1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
use super::secret_connection::{PublicKey, SecretConnection};
use crate::{
error::{Error, ErrorKind::*},
key_utils,
prelude::*,
};
use std::{net::TcpStream, path::PathBuf, time::Duration};
use subtle::ConstantTimeEq;
use tendermint::node;
const DEFAULT_TIMEOUT: u16 = 10;
pub fn open_secret_connection(
host: &str,
port: u16,
identity_key_path: &Option<PathBuf>,
peer_id: &Option<node::Id>,
timeout: Option<u16>,
v0_33_handshake: bool,
) -> Result<SecretConnection<TcpStream>, Error> {
let identity_key_path = identity_key_path.as_ref().ok_or_else(|| {
format_err!(
ConfigError,
"config error: no `secret_key` for validator: {}:{}",
host,
port
)
})?;
let identity_key = key_utils::load_base64_ed25519_key(identity_key_path)?;
info!("KMS node ID: {}", PublicKey::from(&identity_key));
let socket = TcpStream::connect(format!("{}:{}", host, port))?;
let timeout = Duration::from_secs(timeout.unwrap_or(DEFAULT_TIMEOUT).into());
socket.set_read_timeout(Some(timeout))?;
socket.set_write_timeout(Some(timeout))?;
let connection = SecretConnection::new(socket, &identity_key, v0_33_handshake)?;
let actual_peer_id = connection.remote_pubkey().peer_id();
if let Some(expected_peer_id) = peer_id {
if expected_peer_id.ct_eq(&actual_peer_id).unwrap_u8() == 0 {
fail!(
VerificationError,
"{}:{}: validator peer ID mismatch! (expected {}, got {})",
host,
port,
expected_peer_id,
actual_peer_id
);
}
}
Ok(connection)
}