gnosis/lighthouse
1
0
Fork 0
mirror of https://github.com/sigp/lighthouse.git synced 2026-03-03 00:31:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove dependency on OpenSSL (#8768)

Browse Source 
https://github.com/sigp/lighthouse/issues/8756


  Only the Web3Signer actually needs OpenSSL in order to parse PKCS12 certificates. This updates the function to instead manually parse the cert (using the `p12-keystore` crate) and converts it to a `PEM` certificate (using the `pem` crate) which can be directly converted to a `reqwest::tls::Identity` as this can be done directly in `rustls`.


Co-Authored-By: Mac L <mjladson@pm.me>
This commit is contained in:
Mac L
2026-02-10 06:10:48 +04:00
committed by GitHub
parent 0c9f97f015
commit 286b67f048
8 changed files with 173 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
testing/web3signer_tests/src/lib.rs
View File

@@ -137,11 +137,7 @@ mod tests {
}
fn client_identity_path() -> PathBuf {
if cfg!(target_os = "macos") {
tls_dir().join("lighthouse").join("key_legacy.p12")
} else {
tls_dir().join("lighthouse").join("key.p12")
}
tls_dir().join("lighthouse").join("key.p12")
}
fn client_identity_password() -> String {

8
testing/web3signer_tests/tls/generate.sh
View File

@@ -1,12 +1,5 @@
#!/bin/bash
# The lighthouse/key_legacy.p12 file is generated specifically for macOS because the default `openssl pkcs12` encoding
# algorithm in OpenSSL v3 is not compatible with the PKCS algorithm used by the Apple Security Framework. The client
# side (using the reqwest crate) relies on the Apple Security Framework to parse PKCS files.
# We don't need to generate web3signer/key_legacy.p12 because the compatibility issue doesn't occur on the web3signer
# side. It seems that web3signer (Java) uses its own implementation to parse PKCS files.
# See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2469252651
# We specify `-days 825` when generating the certificate files because Apple requires TLS server certificates to have a
# validity period of 825 days or fewer.
# See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2474979183
@@ -16,5 +9,4 @@ openssl pkcs12 -export -out web3signer/key.p12 -inkey web3signer/key.key -in web
cp web3signer/cert.pem lighthouse/web3signer.pem &&
openssl req -x509 -sha256 -nodes -days 825 -newkey rsa:4096 -keyout lighthouse/key.key -out lighthouse/cert.pem -config lighthouse/config &&
openssl pkcs12 -export -out lighthouse/key.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
openssl pkcs12 -export -legacy -out lighthouse/key_legacy.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
openssl x509 -noout -fingerprint -sha256 -inform pem -in lighthouse/cert.pem | cut -b 20-| sed "s/^/lighthouse /" > web3signer/known_clients.txt

BIN
testing/web3signer_tests/tls/lighthouse/key_legacy.p12
View File

Binary file not shown.