RubyGems - as2 - Versions diffs - 0.9.0 → 0.10.0 - Mend

as2 0.9.0 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5d44130a76edfd15f3938df800fd0b82a0a14446ed064844250c33f0ba28c0c
-  data.tar.gz: b2436bd0539cefe5387e08042ba5bf1798282515c17d6c884eda08c7e9abd913
+  metadata.gz: 7e21a1d3326b7db528a205964fb6c5e99656ea20e4ad7dcba0877088fdd86104
+  data.tar.gz: c46538361b3cdb28f6b97a602465adea7dea2f348dbdc54fd18c33ca7a496801
 SHA512:
-  metadata.gz: c7ec66eff025813c21849d375933cef2e06c70ae658363ffce640d22ea72be73650908862307380e70da03510765016b99bf60a65f6f56f432d4e3381eab8ee4
-  data.tar.gz: 5f9747317e5675e292ea80f02b01de73a0d14e78c60236970f81a8a68a3cefb0535b2bd9c4d2b6fee7e95399746fd773f40de5481db2975fe2f21c9ce5c7178e
+  metadata.gz: 52189a26063743097ea72abfe0b12e21866417ab60af8633b581eab7c1902ebb32bf904538daf4301f5320c0cbfd730d94c1aa14f6a365d0ea270158f649565c
+  data.tar.gz: ec40485fcd9e7f7f38cbc3649c3b7c84986ebc1be2242a3208c9563d42bea239fb8d4f38a73bd0ce580e54e2371890a45689d138b55c5eccc0c489b6c7526a45

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,16 @@
+## 0.10.0 September 13, 2023
+support for separate signing & encryption certificates for partners. [#34](https://github.com/alexdean/as2/pull/34)
+BREAKING CHANGES:
+  * `As2::Config::Partner`
+    * Added `signing_certificate` and `encryption_certificate`
+    * Removed `certificate`.
+    * `certificate=` is still supported, and assigns the same certificate to both.
+  * `As2::Client#parse_signed_mdn`: requires `signing_certificate:` rather than `certificate:`.
+  * `As2::Message.verify`: requires `signing_certificate:` rather than `certificate:`.
 ## 0.9.0, August 28, 2023
   * Bugfix for quoting AS2-From/AS2-To identifiers

data/lib/as2/client.rb CHANGED Viewed

@@ -83,7 +83,7 @@ module As2
                                        )
       cipher = OpenSSL::Cipher::AES256.new(:CBC) # default, but we might have to make this configurable
-      encrypted = OpenSSL::PKCS7.encrypt([@partner.certificate], request_body, cipher)
+      encrypted = OpenSSL::PKCS7.encrypt([@partner.encryption_certificate], request_body, cipher)
       # > HTTP can handle binary data and so there is no need to use the
       # > content transfer encodings of MIME
@@ -257,7 +257,7 @@ module As2
       if mdn_content_type.start_with?('multipart/signed')
         result = parse_signed_mdn(
                                    multipart_signed_message: response_content,
-                                   certificate: @partner.certificate
+                                   signing_certificate: @partner.signing_certificate
                                  )
         mdn_report = result[:mdn_report]
         report[:signature_verification_error] = result[:signature_verification_error]
@@ -314,7 +314,7 @@ module As2
     #   * :mdn_mime_body [Mail::Message] The 'inner' MDN body, with signature removed
     #   * :signature_verification_error [String] Any error which resulted when checking the
     #     signature. If this is empty it means the signature was valid.
-    def parse_signed_mdn(multipart_signed_message:, certificate:)
+    def parse_signed_mdn(multipart_signed_message:, signing_certificate:)
       smime = nil
       begin
@@ -347,7 +347,7 @@ module As2
         # based on As2::Message version
         # TODO: test cases based on valid/invalid responses. (response signed with wrong certificate, etc.)
         # See notes in As2::Message.verify for reasoning on flag usage
-        smime.verify [certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
+        smime.verify [signing_certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
         signature_verification_error = smime.error_string
       else
@@ -383,7 +383,7 @@ module As2
         result = As2::Message.verify(
                    content: content,
                    signature_text: signature_text,
-                   certificate: @partner.certificate
+                   signing_certificate: signing_certificate
                  )
         signature_verification_error = result[:error]

data/lib/as2/config.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module As2
       end
     end
-    class Partner < Struct.new :name, :url, :certificate, :tls_verify_mode, :mdn_format, :outbound_format
+    class Partner < Struct.new :name, :url, :encryption_certificate, :signing_certificate, :tls_verify_mode, :mdn_format, :outbound_format
       def url=(url)
         if url.kind_of? String
           self['url'] = URI.parse url
@@ -40,7 +40,17 @@ module As2
       end
       def certificate=(certificate)
-        self['certificate'] = As2::Config.build_certificate(certificate)
+        cert = As2::Config.build_certificate(certificate)
+        self['encryption_certificate'] = cert
+        self['signing_certificate'] = cert
+      end
+      def encryption_certificate=(certificate)
+        self['encryption_certificate'] = As2::Config.build_certificate(certificate)
+      end
+      def signing_certificate=(certificate)
+        self['signing_certificate'] = As2::Config.build_certificate(certificate)
       end
       # if set, will be used for SSL transmissions.
@@ -87,14 +97,18 @@ module As2
         unless partner.name
           raise 'Partner name is required'
         end
-        unless partner.certificate
-          raise 'Partner certificate is required'
+        unless partner.signing_certificate
+          raise 'Partner signing certificate is required'
+        end
+        unless partner.encryption_certificate
+          raise 'Partner encryption certificate is required'
         end
         unless partner.url
           raise 'Partner URL is required'
         end
         Config.partners[partner.name] = partner
-        Config.store.add_cert partner.certificate
+        Config.store.add_cert partner.signing_certificate
+        Config.store.add_cert partner.encryption_certificate
       end
     end
@@ -123,6 +137,7 @@ module As2
         @partners ||= {}
       end
+      # TODO: deprecate this.
       def store
         @store ||= OpenSSL::X509::Store.new
       end

data/lib/as2/message.rb CHANGED Viewed

@@ -53,7 +53,7 @@ module As2
     #   * :valid [boolean] was the verification successful or not?
     #   * :error [String, nil] a verification error message.
     #                          will be empty when `valid` is true.
-    def self.verify(content:, signature_text:, certificate:)
+    def self.verify(content:, signature_text:, signing_certificate:)
       begin
         signature = OpenSSL::PKCS7.new(signature_text)
@@ -76,9 +76,9 @@ module As2
         #
         # https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html
         #
-        # we want this so we can be sure that the `partner_certificate` we supply
+        # we want this so we can be sure that the `signing_certificate` we supply
         # was actually used to sign the message. otherwise we could get a positive
-        # verification even if `partner_certificate` didn't sign the message
+        # verification even if `signing_certificate` didn't sign the message
         # we're checking.
         #
         # ## NOVERIFY
@@ -87,9 +87,9 @@ module As2
         #
         # ie: we won't attempt to connect signer (in the first param) to a root
         # CA (in `store`, which is empty). alternately, we could instead remove
-        # this flag, and add `partner_certificate` to `store`. but what's the point?
-        # we'd only be verifying that `partner_certificate` is connected to `partner_certificate`.
-        valid = signature.verify([certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
+        # this flag, and add `signing_certificate` to `store`. but what's the point?
+        # we'd only be verifying that `signing_certificate` is connected to `signing_certificate`.
+        valid = signature.verify([signing_certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
         # when `signature.verify` fails, signature.error_string will be populated.
         error = signature.error_string
@@ -121,7 +121,7 @@ module As2
       @decrypted_message ||= @pkcs7.decrypt @private_key, @public_certificate
     end
-    def valid_signature?(partner_certificate)
+    def valid_signature?(partner_signing_certificate)
       content_type = mail.header_fields.find { |h| h.name == 'Content-Type' }.content_type
       # TODO: substantial overlap between this code & the fallback/rescue code in
       # As2::Client#verify_mdn_signature
@@ -149,7 +149,7 @@ module As2
         result = self.class.verify(
                                     content: content,
                                     signature_text: signature_text,
-                                    certificate: partner_certificate
+                                    signing_certificate: partner_signing_certificate
                                   )
         output = result[:valid]
@@ -186,7 +186,7 @@ module As2
           retry_output = self.class.verify(
                                             content: content,
                                             signature_text: signature_text,
-                                            certificate: partner_certificate
+                                            signing_certificate: partner_signing_certificate
                                           )
           if retry_output[:valid]

data/lib/as2/server.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module As2
       request = Rack::Request.new(env)
       message = Message.new(request.body.read, @server_info.pkey, @server_info.certificate)
-      unless message.valid_signature?(partner.certificate)
+      unless message.valid_signature?(partner.signing_certificate)
         if @signature_failure_handler
           @signature_failure_handler.call({
             env: env,
@@ -48,7 +48,7 @@ module As2
             verification_error: message.verification_error
           })
         else
-          raise "Could not verify signature"
+          raise "Could not verify signature. #{message.verification_error}"
         end
       end

data/lib/as2/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.9.0"
+  VERSION = "0.10.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - OfficeLuv
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-08-28 00:00:00.000000000 Z
+date: 2023-09-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail