http_signatures 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2f089f43abace9a9b86c3d19ba394ca4029260c2
-  data.tar.gz: d3f055bf4eb80034756d585770be2bffd778b798
+  metadata.gz: e7081d201a0f52168e49d42043f5a2dfd792b1e6
+  data.tar.gz: 51fd29fdd9c4c20f09d4fbcfb2bf012ed36739bb
 SHA512:
-  metadata.gz: 6d8a718a78fed672fb5c61b1a43f9d01fc983abf08f5fa97f7156f1d14ceaba5bcd95413f2b47dec8bc154880a7cfa4530b68ffa52cb63a48866a67309249065
-  data.tar.gz: 00be41245a855a9441a0414c1a2c10c5523df24b879f32c3b9c55d2327bb9dfe56b7382304a8e36818e870e0e4479e78830446bcef84daf2b79a410d69639671
+  metadata.gz: bac9b3f9a8b8e2f5583c5d4e02fada9053c516a0df7fce6909c065c064c2489ea3662fb11eb3a6fc827f7c2a9f5386ec4ce0a03b915ca76bfce55a5c09aad47b
+  data.tar.gz: 0ce9bee030d5f433ed3391b420be018b59983b01c5d2ba384ba2f60ce966662b3a4533726da02927ae13422cacd58e4b9c8b0edfa894e4cb627690494716b885

data/README.md

@@ -3,6 +3,10 @@
 Ruby implementation of [HTTP Signatures][draft03] draft specification;
 cryptographically sign and verify HTTP requests and responses.
 
+See also:
+
+* https://github.com/99designs/http-signatures-php
+
 
 ## Usage
 
@@ -58,14 +62,9 @@ message["Authorization"]
 
 ### Verifying a signed message
 
-Message verification is not implemented, but will look like this:
-
-* The key ID, algorithm name, header list and provided signature will be parsed
-  from the `Signature` and/or `Authorization` header.
-* The signing string will be derived by selecting the listed headers from the
-  message.
-* The valid signature will be derived by applying the algorithm and secret key.
-* The message is valid if the provided signature matches the valid signature.
+```rb
+$context.verifier.valid?(message)  # => true or false
+```
 
 
 ## Contributing

data/lib/http_signatures/context.rb

@@ -16,6 +16,10 @@ module HttpSignatures
       )
     end
 
+    def verifier
+      Verifier.new(key_store: @key_store)
+    end
+
     private
 
     def signing_key

data/lib/http_signatures/header_list.rb

@@ -17,7 +17,7 @@ module HttpSignatures
       @names.dup
     end
 
-    def to_s
+    def to_str
       @names.join(" ")
     end
 

data/lib/http_signatures/signature.rb

@@ -0,0 +1,25 @@
+module HttpSignatures
+  class Signature
+
+    def initialize(message:, key:, algorithm:, header_list:)
+      @message = message
+      @key = key
+      @algorithm = algorithm
+      @header_list = header_list
+    end
+
+    def to_str
+      @algorithm.sign(@key.secret, signing_string)
+    end
+
+    private
+
+    def signing_string
+      SigningString.new(
+        header_list: @header_list,
+        message: @message,
+      ).to_str
+    end
+
+  end
+end

data/lib/http_signatures/signature_parameters.rb

@@ -20,7 +20,7 @@ module HttpSignatures
       pc = []
       pc << 'keyId="%s"' % @key.id
       pc << 'algorithm="%s"' % @algorithm.name
-      pc << 'headers="%s"' % @header_list.to_s
+      pc << 'headers="%s"' % @header_list.to_str
       pc << 'signature="%s"' % signature_base64
       pc
     end

data/lib/http_signatures/signature_parameters_parser.rb

@@ -0,0 +1,35 @@
+module HttpSignatures
+  class SignatureParametersParser
+
+    def initialize(string)
+      @string = string
+    end
+
+    def parse
+      Hash[array_of_pairs]
+    end
+
+    private
+
+    def array_of_pairs
+      segments.map { |segment| pair(segment) }
+    end
+
+    def segments
+      @string.split(",")
+    end
+
+    def pair(segment)
+      match = segment_pattern.match(segment)
+      raise Error if match.nil?
+      match.captures
+    end
+
+    def segment_pattern
+      %r{\A(keyId|algorithm|headers|signature)="(.*)"\z}
+    end
+
+    class Error < StandardError; end
+
+  end
+end

data/lib/http_signatures/signer.rb

@@ -11,40 +11,29 @@ module HttpSignatures
 
     def sign(message)
       message.tap do |m|
-        signature = signature_parameters_for_message(message).to_str
-        m["Signature"] = [signature]
-        m["Authorization"] = [AUTHORIZATION_SCHEME + " " + signature]
+        m["Signature"] = [signature_parameters(message).to_str]
+        m["Authorization"] = [AUTHORIZATION_SCHEME + " " + signature_parameters(message).to_str]
       end
     end
 
     private
 
-    def signature_parameters_for_message(message)
+    def signature_parameters(message)
       SignatureParameters.new(
         key: @key,
         algorithm: @algorithm,
         header_list: @header_list,
-        signature: signature_for_message(message),
+        signature: signature(message).to_str,
       )
     end
 
-    def signature_for_message(message)
-      @algorithm.sign(@key.secret, signing_string_for_message(message))
-    end
-
-    def signing_string_for_message(message)
-      SigningString.new(
-        header_list: @header_list,
+    def signature(message)
+      Signature.new(
         message: message,
-      ).to_s
-    end
-
-    class EmptyHeaderNames < StandardError; end
-
-    class MessageMissingHeader < StandardError
-      def initialize(name)
-        super("Message missing header '#{name}'")
-      end
+        key: @key,
+        algorithm: @algorithm,
+        header_list: @header_list,
+      )
     end
 
   end

data/lib/http_signatures/signing_string.rb

@@ -8,7 +8,7 @@ module HttpSignatures
       @message = message
     end
 
-    def to_s
+    def to_str
       @header_list.to_a.map do |header|
         "%s: %s" % [header, header_value(header)]
       end.join("\n")

data/lib/http_signatures/verification.rb

@@ -0,0 +1,53 @@
+module HttpSignatures
+  class Verification
+
+    def initialize(message:, key_store:)
+      @message = message
+      @key_store = key_store
+    end
+
+    def valid?
+      expected_signature_base64 == provided_signature_base64
+    end
+
+    private
+
+    def expected_signature_base64
+      Base64.strict_encode64(expected_signature_raw)
+    end
+
+    def expected_signature_raw
+      Signature.new(
+        message: @message,
+        key: key,
+        algorithm: algorithm,
+        header_list: header_list,
+      ).to_str
+    end
+
+    def provided_signature_base64
+      parsed_parameters.fetch("signature")
+    end
+
+    def key
+      @key_store.fetch(parsed_parameters["keyId"])
+    end
+
+    def algorithm
+      Algorithm.create(parsed_parameters["algorithm"])
+    end
+
+    def header_list
+      HeaderList.from_string(parsed_parameters["headers"])
+    end
+
+    def parsed_parameters
+      @_parsed_parameters ||= SignatureParametersParser.new(fetch_header("Signature")).parse
+    end
+
+    def fetch_header(name)
+      @message.fetch(name)
+    end
+
+  end
+end

data/lib/http_signatures/verifier.rb

@@ -0,0 +1,13 @@
+module HttpSignatures
+  class Verifier
+
+    def initialize(key_store:)
+      @key_store = key_store
+    end
+
+    def valid?(message)
+      Verification.new(message: message, key_store: @key_store).valid?
+    end
+
+  end
+end

data/lib/http_signatures/version.rb

@@ -1,3 +1,3 @@
 module HttpSignatures
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/http_signatures.rb

@@ -5,9 +5,13 @@ require "http_signatures/context"
 require "http_signatures/header_list"
 require "http_signatures/key"
 require "http_signatures/key_store"
+require "http_signatures/signature"
 require "http_signatures/signature_parameters"
+require "http_signatures/signature_parameters_parser"
 require "http_signatures/signer"
 require "http_signatures/signing_string"
+require "http_signatures/verification"
+require "http_signatures/verifier"
 require "http_signatures/version"
 
 module HttpSignatures

data/spec/context_spec.rb

@@ -24,7 +24,13 @@ RSpec.describe HttpSignatures::Context do
       end
 
       it "signs without errors" do
-        context.signer.sign(message)
+        expect { context.signer.sign(message) }.to_not raise_error
+      end
+
+      it "verifies without errors" do
+        signature_parameters = 'keyId="hello",algorithm="hmac-sha1",headers="date",signature="x"'
+        message = Net::HTTP::Get.new("/", "Date" => "x", "Signature" => signature_parameters)
+        expect { context.verifier.valid?(message) }.to_not raise_error
       end
     end
   end

data/spec/header_list_spec.rb

@@ -26,10 +26,10 @@ RSpec.describe HttpSignatures::HeaderList do
     end
   end
 
-  describe "#to_s" do
+  describe "#to_str" do
     it "joins normalized header names with spaces" do
       list = HttpSignatures::HeaderList.new(["(request-target)", "Date", "Content-Type"])
-      expect(list.to_s).to eq("(request-target) date content-type")
+      expect(list.to_str).to eq("(request-target) date content-type")
     end
   end
 

data/spec/signature_parameters_parser_spec.rb

@@ -0,0 +1,24 @@
+RSpec.describe HttpSignatures::SignatureParametersParser do
+
+  subject(:parser) do
+    HttpSignatures::SignatureParametersParser.new(input)
+  end
+
+  let(:input) do
+    'keyId="example",algorithm="hmac-sha1",headers="(request-target) date",signature="b64"'
+  end
+
+  describe "#parse" do
+    it "returns hash with string keys matching those in the parsed string" do
+      expect(parser.parse).to eq(
+        {
+          "keyId" => "example",
+          "algorithm" => "hmac-sha1",
+          "headers" => "(request-target) date",
+          "signature" => "b64",
+        }
+      )
+    end
+  end
+
+end

data/spec/signature_parameters_spec.rb

@@ -0,0 +1,25 @@
+RSpec.describe HttpSignatures::SignatureParameters do
+
+  subject(:signature_parameters) do
+    HttpSignatures::SignatureParameters.new(
+      key: key,
+      algorithm: algorithm,
+      header_list: header_list,
+      signature: signature,
+    )
+  end
+
+  let(:key) { double("Key", id: "pda") }
+  let(:algorithm) { double("Algorithm", name: "hmac-test") }
+  let(:header_list) { double("HeaderList", to_str: "a b c") }
+  let(:signature) { "sigstring" }
+
+  describe "#to_str" do
+    it "builds parameters into string" do
+      expect(signature_parameters.to_str).to eq(
+        'keyId="pda",algorithm="hmac-test",headers="a b c",signature="c2lnc3RyaW5n"'
+      )
+    end
+  end
+
+end

data/spec/signer_spec.rb

@@ -48,11 +48,8 @@ RSpec.describe HttpSignatures::Signer do
     it "passes correct signing string to algorithm" do
       expect(algorithm).to receive(:sign).with(
         "sh",
-        [
-          "date: #{EXAMPLE_DATE}",
-          "content-type: text/plain",
-        ].join("\n")
-      ).and_return("null")
+        ["date: #{EXAMPLE_DATE}", "content-type: text/plain"].join("\n")
+      ).at_least(:once).and_return("null")
       signer.sign(message)
     end
     it "returns reference to the mutated input" do

data/spec/signing_string_spec.rb

@@ -19,10 +19,10 @@ RSpec.describe HttpSignatures::SigningString do
     Net::HTTP::Get.new("/path?query=123", "date" => DATE, "x-herring" => "red")
   end
 
-  describe "#to_s" do
+  describe "#to_str" do
 
     it "returns correct signing string" do
-      expect(signing_string.to_s).to eq(
+      expect(signing_string.to_str).to eq(
         "(request-target): get /path?query=123\n" +
         "date: #{DATE}"
       )
@@ -32,7 +32,7 @@ RSpec.describe HttpSignatures::SigningString do
       let(:header_list) { HttpSignatures::HeaderList.from_string("nope") }
       it "raises HeaderNotInMessage" do
         expect {
-          signing_string.to_s
+          signing_string.to_str
         }.to raise_error(HttpSignatures::HeaderNotInMessage)
       end
     end

data/spec/verifier_spec.rb

@@ -0,0 +1,42 @@
+require "net/http"
+require "time"
+
+RSpec.describe HttpSignatures::Verifier do
+
+  DATE = "Fri, 01 Aug 2014 13:44:32 -0700"
+  DATE_DIFFERENT = "Fri, 01 Aug 2014 13:44:33 -0700"
+
+  subject(:verifier) { HttpSignatures::Verifier.new(key_store: key_store) }
+  let(:key_store) { HttpSignatures::KeyStore.new("pda" => "secret") }
+  let(:message) { Net::HTTP::Get.new("/path?query=123", headers) }
+  let(:headers) { {"Date" => DATE, "Signature" => signature_header} }
+
+  let(:signature_header) do
+    'keyId="%s",algorithm="%s",headers="%s",signature="%s"' % [
+      "pda",
+      "hmac-sha256",
+      "(request-target) date",
+      "cS2VvndvReuTLy52Ggi4j6UaDqGm9hMb4z0xJZ6adqU=",
+    ]
+  end
+
+  it "verifies a valid message" do
+    expect(verifier.valid?(message)).to eq(true)
+  end
+
+  it "rejects message with tampered path" do
+    message.path << "x"
+    expect(verifier.valid?(message)).to eq(false)
+  end
+
+  it "rejects message with tampered date" do
+    message["Date"] = DATE_DIFFERENT
+    expect(verifier.valid?(message)).to eq(false)
+  end
+
+  it "rejects message with tampered signature" do
+    message["Signature"] = message["Signature"].sub('signature="', 'signature="x')
+    expect(verifier.valid?(message)).to eq(false)
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: http_signatures
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Paul Annesley
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-07-29 00:00:00.000000000 Z
+date: 2014-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -74,17 +74,24 @@ files:
 - lib/http_signatures/header_list.rb
 - lib/http_signatures/key.rb
 - lib/http_signatures/key_store.rb
+- lib/http_signatures/signature.rb
 - lib/http_signatures/signature_parameters.rb
+- lib/http_signatures/signature_parameters_parser.rb
 - lib/http_signatures/signer.rb
 - lib/http_signatures/signing_string.rb
+- lib/http_signatures/verification.rb
+- lib/http_signatures/verifier.rb
 - lib/http_signatures/version.rb
 - spec/algorithm_spec.rb
 - spec/context_spec.rb
 - spec/header_list_spec.rb
 - spec/key_store_spec.rb
+- spec/signature_parameters_parser_spec.rb
+- spec/signature_parameters_spec.rb
 - spec/signer_spec.rb
 - spec/signing_string_spec.rb
 - spec/spec_helper.rb
+- spec/verifier_spec.rb
 homepage: https://github.com/99designs/http-signatures-ruby
 licenses:
 - MIT
@@ -114,6 +121,9 @@ test_files:
 - spec/context_spec.rb
 - spec/header_list_spec.rb
 - spec/key_store_spec.rb
+- spec/signature_parameters_parser_spec.rb
+- spec/signature_parameters_spec.rb
 - spec/signer_spec.rb
 - spec/signing_string_spec.rb
 - spec/spec_helper.rb
+- spec/verifier_spec.rb