RubyGems - linzer - Versions diffs - 0.1.0 → 0.2.0 - Mend

linzer 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b025e976012c79dc5153ebd4ca98f23df08a55bf0706c6d8427e0374b3cd7f5
-  data.tar.gz: b864415aad8cc6c9cbee217a64531378b92edbb62fb58b67a036e5997fec4a30
+  metadata.gz: a9b2828e9333279ffabf8102d126f832ebece8e6b5ce26bec6897337bae773b4
+  data.tar.gz: 868c9763f3067b55eb8fc76dfb1b6c5e6529562a57ee08d41bbfb3f443311536
 SHA512:
-  metadata.gz: 9d2eea3036d11c6b7f8969d0f30b71fa3715d62820acde93c7d512689aa7c91d281436f8b2ea91e47b906f62167a4611298d2fad64bcf241b39b18f4405ed7a9
-  data.tar.gz: 6f85ffe146b8a52647969575dc80011f5fefdf299bdf082cd4f3b4de0fc605f60f8beaaa1cc4cf04843cf2b3a5f7d6441c7f6b3989d50ed559cca398bbc3d7b6
+  metadata.gz: ef676846ea6c038465971a4c5fa47b77763f74e37adc357b5c967c483a5d3c767f0e3d1b0e073c16621ac311cc07bd524fe422e0272e9ef6e0b88091e15120e7
+  data.tar.gz: 8047b4e3ea2778e53764bc625d04c4ba4435f2399992885406f46128a69502158598a0130184b49887ad576252220bc71bfdbe451910971ce7357a84374f2818

data/.standard.yml CHANGED Viewed

@@ -1,3 +1,11 @@
 # For available configuration options, see:
 #   https://github.com/testdouble/standard
 ruby_version: 2.6
+ignore:
+  - 'lib/**/*':
+    - Layout/ExtraSpacing
+    - Layout/HashAlignment
+  - 'spec/**/*':
+    - Layout/ExtraSpacing
+    - Layout/HashAlignment

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,11 @@
 ## [Unreleased]
+## [0.2.0] - 2024-02-23
+- Add signature signing functionality. RSASSA-PSS using SHA-512 is still the only
+  supported algorithm.
 ## [0.1.0] - 2024-02-18
 - Initial release
-- It barely passes unit tests to verify signatures with RSASSA-PSS Using SHA-512.
+- It barely passes unit tests to verify signatures with RSASSA-PSS using SHA-512.

data/README.md CHANGED Viewed

@@ -14,11 +14,57 @@ Or just `gem install linzer`.
 ## Usage
-TODO: Write usage instructions here
+### To sign a HTTP message:
-For now just take a look at the unit tests.
+```ruby
+key = Linzer::Key.new(material: OpenSSL::PKey::RSA.generate(2048), key_id: "my-test-key-rsa-pss")
+# => #<struct Struct::Key material=#<OpenSSL::PKey::RSA:...
+message = Linzer::Message.new(headers: {"date" => "Fri, 23 Feb 2024 17:57:23 GMT", "x-custom-header" => "foo"})
+# => #<Linzer::Message:0x0000000111b592a0 @headers={"date"=>"Fri, 23 Feb 2024 17:57:23 GMT", ...
+fields = %w[date x-custom-header])
+signature = Linzer.sign(key, message, fields)
+# => #<Linzer::Signature:0x0000000111f77ad0 ...
+puts signature.to_h
+{"signature"=>
+  "sig1=:XQQnm4qyOdIa9yTebXzCQ4f7sXXnoe76D2g1gbFFc1DeqH...",
+ "signature-input"=>"sig1=(\"date\" \"x-custom-header\");created=1708690868;keyid=\"my-test-key-rsa-pss\""}
+```
+### To verify a valid signature:
+```ruby
+pubkey = Linzer::Key.new(key_id: "some-key-rsa-pss", material: OpenSSL::PKey::RSA.new(test_key_rsa_pss))
+# => #<struct Struct::Key material=#<OpenSSL::PKey::RSA:0x0000000106eade48 oid=rsaEncryption>, key_id="some-key-rsa-pss">
+headers = {"signature-input" => "...", signature => "...", "date" => "Fri, 23 Feb 2024 13:18:15 GMT", "x-custom-header" => "bar"})
+message = Linzer::Message.new(headers)
+# => #<Linzer::Message:0x0000000111b592a0 @headers={"date"=>"Fri, 23 Feb 2024 13:18:15 GMT", ...
+signature = Linzer::Signature.build(headers)
+# => #<Linzer::Signature:0x0000000112396008 ...
+Linzer.verify(pubkey, message, signature)
+# => true
+```
+### What if an invalid signature if verified?
+```ruby
+result = Linzer.verify(pubkey, message, signature)
+linzer/lib/linzer/verifier.rb:14:in `verify': Failed to verify message: Invalid signature. (Linzer::Error)
+```
+For now, to consult additional details, just take a look at source code and/or the unit tests.
+Please note that is still early days, so only signatures RSASSA-PSS using SHA-512 like ones
+described in the RFC are supported.
-It's still early days, so only signatures RSASSA-PSS Using SHA-512 like ones described in the RFC are supported. I'll be expanding the library to cover more functionality specified in the RFC in subsequent releases.
+I'll be expanding the library to cover more functionality specified in the RFC
+in subsequent releases.
 ## Development

