service: use new function for token signing and verification

This commit is contained in:
Leonard Lyubich 2020-05-05 14:49:35 +03:00
parent 74144f207a
commit fc2c78ae89
2 changed files with 76 additions and 104 deletions

View file

@ -3,10 +3,22 @@ package service
import ( import (
"crypto/ecdsa" "crypto/ecdsa"
"encoding/binary" "encoding/binary"
"io"
crypto "github.com/nspcc-dev/neofs-crypto" "github.com/nspcc-dev/neofs-api-go/refs"
) )
const verbSize = 4
const fixedTokenDataSize = 0 +
refs.UUIDSize +
refs.OwnerIDSize +
verbSize +
refs.UUIDSize +
refs.CIDSize +
8 +
8
var tokenEndianness = binary.BigEndian var tokenEndianness = binary.BigEndian
// GetID is an ID field getter. // GetID is an ID field getter.
@ -74,88 +86,71 @@ func (m *Token) SetSignature(sig []byte) {
m.Signature = sig m.Signature = sig
} }
// Returns byte slice that is used for creation/verification of the token signature. // Size returns the size of a binary representation of the verb.
func verificationTokenData(token SessionToken) []byte { func (x Token_Info_Verb) Size() int {
var sz int return verbSize
}
id := token.GetID()
sz += id.Size()
ownerID := token.GetOwnerID()
sz += ownerID.Size()
verb := uint32(token.GetVerb())
sz += 4
addr := token.GetAddress()
sz += addr.CID.Size() + addr.ObjectID.Size()
cEpoch := token.CreationEpoch()
sz += 8
fEpoch := token.ExpirationEpoch()
sz += 8
key := token.GetSessionKey()
sz += len(key)
data := make([]byte, sz)
var off int
tokenEndianness.PutUint32(data, verb)
off += 4
tokenEndianness.PutUint64(data[off:], cEpoch)
off += 8
tokenEndianness.PutUint64(data[off:], fEpoch)
off += 8
off += copy(data[off:], id.Bytes())
off += copy(data[off:], ownerID.Bytes())
off += copy(data[off:], addr.CID.Bytes())
off += copy(data[off:], addr.ObjectID.Bytes())
off += copy(data[off:], key)
// Bytes returns a binary representation of the verb.
func (x Token_Info_Verb) Bytes() []byte {
data := make([]byte, verbSize)
tokenEndianness.PutUint32(data, uint32(x))
return data return data
} }
// SignToken calculates and stores the signature of token information. // AddSignKey calls a Signature field setter with passed signature.
func (m *Token) AddSignKey(sig []byte, _ *ecdsa.PublicKey) {
m.SetSignature(sig)
}
// SignedData returns token information in a binary representation.
func (m *Token) SignedData() ([]byte, error) {
data := make([]byte, m.SignedDataSize())
copyTokenSignedData(data, m)
return data, nil
}
// ReadSignedData copies a binary representation of the token information to passed buffer.
// //
// If passed token is nil, ErrNilToken returns. // If buffer length is less than required, io.ErrUnexpectedEOF returns.
// If passed private key is nil, crypto.ErrEmptyPrivateKey returns. func (m *Token_Info) ReadSignedData(p []byte) (int, error) {
func SignToken(token SessionToken, key *ecdsa.PrivateKey) error { sz := m.SignedDataSize()
if token == nil { if len(p) < sz {
return ErrNilToken return 0, io.ErrUnexpectedEOF
} else if key == nil {
return crypto.ErrEmptyPrivateKey
} }
sig, err := crypto.Sign(key, verificationTokenData(token)) copyTokenSignedData(p, m)
if err != nil {
return err return sz, nil
} }
token.SetSignature(sig) // SignedDataSize returns the length of signed token information slice.
func (m Token_Info) SignedDataSize() int {
return nil return fixedTokenDataSize + len(m.GetSessionKey())
} }
// VerifyTokenSignature checks if token was signed correctly. // Fills passed buffer with signing token information bytes.
// // Does not check buffer length, it is understood that enough space is allocated in it.
// If passed token is nil, ErrNilToken returns. func copyTokenSignedData(buf []byte, token SessionTokenInfo) {
// If passed public key is nil, crypto.ErrEmptyPublicKey returns. var off int
func VerifyTokenSignature(token SessionToken, key *ecdsa.PublicKey) error {
if token == nil {
return ErrNilToken
} else if key == nil {
return crypto.ErrEmptyPublicKey
}
return crypto.Verify( off += copy(buf[off:], token.GetID().Bytes())
key,
verificationTokenData(token), off += copy(buf[off:], token.GetOwnerID().Bytes())
token.GetSignature(),
) off += copy(buf[off:], token.GetVerb().Bytes())
addr := token.GetAddress()
off += copy(buf[off:], addr.CID.Bytes())
off += copy(buf[off:], addr.ObjectID.Bytes())
tokenEndianness.PutUint64(buf[off:], token.CreationEpoch())
off += 8
tokenEndianness.PutUint64(buf[off:], token.ExpirationEpoch())
off += 8
copy(buf[off:], token.GetSessionKey())
} }

View file

@ -5,7 +5,6 @@ import (
"testing" "testing"
"github.com/nspcc-dev/neofs-api-go/refs" "github.com/nspcc-dev/neofs-api-go/refs"
crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/nspcc-dev/neofs-crypto/test" "github.com/nspcc-dev/neofs-crypto/test"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
@ -90,29 +89,7 @@ func TestTokenGettersSetters(t *testing.T) {
} }
func TestSignToken(t *testing.T) { func TestSignToken(t *testing.T) {
// nil token token := new(Token)
require.EqualError(t,
SignToken(nil, nil),
ErrNilToken.Error(),
)
require.EqualError(t,
VerifyTokenSignature(nil, nil),
ErrNilToken.Error(),
)
var token SessionToken = new(Token)
// nil key
require.EqualError(t,
SignToken(token, nil),
crypto.ErrEmptyPrivateKey.Error(),
)
require.EqualError(t,
VerifyTokenSignature(token, nil),
crypto.ErrEmptyPublicKey.Error(),
)
// create private key for signing // create private key for signing
sk := test.DecodeKey(0) sk := test.DecodeKey(0)
@ -150,8 +127,8 @@ func TestSignToken(t *testing.T) {
token.SetSessionKey(sessionKey) token.SetSessionKey(sessionKey)
// sign and verify token // sign and verify token
require.NoError(t, SignToken(token, sk)) require.NoError(t, AddSignatureWithKey(token, sk))
require.NoError(t, VerifyTokenSignature(token, pk)) require.NoError(t, VerifySignatureWithKey(token, pk))
items := []struct { items := []struct {
corrupt func() corrupt func()
@ -235,8 +212,8 @@ func TestSignToken(t *testing.T) {
for _, v := range items { for _, v := range items {
v.corrupt() v.corrupt()
require.Error(t, VerifyTokenSignature(token, pk)) require.Error(t, VerifySignatureWithKey(token, pk))
v.restore() v.restore()
require.NoError(t, VerifyTokenSignature(token, pk)) require.NoError(t, VerifySignatureWithKey(token, pk))
} }
} }