Merge branch 'release/0.7.4'

CHANGELOG.md

@@ -1,6 +1,22 @@
 # Changelog
 This is the changelog for NeoFS-API-Go
 
+## [0.7.4] - 2020-05-12
+
+### Added
+
+- Stringify for `object.Object`.
+
+### Changed
+
+- Mechanism for creating and verifying request message signatures.
+- Implementation and interface of private token storage.
+- File structure of packages.
+
+### Updated
+
+- NeoFS API v0.7.4
+
 ## [0.7.1] - 2020-04-20
 
 ### Added
@@ -273,3 +289,4 @@ Initial public release
 [0.6.2]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.6.1...v0.6.2
 [0.7.0]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.6.2...v0.7.0
 [0.7.1]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.7.0...v0.7.1
+[0.7.4]: https://github.com/nspcc-dev/neofs-api-go/compare/v0.7.1...v0.7.4

Makefile

@@ -1,4 +1,4 @@
-PROTO_VERSION=v0.7.1
+PROTO_VERSION=v0.7.4
 PROTO_URL=https://github.com/nspcc-dev/neofs-api/archive/$(PROTO_VERSION).tar.gz
 
 B=\033[0;1m

accounting/sign.go

@@ -0,0 +1,167 @@
+package accounting
+
+import (
+	"encoding/binary"
+	"io"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+)
+
+// SignedData returns payload bytes of the request.
+func (m BalanceRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m BalanceRequest) SignedDataSize() int {
+	return m.GetOwnerID().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m BalanceRequest) ReadSignedData(p []byte) (int, error) {
+	sz := m.SignedDataSize()
+	if len(p) < sz {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	copy(p, m.GetOwnerID().Bytes())
+
+	return sz, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m GetRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m GetRequest) SignedDataSize() int {
+	return m.GetID().Size() + m.GetOwnerID().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m GetRequest) ReadSignedData(p []byte) (int, error) {
+	sz := m.SignedDataSize()
+	if len(p) < sz {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetID().Bytes())
+
+	copy(p[off:], m.GetOwnerID().Bytes())
+
+	return sz, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m PutRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m PutRequest) SignedDataSize() (sz int) {
+	sz += m.GetOwnerID().Size()
+
+	sz += m.GetMessageID().Size()
+
+	sz += 8
+
+	if amount := m.GetAmount(); amount != nil {
+		sz += amount.Size()
+	}
+
+	return
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m PutRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetOwnerID().Bytes())
+
+	off += copy(p[off:], m.GetMessageID().Bytes())
+
+	binary.BigEndian.PutUint64(p[off:], m.GetHeight())
+	off += 8
+
+	if amount := m.GetAmount(); amount != nil {
+		n, err := amount.MarshalTo(p[off:])
+		off += n
+		if err != nil {
+			return off + n, err
+		}
+	}
+
+	return off, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m ListRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m ListRequest) SignedDataSize() int {
+	return m.GetOwnerID().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m ListRequest) ReadSignedData(p []byte) (int, error) {
+	sz := m.SignedDataSize()
+	if len(p) < sz {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	copy(p, m.GetOwnerID().Bytes())
+
+	return sz, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m DeleteRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m DeleteRequest) SignedDataSize() (sz int) {
+	sz += m.GetID().Size()
+
+	sz += m.GetOwnerID().Size()
+
+	sz += m.GetMessageID().Size()
+
+	return
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m DeleteRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetID().Bytes())
+
+	off += copy(p[off:], m.GetOwnerID().Bytes())
+
+	off += copy(p[off:], m.GetMessageID().Bytes())
+
+	return off, nil
+}

accounting/sign_test.go

@@ -0,0 +1,185 @@
+package accounting
+
+import (
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/decimal"
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignBalanceRequest(t *testing.T) {
+	sk := test.DecodeKey(0)
+
+	type sigType interface {
+		service.SignedDataWithToken
+		service.SignKeyPairAccumulator
+		service.SignKeyPairSource
+		SetToken(*service.Token)
+	}
+
+	items := []struct {
+		constructor    func() sigType
+		payloadCorrupt []func(sigType)
+	}{
+		{ // BalanceRequest
+			constructor: func() sigType {
+				return new(BalanceRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*BalanceRequest)
+
+					owner := req.GetOwnerID()
+					owner[0]++
+
+					req.SetOwnerID(owner)
+				},
+			},
+		},
+		{ // GetRequest
+			constructor: func() sigType {
+				return new(GetRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*GetRequest)
+
+					id, err := NewChequeID()
+					require.NoError(t, err)
+
+					req.SetID(id)
+				},
+				func(s sigType) {
+					req := s.(*GetRequest)
+
+					id := req.GetOwnerID()
+					id[0]++
+
+					req.SetOwnerID(id)
+				},
+			},
+		},
+		{ // PutRequest
+			constructor: func() sigType {
+				req := new(PutRequest)
+
+				amount := decimal.New(1)
+				req.SetAmount(amount)
+
+				return req
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					owner := req.GetOwnerID()
+					owner[0]++
+
+					req.SetOwnerID(owner)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					mid := req.GetMessageID()
+					mid[0]++
+
+					req.SetMessageID(mid)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					req.SetHeight(req.GetHeight() + 1)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					amount := req.GetAmount()
+					if amount == nil {
+						req.SetAmount(decimal.New(0))
+					} else {
+						req.SetAmount(amount.Add(decimal.New(amount.GetValue())))
+					}
+				},
+			},
+		},
+		{ // ListRequest
+			constructor: func() sigType {
+				return new(ListRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*ListRequest)
+
+					owner := req.GetOwnerID()
+					owner[0]++
+
+					req.SetOwnerID(owner)
+				},
+			},
+		},
+		{
+			constructor: func() sigType {
+				return new(DeleteRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*DeleteRequest)
+
+					id, err := NewChequeID()
+					require.NoError(t, err)
+
+					req.SetID(id)
+				},
+				func(s sigType) {
+					req := s.(*DeleteRequest)
+
+					owner := req.GetOwnerID()
+					owner[0]++
+
+					req.SetOwnerID(owner)
+				},
+				func(s sigType) {
+					req := s.(*DeleteRequest)
+
+					mid := req.GetMessageID()
+					mid[0]++
+
+					req.SetMessageID(mid)
+				},
+			},
+		},
+	}
+
+	for _, item := range items {
+		{ // token corruptions
+			v := item.constructor()
+
+			token := new(service.Token)
+			v.SetToken(token)
+
+			require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+			require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+			token.SetSessionKey(append(token.GetSessionKey(), 1))
+
+			require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+		}
+
+		{ // payload corruptions
+			for _, corruption := range item.payloadCorrupt {
+				v := item.constructor()
+
+				require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+				require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+				corruption(v)
+
+				require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+			}
+		}
+	}
+}

accounting/types.go

@@ -351,3 +351,103 @@ func (m *Settlement) Equal(s *Settlement) bool {
 	}
 	return len(m.Transactions) == 0 || reflect.DeepEqual(m.Transactions, s.Transactions)
 }
+
+// GetOwnerID is an OwnerID field getter.
+func (m BalanceRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *BalanceRequest) SetOwnerID(owner OwnerID) {
+	m.OwnerID = owner
+}
+
+// GetID is an ID field getter.
+func (m GetRequest) GetID() ChequeID {
+	return m.ID
+}
+
+// SetID is an ID field setter.
+func (m *GetRequest) SetID(id ChequeID) {
+	m.ID = id
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m GetRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *GetRequest) SetOwnerID(id OwnerID) {
+	m.OwnerID = id
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m PutRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *PutRequest) SetOwnerID(id OwnerID) {
+	m.OwnerID = id
+}
+
+// GetMessageID is a MessageID field getter.
+func (m PutRequest) GetMessageID() MessageID {
+	return m.MessageID
+}
+
+// SetMessageID is a MessageID field setter.
+func (m *PutRequest) SetMessageID(id MessageID) {
+	m.MessageID = id
+}
+
+// SetAmount is an Amount field setter.
+func (m *PutRequest) SetAmount(amount *decimal.Decimal) {
+	m.Amount = amount
+}
+
+// SetHeight is a Height field setter.
+func (m *PutRequest) SetHeight(h uint64) {
+	m.Height = h
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m ListRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *ListRequest) SetOwnerID(id OwnerID) {
+	m.OwnerID = id
+}
+
+// GetID is an ID field getter.
+func (m DeleteRequest) GetID() ChequeID {
+	return m.ID
+}
+
+// SetID is an ID field setter.
+func (m *DeleteRequest) SetID(id ChequeID) {
+	m.ID = id
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m DeleteRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *DeleteRequest) SetOwnerID(id OwnerID) {
+	m.OwnerID = id
+}
+
+// GetMessageID is a MessageID field getter.
+func (m DeleteRequest) GetMessageID() MessageID {
+	return m.MessageID
+}
+
+// SetMessageID is a MessageID field setter.
+func (m *DeleteRequest) SetMessageID(id MessageID) {
+	m.MessageID = id
+}

accounting/types_test.go

@@ -84,3 +84,110 @@ func TestCheque(t *testing.T) {
 		require.Equal(t, cheque.Amount, decimal.NewGAS(42))
 	})
 }
+
+func TestBalanceRequest_SetOwnerID(t *testing.T) {
+	ownerID := OwnerID{1, 2, 3}
+	m := new(BalanceRequest)
+
+	m.SetOwnerID(ownerID)
+
+	require.Equal(t, ownerID, m.GetOwnerID())
+}
+
+func TestGetRequestGettersSetters(t *testing.T) {
+	t.Run("id", func(t *testing.T) {
+		id := ChequeID("test id")
+		m := new(GetRequest)
+
+		m.SetID(id)
+
+		require.Equal(t, id, m.GetID())
+	})
+
+	t.Run("owner", func(t *testing.T) {
+		id := OwnerID{1, 2, 3}
+		m := new(GetRequest)
+
+		m.SetOwnerID(id)
+
+		require.Equal(t, id, m.GetOwnerID())
+	})
+}
+
+func TestPutRequestGettersSetters(t *testing.T) {
+	t.Run("owner", func(t *testing.T) {
+		id := OwnerID{1, 2, 3}
+		m := new(PutRequest)
+
+		m.SetOwnerID(id)
+
+		require.Equal(t, id, m.GetOwnerID())
+	})
+
+	t.Run("message ID", func(t *testing.T) {
+		id, err := refs.NewUUID()
+		require.NoError(t, err)
+
+		m := new(PutRequest)
+		m.SetMessageID(id)
+
+		require.Equal(t, id, m.GetMessageID())
+	})
+
+	t.Run("amount", func(t *testing.T) {
+		amount := decimal.New(1)
+		m := new(PutRequest)
+
+		m.SetAmount(amount)
+
+		require.Equal(t, amount, m.GetAmount())
+	})
+
+	t.Run("height", func(t *testing.T) {
+		h := uint64(3)
+		m := new(PutRequest)
+
+		m.SetHeight(h)
+
+		require.Equal(t, h, m.GetHeight())
+	})
+}
+
+func TestListRequestGettersSetters(t *testing.T) {
+	ownerID := OwnerID{1, 2, 3}
+	m := new(ListRequest)
+
+	m.SetOwnerID(ownerID)
+
+	require.Equal(t, ownerID, m.GetOwnerID())
+}
+
+func TestDeleteRequestGettersSetters(t *testing.T) {
+	t.Run("id", func(t *testing.T) {
+		id := ChequeID("test id")
+		m := new(DeleteRequest)
+
+		m.SetID(id)
+
+		require.Equal(t, id, m.GetID())
+	})
+
+	t.Run("owner", func(t *testing.T) {
+		id := OwnerID{1, 2, 3}
+		m := new(DeleteRequest)
+
+		m.SetOwnerID(id)
+
+		require.Equal(t, id, m.GetOwnerID())
+	})
+
+	t.Run("message ID", func(t *testing.T) {
+		id, err := refs.NewUUID()
+		require.NoError(t, err)
+
+		m := new(DeleteRequest)
+		m.SetMessageID(id)
+
+		require.Equal(t, id, m.GetMessageID())
+	})
+}

bootstrap/sign.go

@@ -0,0 +1,46 @@
+package bootstrap
+
+import (
+	"io"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+)
+
+// SignedData returns payload bytes of the request.
+func (m Request) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m Request) SignedDataSize() (sz int) {
+	sz += m.GetType().Size()
+
+	sz += m.GetState().Size()
+
+	info := m.GetInfo()
+	sz += info.Size()
+
+	return
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the Request size is insufficient, io.ErrUnexpectedEOF returns.
+func (m Request) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetType().Bytes())
+
+	off += copy(p[off:], m.GetState().Bytes())
+
+	info := m.GetInfo()
+	// FIXME: implement and use stable functions
+	n, err := info.MarshalTo(p[off:])
+	off += n
+
+	return off, err
+}

bootstrap/sign_test.go

@@ -0,0 +1,82 @@
+package bootstrap
+
+import (
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRequestSign(t *testing.T) {
+	sk := test.DecodeKey(0)
+
+	type sigType interface {
+		service.SignedDataWithToken
+		service.SignKeyPairAccumulator
+		service.SignKeyPairSource
+		SetToken(*service.Token)
+	}
+
+	items := []struct {
+		constructor    func() sigType
+		payloadCorrupt []func(sigType)
+	}{
+		{ // Request
+			constructor: func() sigType {
+				return new(Request)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*Request)
+
+					req.SetType(req.GetType() + 1)
+				},
+				func(s sigType) {
+					req := s.(*Request)
+
+					req.SetState(req.GetState() + 1)
+				},
+				func(s sigType) {
+					req := s.(*Request)
+
+					info := req.GetInfo()
+					info.Address += "1"
+
+					req.SetInfo(info)
+				},
+			},
+		},
+	}
+
+	for _, item := range items {
+		{ // token corruptions
+			v := item.constructor()
+
+			token := new(service.Token)
+			v.SetToken(token)
+
+			require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+			require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+			token.SetSessionKey(append(token.GetSessionKey(), 1))
+
+			require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+		}
+
+		{ // payload corruptions
+			for _, corruption := range item.payloadCorrupt {
+				v := item.constructor()
+
+				require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+				require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+				corruption(v)
+
+				require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+			}
+		}
+	}
+}

bootstrap/types.go

@@ -2,6 +2,7 @@ package bootstrap
 
 import (
 	"bytes"
+	"encoding/binary"
 	"encoding/hex"
 	"strconv"
 	"strings"
@@ -27,6 +28,8 @@ var (
 	_ proto.Message = (*SpreadMap)(nil)
 )
 
+var requestEndianness = binary.BigEndian
+
 // Equals checks whether two NodeInfo has same address.
 func (m NodeInfo) Equals(n1 NodeInfo) bool {
 	return m.Address == n1.Address && bytes.Equal(m.PubKey, n1.PubKey)
@@ -98,3 +101,37 @@ func (m SpreadMap) String() string {
 		", " +
 		"Netmap: [" + strings.Join(result, ",") + "]>"
 }
+
+// GetType is a Type field getter.
+func (m Request) GetType() NodeType {
+	return m.Type
+}
+
+// SetType is a Type field setter.
+func (m *Request) SetType(t NodeType) {
+	m.Type = t
+}
+
+// SetState is a State field setter.
+func (m *Request) SetState(state Request_State) {
+	m.State = state
+}
+
+// SetInfo is an Info field getter.
+func (m *Request) SetInfo(info NodeInfo) {
+	m.Info = info
+}
+
+// Size returns the size necessary for a binary representation of the state.
+func (x Request_State) Size() int {
+	return 4
+}
+
+// Bytes returns a binary representation of the state.
+func (x Request_State) Bytes() []byte {
+	data := make([]byte, x.Size())
+
+	requestEndianness.PutUint32(data, uint32(x))
+
+	return data
+}

bootstrap/types_test.go

@@ -0,0 +1,39 @@
+package bootstrap
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestRequestGettersSetters(t *testing.T) {
+	t.Run("type", func(t *testing.T) {
+		rt := NodeType(1)
+		m := new(Request)
+
+		m.SetType(rt)
+
+		require.Equal(t, rt, m.GetType())
+	})
+
+	t.Run("state", func(t *testing.T) {
+		st := Request_State(1)
+		m := new(Request)
+
+		m.SetState(st)
+
+		require.Equal(t, st, m.GetState())
+	})
+
+	t.Run("info", func(t *testing.T) {
+		info := NodeInfo{
+			Address: "some address",
+		}
+
+		m := new(Request)
+
+		m.SetInfo(info)
+
+		require.Equal(t, info, m.GetInfo())
+	})
+}

container/sign.go

@@ -0,0 +1,137 @@
+package container
+
+import (
+	"encoding/binary"
+	"io"
+
+	service "github.com/nspcc-dev/neofs-api-go/service"
+)
+
+var requestEndianness = binary.BigEndian
+
+// SignedData returns payload bytes of the request.
+func (m PutRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m PutRequest) SignedDataSize() (sz int) {
+	sz += m.GetMessageID().Size()
+
+	sz += 8
+
+	sz += m.GetOwnerID().Size()
+
+	rules := m.GetRules()
+	sz += rules.Size()
+
+	sz += 4
+
+	return
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the Request size is insufficient, io.ErrUnexpectedEOF returns.
+func (m PutRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetMessageID().Bytes())
+
+	requestEndianness.PutUint64(p[off:], m.GetCapacity())
+	off += 8
+
+	off += copy(p[off:], m.GetOwnerID().Bytes())
+
+	rules := m.GetRules()
+	// FIXME: implement and use stable functions
+	n, err := rules.MarshalTo(p[off:])
+	off += n
+	if err != nil {
+		return off, err
+	}
+
+	requestEndianness.PutUint32(p[off:], m.GetBasicACL())
+	off += 4
+
+	return off, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m DeleteRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m DeleteRequest) SignedDataSize() int {
+	return m.GetCID().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the Request size is insufficient, io.ErrUnexpectedEOF returns.
+func (m DeleteRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetCID().Bytes())
+
+	return off, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m GetRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m GetRequest) SignedDataSize() int {
+	return m.GetCID().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the Request size is insufficient, io.ErrUnexpectedEOF returns.
+func (m GetRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetCID().Bytes())
+
+	return off, nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m ListRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m ListRequest) SignedDataSize() int {
+	return m.GetOwnerID().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the Request size is insufficient, io.ErrUnexpectedEOF returns.
+func (m ListRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetOwnerID().Bytes())
+
+	return off, nil
+}

container/sign_test.go

@@ -0,0 +1,143 @@
+package container
+
+import (
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRequestSign(t *testing.T) {
+	sk := test.DecodeKey(0)
+
+	type sigType interface {
+		service.SignedDataWithToken
+		service.SignKeyPairAccumulator
+		service.SignKeyPairSource
+		SetToken(*service.Token)
+	}
+
+	items := []struct {
+		constructor    func() sigType
+		payloadCorrupt []func(sigType)
+	}{
+		{ // PutRequest
+			constructor: func() sigType {
+				return new(PutRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					id := req.GetMessageID()
+					id[0]++
+
+					req.SetMessageID(id)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					req.SetCapacity(req.GetCapacity() + 1)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					owner := req.GetOwnerID()
+					owner[0]++
+
+					req.SetOwnerID(owner)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					rules := req.GetRules()
+					rules.ReplFactor++
+
+					req.SetRules(rules)
+				},
+				func(s sigType) {
+					req := s.(*PutRequest)
+
+					req.SetBasicACL(req.GetBasicACL() + 1)
+				},
+			},
+		},
+		{ // DeleteRequest
+			constructor: func() sigType {
+				return new(DeleteRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*DeleteRequest)
+
+					cid := req.GetCID()
+					cid[0]++
+
+					req.SetCID(cid)
+				},
+			},
+		},
+		{ // GetRequest
+			constructor: func() sigType {
+				return new(GetRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*GetRequest)
+
+					cid := req.GetCID()
+					cid[0]++
+
+					req.SetCID(cid)
+				},
+			},
+		},
+		{ // ListRequest
+			constructor: func() sigType {
+				return new(ListRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*ListRequest)
+
+					owner := req.GetOwnerID()
+					owner[0]++
+
+					req.SetOwnerID(owner)
+				},
+			},
+		},
+	}
+
+	for _, item := range items {
+		{ // token corruptions
+			v := item.constructor()
+
+			token := new(service.Token)
+			v.SetToken(token)
+
+			require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+			require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+			token.SetSessionKey(append(token.GetSessionKey(), 1))
+
+			require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+		}
+
+		{ // payload corruptions
+			for _, corruption := range item.payloadCorrupt {
+				v := item.constructor()
+
+				require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+				require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+				corruption(v)
+
+				require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+			}
+		}
+	}
+}

container/types.go

@@ -93,3 +93,68 @@ func NewTestContainer() (*Container, error) {
 		},
 	})
 }
+
+// GetMessageID is a MessageID field getter.
+func (m PutRequest) GetMessageID() MessageID {
+	return m.MessageID
+}
+
+// SetMessageID is a MessageID field getter.
+func (m *PutRequest) SetMessageID(id MessageID) {
+	m.MessageID = id
+}
+
+// SetCapacity is a Capacity field setter.
+func (m *PutRequest) SetCapacity(c uint64) {
+	m.Capacity = c
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m PutRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *PutRequest) SetOwnerID(owner OwnerID) {
+	m.OwnerID = owner
+}
+
+// SetRules is a Rules field setter.
+func (m *PutRequest) SetRules(rules netmap.PlacementRule) {
+	m.Rules = rules
+}
+
+// SetBasicACL is a BasicACL field setter.
+func (m *PutRequest) SetBasicACL(acl uint32) {
+	m.BasicACL = acl
+}
+
+// GetCID is a CID field getter.
+func (m DeleteRequest) GetCID() CID {
+	return m.CID
+}
+
+// SetCID is a CID field setter.
+func (m *DeleteRequest) SetCID(cid CID) {
+	m.CID = cid
+}
+
+// GetCID is a CID field getter.
+func (m GetRequest) GetCID() CID {
+	return m.CID
+}
+
+// SetCID is a CID field setter.
+func (m *GetRequest) SetCID(cid CID) {
+	m.CID = cid
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m ListRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *ListRequest) SetOwnerID(owner OwnerID) {
+	m.OwnerID = owner
+}

container/types_test.go

@@ -55,3 +55,88 @@ func TestCID(t *testing.T) {
 		require.Equal(t, cid1, cid2)
 	})
 }
+
+func TestPutRequestGettersSetters(t *testing.T) {
+	t.Run("owner", func(t *testing.T) {
+		owner := OwnerID{1, 2, 3}
+		m := new(PutRequest)
+
+		m.SetOwnerID(owner)
+
+		require.Equal(t, owner, m.GetOwnerID())
+	})
+
+	t.Run("capacity", func(t *testing.T) {
+		cp := uint64(3)
+		m := new(PutRequest)
+
+		m.SetCapacity(cp)
+
+		require.Equal(t, cp, m.GetCapacity())
+	})
+
+	t.Run("message ID", func(t *testing.T) {
+		id, err := refs.NewUUID()
+		require.NoError(t, err)
+
+		m := new(PutRequest)
+
+		m.SetMessageID(id)
+
+		require.Equal(t, id, m.GetMessageID())
+	})
+
+	t.Run("rules", func(t *testing.T) {
+		rules := netmap.PlacementRule{
+			ReplFactor: 1,
+		}
+
+		m := new(PutRequest)
+
+		m.SetRules(rules)
+
+		require.Equal(t, rules, m.GetRules())
+	})
+
+	t.Run("basic ACL", func(t *testing.T) {
+		bACL := uint32(5)
+		m := new(PutRequest)
+
+		m.SetBasicACL(bACL)
+
+		require.Equal(t, bACL, m.GetBasicACL())
+	})
+}
+
+func TestDeleteRequestGettersSetters(t *testing.T) {
+	t.Run("cid", func(t *testing.T) {
+		cid := CID{1, 2, 3}
+		m := new(DeleteRequest)
+
+		m.SetCID(cid)
+
+		require.Equal(t, cid, m.GetCID())
+	})
+}
+
+func TestGetRequestGettersSetters(t *testing.T) {
+	t.Run("cid", func(t *testing.T) {
+		cid := CID{1, 2, 3}
+		m := new(GetRequest)
+
+		m.SetCID(cid)
+
+		require.Equal(t, cid, m.GetCID())
+	})
+}
+
+func TestListRequestGettersSetters(t *testing.T) {
+	t.Run("owner", func(t *testing.T) {
+		owner := OwnerID{1, 2, 3}
+		m := new(PutRequest)
+
+		m.SetOwnerID(owner)
+
+		require.Equal(t, owner, m.GetOwnerID())
+	})
+}

docs/object.md

@@ -149,7 +149,6 @@ calculated for XORed data.
 | ----- | ---- | ----- | ----------- |
 | Address | [refs.Address](#refs.Address) |  | Address of object (container id + object id) |
 | OwnerID | [bytes](#bytes) |  | OwnerID is a wallet address |
-| Token | [session.Token](#session.Token) |  | Token with session public key and user's signature |
 | Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
 | Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
 
