[#203] refs: Change support for different signature schemes

Remove `UNSPECIFIED` value from `SignatureScheme` enum. Make
`ECDSA_SHA512` to be default signature scheme (zero value).

Define `SignatureRFC6979` type for RFC-6979 signatures. Use it in
`Container` service.

Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
Leonard Lyubich 2022-03-02 12:30:05 +03:00 committed by Alex Vanin
parent f6dad19bef
commit b28ce35524
4 changed files with 39 additions and 25 deletions

View file

@ -97,8 +97,7 @@ message PutRequest {
container.Container container = 1; container.Container container = 1;
// Signature of a stable-marshalled container according to RFC-6979. // Signature of a stable-marshalled container according to RFC-6979.
// Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. neo.fs.v2.refs.SignatureRFC6979 signature = 2;
neo.fs.v2.refs.Signature signature =2;
} }
// Body of container put request message. // Body of container put request message.
Body body = 1; Body body = 1;
@ -146,8 +145,7 @@ message DeleteRequest {
neo.fs.v2.refs.ContainerID container_id = 1; neo.fs.v2.refs.ContainerID container_id = 1;
// `ContainerID` signed with the container owner's key according to RFC-6979. // `ContainerID` signed with the container owner's key according to RFC-6979.
// Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. neo.fs.v2.refs.SignatureRFC6979 signature = 2;
neo.fs.v2.refs.Signature signature = 2;
} }
// Body of container delete request message. // Body of container delete request message.
Body body = 1; Body body = 1;
@ -210,8 +208,7 @@ message GetResponse {
Container container = 1; Container container = 1;
// Signature of a stable-marshalled container according to RFC-6979. // Signature of a stable-marshalled container according to RFC-6979.
// Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. neo.fs.v2.refs.SignatureRFC6979 signature = 2;
neo.fs.v2.refs.Signature signature = 2;
// Session token if the container was created within a session // Session token if the container was created within a session
neo.fs.v2.session.SessionToken session_token = 3; neo.fs.v2.session.SessionToken session_token = 3;
@ -279,8 +276,7 @@ message SetExtendedACLRequest {
neo.fs.v2.acl.EACLTable eacl = 1; neo.fs.v2.acl.EACLTable eacl = 1;
// Signature of stable-marshalled Extended ACL table according to RFC-6979. // Signature of stable-marshalled Extended ACL table according to RFC-6979.
// Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. neo.fs.v2.refs.SignatureRFC6979 signature = 2;
neo.fs.v2.refs.Signature signature = 2;
} }
// Body of set extended acl request message. // Body of set extended acl request message.
Body body = 1; Body body = 1;
@ -346,8 +342,7 @@ message GetExtendedACLResponse {
neo.fs.v2.acl.EACLTable eacl = 1; neo.fs.v2.acl.EACLTable eacl = 1;
// Signature of stable-marshalled Extended ACL according to RFC-6979. // Signature of stable-marshalled Extended ACL according to RFC-6979.
// Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. neo.fs.v2.refs.SignatureRFC6979 signature = 2;
neo.fs.v2.refs.Signature signature = 2;
// Session token if Extended ACL was set within a session // Session token if Extended ACL was set within a session
neo.fs.v2.session.SessionToken session_token = 3; neo.fs.v2.session.SessionToken session_token = 3;

View file

@ -259,7 +259,7 @@ smart contract, so signing algorithm must be supported by NeoVM.
| Field | Type | Label | Description | | Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) | | Identifier of the container to delete from NeoFS | | container_id | [neo.fs.v2.refs.ContainerID](#neo.fs.v2.refs.ContainerID) | | Identifier of the container to delete from NeoFS |
| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) | | `ContainerID` signed with the container owner's key according to RFC-6979. Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | `ContainerID` signed with the container owner's key according to RFC-6979. |
<a name="neo.fs.v2.container.DeleteResponse"></a> <a name="neo.fs.v2.container.DeleteResponse"></a>
@ -332,7 +332,7 @@ container creation.
| Field | Type | Label | Description | | Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) | | Extended ACL requested, if available | | eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) | | Extended ACL requested, if available |
| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) | | Signature of stable-marshalled Extended ACL according to RFC-6979. Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | Signature of stable-marshalled Extended ACL according to RFC-6979. |
| session_token | [neo.fs.v2.session.SessionToken](#neo.fs.v2.session.SessionToken) | | Session token if Extended ACL was set within a session | | session_token | [neo.fs.v2.session.SessionToken](#neo.fs.v2.session.SessionToken) | | Session token if Extended ACL was set within a session |
@ -383,7 +383,7 @@ was already verified on container creation.
| Field | Type | Label | Description | | Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| container | [Container](#neo.fs.v2.container.Container) | | Requested container structure | | container | [Container](#neo.fs.v2.container.Container) | | Requested container structure |
| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) | | Signature of a stable-marshalled container according to RFC-6979. Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | Signature of a stable-marshalled container according to RFC-6979. |
| session_token | [neo.fs.v2.session.SessionToken](#neo.fs.v2.session.SessionToken) | | Session token if the container was created within a session | | session_token | [neo.fs.v2.session.SessionToken](#neo.fs.v2.session.SessionToken) | | Session token if the container was created within a session |
@ -461,7 +461,7 @@ additional signature checks.
| Field | Type | Label | Description | | Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| container | [Container](#neo.fs.v2.container.Container) | | Container structure to register in NeoFS | | container | [Container](#neo.fs.v2.container.Container) | | Container structure to register in NeoFS |
| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) | | Signature of a stable-marshalled container according to RFC-6979. Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | Signature of a stable-marshalled container according to RFC-6979. |
<a name="neo.fs.v2.container.PutResponse"></a> <a name="neo.fs.v2.container.PutResponse"></a>
@ -514,7 +514,7 @@ reference. It will be taken from `EACLTable.container_id` field.
| Field | Type | Label | Description | | Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) | | Extended ACL table to set for container | | eacl | [neo.fs.v2.acl.EACLTable](#neo.fs.v2.acl.EACLTable) | | Extended ACL table to set for container |
| signature | [neo.fs.v2.refs.Signature](#neo.fs.v2.refs.Signature) | | Signature of stable-marshalled Extended ACL table according to RFC-6979. Signature scheme must be either UNSPECIFIED or ECDSA_RFC6979_SHA256. | | signature | [neo.fs.v2.refs.SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979) | | Signature of stable-marshalled Extended ACL table according to RFC-6979. |
<a name="neo.fs.v2.container.SetExtendedACLResponse"></a> <a name="neo.fs.v2.container.SetExtendedACLResponse"></a>

View file

@ -12,6 +12,7 @@
- [ObjectID](#neo.fs.v2.refs.ObjectID) - [ObjectID](#neo.fs.v2.refs.ObjectID)
- [OwnerID](#neo.fs.v2.refs.OwnerID) - [OwnerID](#neo.fs.v2.refs.OwnerID)
- [Signature](#neo.fs.v2.refs.Signature) - [Signature](#neo.fs.v2.refs.Signature)
- [SignatureRFC6979](#neo.fs.v2.refs.SignatureRFC6979)
- [SubnetID](#neo.fs.v2.refs.SubnetID) - [SubnetID](#neo.fs.v2.refs.SubnetID)
- [Version](#neo.fs.v2.refs.Version) - [Version](#neo.fs.v2.refs.Version)
@ -148,7 +149,19 @@ Signature of something in NeoFS.
| ----- | ---- | ----- | ----------- | | ----- | ---- | ----- | ----------- |
| key | [bytes](#bytes) | | Public key used for signing | | key | [bytes](#bytes) | | Public key used for signing |
| sign | [bytes](#bytes) | | Signature | | sign | [bytes](#bytes) | | Signature |
| scheme | [SignatureScheme](#neo.fs.v2.refs.SignatureScheme) | | Scheme contains digital signature scheme identifier. | | scheme | [SignatureScheme](#neo.fs.v2.refs.SignatureScheme) | | Scheme contains digital signature scheme identifier |
<a name="neo.fs.v2.refs.SignatureRFC6979"></a>
### Message SignatureRFC6979
RFC 6979 signature.
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| key | [bytes](#bytes) | | Public key used for signing |
| sign | [bytes](#bytes) | | Deterministic ECDSA with SHA-256 hashing |
<a name="neo.fs.v2.refs.SubnetID"></a> <a name="neo.fs.v2.refs.SubnetID"></a>
@ -203,9 +216,8 @@ Signature scheme describes digital signing scheme used for (key, signature) pair
| Name | Number | Description | | Name | Number | Description |
| ---- | ------ | ----------- | | ---- | ------ | ----------- |
| UNSPECIFIED | 0 | Unknown. The default interpretation depends on a particular structure type. | | ECDSA_SHA512 | 0 | ECDSA with SHA-512 hashing (FIPS 186-3) |
| ECDSA_SHA512 | 1 | ECDSA with SHA-512 hashing (FIPS 186-3). | | ECDSA_RFC6979_SHA256 | 1 | Deterministic ECDSA with SHA-256 hashing (RFC 6979) |
| ECDSA_RFC6979_SHA256 | 2 | Deterministic ECDSA with SHA-256 hashing (RFC 6979) |
<!-- end enums --> <!-- end enums -->

View file

@ -105,18 +105,25 @@ message Signature {
bytes key = 1 [json_name = "key"]; bytes key = 1 [json_name = "key"];
// Signature // Signature
bytes sign = 2 [json_name = "signature"]; bytes sign = 2 [json_name = "signature"];
// Scheme contains digital signature scheme identifier. // Scheme contains digital signature scheme identifier
SignatureScheme scheme = 3 [json_name = "scheme"]; SignatureScheme scheme = 3 [json_name = "scheme"];
} }
// Signature scheme describes digital signing scheme used for (key, signature) pair. // Signature scheme describes digital signing scheme used for (key, signature) pair.
enum SignatureScheme { enum SignatureScheme {
// Unknown. The default interpretation depends on a particular structure type. // ECDSA with SHA-512 hashing (FIPS 186-3)
UNSPECIFIED = 0; ECDSA_SHA512 = 0;
// ECDSA with SHA-512 hashing (FIPS 186-3).
ECDSA_SHA512 = 1;
// Deterministic ECDSA with SHA-256 hashing (RFC 6979) // Deterministic ECDSA with SHA-256 hashing (RFC 6979)
ECDSA_RFC6979_SHA256 = 2; ECDSA_RFC6979_SHA256 = 1;
}
// RFC 6979 signature.
message SignatureRFC6979 {
// Public key used for signing
bytes key = 1 [json_name = "key"];
// Deterministic ECDSA with SHA-256 hashing
bytes sign = 2 [json_name = "signature"];
} }
// Checksum algorithm type. // Checksum algorithm type.