data/lib/linzer/message.rb CHANGED Viewed

@@ -3,8 +3,9 @@
 module Linzer
   class Message
     def initialize(request_data)
-      @headers = Hash(request_data[:headers])
-      @http = Hash(request_data[:http])
+      @headers = Hash(request_data[:headers].clone).freeze
+      @http    = Hash(request_data[:http].clone).freeze
+      freeze
     end
     def empty?
@@ -15,16 +16,54 @@ module Linzer
       @headers.key?(header)
     end
+    def field?(f)
+      !!self[f]
+    end
     def [](field_name)
       return @headers[field_name] if !field_name.start_with?("@")
       case field_name
-      when "@method" then @http["method"]
+      when "@method"    then @http["method"]
       when "@authority" then @http["host"]
-      when "@path" then @http["path"]
+      when "@path"      then @http["path"]
       else # XXX: improve this and add support for all fields in the RFC
         raise Error.new "Unknown/unsupported field: \"#{field_name}\""
       end
     end
+    def signature_base(components, parameters)
+      validate_components components
+      signature_base = components.each_with_object(+"") do |comp, base|
+        base << "\"#{comp}\": #{self[comp]}\n"
+      end
+      signature_params =
+        Starry.serialize([Starry::InnerList.new(components, parameters)])
+      signature_base << "\"@signature-params\": #{signature_params}"
+      signature_base
+    end
+    class << self
+      def parse_structured_dictionary(str, field_name = nil)
+        Starry.parse_dictionary(str)
+      rescue Starry::ParseError => _
+        raise Error.new "Cannot parse \"#{field_name}\" field. Bailing out!"
+      end
+    end
+    private
+    def validate_components(components)
+      if components.include?("@signature-params")
+        raise Error.new "Invalid component in signature input"
+      end
+      msg = "Cannot verify signature. Missing component in message: %s"
+      components.each { |c| raise Error.new msg % "\"#{c}\"" unless field? c  }
+      msg = "Invalid signature. Duplicated component in signature input."
+      raise Error.new msg if components.size != components.uniq.size
+    end
   end
 end

