forked from TrueCloudLab/frostfs-api-go
service: implement sign/verify function for data with session token
This commit is contained in:
parent
fc2c78ae89
commit
52d3c82776
6 changed files with 326 additions and 84 deletions
|
@ -2,10 +2,12 @@ package service
|
||||||
|
|
||||||
import "github.com/nspcc-dev/neofs-api-go/internal"
|
import "github.com/nspcc-dev/neofs-api-go/internal"
|
||||||
|
|
||||||
// ErrNilToken is returned by functions that expect a non-nil token argument, but received nil.
|
// ErrNilToken is returned by functions that expect
|
||||||
|
// a non-nil token argument, but received nil.
|
||||||
const ErrNilToken = internal.Error("token is nil")
|
const ErrNilToken = internal.Error("token is nil")
|
||||||
|
|
||||||
// ErrInvalidTTL means that the TTL value does not satisfy a specific criterion.
|
// ErrInvalidTTL means that the TTL value does not
|
||||||
|
// satisfy a specific criterion.
|
||||||
const ErrInvalidTTL = internal.Error("invalid TTL value")
|
const ErrInvalidTTL = internal.Error("invalid TTL value")
|
||||||
|
|
||||||
// ErrInvalidPublicKeyBytes means that the public key could not be unmarshaled.
|
// ErrInvalidPublicKeyBytes means that the public key could not be unmarshaled.
|
||||||
|
@ -14,14 +16,30 @@ const ErrInvalidPublicKeyBytes = internal.Error("cannot load public key")
|
||||||
// ErrCannotFindOwner is raised when signatures empty in GetOwner.
|
// ErrCannotFindOwner is raised when signatures empty in GetOwner.
|
||||||
const ErrCannotFindOwner = internal.Error("cannot find owner public key")
|
const ErrCannotFindOwner = internal.Error("cannot find owner public key")
|
||||||
|
|
||||||
// ErrWrongOwner is raised when passed OwnerID not equal to present PublicKey
|
// ErrWrongOwner is raised when passed OwnerID
|
||||||
|
// not equal to present PublicKey
|
||||||
const ErrWrongOwner = internal.Error("wrong owner")
|
const ErrWrongOwner = internal.Error("wrong owner")
|
||||||
|
|
||||||
// ErrNilSignedDataSource returned by functions that expect a non-nil SignedDataSource, but received nil.
|
// ErrNilSignedDataSource returned by functions that expect a non-nil
|
||||||
|
// SignedDataSource, but received nil.
|
||||||
const ErrNilSignedDataSource = internal.Error("signed data source is nil")
|
const ErrNilSignedDataSource = internal.Error("signed data source is nil")
|
||||||
|
|
||||||
// ErrNilSignatureKeySource is returned by functions that expect a non-nil SignatureKeySource, but received nil.
|
// ErrNilSignatureKeySource is returned by functions that expect a non-nil
|
||||||
|
// SignatureKeySource, but received nil.
|
||||||
const ErrNilSignatureKeySource = internal.Error("empty key-signature source")
|
const ErrNilSignatureKeySource = internal.Error("empty key-signature source")
|
||||||
|
|
||||||
// ErrEmptyDataWithSignature is returned by functions that expect a non-nil DataWithSignature, but received nil.
|
// ErrEmptyDataWithSignature is returned by functions that expect
|
||||||
|
// a non-nil DataWithSignature, but received nil.
|
||||||
const ErrEmptyDataWithSignature = internal.Error("empty data with signature")
|
const ErrEmptyDataWithSignature = internal.Error("empty data with signature")
|
||||||
|
|
||||||
|
// ErrNegativeLength is returned by functions that received
|
||||||
|
// negative length for slice allocation.
|
||||||
|
const ErrNegativeLength = internal.Error("negative slice length")
|
||||||
|
|
||||||
|
// ErrNilDataWithTokenSignAccumulator is returned by functions that expect
|
||||||
|
// a non-nil DataWithTokenSignAccumulator, but received nil.
|
||||||
|
const ErrNilDataWithTokenSignAccumulator = internal.Error("signed data with token is nil")
|
||||||
|
|
||||||
|
// ErrNilSignatureKeySourceWithToken is returned by functions that expect
|
||||||
|
// a non-nil SignatureKeySourceWithToken, but received nil.
|
||||||
|
const ErrNilSignatureKeySourceWithToken = internal.Error("key-signature source with token is nil")
|
||||||
|
|
|
@ -34,6 +34,8 @@ func newSignatureKeyPair(key *ecdsa.PublicKey, sign []byte) SignKeyPair {
|
||||||
// If passed DataSignatureAccumulator provides a SignedDataReader interface, data for signature is obtained
|
// If passed DataSignatureAccumulator provides a SignedDataReader interface, data for signature is obtained
|
||||||
// using this interface for optimization. In this case, it is understood that reading into the slice D
|
// using this interface for optimization. In this case, it is understood that reading into the slice D
|
||||||
// that the method DataForSignature returns does not change D.
|
// that the method DataForSignature returns does not change D.
|
||||||
|
//
|
||||||
|
// If returned length of data is negative, ErrNegativeLength returns.
|
||||||
func dataForSignature(src SignedDataSource) ([]byte, error) {
|
func dataForSignature(src SignedDataSource) ([]byte, error) {
|
||||||
if src == nil {
|
if src == nil {
|
||||||
return nil, ErrNilSignedDataSource
|
return nil, ErrNilSignedDataSource
|
||||||
|
@ -45,11 +47,10 @@ func dataForSignature(src SignedDataSource) ([]byte, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
buf := bytesPool.Get().([]byte)
|
buf := bytesPool.Get().([]byte)
|
||||||
defer func() {
|
|
||||||
bytesPool.Put(buf)
|
|
||||||
}()
|
|
||||||
|
|
||||||
if size := r.SignedDataSize(); size <= cap(buf) {
|
if size := r.SignedDataSize(); size < 0 {
|
||||||
|
return nil, ErrNegativeLength
|
||||||
|
} else if size <= cap(buf) {
|
||||||
buf = buf[:size]
|
buf = buf[:size]
|
||||||
} else {
|
} else {
|
||||||
buf = make([]byte, size)
|
buf = make([]byte, size)
|
||||||
|
@ -78,14 +79,17 @@ func DataSignature(key *ecdsa.PrivateKey, src SignedDataSource) ([]byte, error)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
defer bytesPool.Put(data)
|
||||||
|
|
||||||
return crypto.Sign(key, data)
|
return crypto.Sign(key, data)
|
||||||
}
|
}
|
||||||
|
|
||||||
// AddSignatureWithKey calculates the data signature and adds it to accumulator with public key.
|
// AddSignatureWithKey calculates the data signature and adds it to accumulator with public key.
|
||||||
//
|
//
|
||||||
|
// Any change of data provoke signature breakdown.
|
||||||
|
//
|
||||||
// Returns signing errors only.
|
// Returns signing errors only.
|
||||||
func AddSignatureWithKey(v SignatureKeyAccumulator, key *ecdsa.PrivateKey) error {
|
func AddSignatureWithKey(key *ecdsa.PrivateKey, v DataWithSignKeyAccumulator) error {
|
||||||
sign, err := DataSignature(key, v)
|
sign, err := DataSignature(key, v)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -108,6 +112,7 @@ func verifySignatures(src SignedDataSource, items ...SignKeyPair) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
defer bytesPool.Put(data)
|
||||||
|
|
||||||
for _, signKey := range items {
|
for _, signKey := range items {
|
||||||
if err := crypto.Verify(
|
if err := crypto.Verify(
|
||||||
|
@ -135,7 +140,7 @@ func VerifySignatures(src SignedDataSource, items ...SignKeyPair) error {
|
||||||
//
|
//
|
||||||
// Behaves like VerifySignatures.
|
// Behaves like VerifySignatures.
|
||||||
// If passed key-signature source is empty, ErrNilSignatureKeySource returns.
|
// If passed key-signature source is empty, ErrNilSignatureKeySource returns.
|
||||||
func VerifyAccumulatedSignatures(src SignatureKeySource) error {
|
func VerifyAccumulatedSignatures(src DataWithSignKeySource) error {
|
||||||
if src == nil {
|
if src == nil {
|
||||||
return ErrNilSignatureKeySource
|
return ErrNilSignatureKeySource
|
||||||
}
|
}
|
||||||
|
@ -148,7 +153,7 @@ func VerifyAccumulatedSignatures(src SignatureKeySource) error {
|
||||||
// If passed data with signature is nil, ErrEmptyDataWithSignature returns.
|
// If passed data with signature is nil, ErrEmptyDataWithSignature returns.
|
||||||
// If passed key is nil, crypto.ErrEmptyPublicKey returns.
|
// If passed key is nil, crypto.ErrEmptyPublicKey returns.
|
||||||
// A non-nil error returns if and only if the signature does not pass verification.
|
// A non-nil error returns if and only if the signature does not pass verification.
|
||||||
func VerifySignatureWithKey(src DataWithSignature, key *ecdsa.PublicKey) error {
|
func VerifySignatureWithKey(key *ecdsa.PublicKey, src DataWithSignature) error {
|
||||||
if src == nil {
|
if src == nil {
|
||||||
return ErrEmptyDataWithSignature
|
return ErrEmptyDataWithSignature
|
||||||
} else if key == nil {
|
} else if key == nil {
|
||||||
|
@ -163,3 +168,55 @@ func VerifySignatureWithKey(src DataWithSignature, key *ecdsa.PublicKey) error {
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SignDataWithSessionToken calculates data with token signature and adds it to accumulator.
|
||||||
|
//
|
||||||
|
// Any change of data or session token info provoke signature breakdown.
|
||||||
|
//
|
||||||
|
// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
|
||||||
|
// If passed DataWithTokenSignAccumulator is nil, ErrNilDataWithTokenSignAccumulator returns.
|
||||||
|
func SignDataWithSessionToken(key *ecdsa.PrivateKey, src DataWithTokenSignAccumulator) error {
|
||||||
|
if src == nil {
|
||||||
|
return ErrNilDataWithTokenSignAccumulator
|
||||||
|
} else if r, ok := src.(SignedDataReader); ok {
|
||||||
|
return AddSignatureWithKey(key, &signDataReaderWithToken{
|
||||||
|
SignedDataSource: src,
|
||||||
|
SignKeyPairAccumulator: src,
|
||||||
|
|
||||||
|
rdr: r,
|
||||||
|
token: src.GetSessionToken(),
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
return AddSignatureWithKey(key, &signAccumWithToken{
|
||||||
|
SignedDataSource: src,
|
||||||
|
SignKeyPairAccumulator: src,
|
||||||
|
|
||||||
|
token: src.GetSessionToken(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyAccumulatedSignaturesWithToken checks if accumulated key-signature pairs of data with token are valid.
|
||||||
|
//
|
||||||
|
// If passed DataWithTokenSignSource is nil, ErrNilSignatureKeySourceWithToken returns.
|
||||||
|
func VerifyAccumulatedSignaturesWithToken(src DataWithTokenSignSource) error {
|
||||||
|
if src == nil {
|
||||||
|
return ErrNilSignatureKeySourceWithToken
|
||||||
|
} else if r, ok := src.(SignedDataReader); ok {
|
||||||
|
return VerifyAccumulatedSignatures(&signDataReaderWithToken{
|
||||||
|
SignedDataSource: src,
|
||||||
|
SignKeyPairSource: src,
|
||||||
|
|
||||||
|
rdr: r,
|
||||||
|
token: src.GetSessionToken(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return VerifyAccumulatedSignatures(&signAccumWithToken{
|
||||||
|
SignedDataSource: src,
|
||||||
|
SignKeyPairSource: src,
|
||||||
|
|
||||||
|
token: src.GetSessionToken(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
|
@ -13,38 +13,32 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
type testSignedDataSrc struct {
|
type testSignedDataSrc struct {
|
||||||
e error
|
err error
|
||||||
d []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
type testSignedDataReader struct {
|
|
||||||
SignedDataSource
|
|
||||||
|
|
||||||
e error
|
|
||||||
d []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
type testKeySigAccum struct {
|
|
||||||
data []byte
|
data []byte
|
||||||
sig []byte
|
sig []byte
|
||||||
key *ecdsa.PublicKey
|
key *ecdsa.PublicKey
|
||||||
|
token SessionToken
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s testKeySigAccum) GetSignature() []byte {
|
type testSignedDataReader struct {
|
||||||
|
*testSignedDataSrc
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s testSignedDataSrc) GetSignature() []byte {
|
||||||
return s.sig
|
return s.sig
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s testKeySigAccum) GetSignKeyPairs() []SignKeyPair {
|
func (s testSignedDataSrc) GetSignKeyPairs() []SignKeyPair {
|
||||||
return []SignKeyPair{
|
return []SignKeyPair{
|
||||||
newSignatureKeyPair(s.key, s.sig),
|
newSignatureKeyPair(s.key, s.sig),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s testKeySigAccum) SignedData() ([]byte, error) {
|
func (s testSignedDataSrc) SignedData() ([]byte, error) {
|
||||||
return s.data, nil
|
return s.data, s.err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s testKeySigAccum) AddSignKey(sig []byte, key *ecdsa.PublicKey) {
|
func (s *testSignedDataSrc) AddSignKey(sig []byte, key *ecdsa.PublicKey) {
|
||||||
s.key = key
|
s.key = key
|
||||||
s.sig = sig
|
s.sig = sig
|
||||||
}
|
}
|
||||||
|
@ -56,24 +50,24 @@ func testData(t *testing.T, sz int) []byte {
|
||||||
return d
|
return d
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s testSignedDataSrc) GetSessionToken() SessionToken {
|
||||||
|
return s.token
|
||||||
|
}
|
||||||
|
|
||||||
func (s testSignedDataReader) SignedDataSize() int {
|
func (s testSignedDataReader) SignedDataSize() int {
|
||||||
return len(s.d)
|
return len(s.data)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s testSignedDataReader) ReadSignedData(buf []byte) (int, error) {
|
func (s testSignedDataReader) ReadSignedData(buf []byte) (int, error) {
|
||||||
if s.e != nil {
|
if s.err != nil {
|
||||||
return 0, s.e
|
return 0, s.err
|
||||||
}
|
}
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
if len(buf) < len(s.d) {
|
if len(buf) < len(s.data) {
|
||||||
err = io.ErrUnexpectedEOF
|
err = io.ErrUnexpectedEOF
|
||||||
}
|
}
|
||||||
return copy(buf, s.d), err
|
return copy(buf, s.data), err
|
||||||
}
|
|
||||||
|
|
||||||
func (s testSignedDataSrc) SignedData() ([]byte, error) {
|
|
||||||
return s.d, s.e
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDataSignature(t *testing.T) {
|
func TestDataSignature(t *testing.T) {
|
||||||
|
@ -93,63 +87,59 @@ func TestDataSignature(t *testing.T) {
|
||||||
t.Run("common signed data source", func(t *testing.T) {
|
t.Run("common signed data source", func(t *testing.T) {
|
||||||
// create test data source
|
// create test data source
|
||||||
src := &testSignedDataSrc{
|
src := &testSignedDataSrc{
|
||||||
d: testData(t, 10),
|
data: testData(t, 10),
|
||||||
}
|
}
|
||||||
|
|
||||||
// create custom error for data source
|
// create custom error for data source
|
||||||
src.e = errors.New("test error for data source")
|
src.err = errors.New("test error for data source")
|
||||||
|
|
||||||
_, err = DataSignature(sk, src)
|
_, err = DataSignature(sk, src)
|
||||||
require.EqualError(t, err, src.e.Error())
|
require.EqualError(t, err, src.err.Error())
|
||||||
|
|
||||||
// reset error to nil
|
// reset error to nil
|
||||||
src.e = nil
|
src.err = nil
|
||||||
|
|
||||||
// calculate data signature
|
// calculate data signature
|
||||||
sig, err := DataSignature(sk, src)
|
sig, err := DataSignature(sk, src)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// ascertain that the signature passes verification
|
// ascertain that the signature passes verification
|
||||||
require.NoError(t, crypto.Verify(&sk.PublicKey, src.d, sig))
|
require.NoError(t, crypto.Verify(&sk.PublicKey, src.data, sig))
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("signed data reader", func(t *testing.T) {
|
t.Run("signed data reader", func(t *testing.T) {
|
||||||
// create test signed data reader
|
// create test signed data reader
|
||||||
src := &testSignedDataReader{
|
src := &testSignedDataSrc{
|
||||||
d: testData(t, 10),
|
data: testData(t, 10),
|
||||||
}
|
}
|
||||||
|
|
||||||
// create custom error for signed data reader
|
// create custom error for signed data reader
|
||||||
src.e = errors.New("test error for signed data reader")
|
src.err = errors.New("test error for signed data reader")
|
||||||
|
|
||||||
sig, err := DataSignature(sk, src)
|
sig, err := DataSignature(sk, src)
|
||||||
require.EqualError(t, err, src.e.Error())
|
require.EqualError(t, err, src.err.Error())
|
||||||
|
|
||||||
// reset error to nil
|
// reset error to nil
|
||||||
src.e = nil
|
src.err = nil
|
||||||
|
|
||||||
// calculate data signature
|
// calculate data signature
|
||||||
sig, err = DataSignature(sk, src)
|
sig, err = DataSignature(sk, src)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// ascertain that the signature passes verification
|
// ascertain that the signature passes verification
|
||||||
require.NoError(t, crypto.Verify(&sk.PublicKey, src.d, sig))
|
require.NoError(t, crypto.Verify(&sk.PublicKey, src.data, sig))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestAddSignatureWithKey(t *testing.T) {
|
func TestAddSignatureWithKey(t *testing.T) {
|
||||||
// create test data
|
require.NoError(t,
|
||||||
data := testData(t, 10)
|
AddSignatureWithKey(
|
||||||
|
test.DecodeKey(0),
|
||||||
// create test private key
|
&testSignedDataSrc{
|
||||||
sk := test.DecodeKey(0)
|
data: testData(t, 10),
|
||||||
|
},
|
||||||
// create test signature accumulator
|
),
|
||||||
var s SignatureKeyAccumulator = &testKeySigAccum{
|
)
|
||||||
data: data,
|
|
||||||
}
|
|
||||||
|
|
||||||
require.NoError(t, AddSignatureWithKey(s, sk))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestVerifySignatures(t *testing.T) {
|
func TestVerifySignatures(t *testing.T) {
|
||||||
|
@ -158,14 +148,14 @@ func TestVerifySignatures(t *testing.T) {
|
||||||
|
|
||||||
// create test signature source
|
// create test signature source
|
||||||
src := &testSignedDataSrc{
|
src := &testSignedDataSrc{
|
||||||
d: testData(t, 10),
|
data: testData(t, 10),
|
||||||
}
|
}
|
||||||
|
|
||||||
// create private key for test
|
// create private key for test
|
||||||
sk := test.DecodeKey(0)
|
sk := test.DecodeKey(0)
|
||||||
|
|
||||||
// calculate a signature of the data
|
// calculate a signature of the data
|
||||||
sig, err := crypto.Sign(sk, src.d)
|
sig, err := crypto.Sign(sk, src.data)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// ascertain that verification is passed
|
// ascertain that verification is passed
|
||||||
|
@ -208,7 +198,7 @@ func TestVerifyAccumulatedSignatures(t *testing.T) {
|
||||||
sk := test.DecodeKey(0)
|
sk := test.DecodeKey(0)
|
||||||
|
|
||||||
// create signature source
|
// create signature source
|
||||||
src := &testKeySigAccum{
|
src := &testSignedDataSrc{
|
||||||
data: testData(t, 10),
|
data: testData(t, 10),
|
||||||
key: &sk.PublicKey,
|
key: &sk.PublicKey,
|
||||||
}
|
}
|
||||||
|
@ -237,13 +227,13 @@ func TestVerifySignatureWithKey(t *testing.T) {
|
||||||
)
|
)
|
||||||
|
|
||||||
// create test signature source
|
// create test signature source
|
||||||
src := &testKeySigAccum{
|
src := &testSignedDataSrc{
|
||||||
data: testData(t, 10),
|
data: testData(t, 10),
|
||||||
}
|
}
|
||||||
|
|
||||||
// nil public key
|
// nil public key
|
||||||
require.EqualError(t,
|
require.EqualError(t,
|
||||||
VerifySignatureWithKey(src, nil),
|
VerifySignatureWithKey(nil, src),
|
||||||
crypto.ErrEmptyPublicKey.Error(),
|
crypto.ErrEmptyPublicKey.Error(),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -257,11 +247,80 @@ func TestVerifySignatureWithKey(t *testing.T) {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// ascertain that verification is passed
|
// ascertain that verification is passed
|
||||||
