Upgrade rcgen 0.10.0 -> 0.14.5 (#450)

dmitry-markin · web-flow · commit 955872218fa8 · 2025-10-20T14:31:01.000+03:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -60,7 +60,7 @@ quinn = { version = "0.9.3", default-features = false, features = ["tls-rustls",
 rustls = { version = "0.20.7", default-features = false, features = ["dangerous_configuration"], optional = true }
 ring = { version = "0.17.14", optional = true }
 webpki = { version = "0.22.4", optional = true }
-rcgen = { version = "0.10.0", optional = true }
+rcgen = { version = "0.14.5", optional = true }
 # End of Quic related dependencies.
 
 # WebRTC related dependencies. WebRTC is an experimental feature flag. The dependencies must be updated.
diff --git a/src/crypto/tls/certificate.rs b/src/crypto/tls/certificate.rs
@@ -57,22 +57,20 @@ pub fn generate(
     // Endpoints MAY generate a new key and certificate
     // for every connection attempt, or they MAY reuse the same key
     // and certificate for multiple connections.
-    let certificate_keypair = rcgen::KeyPair::generate(P2P_SIGNATURE_ALGORITHM)?;
+    let certificate_keypair = rcgen::KeyPair::generate_for(P2P_SIGNATURE_ALGORITHM)?;
     let rustls_key = rustls::PrivateKey(certificate_keypair.serialize_der());
 
     let certificate = {
-        let mut params = rcgen::CertificateParams::new(vec![]);
+        let mut params = rcgen::CertificateParams::new(vec![])?;
         params.distinguished_name = rcgen::DistinguishedName::new();
         params.custom_extensions.push(make_libp2p_extension(
             identity_keypair,
             &certificate_keypair,
         )?);
-        params.alg = P2P_SIGNATURE_ALGORITHM;
-        params.key_pair = Some(certificate_keypair);
-        rcgen::Certificate::from_params(params)?
+        params.self_signed(&certificate_keypair)?
     };
 
-    let rustls_certificate = rustls::Certificate(certificate.serialize_der()?);
+    let rustls_certificate = rustls::Certificate(certificate.der().to_vec());
 
     Ok((rustls_certificate, rustls_key))
 }
@@ -113,7 +111,7 @@ pub struct P2pExtension {
 
 #[derive(Debug, thiserror::Error)]
 #[error(transparent)]
-pub struct GenError(#[from] rcgen::RcgenError);
+pub struct GenError(#[from] rcgen::Error);
 
 #[derive(Debug, thiserror::Error)]
 #[error(transparent)]
@@ -200,15 +198,15 @@ fn parse_unverified<'a>(der_input: &'a [u8]) -> Result<P2pCertificate<'a>, webpk
 
 fn make_libp2p_extension(
     identity_keypair: &Keypair,
-    certificate_keypair: &rcgen::KeyPair,
-) -> Result<rcgen::CustomExtension, rcgen::RcgenError> {
+    certificate_pubkey: &impl rcgen::PublicKeyData,
+) -> Result<rcgen::CustomExtension, rcgen::Error> {
     // The peer signs the concatenation of the string `libp2p-tls-handshake:`
-    // and the public key that it used to generate the certificate carrying
+    // and the public key (in SPKI DER format) that it used to generate the certificate carrying
     // the libp2p Public Key Extension, using its private host key.
     let signature = {
         let mut msg = vec![];
         msg.extend(P2P_SIGNING_PREFIX);
-        msg.extend(certificate_keypair.public_key_der());
+        msg.extend(certificate_pubkey.subject_public_key_info());
 
         identity_keypair.sign(&msg)
     };
