Skip to main content

Module mtls

Module mtls 

Source
Expand description

mTLS layer — every peer connection is a mutually-authenticated TLS stream whose remote peer_id is verified against the one the caller asked to reach.

All DIG node-to-node comms are mutual TLS: both sides present a certificate, and each derives the other’s identity as peer_id = SHA-256(TLS SubjectPublicKeyInfo DER) (see crate::identity, matching dig-gossip). dig-nat establishes the transport AND wraps it in this mTLS session, so the resulting crate::PeerConnection is always mutually authenticated with the peer_id verified.

§Verification model

DIG peers use self-signed certificates whose public key IS the identity — there is no CA. So the rustls verifier here does NOT check a chain of trust; instead it:

  1. captures the peer’s leaf certificate,
  2. derives its peer_id via crate::identity::peer_id_from_leaf_cert_der, and
  3. pins it: if the caller supplied an expected peer_id, the handshake is rejected unless it matches; the derived id is always recorded so the caller learns exactly who it connected to.

This is the standard “trust-on-first-use / key-is-identity” model for a self-authenticating P2P overlay, and it is what makes peer_id a meaningful authentication (not just a label).

Structs§

CapturedPeerId
The outcome of verifying a peer’s certificate: the peer_id it presented, captured for the caller. Shared via Arc<Mutex<_>> because rustls verifiers are Sync and run inside the handshake.
PeerIdPinningVerifier
A rustls ServerCertVerifier for the DIG self-authenticating overlay.