m/n/c/rpc: allow authenticated connections to unauthenticated endpoints
This allows authenticated clients to use whatever channel they already
have (ie., an already authenticated one) to perform connections to
endpoints marked as 'unauthenticated'.
Change-Id: I6d10f145aa0cc9e2f37068ac7ec5f9ef37fe8303
Reviewed-on: https://review.monogon.dev/c/monogon/+/783
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/core/rpc/server_authentication.go b/metropolis/node/core/rpc/server_authentication.go
index 83afad2..73f04b9 100644
--- a/metropolis/node/core/rpc/server_authentication.go
+++ b/metropolis/node/core/rpc/server_authentication.go
@@ -200,7 +200,9 @@
cert, err := getPeerCertificate(ctx)
if err == nil {
if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
- return nil, status.Errorf(codes.Unauthenticated, "presented certificate must be self-signed (check error: %v)", err)
+ // Peer presented a certificate that is not self-signed - for example a user or
+ // node certificate. Ignore it.
+ return &res, nil
}
res.Unauthenticated.SelfSignedPublicKey = cert.PublicKey.(ed25519.PublicKey)
}