cose 0.9.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad1f050dae008442fcd66013cf0b0dcd6c192b66c8fb308b7aeed1fdd53687f7
-  data.tar.gz: 2917bb5f18b73c9651ca33946aea646f72fcfb3d3ee84dc26bf653b7e2573a71
+  metadata.gz: a9bd8e1fa2c7e0f08d903f81ec2303a60a2377e6ba63c548b0c7f72d1c3197ee
+  data.tar.gz: ccf797d8600edc7020c9248db5bfc60ffdfd7c07f11f7c39cad172116176430e
 SHA512:
-  metadata.gz: da3842878fc2de2d47006aeea49fdc644197226362de585f4b1692929676d0fa048567b29091682ede9f31aeda0a704db88a79f0773548342720c4bcb5a98969
-  data.tar.gz: edf9e3bef367c32a46c8a554a422df690c2156fcabc61c55c658cfa1f0b67f70471a9566052574c92bb640002196dc33244a19c86bb7368d00c35447142a4063
+  metadata.gz: 5f27deece5637039eb3fd8ce9a8d33baf99c31fab75036462e40d599c4e0df789cf6f5ada85fcd4df75ebfddef91faa49132b0f08486f2e322e731cf2e217808
+  data.tar.gz: 6eebcecddf4fc55ce1b8f7f219d9dc8bd37f1e01a18a4e3877b47b84398de883cae204d6013349e409836111b82c254a6374e9b104e552c4339ad7a94153df4b

data/.rspec

@@ -1,3 +1,3 @@
---format documentation
 --color
 --require spec_helper
+--order random

data/.rubocop.yml

@@ -6,7 +6,7 @@ inherit_mode:
     - Exclude
 
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.4
   DisabledByDefault: true
   Exclude:
     - "gemfiles/**/*"
@@ -20,13 +20,12 @@ Gemspec:
 Layout:
   Enabled: true
 
+Layout/LineLength:
+  Max: 120
+
 Lint:
   Enabled: true
 
-Metrics/LineLength:
-  Max: 120
-  IgnoreCopDirectives: true
-
 Naming:
   Enabled: true
 

data/.travis.yml

@@ -1,17 +1,17 @@
-sudo: false
+dist: bionic
 language: ruby
 cache: bundler
 
 rvm:
   - ruby-head
-  - 2.7.0-preview1
-  - 2.6.4
-  - 2.5.6
-  - 2.4.7
-  - 2.3.8
+  - 2.7.1
+  - 2.6.6
+  - 2.5.8
+  - 2.4.10
 
 gemfile:
   - gemfiles/openssl_head.gemfile
+  - gemfiles/openssl_2_2.gemfile
   - gemfiles/openssl_2_1.gemfile
   - gemfiles/openssl_2_0.gemfile
   - gemfiles/openssl_default.gemfile
@@ -22,5 +22,4 @@ matrix:
   fast_finish: true
   allow_failures:
     - rvm: ruby-head
-    - rvm: 2.7.0-preview1
     - gemfile: gemfiles/openssl_head.gemfile

data/Appraisals

@@ -4,6 +4,10 @@ appraise "openssl_head" do
   gem "openssl", git: "https://github.com/ruby/openssl"
 end
 
+appraise "openssl_2_2" do
+  gem "openssl", "~> 2.2.0"
+end
+
 appraise "openssl_2_1" do
   gem "openssl", "~> 2.1.0"
 end

data/CHANGELOG.md

@@ -1,5 +1,45 @@
 # Changelog
 
+## [v1.2.0] - 2020-07-10
+
+### Added
+
+- Support ES256K signature algorithm
+
+## [v1.1.0] - 2020-07-09
+
+### Dependencies
+
+- Update `openssl-signature_algorithm` runtime dependency from `~> 0.4.0` to `~> 1.0`.
+
+## [v1.0.0] - 2020-03-29
+
+### Added
+
+- Signature verification validates key `alg` is compatible with the signature algorithm
+
+NOTE: No breaking changes. Moving out of `v0.x` to express the intention to keep the public API stable.
+
+## [v0.11.0] - 2020-01-30
+
+### Added
+
+- Let others easily support more signature algorithms by making `COSE::Algorithm::SignatureAlgorithm` smarter
+
+## [v0.10.0] - 2019-12-19
+
+### Added
+
+- Works on ruby 2.7 without throwing any warnings
+- Simpler way to rescue key deserialization error, now possible to:
+  ```rb
+    begin
+      COSE::Key.deserialize(cbor)
+    rescue COSE::KeyDeserializationError
+      # handle error
+    end
+  ```
+
 ## [v0.9.0] - 2019-08-31
 
 ### Added
@@ -95,7 +135,12 @@
 - EC2 key object
 - Works with ruby 2.5
 
-[v0.8.0]: https://github.com/cedarcode/cose-ruby/compare/v0.8.0...v0.9.0/
+[v1.2.0]: https://github.com/cedarcode/cose-ruby/compare/v1.1.0...v1.2.0/
+[v1.1.0]: https://github.com/cedarcode/cose-ruby/compare/v1.0.0...v1.1.0/
+[v1.0.0]: https://github.com/cedarcode/cose-ruby/compare/v0.11.0...v1.0.0/
+[v0.11.0]: https://github.com/cedarcode/cose-ruby/compare/v0.10.0...v0.11.0/
+[v0.10.0]: https://github.com/cedarcode/cose-ruby/compare/v0.9.0...v0.10.0/
+[v0.9.0]: https://github.com/cedarcode/cose-ruby/compare/v0.8.0...v0.9.0/
 [v0.8.0]: https://github.com/cedarcode/cose-ruby/compare/v0.7.0...v0.8.0/
 [v0.7.0]: https://github.com/cedarcode/cose-ruby/compare/v0.6.1...v0.7.0/
 [v0.6.1]: https://github.com/cedarcode/cose-ruby/compare/v0.6.0...v0.6.1/

data/README.md

@@ -1,8 +1,8 @@
-# cose
+# cose-ruby
 
-Ruby implementation of RFC 8152 CBOR Object Signing and Encryption (COSE)
+Ruby implementation of RFC [8152](https://tools.ietf.org/html/rfc8152) CBOR Object Signing and Encryption (COSE)
 
-[![Gem](https://img.shields.io/gem/v/cose.svg?style=flat-square)](https://rubygems.org/gems/cose)
+[![Gem](https://img.shields.io/gem/v/cose.svg?style=flat-square&color=informational)](https://rubygems.org/gems/cose)
 [![Travis](https://img.shields.io/travis/cedarcode/cose-ruby.svg?style=flat-square)](https://travis-ci.org/cedarcode/cose-ruby)
 
 ## Installation

data/bin/setup

@@ -3,6 +3,8 @@ set -euo pipefail
 IFS=$'\n\t'
 set -vx
 
+git submodule update --init --recursive
+
 bundle install
 
 # Do any other automated setup that you need to do here

data/cose.gemspec

@@ -29,15 +29,16 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.3"
+  spec.required_ruby_version = ">= 2.4"
 
   spec.add_dependency "cbor", "~> 0.5.9"
+  spec.add_dependency "openssl-signature_algorithm", "~> 1.0"
 
   spec.add_development_dependency "appraisal", "~> 2.2.0"
   spec.add_development_dependency "bundler", ">= 1.17", "< 3"
-  spec.add_development_dependency "byebug", ">= 10.0"
-  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "byebug", "~> 11.0"
+  spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "rubocop", "0.74.0"
+  spec.add_development_dependency "rubocop", "0.80.1"
   spec.add_development_dependency "rubocop-performance", "~> 1.4"
 end

data/gemfiles/openssl_2_2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "openssl", "~> 2.2.0"
+
+gemspec path: "../"

data/lib/cose/algorithm.rb

@@ -26,9 +26,10 @@ module COSE
       @registered_by_name[name]
     end
 
-    register(ECDSA.new(-7, "ES256", hash_function: "SHA256"))
-    register(ECDSA.new(-35, "ES384", hash_function: "SHA384"))
-    register(ECDSA.new(-36, "ES512", hash_function: "SHA512"))
+    register(ECDSA.new(-7, "ES256", hash_function: "SHA256", curve_name: "P-256"))
+    register(ECDSA.new(-35, "ES384", hash_function: "SHA384", curve_name: "P-384"))
+    register(ECDSA.new(-36, "ES512", hash_function: "SHA512", curve_name: "P-521"))
+    register(ECDSA.new(-47, "ES256K", hash_function: "SHA256", curve_name: "secp256k1"))
     register(RSAPSS.new(-37, "PS256", hash_function: "SHA256", salt_length: 32))
     register(RSAPSS.new(-38, "PS384", hash_function: "SHA384", salt_length: 48))
     register(RSAPSS.new(-39, "PS512", hash_function: "SHA512", salt_length: 64))

data/lib/cose/algorithm/base.rb

@@ -3,8 +3,6 @@
 module COSE
   module Algorithm
     class Base
-      BYTE_LENGTH = 8
-
       attr_reader :id, :name
 
       def initialize(id, name)

data/lib/cose/algorithm/ecdsa.rb

@@ -2,32 +2,41 @@
 
 require "cose/algorithm/signature_algorithm"
 require "cose/error"
+require "cose/key/curve"
 require "cose/key/ec2"
 require "openssl"
+require "openssl/signature_algorithm/ecdsa"
 
 module COSE
   module Algorithm
     class ECDSA < SignatureAlgorithm
-      attr_reader :hash_function
+      attr_reader :hash_function, :curve
 
-      def initialize(*args, hash_function:)
+      def initialize(*args, hash_function:, curve_name:)
         super(*args)
 
         @hash_function = hash_function
-      end
-
-      def compatible_key?(key)
-        to_pkey(key)
-      rescue COSE::Error
-        false
+        @curve = COSE::Key::Curve.by_name(curve_name) || raise("Couldn't find curve with name='#{curve_name}'")
       end
 
       private
 
-      def valid_signature?(key, signature, verification_data)
-        pkey = to_pkey(key)
+      def valid_key?(key)
+        cose_key = to_cose_key(key)
+
+        cose_key.is_a?(COSE::Key::EC2) && (!cose_key.alg || cose_key.alg == id)
+      end
 
-        pkey.verify(hash_function, in_der(signature, pkey.group.degree), verification_data)
+      def signature_algorithm_class
+        OpenSSL::SignatureAlgorithm::ECDSA
+      end
+
+      def signature_algorithm_parameters
+        if curve
+          super.merge(curve: curve.pkey_name)
+        else
+          super
+        end
       end
 
       def to_pkey(key)
@@ -40,23 +49,6 @@ module COSE
           raise(COSE::Error, "Incompatible key for algorithm")
         end
       end
-
-      # Borrowed from jwt rubygem.
-      # https://github.com/jwt/ruby-jwt/blob/7a6a3f1dbaff806993156d1dff9c217bb2523ff8/lib/jwt/security_utils.rb#L34-L39
-      #
-      # Hopefully this will be provided by openssl rubygem in the future.
-      def in_der(signature, key_length)
-        n = (key_length.to_f / BYTE_LENGTH).ceil
-
-        if signature.size == n * 2
-          r = signature[0..(n - 1)]
-          s = signature[n..-1]
-
-          OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-        else
-          signature
-        end
-      end
     end
   end
 end

data/lib/cose/algorithm/hmac.rb

@@ -6,6 +6,8 @@ require "openssl"
 module COSE
   module Algorithm
     class HMAC < Base
+      BYTE_LENGTH = 8
+
       attr_reader :hash_function, :tag_length
 
       def initialize(*args, hash_function:, tag_length:)

data/lib/cose/algorithm/rsa_pss.rb

@@ -4,6 +4,7 @@ require "cose/algorithm/signature_algorithm"
 require "cose/key/rsa"
 require "cose/error"
 require "openssl"
+require "openssl/signature_algorithm/rsapss"
 
 module COSE
   module Algorithm
@@ -17,22 +18,14 @@ module COSE
         @salt_length = salt_length
       end
 
-      def compatible_key?(key)
-        to_pkey(key)
-      rescue COSE::Error
-        false
-      end
-
       private
 
-      def valid_signature?(key, signature, verification_data)
-        pkey = to_pkey(key)
+      def valid_key?(key)
+        to_cose_key(key).is_a?(COSE::Key::RSA)
+      end
 
-        if pkey.respond_to?(:verify_pss)
-          pkey.verify_pss(hash_function, signature, verification_data, salt_length: :digest, mgf1_hash: hash_function)
-        else
-          raise(COSE::Error, "Update to openssl gem >= v2.1 to have RSA-PSS support")
-        end
+      def signature_algorithm_class
+        OpenSSL::SignatureAlgorithm::RSAPSS
       end
 
       def to_pkey(key)

data/lib/cose/algorithm/signature_algorithm.rb

@@ -7,8 +7,55 @@ module COSE
   module Algorithm
     class SignatureAlgorithm < Base
       def verify(key, signature, verification_data)
+        compatible_key?(key) || raise(COSE::Error, "Incompatible key for signature verification")
         valid_signature?(key, signature, verification_data) || raise(COSE::Error, "Signature verification failed")
       end
+
+      def compatible_key?(key)
+        valid_key?(key) && to_pkey(key)
+      rescue COSE::Error
+        false
+      end
+
+      private
+
+      def valid_signature?(key, signature, verification_data)
+        signature_algorithm = signature_algorithm_class.new(**signature_algorithm_parameters)
+        signature_algorithm.verify_key = to_pkey(key)
+
+        begin
+          signature_algorithm.verify(signature, verification_data)
+        rescue OpenSSL::SignatureAlgorithm::Error
+          false
+        end
+      end
+
+      def signature_algorithm_parameters
+        { hash_function: hash_function }
+      end
+
+      def to_cose_key(key)
+        case key
+        when COSE::Key::Base
+          key
+        when OpenSSL::PKey::PKey
+          COSE::Key.from_pkey(key)
+        else
+          raise(COSE::Error, "Don't know how to transform #{key.class} to COSE::Key")
+        end
+      end
+
+      def signature_algorithm_class
+        raise NotImplementedError
+      end
+
+      def valid_key?(_key)
+        raise NotImplementedError
+      end
+
+      def to_pkey(_key)
+        raise NotImplementedError
+      end
     end
   end
 end

data/lib/cose/key.rb

@@ -8,7 +8,10 @@ require "cose/key/symmetric"
 require "openssl"
 
 module COSE
-  class UnknownKeyType < StandardError; end
+  class Error < StandardError; end
+  class KeyDeserializationError < Error; end
+  class MalformedKeyError < KeyDeserializationError; end
+  class UnknownKeyType < KeyDeserializationError; end
 
   module Key
     def self.serialize(pkey)
@@ -27,7 +30,7 @@ module COSE
     end
 
     def self.deserialize(data)
-      map = CBOR.decode(data)
+      map = cbor_decode(data)
 
       case map[Base::LABEL_KTY]
       when COSE::Key::OKP::KTY_OKP
@@ -39,10 +42,16 @@ module COSE
       when COSE::Key::Symmetric::KTY_SYMMETRIC
         COSE::Key::Symmetric.from_map(map)
       when nil
-        raise UnknownKeyType, "Missing required key type kty label"
+        raise COSE::UnknownKeyType, "Missing required key type kty label"
       else
-        raise UnknownKeyType, "Unsupported or unknown key type #{map[Base::LABEL_KTY]}"
+        raise COSE::UnknownKeyType, "Unsupported or unknown key type #{map[Base::LABEL_KTY]}"
       end
     end
+
+    def self.cbor_decode(data)
+      CBOR.decode(data)
+    rescue CBOR::MalformedFormatError, EOFError, FloatDomainError, RegexpError, TypeError, URI::InvalidURIError
+      raise COSE::MalformedKeyError, "Malformed CBOR key input"
+    end
   end
 end

data/lib/cose/key/base.rb

@@ -41,14 +41,12 @@ module COSE
       end
 
       def map
-        map = {
+        {
           LABEL_BASE_IV => base_iv,
           LABEL_KEY_OPS => key_ops,
           LABEL_ALG => alg,
           LABEL_KID => kid,
-        }
-
-        map.reject { |_k, v| v.nil? }
+        }.compact
       end
     end
   end

data/lib/cose/key/curve.rb

@@ -32,3 +32,4 @@ end
 COSE::Key::Curve.register(1, "P-256", "prime256v1")
 COSE::Key::Curve.register(2, "P-384", "secp384r1")
 COSE::Key::Curve.register(3, "P-521", "secp521r1")
+COSE::Key::Curve.register(8, "secp256k1", "secp256k1")

data/lib/cose/key/curve_key.rb

@@ -20,7 +20,7 @@ module COSE
         }
       end
 
-      def initialize(crv:, x: nil, d: nil, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(crv:, x: nil, d: nil, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         super(**keyword_arguments)
 
         if !crv
@@ -35,13 +35,11 @@ module COSE
       end
 
       def map
-        map = super.merge(
+        super.merge(
           LABEL_CRV => crv,
           LABEL_X => x,
           LABEL_D => d
-        )
-
-        map.reject { |_k, v| v.nil? }
+        ).compact
       end
     end
   end

data/lib/cose/key/ec2.rb

@@ -48,7 +48,7 @@ module COSE
 
       attr_reader :y
 
-      def initialize(y: nil, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(y: nil, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         if (!y || !keyword_arguments[:x]) && !keyword_arguments[:d]
           raise ArgumentError, "Both x and y are required if d is missing"
         else
@@ -59,12 +59,10 @@ module COSE
       end
 
       def map
-        map = super.merge(
+        super.merge(
           Base::LABEL_KTY => KTY_EC2,
           LABEL_Y => y,
-        )
-
-        map.reject { |_k, v| v.nil? }
+        ).compact
       end
 
       def to_pkey

data/lib/cose/key/rsa.rb

@@ -42,12 +42,12 @@ module COSE
           )
         end
 
-        new(attributes)
+        new(**attributes)
       end
 
       attr_reader :n, :e, :d, :p, :q, :dp, :dq, :qinv
 
-      def initialize(n:, e:, d: nil, p: nil, q: nil, dp: nil, dq: nil, qinv: nil, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(n:, e:, d: nil, p: nil, q: nil, dp: nil, dq: nil, qinv: nil, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         super(**keyword_arguments)
 
         if !n
@@ -74,7 +74,7 @@ module COSE
       end
 
       def map
-        map = super.merge(
+        super.merge(
           Base::LABEL_KTY => KTY_RSA,
           LABEL_N => n,
           LABEL_E => e,
@@ -84,9 +84,7 @@ module COSE
           LABEL_DP => dp,
           LABEL_DQ => dq,
           LABEL_QINV => qinv
-        )
-
-        map.reject { |_k, v| v.nil? }
+        ).compact
       end
 
       def to_pkey

data/lib/cose/key/symmetric.rb

@@ -17,7 +17,7 @@ module COSE
         end
       end
 
-      def initialize(k:, **keyword_arguments) # rubocop:disable Naming/UncommunicativeMethodParamName
+      def initialize(k:, **keyword_arguments) # rubocop:disable Naming/MethodParameterName
         super(**keyword_arguments)
 
         if !k

data/lib/cose/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module COSE
-  VERSION = "0.9.0"
+  VERSION = "1.2.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cose
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Gonzalo Rodriguez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-31 00:00:00.000000000 Z
+date: 2020-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cbor
@@ -25,6 +25,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.9
+- !ruby/object:Gem::Dependency
+  name: openssl-signature_algorithm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -63,30 +77,30 @@ dependencies:
   name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '11.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -107,14 +121,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.74.0
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.74.0
+        version: 0.80.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -154,6 +168,7 @@ files:
 - cose.gemspec
 - gemfiles/openssl_2_0.gemfile
 - gemfiles/openssl_2_1.gemfile
+- gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_default.gemfile
 - gemfiles/openssl_head.gemfile
 - lib/cose.rb
@@ -198,14 +213,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Ruby implementation of RFC 8152 CBOR Object Signing and Encryption (COSE)