require.NoError(t, VerifySignatureWithKey(src, &sk.PublicKey))
|
require.NoError(t, VerifySignatureWithKey(&sk.PublicKey, src))
|
||||||
|
|
||||||
// break the signature
|
// break the signature
|
||||||
src.sig[0]++
|
src.sig[0]++
|
||||||
|
|
||||||
// ascertain that verification is failed
|
// ascertain that verification is failed
|
||||||
require.Error(t, VerifySignatureWithKey(src, &sk.PublicKey))
|
require.Error(t, VerifySignatureWithKey(&sk.PublicKey, src))
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSignVerifyDataWithSessionToken(t *testing.T) {
|
||||||
|
// sign with empty DataWithTokenSignAccumulator
|
||||||
|
require.EqualError(t,
|
||||||
|
SignDataWithSessionToken(nil, nil),
|
||||||
|
ErrNilDataWithTokenSignAccumulator.Error(),
|
||||||
|
)
|
||||||
|
|
||||||
|
// verify with empty DataWithTokenSignSource
|
||||||
|
require.EqualError(t,
|
||||||
|
VerifyAccumulatedSignaturesWithToken(nil),
|
||||||
|
ErrNilSignatureKeySourceWithToken.Error(),
|
||||||
|
)
|
||||||
|
|
||||||
|
// create test session token
|
||||||
|
var (
|
||||||
|
token = new(Token)
|
||||||
|
initVerb = Token_Info_Verb(1)
|
||||||
|
)
|
||||||
|
|
||||||
|
token.SetVerb(initVerb)
|
||||||
|
|
||||||
|
// create test data with token
|
||||||
|
src := &testSignedDataSrc{
|
||||||
|
data: testData(t, 10),
|
||||||
|
token: token,
|
||||||
|
}
|
||||||
|
|
||||||
|
// create test private key
|
||||||
|
sk := test.DecodeKey(0)
|
||||||
|
|
||||||
|
// sign with private key
|
||||||
|
require.NoError(t, SignDataWithSessionToken(sk, src))
|
||||||
|
|
||||||
|
// ascertain that verification is passed
|
||||||
|
require.NoError(t, VerifyAccumulatedSignaturesWithToken(src))
|
||||||
|
|
||||||
|
// break the data
|
||||||
|
src.data[0]++
|
||||||
|
|
||||||
|
// ascertain that verification is failed
|
||||||
|
require.Error(t, VerifyAccumulatedSignaturesWithToken(src))
|
||||||
|
|
||||||
|
// restore the data
|
||||||
|
src.data[0]--
|
||||||
|
|
||||||
|
// break the token
|
||||||
|
token.SetVerb(initVerb + 1)
|
||||||
|
|
||||||
|
// ascertain that verification is failed
|
||||||
|
require.Error(t, VerifyAccumulatedSignaturesWithToken(src))
|
||||||
|
|
||||||
|
// restore the token
|
||||||
|
token.SetVerb(initVerb)
|
||||||
|
|
||||||
|
// ascertain that verification is passed
|
||||||
|
require.NoError(t, VerifyAccumulatedSignaturesWithToken(src))
|
||||||
|
|
||||||
|
// wrap to data reader
|
||||||
|
rdr := &testSignedDataReader{
|
||||||
|
testSignedDataSrc: src,
|
||||||
|
}
|
||||||
|
|
||||||
|
// sign with private key
|
||||||
|
require.NoError(t, SignDataWithSessionToken(sk, rdr))
|
||||||
|
|
||||||
|
// ascertain that verification is passed
|
||||||
|
require.NoError(t, VerifyAccumulatedSignaturesWithToken(rdr))
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,6 +8,24 @@ import (
|
||||||
"github.com/nspcc-dev/neofs-api-go/refs"
|
"github.com/nspcc-dev/neofs-api-go/refs"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type signAccumWithToken struct {
|
||||||
|
SignedDataSource
|
||||||
|
SignKeyPairAccumulator
|
||||||
|
SignKeyPairSource
|
||||||
|
|
||||||
|
token SessionToken
|
||||||
|
}
|
||||||
|
|
||||||
|
type signDataReaderWithToken struct {
|
||||||
|
SignedDataSource
|
||||||
|
SignKeyPairAccumulator
|
||||||
|
SignKeyPairSource
|
||||||
|
|
||||||
|
rdr SignedDataReader
|
||||||
|
|
||||||
|
token SessionToken
|
||||||
|
}
|
||||||
|
|
||||||
const verbSize = 4
|
const verbSize = 4
|
||||||
|
|
||||||
const fixedTokenDataSize = 0 +
|
const fixedTokenDataSize = 0 +
|
||||||
|
@ -127,13 +145,26 @@ func (m *Token_Info) ReadSignedData(p []byte) (int, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignedDataSize returns the length of signed token information slice.
|
// SignedDataSize returns the length of signed token information slice.
|
||||||
func (m Token_Info) SignedDataSize() int {
|
func (m *Token_Info) SignedDataSize() int {
|
||||||
return fixedTokenDataSize + len(m.GetSessionKey())
|
return tokenInfoSize(m)
|
||||||
|
}
|
||||||
|
|
||||||
|
func tokenInfoSize(v SessionKeySource) int {
|
||||||
|
if v == nil {
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
return fixedTokenDataSize + len(v.GetSessionKey())
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fills passed buffer with signing token information bytes.
|
// Fills passed buffer with signing token information bytes.
|
||||||
// Does not check buffer length, it is understood that enough space is allocated in it.
|
// Does not check buffer length, it is understood that enough space is allocated in it.
|
||||||
|
//
|
||||||
|
// If passed SessionTokenInfo, buffer remains unchanged.
|
||||||
func copyTokenSignedData(buf []byte, token SessionTokenInfo) {
|
func copyTokenSignedData(buf []byte, token SessionTokenInfo) {
|
||||||
|
if token == nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
var off int
|
var off int
|
||||||
|
|
||||||
off += copy(buf[off:], token.GetID().Bytes())
|
off += copy(buf[off:], token.GetID().Bytes())
|
||||||
|
@ -154,3 +185,51 @@ func copyTokenSignedData(buf []byte, token SessionTokenInfo) {
|
||||||
|
|
||||||
copy(buf[off:], token.GetSessionKey())
|
copy(buf[off:], token.GetSessionKey())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SignedData concatenates signed data with session token information. Returns concatenation result.
|
||||||
|
//
|
||||||
|
// Token bytes are added if and only if token is not nil.
|
||||||
|
func (s signAccumWithToken) SignedData() ([]byte, error) {
|
||||||
|
data, err := s.SignedDataSource.SignedData()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
tokenData := make([]byte, tokenInfoSize(s.token))
|
||||||
|
|
||||||
|
copyTokenSignedData(tokenData, s.token)
|
||||||
|
|
||||||
|
return append(data, tokenData...), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s signDataReaderWithToken) SignedDataSize() int {
|
||||||
|
sz := s.rdr.SignedDataSize()
|
||||||
|
if sz < 0 {
|
||||||
|
return -1
|
||||||
|
}
|
||||||
|
|
||||||
|
sz += tokenInfoSize(s.token)
|
||||||
|
|
||||||
|
return sz
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s signDataReaderWithToken) ReadSignedData(p []byte) (int, error) {
|
||||||
|
dataSize := s.rdr.SignedDataSize()
|
||||||
|
if dataSize < 0 {
|
||||||
|
return 0, ErrNegativeLength
|
||||||
|
}
|
||||||
|
|
||||||
|
sumSize := dataSize + tokenInfoSize(s.token)
|
||||||
|
|
||||||
|
if len(p) < sumSize {
|
||||||
|
return 0, io.ErrUnexpectedEOF
|
||||||
|
}
|
||||||
|
|
||||||
|
if n, err := s.rdr.ReadSignedData(p); err != nil {
|
||||||
|
return n, err
|
||||||
|
}
|
||||||
|
|
||||||
|
copyTokenSignedData(p[dataSize:], s.token)
|
||||||
|
|
||||||
|
return sumSize, nil
|
||||||
|
}
|
||||||
|
|
|
@ -127,8 +127,8 @@ func TestSignToken(t *testing.T) {
|
||||||
token.SetSessionKey(sessionKey)
|
token.SetSessionKey(sessionKey)
|
||||||
|
|
||||||
// sign and verify token
|
// sign and verify token
|
||||||
require.NoError(t, AddSignatureWithKey(token, sk))
|
require.NoError(t, AddSignatureWithKey(sk, token))
|
||||||
require.NoError(t, VerifySignatureWithKey(token, pk))
|
require.NoError(t, VerifySignatureWithKey(pk, token))
|
||||||
|
|
||||||
items := []struct {
|
items := []struct {
|
||||||
corrupt func()
|
corrupt func()
|
||||||
|
@ -212,8 +212,8 @@ func TestSignToken(t *testing.T) {
|
||||||
|
|
||||||
for _, v := range items {
|
for _, v := range items {
|
||||||
v.corrupt()
|
v.corrupt()
|
||||||
require.Error(t, VerifySignatureWithKey(token, pk))
|
require.Error(t, VerifySignatureWithKey(pk, token))
|
||||||
v.restore()
|
v.restore()
|
||||||
require.NoError(t, VerifySignatureWithKey(token, pk))
|
require.NoError(t, VerifySignatureWithKey(pk, token))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -186,32 +186,61 @@ type SignedDataSource interface {
|
||||||
// SignedDataReader is an interface of signed data reader.
