// validateAliveMsg validates that an Alive message is authentic
func (sa *discoverySecurityAdapter) ValidateAliveMsg(am *proto.AliveMessage) bool {
if am == nil || am.Membership == nil || am.Membership.PkiID == nil || am.Signature == nil {
sa.logger.Warning("Invalid alive message:", am)
return false
}
var identity api.PeerIdentityType
// If signature is included inside AliveMessage
if am.Identity != nil {
identity = api.PeerIdentityType(am.Identity)
err := sa.mcs.ValidateIdentity(api.PeerIdentityType(identity))
if err != nil {
sa.logger.Warning("Failed validating identity of", am, "reason:", err)
return false
}
} else {
identity, _ = sa.idMapper.Get(am.Membership.PkiID)
if identity != nil {
sa.logger.Debug("Fetched identity of", am.Membership.PkiID, "from identity store")
}
}
if identity == nil {
sa.logger.Warning("Don't have certificate for", am)
return false
}
// At this point we got the certificate of the peer, proceed to verifying the AliveMessage
sig := am.Signature
am.Signature = nil
amIdentity := am.Identity
am.Identity = nil
b, err := prot.Marshal(am)
am.Signature = sig
am.Identity = amIdentity
if err != nil {
sa.logger.Error("Failed marshalling", am, ":", err)
return false
}
err = sa.mcs.Verify(identity, sig, b)
if err != nil {
sa.logger.Warning("Failed verifying:", am, ":", err)
return false
}
return true
}
// SignMessage signs an AliveMessage and updates its signature field
func (sa *discoverySecurityAdapter) SignMessage(am *proto.AliveMessage) *proto.AliveMessage {
am.Signature = nil
identity := am.Identity
am.Identity = nil
b, err := prot.Marshal(am)
if err != nil {
sa.logger.Error("Failed marshalling", am, ":", err)
return am
}
b, err = sa.mcs.Sign(b)
if err != nil {
sa.logger.Error("Failed signing", am, ":", err)
return am
}
am.Signature = b
am.Identity = identity
return am
}
