EliChin/frostfs-api-go
1
0
Fork 0
forked from TrueCloudLab/frostfs-api-go
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#380] Support changes in signature schemes

Browse source 
Support new `SignatureRFC6979` message. Make `refs.ECDSA_SHA512` to be
default scheme.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2022-03-02 13:15:36 +03:00 committed by Alex Vanin
parent f4fd28e39b
commit d065453bd0
9 changed files with 76 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
container/convert.go
View file

@ -152,6 +152,18 @@ func (c *Container) FromGRPCMessage(m grpc.Message) error {
return nil
}
func toSignatureRFC6979(s *refs.Signature) *refsGRPC.SignatureRFC6979 {
var res *refsGRPC.SignatureRFC6979
if s != nil {
res = new(refsGRPC.SignatureRFC6979)
res.SetKey(s.GetKey())
res.SetSign(s.GetSign())
}
return res
}
func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
var m *container.PutRequest_Body
@ -159,7 +171,7 @@ func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
m = new(container.PutRequest_Body)
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
m.SetSignature(toSignatureRFC6979(r.sig))
}
return m
@ -195,7 +207,8 @@ func (r *PutRequestBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature)
}
err = r.sig.FromGRPCMessage(sig)
r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
}
return err
@ -391,7 +404,7 @@ func (r *GetResponseBody) ToGRPCMessage() grpc.Message {
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
m.SetSignature(toSignatureRFC6979(r.sig))
}
return m
@ -424,7 +437,8 @@ func (r *GetResponseBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature)
}
err = r.sig.FromGRPCMessage(sig)
r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
}
token := v.GetSessionToken()
@ -486,7 +500,7 @@ func (r *DeleteRequestBody) ToGRPCMessage() grpc.Message {
m = new(container.DeleteRequest_Body)
m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
m.SetSignature(toSignatureRFC6979(r.sig))
}
return m
@ -522,7 +536,8 @@ func (r *DeleteRequestBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature)
}
err = r.sig.FromGRPCMessage(sig)
r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
}
return err
@ -765,7 +780,7 @@ func (r *SetExtendedACLRequestBody) ToGRPCMessage() grpc.Message {
m = new(container.SetExtendedACLRequest_Body)
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
m.SetSignature(toSignatureRFC6979(r.sig))
}
return m
@ -801,7 +816,8 @@ func (r *SetExtendedACLRequestBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature)
}
err = r.sig.FromGRPCMessage(sig)
r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
}
return err
@ -981,7 +997,7 @@ func (r *GetExtendedACLResponseBody) ToGRPCMessage() grpc.Message {
m = new(container.GetExtendedACLResponse_Body)
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
m.SetSignature(toSignatureRFC6979(r.sig))
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
}
@ -1018,7 +1034,8 @@ func (r *GetExtendedACLResponseBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature)
}
err = r.sig.FromGRPCMessage(sig)
r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
}
token := v.GetSessionToken()

16
container/grpc/service.go
View file

@ -14,7 +14,7 @@ func (m *PutRequest_Body) SetContainer(v *Container) {
}
// SetSignature sets signature of the container structure.
func (m *PutRequest_Body) SetSignature(v *refs.Signature) {
func (m *PutRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil {
m.Signature = v
}
@ -77,7 +77,7 @@ func (m *DeleteRequest_Body) SetContainerId(v *refs.ContainerID) {
}
// SetSignature sets signature of the container identifier.
func (m *DeleteRequest_Body) SetSignature(v *refs.Signature) {
func (m *DeleteRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil {
m.Signature = v
}
@ -166,8 +166,8 @@ func (m *GetResponse_Body) SetSessionToken(v *session.SessionToken) {
}
}
// SetSignature sets signature of the requested container.
func (m *GetResponse_Body) SetSignature(v *refs.Signature) {
// SetSignature sets signature of the container structure.
func (m *GetResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil {
m.Signature = v
}
@ -257,8 +257,8 @@ func (m *SetExtendedACLRequest_Body) SetEacl(v *acl.EACLTable) {
}
}
// SetSignature sets signature of the eACL table.
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.Signature) {
// SetSignature sets signature of the eACL table structure.
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil {
m.Signature = v
}
@ -341,8 +341,8 @@ func (m *GetExtendedACLResponse_Body) SetEacl(v *acl.EACLTable) {
}
}
// SetSignature sets signature of the eACL table.
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.Signature) {
// SetSignature sets signature of the eACL table structure.
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil {
m.Signature = v
}

BIN
container/grpc/service.pb.go generated
View file

Binary file not shown.

10
container/types.go
View file

@ -316,6 +316,8 @@ func (r *PutRequestBody) GetSignature() *refs.Signature {
func (r *PutRequestBody) SetSignature(v *refs.Signature) {
if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v
}
}
@ -434,6 +436,8 @@ func (r *GetResponseBody) GetSignature() *refs.Signature {
// SetSignature sets signature of the requested container.
func (r *GetResponseBody) SetSignature(v *refs.Signature) {
if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v
}
}
@ -476,6 +480,8 @@ func (r *DeleteRequestBody) GetSignature() *refs.Signature {
func (r *DeleteRequestBody) SetSignature(v *refs.Signature) {
if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v
}
}
@ -588,6 +594,8 @@ func (r *SetExtendedACLRequestBody) GetSignature() *refs.Signature {
func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) {
if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v
}
}
@ -672,6 +680,8 @@ func (r *GetExtendedACLResponseBody) GetSignature() *refs.Signature {
func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) {
if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v
}
}

14
refs/grpc/types.go
View file

@ -84,6 +84,20 @@ func (x *Signature) SetScheme(s SignatureScheme) {
}
}
// SetKey sets public key in a binary format.
func (x *SignatureRFC6979) SetKey(v []byte) {
if x != nil {
x.Key = v
}
}
// SetSign sets signature.
func (x *SignatureRFC6979) SetSign(v []byte) {
if x != nil {
x.Sign = v
}
}
// FromString parses SignatureScheme from a string representation,
// It is a reverse action to String().
//

BIN
refs/grpc/types.pb.go generated
View file

Binary file not shown.

5
refs/types.go
View file

@ -35,8 +35,7 @@ type SignatureScheme uint32
//nolint:revive
const (
UnspecifiedScheme SignatureScheme = iota
ECDSA_SHA512
ECDSA_SHA512 SignatureScheme = iota
ECDSA_RFC6979_SHA256
)
@ -189,7 +188,7 @@ func (s *Signature) GetScheme() SignatureScheme {
if s != nil {
return s.scheme
}
return UnspecifiedScheme
return 0
}
func (s *Signature) SetScheme(scheme SignatureScheme) {

4
util/signature/data.go
View file

@ -41,13 +41,13 @@ func SignDataWithHandler(key *ecdsa.PrivateKey, src DataSource, handler KeySigna
opts[i](cfg)
}
sigData, err := sign(cfg, cfg.defaultScheme, key, data)
sigData, err := sign(cfg, key, data)
if err != nil {
return err
}
sig := new(refs.Signature)
sig.SetScheme(cfg.defaultScheme)
sig.SetScheme(cfg.scheme)
sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey))
sig.SetSign(sigData)
handler(sig)

32
util/signature/options.go
View file

@ -9,51 +9,45 @@ import (
)
type cfg struct {
defaultScheme refs.SignatureScheme
restrictScheme refs.SignatureScheme
schemeFixed bool
scheme refs.SignatureScheme
}
func defaultCfg() *cfg {
return &cfg{
defaultScheme: refs.ECDSA_SHA512,
restrictScheme: refs.UnspecifiedScheme,
}
return new(cfg)
}
func verify(cfg *cfg, data []byte, sig *refs.Signature) error {
scheme := sig.GetScheme()
if scheme == refs.UnspecifiedScheme {
scheme = cfg.defaultScheme
}
if cfg.restrictScheme != refs.UnspecifiedScheme && scheme != cfg.restrictScheme {
return fmt.Errorf("%w: unexpected signature scheme", crypto.ErrInvalidSignature)
if !cfg.schemeFixed {
cfg.scheme = sig.GetScheme()
}
pub := crypto.UnmarshalPublicKey(sig.GetKey())
switch scheme {
switch cfg.scheme {
case refs.ECDSA_SHA512:
return crypto.Verify(pub, data, sig.GetSign())
case refs.ECDSA_RFC6979_SHA256:
return crypto.VerifyRFC6979(pub, data, sig.GetSign())
default:
return crypto.ErrInvalidSignature
return fmt.Errorf("unsupported signature scheme %s", cfg.scheme)
}
}
func sign(cfg *cfg, scheme refs.SignatureScheme, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
switch scheme {
func sign(cfg *cfg, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
switch cfg.scheme {
case refs.ECDSA_SHA512:
return crypto.Sign(key, data)
case refs.ECDSA_RFC6979_SHA256:
return crypto.SignRFC6979(key, data)
default:
panic("unsupported scheme")
panic(fmt.Sprintf("unsupported scheme %s", cfg.scheme))
}
}
func SignWithRFC6979() SignOption {
return func(c *cfg) {
c.defaultScheme = refs.ECDSA_RFC6979_SHA256
c.restrictScheme = refs.ECDSA_RFC6979_SHA256
c.schemeFixed = true
c.scheme = refs.ECDSA_RFC6979_SHA256
}
}