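// recvCredentials reads the peer's authentication handshake from ms and,
// on success, records the authenticated principal in conn.peer.
//
// The handshake is a string naming one of three modes:
//   - "delegation": an Attestation follows; it is validated against the
//     peer's TLS certificate and, when conn.guard is set, checked for
//     the "Connect" authorization (after any endorsements are added).
//   - "key": the peer's TLS certificate alone identifies the principal.
//   - "anonymous": accepted only when conn.guard is nil; otherwise rejected.
//
// Any other value is an error. Failures are reported through ms.SetErr;
// read errors from ms.ReadString/ms.ReadMessage return without calling
// SetErr (presumably the stream records its own read errors — confirm
// against util.MessageStream before relying on that).
//
// Unlike the previous version, a peer that presents no TLS certificate in
// the "delegation" or "key" modes now yields an error instead of an
// index-out-of-range panic on PeerCertificates[0]; whether a certificate
// is present depends on the TLS config used to build conn, which is not
// visible here.
func (conn *Conn) recvCredentials(ms util.MessageStream) {
	m, err := ms.ReadString()
	if err != nil {
		return
	}

	switch m {
	case "delegation":
		var a Attestation
		if err = ms.ReadMessage(&a); err != nil {
			return
		}
		// The attestation is bound to the peer's TLS certificate; a peer
		// that sent none cannot be validated, so reject it explicitly
		// rather than indexing an empty slice.
		certs := conn.ConnectionState().PeerCertificates
		if len(certs) == 0 {
			ms.SetErr(errors.New("peer sent a delegation but no certificate"))
			return
		}
		p, err := ValidatePeerAttestation(&a, certs[0])
		if err != nil {
			ms.SetErr(err)
			return
		}
		if conn.guard != nil {
			// Endorsements may be needed for the guard to recognize the
			// delegating principal; add them before the authorization check.
			if conn.verifier != nil {
				if err = AddEndorsements(conn.guard, &a, conn.verifier); err != nil {
					ms.SetErr(err)
					return
				}
			}
			if !conn.guard.IsAuthorized(p, "Connect", nil) {
				ms.SetErr(errors.New("principal delegator in client attestation is not authorized to connect"))
				return
			}
		}
		// With no guard configured, any validly attested principal is accepted.
		conn.peer = &p

	case "key":
		certs := conn.ConnectionState().PeerCertificates
		if len(certs) == 0 {
			ms.SetErr(errors.New("peer sent a key handshake but no certificate"))
			return
		}
		v, err := FromX509(certs[0])
		if err != nil {
			ms.SetErr(errors.New("can't decode key from peer certificate"))
			return
		}
		p := v.ToPrincipal()
		conn.peer = &p

	case "anonymous":
		// Anonymous peers are only admitted when there is no policy guard;
		// conn.peer is left unchanged in that case.
		if conn.guard != nil {
			ms.SetErr(errors.New("peer did not provide tao delegation"))
			return
		}

	default:
		ms.SetErr(errors.New("unrecognized authentication handshake: " + m))
		return
	}
}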