client: Set external signer for requests payload

Signed-off-by: Evgenii Baidakov <evgenii@nspcc.io>

client/container.go

@@ -28,6 +28,8 @@ type PrmContainerPut struct {
 
 	sessionSet bool
 	session    session.Container
+
+	signer neofscrypto.Signer
 }
 
 // SetContainer sets structured information about new NeoFS container.
@@ -37,6 +39,13 @@ func (x *PrmContainerPut) SetContainer(cnr container.Container) {
 	x.cnrSet = true
 }
 
+// SetSigner sets signer to sign request payload.
+// Signer's scheme MUST be neofscrypto.ECDSA_DETERMINISTIC_SHA256. For example, you can use neofsecdsa.SignerRFC6979.
+// Optional parameter: defaults to internal Client signer.
+func (x *PrmContainerPut) SetSigner(signer neofscrypto.Signer) {
+	x.signer = signer
+}
+
 // WithinSession specifies session within which container should be saved.
 //
 // Creator of the session acquires the authorship of the request. This affects
@@ -64,6 +73,10 @@ func (x ResContainerPut) ID() cid.ID {
 	return x.id
 }
 
+func (c *Client) defaultSigner() neofscrypto.Signer {
+	return neofsecdsa.SignerRFC6979(c.prm.key)
+}
+
 // ContainerPut sends request to save container in NeoFS.
 //
 // Exactly one return value is non-nil. By default, server status is returned in res structure.
@@ -97,8 +110,12 @@ func (c *Client) ContainerPut(ctx context.Context, prm PrmContainerPut) (*ResCon
 	prm.cnr.WriteToV2(&cnr)
 
 	var sig neofscrypto.Signature
+	signer := prm.signer
+	if signer == nil {
+		signer = c.defaultSigner()
+	}
 
-	err := container.CalculateSignature(&sig, prm.cnr, c.prm.key)
+	err := container.CalculateSignature(&sig, prm.cnr, signer)
 	if err != nil {
 		return nil, fmt.Errorf("calculate container signature: %w", err)
 	}
@@ -375,6 +392,8 @@ type PrmContainerDelete struct {
 
 	tokSet bool
 	tok    session.Container
+
+	signer neofscrypto.Signer
 }
 
 // SetContainer sets identifier of the NeoFS container to be removed.
@@ -384,6 +403,13 @@ func (x *PrmContainerDelete) SetContainer(id cid.ID) {
 	x.idSet = true
 }
 
+// SetSigner sets signer to sign request payload.
+// Signer's scheme MUST be neofscrypto.ECDSA_DETERMINISTIC_SHA256. For example, you can use neofsecdsa.SignerRFC6979.
+// Optional parameter: defaults to internal Client signer.
+func (x *PrmContainerDelete) SetSigner(signer neofscrypto.Signer) {
+	x.signer = signer
+}
+
 // WithinSession specifies session within which container should be removed.
 //
 // Creator of the session acquires the authorship of the request.
@@ -439,8 +465,12 @@ func (c *Client) ContainerDelete(ctx context.Context, prm PrmContainerDelete) (*
 	data := cidV2.GetValue()
 
 	var sig neofscrypto.Signature
+	signer := prm.signer
+	if signer == nil {
+		signer = c.defaultSigner()
+	}
 
-	err := sig.Calculate(neofsecdsa.SignerRFC6979(c.prm.key), data)
+	err := sig.Calculate(signer, data)
 	if err != nil {
 		return nil, fmt.Errorf("calculate signature: %w", err)
 	}
@@ -599,6 +629,8 @@ type PrmContainerSetEACL struct {
 
 	sessionSet bool
 	session    session.Container
+
+	signer neofscrypto.Signer
 }
 
 // SetTable sets eACL table structure to be set for the container.
@@ -608,6 +640,13 @@ func (x *PrmContainerSetEACL) SetTable(table eacl.Table) {
 	x.tableSet = true
 }
 
+// SetSigner sets signer to sign request payload.
+// Signer's scheme MUST be neofscrypto.ECDSA_DETERMINISTIC_SHA256. For example, you can use neofsecdsa.SignerRFC6979.
+// Optional parameter: defaults to internal Client signer.
+func (x *PrmContainerSetEACL) SetSigner(signer neofscrypto.Signer) {
+	x.signer = signer
+}
+
 // WithinSession specifies session within which extended ACL of the container
 // should be saved.
 //
@@ -665,8 +704,12 @@ func (c *Client) ContainerSetEACL(ctx context.Context, prm PrmContainerSetEACL)
 	eaclV2 := prm.table.ToV2()
 
 	var sig neofscrypto.Signature
+	signer := prm.signer
+	if signer == nil {
+		signer = c.defaultSigner()
+	}
 
-	err := sig.Calculate(neofsecdsa.SignerRFC6979(c.prm.key), eaclV2.StableMarshal(nil))
+	err := sig.Calculate(signer, eaclV2.StableMarshal(nil))
 	if err != nil {
 		return nil, fmt.Errorf("calculate signature: %w", err)
 	}

container/container.go

@@ -1,7 +1,6 @@
 package container
 
 import (
-	"crypto/ecdsa"
 	"crypto/sha256"
 	"errors"
 	"fmt"
@@ -15,7 +14,6 @@ import (
 	"github.com/nspcc-dev/neofs-sdk-go/container/acl"
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
-	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/netmap"
 	subnetid "github.com/nspcc-dev/neofs-sdk-go/subnet/id"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
@@ -481,8 +479,8 @@ func ReadDomain(cnr Container) (res Domain) {
 // will most likely break the signature.
 //
 // See also VerifySignature.
-func CalculateSignature(dst *neofscrypto.Signature, cnr Container, signer ecdsa.PrivateKey) error {
+func CalculateSignature(dst *neofscrypto.Signature, cnr Container, signer neofscrypto.Signer) error {
-	return dst.Calculate(neofsecdsa.SignerRFC6979(signer), cnr.Marshal())
+	return dst.Calculate(signer, cnr.Marshal())
 }
 
 // VerifySignature verifies Container signature calculated using CalculateSignature.

container/container_test.go

@@ -16,6 +16,7 @@ import (
 	cidtest "github.com/nspcc-dev/neofs-sdk-go/container/id/test"
 	containertest "github.com/nspcc-dev/neofs-sdk-go/container/test"
 	neofscrypto "github.com/nspcc-dev/neofs-sdk-go/crypto"
+	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	netmaptest "github.com/nspcc-dev/neofs-sdk-go/netmap/test"
 	subnetid "github.com/nspcc-dev/neofs-sdk-go/subnet/id"
 	subnetidtest "github.com/nspcc-dev/neofs-sdk-go/subnet/id/test"
@@ -339,7 +340,7 @@ func TestCalculateSignature(t *testing.T) {
 
 	var sig neofscrypto.Signature
 
-	require.NoError(t, container.CalculateSignature(&sig, val, key.PrivateKey))
+	require.NoError(t, container.CalculateSignature(&sig, val, neofsecdsa.SignerRFC6979(key.PrivateKey)))
 
 	var msg refs.Signature
 	sig.WriteToV2(&msg)