Use client certs in QUIC to get peer's stake #26477
Conversation
| // Generate a self-signed cert from client's identity key | ||
| let cert_params = new_cert_params(identity_keypair, san); | ||
| let cert = rcgen::Certificate::from_params(cert_params)?; | ||
| let cert_der = cert.serialize_der().unwrap(); |
There was a problem hiding this comment.
kind of looks similar to the server-side cert code, is there anything that could be shared?
There was a problem hiding this comment.
I think the new_certs and its dependencies can be moved to a separate file that can be shared between client and server. Maybe in a follow on PR?
streamer/src/nonblocking/quic.rs
Outdated
| cert.public_key().parsed().ok().and_then(|key| match key { | ||
| PublicKey::Unknown(inner_key) => { | ||
| let pubkey = Pubkey::new(inner_key); | ||
| info!("Peer public key is {:?}", pubkey); |
There was a problem hiding this comment.
Probably shouldn't be info! level. This would be printed on every connection, right?
There was a problem hiding this comment.
I'll change it to debug.
| let server_tls_config = rustls::ServerConfig::builder() | ||
| .with_safe_defaults() | ||
| .with_client_cert_verifier(SkipClientVerification::new()) | ||
| .with_single_cert(cert_chain, priv_key) |
There was a problem hiding this comment.
so we need this because the self-signed client cert is not in the trust chain?
There was a problem hiding this comment.
Yes, that's correct.
There was a problem hiding this comment.
The client is also skipping the server certificate verification. Maybe we should look if there is some additional verification needed/possible on both sides.
* Use client certs in QUIC to get peer's stake * fixes to cert processing * integrate the code * clippy * more cleanup * sort cargo deps * test fixes * info -> debug (cherry picked from commit ea7448c) # Conflicts: # Cargo.lock # client/Cargo.toml # programs/bpf/Cargo.lock
* Use client certs in QUIC to get peer's stake (#26477) * Use client certs in QUIC to get peer's stake * fixes to cert processing * integrate the code * clippy * more cleanup * sort cargo deps * test fixes * info -> debug (cherry picked from commit ea7448c) # Conflicts: # Cargo.lock # client/Cargo.toml # programs/bpf/Cargo.lock * resolve conflicts * resolve conflicts * cargo.lock Co-authored-by: Pankaj Garg <pankaj@solana.com>
* Use client certs in QUIC to get peer's stake * fixes to cert processing * integrate the code * clippy * more cleanup * sort cargo deps * test fixes * info -> debug
Problem
The QUIC streamer is using peer's IP address to compute the stake. If multiple clients are behind the NAT, they will have the same IP address. So the client's stake may not be accurately computed.
Summary of Changes
This PR adds provisions for clients to add certificates signed by their corresponding identity keypair. The QUIC streamer can fetch the client's public key from the cert, and use that to lookup its stake.
Fixes #26363