@@ -228,7 +227,6 @@ in distributed system.
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | Address | [refs.Address](#refs.Address) |  | Address of object (container id + object id) |
-| Raw | [bool](#bool) |  | Raw is the request flag of a physically stored representation of an object |
 | Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
 | Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
 
@@ -256,7 +254,6 @@ in distributed system.
 | ----- | ---- | ----- | ----------- |
 | Address | [refs.Address](#refs.Address) |  | Address of object (container id + object id) |
 | FullHeaders | [bool](#bool) |  | FullHeaders can be set true for extended headers in the object |
-| Raw | [bool](#bool) |  | Raw is the request flag of a physically stored representation of an object |
 | Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
 | Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
 
@@ -296,7 +293,6 @@ in distributed system.
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | Object | [Object](#object.Object) |  | Object with at least container id and owner id fields |
-| Token | [session.Token](#session.Token) |  | Token with session public key and user's signature |
 | CopiesNumber | [uint32](#uint32) |  | Number of the object copies to store within the RPC call (zero is processed according to the placement rules) |
 
 
@@ -378,7 +374,7 @@ in distributed system.
 | UserHeader | [UserHeader](#object.UserHeader) |  | UserHeader is a set of KV headers defined by user |
 | Transform | [Transform](#object.Transform) |  | Transform defines transform operation (e.g. payload split) |
 | Tombstone | [Tombstone](#object.Tombstone) |  | Tombstone header that set up in deleted objects |
-| Verify | [session.VerificationHeader](#session.VerificationHeader) |  | Verify header that contains session public key and user's signature |
+| Token | [service.Token](#service.Token) |  | Token header contains token of the session within which the object was created |
 | HomoHash | [bytes](#bytes) |  | HomoHash is a homomorphic hash of original object payload |
 | PayloadChecksum | [bytes](#bytes) |  | PayloadChecksum of actual object's payload |
 | Integrity | [IntegrityHeader](#object.IntegrityHeader) |  | Integrity header with checksum of all above headers in the object |

docs/service.md

@@ -14,8 +14,10 @@
 
   - Messages
     - [RequestVerificationHeader](#service.RequestVerificationHeader)
-    - [RequestVerificationHeader.Sign](#service.RequestVerificationHeader.Sign)
     - [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature)
+    - [Token](#service.Token)
+    - [Token.Info](#service.Token.Info)
+    - [TokenLifetime](#service.TokenLifetime)
     
 
 - [service/verify_test.proto](#service/verify_test.proto)
@@ -49,6 +51,7 @@ RequestMetaHeader contains information about request meta headers
 | TTL | [uint32](#uint32) |  | TTL must be larger than zero, it decreased in every NeoFS Node |
 | Epoch | [uint64](#uint64) |  | Epoch for user can be empty, because node sets epoch to the actual value |
 | Version | [uint32](#uint32) |  | Version defines protocol version TODO: not used for now, should be implemented in future |
+| Raw | [bool](#bool) |  | Raw determines whether the request is raw or not |
 
 
 <a name="service.ResponseMetaHeader"></a>
@@ -88,18 +91,7 @@ RequestVerificationHeader is a set of signatures of every NeoFS Node that proces
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | Signatures | [RequestVerificationHeader.Signature](#service.RequestVerificationHeader.Signature) | repeated | Signatures is a set of signatures of every passed NeoFS Node |
-
+| Token | [Token](#service.Token) |  | Token is a token of the session within which the request is sent |
-
-<a name="service.RequestVerificationHeader.Sign"></a>
-
-### Message RequestVerificationHeader.Sign
-
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| Sign | [bytes](#bytes) |  | Sign is signature of the request or session key. |
-| Peer | [bytes](#bytes) |  | Peer is compressed public key used for signature. |
 
 
 <a name="service.RequestVerificationHeader.Signature"></a>
@@ -110,11 +102,68 @@ RequestVerificationHeader is a set of signatures of every NeoFS Node that proces
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| Sign | [RequestVerificationHeader.Sign](#service.RequestVerificationHeader.Sign) |  | Sign is a signature and public key of the request. |
+| Sign | [bytes](#bytes) |  | Sign is signature of the request or session key. |
-| Origin | [RequestVerificationHeader.Sign](#service.RequestVerificationHeader.Sign) |  | Origin used for requests, when trusted node changes it and re-sign with session key. If session key used for signature request, then Origin should contain public key of user and signed session key. |
+| Peer | [bytes](#bytes) |  | Peer is compressed public key used for signature. |
+
+
+<a name="service.Token"></a>
+
+### Message Token
+User token granting rights for object manipulation
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| TokenInfo | [Token.Info](#service.Token.Info) |  | TokenInfo is a grouped information about token |
+| Signature | [bytes](#bytes) |  | Signature is a signature of session token information |
+
+
+<a name="service.Token.Info"></a>
+
+### Message Token.Info
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| ID | [bytes](#bytes) |  | ID is a token identifier. valid UUIDv4 represented in bytes |
+| OwnerID | [bytes](#bytes) |  | OwnerID is an owner of manipulation object |
+| verb | [Token.Info.Verb](#service.Token.Info.Verb) |  | Verb is a type of request for which the token is issued |
+| Address | [refs.Address](#refs.Address) |  | Address is an object address for which token is issued |
+| Lifetime | [TokenLifetime](#service.TokenLifetime) |  | Lifetime is a lifetime of the session |
+| SessionKey | [bytes](#bytes) |  | SessionKey is a public key of session key |
+
+
+<a name="service.TokenLifetime"></a>
+
+### Message TokenLifetime
+TokenLifetime carries a group of lifetime parameters of the token
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| Created | [uint64](#uint64) |  | Created carries an initial epoch of token lifetime |
+| ValidUntil | [uint64](#uint64) |  | ValidUntil carries a last epoch of token lifetime |
 
  <!-- end messages -->
 
+
+<a name="service.Token.Info.Verb"></a>
+
+### Token.Info.Verb
+Verb is an enumeration of session request types
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| Put | 0 | Put refers to object.Put RPC call |
+| Get | 1 | Get refers to object.Get RPC call |
+| Head | 2 | Head refers to object.Head RPC call |
+| Search | 3 | Search refers to object.Search RPC call |
+| Delete | 4 | Delete refers to object.Delete RPC call |
+| Range | 5 | Range refers to object.GetRange RPC call |
+| RangeHash | 6 | RangeHash refers to object.GetRangeHash RPC call |
+
+
  <!-- end enums -->
 
 

docs/session.md

@@ -12,13 +12,6 @@
     - [CreateResponse](#session.CreateResponse)
     
 
-- [session/types.proto](#session/types.proto)
-
-  - Messages
-    - [Token](#session.Token)
-    - [VerificationHeader](#session.VerificationHeader)
-    
-
 - [Scalar Value Types](#scalar-value-types)
 
 
@@ -37,22 +30,13 @@
 
 
 ```
-rpc Create(stream CreateRequest) returns (stream CreateResponse);
+rpc Create(CreateRequest) returns (CreateResponse);
 
 ```
 
 #### Method Create
 
-Create is a method that used to open a trusted session to manipulate
+Create opens new session between the client and the server
-an object. In order to put or delete object client have to obtain session
-token with trusted node. Trusted node will modify client's object
-(add missing headers, checksums, homomorphic hash) and sign id with
-session key. Session is established during 4-step handshake in one gRPC stream
-
-- First client stream message SHOULD BE type of `CreateRequest_Init`.
-- First server stream message SHOULD BE type of `CreateResponse_Unsigned`.
-- Second client stream message SHOULD BE type of `CreateRequest_Signed`.
-- Second server stream message SHOULD BE type of `CreateResponse_Result`.
 
 | Name | Input | Output |
 | ---- | ----- | ------ |
@@ -63,13 +47,13 @@ session key. Session is established during 4-step handshake in one gRPC stream
 <a name="session.CreateRequest"></a>
 
 ### Message CreateRequest
-
+CreateRequest carries an information necessary for opening a session
 
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| Init | [Token](#session.Token) |  | Init is a message to initialize session opening. Carry: owner of manipulation object; ID of manipulation object; token lifetime bounds. |
+| OwnerID | [bytes](#bytes) |  | OwnerID carries an identifier of a session initiator |
-| Signed | [Token](#session.Token) |  | Signed Init message response (Unsigned) from server with user private key |
+| Lifetime | [service.TokenLifetime](#service.TokenLifetime) |  | Lifetime carries a lifetime of the session |
 | Meta | [service.RequestMetaHeader](#service.RequestMetaHeader) |  | RequestMetaHeader contains information about request meta headers (should be embedded into message) |
 | Verify | [service.RequestVerificationHeader](#service.RequestVerificationHeader) |  | RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message) |
 
@@ -77,57 +61,13 @@ session key. Session is established during 4-step handshake in one gRPC stream
 <a name="session.CreateResponse"></a>
 
 ### Message CreateResponse
-
+CreateResponse carries an information about the opened session
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| Unsigned | [Token](#session.Token) |  | Unsigned token with token ID and session public key generated on server side |
-| Result | [Token](#session.Token) |  | Result is a resulting token which can be used for object placing through an trusted intermediary |
-
- <!-- end messages -->
-
- <!-- end enums -->
-
-
-
-<a name="session/types.proto"></a>
-<p align="right"><a href="#top">Top</a></p>
-
-## session/types.proto
-
-
- <!-- end services -->
-
-
-<a name="session.Token"></a>
-
-### Message Token
-User token granting rights for object manipulation
 
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| Header | [VerificationHeader](#session.VerificationHeader) |  | Header carries verification data of session key |
+| ID | [bytes](#bytes) |  | ID carries an identifier of session token |
-| OwnerID | [bytes](#bytes) |  | OwnerID is an owner of manipulation object |
+| SessionKey | [bytes](#bytes) |  | SessionKey carries a session public key |
-| FirstEpoch | [uint64](#uint64) |  | FirstEpoch is an initial epoch of token lifetime |
-| LastEpoch | [uint64](#uint64) |  | LastEpoch is a last epoch of token lifetime |
-| ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object |
-| Signature | [bytes](#bytes) |  | Signature is a token signature, signed by owner of manipulation object |
-| ID | [bytes](#bytes) |  | ID is a token identifier. valid UUIDv4 represented in bytes |
-| PublicKeys | [bytes](#bytes) | repeated | PublicKeys associated with owner |
-
-
-<a name="session.VerificationHeader"></a>
-
-### Message VerificationHeader
-
-
-
-| Field | Type | Label | Description |
-| ----- | ---- | ----- | ----------- |
-| PublicKey | [bytes](#bytes) |  | PublicKey is a session public key |
-| KeySignature | [bytes](#bytes) |  | KeySignature is a session public key signature. Signed by trusted side |
 
  <!-- end messages -->
 

object/extensions.go

@@ -19,21 +19,6 @@ func (m Object) IsLinking() bool {
 	return false
 }
 
-// VerificationHeader returns verification header if it is presented in extended headers.
-func (m Object) VerificationHeader() (*VerificationHeader, error) {
-	_, vh := m.LastHeader(HeaderType(VerifyHdr))
-	if vh == nil {
-		return nil, ErrHeaderNotFound
-	}
-	return vh.Value.(*Header_Verify).Verify, nil
-}
-
-// SetVerificationHeader sets verification header in the object.
-// It will replace existing verification header or add a new one.
-func (m *Object) SetVerificationHeader(header *VerificationHeader) {
-	m.SetHeader(&Header{Value: &Header_Verify{Verify: header}})
-}
-
 // Links returns slice of ids of specified link type
 func (m *Object) Links(t Link_Type) []ID {
 	var res []ID

object/service.go

@@ -31,7 +31,7 @@ type (
 	// All object operations must have TTL, Epoch, Type, Container ID and
 	// permission of usage previous network map.
 	Request interface {
-		service.MetaHeader
+		service.SeizedRequestMetaContainer
 
 		CID() CID
 		Type() RequestType

object/service.proto

@@ -5,7 +5,6 @@ option csharp_namespace = "NeoFS.API.Object";
 
 import "refs/types.proto";
 import "object/types.proto";
-import "session/types.proto";
 import "service/meta.proto";
 import "service/verify.proto";
 import "github.com/gogo/protobuf/gogoproto/gogo.proto";
@@ -58,8 +57,6 @@ service Service {
 message GetRequest {
     // Address of object (container id + object id)
     refs.Address Address                     = 1 [(gogoproto.nullable) = false];
-    // Raw is the request flag of a physically stored representation of an object
-    bool Raw                                 = 2;
     // RequestMetaHeader contains information about request meta headers (should be embedded into message)
     service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
     // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
@@ -82,10 +79,8 @@ message PutRequest {
     message PutHeader {
         // Object with at least container id and owner id fields
         Object Object       = 1;
-        // Token with session public key and user's signature
-        session.Token Token = 2;
         // Number of the object copies to store within the RPC call (zero is processed according to the placement rules)
-        uint32 CopiesNumber = 3;
+        uint32 CopiesNumber = 2;
     }
 
     oneof R {
@@ -112,8 +107,6 @@ message DeleteRequest {
     refs.Address Address                     = 1 [(gogoproto.nullable) = false];
     // OwnerID is a wallet address
     bytes OwnerID                            = 2 [(gogoproto.nullable) = false, (gogoproto.customtype) = "OwnerID"];
-    // Token with session public key and user's signature
-    session.Token Token                      = 3;
     // RequestMetaHeader contains information about request meta headers (should be embedded into message)
     service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
     // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
@@ -132,8 +125,6 @@ message HeadRequest {
     refs.Address Address                     = 1 [(gogoproto.nullable) = false, (gogoproto.customtype) = "Address"];
     // FullHeaders can be set true for extended headers in the object
     bool FullHeaders                         = 2;
-    // Raw is the request flag of a physically stored representation of an object
-    bool Raw                                 = 3;
     // RequestMetaHeader contains information about request meta headers (should be embedded into message)
     service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
     // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)

object/service_test.go

@@ -16,8 +16,8 @@ func TestRequest(t *testing.T) {
 		&DeleteRequest{},
 		&GetRangeRequest{},
 		&GetRangeHashRequest{},
-		MakePutRequestHeader(nil, nil),
+		MakePutRequestHeader(nil),
-		MakePutRequestHeader(&Object{}, nil),
+		MakePutRequestHeader(&Object{}),
 	}
 
 	types := []RequestType{

object/sign.go

@@ -0,0 +1,259 @@
+package object
+
+import (
+	"encoding/binary"
+	"io"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+)
+
+// SignedData returns payload bytes of the request.
+//
+// If payload is nil, ErrHeaderNotFound returns.
+func (m PutRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m PutRequest) ReadSignedData(p []byte) (int, error) {
+	r := m.GetR()
+	if r == nil {
+		return 0, ErrHeaderNotFound
+	}
+
+	return r.MarshalTo(p)
+}
+
+// SignedDataSize returns the size of payload of the Put request.
+//
+// If payload is nil, -1 returns.
+func (m PutRequest) SignedDataSize() int {
+	r := m.GetR()
+	if r == nil {
+		return -1
+	}
+
+	return r.Size()
+}
+
+// SignedData returns payload bytes of the request.
+func (m GetRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m GetRequest) ReadSignedData(p []byte) (int, error) {
+	addr := m.GetAddress()
+
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], addr.CID.Bytes())
+
+	off += copy(p[off:], addr.ObjectID.Bytes())
+
+	return off, nil
+}
+
+// SignedDataSize returns payload size of the request.
+func (m GetRequest) SignedDataSize() int {
+	return addressSize(m.GetAddress())
+}
+
+// SignedData returns payload bytes of the request.
+func (m HeadRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m HeadRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	if m.GetFullHeaders() {
+		p[0] = 1
+	}
+
+	off := 1
+
+	off += copy(p[off:], m.Address.CID.Bytes())
+
+	off += copy(p[off:], m.Address.ObjectID.Bytes())
+
+	return off, nil
+}
+
+// SignedDataSize returns payload size of the request.
+func (m HeadRequest) SignedDataSize() int {
+	return addressSize(m.Address) + 1
+}
+
+// SignedData returns payload bytes of the request.
+func (m DeleteRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m DeleteRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.OwnerID.Bytes())
+
+	off += copy(p[off:], addressBytes(m.Address))
+
+	return off, nil
+}
+
+// SignedDataSize returns payload size of the request.
+func (m DeleteRequest) SignedDataSize() int {
+	return m.OwnerID.Size() + addressSize(m.Address)
+}
+
+// SignedData returns payload bytes of the request.
+func (m GetRangeRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m GetRangeRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	n, err := (&m.Range).MarshalTo(p)
+	if err != nil {
+		return 0, err
+	}
+
+	n += copy(p[n:], addressBytes(m.GetAddress()))
+
+	return n, nil
+}
+
+// SignedDataSize returns payload size of the request.
+func (m GetRangeRequest) SignedDataSize() int {
+	return (&m.Range).Size() + addressSize(m.GetAddress())
+}
+
+// SignedData returns payload bytes of the request.
+func (m GetRangeHashRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m GetRangeHashRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], addressBytes(m.GetAddress()))
+
+	off += copy(p[off:], rangeSetBytes(m.GetRanges()))
+
+	off += copy(p[off:], m.GetSalt())
+
+	return off, nil
+}
+
+// SignedDataSize returns payload size of the request.
+func (m GetRangeHashRequest) SignedDataSize() int {
+	var sz int
+
+	sz += addressSize(m.GetAddress())
+
+	sz += rangeSetSize(m.GetRanges())
+
+	sz += len(m.GetSalt())
+
+	return sz
+}
+
+// SignedData returns payload bytes of the request.
+func (m SearchRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m SearchRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.CID().Bytes())
+
+	binary.BigEndian.PutUint32(p[off:], m.GetQueryVersion())
+	off += 4
+
+	off += copy(p[off:], m.GetQuery())
+
+	return off, nil
+}
+
+// SignedDataSize returns payload size of the request.
+func (m SearchRequest) SignedDataSize() int {
+	var sz int
+
+	sz += m.CID().Size()
+
+	sz += 4 // uint32 Version
+
+	sz += len(m.GetQuery())
+
+	return sz
+}
+
+func rangeSetSize(rs []Range) int {
+	return 4 + len(rs)*16 // two uint64 fields
+}
+
+func rangeSetBytes(rs []Range) []byte {
+	data := make([]byte, rangeSetSize(rs))
+
+	binary.BigEndian.PutUint32(data, uint32(len(rs)))
+
+	off := 4
+
+	for i := range rs {
+		binary.BigEndian.PutUint64(data[off:], rs[i].Offset)
+		off += 8
+
+		binary.BigEndian.PutUint64(data[off:], rs[i].Length)
+		off += 8
+	}
+
+	return data
+}
+
+func addressSize(addr Address) int {
+	return addr.CID.Size() + addr.ObjectID.Size()
+}
+
+func addressBytes(addr Address) []byte {
+	return append(addr.CID.Bytes(), addr.ObjectID.Bytes()...)
+}

object/sign_test.go

@@ -0,0 +1,189 @@
+package object
+
+import (
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignVerifyRequests(t *testing.T) {
+	sk := test.DecodeKey(0)
+
+	type sigType interface {
+		service.SignedDataWithToken
+		service.SignKeyPairAccumulator
+		service.SignKeyPairSource
+		SetToken(*Token)
+	}
+
+	items := []struct {
+		constructor    func() sigType
+		payloadCorrupt []func(sigType)
+	}{
+		{ // PutRequest.PutHeader
+			constructor: func() sigType {
+				return MakePutRequestHeader(new(Object))
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					obj := s.(*PutRequest).GetR().(*PutRequest_Header).Header.GetObject()
+					obj.SystemHeader.PayloadLength++
+				},
+			},
+		},
+		{ // PutRequest.Chunk
+			constructor: func() sigType {
+				return MakePutRequestChunk(make([]byte, 10))
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					h := s.(*PutRequest).GetR().(*PutRequest_Chunk)
+					h.Chunk[0]++
+				},
+			},
+		},
+		{ // GetRequest
+			constructor: func() sigType {
+				return new(GetRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					s.(*GetRequest).Address.CID[0]++
+				},
+				func(s sigType) {
+					s.(*GetRequest).Address.ObjectID[0]++
+				},
+			},
+		},
+		{ // HeadRequest
+			constructor: func() sigType {
+				return new(HeadRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					s.(*HeadRequest).Address.CID[0]++
+				},
+				func(s sigType) {
+					s.(*HeadRequest).Address.ObjectID[0]++
+				},
+				func(s sigType) {
+					s.(*HeadRequest).FullHeaders = true
+				},
+			},
+		},
+		{ // DeleteRequest
+			constructor: func() sigType {
+				return new(DeleteRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					s.(*DeleteRequest).OwnerID[0]++
+				},
+				func(s sigType) {
+					s.(*DeleteRequest).Address.CID[0]++
+				},
+				func(s sigType) {
+					s.(*DeleteRequest).Address.ObjectID[0]++
+				},
+			},
+		},
+		{ // GetRangeRequest
+			constructor: func() sigType {
+				return new(GetRangeRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					s.(*GetRangeRequest).Range.Length++
+				},
+				func(s sigType) {
+					s.(*GetRangeRequest).Range.Offset++
+				},
+				func(s sigType) {
+					s.(*GetRangeRequest).Address.CID[0]++
+				},
+				func(s sigType) {
+					s.(*GetRangeRequest).Address.ObjectID[0]++
+				},
+			},
+		},
+		{ // GetRangeHashRequest
+			constructor: func() sigType {
+				return &GetRangeHashRequest{
+					Ranges: []Range{{}},
+					Salt:   []byte{1, 2, 3},
+				}
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					s.(*GetRangeHashRequest).Address.CID[0]++
+				},
+				func(s sigType) {
+					s.(*GetRangeHashRequest).Address.ObjectID[0]++
+				},
+				func(s sigType) {
+					s.(*GetRangeHashRequest).Salt[0]++
+				},
+				func(s sigType) {
+					s.(*GetRangeHashRequest).Ranges[0].Length++
+				},
+				func(s sigType) {
+					s.(*GetRangeHashRequest).Ranges[0].Offset++
+				},
+				func(s sigType) {
+					s.(*GetRangeHashRequest).Ranges = nil
+				},
+			},
+		},
+		{ // GetRangeHashRequest
+			constructor: func() sigType {
+				return &SearchRequest{
+					Query: []byte{1, 2, 3},
+				}
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					s.(*SearchRequest).ContainerID[0]++
+				},
+				func(s sigType) {
+					s.(*SearchRequest).Query[0]++
+				},
+				func(s sigType) {
+					s.(*SearchRequest).QueryVersion++
+				},
+			},
+		},
+	}
+
+	for _, item := range items {
+		{ // token corruptions
+			v := item.constructor()
+
+			token := new(Token)
+			v.SetToken(token)
+
+			require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+			require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+			token.SetSessionKey(append(token.GetSessionKey(), 1))
+
+			require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+		}
+
+		{ // payload corruptions
+			for _, corruption := range item.payloadCorrupt {
+				v := item.constructor()
+
+				require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+				require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+				corruption(v)
+
+				require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+			}
+		}
+	}
+}

object/types.go

@@ -3,11 +3,14 @@ package object
 import (
 	"bytes"
 	"context"
+	"fmt"
+	"io"
+	"reflect"
 
 	"github.com/gogo/protobuf/proto"
 	"github.com/nspcc-dev/neofs-api-go/internal"
 	"github.com/nspcc-dev/neofs-api-go/refs"
-	"github.com/nspcc-dev/neofs-api-go/session"
+	"github.com/pkg/errors"
 )
 
 type (
@@ -19,9 +22,6 @@ type (
 	// Address is a type alias of object Address.
 	Address = refs.Address
 
-	// VerificationHeader is a type alias of session's verification header.
-	VerificationHeader = session.VerificationHeader
-
 	// PositionReader defines object reader that returns slice of bytes
 	// for specified object and data range.
 	PositionReader interface {
@@ -60,8 +60,8 @@ const (
 	TransformHdr
 	// TombstoneHdr is a tombstone header type.
 	TombstoneHdr
-	// VerifyHdr is a verification header type.
+	// TokenHdr is a token header type.
-	VerifyHdr
+	TokenHdr
 	// HomoHashHdr is a homomorphic hash header type.
 	HomoHashHdr
 	// PayloadChecksumHdr is a payload checksum header type.
@@ -175,8 +175,8 @@ func (m Header) typeOf(t isHeader_Value) (ok bool) {
 		_, ok = m.Value.(*Header_Transform)
 	case *Header_Tombstone:
 		_, ok = m.Value.(*Header_Tombstone)
-	case *Header_Verify:
+	case *Header_Token:
-		_, ok = m.Value.(*Header_Verify)
+		_, ok = m.Value.(*Header_Token)
 	case *Header_HomoHash:
 		_, ok = m.Value.(*Header_HomoHash)
 	case *Header_PayloadChecksum:
@@ -205,8 +205,8 @@ func HeaderType(t headerType) Pred {
 		return func(h *Header) bool { _, ok := h.Value.(*Header_Transform); return ok }
 	case TombstoneHdr:
 		return func(h *Header) bool { _, ok := h.Value.(*Header_Tombstone); return ok }
-	case VerifyHdr:
+	case TokenHdr:
-		return func(h *Header) bool { _, ok := h.Value.(*Header_Verify); return ok }
+		return func(h *Header) bool { _, ok := h.Value.(*Header_Token); return ok }
 	case HomoHashHdr:
 		return func(h *Header) bool { _, ok := h.Value.(*Header_HomoHash); return ok }
 	case PayloadChecksumHdr:
@@ -251,6 +251,12 @@ func (m *Object) CopyTo(o *Object) {
 					HomoHash: v.HomoHash,
 				},
 			}
+		case *Header_Token:
+			o.Headers[i] = Header{
+				Value: &Header_Token{
+					Token: v.Token,
+				},
+			}
 		default:
 			o.Headers[i] = *proto.Clone(&m.Headers[i]).(*Header)
 		}
@@ -266,3 +272,117 @@ func (m Object) Address() *refs.Address {
 		CID:      m.SystemHeader.CID,
 	}
 }
+
+func (m CreationPoint) String() string {
+	return fmt.Sprintf(`{UnixTime=%d Epoch=%d}`, m.UnixTime, m.Epoch)
+}
+
+// Stringify converts object into string format.
+func Stringify(dst io.Writer, obj *Object) error {
+	// put empty line
+	if _, err := fmt.Fprintln(dst); err != nil {
+		return err
+	}
+
+	// put object line
+	if _, err := fmt.Fprintln(dst, "Object:"); err != nil {
+		return err
+	}
+
+	// put system headers
+	if _, err := fmt.Fprintln(dst, "\tSystemHeader:"); err != nil {
+		return err
+	}
+
+	sysHeaders := []string{"ID", "CID", "OwnerID", "Version", "PayloadLength", "CreatedAt"}
+	v := reflect.ValueOf(obj.SystemHeader)
+	for _, key := range sysHeaders {
+		if !v.FieldByName(key).IsValid() {
+			return errors.Errorf("invalid system header key: %q", key)
+		}
+
+		val := v.FieldByName(key).Interface()
+		if _, err := fmt.Fprintf(dst, "\t\t- %s=%v\n", key, val); err != nil {
+			return err
+		}
+	}
+
+	// put user headers
+	if _, err := fmt.Fprintln(dst, "\tUserHeaders:"); err != nil {
+		return err
+	}
+
+	for _, header := range obj.Headers {
+		var (
+			typ = reflect.ValueOf(header.Value)
+			key string
+			val interface{}
+		)
+
+		switch t := typ.Interface().(type) {
+		case *Header_Link:
+			key = "Link"
+			val = fmt.Sprintf(`{Type=%s ID=%s}`, t.Link.Type, t.Link.ID)
+		case *Header_Redirect:
+			key = "Redirect"
+			val = fmt.Sprintf(`{CID=%s OID=%s}`, t.Redirect.CID, t.Redirect.ObjectID)
+		case *Header_UserHeader:
+			key = "UserHeader"
+			val = fmt.Sprintf(`{Key=%s Val=%s}`, t.UserHeader.Key, t.UserHeader.Value)
+		case *Header_Transform:
+			key = "Transform"
+			val = t.Transform.Type.String()
+		case *Header_Tombstone:
+			key = "Tombstone"
+			val = "MARKED"
+		case *Header_Token:
+			key = "Token"
+			val = fmt.Sprintf("{"+
+				"ID=%s OwnerID=%s Verb=%s Address=%s Created=%d ValidUntil=%d SessionKey=%02x Signature=%02x"+
+				"}",
+				t.Token.GetID(),
+				t.Token.GetOwnerID(),
+				t.Token.GetVerb(),
+				t.Token.GetAddress(),
+				t.Token.CreationEpoch(),
+				t.Token.ExpirationEpoch(),
+				t.Token.GetSessionKey(),
+				t.Token.GetSignature())
+		case *Header_HomoHash:
+			key = "HomoHash"
+			val = t.HomoHash
+		case *Header_PayloadChecksum:
+			key = "PayloadChecksum"
+			val = t.PayloadChecksum
+		case *Header_Integrity:
+			key = "Integrity"
+			val = fmt.Sprintf(`{Checksum=%02x Signature=%02x}`,
+				t.Integrity.HeadersChecksum,
+				t.Integrity.ChecksumSignature)
+		case *Header_StorageGroup:
+			key = "StorageGroup"
+			val = fmt.Sprintf(`{DataSize=%d Hash=%02x Lifetime={Unit=%s Value=%d}}`,
+				t.StorageGroup.ValidationDataSize,
+				t.StorageGroup.ValidationHash,
+				t.StorageGroup.Lifetime.Unit,
+				t.StorageGroup.Lifetime.Value)
+		case *Header_PublicKey:
+			key = "PublicKey"
+			val = t.PublicKey.Value
+		default:
+			key = "Unknown"
+			val = t
+		}
+
+		if _, err := fmt.Fprintf(dst, "\t\t- Type=%s\n\t\t  Value=%v\n", key, val); err != nil {
+			return err
+		}
+	}
+
+	// put payload
+	if _, err := fmt.Fprintf(dst, "\tPayload: %#v\n", obj.Payload); err != nil {
+		return err
+	}
+
+	return nil
+}

object/types.proto

@@ -4,7 +4,7 @@ option go_package = "github.com/nspcc-dev/neofs-api-go/object";
 option csharp_namespace = "NeoFS.API.Object";
 
 import "refs/types.proto";
-import "session/types.proto";
+import "service/verify.proto";
 import "storagegroup/types.proto";
 import "github.com/gogo/protobuf/gogoproto/gogo.proto";
 
@@ -36,8 +36,8 @@ message Header {
         Transform Transform                    = 4;
         // Tombstone header that set up in deleted objects
         Tombstone Tombstone                    = 5;
-        // Verify header that contains session public key and user's signature
+        // Token header contains token of the session within which the object was created
-        session.VerificationHeader Verify      = 6;
+        service.Token Token                    = 6;
         // HomoHash is a homomorphic hash of original object payload
         bytes HomoHash                         = 7 [(gogoproto.customtype) = "Hash"];
         // PayloadChecksum of actual object's payload
@@ -70,6 +70,8 @@ message SystemHeader {
 }
 
 message CreationPoint {
+    option (gogoproto.goproto_stringer) = false;
+
     // UnixTime is a date of creation in unixtime format
     int64 UnixTime = 1;
     // Epoch is a date of creation in NeoFS epochs

object/types_test.go

@@ -0,0 +1,201 @@
+package object
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/refs"
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/nspcc-dev/neofs-api-go/storagegroup"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestStringify(t *testing.T) {
+	res := `
+Object:
+	SystemHeader:
+		- ID=7e0b9c6c-aabc-4985-949e-2680e577b48b
+		- CID=11111111111111111111111111111111
+		- OwnerID=ALYeYC41emF6MrmUMc4a8obEPdgFhq9ran
+		- Version=1
+		- PayloadLength=1
+		- CreatedAt={UnixTime=1 Epoch=1}
+	UserHeaders:
+		- Type=Link
+		  Value={Type=Child ID=7e0b9c6c-aabc-4985-949e-2680e577b48b}
+		- Type=Redirect
+		  Value={CID=11111111111111111111111111111111 OID=7e0b9c6c-aabc-4985-949e-2680e577b48b}
+		- Type=UserHeader
+		  Value={Key=test_key Val=test_value}
+		- Type=Transform
+		  Value=Split
+		- Type=Tombstone
+		  Value=MARKED
+		- Type=Token
+		  Value={ID=7e0b9c6c-aabc-4985-949e-2680e577b48b OwnerID=ALYeYC41emF6MrmUMc4a8obEPdgFhq9ran Verb=Search Address=11111111111111111111111111111111/7e0b9c6c-aabc-4985-949e-2680e577b48b Created=1 ValidUntil=2 SessionKey=010203040506 Signature=010203040506}
+		- Type=HomoHash
+		  Value=1111111111111111111111111111111111111111111111111111111111111111
+		- Type=PayloadChecksum
+		  Value=[1 2 3 4 5 6]
+		- Type=Integrity
+		  Value={Checksum=010203040506 Signature=010203040506}
+		- Type=StorageGroup
+		  Value={DataSize=5 Hash=31313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131 Lifetime={Unit=UnixTime Value=555}}
+		- Type=PublicKey
+		  Value=[1 2 3 4 5 6]
+	Payload: []byte{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7}
+`
+
+	key := test.DecodeKey(0)
+
+	uid, err := refs.NewOwnerID(&key.PublicKey)
+	require.NoError(t, err)
+
+	var oid refs.UUID
+
+	require.NoError(t, oid.Parse("7e0b9c6c-aabc-4985-949e-2680e577b48b"))
+
+	obj := &Object{
+		SystemHeader: SystemHeader{
+			Version:       1,
+			PayloadLength: 1,
+			ID:            oid,
+			OwnerID:       uid,
+			CID:           CID{},
+			CreatedAt: CreationPoint{
+				UnixTime: 1,
+				Epoch:    1,
+			},
+		},
+		Payload: []byte{1, 2, 3, 4, 5, 6, 7},
+	}
+
+	// *Header_Link
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_Link{
+			Link: &Link{ID: oid, Type: Link_Child},
+		},
+	})
+
+	// *Header_Redirect
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_Redirect{
+			Redirect: &Address{ObjectID: oid, CID: CID{}},
+		},
+	})
+
+	// *Header_UserHeader
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_UserHeader{
+			UserHeader: &UserHeader{
+				Key:   "test_key",
+				Value: "test_value",
+			},
+		},
+	})
+
+	// *Header_Transform
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_Transform{
+			Transform: &Transform{
+				Type: Transform_Split,
+			},
+		},
+	})
+
+	// *Header_Tombstone
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_Tombstone{
+			Tombstone: &Tombstone{},
+		},
+	})
+
+	token := new(Token)
+	token.SetID(oid)
+	token.SetOwnerID(uid)
+	token.SetVerb(service.Token_Info_Search)
+	token.SetAddress(Address{ObjectID: oid, CID: refs.CID{}})
+	token.SetCreationEpoch(1)
+	token.SetExpirationEpoch(2)
+	token.SetSessionKey([]byte{1, 2, 3, 4, 5, 6})
+	token.SetSignature([]byte{1, 2, 3, 4, 5, 6})
+
+	// *Header_Token
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_Token{
+			Token: token,
+		},
+	})
+
+	// *Header_HomoHash
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_HomoHash{
+			HomoHash: Hash{},
+		},
+	})
+
+	// *Header_PayloadChecksum
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_PayloadChecksum{
+			PayloadChecksum: []byte{1, 2, 3, 4, 5, 6},
+		},
+	})
+
+	// *Header_Integrity
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_Integrity{
+			Integrity: &IntegrityHeader{
+				HeadersChecksum:   []byte{1, 2, 3, 4, 5, 6},
+				ChecksumSignature: []byte{1, 2, 3, 4, 5, 6},
+			},
+		},
+	})
+
+	// *Header_StorageGroup
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_StorageGroup{
+			StorageGroup: &storagegroup.StorageGroup{
+				ValidationDataSize: 5,
+				ValidationHash:     storagegroup.Hash{},
+				Lifetime: &storagegroup.StorageGroup_Lifetime{
+					Unit:  storagegroup.StorageGroup_Lifetime_UnixTime,
+					Value: 555,
+				},
+			},
+		},
+	})
+
+	// *Header_PublicKey
+	obj.Headers = append(obj.Headers, Header{
+		Value: &Header_PublicKey{
+			PublicKey: &PublicKey{Value: []byte{1, 2, 3, 4, 5, 6}},
+		},
+	})
+
+	buf := new(bytes.Buffer)
+
+	require.NoError(t, Stringify(buf, obj))
+	require.Equal(t, res, buf.String())
+}
+
+func TestObject_Copy(t *testing.T) {
+	t.Run("token header", func(t *testing.T) {
+		token := new(Token)
+		token.SetID(service.TokenID{1, 2, 3})
+
+		obj := new(Object)
+
+		obj.AddHeader(&Header{
+			Value: &Header_Token{
+				Token: token,
+			},
+		})
+
+		cp := obj.Copy()
+
+		_, h := cp.LastHeader(HeaderType(TokenHdr))
+		require.NotNil(t, h)
+		require.Equal(t, token, h.GetValue().(*Header_Token).Token)
+	})
+}

object/utils.go

@@ -4,7 +4,6 @@ import (
 	"io"
 	"strconv"
 
-	"github.com/nspcc-dev/neofs-api-go/session"
 	"github.com/pkg/errors"
 )
 
@@ -46,11 +45,10 @@ func (b ByteSize) String() string {
 
 // MakePutRequestHeader combines object and session token value
 // into header of object put request.
-func MakePutRequestHeader(obj *Object, token *session.Token) *PutRequest {
+func MakePutRequestHeader(obj *Object) *PutRequest {
 	return &PutRequest{
 		R: &PutRequest_Header{Header: &PutRequest_PutHeader{
 			Object: obj,
-			Token:  token,
 		}},
 	}
 }

object/verification.go

@@ -77,7 +77,7 @@ func (m Object) Verify() error {
 	integrity := ih.Value.(*Header_Integrity).Integrity
 
 	// Prepare structures
-	_, vh := m.LastHeader(HeaderType(VerifyHdr))
+	_, vh := m.LastHeader(HeaderType(TokenHdr))
 	if vh == nil {
 		_, pkh := m.LastHeader(HeaderType(PublicKeyHdr))
 		if pkh == nil {
@@ -85,7 +85,7 @@ func (m Object) Verify() error {
 		}
 		pubkey = pkh.Value.(*Header_PublicKey).PublicKey.Value
 	} else {
-		pubkey = vh.Value.(*Header_Verify).Verify.PublicKey
+		pubkey = vh.Value.(*Header_Token).Token.GetSessionKey()
 	}
 
 	// Verify signature

object/verification_test.go

@@ -6,7 +6,6 @@ import (
 	"github.com/google/uuid"
 	"github.com/nspcc-dev/neofs-api-go/container"
 	"github.com/nspcc-dev/neofs-api-go/refs"
-	"github.com/nspcc-dev/neofs-api-go/session"
 	crypto "github.com/nspcc-dev/neofs-crypto"
 	"github.com/nspcc-dev/neofs-crypto/test"
 	"github.com/stretchr/testify/require"
@@ -77,11 +76,10 @@ func TestObject_Verify(t *testing.T) {
 
 	dataPK := crypto.MarshalPublicKey(&sessionkey.PublicKey)
 	signature, err = crypto.Sign(key, dataPK)
-	vh := &session.VerificationHeader{
+	tok := new(Token)
-		PublicKey:    dataPK,
+	tok.SetSignature(signature)
-		KeySignature: signature,
+	tok.SetSessionKey(dataPK)
-	}
+	obj.AddHeader(&Header{Value: &Header_Token{Token: tok}})
-	obj.SetVerificationHeader(vh)
 
 	// validation header is not last
 	t.Run("error validation header is not last", func(t *testing.T) {
@@ -90,7 +88,7 @@ func TestObject_Verify(t *testing.T) {
 	})
 
 	obj.Headers = obj.Headers[:len(obj.Headers)-2]
-	obj.SetVerificationHeader(vh)
+	obj.AddHeader(&Header{Value: &Header_Token{Token: tok}})
 	obj.SetHeader(&Header{Value: &Header_Integrity{ih}})
 
 	t.Run("error invalid header checksum", func(t *testing.T) {
@@ -115,7 +113,7 @@ func TestObject_Verify(t *testing.T) {
 	require.NoError(t, err)
 	obj.SetHeader(genIH)
 
-	t.Run("correct with vh", func(t *testing.T) {
+	t.Run("correct with tok", func(t *testing.T) {
 		err = obj.Verify()
 		require.NoError(t, err)
 	})
@@ -123,7 +121,7 @@ func TestObject_Verify(t *testing.T) {
 	pkh := Header{Value: &Header_PublicKey{&PublicKey{
 		Value: crypto.MarshalPublicKey(&key.PublicKey),
 	}}}
-	// replace vh with pkh
+	// replace tok with pkh
 	obj.Headers[len(obj.Headers)-2] = pkh
 	// re-sign object
 	obj.Sign(sessionkey)

refs/types.go

@@ -37,6 +37,23 @@ type (
 	OwnerID chain.WalletAddress
 )
 
+// OwnerIDSource is an interface of the container of an OwnerID value with read access.
+type OwnerIDSource interface {
+	GetOwnerID() OwnerID
+}
+
+// OwnerIDContainer is an interface of the container of an OwnerID value.
+type OwnerIDContainer interface {
+	OwnerIDSource
+	SetOwnerID(OwnerID)
+}
+
+// AddressContainer is an interface of the container of object address value.
+type AddressContainer interface {
+	GetAddress() Address
+	SetAddress(Address)
+}
+
 const (
 	// UUIDSize contains size of UUID.
 	UUIDSize = 16

service/alias.go

@@ -0,0 +1,20 @@
+package service
+
+import (
+	"github.com/nspcc-dev/neofs-api-go/refs"
+)
+
+// TokenID is a type alias of UUID ref.
+type TokenID = refs.UUID
+
+// OwnerID is a type alias of OwnerID ref.
+type OwnerID = refs.OwnerID
+
+// Address is a type alias of Address ref.
+type Address = refs.Address
+
+// AddressContainer is a type alias of refs.AddressContainer.
+type AddressContainer = refs.AddressContainer
+
+// OwnerIDContainer is a type alias of refs.OwnerIDContainer.
+type OwnerIDContainer = refs.OwnerIDContainer

service/epoch.go

@@ -0,0 +1,11 @@
+package service
+
+// SetEpoch is an Epoch field setter.
+func (m *ResponseMetaHeader) SetEpoch(v uint64) {
+	m.Epoch = v
+}
+
+// SetEpoch is an Epoch field setter.
+func (m *RequestMetaHeader) SetEpoch(v uint64) {
+	m.Epoch = v
+}

service/epoch_test.go

@@ -0,0 +1,21 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetSetEpoch(t *testing.T) {
+	v := uint64(5)
+
+	items := []EpochContainer{
+		new(ResponseMetaHeader),
+		new(RequestMetaHeader),
+	}
+
+	for _, item := range items {
+		item.SetEpoch(v)
+		require.Equal(t, v, item.GetEpoch())
+	}
+}

service/errors.go

@@ -0,0 +1,49 @@
+package service
+
+import "github.com/nspcc-dev/neofs-api-go/internal"
+
+// ErrNilToken is returned by functions that expect
+// a non-nil token argument, but received nil.
+const ErrNilToken = internal.Error("token is nil")
+
+// ErrInvalidTTL means that the TTL value does not
+// satisfy a specific criterion.
+const ErrInvalidTTL = internal.Error("invalid TTL value")
+
+// ErrInvalidPublicKeyBytes means that the public key could not be unmarshaled.
+const ErrInvalidPublicKeyBytes = internal.Error("cannot load public key")
+
+// ErrCannotFindOwner is raised when signatures empty in GetOwner.
+const ErrCannotFindOwner = internal.Error("cannot find owner public key")
+
+// ErrWrongOwner is raised when passed OwnerID
+// not equal to present PublicKey
+const ErrWrongOwner = internal.Error("wrong owner")
+
+// ErrNilSignedDataSource returned by functions that expect a non-nil
+// SignedDataSource, but received nil.
+const ErrNilSignedDataSource = internal.Error("signed data source is nil")
+
+// ErrNilSignatureKeySource is returned by functions that expect a non-nil
+// SignatureKeySource, but received nil.
+const ErrNilSignatureKeySource = internal.Error("empty key-signature source")
+
+// ErrEmptyDataWithSignature is returned by functions that expect
+// a non-nil DataWithSignature, but received nil.
+const ErrEmptyDataWithSignature = internal.Error("empty data with signature")
+
+// ErrNegativeLength is returned by functions that received
+// negative length for slice allocation.
+const ErrNegativeLength = internal.Error("negative slice length")
+
+// ErrNilDataWithTokenSignAccumulator is returned by functions that expect
+// a non-nil DataWithTokenSignAccumulator, but received nil.
+const ErrNilDataWithTokenSignAccumulator = internal.Error("signed data with token is nil")
+
+// ErrNilSignatureKeySourceWithToken is returned by functions that expect
+// a non-nil SignatureKeySourceWithToken, but received nil.
+const ErrNilSignatureKeySourceWithToken = internal.Error("key-signature source with token is nil")
+
+// ErrNilSignedDataReader is returned by functions that expect
+// a non-nil SignedDataReader, but received nil.
+const ErrNilSignedDataReader = internal.Error("signed data reader is nil")

service/meta.go

@@ -1,127 +1,13 @@
 package service
 
-import (
+// CutMeta returns current value and sets RequestMetaHeader to empty value.
-	"github.com/nspcc-dev/neofs-api-go/internal"
+func (m *RequestMetaHeader) CutMeta() RequestMetaHeader {
-	"github.com/pkg/errors"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-)
-
-type (
-	// MetaHeader contains meta information of request.
-	// It provides methods to get or set meta information meta header.
-	// Also contains methods to reset and restore meta header.
-	// Also contains methods to get or set request protocol version
-	MetaHeader interface {
-		ResetMeta() RequestMetaHeader
-		RestoreMeta(RequestMetaHeader)
-
-		// TTLRequest to verify and update ttl requests.
-		GetTTL() uint32
-		SetTTL(uint32)
-
-		// EpochHeader gives possibility to get or set epoch in RPC Requests.
-		EpochHeader
-
-		// VersionHeader allows get or set version of protocol request
-		VersionHeader
-	}
-
-	// EpochHeader interface gives possibility to get or set epoch in RPC Requests.
-	EpochHeader interface {
-		GetEpoch() uint64
-		SetEpoch(v uint64)
-	}
-
-	// VersionHeader allows get or set version of protocol request
-	VersionHeader interface {
-		GetVersion() uint32
-		SetVersion(uint32)
-	}
-
-	// TTLCondition is closure, that allows to validate request with ttl.
-	TTLCondition func(ttl uint32) error
-)
-
-const (
-	// ZeroTTL is empty ttl, should produce ErrZeroTTL.
-	ZeroTTL = iota
-
-	// NonForwardingTTL is a ttl that allows direct connections only.
-	NonForwardingTTL
-
-	// SingleForwardingTTL is a ttl that allows connections through another node.
-	SingleForwardingTTL
-)
-
-const (
-	// ErrZeroTTL is raised when zero ttl is passed.
-	ErrZeroTTL = internal.Error("zero ttl")
-
-	// ErrIncorrectTTL is raised when NonForwardingTTL is passed and NodeRole != InnerRingNode.
-	ErrIncorrectTTL = internal.Error("incorrect ttl")
-)
-
-// SetVersion sets protocol version to ResponseMetaHeader.
-func (m *ResponseMetaHeader) SetVersion(v uint32) { m.Version = v }
-
-// SetEpoch sets Epoch to ResponseMetaHeader.
-func (m *ResponseMetaHeader) SetEpoch(v uint64) { m.Epoch = v }
-
-// SetVersion sets protocol version to RequestMetaHeader.
-func (m *RequestMetaHeader) SetVersion(v uint32) { m.Version = v }
-
-// SetTTL sets TTL to RequestMetaHeader.
-func (m *RequestMetaHeader) SetTTL(v uint32) { m.TTL = v }
-
-// SetEpoch sets Epoch to RequestMetaHeader.
-func (m *RequestMetaHeader) SetEpoch(v uint64) { m.Epoch = v }
-
-// ResetMeta returns current value and sets RequestMetaHeader to empty value.
-func (m *RequestMetaHeader) ResetMeta() RequestMetaHeader {
 	cp := *m
 	m.Reset()
 	return cp
 }
 
 // RestoreMeta sets current RequestMetaHeader to passed value.
-func (m *RequestMetaHeader) RestoreMeta(v RequestMetaHeader) { *m = v }
+func (m *RequestMetaHeader) RestoreMeta(v RequestMetaHeader) {
-
+	*m = v
-// IRNonForwarding condition that allows NonForwardingTTL only for IR
-func IRNonForwarding(role NodeRole) TTLCondition {
-	return func(ttl uint32) error {
-		if ttl == NonForwardingTTL && role != InnerRingNode {
-			return ErrIncorrectTTL
-		}
-
-		return nil
-	}
-}
-
-// ProcessRequestTTL validates and update ttl requests.
-func ProcessRequestTTL(req MetaHeader, cond ...TTLCondition) error {
-	ttl := req.GetTTL()
-
-	if ttl == ZeroTTL {
-		return status.New(codes.InvalidArgument, ErrZeroTTL.Error()).Err()
-	}
-
-	for i := range cond {
-		if cond[i] == nil {
-			continue
-		}
-
-		// check specific condition:
-		if err := cond[i](ttl); err != nil {
-			if st, ok := status.FromError(errors.Cause(err)); ok {
-				return st.Err()
-			}
-
-			return status.New(codes.InvalidArgument, err.Error()).Err()
-		}
-	}
-
-	req.SetTTL(ttl - 1)
-
-	return nil
 }

service/meta.proto

@@ -17,6 +17,8 @@ message RequestMetaHeader {
     // Version defines protocol version
     // TODO: not used for now, should be implemented in future
     uint32 Version = 3;
+    // Raw determines whether the request is raw or not
+    bool Raw       = 4;
 }
 
 // ResponseMetaHeader contains meta information based on request processing by server

service/meta_test.go

@@ -3,102 +3,23 @@ package service
 import (
 	"testing"
 
-	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
-type mockedRequest struct {
+func TestCutRestoreMeta(t *testing.T) {
-	msg     string
+	items := []func() SeizedMetaHeaderContainer{
-	name    string
+		func() SeizedMetaHeaderContainer {
-	code    codes.Code
+			m := new(RequestMetaHeader)
-	handler TTLCondition
+			m.SetEpoch(1)
-	RequestMetaHeader
+			return m
-}
-
-func TestMetaRequest(t *testing.T) {
-	tests := []mockedRequest{
-		{
-			name:              "direct to ir node",
-			handler:           IRNonForwarding(InnerRingNode),
-			RequestMetaHeader: RequestMetaHeader{TTL: NonForwardingTTL},
-		},
-		{
-			code:              codes.InvalidArgument,
-			msg:               ErrIncorrectTTL.Error(),
-			name:              "direct to storage node",
-			handler:           IRNonForwarding(StorageNode),
-			RequestMetaHeader: RequestMetaHeader{TTL: NonForwardingTTL},
-		},
-		{
-			msg:               ErrZeroTTL.Error(),
-			code:              codes.InvalidArgument,
-			name:              "zero ttl",
-			handler:           IRNonForwarding(StorageNode),
-			RequestMetaHeader: RequestMetaHeader{TTL: ZeroTTL},
-		},
-		{
-			name:              "default to ir node",
-			handler:           IRNonForwarding(InnerRingNode),
-			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
-		},
-		{
-			name:              "default to storage node",
-			handler:           IRNonForwarding(StorageNode),
-			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
-		},
-		{
-			msg:               "not found",
-			code:              codes.NotFound,
-			name:              "custom status error",
-			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
-			handler:           func(_ uint32) error { return status.Error(codes.NotFound, "not found") },
-		},
-		{
-			msg:               "not found",
-			code:              codes.NotFound,
-			name:              "custom wrapped status error",
-			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
-			handler: func(_ uint32) error {
-				err := status.Error(codes.NotFound, "not found")
-				err = errors.Wrap(err, "some error context")
-				err = errors.Wrap(err, "another error context")
-				return err
-			},
 		},
 	}
 
-	for i := range tests {
+	for _, item := range items {
-		tt := tests[i]
+		v1 := item()
-		t.Run(tt.name, func(t *testing.T) {
+		m1 := v1.CutMeta()
-			before := tt.GetTTL()
+		v1.RestoreMeta(m1)
-			err := ProcessRequestTTL(&tt, tt.handler)
-			if tt.msg != "" {
-				require.Errorf(t, err, tt.msg)
 
-				state, ok := status.FromError(err)
+		require.Equal(t, item(), v1)
-				require.True(t, ok)
-				require.Equal(t, tt.code, state.Code())
-				require.Equal(t, tt.msg, state.Message())
-			} else {
-				require.NoError(t, err)
-				require.NotEqualf(t, before, tt.GetTTL(), "ttl should be changed: %d vs %d", before, tt.GetTTL())
-			}
-		})
 	}
 }
-
-func TestRequestMetaHeader_SetEpoch(t *testing.T) {
-	m := new(ResponseMetaHeader)
-	epoch := uint64(3)
-	m.SetEpoch(epoch)
-	require.Equal(t, epoch, m.GetEpoch())
-}
-
-func TestRequestMetaHeader_SetVersion(t *testing.T) {
-	m := new(ResponseMetaHeader)
-	version := uint32(3)
-	m.SetVersion(version)
-	require.Equal(t, version, m.GetVersion())
-}

service/raw.go

@@ -0,0 +1,6 @@
+package service
+
+// SetRaw is a Raw field setter.
+func (m *RequestMetaHeader) SetRaw(raw bool) {
+	m.Raw = raw
+}

service/raw_test.go

@@ -0,0 +1,24 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetSetRaw(t *testing.T) {
+	items := []RawContainer{
+		new(RequestMetaHeader),
+	}
+
+	for _, item := range items {
+		// init with false
+		item.SetRaw(false)
+
+		item.SetRaw(true)
+		require.True(t, item.GetRaw())
+
+		item.SetRaw(false)
+		require.False(t, item.GetRaw())
+	}
+}

service/role.go

@@ -1,7 +1,6 @@
 package service
 
-// NodeRole to identify in Bootstrap service.
+import "encoding/binary"
-type NodeRole int32
 
 const (
 	_ NodeRole = iota
@@ -22,3 +21,17 @@ func (nt NodeRole) String() string {
 		return "Unknown"
 	}
 }
+
+// Size returns the size necessary for a binary representation of the NodeRole.
+func (nt NodeRole) Size() int {
+	return 4
+}
+
+// Bytes returns a binary representation of the NodeRole.
+func (nt NodeRole) Bytes() []byte {
+	data := make([]byte, nt.Size())
+
+	binary.BigEndian.PutUint32(data, uint32(nt))
+
+	return data
+}

service/sign.go

@@ -0,0 +1,229 @@
+package service
+
+import (
+	"crypto/ecdsa"
+	"sync"
+
+	crypto "github.com/nspcc-dev/neofs-crypto"
+)
+
+type keySign struct {
+	key  *ecdsa.PublicKey
+	sign []byte
+}
+
+var bytesPool = sync.Pool{
+	New: func() interface{} {
+		return make([]byte, 5<<20)
+	},
+}
+
+// GetSignature is a sign field getter.
+func (s keySign) GetSignature() []byte {
+	return s.sign
+}
+
+// GetPublicKey is a key field getter,
+func (s keySign) GetPublicKey() *ecdsa.PublicKey {
+	return s.key
+}
+
+// Unites passed key with signature and returns SignKeyPair interface.
+func newSignatureKeyPair(key *ecdsa.PublicKey, sign []byte) SignKeyPair {
+	return &keySign{
+		key:  key,
+		sign: sign,
+	}
+}
+
+// Returns data from DataSignatureAccumulator for signature creation/verification.
+//
+// If passed DataSignatureAccumulator provides a SignedDataReader interface, data for signature is obtained
+// using this interface for optimization. In this case, it is understood that reading into the slice D
+// that the method DataForSignature returns does not change D.
+//
+// If returned length of data is negative, ErrNegativeLength returns.
+func dataForSignature(src SignedDataSource) ([]byte, error) {
+	if src == nil {
+		return nil, ErrNilSignedDataSource
+	}
+
+	r, ok := src.(SignedDataReader)
+	if !ok {
+		return src.SignedData()
+	}
+
+	buf := bytesPool.Get().([]byte)
+
+	if size := r.SignedDataSize(); size < 0 {
+		return nil, ErrNegativeLength
+	} else if size <= cap(buf) {
+		buf = buf[:size]
+	} else {
+		buf = make([]byte, size)
+	}
+
+	n, err := r.ReadSignedData(buf)
+	if err != nil {
+		return nil, err
+	}
+
+	return buf[:n], nil
+
+}
+
+// DataSignature returns the signature of data obtained using the private key.
+//
+// If passed data container is nil, ErrNilSignedDataSource returns.
+// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
+// If the data container or the signature function returns an error, it is returned directly.
+func DataSignature(key *ecdsa.PrivateKey, src SignedDataSource) ([]byte, error) {
+	if key == nil {
+		return nil, crypto.ErrEmptyPrivateKey
+	}
+
+	data, err := dataForSignature(src)
+	if err != nil {
+		return nil, err
+	}
+	defer bytesPool.Put(data)
+
+	return crypto.Sign(key, data)
+}
+
+// AddSignatureWithKey calculates the data signature and adds it to accumulator with public key.
+//
+// Any change of data provoke signature breakdown.
+//
+// Returns signing errors only.
+func AddSignatureWithKey(key *ecdsa.PrivateKey, v DataWithSignKeyAccumulator) error {
+	sign, err := DataSignature(key, v)
+	if err != nil {
+		return err
+	}
+
+	v.AddSignKey(sign, &key.PublicKey)
+
+	return nil
+}
+
+// Checks passed key-signature pairs for data from the passed container.
+//
+// If passed key-signatures pair set is empty, nil returns immediately.
+func verifySignatures(src SignedDataSource, items ...SignKeyPair) error {
+	if len(items) <= 0 {
+		return nil
+	}
+
+	data, err := dataForSignature(src)
+	if err != nil {
+		return err
+	}
+	defer bytesPool.Put(data)
+
+	for _, signKey := range items {
+		if err := crypto.Verify(
+			signKey.GetPublicKey(),
+			data,
+			signKey.GetSignature(),
+		); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// VerifySignatures checks passed key-signature pairs for data from the passed container.
+//
+// If passed data source is nil, ErrNilSignedDataSource returns.
+// If check data is not ready, corresponding error returns.
+// If at least one of the pairs is invalid, an error returns.
+func VerifySignatures(src SignedDataSource, items ...SignKeyPair) error {
+	return verifySignatures(src, items...)
+}
+
+// VerifyAccumulatedSignatures checks if accumulated key-signature pairs are valid.
+//
+// Behaves like VerifySignatures.
+// If passed key-signature source is empty, ErrNilSignatureKeySource returns.
+func VerifyAccumulatedSignatures(src DataWithSignKeySource) error {
+	if src == nil {
+		return ErrNilSignatureKeySource
+	}
+
+	return verifySignatures(src, src.GetSignKeyPairs()...)
+}
+
+// VerifySignatureWithKey checks data signature from the passed container with passed key.
+//
+// If passed data with signature is nil, ErrEmptyDataWithSignature returns.
+// If passed key is nil, crypto.ErrEmptyPublicKey returns.
+// A non-nil error returns if and only if the signature does not pass verification.
+func VerifySignatureWithKey(key *ecdsa.PublicKey, src DataWithSignature) error {
+	if src == nil {
+		return ErrEmptyDataWithSignature
+	} else if key == nil {
+		return crypto.ErrEmptyPublicKey
+	}
+
+	return verifySignatures(
+		src,
+		newSignatureKeyPair(
+			key,
+			src.GetSignature(),
+		),
+	)
+}
+
+// SignDataWithSessionToken calculates data with token signature and adds it to accumulator.
+//
+// Any change of data or session token info provoke signature breakdown.
+//
+// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
+// If passed DataWithTokenSignAccumulator is nil, ErrNilDataWithTokenSignAccumulator returns.
+func SignDataWithSessionToken(key *ecdsa.PrivateKey, src DataWithTokenSignAccumulator) error {
+	if src == nil {
+		return ErrNilDataWithTokenSignAccumulator
+	} else if r, ok := src.(SignedDataReader); ok {
+		return AddSignatureWithKey(key, &signDataReaderWithToken{
+			SignedDataSource:       src,
+			SignKeyPairAccumulator: src,
+
+			rdr:   r,
+			token: src.GetSessionToken(),
+		},
+		)
+	}
+
+	return AddSignatureWithKey(key, &signAccumWithToken{
+		SignedDataSource:       src,
+		SignKeyPairAccumulator: src,
+
+		token: src.GetSessionToken(),
+	})
+}
+
+// VerifyAccumulatedSignaturesWithToken checks if accumulated key-signature pairs of data with token are valid.
+//
+// If passed DataWithTokenSignSource is nil, ErrNilSignatureKeySourceWithToken returns.
+func VerifyAccumulatedSignaturesWithToken(src DataWithTokenSignSource) error {
+	if src == nil {
+		return ErrNilSignatureKeySourceWithToken
+	} else if r, ok := src.(SignedDataReader); ok {
+		return VerifyAccumulatedSignatures(&signDataReaderWithToken{
+			SignedDataSource:  src,
+			SignKeyPairSource: src,
+
+			rdr:   r,
+			token: src.GetSessionToken(),
+		})
+	}
+
+	return VerifyAccumulatedSignatures(&signAccumWithToken{
+		SignedDataSource:  src,
+		SignKeyPairSource: src,
+
+		token: src.GetSessionToken(),
+	})
+}

service/sign_test.go

@@ -0,0 +1,326 @@
+package service
+
+import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"errors"
+	"io"
+	"testing"
+
+	crypto "github.com/nspcc-dev/neofs-crypto"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+type testSignedDataSrc struct {
+	err   error
+	data  []byte
+	sig   []byte
+	key   *ecdsa.PublicKey
+	token SessionToken
+}
+
+type testSignedDataReader struct {
+	*testSignedDataSrc
+}
+
+func (s testSignedDataSrc) GetSignature() []byte {
+	return s.sig
+}
+
+func (s testSignedDataSrc) GetSignKeyPairs() []SignKeyPair {
+	return []SignKeyPair{
+		newSignatureKeyPair(s.key, s.sig),
+	}
+}
+
+func (s testSignedDataSrc) SignedData() ([]byte, error) {
+	return s.data, s.err
+}
+
+func (s *testSignedDataSrc) AddSignKey(sig []byte, key *ecdsa.PublicKey) {
+	s.key = key
+	s.sig = sig
+}
+
+func testData(t *testing.T, sz int) []byte {
+	d := make([]byte, sz)
+	_, err := rand.Read(d)
+	require.NoError(t, err)
+	return d
+}
+
+func (s testSignedDataSrc) GetSessionToken() SessionToken {
+	return s.token
+}
+
+func (s testSignedDataReader) SignedDataSize() int {
+	return len(s.data)
+}
+
+func (s testSignedDataReader) ReadSignedData(buf []byte) (int, error) {
+	if s.err != nil {
+		return 0, s.err
+	}
+
+	var err error
+	if len(buf) < len(s.data) {
+		err = io.ErrUnexpectedEOF
+	}
+	return copy(buf, s.data), err
+}
+
+func TestDataSignature(t *testing.T) {
+	var err error
+
+	// nil private key
+	_, err = DataSignature(nil, nil)
+	require.EqualError(t, err, crypto.ErrEmptyPrivateKey.Error())
+
+	// create test private key
+	sk := test.DecodeKey(0)
+
+	// nil private key
+	_, err = DataSignature(sk, nil)
+	require.EqualError(t, err, ErrNilSignedDataSource.Error())
+
+	t.Run("common signed data source", func(t *testing.T) {
+		// create test data source
+		src := &testSignedDataSrc{
+			data: testData(t, 10),
+		}
+
+		// create custom error for data source
+		src.err = errors.New("test error for data source")
+
+		_, err = DataSignature(sk, src)
+		require.EqualError(t, err, src.err.Error())
+
+		// reset error to nil
+		src.err = nil
+
+		// calculate data signature
+		sig, err := DataSignature(sk, src)
+		require.NoError(t, err)
+
+		// ascertain that the signature passes verification
+		require.NoError(t, crypto.Verify(&sk.PublicKey, src.data, sig))
+	})
+
+	t.Run("signed data reader", func(t *testing.T) {
+		// create test signed data reader
+		src := &testSignedDataSrc{
+			data: testData(t, 10),
+		}
+
+		// create custom error for signed data reader
+		src.err = errors.New("test error for signed data reader")
+
+		sig, err := DataSignature(sk, src)
+		require.EqualError(t, err, src.err.Error())
+
+		// reset error to nil
+		src.err = nil
+
+		// calculate data signature
+		sig, err = DataSignature(sk, src)
+		require.NoError(t, err)
+
+		// ascertain that the signature passes verification
+		require.NoError(t, crypto.Verify(&sk.PublicKey, src.data, sig))
+	})
+}
+
+func TestAddSignatureWithKey(t *testing.T) {
+	require.NoError(t,
+		AddSignatureWithKey(
+			test.DecodeKey(0),
+			&testSignedDataSrc{
+				data: testData(t, 10),
+			},
+		),
+	)
+}
+
+func TestVerifySignatures(t *testing.T) {
+	// empty signatures
+	require.NoError(t, VerifySignatures(nil))
+
+	// create test signature source
+	src := &testSignedDataSrc{
+		data: testData(t, 10),
+	}
+
+	// create private key for test
+	sk := test.DecodeKey(0)
+
+	// calculate a signature of the data
+	sig, err := crypto.Sign(sk, src.data)
+	require.NoError(t, err)
+
+	// ascertain that verification is passed
+	require.NoError(t,
+		VerifySignatures(
+			src,
+			newSignatureKeyPair(&sk.PublicKey, sig),
+		),
+	)
+
+	// break the signature
+	sig[0]++
+
+	require.Error(t,
+		VerifySignatures(
+			src,
+			newSignatureKeyPair(&sk.PublicKey, sig),
+		),
+	)
+
+	// restore the signature
+	sig[0]--
+
+	// empty data source
+	require.EqualError(t,
+		VerifySignatures(nil, nil),
+		ErrNilSignedDataSource.Error(),
+	)
+
+}
+
+func TestVerifyAccumulatedSignatures(t *testing.T) {
+	// nil signature source
+	require.EqualError(t,
+		VerifyAccumulatedSignatures(nil),
+		ErrNilSignatureKeySource.Error(),
+	)
+
+	// create test private key
+	sk := test.DecodeKey(0)
+
+	// create signature source
+	src := &testSignedDataSrc{
+		data: testData(t, 10),
+		key:  &sk.PublicKey,
+	}
+
+	var err error
+
+	// calculate a signature
+	src.sig, err = crypto.Sign(sk, src.data)
+	require.NoError(t, err)
+
+	// ascertain that verification is passed
+	require.NoError(t, VerifyAccumulatedSignatures(src))
+
+	// break the signature
+	src.sig[0]++
+
+	// ascertain that verification is failed
+	require.Error(t, VerifyAccumulatedSignatures(src))
+}
+
+func TestVerifySignatureWithKey(t *testing.T) {
+	// nil signature source
+	require.EqualError(t,
+		VerifySignatureWithKey(nil, nil),
+		ErrEmptyDataWithSignature.Error(),
+	)
+
+	// create test signature source
+	src := &testSignedDataSrc{
+		data: testData(t, 10),
+	}
+
+	// nil public key
+	require.EqualError(t,
+		VerifySignatureWithKey(nil, src),
+		crypto.ErrEmptyPublicKey.Error(),
+	)
+
+	// create test private key
+	sk := test.DecodeKey(0)
+
+	var err error
+
+	// calculate a signature
+	src.sig, err = crypto.Sign(sk, src.data)
+	require.NoError(t, err)
+
+	// ascertain that verification is passed
+	require.NoError(t, VerifySignatureWithKey(&sk.PublicKey, src))
+
+	// break the signature
+	src.sig[0]++
+
+	// ascertain that verification is failed
+	require.Error(t, VerifySignatureWithKey(&sk.PublicKey, src))
+}
+
+func TestSignVerifyDataWithSessionToken(t *testing.T) {
+	// sign with empty DataWithTokenSignAccumulator
+	require.EqualError(t,
+		SignDataWithSessionToken(nil, nil),
+		ErrNilDataWithTokenSignAccumulator.Error(),
+	)
+
+	// verify with empty DataWithTokenSignSource
+	require.EqualError(t,
+		VerifyAccumulatedSignaturesWithToken(nil),
+		ErrNilSignatureKeySourceWithToken.Error(),
+	)
+
+	// create test session token
+	var (
+		token    = new(Token)
+		initVerb = Token_Info_Verb(1)
+	)
+
+	token.SetVerb(initVerb)
+
+	// create test data with token
+	src := &testSignedDataSrc{
+		data:  testData(t, 10),
+		token: token,
+	}
+
+	// create test private key
+	sk := test.DecodeKey(0)
+
+	// sign with private key
+	require.NoError(t, SignDataWithSessionToken(sk, src))
+
+	// ascertain that verification is passed
+	require.NoError(t, VerifyAccumulatedSignaturesWithToken(src))
+
+	// break the data
+	src.data[0]++
+
+	// ascertain that verification is failed
+	require.Error(t, VerifyAccumulatedSignaturesWithToken(src))
+
+	// restore the data
+	src.data[0]--
+
+	// break the token
+	token.SetVerb(initVerb + 1)
+
+	// ascertain that verification is failed
+	require.Error(t, VerifyAccumulatedSignaturesWithToken(src))
+
+	// restore the token
+	token.SetVerb(initVerb)
+
+	// ascertain that verification is passed
+	require.NoError(t, VerifyAccumulatedSignaturesWithToken(src))
+
+	// wrap to data reader
+	rdr := &testSignedDataReader{
+		testSignedDataSrc: src,
+	}
+
+	// sign with private key
+	require.NoError(t, SignDataWithSessionToken(sk, rdr))
+
+	// ascertain that verification is passed
+	require.NoError(t, VerifyAccumulatedSignaturesWithToken(rdr))
+}

service/token.go

@@ -0,0 +1,231 @@
+package service
+
+import (
+	"crypto/ecdsa"
+	"encoding/binary"
+	"io"
+
+	"github.com/nspcc-dev/neofs-api-go/refs"
+)
+
+type signAccumWithToken struct {
+	SignedDataSource
+	SignKeyPairAccumulator
+	SignKeyPairSource
+
+	token SessionToken
+}
+
+type signDataReaderWithToken struct {
+	SignedDataSource
+	SignKeyPairAccumulator
+	SignKeyPairSource
+
+	rdr SignedDataReader
+
+	token SessionToken
+}
+
+const verbSize = 4
+
+const fixedTokenDataSize = 0 +
+	refs.UUIDSize +
+	refs.OwnerIDSize +
+	verbSize +
+	refs.UUIDSize +
+	refs.CIDSize +
+	8 +
+	8
+
+var tokenEndianness = binary.BigEndian
+
+// GetID is an ID field getter.
+func (m Token_Info) GetID() TokenID {
+	return m.ID
+}
+
+// SetID is an ID field setter.
+func (m *Token_Info) SetID(id TokenID) {
+	m.ID = id
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m Token_Info) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *Token_Info) SetOwnerID(id OwnerID) {
+	m.OwnerID = id
+}
+
+// SetVerb is a Verb field setter.
+func (m *Token_Info) SetVerb(verb Token_Info_Verb) {
+	m.Verb = verb
+}
+
+// GetAddress is an Address field getter.
+func (m Token_Info) GetAddress() Address {
+	return m.Address
+}
+
+// SetAddress is an Address field setter.
+func (m *Token_Info) SetAddress(addr Address) {
+	m.Address = addr
+}
+
+// CreationEpoch is a Created field getter.
+func (m TokenLifetime) CreationEpoch() uint64 {
+	return m.Created
+}
+
+// SetCreationEpoch is a Created field setter.
+func (m *TokenLifetime) SetCreationEpoch(e uint64) {
+	m.Created = e
+}
+
+// ExpirationEpoch is a ValidUntil field getter.
+func (m TokenLifetime) ExpirationEpoch() uint64 {
+	return m.ValidUntil
+}
+
+// SetExpirationEpoch is a ValidUntil field setter.
+func (m *TokenLifetime) SetExpirationEpoch(e uint64) {
+	m.ValidUntil = e
+}
+
+// SetSessionKey is a SessionKey field setter.
+func (m *Token_Info) SetSessionKey(key []byte) {
+	m.SessionKey = key
+}
+
+// SetSignature is a Signature field setter.
+func (m *Token) SetSignature(sig []byte) {
+	m.Signature = sig
+}
+
+// Size returns the size of a binary representation of the verb.
+func (x Token_Info_Verb) Size() int {
+	return verbSize
+}
+
+// Bytes returns a binary representation of the verb.
+func (x Token_Info_Verb) Bytes() []byte {
+	data := make([]byte, verbSize)
+	tokenEndianness.PutUint32(data, uint32(x))
+	return data
+}
+
+// AddSignKey calls a Signature field setter with passed signature.
+func (m *Token) AddSignKey(sig []byte, _ *ecdsa.PublicKey) {
+	m.SetSignature(sig)
+}
+
+// SignedData returns token information in a binary representation.
+func (m *Token) SignedData() ([]byte, error) {
+	return SignedDataFromReader(m)
+}
+
+// ReadSignedData copies a binary representation of the token information to passed buffer.
+//
+// If buffer length is less than required, io.ErrUnexpectedEOF returns.
+func (m *Token_Info) ReadSignedData(p []byte) (int, error) {
+	sz := m.SignedDataSize()
+	if len(p) < sz {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	copyTokenSignedData(p, m)
+
+	return sz, nil
+}
+
+// SignedDataSize returns the length of signed token information slice.
+func (m *Token_Info) SignedDataSize() int {
+	return tokenInfoSize(m)
+}
+
+func tokenInfoSize(v SessionKeySource) int {
+	if v == nil {
+		return 0
+	}
+	return fixedTokenDataSize + len(v.GetSessionKey())
+}
+
+// Fills passed buffer with signing token information bytes.
+// Does not check buffer length, it is understood that enough space is allocated in it.
+//
+// If passed SessionTokenInfo, buffer remains unchanged.
+func copyTokenSignedData(buf []byte, token SessionTokenInfo) {
+	if token == nil {
+		return
+	}
+
+	var off int
+
+	off += copy(buf[off:], token.GetID().Bytes())
+
+	off += copy(buf[off:], token.GetOwnerID().Bytes())
+
+	off += copy(buf[off:], token.GetVerb().Bytes())
+
+	addr := token.GetAddress()
+	off += copy(buf[off:], addr.CID.Bytes())
+	off += copy(buf[off:], addr.ObjectID.Bytes())
+
+	tokenEndianness.PutUint64(buf[off:], token.CreationEpoch())
+	off += 8
+
+	tokenEndianness.PutUint64(buf[off:], token.ExpirationEpoch())
+	off += 8
+
+	copy(buf[off:], token.GetSessionKey())
+}
+
+// SignedData concatenates signed data with session token information. Returns concatenation result.
+//
+// Token bytes are added if and only if token is not nil.
+func (s signAccumWithToken) SignedData() ([]byte, error) {
+	data, err := s.SignedDataSource.SignedData()
+	if err != nil {
+		return nil, err
+	}
+
+	tokenData := make([]byte, tokenInfoSize(s.token))
+
+	copyTokenSignedData(tokenData, s.token)
+
+	return append(data, tokenData...), nil
+}
+
+func (s signDataReaderWithToken) SignedDataSize() int {
+	sz := s.rdr.SignedDataSize()
+	if sz < 0 {
+		return -1
+	}
+
+	sz += tokenInfoSize(s.token)
+
+	return sz
+}
+
+func (s signDataReaderWithToken) ReadSignedData(p []byte) (int, error) {
+	dataSize := s.rdr.SignedDataSize()
+	if dataSize < 0 {
+		return 0, ErrNegativeLength
+	}
+
+	sumSize := dataSize + tokenInfoSize(s.token)
+
+	if len(p) < sumSize {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	if n, err := s.rdr.ReadSignedData(p); err != nil {
+		return n, err
+	}
+
+	copyTokenSignedData(p[dataSize:], s.token)
+
+	return sumSize, nil
+}

service/token_test.go

@@ -0,0 +1,219 @@
+package service
+
+import (
+	"crypto/rand"
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/refs"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTokenGettersSetters(t *testing.T) {
+	var tok SessionToken = new(Token)
+
+	{ // ID
+		id, err := refs.NewUUID()
+		require.NoError(t, err)
+
+		tok.SetID(id)
+
+		require.Equal(t, id, tok.GetID())
+	}
+
+	{ // OwnerID
+		ownerID := OwnerID{}
+		_, err := rand.Read(ownerID[:])
+		require.NoError(t, err)
+
+		tok.SetOwnerID(ownerID)
+
+		require.Equal(t, ownerID, tok.GetOwnerID())
+	}
+
+	{ // Verb
+		verb := Token_Info_Verb(3)
+
+		tok.SetVerb(verb)
+
+		require.Equal(t, verb, tok.GetVerb())
+	}
+
+	{ // Address
+		addr := Address{}
+		_, err := rand.Read(addr.CID[:])
+		require.NoError(t, err)
+		_, err = rand.Read(addr.ObjectID[:])
+		require.NoError(t, err)
+
+		tok.SetAddress(addr)
+
+		require.Equal(t, addr, tok.GetAddress())
+	}
+
+	{ // Created
+		e := uint64(5)
+
+		tok.SetCreationEpoch(e)
+
+		require.Equal(t, e, tok.CreationEpoch())
+	}
+
+	{ // ValidUntil
+		e := uint64(5)
+
+		tok.SetExpirationEpoch(e)
+
+		require.Equal(t, e, tok.ExpirationEpoch())
+	}
+
+	{ // SessionKey
+		key := make([]byte, 10)
+		_, err := rand.Read(key)
+		require.NoError(t, err)
+
+		tok.SetSessionKey(key)
+
+		require.Equal(t, key, tok.GetSessionKey())
+	}
+
+	{ // Signature
+		sig := make([]byte, 10)
+		_, err := rand.Read(sig)
+		require.NoError(t, err)
+
+		tok.SetSignature(sig)
+
+		require.Equal(t, sig, tok.GetSignature())
+	}
+}
+
+func TestSignToken(t *testing.T) {
+	token := new(Token)
+
+	// create private key for signing
+	sk := test.DecodeKey(0)
+	pk := &sk.PublicKey
+
+	id := TokenID{}
+	_, err := rand.Read(id[:])
+	require.NoError(t, err)
+	token.SetID(id)
+
+	ownerID := OwnerID{}
+	_, err = rand.Read(ownerID[:])
+	require.NoError(t, err)
+	token.SetOwnerID(ownerID)
+
+	verb := Token_Info_Verb(1)
+	token.SetVerb(verb)
+
+	addr := Address{}
+	_, err = rand.Read(addr.ObjectID[:])
+	require.NoError(t, err)
+	_, err = rand.Read(addr.CID[:])
+	require.NoError(t, err)
+	token.SetAddress(addr)
+
+	cEpoch := uint64(1)
+	token.SetCreationEpoch(cEpoch)
+
+	fEpoch := uint64(2)
+	token.SetExpirationEpoch(fEpoch)
+
+	sessionKey := make([]byte, 10)
+	_, err = rand.Read(sessionKey[:])
+	require.NoError(t, err)
+	token.SetSessionKey(sessionKey)
+
+	// sign and verify token
+	require.NoError(t, AddSignatureWithKey(sk, token))
+	require.NoError(t, VerifySignatureWithKey(pk, token))
+
+	items := []struct {
+		corrupt func()
+		restore func()
+	}{
+		{ // ID
+			corrupt: func() {
+				id[0]++
+				token.SetID(id)
+			},
+			restore: func() {
+				id[0]--
+				token.SetID(id)
+			},
+		},
+		{ // Owner ID
+			corrupt: func() {
+				ownerID[0]++
+				token.SetOwnerID(ownerID)
+			},
+			restore: func() {
+				ownerID[0]--
+				token.SetOwnerID(ownerID)
+			},
+		},
+		{ // Verb
+			corrupt: func() {
+				token.SetVerb(verb + 1)
+			},
+			restore: func() {
+				token.SetVerb(verb)
+			},
+		},
+		{ // ObjectID
+			corrupt: func() {
+				addr.ObjectID[0]++
+				token.SetAddress(addr)
+			},
+			restore: func() {
+				addr.ObjectID[0]--
+				token.SetAddress(addr)
+			},
+		},
+		{ // CID
+			corrupt: func() {
+				addr.CID[0]++
+				token.SetAddress(addr)
+			},
+			restore: func() {
+				addr.CID[0]--
+				token.SetAddress(addr)
+			},
+		},
+		{ // Creation epoch
+			corrupt: func() {
+				token.SetCreationEpoch(cEpoch + 1)
+			},
+			restore: func() {
+				token.SetCreationEpoch(cEpoch)
+			},
+		},
+		{ // Expiration epoch
+			corrupt: func() {
+				token.SetExpirationEpoch(fEpoch + 1)
+			},
+			restore: func() {
+				token.SetExpirationEpoch(fEpoch)
+			},
+		},
+		{ // Session key
+			corrupt: func() {
+				sessionKey[0]++
+				token.SetSessionKey(sessionKey)
+			},
+			restore: func() {
+				sessionKey[0]--
+				token.SetSessionKey(sessionKey)
+			},
+		},
+	}
+
+	for _, v := range items {
+		v.corrupt()
+		require.Error(t, VerifySignatureWithKey(pk, token))
+		v.restore()
+		require.NoError(t, VerifySignatureWithKey(pk, token))
+	}
+}

service/ttl.go

@@ -0,0 +1,63 @@
+package service
+
+import (
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// TTL constants.
+const (
+	// ZeroTTL is an upper bound of invalid TTL values.
+	ZeroTTL = iota
+
+	// NonForwardingTTL is a TTL value that does not imply a request forwarding.
+	NonForwardingTTL
+
+	// SingleForwardingTTL is a TTL value that imply potential forwarding with NonForwardingTTL.
+	SingleForwardingTTL
+)
+
+// SetTTL is a TTL field setter.
+func (m *RequestMetaHeader) SetTTL(v uint32) {
+	m.TTL = v
+}
+
+// IRNonForwarding condition that allows NonForwardingTTL only for IR.
+func IRNonForwarding(role NodeRole) TTLCondition {
+	return func(ttl uint32) error {
+		if ttl == NonForwardingTTL && role != InnerRingNode {
+			return ErrInvalidTTL
+		}
+
+		return nil
+	}
+}
+
+// ProcessRequestTTL validates and updates requests with TTL.
+func ProcessRequestTTL(req TTLContainer, cond ...TTLCondition) error {
+	ttl := req.GetTTL()
+
+	if ttl == ZeroTTL {
+		return status.New(codes.InvalidArgument, ErrInvalidTTL.Error()).Err()
+	}
+
+	for i := range cond {
+		if cond[i] == nil {
+			continue
+		}
+
+		// check specific condition:
+		if err := cond[i](ttl); err != nil {
+			if st, ok := status.FromError(errors.Cause(err)); ok {
+				return st.Err()
+			}
+
+			return status.New(codes.InvalidArgument, err.Error()).Err()
+		}
+	}
+
+	req.SetTTL(ttl - 1)
+
+	return nil
+}

service/ttl_test.go

@@ -0,0 +1,99 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+type mockedRequest struct {
+	msg     string
+	name    string
+	code    codes.Code
+	handler TTLCondition
+	RequestMetaHeader
+}
+
+func TestMetaRequest(t *testing.T) {
+	tests := []mockedRequest{
+		{
+			name:              "direct to ir node",
+			handler:           IRNonForwarding(InnerRingNode),
+			RequestMetaHeader: RequestMetaHeader{TTL: NonForwardingTTL},
+		},
+		{
+			code:              codes.InvalidArgument,
+			msg:               ErrInvalidTTL.Error(),
+			name:              "direct to storage node",
+			handler:           IRNonForwarding(StorageNode),
+			RequestMetaHeader: RequestMetaHeader{TTL: NonForwardingTTL},
+		},
+		{
+			msg:               ErrInvalidTTL.Error(),
+			code:              codes.InvalidArgument,
+			name:              "zero ttl",
+			handler:           IRNonForwarding(StorageNode),
+			RequestMetaHeader: RequestMetaHeader{TTL: ZeroTTL},
+		},
+		{
+			name:              "default to ir node",
+			handler:           IRNonForwarding(InnerRingNode),
+			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
+		},
+		{
+			name:              "default to storage node",
+			handler:           IRNonForwarding(StorageNode),
+			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
+		},
+		{
+			msg:               "not found",
+			code:              codes.NotFound,
+			name:              "custom status error",
+			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
+			handler:           func(_ uint32) error { return status.Error(codes.NotFound, "not found") },
+		},
+		{
+			msg:               "not found",
+			code:              codes.NotFound,
+			name:              "custom wrapped status error",
+			RequestMetaHeader: RequestMetaHeader{TTL: SingleForwardingTTL},
+			handler: func(_ uint32) error {
+				err := status.Error(codes.NotFound, "not found")
+				err = errors.Wrap(err, "some error context")
+				err = errors.Wrap(err, "another error context")
+				return err
+			},
+		},
+	}
+
+	for i := range tests {
+		tt := tests[i]
+		t.Run(tt.name, func(t *testing.T) {
+			before := tt.GetTTL()
+			err := ProcessRequestTTL(&tt, tt.handler)
+			if tt.msg != "" {
+				require.Errorf(t, err, tt.msg)
+
+				state, ok := status.FromError(err)
+				require.True(t, ok)
+				require.Equal(t, tt.code, state.Code())
+				require.Equal(t, tt.msg, state.Message())
+			} else {
+				require.NoError(t, err)
+				require.NotEqualf(t, before, tt.GetTTL(), "ttl should be changed: %d vs %d", before, tt.GetTTL())
+			}
+		})
+	}
+}
+
+func TestRequestMetaHeader_SetTTL(t *testing.T) {
+	m := new(RequestMetaHeader)
+	ttl := uint32(3)
+
+	m.SetTTL(ttl)
+
+	require.Equal(t, ttl, m.GetTTL())
+}

service/types.go

@@ -0,0 +1,256 @@
+package service
+
+import (
+	"crypto/ecdsa"
+)
+
+// NodeRole to identify in Bootstrap service.
+type NodeRole int32
+
+// TTLCondition is a function type that used to verify that TTL values match a specific criterion.
+// Nil error indicates compliance with the criterion.
+type TTLCondition func(uint32) error
+
+// RawSource is an interface of the container of a boolean Raw value with read access.
+type RawSource interface {
+	GetRaw() bool
+}
+
+// RawContainer is an interface of the container of a boolean Raw value.
+type RawContainer interface {
+	RawSource
+	SetRaw(bool)
+}
+
+// VersionSource is an interface of the container of a numerical Version value with read access.
+type VersionSource interface {
+	GetVersion() uint32
+}
+
+// VersionContainer is an interface of the container of a numerical Version value.
+type VersionContainer interface {
+	VersionSource
+	SetVersion(uint32)
+}
+
+// EpochSource is an interface of the container of a NeoFS epoch number with read access.
+type EpochSource interface {
+	GetEpoch() uint64
+}
+
+// EpochContainer is an interface of the container of a NeoFS epoch number.
+type EpochContainer interface {
+	EpochSource
+	SetEpoch(uint64)
+}
+
+// TTLSource is an interface of the container of a numerical TTL value with read access.
+type TTLSource interface {
+	GetTTL() uint32
+}
+
+// TTLContainer is an interface of the container of a numerical TTL value.
+type TTLContainer interface {
+	TTLSource
+	SetTTL(uint32)
+}
+
+// SeizedMetaHeaderContainer is an interface of container of RequestMetaHeader that can be cut and restored.
+type SeizedMetaHeaderContainer interface {
+	CutMeta() RequestMetaHeader
+	RestoreMeta(RequestMetaHeader)
+}
+
+// RequestMetaContainer is an interface of a fixed set of request meta value containers.
+// Contains:
+// - TTL value;
+// - NeoFS epoch number;
+// - Protocol version;
+// - Raw toggle option.
+type RequestMetaContainer interface {
+	TTLContainer
+	EpochContainer
+	VersionContainer
+	RawContainer
+}
+
+// SeizedRequestMetaContainer is a RequestMetaContainer with seized meta.
+type SeizedRequestMetaContainer interface {
+	RequestMetaContainer
+	SeizedMetaHeaderContainer
+}
+
+// VerbSource is an interface of the container of a token verb value with read access.
+type VerbSource interface {
+	GetVerb() Token_Info_Verb
+}
+
+// VerbContainer is an interface of the container of a token verb value.
+type VerbContainer interface {
+	VerbSource
+	SetVerb(Token_Info_Verb)
+}
+
+// TokenIDSource is an interface of the container of a token ID value with read access.
+type TokenIDSource interface {
+	GetID() TokenID
+}
+
+// TokenIDContainer is an interface of the container of a token ID value.
+type TokenIDContainer interface {
+	TokenIDSource
+	SetID(TokenID)
+}
+
+// CreationEpochSource is an interface of the container of a creation epoch number with read access.
+type CreationEpochSource interface {
+	CreationEpoch() uint64
+}
+
+// CreationEpochContainer is an interface of the container of a creation epoch number.
+type CreationEpochContainer interface {
+	CreationEpochSource
+	SetCreationEpoch(uint64)
+}
+
+// ExpirationEpochSource is an interface of the container of an expiration epoch number with read access.
+type ExpirationEpochSource interface {
+	ExpirationEpoch() uint64
+}
+
+// ExpirationEpochContainer is an interface of the container of an expiration epoch number.
+type ExpirationEpochContainer interface {
+	ExpirationEpochSource
+	SetExpirationEpoch(uint64)
+}
+
+// LifetimeSource is an interface of the container of creation-expiration epoch pair with read access.
+type LifetimeSource interface {
+	CreationEpochSource
+	ExpirationEpochSource
+}
+
+// LifetimeContainer is an interface of the container of creation-expiration epoch pair.
+type LifetimeContainer interface {
+	CreationEpochContainer
+	ExpirationEpochContainer
+}
+
+// SessionKeySource is an interface of the container of session key bytes with read access.
+type SessionKeySource interface {
+	GetSessionKey() []byte
+}
+
+// SessionKeyContainer is an interface of the container of public session key bytes.
+type SessionKeyContainer interface {
+	SessionKeySource
+	SetSessionKey([]byte)
+}
+
+// SignatureSource is an interface of the container of signature bytes with read access.
+type SignatureSource interface {
+	GetSignature() []byte
+}
+
+// SignatureContainer is an interface of the container of signature bytes.
+type SignatureContainer interface {
+	SignatureSource
+	SetSignature([]byte)
+}
+
+// SessionTokenSource is an interface of the container of a SessionToken with read access.
+type SessionTokenSource interface {
+	GetSessionToken() SessionToken
+}
+
+// SessionTokenInfo is an interface of a fixed set of token information value containers.
+// Contains:
+// - ID of the token;
+// - ID of the token's owner;
+// - verb of the session;
+// - address of the session object;
+// - token lifetime;
+// - public session key bytes.
+type SessionTokenInfo interface {
+	TokenIDContainer
+	OwnerIDContainer
+	VerbContainer
+	AddressContainer
+	LifetimeContainer
+	SessionKeyContainer
+}
+
+// SessionToken is an interface of token information and signature pair.
+type SessionToken interface {
+	SessionTokenInfo
+	SignatureContainer
+}
+
+// SignedDataSource is an interface of the container of a data for signing.
+type SignedDataSource interface {
+	// Must return the required for signature byte slice.
+	// A non-nil error indicates that the data is not ready for signature.
+	SignedData() ([]byte, error)
+}
+
+// SignedDataReader is an interface of signed data reader.
+type SignedDataReader interface {
+	// Must return the minimum length of the slice for full reading.
+	// Must return a negative value if the length cannot be calculated.
+	SignedDataSize() int
+
+	// Must behave like Read method of io.Reader and differ only in the reading of the signed data.
+	ReadSignedData([]byte) (int, error)
+}
+
+// SignKeyPairAccumulator is an interface of a set of key-signature pairs with append access.
+type SignKeyPairAccumulator interface {
+	AddSignKey([]byte, *ecdsa.PublicKey)
+}
+
+// SignKeyPairSource is an interface of a set of key-signature pairs with read access.
+type SignKeyPairSource interface {
+	GetSignKeyPairs() []SignKeyPair
+}
+
+// SignKeyPair is an interface of key-signature pair with read access.
+type SignKeyPair interface {
+	SignatureSource
+	GetPublicKey() *ecdsa.PublicKey
+}
+
+// DataWithSignature is an interface of data-signature pair with read access.
+type DataWithSignature interface {
+	SignedDataSource
+	SignatureSource
+}
+
+// DataWithSignKeyAccumulator is an interface of data and key-signature accumulator pair.
+type DataWithSignKeyAccumulator interface {
+	SignedDataSource
+	SignKeyPairAccumulator
+}
+
+// DataWithSignKeySource is an interface of data and key-signature source pair.
+type DataWithSignKeySource interface {
+	SignedDataSource
+	SignKeyPairSource
+}
+
+// SignedDataWithToken is an interface of data-token pair with read access.
+type SignedDataWithToken interface {
+	SignedDataSource
+	SessionTokenSource
+}
+
+// DataWithTokenSignAccumulator is an interface of data-token pair with signature write access.
+type DataWithTokenSignAccumulator interface {
+	SignedDataWithToken
+	SignKeyPairAccumulator
+}
+
+// DataWithTokenSignSource is an interface of data-token pair with signature read access.
+type DataWithTokenSignSource interface {
+	SignedDataWithToken
+	SignKeyPairSource
+}

service/utils.go

@@ -0,0 +1,18 @@
+package service
+
+// SignedDataFromReader allocates buffer and reads bytes from passed reader to it.
+//
+// If passed SignedDataReader is nil, ErrNilSignedDataReader returns.
+func SignedDataFromReader(r SignedDataReader) ([]byte, error) {
+	if r == nil {
+		return nil, ErrNilSignedDataReader
+	}
+
+	data := make([]byte, r.SignedDataSize())
+
+	if _, err := r.ReadSignedData(data); err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}

service/utils_test.go

@@ -0,0 +1,34 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignedDataFromReader(t *testing.T) {
+	// nil SignedDataReader
+	_, err := SignedDataFromReader(nil)
+	require.EqualError(t, err, ErrNilSignedDataReader.Error())
+
+	rdr := &testSignedDataReader{
+		testSignedDataSrc: new(testSignedDataSrc),
+	}
+
+	// make reader to return an error
+	rdr.err = errors.New("test error")
+
+	_, err = SignedDataFromReader(rdr)
+	require.EqualError(t, err, rdr.err.Error())
+
+	// remove the error
+	rdr.err = nil
+
+	// fill the data
+	rdr.data = testData(t, 10)
+
+	res, err := SignedDataFromReader(rdr)
+	require.NoError(t, err)
+	require.Equal(t, rdr.data, res)
+}

service/verify.go

@@ -2,226 +2,69 @@ package service
 
 import (
 	"crypto/ecdsa"
-	"sync"
 
 	"github.com/nspcc-dev/neofs-api-go/internal"
-	"github.com/nspcc-dev/neofs-api-go/refs"
 	crypto "github.com/nspcc-dev/neofs-crypto"
-	"github.com/pkg/errors"
 )
 
-type (
+// GetSessionToken returns SessionToken interface of Token field.
-	// VerifiableRequest adds possibility to sign and verify request header.
+//
-	VerifiableRequest interface {
+// If token field value is nil, nil returns.
-		Size() int
+func (m RequestVerificationHeader) GetSessionToken() SessionToken {
-		MarshalTo([]byte) (int, error)
+	if t := m.GetToken(); t != nil {
-		AddSignature(*RequestVerificationHeader_Signature)
+		return t
-		GetSignatures() []*RequestVerificationHeader_Signature
-		SetSignatures([]*RequestVerificationHeader_Signature)
 	}
 
-	// MaintainableRequest adds possibility to set and get (+validate)
+	return nil
-	// owner (client) public key from RequestVerificationHeader.
+}
-	MaintainableRequest interface {
+
-		GetOwner() (*ecdsa.PublicKey, error)
+// AddSignKey adds new element to Signatures field.
-		SetOwner(*ecdsa.PublicKey, []byte)
+//
-		GetLastPeer() (*ecdsa.PublicKey, error)
+// Sets Sign field to passed sign. Set Peer field to marshaled passed key.
+func (m *RequestVerificationHeader) AddSignKey(sign []byte, key *ecdsa.PublicKey) {
+	m.SetSignatures(
+		append(
+			m.GetSignatures(),
+			&RequestVerificationHeader_Signature{
+				Sign: sign,
+				Peer: crypto.MarshalPublicKey(key),
+			},
+		),
+	)
+}
+
+// GetSignKeyPairs returns the elements of Signatures field as SignKeyPair slice.
+func (m RequestVerificationHeader) GetSignKeyPairs() []SignKeyPair {
+	var (
+		signs = m.GetSignatures()
+		res   = make([]SignKeyPair, len(signs))
+	)
+
+	for i := range signs {
+		res[i] = signs[i]
 	}
-)
 
-const (
+	return res
-	// ErrCannotLoadPublicKey is raised when cannot unmarshal public key from RequestVerificationHeader_Sign.
+}
-	ErrCannotLoadPublicKey = internal.Error("cannot load public key")
 
-	// ErrCannotFindOwner is raised when signatures empty in GetOwner.
+// GetSignature returns the result of a Sign field getter.
-	ErrCannotFindOwner = internal.Error("cannot find owner public key")
+func (m RequestVerificationHeader_Signature) GetSignature() []byte {
+	return m.GetSign()
+}
 
-	// ErrWrongOwner is raised when passed OwnerID not equal to present PublicKey
+// GetPublicKey unmarshals and returns the result of a Peer field getter.
-	ErrWrongOwner = internal.Error("wrong owner")
+func (m RequestVerificationHeader_Signature) GetPublicKey() *ecdsa.PublicKey {
-)
+	return crypto.UnmarshalPublicKey(m.GetPeer())
+}
 
 // SetSignatures replaces signatures stored in RequestVerificationHeader.
 func (m *RequestVerificationHeader) SetSignatures(signatures []*RequestVerificationHeader_Signature) {
 	m.Signatures = signatures
 }
 
-// AddSignature adds new Signature into RequestVerificationHeader.
+// SetToken is a Token field setter.
-func (m *RequestVerificationHeader) AddSignature(sig *RequestVerificationHeader_Signature) {
+func (m *RequestVerificationHeader) SetToken(token *Token) {
-	if sig == nil {
+	m.Token = token
-		return
-	}
-	m.Signatures = append(m.Signatures, sig)
-}
-
-// SetOwner adds origin (sign and public key) of owner (client) into first signature.
-func (m *RequestVerificationHeader) SetOwner(pub *ecdsa.PublicKey, sign []byte) {
-	if len(m.Signatures) == 0 || pub == nil {
-		return
-	}
-
-	m.Signatures[0].Origin = &RequestVerificationHeader_Sign{
-		Sign: sign,
-		Peer: crypto.MarshalPublicKey(pub),
-	}
-}
-
-// CheckOwner validates, that passed OwnerID is equal to present PublicKey of owner.
-func (m *RequestVerificationHeader) CheckOwner(owner refs.OwnerID) error {
-	if key, err := m.GetOwner(); err != nil {
-		return err
-	} else if user, err := refs.NewOwnerID(key); err != nil {
-		return err
-	} else if !user.Equal(owner) {
-		return ErrWrongOwner
-	}
-	return nil
-}
-
-// GetOwner tries to get owner (client) public key from signatures.
-// If signatures contains not empty Origin, we should try to validate,
-// that session key was signed by owner (client), otherwise return error.
-func (m *RequestVerificationHeader) GetOwner() (*ecdsa.PublicKey, error) {
-	if len(m.Signatures) == 0 {
-		return nil, ErrCannotFindOwner
-	}
-
-	// if first signature contains origin, we should try to validate session key
-	if m.Signatures[0].Origin != nil {
-		owner := crypto.UnmarshalPublicKey(m.Signatures[0].Origin.Peer)
-		if owner == nil {
-			return nil, ErrCannotLoadPublicKey
-		} else if err := crypto.Verify(owner, m.Signatures[0].Peer, m.Signatures[0].Origin.Sign); err != nil {
-			return nil, errors.Wrap(err, "could not verify session token")
-		}
-
-		return owner, nil
-	} else if key := crypto.UnmarshalPublicKey(m.Signatures[0].Peer); key != nil {
-		return key, nil
-	}
-
-	return nil, ErrCannotLoadPublicKey
-}
-
-// GetLastPeer tries to get last peer public key from signatures.
-// If signatures has zero length, returns ErrCannotFindOwner.
-// If signatures has length equal to one, uses GetOwner.
-// Otherwise tries to unmarshal last peer public key.
-func (m *RequestVerificationHeader) GetLastPeer() (*ecdsa.PublicKey, error) {
-	switch ln := len(m.Signatures); ln {
-	case 0:
-		return nil, ErrCannotFindOwner
-	case 1:
-		return m.GetOwner()
-	default:
-		if key := crypto.UnmarshalPublicKey(m.Signatures[ln-1].Peer); key != nil {
-			return key, nil
-		}
-
-		return nil, ErrCannotLoadPublicKey
-	}
-}
-
-func newSignature(key *ecdsa.PrivateKey, data []byte) (*RequestVerificationHeader_Signature, error) {
-	sign, err := crypto.Sign(key, data)
-	if err != nil {
-		return nil, err
-	}
-
-	return &RequestVerificationHeader_Signature{
-		RequestVerificationHeader_Sign: RequestVerificationHeader_Sign{
-			Sign: sign,
-			Peer: crypto.MarshalPublicKey(&key.PublicKey),
-		},
-	}, nil
-}
-
-var bytesPool = sync.Pool{New: func() interface{} {
-	return make([]byte, 4.5*1024*1024) // 4.5MB
-}}
-
-// SignRequestHeader receives private key and request with RequestVerificationHeader,
-// tries to marshal and sign request with passed PrivateKey, after that adds
-// new signature to headers. If something went wrong, returns error.
-func SignRequestHeader(key *ecdsa.PrivateKey, msg VerifiableRequest) error {
-	// ignore meta header
-	if meta, ok := msg.(MetaHeader); ok {
-		h := meta.ResetMeta()
-
-		defer func() {
-			meta.RestoreMeta(h)
-		}()
-	}
-
-	data := bytesPool.Get().([]byte)
-	defer func() {
-		bytesPool.Put(data)
-	}()
-
-	if size := msg.Size(); size <= cap(data) {
-		data = data[:size]
-	} else {
-		data = make([]byte, size)
-	}
-
-	size, err := msg.MarshalTo(data)
-	if err != nil {
-		return err
-	}
-
-	signature, err := newSignature(key, data[:size])
-	if err != nil {
-		return err
-	}
-
-	msg.AddSignature(signature)
-
-	return nil
-}
-
-// VerifyRequestHeader receives request with RequestVerificationHeader,
-// tries to marshal and verify each signature from request.
-// If something went wrong, returns error.
-func VerifyRequestHeader(msg VerifiableRequest) error {
-	// ignore meta header
-	if meta, ok := msg.(MetaHeader); ok {
-		h := meta.ResetMeta()
-
-		defer func() {
-			meta.RestoreMeta(h)
-		}()
-	}
-
-	data := bytesPool.Get().([]byte)
-	signatures := msg.GetSignatures()
-	defer func() {
-		bytesPool.Put(data)
-		msg.SetSignatures(signatures)
-	}()
-
-	for i := range signatures {
-		msg.SetSignatures(signatures[:i])
-		peer := signatures[i].GetPeer()
-		sign := signatures[i].GetSign()
-
-		key := crypto.UnmarshalPublicKey(peer)
-		if key == nil {
-			return errors.Wrapf(ErrCannotLoadPublicKey, "%d: %02x", i, peer)
-		}
-
-		if size := msg.Size(); size <= cap(data) {
-			data = data[:size]
-		} else {
-			data = make([]byte, size)
-		}
-
-		if size, err := msg.MarshalTo(data); err != nil {
-			return errors.Wrapf(err, "%d: %02x", i, peer)
-		} else if err := crypto.Verify(key, data[:size], sign); err != nil {
-			return errors.Wrapf(err, "%d: %02x", i, peer)
-		}
-	}
-
-	return nil
 }
 
 // testCustomField for test usage only.

service/verify.proto

@@ -3,6 +3,7 @@ package service;
 option go_package = "github.com/nspcc-dev/neofs-api-go/service";
 option csharp_namespace = "NeoFS.API.Service";
 
+import "refs/types.proto";
 import "github.com/gogo/protobuf/gogoproto/gogo.proto";
 
 option (gogoproto.stable_marshaler_all) = true;
@@ -10,22 +11,80 @@ option (gogoproto.stable_marshaler_all) = true;
 // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request
 // (should be embedded into message).
 message RequestVerificationHeader {
-    message Sign {
+    message Signature {
         // Sign is signature of the request or session key.
         bytes Sign = 1;
         // Peer is compressed public key used for signature.
         bytes Peer = 2;
     }
 
-    message Signature {
-        // Sign is a signature and public key of the request.
-        Sign Sign   = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
-        // Origin used for requests, when trusted node changes it and re-sign with session key.
-        // If session key used for signature request, then Origin should contain
-        // public key of user and signed session key.
-        Sign Origin = 2;
-    }
-
     // Signatures is a set of signatures of every passed NeoFS Node
     repeated Signature Signatures = 1;
+
+    // Token is a token of the session within which the request is sent
+    Token Token = 2;
 }
+
+// User token granting rights for object manipulation
+message Token {
+    message Info {
+        // ID is a token identifier. valid UUIDv4 represented in bytes
+        bytes ID = 1 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
+
+        // OwnerID is an owner of manipulation object
+        bytes OwnerID = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
+
+        // Verb is an enumeration of session request types
+        enum Verb {
+            // Put refers to object.Put RPC call
+            Put = 0;
+            // Get refers to object.Get RPC call
+            Get = 1;
+            // Head refers to object.Head RPC call
+            Head = 2;
+            // Search refers to object.Search RPC call
+            Search = 3;
+            // Delete refers to object.Delete RPC call
+            Delete = 4;
+            // Range refers to object.GetRange RPC call
+            Range = 5;
+            // RangeHash refers to object.GetRangeHash RPC call
+            RangeHash = 6;
+        }
+
+        // Verb is a type of request for which the token is issued
+        Verb verb = 3 [(gogoproto.customname) = "Verb"];
+
+        // Address is an object address for which token is issued
+        refs.Address Address = 4 [(gogoproto.nullable) = false, (gogoproto.customtype) = "Address"];
+
+        // Lifetime is a lifetime of the session
+        TokenLifetime Lifetime = 5 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+
+        // SessionKey is a public key of session key
+        bytes SessionKey = 6;
+    }
+
+    // TokenInfo is a grouped information about token
+    Info TokenInfo = 1 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
+
+    // Signature is a signature of session token information
+    bytes Signature = 8;
+}
+
+// TokenLifetime carries a group of lifetime parameters of the token
+message TokenLifetime {
+    // Created carries an initial epoch of token lifetime
+    uint64 Created = 1;
+
+    // ValidUntil carries a last epoch of token lifetime
+    uint64 ValidUntil = 2;
+}
+
+// TODO: for variable token types and version redefine message
+// Example:
+// message Token {
+//     TokenType TokenType = 1;
+//     uint32 Version = 2;
+//     bytes Data = 3;
+// }

service/verify_test.go

@@ -1,201 +1,117 @@
 package service
 
 import (
-	"bytes"
+	"encoding/binary"
-	"log"
+	"io"
 	"math"
 	"testing"
 
-	"github.com/gogo/protobuf/proto"
 	"github.com/nspcc-dev/neofs-api-go/refs"
-	crypto "github.com/nspcc-dev/neofs-crypto"
 	"github.com/nspcc-dev/neofs-crypto/test"
-	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 )
 
-func BenchmarkSignRequestHeader(b *testing.B) {
+func (m TestRequest) SignedData() ([]byte, error) {
+	return SignedDataFromReader(m)
+}
+
+func (m TestRequest) SignedDataSize() (sz int) {
+	sz += 4
+
+	sz += len(m.StringField)
+
+	sz += len(m.BytesField)
+
+	sz += m.CustomField.Size()
+
+	return
+}
+
+func (m TestRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	binary.BigEndian.PutUint32(p[off:], uint32(m.IntField))
+	off += 4
+
+	off += copy(p[off:], []byte(m.StringField))
+
+	off += copy(p[off:], m.BytesField)
+
+	n, err := m.CustomField.MarshalTo(p[off:])
+	off += n
+
+	return off, err
+}
+
+func BenchmarkSignDataWithSessionToken(b *testing.B) {
 	key := test.DecodeKey(0)
 
-	custom := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
+	customField := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
 
-	some := &TestRequest{
+	token := new(Token)
-		IntField:    math.MaxInt32,
-		StringField: "TestRequestStringField",
-		BytesField:  make([]byte, 1<<22),
-		CustomField: &custom,
-		RequestMetaHeader: RequestMetaHeader{
-			TTL:   math.MaxInt32 - 8,
-			Epoch: math.MaxInt64 - 12,
-		},
-	}
 
-	b.ResetTimer()
-	b.ReportAllocs()
-
-	for i := 0; i < b.N; i++ {
-		require.NoError(b, SignRequestHeader(key, some))
-	}
-}
-
-func BenchmarkVerifyRequestHeader(b *testing.B) {
-	custom := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
-
-	some := &TestRequest{
-		IntField:    math.MaxInt32,
-		StringField: "TestRequestStringField",
-		BytesField:  make([]byte, 1<<22),
-		CustomField: &custom,
-		RequestMetaHeader: RequestMetaHeader{
-			TTL:   math.MaxInt32 - 8,
-			Epoch: math.MaxInt64 - 12,
-		},
-	}
-
-	for i := 0; i < 10; i++ {
-		key := test.DecodeKey(i)
-		require.NoError(b, SignRequestHeader(key, some))
-	}
-
-	b.ResetTimer()
-	b.ReportAllocs()
-
-	for i := 0; i < b.N; i++ {
-		require.NoError(b, VerifyRequestHeader(some))
-	}
-}
-
-func TestSignRequestHeader(t *testing.T) {
 	req := &TestRequest{
 		IntField:    math.MaxInt32,
 		StringField: "TestRequestStringField",
-		BytesField:  []byte("TestRequestBytesField"),
+		BytesField:  make([]byte, 1<<22),
+		CustomField: &customField,
 	}
 
-	key := test.DecodeKey(0)
+	req.SetTTL(math.MaxInt32 - 8)
-	peer := crypto.MarshalPublicKey(&key.PublicKey)
+	req.SetEpoch(math.MaxInt64 - 12)
+	req.SetToken(token)
 
-	data, err := req.Marshal()
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for i := 0; i < b.N; i++ {
+		require.NoError(b, SignDataWithSessionToken(key, req))
+	}
+}
+
+func BenchmarkVerifyAccumulatedSignaturesWithToken(b *testing.B) {
+	customField := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
+
+	token := new(Token)
+
+	req := &TestRequest{
+		IntField:    math.MaxInt32,
+		StringField: "TestRequestStringField",
+		BytesField:  make([]byte, 1<<22),
+		CustomField: &customField,
+	}
+
+	req.SetTTL(math.MaxInt32 - 8)
+	req.SetEpoch(math.MaxInt64 - 12)
+	req.SetToken(token)
+
+	for i := 0; i < 10; i++ {
+		key := test.DecodeKey(i)
+		require.NoError(b, SignDataWithSessionToken(key, req))
+	}
+
+	b.ResetTimer()
+	b.ReportAllocs()
+
+	for i := 0; i < b.N; i++ {
+		require.NoError(b, VerifyAccumulatedSignaturesWithToken(req))
+	}
+}
+
+func TestRequestVerificationHeader_SetToken(t *testing.T) {
+	id, err := refs.NewUUID()
 	require.NoError(t, err)
 
-	require.NoError(t, SignRequestHeader(key, req))
+	token := new(Token)
+	token.SetID(id)
 
-	require.Len(t, req.Signatures, 1)
+	h := new(RequestVerificationHeader)
-	for i := range req.Signatures {
+
-		sign := req.Signatures[i].GetSign()
+	h.SetToken(token)
-		require.Equal(t, peer, req.Signatures[i].GetPeer())
+
-		require.NoError(t, crypto.Verify(&key.PublicKey, data, sign))
+	require.Equal(t, token, h.GetToken())
-	}
-}
-
-func TestVerifyRequestHeader(t *testing.T) {
-	req := &TestRequest{
-		IntField:          math.MaxInt32,
-		StringField:       "TestRequestStringField",
-		BytesField:        []byte("TestRequestBytesField"),
-		RequestMetaHeader: RequestMetaHeader{TTL: 10},
-	}
-
-	for i := 0; i < 10; i++ {
-		req.TTL--
-		require.NoError(t, SignRequestHeader(test.DecodeKey(i), req))
-	}
-
-	require.NoError(t, VerifyRequestHeader(req))
-}
-
-func TestMaintainableRequest(t *testing.T) {
-	req := &TestRequest{
-		IntField:          math.MaxInt32,
-		StringField:       "TestRequestStringField",
-		BytesField:        []byte("TestRequestBytesField"),
-		RequestMetaHeader: RequestMetaHeader{TTL: 10},
-	}
-
-	count := 10
-	owner := test.DecodeKey(count + 1)
-
-	for i := 0; i < count; i++ {
-		req.TTL--
-
-		key := test.DecodeKey(i)
-		require.NoError(t, SignRequestHeader(key, req))
-
-		// sign first key (session key) by owner key
-		if i == 0 {
-			sign, err := crypto.Sign(owner, crypto.MarshalPublicKey(&key.PublicKey))
-			require.NoError(t, err)
-
-			req.SetOwner(&owner.PublicKey, sign)
-		}
-	}
-
-	{ // Validate owner
-		user, err := refs.NewOwnerID(&owner.PublicKey)
-		require.NoError(t, err)
-		require.NoError(t, req.CheckOwner(user))
-	}
-
-	{ // Good case:
-		require.NoError(t, VerifyRequestHeader(req))
-
-		// validate, that first key (session key) was signed with owner
-		signatures := req.GetSignatures()
-
-		require.Len(t, signatures, count)
-
-		pub, err := req.GetOwner()
-		require.NoError(t, err)
-
-		require.Equal(t, &owner.PublicKey, pub)
-	}
-
-	{ // wrong owner:
-		req.Signatures[0].Origin = nil
-
-		pub, err := req.GetOwner()
-		require.NoError(t, err)
-
-		require.NotEqual(t, &owner.PublicKey, pub)
-	}
-
-	{ // Wrong signatures:
-		copy(req.Signatures[count-1].Sign, req.Signatures[count-1].Peer)
-		err := VerifyRequestHeader(req)
-		require.EqualError(t, errors.Cause(err), crypto.ErrInvalidSignature.Error())
-	}
-}
-
-func TestVerifyAndSignRequestHeaderWithoutCloning(t *testing.T) {
-	key := test.DecodeKey(0)
-
-	custom := testCustomField{1, 2, 3, 4, 5, 6, 7, 8}
-
-	b := &TestRequest{
-		IntField:    math.MaxInt32,
-		StringField: "TestRequestStringField",
-		BytesField:  []byte("TestRequestBytesField"),
-		CustomField: &custom,
-		RequestMetaHeader: RequestMetaHeader{
-			TTL:   math.MaxInt32 - 8,
-			Epoch: math.MaxInt64 - 12,
-		},
-	}
-
-	require.NoError(t, SignRequestHeader(key, b))
-	require.NoError(t, VerifyRequestHeader(b))
-
-	require.Len(t, b.Signatures, 1)
-	require.Equal(t, custom, *b.CustomField)
-	require.Equal(t, uint32(math.MaxInt32-8), b.GetTTL())
-	require.Equal(t, uint64(math.MaxInt64-12), b.GetEpoch())
-
-	buf := bytes.NewBuffer(nil)
-	log.SetOutput(buf)
-
-	cp, ok := proto.Clone(b).(*TestRequest)
-	require.True(t, ok)
-	require.NotEqual(t, b, cp)
-
-	require.Contains(t, buf.String(), "proto: don't know how to copy")
 }

service/version.go

@@ -0,0 +1,11 @@
+package service
+
+// SetVersion is a Version field setter.
+func (m *ResponseMetaHeader) SetVersion(v uint32) {
+	m.Version = v
+}
+
+// SetVersion is a Version field setter.
+func (m *RequestMetaHeader) SetVersion(v uint32) {
+	m.Version = v
+}

service/version_test.go

@@ -0,0 +1,21 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetSetVersion(t *testing.T) {
+	v := uint32(7)
+
+	items := []VersionContainer{
+		new(ResponseMetaHeader),
+		new(RequestMetaHeader),
+	}
+
+	for _, item := range items {
+		item.SetVersion(v)
+		require.Equal(t, v, item.GetVersion())
+	}
+}

session/alias.go

@@ -0,0 +1,15 @@
+package session
+
+import (
+	"github.com/nspcc-dev/neofs-api-go/refs"
+	"github.com/nspcc-dev/neofs-api-go/service"
+)
+
+// OwnerID is a type alias of OwnerID ref.
+type OwnerID = refs.OwnerID
+
+// TokenID is a type alias of TokenID ref.
+type TokenID = service.TokenID
+
+// Token is a type alias of Token.
+type Token = service.Token

session/create.go

@@ -0,0 +1,62 @@
+package session
+
+import (
+	"context"
+	"crypto/ecdsa"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+	crypto "github.com/nspcc-dev/neofs-crypto"
+	"google.golang.org/grpc"
+)
+
+type gRPCCreator struct {
+	conn *grpc.ClientConn
+
+	key *ecdsa.PrivateKey
+
+	clientFunc func(*grpc.ClientConn) SessionClient
+}
+
+// NewGRPCCreator unites virtual gRPC client with private ket and returns Creator interface.
+//
+// If passed ClientConn is nil, ErrNilGPRCClientConn returns.
+// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
+func NewGRPCCreator(conn *grpc.ClientConn, key *ecdsa.PrivateKey) (Creator, error) {
+	if conn == nil {
+		return nil, ErrNilGPRCClientConn
+	} else if key == nil {
+		return nil, crypto.ErrEmptyPrivateKey
+	}
+
+	return &gRPCCreator{
+		conn: conn,
+
+		key: key,
+
+		clientFunc: NewSessionClient,
+	}, nil
+}
+
+// Create constructs message, signs it with private key and sends it to a gRPC client.
+//
+// If passed CreateParamsSource is nil, ErrNilCreateParamsSource returns.
+// If message could not be signed, an error returns.
+func (s gRPCCreator) Create(ctx context.Context, p CreateParamsSource) (CreateResult, error) {
+	if p == nil {
+		return nil, ErrNilCreateParamsSource
+	}
+
+	// create and fill a message
+	req := new(CreateRequest)
+	req.SetOwnerID(p.GetOwnerID())
+	req.SetCreationEpoch(p.CreationEpoch())
+	req.SetExpirationEpoch(p.ExpirationEpoch())
+
+	// sign with private key
+	if err := service.SignDataWithSessionToken(s.key, req); err != nil {
+		return nil, err
+	}
+
+	// make gRPC call
+	return s.clientFunc(s.conn).Create(ctx, req)
+}

session/create_test.go

@@ -0,0 +1,103 @@
+package session
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+	crypto "github.com/nspcc-dev/neofs-crypto"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+)
+
+type testSessionClient struct {
+	fn   func(*CreateRequest)
+	resp *CreateResponse
+	err  error
+}
+
+func (s testSessionClient) Create(ctx context.Context, in *CreateRequest, opts ...grpc.CallOption) (*CreateResponse, error) {
+	if s.fn != nil {
+		s.fn(in)
+	}
+
+	return s.resp, s.err
+}
+
+func TestNewGRPCCreator(t *testing.T) {
+	var (
+		err  error
+		conn = new(grpc.ClientConn)
+		sk   = new(ecdsa.PrivateKey)
+	)
+
+	// nil client connection
+	_, err = NewGRPCCreator(nil, sk)
+	require.EqualError(t, err, ErrNilGPRCClientConn.Error())
+
+	// nil private key
+	_, err = NewGRPCCreator(conn, nil)
+	require.EqualError(t, err, crypto.ErrEmptyPrivateKey.Error())
+
+	// valid params
+	res, err := NewGRPCCreator(conn, sk)
+	require.NoError(t, err)
+
+	v := res.(*gRPCCreator)
+	require.Equal(t, conn, v.conn)
+	require.Equal(t, sk, v.key)
+	require.NotNil(t, v.clientFunc)
+}
+
+func TestGRPCCreator_Create(t *testing.T) {
+	ctx := context.TODO()
+	s := new(gRPCCreator)
+
+	// nil CreateParamsSource
+	_, err := s.Create(ctx, nil)
+	require.EqualError(t, err, ErrNilCreateParamsSource.Error())
+
+	var (
+		ownerID = OwnerID{1, 2, 3}
+		created = uint64(2)
+		expired = uint64(4)
+	)
+
+	p := NewParams()
+	p.SetOwnerID(ownerID)
+	p.SetCreationEpoch(created)
+	p.SetExpirationEpoch(expired)
+
+	// nil private key
+	_, err = s.Create(ctx, p)
+	require.Error(t, err)
+
+	// create test private key
+	s.key = test.DecodeKey(0)
+
+	// create test client
+	c := &testSessionClient{
+		fn: func(req *CreateRequest) {
+			require.Equal(t, ownerID, req.GetOwnerID())
+			require.Equal(t, created, req.CreationEpoch())
+			require.Equal(t, expired, req.ExpirationEpoch())
+			require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(req))
+		},
+		resp: &CreateResponse{
+			ID:         TokenID{1, 2, 3},
+			SessionKey: []byte{1, 2, 3},
+		},
+		err: errors.New("test error"),
+	}
+
+	s.clientFunc = func(*grpc.ClientConn) SessionClient {
+		return c
+	}
+
+	res, err := s.Create(ctx, p)
+	require.EqualError(t, err, c.err.Error())
+	require.Equal(t, c.resp, res)
+}

session/errors.go

@@ -0,0 +1,15 @@
+package session
+
+import "github.com/nspcc-dev/neofs-api-go/internal"
+
+// ErrNilCreateParamsSource is returned by functions that expect a non-nil
+// CreateParamsSource, but received nil.
+const ErrNilCreateParamsSource = internal.Error("create params source is nil")
+
+// ErrNilGPRCClientConn is returned by functions that expect a non-nil
+// grpc.ClientConn, but received nil.
+const ErrNilGPRCClientConn = internal.Error("gRPC client connection is nil")
+
+// ErrPrivateTokenNotFound is returned when addressed private token was
+// not found in storage.
+const ErrPrivateTokenNotFound = internal.Error("private token not found")

session/private.go

@@ -0,0 +1,55 @@
+package session
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+
+	crypto "github.com/nspcc-dev/neofs-crypto"
+)
+
+type pToken struct {
+	// private session token
+	sessionKey *ecdsa.PrivateKey
+	// last epoch of the lifetime
+	validUntil uint64
+}
+
+// NewPrivateToken creates PrivateToken instance that expires after passed epoch.
+//
+// Returns non-nil error on key generation error.
+func NewPrivateToken(validUntil uint64) (PrivateToken, error) {
+	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	return &pToken{
+		sessionKey: sk,
+		validUntil: validUntil,
+	}, nil
+}
+
+// Sign signs data with session private key.
+func (t *pToken) Sign(data []byte) ([]byte, error) {
+	return crypto.Sign(t.sessionKey, data)
+}
+
+// PublicKey returns a binary representation of the session public key.
+func (t *pToken) PublicKey() []byte {
+	return crypto.MarshalPublicKey(&t.sessionKey.PublicKey)
+}
+
+func (t *pToken) Expired(epoch uint64) bool {
+	return t.validUntil < epoch
+}
+
+// SetOwnerID is an owner ID field setter.
+func (s *PrivateTokenKey) SetOwnerID(id OwnerID) {
+	s.owner = id
+}
+
+// SetTokenID is a token ID field setter.
+func (s *PrivateTokenKey) SetTokenID(id TokenID) {
+	s.token = id
+}

session/private_test.go

@@ -0,0 +1,70 @@
+package session
+
+import (
+	"crypto/rand"
+	"testing"
+
+	crypto "github.com/nspcc-dev/neofs-crypto"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPrivateToken(t *testing.T) {
+	// create new private token
+	pToken, err := NewPrivateToken(0)
+	require.NoError(t, err)
+
+	// generate data to sign
+	data := make([]byte, 10)
+	_, err = rand.Read(data)
+	require.NoError(t, err)
+
+	// sign data via private token
+	sig, err := pToken.Sign(data)
+	require.NoError(t, err)
+
+	// check signature
+	require.NoError(t,
+		crypto.Verify(
+			crypto.UnmarshalPublicKey(pToken.PublicKey()),
+			data,
+			sig,
+		),
+	)
+}
+
+func TestPToken_Expired(t *testing.T) {
+	e := uint64(10)
+
+	var token PrivateToken = &pToken{
+		validUntil: e,
+	}
+
+	// must not be expired in the epoch before last
+	require.False(t, token.Expired(e-1))
+
+	// must not be expired in the last epoch
+	require.False(t, token.Expired(e))
+
+	// must be expired in the epoch after last
+	require.True(t, token.Expired(e+1))
+}
+
+func TestPrivateTokenKey_SetOwnerID(t *testing.T) {
+	ownerID := OwnerID{1, 2, 3}
+
+	s := new(PrivateTokenKey)
+
+	s.SetOwnerID(ownerID)
+
+	require.Equal(t, ownerID, s.owner)
+}
+
+func TestPrivateTokenKey_SetTokenID(t *testing.T) {
+	tokenID := TokenID{1, 2, 3}
+
+	s := new(PrivateTokenKey)
+
+	s.SetTokenID(tokenID)
+
+	require.Equal(t, tokenID, s.token)
+}

session/request.go

@@ -0,0 +1,62 @@
+package session
+
+import (
+	"encoding/binary"
+	"io"
+
+	"github.com/nspcc-dev/neofs-api-go/refs"
+	"github.com/nspcc-dev/neofs-api-go/service"
+)
+
+const signedRequestDataSize = 0 +
+	refs.OwnerIDSize +
+	8 +
+	8
+
+var requestEndianness = binary.BigEndian
+
+// NewParams creates a new CreateRequest message and returns CreateParamsContainer interface.
+func NewParams() CreateParamsContainer {
+	return new(CreateRequest)
+}
+
+// GetOwnerID is an OwnerID field getter.
+func (m CreateRequest) GetOwnerID() OwnerID {
+	return m.OwnerID
+}
+
+// SetOwnerID is an OwnerID field setter.
+func (m *CreateRequest) SetOwnerID(id OwnerID) {
+	m.OwnerID = id
+}
+
+// SignedData returns payload bytes of the request.
+func (m CreateRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m CreateRequest) SignedDataSize() int {
+	return signedRequestDataSize
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the buffer size is insufficient, io.ErrUnexpectedEOF returns.
+func (m CreateRequest) ReadSignedData(p []byte) (int, error) {
+	sz := m.SignedDataSize()
+	if len(p) < sz {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetOwnerID().Bytes())
+
+	requestEndianness.PutUint64(p[off:], m.CreationEpoch())
+	off += 8
+
+	requestEndianness.PutUint64(p[off:], m.ExpirationEpoch())
+
+	return sz, nil
+}

session/request_test.go

@@ -0,0 +1,92 @@
+package session
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateRequestGettersSetters(t *testing.T) {
+	t.Run("owner ID", func(t *testing.T) {
+		id := OwnerID{1, 2, 3}
+		m := new(CreateRequest)
+
+		m.SetOwnerID(id)
+
+		require.Equal(t, id, m.GetOwnerID())
+	})
+
+	t.Run("lifetime", func(t *testing.T) {
+		e1, e2 := uint64(3), uint64(4)
+		m := new(CreateRequest)
+
+		m.SetCreationEpoch(e1)
+		m.SetExpirationEpoch(e2)
+
+		require.Equal(t, e1, m.CreationEpoch())
+		require.Equal(t, e2, m.ExpirationEpoch())
+	})
+}
+
+func TestCreateRequest_SignedData(t *testing.T) {
+	var (
+		id = OwnerID{1, 2, 3}
+		e1 = uint64(1)
+		e2 = uint64(2)
+	)
+
+	// create new message
+	m := new(CreateRequest)
+
+	// fill the fields
+	m.SetOwnerID(id)
+	m.SetCreationEpoch(e1)
+	m.SetExpirationEpoch(e2)
+
+	// calculate initial signed data
+	d, err := m.SignedData()
+	require.NoError(t, err)
+
+	items := []struct {
+		change func()
+		reset  func()
+	}{
+		{ // OwnerID
+			change: func() {
+				id2 := id
+				id2[0]++
+				m.SetOwnerID(id2)
+			},
+			reset: func() {
+				m.SetOwnerID(id)
+			},
+		},
+		{ // CreationEpoch
+			change: func() {
+				m.SetCreationEpoch(e1 + 1)
+			},
+			reset: func() {
+				m.SetCreationEpoch(e1)
+			},
+		},
+		{ // ExpirationEpoch
+			change: func() {
+				m.SetExpirationEpoch(e2 + 1)
+			},
+			reset: func() {
+				m.SetExpirationEpoch(e2)
+			},
+		},
+	}
+
+	for _, item := range items {
+		item.change()
+
+		d2, err := m.SignedData()
+		require.NoError(t, err)
+
+		require.NotEqual(t, d, d2)
+
+		item.reset()
+	}
+}

session/response.go

@@ -0,0 +1,16 @@
+package session
+
+// GetID is an ID field getter.
+func (m CreateResponse) GetID() TokenID {
+	return m.ID
+}
+
+// SetID is an ID field setter.
+func (m *CreateResponse) SetID(id TokenID) {
+	m.ID = id
+}
+
+// SetSessionKey is a SessionKey field setter.
+func (m *CreateResponse) SetSessionKey(key []byte) {
+	m.SessionKey = key
+}

session/response_test.go

@@ -0,0 +1,27 @@
+package session
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateResponseGettersSetters(t *testing.T) {
+	t.Run("id", func(t *testing.T) {
+		id := TokenID{1, 2, 3}
+		m := new(CreateResponse)
+
+		m.SetID(id)
+
+		require.Equal(t, id, m.GetID())
+	})
+
+	t.Run("session key", func(t *testing.T) {
+		key := []byte{1, 2, 3}
+		m := new(CreateResponse)
+
+		m.SetSessionKey(key)
+
+		require.Equal(t, key, m.GetSessionKey())
+	})
+}

session/service.go

@@ -1,58 +0,0 @@
-package session
-
-import (
-	"context"
-	"crypto/ecdsa"
-
-	"github.com/nspcc-dev/neofs-api-go/refs"
-	crypto "github.com/nspcc-dev/neofs-crypto"
-)
-
-type (
-	// KeyStore is an interface that describes storage,
-	// that allows to fetch public keys by OwnerID.
-	KeyStore interface {
-		Get(ctx context.Context, id refs.OwnerID) ([]*ecdsa.PublicKey, error)
-	}
-
-	// TokenStore is a PToken storage manipulation interface.
-	TokenStore interface {
-		// New returns new token with specified parameters.
-		New(p TokenParams) *PToken
-
-		// Fetch tries to fetch a token with specified id.
-		Fetch(id TokenID) *PToken
-
-		// Remove removes token with id from store.
-		Remove(id TokenID)
-	}
-
-	// TokenParams contains params to create new PToken.
-	TokenParams struct {
-		FirstEpoch uint64
-		LastEpoch  uint64
-		ObjectID   []ObjectID
-		OwnerID    OwnerID
-		PublicKeys [][]byte
-	}
-)
-
-// NewInitRequest returns new initialization CreateRequest from passed Token.
-func NewInitRequest(t *Token) *CreateRequest {
-	return &CreateRequest{Message: &CreateRequest_Init{Init: t}}
-}
-
-// NewSignedRequest returns new signed CreateRequest from passed Token.
-func NewSignedRequest(t *Token) *CreateRequest {
-	return &CreateRequest{Message: &CreateRequest_Signed{Signed: t}}
-}
-
-// Sign signs contents of the header with the private key.
-func (m *VerificationHeader) Sign(key *ecdsa.PrivateKey) error {
-	s, err := crypto.Sign(key, m.PublicKey)
-	if err != nil {
-		return err
-	}
-	m.KeySignature = s
-	return nil
-}

session/service.proto

@@ -3,7 +3,6 @@ package session;
 option go_package = "github.com/nspcc-dev/neofs-api-go/session";
 option csharp_namespace = "NeoFS.API.Session";
 
-import "session/types.proto";
 import "service/meta.proto";
 import "service/verify.proto";
 import "github.com/gogo/protobuf/gogoproto/gogo.proto";
@@ -12,42 +11,29 @@ option (gogoproto.stable_marshaler_all) = true;
 
 
 service Session {
-    // Create is a method that used to open a trusted session to manipulate
+    // Create opens new session between the client and the server
-    // an object. In order to put or delete object client have to obtain session
+    rpc Create (CreateRequest) returns (CreateResponse);
-    // token with trusted node. Trusted node will modify client's object
-    // (add missing headers, checksums, homomorphic hash) and sign id with
-    // session key. Session is established during 4-step handshake in one gRPC stream
-    //
-    // - First client stream message SHOULD BE type of `CreateRequest_Init`.
-    // - First server stream message SHOULD BE type of `CreateResponse_Unsigned`.
-    // - Second client stream message SHOULD BE type of `CreateRequest_Signed`.
-    // - Second server stream message SHOULD BE type of `CreateResponse_Result`.
-    rpc Create (stream CreateRequest) returns (stream CreateResponse);
 }
 
-
+// CreateRequest carries an information necessary for opening a session
 message CreateRequest {
-    // Message should be one of
+    // OwnerID carries an identifier of a session initiator
-    oneof Message {
+    bytes OwnerID = 1 [(gogoproto.nullable) = false, (gogoproto.customtype) = "OwnerID"];
-        // Init is a message to initialize session opening. Carry:
+
-        // owner of manipulation object;
+    // Lifetime carries a lifetime of the session
-        // ID of manipulation object;
+    service.TokenLifetime Lifetime = 2 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
-        // token lifetime bounds.
+
-        session.Token Init = 1;
-        // Signed Init message response (Unsigned) from server with user private key
-        session.Token Signed = 2;
-    }
     // RequestMetaHeader contains information about request meta headers (should be embedded into message)
     service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
     // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
     service.RequestVerificationHeader Verify = 99 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
 }
 
+// CreateResponse carries an information about the opened session
 message CreateResponse {
-    oneof Message {
+    // ID carries an identifier of session token
-        // Unsigned token with token ID and session public key generated on server side
+    bytes ID = 1 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
-        session.Token Unsigned = 1;
+
-        // Result is a resulting token which can be used for object placing through an trusted intermediary
+    // SessionKey carries a session public key
-        session.Token Result = 2;
+    bytes SessionKey = 2;
-    }
 }

session/store.go

@@ -1,82 +1,64 @@
 package session
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"sync"
-
-	"github.com/nspcc-dev/neofs-api-go/refs"
-	crypto "github.com/nspcc-dev/neofs-crypto"
 )
 
-type simpleStore struct {
+type mapTokenStore struct {
 	*sync.RWMutex
 
-	tokens map[TokenID]*PToken
+	tokens map[PrivateTokenKey]PrivateToken
 }
 
-// TODO get curve from neofs-crypto
+// NewMapTokenStore creates new PrivateTokenStore instance.
-func defaultCurve() elliptic.Curve {
+//
-	return elliptic.P256()
+// The elements of the instance are stored in the map.
-}
+func NewMapTokenStore() PrivateTokenStore {
-
+	return &mapTokenStore{
-// NewSimpleStore creates simple token storage
-func NewSimpleStore() TokenStore {
-	return &simpleStore{
 		RWMutex: new(sync.RWMutex),
-		tokens:  make(map[TokenID]*PToken),
+		tokens:  make(map[PrivateTokenKey]PrivateToken),
 	}
 }
 
-// New returns new token with specified parameters.
+// Store adds passed token to the map.
-func (s *simpleStore) New(p TokenParams) *PToken {
+//
-	tid, err := refs.NewUUID()
+// Resulting error is always nil.
-	if err != nil {
+func (s *mapTokenStore) Store(key PrivateTokenKey, token PrivateToken) error {
-		return nil
-	}
-
-	key, err := ecdsa.GenerateKey(defaultCurve(), rand.Reader)
-	if err != nil {
-		return nil
-	}
-
-	if p.FirstEpoch > p.LastEpoch || p.OwnerID.Empty() {
-		return nil
-	}
-
-	t := &PToken{
-		mtx: new(sync.Mutex),
-		Token: Token{
-			ID:         tid,
-			Header:     VerificationHeader{PublicKey: crypto.MarshalPublicKey(&key.PublicKey)},
-			FirstEpoch: p.FirstEpoch,
-			LastEpoch:  p.LastEpoch,
-			ObjectID:   p.ObjectID,
-			OwnerID:    p.OwnerID,
-			PublicKeys: p.PublicKeys,
-		},
-		PrivateKey: key,
-	}
-
 	s.Lock()
-	s.tokens[t.ID] = t
+	s.tokens[key] = token
 	s.Unlock()
 
-	return t
+	return nil
 }
 
-// Fetch tries to fetch a token with specified id.
+// Fetch returns the map element corresponding to the given key.
-func (s *simpleStore) Fetch(id TokenID) *PToken {
+//
+// Returns ErrPrivateTokenNotFound is there is no element in map.
+func (s *mapTokenStore) Fetch(key PrivateTokenKey) (PrivateToken, error) {
 	s.RLock()
 	defer s.RUnlock()
 
-	return s.tokens[id]
+	t, ok := s.tokens[key]
+	if !ok {
+		return nil, ErrPrivateTokenNotFound
+	}
+
+	return t, nil
 }
 
-// Remove removes token with id from store.
+// RemoveExpired removes all the map elements that are expired in the passed epoch.
-func (s *simpleStore) Remove(id TokenID) {
+//
+// Resulting error is always nil.
+func (s *mapTokenStore) RemoveExpired(epoch uint64) error {
 	s.Lock()
-	delete(s.tokens, id)
+
+	for key, token := range s.tokens {
+		if token.Expired(epoch) {
+			delete(s.tokens, key)
+		}
+	}
+
 	s.Unlock()
+
+	return nil
 }

session/store_test.go

@@ -1,96 +1,111 @@
 package session
 
 import (
-	"crypto/ecdsa"
-	"crypto/rand"
 	"testing"
 
 	"github.com/nspcc-dev/neofs-api-go/refs"
-	crypto "github.com/nspcc-dev/neofs-crypto"
 	"github.com/stretchr/testify/require"
 )
 
-type testClient struct {
+func TestMapTokenStore(t *testing.T) {
-	*ecdsa.PrivateKey
+	// create new private token
-	OwnerID OwnerID
+	pToken, err := NewPrivateToken(0)
+	require.NoError(t, err)
+
+	// create map token store
+	s := NewMapTokenStore()
+
+	// create test TokenID
+	tid, err := refs.NewUUID()
+	require.NoError(t, err)
+
+	// create test OwnerID
+	ownerID := OwnerID{1, 2, 3}
+
+	key := PrivateTokenKey{}
+	key.SetOwnerID(ownerID)
+	key.SetTokenID(tid)
+
+	// ascertain that there is no record for the key
+	_, err = s.Fetch(key)
+	require.EqualError(t, err, ErrPrivateTokenNotFound.Error())
+
+	// save private token record
+	require.NoError(t, s.Store(key, pToken))
+
+	// fetch private token by the key
+	res, err := s.Fetch(key)
+	require.NoError(t, err)
+
+	// ascertain that returned token equals to initial
+	require.Equal(t, pToken, res)
 }
 
-func (c *testClient) Sign(data []byte) ([]byte, error) {
+func TestMapTokenStore_RemoveExpired(t *testing.T) {
-	return crypto.Sign(c.PrivateKey, data)
+	// create some epoch number
-}
+	e1 := uint64(1)
-
+
-func newTestClient(t *testing.T) *testClient {
+	// create private token that expires after e1
-	key, err := ecdsa.GenerateKey(defaultCurve(), rand.Reader)
+	tok1, err := NewPrivateToken(e1)
-	require.NoError(t, err)
+	require.NoError(t, err)
-
+
-	owner, err := refs.NewOwnerID(&key.PublicKey)
+	// create some greater than e1 epoch number
-	require.NoError(t, err)
+	e2 := e1 + 1
-
+
-	return &testClient{PrivateKey: key, OwnerID: owner}
+	// create private token that expires after e2
-}
+	tok2, err := NewPrivateToken(e2)
-
+	require.NoError(t, err)
-func signToken(t *testing.T, token *PToken, c *testClient) {
+
-	require.NotNil(t, token)
+	// create token store instance
-	token.SetPublicKeys(&c.PublicKey)
+	s := NewMapTokenStore()
-
+
-	signH, err := c.Sign(token.Header.PublicKey)
+	// create test PrivateTokenKey
-	require.NoError(t, err)
+	key := PrivateTokenKey{}
-	require.NotNil(t, signH)
+	key.SetOwnerID(OwnerID{1, 2, 3})
-
+
-	// data is not yet signed
+	// create IDs for tokens
-	keys := UnmarshalPublicKeys(&token.Token)
+	id1, err := refs.NewUUID()
-	require.False(t, token.Verify(keys...))
+	require.NoError(t, err)
-
+	id2, err := refs.NewUUID()
-	signT, err := c.Sign(token.verificationData())
+	require.NoError(t, err)
-	require.NoError(t, err)
+
-	require.NotNil(t, signT)
+	assertPresence := func(ids ...TokenID) {
-
+		for i := range ids {
-	token.AddSignatures(signH, signT)
+			key.SetTokenID(ids[i])
-	require.True(t, token.Verify(keys...))
+			_, err = s.Fetch(key)
-}
+			require.NoError(t, err)
-
+		}
-func TestTokenStore(t *testing.T) {
+	}
-	s := NewSimpleStore()
+
-
+	assertAbsence := func(ids ...TokenID) {
-	oid, err := refs.NewObjectID()
+		for i := range ids {
-	require.NoError(t, err)
+			key.SetTokenID(ids[i])
-
+			_, err = s.Fetch(key)
-	c := newTestClient(t)
+			require.EqualError(t, err, ErrPrivateTokenNotFound.Error())
-	require.NotNil(t, c)
+		}
-	pk := [][]byte{crypto.MarshalPublicKey(&c.PublicKey)}
+	}
-
+
-	// create new token
+	// store both tokens
-	token := s.New(TokenParams{
+	key.SetTokenID(id1)
-		ObjectID:   []ObjectID{oid},
+	require.NoError(t, s.Store(key, tok1))
-		OwnerID:    c.OwnerID,
+	key.SetTokenID(id2)
-		PublicKeys: pk,
+	require.NoError(t, s.Store(key, tok2))
-	})
+
-	signToken(t, token, c)
+	// ascertain that both tokens are available
-
+	assertPresence(id1, id2)
-	// check that it can be fetched
+
-	t1 := s.Fetch(token.ID)
+	// perform cleaning for epoch in which both tokens are not expired
-	require.NotNil(t, t1)
+	require.NoError(t, s.RemoveExpired(e1))
-	require.Equal(t, token, t1)
+
-
+	// ascertain that both tokens are still available
-	// create and sign another token by the same client
+	assertPresence(id1, id2)
-	t1 = s.New(TokenParams{
+
-		ObjectID:   []ObjectID{oid},
+	// perform cleaning for epoch greater than e1 and not greater than e2
-		OwnerID:    c.OwnerID,
+	require.NoError(t, s.RemoveExpired(e1+1))
-		PublicKeys: pk,
+
-	})
+	// ascertain that tok1 was removed
-
+	assertAbsence(id1)
-	signToken(t, t1, c)
+
-
+	// ascertain that tok2 was not removed
-	data := []byte{1, 2, 3}
+	assertPresence(id2)
-	sign, err := t1.SignData(data)
-	require.NoError(t, err)
-	require.Error(t, token.Header.VerifyData(data, sign))
-
-	sign, err = token.SignData(data)
-	require.NoError(t, err)
-	require.NoError(t, token.Header.VerifyData(data, sign))
-
-	s.Remove(token.ID)
-	require.Nil(t, s.Fetch(token.ID))
-	require.NotNil(t, s.Fetch(t1.ID))
 }

session/types.go

@@ -1,181 +1,86 @@
 package session
 
 import (
+	"context"
 	"crypto/ecdsa"
-	"encoding/binary"
-	"sync"
 
-	"github.com/nspcc-dev/neofs-api-go/chain"
-	"github.com/nspcc-dev/neofs-api-go/internal"
 	"github.com/nspcc-dev/neofs-api-go/refs"
-	crypto "github.com/nspcc-dev/neofs-crypto"
+	"github.com/nspcc-dev/neofs-api-go/service"
-	"github.com/pkg/errors"
 )
 
-type (
+// PrivateToken is an interface of session private part.
-	// ObjectID type alias.
+type PrivateToken interface {
-	ObjectID = refs.ObjectID
+	// PublicKey must return a binary representation of session public key.
-	// OwnerID type alias.
+	PublicKey() []byte
-	OwnerID = refs.OwnerID
-	// TokenID type alias.
-	TokenID = refs.UUID
 
-	// PToken is a wrapper around Token that allows to sign data
+	// Sign must return the signature of passed data.
-	// and to do thread-safe manipulations.
+	//
-	PToken struct {
+	// Resulting signature must be verified by crypto.Verify function
-		Token
+	// with the session public key.
+	Sign([]byte) ([]byte, error)
 
-		mtx        *sync.Mutex
+	// Expired must return true if and only if private token is expired in the given epoch number.
-		PrivateKey *ecdsa.PrivateKey
+	Expired(uint64) bool
-	}
-)
-
-const (
-	// ErrWrongFirstEpoch is raised when passed Token contains wrong first epoch.
-	// First epoch is an epoch since token is valid
-	ErrWrongFirstEpoch = internal.Error("wrong first epoch")
-
-	// ErrWrongLastEpoch is raised when passed Token contains wrong last epoch.
-	// Last epoch is an epoch until token is valid
-	ErrWrongLastEpoch = internal.Error("wrong last epoch")
-
-	// ErrWrongOwner is raised when passed Token contains wrong OwnerID.
-	ErrWrongOwner = internal.Error("wrong owner")
-
-	// ErrEmptyPublicKey is raised when passed Token contains wrong public key.
-	ErrEmptyPublicKey = internal.Error("empty public key")
-
-	// ErrWrongObjectsCount is raised when passed Token contains wrong objects count.
-	ErrWrongObjectsCount = internal.Error("wrong objects count")
-
-	// ErrWrongObjects is raised when passed Token contains wrong object ids.
-	ErrWrongObjects = internal.Error("wrong objects")
-
-	// ErrInvalidSignature is raised when wrong signature is passed to VerificationHeader.VerifyData().
-	ErrInvalidSignature = internal.Error("invalid signature")
-)
-
-// verificationData returns byte array to sign.
-// Note: protobuf serialization is inconsistent as
-// wire order is unspecified.
-func (m *Token) verificationData() (data []byte) {
-	var size int
-	if l := len(m.ObjectID); l > 0 {
-		size = m.ObjectID[0].Size()
-		data = make([]byte, 16+l*size)
-	} else {
-		data = make([]byte, 16)
-	}
-	binary.BigEndian.PutUint64(data, m.FirstEpoch)
-	binary.BigEndian.PutUint64(data[8:], m.LastEpoch)
-	for i := range m.ObjectID {
-		copy(data[16+i*size:], m.ObjectID[i].Bytes())
-	}
-	return
 }
 
-// IsSame checks if the passed token is valid and equal to current token
+// PrivateTokenKey is a structure of private token storage key.
-func (m *Token) IsSame(t *Token) error {
+type PrivateTokenKey struct {
-	switch {
+	owner OwnerID
-	case m.FirstEpoch != t.FirstEpoch:
+	token TokenID
-		return ErrWrongFirstEpoch
-	case m.LastEpoch != t.LastEpoch:
-		return ErrWrongLastEpoch
-	case !m.OwnerID.Equal(t.OwnerID):
-		return ErrWrongOwner
-	case m.Header.PublicKey == nil:
-		return ErrEmptyPublicKey
-	case len(m.ObjectID) != len(t.ObjectID):
-		return ErrWrongObjectsCount
-	default:
-		for i := range m.ObjectID {
-			if !m.ObjectID[i].Equal(t.ObjectID[i]) {
-				return errors.Wrapf(ErrWrongObjects, "expect %s, actual: %s", m.ObjectID[i], t.ObjectID[i])
-			}
-		}
-	}
-	return nil
 }
 
-// Sign tries to sign current Token data and stores signature inside it.
+// PrivateTokenSource is an interface of private token storage with read access.
-func (m *Token) Sign(key *ecdsa.PrivateKey) error {
+type PrivateTokenSource interface {
-	if err := m.Header.Sign(key); err != nil {
+	// Fetch must return the storage record corresponding to the passed key.
-		return err
+	//
-	}
+	// Resulting error must be ErrPrivateTokenNotFound if there is no corresponding record.
-
+	Fetch(PrivateTokenKey) (PrivateToken, error)
-	s, err := crypto.Sign(key, m.verificationData())
-	if err != nil {
-		return err
-	}
-
-	m.Signature = s
-	return nil
 }
 
-// SetPublicKeys sets owner's public keys to the token
+// EpochLifetimeStore is an interface of the storage of elements that lifetime is limited by NeoFS epoch.
-func (m *Token) SetPublicKeys(keys ...*ecdsa.PublicKey) {
+type EpochLifetimeStore interface {
-	m.PublicKeys = m.PublicKeys[:0]
+	// RemoveExpired must remove all elements that are expired in the given epoch.
-	for i := range keys {
+	RemoveExpired(uint64) error
-		m.PublicKeys = append(m.PublicKeys, crypto.MarshalPublicKey(keys[i]))
-	}
 }
 
-// Verify checks if token is correct and signed.
+// PrivateTokenStore is an interface of the storage of private tokens addressable by TokenID.
-func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool {
+type PrivateTokenStore interface {
-	if m.FirstEpoch > m.LastEpoch {
+	PrivateTokenSource
-		return false
+	EpochLifetimeStore
-	}
-	ownerFromKeys := chain.KeysToAddress(keys...)
-	if m.OwnerID.String() != ownerFromKeys {
-		return false
-	}
 
-	for i := range keys {
+	// Store must save passed private token in the storage under the given key.
-		if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil {
+	//
-			return true
+	// Resulting error must be nil if private token was stored successfully.
-		}
+	Store(PrivateTokenKey, PrivateToken) error
-	}
-	return false
 }
 
-// AddSignatures adds token signatures.
+// KeyStore is an interface of the storage of public keys addressable by OwnerID,
-func (t *PToken) AddSignatures(signH, signT []byte) {
+type KeyStore interface {
-	t.mtx.Lock()
+	// Get must return the storage record corresponding to the passed key.
-
+	//
-	t.Header.KeySignature = signH
+	// Resulting error must be ErrKeyNotFound if there is no corresponding record.
-	t.Signature = signT
+	Get(context.Context, OwnerID) ([]*ecdsa.PublicKey, error)
-
-	t.mtx.Unlock()
 }
 
-// SignData signs data with session private key.
+// CreateParamsSource is an interface of the container of session parameters with read access.
-func (t *PToken) SignData(data []byte) ([]byte, error) {
+type CreateParamsSource interface {
-	return crypto.Sign(t.PrivateKey, data)
+	refs.OwnerIDSource
+	service.LifetimeSource
 }
 
-// VerifyData checks if signature of data by token is equal to sign.
+// CreateParamsContainer is an interface of the container of session parameters.
-func (m *VerificationHeader) VerifyData(data, sign []byte) error {
+type CreateParamsContainer interface {
-	if crypto.Verify(crypto.UnmarshalPublicKey(m.PublicKey), data, sign) != nil {
+	refs.OwnerIDContainer
-		return ErrInvalidSignature
+	service.LifetimeContainer
-	}
-	return nil
 }
 
-// Verify checks if verification header was issued by id.
+// CreateResult is an interface of the container of an opened session info with read access.
-func (m *VerificationHeader) Verify(keys ...*ecdsa.PublicKey) bool {
+type CreateResult interface {
-	for i := range keys {
+	service.TokenIDSource
-		if crypto.Verify(keys[i], m.PublicKey, m.KeySignature) == nil {
+	service.SessionKeySource
-			return true
-		}
-	}
-	return false
 }
 
-// UnmarshalPublicKeys returns unmarshal public keys from the token
+// Creator is an interface of the tool for a session opening.
-func UnmarshalPublicKeys(t *Token) []*ecdsa.PublicKey {
+type Creator interface {
-	r := make([]*ecdsa.PublicKey, 0, len(t.PublicKeys))
+	Create(context.Context, CreateParamsSource) (CreateResult, error)
-	for i := range t.PublicKeys {
-		r = append(r, crypto.UnmarshalPublicKey(t.PublicKeys[i]))
-	}
-	return r
 }

session/types.proto

@@ -1,35 +0,0 @@
-syntax = "proto3";
-package session;
-option go_package = "github.com/nspcc-dev/neofs-api-go/session";
-option csharp_namespace = "NeoFS.API.Session";
-
-import "github.com/gogo/protobuf/gogoproto/gogo.proto";
-
-option (gogoproto.stable_marshaler_all) = true;
-
-message VerificationHeader {
-    // PublicKey is a session public key
-    bytes PublicKey = 1;
-    // KeySignature is a session public key signature. Signed by trusted side
-    bytes KeySignature = 2;
-}
-
-// User token granting rights for object manipulation
-message Token {
-    // Header carries verification data of session key
-    VerificationHeader Header = 1 [(gogoproto.nullable) = false];
-    // OwnerID is an owner of manipulation object
-    bytes OwnerID = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
-    // FirstEpoch is an initial epoch of token lifetime
-    uint64 FirstEpoch = 3;
-    // LastEpoch is a last epoch of token lifetime
-    uint64 LastEpoch = 4;
-    // ObjectID is an object identifier of manipulation object
-    repeated bytes ObjectID = 5 [(gogoproto.customtype) = "ObjectID", (gogoproto.nullable) = false];
-    // Signature is a token signature, signed by owner of manipulation object
-    bytes Signature = 6;
-    // ID is a token identifier. valid UUIDv4 represented in bytes
-    bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
-    // PublicKeys associated with owner
-    repeated bytes PublicKeys = 8;
-}

state/sign.go

@@ -0,0 +1,67 @@
+package state
+
+import (
+	"io"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+)
+
+// SignedData returns payload bytes of the request.
+//
+// Always returns an empty slice.
+func (m NetmapRequest) SignedData() ([]byte, error) {
+	return make([]byte, 0), nil
+}
+
+// SignedData returns payload bytes of the request.
+//
+// Always returns an empty slice.
+func (m MetricsRequest) SignedData() ([]byte, error) {
+	return make([]byte, 0), nil
+}
+
+// SignedData returns payload bytes of the request.
+//
+// Always returns an empty slice.
+func (m HealthRequest) SignedData() ([]byte, error) {
+	return make([]byte, 0), nil
+}
+
+// SignedData returns payload bytes of the request.
+//
+// Always returns an empty slice.
+func (m DumpRequest) SignedData() ([]byte, error) {
+	return make([]byte, 0), nil
+}
+
+// SignedData returns payload bytes of the request.
+//
+// Always returns an empty slice.
+func (m DumpVarsRequest) SignedData() ([]byte, error) {
+	return make([]byte, 0), nil
+}
+
+// SignedData returns payload bytes of the request.
+func (m ChangeStateRequest) SignedData() ([]byte, error) {
+	return service.SignedDataFromReader(m)
+}
+
+// SignedDataSize returns payload size of the request.
+func (m ChangeStateRequest) SignedDataSize() int {
+	return m.GetState().Size()
+}
+
+// ReadSignedData copies payload bytes to passed buffer.
+//
+// If the Request size is insufficient, io.ErrUnexpectedEOF returns.
+func (m ChangeStateRequest) ReadSignedData(p []byte) (int, error) {
+	if len(p) < m.SignedDataSize() {
+		return 0, io.ErrUnexpectedEOF
+	}
+
+	var off int
+
+	off += copy(p[off:], m.GetState().Bytes())
+
+	return off, nil
+}

state/sign_test.go

@@ -0,0 +1,94 @@
+package state
+
+import (
+	"testing"
+
+	"github.com/nspcc-dev/neofs-api-go/service"
+	"github.com/nspcc-dev/neofs-crypto/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRequestSign(t *testing.T) {
+	sk := test.DecodeKey(0)
+
+	type sigType interface {
+		service.SignedDataWithToken
+		service.SignKeyPairAccumulator
+		service.SignKeyPairSource
+		SetToken(*service.Token)
+	}
+
+	items := []struct {
+		constructor    func() sigType
+		payloadCorrupt []func(sigType)
+	}{
+		{ // NetmapRequest
+			constructor: func() sigType {
+				return new(NetmapRequest)
+			},
+		},
+		{ // MetricsRequest
+			constructor: func() sigType {
+				return new(MetricsRequest)
+			},
+		},
+		{ // HealthRequest
+			constructor: func() sigType {
+				return new(HealthRequest)
+			},
+		},
+		{ // DumpRequest
+			constructor: func() sigType {
+				return new(DumpRequest)
+			},
+		},
+		{ // DumpVarsRequest
+			constructor: func() sigType {
+				return new(DumpVarsRequest)
+			},
+		},
+		{
+			constructor: func() sigType {
+				return new(ChangeStateRequest)
+			},
+			payloadCorrupt: []func(sigType){
+				func(s sigType) {
+					req := s.(*ChangeStateRequest)
+
+					req.SetState(req.GetState() + 1)
+				},
+			},
+		},
+	}
+
+	for _, item := range items {
+		{ // token corruptions
+			v := item.constructor()
+
+			token := new(service.Token)
+			v.SetToken(token)
+
+			require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+			require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+			token.SetSessionKey(append(token.GetSessionKey(), 1))
+
+			require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+		}
+
+		{ // payload corruptions
+			for _, corruption := range item.payloadCorrupt {
+				v := item.constructor()
+
+				require.NoError(t, service.SignDataWithSessionToken(sk, v))
+
+				require.NoError(t, service.VerifyAccumulatedSignaturesWithToken(v))
+
+				corruption(v)
+
+				require.Error(t, service.VerifyAccumulatedSignaturesWithToken(v))
+			}
+		}
+	}
+}

state/types.go

@@ -0,0 +1,24 @@
+package state
+
+import (
+	"encoding/binary"
+)
+
+// SetState is a State field setter.
+func (m *ChangeStateRequest) SetState(st ChangeStateRequest_State) {
+	m.State = st
+}
+
+// Size returns the size of the state binary representation.
+func (ChangeStateRequest_State) Size() int {
+	return 4
+}
+
+// Bytes returns the state binary representation.
+func (x ChangeStateRequest_State) Bytes() []byte {
+	data := make([]byte, x.Size())
+
+	binary.BigEndian.PutUint32(data, uint32(x))
+
+	return data
+}

state/types_test.go

@@ -0,0 +1,18 @@
+package state
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestChangeStateRequestGettersSetters(t *testing.T) {
+	t.Run("state", func(t *testing.T) {
+		st := ChangeStateRequest_State(1)
+		m := new(ChangeStateRequest)
+
+		m.SetState(st)
+
+		require.Equal(t, st, m.GetState())
+	})
+}