[#380] Support changes in signature schemes

Support new `SignatureRFC6979` message. Make `refs.ECDSA_SHA512` to be
default scheme.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>

container/convert.go

@@ -152,6 +152,18 @@ func (c *Container) FromGRPCMessage(m grpc.Message) error {
 	return nil
 }
 
+func toSignatureRFC6979(s *refs.Signature) *refsGRPC.SignatureRFC6979 {
+	var res *refsGRPC.SignatureRFC6979
+
+	if s != nil {
+		res = new(refsGRPC.SignatureRFC6979)
+		res.SetKey(s.GetKey())
+		res.SetSign(s.GetSign())
+	}
+
+	return res
+}
+
 func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
 	var m *container.PutRequest_Body
 
@@ -159,7 +171,7 @@ func (r *PutRequestBody) ToGRPCMessage() grpc.Message {
 		m = new(container.PutRequest_Body)
 
 		m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
-		m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
+		m.SetSignature(toSignatureRFC6979(r.sig))
 	}
 
 	return m
@@ -195,7 +207,8 @@ func (r *PutRequestBody) FromGRPCMessage(m grpc.Message) error {
 			r.sig = new(refs.Signature)
 		}
 
-		err = r.sig.FromGRPCMessage(sig)
+		r.sig.SetKey(sig.GetKey())
+		r.sig.SetSign(sig.GetSign())
 	}
 
 	return err
@@ -391,7 +404,7 @@ func (r *GetResponseBody) ToGRPCMessage() grpc.Message {
 
 		m.SetContainer(r.cnr.ToGRPCMessage().(*container.Container))
 		m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
-		m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
+		m.SetSignature(toSignatureRFC6979(r.sig))
 	}
 
 	return m
@@ -424,7 +437,8 @@ func (r *GetResponseBody) FromGRPCMessage(m grpc.Message) error {
 			r.sig = new(refs.Signature)
 		}
 
-		err = r.sig.FromGRPCMessage(sig)
+		r.sig.SetKey(sig.GetKey())
+		r.sig.SetSign(sig.GetSign())
 	}
 
 	token := v.GetSessionToken()
@@ -486,7 +500,7 @@ func (r *DeleteRequestBody) ToGRPCMessage() grpc.Message {
 		m = new(container.DeleteRequest_Body)
 
 		m.SetContainerId(r.cid.ToGRPCMessage().(*refsGRPC.ContainerID))
-		m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
+		m.SetSignature(toSignatureRFC6979(r.sig))
 	}
 
 	return m
@@ -522,7 +536,8 @@ func (r *DeleteRequestBody) FromGRPCMessage(m grpc.Message) error {
 			r.sig = new(refs.Signature)
 		}
 
-		err = r.sig.FromGRPCMessage(sig)
+		r.sig.SetKey(sig.GetKey())
+		r.sig.SetSign(sig.GetSign())
 	}
 
 	return err
@@ -765,7 +780,7 @@ func (r *SetExtendedACLRequestBody) ToGRPCMessage() grpc.Message {
 		m = new(container.SetExtendedACLRequest_Body)
 
 		m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
-		m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
+		m.SetSignature(toSignatureRFC6979(r.sig))
 	}
 
 	return m
@@ -801,7 +816,8 @@ func (r *SetExtendedACLRequestBody) FromGRPCMessage(m grpc.Message) error {
 			r.sig = new(refs.Signature)
 		}
 
-		err = r.sig.FromGRPCMessage(sig)
+		r.sig.SetKey(sig.GetKey())
+		r.sig.SetSign(sig.GetSign())
 	}
 
 	return err
@@ -981,7 +997,7 @@ func (r *GetExtendedACLResponseBody) ToGRPCMessage() grpc.Message {
 		m = new(container.GetExtendedACLResponse_Body)
 
 		m.SetEacl(r.eacl.ToGRPCMessage().(*aclGRPC.EACLTable))
-		m.SetSignature(r.sig.ToGRPCMessage().(*refsGRPC.Signature))
+		m.SetSignature(toSignatureRFC6979(r.sig))
 		m.SetSessionToken(r.token.ToGRPCMessage().(*sessionGRPC.SessionToken))
 	}
 
@@ -1018,7 +1034,8 @@ func (r *GetExtendedACLResponseBody) FromGRPCMessage(m grpc.Message) error {
 			r.sig = new(refs.Signature)
 		}
 
-		err = r.sig.FromGRPCMessage(sig)
+		r.sig.SetKey(sig.GetKey())
+		r.sig.SetSign(sig.GetSign())
 	}
 
 	token := v.GetSessionToken()

container/grpc/service.go

@@ -14,7 +14,7 @@ func (m *PutRequest_Body) SetContainer(v *Container) {
 }
 
 // SetSignature sets signature of the container structure.
-func (m *PutRequest_Body) SetSignature(v *refs.Signature) {
+func (m *PutRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
 	if m != nil {
 		m.Signature = v
 	}
@@ -77,7 +77,7 @@ func (m *DeleteRequest_Body) SetContainerId(v *refs.ContainerID) {
 }
 
 // SetSignature sets signature of the container identifier.
-func (m *DeleteRequest_Body) SetSignature(v *refs.Signature) {
+func (m *DeleteRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
 	if m != nil {
 		m.Signature = v
 	}
@@ -166,8 +166,8 @@ func (m *GetResponse_Body) SetSessionToken(v *session.SessionToken) {
 	}
 }
 
-// SetSignature sets signature of the requested container.
+// SetSignature sets signature of the container structure.
-func (m *GetResponse_Body) SetSignature(v *refs.Signature) {
+func (m *GetResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
 	if m != nil {
 		m.Signature = v
 	}
@@ -257,8 +257,8 @@ func (m *SetExtendedACLRequest_Body) SetEacl(v *acl.EACLTable) {
 	}
 }
 
-// SetSignature sets signature of the eACL table.
+// SetSignature sets signature of the eACL table structure.
-func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.Signature) {
+func (m *SetExtendedACLRequest_Body) SetSignature(v *refs.SignatureRFC6979) {
 	if m != nil {
 		m.Signature = v
 	}
@@ -341,8 +341,8 @@ func (m *GetExtendedACLResponse_Body) SetEacl(v *acl.EACLTable) {
 	}
 }
 
-// SetSignature sets signature of the eACL table.
+// SetSignature sets signature of the eACL table structure.
-func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.Signature) {
+func (m *GetExtendedACLResponse_Body) SetSignature(v *refs.SignatureRFC6979) {
 	if m != nil {
 		m.Signature = v
 	}

container/types.go

@@ -316,6 +316,8 @@ func (r *PutRequestBody) GetSignature() *refs.Signature {
 
 func (r *PutRequestBody) SetSignature(v *refs.Signature) {
 	if r != nil {
+		// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
+		v.SetScheme(0)
 		r.sig = v
 	}
 }
@@ -434,6 +436,8 @@ func (r *GetResponseBody) GetSignature() *refs.Signature {
 // SetSignature sets signature of the requested container.
 func (r *GetResponseBody) SetSignature(v *refs.Signature) {
 	if r != nil {
+		// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
+		v.SetScheme(0)
 		r.sig = v
 	}
 }
@@ -476,6 +480,8 @@ func (r *DeleteRequestBody) GetSignature() *refs.Signature {
 
 func (r *DeleteRequestBody) SetSignature(v *refs.Signature) {
 	if r != nil {
+		// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
+		v.SetScheme(0)
 		r.sig = v
 	}
 }
@@ -588,6 +594,8 @@ func (r *SetExtendedACLRequestBody) GetSignature() *refs.Signature {
 
 func (r *SetExtendedACLRequestBody) SetSignature(v *refs.Signature) {
 	if r != nil {
+		// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
+		v.SetScheme(0)
 		r.sig = v
 	}
 }
@@ -672,6 +680,8 @@ func (r *GetExtendedACLResponseBody) GetSignature() *refs.Signature {
 
 func (r *GetExtendedACLResponseBody) SetSignature(v *refs.Signature) {
 	if r != nil {
+		// TODO: (neofs-api-go#381) avoid this hack (e.g. create refs.SignatureRFC6979 type)
+		v.SetScheme(0)
 		r.sig = v
 	}
 }

