Expand description
mTLS layer — every peer connection is a mutually-authenticated TLS stream whose remote
peer_id is verified against the one the caller asked to reach.
All DIG node-to-node comms are mutual TLS: both sides present a certificate, and each derives the
other’s identity as peer_id = SHA-256(TLS SubjectPublicKeyInfo DER) (see crate::identity,
matching dig-gossip). dig-nat establishes the transport AND wraps it in this mTLS session, so the
resulting crate::PeerConnection is always mutually authenticated with the peer_id verified.
§Verification model
DIG peers use self-signed certificates whose public key IS the identity — there is no CA. So the rustls verifier here does NOT check a chain of trust; instead it:
- captures the peer’s leaf certificate,
- derives its
peer_idviacrate::identity::peer_id_from_leaf_cert_der, and - pins it: if the caller supplied an expected
peer_id, the handshake is rejected unless it matches; the derived id is always recorded so the caller learns exactly who it connected to.
This is the standard “trust-on-first-use / key-is-identity” model for a self-authenticating P2P
overlay, and it is what makes peer_id a meaningful authentication (not just a label).
Structs§
- Captured
Peer Id - The outcome of verifying a peer’s certificate: the
peer_idit presented, captured for the caller. Shared viaArc<Mutex<_>>because rustls verifiers areSyncand run inside the handshake. - Peer
IdPinning Verifier - A rustls
ServerCertVerifierfor the DIG self-authenticating overlay.