3.1.5.7 Validating a CPA

To validate a CPA, a PNRP node MUST perform the following checks. If any assertion in the following is not true, the CPA MUST be rejected as invalid.

Verify that the CPA conforms to the syntax as specified in section 2.2.3.1.

If a nonzero BinaryAuthority is present in the CPA, then verify that either a Certificate Chain is present in the CPA or the BinaryAuthority is a SHA-1 hash of the public key included in the CPA. If a Certificate Chain exists, then validate the Certificate Chain as specified in section 3.1.5.10.

If the X flag bit in CPA is set, then validate the Extended Payload field as specified in section 3.1.5.8.

Retrieve the current UTC time for the local PNRP node. Verify that it is not greater than the value in the Not After field.

Verify that the value of the Nonce field in the CPA matches the value of the Nonce field in the original INQUIRE message.

Using the BinaryAuthority, ClassifierHash, and ServiceLocation in the CPA, construct the PNRP ID as specified in section 3.1.4.4.1. Verify that the computed PNRP ID matches the PNRP ID in the ROUTE_ENTRY message in the AUTHORITY_BUFFER message.

Verify (using the rules in section 3.1.5.9) that the SIGNATURE structure contains the correct signature of the Encoded CPA structure (minus the Signature field).