global_session 3.3.1 → 3.3.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/lib/global_session/session/v4.rb +53 -14
  3. data/lib/global_session/version.rb +1 -1
  4. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: e56d2f3a7219fc3822d4f1d1d38e7235660bd4f0
4
- data.tar.gz: 865c98ce63514205a96180b578a61ed28f3b779a
3
+ metadata.gz: b75e449accf51bf9e65be304661b21a165527b6a
4
+ data.tar.gz: ca39768616c5a864817d2f82a07ee426426319b5
5
5
  SHA512:
6
- metadata.gz: 839158a96a18c9eb86ee08a91cb1b798edc9a2eada486ce7475ce7b6dfe280cfd45190203db88bc280745b37cf7a4571ae0c981c45ceec1a4c187c6549a255e5
7
- data.tar.gz: 524d20de67cc1838443cbf2eff4e690c0375e34e162cd429420869ccfc3000b679f3a7b1ec3263a0be341b7317fc98c10f6bf875bc985bf7c9d6c6fbeffdfe14
6
+ metadata.gz: d06bf171e7f61865c796066177d3e8dd4a26a16baadd72c4bb10d8712904aede3b382e239af502d1bf51dedbd08ef66894d52b1e9267f44eef18c613596ef411
7
+ data.tar.gz: ed45f7a736cccc28d596ea976afeb72ae33d34c6dfbf3471e605f760d9bc09ee8d74f052ad37bd16adb6c4ee770f96878b7a380d204457d5d776373723413047
data/lib/global_session/session/v4.rb CHANGED
@@ -92,22 +92,27 @@ module GlobalSession::Session
92
92
  raise GlobalSession::PrematureSession, "Session not valid before #{not_before}" unless Time.now >= not_before
93
93
  end
94
94
 
95
- #Check trust in signing authority
95
+ # Check trust in signing authority
96
96
  if @directory.trusted_authority?(issuer)
97
- signed_hash =
98
- RightSupport::Crypto::SignedHash.new(payload,
99
- @directory.authorities[issuer],
100
- envelope: :jwt
101
- )
102
-
103
- begin
104
- signed_hash.verify!(sig, expired_at)
105
- rescue RightSupport::Crypto::ExpiredSignature
106
- raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
107
- rescue RightSupport::Crypto::InvalidSignature => e
108
- raise GlobalSession::InvalidSignature, "Global session signature verification failed: " + e.message
97
+ # Verify the signature
98
+ key = @directory.authorities[issuer]
99
+ digest_klass = digest_for_key(key)
100
+ plaintext = cookie.split('.')[0..1].join('.')
101
+ if key.respond_to?(:dsa_verify_asn1)
102
+ # DSA signature with JWT-compatible encoding
103
+ digest = digest_klass.new.update(plaintext).digest
104
+ signature = raw_to_asn1(sig, key)
105
+ result = key.dsa_verify_asn1(digest, signature)
106
+ raise GlobalSession::InvalidSignature, "Global session signature verification failed: Signature mismatch: DSA verify failed" unless result
107
+ elsif key.respond_to?(:verify)
108
+ digest = digest_klass.new
109
+ result = key.verify(digest, sig, plaintext)
110
+ raise GlobalSession::InvalidSignature, "Global session signature verification failed: Signature mismatch: verify failed" unless result
111
+ else
112
+ raise NotImplementedError, "Cannot verify JWT with #{key.class.name}"
109
113
  end
110
-
114
+ # Check expiration
115
+ raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}" unless expired_at >= Time.now
111
116
  else
112
117
  raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted"
113
118
  end
@@ -128,6 +133,40 @@ module GlobalSession::Session
128
133
  @cookie = cookie
129
134
  end
130
135
 
136
+ # Returns the digest class used for the given key type
137
+ #
138
+ # @param key [OpenSSL::PKey::PKey] the key used for verifying signatures
139
+ #
140
+ # @return [OpenSSL::Digest] the digest class to use
141
+ def digest_for_key(key)
142
+ case key
143
+ when OpenSSL::PKey::DSA
144
+ OpenSSL::Digest::SHA1
145
+ when OpenSSL::PKey::EC
146
+ case key.group.degree
147
+ when 256 then OpenSSL::Digest::SHA256
148
+ when 384 then OpenSSL::Digest::SHA384
149
+ when 521 then OpenSSL::Digest::SHA512
150
+ else
151
+ raise ArgumentError, "Cannot guess digest"
152
+ end
153
+ when OpenSSL::PKey::RSA
154
+ OpenSSL::Digest::SHA256
155
+ else
156
+ OpenSSL::Digest::SHA1
157
+ end
158
+ end
159
+
160
+ # Convert raw pair of concatenated bignums into ASN1-encoded pair of integers.
161
+ # This only works for OpenSSL::PKey::EC.
162
+ # https://github.com/jwt/ruby-jwt/blob/master/lib/jwt.rb#L159
163
+ def raw_to_asn1(signature, public_key) # :nodoc:
164
+ byte_size = (public_key.group.degree + 7) / 8
165
+ r = signature[0..(byte_size - 1)]
166
+ s = signature[byte_size..-1] || ''
167
+ OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
168
+ end
169
+
131
170
  def create_from_scratch
132
171
  @signed = {}
133
172
  @insecure = {}
data/lib/global_session/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module GlobalSession
2
- VERSION = '3.3.1'
2
+ VERSION = '3.3.2'
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: global_session
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.1
4
+ version: 3.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tony Spataro
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-01-19 00:00:00.000000000 Z
11
+ date: 2017-05-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: json