Domain Validation

What is implemented

Transport tests verify that a connection whose peer certificate domain does not match the local domain is rejected with ErrDomainMismatch even when the TLS handshake succeeds.

Certificate Identity Mapping Rules

Transport identity extraction is now explicit (certIdentityFromCert):

  1. URI SAN rule (preferred): parse URI path segments:

    • /.../peers/<peer-id>/... → PeerID = "uri:<peer-id>"

    • /.../domains/<domain-id>/... → extracted certificate domain

  2. DNS SAN fallback: PeerID = "dns:<first-dns-san>"

  3. CN fallback: PeerID = "cn:<subject-cn>"

  4. Final fallback: SHA-256 fingerprint of DER certificate bytes

If a certificate domain is present and differs from the local edge_domain_id, the transport rejects the connection with ErrDomainMismatch.

Clarification

The earlier mention of the tool.http_get allowlist belongs to runtime tool-policy controls, not to deterministic relay-transport domain validation.

Evidence

  • edge/transport/transport.go (ErrDomainMismatch, PeerID contract)

  • edge/transport/tcptls.go (certIdentityFromCert, parseIdentityURI, certificate-domain enforcement)

  • edge/transport/transport_test.go (TestTCPTLS_WrongDomain_Rejected)

  • edge/transport/identity_test.go (TestCertIdentityFromCert_URIRules, TestCertIdentityFromCert_CNFallback)

  • docs/_generated/test-outputs/demo-output.txt (shows documented fallback path when socket tests are unavailable)

  • runtime/tools.go (ErrDomainNotAllowed, runtime-layer concern)

See Also