
Module cert_validation

Offline X.509 chain validation for AnnounceV2 proofs

is_cert_valid decides whether a leaf+intermediate chain (presented inline by an announcing peer) is a real, current, public-CA-issued certificate for the announced IP address. The whole point is to gate Kademlia admission without pinging the announcer: a peer that doesn’t control its announced IP can’t complete ACME’s HTTP-01 / TLS-ALPN-01 challenge, so it can’t put a chain in its announce that satisfies all three checks here.

Checks (all offline, no network):

  1. Path validation against the bundled Mozilla NSS root store from webpki-roots. Enforces server-auth EKU and the cert’s own validity window against the supplied now.
  2. SAN match against the announced IP — per [project invariant], hashiverse servers identify by raw IP, so we expect an IP SAN (not DNS).

Out of scope: OCSP/CRL revocation (would need network), liveness of the listener (the existing prune-on-RPC-failure path catches that).

The function is wrapped by HttpsTransportOwnershipProof::prove in hashiverse-server-lib; tests live alongside in this module.
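Check 2 in isolation, as an added example that is not the module's own code: a dependency-free Rust parser for a DER-encoded SubjectAltName value that collects only iPAddress entries and compares them with the announced address. The constructed sample pairs a dNSName that merely spells "203.0.113.10" with a real iPAddress entry for the same address, so only the latter satisfies the check; path validation (check 1), which the module gets from the webpki-roots store, is not reproduced here.

```rust
use std::convert::TryFrom;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// One DER TLV at `pos`: (tag, value, position after it). Short and long-form
/// lengths are accepted; indefinite length is rejected because DER forbids it.
fn der_tlv(buf: &[u8], pos: usize) -> Option<(u8, &[u8], usize)> {
    let (tag, first) = (*buf.get(pos)?, *buf.get(pos + 1)?);
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return None; }
        let mut len = 0usize;
        for i in 0..n { len = (len << 8) | *buf.get(pos + 2 + i)? as usize; }
        (len, 2 + n)
    };
    let end = (pos + hdr).checked_add(len).filter(|&e| e <= buf.len())?;
    Some((tag, &buf[pos + hdr..end], end))
}

/// Every iPAddress GeneralName ([7] IMPLICIT, 4 or 16 raw octets) in a DER
/// SubjectAltName value. dNSName ([2]) and the other choices are skipped on
/// purpose: a DNS entry spelling out the same dotted quad must not count.
pub fn san_ip_addresses(san_der: &[u8]) -> Option<Vec<IpAddr>> {
    let (_, names, _) = der_tlv(san_der, 0).filter(|t| t.0 == 0x30)?; // SEQUENCE
    let (mut ips, mut pos) = (Vec::new(), 0);
    while pos < names.len() {
        let (tag, val, next) = der_tlv(names, pos)?;
        if tag == 0x87 {
            ips.push(match val.len() {
                4 => IpAddr::V4(Ipv4Addr::from(<[u8; 4]>::try_from(val).ok()?)),
                16 => IpAddr::V6(Ipv6Addr::from(<[u8; 16]>::try_from(val).ok()?)),
                _ => return None, // malformed iPAddress: reject the whole SAN
            });
        }
        pos = next;
    }
    Some(ips)
}

/// Check 2 from the module docs: the announced IP must appear as an IP SAN.
pub fn san_matches_announced_ip(san_der: &[u8], announced: IpAddr) -> bool {
    san_ip_addresses(san_der).map_or(false, |ips| ips.contains(&announced))
}

/// Constructed sample SAN (short-form lengths, TEST-NET-3 address): a dNSName
/// spelling "203.0.113.10", optionally followed by a real iPAddress entry.
pub fn sample_san(include_ip: bool) -> Vec<u8> {
    let mut inner = vec![0x82, 12];
    inner.extend_from_slice(b"203.0.113.10");
    if include_ip { inner.extend_from_slice(&[0x87, 4, 203, 0, 113, 10]); }
    let mut out = vec![0x30, inner.len() as u8];
    out.extend(inner);
    out
}
```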

Functions

is_cert_valid
Offline-validate a TLS chain against the bundled public-CA roots and the announced IP address. Returns true only if every check passes.