flexiblepower · davidv1992 · Mar 26, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,6 +9,7 @@ base64 = "0.22.1"
 bon = "3.8.0"
 chrono = { version = "0.4.42", features = ["serde"] }
 futures-util = "0.3.31"
+generic-array = { version = "=0.14.7", features = ["serde"] }
 hmac = "0.12.1"
 http = "1.4.0"
 hyper = "1.8.1"

diff --git a/s2energy-connection/Cargo.toml b/s2energy-connection/Cargo.toml
@@ -8,6 +8,7 @@ axum.workspace = true
 axum-extra.workspace = true
 base64.workspace = true
 futures-util.workspace = true
+generic-array.workspace = true
 hmac.workspace = true
 http.workspace = true
 hyper.workspace = true

diff --git a/s2energy-connection/examples/communication-client.rs b/s2energy-connection/examples/communication-client.rs
@@ -35,6 +35,10 @@ impl ClientPairing for &mut MemoryPairing {
         &self.communication_url
     }
 
+    fn certificate_hash(&self) -> Option<s2energy_connection::CertificateHash> {
+        None
+    }
+
     async fn set_access_tokens(&mut self, tokens: Vec<AccessToken>) -> Result<(), Self::Error> {
         self.tokens = tokens;
         Ok(())

diff --git a/s2energy-connection/examples/pairing-client.rs b/s2energy-connection/examples/pairing-client.rs
@@ -4,7 +4,7 @@ use uuid::uuid;
 
 use s2energy_connection::{
     Deployment, EndpointDescription, MessageVersion, NodeDescription, Role,
-    pairing::{Client, ClientConfig, NodeConfig, NodeIdAlias, PairingRemote},
+    pairing::{Client, ClientConfig, NodeConfig, NodeIdAlias, PairingRemote, RemoteNodeIdentifier},
 };
 use tracing_subscriber::{EnvFilter, fmt, prelude::*};
 
@@ -29,7 +29,7 @@ async fn main() {
         },
         vec![MessageVersion("v1".into())],
     )
-    .with_connection_initiate_url("client.example.com".into())
+    .with_connection_initiate_url("https://client.example.com".into())
     .build()
     .unwrap();
 
@@ -48,7 +48,7 @@ async fn main() {
             &config,
             PairingRemote {
                 url: "https://localhost:8005".into(),
-                id: Some(NodeIdAlias("ninechars".into())),
+                id: RemoteNodeIdentifier::Alias(NodeIdAlias("ninechars".into())),
             },
             PAIRING_TOKEN,
             async |pairing| {
@@ -61,7 +61,7 @@ async fn main() {
     let pair_result = rx.await.unwrap();
 
     match pair_result.role {
-        s2energy_connection::pairing::PairingRole::CommunicationClient { initiate_url } => {
+        s2energy_connection::pairing::PairingRole::CommunicationClient { initiate_url, .. } => {
             println!("Paired as client, url: {initiate_url}, token: {}", pair_result.token.0)
         }
         s2energy_connection::pairing::PairingRole::CommunicationServer => println!("Paired as server, token: {}", pair_result.token.0),

diff --git a/s2energy-connection/examples/pairing-server.rs b/s2energy-connection/examples/pairing-server.rs
@@ -35,7 +35,7 @@ async fn main() {
         },
         vec![MessageVersion("v1".into())],
     )
-    .with_connection_initiate_url("test.example.com".into())
+    .with_connection_initiate_url("https://test.example.com".into())
     .build()
     .unwrap();
     let app = server.get_router();

diff --git a/s2energy-connection/src/communication/client.rs b/s2energy-connection/src/communication/client.rs
@@ -7,10 +7,11 @@ use tokio_tungstenite::{Connector, connect_async_tls_with_config, tungstenite::C
 use tracing::{debug, trace};
 
 use crate::{
-    AccessToken, CommunicationProtocol, EndpointDescription, NodeId,
+    AccessToken, CertificateHash, CommunicationProtocol, EndpointDescription, NodeId,
     common::negotiate_version,
     communication::{
         CommunicationResult, ConnectionInfo, Error, ErrorKind, NodeConfig, WebSocketTransport,
+        transport::hash_checking_http_client,
         wire::{
             CommunicationDetails, CommunicationDetailsErrorMessage, InitiateConnectionRequest, InitiateConnectionResponse, UnpairRequest,
         },
@@ -52,6 +53,8 @@ pub trait ClientPairing: Send {
     fn access_tokens(&self) -> impl AsRef<[AccessToken]>;
     /// The communication url the client can use to contact the server.
     fn communication_url(&self) -> impl AsRef<str>;
+    /// Hash of the root certificate the server uses.
+    fn certificate_hash(&self) -> Option<CertificateHash>;
 
     /// Store a new set of access tokens for the pairing.
     fn set_access_tokens(&mut self, tokens: Vec<AccessToken>) -> impl Future<Output = Result<(), Self::Error>> + Send;
@@ -71,14 +74,17 @@ impl Client {
     /// upon success.
     #[tracing::instrument(skip_all, fields(client = %pairing.client_id(), server = %pairing.server_id()), level = tracing::Level::ERROR)]
     pub async fn unpair(&self, pairing: impl ClientPairing) -> CommunicationResult<()> {
-        let client = reqwest::Client::builder()
-            .tls_certs_merge(
-                self.additional_certificates
-                    .iter()
-                    .filter_map(|v| reqwest::Certificate::from_der(v).ok()),
-            )
-            .build()
-            .map_err(|e| Error::new(ErrorKind::TransportFailed, e))?;
+        let client = match pairing.certificate_hash() {
+            Some(hash) => hash_checking_http_client(hash)?,
+            None => reqwest::Client::builder()
+                .tls_certs_merge(
+                    self.additional_certificates
+                        .iter()
+                        .filter_map(|v| reqwest::Certificate::from_der(v).ok()),
+                )
+                .build()
+                .map_err(|e| Error::new(ErrorKind::TransportFailed, e))?,
+        };
 
         let communication_url = Url::parse(pairing.communication_url().as_ref()).map_err(|e| Error::new(ErrorKind::InvalidUrl, e))?;
 
@@ -301,7 +307,7 @@ mod tests {
     use tokio::net::TcpListener;
 
     use crate::{
-        AccessToken, CommunicationProtocol, EndpointDescription, MessageVersion, NodeId, Role,
+        AccessToken, CertificateHash, CommunicationProtocol, EndpointDescription, MessageVersion, NodeId, Role,
         common::wire::test::{UUID_A, UUID_B, basic_node_description},
         communication::{
             self, Client, ClientConfig, ClientPairing, ErrorKind, NodeConfig, PairingLookup, Server, ServerConfig, ServerPairing,
@@ -370,6 +376,7 @@ mod tests {
         server: NodeId,
         tokens: Arc<Mutex<Vec<AccessToken>>>,
         url: String,
+        certificate_hash: Option<CertificateHash>,
     }
 
     impl ClientPairing for &TestPairing {
@@ -391,6 +398,10 @@ mod tests {
             &self.url
         }
 
+        fn certificate_hash(&self) -> Option<CertificateHash> {
+            self.certificate_hash.clone()
+        }
+
         async fn set_access_tokens(&mut self, tokens: Vec<AccessToken>) -> Result<(), Self::Error> {
             *self.tokens.lock().unwrap() = tokens;
             Ok(())
@@ -451,6 +462,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert!(client.unpair(&pairing).await.is_ok());
@@ -483,6 +495,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("invalidtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let error = client.unpair(&pairing).await.unwrap_err();
@@ -511,6 +524,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let mut client_connection = client.connect(&pairing).await.unwrap();
@@ -577,6 +591,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let mut client_connection = client.connect(&pairing).await.unwrap();
@@ -637,6 +652,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let mut client_connection = client.connect(&pairing).await.unwrap();
@@ -692,6 +708,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let mut client_connection = client.connect(&pairing).await.unwrap();
@@ -740,6 +757,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let mut client_connection = client.connect(&pairing).await.unwrap();
@@ -792,6 +810,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert_eq!(client.connect(&pairing).await.unwrap_err().kind(), ErrorKind::NoSupportedVersion);
@@ -830,6 +849,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert_eq!(client.connect(&pairing).await.unwrap_err().kind(), ErrorKind::NoSupportedVersion);
@@ -876,6 +896,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert_eq!(client.connect(&pairing).await.unwrap_err().kind(), ErrorKind::NoSupportedVersion);
@@ -922,6 +943,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert_eq!(client.connect(&pairing).await.unwrap_err().kind(), ErrorKind::NoSupportedVersion);
@@ -973,6 +995,10 @@ mod tests {
                 &self.url
             }
 
+            fn certificate_hash(&self) -> Option<CertificateHash> {
+                None
+            }
+
             async fn set_access_tokens(&mut self, _tokens: Vec<AccessToken>) -> Result<(), Self::Error> {
                 Err(std::io::ErrorKind::Other.into())
             }
@@ -995,6 +1021,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         let mut client_connection = client.connect(&pairing).await.unwrap();
@@ -1042,6 +1069,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert_eq!(client.connect(&pairing).await.unwrap_err().kind(), ErrorKind::ProtocolError);
@@ -1076,6 +1104,7 @@ mod tests {
             server: UUID_B.into(),
             tokens: Arc::new(Mutex::new(vec![AccessToken("testtoken".into())])),
             url: format!("https://localhost:{}/", addr.port()),
+            certificate_hash: None,
         };
 
         assert_eq!(client.connect(&pairing).await.unwrap_err().kind(), ErrorKind::ProtocolError);

diff --git a/s2energy-connection/src/communication/mod.rs b/s2energy-connection/src/communication/mod.rs
@@ -44,12 +44,13 @@
 //! # use std::sync::Arc;
 //! # use std::convert::Infallible;
 //! # use s2energy_connection::communication::{NodeConfig, Client, ClientConfig, ClientPairing};
-//! # use s2energy_connection::{MessageVersion, AccessToken, NodeId};
+//! # use s2energy_connection::{MessageVersion, AccessToken, NodeId, CertificateHash};
 //! struct MemoryClientPairing {
 //!     client_id: NodeId,
 //!     server_id: NodeId,
 //!     communication_url: String,
 //!     access_tokens: Vec<AccessToken>,
+//!     certificate_hash: Option<CertificateHash>,
 //! }
 //!
 //! impl ClientPairing for MemoryClientPairing {
@@ -71,6 +72,10 @@
 //!         &self.access_tokens
 //!     }
 //!
+//!     fn certificate_hash(&self) -> Option<CertificateHash> {
+//!         self.certificate_hash.clone()
+//!     }
+//!
 //!     async fn set_access_tokens(&mut self, tokens: Vec<AccessToken>) -> Result<(), Infallible> {
 //!         self.access_tokens = tokens;
 //!         Ok(())
@@ -84,6 +89,7 @@
 //!     server_id: NodeId::try_from("67e55044-10b1-426f-9247-bb680e5fe0c6").unwrap(),
 //!     communication_url: "https://example.com".into(),
 //!     access_tokens: vec![AccessToken("some-token-value".into())],
+//!     certificate_hash: None,
 //! });
 //! ```
 //!
@@ -210,6 +216,7 @@ use crate::{EndpointDescription, MessageVersion, NodeDescription};
 mod client;
 mod error;
 mod server;
+mod transport;
 mod websocket;
 mod wire;