Remove dependency on OpenSSL (#8768)

https://github.com/sigp/lighthouse/issues/8756


  Only the Web3Signer actually needs OpenSSL, in order to parse PKCS12 certificates. This updates the function to instead parse the certificate manually (using the `p12-keystore` crate) and convert it to `PEM` (using the `pem` crate), which can then be converted directly to a `reqwest::tls::Identity`, since that conversion is supported natively by `rustls`.


Co-Authored-By: Mac L <mjladson@pm.me>
This commit is contained in:
Mac L
2026-02-10 06:10:48 +04:00
committed by GitHub
parent 0c9f97f015
commit 286b67f048
8 changed files with 173 additions and 138 deletions


@@ -397,6 +397,7 @@ pub fn load_pem_certificate<P: AsRef<Path>>(pem_path: P) -> Result<Certificate,
Certificate::from_pem(&buf).map_err(Error::InvalidWeb3SignerRootCertificate)
}
// Read a PKCS12 identity certificate and parse it into a PEM certificate.
pub fn load_pkcs12_identity<P: AsRef<Path>>(
pkcs12_path: P,
password: &str,
@@ -406,7 +407,29 @@ pub fn load_pkcs12_identity<P: AsRef<Path>>(
.map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?
.read_to_end(&mut buf)
.map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?;
Identity::from_pkcs12_der(&buf, password)
let keystore = p12_keystore::KeyStore::from_pkcs12(&buf, password).map_err(|e| {
Error::InvalidWeb3SignerClientIdentityCertificateFile(io::Error::new(
io::ErrorKind::InvalidData,
format!("PKCS12 parse error: {e:?}"),
))
})?;
let (_alias, key_chain) = keystore
.private_key_chain()
.ok_or(Error::MissingWeb3SignerClientIdentityCertificateFile)?;
let key_pem = pem::encode(&pem::Pem::new("PRIVATE KEY", key_chain.key()));
let certs_pem: String = key_chain
.chain()
.iter()
.map(|cert| pem::encode(&pem::Pem::new("CERTIFICATE", cert.as_der())))
.collect::<Vec<_>>()
.join("\n");
let combined_pem = format!("{key_pem}\n{certs_pem}");
Identity::from_pem(combined_pem.as_bytes())
.map_err(Error::InvalidWeb3SignerClientIdentityCertificate)
}
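Review bot: The `.ok_or(Error::MissingWeb3SignerClientIdentityCertificateFile)` after `private_key_chain()` reports a keystore that parsed fine but contains no private-key chain as a missing file, which sends an operator debugging client-auth failures to the wrong place. The branch just above already wraps a parse failure as `InvalidData`, and the same shape fits here, e.g. `.ok_or_else(|| Error::InvalidWeb3SignerClientIdentityCertificateFile(io::Error::new(io::ErrorKind::InvalidData, "PKCS12 keystore contains no private key")))?;`. Separately, the private key now passes through `key_pem` and `combined_pem`, two heap `String`s that are dropped without being cleared, whereas the old path handed the DER buffer straight to `from_pkcs12_der`; if the crate already has a zeroizing wrapper in scope it would fit those two values (and `buf`), and either way a short comment such as `// Key material sits in plain Strings here only long enough to build the Identity.` would record the trade-off for the next reader.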