From b0271aa47867afb3a4222ee35f7a471d635e073e Mon Sep 17 00:00:00 2001 From: Leonard Lyubich Date: Wed, 19 May 2021 15:26:41 +0300 Subject: [PATCH] [#505] ir/container: Verify signature of binary eACL tables Add signature check to `checkSetEACL` method of the `setEACL` notification handler in Container processor. Signed-off-by: Leonard Lyubich --- .../processors/container/process_eacl.go | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/pkg/innerring/processors/container/process_eacl.go b/pkg/innerring/processors/container/process_eacl.go index 9c014605c7..105553483a 100644 --- a/pkg/innerring/processors/container/process_eacl.go +++ b/pkg/innerring/processors/container/process_eacl.go @@ -1,6 +1,12 @@ package container import ( + "crypto/elliptic" + "crypto/sha256" + "errors" + "fmt" + + "github.com/nspcc-dev/neo-go/pkg/crypto/keys" "github.com/nspcc-dev/neofs-node/pkg/morph/event/container" "go.uber.org/zap" ) @@ -24,6 +30,21 @@ func (cp *Processor) processSetEACL(e container.SetEACL) { } func (cp *Processor) checkSetEACL(e container.SetEACL) error { + // verify signature + key, err := keys.NewPublicKeyFromBytes(e.PublicKey(), elliptic.P256()) + if err != nil { + return fmt.Errorf("invalid key: %w", err) + } + + table := e.Table() + tableHash := sha256.Sum256(table) + + if !key.Verify(e.Signature(), tableHash[:]) { + return errors.New("invalid signature") + } + + // TODO: check key ownership + return nil }