fix(tls): fix rustls panic due to critical libp2p extension

[arpankapoor]

Description

Resolves #5487.

Notes & open questions

While parsing a certificate, rustls-webpki throws up a UnsupportedCriticalExtension if the certificate has any non-standard TLS extensions that are marked critical.
Since the libp2p TLS extension spec says This extension MAY be marked critical, not marking the extension as critical should be okay.

Ideally, the certificate consistency check added upstream should probably ignore non-critical errors like this.

If this seems like an acceptable solution, I'll add in a changelog entry.

Change checklist

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• A changelog entry has been made in the appropriate crates

[jxs]

Hi, and thanks a lot for digging into this! ❤️
This change acceptable to me, can you add the CHANGELOG.md entry?
What I don't understand is, why are we havingwebpki trying to parse the libp2p extension?

[arpankapoor]

As per my understanding, this upstream change added a new check to verify the consistency of the certificate. It does so by parsing the CertificateDer in order to extract its public key and compare with the public key extracted from the SigningKey.

[jxs]

Hi @arpankapoor sorry to be back to this, but wdyt of implementing the suggestion mentioned on rustls/rustls#1918 (comment) and therefore being able to continue setting it to critical?

[arpankapoor]

yeah, that's a better solution. I've implemented it for both the client and server certs.

[jxs]

LGTM! Thanks Arpan!

Approvals have been dismissed because the PR was updated after the send-it label was applied.

[jxs]

released libp2p-tls 0.4.1

[DougAnderson444]

Thank you! This was driving me nuts debugging .with_quic.