refs/grpc/types.go

@@ -84,6 +84,20 @@ func (x *Signature) SetScheme(s SignatureScheme) {
 	}
 }
 
+// SetKey sets public key in a binary format.
+func (x *SignatureRFC6979) SetKey(v []byte) {
+	if x != nil {
+		x.Key = v
+	}
+}
+
+// SetSign sets signature.
+func (x *SignatureRFC6979) SetSign(v []byte) {
+	if x != nil {
+		x.Sign = v
+	}
+}
+
 // FromString parses SignatureScheme from a string representation,
 // It is a reverse action to String().
 //

refs/types.go

@@ -35,8 +35,7 @@ type SignatureScheme uint32
 
 //nolint:revive
 const (
-	UnspecifiedScheme SignatureScheme = iota
+	ECDSA_SHA512 SignatureScheme = iota
-	ECDSA_SHA512
 	ECDSA_RFC6979_SHA256
 )
 
@@ -189,7 +188,7 @@ func (s *Signature) GetScheme() SignatureScheme {
 	if s != nil {
 		return s.scheme
 	}
-	return UnspecifiedScheme
+	return 0
 }
 
 func (s *Signature) SetScheme(scheme SignatureScheme) {

util/signature/data.go

@@ -41,13 +41,13 @@ func SignDataWithHandler(key *ecdsa.PrivateKey, src DataSource, handler KeySigna
 		opts[i](cfg)
 	}
 
-	sigData, err := sign(cfg, cfg.defaultScheme, key, data)
+	sigData, err := sign(cfg, key, data)
 	if err != nil {
 		return err
 	}
 
 	sig := new(refs.Signature)
-	sig.SetScheme(cfg.defaultScheme)
+	sig.SetScheme(cfg.scheme)
 	sig.SetKey(crypto.MarshalPublicKey(&key.PublicKey))
 	sig.SetSign(sigData)
 	handler(sig)

util/signature/options.go

@@ -9,51 +9,45 @@ import (
 )
 
 type cfg struct {
-	defaultScheme  refs.SignatureScheme
+	schemeFixed bool
-	restrictScheme refs.SignatureScheme
+	scheme      refs.SignatureScheme
 }
 
 func defaultCfg() *cfg {
-	return &cfg{
+	return new(cfg)
-		defaultScheme:  refs.ECDSA_SHA512,
-		restrictScheme: refs.UnspecifiedScheme,
-	}
 }
 
 func verify(cfg *cfg, data []byte, sig *refs.Signature) error {
-	scheme := sig.GetScheme()
+	if !cfg.schemeFixed {
-	if scheme == refs.UnspecifiedScheme {
+		cfg.scheme = sig.GetScheme()
-		scheme = cfg.defaultScheme
-	}
-	if cfg.restrictScheme != refs.UnspecifiedScheme && scheme != cfg.restrictScheme {
-		return fmt.Errorf("%w: unexpected signature scheme", crypto.ErrInvalidSignature)
 	}
 
 	pub := crypto.UnmarshalPublicKey(sig.GetKey())
-	switch scheme {
+
+	switch cfg.scheme {
 	case refs.ECDSA_SHA512:
 		return crypto.Verify(pub, data, sig.GetSign())
 	case refs.ECDSA_RFC6979_SHA256:
 		return crypto.VerifyRFC6979(pub, data, sig.GetSign())
 	default:
-		return crypto.ErrInvalidSignature
+		return fmt.Errorf("unsupported signature scheme %s", cfg.scheme)
 	}
 }
 
-func sign(cfg *cfg, scheme refs.SignatureScheme, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
+func sign(cfg *cfg, key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
-	switch scheme {
+	switch cfg.scheme {
 	case refs.ECDSA_SHA512:
 		return crypto.Sign(key, data)
 	case refs.ECDSA_RFC6979_SHA256:
 		return crypto.SignRFC6979(key, data)
 	default:
-		panic("unsupported scheme")
+		panic(fmt.Sprintf("unsupported scheme %s", cfg.scheme))
 	}
 }
 
 func SignWithRFC6979() SignOption {
 	return func(c *cfg) {
-		c.defaultScheme = refs.ECDSA_RFC6979_SHA256
+		c.schemeFixed = true
-		c.restrictScheme = refs.ECDSA_RFC6979_SHA256
+		c.scheme = refs.ECDSA_RFC6979_SHA256
 	}
 }