data/lib/linzer/signature.rb ADDED Viewed

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+module Linzer
+  class Signature
+    def initialize(metadata, value, label, parameters = {})
+      @metadata   = metadata.clone.freeze
+      @value      = value.clone.freeze
+      @parameters = parameters.clone.freeze
+      @label      = label.clone.freeze
+      freeze
+    end
+    attr_reader  :metadata, :value, :parameters, :label
+    alias_method :components, :metadata
+    alias_method :bytes, :value
+    def to_h
+      {
+        "signature" => Starry.serialize({label => value}),
+        "signature-input" =>
+          Starry.serialize({label =>
+            Starry::InnerList.new(components, parameters)})
+      }
+    end
+    class << self
+      private :new
+      def build(headers, options = {})
+        validate headers
+        input = parse_field(headers, "signature-input")
+        reject_multiple_signatures if input.size > 1 && options[:label].nil?
+        label = options[:label] || input.keys.first
+        signature = parse_field(headers, "signature")
+        fail_with_signature_not_found label unless signature.key?(label)
+        raw_signature = signature[label].value
+        fail_due_invalid_components unless input[label].value.respond_to?(:each)
+        components = input[label].value.map(&:value)
+        parameters = input[label].parameters
+        new(components, raw_signature, label, parameters)
+      end
+      private
+      def validate(headers)
+        raise Error.new "Cannot build signature: Request headers cannot be null"      if headers.nil?
+        raise Error.new "Cannot build signature: No request headers found"            if headers.empty?
+        raise Error.new "Cannot build signature: No \"signature-input\" header found" unless headers.key?("signature-input")
+        raise Error.new "Cannot build signature: No \"signature\" header found"       unless headers.key?("signature")
+      end
+      def reject_multiple_signatures
+        raise Error.new "Multiple signatures found but none was selected."
+      end
+      def fail_with_signature_not_found(label)
+        raise Error.new "Signature label not found: \"#{label}\""
+      end
+      def fail_due_invalid_components
+        raise Error.new "Unexpected value for covered components."
+      end
+      def parse_field(hsh, field_name)
+        Message.parse_structured_dictionary(hsh[field_name], field_name)
+      end
+    end
+  end
+end

data/lib/linzer/signer.rb ADDED Viewed

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+module Linzer
+  module Signer
+    DEFAULT_LABEL = "sig1"
+    class << self
+      def sign(key, message, components, options = {})
+        validate key, message, components
+        parameters = populate_parameters(key, options)
+        signature_base = message.signature_base(components, parameters)
+        signature = _sign(key, signature_base, options)
+        label = options[:label] || DEFAULT_LABEL
+        Linzer::Signature.build(serialize(signature, components, parameters, label))
+      end
+      def default_label
+        DEFAULT_LABEL
+      end
+      private
+      def validate(key, message, components)
+        raise Error.new "Message to sign cannot be null"           if message.nil?
+        raise Error.new "Message cannot be signed with a null key" if key.nil?
+        if components.include?("@signature-params")
+          raise Error.new "Invalid component in signature input"
+        end
+        component_missing = 'Cannot sign message: component "%s" is not present in message'
+        components.each do |c|
+          raise Error.new component_missing % c unless message.field? c
+        end
+      end
+      def populate_parameters(key, options)
+        parameters = {}
+        parameters[:created] = options[:created] || Time.now.getutc.to_i
+        key_id = options[:keyid] || (key.key_id if key.respond_to?(:key_id))
+        parameters[:keyid] = key_id             unless key_id.nil?
+        (options.keys - %i[created keyid label]).each { |k| parameters[k] = options[k] }
+        parameters
+      end
+      def _sign(key, data, options)
+        # signature = key.sign_pss("SHA512", signature_base, salt_length: 64, mgf1_hash: "SHA512")
+        key.sign("SHA512", data)
+      end
+      def serialize(signature, components, parameters, label)
+        {
+          "signature" => Starry.serialize({label => signature}),
+          "signature-input" =>
+            Starry.serialize({label =>
+              Starry::InnerList.new(components, parameters)})
+        }
+      end
+    end
+  end
+end

