forked from TrueCloudLab/frostfs-sdk-go
[#157] signature: Change scheme selection
`SignData`: use `ECDSAWithSHA512` by default. `SignWithRFC6979` option switches the scheme to `RFC6979WithSHA256`. `VerifyData`: if scheme is not fixed (like by `SignWithRFC6979` option) then scheme from the message is processed. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich
Alex Vanin
parent
2a0b7b6b40
commit
a292150d42
5 changed files with 20 additions and 22 deletions
2
go.mod
2
go.mod
|
|
@ -10,7 +10,7 @@ require (
|
||||||
github.com/mr-tron/base58 v1.2.0
|
github.com/mr-tron/base58 v1.2.0
|
||||||
github.com/nspcc-dev/hrw v1.0.9
|
github.com/nspcc-dev/hrw v1.0.9
|
||||||
github.com/nspcc-dev/neo-go v0.98.0
|
github.com/nspcc-dev/neo-go v0.98.0
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.0
|
github.com/nspcc-dev/neofs-api-go/v2 v2.11.2-0.20220302134950-d065453bd0a7
|
||||||
github.com/stretchr/testify v1.7.0
|
github.com/stretchr/testify v1.7.0
|
||||||
go.uber.org/zap v1.18.1
|
go.uber.org/zap v1.18.1
|
||||||
google.golang.org/grpc v1.41.0
|
google.golang.org/grpc v1.41.0
|
||||||
|
|
|
||||||
4
go.sum
4
go.sum
|
|
@ -177,8 +177,8 @@ github.com/nspcc-dev/neo-go v0.73.1-pre.0.20200303142215-f5a1b928ce09/go.mod h1:
|
||||||
github.com/nspcc-dev/neo-go v0.98.0 h1:yyW4sgY88/pLf0949qmgfkQXzRKC3CI/WyhqXNnwMd8=
|
github.com/nspcc-dev/neo-go v0.98.0 h1:yyW4sgY88/pLf0949qmgfkQXzRKC3CI/WyhqXNnwMd8=
|
||||||
github.com/nspcc-dev/neo-go v0.98.0/go.mod h1:E3cc1x6RXSXrJb2nDWXTXjnXk3rIqVN8YdFyWv+FrqM=
|
github.com/nspcc-dev/neo-go v0.98.0/go.mod h1:E3cc1x6RXSXrJb2nDWXTXjnXk3rIqVN8YdFyWv+FrqM=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.11.0-pre.0.20211201134523-3604d96f3fe1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.11.0-pre.0.20211201134523-3604d96f3fe1/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.0 h1:xWqXzorDk9WFMTtWP7cwwlyJDL1X6Z4HT1e5zqkq7xY=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.11.2-0.20220302134950-d065453bd0a7 h1:hLMvj4K9djzBg+TaeDGQWGuohzXvcThi0r0LSLhhi3M=
|
||||||
github.com/nspcc-dev/neofs-api-go/v2 v2.12.0/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
github.com/nspcc-dev/neofs-api-go/v2 v2.11.2-0.20220302134950-d065453bd0a7/go.mod h1:oS8dycEh8PPf2Jjp6+8dlwWyEv2Dy77h/XhhcdxYEFs=
|
||||||
github.com/nspcc-dev/neofs-crypto v0.2.0/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
|
github.com/nspcc-dev/neofs-crypto v0.2.0/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
|
||||||
github.com/nspcc-dev/neofs-crypto v0.2.3/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
github.com/nspcc-dev/neofs-crypto v0.2.3/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
|
||||||
github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnBg0L4ifM=
|
github.com/nspcc-dev/neofs-crypto v0.3.0 h1:zlr3pgoxuzrmGCxc5W8dGVfA9Rro8diFvVnBg0L4ifM=
|
||||||
|
|
|
||||||
|
|
@ -12,11 +12,14 @@ type Scheme uint32
|
||||||
|
|
||||||
// Supported signature schemes.
|
// Supported signature schemes.
|
||||||
const (
|
const (
|
||||||
Unspecified Scheme = iota
|
ECDSAWithSHA512 Scheme = iota
|
||||||
ECDSAWithSHA512
|
|
||||||
RFC6979WithSHA256
|
RFC6979WithSHA256
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func (x Scheme) String() string {
|
||||||
|
return refs.SignatureScheme(x).String()
|
||||||
|
}
|
||||||
|
|
||||||
// NewFromV2 wraps v2 Signature message to Signature.
|
// NewFromV2 wraps v2 Signature message to Signature.
|
||||||
//
|
//
|
||||||
// Nil refs.Signature converts to nil.
|
// Nil refs.Signature converts to nil.
