RubyGems - as2 - Versions diffs - 0.9.0 → 0.10.0 - Mend

as2 0.9.0 → 0.10.0

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5d44130a76edfd15f3938df800fd0b82a0a14446ed064844250c33f0ba28c0c
-  data.tar.gz: b2436bd0539cefe5387e08042ba5bf1798282515c17d6c884eda08c7e9abd913
+  metadata.gz: 7e21a1d3326b7db528a205964fb6c5e99656ea20e4ad7dcba0877088fdd86104
+  data.tar.gz: c46538361b3cdb28f6b97a602465adea7dea2f348dbdc54fd18c33ca7a496801
 SHA512:
-  metadata.gz: c7ec66eff025813c21849d375933cef2e06c70ae658363ffce640d22ea72be73650908862307380e70da03510765016b99bf60a65f6f56f432d4e3381eab8ee4
-  data.tar.gz: 5f9747317e5675e292ea80f02b01de73a0d14e78c60236970f81a8a68a3cefb0535b2bd9c4d2b6fee7e95399746fd773f40de5481db2975fe2f21c9ce5c7178e
+  metadata.gz: 52189a26063743097ea72abfe0b12e21866417ab60af8633b581eab7c1902ebb32bf904538daf4301f5320c0cbfd730d94c1aa14f6a365d0ea270158f649565c
+  data.tar.gz: ec40485fcd9e7f7f38cbc3649c3b7c84986ebc1be2242a3208c9563d42bea239fb8d4f38a73bd0ce580e54e2371890a45689d138b55c5eccc0c489b6c7526a45

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,16 @@
+## 0.10.0 September 13, 2023
+support for separate signing & encryption certificates for partners. [#34](https://github.com/alexdean/as2/pull/34)
+BREAKING CHANGES:
+  * `As2::Config::Partner`
+    * Added `signing_certificate` and `encryption_certificate`
+    * Removed `certificate`.
+    * `certificate=` is still supported, and assigns the same certificate to both.
+  * `As2::Client#parse_signed_mdn`: requires `signing_certificate:` rather than `certificate:`.
+  * `As2::Message.verify`: requires `signing_certificate:` rather than `certificate:`.
 ## 0.9.0, August 28, 2023
   * Bugfix for quoting AS2-From/AS2-To identifiers

data/lib/as2/client.rb CHANGED Viewed

@@ -83,7 +83,7 @@ module As2
                                        )
       cipher = OpenSSL::Cipher::AES256.new(:CBC) # default, but we might have to make this configurable
-      encrypted = OpenSSL::PKCS7.encrypt([@partner.certificate], request_body, cipher)
+      encrypted = OpenSSL::PKCS7.encrypt([@partner.encryption_certificate], request_body, cipher)
       # > HTTP can handle binary data and so there is no need to use the
       # > content transfer encodings of MIME
@@ -257,7 +257,7 @@ module As2
       if mdn_content_type.start_with?('multipart/signed')
         result = parse_signed_mdn(
                                    multipart_signed_message: response_content,
-                                   certificate: @partner.certificate
+                                   signing_certificate: @partner.signing_certificate
                                  )
         mdn_report = result[:mdn_report]
         report[:signature_verification_error] = result[:signature_verification_error]
@@ -314,7 +314,7 @@ module As2
     #   * :mdn_mime_body [Mail::Message] The 'inner' MDN body, with signature removed
     #   * :signature_verification_error [String] Any error which resulted when checking the
     #     signature. If this is empty it means the signature was valid.
-    def parse_signed_mdn(multipart_signed_message:, certificate:)
+    def parse_signed_mdn(multipart_signed_message:, signing_certificate:)
       smime = nil
       begin
@@ -347,7 +347,7 @@ module As2
         # based on As2::Message version
         # TODO: test cases based on valid/invalid responses. (response signed with wrong certificate, etc.)
         # See notes in As2::Message.verify for reasoning on flag usage
-        smime.verify [certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
+        smime.verify [signing_certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
         signature_verification_error = smime.error_string
       else
@@ -383,7 +383,7 @@ module As2
         result = As2::Message.verify(
                    content: content,
                    signature_text: signature_text,
-                   certificate: @partner.certificate
+                   signing_certificate: signing_certificate
                  )
         signature_verification_error = result[:error]

