From a292150d42bd14cfd254def5a556236042fcefde Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Wed, 2 Mar 2022 13:41:41 +0300 Subject: [PATCH] [#157] signature: Change scheme selection `SignData`: use `ECDSAWithSHA512` by default. `SignWithRFC6979` option switches the scheme to `RFC6979WithSHA256`. `VerifyData`: if scheme is not fixed (like by `SignWithRFC6979` option) then scheme from the message is processed. Signed-off-by: Leonard Lyubich --- go.mod | 2 +- go.sum | 4 ++-- signature/signature.go | 7 +++++-- util/signature/data.go | 4 ++-- util/signature/options.go | 25 ++++++++++--------------- 5 files changed, 20 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index 5981be1..5433f99 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/mr-tron/base58 v1.2.0 github.com/nspcc-dev/hrw v1.0.9 github.com/nspcc-dev/neo-go v0.98.0 - github.com/nspcc-dev/neofs-api-go/v2 v2.12.0 + github.com/nspcc-dev/neofs-api-go/v2 v2.11.2-0.20220302134950-d065453bd0a7 github.com/stretchr/testify v1.7.0 go.uber.org/zap v1.18.1 google.golang.org/grpc v1.41.0 diff --git a/go.sum b/go.sum index e6a32fe..d1187f9 100644 --- a/go.sum +++ b/go.sum 
@@ -177,8 +177,8 @@ github.com/nspcc-dev/neo-go v0.73.1-pre.0.20200303142215-f5a1b928ce09/go.mod h1: github.com/nspcc-dev/neo-go v0.98.0 h1:yyW4sgY88/pLf0949qmgfkQXzRKC3CI/WyhqXNnwMd8= github.com/nspcc-dev/neo-go v0.98.0/go.mod h1:E3cc1x6RXSXrJb2nDWXTXjnXk3rIqVN8YdFyWv+FrqM= github.com/nspcc-dev/neofs-api-go/v2 v2.11.0-pre.0.20211201134523-3604d96f3fe1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs= -github.com/nspcc-dev/neofs-api-go/v2 v2.12.0 h1:xWqXzorDk9WFMTtWP7cwwlyJDL1X6Z4HT1e5zqkq7xY= -github.com/nspcc-dev/neofs-api-go/v2 v2.12.0/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs= +github.com/nspcc-dev/neofs-api-go/v2 v2.11.2-0.20220302134950-d065453bd0a7 h1:hLMvj4K9djzBg+TaeDGQWGuohzXvcThi0r0LSLhhi3M= +github.com/nspcc-dev/neofs-api-go/v2 v2.11.2-0.20220302134950-d065453bd0a7/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs= github.com/nspcc-dev/neofs-crypto v0.2.0/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA= github.com/nspcc-dev/neofs-crypto v0.2.3/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw= github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnBg0L4ifM= diff --git a/signature/signature.go b/signature/signature.go index a79b5be..75b7843 100644 --- a/signature/signature.go +++ b/signature/signature.go @@ -12,11 +12,14 @@ type Scheme uint32 // Supported signature schemes. const ( - Unspecified Scheme = iota - ECDSAWithSHA512 + ECDSAWithSHA512 Scheme = iota RFC6979WithSHA256 ) +func (x Scheme) String() string { + return refs.SignatureScheme(x).String() +} + // NewFromV2 wraps v2 Signature message to Signature. // // Nil refs.Signature converts to nil. diff --git a/util/signature/data.go b/util/signature/data.go index 9351126..1de11a8 100644 --- a/util/signature/data.go +++ b/util/signature/data.go 
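Review bot: The new `String` method converts with `refs.SignatureScheme(x)`, so it is correct only while the iota order of `ECDSAWithSHA512` and `RFC6979WithSHA256` matches the numeric values of the API enum, and nothing in the const block enforces that. Dropping `Unspecified` also renumbers both constants: the zero value of `Scheme` now means `ECDSAWithSHA512`, and any value persisted or exchanged under the old numbering, if there is one, would be read as a different scheme. I would define each constant from the corresponding `refs.SignatureScheme` constant instead of `iota`, and give the exported method a doc comment such as `// String returns the name of the scheme as defined by the API enum.`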
@@ -57,7 +57,7 @@ func SignData(key *ecdsa.PrivateKey, src DataSource, opts ...SignOption) (*signa cfg := getConfig(opts...) - sigData, err := sign(cfg.defaultScheme, key, data) + sigData, err := sign(cfg.scheme, key, data) if err != nil { return nil, err } @@ -65,7 +65,7 @@ func SignData(key *ecdsa.PrivateKey, src DataSource, opts ...SignOption) (*signa sig := signature.New() sig.SetKey((*keys.PublicKey)(&key.PublicKey).Bytes()) sig.SetSign(sigData) - sig.SetScheme(cfg.defaultScheme) + sig.SetScheme(cfg.scheme) return sig, nil } diff --git a/util/signature/options.go b/util/signature/options.go index 1400148..f768351 100644 --- a/util/signature/options.go +++ b/util/signature/options.go @@ -16,14 +16,13 @@ import ( var curve = elliptic.P256() type cfg struct { - defaultScheme signature.Scheme - restrictScheme signature.Scheme + schemeFixed bool + scheme signature.Scheme } func getConfig(opts ...SignOption) *cfg { cfg := &cfg{ - defaultScheme: signature.ECDSAWithSHA512, - restrictScheme: signature.Unspecified, + scheme: signature.ECDSAWithSHA512, } for i := range opts { @@ -46,7 +45,7 @@ func sign(scheme signature.Scheme, key *ecdsa.PrivateKey, msg []byte) ([]byte, e p := &keys.PrivateKey{PrivateKey: *key} return p.Sign(msg), nil default: - panic("unsupported scheme") + panic(fmt.Sprintf("unsupported scheme %s", scheme)) } } @@ -56,15 +55,11 @@ func verify(cfg *cfg, msg []byte, sig *signature.Signature) error { return fmt.Errorf("%w: %v", ErrInvalidPublicKey, err) } - scheme := sig.Scheme() - if scheme == signature.Unspecified { - scheme = cfg.defaultScheme - } - if cfg.restrictScheme != signature.Unspecified && scheme != cfg.restrictScheme { - return fmt.Errorf("%w: unexpected signature scheme", ErrInvalidSignature) + if !cfg.schemeFixed { + cfg.scheme = sig.Scheme() } - switch scheme { + switch cfg.scheme { case signature.ECDSAWithSHA512: h := sha512.Sum512(msg) r, s := unmarshalXY(sig.Sign()) 
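Review bot: In `verify`, when `schemeFixed` is false the algorithm is taken from `sig.Scheme()`, that is from the signature being verified, and the removed `restrictScheme` check has no replacement, so a verifier can no longer pin `ECDSAWithSHA512` or reject a signature whose declared scheme differs from the one it expects. With `schemeFixed` set, the declared scheme is ignored rather than compared, where the old code returned `unexpected signature scheme`. The assignment `cfg.scheme = sig.Scheme()` also writes into the config passed by the caller; a local avoids that side effect: `scheme := cfg.scheme`, then `if !cfg.schemeFixed { scheme = sig.Scheme() }` and `switch scheme`. The body of `verify` continues past the end of this hunk.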
@@ -79,7 +74,7 @@ func verify(cfg *cfg, msg []byte, sig *signature.Signature) error { } return ErrInvalidSignature default: - return ErrInvalidSignature + return fmt.Errorf("unsupported signature scheme %s", cfg.scheme) } } @@ -111,7 +106,7 @@ func unmarshalXY(data []byte) (x *big.Int, y *big.Int) { func SignWithRFC6979() SignOption { return func(c *cfg) { - c.defaultScheme = signature.RFC6979WithSHA256 - c.restrictScheme = signature.RFC6979WithSHA256 + c.schemeFixed = true + c.scheme = signature.RFC6979WithSHA256 } }
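Review bot: The new `default` branch returns an error that no longer wraps `ErrInvalidSignature`, so a caller matching with `errors.Is(err, ErrInvalidSignature)` stops recognising a signature that carries an unknown scheme value, and after this commit that value is read from the signature itself. Keeping the sentinel preserves the error contract while still naming the scheme: `return fmt.Errorf("%w: unsupported signature scheme %s", ErrInvalidSignature, cfg.scheme)`. The start of `verify` is outside this hunk.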
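Review bot: `SignWithRFC6979` is exported and, as far as this hunk shows, has no doc comment, while its meaning changed: it now sets `schemeFixed`, which in `verify` makes verification use `RFC6979WithSHA256` regardless of the scheme declared in the signature. I would document that above the function, for example `// SignWithRFC6979 fixes the scheme to RFC6979WithSHA256 for both signing and verification; the scheme carried by a verified signature is ignored.`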