Authentication of PeerIds in authority discovery records (#10317)
* Consolidating test and production code * Signing/verifying authority discovery records with PeerId Unsigned records cannot be rejected yet, they just produce a warning in the log. * Upgrading to libp2p 0.40 * libp2p::identity and sp_core::crypto Ed25519 are compatible * Rejecting authority records unsigned by peer id can be configured * Fixes based on review comments * No command-line argument needed * info was still too much spam in the logs * Added tests for both strict and loose validation * Fixing based on review comments * Pierre preferred a signing method * Ooops, I need to slow down * Update bin/node/cli/src/service.rs * Reexport libp2p crypto used in sc-network * Added proto3 compatibility tests. And import noise. Co-authored-by: Bastian Köcher <bkchr@users.noreply.github.com>
@@ -273,8 +273,9 @@ pub use protocol::{
|
||||
PeerInfo,
|
||||
};
|
||||
pub use service::{
|
||||
IfDisconnected, NetworkService, NetworkWorker, NotificationSender, NotificationSenderReady,
|
||||
OutboundFailure, RequestFailure,
|
||||
DecodingError, IfDisconnected, KademliaKey, Keypair, NetworkService, NetworkWorker,
|
||||
NotificationSender, NotificationSenderReady, OutboundFailure, PublicKey, RequestFailure,
|
||||
Signature, SigningError,
|
||||
};
|
||||
|
||||
pub use sc_peerset::ReputationChange;
|
||||
|
||||
@@ -54,7 +54,6 @@ use libp2p::{
|
||||
either::EitherError,
|
||||
upgrade, ConnectedPoint, Executor,
|
||||
},
|
||||
kad::record,
|
||||
multiaddr,
|
||||
ping::Failure as PingFailure,
|
||||
swarm::{
|
||||
@@ -93,9 +92,19 @@ pub use behaviour::{
|
||||
|
||||
mod metrics;
|
||||
mod out_events;
|
||||
mod signature;
|
||||
#[cfg(test)]
|
||||
mod tests;
|
||||
|
||||
pub use libp2p::{
|
||||
identity::{
|
||||
error::{DecodingError, SigningError},
|
||||
Keypair, PublicKey,
|
||||
},
|
||||
kad::record::Key as KademliaKey,
|
||||
};
|
||||
pub use signature::*;
|
||||
|
||||
/// Substrate network service. Handles network IO and manages connectivity.
|
||||
pub struct NetworkService<B: BlockT + 'static, H: ExHashT> {
|
||||
/// Number of peers we're connected to.
|
||||
@@ -106,6 +115,8 @@ pub struct NetworkService<B: BlockT + 'static, H: ExHashT> {
|
||||
is_major_syncing: Arc<AtomicBool>,
|
||||
/// Local copy of the `PeerId` of the local node.
|
||||
local_peer_id: PeerId,
|
||||
/// The `KeyPair` that defines the `PeerId` of the local node.
|
||||
local_identity: Keypair,
|
||||
/// Bandwidth logging system. Can be queried to know the average bandwidth consumed.
|
||||
bandwidth: Arc<transport::BandwidthSinks>,
|
||||
/// Peerset manager (PSM); manages the reputation of nodes and indicates the network which
|
||||
@@ -318,7 +329,7 @@ impl<B: BlockT + 'static, H: ExHashT> NetworkWorker<B, H> {
|
||||
};
|
||||
|
||||
transport::build_transport(
|
||||
local_identity,
|
||||
local_identity.clone(),
|
||||
config_mem,
|
||||
params.network_config.yamux_window_size,
|
||||
yamux_maximum_buffer_size,
|
||||
@@ -406,6 +417,7 @@ impl<B: BlockT + 'static, H: ExHashT> NetworkWorker<B, H> {
|
||||
is_major_syncing: is_major_syncing.clone(),
|
||||
peerset: peerset_handle,
|
||||
local_peer_id,
|
||||
local_identity,
|
||||
to_worker,
|
||||
peers_notifications_sinks: peers_notifications_sinks.clone(),
|
||||
notifications_sizes_metric: metrics
|
||||
@@ -667,6 +679,14 @@ impl<B: BlockT + 'static, H: ExHashT> NetworkService<B, H> {
|
||||
&self.local_peer_id
|
||||
}
|
||||
|
||||
/// Signs the message with the `KeyPair` that defined the local `PeerId`.
|
||||
pub fn sign_with_local_identity(
|
||||
&self,
|
||||
msg: impl AsRef<[u8]>,
|
||||
) -> Result<Signature, SigningError> {
|
||||
Signature::sign_message(msg.as_ref(), &self.local_identity)
|
||||
}
|
||||
|
||||
/// Set authorized peers.
|
||||
///
|
||||
/// Need a better solution to manage authorized peers, but now just use reserved peers for
|
||||
@@ -1024,7 +1044,7 @@ impl<B: BlockT + 'static, H: ExHashT> NetworkService<B, H> {
|
||||
///
|
||||
/// This will generate either a `ValueFound` or a `ValueNotFound` event and pass it as an
|
||||
/// item on the [`NetworkWorker`] stream.
|
||||
pub fn get_value(&self, key: &record::Key) {
|
||||
pub fn get_value(&self, key: &KademliaKey) {
|
||||
let _ = self.to_worker.unbounded_send(ServiceToWorkerMsg::GetValue(key.clone()));
|
||||
}
|
||||
|
||||
@@ -1032,7 +1052,7 @@ impl<B: BlockT + 'static, H: ExHashT> NetworkService<B, H> {
|
||||
///
|
||||
/// This will generate either a `ValuePut` or a `ValuePutFailed` event and pass it as an
|
||||
/// item on the [`NetworkWorker`] stream.
|
||||
pub fn put_value(&self, key: record::Key, value: Vec<u8>) {
|
||||
pub fn put_value(&self, key: KademliaKey, value: Vec<u8>) {
|
||||
let _ = self.to_worker.unbounded_send(ServiceToWorkerMsg::PutValue(key, value));
|
||||
}
|
||||
|
||||
@@ -1393,8 +1413,8 @@ enum ServiceToWorkerMsg<B: BlockT, H: ExHashT> {
|
||||
RequestJustification(B::Hash, NumberFor<B>),
|
||||
ClearJustificationRequests,
|
||||
AnnounceBlock(B::Hash, Option<Vec<u8>>),
|
||||
GetValue(record::Key),
|
||||
PutValue(record::Key, Vec<u8>),
|
||||
GetValue(KademliaKey),
|
||||
PutValue(KademliaKey, Vec<u8>),
|
||||
AddKnownAddress(PeerId, Multiaddr),
|
||||
SetReservedOnly(bool),
|
||||
AddReserved(PeerId),
|
||||
|
||||
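Review bot: `sign_with_local_identity` signs whatever bytes the caller passes with the key that defines the node's `PeerId`, and its doc comment does not say that the message is signed verbatim. The same `local_identity` is also handed to `transport::build_transport` in this file, so a signature over caller-chosen bytes can only be told apart from other uses of that key if the caller puts a protocol-specific context into the message; whether the authority-discovery caller does so is not visible in this diff. I would extend the doc comment with `/// The message is signed as-is; callers must include a protocol-specific context in the message so the signature cannot be reused outside that protocol.` The same applies to `Signature::sign_message` in signature.rs, which this method forwards to.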
@@ -0,0 +1,50 @@
|
||||
// This file is part of Substrate.
|
||||
//
|
||||
// Copyright (C) 2017-2021 Parity Technologies (UK) Ltd.
|
||||
// SPDX-License-Identifier: GPL-3.0-or-later WITH Classpath-exception-2.0
|
||||
//
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
//
|
||||
// If you read this, you are very thorough, congratulations.
|
||||
|
||||
use super::*;
|
||||
|
||||
/// A result of signing a message with a network identity. Since `PeerId` is potentially a hash of a
|
||||
/// `PublicKey`, you need to reveal the `PublicKey` next to the signature, so the verifier can check
|
||||
/// if the signature was made by the entity that controls a given `PeerId`.
|
||||
pub struct Signature {
|
||||
/// The public key derived from the network identity that signed the message.
|
||||
pub public_key: PublicKey,
|
||||
/// The actual signature made for the message signed.
|
||||
pub bytes: Vec<u8>,
|
||||
}
|
||||
|
||||
impl Signature {
|
||||
/// Create a signature for a message with a given network identity.
|
||||
pub fn sign_message(
|
||||
message: impl AsRef<[u8]>,
|
||||
keypair: &Keypair,
|
||||
) -> Result<Self, SigningError> {
|
||||
let public_key = keypair.public();
|
||||
let bytes = keypair.sign(message.as_ref())?;
|
||||
Ok(Self { public_key, bytes })
|
||||
}
|
||||
|
||||
/// Verify whether the signature was made for the given message by the entity that controls the
|
||||
/// given `PeerId`.
|
||||
pub fn verify(&self, message: impl AsRef<[u8]>, peer_id: &PeerId) -> bool {
|
||||
*peer_id == self.public_key.to_peer_id() &&
|
||||
self.public_key.verify(message.as_ref(), &self.bytes)
|
||||
}
|
||||
}
|
||||
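Review bot: `Signature::verify` accepts any signature that matches the message and the `PeerId`, however old it is, and its doc comment does not say that freshness is left to the caller. If the signed bytes carry no timestamp or sequence number (not visible in this file), a record that was valid once stays valid after the peer has changed its addresses. I would add to the doc comment of `verify`: `/// This checks key ownership only; it does not protect against replay of an older, validly signed message.` Separately, the `bool` return merges "public key does not map to `peer_id`" and "signature invalid", so the log warning mentioned in the commit description cannot say which check failed.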