@libp2p/tls 0.0.0-0321812e7

package/dist/src/utils.js

@@ -0,0 +1,274 @@
+import { Duplex as DuplexStream } from 'node:stream';
+import { Ed25519PublicKey, Secp256k1PublicKey, marshalPublicKey, supportedKeys, unmarshalPrivateKey, unmarshalPublicKey } from '@libp2p/crypto/keys';
+import { CodeError, InvalidCryptoExchangeError, UnexpectedPeerError } from '@libp2p/interface';
+import { peerIdFromKeys } from '@libp2p/peer-id';
+import { AsnConvert } from '@peculiar/asn1-schema';
+import * as asn1X509 from '@peculiar/asn1-x509';
+import { Crypto } from '@peculiar/webcrypto';
+import * as x509 from '@peculiar/x509';
+import * as asn1js from 'asn1js';
+import { pushable } from 'it-pushable';
+import { concat as uint8ArrayConcat } from 'uint8arrays/concat';
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string';
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string';
+import { KeyType, PublicKey } from '../src/pb/index.js';
+const crypto = new Crypto();
+x509.cryptoProvider.set(crypto);
+const LIBP2P_PUBLIC_KEY_EXTENSION = '1.3.6.1.4.1.53594.1.1';
+const CERT_PREFIX = 'libp2p-tls-handshake:';
+// https://github.com/libp2p/go-libp2p/blob/28c0f6ab32cd69e4b18e9e4b550ef6ce059a9d1a/p2p/security/tls/crypto.go#L265
+const CERT_VALIDITY_PERIOD_FROM = 60 * 60 * 1000; // ~1 hour
+// https://github.com/libp2p/go-libp2p/blob/28c0f6ab32cd69e4b18e9e4b550ef6ce059a9d1a/p2p/security/tls/crypto.go#L24C28-L24C44
+const CERT_VALIDITY_PERIOD_TO = 100 * 365 * 24 * 60 * 60 * 1000; // ~100 years
+export async function verifyPeerCertificate(rawCertificate, expectedPeerId, log) {
+    const now = Date.now();
+    const x509Cert = new x509.X509Certificate(rawCertificate);
+    if (x509Cert.notBefore.getTime() > now) {
+        log?.error('the certificate was not valid yet');
+        throw new CodeError('The certificate is not valid yet', 'ERR_INVALID_CERTIFICATE');
+    }
+    if (x509Cert.notAfter.getTime() < now) {
+        log?.error('the certificate has expired');
+        throw new CodeError('The certificate has expired', 'ERR_INVALID_CERTIFICATE');
+    }
+    const certSignatureValid = await x509Cert.verify();
+    if (!certSignatureValid) {
+        log?.error('certificate self signature was invalid');
+        throw new InvalidCryptoExchangeError('Invalid certificate self signature');
+    }
+    const certIsSelfSigned = await x509Cert.isSelfSigned();
+    if (!certIsSelfSigned) {
+        log?.error('certificate must be self signed');
+        throw new InvalidCryptoExchangeError('Certificate must be self signed');
+    }
+    const libp2pPublicKeyExtension = x509Cert.extensions[0];
+    if (libp2pPublicKeyExtension == null || libp2pPublicKeyExtension.type !== LIBP2P_PUBLIC_KEY_EXTENSION) {
+        log?.error('the certificate did not include the libp2p public key extension');
+        throw new CodeError('The certificate did not include the libp2p public key extension', 'ERR_INVALID_CERTIFICATE');
+    }
+    const { result: libp2pKeySequence } = asn1js.fromBER(libp2pPublicKeyExtension.value);
+    // @ts-expect-error deep chain
+    const remotePeerIdPb = libp2pKeySequence.valueBlock.value[0].valueBlock.valueHex;
+    const marshalledPeerId = new Uint8Array(remotePeerIdPb, 0, remotePeerIdPb.byteLength);
+    const remotePublicKey = PublicKey.decode(marshalledPeerId);
+    const remotePublicKeyData = remotePublicKey.data ?? new Uint8Array(0);
+    let remoteLibp2pPublicKey;
+    if (remotePublicKey.type === KeyType.Ed25519) {
+        remoteLibp2pPublicKey = new Ed25519PublicKey(remotePublicKeyData);
+    }
+    else if (remotePublicKey.type === KeyType.Secp256k1) {
+        remoteLibp2pPublicKey = new Secp256k1PublicKey(remotePublicKeyData);
+    }
+    else if (remotePublicKey.type === KeyType.RSA) {
+        remoteLibp2pPublicKey = supportedKeys.rsa.unmarshalRsaPublicKey(remotePublicKeyData);
+    }
+    else {
+        log?.error('unknown or unsupported key type', remotePublicKey.type);
+        throw new InvalidCryptoExchangeError('Unknown or unsupported key type');
+    }
+    // @ts-expect-error deep chain
+    const remoteSignature = libp2pKeySequence.valueBlock.value[1].valueBlock.valueHex;
+    const dataToVerify = encodeSignatureData(x509Cert.publicKey.rawData);
+    const result = await remoteLibp2pPublicKey.verify(dataToVerify, new Uint8Array(remoteSignature, 0, remoteSignature.byteLength));
+    if (!result) {
+        log?.error('invalid libp2p signature');
+        throw new InvalidCryptoExchangeError('Could not verify signature');
+    }
+    const marshalled = marshalPublicKey(remoteLibp2pPublicKey);
+    const remotePeerId = await peerIdFromKeys(marshalled);
+    if (expectedPeerId?.equals(remotePeerId) === false) {
+        log?.error('invalid peer id');
+        throw new UnexpectedPeerError();
+    }
+    return remotePeerId;
+}
+export async function generateCertificate(peerId) {
+    const now = Date.now();
+    const alg = {
+        name: 'ECDSA',
+        namedCurve: 'P-256',
+        hash: 'SHA-256'
+    };
+    const keys = await crypto.subtle.generateKey(alg, true, ['sign']);
+    const certPublicKeySpki = await crypto.subtle.exportKey('spki', keys.publicKey);
+    const dataToSign = encodeSignatureData(certPublicKeySpki);
+    if (peerId.privateKey == null) {
+        throw new InvalidCryptoExchangeError('Private key was missing from PeerId');
+    }
+    const privateKey = await unmarshalPrivateKey(peerId.privateKey);
+    const sig = await privateKey.sign(dataToSign);
+    let keyType;
+    let keyData;
+    if (peerId.publicKey == null) {
+        throw new CodeError('Public key missing from PeerId', 'ERR_INVALID_PEER_ID');
+    }
+    const publicKey = unmarshalPublicKey(peerId.publicKey);
+    if (peerId.type === 'Ed25519') {
+        // Ed25519: Only the 32 bytes of the public key
+        keyType = KeyType.Ed25519;
+        keyData = publicKey.marshal();
+    }
+    else if (peerId.type === 'secp256k1') {
+        // Secp256k1: Only the compressed form of the public key. 33 bytes.
+        keyType = KeyType.Secp256k1;
+        keyData = publicKey.marshal();
+    }
+    else if (peerId.type === 'RSA') {
+        // The rest of the keys are encoded as a SubjectPublicKeyInfo structure in PKIX, ASN.1 DER form.
+        keyType = KeyType.RSA;
+        keyData = publicKey.marshal();
+    }
+    else {
+        throw new CodeError('Unknown PeerId type', 'ERR_UNKNOWN_PEER_ID_TYPE');
+    }
+    const selfCert = await x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: uint8ArrayToString(crypto.getRandomValues(new Uint8Array(9)), 'base16'),
+        name: '',
+        notBefore: new Date(now - CERT_VALIDITY_PERIOD_FROM),
+        notAfter: new Date(now + CERT_VALIDITY_PERIOD_TO),
+        signingAlgorithm: alg,
+        keys,
+        extensions: [
+            new x509.Extension(LIBP2P_PUBLIC_KEY_EXTENSION, true, new asn1js.Sequence({
+                value: [
+                    // publicKey
+                    new asn1js.OctetString({
+                        valueHex: PublicKey.encode({
+                            type: keyType,
+                            data: keyData
+                        })
+                    }),
+                    // signature
+                    new asn1js.OctetString({
+                        valueHex: sig
+                    })
+                ]
+            }).toBER())
+        ]
+    });
+    const certPrivateKeySpki = await crypto.subtle.exportKey('spki', keys.privateKey);
+    return {
+        cert: selfCert.toString(),
+        key: spkiToPEM(certPrivateKeySpki)
+    };
+}
+/**
+ * @see https://github.com/libp2p/specs/blob/master/tls/tls.md#libp2p-public-key-extension
+ */
+export function encodeSignatureData(certPublicKey) {
+    const keyInfo = AsnConvert.parse(certPublicKey, asn1X509.SubjectPublicKeyInfo);
+    const bytes = AsnConvert.serialize(keyInfo);
+    return uint8ArrayConcat([
+        uint8ArrayFromString(CERT_PREFIX),
+        new Uint8Array(bytes, 0, bytes.byteLength)
+    ]);
+}
+function spkiToPEM(keydata) {
+    return formatAsPem(uint8ArrayToString(new Uint8Array(keydata), 'base64'));
+}
+function formatAsPem(str) {
+    let finalString = '-----BEGIN PRIVATE KEY-----\n';
+    while (str.length > 0) {
+        finalString += str.substring(0, 64) + '\n';
+        str = str.substring(64);
+    }
+    finalString = finalString + '-----END PRIVATE KEY-----';
+    return finalString;
+}
+export function itToStream(conn) {
+    const output = pushable();
+    const iterator = conn.source[Symbol.asyncIterator]();
+    const stream = new DuplexStream({
+        autoDestroy: false,
+        allowHalfOpen: true,
+        write(chunk, encoding, callback) {
+            output.push(chunk);
+            callback();
+        },
+        read() {
+            iterator.next()
+                .then(result => {
+                if (result.done === true) {
+                    this.push(null);
+                }
+                else {
+                    this.push(result.value);
+                }
+            }, (err) => {
+                this.destroy(err);
+            });
+        }
+    });
+    // @ts-expect-error return type of sink is unknown
+    conn.sink(output)
+        .catch((err) => {
+        stream.destroy(err);
+    });
+    return stream;
+}
+export function streamToIt(stream) {
+    const output = {
+        source: (async function* () {
+            const output = pushable();
+            stream.addListener('data', (buf) => {
+                output.push(buf.subarray());
+            });
+            // both ends closed
+            stream.addListener('close', () => {
+                output.end();
+            });
+            stream.addListener('error', (err) => {
+                output.end(err);
+            });
+            // just writable end closed
+            stream.addListener('finish', () => {
+                output.end();
+            });
+            try {
+                yield* output;
+            }
+            catch (err) {
+                stream.destroy(err);
+                throw err;
+            }
+        })(),
+        sink: async (source) => {
+            try {
+                for await (const buf of source) {
+                    const sendMore = stream.write(buf.subarray());
