feat: Add WebTransport protocol based on BiagioFesta/wtransport

Cargo.toml

@@ -65,6 +65,7 @@ members = [
     "transports/websocket-websys",
     "transports/websocket",
     "transports/webtransport-websys",
+    "transports/webtransport",
     "wasm-tests/webtransport-tests",
 ]
 resolver = "2"

transports/tls/Cargo.toml

@@ -19,6 +19,7 @@ thiserror = { workspace = true }
 webpki = { version = "0.101.4", package = "rustls-webpki", features = ["std"] }
 x509-parser = "0.16.0"
 yasna = "0.5.2"
+time = "0.3"
 
 # Exposed dependencies. Breaking changes to these are breaking changes to us.
 [dependencies.rustls]

transports/tls/src/certificate.rs

@@ -28,6 +28,8 @@ use libp2p_identity as identity;
 use libp2p_identity::PeerId;
 use x509_parser::{prelude::*, signature_algorithm::SignatureAlgorithm};
 
+use ::time::OffsetDateTime;
+
 /// The libp2p Public Key Extension is a X.509 extension
 /// with the Object Identifier 1.3.6.1.4.1.53594.1.1,
 /// allocated by IANA to the libp2p project at Protocol Labs.
@@ -121,14 +123,65 @@ pub fn generate(
     Ok((rustls_certificate, rustls_key))
 }
 
+pub fn generate_with_validity_period(
+    identity_keypair: &identity::Keypair,
+    not_before: OffsetDateTime,
+    not_after: OffsetDateTime,
+) -> Result<
+    (
+        rustls::pki_types::CertificateDer<'static>,
+        rustls::pki_types::PrivateKeyDer<'static>,
+    ),
+    GenError,
+> {
+    // Keypair used to sign the certificate.
+    // SHOULD NOT be related to the host's key.
+    // Endpoints MAY generate a new key and certificate
+    // for every connection attempt, or they MAY reuse the same key
+    // and certificate for multiple connections.
+    let certificate_keypair = rcgen::KeyPair::generate(P2P_SIGNATURE_ALGORITHM)?;
+    let rustls_key = rustls::pki_types::PrivateKeyDer::from(
+        rustls::pki_types::PrivatePkcs8KeyDer::from(certificate_keypair.serialize_der()),
+    );
+
+    let certificate = {
+        let mut params = rcgen::CertificateParams::new(vec![]);
+        params.distinguished_name = rcgen::DistinguishedName::new();
+        params.custom_extensions.push(make_libp2p_extension(
+            identity_keypair,
+            &certificate_keypair,
+        )?);
+        params.alg = P2P_SIGNATURE_ALGORITHM;
+        params.key_pair = Some(certificate_keypair);
+        params.not_before = not_before;
+        params.not_after = not_after;
+        rcgen::Certificate::from_params(params)?
+    };
+
+    let rustls_certificate = rustls::pki_types::CertificateDer::from(certificate.serialize_der()?);
+
+    Ok((rustls_certificate, rustls_key))
+}
+
+
 /// Attempts to parse the provided bytes as a [`P2pCertificate`].
 ///
 /// For this to succeed, the certificate must contain the specified extension and the signature must
 /// match the embedded public key.
 pub fn parse<'a>(
     certificate: &'a rustls::pki_types::CertificateDer<'a>,
 ) -> Result<P2pCertificate<'a>, ParseError> {
-    let certificate = parse_unverified(certificate.as_ref())?;
+    parse_binary(certificate.as_ref())
+}
+
+/// Attempts to parse the provided bytes as a [`P2pCertificate`].
+///
+/// For this to succeed, the certificate must contain the specified extension and the signature must
+/// match the embedded public key.
+pub fn parse_binary(
+    der_input: &[u8],
+) -> Result<P2pCertificate, ParseError> {
+    let certificate = parse_unverified(der_input)?;
 
     certificate.verify()?;
 

transports/tls/src/lib.rs

@@ -32,6 +32,8 @@ mod verifier;
 use std::sync::Arc;
 
 use certificate::AlwaysResolvesCert;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+
 pub use futures_rustls::TlsStream;
 use libp2p_identity::{Keypair, PeerId};
 pub use upgrade::{Config, UpgradeError};
@@ -89,3 +91,27 @@ pub fn make_server_config(
 
     Ok(crypto)
 }
+
+/// Create a TLS server configuration for libp2p.
+pub fn make_webtransport_server_config(
+    certificate: &CertificateDer<'static>,
+    private_key: &PrivateKeyDer,
+    protocols: Vec<Vec<u8>>,
+) -> rustls::ServerConfig {
+    let mut provider = rustls::crypto::ring::default_provider();
+    provider.cipher_suites = verifier::CIPHERSUITES.to_vec();
+
+    let cert_resolver = Arc::new(
+        AlwaysResolvesCert::new(certificate.clone(), private_key)
+            .expect("Server cert key DER is valid; qed"),
+    );
+
+    let mut crypto = rustls::ServerConfig::builder_with_provider(provider.into())
+        .with_protocol_versions(verifier::PROTOCOL_VERSIONS)
+        .expect("Cipher suites and kx groups are configured; qed")
+        .with_client_cert_verifier(Arc::new(verifier::Libp2pCertificateVerifier::new()))
+        .with_cert_resolver(cert_resolver);
+    crypto.alpn_protocols = protocols.to_vec();
+
+    crypto
+}