Verifiable credentials and libp2p

smartrics · July 8, 2019, 10:51pm

Hi - we’re looking into libp2p as a network stack for our application and exploring how we could integrate verifiable credentials (https://w3c.github.io/vc-data-model/) infrastructure. A basic use case is that of a node being challenged to provide some specific credential to join the network. The bootstrap node handling the incoming connection should verify the credential with the issuer and complete the connection/bootstrap or terminate it.

Wanting to implement the scenario above, can we intercept the bootstrap connection on the receiver node and inject our verification logic? And what is the best way, for a node, to send some extra blob of data representing a VC?

We just started looking into go-libp2p and any pointer into the right direction would be greatly appreciated.

PS: I originally posted this as an issue here https://github.com/libp2p/libp2p/issues/78 but I only discovered this forum since.

Warchant · July 12, 2019, 5:00pm

You could accept streams from all peers that want to join the network, and execute custom authentication protocol on top of it. Then you reset any stream that did not pass authentication.

Also look at ConnManager component.

smartrics · August 5, 2019, 4:21pm

Thanks for replying - we managed by implementing the ConnectedF callback and by setting a stream handler:

host.Network().Notify(&inet.NotifyBundle{
	ConnectedF: func(n inet.Network, c inet.Conn) {
		// Open stream and read auth challenge and remove remote peer if failed
		stream, err := nn.Host.NewStream(nn.ctx, c.RemotePeer(), MyProtoID)
		// read challenge from stream 
		// do checks and close connection if necessary
	},
})

nn.Host.SetStreamHandler(ProtoID, func(stream network.Stream) {
	// write challenge to stream			
}

The main problem I see in this approach is that the security checks are performed when the node is already connected (ConnectedF). The node is disconnected only after the checks have failed.

I don’t see how ConnManager helps preventing the connection to be accepted if the incoming node isn’t authorised… It feels like as if we have to extend the nodes’ authentication handshake OR maybe we have to use a transport upgrader to intercept the connection creation (here we may have to use a separate socket channel to exchange secrets etc)

Thanks in advance for any other pointers you may be able to share.

Topic		Replies	Views
Implement custom handshake go	6	1601	April 20, 2023
Is libp2p suitable to build a node for a existing non-libp2p network? Users and Developers	2	315	January 6, 2023
Auth with ConnectionGater go	1	253	August 24, 2023
How can the listener verify the identity of the dialer? js	7	962	May 27, 2020
Proposal for removing unsigned messages in go-libp2p-pubsub Users and Developers	3	449	April 17, 2019

Verifiable credentials and libp2p

Related Topics