Verify the remote pubkey and peer_id
- Add `from_bytes` in RSAPublicKey and Secp256k1PublicKey - Add `pubkey_from_protobuf` to parse pubkey from protobuf - Verify key and peer_id in `InsecureSession.run_handshake`
This commit is contained in:
mhchia
parent
ef476e555b
commit
921bfb65cc
@ -11,6 +11,11 @@ class RSAPublicKey(PublicKey):
|
|||||||
def to_bytes(self) -> bytes:
|
def to_bytes(self) -> bytes:
|
||||||
return self.impl.export_key("DER")
|
return self.impl.export_key("DER")
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def from_bytes(cls, key_bytes: bytes) -> "RSAPublicKey":
|
||||||
|
rsakey = RSA.import_key(key_bytes)
|
||||||
|
return cls(rsakey)
|
||||||
|
|
||||||
def get_type(self) -> KeyType:
|
def get_type(self) -> KeyType:
|
||||||
return KeyType.RSA
|
return KeyType.RSA
|
||||||
|
|
||||||
@ -30,6 +35,11 @@ class RSAPrivateKey(PrivateKey):
|
|||||||
def to_bytes(self) -> bytes:
|
def to_bytes(self) -> bytes:
|
||||||
return self.impl.export_key("DER")
|
return self.impl.export_key("DER")
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def from_bytes(cls, key_bytes: bytes) -> "RSAPrivateKey":
|
||||||
|
rsakey = RSA.import_key(key_bytes)
|
||||||
|
return cls(rsakey)
|
||||||
|
|
||||||
def get_type(self) -> KeyType:
|
def get_type(self) -> KeyType:
|
||||||
return KeyType.RSA
|
return KeyType.RSA
|
||||||
|
|
||||||
|
|||||||
@ -10,6 +10,11 @@ class Secp256k1PublicKey(PublicKey):
|
|||||||
def to_bytes(self) -> bytes:
|
def to_bytes(self) -> bytes:
|
||||||
return self.impl.format()
|
return self.impl.format()
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def from_bytes(cls, key_bytes: bytes) -> "Secp256k1PublicKey":
|
||||||
|
secp256k1_pubkey = coincurve.PublicKey(key_bytes)
|
||||||
|
return cls(secp256k1_pubkey)
|
||||||
|
|
||||||
def get_type(self) -> KeyType:
|
def get_type(self) -> KeyType:
|
||||||
return KeyType.Secp256k1
|
return KeyType.Secp256k1
|
||||||
|
|
||||||
|
|||||||
16
libp2p/crypto/utils.py
Normal file
16
libp2p/crypto/utils.py
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
from .keys import PublicKey
|
||||||
|
from .pb import crypto_pb2 as protobuf
|
||||||
|
from .rsa import RSAPublicKey
|
||||||
|
from .secp256k1 import Secp256k1PublicKey
|
||||||
|
|
||||||
|
|
||||||
|
def pubkey_from_protobuf(pubkey_pb: protobuf.PublicKey) -> PublicKey:
|
||||||
|
if pubkey_pb.key_type == protobuf.RSA:
|
||||||
|
return RSAPublicKey.from_bytes(pubkey_pb.data)
|
||||||
|
# TODO: Test against secp256k1 keys
|
||||||
|
elif pubkey_pb.key_type == protobuf.Secp256k1:
|
||||||
|
return Secp256k1PublicKey.from_bytes(pubkey_pb.data)
|
||||||
|
else:
|
||||||
|
raise ValueError(
|
||||||
|
f"unsupported key_type={pubkey_pb.key_type}, data={pubkey_pb.data!r}"
|
||||||
|
)
|
||||||
@ -13,6 +13,12 @@ class BaseSession(ISecureConn):
|
|||||||
is only meant to be used in clases that derive from it.
|
is only meant to be used in clases that derive from it.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
local_peer: ID
|
||||||
|
local_private_key: PrivateKey
|
||||||
|
conn: IRawConnection
|
||||||
|
remote_peer_id: ID
|
||||||
|
remote_permanent_pubkey: PublicKey
|
||||||
|
|
||||||
def __init__(
|
def __init__(
|
||||||
self, transport: BaseSecureTransport, conn: IRawConnection, peer_id: ID
|
self, transport: BaseSecureTransport, conn: IRawConnection, peer_id: ID
|
||||||
) -> None:
|
) -> None:
|
||||||
|
|||||||
@ -1,4 +1,5 @@
|
|||||||
from libp2p.crypto.keys import PublicKey
|
from libp2p.crypto.keys import PublicKey
|
||||||
|
from libp2p.crypto.utils import pubkey_from_protobuf
|
||||||
from libp2p.network.connection.raw_connection_interface import IRawConnection
|
from libp2p.network.connection.raw_connection_interface import IRawConnection
|
||||||
from libp2p.peer.id import ID
|
from libp2p.peer.id import ID
|
||||||
from libp2p.security.base_session import BaseSession
|
from libp2p.security.base_session import BaseSession
|
||||||
@ -23,13 +24,31 @@ class InsecureSession(BaseSession):
|
|||||||
encoded_msg_bytes = encode_fixedint_prefixed(msg_bytes)
|
encoded_msg_bytes = encode_fixedint_prefixed(msg_bytes)
|
||||||
await self.write(encoded_msg_bytes)
|
await self.write(encoded_msg_bytes)
|
||||||
|
|
||||||
msg_bytes_other_side = await read_fixedint_prefixed(self.conn)
|
remote_msg_bytes = await read_fixedint_prefixed(self.conn)
|
||||||
msg_other_side = plaintext_pb2.Exchange()
|
remote_msg = plaintext_pb2.Exchange()
|
||||||
msg_other_side.ParseFromString(msg_bytes_other_side)
|
remote_msg.ParseFromString(remote_msg_bytes)
|
||||||
|
|
||||||
# TODO: Verify public key with peer id
|
# Verify if the given `pubkey` matches the given `peer_id`
|
||||||
# TODO: Store public key
|
try:
|
||||||
self.remote_peer_id = ID(msg_other_side.id)
|
remote_pubkey = pubkey_from_protobuf(remote_msg.pubkey)
|
||||||
|
except ValueError as error:
|
||||||
|
raise SecurityUpgradeFailure(
|
||||||
|
f"unknown protocol of remote_msg.pubkey={remote_msg.pubkey}"
|
||||||
|
) from error
|
||||||
|
remote_peer_id = ID(remote_msg.id)
|
||||||
|
remote_peer_id_from_pubkey = ID.from_pubkey(remote_pubkey)
|
||||||
|
if remote_peer_id_from_pubkey != remote_peer_id:
|
||||||
|
raise SecurityUpgradeFailure(
|
||||||
|
"peer id and pubkey from the remote mismatch: "
|
||||||
|
f"remote_peer_id={remote_peer_id}, remote_pubkey={remote_pubkey}, "
|
||||||
|
f"remote_peer_id_from_pubkey={remote_peer_id_from_pubkey}"
|
||||||
|
)
|
||||||
|
|
||||||
|
# Nothing is wrong. Store the `pubkey` and `peer_id` in the session.
|
||||||
|
self.remote_permanent_pubkey = remote_pubkey
|
||||||
|
self.remote_peer_id = ID(remote_msg.id)
|
||||||
|
|
||||||
|
# TODO: Store `pubkey` and `peer_id` to `PeerStore`
|
||||||
|
|
||||||
|
|
||||||
class InsecureTransport(BaseSecureTransport):
|
class InsecureTransport(BaseSecureTransport):
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user