@libp2p/tls 0.0.0

package/LICENSE

@@ -0,0 +1,4 @@
+This project is dual licensed under MIT and Apache-2.0.
+
+MIT: https://www.opensource.org/licenses/mit
+Apache-2.0: https://www.apache.org/licenses/license-2.0

package/README.md

@@ -0,0 +1,45 @@
+[![libp2p.io](https://img.shields.io/badge/project-libp2p-yellow.svg?style=flat-square)](http://libp2p.io/)
+[![Discuss](https://img.shields.io/discourse/https/discuss.libp2p.io/posts.svg?style=flat-square)](https://discuss.libp2p.io)
+[![codecov](https://img.shields.io/codecov/c/github/libp2p/js-libp2p.svg?style=flat-square)](https://codecov.io/gh/libp2p/js-libp2p)
+[![CI](https://img.shields.io/github/actions/workflow/status/libp2p/js-libp2p/main.yml?branch=main\&style=flat-square)](https://github.com/libp2p/js-libp2p/actions/workflows/main.yml?query=branch%3Amain)
+
+> A connection encrypter that uses TLS 1.3
+
+# About
+
+Implements the spec at <https://github.com/libp2p/specs/blob/master/tls/tls.md>
+
+## Example
+
+```typescript
+import { createLibp2p } from 'libp2p'
+import { tls } from '@libp2p/tls'
+
+const node = await createLibp2p({
+  // ...other options
+  connectionEncryption: [
+    tls()
+  ]
+})
+```
+
+# Install
+
+```console
+$ npm i @libp2p/tls
+```
+
+# API Docs
+
+- <https://libp2p.github.io/js-libp2p/modules/_libp2p_tls.html>
+
+# License
+
+Licensed under either of
+
+- Apache 2.0, ([LICENSE-APACHE](LICENSE-APACHE) / <http://www.apache.org/licenses/LICENSE-2.0>)
+- MIT ([LICENSE-MIT](LICENSE-MIT) / <http://opensource.org/licenses/MIT>)
+
+# Contribution
+
+Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

package/dist/src/index.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @packageDocumentation
+ *
+ * A connection encrypter that does no connection encryption.
+ *
+ * This should not be used in production should be used for research purposes only.
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { tls } from '@libp2p/tls'
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionEncryption: [
+ *     tls()
+ *   ]
+ * })
+ * ```
+ */
+import type { ComponentLogger, ConnectionEncrypter } from '@libp2p/interface';
+export interface TLSComponents {
+    logger: ComponentLogger;
+}
+export interface TLSInit {
+    /**
+     * The peer id exchange must complete within this many milliseconds
+     * (default: 1000)
+     */
+    timeout?: number;
+}
+export declare function tls(init?: TLSInit): (components: TLSComponents) => ConnectionEncrypter;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AASH,OAAO,KAAK,EAAE,eAAe,EAAuB,mBAAmB,EAA6B,MAAM,mBAAmB,CAAA;AAM7H,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,eAAe,CAAA;CACxB;AAED,MAAM,WAAW,OAAO;IACtB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AA+ED,wBAAgB,GAAG,CAAE,IAAI,CAAC,EAAE,OAAO,GAAG,CAAC,UAAU,EAAE,aAAa,KAAK,mBAAmB,CAEvF"}

package/dist/src/index.js

@@ -0,0 +1,99 @@
+/**
+ * @packageDocumentation
+ *
+ * A connection encrypter that does no connection encryption.
+ *
+ * This should not be used in production should be used for research purposes only.
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { tls } from '@libp2p/tls'
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionEncryption: [
+ *     tls()
+ *   ]
+ * })
+ * ```
+ */
+import { TLSSocket, connect } from 'node:tls';
+import { UnexpectedPeerError } from '@libp2p/interface';
+// @ts-expect-error no types
+import itToStream from 'it-to-stream';
+// @ts-expect-error no types
+import streamToIt from 'stream-to-it';
+import { generateCertificate, verifyPeerCertificate } from './utils.js';
+const PROTOCOL = '/tls/1.0.0';
+class TLS {
+    protocol = PROTOCOL;
+    // private readonly log: Logger
+    // private readonly timeout: number
+    // constructor (components: TLSComponents, init: TLSInit = {}) {
+    //   this.log = components.logger.forComponent('libp2p:tls')
+    //   this.timeout = init.timeout ?? 1000
+    // }
+    async secureInbound(localId, conn, remoteId) {
+        return this._encrypt(localId, conn, false, remoteId);
+    }
+    async secureOutbound(localId, conn, remoteId) {
+        return this._encrypt(localId, conn, true, remoteId);
+    }
+    /**
+     * Encrypt connection
+     */
+    async _encrypt(localId, conn, isServer, remoteId) {
+        const opts = {
+            ...await generateCertificate(localId),
+            isServer,
+            requestCert: true,
+            // accept self-signed certificates
+            rejectUnauthorized: false,
+            // require TLS 1.3 or later
+            minVersion: 'TLSv1.3'
+        };
+        let socket;
+        if (isServer) {
+            socket = new TLSSocket(itToStream.duplex(conn), opts);
+        }
+        else {
+            socket = connect({
+                socket: itToStream.duplex(conn),
+                ...opts
+            });
+        }
+        return new Promise((resolve, reject) => {
+            function verifyRemote() {
+                const remote = socket.getPeerCertificate();
+                verifyPeerCertificate(remote.raw)
+                    .then(remotePeer => {
+                    if (remoteId?.equals(remotePeer) === false) {
+                        throw new UnexpectedPeerError();
+                    }
+                    const outputStream = streamToIt.duplex(socket);
+                    conn.source = outputStream.source;
+                    conn.sink = outputStream.sink;
+                    resolve({
+                        remotePeer,
+                        conn
+                    });
+                })
+                    .catch(err => {
+                    reject(err);
+                });
+            }
+            socket.on('error', err => {
+                reject(err);
+            });
+            socket.on('secure', (evt) => {
+                verifyRemote();
+            });
+        });
+    }
+}
+export function tls(init) {
+    return (components) => new TLS();
+}
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,SAAS,EAAyB,OAAO,EAAE,MAAM,UAAU,CAAA;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,4BAA4B;AAC5B,OAAO,UAAU,MAAM,cAAc,CAAA;AACrC,4BAA4B;AAC5B,OAAO,UAAU,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AAKvE,MAAM,QAAQ,GAAG,YAAY,CAAA;AAc7B,MAAM,GAAG;IACA,QAAQ,GAAW,QAAQ,CAAA;IAClC,+BAA+B;IAC/B,mCAAmC;IAEnC,gEAAgE;IAChE,4DAA4D;IAC5D,wCAAwC;IACxC,IAAI;IAEJ,KAAK,CAAC,aAAa,CAA6F,OAAe,EAAE,IAAY,EAAE,QAAiB;QAC9J,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAA;IACtD,CAAC;IAED,KAAK,CAAC,cAAc,CAA6F,OAAe,EAAE,IAAY,EAAE,QAAiB;QAC/J,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAA;IACrD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAA6F,OAAe,EAAE,IAAY,EAAE,QAAiB,EAAE,QAAiB;QAC5K,MAAM,IAAI,GAAqB;YAC7B,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC;YACrC,QAAQ;YACR,WAAW,EAAE,IAAI;YACjB,kCAAkC;YAClC,kBAAkB,EAAE,KAAK;YACzB,2BAA2B;YAC3B,UAAU,EAAE,SAAS;SACtB,CAAA;QAED,IAAI,MAAiB,CAAA;QAErB,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,GAAG,IAAI,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,CAAA;QACvD,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,OAAO,CAAC;gBACf,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC;gBAC/B,GAAG,IAAI;aACR,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,SAAS,YAAY;gBACnB,MAAM,MAAM,GAAG,MAAM,CAAC,kBAAkB,EAAE,CAAA;gBAE1C,qBAAqB,CAAC,MAAM,CAAC,GAAG,CAAC;qBAC9B,IAAI,CAAC,UAAU,CAAC,EAAE;oBACjB,IAAI,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC,KAAK,KAAK,EAAE,CAAC;wBAC3C,MAAM,IAAI,mBAAmB,EAAE,CAAA;oBACjC,CAAC;oBAED,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;oBAC9C,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,CAAA;oBACjC,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC,IAAI,CAAA;oBAE7B,OAAO,CAAC;wBACN,UAAU;wBACV,IAAI;qBACL,CAAC,CAAA;gBACJ,CAAC,CAAC;qBACD,KAAK,CAAC,GAAG,CAAC,EAAE;oBACX,MAAM,CAAC,GAAG,CAAC,CAAA;gBACb,CAAC,CAAC,CAAA;YACN,CAAC;YAED,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;gBACvB,MAAM,CAAC,GAAG,CAAC,CAAA;YACb,CAAC,CAAC,CAAA;YACF,MAAM,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC1B,YAAY,EAAE,CAAA;YAChB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;CACF;AAED,MAAM,UAAU,GAAG,CAAE,IAAc;IACjC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,GAAG,EAAE,CAAA;AAClC,CAAC"}

package/dist/src/pb/index.d.ts

@@ -0,0 +1,21 @@
+import { type Codec } from 'protons-runtime';
+import type { Uint8ArrayList } from 'uint8arraylist';
+export declare enum KeyType {
+    RSA = "RSA",
+    Ed25519 = "Ed25519",
+    Secp256k1 = "Secp256k1",
+    ECDSA = "ECDSA"
+}
+export declare namespace KeyType {
+    const codec: () => Codec<KeyType>;
+}
+export interface PublicKey {
+    type?: KeyType;
+    data?: Uint8Array;
+}
+export declare namespace PublicKey {
+    const codec: () => Codec<PublicKey>;
+    const encode: (obj: Partial<PublicKey>) => Uint8Array;
+    const decode: (buf: Uint8Array | Uint8ArrayList) => PublicKey;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/src/pb/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/pb/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,KAAK,EAAsD,MAAM,iBAAiB,CAAA;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAA;AAEpD,oBAAY,OAAO;IACjB,GAAG,QAAQ;IACX,OAAO,YAAY;IACnB,SAAS,cAAc;IACvB,KAAK,UAAU;CAChB;AASD,yBAAiB,OAAO,CAAC;IAChB,MAAM,KAAK,QAAO,MAAM,OAAO,CAErC,CAAA;CACF;AACD,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,OAAO,CAAA;IACd,IAAI,CAAC,EAAE,UAAU,CAAA;CAClB;AAED,yBAAiB,SAAS,CAAC;IAGlB,MAAM,KAAK,QAAO,MAAM,SAAS,CAiDvC,CAAA;IAEM,MAAM,MAAM,QAAS,QAAQ,SAAS,CAAC,KAAG,UAEhD,CAAA;IAEM,MAAM,MAAM,QAAS,UAAU,GAAG,cAAc,KAAG,SAEzD,CAAA;CACF"}

package/dist/src/pb/index.js

@@ -0,0 +1,78 @@
+/* eslint-disable import/export */
+/* eslint-disable complexity */
+/* eslint-disable @typescript-eslint/no-namespace */
+/* eslint-disable @typescript-eslint/no-unnecessary-boolean-literal-compare */
+/* eslint-disable @typescript-eslint/no-empty-interface */
+import { decodeMessage, encodeMessage, enumeration, message } from 'protons-runtime';
+export var KeyType;
+(function (KeyType) {
+    KeyType["RSA"] = "RSA";
+    KeyType["Ed25519"] = "Ed25519";
+    KeyType["Secp256k1"] = "Secp256k1";
+    KeyType["ECDSA"] = "ECDSA";
+})(KeyType || (KeyType = {}));
+var __KeyTypeValues;
+(function (__KeyTypeValues) {
+    __KeyTypeValues[__KeyTypeValues["RSA"] = 0] = "RSA";
+    __KeyTypeValues[__KeyTypeValues["Ed25519"] = 1] = "Ed25519";
+    __KeyTypeValues[__KeyTypeValues["Secp256k1"] = 2] = "Secp256k1";
+    __KeyTypeValues[__KeyTypeValues["ECDSA"] = 3] = "ECDSA";
+})(__KeyTypeValues || (__KeyTypeValues = {}));
+(function (KeyType) {
+    KeyType.codec = () => {
+        return enumeration(__KeyTypeValues);
+    };
+})(KeyType || (KeyType = {}));
+export var PublicKey;
+(function (PublicKey) {
+    let _codec;
+    PublicKey.codec = () => {
+        if (_codec == null) {
+            _codec = message((obj, w, opts = {}) => {
+                if (opts.lengthDelimited !== false) {
+                    w.fork();
+                }
+                if (obj.type != null) {
+                    w.uint32(8);
+                    KeyType.codec().encode(obj.type, w);
+                }
+                if (obj.data != null) {
+                    w.uint32(18);
+                    w.bytes(obj.data);
+                }
+                if (opts.lengthDelimited !== false) {
+                    w.ldelim();
+                }
+            }, (reader, length) => {
+                const obj = {};
+                const end = length == null ? reader.len : reader.pos + length;
+                while (reader.pos < end) {
+                    const tag = reader.uint32();
+                    switch (tag >>> 3) {
+                        case 1: {
+                            obj.type = KeyType.codec().decode(reader);
+                            break;
+                        }
+                        case 2: {
+                            obj.data = reader.bytes();
+                            break;
+                        }
+                        default: {
+                            reader.skipType(tag & 7);
+                            break;
+                        }
+                    }
+                }
+                return obj;
+            });
+        }
+        return _codec;
+    };
+    PublicKey.encode = (obj) => {
+        return encodeMessage(obj, PublicKey.codec());
+    };
+    PublicKey.decode = (buf) => {
+        return decodeMessage(buf, PublicKey.codec());
+    };
+})(PublicKey || (PublicKey = {}));
+//# sourceMappingURL=index.js.map

package/dist/src/pb/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/pb/index.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,+BAA+B;AAC/B,oDAAoD;AACpD,8EAA8E;AAC9E,0DAA0D;AAE1D,OAAO,EAAc,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAA;AAGhG,MAAM,CAAN,IAAY,OAKX;AALD,WAAY,OAAO;IACjB,sBAAW,CAAA;IACX,8BAAmB,CAAA;IACnB,kCAAuB,CAAA;IACvB,0BAAe,CAAA;AACjB,CAAC,EALW,OAAO,KAAP,OAAO,QAKlB;AAED,IAAK,eAKJ;AALD,WAAK,eAAe;IAClB,mDAAO,CAAA;IACP,2DAAW,CAAA;IACX,+DAAa,CAAA;IACb,uDAAS,CAAA;AACX,CAAC,EALI,eAAe,KAAf,eAAe,QAKnB;AAED,WAAiB,OAAO;IACT,aAAK,GAAG,GAAmB,EAAE;QACxC,OAAO,WAAW,CAAU,eAAe,CAAC,CAAA;IAC9C,CAAC,CAAA;AACH,CAAC,EAJgB,OAAO,KAAP,OAAO,QAIvB;AAMD,MAAM,KAAW,SAAS,CA6DzB;AA7DD,WAAiB,SAAS;IACxB,IAAI,MAAwB,CAAA;IAEf,eAAK,GAAG,GAAqB,EAAE;QAC1C,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;YACnB,MAAM,GAAG,OAAO,CAAY,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,GAAG,EAAE,EAAE,EAAE;gBAChD,IAAI,IAAI,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;oBACnC,CAAC,CAAC,IAAI,EAAE,CAAA;gBACV,CAAC;gBAED,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;oBACrB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;oBACX,OAAO,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;gBACrC,CAAC;gBAED,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;oBACrB,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;oBACZ,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;gBACnB,CAAC;gBAED,IAAI,IAAI,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;oBACnC,CAAC,CAAC,MAAM,EAAE,CAAA;gBACZ,CAAC;YACH,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE;gBACpB,MAAM,GAAG,GAAQ,EAAE,CAAA;gBAEnB,MAAM,GAAG,GAAG,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,MAAM,CAAA;gBAE7D,OAAO,MAAM,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;oBACxB,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,CAAA;oBAE3B,QAAQ,GAAG,KAAK,CAAC,EAAE,CAAC;wBAClB,KAAK,CAAC,CAAC,CAAC,CAAC;4BACP,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;4BACzC,MAAK;wBACP,CAAC;wBACD,KAAK,CAAC,CAAC,CAAC,CAAC;4BACP,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,CAAA;4BACzB,MAAK;wBACP,CAAC;wBACD,OAAO,CAAC,CAAC,CAAC;4BACR,MAAM,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;4BACxB,MAAK;wBACP,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,OAAO,GAAG,CAAA;YACZ,CAAC,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC,CAAA;IAEY,gBAAM,GAAG,CAAC,GAAuB,EAAc,EAAE;QAC5D,OAAO,aAAa,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAA;IAC9C,CAAC,CAAA;IAEY,gBAAM,GAAG,CAAC,GAAgC,EAAa,EAAE;QACpE,OAAO,aAAa,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAA;IAC9C,CAAC,CAAA;AACH,CAAC,EA7DgB,SAAS,KAAT,SAAS,QA6DzB"}

package/dist/src/utils.d.ts

@@ -0,0 +1,11 @@
+import type { PeerId } from '@libp2p/interface';
+export declare function verifyPeerCertificate(rawCertificate: Uint8Array): Promise<PeerId>;
+export declare function generateCertificate(peerId: PeerId): Promise<{
+    cert: string;
+    key: string;
+}>;
+/**
+ * @see https://github.com/libp2p/specs/blob/master/tls/tls.md#libp2p-public-key-extension
+ */
+export declare function encodeSignatureData(certPublicKey: ArrayBuffer): Uint8Array;
+//# sourceMappingURL=utils.d.ts.map

package/dist/src/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,MAAM,EAAgC,MAAM,mBAAmB,CAAA;AAY7E,wBAAsB,qBAAqB,CAAE,cAAc,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAmDxF;AAED,wBAAsB,mBAAmB,CAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CA8EjG;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAE,aAAa,EAAE,WAAW,GAAG,UAAU,CAQ3E"}

package/dist/src/utils.js

@@ -0,0 +1,157 @@
+import { Ed25519PublicKey, Secp256k1PublicKey, marshalPublicKey, supportedKeys, unmarshalPrivateKey, unmarshalPublicKey } from '@libp2p/crypto/keys';
+import { CodeError, InvalidCryptoExchangeError } from '@libp2p/interface';
+import { peerIdFromKeys } from '@libp2p/peer-id';
+import { AsnConvert } from '@peculiar/asn1-schema';
+import * as asn1X509 from '@peculiar/asn1-x509';
+import { Crypto } from '@peculiar/webcrypto';
+import * as x509 from '@peculiar/x509';
+import * as asn1js from 'asn1js';
+import { concat as uint8ArrayConcat } from 'uint8arrays/concat';
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string';
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string';
+import { KeyType, PublicKey } from '../src/pb/index.js';
+const crypto = new Crypto();
+x509.cryptoProvider.set(crypto);
+const LIBP2P_PUBLIC_KEY_EXTENSION = '1.3.6.1.4.1.53594.1.1';
+const CERT_PREFIX = 'libp2p-tls-handshake:';
+// https://github.com/libp2p/go-libp2p/blob/28c0f6ab32cd69e4b18e9e4b550ef6ce059a9d1a/p2p/security/tls/crypto.go#L265
+const CERT_VALIDITY_PERIOD_FROM = 60 * 60 * 1000; // ~1 hour
+// https://github.com/libp2p/go-libp2p/blob/28c0f6ab32cd69e4b18e9e4b550ef6ce059a9d1a/p2p/security/tls/crypto.go#L24C28-L24C44
+const CERT_VALIDITY_PERIOD_TO = 100 * 365 * 24 * 60 * 60 * 1000; // ~100 years
+export async function verifyPeerCertificate(rawCertificate) {
+    const now = Date.now();
+    const x509Cert = new x509.X509Certificate(rawCertificate);
+    if (x509Cert.notBefore.getTime() > now) {
+        throw new CodeError('The certificate is not valid yet', 'ERR_INVALID_CERTIFICATE');
+    }
+    if (x509Cert.notAfter.getTime() < now) {
+        throw new CodeError('The certificate has expired', 'ERR_INVALID_CERTIFICATE');
+    }
+    // TODO: assert chain is only one certificate long
+    const libp2pPublicKeyExtension = x509Cert.extensions[0];
+    if (libp2pPublicKeyExtension == null || libp2pPublicKeyExtension.type !== LIBP2P_PUBLIC_KEY_EXTENSION) {
+        throw new CodeError('The certificate did not include the libp2p public key extension', 'ERR_INVALID_CERTIFICATE');
+    }
+    const { result: libp2pKeySequence } = asn1js.fromBER(libp2pPublicKeyExtension.value);
+    // @ts-expect-error deep chain
+    const remotePeerIdPb = libp2pKeySequence.valueBlock.value[0].valueBlock.valueHex;
+    const marshalledPeerId = new Uint8Array(remotePeerIdPb, 0, remotePeerIdPb.byteLength);
+    const remotePeerId = PublicKey.decode(marshalledPeerId);
+    const remotePeerIdData = remotePeerId.data ?? new Uint8Array(0);
+    let remotePublicKey;
+    if (remotePeerId.type === KeyType.Ed25519) {
+        remotePublicKey = new Ed25519PublicKey(remotePeerIdData);
+    }
+    else if (remotePeerId.type === KeyType.Secp256k1) {
+        remotePublicKey = new Secp256k1PublicKey(remotePeerIdData);
+    }
+    else if (remotePeerId.type === KeyType.RSA) {
+        remotePublicKey = supportedKeys.rsa.unmarshalRsaPublicKey(remotePeerIdData);
+    }
+    else {
+        throw new Error('Unknown or unsupported key type');
+    }
+    // @ts-expect-error deep chain
+    const remoteSignature = libp2pKeySequence.valueBlock.value[1].valueBlock.valueHex;
+    const dataToVerify = encodeSignatureData(x509Cert.publicKey.rawData);
+    const result = await remotePublicKey.verify(dataToVerify, new Uint8Array(remoteSignature, 0, remoteSignature.byteLength));
+    if (!result) {
+        throw new Error('Could not verify signature');
+    }
+    const marshalled = marshalPublicKey(remotePublicKey);
+    return peerIdFromKeys(marshalled);
+}
+export async function generateCertificate(peerId) {
+    const now = Date.now();
+    const alg = {
+        name: 'ECDSA',
+        namedCurve: 'P-256',
+        hash: 'SHA-256'
+    };
+    const keys = await crypto.subtle.generateKey(alg, true, ['sign']);
+    const certPublicKeySpki = await crypto.subtle.exportKey('spki', keys.publicKey);
+    const dataToSign = encodeSignatureData(certPublicKeySpki);
+    if (peerId.privateKey == null) {
+        throw new InvalidCryptoExchangeError('Private key was missing from PeerId');
+    }
+    const privateKey = await unmarshalPrivateKey(peerId.privateKey);
+    const sig = await privateKey.sign(dataToSign);
+    let keyType;
+    let keyData;
+    if (peerId.publicKey == null) {
+        throw new CodeError('Public key missing from PeerId', 'ERR_INVALID_PEER_ID');
+    }
+    const publicKey = unmarshalPublicKey(peerId.publicKey);
+    if (peerId.type === 'Ed25519') {
+        // Ed25519: Only the 32 bytes of the public key
+        keyType = KeyType.Ed25519;
+        keyData = publicKey.marshal();
+    }
+    else if (peerId.type === 'secp256k1') {
+        // Secp256k1: Only the compressed form of the public key. 33 bytes.
+        keyType = KeyType.Secp256k1;
+        keyData = publicKey.marshal();
+    }
+    else if (peerId.type === 'RSA') {
+        // The rest of the keys are encoded as a SubjectPublicKeyInfo structure in PKIX, ASN.1 DER form.
+        keyType = KeyType.RSA;
+        keyData = publicKey.marshal();
+    }
+    else {
+        throw new CodeError('Unknown PeerId type', 'ERR_UNKNOWN_PEER_ID_TYPE');
+    }
+    const selfCert = await x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: uint8ArrayToString(crypto.getRandomValues(new Uint8Array(9)), 'base16'),
+        name: '',
+        notBefore: new Date(now - CERT_VALIDITY_PERIOD_FROM),
+        notAfter: new Date(now + CERT_VALIDITY_PERIOD_TO),
+        signingAlgorithm: alg,
+        keys,
+        extensions: [
+            new x509.Extension(LIBP2P_PUBLIC_KEY_EXTENSION, true, new asn1js.Sequence({
+                value: [
+                    // publicKey
+                    new asn1js.OctetString({
+                        valueHex: PublicKey.encode({
+                            type: keyType,
+                            data: keyData
+                        })
+                    }),
+                    // signature
+                    new asn1js.OctetString({
+                        valueHex: sig
+                    })
+                ]
+            }).toBER())
+        ]
+    });
+    const certPrivateKeySpki = await crypto.subtle.exportKey('spki', keys.privateKey);
+    return {
+        cert: selfCert.toString(),
+        key: spkiToPEM(certPrivateKeySpki)
+    };
+}
+/**
+ * @see https://github.com/libp2p/specs/blob/master/tls/tls.md#libp2p-public-key-extension
+ */
+export function encodeSignatureData(certPublicKey) {
+    const keyInfo = AsnConvert.parse(certPublicKey, asn1X509.SubjectPublicKeyInfo);
+    const bytes = AsnConvert.serialize(keyInfo);
+    return uint8ArrayConcat([
+        uint8ArrayFromString(CERT_PREFIX),
+        new Uint8Array(bytes, 0, bytes.byteLength)
+    ]);
+}
+function spkiToPEM(keydata) {
+    return formatAsPem(uint8ArrayToString(new Uint8Array(keydata), 'base64'));
+}
+function formatAsPem(str) {
+    let finalString = '-----BEGIN PRIVATE KEY-----\n';
+    while (str.length > 0) {
+        finalString += str.substring(0, 64) + '\n';
+        str = str.substring(64);
+    }
+    finalString = finalString + '-----END PRIVATE KEY-----';
+    return finalString;
+}
+//# sourceMappingURL=utils.js.map