+                    if (!sendMore) {
+                        await waitForBackpressure(stream);
+                    }
+                }
+                // close writable end
+                stream.end();
+            }
+            catch (err) {
+                stream.destroy(err);
+                throw err;
+            }
+        }
+    };
+    return output;
+}
+async function waitForBackpressure(stream) {
+    await new Promise((resolve, reject) => {
+        const continueListener = () => {
+            cleanUp();
+            resolve();
+        };
+        const stopListener = (err) => {
+            cleanUp();
+            reject(err ?? new Error('Stream ended'));
+        };
+        const cleanUp = () => {
+            stream.removeListener('drain', continueListener);
+            stream.removeListener('end', stopListener);
+            stream.removeListener('error', stopListener);
+        };
+        stream.addListener('drain', continueListener);
+        stream.addListener('end', stopListener);
+        stream.addListener('error', stopListener);
+    });
+}
+//# sourceMappingURL=utils.js.map

package/dist/src/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,YAAY,EAAE,MAAM,aAAa,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AACpJ,OAAO,EAAE,SAAS,EAAE,0BAA0B,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AAC9F,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAClD,OAAO,KAAK,QAAQ,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAA;AACtC,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAA;AAChC,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AACtC,OAAO,EAAE,MAAM,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAC/D,OAAO,EAAE,UAAU,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAA;AAC5E,OAAO,EAAE,QAAQ,IAAI,kBAAkB,EAAE,MAAM,uBAAuB,CAAA;AACtE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAKvD,MAAM,MAAM,GAAG,IAAI,MAAM,EAAE,CAAA;AAC3B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;AAE/B,MAAM,2BAA2B,GAAG,uBAAuB,CAAA;AAC3D,MAAM,WAAW,GAAG,uBAAuB,CAAA;AAC3C,oHAAoH;AACpH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,UAAU;AAC3D,6HAA6H;AAC7H,MAAM,uBAAuB,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,aAAa;AAE7E,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAE,cAA0B,EAAE,cAAuB,EAAE,GAAY;IAC5G,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAA;IAEzD,IAAI,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;QACvC,GAAG,EAAE,KAAK,CAAC,mCAAmC,CAAC,CAAA;QAC/C,MAAM,IAAI,SAAS,CAAC,kCAAkC,EAAE,yBAAyB,CAAC,CAAA;IACpF,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;QACtC,GAAG,EAAE,KAAK,CAAC,6BAA6B,CAAC,CAAA;QACzC,MAAM,IAAI,SAAS,CAAC,6BAA6B,EAAE,yBAAyB,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,CAAA;IAElD,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,GAAG,EAAE,KAAK,CAAC,wCAAwC,CAAC,CAAA;QACpD,MAAM,IAAI,0BAA0B,CAAC,oCAAoC,CAAC,CAAA;IAC5E,CAAC;IAED,MAAM,gBAAgB,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAA;IAEtD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,GAAG,EAAE,KAAK,CAAC,iCAAiC,CAAC,CAAA;QAC7C,MAAM,IAAI,0BAA0B,CAAC,iCAAiC,CAAC,CAAA;IACzE,CAAC;IAED,MAAM,wBAAwB,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IAEvD,IAAI,wBAAwB,IAAI,IAAI,IAAI,wBAAwB,CAAC,IAAI,KAAK,2BAA2B,EAAE,CAAC;QACtG,GAAG,EAAE,KAAK,CAAC,iEAAiE,CAAC,CAAA;QAC7E,MAAM,IAAI,SAAS,CAAC,iEAAiE,EAAE,yBAAyB,CAAC,CAAA;IACnH,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAA;IAEpF,8BAA8B;IAC9B,MAAM,cAAc,GAAG,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAA;IAChF,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC,EAAE,cAAc,CAAC,UAAU,CAAC,CAAA;IACrF,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAC1D,MAAM,mBAAmB,GAAG,eAAe,CAAC,IAAI,IAAI,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IACrE,IAAI,qBAAsC,CAAA;IAE1C,IAAI,eAAe,CAAC,IAAI,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC;QAC7C,qBAAqB,GAAG,IAAI,gBAAgB,CAAC,mBAAmB,CAAC,CAAA;IACnE,CAAC;SAAM,IAAI,eAAe,CAAC,IAAI,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;QACtD,qBAAqB,GAAG,IAAI,kBAAkB,CAAC,mBAAmB,CAAC,CAAA;IACrE,CAAC;SAAM,IAAI,eAAe,CAAC,IAAI,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAChD,qBAAqB,GAAG,aAAa,CAAC,GAAG,CAAC,qBAAqB,CAAC,mBAAmB,CAAC,CAAA;IACtF,CAAC;SAAM,CAAC;QACN,GAAG,EAAE,KAAK,CAAC,iCAAiC,EAAE,eAAe,CAAC,IAAI,CAAC,CAAA;QACnE,MAAM,IAAI,0BAA0B,CAAC,iCAAiC,CAAC,CAAA;IACzE,CAAC;IAED,8BAA8B;IAC9B,MAAM,eAAe,GAAG,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAA;IACjF,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACpE,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC,CAAA;IAE/H,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,GAAG,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAA;QACtC,MAAM,IAAI,0BAA0B,CAAC,4BAA4B,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,qBAAqB,CAAC,CAAA;IAC1D,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAA;IAErD,IAAI,cAAc,EAAE,MAAM,CAAC,YAAY,CAAC,KAAK,KAAK,EAAE,CAAC;QACnD,GAAG,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAA;QAC7B,MAAM,IAAI,mBAAmB,EAAE,CAAA;IACjC,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAE,MAAc;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEtB,MAAM,GAAG,GAAG;QACV,IAAI,EAAE,OAAO;QACb,UAAU,EAAE,OAAO;QACnB,IAAI,EAAE,SAAS;KAChB,CAAA;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;IAEjE,MAAM,iBAAiB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;IAC/E,MAAM,UAAU,GAAG,mBAAmB,CAAC,iBAAiB,CAAC,CAAA;IAEzD,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,0BAA0B,CAAC,qCAAqC,CAAC,CAAA;IAC7E,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IAC/D,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAE7C,IAAI,OAAgB,CAAA;IACpB,IAAI,OAAmB,CAAA;IAEvB,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,gCAAgC,EAAE,qBAAqB,CAAC,CAAA;IAC9E,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IAEtD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,+CAA+C;QAC/C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;QACzB,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAA;IAC/B,CAAC;SAAM,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACvC,mEAAmE;QACnE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAA;QAC3B,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAA;IAC/B,CAAC;SAAM,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACjC,gGAAgG;QAChG,OAAO,GAAG,OAAO,CAAC,GAAG,CAAA;QACrB,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAA;IAC/B,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAAC;QACpE,YAAY,EAAE,kBAAkB,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC;QACrF,IAAI,EAAE,EAAE;QACR,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,yBAAyB,CAAC;QACpD,QAAQ,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,uBAAuB,CAAC;QACjD,gBAAgB,EAAE,GAAG;QACrB,IAAI;QACJ,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,SAAS,CAAC,2BAA2B,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,QAAQ,CAAC;gBACxE,KAAK,EAAE;oBACL,YAAY;oBACZ,IAAI,MAAM,CAAC,WAAW,CAAC;wBACrB,QAAQ,EAAE,SAAS,CAAC,MAAM,CAAC;4BACzB,IAAI,EAAE,OAAO;4BACb,IAAI,EAAE,OAAO;yBACd,CAAC;qBACH,CAAC;oBACF,YAAY;oBACZ,IAAI,MAAM,CAAC,WAAW,CAAC;wBACrB,QAAQ,EAAE,GAAG;qBACd,CAAC;iBACH;aACF,CAAC,CAAC,KAAK,EAAE,CAAC;SACZ;KACF,CAAC,CAAA;IAEF,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAEjF,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE;QACzB,GAAG,EAAE,SAAS,CAAC,kBAAkB,CAAC;KACnC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAE,aAA0B;IAC7D,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,aAAa,EAAE,QAAQ,CAAC,oBAAoB,CAAC,CAAA;IAC9E,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IAE3C,OAAO,gBAAgB,CAAC;QACtB,oBAAoB,CAAC,WAAW,CAAC;QACjC,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC;KAC3C,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,SAAS,CAAE,OAAoB;IACtC,OAAO,WAAW,CAAC,kBAAkB,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAA;AAC3E,CAAC;AAED,SAAS,WAAW,CAAE,GAAW;IAC/B,IAAI,WAAW,GAAG,+BAA+B,CAAA;IAEjD,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,WAAW,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAA;QAC1C,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;IACzB,CAAC;IAED,WAAW,GAAG,WAAW,GAAG,2BAA2B,CAAA;IAEvD,OAAO,WAAW,CAAA;AACpB,CAAC;AAED,MAAM,UAAU,UAAU,CAAE,IAAyD;IACnF,MAAM,MAAM,GAAG,QAAQ,EAAE,CAAA;IACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,EAAgC,CAAA;IAElF,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC;QAC9B,WAAW,EAAE,KAAK;QAClB,aAAa,EAAE,IAAI;QACnB,KAAK,CAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ;YAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAClB,QAAQ,EAAE,CAAA;QACZ,CAAC;QACD,IAAI;YACF,QAAQ,CAAC,IAAI,EAAE;iBACZ,IAAI,CAAC,MAAM,CAAC,EAAE;gBACb,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;oBACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBACjB,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;gBACzB,CAAC;YACH,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE;gBACT,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YACnB,CAAC,CAAC,CAAA;QACN,CAAC;KACF,CAAC,CAAA;IAEF,kDAAkD;IAClD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;SACd,KAAK,CAAC,CAAC,GAAQ,EAAE,EAAE;QAClB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACrB,CAAC,CAAC,CAAA;IAEJ,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,UAAU,UAAU,CAAE,MAAoB;IAC9C,MAAM,MAAM,GAAwD;QAClE,MAAM,EAAE,CAAC,KAAK,SAAU,CAAC;YACvB,MAAM,MAAM,GAAG,QAAQ,EAAc,CAAA;YAErC,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE;gBACjC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAA;YAC7B,CAAC,CAAC,CAAA;YACF,mBAAmB;YACnB,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,EAAE;gBAC/B,MAAM,CAAC,GAAG,EAAE,CAAA;YACd,CAAC,CAAC,CAAA;YACF,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAClC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YACF,2BAA2B;YAC3B,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,GAAG,EAAE;gBAChC,MAAM,CAAC,GAAG,EAAE,CAAA;YACd,CAAC,CAAC,CAAA;YAEF,IAAI,CAAC;gBACH,KAAM,CAAC,CAAC,MAAM,CAAA;YAChB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBACnB,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC,CAAC,EAAE;QACJ,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;YACrB,IAAI,CAAC;gBACH,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;oBAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAA;oBAE7C,IAAI,CAAC,QAAQ,EAAE,CAAC;wBACd,MAAM,mBAAmB,CAAC,MAAM,CAAC,CAAA;oBACnC,CAAC;gBACH,CAAC;gBAED,qBAAqB;gBACrB,MAAM,CAAC,GAAG,EAAE,CAAA;YACd,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBACnB,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;KACF,CAAA;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAE,MAAoB;IACtD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,gBAAgB,GAAG,GAAS,EAAE;YAClC,OAAO,EAAE,CAAA;YACT,OAAO,EAAE,CAAA;QACX,CAAC,CAAA;QACD,MAAM,YAAY,GAAG,CAAC,GAAW,EAAQ,EAAE;YACzC,OAAO,EAAE,CAAA;YACT,MAAM,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAA;QAC1C,CAAC,CAAA;QAED,MAAM,OAAO,GAAG,GAAS,EAAE;YACzB,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;YAChD,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,YAAY,CAAC,CAAA;YAC1C,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;QAC9C,CAAC,CAAA;QAED,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAA;QAC7C,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,YAAY,CAAC,CAAA;QACvC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,74 @@
+{
+  "name": "@libp2p/tls",
+  "version": "0.0.0-0321812e7",
+  "description": "A connection encrypter that uses TLS 1.3",
+  "license": "Apache-2.0 OR MIT",
+  "homepage": "https://github.com/libp2p/js-libp2p/tree/main/packages/connection-encrypter-tls#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/libp2p/js-libp2p.git"
+  },
+  "bugs": {
+    "url": "https://github.com/libp2p/js-libp2p/issues"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "type": "module",
+  "types": "./dist/src/index.d.ts",
+  "files": [
+    "src",
+    "dist",
+    "!dist/test",
+    "!**/*.tsbuildinfo"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/src/index.d.ts",
+      "import": "./dist/src/index.js"
+    }
+  },
+  "eslintConfig": {
+    "extends": "ipfs",
+    "parserOptions": {
+      "project": true,
+      "sourceType": "module"
+    }
+  },
+  "scripts": {
+    "start": "node dist/src/main.js",
+    "build": "aegir build --bundle false",
+    "test": "aegir test -t node",
+    "clean": "aegir clean",
+    "generate": "protons ./src/pb/index.proto",
+    "lint": "aegir lint",
+    "test:node": "aegir test -t node --cov",
+    "dep-check": "aegir dep-check"
+  },
+  "dependencies": {
+    "@libp2p/crypto": "4.0.1-0321812e7",
+    "@libp2p/interface": "1.1.2-0321812e7",
+    "@libp2p/peer-id": "4.0.5-0321812e7",
+    "@peculiar/asn1-schema": "^2.3.8",
+    "@peculiar/asn1-x509": "^2.3.8",
+    "@peculiar/webcrypto": "^1.4.5",
+    "@peculiar/x509": "^1.9.7",
+    "asn1js": "^3.0.5",
+    "it-pushable": "^3.2.3",
+    "it-stream-types": "^2.0.1",
+    "protons-runtime": "^5.4.0",
+    "uint8arraylist": "^2.4.8",
+    "uint8arrays": "^5.0.1"
+  },
+  "devDependencies": {
+    "@libp2p/interface-compliance-tests": "5.2.0-0321812e7",
+    "@libp2p/logger": "4.0.5-0321812e7",
+    "@libp2p/peer-id-factory": "4.0.5-0321812e7",
+    "@multiformats/multiaddr": "^12.1.14",
+    "aegir": "^42.2.3",
+    "protons": "^7.5.0",
+    "sinon": "^17.0.1"
+  },
+  "sideEffects": false
+}

package/src/index.ts

@@ -0,0 +1,40 @@
+/**
+ * @packageDocumentation
+ *
+ * Implements the spec at https://github.com/libp2p/specs/blob/master/tls/tls.md
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { tls } from '@libp2p/tls'
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionEncryption: [
+ *     tls()
+ *   ]
+ * })
+ * ```
+ */
+
+import { TLS } from './tls.js'
+import type { ComponentLogger, ConnectionEncrypter } from '@libp2p/interface'
+
+export const PROTOCOL = '/tls/1.0.0'
+
+export interface TLSComponents {
+  logger: ComponentLogger
+}
+
+export interface TLSInit {
+  /**
+   * The peer id exchange must complete within this many milliseconds
+   * (default: 1000)
+   */
+  timeout?: number
+}
+
+export function tls (init?: TLSInit): (components: TLSComponents) => ConnectionEncrypter {
+  return (components) => new TLS(components, init)
+}

package/src/pb/index.proto

@@ -0,0 +1,13 @@
+syntax = "proto3";
+
+enum KeyType {
+  RSA = 0;
+  Ed25519 = 1;
+  Secp256k1 = 2;
+  ECDSA = 3;
+}
+
+message PublicKey {
+  optional KeyType type = 1;
+  optional bytes data = 2;
+}

package/src/pb/index.ts

@@ -0,0 +1,95 @@
+/* eslint-disable import/export */
+/* eslint-disable complexity */
+/* eslint-disable @typescript-eslint/no-namespace */
+/* eslint-disable @typescript-eslint/no-unnecessary-boolean-literal-compare */
+/* eslint-disable @typescript-eslint/no-empty-interface */
+
+import { type Codec, decodeMessage, encodeMessage, enumeration, message } from 'protons-runtime'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+export enum KeyType {
+  RSA = 'RSA',
+  Ed25519 = 'Ed25519',
+  Secp256k1 = 'Secp256k1',
+  ECDSA = 'ECDSA'
+}
+
+enum __KeyTypeValues {
+  RSA = 0,
+  Ed25519 = 1,
+  Secp256k1 = 2,
+  ECDSA = 3
+}
+
+export namespace KeyType {
+  export const codec = (): Codec<KeyType> => {
+    return enumeration<KeyType>(__KeyTypeValues)
+  }
+}
+export interface PublicKey {
+  type?: KeyType
+  data?: Uint8Array
+}
+
+export namespace PublicKey {
+  let _codec: Codec<PublicKey>
+
+  export const codec = (): Codec<PublicKey> => {
+    if (_codec == null) {
+      _codec = message<PublicKey>((obj, w, opts = {}) => {
+        if (opts.lengthDelimited !== false) {
+          w.fork()
+        }
+
+        if (obj.type != null) {
+          w.uint32(8)
+          KeyType.codec().encode(obj.type, w)
+        }
+
+        if (obj.data != null) {
+          w.uint32(18)
+          w.bytes(obj.data)
+        }
+
+        if (opts.lengthDelimited !== false) {
+          w.ldelim()
+        }
+      }, (reader, length) => {
+        const obj: any = {}
+
+        const end = length == null ? reader.len : reader.pos + length
+
+        while (reader.pos < end) {
+          const tag = reader.uint32()
+
+          switch (tag >>> 3) {
+            case 1: {
+              obj.type = KeyType.codec().decode(reader)
+              break
+            }
+            case 2: {
+              obj.data = reader.bytes()
+              break
+            }
+            default: {
+              reader.skipType(tag & 7)
+              break
+            }
+          }
+        }
+
+        return obj
+      })
+    }
+
+    return _codec
+  }
+
+  export const encode = (obj: Partial<PublicKey>): Uint8Array => {
+    return encodeMessage(obj, PublicKey.codec())
+  }
+
+  export const decode = (buf: Uint8Array | Uint8ArrayList): PublicKey => {
+    return decodeMessage(buf, PublicKey.codec())
+  }
+}

package/src/tls.ts

@@ -0,0 +1,115 @@
+/**
+ * @packageDocumentation
+ *
+ * Implements the spec at https://github.com/libp2p/specs/blob/master/tls/tls.md
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { tls } from '@libp2p/tls'
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionEncryption: [
+ *     tls()
+ *   ]
+ * })
+ * ```
+ */
+
+import { TLSSocket, type TLSSocketOptions, connect } from 'node:tls'
+import { CodeError } from '@libp2p/interface'
+import { generateCertificate, verifyPeerCertificate, itToStream, streamToIt } from './utils.js'
+import { PROTOCOL } from './index.js'
+import type { TLSComponents, TLSInit } from './index.js'
+import type { MultiaddrConnection, ConnectionEncrypter, SecuredConnection, PeerId, Logger } from '@libp2p/interface'
+import type { Duplex } from 'it-stream-types'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+export class TLS implements ConnectionEncrypter {
+  public protocol: string = PROTOCOL
+  private readonly log: Logger
+  private readonly timeout: number
+
+  constructor (components: TLSComponents, init: TLSInit = {}) {
+    this.log = components.logger.forComponent('libp2p:tls')
+    this.timeout = init.timeout ?? 1000
+  }
+
+  async secureInbound <Stream extends Duplex<AsyncGenerator<Uint8Array | Uint8ArrayList>> = MultiaddrConnection> (localId: PeerId, conn: Stream, remoteId?: PeerId): Promise<SecuredConnection<Stream>> {
+    return this._encrypt(localId, conn, false, remoteId)
+  }
+
+  async secureOutbound <Stream extends Duplex<AsyncGenerator<Uint8Array | Uint8ArrayList>> = MultiaddrConnection> (localId: PeerId, conn: Stream, remoteId?: PeerId): Promise<SecuredConnection<Stream>> {
+    return this._encrypt(localId, conn, true, remoteId)
+  }
+
+  /**
+   * Encrypt connection
+   */
+  async _encrypt <Stream extends Duplex<AsyncGenerator<Uint8Array | Uint8ArrayList>> = MultiaddrConnection> (localId: PeerId, conn: Stream, isServer: boolean, remoteId?: PeerId): Promise<SecuredConnection<Stream>> {
+    const opts: TLSSocketOptions = {
+      ...await generateCertificate(localId),
+      isServer,
+      // require TLS 1.3 or later
+      minVersion: 'TLSv1.3',
+      maxVersion: 'TLSv1.3',
+      // accept self-signed certificates
+      rejectUnauthorized: false
+    }
+
+    let socket: TLSSocket
+
+    if (isServer) {
+      socket = new TLSSocket(itToStream(conn), {
+        ...opts,
+        // require clients to send certificates
+        requestCert: true
+      })
+    } else {
+      socket = connect({
+        socket: itToStream(conn),
+        ...opts
+      })
+    }
+
+    return new Promise((resolve, reject) => {
+      const abortTimeout = setTimeout(() => {
+        socket.destroy(new CodeError('Handshake timeout', 'ERR_HANDSHAKE_TIMEOUT'))
+      }, this.timeout)
+
+      const verifyRemote = (): void => {
+        const remote = socket.getPeerCertificate()
+
+        verifyPeerCertificate(remote.raw, remoteId, this.log)
+          .then(remotePeer => {
+            this.log('remote certificate ok, remote peer %p', remotePeer)
+
+            resolve({
+              remotePeer,
+              conn: {
+                ...conn,
+                ...streamToIt(socket)
+              }
+            })
+          })
+          .catch(err => {
+            reject(err)
+          })
+          .finally(() => {
+            clearTimeout(abortTimeout)
+          })
+      }
+
+      socket.on('error', err => {
+        reject(err)
+        clearTimeout(abortTimeout)
+      })
+      socket.on('secure', (evt) => {
+        this.log('verifying remote certificate')
+        verifyRemote()
+      })
+    })
+  }
+}