diff --git a/service/sign.go b/service/sign.go
deleted file mode 100644
index d8db94e..0000000
--- a/service/sign.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package service
-
-import (
- "crypto/ecdsa"
-
- crypto "github.com/nspcc-dev/neofs-crypto"
- "github.com/nspcc-dev/neofs-proto/internal"
- "github.com/pkg/errors"
-)
-
-// ErrWrongSignature should be raised when wrong signature is passed into VerifyRequest.
-const ErrWrongSignature = internal.Error("wrong signature")
-
-// SignedRequest interface allows sign and verify requests.
-type SignedRequest interface {
- PrepareData() ([]byte, error)
- GetSignature() []byte
- SetSignature([]byte)
-}
-
-// SignRequest with passed private key.
-func SignRequest(r SignedRequest, key *ecdsa.PrivateKey) error {
- var signature []byte
- if data, err := r.PrepareData(); err != nil {
- return err
- } else if signature, err = crypto.Sign(key, data); err != nil {
- return errors.Wrap(err, "could not sign data")
- }
-
- r.SetSignature(signature)
-
- return nil
-}
-
-// VerifyRequest by passed public keys.
-func VerifyRequest(r SignedRequest, keys ...*ecdsa.PublicKey) bool {
- data, err := r.PrepareData()
- if err != nil {
- return false
- }
- for i := range keys {
- if err := crypto.Verify(keys[i], data, r.GetSignature()); err == nil {
- return true
- }
- }
- return false
-}
diff --git a/service/verify.go b/service/verify.go
index a6ac3a5..48e2871 100644
--- a/service/verify.go
+++ b/service/verify.go
@@ -6,6 +6,7 @@ import (
 "github.com/gogo/protobuf/proto"
 crypto "github.com/nspcc-dev/neofs-crypto"
 "github.com/nspcc-dev/neofs-proto/internal"
+ "github.com/nspcc-dev/neofs-proto/refs"
 "github.com/pkg/errors"
 )
@@ -35,6 +36,9 @@ const (
 // ErrCannotFindOwner is raised when signatures empty in GetOwner.
 ErrCannotFindOwner = internal.Error("cannot find owner public key")
+
+ // ErrWrongOwner is raised when passed OwnerID not equal to present PublicKey
+ ErrWrongOwner = internal.Error("wrong owner")
 )
 // SetSignatures replaces signatures stored in RequestVerificationHeader.
@@ -62,6 +66,18 @@ func (m *RequestVerificationHeader) SetOwner(pub *ecdsa.PublicKey, sign []byte)
 }
 }
+// CheckOwner validates, that passed OwnerID is equal to present PublicKey of owner.
+func (m *RequestVerificationHeader) CheckOwner(owner refs.OwnerID) error {
+ if key, err := m.GetOwner(); err != nil {
+ return err
+ } else if user, err := refs.NewOwnerID(key); err != nil {
+ return err
+ } else if !user.Equal(owner) {
+ return ErrWrongOwner
+ }
+ return nil
+}
+
 // GetOwner tries to get owner (client) public key from signatures.
 // If signatures contains not empty Origin, we should try to validate,
 // that session key was signed by owner (client), otherwise return error.
diff --git a/service/verify_test.go b/service/verify_test.go
index 1403c67..237e362 100644
--- a/service/verify_test.go
+++ b/service/verify_test.go
@@ -9,6 +9,7 @@ import (
 "github.com/gogo/protobuf/proto"
 crypto "github.com/nspcc-dev/neofs-crypto"
 "github.com/nspcc-dev/neofs-crypto/test"
+ "github.com/nspcc-dev/neofs-proto/refs"
 "github.com/pkg/errors"
 "github.com/stretchr/testify/require"
 )
@@ -78,6 +79,12 @@ func TestMaintainableRequest(t *testing.T) {
 }
 }
+ { // Validate owner
+ user, err := refs.NewOwnerID(&owner.PublicKey)
+ require.NoError(t, err)
+ require.NoError(t, req.CheckOwner(user))
+ }
+
 { // Good case:
 require.NoError(t, VerifyRequestHeader(req))
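Review bot: CheckOwner in service/verify.go (hunk `@@ -62,6 +66,18 @@`) only compares the passed OwnerID with the ID derived from the key GetOwner returns; nothing in the hunk verifies the request signatures, so a caller that authorizes on CheckOwner alone may be relying on a key taken from the request header itself. The doc comment should state this, e.g. `// CheckOwner does not verify request signatures; call VerifyRequestHeader before trusting the result.` GetOwner's body is outside the hunk, so whether it validates anything beyond the session-key origin is not visible here. The test hunk in service/verify_test.go covers only the matching owner; a case asserting `ErrWrongOwner` for a different OwnerID would pin the rejection path. The errors from GetOwner and refs.NewOwnerID are also returned bare although the file imports `github.com/pkg/errors`, and the `if … else if` chain with a shadowed `err` would read more plainly as early returns.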