Merge pull request #36 from nspcc-dev/public-keys-in-token

Public keys in token
This commit is contained in:
Alex Vanin 2020-01-17 13:57:59 +03:00 committed by GitHub
commit 038f934da5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 111 additions and 26 deletions

View file

@ -115,6 +115,7 @@ User token granting rights for object manipulation
| ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object | | ObjectID | [bytes](#bytes) | repeated | ObjectID is an object identifier of manipulation object |
| Signature | [bytes](#bytes) | | Signature is a token signature, signed by owner of manipulation object | | Signature | [bytes](#bytes) | | Signature is a token signature, signed by owner of manipulation object |
| ID | [bytes](#bytes) | | ID is a token identifier. valid UUIDv4 represented in bytes | | ID | [bytes](#bytes) | | ID is a token identifier. valid UUIDv4 represented in bytes |
| PublicKeys | [bytes](#bytes) | repeated | PublicKeys associated with owner |
<a name="session.VerificationHeader"></a> <a name="session.VerificationHeader"></a>

View file

@ -31,20 +31,22 @@ func newTestClient(t *testing.T) *testClient {
func signToken(t *testing.T, token *PToken, c *testClient) { func signToken(t *testing.T, token *PToken, c *testClient) {
require.NotNil(t, token) require.NotNil(t, token)
token.SetPublicKeys(&c.PublicKey)
signH, err := c.Sign(token.Header.PublicKey) signH, err := c.Sign(token.Header.PublicKey)
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, signH) require.NotNil(t, signH)
// data is not yet signed // data is not yet signed
require.False(t, token.Verify(&c.PublicKey)) keys := UnmarshalPublicKeys(&token.Token)
require.False(t, token.Verify(keys...))
signT, err := c.Sign(token.verificationData()) signT, err := c.Sign(token.verificationData())
require.NoError(t, err) require.NoError(t, err)
require.NotNil(t, signT) require.NotNil(t, signT)
token.AddSignatures(signH, signT) token.AddSignatures(signH, signT)
require.True(t, token.Verify(&c.PublicKey)) require.True(t, token.Verify(keys...))
} }
func TestTokenStore(t *testing.T) { func TestTokenStore(t *testing.T) {

View file

@ -6,6 +6,7 @@ import (
"sync" "sync"
crypto "github.com/nspcc-dev/neofs-crypto" crypto "github.com/nspcc-dev/neofs-crypto"
"github.com/nspcc-dev/neofs-proto/chain"
"github.com/nspcc-dev/neofs-proto/internal" "github.com/nspcc-dev/neofs-proto/internal"
"github.com/nspcc-dev/neofs-proto/refs" "github.com/nspcc-dev/neofs-proto/refs"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -111,11 +112,24 @@ func (m *Token) Sign(key *ecdsa.PrivateKey) error {
return nil return nil
} }
// SetPublicKeys sets owner's public keys to the token
func (m *Token) SetPublicKeys(keys... *ecdsa.PublicKey) {
m.PublicKeys = m.PublicKeys[:0]
for i := range keys {
m.PublicKeys = append(m.PublicKeys, crypto.MarshalPublicKey(keys[i]))
}
}
// Verify checks if token is correct and signed. // Verify checks if token is correct and signed.
func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool { func (m *Token) Verify(keys ...*ecdsa.PublicKey) bool {
if m.FirstEpoch > m.LastEpoch { if m.FirstEpoch > m.LastEpoch {
return false return false
} }
ownerFromKeys := chain.KeysToAddress(keys...)
if m.OwnerID.String() != ownerFromKeys {
return false
}
for i := range keys { for i := range keys {
if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil { if m.Header.Verify(keys[i]) && crypto.Verify(keys[i], m.verificationData(), m.Signature) == nil {
return true return true
@ -156,3 +170,12 @@ func (m *VerificationHeader) Verify(keys ...*ecdsa.PublicKey) bool {
} }
return false return false
} }
// UnmarshalPublicKeys returns unmarshal public keys from the token
func UnmarshalPublicKeys(t *Token) []*ecdsa.PublicKey {
r := make([]*ecdsa.PublicKey, 0, len(t.PublicKeys))
for i := range t.PublicKeys {
r = append(r, crypto.UnmarshalPublicKey(t.PublicKeys[i]))
}
return r
}

