Example #1
0
// validateAliveMsg validates that an Alive message is authentic
func (sa *discoverySecurityAdapter) ValidateAliveMsg(am *proto.AliveMessage) bool {
	if am == nil || am.Membership == nil || am.Membership.PkiID == nil || am.Signature == nil {
		sa.logger.Warning("Invalid alive message:", am)
		return false
	}

	var identity api.PeerIdentityType

	// If signature is included inside AliveMessage
	if am.Identity != nil {
		identity = api.PeerIdentityType(am.Identity)
		err := sa.mcs.ValidateIdentity(api.PeerIdentityType(identity))
		if err != nil {
			sa.logger.Warning("Failed validating identity of", am, "reason:", err)
			return false
		}
	} else {
		identity, _ = sa.idMapper.Get(am.Membership.PkiID)
		if identity != nil {
			sa.logger.Debug("Fetched identity of", am.Membership.PkiID, "from identity store")
		}
	}

	if identity == nil {
		sa.logger.Warning("Don't have certificate for", am)
		return false
	}

	// At this point we got the certificate of the peer, proceed to verifying the AliveMessage

	sig := am.Signature
	am.Signature = nil
	amIdentity := am.Identity
	am.Identity = nil
	b, err := prot.Marshal(am)
	am.Signature = sig
	am.Identity = amIdentity
	if err != nil {
		sa.logger.Error("Failed marshalling", am, ":", err)
		return false
	}
	err = sa.mcs.Verify(identity, sig, b)
	if err != nil {
		sa.logger.Warning("Failed verifying:", am, ":", err)
		return false
	}
	return true
}
Example #2
0
// SignMessage signs an AliveMessage and updates its signature field
func (sa *discoverySecurityAdapter) SignMessage(am *proto.AliveMessage) *proto.AliveMessage {
	am.Signature = nil
	identity := am.Identity
	am.Identity = nil
	b, err := prot.Marshal(am)
	if err != nil {
		sa.logger.Error("Failed marshalling", am, ":", err)
		return am
	}
	b, err = sa.mcs.Sign(b)
	if err != nil {
		sa.logger.Error("Failed signing", am, ":", err)
		return am
	}
	am.Signature = b
	am.Identity = identity
	return am
}