Migrate dependency on x509 to crypton-x509 #4996

Open
HeinrichApfelmus opened this issue Feb 21, 2025 · 0 comments
Why

Cardano-wallet uses TLS to secure the HTTP API — only clients with a valid client certificate are able to connect to the wallet server. For instance, Daedalus connects to the wallet API in this way. This prevents access to the wallet by unauthorized processes on the user's machine.

In order to implement this functionality, cardano-wallet uses the x509 package, both directly and via dependencies, such as the tls package. Unfortunately, the x509 package is no longer maintained. Fortunately, the package crypton-x509 provides a viable migration path.

If we want to keep this feature, we will have to migrate eventually due to other dependencies. Specifically, other dependencies that are related, such as tls-1.7.0, have already upgraded to crypton-x509. As tls is a dependency of the web server implementation that we use to provide the HTTP API with TLS, we will not be able to upgrade the web server without upgrading tls at some point in the future.

What

Fortunately, the use of Data.X509 from x509 is confined to the modules

  • Cardano.Wallet.Application.Tls
  • Cardano.Wallet.Application.TlsSpec

Unfortunately, in order to generate tests in TlsSpec, cardano-wallet currently relies on the cardano-sl-x509 package. This reliance is somewhat substantial, as cardano-sl-x509 handles the writing of files in Privacy Enhanced Mail (PEM) format. Sadly, this package is outdated, no longer maintained, and not in our control.

How

I propose a divide-and-conquer strategy.

  1. Create a new package in the lib/api-tls directory whose purpose is to handle all concerns related to securing an HTTP API via TLS. The main module Cardano.Wallet.Application.Tls has a small and simple interface and provides very good encapsulation.
  2. Inline the cardano-sl-x509 package into lib/api-tls. This is a non-friendly fork, but gets rid of an unmaintained dependency. (There may be a licensing issue: The package uses an MIT license, while we use an Apache 2.0 license.)
  3. Migrate lib/api-tls to crypton-x509, removing code that is unnecessary for functionality or testing. For example, the parsing of cardano-sl-x509.yaml configuration can probably be removed; this can be expressed in the Haskell tests directly.

Instead of step 2., we could also perform

2.' As the test certificates exist as golden data, we could remove their generation.

However, this reliance on golden test data is brittle, as the certificates have an expiry date, and will stop working after a certain time. Thus, I believe that we need to retain the ability to generate valid TLS client and server certificates.
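As an added example (not cardano-wallet's own code, and using the openssl CLI rather than the x509 or crypton-x509 Haskell packages), the following POSIX shell script builds the kind of throwaway PKI the TlsSpec tests need: a CA, a server certificate and a client certificate written as PEM files, a verification step that checks each leaf for its intended TLS role (so a server certificate is rejected where a client certificate is required, and vice versa), and a `-checkend` probe that catches the expiry problem described above for golden test data. All file names, subjects, the curve and the 5-day validity period are assumptions of the example.

```shell
#!/bin/sh
# Added example, not cardano-wallet code: a throwaway test PKI for a
# client-certificate-authenticated HTTP API, built with the openssl CLI.
# Writes CA, server and client certificates in PEM, verifies each leaf for
# its intended TLS role, and checks how long a certificate stays valid.
# Names, paths, curve and validity period are assumptions of this example.
set -eu

# write_req_config DIR: minimal openssl config so nothing depends on the
# system openssl.cnf. The DN below is a placeholder overridden by -subj.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_leaf DIR NAME CN EXT_SECTION DAYS: create a CSR for NAME and sign it
# with DIR/ca.crt + DIR/ca.key, attaching the extensions from EXT_SECTION.
issue_leaf() {
  dir=$1; name=$2; cn=$3; ext=$4; days=$5
  openssl req -new -config "$dir/req.cnf" -subj "/CN=$cn" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -sha256 \
    -extfile "$dir/req.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_test_pki DIR DAYS: self-signed CA plus server and client leaf certs,
# all valid for DAYS days, written as PEM files under DIR.
make_test_pki() {
  dir=$1; days=$2
  mkdir -p "$dir"
  write_req_config "$dir"
  openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext \
    -subj "/CN=Example Test CA" -days "$days" -sha256 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue_leaf "$dir" server localhost server_ext "$days"
  issue_leaf "$dir" client wallet-client client_ext "$days"
}

# verify_cert CERT CA PURPOSE: prints "ok" if CERT chains to CA and its
# key usage / extended key usage fit PURPOSE (sslclient or sslserver),
# otherwise "fail". This is the check a server doing client-certificate
# authentication performs on the presented certificate.
verify_cert() {
  if openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# still_valid_after CERT SECONDS: exit 0 if CERT is still valid SECONDS
# from now, non-zero if it will have expired by then.
still_valid_after() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d" 5
  echo "client cert presented as TLS client: $(verify_cert "$d/client.crt" "$d/ca.crt" sslclient)"
  echo "server cert presented as TLS client: $(verify_cert "$d/server.crt" "$d/ca.crt" sslclient)"
  if still_valid_after "$d/client.crt" $((30 * 86400)); then
    echo "client cert outlives the next 30 days"
  else
    echo "client cert expires within 30 days: $(openssl x509 -noout -enddate -in "$d/client.crt")"
  fi
  rm -rf "$d"
}
demo
```

Because every certificate is regenerated on each run, the validity window always starts now, which is exactly what golden PEM files cannot offer; the `still_valid_after` probe is the check to run against any golden certificates that are kept, so a test suite fails loudly before the certificates silently expire.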
