[#380] Support changes in signature schemes
Support new `SignatureRFC6979` message. Make `refs.ECDSA_SHA512` the default scheme. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
parent
f4fd28e39b
commit
d065453bd0
9 changed files with 76 additions and 42 deletions
|
@ -152,6 +152,18 @@ func (c *Container) FromGRPCMessage(m grpc.Message) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func toSignatureRFC6979(s *refs.Signature) *refsGRPC.SignatureRFC6979 {
|
||||||
|
var res *refsGRPC.SignatureRFC6979
|
||||||
|
|
||||||
|
if s != nil {
|
||||||
|
res = new(refsGRPC.SignatureRFC6979)
|
||||||
|
res.SetKey(s.GetKey())
|
||||||
|
res.SetSign(s.GetSign())
|
||||||
|
}
|
||||||
|
|
||||||
|
return res
|
||||||
|
}
|
||||||
|
|
||||||
func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
|
func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
|
||||||
var m *container.PutRequest_Body
|
var m *container.PutRequest_Body
|
||||||
|
|
||||||
|
@ -159,7 +171,7 @@ func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
|
||||||
m = new(container.PutRequest_Body)
|
m = new(container.PutRequest_Body)
|
||||||
|
|
||||||
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
|
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
|
||||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||||
}
|
}
|
||||||
|
|
||||||
return m
|
return m
|
||||||
|
@ -195,7 +207,8 @@ func (r *PutRequestBody) FromGRPCMessage(m grpc.Message) error {
|
||||||
r.sig = new(refs.Signature)
|
r.sig = new(refs.Signature)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = r.sig.FromGRPCMessage(sig)
|
r.sig.SetKey(sig.GetKey())
|
||||||
|
r.sig.SetSign(sig.GetSign())
|
||||||
}
|
}
|
||||||
|
|
||||||
return err
|
return err
|
||||||
|
@ -391,7 +404,7 @@ func (r *GetResponseBody) ToGRPCMessage() grpc.Message {
|
||||||
|
|
||||||
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
|
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
|
||||||
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
|
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
|
||||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||||
}
|
}
|
||||||
|
|
||||||
return m
|
return m
|
||||||
|
@ -424,7 +437,8 @@ func (r *GetResponseBody) FromGRPCMessage(m grpc.Message) error {
|
||||||
r.sig = new(refs.Signature)
|
r.sig = new(refs.Signature)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = r.sig.FromGRPCMessage(sig)
|
r.sig.SetKey(sig.GetKey())
|
||||||
|
r.sig.SetSign(sig.GetSign())
|
||||||
}
|
}
|
||||||
|
|
||||||
token := v.GetSessionToken()
|
token := v.GetSessionToken()
|
||||||
|
@ -486,7 +500,7 @@ func (r *DeleteRequestBody) ToGRPCMessage() grpc.Message {
|
||||||
m = new(container.DeleteRequest_Body)
|
m = new(container.DeleteRequest_Body)
|
||||||
|
|
||||||
m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID))
|
m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID))
|
||||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||||
}
|
}
|
||||||
|
|
||||||
return m
|
return m
|
||||||
|
@ -522,7 +536,8 @@ func (r *DeleteRequestBody) FromGRPCMessage(m grpc.Message) error {
|
||||||
r.sig = new(refs.Signature)
|
r.sig = new(refs.Signature)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = r.sig.FromGRPCMessage(sig)
|
r.sig.SetKey(sig.GetKey())
|
||||||
|
r.sig.SetSign(sig.GetSign())
|
||||||
}
|
}
|
||||||
|
|
||||||
return err
|
return err
|
||||||
|
@ -765,7 +780,7 @@ func (r *SetExtendedACLRequestBody) ToGRPCMessage() grpc.Message {
|
||||||
m = new(container.SetExtendedACLRequest_Body)
|
m = new(container.SetExtendedACLRequest_Body)
|
||||||
|
|
||||||
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
|
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
|
||||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||||
}
|
}
|
||||||
|
|
||||||
return m
|
return m
|
||||||
|
@ -801,7 +816,8 @@ func (r *SetExtendedACLRequestBody) FromGRPCMessage(m grpc.Message) error {
|
||||||
r.sig = new(refs.Signature)
|
r.sig = new(refs.Signature)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = r.sig.FromGRPCMessage(sig)
|
r.sig.SetKey(sig.GetKey())
|
||||||
|
r.sig.SetSign(sig.GetSign())
|
||||||
}
|
}
|
||||||
|
|
||||||
return err
|
return err
|
||||||
|
@ -981,7 +997,7 @@ func (r *GetExtendedACLResponseBody) ToGRPCMessage() grpc.Message {
|
||||||
m = new(container.GetExtendedACLResponse_Body)
|
m = new(container.GetExtendedACLResponse_Body)
|
||||||
|
|
||||||
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
|
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
|
||||||
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
|
m.SetSignature(toSignatureRFC6979(r.sig))
|
||||||
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
|
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1018,7 +1034,8 @@ func (r *GetExtendedACLResponseBody) FromGRPCMessage(m grpc.Message) error {
|
||||||
r.sig = new(refs.Signature)
|
r.sig = new(refs.Signature)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = r.sig.FromGRPCMessage(sig)
|
r.sig.SetKey(sig.GetKey())
|
||||||
|
r.sig.SetSign(sig.GetSign())
|
||||||
}
|
}
|
||||||
|
|
||||||
token := v.GetSessionToken()
|
token := v.GetSessionToken()
|
||||||
|
|
|
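Review bot: In the FromGRPCMessage hunks (@ -195, @ -424, @ -522, @ -801, @ -1018) the signature branch no longer assigns `err` — `r.sig.SetKey(sig.GetKey())` / `r.sig.SetSign(sig.GetSign())` replace `err = r.sig.FromGRPCMessage(sig)` — so the trailing `return err` now reports only whatever the earlier container or session-token conversion left in it; those functions start outside the hunks, so that earlier value is not visible here. The rebuilt `r.sig` also keeps a zero scheme although the wire type is RFC 6979-specific; if that is intentional because verification pins the scheme via `SignWithRFC6979`, a comment saying so would help, otherwise `r.sig.SetScheme(refs.ECDSA_RFC6979_SHA256)` belongs next to the two setters. The new helper in the first hunk also lacks a doc comment, e.g. `// toSignatureRFC6979 converts s to its RFC 6979 wire form (key and sign only; the scheme is not carried); a nil s yields nil.`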
@ -14,7 +14,7 @@ func (m *PutRequest_Body) SetContainer(v *Container) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSignature sets signature of the container structure.
|
// SetSignature sets signature of the container structure.
|
||||||
func (m *PutRequest_Body) SetSignature(v *refs.Signature) {
|
func (m *PutRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||||
if m != nil {
|
if m != nil {
|
||||||
m.Signature = v
|
m.Signature = v
|
||||||
}
|
}
|
||||||
|
@ -77,7 +77,7 @@ func (m *DeleteRequest_Body) SetContainerId(v *refs.ContainerID) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSignature sets signature of the container identifier.
|
// SetSignature sets signature of the container identifier.
|
||||||
func (m *DeleteRequest_Body) SetSignature(v *refs.Signature) {
|
func (m *DeleteRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||||
if m != nil {
|
if m != nil {
|
||||||
m.Signature = v
|
m.Signature = v
|
||||||
}
|
}
|
||||||
|
@ -166,8 +166,8 @@ func (m *GetResponse_Body) SetSessionToken(v *session.SessionToken) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSignature sets signature of the requested container.
|
// SetSignature sets signature of the container structure.
|
||||||
func (m *GetResponse_Body) SetSignature(v *refs.Signature) {
|
func (m *GetResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||||
if m != nil {
|
if m != nil {
|
||||||
m.Signature = v
|
m.Signature = v
|
||||||
}
|
}
|
||||||
|
@ -257,8 +257,8 @@ func (m *SetExtendedACLRequest_Body) SetEacl(v *acl.EACLTable) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSignature sets signature of the eACL table.
|
// SetSignature sets signature of the eACL table structure.
|
||||||
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.Signature) {
|
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||||
if m != nil {
|
if m != nil {
|
||||||
m.Signature = v
|
m.Signature = v
|
||||||
}
|
}
|
||||||
|
@ -341,8 +341,8 @@ func (m *GetExtendedACLResponse_Body) SetEacl(v *acl.EACLTable) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSignature sets signature of the eACL table.
|
// SetSignature sets signature of the eACL table structure.
|
||||||
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.Signature) {
|
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
|
||||||
if m != nil {
|
if m != nil {
|
||||||
m.Signature = v
|
m.Signature = v
|
||||||
}
|
}
|
||||||
|
|
BIN
container/grpc/service.pb.go
generated
BIN
container/grpc/service.pb.go
generated
Binary file not shown.
|
@ -316,6 +316,8 @@ func (r *PutRequestBody) GetSignature() *refs.Signature {
|
||||||
|
|
||||||
func (r *PutRequestBody) SetSignature(v *refs.Signature) {
|
func (r *PutRequestBody) SetSignature(v *refs.Signature) {
|
||||||
if r != nil {
|
if r != nil {
|
||||||
|
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||||
|
v.SetScheme(0)
|
||||||
r.sig = v
|
r.sig = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -434,6 +436,8 @@ func (r *GetResponseBody) GetSignature() *refs.Signature {
|
||||||
// SetSignature sets signature of the requested container.
|
// SetSignature sets signature of the requested container.
|
||||||
func (r *GetResponseBody) SetSignature(v *refs.Signature) {
|
func (r *GetResponseBody) SetSignature(v *refs.Signature) {
|
||||||
if r != nil {
|
if r != nil {
|
||||||
|
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||||
|
v.SetScheme(0)
|
||||||
r.sig = v
|
r.sig = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -476,6 +480,8 @@ func (r *DeleteRequestBody) GetSignature() *refs.Signature {
|
||||||
|
|
||||||
func (r *DeleteRequestBody) SetSignature(v *refs.Signature) {
|
func (r *DeleteRequestBody) SetSignature(v *refs.Signature) {
|
||||||
if r != nil {
|
if r != nil {
|
||||||
|
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||||
|
v.SetScheme(0)
|
||||||
r.sig = v
|
r.sig = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -588,6 +594,8 @@ func (r *SetExtendedACLRequestBody) GetSignature() *refs.Signature {
|
||||||
|
|
||||||
func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) {
|
func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) {
|
||||||
if r != nil {
|
if r != nil {
|
||||||
|
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||||
|
v.SetScheme(0)
|
||||||
r.sig = v
|
r.sig = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -672,6 +680,8 @@ func (r *GetExtendedACLResponseBody) GetSignature() *refs.Signature {
|
||||||
|
|
||||||
func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) {
|
func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) {
|
||||||
if r != nil {
|
if r != nil {
|
||||||
|
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
|
||||||
|
v.SetScheme(0)
|
||||||
r.sig = v
|
r.sig = v
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
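Review bot: `v.SetScheme(0)` in the five `SetSignature` methods (hunks @ -316, @ -434, @ -476, @ -588, @ -672) uses a bare literal that, after this commit's change to `refs.SignatureScheme`, means `refs.ECDSA_SHA512` rather than "unset", and it mutates the caller's `*refs.Signature` in place, silently overriding any scheme the caller chose — including `refs.ECDSA_RFC6979_SHA256`, which is the scheme these container and eACL signatures are produced with. The TODO says it is a hack but not what it does or why; `if v != nil { v.SetScheme(refs.ECDSA_SHA512) }` plus a comment such as `// the RFC 6979 wire form carries no scheme; reset it so a round trip through gRPC compares equal` would make both the intent and the nil-argument behaviour explicit (whether `SetScheme` tolerates a nil receiver is not visible in this hunk).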
@ -84,6 +84,20 @@ func (x *Signature) SetScheme(s SignatureScheme) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetKey sets public key in a binary format.
|
||||||
|
func (x *SignatureRFC6979) SetKey(v []byte) {
|
||||||
|
if x != nil {
|
||||||
|
x.Key = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetSign sets signature.
|
||||||
|
func (x *SignatureRFC6979) SetSign(v []byte) {
|
||||||
|
if x != nil {
|
||||||
|
x.Sign = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// FromString parses SignatureScheme from a string representation,
|
// FromString parses SignatureScheme from a string representation,
|
||||||
// It is a reverse action to String().
|
// It is a reverse action to String().
|
||||||
//
|
//
|
||||||
|
|
BIN
refs/grpc/types.pb.go
generated
BIN
refs/grpc/types.pb.go
generated
Binary file not shown.
|
@ -35,8 +35,7 @@ type SignatureScheme uint32
|
||||||
|
|
||||||
//nolint:revive
|
//nolint:revive
|
||||||
const (
|
const (
|
||||||
UnspecifiedScheme SignatureScheme = iota
|
ECDSA_SHA512 SignatureScheme = iota
|
||||||
ECDSA_SHA512
|
|
||||||
ECDSA_RFC6979_SHA256
|
ECDSA_RFC6979_SHA256
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -189,7 +188,7 @@ func (s *Signature) GetScheme() SignatureScheme {
|
||||||
if s != nil {
|
if s != nil {
|
||||||
return s.scheme
|
return s.scheme
|
||||||
}
|
}
|
||||||
return UnspecifiedScheme
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Signature) SetScheme(scheme SignatureScheme) {
|
func (s *Signature) SetScheme(scheme SignatureScheme) {
|
||||||
|
|
|
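Review bot: Dropping `UnspecifiedScheme` and making `ECDSA_SHA512` the iota zero means a `Signature` whose scheme was never set — a default-initialised value, or a message from a peer that omitted the field — is now indistinguishable from an explicit ECDSA_SHA512 choice, so the field can no longer be used to detect a missing scheme. That may be the intended trade-off, but it is undocumented; a comment on the const block such as `// ECDSA_SHA512 is the default scheme and is also the value of an unset scheme field.` would record it, and `GetScheme` should return `ECDSA_SHA512` rather than the bare `0` so readers do not mistake it for a sentinel. Removing the exported `UnspecifiedScheme` also breaks downstream compilation, which the commit message could state.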
@ -41,13 +41,13 @@ func SignDataWithHandler(key *ecdsa.PrivateKey, src DataSource, handler KeySigna
|
||||||
opts[i](cfg)
|
opts[i](cfg)
|
||||||
}
|
}
|
||||||
|
|
||||||
sigData, err := sign(cfg, cfg.defaultScheme, key, data)
|
sigData, err := sign(cfg, key, data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
sig := new(refs.Signature)
|
sig := new(refs.Signature)
|
||||||
sig.SetScheme(cfg.defaultScheme)
|
sig.SetScheme(cfg.scheme)
|
||||||
sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey))
|
sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey))
|
||||||
sig.SetSign(sigData)
|
sig.SetSign(sigData)
|
||||||
handler(sig)
|
handler(sig)
|
||||||
|
|
|
@ -9,51 +9,45 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
type cfg struct {
|
type cfg struct {
|
||||||
defaultScheme refs.SignatureScheme
|
schemeFixed bool
|
||||||
restrictScheme refs.SignatureScheme
|
scheme refs.SignatureScheme
|
||||||
}
|
}
|
||||||
|
|
||||||
func defaultCfg() *cfg {
|
func defaultCfg() *cfg {
|
||||||
return &cfg{
|
return new(cfg)
|
||||||
defaultScheme: refs.ECDSA_SHA512,
|
|
||||||
restrictScheme: refs.UnspecifiedScheme,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func verify(cfg *cfg, data []byte, sig *refs.Signature) error {
|
func verify(cfg *cfg, data []byte, sig *refs.Signature) error {
|
||||||
scheme := sig.GetScheme()
|
if !cfg.schemeFixed {
|
||||||
if scheme == refs.UnspecifiedScheme {
|
cfg.scheme = sig.GetScheme()
|
||||||
scheme = cfg.defaultScheme
|
|
||||||
}
|
|
||||||
if cfg.restrictScheme != refs.UnspecifiedScheme && scheme != cfg.restrictScheme {
|
|
||||||
return fmt.Errorf("%w: unexpected signature scheme", crypto.ErrInvalidSignature)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pub := crypto.UnmarshalPublicKey(sig.GetKey())
|
pub := crypto.UnmarshalPublicKey(sig.GetKey())
|
||||||
switch scheme {
|
|
||||||
|
switch cfg.scheme {
|
||||||
case refs.ECDSA_SHA512:
|
case refs.ECDSA_SHA512:
|
||||||
return crypto.Verify(pub, data, sig.GetSign())
|
return crypto.Verify(pub, data, sig.GetSign())
|
||||||
case refs.ECDSA_RFC6979_SHA256:
|
case refs.ECDSA_RFC6979_SHA256:
|
||||||
return crypto.VerifyRFC6979(pub, data, sig.GetSign())
|
return crypto.VerifyRFC6979(pub, data, sig.GetSign())
|
||||||
default:
|
default:
|
||||||
return crypto.ErrInvalidSignature
|
return fmt.Errorf("unsupported signature scheme %s", cfg.scheme)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func sign(cfg *cfg, scheme refs.SignatureScheme, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
|
func sign(cfg *cfg, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
|
||||||
switch scheme {
|
switch cfg.scheme {
|
||||||
case refs.ECDSA_SHA512:
|
case refs.ECDSA_SHA512:
|
||||||
return crypto.Sign(key, data)
|
return crypto.Sign(key, data)
|
||||||
case refs.ECDSA_RFC6979_SHA256:
|
case refs.ECDSA_RFC6979_SHA256:
|
||||||
return crypto.SignRFC6979(key, data)
|
return crypto.SignRFC6979(key, data)
|
||||||
default:
|
default:
|
||||||
panic("unsupported scheme")
|
panic(fmt.Sprintf("unsupported scheme %s", cfg.scheme))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func SignWithRFC6979() SignOption {
|
func SignWithRFC6979() SignOption {
|
||||||
return func(c *cfg) {
|
return func(c *cfg) {
|
||||||
c.defaultScheme = refs.ECDSA_RFC6979_SHA256
|
c.schemeFixed = true
|
||||||
c.restrictScheme = refs.ECDSA_RFC6979_SHA256
|
c.scheme = refs.ECDSA_RFC6979_SHA256
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
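Review bot: `verify` now selects the verification algorithm from the signature message itself (`cfg.scheme = sig.GetScheme()`) unless `SignWithRFC6979` pinned it, so the unauthenticated sender decides which ECDSA variant is tried; both branches verify with the same public key, so the exposure is limited, but the assignment also writes back into the shared `*cfg`, which turns the option object into per-call mutable state. Keeping the choice local avoids that: `scheme := cfg.scheme`, `if !cfg.schemeFixed { scheme = sig.GetScheme() }`, then `switch scheme {`. The default branch also stops returning `crypto.ErrInvalidSignature`, so `errors.Is(err, crypto.ErrInvalidSignature)` checks in callers no longer match; `return fmt.Errorf("%w: unsupported signature scheme %s", crypto.ErrInvalidSignature, cfg.scheme)` keeps that contract.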