Gossip: Learn certificate at validation time

yacovm · yacovm · commit bc7f9d8ea780 · 2017-03-06T00:24:21.000+02:00
When an AliveMessage enters the routine that handles all messages,
It is first validated and only then the certificate may be learned
from the alive message, but then it is validated again when it is
learned because the identity store validates the cert when it attempts
to store it.

This is redundant, we may simply learn the cert at validation time as
part of storing the cert (gossip/identity/identityMapper:Put also
validates a cert, and even checks if the calculated PKI-ID matches
the claimed PKI-ID)

Change-Id: I90900818aef3b51c413384df989f4e63073401f6
Signed-off-by: Yacov Manevich &lt;yacovm@il.ibm.com&gt;
diff --git a/gossip/gossip/gossip_impl.go b/gossip/gossip/gossip_impl.go
@@ -285,19 +285,6 @@ func (g *gossipServiceImpl) handleMessage(m proto.ReceivedMessage) {
 	}
 
 	if msg.IsAliveMsg() {
-		am := msg.GetAliveMsg()
-		storedIdentity, _ := g.idMapper.Get(common.PKIidType(am.Membership.PkiId))
-		// If peer's certificate is included inside AliveMessage, and we don't have a mapping between
-		// its PKI-ID and certificate, create a mapping for it now.
-		if identity := am.Identity; identity != nil && storedIdentity == nil {
-			err := g.idMapper.Put(common.PKIidType(am.Membership.PkiId), api.PeerIdentityType(identity))
-			if err != nil {
-				g.logger.Warning("Failed adding identity of", am, "into identity store:", err)
-				return
-			}
-			g.logger.Info("Learned identity of", am.Membership.PkiId)
-		}
-
 		added := g.aliveMsgStore.Add(msg)
 		if !added {
 			return
@@ -771,13 +758,8 @@ func (sa *discoverySecurityAdapter) ValidateAliveMsg(m *proto.SignedGossipMessag
 	// If identity is included inside AliveMessage
 	if am.Identity != nil {
 		identity = api.PeerIdentityType(am.Identity)
-		calculatedPKIID := sa.mcs.GetPKIidOfCert(identity)
 		claimedPKIID := am.Membership.PkiId
-		if !bytes.Equal(calculatedPKIID, claimedPKIID) {
-			sa.logger.Warning("Calculated pkiID doesn't match identity:", calculatedPKIID, claimedPKIID)
-			return false
-		}
-		err := sa.mcs.ValidateIdentity(api.PeerIdentityType(identity))
+		err := sa.idMapper.Put(claimedPKIID, identity)
 		if err != nil {
 			sa.logger.Warning("Failed validating identity of", am, "reason:", err)
 			return false
