cose 0.8.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f2e83dd45585da762903b90f50376dcc75f175acf5ebbc3804763a963dfedfc
-  data.tar.gz: 6f83ee059a2b00539f20b932c9b6382df837aef0dbb42e201be344b055a51dbf
+  metadata.gz: ef03f2ea3b2f4f4bb8f81fdd777cf3ae3905e1eae953599f0e6b0feca89343f5
+  data.tar.gz: 94db44b9a0a449bdb81ae9274fb193365838ec84f9df3db3540dcf5eb1ca3303
 SHA512:
-  metadata.gz: 536b1620403cf8f2a6d54ffd8c7918fc0196e3fbb14b0c8ccf99ad85620184463cc92140b6ad1e810d06afeb84c4b9ce03d17c926a316270df2a3eb77f922f10
-  data.tar.gz: 230af044b097a08fd714bb180ce41e3df194c6c880f046d7628acb984d954c0f7308a5e9a89c52705c0e9341f2404f24753a4cc5e47da89784d21a7b32734a23
+  metadata.gz: 17492d5ba3f7fce248418a158d29419392f9d849f33421d7b6192e61e021e5d62ca14f6a42721a05e77e31dfc67ef267c18e8be7138360a9146e359e5cb5b740
+  data.tar.gz: 49834d1df018a49669dfc02b8548c30f2aedf99fbad979cd072ee480eff99e9b6076e74654cfff72e6d6a6da96798d1de7902497f19f70e53b6464ac5a7d716a

data/.gitmodules

@@ -0,0 +1,3 @@
+[submodule "spec/fixtures/cose-wg-examples"]
+	path = spec/fixtures/cose-wg-examples
+	url = https://github.com/cose-wg/Examples

data/.rspec

@@ -1,3 +1,3 @@
---format documentation
 --color
 --require spec_helper
+--order random

data/.rubocop.yml

@@ -6,7 +6,7 @@ inherit_mode:
     - Exclude
 
 AllCops:
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.4
   DisabledByDefault: true
   Exclude:
     - "gemfiles/**/*"
@@ -20,13 +20,12 @@ Gemspec:
 Layout:
   Enabled: true
 
+Layout/LineLength:
+  Max: 120
+
 Lint:
   Enabled: true
 
-Metrics/LineLength:
-  Max: 120
-  IgnoreCopDirectives: true
-
 Naming:
   Enabled: true
 

data/.travis.yml

@@ -1,35 +1,25 @@
-sudo: false
+dist: bionic
 language: ruby
 cache: bundler
 
 rvm:
   - ruby-head
-  - 2.7.0-preview1
-  - 2.6.3
-  - 2.5.5
-  - 2.4.6
-  - 2.3.8
-  - 2.2.10
+  - 2.7.1
+  - 2.6.6
+  - 2.5.8
+  - 2.4.10
 
 gemfile:
   - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
   - gemfiles/openssl_2_1.gemfile
   - gemfiles/openssl_2_0.gemfile
   - gemfiles/openssl_default.gemfile
 
-before_install: gem install bundler -v '~> 1.17'
+before_install: gem install bundler -v '~> 2.0'
 
 matrix:
   fast_finish: true
   allow_failures:
     - rvm: ruby-head
-    - rvm: 2.7.0-preview1
-    - rvm: 2.2.10
     - gemfile: gemfiles/openssl_head.gemfile
-  exclude:
-    - rvm: 2.2.10
-      gemfile: gemfiles/openssl_head.gemfile
-    - rvm: 2.2.10
-      gemfile: gemfiles/openssl_2_1.gemfile
-    - rvm: 2.2.10
-      gemfile: gemfiles/openssl_2_0.gemfile

data/Appraisals

@@ -1,7 +1,13 @@
+# frozen_string_literal: true
+
 appraise "openssl_head" do
   gem "openssl", git: "https://github.com/ruby/openssl"
 end
 
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
+end
+
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,48 @@
 # Changelog
 
+## [v1.1.0] - 2020-07-09
+
+### Dependencies
+
+- Update `openssl-signature_algorithm` runtime dependency from `~> 0.4.0` to `~> 1.0`.
+
+## [v1.0.0] - 2020-03-29
+
+### Added
+
+- Signature verification validates key `alg` is compatible with the signature algorithm
+
+NOTE: No breaking changes. Moving out of `v0.x` to express the intention to keep the public API stable.
+
+## [v0.11.0] - 2020-01-30
+
+### Added
+
+- Let others easily support more signature algorithms by making `COSE::Algorithm::SignatureAlgorithm` smarter
+
+## [v0.10.0] - 2019-12-19
+
+### Added
+
+- Works on ruby 2.7 without throwing any warnings
+- Simpler way to rescue key deserialization error, now possible to:
+  ```rb
+    begin
+      COSE::Key.deserialize(cbor)
+    rescue COSE::KeyDeserializationError
+      # handle error
+    end
+  ```
+
+## [v0.9.0] - 2019-08-31
+
+### Added
+
+- `COSE::Sign1#verify`
+- `COSE::Sign#verify`
+- `COSE::Mac0#verify`
+- `COSE::Mac#verify`
+
 ## [v0.8.0] - 2019-08-17
 
 ### Added
@@ -86,6 +129,11 @@
 - EC2 key object
 - Works with ruby 2.5
 
+[v1.1.0]: https://github.com/cedarcode/cose-ruby/compare/v1.0.0...v1.1.0/
+[v1.0.0]: https://github.com/cedarcode/cose-ruby/compare/v0.11.0...v1.0.0/
+[v0.11.0]: https://github.com/cedarcode/cose-ruby/compare/v0.10.0...v0.11.0/
+[v0.10.0]: https://github.com/cedarcode/cose-ruby/compare/v0.9.0...v0.10.0/
+[v0.9.0]: https://github.com/cedarcode/cose-ruby/compare/v0.8.0...v0.9.0/
 [v0.8.0]: https://github.com/cedarcode/cose-ruby/compare/v0.7.0...v0.8.0/
 [v0.7.0]: https://github.com/cedarcode/cose-ruby/compare/v0.6.1...v0.7.0/
 [v0.6.1]: https://github.com/cedarcode/cose-ruby/compare/v0.6.0...v0.6.1/

data/README.md

@@ -1,8 +1,8 @@
-# cose
+# cose-ruby
 
-Ruby implementation of RFC 8152 CBOR Object Signing and Encryption (COSE)
+Ruby implementation of RFC [8152](https://tools.ietf.org/html/rfc8152) CBOR Object Signing and Encryption (COSE)
 
-[![Gem](https://img.shields.io/gem/v/cose.svg?style=flat-square)](https://rubygems.org/gems/cose)
+[![Gem](https://img.shields.io/gem/v/cose.svg?style=flat-square&color=informational)](https://rubygems.org/gems/cose)
 [![Travis](https://img.shields.io/travis/cedarcode/cose-ruby.svg?style=flat-square)](https://travis-ci.org/cedarcode/cose-ruby)
 
 ## Installation
@@ -145,15 +145,14 @@ cbor_data = "..."
 
 sign = COSE::Sign.deserialize(cbor_data)
 
-sign.protected_headers
-sign.unprotected_headers
-sign.payload
+# Verify by doing (key should be a COSE::Key):
+sign.verify(key)
 
-sign.signatures.each do |signature|
-  signature.protected_headers
-  signature.unprotected_headers
-  signature.signature
-end
+# or, if externally supplied authenticated data exists:
+sign.verify(key, external_aad)
+
+# Then access payload
+sign.payload
 ```
 
 #### COSE_Sign1
@@ -163,10 +162,14 @@ cbor_data = "..."
 
 sign1 = COSE::Sign1.deserialize(cbor_data)
 
-sign1.protected_headers
-sign1.unprotected_headers
+# Verify by doing (key should be a COSE::Key):
+sign1.verify(key)
+
+# or, if externally supplied authenticated data exists:
+sign1.verify(key, external_aad)
+
+# Then access payload
 sign1.payload
-sign1.signature
 ```
 
 ### MAC Objects
@@ -178,24 +181,14 @@ cbor_data = "..."
 
 mac = COSE::Mac.deserialize(cbor_data)
 
-mac.protected_headers
-mac.unprotected_headers
-mac.payload
-mac.tag
+# Verify by doing (key should be a COSE::Key::Symmetric):
+mac.verify(key)
 
-mac.recipients.each do |recipient|
-  recipient.protected_headers
-  recipient.unprotected_headers
-  recipient.ciphertext
+# or, if externally supplied authenticated data exists:
+mac.verify(key, external_aad)
 
-  if recipient.recipients
-    recipient.recipients.each do |recipient|
-      recipient.protected_headers
-      recipient.unprotected_headers
-      recipient.ciphertext
-    end
-  end
-end
+# Then access payload
+mac.payload
 ```
 
 #### COSE_Mac0
@@ -205,10 +198,14 @@ cbor_data = "..."
 
 mac0 = COSE::Mac0.deserialize(cbor_data)
 
-mac0.protected_headers
-mac0.unprotected_headers
+# Verify by doing (key should be a COSE::Key::Symmetric):
+mac0.verify(key)
+
+# or, if externally supplied authenticated data exists:
+mac0.verify(key, external_aad)
+
+# Then access payload
 mac0.payload
-mac0.tag
 ```
 
 ### Encryption Objects

data/SECURITY.md

@@ -4,9 +4,9 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
+| 0.9.z   | :white_check_mark: |
 | 0.8.z   | :white_check_mark: |
-| 0.7.z   | :white_check_mark: |
-| < 0.7   | :x:                |
+| < 0.8   | :x:                |
 
 ## Reporting a Vulnerability
 

data/bin/setup

@@ -3,6 +3,8 @@ set -euo pipefail
 IFS=$'\n\t'
 set -vx
 
+git submodule update --init --recursive
+
 bundle install
 
 # Do any other automated setup that you need to do here

data/cose.gemspec

@@ -29,15 +29,16 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.2"
+  spec.required_ruby_version = ">= 2.4"
 
   spec.add_dependency "cbor", "~> 0.5.9"
+  spec.add_dependency "openssl-signature_algorithm", "~> 1.0"
 
   spec.add_development_dependency "appraisal", "~> 2.2.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3"
-  spec.add_development_dependency "byebug", ">= 10.0"
-  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "byebug", "~> 11.0"
+  spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.68.0"
-  spec.add_development_dependency "rubocop-performance", "~> 1.3"
+  spec.add_development_dependency "rubocop", "0.80.1"
+  spec.add_development_dependency "rubocop-performance", "~> 1.4"
 end

data/gemfiles/openssl_2_2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.2.0"
+
+gemspec path: "../"

data/lib/cose.rb

@@ -2,6 +2,7 @@
 
 require "cose/encrypt"
 require "cose/encrypt0"
+require "cose/error"
 require "cose/key"
 require "cose/mac"
 require "cose/mac0"

data/lib/cose/algorithm.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require "cose/algorithm/ecdsa"
+require "cose/algorithm/hmac"
+require "cose/algorithm/rsa_pss"
+
+module COSE
+  module Algorithm
+    @registered_by_id = {}
+    @registered_by_name = {}
+
+    def self.register(algorithm)
+      @registered_by_id[algorithm.id] = algorithm
+      @registered_by_name[algorithm.name] = algorithm
+    end
+
+    def self.find(id_or_name)
+      by_id(id_or_name) || by_name(id_or_name)
+    end
+
+    def self.by_id(id)
+      @registered_by_id[id]
+    end
+
+    def self.by_name(name)
+      @registered_by_name[name]
+    end
+
+    register(ECDSA.new(-7, "ES256", hash_function: "SHA256"))
+    register(ECDSA.new(-35, "ES384", hash_function: "SHA384"))
+    register(ECDSA.new(-36, "ES512", hash_function: "SHA512"))
+    register(RSAPSS.new(-37, "PS256", hash_function: "SHA256", salt_length: 32))
+    register(RSAPSS.new(-38, "PS384", hash_function: "SHA384", salt_length: 48))
+    register(RSAPSS.new(-39, "PS512", hash_function: "SHA512", salt_length: 64))
+    register(HMAC.new(4, "HMAC 256/64", hash_function: "SHA256", tag_length: 64))
+    register(HMAC.new(5, "HMAC 256/256", hash_function: "SHA256", tag_length: 256))
+    register(HMAC.new(6, "HMAC 384/384", hash_function: "SHA384", tag_length: 384))
+    register(HMAC.new(7, "HMAC 512/512", hash_function: "SHA512", tag_length: 512))
+  end
+end

data/lib/cose/algorithm/base.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module COSE
+  module Algorithm
+    class Base
+      attr_reader :id, :name
+
+      def initialize(id, name)
+        @id = id
+        @name = name
+      end
+    end
+  end
+end

data/lib/cose/algorithm/ecdsa.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "cose/algorithm/signature_algorithm"
+require "cose/error"
+require "cose/key/ec2"
+require "openssl"
+require "openssl/signature_algorithm/ecdsa"
+
+module COSE
+  module Algorithm
+    class ECDSA < SignatureAlgorithm
+      attr_reader :hash_function
+
+      def initialize(*args, hash_function:)
+        super(*args)
+
+        @hash_function = hash_function
+      end
+
+      private
+
+      def valid_key?(key)
+        cose_key = to_cose_key(key)
+
+        cose_key.is_a?(COSE::Key::EC2) && (!cose_key.alg || cose_key.alg == id)
+      end
+
+      def signature_algorithm_class
+        OpenSSL::SignatureAlgorithm::ECDSA
+      end
+
+      def to_pkey(key)
+        case key
+        when COSE::Key::EC2
+          key.to_pkey
+        when OpenSSL::PKey::EC
+          key
+        else
+          raise(COSE::Error, "Incompatible key for algorithm")
+        end
+      end
+    end
+  end
+end

data/lib/cose/algorithm/hmac.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require "cose/algorithm/base"
+require "openssl"
+
+module COSE
+  module Algorithm
+    class HMAC < Base
+      BYTE_LENGTH = 8
+
+      attr_reader :hash_function, :tag_length
+
+      def initialize(*args, hash_function:, tag_length:)
+        super(*args)
+
+        @hash_function = hash_function
+        @tag_length = tag_length
+      end
+
+      def mac(key, to_be_signed)
+        mac = OpenSSL::HMAC.digest(hash_function, key, to_be_signed)
+
+        if tag_bytesize && tag_bytesize < mac.bytesize
+          mac.byteslice(0, tag_bytesize)
+        else
+          mac
+        end
+      end
+
+      private
+
+      def tag_bytesize
+        @tag_bytesize ||=
+          if tag_length
+            tag_length / BYTE_LENGTH
+          end
+      end
+    end
+  end
+end

data/lib/cose/algorithm/rsa_pss.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "cose/algorithm/signature_algorithm"
+require "cose/key/rsa"
+require "cose/error"
+require "openssl"
+require "openssl/signature_algorithm/rsapss"
+
+module COSE
+  module Algorithm
+    class RSAPSS < SignatureAlgorithm
+      attr_reader :hash_function, :salt_length
+
+      def initialize(*args, hash_function:, salt_length:)
+        super(*args)
+
+        @hash_function = hash_function
+        @salt_length = salt_length
+      end
+
+      private
+
+      def valid_key?(key)
+        to_cose_key(key).is_a?(COSE::Key::RSA)
+      end
+
+      def signature_algorithm_class
+        OpenSSL::SignatureAlgorithm::RSAPSS
+      end
+
+      def to_pkey(key)
+        case key
+        when COSE::Key::RSA
+          key.to_pkey
+        when OpenSSL::PKey::RSA
+          key
+        else
+          raise(COSE::Error, "Incompatible key for algorithm")
+        end
+      end
+    end
+  end
+end

data/lib/cose/algorithm/signature_algorithm.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "cose/algorithm/base"
+require "cose/error"
+
+module COSE
+  module Algorithm
+    class SignatureAlgorithm < Base
+      def verify(key, signature, verification_data)
+        compatible_key?(key) || raise(COSE::Error, "Incompatible key for signature verification")
+        valid_signature?(key, signature, verification_data) || raise(COSE::Error, "Signature verification failed")
+      end
+
+      def compatible_key?(key)
+        valid_key?(key) && to_pkey(key)
+      rescue COSE::Error
+        false
+      end
+
+      private
+
+      def valid_signature?(key, signature, verification_data)
+        signature_algorithm = signature_algorithm_class.new(hash_function: hash_function)
+        signature_algorithm.verify_key = to_pkey(key)
+
+        begin
+          signature_algorithm.verify(signature, verification_data)
+        rescue OpenSSL::SignatureAlgorithm::Error
+          false
+        end
+      end
+
+      def to_cose_key(key)
+        case key
+        when COSE::Key::Base
+          key
+        when OpenSSL::PKey::PKey
+          COSE::Key.from_pkey(key)
+        else
+          raise(COSE::Error, "Don't know how to transform #{key.class} to COSE::Key")
+        end
+      end
+
+      def signature_algorithm_class
+        raise NotImplementedError
+      end
+
+      def valid_key?(_key)
+        raise NotImplementedError
+      end
+
+      def to_pkey(_key)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/cose/encrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "cose/security_message"
 require "cose/recipient"
 

data/lib/cose/encrypt0.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "cose/security_message"
 
 module COSE

data/lib/cose/error.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module COSE
+  class Error < StandardError; end
+end

data/lib/cose/key.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "cbor"
 require "cose/key/ec2"
 require "cose/key/okp"
@@ -6,7 +8,10 @@ require "cose/key/symmetric"
 require "openssl"
 
 module COSE
-  class UnknownKeyType < StandardError; end
+  class Error < StandardError; end
+  class KeyDeserializationError < Error; end
+  class MalformedKeyError < KeyDeserializationError; end
+  class UnknownKeyType < KeyDeserializationError; end
 
   module Key
     def self.serialize(pkey)
@@ -25,7 +30,7 @@ module COSE
     end
 
     def self.deserialize(data)
-      map = CBOR.decode(data)
+      map = cbor_decode(data)
 
       case map[Base::LABEL_KTY]
       when COSE::Key::OKP::KTY_OKP
@@ -37,10 +42,16 @@ module COSE
       when COSE::Key::Symmetric::KTY_SYMMETRIC
         COSE::Key::Symmetric.from_map(map)
       when nil
-        raise UnknownKeyType, "Missing required key type kty label"
+        raise COSE::UnknownKeyType, "Missing required key type kty label"
       else
-        raise UnknownKeyType, "Unsupported or unknown key type #{map[Base::LABEL_KTY]}"
+        raise COSE::UnknownKeyType, "Unsupported or unknown key type #{map[Base::LABEL_KTY]}"
       end
     end
+
+    def self.cbor_decode(data)
+      CBOR.decode(data)
+    rescue CBOR::MalformedFormatError, EOFError, FloatDomainError, RegexpError, TypeError, URI::InvalidURIError
+      raise COSE::MalformedKeyError, "Malformed CBOR key input"
+    end
   end
 end

data/lib/cose/key/base.rb

@@ -41,14 +41,12 @@ module COSE
       end
 
       def map
-        map = {
+        {
           LABEL_BASE_IV => base_iv,
           LABEL_KEY_OPS => key_ops,
           LABEL_ALG => alg,
           LABEL_KID => kid,
-        }
-
-        map.reject { |_k, v| v.nil? }
+        }.compact
       end
     end
   end

data/lib/cose/key/curve.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module COSE
   module Key
     # https://tools.ietf.org/html/rfc8152#section-13.1

data/lib/cose/key/curve_key.rb

@@ -20,7 +20,7 @@ module COSE
         }
       end
 
-      def initialize(crv:, x: nil, d: nil, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(crv:, x: nil, d: nil, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         super(**keyword_arguments)
 
         if !crv
@@ -35,13 +35,11 @@ module COSE
       end
 
       def map
-        map = super.merge(
+        super.merge(
           LABEL_CRV => crv,
           LABEL_X => x,
           LABEL_D => d
-        )
-
-        map.reject { |_k, v| v.nil? }
+        ).compact
       end
     end
   end

data/lib/cose/key/ec2.rb

@@ -48,7 +48,7 @@ module COSE
 
       attr_reader :y
 
-      def initialize(y: nil, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(y: nil, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         if (!y || !keyword_arguments[:x]) && !keyword_arguments[:d]
           raise ArgumentError, "Both x and y are required if d is missing"
         else
@@ -59,12 +59,10 @@ module COSE
       end
 
       def map
-        map = super.merge(
+        super.merge(
           Base::LABEL_KTY => KTY_EC2,
           LABEL_Y => y,
-        )
-
-        map.reject { |_k, v| v.nil? }
+        ).compact
       end
 
       def to_pkey

data/lib/cose/key/rsa.rb

@@ -42,12 +42,12 @@ module COSE
           )
         end
 
-        new(attributes)
+        new(**attributes)
       end
 
       attr_reader :n, :e, :d, :p, :q, :dp, :dq, :qinv
 
-      def initialize(n:, e:, d: nil, p: nil, q: nil, dp: nil, dq: nil, qinv: nil, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(n:, e:, d: nil, p: nil, q: nil, dp: nil, dq: nil, qinv: nil, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         super(**keyword_arguments)
 
         if !n
@@ -74,7 +74,7 @@ module COSE
       end
 
       def map
-        map = super.merge(
+        super.merge(
           Base::LABEL_KTY => KTY_RSA,
           LABEL_N => n,
           LABEL_E => e,
@@ -84,9 +84,7 @@ module COSE
           LABEL_DP => dp,
           LABEL_DQ => dq,
           LABEL_QINV => qinv
-        )
-
-        map.reject { |_k, v| v.nil? }
+        ).compact
       end
 
       def to_pkey

data/lib/cose/key/symmetric.rb

@@ -17,7 +17,7 @@ module COSE
         end
       end
 
-      def initialize(k:, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(k:, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         super(**keyword_arguments)
 
         if !k

data/lib/cose/mac.rb

@@ -1,25 +1,42 @@
-require "cbor"
+# frozen_string_literal: true
+
 require "cose/recipient"
-require "cose/security_message"
+require "cose/mac0"
 
 module COSE
-  class Mac < SecurityMessage
-    attr_reader :payload, :tag, :recipients
+  class Mac < Mac0
+    CONTEXT = "MAC"
+
+    attr_reader :recipients
 
     def self.keyword_arguments_for_initialize(decoded)
-      {
-        payload: CBOR.decode(decoded[0]),
-        tag: decoded[1],
-        recipients: decoded[2].map { |s| COSE::Recipient.deserialize(s) }
-      }
+      super.merge(recipients: decoded.last.map { |r| COSE::Recipient.from_array(r) })
     end
 
-    def initialize(payload:, tag:, recipients:, **keyword_arguments)
+    def self.tag
+      97
+    end
+
+    def initialize(recipients:, **keyword_arguments)
       super(**keyword_arguments)
 
-      @payload = payload
-      @tag = tag
       @recipients = recipients
     end
+
+    def verify(key, external_aad = nil)
+      recipient = recipients.detect { |r| r.headers.kid == key.kid }
+
+      if recipient
+        super
+      else
+        raise(COSE::Error, "No recipient match the key")
+      end
+    end
+
+    private
+
+    def context
+      CONTEXT
+    end
   end
 end

data/lib/cose/mac0.rb

@@ -1,12 +1,21 @@
+# frozen_string_literal: true
+
 require "cbor"
 require "cose/security_message"
+require "openssl"
 
 module COSE
   class Mac0 < SecurityMessage
+    CONTEXT = "MAC0"
+
     attr_reader :payload, :tag
 
     def self.keyword_arguments_for_initialize(decoded)
-      { payload: CBOR.decode(decoded[0]), tag: decoded[1] }
+      { payload: decoded[0], tag: decoded[1] }
+    end
+
+    def self.tag
+      17
     end
 
     def initialize(payload:, tag:, **keyword_arguments)
@@ -15,5 +24,19 @@ module COSE
       @payload = payload
       @tag = tag
     end
+
+    def verify(key, external_aad = nil)
+      tag == algorithm.mac(key.k, data(external_aad)) || raise(COSE::Error, "Mac0 verification failed")
+    end
+
+    private
+
+    def data(external_aad = nil)
+      CBOR.encode([context, serialized_map(protected_headers), external_aad || zero_length_bin_string, payload])
+    end
+
+    def context
+      CONTEXT
+    end
   end
 end

data/lib/cose/recipient.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "cose/security_message"
 
 module COSE

data/lib/cose/security_message.rb

@@ -1,26 +1,71 @@
+# frozen_string_literal: true
+
 require "cbor"
+require "cose/algorithm"
+require "cose/error"
+require "cose/security_message/headers"
 
 module COSE
   class SecurityMessage
+    ZERO_LENGTH_BIN_STRING = "".b
+
     attr_reader :protected_headers, :unprotected_headers
 
     def self.deserialize(cbor)
       decoded = CBOR.decode(cbor)
 
-      if decoded.respond_to?(:value)
+      if decoded.is_a?(CBOR::Tagged)
+        if respond_to?(:tag) && tag != decoded.tag
+          raise(COSE::Error, "Invalid CBOR tag")
+        end
+
         decoded = decoded.value
       end
 
+      from_array(decoded)
+    end
+
+    def self.from_array(array)
       new(
-        protected_headers: CBOR.decode(decoded[0]),
-        unprotected_headers: decoded[1],
-        **keyword_arguments_for_initialize(decoded[2..-1])
+        protected_headers: deserialize_headers(array[0]),
+        unprotected_headers: array[1],
+        **keyword_arguments_for_initialize(array[2..-1])
       )
     end
 
+    def self.deserialize_headers(data)
+      if data == ZERO_LENGTH_BIN_STRING
+        {}
+      else
+        CBOR.decode(data)
+      end
+    end
+
     def initialize(protected_headers:, unprotected_headers:)
       @protected_headers = protected_headers
       @unprotected_headers = unprotected_headers
     end
+
+    def algorithm
+      @algorithm ||= COSE::Algorithm.find(headers.alg) || raise(COSE::Error, "Unsupported algorithm '#{headers.alg}'")
+    end
+
+    def headers
+      @headers ||= Headers.new(protected_headers, unprotected_headers)
+    end
+
+    private
+
+    def serialized_map(map)
+      if map && !map.empty?
+        map.to_cbor
+      else
+        zero_length_bin_string
+      end
+    end
+
+    def zero_length_bin_string
+      ZERO_LENGTH_BIN_STRING
+    end
   end
 end

data/lib/cose/security_message/headers.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module COSE
+  class SecurityMessage
+    class Headers
+      HEADER_LABEL_ALG = 1
+      HEADER_LABEL_KID = 4
+
+      attr_reader :protected_bucket, :unprotected_bucket
+
+      def initialize(protected_bucket, unprotected_bucket)
+        @protected_bucket = protected_bucket
+        @unprotected_bucket = unprotected_bucket
+      end
+
+      def alg
+        header(HEADER_LABEL_ALG)
+      end
+
+      def kid
+        header(HEADER_LABEL_KID)
+      end
+
+      private
+
+      def header(label)
+        protected_bucket[label] || unprotected_bucket[label]
+      end
+    end
+  end
+end

data/lib/cose/sign.rb

@@ -1,13 +1,22 @@
+# frozen_string_literal: true
+
 require "cbor"
+require "cose/error"
 require "cose/security_message"
 require "cose/signature"
 
 module COSE
   class Sign < SecurityMessage
+    CONTEXT = "Signature"
+
     attr_reader :payload, :signatures
 
     def self.keyword_arguments_for_initialize(decoded)
-      { payload: CBOR.decode(decoded[0]), signatures: decoded[1].map { |s| COSE::Signature.deserialize(s) } }
+      { payload: decoded[0], signatures: decoded[1].map { |s| COSE::Signature.from_array(s) } }
+    end
+
+    def self.tag
+      98
     end
 
     def initialize(payload:, signatures:, **keyword_arguments)
@@ -16,5 +25,30 @@ module COSE
       @payload = payload
       @signatures = signatures
     end
+
+    def verify(key, external_aad = nil)
+      signature = signatures.detect { |s| s.headers.kid == key.kid }
+
+      if signature
+        signature.algorithm.verify(key, signature.signature, verification_data(signature, external_aad))
+      else
+        raise(COSE::Error, "No signature matches key kid")
+      end
+    end
+
+    private
+
+    def verification_data(signature, external_aad = nil)
+      @verification_data ||=
+        CBOR.encode(
+          [
+            CONTEXT,
+            serialized_map(protected_headers),
+            serialized_map(signature.protected_headers),
+            external_aad || ZERO_LENGTH_BIN_STRING,
+            payload
+          ]
+        )
+    end
   end
 end

data/lib/cose/sign1.rb

@@ -1,12 +1,21 @@
+# frozen_string_literal: true
+
 require "cbor"
+require "cose/error"
 require "cose/security_message"
 
 module COSE
   class Sign1 < SecurityMessage
+    CONTEXT = "Signature1"
+
     attr_reader :payload, :signature
 
     def self.keyword_arguments_for_initialize(decoded)
-      { payload: CBOR.decode(decoded[0]), signature: decoded[1] }
+      { payload: decoded[0], signature: decoded[1] }
+    end
+
+    def self.tag
+      18
     end
 
     def initialize(payload:, signature:, **keyword_arguments)
@@ -15,5 +24,19 @@ module COSE
       @payload = payload
       @signature = signature
     end
+
+    def verify(key, external_aad = nil)
+      if key.kid == headers.kid
+        algorithm.verify(key, signature, verification_data(external_aad))
+      else
+        raise(COSE::Error, "Non matching kid")
+      end
+    end
+
+    private
+
+    def verification_data(external_aad = nil)
+      CBOR.encode([CONTEXT, serialized_map(protected_headers), external_aad || ZERO_LENGTH_BIN_STRING, payload])
+    end
   end
 end

data/lib/cose/signature.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "cose/security_message"
 
 module COSE

data/lib/cose/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module COSE
-  VERSION = "0.8.0"
+  VERSION = "1.1.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cose
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-17 00:00:00.000000000 Z
+date: 2020-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -25,6 +25,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.9
+- !ruby/object:Gem::Dependency
+  name: openssl-signature_algorithm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -63,30 +77,30 @@ dependencies:
   name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -107,28 +121,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.68.0
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.68.0
+        version: 0.80.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.4'
 description: 
 email:
 - gonzalo@cedarcode.com
@@ -138,6 +152,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".gitmodules"
 - ".rspec"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -153,11 +168,19 @@ files:
 - cose.gemspec
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_default.gemfile
 - gemfiles/openssl_head.gemfile
 - lib/cose.rb
+- lib/cose/algorithm.rb
+- lib/cose/algorithm/base.rb
+- lib/cose/algorithm/ecdsa.rb
+- lib/cose/algorithm/hmac.rb
+- lib/cose/algorithm/rsa_pss.rb
+- lib/cose/algorithm/signature_algorithm.rb
 - lib/cose/encrypt.rb
 - lib/cose/encrypt0.rb
+- lib/cose/error.rb
 - lib/cose/key.rb
 - lib/cose/key/base.rb
 - lib/cose/key/curve.rb
@@ -170,6 +193,7 @@ files:
 - lib/cose/mac0.rb
 - lib/cose/recipient.rb
 - lib/cose/security_message.rb
+- lib/cose/security_message/headers.rb
 - lib/cose/sign.rb
 - lib/cose/sign1.rb
 - lib/cose/signature.rb
@@ -189,14 +213,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Ruby implementation of RFC 8152 CBOR Object Signing and Encryption (COSE)