View file

@ -91,7 +91,9 @@ type Token struct {
// Signature is a token signature, signed by owner of manipulation object // Signature is a token signature, signed by owner of manipulation object
Signature []byte `protobuf:"bytes,6,opt,name=Signature,proto3" json:"Signature,omitempty"` Signature []byte `protobuf:"bytes,6,opt,name=Signature,proto3" json:"Signature,omitempty"`
// ID is a token identifier. valid UUIDv4 represented in bytes // ID is a token identifier. valid UUIDv4 represented in bytes
ID TokenID `protobuf:"bytes,7,opt,name=ID,proto3,customtype=TokenID" json:"ID"` ID TokenID `protobuf:"bytes,7,opt,name=ID,proto3,customtype=TokenID" json:"ID"`
// PublicKeys associated with owner
PublicKeys [][]byte `protobuf:"bytes,8,rep,name=PublicKeys,proto3" json:"PublicKeys,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"` XXX_sizecache int32 `json:"-"`
@ -154,6 +156,13 @@ func (m *Token) GetSignature() []byte {
return nil return nil
} }
func (m *Token) GetPublicKeys() [][]byte {
if m != nil {
return m.PublicKeys
}
return nil
}
func init() { func init() {
proto.RegisterType((*VerificationHeader)(nil), "session.VerificationHeader") proto.RegisterType((*VerificationHeader)(nil), "session.VerificationHeader")
proto.RegisterType((*Token)(nil), "session.Token") proto.RegisterType((*Token)(nil), "session.Token")
@ -162,29 +171,30 @@ func init() {
func init() { proto.RegisterFile("session/types.proto", fileDescriptor_c0d9d9cb855cdad8) } func init() { proto.RegisterFile("session/types.proto", fileDescriptor_c0d9d9cb855cdad8) }
var fileDescriptor_c0d9d9cb855cdad8 = []byte{ var fileDescriptor_c0d9d9cb855cdad8 = []byte{
// 344 bytes of a gzipped FileDescriptorProto // 358 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x64, 0x91, 0x4d, 0x4b, 0xc3, 0x30, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x64, 0x91, 0xcd, 0x4e, 0xe3, 0x30,
0x18, 0xc7, 0x97, 0xee, 0x4d, 0xe3, 0x40, 0x89, 0x97, 0xa2, 0xd2, 0x8d, 0x9d, 0x2a, 0xb8, 0x16, 0x14, 0x85, 0x9b, 0xf4, 0x77, 0x3c, 0x95, 0x66, 0xe4, 0xd9, 0x44, 0x03, 0x4a, 0xab, 0xae, 0x82,
0xf4, 0xe4, 0xc5, 0x43, 0xa9, 0x62, 0x99, 0x30, 0xa9, 0xb2, 0x83, 0xb7, 0x36, 0xcb, 0xba, 0xf8, 0x44, 0x13, 0x09, 0x56, 0x6c, 0x58, 0x44, 0x01, 0x11, 0x15, 0xa9, 0xc8, 0xa0, 0x2e, 0xd8, 0x25,
0x92, 0x94, 0x26, 0x55, 0xf6, 0x4d, 0xf6, 0x91, 0x76, 0xf4, 0x28, 0x1e, 0x86, 0xd4, 0x2f, 0x22, 0xae, 0x9b, 0x9a, 0x1f, 0x3b, 0x8a, 0x1d, 0x50, 0xdf, 0x84, 0x47, 0xe1, 0x11, 0xba, 0x64, 0x89,
0x4b, 0xbb, 0x75, 0xc3, 0xdb, 0xf3, 0xfc, 0xfe, 0xc9, 0xf3, 0xf2, 0x7f, 0xe0, 0xa1, 0x20, 0x42, 0x58, 0x54, 0x28, 0xbc, 0x08, 0x8a, 0x93, 0xa6, 0xad, 0xd8, 0xdd, 0xfb, 0x1d, 0xfb, 0x9e, 0xeb,
0x50, 0xce, 0x6c, 0x39, 0x8d, 0x89, 0xb0, 0xe2, 0x84, 0x4b, 0x8e, 0x9a, 0x05, 0x3c, 0xea, 0x45, 0x63, 0xf0, 0x4f, 0x10, 0x21, 0x28, 0x67, 0x8e, 0x5c, 0xc4, 0x44, 0xd8, 0x71, 0xc2, 0x25, 0x87,
