[#380] Support changes in signature schemes
Support new `SignatureRFC6979` message. Make `refs.ECDSA_SHA512` to be default scheme. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
f4fd28e39b
commit
d065453bd0
9 changed files with 76 additions and 42 deletions
|
@ -152,6 +152,18 @@ func (c *Container) FromGRPCMessage(m grpc.Message) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func toSignatureRFC6979(s *refs.Signature) *refsGRPC.SignatureRFC6979 {
|
||||
var res *refsGRPC.SignatureRFC6979
|
||||
|
||||
if s != nil {
|
||||
res = new(refsGRPC.SignatureRFC6979)
|
||||
res.SetKey(s.GetKey())
|
||||
res.SetSign(s.GetSign())
|
||||
}
|
||||
|
||||
return res
|
||||
}
|
||||
|
||||
func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
|
||||
var m *container.PutRequest_Body
|
||||
|
||||
|
@ -159,7 +171,7 @@ func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
|
|||
m = new(container.PutRequest_Body)
|
||||
|
||||
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
|
||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
||||
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||
}
|
||||
|
||||
return m
|
||||
|
@ -195,7 +207,8 @@ func (r *PutRequestBody) FromGRPCMessage(m grpc.Message) error {
|
|||
r.sig = new(refs.Signature)
|
||||
}
|
||||
|
||||
err = r.sig.FromGRPCMessage(sig)
|
||||
r.sig.SetKey(sig.GetKey())
|
||||
r.sig.SetSign(sig.GetSign())
|
||||
}
|
||||
|
||||
return err
|
||||
|
@ -391,7 +404,7 @@ func (r *GetResponseBody) ToGRPCMessage() grpc.Message {
|
|||
|
||||
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
|
||||
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
|
||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
||||
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||
}
|
||||
|
||||
return m
|
||||
|
@ -424,7 +437,8 @@ func (r *GetResponseBody) FromGRPCMessage(m grpc.Message) error {
|
|||
r.sig = new(refs.Signature)
|
||||
}
|
||||
|
||||
err = r.sig.FromGRPCMessage(sig)
|
||||
r.sig.SetKey(sig.GetKey())
|
||||
r.sig.SetSign(sig.GetSign())
|
||||
}
|
||||
|
||||
token := v.GetSessionToken()
|
||||
|
@ -486,7 +500,7 @@ func (r *DeleteRequestBody) ToGRPCMessage() grpc.Message {
|
|||
m = new(container.DeleteRequest_Body)
|
||||
|
||||
m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID))
|
||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
||||
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||
}
|
||||
|
||||
return m
|
||||
|
@ -522,7 +536,8 @@ func (r *DeleteRequestBody) FromGRPCMessage(m grpc.Message) error {
|
|||
r.sig = new(refs.Signature)
|
||||
}
|
||||
|
||||
err = r.sig.FromGRPCMessage(sig)
|
||||
r.sig.SetKey(sig.GetKey())
|
||||
r.sig.SetSign(sig.GetSign())
|
||||
}
|
||||
|
||||
return err
|
||||
|
@ -765,7 +780,7 @@ func (r *SetExtendedACLRequestBody) ToGRPCMessage() grpc.Message {
|
|||
m = new(container.SetExtendedACLRequest_Body)
|
||||
|
||||
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
|
||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
||||
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||
}
|
||||
|
||||
return m
|
||||
|
@ -801,7 +816,8 @@ func (r *SetExtendedACLRequestBody) FromGRPCMessage(m grpc.Message) error {
|
|||
r.sig = new(refs.Signature)
|
||||
}
|
||||
|
||||
err = r.sig.FromGRPCMessage(sig)
|
||||
r.sig.SetKey(sig.GetKey())
|
||||
r.sig.SetSign(sig.GetSign())
|
||||
}
|
||||
|
||||
return err
|
||||
|
@ -981,7 +997,7 @@ func (r *GetExtendedACLResponseBody) ToGRPCMessage() grpc.Message {
|
|||
m = new(container.GetExtendedACLResponse_Body)
|
||||
|
||||
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
|
||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
||||
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
|
||||
}
|
||||
|
||||
|
@ -1018,7 +1034,8 @@ func (r *GetExtendedACLResponseBody) FromGRPCMessage(m grpc.Message) error {
|
|||
r.sig = new(refs.Signature)
|
||||
}
|
||||
|
||||
err = r.sig.FromGRPCMessage(sig)
|
||||
r.sig.SetKey(sig.GetKey())
|
||||
r.sig.SetSign(sig.GetSign())
|
||||
}
|
||||
|
||||
token := v.GetSessionToken()
|
||||
|
|
|
@ -14,7 +14,7 @@ func (m *PutRequest_Body) SetContainer(v *Container) {
|
|||
}
|
||||
|
||||
// SetSignature sets signature of the container structure.