|
||||||
|
|
|
||||||
|
|
@ -57,7 +57,7 @@ func SignData(key *ecdsa.PrivateKey, src DataSource, opts ...SignOption) (*signa
|
||||||
|
|
||||||
cfg := getConfig(opts...)
|
cfg := getConfig(opts...)
|
||||||
|
|
||||||
sigData, err := sign(cfg.defaultScheme, key, data)
|
sigData, err := sign(cfg.scheme, key, data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
@ -65,7 +65,7 @@ func SignData(key *ecdsa.PrivateKey, src DataSource, opts ...SignOption) (*signa
|
||||||
sig := signature.New()
|
sig := signature.New()
|
||||||
sig.SetKey((*keys.PublicKey)(&key.PublicKey).Bytes())
|
sig.SetKey((*keys.PublicKey)(&key.PublicKey).Bytes())
|
||||||
sig.SetSign(sigData)
|
sig.SetSign(sigData)
|
||||||
sig.SetScheme(cfg.defaultScheme)
|
sig.SetScheme(cfg.scheme)
|
||||||
return sig, nil
|
return sig, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,14 +16,13 @@ import (
|
||||||
var curve = elliptic.P256()
|
var curve = elliptic.P256()
|
||||||
|
|
||||||
type cfg struct {
|
type cfg struct {
|
||||||
defaultScheme signature.Scheme
|
schemeFixed bool
|
||||||
restrictScheme signature.Scheme
|
scheme signature.Scheme
|
||||||
}
|
}
|
||||||
|
|
||||||
func getConfig(opts ...SignOption) *cfg {
|
func getConfig(opts ...SignOption) *cfg {
|
||||||
cfg := &cfg{
|
cfg := &cfg{
|
||||||
defaultScheme: signature.ECDSAWithSHA512,
|
scheme: signature.ECDSAWithSHA512,
|
||||||
restrictScheme: signature.Unspecified,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for i := range opts {
|
for i := range opts {
|
||||||
|
|
@ -46,7 +45,7 @@ func sign(scheme signature.Scheme, key *ecdsa.PrivateKey, msg []byte) ([]byte, e
|
||||||
p := &keys.PrivateKey{PrivateKey: *key}
|
p := &keys.PrivateKey{PrivateKey: *key}
|
||||||
return p.Sign(msg), nil
|
return p.Sign(msg), nil
|
||||||
default:
|
default:
|
||||||
panic("unsupported scheme")
|
panic(fmt.Sprintf("unsupported scheme %s", scheme))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -56,15 +55,11 @@ func verify(cfg *cfg, msg []byte, sig *signature.Signature) error {
|
||||||
return fmt.Errorf("%w: %v", ErrInvalidPublicKey, err)
|
return fmt.Errorf("%w: %v", ErrInvalidPublicKey, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
scheme := sig.Scheme()
|
if !cfg.schemeFixed {
|
||||||
if scheme == signature.Unspecified {
|
cfg.scheme = sig.Scheme()
|
||||||
scheme = cfg.defaultScheme
|
|
||||||
}
|
|
||||||
if cfg.restrictScheme != signature.Unspecified && scheme != cfg.restrictScheme {
|
|
||||||
return fmt.Errorf("%w: unexpected signature scheme", ErrInvalidSignature)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
switch scheme {
|
switch cfg.scheme {
|
||||||
case signature.ECDSAWithSHA512:
|
case signature.ECDSAWithSHA512:
|
||||||
h := sha512.Sum512(msg)
|
h := sha512.Sum512(msg)
|
||||||
r, s := unmarshalXY(sig.Sign())
|
r, s := unmarshalXY(sig.Sign())
|
||||||
|
|
@ -79,7 +74,7 @@ func verify(cfg *cfg, msg []byte, sig *signature.Signature) error {
|
||||||
}
|
}
|
||||||
return ErrInvalidSignature
|
return ErrInvalidSignature
|
||||||
default:
|
default:
|
||||||
return ErrInvalidSignature
|
return fmt.Errorf("unsupported signature scheme %s", cfg.scheme)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -111,7 +106,7 @@ func unmarshalXY(data []byte) (x *big.Int, y *big.Int) {
|
||||||
|
|
||||||
func SignWithRFC6979() SignOption {
|
func SignWithRFC6979() SignOption {
|
||||||
return func(c *cfg) {
|
return func(c *cfg) {
|
||||||
c.defaultScheme = signature.RFC6979WithSHA256
|
c.schemeFixed = true
|
||||||
c.restrictScheme = signature.RFC6979WithSHA256
|
c.scheme = signature.RFC6979WithSHA256
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue