35d94dee33
Server now pushes its signed CRL to each connecting client right after the
handshake; the client verifies the signature against the CA and applies the
revocation list to its verifier (and caches it on disk for restarts).
Removes the v1 "CRL distributed out-of-band" honest limitation.
Wire (multiplexed over existing PacketConnection, no trait change):
control envelope = MAGIC[4]=[0xAA,0xAA,0xC0,0x01] || kind(u8) || u32_be(len)
|| payload. IPv4/IPv6 start with 0x4X/0x6X, so 0xAA cannot collide; an old
peer just drops it as a junk packet in the TUN — back-compat preserved.
- aura-proto: ControlKind { CrlPush, CrlAck, Unknown }, encode/decode_control_
envelope, CONTROL_ENVELOPE_MAGIC; 7 frame tests.
- aura-pki: CrlStore::{encode_signed, save_signed, decode_signed_verified,
load_signed_verified} — ECDSA-P256/SHA-256 from the CA private key against
a textual "CRL-Aura-v1" body + --SIGNATURE--; 7 signing tests. ring 0.17
added crate-local (already in lockfile via rustls-webpki).
- aura-cli: crl_push module — server pushes via conn.send_packet on accept;
client wraps the Arc<dyn PacketConnection> in AcceptPushedCrlConn which
sniffs the magic in recv_packet, verifies the signature, updates the
AuraCertVerifier, caches to disk. PkiSection gets ca_key, crl_push (default
true), accept_pushed_crl (default true).
- 5 in_band_crl integration tests via mock PacketConnection.
Workspace: 235 tests passed (+28), clippy -D warnings clean, fmt clean. v2
COMPLETE — the 9 honest v1 limitations are resolved, except sing-box (deferred per user).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
[package]
name = "aura-pki"
version = { workspace = true }
edition = { workspace = true }
license = { workspace = true }
description = "Aura PKI: CA, X.509 issuance and mutual-auth verification"

[dependencies]
anyhow = { workspace = true }
# The `x509-parser` feature provides Issuer::from_ca_cert_pem, i.e. rebuilding the
# issuer from an existing CA certificate. Feature lists merge with the workspace defaults.
rcgen = { workspace = true, features = ["x509-parser"] }
# Signs and verifies the v2 in-band CRL: ECDSA P-256 / SHA-256 over the textual CRL body,
# checked against the CA public key. `ring 0.17.14` is already resolved in the lockfile
# (transitively, via `rustls-webpki`), so this adds no new resolution; it only becomes a
# direct dependency of this crate.
# NOTE(review): signing needs the CA private key on the pushing server (PkiSection
# `ca_key`); confirm that key is protected to the same standard as the CA itself, and
# that a client rejects a replayed, older signed CRL — neither is visible from here.
ring = "0.17"
rustls = { workspace = true }
rustls-pki-types = { workspace = true }
thiserror = { workspace = true }
# Certificate validity windows (not_before / not_after). Already in the lockfile.
time = { version = "0.3", default-features = false, features = ["std"] }
uuid = { workspace = true }
# Chain verification against the Aura CA trust anchor. 0.103 is the version the workspace
# lockfile already carries (pulled transitively), so no new resolution is introduced.
webpki = { package = "rustls-webpki", version = "0.103", default-features = false, features = ["ring"] }
x509-parser = { workspace = true }