diff --git a/src/tls/certificate.rs b/src/tls/certificate.rs index 8b83fc6..4851802 100644 --- a/src/tls/certificate.rs +++ b/src/tls/certificate.rs @@ -26,7 +26,7 @@ use super::LIBP2P_SIGNING_PREFIX_LENGTH; use libp2p::identity::Keypair; const LIBP2P_OID: &[u64] = &[1, 3, 6, 1, 4, 1, 53594, 1, 1]; // Based on libp2p TLS 1.3 specs -const LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH: usize = 65; +const LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH: usize = 91; static LIBP2P_SIGNATURE_ALGORITHM: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P256_SHA256; /// Generates a self-signed TLS certificate that includes a libp2p-specific @@ -38,7 +38,7 @@ pub(crate) fn make_cert(keypair: &Keypair) -> Result Result Result Result<(), TLSErro certificate .check_self_issued() .map_err(TLSError::WebPKIError)?; - verify_libp2p_signature(&extension, certificate.subject_public_key_info().key()) + verify_libp2p_signature(&extension, certificate.subject_public_key_info().spki()) .map_err(TLSError::WebPKIError) } @@ -204,7 +204,9 @@ struct Libp2pExtension<'a> { fn parse_libp2p_extension(extension: Input<'_>) -> Result, Error> { fn read_bit_string<'a>(input: &mut Reader<'a>, e: Error) -> Result, Error> { - der::bit_string_with_no_unused_bits(input).map_err(|_| e) + // The specification states that this is a BIT STRING, but the Go implementation + // uses an OCTET STRING. OCTET STRING is superior in this context, so use it. + der::expect_tag_and_get_value(input, der::Tag::OctetString).map_err(|_| e) } let e = Error::ExtensionValueInvalid;
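Review bot: The new value `91` for `LIBP2P_SIGNATURE_ALGORITHM_PUBLIC_KEY_LENGTH` is an unexplained magic number, and it is only correct while `LIBP2P_SIGNATURE_ALGORITHM` stays `PKCS_ECDSA_P256_SHA256`. 91 bytes is the size of a DER-encoded SubjectPublicKeyInfo for a P-256 key, against 65 for the bare uncompressed point, which fits the later switch from `.key()` to `.spki()` in the verification path, but the line itself does not say so. I would add a comment such as `// DER SubjectPublicKeyInfo of a P-256 key: 26-byte header + 65-byte uncompressed point`. The constant's uses are not legible in this diff; if it sizes the buffer that is signed, checking the real encoded length against it there would make a change of algorithm fail loudly rather than produce a signature over the wrong bytes.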
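Review bot: The helper in the last hunk is still named `read_bit_string` although it now accepts only an OCTET STRING, so the name contradicts what the parser enforces. Renaming it to `read_octet_string` would fix that; its callers are in `parse_libp2p_extension`, which continues past the end of this hunk. The comment's "OCTET STRING is superior in this context" gives a maintainer nothing to check, and I would state the interoperability fact instead, for example `// Encoded as OCTET STRING to match the Go implementation; a BIT STRING here is rejected.` Because the BIT STRING form is no longer accepted, certificates from peers that still emit it will presumably fail extension parsing, which deserves a line in the commit message and a test that feeds a BIT STRING-encoded extension and expects `ExtensionValueInvalid`.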