Sigp audit fixes (#438)

Co-authored-by: Manuel Iñaki Bilbao <manuel.bilbao@lambdaclass.com>
Co-authored-by: Joe Clapis <jclapis@outlook.com>
Co-authored-by: eltitanb <lorenzo@gattaca.com>
Co-authored-by: ltitanb <163874448+ltitanb@users.noreply.github.com>

Author: 4 people

.cargo/audit.toml

@@ -0,0 +1,27 @@
+# RUSTSEC-2026-0049: CRL revocation checking bug in rustls-webpki 0.101.7.
+#
+# Background: CRL (Certificate Revocation List) checking is an optional TLS
+# feature where a client fetches a list of revoked certificates from URLs
+# embedded in the cert itself, to confirm it hasn't been invalidated since
+# issuance. This is distinct from normal certificate validation.
+#
+# The bug: when a cert lists multiple CRL distribution point URLs, only the
+# first URL is checked; the rest are silently ignored. This matters only when
+# CRL checking is enabled AND the UnknownStatusPolicy is set to Allow (meaning
+# "if I can't determine revocation status, accept the cert anyway"). With that
+# combination, a revoked certificate from a compromised CA could be accepted.
+#
+# Why this does not affect Commit-Boost: the vulnerable code path is never
+# reached because no code in this codebase enables CRL checking at all.
+# TLS is used in four places: (1) relay communication via reqwest with
+# rustls-tls uses default CA validation with no CRL configured; (2) the signer
+# server presents a TLS certificate but does not check client revocation;
+# (3) the signer client pins a single self-signed certificate via
+# add_root_certificate — CRL is irrelevant for self-signed certs; (4) the Dirk
+# remote signer uses mTLS with a custom CA but again no CRL. In all cases the
+# buggy CRL code in rustls-webpki is never invoked.
+#
+# Blocked on sigp/lighthouse upgrading past v8.0.1 without a compilation
+# regression (SseEventSource missing cfg guard in eth2 error.rs).
+[advisories]
+ignore = ["RUSTSEC-2026-0049"]

.gitignore

@@ -16,6 +16,7 @@ targets.json
 .idea/
 logs
 .vscode/
+certs/
 
 # Python (release scripts under .github/workflows/release/)
 __pycache__/

Cargo.toml

@@ -24,6 +24,7 @@ assert_cmd = "2.1.2"
 async-trait = "0.1.80"
 axum = { version = "0.8.1", features = ["macros"] }
 axum-extra = { version = "0.10.0", features = ["typed-header"] }
+axum-server = { version = "0.7.2", features = ["tls-rustls"] }
 base64 = "0.22.1"
 bimap = { version = "0.6.3", features = ["serde"] }
 blsful = "^2.5"
@@ -38,6 +39,7 @@ cb-signer = { path = "crates/signer" }
 cipher = "0.4"
 clap = { version = "4.5.48", features = ["derive", "env"] }
 color-eyre = "0.6.3"
+const_format = "0.2.34"
 ctr = "0.9.2"
 derive_more = { version = "2.0.1", features = ["deref", "display", "from", "into"] }
 docker-compose-types = "0.16.0"
@@ -62,7 +64,10 @@ prometheus = "0.14.0"
 prost = "0.13.4"
 rand = { version = "0.9", features = ["os_rng"] }
 rayon = "1.10.0"
-reqwest = { version = "0.13", features = ["json", "stream"] }
+reqwest = { version = "0.13", features = ["json", "stream", "rustls-tls"] }
+rcgen = "0.13.2"
+reqwest-eventsource = "=0.5.0"
+rustls = "0.23.23"
 serde = { version = "1.0.202", features = ["derive"] }
 serde_json = "1.0.117"
 serde_yaml = "0.9.33"