xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(proto): implement Wave 2 — hybrid PKI handshake + session

Browse Source 
aura-proto: 5-byte wire header + Frame codec (§6.1/§6.3); transport-agnostic
handshake state machine (§6.2) over split tokio AsyncRead/AsyncWrite —
hybrid X25519+ML-KEM-768 KEM, SHA-256 transcript, mutual X.509 auth with
ECDSA-P256 transcript signatures (ring), constant-time HMAC Finished;
Session with sliding-window replay protection. 13 tests green, clippy clean.

Handshake message order pinned (resolves spec diagram ambiguity); reader/writer
taken by value since Session owns both halves.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
xah30
2026-05-25 18:05:11 +03:00
parent b8ce58ddf0
commit bb835e4ca7
11 changed files with 1710 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crates/aura-proto/tests/common/mod.rs
+56
View File
@@ -0,0 +1,56 @@
//! Shared test helpers: minting an Aura CA + leaf certs, and wiring an in-memory duplex transport.
#![allow(dead_code)] // each integration test binary uses a different subset of these helpers
use aura_pki::AuraCa;
use aura_proto::{ClientConfig, ServerConfig};
/// A minted PKI fixture: a CA, a server cert/key, and a client cert/key.
pub struct Pki {
pub ca_cert_pem: String,
pub server_cert_pem: String,
pub server_key_pem: String,
pub client_cert_pem: String,
pub client_key_pem: String,
pub server_name: String,
pub client_id: String,
}
/// Mint a CA plus a server cert (for `server_name`) and a client cert (CN = `client_id`).
pub fn mint_pki(server_name: &str, client_id: &str) -> Pki {
let ca = AuraCa::generate("Aura Test Root CA").expect("generate CA");
let server = ca
.issue_server_cert(server_name)
.expect("issue server cert");
let client = ca.issue_client_cert(client_id).expect("issue client cert");
Pki {
ca_cert_pem: ca.ca_cert_pem(),
server_cert_pem: server.cert_pem,
server_key_pem: server.key_pem,
client_cert_pem: client.cert_pem,
client_key_pem: client.key_pem,
server_name: server_name.to_string(),
client_id: client_id.to_string(),
}
}
impl Pki {
/// Build a matching [`ClientConfig`] from this fixture.
pub fn client_config(&self) -> ClientConfig {
ClientConfig {
ca_cert_pem: self.ca_cert_pem.clone(),
client_cert_pem: self.client_cert_pem.clone(),
client_key_pem: self.client_key_pem.clone(),
server_name: self.server_name.clone(),
}
}
/// Build a matching [`ServerConfig`] from this fixture.
pub fn server_config(&self) -> ServerConfig {
ServerConfig {
ca_cert_pem: self.ca_cert_pem.clone(),
server_cert_pem: self.server_cert_pem.clone(),
server_key_pem: self.server_key_pem.clone(),
}
}
}