|
// SignedDataReader is an interface of signed data reader.
|
||||||
type SignedDataReader interface {
|
type SignedDataReader interface {
|
||||||
// Must return the minimum length of the slice for full reading.
|
// Must return the minimum length of the slice for full reading.
|
||||||
|
// Must return a negative value if the length cannot be calculated.
|
||||||
SignedDataSize() int
|
SignedDataSize() int
|
||||||
|
|
||||||
// Must behave like Read method of io.Reader and differ only in the reading of the signed data.
|
// Must behave like Read method of io.Reader and differ only in the reading of the signed data.
|
||||||
ReadSignedData([]byte) (int, error)
|
ReadSignedData([]byte) (int, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignatureKeyAccumulator is an interface of the container of a data and signatures.
|
// SignKeyPairAccumulator is an interface of a set of key-signature pairs with append access.
|
||||||
type SignatureKeyAccumulator interface {
|
type SignKeyPairAccumulator interface {
|
||||||
SignedDataSource
|
|
||||||
AddSignKey([]byte, *ecdsa.PublicKey)
|
AddSignKey([]byte, *ecdsa.PublicKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SignKeyPairSource is an interface of a set of key-signature pairs with read access.
|
||||||
|
type SignKeyPairSource interface {
|
||||||
|
GetSignKeyPairs() []SignKeyPair
|
||||||
|
}
|
||||||
|
|
||||||
// SignKeyPair is an interface of key-signature pair with read access.
|
// SignKeyPair is an interface of key-signature pair with read access.
|
||||||
type SignKeyPair interface {
|
type SignKeyPair interface {
|
||||||
SignatureSource
|
SignatureSource
|
||||||
GetPublicKey() *ecdsa.PublicKey
|
GetPublicKey() *ecdsa.PublicKey
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignatureKeyAccumulator is an interface of the container of a data and signatures with read access.
|
|
||||||
type SignatureKeySource interface {
|
|
||||||
SignedDataSource
|
|
||||||
GetSignKeyPairs() []SignKeyPair
|
|
||||||
}
|
|
||||||
|
|
||||||
// DataWithSignature is an interface of data-signature pair with read access.
|
// DataWithSignature is an interface of data-signature pair with read access.
|
||||||
type DataWithSignature interface {
|
type DataWithSignature interface {
|
||||||
SignedDataSource
|
SignedDataSource
|
||||||
SignatureSource
|
SignatureSource
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DataWithSignKeyAccumulator is an interface of data and key-signature accumulator pair.
|
||||||
|
type DataWithSignKeyAccumulator interface {
|
||||||
|
SignedDataSource
|
||||||
|
SignKeyPairAccumulator
|
||||||
|
}
|
||||||
|
|
||||||
|
// DataWithSignKeySource is an interface of data and key-signature source pair.
|
||||||
|
type DataWithSignKeySource interface {
|
||||||
|
SignedDataSource
|
||||||
|
SignKeyPairSource
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignedDataWithToken is an interface of data-token pair with read access.
|
||||||
|
type SignedDataWithToken interface {
|
||||||
|
SignedDataSource
|
||||||
|
SessionTokenSource
|
||||||
|
}
|
||||||
|
|
||||||
|
// DataWithTokenSignAccumulator is an interface of data-token pair with signature write access.
|
||||||
|
type DataWithTokenSignAccumulator interface {
|
||||||
|
SignedDataWithToken
|
||||||
|
SignKeyPairAccumulator
|
||||||
|
}
|
||||||
|
|
||||||
|
// DataWithTokenSignSource is an interface of data-token pair with signature read access.
|
||||||
|
type DataWithTokenSignSource interface {
|
||||||
|
SignedDataWithToken
|
||||||
|
SignKeyPairSource
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue