diff --git a/docs/object.md b/docs/object.md
index e9248ba5..7e863253 100644
--- a/docs/object.md
+++ b/docs/object.md
@@ -33,6 +33,7 @@
- [IntegrityHeader](#object.IntegrityHeader)
- [Link](#object.Link)
- [Object](#object.Object)
+ - [PublicKey](#object.PublicKey)
- [Range](#object.Range)
- [SystemHeader](#object.SystemHeader)
- [Tombstone](#object.Tombstone)
@@ -368,6 +369,7 @@ in distributed system.
| PayloadChecksum | [bytes](#bytes) | | PayloadChecksum of actual object's payload |
| Integrity | [IntegrityHeader](#object.IntegrityHeader) | | Integrity header with checksum of all above headers in the object |
| StorageGroup | [storagegroup.StorageGroup](#storagegroup.StorageGroup) | | StorageGroup contains meta information for the data audit |
+| PublicKey | [PublicKey](#object.PublicKey) | | PublicKey of owner of the object. Key is used for verification and can be based on NeoID or x509 cert. |
@@ -407,6 +409,17 @@ in distributed system.
| Payload | [bytes](#bytes) | | Payload is an object's payload |
+
+
+### Message PublicKey
+
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| Value | [bytes](#bytes) | | Value contains marshaled ecdsa public key |
+
+
### Message Range
diff --git a/go.mod b/go.mod
index bb8c4ffa..688905e0 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
github.com/golang/protobuf v1.3.2
github.com/google/uuid v1.1.1
github.com/mr-tron/base58 v1.1.3
- github.com/nspcc-dev/neofs-crypto v0.2.2
+ github.com/nspcc-dev/neofs-crypto v0.2.3
github.com/nspcc-dev/netmap v1.6.1
github.com/nspcc-dev/tzhash v1.3.0
github.com/pkg/errors v0.8.1
diff --git a/go.sum b/go.sum
index db7763e0..531a6826 100644
--- a/go.sum
+++ b/go.sum
@@ -106,12 +106,12 @@ github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjW
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/nspcc-dev/hrw v1.0.8 h1:vwRuJXZXgkMvf473vFzeWGCfY1WBVeSHAEHvR4u3/Cg=
github.com/nspcc-dev/hrw v1.0.8/go.mod h1:l/W2vx83vMQo6aStyx2AuZrJ+07lGv2JQGlVkPG06MU=
-github.com/nspcc-dev/neofs-crypto v0.2.2 h1:jLc5O+Wdpaq7L4lNYFX7li+OP4I1FsvvcPW1NXm3erY=
-github.com/nspcc-dev/neofs-crypto v0.2.2/go.mod h1:F/96fUzPM3wR+UGsPi3faVNmFlA9KAEAUQR7dMxZmNA=
+github.com/nspcc-dev/neofs-crypto v0.2.3 h1:aca3X2aly92ENRbFK+kH6Hd+J9EQ4Eu6XMVoITSIKtc=
+github.com/nspcc-dev/neofs-crypto v0.2.3/go.mod h1:8w16GEJbH6791ktVqHN9YRNH3s9BEEKYxGhlFnp0cDw=
github.com/nspcc-dev/netmap v1.6.1 h1:Pigqpqi6QSdRiusbq5XlO20A18k6Eyu7j9MzOfAE3CM=
github.com/nspcc-dev/netmap v1.6.1/go.mod h1:mhV3UOg9ljQmu0teQShD6+JYX09XY5gu2I4hIByCH9M=
-github.com/nspcc-dev/rfc6979 v0.1.0 h1:Lwg7esRRoyK1Up/IN1vAef1EmvrBeMHeeEkek2fAJ6c=
-github.com/nspcc-dev/rfc6979 v0.1.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
+github.com/nspcc-dev/rfc6979 v0.2.0 h1:3e1WNxrN60/6N0DW7+UYisLeZJyfqZTNOjeV/toYvOE=
+github.com/nspcc-dev/rfc6979 v0.2.0/go.mod h1:exhIh1PdpDC5vQmyEsGvc4YDM/lyQp/452QxGq/UEso=
github.com/nspcc-dev/tzhash v1.3.0 h1:n6FTHsfPYbMi5Jmo6SwGVVRQD8i2w1P2ScCaW6rz69Q=
github.com/nspcc-dev/tzhash v1.3.0/go.mod h1:Lc4DersKS8MNIrunTmsAzANO56qnG+LZ4GOE/WYGVzU=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
diff --git a/object/extensions.go b/object/extensions.go
index 7427079b..f6b10ab7 100644
--- a/object/extensions.go
+++ b/object/extensions.go
@@ -1,4 +1,5 @@
package object
+// todo: all extensions must be transferred to the separate util library
import "github.com/nspcc-dev/neofs-proto/storagegroup"
diff --git a/object/types.go b/object/types.go
index f433b9c9..79cef655 100644
--- a/object/types.go
+++ b/object/types.go
@@ -67,6 +67,8 @@ const (
IntegrityHdr
// StorageGroupHdr is a storage group header type.
StorageGroupHdr
+ // PublicKeyHdr is a public key header type.
+ PublicKeyHdr
)
var (
@@ -140,6 +142,8 @@ func (m Header) typeOf(t isHeader_Value) (ok bool) {
_, ok = m.Value.(*Header_Integrity)
case *Header_StorageGroup:
_, ok = m.Value.(*Header_StorageGroup)
+ case *Header_PublicKey:
+ _, ok = m.Value.(*Header_PublicKey)
}
return
}
@@ -168,6 +172,8 @@ func HeaderType(t headerType) Pred {
return func(h *Header) bool { _, ok := h.Value.(*Header_Integrity); return ok }
case StorageGroupHdr:
return func(h *Header) bool { _, ok := h.Value.(*Header_StorageGroup); return ok }
+ case PublicKeyHdr:
+ return func(h *Header) bool { _, ok := h.Value.(*Header_PublicKey); return ok }
default:
return nil
}
diff --git a/object/types.pb.go b/object/types.pb.go
index b5a1e785..525b39b3 100644
Binary files a/object/types.pb.go and b/object/types.pb.go differ
diff --git a/object/types.proto b/object/types.proto
index 8f50f76e..293f3470 100644
--- a/object/types.proto
+++ b/object/types.proto
@@ -45,6 +45,8 @@ message Header {
IntegrityHeader Integrity = 9;
// StorageGroup contains meta information for the data audit
storagegroup.StorageGroup StorageGroup = 10;
+ // PublicKey of owner of the object. Key is used for verification and can be based on NeoID or x509 cert.
+ PublicKey PublicKey = 11;
}
}
@@ -122,3 +124,8 @@ message Object {
// Payload is an object's payload
bytes Payload = 3;
}
+
+message PublicKey {
+ // Value contains marshaled ecdsa public key
+ bytes Value = 1;
+}
diff --git a/object/verification.go b/object/verification.go
index 761c04e2..742375a9 100644
--- a/object/verification.go
+++ b/object/verification.go
@@ -63,28 +63,35 @@ func (m Object) verifySignature(key []byte, ih *IntegrityHeader) error {
// Verify performs local integrity check by finding verification header and
// integrity header. If header integrity is passed, function verifies
// checksum of the object payload.
+// todo: move this verification logic into separate library
func (m Object) Verify() error {
var (
err error
checksum []byte
+ pubkey []byte
)
- // Prepare structures
- _, vh := m.LastHeader(HeaderType(VerifyHdr))
- if vh == nil {
- return ErrHeaderNotFound
- }
- verify := vh.Value.(*Header_Verify).Verify
-
- _, ih := m.LastHeader(HeaderType(IntegrityHdr))
- if ih == nil {
+ ind, ih := m.LastHeader(HeaderType(IntegrityHdr))
+ if ih == nil || ind != len(m.Headers) - 1{
return ErrHeaderNotFound
}
integrity := ih.Value.(*Header_Integrity).Integrity
+ // Prepare structures
+ _, vh := m.LastHeader(HeaderType(VerifyHdr))
+ if vh == nil {
+ _, pkh := m.LastHeader(HeaderType(PublicKeyHdr))
+ if pkh == nil {
+ return ErrHeaderNotFound
+ }
+ pubkey = pkh.Value.(*Header_PublicKey).PublicKey.Value
+ } else {
+ pubkey = vh.Value.(*Header_Verify).Verify.PublicKey
+ }
+
// Verify signature
- err = m.verifySignature(verify.PublicKey, integrity)
+ err = m.verifySignature(pubkey, integrity)
if err != nil {
- return errors.Wrapf(err, "public key: %x", verify.PublicKey)
+ return errors.Wrapf(err, "public key: %x", pubkey)
}
// Verify checksum of header
@@ -111,22 +118,32 @@ func (m Object) Verify() error {
return nil
}
-// Sign creates new integrity header and adds it to the end of the list of
-// extended headers.
