2020-05-04 15:52:56 +00:00
|
|
|
package service
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/ecdsa"
|
2020-06-10 17:22:34 +00:00
|
|
|
"io"
|
2020-05-12 07:40:48 +00:00
|
|
|
"sync"
|
2020-05-04 15:52:56 +00:00
|
|
|
|
|
|
|
crypto "github.com/nspcc-dev/neofs-crypto"
|
2020-06-10 17:22:34 +00:00
|
|
|
"github.com/pkg/errors"
|
2020-05-04 15:52:56 +00:00
|
|
|
)
|
|
|
|
|
2020-05-05 10:16:21 +00:00
|
|
|
type keySign struct {
|
|
|
|
key *ecdsa.PublicKey
|
|
|
|
sign []byte
|
|
|
|
}
|
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
type signSourceGroup struct {
|
|
|
|
SignKeyPairSource
|
|
|
|
SignKeyPairAccumulator
|
|
|
|
|
|
|
|
sources []SignedDataSource
|
|
|
|
}
|
|
|
|
|
|
|
|
type signReadersGroup struct {
|
|
|
|
SignKeyPairSource
|
|
|
|
SignKeyPairAccumulator
|
|
|
|
|
|
|
|
readers []SignedDataReader
|
|
|
|
}
|
|
|
|
|
2020-05-12 07:40:48 +00:00
|
|
|
var bytesPool = sync.Pool{
|
|
|
|
New: func() interface{} {
|
|
|
|
return make([]byte, 5<<20)
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2020-05-05 10:16:21 +00:00
|
|
|
// GetSignature is a sign field getter.
|
|
|
|
func (s keySign) GetSignature() []byte {
|
|
|
|
return s.sign
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetPublicKey is a key field getter,
|
|
|
|
func (s keySign) GetPublicKey() *ecdsa.PublicKey {
|
|
|
|
return s.key
|
|
|
|
}
|
|
|
|
|
|
|
|
// Unites passed key with signature and returns SignKeyPair interface.
|
|
|
|
func newSignatureKeyPair(key *ecdsa.PublicKey, sign []byte) SignKeyPair {
|
|
|
|
return &keySign{
|
|
|
|
key: key,
|
|
|
|
sign: sign,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-05-04 15:52:56 +00:00
|
|
|
// Returns data from DataSignatureAccumulator for signature creation/verification.
|
|
|
|
//
|
|
|
|
// If passed DataSignatureAccumulator provides a SignedDataReader interface, data for signature is obtained
|
|
|
|
// using this interface for optimization. In this case, it is understood that reading into the slice D
|
|
|
|
// that the method DataForSignature returns does not change D.
|
2020-05-06 08:44:55 +00:00
|
|
|
//
|
|
|
|
// If returned length of data is negative, ErrNegativeLength returns.
|
2020-05-04 15:52:56 +00:00
|
|
|
func dataForSignature(src SignedDataSource) ([]byte, error) {
|
2020-05-05 10:16:21 +00:00
|
|
|
if src == nil {
|
|
|
|
return nil, ErrNilSignedDataSource
|
|
|
|
}
|
|
|
|
|
2020-05-04 15:52:56 +00:00
|
|
|
r, ok := src.(SignedDataReader)
|
|
|
|
if !ok {
|
|
|
|
return src.SignedData()
|
|
|
|
}
|
|
|
|
|
|
|
|
buf := bytesPool.Get().([]byte)
|
|
|
|
|
2020-05-06 08:44:55 +00:00
|
|
|
if size := r.SignedDataSize(); size < 0 {
|
|
|
|
return nil, ErrNegativeLength
|
|
|
|
} else if size <= cap(buf) {
|
2020-05-04 15:52:56 +00:00
|
|
|
buf = buf[:size]
|
|
|
|
} else {
|
|
|
|
buf = make([]byte, size)
|
|
|
|
}
|
|
|
|
|
|
|
|
n, err := r.ReadSignedData(buf)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return buf[:n], nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// DataSignature returns the signature of data obtained using the private key.
|
|
|
|
//
|
|
|
|
// If passed data container is nil, ErrNilSignedDataSource returns.
|
|
|
|
// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
|
|
|
|
// If the data container or the signature function returns an error, it is returned directly.
|
2020-05-05 10:16:21 +00:00
|
|
|
func DataSignature(key *ecdsa.PrivateKey, src SignedDataSource) ([]byte, error) {
|
|
|
|
if key == nil {
|
2020-05-04 15:52:56 +00:00
|
|
|
return nil, crypto.ErrEmptyPrivateKey
|
|
|
|
}
|
|
|
|
|
|
|
|
data, err := dataForSignature(src)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
defer bytesPool.Put(data)
|
2020-05-04 15:52:56 +00:00
|
|
|
|
|
|
|
return crypto.Sign(key, data)
|
|
|
|
}
|
2020-05-04 16:33:18 +00:00
|
|
|
|
|
|
|
// AddSignatureWithKey calculates the data signature and adds it to accumulator with public key.
|
|
|
|
//
|
2020-05-06 08:44:55 +00:00
|
|
|
// Any change of data provoke signature breakdown.
|
|
|
|
//
|
2020-05-04 16:33:18 +00:00
|
|
|
// Returns signing errors only.
|
2020-05-06 08:44:55 +00:00
|
|
|
func AddSignatureWithKey(key *ecdsa.PrivateKey, v DataWithSignKeyAccumulator) error {
|
2020-05-05 10:16:21 +00:00
|
|
|
sign, err := DataSignature(key, v)
|
2020-05-04 16:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
v.AddSignKey(sign, &key.PublicKey)
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2020-05-05 10:16:21 +00:00
|
|
|
|
|
|
|
// Checks passed key-signature pairs for data from the passed container.
|
|
|
|
//
|
|
|
|
// If passed key-signatures pair set is empty, nil returns immediately.
|
|
|
|
func verifySignatures(src SignedDataSource, items ...SignKeyPair) error {
|
|
|
|
if len(items) <= 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
data, err := dataForSignature(src)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
defer bytesPool.Put(data)
|
2020-05-05 10:16:21 +00:00
|
|
|
|
|
|
|
for _, signKey := range items {
|
|
|
|
if err := crypto.Verify(
|
|
|
|
signKey.GetPublicKey(),
|
|
|
|
data,
|
|
|
|
signKey.GetSignature(),
|
|
|
|
); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifySignatures checks passed key-signature pairs for data from the passed container.
|
|
|
|
//
|
|
|
|
// If passed data source is nil, ErrNilSignedDataSource returns.
|
|
|
|
// If check data is not ready, corresponding error returns.
|
|
|
|
// If at least one of the pairs is invalid, an error returns.
|
|
|
|
func VerifySignatures(src SignedDataSource, items ...SignKeyPair) error {
|
|
|
|
return verifySignatures(src, items...)
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifyAccumulatedSignatures checks if accumulated key-signature pairs are valid.
|
|
|
|
//
|
|
|
|
// Behaves like VerifySignatures.
|
|
|
|
// If passed key-signature source is empty, ErrNilSignatureKeySource returns.
|
2020-05-06 08:44:55 +00:00
|
|
|
func VerifyAccumulatedSignatures(src DataWithSignKeySource) error {
|
2020-05-05 10:16:21 +00:00
|
|
|
if src == nil {
|
|
|
|
return ErrNilSignatureKeySource
|
|
|
|
}
|
|
|
|
|
|
|
|
return verifySignatures(src, src.GetSignKeyPairs()...)
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifySignatureWithKey checks data signature from the passed container with passed key.
|
|
|
|
//
|
|
|
|
// If passed data with signature is nil, ErrEmptyDataWithSignature returns.
|
|
|
|
// If passed key is nil, crypto.ErrEmptyPublicKey returns.
|
|
|
|
// A non-nil error returns if and only if the signature does not pass verification.
|
2020-05-06 08:44:55 +00:00
|
|
|
func VerifySignatureWithKey(key *ecdsa.PublicKey, src DataWithSignature) error {
|
2020-05-05 10:16:21 +00:00
|
|
|
if src == nil {
|
|
|
|
return ErrEmptyDataWithSignature
|
|
|
|
} else if key == nil {
|
|
|
|
return crypto.ErrEmptyPublicKey
|
|
|
|
}
|
|
|
|
|
|
|
|
return verifySignatures(
|
|
|
|
src,
|
|
|
|
newSignatureKeyPair(
|
|
|
|
key,
|
|
|
|
src.GetSignature(),
|
|
|
|
),
|
|
|
|
)
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
// SignRequestData calculates request data signature and adds it to accumulator.
|
2020-05-06 08:44:55 +00:00
|
|
|
//
|
2020-06-10 17:22:34 +00:00
|
|
|
// Any change of request data provoke signature breakdown.
|
2020-05-06 08:44:55 +00:00
|
|
|
//
|
|
|
|
// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
|
2020-06-10 17:22:34 +00:00
|
|
|
// If passed RequestSignedData is nil, ErrNilRequestSignedData returns.
|
|
|
|
func SignRequestData(key *ecdsa.PrivateKey, src RequestSignedData) error {
|
2020-05-06 08:44:55 +00:00
|
|
|
if src == nil {
|
2020-06-10 17:22:34 +00:00
|
|
|
return ErrNilRequestSignedData
|
|
|
|
}
|
|
|
|
|
|
|
|
sigSrc, err := GroupSignedPayloads(
|
|
|
|
src,
|
|
|
|
src,
|
|
|
|
NewSignedSessionToken(
|
|
|
|
src.GetSessionToken(),
|
|
|
|
),
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
return AddSignatureWithKey(key, sigSrc)
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifyRequestData checks if accumulated key-signature pairs of data with token are valid.
|
|
|
|
//
|
|
|
|
// If passed RequestVerifyData is nil, ErrNilRequestVerifyData returns.
|
|
|
|
func VerifyRequestData(src RequestVerifyData) error {
|
|
|
|
if src == nil {
|
|
|
|
return ErrNilRequestVerifyData
|
2020-05-06 08:44:55 +00:00
|
|
|
}
|
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
verSrc, err := GroupVerifyPayloads(
|
|
|
|
src,
|
|
|
|
src,
|
|
|
|
NewVerifiedSessionToken(
|
|
|
|
src.GetSessionToken(),
|
|
|
|
),
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return VerifyAccumulatedSignatures(verSrc)
|
|
|
|
}
|
|
|
|
|
|
|
|
// SignedData returns payload bytes concatenation from all sources keeping order.
|
|
|
|
func (s signSourceGroup) SignedData() ([]byte, error) {
|
|
|
|
chunks := make([][]byte, 0, len(s.sources))
|
|
|
|
sz := 0
|
|
|
|
|
|
|
|
for i := range s.sources {
|
|
|
|
data, err := s.sources[i].SignedData()
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "could not get signed payload of element #%d", i)
|
|
|
|
}
|
|
|
|
|
|
|
|
chunks = append(chunks, data)
|
|
|
|
|
|
|
|
sz += len(data)
|
|
|
|
}
|
|
|
|
|
|
|
|
res := make([]byte, sz)
|
|
|
|
off := 0
|
|
|
|
|
|
|
|
for i := range chunks {
|
|
|
|
off += copy(res[off:], chunks[i])
|
|
|
|
}
|
|
|
|
|
|
|
|
return res, nil
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
// SignedData returns payload bytes concatenation from all readers.
|
|
|
|
func (s signReadersGroup) SignedData() ([]byte, error) {
|
|
|
|
return SignedDataFromReader(s)
|
2020-05-06 08:44:55 +00:00
|
|
|
}
|
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
// SignedDataSize returns the sum of sizes of all readers.
|
|
|
|
func (s signReadersGroup) SignedDataSize() (sz int) {
|
|
|
|
for i := range s.readers {
|
|
|
|
sz += s.readers[i].SignedDataSize()
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// ReadSignedData reads data from all readers to passed buffer keeping order.
|
|
|
|
//
|
|
|
|
// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
|
|
|
|
func (s signReadersGroup) ReadSignedData(p []byte) (int, error) {
|
|
|
|
sz := s.SignedDataSize()
|
|
|
|
if len(p) < sz {
|
|
|
|
return 0, io.ErrUnexpectedEOF
|
|
|
|
}
|
|
|
|
|
|
|
|
off := 0
|
|
|
|
|
|
|
|
for i := range s.readers {
|
|
|
|
n, err := s.readers[i].ReadSignedData(p[off:])
|
|
|
|
off += n
|
|
|
|
if err != nil {
|
|
|
|
return off, errors.Wrapf(err, "could not read signed payload of element #%d", i)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return off, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GroupSignedPayloads groups SignKeyPairAccumulator and SignedDataSource list to DataWithSignKeyAccumulator.
|
|
|
|
//
|
|
|
|
// If passed SignKeyPairAccumulator is nil, ErrNilSignKeyPairAccumulator returns.
|
|
|
|
//
|
|
|
|
// Signed payload of the result is a concatenation of payloads of list elements keeping order.
|
|
|
|
// Nil elements in list are ignored.
|
|
|
|
//
|
|
|
|
// If all elements implement SignedDataReader, result implements it too.
|
|
|
|
func GroupSignedPayloads(acc SignKeyPairAccumulator, sources ...SignedDataSource) (DataWithSignKeyAccumulator, error) {
|
|
|
|
if acc == nil {
|
|
|
|
return nil, ErrNilSignKeyPairAccumulator
|
|
|
|
}
|
|
|
|
|
|
|
|
return groupPayloads(acc, nil, sources...), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GroupVerifyPayloads groups SignKeyPairSource and SignedDataSource list to DataWithSignKeySource.
|
|
|
|
//
|
|
|
|
// If passed SignKeyPairSource is nil, ErrNilSignatureKeySource returns.
|
|
|
|
//
|
|
|
|
// Signed payload of the result is a concatenation of payloads of list elements keeping order.
|
|
|
|
// Nil elements in list are ignored.
|
2020-05-06 08:44:55 +00:00
|
|
|
//
|
2020-06-10 17:22:34 +00:00
|
|
|
// If all elements implement SignedDataReader, result implements it too.
|
|
|
|
func GroupVerifyPayloads(src SignKeyPairSource, sources ...SignedDataSource) (DataWithSignKeySource, error) {
|
2020-05-06 08:44:55 +00:00
|
|
|
if src == nil {
|
2020-06-10 17:22:34 +00:00
|
|
|
return nil, ErrNilSignatureKeySource
|
|
|
|
}
|
|
|
|
|
|
|
|
return groupPayloads(nil, src, sources...), nil
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
func groupPayloads(acc SignKeyPairAccumulator, src SignKeyPairSource, sources ...SignedDataSource) interface {
|
|
|
|
SignedDataSource
|
|
|
|
SignKeyPairSource
|
|
|
|
SignKeyPairAccumulator
|
|
|
|
} {
|
|
|
|
var allReaders bool
|
|
|
|
|
|
|
|
for i := range sources {
|
|
|
|
if sources[i] == nil {
|
|
|
|
continue
|
|
|
|
} else if _, allReaders = sources[i].(SignedDataReader); !allReaders {
|
|
|
|
break
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
}
|
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
if !allReaders {
|
|
|
|
res := &signSourceGroup{
|
|
|
|
SignKeyPairSource: src,
|
|
|
|
SignKeyPairAccumulator: acc,
|
|
|
|
|
|
|
|
sources: make([]SignedDataSource, 0, len(sources)),
|
|
|
|
}
|
|
|
|
|
|
|
|
for i := range sources {
|
|
|
|
if sources[i] != nil {
|
|
|
|
res.sources = append(res.sources, sources[i])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return res
|
|
|
|
}
|
|
|
|
|
|
|
|
res := &signReadersGroup{
|
|
|
|
SignKeyPairSource: src,
|
|
|
|
SignKeyPairAccumulator: acc,
|
|
|
|
|
|
|
|
readers: make([]SignedDataReader, 0, len(sources)),
|
|
|
|
}
|
|
|
|
|
|
|
|
for i := range sources {
|
|
|
|
if sources[i] != nil {
|
|
|
|
res.readers = append(res.readers, sources[i].(SignedDataReader))
|
|
|
|
}
|
|
|
|
}
|
2020-05-06 08:44:55 +00:00
|
|
|
|
2020-06-10 17:22:34 +00:00
|
|
|
return res
|
2020-05-06 08:44:55 +00:00
|
|
|
}
|