RubyGems - fernet - Versions diffs - 1.6 → 2.0.rc1 - Mend

fernet 1.6 → 2.0.rc1

Files changed (21) hide show

data/.gitmodules +3 -0
data/.travis.yml +2 -2
data/README.md +43 -35
data/fernet.gemspec +2 -3
data/lib/fernet.rb +8 -14
data/lib/fernet/bit_packing.rb +17 -0
data/lib/fernet/configuration.rb +0 -5
data/lib/fernet/encryption.rb +28 -0
data/lib/fernet/generator.rb +16 -50
data/lib/fernet/secret.rb +15 -9
data/lib/fernet/token.rb +165 -0
data/lib/fernet/verifier.rb +29 -57
data/lib/fernet/version.rb +1 -1
data/spec/acceptance/generate_spec.rb +27 -0
data/spec/acceptance/verify_spec.rb +52 -0
data/spec/bit_packing_spec.rb +36 -0
data/spec/fernet_spec.rb +39 -115
data/spec/secret_spec.rb +30 -0
data/spec/token_spec.rb +85 -0
metadata +38 -15
data/lib/shim/base64.rb +0 -21

data/.gitmodules ADDED Viewed

@@ -0,0 +1,3 @@
+[submodule "spec/fernet-spec"]
+	path = spec/fernet-spec
+	url = git://github.com/kr/fernet-spec.git

data/.travis.yml CHANGED Viewed

@@ -3,7 +3,7 @@ language: ruby
 rvm:
   - "1.9.3"
   - "1.9.2"
-  - rbx-19mode
-  - "1.8.7"
+  - "2.0.0"
+  - "ruby-head"
 script: bundle exec rspec -b spec

data/README.md CHANGED Viewed

@@ -1,11 +1,11 @@
 # Fernet
 [![Build Status](https://secure.travis-ci.org/hgmnz/fernet.png)](http://travis-ci.org/hgmnz/fernet)
-[![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/hgmnz/fernet)
+[![Code Climate](https://codeclimate.com/github/hgmnz/fernet.png)](https://codeclimate.com/github/hgmnz/fernet)
 Fernet allows you to easily generate and verify **HMAC based authentication
 tokens** for issuing API requests between remote servers. It also **encrypts**
-data by default, so it can be used to transmit secure messages over the wire.
+the message so it can be used to transmit secure data over the wire.
 ![Fernet](http://f.cl.ly/items/2d0P3d26271O3p2v253u/photo.JPG)
@@ -16,17 +16,9 @@ Fernet about it!
 ## Installation
-Add this line to your application's Gemfile:
-    gem 'fernet'
-And then execute:
-    $ bundle
-Or install it yourself as:
-    $ gem install fernet
+Fernet is distributed as [a rubygem](https://rubygems.org/gems/fernet), so
+either add `gem 'fernet'` to your application's Gemfile or install it yourself
+by running `gem install fernet`.
 ## Usage
@@ -36,53 +28,41 @@ You want to encode some data in the token as well, for example, an email
 address can be used to verify it on the other end.
 ```ruby
-token = Fernet.generate(secret) do |generator|
-  generator.data = { email: 'harold@heroku.com' }
-end
+token = Fernet.generate(secret, 'harold@heroku.com')
 ```
 On the server side, the receiver can use this token to verify whether it's
 legit:
 ```ruby
-verified = Fernet.verify(secret, token) do |verifier|
-  verifier.data['email'] == 'harold@heroku.com'
+verifier = Fernet.verifier(secret, token)
+if verifier.valid?
+  operate_on(verifier.message) # the original, decrypted message
 end
 ```
-The `verified` variable will be true if:
+The verifier is valid if:
-* The email encoded in the token data is `harold@heroku.com`
-* The token was generated in the last 60 seconds
+* The token was generated in the last 60 seconds (or some configurable TTL)
 * The secret used to generate the token matches
 Otherwise, `verified` will be false, and you should deny the request with an
 HTTP 401, for example.
-The `Fernet.verify` method can be awkward if extracting the plain text data is
-required. For this case, a `verifier` can be requested that makes that
-use case more pleasent:
-```ruby
-verifier = Fernet.verifier(secret, token)
-if verifier.valid? # signature valid, TTL verified
-  operate_on(verifier.data) # the original, decrypted data
-end
-```
 The specs
 ([spec/fernet_spec.rb](https://github.com/hgmnz/fernet/blob/master/spec/fernet_spec.rb))
 have more usage examples.
 ### Global configuration
-It's possible to configure fernet via the `Configuration` class. Put this in an initializer:
+It's possible to configure fernet via the `Configuration` class. To do so, put
+this in an initializer:
 ```ruby
 # default values shown here
 Fernet::Configuration.run do |config|
   config.enforce_ttl = true
   config.ttl         = 60
-  config.encrypt     = true
 end
 ```
@@ -94,14 +74,42 @@ generate it using `/dev/random` in a *nix. To generate a base64-encoded 256 bit
     dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
+### Ruby Compatibility
+Fernet is compatible with Ruby 1.9 and above. It is tested on the rubies
+available on this [Travis CI configuration
+file](https://github.com/hgmnz/fernet/blob/master/.travis.yml)
 ### Attribution
 This library was largely made possible by [Mr. Tom
-Maher](http://twitter.com/#tmaher), who clearly articulated the mechanics
+Maher](https://twitter.com/tmaher), who clearly articulated the mechanics
 behind this process, and further found ways to make it
 [more](https://github.com/hgmnz/fernet/commit/2bf0b4a66b49ef3fc92ef50708a2c8b401950fc2)
 [secure](https://github.com/hgmnz/fernet/commit/051161d0afb0b41480734d84bc824bdbc7f9c563).
+Similarly, [Mr. Keith Rarick](https://twitter.com/krarick) who implemented a [Go
+version](https://github.com/kr/fernet) and put together the [Fernet
+spec](https://github.com/kr/fernet-spec) which is used by this project to
+verify interoparability.
+### Contributing
+Contributions are welcome via github pull requests.
+To run the test suite:
+* Clone the project
+* Init submodules with `git submodule init && git submodule update`
+* Run the suite: `bundle exec rspec spec`
+Thanks to all [contributors](https://github.com/hgmnz/fernet/contributors).
+### Security disclosures
+If you find a security issue with Fernet, please report it by emailing
+the fernet security list: fernet-secure@googlegroups.com
 ## License
 Fernet is copyright (c) Harold Giménez and is released under the terms of the

data/fernet.gemspec CHANGED Viewed

@@ -4,7 +4,7 @@ require File.expand_path('../lib/fernet/version', __FILE__)
 Gem::Specification.new do |gem|
   gem.authors       = ["Harold Giménez"]
   gem.email         = ["harold.gimenez@gmail.com"]
-  gem.description   = %q{Delicious HMAC Digest(if) authentication and encryption}
+  gem.description   = %q{Delicious HMAC Digest(if) authentication and AES-128-CBC encryption}
   gem.summary       = %q{Easily generate and verify AES encrypted HMAC based authentication tokens}
   gem.homepage      = ""
@@ -15,7 +15,6 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = Fernet::VERSION
-  gem.add_dependency "yajl-ruby"
+  gem.add_runtime_dependency "valcro", "0.1"
   gem.add_development_dependency "rspec"
 end

data/lib/fernet.rb CHANGED Viewed

@@ -1,27 +1,21 @@
 require 'fernet/version'
+require 'fernet/bit_packing'
+require 'fernet/encryption'
+require 'fernet/token'
 require 'fernet/generator'
 require 'fernet/verifier'
 require 'fernet/secret'
 require 'fernet/configuration'
-if RUBY_VERSION == '1.8.7'
-  require 'shim/base64'
-end
 Fernet::Configuration.run
 module Fernet
-  def self.generate(secret, encrypt = Configuration.encrypt, &block)
-    Generator.new(secret, encrypt).generate(&block)
-  end
-  def self.verify(secret, token, encrypt = Configuration.encrypt, &block)
-    Verifier.new(secret, encrypt).verify_token(token, &block)
+  def self.generate(secret, message = '', opts = {}, &block)
+    Generator.new(opts.merge({secret: secret, message: message})).
+      generate(&block)
   end
-  def self.verifier(secret, token, encrypt = Configuration.encrypt)
-    Verifier.new(secret, encrypt).tap do |v|
-      v.verify_token(token)
-    end
+  def self.verifier(secret, token, opts = {})
+    Verifier.new(opts.merge({secret: secret, token: token}))
   end
 end

data/lib/fernet/bit_packing.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Fernet
+  module BitPacking
+    extend self
+    # N.B. Ruby 1.9.2 and below silently ignore endianness specifiers in
+    # packing/unpacking format directives; we work around it with this
+    def pack_int64_bigendian(value)
+      (0..7).map { |index| (value >> (index * 8)) & 0xFF }.reverse.map(&:chr).join
+    end
+    def unpack_int64_bigendian(bytes)
+      bytes.each_byte.to_a.reverse.each_with_index.
+        reduce(0) { |val, (byte, index)| val | (byte << (index * 8)) }
+    end
+  end
+end

data/lib/fernet/configuration.rb CHANGED Viewed

@@ -11,14 +11,9 @@ module Fernet
     # (an integer in seconds)
     attr_accessor :ttl
-    # Whether to encrypt the payload
-    # (true or false)
-    attr_accessor :encrypt
     def self.run
       self.instance.enforce_ttl = true
       self.instance.ttl         = 60
-      self.instance.encrypt     = true
       yield self.instance if block_given?
     end

