Authentication of PeerIds in authority discovery records

bin/node/cli/src/service.rs

@@ -358,6 +358,7 @@ pub fn new_full_base(
 	let name = config.network.node_name.clone();
 	let enable_grandpa = !config.disable_grandpa;
 	let prometheus_registry = config.prometheus_registry().cloned();
+	let strict_record_validation = config.strict_authority_records;
 
 	let rpc_handlers = sc_service::spawn_tasks(sc_service::SpawnTasksParams {
 		config,
@@ -455,6 +456,7 @@ pub fn new_full_base(
 			sc_authority_discovery::new_worker_and_service_with_config(
 				sc_authority_discovery::WorkerConfig {
 					publish_non_global_ips: auth_disc_publish_non_global_ips,
+					strict_record_validation,
 					..Default::default()
 				},
 				client.clone(),

client/authority-discovery/README.md

@@ -1,9 +1,9 @@
-Substrate authority discovery.
+# Substrate authority discovery
 
 This crate enables Substrate authorities to discover and directly connect to
 other authorities. It is split into two components the [`Worker`] and the
 [`Service`].
 
 See [`Worker`] and [`Service`] for more documentation.
 
-License: GPL-3.0-or-later WITH Classpath-exception-2.0
+License: GPL-3.0-or-later WITH Classpath-exception-2.0

client/authority-discovery/src/error.rs

@@ -46,10 +46,18 @@ pub enum Error {
 	EncodingDecodingScale(codec::Error),
 	/// Failed to parse a libp2p multi address.
 	ParsingMultiaddress(libp2p::core::multiaddr::Error),
+	/// Failed to parse a libp2p key.
+	ParsingLibp2pIdentity(libp2p::identity::error::DecodingError),
 	/// Failed to sign using a specific public key.
 	MissingSignature(CryptoTypePublicPair),
 	/// Failed to sign using all public keys.
 	Signing,
 	/// Failed to register Prometheus metric.
 	Prometheus(prometheus_endpoint::PrometheusError),
+	/// Received authority record that contains addresses with multiple peer ids
+	ReceivingDhtValueFoundEventWithDifferentPeerIds,
+	/// Received authority record without any addresses having a peer id
+	ReceivingDhtValueFoundEventWithNoPeerIds,
+	/// Received authority record without a valid signature for the remote peer id.
+	MissingPeerIdSignature,
 }

client/authority-discovery/src/lib.rs

@@ -78,6 +78,11 @@ pub struct WorkerConfig {
 	///
 	/// Defaults to `true` to avoid the surprise factor.
 	pub publish_non_global_ips: bool,
+
+	/// Reject authority discovery records that are not signed by their network identity (PeerId)
+	///
+	/// Defaults to `false` to provide compatibility with old versions
+	pub strict_record_validation: bool,
 }
 
 impl Default for WorkerConfig {
@@ -98,6 +103,7 @@ impl Default for WorkerConfig {
 			// `authority_discovery_dht_event_received`.
 			max_query_interval: Duration::from_secs(10 * 60),
 			publish_non_global_ips: true,
+			strict_record_validation: false,
 		}
 	}
 }

client/authority-discovery/src/tests.rs

@@ -82,3 +82,32 @@ fn get_addresses_and_authority_id() {
 		);
 	});
 }
+
+#[test]
+fn cryptos_are_compatible() {
+	use sp_core::crypto::Pair;
+
+	let libp2p_secret = libp2p::identity::Keypair::generate_ed25519();
+	let libp2p_public = libp2p_secret.public();
+
+	let sp_core_secret = {
+		let libp2p_ed_secret = match libp2p_secret.clone() {
+			libp2p::identity::Keypair::Ed25519(x) => x,
+			_ => panic!("generate_ed25519 should have generated an Ed25519 key ¯\\_(ツ)_/¯"),
+		};
+		sp_core::ed25519::Pair::from_seed_slice(&libp2p_ed_secret.secret().as_ref()).unwrap()
+	};
+	let sp_core_public = sp_core_secret.public();
+
+	let message = b"we are more powerful than not to be better";
+
+	let libp2p_signature = libp2p_secret.sign(message).unwrap();
+	let sp_core_signature = sp_core_secret.sign(message); // no error expected...
+
+	assert!(sp_core::ed25519::Pair::verify(
+		&sp_core::ed25519::Signature::from_slice(&libp2p_signature),
+		message,
+		&sp_core_public
+	));
+	assert!(libp2p_public.verify(message, sp_core_signature.as_ref()));
+}