gamecenter-auth 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: fdf562542b694b74c953cb181097610dc52dc489
+  data.tar.gz: a65aca8f3058c1cdbc36381b4c164575b9d56fae
+SHA512:
+  metadata.gz: 9b479c43be9c3e9ad7a8998c50333fe16feaaf0c9f703154180bc3d6b1714f3b3737a208901d2426df4a0d5c56279f15e9a960f50f3c8ae92bf4eb858256c61f
+  data.tar.gz: 93a436eeb3f928f5730aa61d93528ae78066ea2a799c77cfed4bda4b5c7037d8194ca56984d53c0d73120a0dfa73f1b36746d11bad71c2382ee879ad429259c3

data/.gitignore

@@ -0,0 +1,38 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# RubyMine
+/.idea

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.0.0
+before_install: gem install bundler -v 1.10.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in gamecenter-auth.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Bichinger Software & Consulting
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

data/README.md

@@ -0,0 +1,85 @@
+# gamecenter-auth
+
+Ruby gem for iOS GameKit/Game Center player authentication using the "Identity Verification Signature" provided by the generateIdentityVerificationSignatureWithCompletionHandler method in Apple's GameKit framework 
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'gamecenter-auth'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install gamecenter-auth
+
+## Usage
+
+Gamecenter::Auth takes all parameters your iOS-App receives from the call generateIdentityVerificationSignatureWithCompletionHandler.
+
+See https://developer.apple.com/library/prerelease/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/index.html
+
+### Configuration
+
+!This is likely to be changed a little in future versions!
+
+Gamecenter::Auth can be statically configured using the following parameters (values show the default values):
+
+```ruby
+# if for some reason you don't want the public key certificate verified
+# against the issuer's (Apple) certificate, set this to false
+Gamecenter::Auth.verify_issuer_certificate = true
+
+# public keys won't change often, this saves a lot of HTTP requests
+Gamecenter::Auth.cache_public_keys = true
+# cache this many public keys (has to be 1 at least!)
+Gamecenter::Auth.public_key_cache_entries = 10
+
+# if the salt is already base64-decoded, set this to false 
+Gamecenter::Auth.base64_decode_salt = true
+# if the signature is already base64-decoded, set this to false 
+Gamecenter::Auth.base64_decode_signature = true
+
+# HTTP timeouts in seconds
+Gamecenter::Auth.request_public_key_open_timeout = 5
+Gamecenter::Auth.request_public_key_read_timeout = 5
+Gamecenter::Auth.request_public_key_ssl_timeout = 5
+
+```
+
+### Example usage
+
+```ruby
+player_id = 'G:123148854'
+bundle_id = 'de.bichinger.test.gamekit-auth'
+public_key_url = 'https://static.gc.apple.com/public-key/gc-prod-2.cer'
+signature = 'SGKgszgKffUshV4aMe0aQHAvzSointPjBlfF2MK34gHY50DycZlC5gwKDpRb+gBCS2OHQNLSRctYV5WORYsDbjAcNdrzR2Tl0oDMptpBiVJQX+kCilv45Fbs7szEJ2jw/4Xl/CAFlX/HtRxYZKb4oeC/knB5ueuDGcAyjFZJkl8FmFvyRn2ZeO0pGfefzQ2lz3bgHkwgcY+w8ZMQ5wIoHkgt4x44H21hnI5he/G0q48Il0lc3frWiojeZn2UWIo8j601svFHSDkX3mx9SJrYeP4f8goJ8ax1/fVVHxSdh2+uKW+9Zz/gAbrAC4xtVUiz12DjHZf9G6hxZ0etrjZYBQ=='
+salt = 'Yt1c3Q=='
+timestamp = 1445940012818
+
+auth = Gamecenter::Auth.new
+success = auth.verify_player(player_id, bundle_id, public_key_url, signature, salt, timestamp)
+
+puts success ? 'player verified' : 'player not verified'
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are very welcome on GitHub at https://github.com/bichinger/gamecenter-auth.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "gamecenter/auth"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/gamecenter-auth.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'gamecenter/auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'gamecenter-auth'
+  spec.version       = Gamecenter::Auth::VERSION
+  spec.authors       = ['Niklas Bichinger', 'Kai Machemehl']
+  spec.email         = %w(niklas@bichinger.de k.machemehl@bichinger.de)
+
+  spec.summary       = %q{Server-side iOS GameKit/Game Center player authentication}
+  spec.description   = %q{Server-side iOS GameKit/Game Center player authentication using the "Identity Verification Signature" provided by the method generateIdentityVerificationSignatureWithCompletionHandler in Apple's GameKit framework}
+  spec.homepage      = 'https://github.com/bichinger/gamecenter-auth'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.10'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec'
+end

data/lib/gamecenter/auth/version.rb

@@ -0,0 +1,5 @@
+module Gamecenter
+  class Auth
+    VERSION = '1.0.0'
+  end
+end

data/lib/gamecenter/auth.rb

@@ -0,0 +1,192 @@
+require 'gamecenter/auth/version'
+require 'uri'
+require 'logger'
+require 'base64'
+
+module Gamecenter
+  class Auth
+
+    @@verify_issuer_certificate = true
+
+    @@cache_public_keys = true
+    @@public_key_cache_entries = 10 # 1+: cache this many public keys (has to be 1 at least!)
+
+    @@base64_decode_salt = true
+    @@base64_decode_signature = true
+
+    @@request_public_key_open_timeout = 5 # seconds
+    @@request_public_key_read_timeout = 5 # seconds
+    @@request_public_key_ssl_timeout = 5 # seconds
+
+    @@ca_certificate = OpenSSL::X509::Certificate.new <<EOCACERT
+-----BEGIN CERTIFICATE-----
+MIIFWTCCBEGgAwIBAgIQPXjX+XZJYLJhffTwHsqGKjANBgkqhkiG9w0BAQsFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMTMxMjEwMDAwMDAwWhcNMjMxMjA5MjM1OTU5WjB/MQsw
+CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
+BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxMDAuBgNVBAMTJ1N5bWFudGVjIENs
+YXNzIDMgU0hBMjU2IENvZGUgU2lnbmluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJeDHgAWryyx0gjE12iTUWAecfbiR7TbWE0jYmq0v1obUfej
+DRh3aLvYNqsvIVDanvPnXydOC8KXyAlwk6naXA1OpA2RoLTsFM6RclQuzqPbROlS
+Gz9BPMpK5KrA6DmrU8wh0MzPf5vmwsxYaoIV7j02zxzFlwckjvF7vjEtPW7ctZlC
+n0thlV8ccO4XfduL5WGJeMdoG68ReBqYrsRVR1PZszLWoQ5GQMWXkorRU6eZW4U1
+V9Pqk2JhIArHMHckEU1ig7a6e2iCMe5lyt/51Y2yNdyMK29qclxghJzyDJRewFZS
+AEjM0/ilfd4v1xPkOKiE1Ua4E4bCG53qWjjdm9sCAwEAAaOCAYMwggF/MC8GCCsG
+AQUFBwEBBCMwITAfBggrBgEFBQcwAYYTaHR0cDovL3MyLnN5bWNiLmNvbTASBgNV
+HRMBAf8ECDAGAQH/AgEAMGwGA1UdIARlMGMwYQYLYIZIAYb4RQEHFwMwUjAmBggr
+BgEFBQcCARYaaHR0cDovL3d3dy5zeW1hdXRoLmNvbS9jcHMwKAYIKwYBBQUHAgIw
+HBoaaHR0cDovL3d3dy5zeW1hdXRoLmNvbS9ycGEwMAYDVR0fBCkwJzAloCOgIYYf
+aHR0cDovL3MxLnN5bWNiLmNvbS9wY2EzLWc1LmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgEGMCkGA1UdEQQiMCCkHjAcMRow
+GAYDVQQDExFTeW1hbnRlY1BLSS0xLTU2NzAdBgNVHQ4EFgQUljtT8Hkzl699g+8u
+K8zKt4YecmYwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJKoZI
+hvcNAQELBQADggEBABOFGh5pqTf3oL2kr34dYVP+nYxeDKZ1HngXI9397BoDVTn7
+cZXHZVqnjjDSRFph23Bv2iEFwi5zuknx0ZP+XcnNXgPgiZ4/dB7X9ziLqdbPuzUv
+M1ioklbRyE07guZ5hBb8KLCxR/Mdoj7uh9mmf6RWpT+thC4p3ny8qKqjPQQB6rqT
+og5QIikXTIfkOhFf1qQliZsFay+0yQFMJ3sLrBkFIqBgFT/ayftNTI/7cmd3/SeU
+x7o1DohJ/o39KK9KEr0Ns5cF3kQMFfo2KwPcwVAB8aERXRTl4r0nS1S+K4ReD6bD
+dAUK75fDiSKxH3fzvc1D1PFMqT+1i4SvZPLQFCE=
+-----END CERTIFICATE-----
+EOCACERT
+
+    # Verifies the identity of the given player. Takes all return values from GameKit's generateIdentityVerificationSignatureWithCompletionHandler method.
+    # @see https://developer.apple.com/library/prerelease/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/index.html#//apple_ref/occ/instm/GKLocalPlayer/generateIdentityVerificationSignatureWithCompletionHandler:
+    # @param [String] player_id the playerID from the player to verify identity of
+    # @param [String] bundle_id the app's bundleID
+    # @param [String] public_key_url the publicKeyURL property returned from the GameKit framework
+    # @param [String] signature the signature property returned from the GameKit framework
+    # @param [String] salt the salt property returned from the GameKit framework
+    # @param [Integer] timestamp the timestamp property returned from the GameKit framework