data/lib/fernet/encryption.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require 'openssl'
+module Fernet
+  module Encryption
+    AES_BLOCK_SIZE  = 16.freeze
+    def self.encrypt(opts)
+      cipher = OpenSSL::Cipher.new('AES-128-CBC')
+      cipher.encrypt
+      iv = opts[:iv] || cipher.random_iv
+      cipher.iv  = iv
+      cipher.key = opts[:key]
+      [cipher.update(opts[:message]) + cipher.final, iv]
+    end
+    def self.decrypt(opts)
+      decipher = OpenSSL::Cipher.new('AES-128-CBC')
+      decipher.decrypt
+      decipher.iv  = opts[:iv]
+      decipher.key = opts[:key]
+      decipher.update(opts[:ciphertext]) + decipher.final
+    end
+    def self.hmac_digest(key, blob)
+      OpenSSL::HMAC.digest('sha256', key, blob)
+    end
+  end
+end

data/lib/fernet/generator.rb CHANGED Viewed

@@ -1,71 +1,37 @@
+#encoding UTF-8
 require 'base64'
-require 'yajl'
 require 'openssl'
 require 'date'
 module Fernet
   class Generator
-    attr_accessor :data, :payload
+    attr_accessor :message
-    def initialize(secret, encrypt)
-      @secret  = Secret.new(secret, encrypt)
-      @encrypt = encrypt
-      @payload = ''
-      @data    = {}
+    def initialize(opts)
+      @secret  = opts.fetch(:secret)
+      @message = opts[:message]
+      @iv      = opts[:iv]
+      @now     = opts[:now]
     end
     def generate
       yield self if block_given?
-      data.merge!(:issued_at => DateTime.now)
-      if encrypt?
-        iv = encrypt_data!
-        @payload = "#{base64(data)}|#{base64(iv)}"
-      else
-        @payload = base64(Yajl::Encoder.encode(data))
-      end
-      mac = OpenSSL::HMAC.hexdigest('sha256', payload, signing_key)
-      "#{payload}|#{mac}"
+      token = Token.generate(secret:  @secret,
+                             message: @message,
+                             iv:      @iv,
+                             now:     @now)
+      token.to_s
     end
     def inspect
-      "#<Fernet::Generator @secret=[masked] @data=#{@data.inspect}>"
+      "#<Fernet::Generator @secret=[masked] @message=#{@message.inspect}>"
     end
     alias to_s inspect
-    def data
-      @data ||= {}
-    end
-  private
-    attr_reader :secret
-    def encrypt_data!
-      cipher = OpenSSL::Cipher.new('AES-128-CBC')
-      cipher.encrypt
-      iv         = cipher.random_iv
-      cipher.iv  = iv
-      cipher.key = encryption_key
-      @data = cipher.update(Yajl::Encoder.encode(data)) + cipher.final
-      iv
+    def data=(message)
+      puts "[WARNING] 'data' is deprecated, use 'message' instead"
+      @message = message
     end
-    def base64(chars)
-      Base64.urlsafe_encode64(chars)
-    end
-    def encryption_key
-      @secret.encryption_key
-    end
-    def signing_key
-      @secret.signing_key
-    end
-    def encrypt?
-      @encrypt
-    end
   end
 end

data/lib/fernet/secret.rb CHANGED Viewed

@@ -1,20 +1,26 @@
+require 'base64'
 module Fernet
   class Secret
-    def initialize(secret, encrypt)
-      @secret  = secret
-      @encrypt = encrypt
+    class InvalidSecret < RuntimeError; end
+    def initialize(secret)
+      @secret = Base64.urlsafe_decode64(secret)
+      unless @secret.bytesize == 32
+        raise InvalidSecret, "Secret must be 32 bytes, instead got #{@secret.bytesize}"
+      end
     end
     def encryption_key
-      @secret.slice(@secret.size/2, @secret.size)
+      @secret.slice(16, 16)
     end
     def signing_key
-      if @encrypt
-        @secret.slice(0, @secret.size/2)
-      else
-        @secret
-      end
+      @secret.slice(0, 16)
+    end
+    def to_s
+      "<Fernet::Secret [masked]>"
     end
+    alias to_s inspect
   end
 end

data/lib/fernet/token.rb ADDED Viewed

@@ -0,0 +1,165 @@
+# encoding UTF-8
+require 'base64'
+require 'valcro'
+module Fernet
+  class Token
+    include Valcro
+    class InvalidToken < StandardError; end
+    DEFAULT_VERSION = 0x80.freeze
+    MAX_CLOCK_SKEW  = 60.freeze
+    def initialize(token, opts = {})
+      @token       = token
+      @enforce_ttl = opts.fetch(:enforce_ttl) { Configuration.enforce_ttl }
+      @ttl         = opts[:ttl] || Configuration.ttl
+      @now         = opts[:now]
+    end
+    def to_s
+      @token
+    end
+    def secret=(secret)
+      @secret = Secret.new(secret)
+    end
+    def valid?
+      validate
+      super
+    end
+    def message
+      if valid?
+        begin
+          Encryption.decrypt(key: @secret.encryption_key,
+                             ciphertext: encrypted_message,
+                             iv: iv)
+        rescue OpenSSL::Cipher::CipherError
+          raise InvalidToken, "bad decrypt"
+        end
+      else
+        raise InvalidToken, error_messages
+      end
+    end
+    def self.generate(params)
+      unless params[:secret]
+        raise ArgumentError, 'Secret not provided'
+      end
+      secret = Secret.new(params[:secret])
+      encrypted_message, iv = Encryption.encrypt(key:     secret.encryption_key,
+                                                 message: params[:message],
+                                                 iv:      params[:iv])
+      issued_timestamp = (params[:now] || Time.now).to_i
+      payload = [DEFAULT_VERSION].pack("C") +
+        BitPacking.pack_int64_bigendian(issued_timestamp) +
+        iv +
+        encrypted_message
+      mac = OpenSSL::HMAC.digest('sha256', secret.signing_key, payload)
+      new(Base64.urlsafe_encode64(payload + mac))
+    end
+  private
+    def decoded_token
+      @decoded_token ||= Base64.urlsafe_decode64(@token)
+    end
+    def version
+      decoded_token.chr.unpack("C").first
+    end
+    def received_signature
+      decoded_token[(decoded_token.length - 32), 32]
+    end
+    def issued_timestamp
+      BitPacking.unpack_int64_bigendian(decoded_token[1, 8])
+    end
+    def iv
+      decoded_token[9, 16]
+    end
+    def encrypted_message
+      decoded_token[25..(decoded_token.length - 33)]
+    end
+    validate do
+      if valid_base64?
+        if unknown_token_version?
+          errors.add :version, "is unknown"
+        else
+          unless signatures_match?
+            errors.add :signature, "does not match"
+          end
+          if enforce_ttl? && !issued_recent_enough?
+            errors.add :issued_timestamp, "is too far in the past: token expired"
+          end
+          if unacceptable_clock_slew?
+            errors.add :issued_timestamp, "is too far in the future"
+          end
+          unless ciphertext_multiple_of_block_size?
+            errors.add :ciphertext, "is not a multiple of block size"
+          end
+        end
+      else
+        errors.add(:token, "invalid base64")
+      end
+    end
+    def regenerated_mac
+      Encryption.hmac_digest(@secret.signing_key, signing_blob)
+    end
+    def signing_blob
+      [version].pack("C") +
+        BitPacking.pack_int64_bigendian(issued_timestamp) +
+        iv +
+        encrypted_message
+    end
+    def valid_base64?
+      decoded_token
+      true
+    rescue ArgumentError
+      false
+    end
+    def signatures_match?
+      regenerated_bytes = regenerated_mac.bytes.to_a
+      received_bytes    = received_signature.bytes.to_a
+      received_bytes.inject(0) do |accum, byte|
+        accum |= byte ^ regenerated_bytes.shift
+      end.zero?
+    end
+    def issued_recent_enough?
+      good_till = issued_timestamp + @ttl
+      good_till >= now.to_i
+    end
+    def unacceptable_clock_slew?
+      issued_timestamp >= (now.to_i + MAX_CLOCK_SKEW)
+    end
+    def ciphertext_multiple_of_block_size?
+      (encrypted_message.size % Encryption::AES_BLOCK_SIZE).zero?
+    end
+    def unknown_token_version?
+      DEFAULT_VERSION != version
+    end
+    def enforce_ttl?
+      @enforce_ttl
+    end
+    def now
+      @now || Time.now
+    end
+  end
+end

data/lib/fernet/verifier.rb CHANGED Viewed

@@ -1,68 +1,60 @@
+#encoding UTF-8
 require 'base64'
-require 'yajl'
 require 'openssl'
 require 'date'
 module Fernet
   class Verifier
-    attr_reader :token, :data
+    class UnknownTokenVersion < RuntimeError; end
+    attr_reader :token
     attr_accessor :ttl, :enforce_ttl
-    def initialize(secret, decrypt)
-      @secret      = Secret.new(secret, decrypt)
-      @decrypt     = decrypt
-      @ttl         = Configuration.ttl
-      @enforce_ttl = Configuration.enforce_ttl
+    def initialize(opts = {})
+      enforce_ttl = opts.has_key?(:enforce_ttl) ? opts[:enforce_ttl] : Configuration.enforce_ttl
+      @token = Token.new(opts.fetch(:token),
+                           enforce_ttl: enforce_ttl,
+                           ttl: opts[:ttl],
+                           now: opts[:now])
+      @token.secret = opts.fetch(:secret)
     end
-    def verify_token(token)
-      @token = token
-      deconstruct
-      if block_given?
-        custom_verification = yield self
-      else
-        custom_verification = true
-      end
+    def valid?
+      @token.valid?
+    end
-      @valid = signatures_match? && token_recent_enough? && custom_verification
+    def message
+      @token.message
     end
-    def valid?
-      @valid
+    def data
+      puts "[WARNING] data is deprected. Use message instead"
+      message
     end
     def inspect
-      "#<Fernet::Verifier @secret=[masked] @token=#{@token} @data=#{@data.inspect} @ttl=#{@ttl}>"
+      "#<Fernet::Verifier @secret=[masked] @token=#{@token} @message=#{@message.inspect} @ttl=#{@ttl} @enforce_ttl=#{@enforce_ttl}>"
     end
     alias to_s inspect
   private
-    attr_reader :secret
-    def deconstruct
-      parts = @token.split('|')
-      if decrypt?
-        encrypted_data, iv, @received_signature = *parts
-        @data = Yajl::Parser.parse(decrypt!(encrypted_data, Base64.urlsafe_decode64(iv)))
-        signing_blob = "#{encrypted_data}|#{iv}"
-      else
-        encoded_data, @received_signature = *parts
-        signing_blob = encoded_data
-        @data = Yajl::Parser.parse(Base64.urlsafe_decode64(encoded_data))
-      end
-      @regenerated_mac = OpenSSL::HMAC.hexdigest('sha256', signing_blob, signing_key)
+    def must_verify?
+      @must_verify || @valid.nil?
     end
     def token_recent_enough?
       if enforce_ttl?
-        good_till = DateTime.parse(data['issued_at']) + (ttl.to_f / 24 / 60 / 60)
-        good_till > now
+        good_till = @issued_at + (ttl.to_f / 24 / 60 / 60)
+        (good_till.to_i >= now.to_i) && acceptable_clock_skew?
       else
         true
       end
     end
+    def acceptable_clock_skew?
+      @issued_at < (now + MAX_CLOCK_SKEW)
+    end
     def signatures_match?
       regenerated_bytes = @regenerated_mac.bytes.to_a
       received_bytes    = @received_signature.bytes.to_a
@@ -71,32 +63,12 @@ module Fernet
       end.zero?
     end
-    def decrypt!(encrypted_data, iv)
-      decipher = OpenSSL::Cipher.new('AES-128-CBC')
-      decipher.decrypt
-      decipher.iv  = iv
-      decipher.key = encryption_key
-      decipher.update(Base64.urlsafe_decode64(encrypted_data)) + decipher.final
-    end
-    def encryption_key
-      @secret.encryption_key
-    end
-    def signing_key
-      @secret.signing_key
-    end
-    def decrypt?
-      @decrypt
-    end
     def enforce_ttl?
       @enforce_ttl
     end
     def now
-      DateTime.now
+      @now ||= Time.now
     end
   end
 end

data/lib/fernet/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Fernet
-  VERSION = "1.6"
+  VERSION = "2.0.rc1"
 end

data/spec/acceptance/generate_spec.rb ADDED Viewed

@@ -0,0 +1,27 @@
+require 'spec_helper'
+require 'fernet'
+require 'json'
+require 'base64'
+describe Fernet::Generator do
+  it 'generates tokens according to the spec' do
+    path = File.expand_path(
+      './../fernet-spec/generate.json', File.dirname(__FILE__)
+    )
+    generate_json  = JSON.parse(File.read(path))
+    generate_json.each do |test_data|
+      message        = test_data['src']
+      iv             = test_data['iv'].pack("C*")
+      secret         = test_data['secret']
+      now            = DateTime.parse(test_data['now']).to_time
+      expected_token = test_data['token']
+      generator = Fernet::Generator.new(secret:  secret,
+                                        message: message,
+                                        iv:      iv,
+                                        now:     now)
+      expect(generator.generate).to eq(expected_token)
+    end
+  end
+end

data/spec/acceptance/verify_spec.rb ADDED Viewed

@@ -0,0 +1,52 @@
+require 'spec_helper'
+require 'fernet'
+require 'json'
+require 'base64'
+describe Fernet::Verifier do
+  it 'verifies tokens according to the spec' do
+    path = File.expand_path(
+      './../fernet-spec/verify.json', File.dirname(__FILE__)
+    )
+    verify_json  = JSON.parse(File.read(path))
+    verify_json.each do |test_data|
+      token   = test_data['token']
+      ttl     = test_data['ttl_sec']
+      now     = DateTime.parse(test_data['now']).to_time
+      secret  = test_data['secret']
+      message = test_data['src']
+      verifier = Fernet::Verifier.new(token: token,
+                                      secret: secret,
+                                      now: now,
+                                      ttl: ttl)
+      expect(
+        verifier.message
+      ).to eq(message)
+    end
+  end
+  context 'invalid tokens' do
+    path = File.expand_path(
+      './../fernet-spec/invalid.json', File.dirname(__FILE__)
+    )
+    invalid_json = JSON.parse(File.read(path))
+    invalid_json.each do |test_data|
+      it "detects #{test_data['desc']}" do
+        token  = test_data['token']
+        ttl    = test_data['ttl_sec']
+        now    = DateTime.parse(test_data['now']).to_time
+        secret = test_data['secret']
+        verifier = Fernet::Verifier.new(token: token,
+                                        secret: secret,
+                                        now: now,
+                                        ttl: ttl)
+        expect { verifier.message }.to raise_error(Fernet::Token::InvalidToken)
+      end
+    end
+  end
+end

data/spec/bit_packing_spec.rb ADDED Viewed

@@ -0,0 +1,36 @@
+require 'spec_helper'
+require 'fernet/bit_packing'
+describe Fernet::BitPacking do
+  VALUE_TO_BYTES = {
+    0x0000000000000000 => [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ],
+    0x00000000000000FF => [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF ],
+    0x000000FF00000000 => [ 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00 ],
+    0x00000000FF000000 => [ 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00 ],
+    0xFF00000000000000 => [ 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ],
+    0xFFFFFFFFFFFFFFFF => [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ]
+  }
+  def self.pretty(bytea)
+    "0x#{bytea.map { |b| sprintf("%.2x", b) }.join}"
+  end
+  def self.bytestr(bytea)
+    bytea.map(&:chr).join
+  end
+  VALUE_TO_BYTES.each do |value, bytes|
+    pretty_bytes = pretty(bytes).rjust(20)
+    pretty_val = value.to_s.rjust(20)
+    bytestr = bytestr(bytes)
+    it "encodes #{pretty_val} to #{pretty_bytes}" do
+      expect(Fernet::BitPacking.pack_int64_bigendian(value)).to eq(bytestr)
+    end
+    # N.B.: we have two extra spaces in the spec description for
+    # aligned formatting w.r.t. the 'encode' specs
+    it "decodes #{pretty_bytes} to #{pretty_val}" do
+      expect(Fernet::BitPacking.unpack_int64_bigendian(bytestr)).to eq(value)
+    end
+  end
+end

data/spec/fernet_spec.rb CHANGED Viewed

@@ -4,90 +4,55 @@ require 'fernet'
 describe Fernet do
   after { Fernet::Configuration.run }
-  let(:token_data) do
-    { :email => 'harold@heroku.com', :id => '123', :arbitrary => 'data' }
-  end
   let(:secret)     { 'JrdICDH6x3M7duQeM8dJEMK4Y5TkBIsYDw1lPy35RiY=' }
   let(:bad_secret) { 'badICDH6x3M7duQeM8dJEMK4Y5TkBIsYDw1lPy35RiY=' }
   it 'can verify tokens it generates' do
     token = Fernet.generate(secret) do |generator|
-      generator.data = token_data
+      generator.message = 'harold@heroku.com'
     end
-    expect(
-      Fernet.verify(secret, token) do |verifier|
-        verifier.data['email'] == 'harold@heroku.com'
-      end
-    ).to be_true
+    verifier = Fernet.verifier(secret, token)
+    expect(verifier).to be_valid
+    expect(verifier.message).to eq('harold@heroku.com')
   end
-  it 'fails with a bad secret' do
-    token = Fernet.generate(secret) do |generator|
-      generator.data = token_data
-    end
-    expect(
-      Fernet.verify(bad_secret, token) do |verifier|
-        verifier.data['email'] == 'harold@heroku.com'
-      end
-    ).to be_false
+  it 'can generate tokens without a block' do
+    token = Fernet.generate(secret, 'harold@heroku.com')
+    verifier = Fernet.verifier(secret, token)
+    expect(verifier).to be_valid
+    expect(verifier.message).to eq('harold@heroku.com')
   end
-  it 'fails with a bad custom verification' do
+  it 'fails with a bad secret' do
     token = Fernet.generate(secret) do |generator|
-      generator.data = { :email => 'harold@heroku.com' }
+      generator.message = 'harold@heroku.com'
     end
-    expect(
-      Fernet.verify(secret, token) do |verifier|
-        verifier.data['email'] == 'lol@heroku.com'
-      end
-    ).to be_false
+    verifier = Fernet.verifier(bad_secret, token)
+    expect(verifier.valid?).to be_false
+    expect {
+      verifier.message
+    }.to raise_error
   end
   it 'fails if the token is too old' do
-    token = Fernet.generate(secret) do |generator|
-      generator.data = token_data
-    end
+    token = Fernet.generate(secret, 'harold@heroku.com', now: (Time.now - 61))
-    expect(
-      Fernet.verify(secret, token) do |verifier|
-        verifier.ttl = 1
-        def verifier.now
-          now = DateTime.now
-          DateTime.new(now.year, now.month, now.day, now.hour,
-                       now.min, now.sec + 2, now.offset)
-        end
-        true
-      end
-    ).to be_false
-  end
-  it 'verifies without a custom verification' do
-    token = Fernet.generate(secret) do |generator|
-      generator.data = token_data
-    end
-    expect(Fernet.verify(secret, token)).to be_true
+    verifier = Fernet.verifier(secret, token)
+    expect(verifier.valid?).to be_false
   end
   it 'can ignore TTL enforcement' do
-    token = Fernet.generate(secret) do |generator|
-      generator.data = token_data
+    Fernet::Configuration.run do |config|
+      config.enforce_ttl = true
     end
-    expect(
-      Fernet.verify(secret, token) do |verifier|
-        def verifier.now
-          Time.now + 99999999999
-        end
-        verifier.enforce_ttl = false
-        true
-      end
-    ).to be_true
+    token = Fernet.generate(secret, 'harold@heroku.com')
+    verifier = Fernet.verifier(secret, token, enforce_ttl: false,
+                                              now: Time.now + 9999)
+    expect(verifier.valid?).to be_true
   end
   it 'can ignore TTL enforcement via global config' do
@@ -95,70 +60,29 @@ describe Fernet do
       config.enforce_ttl = false
     end
-    token = Fernet.generate(secret) do |generator|
-      generator.data = token_data
-    end
-    expect(
-      Fernet.verify(secret, token) do |verifier|
-        def verifier.now
-          Time.now + 99999999999
-        end
-        true
-      end
-    ).to be_true
-  end
-  it 'generates without custom data' do
-    token = Fernet.generate(secret)
-    expect(Fernet.verify(secret, token)).to be_true
-  end
+    token = Fernet.generate(secret, 'harold@heroku.com')
-  it 'can encrypt the payload' do
-    token = Fernet.generate(secret, true) do |generator|
-      generator.data['password'] = 'password1'
-    end
-    expect(Base64.decode64(token)).not_to match /password1/
-    Fernet.verify(secret, token) do |verifier|
-      expect(verifier.data['password']).to eq('password1')
-    end
+    verifier = Fernet.verifier(secret, token, now: Time.now + 999999)
+    expect(verifier.valid?).to be_true
   end
-  it 'does not encrypt when asked nicely' do
-    token = Fernet.generate(secret, false) do |generator|
-      generator.data['password'] = 'password1'
-    end
-    expect(Base64.decode64(token)).to match /password1/
+  it 'does not send the message in plain text' do
+    token = Fernet.generate(secret, 'password1')
-    Fernet.verify(secret, token, false) do |verifier|
-      expect(verifier.data['password']).to eq('password1')
-    end
+    expect(Base64.urlsafe_decode64(token)).not_to match /password1/
   end
-  it 'can disable encryption via global configuration' do
-    Fernet::Configuration.run { |c| c.encrypt = false }
-    token = Fernet.generate(secret) do |generator|
-      generator.data['password'] = 'password1'
-    end
-    expect(Base64.decode64(token)).to match /password1/
-    Fernet.verify(secret, token) do |verifier|
-      expect(verifier.data['password']).to eq('password1')
+  it 'allows overriding enforce_ttl on a verifier' do
+    Fernet::Configuration.run do |config|
+      config.enforce_ttl = true
+      config.ttl = 0
     end
-  end
-  it 'returns the unencrypted message upon verify' do
     token = Fernet.generate(secret) do |generator|
-      generator.data['password'] = 'password1'
+      generator.message = 'password1'
     end
     verifier = Fernet.verifier(secret, token)
+    verifier.enforce_ttl = false
     expect(verifier.valid?).to be_true
-    expect(verifier.data['password']).to eq('password1')
+    expect(verifier.message).to eq('password1')
   end
 end

data/spec/secret_spec.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require 'spec_helper'
+require 'fernet/secret'
+describe Fernet::Secret do
+  it "expects base64 encoded 32 byte strings" do
+    secret = Base64.urlsafe_encode64("A"*32)
+    expect do
+      Fernet::Secret.new(secret)
+    end.to_not raise_error
+  end
+  it "extracts encryption and signing keys" do
+    secret = Base64.urlsafe_encode64("A"*16 + "B"*16)
+    fernet_secret = Fernet::Secret.new(secret)
+    expect(
+      fernet_secret.signing_key
+    ).to eq("A"*16)
+    expect(
+      fernet_secret.encryption_key
+    ).to eq("B"*16)
+  end
+  it "fails loudly when an invalid secret is provided" do
+    secret = Base64.urlsafe_encode64("bad")
+    expect do
+      Fernet::Secret.new(secret)
+    end.to raise_error(Fernet::Secret::InvalidSecret)
+  end
+end

data/spec/token_spec.rb ADDED Viewed

@@ -0,0 +1,85 @@
+require 'spec_helper'
+require 'fernet'
+require 'json'
+describe Fernet::Token, 'validation' do
+  let(:secret) { 'odN/0Yu+Pwp3oIvvG8OiE5w4LsLrqfWYRb3knQtSyKI=' }
+  it 'is invalid with a bad MAC signature' do
+    generated = Fernet::Token.generate(secret: secret,
+                                       message: 'hello')
+    bogus_hmac = "1" * 32
+    Fernet::Encryption.stub(hmac_digest: bogus_hmac)
+    token = Fernet::Token.new(generated.to_s)
+    token.secret = secret
+    expect(token.valid?).to be_false
+    expect(token.errors[:signature]).to include("does not match")
+  end
+  it 'is invalid if too old' do
+    generated = Fernet::Token.generate(secret: secret,
+                                       message: 'hello',
+                                       now: Time.now - 61)
+    token = Fernet::Token.new(generated.to_s, enforce_ttl: true,
+                                              ttl: 60)
+    token.secret = secret
+    expect(token.valid?).to be_false
+    expect(token.errors[:issued_timestamp]).to include("is too far in the past: token expired")
+  end
+  it 'is invalid with a large clock skew' do
+    generated = Fernet::Token.generate(secret:  secret,
+                                       message: 'hello',
+                                       now:     Time.at(Time.now.to_i + 61))
+    token = Fernet::Token.new(generated.to_s)
+    token.secret = secret
+    expect(token.valid?).to be_false
+    expect(token.errors[:issued_timestamp]).to include("is too far in the future")
+  end
+  it 'is invalid with bad base64' do
+    token = Fernet::Token.new('bad')
+    token.secret = secret
+    expect(token.valid?).to be_false
+    expect(token.errors[:token]).to include("invalid base64")
+  end
+  it 'is invalid with an unknown token version' do
+    token  = Fernet::Token.new(Base64.urlsafe_encode64("xxxxxx"))
+    expect(token.valid?).to be_false
+    expect(token.errors[:version]).to include("is unknown")
+  end
+end
+describe Fernet::Token, 'message' do
+  let(:secret) { 'odN/0Yu+Pwp3oIvvG8OiE5w4LsLrqfWYRb3knQtSyKI=' }
+  it 'refuses to decrypt if invalid' do
+    generated = Fernet::Token.generate(secret:  secret,
+                                       message: 'hello',
+                                       now:     Time.now + 61)
+    token = Fernet::Token.new(generated.to_s)
+    token.secret = secret
+    !token.valid? or raise "invalid token"
+    expect {
+      token.message
+    }.to raise_error Fernet::Token::InvalidToken,
+      /issued_timestamp is too far in the future/
+  end
+  it 'gives back the original message in plain text' do
+    token = Fernet::Token.generate(secret: secret,
+                                   message: 'hello')
+    token.secret = secret
+    token.valid? or raise "invalid token"
+    expect(token.message).to eq('hello')
+  end
+end

metadata CHANGED Viewed

@@ -1,30 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: fernet
 version: !ruby/object:Gem::Version
-  version: '1.6'
-  prerelease:
+  version: 2.0.rc1
+  prerelease: 4
 platform: ruby
 authors:
 - Harold Giménez
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-26 00:00:00.000000000 Z
+date: 2013-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: yajl-ruby
-  requirement: &70306497693420 !ruby/object:Gem::Requirement
+  name: valcro
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ! '>='
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.1'
   type: :runtime
   prerelease: false
-  version_requirements: *70306497693420
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70306497692980 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,8 +37,13 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70306497692980
-description: Delicious HMAC Digest(if) authentication and encryption
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Delicious HMAC Digest(if) authentication and AES-128-CBC encryption
 email:
 - harold.gimenez@gmail.com
 executables: []
@@ -41,6 +51,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .gitmodules
 - .rspec
 - .travis.yml
 - Gemfile
@@ -49,14 +60,21 @@ files:
 - Rakefile
 - fernet.gemspec
 - lib/fernet.rb
+- lib/fernet/bit_packing.rb
 - lib/fernet/configuration.rb
+- lib/fernet/encryption.rb
 - lib/fernet/generator.rb
 - lib/fernet/secret.rb
+- lib/fernet/token.rb
 - lib/fernet/verifier.rb
 - lib/fernet/version.rb
-- lib/shim/base64.rb
+- spec/acceptance/generate_spec.rb
+- spec/acceptance/verify_spec.rb
+- spec/bit_packing_spec.rb
 - spec/fernet_spec.rb
+- spec/secret_spec.rb
 - spec/spec_helper.rb
+- spec/token_spec.rb
 homepage: ''
 licenses: []
 post_install_message:
@@ -72,15 +90,20 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.10
+rubygems_version: 1.8.23
 signing_key:
 specification_version: 3
 summary: Easily generate and verify AES encrypted HMAC based authentication tokens
 test_files:
+- spec/acceptance/generate_spec.rb
+- spec/acceptance/verify_spec.rb
+- spec/bit_packing_spec.rb
 - spec/fernet_spec.rb
+- spec/secret_spec.rb
 - spec/spec_helper.rb
+- spec/token_spec.rb

data/lib/shim/base64.rb DELETED Viewed

@@ -1,21 +0,0 @@
-Base64.class_eval do
-  def strict_encode64(bin)
-    encode64(bin).tr("\n",'')
-  end
-  def strict_decode64(str)
-    unless str.include?("\n")
-      decode64(str)
-    else
-      raise(ArgumentError,"invalid base64")
-    end
-  end
-  def urlsafe_encode64(bin)
-    strict_encode64(bin).tr("+/", "-_")
-  end
-  def urlsafe_decode64(str)
-    strict_decode64(str.tr("-_", "+/"))
-  end
-end