diff --git a/session/container.go b/session/container.go index 2e08943f..9a245a42 100644 --- a/session/container.go +++ b/session/container.go @@ -8,6 +8,7 @@ import ( "github.com/nspcc-dev/neofs-api-go/v2/refs" "github.com/nspcc-dev/neofs-api-go/v2/session" cid "github.com/nspcc-dev/neofs-sdk-go/container/id" + neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto" "github.com/nspcc-dev/neofs-sdk-go/user" ) @@ -199,3 +200,17 @@ func (x Container) AssertVerb(verb ContainerVerb) bool { func IssuedBy(cnr Container, id user.ID) bool { return cnr.Issuer().Equals(id) } + +// VerifySessionDataSignature verifies signature of the session data. In practice, +// the method is used to authenticate an operation with session data. +func (x Container) VerifySessionDataSignature(data, signature []byte) bool { + var sigV2 refs.Signature + sigV2.SetKey(x.authKey) + sigV2.SetScheme(refs.ECDSA_RFC6979_SHA256) + sigV2.SetSign(signature) + + var sig neofscrypto.Signature + sig.ReadFromV2(sigV2) + + return sig.Verify(data) +} diff --git a/session/container_test.go b/session/container_test.go index cb908cda..95e15f0d 100644 --- a/session/container_test.go +++ b/session/container_test.go @@ -11,6 +11,7 @@ import ( "github.com/nspcc-dev/neofs-api-go/v2/refs" v2session "github.com/nspcc-dev/neofs-api-go/v2/session" cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test" + neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto" neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa" "github.com/nspcc-dev/neofs-sdk-go/session" sessiontest "github.com/nspcc-dev/neofs-sdk-go/session/test" @@ -543,3 +544,25 @@ func TestContainer_Sign(t *testing.T) { require.True(t, val.VerifySignature()) } + +func TestContainer_VerifyDataSignature(t *testing.T) { + signer := randSigner() + + var tok session.Container + + data := make([]byte, 100) + rand.Read(data) + + var sig neofscrypto.Signature + require.NoError(t, sig.Calculate(neofsecdsa.SignerRFC6979(signer), data)) + + var sigV2 refs.Signature + sig.WriteToV2(&sigV2) + + require.False(t, tok.VerifySessionDataSignature(data, sigV2.GetSign())) + + tok.SetAuthKey((*neofsecdsa.PublicKeyRFC6979)(&signer.PublicKey)) + require.True(t, tok.VerifySessionDataSignature(data, sigV2.GetSign())) + require.False(t, tok.VerifySessionDataSignature(append(data, 1), sigV2.GetSign())) + require.False(t, tok.VerifySessionDataSignature(data, append(sigV2.GetSign(), 1))) +}