feat(noise): add WebTransport certhashes extension

[oblique]

Description

The extension for WebTransport certhashes was added and can be configured via Config::with_webtransport_certhashes.

In case of initiator, these certhashes will be used to validate the ones reported by responder. In case of responder, these certhashes will be reported to initiator.

Resolves #3988.

Notes & open questions

I had also implemented another way to resolve this issue, which was exposing certhashes via Output<T>::webtransport_certhashes. In that implementation the user (i.e. the WebTransport implementer) was responsible to check if the certhashes were valid, but I wasn't sure if I like it.

With the code of this PR, the user needs to only define certhashes in the Config, so I find it less error prone. However it might be less future proof.

Change checklist

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• A changelog entry has been made in the appropriate crates

[mxinden]

🚀 thank you for your work here! Overall this change looks good to me, though will defer another review until after reviewing #4015.

(Nit pick: Missing a changelog entry in transports/noise/CHANGELOG.md.)

Out of curiosity, mind sharing your use-case?

[thomaseizinger]

This looks really good, thank you!

It is also great to see the foundations for inbound muxer selection. That will shave off a roundtrip for all TCP connections.

I'd like to see a positive and a negative test for it to make sure it actually works and we don't break it in the future.

[thomaseizinger]

I had also implemented another way to resolve this issue, which was exposing certhashes via Output<T>::webtransport_certhashes. In that implementation the user (i.e. the WebTransport implementer) was responsible to check if the certhashes were valid, but I wasn't sure if I like it.

With the code of this PR, the user needs to only define certhashes in the Config, so I find it less error prone. However it might be less future proof.

Very much in favor of the current design:

• Smaller public API
• Less footguns
• Works out of the box
• We can solve future usecases when the arrive

[oblique]

I resolved all the issues, modified changelog, and added tests

[oblique]

@mxinden

Out of curiosity, mind sharing your use-case?

I need to use libp2p with WebTransport from a browser and wanted to implement the authentication. I can not disclose anything else for now.

[thomaseizinger]

Thanks! A few comments about the test but otherwise good! :)

[oblique]

@thomaseizinger ready

[thomaseizinger]

This is really good, thank you for the contribution!

[thomaseizinger]

I am not sure why mergify isn't merging this. I'll have to dig into it later.

[thomaseizinger]

@Mergifyio refresh

[mergify]

refresh

❌ Command disallowed due to command restrictions in the Mergify configuration.

Details

• any of:
  • sender-permission>=write
  • sender={{author}}

[thomaseizinger]

@mxinden Something seems to be borked with mergify's permissions evaluation. Can you approve this PR?

[mxinden]

Again, well done. I still have a couple of comments. Though nothing major.

[mergify]

This pull request has merge conflicts. Could you please resolve them @oblique? 🙏

[mergify]

This pull request has merge conflicts. Could you please resolve them @oblique? 🙏

[oblique]

rebased and solved merge conflicts

[oblique]

Resolved all the comments

[thomaseizinger]

Very clean, thank you for this work and your patience with the reviews :)

Good to go from my end. I'll defer to @mxinden for merging.

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #4064. Mergify cannot evaluate rules on this PR. ⚠️

[thomaseizinger]

This is low risk, has passing tests and no unresolved comments. I'll merge this because it makes orchestrating the two PRs sitting on top easier.

We can ship potential improvements spotted by @mxinden's final review as separate PRs.

Approvals have been dismissed because the PR was updated after the send-it label was applied.

[mxinden]

Great to see this merged. Thank you!