|
||||
func (m *PutRequest_Body) SetSignature(v *refs.Signature) {
|
||||
func (m *PutRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||
if m != nil {
|
||||
m.Signature = v
|
||||
}
|
||||
|
@ -77,7 +77,7 @@ func (m *DeleteRequest_Body) SetContainerId(v *refs.ContainerID) {
|
|||
}
|
||||
|
||||
// SetSignature sets signature of the container identifier.
|
||||
func (m *DeleteRequest_Body) SetSignature(v *refs.Signature) {
|
||||
func (m *DeleteRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||
if m != nil {
|
||||
m.Signature = v
|
||||
}
|
||||
|
@ -166,8 +166,8 @@ func (m *GetResponse_Body) SetSessionToken(v *session.SessionToken) {
|
|||
}
|
||||
}
|
||||
|
||||
// SetSignature sets signature of the requested container.
|
||||
func (m *GetResponse_Body) SetSignature(v *refs.Signature) {
|
||||
// SetSignature sets signature of the container structure.
|
||||
func (m *GetResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||
if m != nil {
|
||||
m.Signature = v
|
||||
}
|
||||
|
@ -257,8 +257,8 @@ func (m *SetExtendedACLRequest_Body) SetEacl(v *acl.EACLTable) {
|
|||
}
|
||||
}
|
||||
|
||||
// SetSignature sets signature of the eACL table.
|
||||
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.Signature) {
|
||||
// SetSignature sets signature of the eACL table structure.
|
||||
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||
if m != nil {
|
||||
m.Signature = v
|
||||
}
|
||||
|
@ -341,8 +341,8 @@ func (m *GetExtendedACLResponse_Body) SetEacl(v *acl.EACLTable) {
|
|||
}
|
||||
}
|
||||
|
||||
// SetSignature sets signature of the eACL table.
|
||||
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.Signature) {
|
||||
// SetSignature sets signature of the eACL table structure.
|
||||
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||
if m != nil {
|
||||
m.Signature = v
|
||||
}
|
||||
|
|
BIN
container/grpc/service.pb.go
generated
BIN
container/grpc/service.pb.go
generated
Binary file not shown.
|
@ -316,6 +316,8 @@ func (r *PutRequestBody) GetSignature() *refs.Signature {
|
|||
|
||||
func (r *PutRequestBody) SetSignature(v *refs.Signature) {
|
||||
if r != nil {
|
||||
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||
v.SetScheme(0)
|
||||
r.sig = v
|
||||
}
|
||||
}
|
||||
|
@ -434,6 +436,8 @@ func (r *GetResponseBody) GetSignature() *refs.Signature {
|
|||
// SetSignature sets signature of the requested container.
|
||||
func (r *GetResponseBody) SetSignature(v *refs.Signature) {
|
||||
if r != nil {
|
||||
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||
v.SetScheme(0)
|
||||
r.sig = v
|
||||
}
|
||||
}
|
||||
|
@ -476,6 +480,8 @@ func (r *DeleteRequestBody) GetSignature() *refs.Signature {
|
|||
|
||||
func (r *DeleteRequestBody) SetSignature(v *refs.Signature) {
|
||||
if r != nil {
|
||||
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||
v.SetScheme(0)
|
||||
r.sig = v
|
||||
}
|
||||
}
|
||||
|
@ -588,6 +594,8 @@ func (r *SetExtendedACLRequestBody) GetSignature() *refs.Signature {
|
|||
|
||||
func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) {
|
||||
if r != nil {
|
||||
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||
v.SetScheme(0)
|
||||
r.sig = v
|
||||
}
|
||||
}
|
||||
|
@ -672,6 +680,8 @@ func (r *GetExtendedACLResponseBody) GetSignature() *refs.Signature {
|
|||
|
||||
func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) {
|
||||
if r != nil {
|
||||
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||
v.SetScheme(0)
|
||||
r.sig = v
|
||||
}
|
||||
}
|
||||
|
|
|
@ -84,6 +84,20 @@ func (x *Signature) SetScheme(s SignatureScheme) {
|
|||
}
|
||||
}
|
||||
|
||||
// SetKey sets public key in a binary format.
|
||||
func (x *SignatureRFC6979) SetKey(v []byte) {
|
||||
if x != nil {
|
||||
x.Key = v
|
||||
}
|
||||
}
|
||||
|
||||
// SetSign sets signature.
|
||||
func (x *SignatureRFC6979) SetSign(v []byte) {
|
||||
if x != nil {
|
||||
x.Sign = v
|
||||
}
|
||||
}
|
||||
|
||||
// FromString parses SignatureScheme from a string representation,
|
||||
// It is a reverse action to String().
|
||||
//
|
||||
|
|
BIN
refs/grpc/types.pb.go
generated
BIN
refs/grpc/types.pb.go
generated
Binary file not shown.
|
@ -35,8 +35,7 @@ type SignatureScheme uint32
|
|||
|
||||
//nolint:revive
|
||||
const (
|
||||
UnspecifiedScheme SignatureScheme = iota
|
||||
ECDSA_SHA512
|
||||
ECDSA_SHA512 SignatureScheme = iota
|
||||
ECDSA_RFC6979_SHA256
|
||||
)
|
||||
|
||||
|
@ -189,7 +188,7 @@ func (s *Signature) GetScheme() SignatureScheme {
|
|||
if s != nil {
|
||||
return s.scheme
|
||||
}
|
||||
return UnspecifiedScheme
|
||||
return 0
|
||||
}
|
||||
|
||||
func (s *Signature) SetScheme(scheme SignatureScheme) {
|
||||
|
|
|
@ -41,13 +41,13 @@ func SignDataWithHandler(key *ecdsa.PrivateKey, src DataSource, handler KeySigna
|
|||
opts[i](cfg)
|
||||
}
|
||||
|
||||
sigData, err := sign(cfg, cfg.defaultScheme, key, data)
|
||||
sigData, err := sign(cfg, key, data)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
sig := new(refs.Signature)
|
||||
sig.SetScheme(cfg.defaultScheme)
|
||||
sig.SetScheme(cfg.scheme)
|
||||
sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey))
|
||||
sig.SetSign(sigData)
|
||||
handler(sig)
|
||||
|
|
|
@ -9,51 +9,45 @@ import (
|
|||
)
|
||||
|
||||
type cfg struct {
|
||||
defaultScheme refs.SignatureScheme
|
||||
restrictScheme refs.SignatureScheme
|
||||
schemeFixed bool
|
||||
scheme refs.SignatureScheme
|
||||
}
|
||||
|
||||
func defaultCfg() *cfg {
|
||||
return &cfg{
|
||||
defaultScheme: refs.ECDSA_SHA512,
|
||||
restrictScheme: refs.UnspecifiedScheme,
|
||||
}
|
||||
return new(cfg)
|
||||
}
|
||||
|
||||
func verify(cfg *cfg, data []byte, sig *refs.Signature) error {
|
||||
scheme := sig.GetScheme()
|
||||
if scheme == refs.UnspecifiedScheme {
|
||||
scheme = cfg.defaultScheme
|
||||
}
|
||||
if cfg.restrictScheme != refs.UnspecifiedScheme && scheme != cfg.restrictScheme {
|
||||
return fmt.Errorf("%w: unexpected signature scheme", crypto.ErrInvalidSignature)
|
||||
if !cfg.schemeFixed {
|
||||
cfg.scheme = sig.GetScheme()
|
||||
}
|
||||
|
||||
pub := crypto.UnmarshalPublicKey(sig.GetKey())
|
||||
switch scheme {
|
||||
|
||||
switch cfg.scheme {
|
||||
case refs.ECDSA_SHA512:
|
||||
return crypto.Verify(pub, data, sig.GetSign())
|
||||
case refs.ECDSA_RFC6979_SHA256:
|
||||
return crypto.VerifyRFC6979(pub, data, sig.GetSign())
|
||||
default:
|
||||
return crypto.ErrInvalidSignature
|
||||
return fmt.Errorf("unsupported signature scheme %s", cfg.scheme)
|
||||
}
|
||||
}
|
||||
|
||||
func sign(cfg *cfg, scheme refs.SignatureScheme, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
|
||||
switch scheme {
|
||||
func sign(cfg *cfg, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
|
||||
switch cfg.scheme {
|
||||
case refs.ECDSA_SHA512:
|
||||
return crypto.Sign(key, data)
|
||||
case refs.ECDSA_RFC6979_SHA256:
|
||||
return crypto.SignRFC6979(key, data)
|
||||
default:
|
||||
panic("unsupported scheme")
|
||||
panic(fmt.Sprintf("unsupported scheme %s", cfg.scheme))
|
||||
}
|
||||
}
|
||||
|
||||
func SignWithRFC6979() SignOption {
|
||||
return func(c *cfg) {
|
||||
c.defaultScheme = refs.ECDSA_RFC6979_SHA256
|
||||
c.restrictScheme = refs.ECDSA_RFC6979_SHA256
|
||||
c.schemeFixed = true
|
||||
c.scheme = refs.ECDSA_RFC6979_SHA256
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue