service: Add updated Sign/Verify mechanism

2020-08-12 17:03:11 +03:00 · 2020-08-12 17:03:11 +03:00 · 297212886d
commit 297212886d
parent ea7c6a22da
4 changed files with 206 additions and 0 deletions
--- a/service/signature/data.go
+++ b/service/signature/data.go
@ -0,0 +1,85 @@
 package signature
 import (
 	"crypto/ecdsa"
 	crypto "github.com/nspcc-dev/neofs-crypto"
 )
 type DataSource interface {
 	ReadSignedData([]byte) ([]byte, error)
 	SignedDataLength() int
 }
 type DataWithSignature interface {
 	DataSource
 	GetSignatureWithKey() (key, sig []byte)
 	SetSignatureWithKey(key, sig []byte)
 }
 type SignOption func(*cfg)
 type KeySignatureHandler func(key []byte, sig []byte)
 type KeySignatureSource func() (key, sig []byte)
 func DataSignature(key *ecdsa.PrivateKey, src DataSource, opts ...SignOption) ([]byte, error) {
 	if key == nil {
 		return nil, crypto.ErrEmptyPrivateKey
 	}
 	data, err := dataForSignature(src)
 	if err != nil {
 		return nil, err
 	}
 	defer bytesPool.Put(data)
 	cfg := defaultCfg()
 	for i := range opts {
 		opts[i](cfg)
 	}
 	return cfg.signFunc(key, data)
 }
 func SignDataWithHandler(key *ecdsa.PrivateKey, src DataSource, handler KeySignatureHandler, opts ...SignOption) error {
 	sig, err := DataSignature(key, src, opts...)
 	if err != nil {
 		return err
 	}
 	handler(crypto.MarshalPublicKey(&key.PublicKey), sig)
 	return nil
 }
 func VerifyDataWithSource(dataSrc DataSource, sigSrc KeySignatureSource, opts ...SignOption) error {
 	data, err := dataForSignature(dataSrc)
 	if err != nil {
 		return err
 	}
 	defer bytesPool.Put(data)
 	cfg := defaultCfg()
 	for i := range opts {
 		opts[i](cfg)
 	}
 	key, sig := sigSrc()
 	return cfg.verifyFunc(
 		crypto.UnmarshalPublicKey(key),
 		data,
 		sig,
 	)
 }
 func SignData(key *ecdsa.PrivateKey, v DataWithSignature, opts ...SignOption) error {
 	return SignDataWithHandler(key, v, v.SetSignatureWithKey, opts...)
 }
 func VerifyData(src DataWithSignature, opts ...SignOption) error {
 	return VerifyDataWithSource(src, src.GetSignatureWithKey, opts...)
 }
--- a/service/signature/options.go
+++ b/service/signature/options.go
@ -0,0 +1,26 @@
 package signature
 import (
 	"crypto/ecdsa"
 	crypto "github.com/nspcc-dev/neofs-crypto"
 )
 type cfg struct {
 	signFunc   func(key *ecdsa.PrivateKey, msg []byte) ([]byte, error)
 	verifyFunc func(key *ecdsa.PublicKey, msg []byte, sig []byte) error
 }
 func defaultCfg() *cfg {
 	return &cfg{
 		signFunc:   crypto.Sign,
 		verifyFunc: crypto.Verify,
 	}
 }
 func SignWithRFC6979() SignOption {
 	return func(c *cfg) {
 		c.signFunc = crypto.SignRFC6979
 		c.verifyFunc = crypto.VerifyRFC6979
 	}
 }
--- a/service/signature/request.go
+++ b/service/signature/request.go
@ -0,0 +1,64 @@
 package signature
 import (
 	"crypto/ecdsa"
 	"github.com/pkg/errors"
 )
 type SignedRequest interface {
 	Body() DataSource
 	MetaHeader() DataSource
 	OriginVerificationHeader() DataSource
 	SetBodySignatureWithKey(key, sig []byte)
 	BodySignatureWithKey() (key, sig []byte)
 	SetMetaSignatureWithKey(key, sig []byte)
 	MetaSignatureWithKey() (key, sig []byte)
 	SetOriginSignatureWithKey(key, sig []byte)
 	OriginSignatureWithKey() (key, sig []byte)
 }
 func SignRequest(key *ecdsa.PrivateKey, src SignedRequest) error {
 	if src == nil {
 		return errors.New("nil source")
 	}
 	// sign body
 	if err := SignDataWithHandler(key, src.Body(), src.SetBodySignatureWithKey); err != nil {
 		return errors.Wrap(err, "could not sign body")
 	}
 	// sign meta
 	if err := SignDataWithHandler(key, src.Body(), src.SetMetaSignatureWithKey); err != nil {
 		return errors.Wrap(err, "could not sign meta header")
 	}
 	// sign verify origin
 	if err := SignDataWithHandler(key, src.OriginVerificationHeader(), src.SetOriginSignatureWithKey); err != nil {
 		return errors.Wrap(err, "could not sign verification header origin")
 	}
 	return nil
 }
 func VerifyRequest(src SignedRequest) error {
 	// verify body signature
 	if err := VerifyDataWithSource(src.Body(), src.BodySignatureWithKey); err != nil {
 		return errors.Wrap(err, "could not verify body")
 	}
 	// verify meta header
 	if err := VerifyDataWithSource(src.MetaHeader(), src.MetaSignatureWithKey); err != nil {
 		return errors.Wrap(err, "could not verify meta header")
 	}
 	// verify verification header origin
 	if err := VerifyDataWithSource(src.OriginVerificationHeader(), src.OriginSignatureWithKey); err != nil {
 		return errors.Wrap(err, "could not verify verification header origin")
 	}
 	return nil
 }
--- a/service/signature/util.go
+++ b/service/signature/util.go
@ -0,0 +1,31 @@
 package signature
 import (
 	"sync"
 	"github.com/pkg/errors"
 )
 var bytesPool = sync.Pool{
 	New: func() interface{} {
 		return make([]byte, 5<<20)
 	},
 }
 func dataForSignature(src DataSource) ([]byte, error) {
 	if src == nil {
 		return nil, errors.New("nil source")
 	}
 	buf := bytesPool.Get().([]byte)
 	if size := src.SignedDataLength(); size < 0 {
 		return nil, errors.New("negative length")
 	} else if size <= cap(buf) {
 		buf = buf[:size]
 	} else {
 		buf = make([]byte, size)
 	}
 	return src.ReadSignedData(buf)
 }