Remove dependency on OpenSSL

Cargo.toml

@@ -224,7 +224,6 @@ reqwest = { version = "0.12", default-features = false, features = [
     "json",
     "stream",
     "rustls-tls",
-    "native-tls-vendored",
 ] }
 ring = "0.17"
 rpds = "0.11"

deny.toml

@@ -10,6 +10,7 @@ deny = [
     { crate = "protobuf", reason = "use quick-protobuf instead" },
     { crate = "derivative", reason = "use educe or derive_more instead" },
     { crate = "ark-ff", reason = "present in Cargo.lock but not needed by Lighthouse" },
+    { crate = "openssl", reason = "non-Rust dependency, use rustls instead" },
     { crate = "strum", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "reqwest", deny-multiple-versions = true, reason = "takes a long time to compile" },
     { crate = "aes", deny-multiple-versions = true, reason = "takes a long time to compile" },

testing/web3signer_tests/src/lib.rs

@@ -137,11 +137,7 @@ mod tests {
     }
 
     fn client_identity_path() -> PathBuf {
-        if cfg!(target_os = "macos") {
-            tls_dir().join("lighthouse").join("key_legacy.p12")
-        } else {
-            tls_dir().join("lighthouse").join("key.p12")
-        }
+        tls_dir().join("lighthouse").join("key.p12")
     }
 
     fn client_identity_password() -> String {

testing/web3signer_tests/tls/generate.sh

@@ -1,12 +1,5 @@
 #!/bin/bash
 
-# The lighthouse/key_legacy.p12 file is generated specifically for macOS because the default `openssl pkcs12` encoding
-# algorithm in OpenSSL v3 is not compatible with the PKCS algorithm used by the Apple Security Framework. The client
-# side (using the reqwest crate) relies on the Apple Security Framework to parse PKCS files.
-# We don't need to generate web3signer/key_legacy.p12 because the compatibility issue doesn't occur on the web3signer
-# side. It seems that web3signer (Java) uses its own implementation to parse PKCS files.
-# See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2469252651
-
 # We specify `-days 825` when generating the certificate files because Apple requires TLS server certificates to have a
 # validity period of 825 days or fewer.
 # See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2474979183
@@ -16,5 +9,4 @@ openssl pkcs12 -export -out web3signer/key.p12 -inkey web3signer/key.key -in web
 cp web3signer/cert.pem lighthouse/web3signer.pem &&
 openssl req -x509 -sha256 -nodes -days 825 -newkey rsa:4096 -keyout lighthouse/key.key -out lighthouse/cert.pem -config lighthouse/config &&
 openssl pkcs12 -export -out lighthouse/key.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
-openssl pkcs12 -export -legacy -out lighthouse/key_legacy.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
 openssl x509 -noout -fingerprint -sha256 -inform pem -in lighthouse/cert.pem | cut -b 20-| sed "s/^/lighthouse /" > web3signer/known_clients.txt

validator_client/initialized_validators/Cargo.toml

@@ -12,7 +12,9 @@ eth2_keystore = { workspace = true }
 filesystem = { workspace = true }
 lockfile = { workspace = true }
 metrics = { workspace = true }
+p12-keystore = "0.2"
 parking_lot = { workspace = true }
+pem = "3"
 rand = { workspace = true }
 reqwest = { workspace = true }
 serde = { workspace = true }

validator_client/initialized_validators/src/lib.rs

@@ -397,6 +397,7 @@ pub fn load_pem_certificate<P: AsRef<Path>>(pem_path: P) -> Result<Certificate,
     Certificate::from_pem(&buf).map_err(Error::InvalidWeb3SignerRootCertificate)
 }
 
+// Read a PKCS12 identity certificate and parse it into a PEM certificate.
 pub fn load_pkcs12_identity<P: AsRef<Path>>(
     pkcs12_path: P,
     password: &str,
@@ -406,7 +407,29 @@ pub fn load_pkcs12_identity<P: AsRef<Path>>(
         .map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?
         .read_to_end(&mut buf)
         .map_err(Error::InvalidWeb3SignerClientIdentityCertificateFile)?;
-    Identity::from_pkcs12_der(&buf, password)
+
+    let keystore = p12_keystore::KeyStore::from_pkcs12(&buf, password).map_err(|e| {
+        Error::InvalidWeb3SignerClientIdentityCertificateFile(io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!("PKCS12 parse error: {e:?}"),
+        ))
+    })?;
+
+    let (_alias, key_chain) = keystore
+        .private_key_chain()
+        .ok_or(Error::MissingWeb3SignerClientIdentityCertificateFile)?;
+
+    let key_pem = pem::encode(&pem::Pem::new("PRIVATE KEY", key_chain.key()));
+    let certs_pem: String = key_chain
+        .chain()
+        .iter()
+        .map(|cert| pem::encode(&pem::Pem::new("CERTIFICATE", cert.as_der())))
+        .collect::<Vec<_>>()
+        .join("\n");
+
+    let combined_pem = format!("{key_pem}\n{certs_pem}");
+
+    Identity::from_pem(combined_pem.as_bytes())
         .map_err(Error::InvalidWeb3SignerClientIdentityCertificate)
 }