mirror of
https://github.com/fluencelabs/js-libp2p-noise
synced 2025-06-30 10:41:42 +00:00
Verify peer id
This commit is contained in:
morrigan
@ -14,6 +14,8 @@ export type PeerId = {
|
||||
pubKey: {
|
||||
marshal(): bytes;
|
||||
};
|
||||
marshalPubKey(): bytes;
|
||||
marshalPrivKey(): bytes;
|
||||
};
|
||||
|
||||
export interface NoiseConnection {
|
||||
|
||||
@ -2,14 +2,16 @@ import { Buffer } from "buffer";
|
||||
|
||||
import { bytes, bytes32 } from "./@types/basic";
|
||||
import { NoiseSession, XXHandshake } from "./xx";
|
||||
import { KeyPair } from "./@types/libp2p";
|
||||
import { KeyPair, PeerId } from "./@types/libp2p";
|
||||
import {
|
||||
createHandshakePayload,
|
||||
decodeMessageBuffer,
|
||||
encodeMessageBuffer,
|
||||
getHandshakePayload,
|
||||
logger, signEarlyDataPayload,
|
||||
signPayload, verifySignedPayload,
|
||||
logger,
|
||||
signEarlyDataPayload,
|
||||
signPayload,
|
||||
verifySignedPayload,
|
||||
} from "./utils";
|
||||
import { WrappedConnection } from "./noise";
|
||||
|
||||
@ -22,6 +24,7 @@ export class Handshake {
|
||||
private prologue: bytes32;
|
||||
private staticKeys: KeyPair;
|
||||
private connection: WrappedConnection;
|
||||
private remotePeer: PeerId;
|
||||
private xx: XXHandshake;
|
||||
|
||||
constructor(
|
||||
@ -31,6 +34,7 @@ export class Handshake {
|
||||
prologue: bytes32,
|
||||
staticKeys: KeyPair,
|
||||
connection: WrappedConnection,
|
||||
remotePeer: PeerId,
|
||||
handshake?: XXHandshake,
|
||||
) {
|
||||
this.isInitiator = isInitiator;
|
||||
@ -39,6 +43,7 @@ export class Handshake {
|
||||
this.prologue = prologue;
|
||||
this.staticKeys = staticKeys;
|
||||
this.connection = connection;
|
||||
this.remotePeer = remotePeer;
|
||||
|
||||
this.xx = handshake || new XXHandshake();
|
||||
this.session = this.xx.initSession(this.isInitiator, this.prologue, this.staticKeys);
|
||||
@ -67,11 +72,12 @@ export class Handshake {
|
||||
const plaintext = await this.xx.recvMessage(this.session, receivedMessageBuffer);
|
||||
logger('Stage 1 - Initiator received the message. Got remote\'s static key.');
|
||||
|
||||
// if (!libp2pRemotekey) {
|
||||
// throw new Error("Missing remote's libp2p public key, can't verify peer ID.");
|
||||
// }
|
||||
logger("Initiator going to check remote's signature...");
|
||||
await verifySignedPayload(receivedMessageBuffer.ns, plaintext);
|
||||
try {
|
||||
await verifySignedPayload(receivedMessageBuffer.ns, plaintext, this.remotePeer.id);
|
||||
} catch (e) {
|
||||
throw new Error(`Error occurred while verifying signed payload: ${e.message}`);
|
||||
}
|
||||
logger("All good with the signature!");
|
||||
} else {
|
||||
logger('Stage 1 - Responder sending out first message with signed payload and static key.');
|
||||
@ -111,11 +117,11 @@ export class Handshake {
|
||||
const plaintext = await this.xx.recvMessage(this.session, receivedMessageBuffer);
|
||||
logger('Stage 2 - Responder received the message, finished handshake. Got remote\'s static key.');
|
||||
|
||||
// if (!libp2pRemotekey) {
|
||||
// throw new Error("Missing remote's libp2p public key, can't verify signature.");
|
||||
// }
|
||||
|
||||
await verifySignedPayload(receivedMessageBuffer.ns, plaintext);
|
||||
try {
|
||||
await verifySignedPayload(receivedMessageBuffer.ns, plaintext, this.remotePeer.id);
|
||||
} catch (e) {
|
||||
throw new Error(`Error occurred while verifying signed payload: ${e.message}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -46,7 +46,7 @@ export class Noise implements NoiseConnection {
|
||||
*/
|
||||
public async secureOutbound(localPeer: PeerId, connection: any, remotePeer: PeerId): Promise<SecureOutbound> {