0x54, 0x4e, 0xd2, 0xd0, 0xc2, 0xfc, 0xcd, 0x8e, 0x78, 0xc4, 0x6d, 0xa5, 0x87, 0xe9, 0x58, 0x65, 0xed, 0x12, 0xfe, 0x1f, 0x46, 0x54, 0xce, 0xd3, 0xd0, 0xc6, 0xfc, 0xd1, 0x89, 0x78, 0xc4, 0x1d,
0x2a, 0x51, 0x51, 0xfe, 0xaf, 0x3b, 0x84, 0x68, 0x48, 0x12, 0x3a, 0xa6, 0x38, 0x90, 0x94, 0xb3, 0xa5, 0x87, 0xe9, 0x4c, 0x75, 0xaa, 0x51, 0x55, 0x71, 0x6f, 0x30, 0x01, 0x70, 0x42, 0x12, 0x3a,
0x5b, 0x12, 0x8c, 0x48, 0x82, 0x4e, 0xe0, 0xee, 0x7d, 0x1a, 0xbe, 0x52, 0xdc, 0x27, 0x53, 0x1d, 0xa3, 0x38, 0x90, 0x94, 0xb3, 0x0b, 0x12, 0x4c, 0x49, 0x02, 0xf7, 0xc1, 0xaf, 0xab, 0x34, 0x7c,
0x74, 0x80, 0xd9, 0xf2, 0x4b, 0x80, 0xba, 0xb0, 0xd5, 0x27, 0xd3, 0x07, 0x1a, 0xb1, 0x40, 0xa6, 0xa0, 0x78, 0x44, 0x16, 0x86, 0xd6, 0xd7, 0xac, 0x2e, 0xda, 0x00, 0x38, 0x00, 0xdd, 0x11, 0x59,
0x09, 0xd1, 0x35, 0xf5, 0x60, 0x8b, 0x75, 0x67, 0x1a, 0xac, 0x3f, 0xf2, 0x17, 0xc2, 0xd0, 0x25, 0x5c, 0xd3, 0x88, 0x05, 0x32, 0x4d, 0x88, 0xa1, 0xab, 0x03, 0x3b, 0x6c, 0xf0, 0xaa, 0x83, 0xe6,
0x6c, 0xe4, 0x55, 0x55, 0xa1, 0xbd, 0xf3, 0x63, 0xab, 0x18, 0xd5, 0xfa, 0xdf, 0xd8, 0xa9, 0xcd, 0x0d, 0xbf, 0x27, 0x0c, 0x9e, 0x80, 0x56, 0x31, 0x55, 0x0d, 0xfa, 0x7d, 0xb4, 0x67, 0x97, 0xab,
0x17, 0xed, 0x8a, 0x5f, 0x7c, 0x40, 0xa7, 0xb0, 0x39, 0xf8, 0x60, 0x24, 0xf1, 0xdc, 0xbc, 0x87, 0xda, 0x3f, 0x8d, 0xdd, 0xc6, 0x72, 0xd5, 0xab, 0xa1, 0xf2, 0x02, 0x3c, 0x00, 0xed, 0xf1, 0x33,
0xb3, 0xbf, 0x94, 0xbf, 0x17, 0xed, 0x15, 0xf6, 0x57, 0x01, 0x32, 0x20, 0xbc, 0xa1, 0x89, 0x90, 0x23, 0x89, 0xef, 0x15, 0x1e, 0xee, 0x9f, 0x5c, 0xfe, 0x58, 0xf5, 0xd6, 0x18, 0xad, 0x0b, 0x68,
0xd7, 0x31, 0xc7, 0x13, 0xbd, 0xda, 0x01, 0x66, 0xcd, 0xdf, 0x20, 0xcb, 0x8d, 0xee, 0x82, 0x95, 0x02, 0x70, 0x4e, 0x13, 0x21, 0xcf, 0x62, 0x8e, 0xe7, 0x46, 0xbd, 0xaf, 0x59, 0x0d, 0xb4, 0x45,
0x5c, 0x53, 0x72, 0x09, 0xd0, 0x19, 0xdc, 0x19, 0x84, 0xcf, 0x04, 0x4b, 0xcf, 0xd5, 0xeb, 0x9d, 0xf2, 0x17, 0x5d, 0x06, 0x6b, 0xb9, 0xa1, 0xe4, 0x0d, 0x80, 0x87, 0xa0, 0x33, 0x0e, 0xef, 0x08,
0xaa, 0xd9, 0x72, 0x0e, 0x8a, 0x4e, 0x6b, 0xee, 0xaf, 0xa3, 0x65, 0xad, 0x72, 0xf9, 0x46, 0xee, 0x96, 0xbe, 0x67, 0x34, 0xfb, 0x75, 0xab, 0xeb, 0xfe, 0x2d, 0x9d, 0x2a, 0x8e, 0xaa, 0x2a, 0x9f,
0xce, 0x1a, 0xa0, 0x36, 0xd4, 0x3c, 0x57, 0x6f, 0x6e, 0xcf, 0xab, 0xac, 0xf0, 0x5c, 0x5f, 0xf3, 0xb5, 0x79, 0x7c, 0xab, 0x48, 0xa7, 0x02, 0xb0, 0x07, 0x74, 0xdf, 0x33, 0xda, 0xbb, 0xfb, 0xaa,
0x5c, 0xe7, 0x6a, 0x9e, 0x19, 0xe0, 0x33, 0x33, 0xc0, 0x57, 0x66, 0x80, 0x9f, 0xcc, 0x00, 0xb3, 0x28, 0x7c, 0x0f, 0xe9, 0xc5, 0xaa, 0x55, 0x96, 0xc2, 0xe8, 0xe4, 0x76, 0x68, 0x8b, 0xb8, 0xa7,
0x5f, 0xa3, 0xf2, 0x64, 0x6e, 0xdc, 0x8d, 0x89, 0x18, 0xe3, 0xde, 0x88, 0xbc, 0xdb, 0x8c, 0xf0, 0xcb, 0xcc, 0xd4, 0xde, 0x32, 0x53, 0x7b, 0xcf, 0x4c, 0xed, 0x33, 0x33, 0xb5, 0x97, 0x2f, 0xb3,
0xb1, 0xe8, 0xe5, 0x57, 0x2b, 0x6c, 0x0b, 0x1b, 0x2a, 0xbd, 0xf8, 0x0b, 0x00, 0x00, 0xff, 0xff, 0x76, 0x6b, 0x6d, 0xfd, 0x2b, 0x13, 0x31, 0xc6, 0xc3, 0x29, 0x79, 0x72, 0x18, 0xe1, 0x33, 0x31,
0xc6, 0x87, 0x25, 0xf9, 0x08, 0x02, 0x00, 0x00, 0x2c, 0x7e, 0xb5, 0x8c, 0x35, 0x6c, 0xa9, 0xf6, 0xf8, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xbe, 0x33,
0xae, 0xb5, 0x28, 0x02, 0x00, 0x00,
} }
func (m *VerificationHeader) Marshal() (dAtA []byte, err error) { func (m *VerificationHeader) Marshal() (dAtA []byte, err error) {
@ -252,6 +262,15 @@ func (m *Token) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i -= len(m.XXX_unrecognized) i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized)
} }
if len(m.PublicKeys) > 0 {
for iNdEx := len(m.PublicKeys) - 1; iNdEx >= 0; iNdEx-- {
i -= len(m.PublicKeys[iNdEx])
copy(dAtA[i:], m.PublicKeys[iNdEx])
i = encodeVarintTypes(dAtA, i, uint64(len(m.PublicKeys[iNdEx])))
i--
dAtA[i] = 0x42
}
}
{ {
size := m.ID.Size() size := m.ID.Size()
i -= size i -= size
@ -375,6 +394,12 @@ func (m *Token) Size() (n int) {
} }
l = m.ID.Size() l = m.ID.Size()
n += 1 + l + sovTypes(uint64(l)) n += 1 + l + sovTypes(uint64(l))
if len(m.PublicKeys) > 0 {
for _, b := range m.PublicKeys {
l = len(b)
n += 1 + l + sovTypes(uint64(l))
}
}
if m.XXX_unrecognized != nil { if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized) n += len(m.XXX_unrecognized)
} }
@ -744,6 +769,38 @@ func (m *Token) Unmarshal(dAtA []byte) error {
return err return err
} }
iNdEx = postIndex iNdEx = postIndex
case 8:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field PublicKeys", wireType)
}
var byteLen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowTypes
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
byteLen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if byteLen < 0 {
return ErrInvalidLengthTypes
}
postIndex := iNdEx + byteLen
if postIndex < 0 {
return ErrInvalidLengthTypes
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.PublicKeys = append(m.PublicKeys, make([]byte, postIndex-iNdEx))
copy(m.PublicKeys[len(m.PublicKeys)-1], dAtA[iNdEx:postIndex])
iNdEx = postIndex
default: default:
iNdEx = preIndex iNdEx = preIndex
skippy, err := skipTypes(dAtA[iNdEx:]) skippy, err := skipTypes(dAtA[iNdEx:])

View file

@ -29,4 +29,6 @@ message Token {
bytes Signature = 6; bytes Signature = 6;
// ID is a token identifier. valid UUIDv4 represented in bytes // ID is a token identifier. valid UUIDv4 represented in bytes
bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false]; bytes ID = 7 [(gogoproto.customtype) = "TokenID", (gogoproto.nullable) = false];
// PublicKeys associated with owner
repeated bytes PublicKeys = 8;
} }