Remove dependency on OpenSSL (#8768)

https://github.com/sigp/lighthouse/issues/8756 Only the Web3Signer actually needs OpenSSL in order to parse PKCS12 certificates. This updates the function to instead manually parse the cert (using the `p12-keystore` crate) and converts it to a `PEM` certificate (using the `pem` crate) which can be directly converted to a `reqwest::tls::Identity` as this can be done directly in `rustls`. Co-Authored-By: Mac L <mjladson@pm.me>
2026-03-14 10:22:38 +00:00 · 2026-02-10 06:10:48 +04:00
parent 0c9f97f015
commit 286b67f048
8 changed files with 173 additions and 138 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1481,6 +1481,15 @@ dependencies = [
 "generic-array",
 ]

+[[package]]
+name = "block-padding"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "block2"
 version = "0.6.2"
@@ -1694,6 +1703,15 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"

+[[package]]
+name = "cbc"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "cc"
 version = "1.2.49"
@@ -1923,6 +1941,18 @@ dependencies = [
 "cc",
 ]

+[[package]]
+name = "cms"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b77c319abfd5219629c45c34c89ba945ed3c5e49fcde9d16b6c3885f118a730"
+dependencies = [
+ "const-oid",
+ "der",
+ "spki",
+ "x509-cert",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.4"
@@ -2492,6 +2522,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
 "const-oid",
+ "der_derive",
+ "flagset",
+ "pem-rfc7468",
 "zeroize",
 ]

@@ -2509,6 +2542,17 @@ dependencies = [
 "rusticata-macros",
 ]

+[[package]]
+name = "der_derive"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.111",
+]
+
 [[package]]
 name = "deranged"
 version = "0.5.5"
@@ -2577,6 +2621,15 @@ dependencies = [
 "unicode-xid",
 ]

+[[package]]
+name = "des"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "digest"
 version = "0.9.0"
@@ -3486,6 +3539,12 @@ dependencies = [
 "safe_arith",
 ]

+[[package]]
+name = "flagset"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7ac824320a75a52197e8f2d787f6a38b6718bb6897a35142d749af3c0e8f4fe"
+
 [[package]]
 name = "flate2"
 version = "1.1.5"
@@ -3516,21 +3575,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"

-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared",
-]
-
-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "fork_choice"
 version = "0.1.0"
@@ -4307,22 +4351,6 @@ dependencies = [
 "tower-service",
 ]

-[[package]]
-name = "hyper-tls"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
-dependencies = [
- "bytes",
- "http-body-util",
- "hyper 1.8.1",
- "hyper-util",
- "native-tls",
- "tokio",
- "tokio-native-tls",
- "tower-service",
-]
-
 [[package]]
 name = "hyper-util"
 version = "0.1.19"
@@ -4598,7 +4626,9 @@ dependencies = [
 "filesystem",
 "lockfile",
 "metrics",
+ "p12-keystore",
 "parking_lot",
+ "pem",
 "rand 0.9.2",
 "reqwest",
 "serde",
@@ -4619,6 +4649,7 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
 dependencies = [
+ "block-padding",
 "generic-array",
 ]

@@ -5949,23 +5980,6 @@ dependencies = [
 "unsigned-varint",
 ]

-[[package]]
-name = "native-tls"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework 2.11.1",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "netlink-packet-core"
 version = "0.7.0"
@@ -6350,60 +6364,12 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"

-[[package]]
-name = "openssl"
-version = "0.10.75"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
-dependencies = [
- "bitflags 2.10.0",
- "cfg-if",
- "foreign-types",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.111",
-]
-
 [[package]]
 name = "openssl-probe"
 version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"

-[[package]]
-name = "openssl-src"
-version = "300.5.4+3.5.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a507b3792995dae9b0df8a1c1e3771e8418b7c2d9f0baeba32e6fe8b06c7cb72"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "openssl-sys"
-version = "0.9.111"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
-dependencies = [
- "cc",
- "libc",
- "openssl-src",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "opentelemetry"
 version = "0.30.0"
@@ -6504,6 +6470,29 @@ dependencies = [
 "types",
 ]