|
||||
const wrappedConnection = Wrap(connection);
|
||||
const libp2pPublicKey = localPeer.pubKey.marshal();
|
||||
const libp2pPublicKey = localPeer.marshalPubKey();
|
||||
const handshake = await this.performHandshake(wrappedConnection, true, libp2pPublicKey, remotePeer);
|
||||
const conn = await this.createSecureConnection(wrappedConnection, handshake);
|
||||
|
||||
@ -65,7 +65,7 @@ export class Noise implements NoiseConnection {
|
||||
*/
|
||||
public async secureInbound(localPeer: PeerId, connection: any, remotePeer: PeerId): Promise<SecureOutbound> {
|
||||
const wrappedConnection = Wrap(connection);
|
||||
const libp2pPublicKey = localPeer.pubKey.marshal();
|
||||
const libp2pPublicKey = localPeer.marshalPubKey();
|
||||
const handshake = await this.performHandshake(wrappedConnection, false, libp2pPublicKey, remotePeer);
|
||||
const conn = await this.createSecureConnection(wrappedConnection, handshake);
|
||||
|
||||
@ -82,7 +82,7 @@ export class Noise implements NoiseConnection {
|
||||
remotePeer: PeerId,
|
||||
): Promise<Handshake> {
|
||||
const prologue = Buffer.from(this.protocol);
|
||||
const handshake = new Handshake(isInitiator, this.privateKey, libp2pPublicKey, prologue, this.staticKeys, connection);
|
||||
const handshake = new Handshake(isInitiator, this.privateKey, libp2pPublicKey, prologue, this.staticKeys, connection, remotePeer);
|
||||
|
||||
try {
|
||||
await handshake.propose();
|
||||
|
||||
21
src/utils.ts
21
src/utils.ts
@ -3,6 +3,7 @@ import protobuf from "protobufjs";
|
||||
import { Buffer } from "buffer";
|
||||
import debug from "debug";
|
||||
import PeerId from "peer-id";
|
||||
import * as crypto from 'libp2p-crypto';
|
||||
|
||||
import { KeyPair } from "./@types/libp2p";
|
||||
import { bytes } from "./@types/basic";
|
||||
@ -83,19 +84,23 @@ export function decodeMessageBuffer(message: bytes): MessageBuffer {
|
||||
}
|
||||
}
|
||||
|
||||
export async function verifyPeerId(peerId: bytes, publicKey: bytes) {
|
||||
const generatedPeerId = await PeerId.createFromPubKey(publicKey);
|
||||
if (!generatedPeerId.equals(peerId)) {
|
||||
throw new Error("Peer ID doesn't match libp2p public key.");
|
||||
}
|
||||
async function isValidPeerId(peerId: bytes, publicKeyProtobuf: bytes) {
|
||||
const generatedPeerId = await PeerId.createFromPubKey(publicKeyProtobuf);
|
||||
return generatedPeerId.id.equals(peerId);
|
||||
}
|
||||
|
||||
export async function verifySignedPayload(noiseStaticKey: bytes, plaintext: bytes) {
|
||||
export async function verifySignedPayload(noiseStaticKey: bytes, plaintext: bytes, peerId: bytes) {
|
||||
const NoiseHandshakePayload = await loadPayloadProto();
|
||||
const receivedPayload = NoiseHandshakePayload.toObject(NoiseHandshakePayload.decode(plaintext));
|
||||
const generatedPayload = getHandshakePayload(noiseStaticKey);
|
||||
|
||||
if (!ed25519.verify(generatedPayload, receivedPayload.noiseStaticKeySignature, receivedPayload.libp2pKey)) {
|
||||
if (!(await isValidPeerId(peerId, receivedPayload.libp2pKey)) ) {
|
||||
throw new Error("Peer ID doesn't match libp2p public key.");
|
||||
}
|
||||
|
||||
const generatedPayload = getHandshakePayload(noiseStaticKey);
|
||||
// Unmarshaling from PublicKey protobuf and taking key buffer only.
|
||||
const publicKey = crypto.keys.unmarshalPublicKey(receivedPayload.libp2pKey).marshal();
|
||||
if (!ed25519.verify(generatedPayload, receivedPayload.noiseStaticKeySignature, publicKey)) {
|
||||
throw new Error("Static key doesn't match to peer that signed payload!");
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user