Example #1
0
func (conn *Conn) recvCredentials(ms util.MessageStream) {
	m, err := ms.ReadString()
	if err != nil {
		return
	}
	if m == "delegation" {
		var a Attestation
		if err = ms.ReadMessage(&a); err != nil {
			return
		}
		// Validate the peer certificate
		peerCert := conn.ConnectionState().PeerCertificates[0]
		p, err := ValidatePeerAttestation(&a, peerCert)
		if err != nil {
			ms.SetErr(err)
			return
		}
		if conn.guard != nil {
			if conn.verifier != nil {
				if err = AddEndorsements(conn.guard, &a, conn.verifier); err != nil {
					ms.SetErr(err)
					return
				}
			}
			if !conn.guard.IsAuthorized(p, "Connect", nil) {
				ms.SetErr(errors.New("principal delegator in client attestation is not authorized to connect"))
				return
			}
		}
		conn.peer = &p
	} else if m == "key" {
		peerCert := conn.ConnectionState().PeerCertificates[0]
		v, err := FromX509(peerCert)
		if err != nil {
			ms.SetErr(errors.New("can't decode key from peer certificate"))
			return
		}
		p := v.ToPrincipal()
		conn.peer = &p
	} else if m == "anonymous" {
		if conn.guard != nil {
			err = errors.New("peer did not provide tao delegation")
			ms.SetErr(err)
			return
		}
	} else {
		err = errors.New("unrecognized authentication handshake: " + m)
		ms.SetErr(err)
		return
	}
}