RubyGems - global_session - Versions diffs - 3.3.1 → 3.3.2 - Mend

global_session 3.3.1 → 3.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/global_session/session/v4.rb +53 -14
data/lib/global_session/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e56d2f3a7219fc3822d4f1d1d38e7235660bd4f0
-  data.tar.gz: 865c98ce63514205a96180b578a61ed28f3b779a
+  metadata.gz: b75e449accf51bf9e65be304661b21a165527b6a
+  data.tar.gz: ca39768616c5a864817d2f82a07ee426426319b5
 SHA512:
-  metadata.gz: 839158a96a18c9eb86ee08a91cb1b798edc9a2eada486ce7475ce7b6dfe280cfd45190203db88bc280745b37cf7a4571ae0c981c45ceec1a4c187c6549a255e5
-  data.tar.gz: 524d20de67cc1838443cbf2eff4e690c0375e34e162cd429420869ccfc3000b679f3a7b1ec3263a0be341b7317fc98c10f6bf875bc985bf7c9d6c6fbeffdfe14
+  metadata.gz: d06bf171e7f61865c796066177d3e8dd4a26a16baadd72c4bb10d8712904aede3b382e239af502d1bf51dedbd08ef66894d52b1e9267f44eef18c613596ef411
+  data.tar.gz: ed45f7a736cccc28d596ea976afeb72ae33d34c6dfbf3471e605f760d9bc09ee8d74f052ad37bd16adb6c4ee770f96878b7a380d204457d5d776373723413047

data/lib/global_session/session/v4.rb CHANGED

@@ -92,22 +92,27 @@ module GlobalSession::Session
         raise GlobalSession::PrematureSession, "Session not valid before #{not_before}" unless Time.now >= not_before
       end
-      #Check trust in signing authority
+      # Check trust in signing authority
       if @directory.trusted_authority?(issuer)
-        signed_hash =
-          RightSupport::Crypto::SignedHash.new(payload,
-            @directory.authorities[issuer],
-            envelope: :jwt
-          )
-        begin
-          signed_hash.verify!(sig, expired_at)
-        rescue RightSupport::Crypto::ExpiredSignature
-          raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
-        rescue RightSupport::Crypto::InvalidSignature => e
-          raise GlobalSession::InvalidSignature, "Global session signature verification failed: " + e.message
+        # Verify the signature
+        key = @directory.authorities[issuer]
+        digest_klass = digest_for_key(key)
+        plaintext = cookie.split('.')[0..1].join('.')
+        if key.respond_to?(:dsa_verify_asn1)
+          # DSA signature with JWT-compatible encoding
+          digest = digest_klass.new.update(plaintext).digest
+          signature = raw_to_asn1(sig, key)
+          result = key.dsa_verify_asn1(digest, signature)
+          raise GlobalSession::InvalidSignature, "Global session signature verification failed: Signature mismatch: DSA verify failed" unless result
+        elsif key.respond_to?(:verify)
+          digest = digest_klass.new
+          result = key.verify(digest, sig, plaintext)
+          raise GlobalSession::InvalidSignature, "Global session signature verification failed: Signature mismatch: verify failed" unless result
+        else
+          raise NotImplementedError, "Cannot verify JWT with #{key.class.name}"
         end
+        # Check expiration
+        raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}" unless expired_at >= Time.now
       else
         raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted"
       end
@@ -128,6 +133,40 @@ module GlobalSession::Session
       @cookie = cookie
     end
+    # Returns the digest class used for the given key type
+    #
+    # @param key [OpenSSL::PKey::PKey] the key used for verifying signatures
+    #
+    # @return [OpenSSL::Digest] the digest class to use
+    def digest_for_key(key)
+      case key
+      when OpenSSL::PKey::DSA
+        OpenSSL::Digest::SHA1
+      when OpenSSL::PKey::EC
+        case key.group.degree
+        when 256 then OpenSSL::Digest::SHA256
+        when 384 then OpenSSL::Digest::SHA384
+        when 521 then OpenSSL::Digest::SHA512
+        else
+          raise ArgumentError, "Cannot guess digest"
+        end
+      when OpenSSL::PKey::RSA
+        OpenSSL::Digest::SHA256
+      else
+        OpenSSL::Digest::SHA1
+      end
+    end
+    # Convert raw pair of concatenated bignums into ASN1-encoded pair of integers.
+    # This only works for OpenSSL::PKey::EC.
+    # https://github.com/jwt/ruby-jwt/blob/master/lib/jwt.rb#L159
+    def raw_to_asn1(signature, public_key) # :nodoc:
+      byte_size = (public_key.group.degree + 7) / 8
+      r = signature[0..(byte_size - 1)]
+      s = signature[byte_size..-1] || ''
+      OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+    end
     def create_from_scratch
       @signed = {}
       @insecure = {}

data/lib/global_session/version.rb CHANGED

@@ -1,3 +1,3 @@
 module GlobalSession
-  VERSION = '3.3.1'
+  VERSION = '3.3.2'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: global_session
 version: !ruby/object:Gem::Version
-  version: 3.3.1
+  version: 3.3.2
 platform: ruby
 authors:
 - Tony Spataro
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-01-19 00:00:00.000000000 Z
+date: 2017-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json