+[[package]]
+name = "p12-keystore"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8d55319bae67f92141ce4da80c5392acd3d1323bd8312c1ffdfb018927d07d7"
+dependencies = [
+ "base64 0.22.1",
+ "cbc",
+ "cms",
+ "der",
+ "des",
+ "hex",
+ "hmac",
+ "pkcs12",
+ "pkcs5",
+ "rand 0.9.2",
+ "rc2",
+ "sha1",
+ "sha2",
+ "thiserror 2.0.17",
+ "x509-parser",
+]
+
 [[package]]
 name = "page_size"
 version = "0.6.0"
@@ -6606,6 +6595,15 @@ dependencies = [
 "serde_core",
 ]

+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.2"
@@ -6654,6 +6652,36 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"

+[[package]]
+name = "pkcs12"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "695b3df3d3cc1015f12d70235e35b6b79befc5fa7a9b95b951eab1dd07c9efc2"
+dependencies = [
+ "cms",
+ "const-oid",
+ "der",
+ "digest 0.10.7",
+ "spki",
+ "x509-cert",
+ "zeroize",
+]
+
+[[package]]
+name = "pkcs5"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6"
+dependencies = [
+ "aes",
+ "cbc",
+ "der",
+ "pbkdf2",
+ "scrypt",
+ "sha2",
+ "spki",
+]
+
 [[package]]
 name = "pkcs8"
 version = "0.10.2"
@@ -7252,6 +7280,15 @@ dependencies = [
 "crossbeam-utils",
 ]

+[[package]]
+name = "rc2"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62c64daa8e9438b84aaae55010a93f396f8e60e3911590fcba770d04643fc1dd"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "rcgen"
 version = "0.13.2"
@@ -7359,11 +7396,9 @@ dependencies = [
 "http-body-util",
 "hyper 1.8.1",
 "hyper-rustls",
- "hyper-tls",
 "hyper-util",
 "js-sys",
 "log",
- "native-tls",
 "percent-encoding",
 "pin-project-lite",
 "quinn",
@@ -7374,7 +7409,6 @@ dependencies = [
 "serde_urlencoded",
 "sync_wrapper",
 "tokio",
- "tokio-native-tls",
 "tokio-rustls 0.26.4",
 "tokio-util",
 "tower 0.5.2",
@@ -7643,7 +7677,7 @@ dependencies = [
 "openssl-probe",
 "rustls-pki-types",
 "schannel",
- "security-framework 3.5.1",
+ "security-framework",
 ]

 [[package]]
@@ -7846,19 +7880,6 @@ dependencies = [
 "cc",
 ]

-[[package]]
-name = "security-framework"
-version = "2.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
-dependencies = [
- "bitflags 2.10.0",
- "core-foundation 0.9.4",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
 [[package]]
 name = "security-framework"
 version = "3.5.1"
@@ -8909,16 +8930,6 @@ dependencies = [
 "syn 2.0.111",
 ]

-[[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
-dependencies = [
- "native-tls",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.25.0"
@@ -10400,6 +10411,17 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "x509-cert"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94"
+dependencies = [
+ "const-oid",
+ "der",
+ "spki",
+]
+
 [[package]]
 name = "x509-parser"
 version = "0.17.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -224,7 +224,6 @@ reqwest = { version = "0.12", default-features = false, features = [
    "json",
    "stream",
    "rustls-tls",
-    "native-tls-vendored",
 ] }
 ring = "0.17"
 rpds = "0.11"
--- a/deny.toml
+++ b/deny.toml
@@ -10,6 +10,7 @@ deny = [
    { crate = "protobuf", reason = "use quick-protobuf instead" },
    { crate = "derivative", reason = "use educe or derive_more instead" },
    { crate = "ark-ff", reason = "present in Cargo.lock but not needed by Lighthouse" },
+    { crate = "openssl", reason = "non-Rust dependency, use rustls instead" },
    { crate = "strum", deny-multiple-versions = true, reason = "takes a long time to compile" },
    { crate = "reqwest", deny-multiple-versions = true, reason = "takes a long time to compile" },
    { crate = "aes", deny-multiple-versions = true, reason = "takes a long time to compile" },
--- a/testing/web3signer_tests/src/lib.rs
+++ b/testing/web3signer_tests/src/lib.rs
@@ -137,11 +137,7 @@ mod tests {
    }

    fn client_identity_path() -> PathBuf {
-        if cfg!(target_os = "macos") {
-            tls_dir().join("lighthouse").join("key_legacy.p12")
-        } else {
-            tls_dir().join("lighthouse").join("key.p12")
-        }
+        tls_dir().join("lighthouse").join("key.p12")
    }

    fn client_identity_password() -> String {
--- a/testing/web3signer_tests/tls/generate.sh
+++ b/testing/web3signer_tests/tls/generate.sh
@@ -1,12 +1,5 @@
 #!/bin/bash

-# The lighthouse/key_legacy.p12 file is generated specifically for macOS because the default `openssl pkcs12` encoding
-# algorithm in OpenSSL v3 is not compatible with the PKCS algorithm used by the Apple Security Framework. The client
-# side (using the reqwest crate) relies on the Apple Security Framework to parse PKCS files.
-# We don't need to generate web3signer/key_legacy.p12 because the compatibility issue doesn't occur on the web3signer
-# side. It seems that web3signer (Java) uses its own implementation to parse PKCS files.
-# See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2469252651
-
 # We specify `-days 825` when generating the certificate files because Apple requires TLS server certificates to have a
 # validity period of 825 days or fewer.
 # See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2474979183
@@ -16,5 +9,4 @@ openssl pkcs12 -export -out web3signer/key.p12 -inkey web3signer/key.key -in web
 cp web3signer/cert.pem lighthouse/web3signer.pem &&
 openssl req -x509 -sha256 -nodes -days 825 -newkey rsa:4096 -keyout lighthouse/key.key -out lighthouse/cert.pem -config lighthouse/config &&
 openssl pkcs12 -export -out lighthouse/key.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
-openssl pkcs12 -export -legacy -out lighthouse/key_legacy.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
 openssl x509 -noout -fingerprint -sha256 -inform pem -in lighthouse/cert.pem | cut -b 20-| sed "s/^/lighthouse /" > web3signer/known_clients.txt
--- a/testing/web3signer_tests/tls/lighthouse/key_legacy.p12
+++ b/testing/web3signer_tests/tls/lighthouse/key_legacy.p12
--- a/validator_client/initialized_validators/Cargo.toml
+++ b/validator_client/initialized_validators/Cargo.toml
@@ -12,7 +12,9 @@ eth2_keystore = { workspace = true }
 filesystem = { workspace = true }
 lockfile = { workspace = true }
 metrics = { workspace = true }
+p12-keystore = "0.2"
 parking_lot = { workspace = true }
+pem = "3"
 rand = { workspace = true }
 reqwest = { workspace = true }
 serde = { workspace = true }
--- a/validator_client/initialized_validators/src/lib.rs
+++ b/validator_client/initialized_validators/src/lib.rs
@@ -397,6 +397,7 @@ pub fn load_pem_certificate<P: AsRef<Path>>(pem_path: P) -> Result<Certificate,
    Certificate::from_pem(&buf).map_err(Error::InvalidWeb3SignerRootCertificate)
 }

+// Read a PKCS12 identity certificate and parse it into a PEM certificate.
 pub fn load_pkcs12_identity<P: AsRef<Path>>(
    pkcs12_path: P,
    password: &str,
@@ -406,7 +407,29 @@ pub fn load_pkcs12_identity<P: AsRef<Path>>(
        .map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?
        .read_to_end(&mut buf)
        .map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?;
-    Identity::from_pkcs12_der(&buf, password)
+
+    let keystore = p12_keystore::KeyStore::from_pkcs12(&buf, password).map_err(|e| {
+        Error::InvalidWeb3SignerClientIdentityCertificateFile(io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!("PKCS12 parse error: {e:?}"),
+        ))
+    })?;
+
+    let (_alias, key_chain) = keystore
+        .private_key_chain()
+        .ok_or(Error::MissingWeb3SignerClientIdentityCertificateFile)?;
+
+    let key_pem = pem::encode(&pem::Pem::new("PRIVATE KEY", key_chain.key()));
+    let certs_pem: String = key_chain
+        .chain()
+        .iter()
+        .map(|cert| pem::encode(&pem::Pem::new("CERTIFICATE", cert.as_der())))
+        .collect::<Vec<_>>()
+        .join("\n");
+
+    let combined_pem = format!("{key_pem}\n{certs_pem}");
+
+    Identity::from_pem(combined_pem.as_bytes())
        .map_err(Error::InvalidWeb3SignerClientIdentityCertificate)
 }