package/dist/src/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AACpJ,OAAO,EAAE,SAAS,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAA;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAClD,OAAO,KAAK,QAAQ,MAAM,qBAAqB,CAAA;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5C,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAA;AACtC,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAA;AAChC,OAAO,EAAE,MAAM,IAAI,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAC/D,OAAO,EAAE,UAAU,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAA;AAC5E,OAAO,EAAE,QAAQ,IAAI,kBAAkB,EAAE,MAAM,uBAAuB,CAAA;AACtE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAGvD,MAAM,MAAM,GAAG,IAAI,MAAM,EAAE,CAAA;AAC3B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;AAE/B,MAAM,2BAA2B,GAAG,uBAAuB,CAAA;AAC3D,MAAM,WAAW,GAAG,uBAAuB,CAAA;AAC3C,oHAAoH;AACpH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,UAAU;AAC3D,6HAA6H;AAC7H,MAAM,uBAAuB,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,aAAa;AAE7E,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAE,cAA0B;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAA;IAEzD,IAAI,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,kCAAkC,EAAE,yBAAyB,CAAC,CAAA;IACpF,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;QACtC,MAAM,IAAI,SAAS,CAAC,6BAA6B,EAAE,yBAAyB,CAAC,CAAA;IAC/E,CAAC;IAED,kDAAkD;IAElD,MAAM,wBAAwB,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IAEvD,IAAI,wBAAwB,IAAI,IAAI,IAAI,wBAAwB,CAAC,IAAI,KAAK,2BAA2B,EAAE,CAAC;QACtG,MAAM,IAAI,SAAS,CAAC,iEAAiE,EAAE,yBAAyB,CAAC,CAAA;IACnH,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAA;IAEpF,8BAA8B;IAC9B,MAAM,cAAc,GAAG,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAA;IAChF,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC,EAAE,cAAc,CAAC,UAAU,CAAC,CAAA;IACrF,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;IACvD,MAAM,gBAAgB,GAAG,YAAY,CAAC,IAAI,IAAI,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC/D,IAAI,eAAgC,CAAA;IAEpC,IAAI,YAAY,CAAC,IAAI,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC;QAC1C,eAAe,GAAG,IAAI,gBAAgB,CAAC,gBAAgB,CAAC,CAAA;IAC1D,CAAC;SAAM,IAAI,YAAY,CAAC,IAAI,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;QACnD,eAAe,GAAG,IAAI,kBAAkB,CAAC,gBAAgB,CAAC,CAAA;IAC5D,CAAC;SAAM,IAAI,YAAY,CAAC,IAAI,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7C,eAAe,GAAG,aAAa,CAAC,GAAG,CAAC,qBAAqB,CAAC,gBAAgB,CAAC,CAAA;IAC7E,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;IACpD,CAAC;IAED,8BAA8B;IAC9B,MAAM,eAAe,GAAG,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAA;IACjF,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACpE,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC,CAAA;IAEzH,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAA;IAC/C,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAA;IAEpD,OAAO,cAAc,CAAC,UAAU,CAAC,CAAA;AACnC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAE,MAAc;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEtB,MAAM,GAAG,GAAG;QACV,IAAI,EAAE,OAAO;QACb,UAAU,EAAE,OAAO;QACnB,IAAI,EAAE,SAAS;KAChB,CAAA;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;IAEjE,MAAM,iBAAiB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;IAC/E,MAAM,UAAU,GAAG,mBAAmB,CAAC,iBAAiB,CAAC,CAAA;IAEzD,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,0BAA0B,CAAC,qCAAqC,CAAC,CAAA;IAC7E,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IAC/D,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAE7C,IAAI,OAAgB,CAAA;IACpB,IAAI,OAAmB,CAAA;IAEvB,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,gCAAgC,EAAE,qBAAqB,CAAC,CAAA;IAC9E,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;IAEtD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,+CAA+C;QAC/C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;QACzB,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAA;IAC/B,CAAC;SAAM,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACvC,mEAAmE;QACnE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAA;QAC3B,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAA;IAC/B,CAAC;SAAM,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACjC,gGAAgG;QAChG,OAAO,GAAG,OAAO,CAAC,GAAG,CAAA;QACrB,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,CAAA;IAC/B,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,SAAS,CAAC,qBAAqB,EAAE,0BAA0B,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAAC;QACpE,YAAY,EAAE,kBAAkB,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC;QACrF,IAAI,EAAE,EAAE;QACR,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,yBAAyB,CAAC;QACpD,QAAQ,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,uBAAuB,CAAC;QACjD,gBAAgB,EAAE,GAAG;QACrB,IAAI;QACJ,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,SAAS,CAAC,2BAA2B,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,QAAQ,CAAC;gBACxE,KAAK,EAAE;oBACL,YAAY;oBACZ,IAAI,MAAM,CAAC,WAAW,CAAC;wBACrB,QAAQ,EAAE,SAAS,CAAC,MAAM,CAAC;4BACzB,IAAI,EAAE,OAAO;4BACb,IAAI,EAAE,OAAO;yBACd,CAAC;qBACH,CAAC;oBACF,YAAY;oBACZ,IAAI,MAAM,CAAC,WAAW,CAAC;wBACrB,QAAQ,EAAE,GAAG;qBACd,CAAC;iBACH;aACF,CAAC,CAAC,KAAK,EAAE,CAAC;SACZ;KACF,CAAC,CAAA;IAEF,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAEjF,OAAO;QACL,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE;QACzB,GAAG,EAAE,SAAS,CAAC,kBAAkB,CAAC;KACnC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAE,aAA0B;IAC7D,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,aAAa,EAAE,QAAQ,CAAC,oBAAoB,CAAC,CAAA;IAC9E,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IAE3C,OAAO,gBAAgB,CAAC;QACtB,oBAAoB,CAAC,WAAW,CAAC;QACjC,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC;KAC3C,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,SAAS,CAAE,OAAoB;IACtC,OAAO,WAAW,CAAC,kBAAkB,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAA;AAC3E,CAAC;AAED,SAAS,WAAW,CAAE,GAAW;IAC/B,IAAI,WAAW,GAAG,+BAA+B,CAAA;IAEjD,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,WAAW,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAA;QAC1C,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;IACzB,CAAC;IAED,WAAW,GAAG,WAAW,GAAG,2BAA2B,CAAA;IAEvD,OAAO,WAAW,CAAA;AACpB,CAAC"}

package/dist/typedoc-urls.json

@@ -0,0 +1,8 @@
+{
+  "TLSComponents": "https://libp2p.github.io/js-libp2p/interfaces/_libp2p_tls.TLSComponents.html",
+  ".:TLSComponents": "https://libp2p.github.io/js-libp2p/interfaces/_libp2p_tls.TLSComponents.html",
+  "TLSInit": "https://libp2p.github.io/js-libp2p/interfaces/_libp2p_tls.TLSInit.html",
+  ".:TLSInit": "https://libp2p.github.io/js-libp2p/interfaces/_libp2p_tls.TLSInit.html",
+  "tls": "https://libp2p.github.io/js-libp2p/functions/_libp2p_tls.tls.html",
+  ".:tls": "https://libp2p.github.io/js-libp2p/functions/_libp2p_tls.tls.html"
+}

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "@libp2p/tls",
+  "version": "0.0.0",
+  "description": "A connection encrypter that uses TLS 1.3",
+  "license": "Apache-2.0 OR MIT",
+  "homepage": "https://github.com/libp2p/js-libp2p/tree/main/packages/connection-encrypter-tls#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/libp2p/js-libp2p.git"
+  },
+  "bugs": {
+    "url": "https://github.com/libp2p/js-libp2p/issues"
+  },
+  "type": "module",
+  "types": "./dist/src/index.d.ts",
+  "files": [
+    "src",
+    "dist",
+    "!dist/test",
+    "!**/*.tsbuildinfo"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/src/index.d.ts",
+      "import": "./dist/src/index.js"
+    }
+  },
+  "eslintConfig": {
+    "extends": "ipfs",
+    "parserOptions": {
+      "project": true,
+      "sourceType": "module"
+    }
+  },
+  "scripts": {
+    "start": "node dist/src/main.js",
+    "build": "aegir build --bundle false",
+    "test": "aegir test -t node",
+    "clean": "aegir clean",
+    "generate": "protons ./src/pb/index.proto",
+    "lint": "aegir lint",
+    "test:node": "aegir test -t node --cov",
+    "dep-check": "aegir dep-check"
+  },
+  "dependencies": {
+    "@libp2p/crypto": "^4.0.1",
+    "@libp2p/interface": "^1.1.2",
+    "@libp2p/peer-id": "^4.0.5",
+    "@peculiar/asn1-schema": "^2.3.8",
+    "@peculiar/asn1-x509": "^2.3.8",
+    "@peculiar/webcrypto": "^1.4.5",
+    "@peculiar/x509": "^1.9.6",
+    "asn1js": "^3.0.5",
+    "it-stream-types": "^2.0.1",
+    "it-to-stream": "^1.0.0",
+    "protons-runtime": "^5.0.0",
+    "stream-to-it": "^0.2.4",
+    "uint8arraylist": "^2.4.7",
+    "uint8arrays": "^5.0.1"
+  },
+  "devDependencies": {
+    "@libp2p/interface-compliance-tests": "^5.2.0",
+    "@libp2p/logger": "^4.0.5",
+    "@libp2p/peer-id-factory": "^4.0.5",
+    "@multiformats/multiaddr": "^12.1.10",
+    "aegir": "^42.0.0",
+    "protons": "^7.3.0",
+    "sinon": "^17.0.1"
+  },
+  "sideEffects": false
+}

package/src/index.ts

@@ -0,0 +1,125 @@
+/**
+ * @packageDocumentation
+ *
+ * Implements the spec at https://github.com/libp2p/specs/blob/master/tls/tls.md
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { tls } from '@libp2p/tls'
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionEncryption: [
+ *     tls()
+ *   ]
+ * })
+ * ```
+ */
+
+import { TLSSocket, type TLSSocketOptions, connect } from 'node:tls'
+import { UnexpectedPeerError } from '@libp2p/interface'
+// @ts-expect-error no types
+import itToStream from 'it-to-stream'
+// @ts-expect-error no types
+import streamToIt from 'stream-to-it'
+import { generateCertificate, verifyPeerCertificate } from './utils.js'
+import type { ComponentLogger, MultiaddrConnection, ConnectionEncrypter, SecuredConnection, PeerId } from '@libp2p/interface'
+import type { Duplex } from 'it-stream-types'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+const PROTOCOL = '/tls/1.0.0'
+
+export interface TLSComponents {
+  logger: ComponentLogger
+}
+
+export interface TLSInit {
+  /**
+   * The peer id exchange must complete within this many milliseconds
+   * (default: 1000)
+   */
+  timeout?: number
+}
+
+class TLS implements ConnectionEncrypter {
+  public protocol: string = PROTOCOL
+  // private readonly log: Logger
+  // private readonly timeout: number
+
+  // constructor (components: TLSComponents, init: TLSInit = {}) {
+  //   this.log = components.logger.forComponent('libp2p:tls')
+  //   this.timeout = init.timeout ?? 1000
+  // }
+
+  async secureInbound <Stream extends Duplex<AsyncGenerator<Uint8Array | Uint8ArrayList>> = MultiaddrConnection> (localId: PeerId, conn: Stream, remoteId?: PeerId): Promise<SecuredConnection<Stream>> {
+    return this._encrypt(localId, conn, false, remoteId)
+  }
+
+  async secureOutbound <Stream extends Duplex<AsyncGenerator<Uint8Array | Uint8ArrayList>> = MultiaddrConnection> (localId: PeerId, conn: Stream, remoteId?: PeerId): Promise<SecuredConnection<Stream>> {
+    return this._encrypt(localId, conn, true, remoteId)
+  }
+
+  /**
+   * Encrypt connection
+   */
+  async _encrypt <Stream extends Duplex<AsyncGenerator<Uint8Array | Uint8ArrayList>> = MultiaddrConnection> (localId: PeerId, conn: Stream, isServer: boolean, remoteId?: PeerId): Promise<SecuredConnection<Stream>> {
+    const opts: TLSSocketOptions = {
+      ...await generateCertificate(localId),
+      isServer,
+      requestCert: true,
+      // accept self-signed certificates from clients
+      rejectUnauthorized: false,
+      // require TLS 1.3 or later
+      minVersion: 'TLSv1.3'
+    }
+
+    let socket: TLSSocket
+
+    if (isServer) {
+      socket = new TLSSocket(itToStream.duplex(conn), opts)
+    } else {
+      socket = connect({
+        socket: itToStream.duplex(conn),
+        ...opts
+      })
+    }
+
+    return new Promise((resolve, reject) => {
+      function verifyRemote (): void {
+        const remote = socket.getPeerCertificate()
+
+        verifyPeerCertificate(remote.raw)
+          .then(remotePeer => {
+            if (remoteId?.equals(remotePeer) === false) {
+              throw new UnexpectedPeerError()
+            }
+
+            const outputStream = streamToIt.duplex(socket)
+            conn.source = outputStream.source
+            conn.sink = outputStream.sink
+
+            resolve({
+              remotePeer,
+              conn
+            })
+          })
+          .catch(err => {
+            reject(err)
+          })
+      }
+
+      socket.on('error', err => {
+        reject(err)
+      })
+      socket.on('secure', (evt) => {
+        verifyRemote()
+      })
+    })
+  }
+}
+
+export function tls (init?: TLSInit): (components: TLSComponents) => ConnectionEncrypter {
+  return (components) => new TLS()
+}

package/src/pb/index.proto

@@ -0,0 +1,13 @@
+syntax = "proto3";
+
+enum KeyType {
+  RSA = 0;
+  Ed25519 = 1;
+  Secp256k1 = 2;
+  ECDSA = 3;
+}
+
+message PublicKey {
+  optional KeyType type = 1;
+  optional bytes data = 2;
+}

package/src/pb/index.ts

@@ -0,0 +1,95 @@
+/* eslint-disable import/export */
+/* eslint-disable complexity */
+/* eslint-disable @typescript-eslint/no-namespace */
+/* eslint-disable @typescript-eslint/no-unnecessary-boolean-literal-compare */
+/* eslint-disable @typescript-eslint/no-empty-interface */
+
+import { type Codec, decodeMessage, encodeMessage, enumeration, message } from 'protons-runtime'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+export enum KeyType {
+  RSA = 'RSA',
+  Ed25519 = 'Ed25519',
+  Secp256k1 = 'Secp256k1',
+  ECDSA = 'ECDSA'
+}
+
+enum __KeyTypeValues {
+  RSA = 0,
+  Ed25519 = 1,
+  Secp256k1 = 2,
+  ECDSA = 3
+}
+
+export namespace KeyType {
+  export const codec = (): Codec<KeyType> => {
+    return enumeration<KeyType>(__KeyTypeValues)
+  }
+}
+export interface PublicKey {
+  type?: KeyType
+  data?: Uint8Array
+}
+
+export namespace PublicKey {
+  let _codec: Codec<PublicKey>
+
+  export const codec = (): Codec<PublicKey> => {
+    if (_codec == null) {
+      _codec = message<PublicKey>((obj, w, opts = {}) => {
+        if (opts.lengthDelimited !== false) {
+          w.fork()
+        }
+
+        if (obj.type != null) {
+          w.uint32(8)
+          KeyType.codec().encode(obj.type, w)
+        }
+
+        if (obj.data != null) {
+          w.uint32(18)
+          w.bytes(obj.data)
+        }
+
+        if (opts.lengthDelimited !== false) {
+          w.ldelim()
+        }
+      }, (reader, length) => {
+        const obj: any = {}
+
+        const end = length == null ? reader.len : reader.pos + length
+
+        while (reader.pos < end) {
+          const tag = reader.uint32()
+
+          switch (tag >>> 3) {
+            case 1: {
+              obj.type = KeyType.codec().decode(reader)
+              break
+            }
+            case 2: {
+              obj.data = reader.bytes()
+              break
+            }
+            default: {
+              reader.skipType(tag & 7)
+              break
+            }
+          }
+        }
+
+        return obj
+      })
+    }
+
+    return _codec
+  }
+
+  export const encode = (obj: Partial<PublicKey>): Uint8Array => {
+    return encodeMessage(obj, PublicKey.codec())
+  }
+
+  export const decode = (buf: Uint8Array | Uint8ArrayList): PublicKey => {
+    return decodeMessage(buf, PublicKey.codec())
+  }
+}

package/src/utils.ts

@@ -0,0 +1,186 @@
+import { Ed25519PublicKey, Secp256k1PublicKey, marshalPublicKey, supportedKeys, unmarshalPrivateKey, unmarshalPublicKey } from '@libp2p/crypto/keys'
+import { CodeError, InvalidCryptoExchangeError } from '@libp2p/interface'
+import { peerIdFromKeys } from '@libp2p/peer-id'
+import { AsnConvert } from '@peculiar/asn1-schema'
+import * as asn1X509 from '@peculiar/asn1-x509'
+import { Crypto } from '@peculiar/webcrypto'
+import * as x509 from '@peculiar/x509'
+import * as asn1js from 'asn1js'
+import { concat as uint8ArrayConcat } from 'uint8arrays/concat'
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string'
+import { KeyType, PublicKey } from '../src/pb/index.js'
+import type { PeerId, PublicKey as Libp2pPublicKey } from '@libp2p/interface'
+
+const crypto = new Crypto()
+x509.cryptoProvider.set(crypto)
+
+const LIBP2P_PUBLIC_KEY_EXTENSION = '1.3.6.1.4.1.53594.1.1'
+const CERT_PREFIX = 'libp2p-tls-handshake:'
+// https://github.com/libp2p/go-libp2p/blob/28c0f6ab32cd69e4b18e9e4b550ef6ce059a9d1a/p2p/security/tls/crypto.go#L265
+const CERT_VALIDITY_PERIOD_FROM = 60 * 60 * 1000 // ~1 hour
+// https://github.com/libp2p/go-libp2p/blob/28c0f6ab32cd69e4b18e9e4b550ef6ce059a9d1a/p2p/security/tls/crypto.go#L24C28-L24C44
+const CERT_VALIDITY_PERIOD_TO = 100 * 365 * 24 * 60 * 60 * 1000 // ~100 years
+
+export async function verifyPeerCertificate (rawCertificate: Uint8Array): Promise<PeerId> {
+  const now = Date.now()
+  const x509Cert = new x509.X509Certificate(rawCertificate)
+
+  if (x509Cert.notBefore.getTime() > now) {
+    throw new CodeError('The certificate is not valid yet', 'ERR_INVALID_CERTIFICATE')
+  }
+
+  if (x509Cert.notAfter.getTime() < now) {
+    throw new CodeError('The certificate has expired', 'ERR_INVALID_CERTIFICATE')
+  }
+
+  // TODO: assert chain is only one certificate long
+
+  const libp2pPublicKeyExtension = x509Cert.extensions[0]
+
+  if (libp2pPublicKeyExtension == null || libp2pPublicKeyExtension.type !== LIBP2P_PUBLIC_KEY_EXTENSION) {
+    throw new CodeError('The certificate did not include the libp2p public key extension', 'ERR_INVALID_CERTIFICATE')
+  }
+
+  const { result: libp2pKeySequence } = asn1js.fromBER(libp2pPublicKeyExtension.value)
+
+  // @ts-expect-error deep chain
+  const remotePeerIdPb = libp2pKeySequence.valueBlock.value[0].valueBlock.valueHex
+  const marshalledPeerId = new Uint8Array(remotePeerIdPb, 0, remotePeerIdPb.byteLength)
+  const remotePeerId = PublicKey.decode(marshalledPeerId)
+  const remotePeerIdData = remotePeerId.data ?? new Uint8Array(0)
+  let remotePublicKey: Libp2pPublicKey
+
+  if (remotePeerId.type === KeyType.Ed25519) {
+    remotePublicKey = new Ed25519PublicKey(remotePeerIdData)
+  } else if (remotePeerId.type === KeyType.Secp256k1) {
+    remotePublicKey = new Secp256k1PublicKey(remotePeerIdData)
+  } else if (remotePeerId.type === KeyType.RSA) {
+    remotePublicKey = supportedKeys.rsa.unmarshalRsaPublicKey(remotePeerIdData)
+  } else {
+    throw new Error('Unknown or unsupported key type')
+  }
+
+  // @ts-expect-error deep chain
+  const remoteSignature = libp2pKeySequence.valueBlock.value[1].valueBlock.valueHex
+  const dataToVerify = encodeSignatureData(x509Cert.publicKey.rawData)
+  const result = await remotePublicKey.verify(dataToVerify, new Uint8Array(remoteSignature, 0, remoteSignature.byteLength))
+
+  if (!result) {
+    throw new Error('Could not verify signature')
+  }
+
+  const marshalled = marshalPublicKey(remotePublicKey)
+
+  return peerIdFromKeys(marshalled)
+}
+
+export async function generateCertificate (peerId: PeerId): Promise<{ cert: string, key: string }> {
+  const now = Date.now()
+
+  const alg = {
+    name: 'ECDSA',
+    namedCurve: 'P-256',
+    hash: 'SHA-256'
+  }
+
+  const keys = await crypto.subtle.generateKey(alg, true, ['sign'])
+
+  const certPublicKeySpki = await crypto.subtle.exportKey('spki', keys.publicKey)
+  const dataToSign = encodeSignatureData(certPublicKeySpki)
+
+  if (peerId.privateKey == null) {
+    throw new InvalidCryptoExchangeError('Private key was missing from PeerId')
+  }
+
+  const privateKey = await unmarshalPrivateKey(peerId.privateKey)
+  const sig = await privateKey.sign(dataToSign)
+
+  let keyType: KeyType
+  let keyData: Uint8Array
+
+  if (peerId.publicKey == null) {
+    throw new CodeError('Public key missing from PeerId', 'ERR_INVALID_PEER_ID')
+  }
+
+  const publicKey = unmarshalPublicKey(peerId.publicKey)
+
+  if (peerId.type === 'Ed25519') {
+    // Ed25519: Only the 32 bytes of the public key
+    keyType = KeyType.Ed25519
+    keyData = publicKey.marshal()
+  } else if (peerId.type === 'secp256k1') {
+    // Secp256k1: Only the compressed form of the public key. 33 bytes.
+    keyType = KeyType.Secp256k1
+    keyData = publicKey.marshal()
+  } else if (peerId.type === 'RSA') {
+    // The rest of the keys are encoded as a SubjectPublicKeyInfo structure in PKIX, ASN.1 DER form.
+    keyType = KeyType.RSA
+    keyData = publicKey.marshal()
+  } else {
+    throw new CodeError('Unknown PeerId type', 'ERR_UNKNOWN_PEER_ID_TYPE')
+  }
+
+  const selfCert = await x509.X509CertificateGenerator.createSelfSigned({
+    serialNumber: uint8ArrayToString(crypto.getRandomValues(new Uint8Array(9)), 'base16'),
+    name: '',
+    notBefore: new Date(now - CERT_VALIDITY_PERIOD_FROM),
+    notAfter: new Date(now + CERT_VALIDITY_PERIOD_TO),
+    signingAlgorithm: alg,
+    keys,
+    extensions: [
+      new x509.Extension(LIBP2P_PUBLIC_KEY_EXTENSION, true, new asn1js.Sequence({
+        value: [
+          // publicKey
+          new asn1js.OctetString({
+            valueHex: PublicKey.encode({
+              type: keyType,
+              data: keyData
+            })
+          }),
+          // signature
+          new asn1js.OctetString({
+            valueHex: sig
+          })
+        ]
+      }).toBER())
+    ]
+  })
+
+  const certPrivateKeySpki = await crypto.subtle.exportKey('spki', keys.privateKey)
+
+  return {
+    cert: selfCert.toString(),
+    key: spkiToPEM(certPrivateKeySpki)
+  }
+}
+
+/**
+ * @see https://github.com/libp2p/specs/blob/master/tls/tls.md#libp2p-public-key-extension
+ */
+export function encodeSignatureData (certPublicKey: ArrayBuffer): Uint8Array {
+  const keyInfo = AsnConvert.parse(certPublicKey, asn1X509.SubjectPublicKeyInfo)
+  const bytes = AsnConvert.serialize(keyInfo)
+
+  return uint8ArrayConcat([
+    uint8ArrayFromString(CERT_PREFIX),
+    new Uint8Array(bytes, 0, bytes.byteLength)
+  ])
+}
+
+function spkiToPEM (keydata: ArrayBuffer): string {
+  return formatAsPem(uint8ArrayToString(new Uint8Array(keydata), 'base64'))
+}
+
+function formatAsPem (str: string): string {
+  let finalString = '-----BEGIN PRIVATE KEY-----\n'
+
+  while (str.length > 0) {
+    finalString += str.substring(0, 64) + '\n'
+    str = str.substring(64)
+  }
+
+  finalString = finalString + '-----END PRIVATE KEY-----'
+
+  return finalString
+}