global_session 3.3.1 → 3.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/global_session/session/v4.rb +53 -14
- data/lib/global_session/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b75e449accf51bf9e65be304661b21a165527b6a
|
|
4
|
+
data.tar.gz: ca39768616c5a864817d2f82a07ee426426319b5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d06bf171e7f61865c796066177d3e8dd4a26a16baadd72c4bb10d8712904aede3b382e239af502d1bf51dedbd08ef66894d52b1e9267f44eef18c613596ef411
|
|
7
|
+
data.tar.gz: ed45f7a736cccc28d596ea976afeb72ae33d34c6dfbf3471e605f760d9bc09ee8d74f052ad37bd16adb6c4ee770f96878b7a380d204457d5d776373723413047
|
|
@@ -92,22 +92,27 @@ module GlobalSession::Session
|
|
|
92
92
|
raise GlobalSession::PrematureSession, "Session not valid before #{not_before}" unless Time.now >= not_before
|
|
93
93
|
end
|
|
94
94
|
|
|
95
|
-
#Check trust in signing authority
|
|
95
|
+
# Check trust in signing authority
|
|
96
96
|
if @directory.trusted_authority?(issuer)
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
raise GlobalSession::
|
|
107
|
-
|
|
108
|
-
|
|
97
|
+
# Verify the signature
|
|
98
|
+
key = @directory.authorities[issuer]
|
|
99
|
+
digest_klass = digest_for_key(key)
|
|
100
|
+
plaintext = cookie.split('.')[0..1].join('.')
|
|
101
|
+
if key.respond_to?(:dsa_verify_asn1)
|
|
102
|
+
# DSA signature with JWT-compatible encoding
|
|
103
|
+
digest = digest_klass.new.update(plaintext).digest
|
|
104
|
+
signature = raw_to_asn1(sig, key)
|
|
105
|
+
result = key.dsa_verify_asn1(digest, signature)
|
|
106
|
+
raise GlobalSession::InvalidSignature, "Global session signature verification failed: Signature mismatch: DSA verify failed" unless result
|
|
107
|
+
elsif key.respond_to?(:verify)
|
|
108
|
+
digest = digest_klass.new
|
|
109
|
+
result = key.verify(digest, sig, plaintext)
|
|
110
|
+
raise GlobalSession::InvalidSignature, "Global session signature verification failed: Signature mismatch: verify failed" unless result
|
|
111
|
+
else
|
|
112
|
+
raise NotImplementedError, "Cannot verify JWT with #{key.class.name}"
|
|
109
113
|
end
|
|
110
|
-
|
|
114
|
+
# Check expiration
|
|
115
|
+
raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}" unless expired_at >= Time.now
|
|
111
116
|
else
|
|
112
117
|
raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted"
|
|
113
118
|
end
|
|
@@ -128,6 +133,40 @@ module GlobalSession::Session
|
|
|
128
133
|
@cookie = cookie
|
|
129
134
|
end
|
|
130
135
|
|
|
136
|
+
# Returns the digest class used for the given key type
|
|
137
|
+
#
|
|
138
|
+
# @param key [OpenSSL::PKey::PKey] the key used for verifying signatures
|
|
139
|
+
#
|
|
140
|
+
# @return [OpenSSL::Digest] the digest class to use
|
|
141
|
+
def digest_for_key(key)
|
|
142
|
+
case key
|
|
143
|
+
when OpenSSL::PKey::DSA
|
|
144
|
+
OpenSSL::Digest::SHA1
|
|
145
|
+
when OpenSSL::PKey::EC
|
|
146
|
+
case key.group.degree
|
|
147
|
+
when 256 then OpenSSL::Digest::SHA256
|
|
148
|
+
when 384 then OpenSSL::Digest::SHA384
|
|
149
|
+
when 521 then OpenSSL::Digest::SHA512
|
|
150
|
+
else
|
|
151
|
+
raise ArgumentError, "Cannot guess digest"
|
|
152
|
+
end
|
|
153
|
+
when OpenSSL::PKey::RSA
|
|
154
|
+
OpenSSL::Digest::SHA256
|
|
155
|
+
else
|
|
156
|
+
OpenSSL::Digest::SHA1
|
|
157
|
+
end
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
# Convert raw pair of concatenated bignums into ASN1-encoded pair of integers.
|
|
161
|
+
# This only works for OpenSSL::PKey::EC.
|
|
162
|
+
# https://github.com/jwt/ruby-jwt/blob/master/lib/jwt.rb#L159
|
|
163
|
+
def raw_to_asn1(signature, public_key) # :nodoc:
|
|
164
|
+
byte_size = (public_key.group.degree + 7) / 8
|
|
165
|
+
r = signature[0..(byte_size - 1)]
|
|
166
|
+
s = signature[byte_size..-1] || ''
|
|
167
|
+
OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
|
|
168
|
+
end
|
|
169
|
+
|
|
131
170
|
def create_from_scratch
|
|
132
171
|
@signed = {}
|
|
133
172
|
@insecure = {}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: global_session
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.3.
|
|
4
|
+
version: 3.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tony Spataro
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-05-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: json
|