forked from TrueCloudLab/frostfs-api-go
service: implement functions for verification of signatures
This commit is contained in:
Leonard Lyubich
parent
f3e6caf7e7
commit
74144f207a
4 changed files with 264 additions and 27 deletions
103
service/sign.go
103
service/sign.go
|
|
@ -6,12 +6,39 @@ import (
|
|||
crypto "github.com/nspcc-dev/neofs-crypto"
|
||||
)
|
||||
|
||||
type keySign struct {
|
||||
key *ecdsa.PublicKey
|
||||
sign []byte
|
||||
}
|
||||
|
||||
// GetSignature is a sign field getter.
|
||||
func (s keySign) GetSignature() []byte {
|
||||
return s.sign
|
||||
}
|
||||
|
||||
// GetPublicKey is a key field getter,
|
||||
func (s keySign) GetPublicKey() *ecdsa.PublicKey {
|
||||
return s.key
|
||||
}
|
||||
|
||||
// Unites passed key with signature and returns SignKeyPair interface.
|
||||
func newSignatureKeyPair(key *ecdsa.PublicKey, sign []byte) SignKeyPair {
|
||||
return &keySign{
|
||||
key: key,
|
||||
sign: sign,
|
||||
}
|
||||
}
|
||||
|
||||
// Returns data from DataSignatureAccumulator for signature creation/verification.
|
||||
//
|
||||
// If passed DataSignatureAccumulator provides a SignedDataReader interface, data for signature is obtained
|
||||
// using this interface for optimization. In this case, it is understood that reading into the slice D
|
||||
// that the method DataForSignature returns does not change D.
|
||||
func dataForSignature(src SignedDataSource) ([]byte, error) {
|
||||
if src == nil {
|
||||
return nil, ErrNilSignedDataSource
|
||||
}
|
||||
|
||||
r, ok := src.(SignedDataReader)
|
||||
if !ok {
|
||||
return src.SignedData()
|
||||
|
|
@ -42,10 +69,8 @@ func dataForSignature(src SignedDataSource) ([]byte, error) {
|
|||
// If passed data container is nil, ErrNilSignedDataSource returns.
|
||||
// If passed private key is nil, crypto.ErrEmptyPrivateKey returns.
|
||||
// If the data container or the signature function returns an error, it is returned directly.
|
||||
func DataSignature(src SignedDataSource, key *ecdsa.PrivateKey) ([]byte, error) {
|
||||
if src == nil {
|
||||
return nil, ErrNilSignedDataSource
|
||||
} else if key == nil {
|
||||
func DataSignature(key *ecdsa.PrivateKey, src SignedDataSource) ([]byte, error) {
|
||||
if key == nil {
|
||||
return nil, crypto.ErrEmptyPrivateKey
|
||||
}
|
||||
|
||||
|
|
@ -61,7 +86,7 @@ func DataSignature(src SignedDataSource, key *ecdsa.PrivateKey) ([]byte, error)
|
|||
//
|
||||
// Returns signing errors only.
|
||||
func AddSignatureWithKey(v SignatureKeyAccumulator, key *ecdsa.PrivateKey) error {
|
||||
sign, err := DataSignature(v, key)
|
||||
sign, err := DataSignature(key, v)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -70,3 +95,71 @@ func AddSignatureWithKey(v SignatureKeyAccumulator, key *ecdsa.PrivateKey) error
|
|||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Checks passed key-signature pairs for data from the passed container.
|
||||
//
|
||||
// If passed key-signatures pair set is empty, nil returns immediately.
|
||||
func verifySignatures(src SignedDataSource, items ...SignKeyPair) error {
|
||||
if len(items) <= 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
data, err := dataForSignature(src)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for _, signKey := range items {
|
||||
if err := crypto.Verify(
|
||||
signKey.GetPublicKey(),
|
||||
data,
|
||||
signKey.GetSignature(),
|
||||
); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// VerifySignatures checks passed key-signature pairs for data from the passed container.
|
||||
//
|
||||
// If passed data source is nil, ErrNilSignedDataSource returns.
|
||||
// If check data is not ready, corresponding error returns.
|
||||
// If at least one of the pairs is invalid, an error returns.
|
||||
func VerifySignatures(src SignedDataSource, items ...SignKeyPair) error {
|
||||
return verifySignatures(src, items...)
|
||||
}
|
||||
|
||||
// VerifyAccumulatedSignatures checks if accumulated key-signature pairs are valid.
|
||||
//
|
||||
// Behaves like VerifySignatures.
|
||||
// If passed key-signature source is empty, ErrNilSignatureKeySource returns.
|
||||
func VerifyAccumulatedSignatures(src SignatureKeySource) error {
|
||||
if src == nil {
|
||||
return ErrNilSignatureKeySource
|
||||
}
|
||||
|
||||
return verifySignatures(src, src.GetSignKeyPairs()...)
|
||||
}
|
||||
|
||||
// VerifySignatureWithKey checks data signature from the passed container with passed key.
|
||||
//
|
||||
// If passed data with signature is nil, ErrEmptyDataWithSignature returns.
|
||||
// If passed key is nil, crypto.ErrEmptyPublicKey returns.
|
||||
// A non-nil error returns if and only if the signature does not pass verification.
|
||||
func VerifySignatureWithKey(src DataWithSignature, key *ecdsa.PublicKey) error {
|
||||
if src == nil {
|
||||
return ErrEmptyDataWithSignature
|
||||
} else if key == nil {
|
||||
return crypto.ErrEmptyPublicKey
|
||||
}
|
||||
|
||||
return verifySignatures(
|
||||
src,
|
||||
newSignatureKeyPair(
|
||||
key,
|
||||
src.GetSignature(),
|
||||
),
|
||||
)
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue