nodes(stake_info.0, stake_info.1);
Expand Down Expand Up @@ -241,19 +239,18 @@ mod tests {
},
};

fn server_args() -> (UdpSocket, Arc<AtomicBool>, Keypair, IpAddr) {
fn server_args() -> (UdpSocket, Arc<AtomicBool>, Keypair) {
(
UdpSocket::bind("127.0.0.1:0").unwrap(),
Arc::new(AtomicBool::new(false)),
Keypair::new(),
"127.0.0.1".parse().unwrap(),
)
}

#[test]
fn test_connection_with_specified_client_endpoint() {
// Start a response receiver:
let (response_recv_socket, response_recv_exit, keypair2, response_recv_ip) = server_args();
let (response_recv_socket, response_recv_exit, keypair2) = server_args();
let (sender2, _receiver2) = unbounded();

let staked_nodes = Arc::new(RwLock::new(StakedNodes::default()));
Expand All @@ -266,7 +263,6 @@ mod tests {
"quic_streamer_test",
response_recv_socket,
&keypair2,
response_recv_ip,
sender2,
response_recv_exit.clone(),
1,
Expand Down
1 change: 0 additions & 1 deletion connection-cache/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ indicatif = { workspace = true, optional = true }
log = { workspace = true }
rand = { workspace = true }
rayon = { workspace = true }
rcgen = { workspace = true }
solana-measure = { workspace = true }
solana-metrics = { workspace = true }
solana-sdk = { workspace = true }
Expand Down
3 changes: 0 additions & 3 deletions connection-cache/src/connection_cache.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -412,9 +412,6 @@ pub enum ConnectionPoolError {

#[derive(Error, Debug)]
pub enum ClientError {
#[error("Certificate error: {0}")]
CertificateError(#[from] rcgen::RcgenError),

#[error("IO error: {0:?}")]
IoError(#[from] std::io::Error),
}
Expand Down
1 change: 0 additions & 1 deletion core/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,6 @@ quinn = { workspace = true }
rand = { workspace = true }
rand_chacha = { workspace = true }
rayon = { workspace = true }
rcgen = { workspace = true }
rolling-file = { workspace = true }
rustls = { workspace = true }
serde = { workspace = true }
Expand Down
14 changes: 3 additions & 11 deletions core/src/repair/quic_endpoint.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,20 +9,17 @@ use {
EndpointConfig, IdleTimeout, ReadError, ReadToEndError, RecvStream, SendStream,
ServerConfig, TokioRuntime, TransportConfig, VarInt, WriteError,
},
rcgen::RcgenError,
rustls::{Certificate, PrivateKey},
serde_bytes::ByteBuf,
solana_quic_client::nonblocking::quic_client::SkipServerVerification,
solana_runtime::bank_forks::BankForks,
solana_sdk::{packet::PACKET_DATA_SIZE, pubkey::Pubkey, signature::Keypair},
solana_streamer::{
quic::SkipClientVerification, tls_certificates::new_self_signed_tls_certificate,
},
solana_streamer::{quic::SkipClientVerification, tls_certificates::new_dummy_x509_certificate},
std::{
cmp::Reverse,
collections::{hash_map::Entry, HashMap},
io::{Cursor, Error as IoError},
net::{IpAddr, SocketAddr, UdpSocket},
net::{SocketAddr, UdpSocket},
sync::{
atomic::{AtomicBool, AtomicU64, Ordering},
Arc, RwLock,
Expand Down Expand Up @@ -88,8 +85,6 @@ pub struct RemoteRequest {
#[derive(Error, Debug)]
#[allow(clippy::enum_variant_names)]
pub(crate) enum Error {
#[error(transparent)]
CertificateError(#[from] RcgenError),
#[error("Channel Send Error")]
ChannelSendError,
#[error(transparent)]
Expand Down Expand Up @@ -123,11 +118,10 @@ pub(crate) fn new_quic_endpoint(
runtime: &tokio::runtime::Handle,
keypair: &Keypair,
socket: UdpSocket,
address: IpAddr,
remote_request_sender: Sender<RemoteRequest>,
bank_forks: Arc<RwLock<BankForks>>,
) -> Result<(Endpoint, AsyncSender<LocalRequest>, AsyncTryJoinHandle), Error> {
let (cert, key) = new_self_signed_tls_certificate(keypair, address)?;
let (cert, key) = new_dummy_x509_certificate(keypair);
let server_config = new_server_config(cert.clone(), key.clone())?;
let client_config = new_client_config(cert, key)?;
let mut endpoint = {
Expand Down Expand Up @@ -809,7 +803,6 @@ async fn report_metrics_task(name: &'static str, stats: Arc<RepairQuicStats>) {

fn record_error(err: &Error, stats: &RepairQuicStats) {
match err {
Error::CertificateError(_) => (),
Error::ChannelSendError => (),
Error::ConnectError(ConnectError::EndpointStopping) => {
add_metric!(stats.connect_error_other)
Expand Down Expand Up @@ -1065,7 +1058,6 @@ mod tests {
runtime.handle(),
keypair,
socket,
IpAddr::V4(Ipv4Addr::LOCALHOST),
remote_request_sender,
bank_forks.clone(),
)
Expand Down
12 changes: 1 addition & 11 deletions core/src/tpu.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ use {
},
bytes::Bytes,
crossbeam_channel::{unbounded, Receiver},
solana_client::connection_cache::{ConnectionCache, Protocol},
solana_client::connection_cache::ConnectionCache,
solana_gossip::cluster_info::ClusterInfo,
solana_ledger::{
blockstore::Blockstore, blockstore_processor::TransactionStatusSender,
Expand Down Expand Up @@ -156,11 +156,6 @@ impl Tpu {
"quic_streamer_tpu",
transactions_quic_sockets,
keypair,
cluster_info
.my_contact_info()
.tpu(Protocol::QUIC)
.expect("Operator must spin up node with valid (QUIC) TPU address")
.ip(),
packet_sender,
exit.clone(),
MAX_QUIC_CONNECTIONS_PER_PEER,
Expand All @@ -180,11 +175,6 @@ impl Tpu {
"quic_streamer_tpu_forwards",
transactions_forwards_quic_sockets,
keypair,
cluster_info
.my_contact_info()
.tpu_forwards(Protocol::QUIC)
.expect("Operator must spin up node with valid (QUIC) TPU-forwards address")
.ip(),
forwarded_packet_sender,
exit.clone(),
MAX_QUIC_CONNECTIONS_PER_PEER,
Expand Down
8 changes: 0 additions & 8 deletions core/src/validator.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1193,10 +1193,6 @@ impl Validator {
.unwrap_or_else(|| current_runtime_handle.as_ref().unwrap()),
&identity_keypair,
node.sockets.tvu_quic,
node.info
.tvu(Protocol::QUIC)
.map_err(|err| format!("Invalid QUIC TVU address: {err:?}"))?
.ip(),
turbine_quic_endpoint_sender,
bank_forks.clone(),
)
Expand Down Expand Up @@ -1226,10 +1222,6 @@ impl Validator {
.unwrap_or_else(|| current_runtime_handle.as_ref().unwrap()),
&identity_keypair,
node.sockets.serve_repair_quic,
node.info
.serve_repair(Protocol::QUIC)
.map_err(|err| format!("Invalid QUIC serve-repair address: {err:?}"))?
.ip(),
repair_quic_endpoint_sender,
bank_forks.clone(),
)
Expand Down
Loading

0 comments on commit 8fde8d2

Please sign in to comment.