How to get the certhash for webrtc?

[Download]

Trying to understand how to make browser to server communication work over webrtc. I am looking at the example in the docs for js-libp2p/transport-webrtc and there I see this:

const ma =  multiaddr('/ip4/0.0.0.0/udp/56093/webrtc/certhash/uEiByaEfNSLBexWBNFZy_QB1vAKEj7JAXDizRs4_SnTflsQ')

This has me stumped. Why is there a hardcoded certhash here? How do I find this certhash for my server?

There are lots of docs on WebRTC. Many are a real interesting read. But when it comes to setting this up practically speaking, initially just for a Node JS server running on localhost and later for a public server running on some public IP somewhere, I am running into a dead end.

I would be willing to update the docs with PRs, if I can get into a place where I actually understand how to do it myself. But as of yet I have no idea where this magic hardcoded value is coming from and what I could do to get this value for my own server. Any help would be greatly appreciated.

[Download]

To make matters a bit more practical, I created a very small program that represents my current attempt at starting a node that supports circuit-relay and webRTC (because I understand that WebRTC requires Circuit-Relay but please correct me if I'm wrong).

I am generating a public/private keypair at the start of the program and generating a peerid based on that.... So if I need to do something with e.g. the private key in order to generate the certhash, it can be done once I know how...

Example program

import type { PeerId, PrivateKey, PublicKey } from '@libp2p/interface'
import { keys } from '@libp2p/crypto'
import { peerIdFromKeys } from '@libp2p/peer-id'
import { createLibp2p } from 'libp2p'
import { circuitRelayTransport } from '@libp2p/circuit-relay-v2'
import { webRTC } from '@libp2p/webrtc'
import { noise } from '@chainsafe/libp2p-noise'
import { yamux } from '@chainsafe/libp2p-yamux'

type PeerInfo = {
  peerId: PeerId;
  privateKey: PrivateKey;
  publicKey: PublicKey;
}

async function generatePeerInfo(): Promise<PeerInfo> {
  console.info('Generating a secp256k1 private/public key pair...')
  const privateKey: PrivateKey = await keys.generateKeyPair('secp256k1')
  console.info('Generated a secp256k1 private key. Extracting public key...')
  const publicKey: PublicKey = privateKey.public;
  console.info('Extracted public key. Generating PeerId...')
  const peerId: PeerId = await peerIdFromKeys(publicKey.bytes, privateKey.bytes)
  console.info('Generated PeerId: ' + peerId.toString())
  return {
    peerId,
    privateKey,
    publicKey
  }
}

async function createNode (peerInfo: PeerInfo) {
  return await createLibp2p({
    peerId: peerInfo.peerId,
    // libp2p nodes are started by default,
    // pass false to override this
    start: false,
    addresses: {
      listen: [
        `/webrtc`,
      ]
    },
    transports: [
      circuitRelayTransport(),
      webRTC(),
    ],
    connectionEncryption: [noise()],
    streamMuxers: [yamux()],
  })
}

// generate peer info
const peerInfo: PeerInfo = await generatePeerInfo()

// create a node using generated peer info
const node = await createNode(peerInfo)

// start the node
await node.start()

// log multi addresses
console.info('Node listening on ', node.getMultiaddrs())

// stop the node
await node.stop()
console.info('Node stopped');

Example program output

Generating a secp256k1 private/public key pair...
Generated a secp256k1 private key. Extracting public key...
Extracted public key. Generating PeerId...
Generated PeerId: 16Uiu2HAkxwMUYVjNJetbMYtUJACwibUC35NYcXDwHTpMjLmjtNEq
Node listening on  []
Node stopped

My expectation

I am expecting to get some listening addresses so I can contact the running node from some other node. But as you can see from the output it prints only an empty array after Node listening on ... So this is where my questions lie. I would expect a relay address (since I added the relay transport) and a webrtc address but I am getting none.

[Download]

Since first asking this question, I have done some more research, mostly by looking at the browser pubsub example, which uses both WebRTC and Circuit Relay.

Following the instructions in that example, I have been able to directly connect one node running in the browser to another node running in the browser. I have verified that even after I terminate the server node (running the relay server), both nodes in the browser are still able to communicate with each other. So that is good news.

However, I still don't understand where the certhash comes into the picture and how to manage it (if indeed it needs to be managed in the first place?).

Here is what I am seeing in the browser pubsub example:

I open a relay server
I dial this relay server from the browser node
The browser node has '/webrtc' as the listening address (note: no certhash here)
Once the browser node establishes a connection to the relay server, its list of listening addresses contains addresses containing the string ../p2p-circuit/webrtc/.., e.g.:

/ip4/127.0.0.1/tcp/54672/ws/p2p/16Uiu2HAmShBjx9QS2uQxb7Q8kgACS1PfWpaKFVgzN3hkU5FrfVNz/p2p-circuit/webrtc/p2p/12D3KooWGYSAAp16RoYFsK659SNEz2yDft5iC3J7KwAWz1buu1uQ

If I dial this address from a second browser node, they see each other as peers. I can subscribe both to the same pubsub topic and if one node publishes a message to the topic, the other node sees it. This works even after stopping the relay server.

So that is the good news. The bad news is that I still have no idea where the certhash comes into this picture. It seems to me that these p2p-circuit/webrtc addresses can only be dialed via the Circuit Relay server. And maybe that is indeed true. Maybe the certhash is only relevant when running WebRTC on the server? Or maybe the certhash gets added for these browser nodes only during the establishment of the connection (below the surface)?

I have something working now but with little actual understanding on my part. Maybe that will come later as I expand on this example and read more of the source code.... But as far as docs and guides go I simply cannot find the answer and also this question got zero answers so far... I am trying to help improve the docs but I cant unless I understand it myself so that is a bit of a catch-22. Hoping people that understand it better than me can chime in on this question to help me improve my understanding to the point where I can contribute to the docs better.

[sleep9]

I am trying to solve this exact problem. See the following https://github.com/libp2p/specs/blob/master/webrtc/webrtc-direct.md

The TLS certificate fingerprint in /certhash is a multibase encoded multihash.

I tried generating a selfsigned certificate via https://github.com/jfromaniello/selfsigned and extracting the fingerprint. Then hashing this with sha256 multihash, then encoding with multibase (base64url). However my solution does not work.

[achingbrain]

certhash is the hash of the SSL certificate the listener is using to encrypt the connection and is not derived from the PeerId.

It's only used by the WebRTC Direct transport which is dial-only in browsers and not implemented in Node.js (the other flavour of WebRTC OTOH is implemented in browsers, node, electron, etc).

You should be able to obtain it from the multiaddr of the server, which you'd get by some out-of-band method.

Unfortunately the WebRTC readme was out of date and showed an example for WebRTC Direct but used a multiaddr with a webrtc protocol instead of webrtc-direct. I've updated it now, please open a PR if you think it can be improved further - https://github.com/libp2p/js-libp2p/tree/main/packages/transport-webrtc#readme