Skip to content

Fix: signer identity validation for signed PeerRecords#1339

Open
sumanjeet0012 wants to merge 5 commits into
libp2p:mainfrom
sumanjeet0012:kademlia_issue
Open

Fix: signer identity validation for signed PeerRecords#1339
sumanjeet0012 wants to merge 5 commits into
libp2p:mainfrom
sumanjeet0012:kademlia_issue

Conversation

@sumanjeet0012

@sumanjeet0012 sumanjeet0012 commented May 30, 2026

Copy link
Copy Markdown
Contributor

What was wrong?

Fixes #1338

KadDHT accepted signed PeerRecords where the signer identity did not match record.peer_id.

Although the envelope signature was valid, the signer public key embedded in the envelope could derive to a different peer ID than the one claimed in the record payload.

This allowed authenticated but incorrectly bound peer records to poison the certified address book for arbitrary peer IDs.

How was it fixed?

Added signer identity binding validation before accepting signed peer records.

The fix enforces:

signer_peer_id = ID.from_pubkey(envelope.public_key)

Records with mismatched signer identities are now rejected before they can update certified peer addresses.

To-Do

  • Clean up commit history
  • Add or update documentation related to these changes
  • Add entry to the release notes

Cute Animal Picture

@yashksaini-coder

yashksaini-coder commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Hi @sumanjeet0012 — yours predates and covers #1338, and enforcing this in peerstore.consume_peer_record is a more central spot than where I landed (it covers every caller, not just KadDHT), so this clearly has priority. I'd independently opened #1348 for the same issue before I noticed yours — apologies for the overlap.

One thing from #1348 that might be useful here: it includes a regression test — tests/core/kad_dht/test_signed_record_signer_binding.py — that exercises the forgery on both the senderRecord and signedRecord paths and also checks a legitimate self-signed record is still accepted. It should apply cleanly on top of your peerstore fix.

Happy to push it to your branch, or open it as a small follow-up once this merges — whatever's easiest for you. Feel free to lift it straight from #1348. Let me know if a second pair of eyes on the diff would help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

KadDHT accepts signed PeerRecords with mismatched signer identity

2 participants

@sumanjeet0012 @yashksaini-coder