as2 0.2.5 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a3998531af86ec28183bebe5adaa77a0cba1b66f43d9b2270b53470b34f5d76
-  data.tar.gz: '079dfb30bfb10cb2a22d33502c155dda1d6c7069a87436b9a62e58d1521d2fa6'
+  metadata.gz: 3c28a94ec5915cd8930ba91814dea748017f86d0cbe2be94719fa54df5e6774f
+  data.tar.gz: 47239349434164df4c1833561b6942e458f9b919415d221b9ae376b4a28755fe
 SHA512:
-  metadata.gz: f968aeb0ab8f1836bbcad82eec78c8a13f5507edef264df0cc397b767524628ef5936f64fa6b84cb8bffec1c4eae492336c9f64c24376d6fc42a17911ece450c
-  data.tar.gz: e05c3239d2a17c7f5c236544d184fdb038c80d4917c11187b54b77091fc17efc9e9048428384976c2c45a28f955d6ba321f63c576b98220e647ac8b16dc3a860
+  metadata.gz: b7f77c9176b2f279d5a678f72494f746b687432487df3b2c1d338754b89e5942e9af4798360a39528514cb826cc923148ac4a812cc64d65b7f9f4a104eb71b2f
+  data.tar.gz: efdc7d01786e56ad1aabbbd9c373aa9d835bb299c775423df0470e622916efe080a0abc3b7bc6173e39b80223824d3c3bb885b6fe8d6b93405329dcaf9f82fd5

data/.gitignore

@@ -1,2 +1,3 @@
 certs
 .DS_Store
+Gemfile.lock

data/CHANGELOG.md

@@ -0,0 +1,9 @@
+## 0.3.0, Dec 22, 2021
+
+  * fix MIC calculation. [#1](https://github.com/andjosh/as2/pull/1)
+  * allow loading of private key and certificates without local files. [#2](https://github.com/andjosh/as2/pull/2)
+  * fix signature verification. [#3](https://github.com/andjosh/as2/pull/3)
+
+## prior to 0.3.0
+
+Initial work by [@andjosh](https://github.com/andjosh) and [@datanoise](https://github.com/datanoise).

data/as2.gemspec

@@ -6,8 +6,8 @@ require 'as2/version'
 Gem::Specification.new do |spec|
   spec.name          = "as2"
   spec.version       = As2::VERSION
-  spec.authors       = ["OfficeLuv"]
-  spec.email         = ["development@officeluv.com"]
+  spec.authors       = ["OfficeLuv", "Transfix"]
+  spec.email         = ["development@officeluv.com", "alexdean@transfix.io"]
 
   spec.summary       = %q{Simple AS2 server and client implementation}
   spec.description   = %q{Simple AS2 server and client implementation. Follows the AS2 implementation from http://as2.mendelson-e-c.com}
@@ -30,8 +30,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mail"
   spec.add_dependency "rack"
 
-  spec.add_development_dependency "bundler", "~> 1.10"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", ">= 1.10"
+  spec.add_development_dependency "rake", ">= 10.0"
   spec.add_development_dependency "thin"
   spec.add_development_dependency "minitest"
 end

data/lib/as2/config.rb

@@ -1,6 +1,17 @@
 require 'uri'
 module As2
   module Config
+    def self.build_certificate(input)
+      if input.kind_of? OpenSSL::X509::Certificate
+        input
+      elsif input.kind_of? String
+        OpenSSL::X509::Certificate.new File.read(input)
+      else
+        raise ArgumentError, "Invalid certificate. Provide a string (file path)" \
+          " or an OpenSSL::X509::Certificate instance. Got a #{input.class} instead."
+      end
+    end
+
     class Partner < Struct.new :name, :url, :certificate
       def url=(url)
         if url.kind_of? String
@@ -11,7 +22,7 @@ module As2
       end
 
       def certificate=(certificate)
-        self['certificate'] = OpenSSL::X509::Certificate.new File.read(certificate)
+        self['certificate'] = As2::Config.build_certificate(certificate)
       end
     end
 
@@ -25,11 +36,20 @@ module As2
       end
 
       def certificate=(certificate)
-        self['certificate'] = OpenSSL::X509::Certificate.new File.read(certificate)
+        self['certificate'] = As2::Config.build_certificate(certificate)
       end
 
-      def pkey=(pkey)
-        self['pkey'] = OpenSSL::PKey.read File.read(pkey)
+      def pkey=(input)
+        # looks like even though you OpenSSL::PKey.new, you still end up with
+        # an instance which is an OpenSSL::PKey::PKey.
+        if input.kind_of? OpenSSL::PKey::PKey
+          self['pkey'] = input
+        elsif input.kind_of? String
+          self['pkey'] = OpenSSL::PKey.read File.read(input)
+        else
+          raise ArgumentError, "Invalid private key. Provide a string (file path)" \
+            " or an OpenSSL::PKey instance. Got a #{input.class} instead."
+        end
       end
 
       def add_partner
@@ -67,12 +87,7 @@ module As2
         unless @server_info.domain
           raise 'Your domain name is required'
         end
-        begin
-          store.add_cert @server_info.certificate
-        rescue OpenSSL::X509::StoreError => err
-          # ignore duplicate certs
-          raise unless err.message == 'cert already in hash table'
-        end
+        store.add_cert @server_info.certificate
       end
 
       def partners

data/lib/as2/message.rb

@@ -1,26 +1,83 @@
-require 'as2/base64_helper'
-
 module As2
   class Message
-    attr_reader :original_message
+    attr_reader :verification_error
 
     def initialize(message, private_key, public_certificate)
-      @original_message = message
+      # TODO: might need to use OpenSSL::PKCS7.read_smime rather than .new sometimes
+      @pkcs7 = OpenSSL::PKCS7.new(message)
       @private_key = private_key
       @public_certificate = public_certificate
+      @verification_error = nil
     end
 
     def decrypted_message
-      @decrypted_message ||= decrypt_smime(original_message)
+      @decrypted_message ||= @pkcs7.decrypt @private_key, @public_certificate
     end
 
     def valid_signature?(partner_certificate)
-      store = OpenSSL::X509::Store.new
-      store.add_cert(partner_certificate)
+      content_type = mail.header_fields.find { |h| h.name == 'Content-Type' }.content_type
+      if content_type == "multipart/signed"
+        # for a "multipart/signed" message, we will do 'detatched' signature
+        # verification, where we supply the data to be verified as the 3rd parameter
+        # to OpenSSL::PKCS7#verify. this is in keeping with how this content type
+        # is described in the S/MIME RFC.
+        #
+        # > The multipart/signed MIME type has two parts.  The first part contains
+        # > the MIME entity that is signed; the second part contains the "detached signature"
+        # > CMS SignedData object in which the encapContentInfo eContent field is absent.
+        #
+        # https://datatracker.ietf.org/doc/html/rfc3851#section-3.4.3.1
+
+        # TODO: more robust detection of content vs signature (if they're ever out of order).
+        content = mail.parts[0].raw_source.strip
+        signature = OpenSSL::PKCS7.new(mail.parts[1].body.to_s)
+
+        # using an empty CA store. see notes on NOVERIFY flag below.
+        store = OpenSSL::X509::Store.new
+
+        # notes on verification proces and flags used
+        #
+        # ## NOINTERN
+        #
+        # > If PKCS7_NOINTERN is set the certificates in the message itself are
+        # > not searched when locating the signer's certificate. This means that
+        # > all the signers certificates must be in the certs parameter.
+        #
+        # > One application of PKCS7_NOINTERN is to only accept messages signed
+        # > by a small number of certificates. The acceptable certificates would
+        # > be passed in the certs parameter. In this case if the signer is not
+        # > one of the certificates supplied in certs then the verify will fail
+        # > because the signer cannot be found.
+        #
+        # https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html
+        #
+        # we want this so we can be sure that the `partner_certificate` we supply
+        # was actually used to sign the message. otherwise we could get a positive
+        # verification even if `partner_certificate` didn't sign the message
+        # we're checking.
+        #
+        # ## NOVERIFY
+        #
+        # > If PKCS7_NOVERIFY is set the signer's certificates are not chain verified.
+        #
+        # ie: we won't attempt to connect signer (in the first param) to a root
+        # CA (in `store`, which is empty). alternately, we could instead remove
+        # this flag, and add `partner_certificate` to `store`. but what's the point?
+        # we'd only be verifying that `partner_certificate` is connected to `partner_certificate`.
+        output = signature.verify([partner_certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
+
+        # when `signature.verify` fails, signature.error_string will be populated.
+        @verification_error = signature.error_string
+
+        output
+      else
+        # TODO: how to log this?
+        false
+      end
+    end
 
-      smime = Base64Helper.ensure_body_base64(decrypted_message)
-      message = read_smime(smime)
-      message.verify [partner_certificate], store
+    def mic
+      OpenSSL::Digest::SHA1.base64digest(attachment.raw_source.strip)
     end
 
     # Return the attached file, use .filename and .body on the return value
@@ -33,17 +90,9 @@ module As2
     end
 
     private
+
     def mail
       @mail ||= Mail.new(decrypted_message)
     end
-
-    def read_smime(smime)
-      OpenSSL::PKCS7.read_smime(smime)
-    end
-
-    def decrypt_smime(smime)
-      message = read_smime(smime)
-      message.decrypt @private_key, @public_certificate
-    end
   end
 end

data/lib/as2/server.rb

@@ -2,20 +2,10 @@ require 'rack'
 require 'logger'
 require 'stringio'
 require 'as2/mime_generator'
-require 'as2/base64_helper'
 require 'as2/message'
 
 module As2
   class Server
-    HEADER_MAP = {
-      'To' => 'HTTP_AS2_TO',
-      'From' => 'HTTP_AS2_FROM',
-      'Subject' => 'HTTP_SUBJECT',
-      'MIME-Version' => 'HTTP_MIME_VERSION',
-      'Content-Disposition' => 'HTTP_CONTENT_DISPOSITION',
-      'Content-Type' => 'CONTENT_TYPE',
-    }
-
     attr_accessor :logger
 
     def initialize(options = {}, &block)
@@ -34,18 +24,21 @@ module As2
         return send_error(env, "Invalid partner name #{env['HTTP_AS2_FROM']}")
       end
 
-      smime_string = build_smime_text(env)
-      message = Message.new(smime_string, @info.pkey, @info.certificate)
+      request = Rack::Request.new(env)
+      message = Message.new(request.body.read, @info.pkey, @info.certificate)
+
       unless message.valid_signature?(partner.certificate)
         if @options[:on_signature_failure]
-          @options[:on_signature_failure].call({env: env, smime_string: smime_string})
+          @options[:on_signature_failure].call({
+            env: env,
+            smime_string: message.decrypted_message,
+            verification_error: message.verification_error
+          })
         else
           raise "Could not verify signature"
         end
       end
 
-      mic = OpenSSL::Digest::SHA1.base64digest(message.decrypted_message)
-
       if @block
         begin
           @block.call message.attachment.filename, message.attachment.body
@@ -54,24 +47,10 @@ module As2
         end
       end
 
-      send_mdn(env, mic)
+      send_mdn(env, message.mic)
     end
 
     private
-    def build_smime_text(env)
-      request = Rack::Request.new(env)
-      smime_data = StringIO.new
-
-      HEADER_MAP.each do |name, value|
-        smime_data.puts "#{name}: #{env[value]}"
-      end
-
-      smime_data.puts 'Content-Transfer-Encoding: base64'
-      smime_data.puts
-      smime_data.puts Base64Helper.ensure_base64(request.body.read)
-
-      return smime_data.string
-    end
 
     def logger(env)
       @logger ||= Logger.new env['rack.errors']

data/lib/as2/version.rb

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.2.5"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.3.0
 platform: ruby
 authors:
 - OfficeLuv
-autorequire: 
+- Transfix
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-03-12 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail
@@ -42,28 +43,28 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
@@ -98,13 +99,14 @@ description: Simple AS2 server and client implementation. Follows the AS2 implem
   from http://as2.mendelson-e-c.com
 email:
 - development@officeluv.com
+- alexdean@transfix.io
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -126,7 +128,7 @@ licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org/
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -141,9 +143,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Simple AS2 server and client implementation
 test_files: []

data/Gemfile.lock

@@ -1,35 +0,0 @@
-PATH
-  remote: .
-  specs:
-    as2 (0.2.4)
-      mail
-      rack
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    daemons (1.2.3)
-    eventmachine (1.0.8)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
-    mime-types (2.6.2)
-    minitest (5.8.1)
-    rack (1.6.4)
-    rake (10.4.2)
-    thin (1.6.4)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      rack (~> 1.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  as2!
-  bundler (~> 1.10)
-  minitest
-  rake (~> 10.0)
-  thin
-
-BUNDLED WITH
-   1.10.6