+    # @return [Boolean] true if player could be verified, false if not
+    def verify_player(player_id, bundle_id, public_key_url, signature, salt, timestamp)
+      unless verify_public_key_url public_key_url
+        logger.debug { "public key url invalid: #{public_key_url}" }
+        return false
+      end
+
+      cert = get_public_key_certificate public_key_url
+      unless cert
+        logger.debug { "could not get certificate from: #{public_key_url}" }
+        return false
+      end
+      if @@verify_issuer_certificate && !verify_public_key_certificate(cert)
+        logger.debug { "failed verification of public key certificate from: #{public_key_url}" }
+        return false
+      end
+
+      salt_decoded = @@base64_decode_salt ? Base64.decode64(salt) : salt
+      payload = "#{player_id}#{bundle_id}#{[timestamp.to_i].pack('Q>')}#{salt_decoded}"
+      signature_decoded = @@base64_decode_signature ? Base64.decode64(signature) : signature
+      unless verify_signature cert, signature_decoded, payload
+        logger.debug { "failed signature validation for player id #{player_id}, bundle id #{bundle_id}, timestamp #{timestamp}, salt #{salt} (decode: #{@@base64_decode_salt}), signature #{signature} (decode: #{@@base64_decode_signature}) with certificate from: #{public_key_url}" }
+        return false
+      end
+
+      true
+    end
+
+    # Verifies that the public key url originates from one of Apple's secured servers
+    # @param [String] public_key_url The publicKeyURL property returned from the GameKit framework
+    # @return [Boolean] true if url verification was successful, false if url fails verification
+    def verify_public_key_url(public_key_url)
+      url_ok = false
+      begin
+        uri = URI.parse public_key_url
+        url_ok = uri.scheme == 'https' && !!(uri.host =~ /\.apple\.com$/i)
+      rescue URI::InvalidURIError => e
+        logger.error e
+      end
+
+      url_ok
+    end
+
+    # Checks if given public key certificate can be verified with the CA certificate
+    # @param [OpenSSL::X509::Certificate] public_key_cert a previously fetched public key certificate object
+    # @return [Boolean] true if certificate could be verified against the CA certificate, false if it couldn't
+    def verify_public_key_certificate(public_key_cert)
+      verified = public_key_cert.verify(@@ca_certificate.public_key)
+      no_errors = OpenSSL.errors.empty? # this method has to be called always as it empties the OpenSSL error stack
+
+      verified && no_errors
+    end
+
+    # Verifies the signature of given payload with given public key certificate
+    # @param [OpenSSL:X509::Certificate] public_key_cert a previously fetched public key certificate object
+    # @param [String] signature the signature to be verified
+    # @param [String] payload the payload to verify the signature for
+    # @return [Boolean] true if signature is valid for given certificate and payload, false if it isn't
+    def verify_signature(public_key_cert, signature, payload)
+      verified = public_key_cert.public_key.verify(OpenSSL::Digest::SHA256.new, signature, payload)
+      no_errors = OpenSSL.errors.empty? # this method has to be called always as it empties the OpenSSL error stack
+
+      verified && no_errors
+    end
+
+    # Get a public key certificate for given URL. Caches the results, depending on the configuration.
+    # @param [String] public_key_url the URL of the certificate to fetch
+    # @return [OpenSSL::X509::Certificate] certificate found at given URL or nil if there was an error
+    def get_public_key_certificate(public_key_url)
+      if @@cache_public_keys
+        # caching is enabled
+        cache = (@@_public_key_cache ||= {})
+        unless cert = cache[public_key_url] && cert.not_after > Time.now
+          # no cache hit or certificate expired
+          cache.delete public_key_url
+
+          cert = request_public_key_certificate public_key_url
+
+          available_entries = @@public_key_cache_entries - cache.size
+          # check if there are free entries
+          unless available_entries > 0
+            # there are not, randomly delete enough to make room for this certificate
+            cache.keys.sample(available_entries.abs + 1).each { |key|
+              cache.delete key
+            }
+          end
+          cache[public_key_url] = cert
+        end
+
+        cert
+      else
+        # caching is disabled
+        request_public_key_certificate public_key_url
+      end
+    end
+
+    # Fetch a certificate from given URL.
+    # @param [String] public_key_url the URL to fetch the certificate from
+    # @return [OpenSSL::X509::Certificate] certificate found at given URL or nil if there was an error
+    def request_public_key_certificate(public_key_url)
+      uri = URI.parse public_key_url
+      begin
+        Net::HTTP.start(uri.host, uri.port,
+                        use_ssl: uri.scheme == 'https',
+                        open_timeout: @@request_public_key_open_timeout,
+                        read_timeout: @@request_public_key_read_timeout,
+                        ssl_timeout: @@request_public_key_ssl_timeout) do |http|
+          request = Net::HTTP::Get.new uri.request_uri
+          response = http.request request # Net::HTTPResponse object
+          begin
+            return OpenSSL::X509::Certificate.new(response.body) if response.body
+          rescue OpenSSL::X509::CertificateError => e
+            logger.error e
+          end
+        end
+      rescue Net::OpenTimeout, Net::ReadTimeout, OpenSSL::SSL::SSLError => e
+        logger.error e
+      end
+
+      nil
+    end
+
+    private
+
+    def logger
+      @@logger ||= Logger.new(STDERR)
+    end
+
+  end
+end

metadata

@@ -0,0 +1,102 @@
+--- !ruby/object:Gem::Specification
+name: gamecenter-auth
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Niklas Bichinger
+- Kai Machemehl
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-11-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Server-side iOS GameKit/Game Center player authentication using the "Identity
+  Verification Signature" provided by the method generateIdentityVerificationSignatureWithCompletionHandler
+  in Apple's GameKit framework
+email:
+- niklas@bichinger.de
+- k.machemehl@bichinger.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- gamecenter-auth.gemspec
+- lib/gamecenter/auth.rb
+- lib/gamecenter/auth/version.rb
+homepage: https://github.com/bichinger/gamecenter-auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Server-side iOS GameKit/Game Center player authentication
+test_files: []