data/lib/as2/config.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module As2
       end
     end
-    class Partner < Struct.new :name, :url, :certificate, :tls_verify_mode, :mdn_format, :outbound_format
+    class Partner < Struct.new :name, :url, :encryption_certificate, :signing_certificate, :tls_verify_mode, :mdn_format, :outbound_format
       def url=(url)
         if url.kind_of? String
           self['url'] = URI.parse url
@@ -40,7 +40,17 @@ module As2
       end
       def certificate=(certificate)
-        self['certificate'] = As2::Config.build_certificate(certificate)
+        cert = As2::Config.build_certificate(certificate)
+        self['encryption_certificate'] = cert
+        self['signing_certificate'] = cert
+      end
+      def encryption_certificate=(certificate)
+        self['encryption_certificate'] = As2::Config.build_certificate(certificate)
+      end
+      def signing_certificate=(certificate)
+        self['signing_certificate'] = As2::Config.build_certificate(certificate)
       end
       # if set, will be used for SSL transmissions.
@@ -87,14 +97,18 @@ module As2
         unless partner.name
           raise 'Partner name is required'
         end
-        unless partner.certificate
-          raise 'Partner certificate is required'
+        unless partner.signing_certificate
+          raise 'Partner signing certificate is required'
+        end
+        unless partner.encryption_certificate
+          raise 'Partner encryption certificate is required'
         end
         unless partner.url
           raise 'Partner URL is required'
         end
         Config.partners[partner.name] = partner
-        Config.store.add_cert partner.certificate
+        Config.store.add_cert partner.signing_certificate
+        Config.store.add_cert partner.encryption_certificate
       end
     end
@@ -123,6 +137,7 @@ module As2
         @partners ||= {}
       end
+      # TODO: deprecate this.
       def store
         @store ||= OpenSSL::X509::Store.new
       end

data/lib/as2/message.rb CHANGED Viewed

@@ -53,7 +53,7 @@ module As2
     #   * :valid [boolean] was the verification successful or not?
     #   * :error [String, nil] a verification error message.
     #                          will be empty when `valid` is true.
-    def self.verify(content:, signature_text:, certificate:)
+    def self.verify(content:, signature_text:, signing_certificate:)
       begin
         signature = OpenSSL::PKCS7.new(signature_text)
@@ -76,9 +76,9 @@ module As2
         #
         # https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html
         #
-        # we want this so we can be sure that the `partner_certificate` we supply
+        # we want this so we can be sure that the `signing_certificate` we supply
         # was actually used to sign the message. otherwise we could get a positive
-        # verification even if `partner_certificate` didn't sign the message
+        # verification even if `signing_certificate` didn't sign the message
         # we're checking.
         #
         # ## NOVERIFY
@@ -87,9 +87,9 @@ module As2
         #
         # ie: we won't attempt to connect signer (in the first param) to a root
         # CA (in `store`, which is empty). alternately, we could instead remove
-        # this flag, and add `partner_certificate` to `store`. but what's the point?
-        # we'd only be verifying that `partner_certificate` is connected to `partner_certificate`.
-        valid = signature.verify([certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
+        # this flag, and add `signing_certificate` to `store`. but what's the point?
+        # we'd only be verifying that `signing_certificate` is connected to `signing_certificate`.
+        valid = signature.verify([signing_certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
         # when `signature.verify` fails, signature.error_string will be populated.
         error = signature.error_string
@@ -121,7 +121,7 @@ module As2
       @decrypted_message ||= @pkcs7.decrypt @private_key, @public_certificate
     end
-    def valid_signature?(partner_certificate)
+    def valid_signature?(partner_signing_certificate)
       content_type = mail.header_fields.find { |h| h.name == 'Content-Type' }.content_type
       # TODO: substantial overlap between this code & the fallback/rescue code in
       # As2::Client#verify_mdn_signature
@@ -149,7 +149,7 @@ module As2
         result = self.class.verify(
                                     content: content,
                                     signature_text: signature_text,
-                                    certificate: partner_certificate
+                                    signing_certificate: partner_signing_certificate
                                   )
         output = result[:valid]
@@ -186,7 +186,7 @@ module As2
           retry_output = self.class.verify(
                                             content: content,
                                             signature_text: signature_text,
-                                            certificate: partner_certificate
+                                            signing_certificate: partner_signing_certificate
                                           )
           if retry_output[:valid]

data/lib/as2/server.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module As2
       request = Rack::Request.new(env)
       message = Message.new(request.body.read, @server_info.pkey, @server_info.certificate)
-      unless message.valid_signature?(partner.certificate)
+      unless message.valid_signature?(partner.signing_certificate)
         if @signature_failure_handler
           @signature_failure_handler.call({
             env: env,
@@ -48,7 +48,7 @@ module As2
             verification_error: message.verification_error
           })
         else
-          raise "Could not verify signature"
+          raise "Could not verify signature. #{message.verification_error}"
         end
       end

data/lib/as2/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.9.0"
+  VERSION = "0.10.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - OfficeLuv
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-08-28 00:00:00.000000000 Z
+date: 2023-09-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail