Authentication of PeerIds in authority discovery records (#10317)

* Consolidating test and production code * Signing/verifying authority discovery records with PeerId Unsigned records cannot be rejected yet, they just produce a warning in the log. * Upgrading to libp2p 0.40 * libp2p::identity and sp_core::crypto Ed25519 are compatible * Rejecting authority records unsigned by peer id can be configured * Fixes based on review comments * No command-line argument needed * info was still too much spam in the logs * Added tests for both strict and loose validation * Fixing based on review comments * Pierre preferred a signing method * Ooops, I need to slow down * Update bin/node/cli/src/service.rs * Reexport libp2p crypto used in sc-network * Added proto3 compatibility tests. And import noise. Co-authored-by: Bastian Köcher <bkchr@users.noreply.github.com>
2026-04-30 14:17:56 +00:00 · 2021-12-05 20:17:14 +01:00
parent 4775f11edc
commit 5fd7fdcfcd
14 changed files with 637 additions and 200 deletions
@@ -78,6 +78,11 @@ pub struct WorkerConfig {
 	///
 	/// Defaults to `true` to avoid the surprise factor.
 	pub publish_non_global_ips: bool,
+
+	/// Reject authority discovery records that are not signed by their network identity (PeerId)
+	///
+	/// Defaults to `false` to provide compatibility with old versions
+	pub strict_record_validation: bool,
 }

 impl Default for WorkerConfig {
@@ -98,6 +103,7 @@ impl Default for WorkerConfig {
 			// `authority_discovery_dht_event_received`.
 			max_query_interval: Duration::from_secs(10 * 60),
 			publish_non_global_ips: true,
+			strict_record_validation: false,
 		}
 	}
 }