-func (m *Object) Sign(key *ecdsa.PrivateKey) error {
- headerChecksum, err := m.headersChecksum(false)
+// CreateIntegrityHeader returns signed integrity header for the object
+func CreateIntegrityHeader(obj *Object, key *ecdsa.PrivateKey) (*Header, error) {
+ headerChecksum, err := obj.headersChecksum(false)
if err != nil {
- return err
+ return nil, err
}
headerChecksumSignature, err := crypto.Sign(key, headerChecksum)
if err != nil {
- return err
+ return nil, err
}
- m.AddHeader(&Header{Value: &Header_Integrity{
+
+ return &Header{Value: &Header_Integrity{
Integrity: &IntegrityHeader{
HeadersChecksum: headerChecksum,
ChecksumSignature: headerChecksumSignature,
},
- }})
+ }}, nil
+}
+
+// Sign creates new integrity header and adds it to the end of the list of
+// extended headers.
+func (m *Object) Sign(key *ecdsa.PrivateKey) error {
+ ih, err := CreateIntegrityHeader(m, key)
+ if err != nil {
+ return err
+ }
+ m.AddHeader(ih)
return nil
}
diff --git a/object/verification_test.go b/object/verification_test.go
index f91e0518..b538023c 100644
--- a/object/verification_test.go
+++ b/object/verification_test.go
@@ -56,7 +56,7 @@ func TestObject_Verify(t *testing.T) {
obj.SetPayload(payload)
obj.SetHeader(&Header{Value: &Header_PayloadChecksum{[]byte("incorrect checksum")}})
- t.Run("error no integrity header", func(t *testing.T) {
+ t.Run("error no integrity header and pubkey", func(t *testing.T) {
err = obj.Verify()
require.EqualError(t, err, ErrHeaderNotFound.Error())
})
@@ -83,12 +83,25 @@ func TestObject_Verify(t *testing.T) {
}
obj.SetVerificationHeader(vh)
+ // validation header is not last
+ t.Run("error validation header is not last", func(t *testing.T) {
+ err = obj.Verify()
+ require.EqualError(t, err, ErrHeaderNotFound.Error())
+ })
+
+ obj.Headers = obj.Headers[:len(obj.Headers)-2]
+ obj.SetVerificationHeader(vh)
+ obj.SetHeader(&Header{Value: &Header_Integrity{ih}})
+
t.Run("error invalid header checksum", func(t *testing.T) {
err = obj.Verify()
require.EqualError(t, err, ErrVerifyHeader.Error())
})
- require.NoError(t, obj.Sign(sessionkey))
+ obj.Headers = obj.Headers[:len(obj.Headers)-1]
+ genIH, err := CreateIntegrityHeader(obj, sessionkey)
+ require.NoError(t, err)
+ obj.SetHeader(genIH)
t.Run("error invalid payload checksum", func(t *testing.T) {
err = obj.Verify()
@@ -96,10 +109,39 @@ func TestObject_Verify(t *testing.T) {
})
obj.SetHeader(&Header{Value: &Header_PayloadChecksum{obj.PayloadChecksum()}})
- require.NoError(t, obj.Sign(sessionkey))
- t.Run("correct", func(t *testing.T) {
+ obj.Headers = obj.Headers[:len(obj.Headers)-1]
+ genIH, err = CreateIntegrityHeader(obj, sessionkey)
+ require.NoError(t, err)
+ obj.SetHeader(genIH)
+
+ t.Run("correct with vh", func(t *testing.T) {
err = obj.Verify()
require.NoError(t, err)
})
+
+ pkh := Header{Value: &Header_PublicKey{&PublicKey{
+ Value: crypto.MarshalPublicKey(&key.PublicKey),
+ }}}
+ // replace vh with pkh
+ obj.Headers[len(obj.Headers)-2] = pkh
+ // re-sign object
+ obj.Sign(sessionkey)
+
+
+ t.Run("incorrect with bad public key", func(t *testing.T) {
+ err = obj.Verify()
+ require.Error(t, err)
+ })
+
+ obj.SetHeader(&Header{Value: &Header_PublicKey{&PublicKey{
+ Value: dataPK,
+ }}})
+ obj.Sign(sessionkey)
+
+ t.Run("correct with good public key", func(t *testing.T) {
+ err = obj.Verify()
+ require.NoError(t, err)
+ })
+
}