[#380] Support changes in signature schemes

Support new `SignatureRFC6979` message. Make `refs.ECDSA_SHA512` the
default scheme.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
Leonard Lyubich 2022-03-02 13:15:36 +03:00 committed by Alex Vanin
parent f4fd28e39b
commit d065453bd0
9 changed files with 76 additions and 42 deletions


@ -152,6 +152,18 @@ func (c *Container) FromGRPCMessage(m grpc.Message) error {
return nil return nil
} }
func toSignatureRFC6979(s *refs.Signature) *refsGRPC.SignatureRFC6979 {
var res *refsGRPC.SignatureRFC6979
if s != nil {
res = new(refsGRPC.SignatureRFC6979)
res.SetKey(s.GetKey())
res.SetSign(s.GetSign())
}
return res
}
func (r *PutRequestBody) ToGRPCMessage() grpc.Message { func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
var m *container.PutRequest_Body var m *container.PutRequest_Body
@ -159,7 +171,7 @@ func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
m = new(container.PutRequest_Body) m = new(container.PutRequest_Body)
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container)) m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature)) m.SetSignature(toSignatureRFC6979(r.sig))
} }
return m return m
@ -195,7 +207,8 @@ func (r *PutRequestBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature) r.sig = new(refs.Signature)
} }
err = r.sig.FromGRPCMessage(sig) r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
} }
return err return err
@ -391,7 +404,7 @@ func (r *GetResponseBody) ToGRPCMessage() grpc.Message {
m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container)) m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken)) m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature)) m.SetSignature(toSignatureRFC6979(r.sig))
} }
return m return m
@ -424,7 +437,8 @@ func (r *GetResponseBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature) r.sig = new(refs.Signature)
} }
err = r.sig.FromGRPCMessage(sig) r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
} }
token := v.GetSessionToken() token := v.GetSessionToken()
@ -486,7 +500,7 @@ func (r *DeleteRequestBody) ToGRPCMessage() grpc.Message {
m = new(container.DeleteRequest_Body) m = new(container.DeleteRequest_Body)
m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID)) m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature)) m.SetSignature(toSignatureRFC6979(r.sig))
} }
return m return m
@ -522,7 +536,8 @@ func (r *DeleteRequestBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature) r.sig = new(refs.Signature)
} }
err = r.sig.FromGRPCMessage(sig) r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
} }
return err return err
@ -765,7 +780,7 @@ func (r *SetExtendedACLRequestBody) ToGRPCMessage() grpc.Message {
m = new(container.SetExtendedACLRequest_Body) m = new(container.SetExtendedACLRequest_Body)
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable)) m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature)) m.SetSignature(toSignatureRFC6979(r.sig))
} }
return m return m
@ -801,7 +816,8 @@ func (r *SetExtendedACLRequestBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature) r.sig = new(refs.Signature)
} }
err = r.sig.FromGRPCMessage(sig) r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
} }
return err return err
@ -981,7 +997,7 @@ func (r *GetExtendedACLResponseBody) ToGRPCMessage() grpc.Message {
m = new(container.GetExtendedACLResponse_Body) m = new(container.GetExtendedACLResponse_Body)
m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable)) m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature)) m.SetSignature(toSignatureRFC6979(r.sig))
m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken)) m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
} }
@ -1018,7 +1034,8 @@ func (r *GetExtendedACLResponseBody) FromGRPCMessage(m grpc.Message) error {
r.sig = new(refs.Signature) r.sig = new(refs.Signature)
} }
err = r.sig.FromGRPCMessage(sig) r.sig.SetKey(sig.GetKey())
r.sig.SetSign(sig.GetSign())
} }
token := v.GetSessionToken() token := v.GetSessionToken()
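Review bot: In the `PutRequestBody.FromGRPCMessage` hunk the rebuilt `r.sig` receives only key and sign, so its scheme stays at the zero value, which after this commit's constant renumbering reads as `refs.ECDSA_SHA512` although the wire type is `SignatureRFC6979`; the same applies to the GetResponseBody, DeleteRequestBody, SetExtendedACLRequestBody and GetExtendedACLResponseBody hunks. A verifier that takes the scheme from the signature itself (as `verify` does in this commit when no option fixes it) would then choose the SHA512 path for an RFC6979 signature and reject it, unless every caller pins the scheme via `SignWithRFC6979`. Either add `r.sig.SetScheme(refs.ECDSA_RFC6979_SHA256)` after `r.sig.SetSign(sig.GetSign())` so the converted value is self-describing, or state in a comment that the scheme is deliberately left unset and must be fixed by the verifier; whichever is chosen should agree with the `SetSignature` hunks elsewhere in this commit, which reset the scheme to 0. `toSignatureRFC6979` drops `s.GetScheme()` silently, which is correct for a wire type without a scheme field but deserves a one-line comment. Each FromGRPCMessage body starts and ends outside its hunk.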


@ -14,7 +14,7 @@ func (m *PutRequest_Body) SetContainer(v *Container) {
} }
// SetSignature sets signature of the container structure. // SetSignature sets signature of the container structure.
func (m *PutRequest_Body) SetSignature(v *refs.Signature) { func (m *PutRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil { if m != nil {
m.Signature = v m.Signature = v
} }
@ -77,7 +77,7 @@ func (m *DeleteRequest_Body) SetContainerId(v *refs.ContainerID) {
} }
// SetSignature sets signature of the container identifier. // SetSignature sets signature of the container identifier.
func (m *DeleteRequest_Body) SetSignature(v *refs.Signature) { func (m *DeleteRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil { if m != nil {
m.Signature = v m.Signature = v
} }
@ -166,8 +166,8 @@ func (m *GetResponse_Body) SetSessionToken(v *session.SessionToken) {
} }
} }
// SetSignature sets signature of the requested container. // SetSignature sets signature of the container structure.
func (m *GetResponse_Body) SetSignature(v *refs.Signature) { func (m *GetResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil { if m != nil {
m.Signature = v m.Signature = v
} }
@ -257,8 +257,8 @@ func (m *SetExtendedACLRequest_Body) SetEacl(v *acl.EACLTable) {
} }
} }
// SetSignature sets signature of the eACL table. // SetSignature sets signature of the eACL table structure.
func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.Signature) { func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil { if m != nil {
m.Signature = v m.Signature = v
} }
@ -341,8 +341,8 @@ func (m *GetExtendedACLResponse_Body) SetEacl(v *acl.EACLTable) {
} }
} }
// SetSignature sets signature of the eACL table. // SetSignature sets signature of the eACL table structure.
func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.Signature) { func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
if m != nil { if m != nil {
m.Signature = v m.Signature = v
} }



@ -316,6 +316,8 @@ func (r *PutRequestBody) GetSignature() *refs.Signature {
func (r *PutRequestBody) SetSignature(v *refs.Signature) { func (r *PutRequestBody) SetSignature(v *refs.Signature) {
if r != nil { if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v r.sig = v
} }
} }
@ -434,6 +436,8 @@ func (r *GetResponseBody) GetSignature() *refs.Signature {
// SetSignature sets signature of the requested container. // SetSignature sets signature of the requested container.
func (r *GetResponseBody) SetSignature(v *refs.Signature) { func (r *GetResponseBody) SetSignature(v *refs.Signature) {
if r != nil { if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v r.sig = v
} }
} }
@ -476,6 +480,8 @@ func (r *DeleteRequestBody) GetSignature() *refs.Signature {
func (r *DeleteRequestBody) SetSignature(v *refs.Signature) { func (r *DeleteRequestBody) SetSignature(v *refs.Signature) {
if r != nil { if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v r.sig = v
} }
} }
@ -588,6 +594,8 @@ func (r *SetExtendedACLRequestBody) GetSignature() *refs.Signature {
func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) { func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) {
if r != nil { if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v r.sig = v
} }
} }
@ -672,6 +680,8 @@ func (r *GetExtendedACLResponseBody) GetSignature() *refs.Signature {
func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) { func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) {
if r != nil { if r != nil {
// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
v.SetScheme(0)
r.sig = v r.sig = v
} }
} }
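Review bot: `v.SetScheme(0)` in `PutRequestBody.SetSignature` mutates the caller's `*refs.Signature` as a side effect of a setter, and the bare `0` hides that it now names `refs.ECDSA_SHA512` after this commit's enum renumbering; the same lines appear in the GetResponseBody, DeleteRequestBody, SetExtendedACLRequestBody and GetExtendedACLResponseBody hunks. If the reset exists because `SignatureRFC6979` carries no scheme on the wire and round-trips must compare equal, the TODO should say so rather than only call it a hack, e.g. `// SignatureRFC6979 carries no scheme on the wire; reset it so the value round-trips equal (neofs-api-go#381)`. Prefer the named constant, `v.SetScheme(refs.ECDSA_SHA512)`, so the intent survives any future renumbering, and extend each setter's doc comment to state that the argument's scheme is overwritten. Confirm `refs.Signature.SetScheme` is nil-safe, since `v` is not checked before the call and `r.sig = v` previously tolerated a nil argument.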


@ -84,6 +84,20 @@ func (x *Signature) SetScheme(s SignatureScheme) {
} }
} }
// SetKey sets public key in a binary format.
func (x *SignatureRFC6979) SetKey(v []byte) {
if x != nil {
x.Key = v
}
}
// SetSign sets signature.
func (x *SignatureRFC6979) SetSign(v []byte) {
if x != nil {
x.Sign = v
}
}
// FromString parses SignatureScheme from a string representation, // FromString parses SignatureScheme from a string representation,
// It is a reverse action to String(). // It is a reverse action to String().
// //

refs/grpc/types.pb.go generated



@ -35,8 +35,7 @@ type SignatureScheme uint32
//nolint:revive //nolint:revive
const ( const (
UnspecifiedScheme SignatureScheme = iota ECDSA_SHA512 SignatureScheme = iota
ECDSA_SHA512
ECDSA_RFC6979_SHA256 ECDSA_RFC6979_SHA256
) )
@ -189,7 +188,7 @@ func (s *Signature) GetScheme() SignatureScheme {
if s != nil { if s != nil {
return s.scheme return s.scheme
} }
return UnspecifiedScheme return 0
} }
func (s *Signature) SetScheme(scheme SignatureScheme) { func (s *Signature) SetScheme(scheme SignatureScheme) {
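Review bot: Dropping `UnspecifiedScheme` shifts the numeric value of both remaining constants (`ECDSA_SHA512` 1→0, `ECDSA_RFC6979_SHA256` 2→1), so any scheme value produced by a pre-change peer or kept in storage is now decoded as a different scheme; the regenerated `refs/grpc/types.pb.go` in this commit suggests the proto enum is renumbered in lockstep, which should be confirmed and noted in the commit message. In `GetScheme` the nil-receiver branch `return 0` would read better as `return ECDSA_SHA512`, which also documents that an absent signature now reports the default scheme rather than an unspecified one. A comment on the const block, e.g. `// ECDSA_SHA512 is the zero value and therefore the default scheme.`, would make the intentional zero-default visible to readers.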


@ -41,13 +41,13 @@ func SignDataWithHandler(key *ecdsa.PrivateKey, src DataSource, handler KeySigna
opts[i](cfg) opts[i](cfg)
} }
sigData, err := sign(cfg, cfg.defaultScheme, key, data) sigData, err := sign(cfg, key, data)
if err != nil { if err != nil {
return err return err
} }
sig := new(refs.Signature) sig := new(refs.Signature)
sig.SetScheme(cfg.defaultScheme) sig.SetScheme(cfg.scheme)
sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey)) sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey))
sig.SetSign(sigData) sig.SetSign(sigData)
handler(sig) handler(sig)


@ -9,51 +9,45 @@ import (
) )
type cfg struct { type cfg struct {
defaultScheme refs.SignatureScheme schemeFixed bool
restrictScheme refs.SignatureScheme scheme refs.SignatureScheme
} }
func defaultCfg() *cfg { func defaultCfg() *cfg {
return &cfg{ return new(cfg)
defaultScheme: refs.ECDSA_SHA512,
restrictScheme: refs.UnspecifiedScheme,
}
} }
func verify(cfg *cfg, data []byte, sig *refs.Signature) error { func verify(cfg *cfg, data []byte, sig *refs.Signature) error {
scheme := sig.GetScheme() if !cfg.schemeFixed {
if scheme == refs.UnspecifiedScheme { cfg.scheme = sig.GetScheme()
scheme = cfg.defaultScheme
}
if cfg.restrictScheme != refs.UnspecifiedScheme && scheme != cfg.restrictScheme {
return fmt.Errorf("%w: unexpected signature scheme", crypto.ErrInvalidSignature)
} }
pub := crypto.UnmarshalPublicKey(sig.GetKey()) pub := crypto.UnmarshalPublicKey(sig.GetKey())
switch scheme {
switch cfg.scheme {
case refs.ECDSA_SHA512: case refs.ECDSA_SHA512:
return crypto.Verify(pub, data, sig.GetSign()) return crypto.Verify(pub, data, sig.GetSign())
case refs.ECDSA_RFC6979_SHA256: case refs.ECDSA_RFC6979_SHA256:
return crypto.VerifyRFC6979(pub, data, sig.GetSign()) return crypto.VerifyRFC6979(pub, data, sig.GetSign())
default: default:
return crypto.ErrInvalidSignature return fmt.Errorf("unsupported signature scheme %s", cfg.scheme)
} }
} }
func sign(cfg *cfg, scheme refs.SignatureScheme, key *ecdsa.PrivateKey, data []byte) ([]byte, error) { func sign(cfg *cfg, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
switch scheme { switch cfg.scheme {
case refs.ECDSA_SHA512: case refs.ECDSA_SHA512:
return crypto.Sign(key, data) return crypto.Sign(key, data)
case refs.ECDSA_RFC6979_SHA256: case refs.ECDSA_RFC6979_SHA256:
return crypto.SignRFC6979(key, data) return crypto.SignRFC6979(key, data)
default: default:
panic("unsupported scheme") panic(fmt.Sprintf("unsupported scheme %s", cfg.scheme))
} }
} }
func SignWithRFC6979() SignOption { func SignWithRFC6979() SignOption {
return func(c *cfg) { return func(c *cfg) {
c.defaultScheme = refs.ECDSA_RFC6979_SHA256 c.schemeFixed = true
c.restrictScheme = refs.ECDSA_RFC6979_SHA256 c.scheme = refs.ECDSA_RFC6979_SHA256
} }
} }
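Review bot: The `default` branch of `verify` no longer wraps `crypto.ErrInvalidSignature`, so callers that match with `errors.Is(err, crypto.ErrInvalidSignature)` stop treating an unsupported scheme as a verification failure; keep the sentinel: `return fmt.Errorf("%w: unsupported signature scheme %s", crypto.ErrInvalidSignature, cfg.scheme)`. `verify` also writes `cfg.scheme = sig.GetScheme()` into the shared options struct, so the verifier's configuration is updated by the message being checked; a local `scheme := cfg.scheme` followed by `if !cfg.schemeFixed { scheme = sig.GetScheme() }` keeps `cfg` read-only and makes the "message chooses the scheme unless pinned" rule explicit. With `restrictScheme` removed there is no longer a way for a caller to pin `ECDSA_SHA512` the way `SignWithRFC6979` pins RFC6979, which is worth either a documented decision or a symmetric option. The `cfg` fields deserve a comment, e.g. `// schemeFixed reports whether scheme was set by an option; when false, verify takes the scheme from the signature itself.`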