Remove dependency on OpenSSL #8768
Merged
+173
−138
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
macladson
force-pushed
the
remove-openssl
branch
from
f9eed07 to
08de065
Compare
macladson
commented
Feb 7, 2026
Comment on lines
-3
to
-8
| # The lighthouse/key_legacy.p12 file is generated specifically for macOS because the default `openssl pkcs12` encoding | ||
| # algorithm in OpenSSL v3 is not compatible with the PKCS algorithm used by the Apple Security Framework. The client | ||
| # side (using the reqwest crate) relies on the Apple Security Framework to parse PKCS files. | ||
| # We don't need to generate web3signer/key_legacy.p12 because the compatibility issue doesn't occur on the web3signer | ||
| # side. It seems that web3signer (Java) uses its own implementation to parse PKCS files. | ||
| # See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2469252651 |
Member
Author
There was a problem hiding this comment.
I believe now that we are using pure Rust, we no longer rely on the Apple Security Framework and so can support OpenSSL v3 even on MacOS
macladson
added
ready-for-review
Member
|
Can we add openssl to the list of banned crates here? Lines 7 to 19 in edba56b |
jimmygchen
added
waiting-on-author
macladson
added
ready-for-review
pawanjay176
approved these changes
Feb 9, 2026
michaelsproul
added
ready-for-merge
Merge Queue StatusRule:
This pull request spent 31 minutes 52 seconds in the queue, including 30 minutes 41 seconds running CI. Required conditions to merge
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue Addressed
#8756
Proposed Changes
Only the Web3Signer actually needs OpenSSL in order to parse PKCS12 certificates. This updates the function to instead manually parse the cert (using the
p12-keystorecrate) and converts it to aPEMcertificate (using thepemcrate) which can be directly converted to areqwest::tls::Identityas this can be done directly inrustls.Additional Info
There may be some situations where a .p12 certificate could be strangely formatted (for example, if not generated by openssl) and break this function where it would succeed before. I'm not sure how to quantify the risks here but we could consider adding more test cases.