data/lib/linzer/verifier.rb CHANGED Viewed

@@ -1,101 +1,40 @@
 # frozen_string_literal: true
 module Linzer
-  class Verifier
-    def initialize(pubkeys = nil)
-      @pubkeys = Hash(pubkeys)
-    end
-    attr_reader :pubkeys
-    # XXX: probably all this validation can be moved to the Message class
-    def verify(message)
-      validate message
-      signature_input = parse_field(message, "signature-input")
-      signature = parse_field(message, "signature")
-      # XXX: this is a self-imposed limitation, fix later
-      reject_multiple(signature)
-      choosen_signature = signature.keys[0]
-      if !signature_input.key?(choosen_signature)
-        raise Error.new "Signature \"#{choosen_signature}\" is not found."
-      end
-      covered_components = signature_input[choosen_signature].to_a
-      signature_parameters = signature_input[choosen_signature].parameters
-      signature_value = signature[choosen_signature].value
-      # XXX to-do: have a mechanism to inspect components and parameters
+  module Verifier
+    class << self
+      def verify(key, message, signature)
+        validate message, key, signature
-      check_key_presence signature_parameters
-      check_components message, covered_components
+        parameters = signature.parameters
+        components = signature.components
-      signature_base = build_signature_base(message, signature_input)
+        signature_base = message.signature_base(components, parameters)
-      # XXX to-do: get rid of this hard-coded SHA512 values, support more algs
-      key = pubkeys[signature_parameters["keyid"]]
-      if !key.verify_pss("SHA512", signature_value, signature_base, salt_length: :auto, mgf1_hash: "SHA512")
+        return true if _verify(key, signature.value, signature_base)
         raise Error.new "Failed to verify message: Invalid signature."
       end
-      true
-    end
-    private
+      private
-    def validate(message)
-      raise Error.new "Message to verify cannot be null" if message.nil?
-      raise Error.new "Message to verify cannot be empty" if message.empty?
-      raise Error.new "Message signature cannot be incomplete" unless message.header?("signature-input")
-      raise Error.new "Message has no signature to verify" unless message.header?("signature")
-    end
+      def validate(message, key, signature)
+        raise Error.new "Message to verify cannot be null"       if message.nil?
+        raise Error.new "Key to verify signature cannot be null" if key.nil?
+        raise Error.new "Signature to verify cannot be null"     if signature.nil?
-    def parse_field(message, field_name)
-      Starry.parse_dictionary(message[field_name])
-    rescue Starry::ParseError => _
-      raise Error.new "Cannot parse \"#{field_name}\" field. Bailing out!"
-    end
-    def reject_multiple(hsh)
-      msg = "Messages with more than 1 signatures are not supported"
-      raise Error.new msg if hsh.keys.size > 1
-    end
-    def check_key_presence(parameters)
-      msg = "Cannot verify signature. Key not found"
-      key_id = parameters["keyid"]
-      raise Error.new msg if key_id.nil?
-      msg += ": \"#{key_id}\"" if !key_id.empty?
-      raise Error.new msg unless pubkeys.key?(key_id)
-    end
-    def check_components(message, components)
-      msg = "Cannot verify signature. Missing component in message: "
-      components
-        .map(&:value)
-        .reject { |component| message[component] }
-        .shift
-        .tap do |component|
-          if component
-            msg += "\"#{component}\""
-            raise Error.new msg
-          end
+        if !signature.respond_to?(:value) || !signature.respond_to?(:components)
+          raise Error.new "Signature is invalid"
         end
-    end
-    def build_signature_base(message, signature_input)
-      signature_base = +""
-      signature_params = ""
-      signature_input.each do |k, l|
-        signature_params = l.to_s
-        l.value.each { |c| signature_base << "\"#{c.value}\": #{message[c.value]}\n" }
+        raise Error.new "Signature raw value to cannot be null" if signature.value.nil?
+        raise Error.new "Components cannot be null"             if signature.components.nil?
+      end
+      def _verify(key, signature, data)
+        # XXX to-do: get rid of this hard-coded SHA512 values, support more algs
+        return true if key.material.verify_pss("SHA512", signature, data, salt_length: :auto, mgf1_hash: "SHA512")
+        false
       end
-      signature_base << "\"@signature-params\": #{signature_params}"
-      signature_base
     end
   end
 end

data/lib/linzer/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Linzer
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/linzer.rb CHANGED Viewed

@@ -5,15 +5,29 @@ require "openssl"
 require_relative "linzer/version"
 require_relative "linzer/message"
+require_relative "linzer/signature"
+require_relative "linzer/signer"
 require_relative "linzer/verifier"
 module Linzer
   class Error < StandardError; end
+  Key = Struct.new("Key", :material, :key_id, keyword_init: true) do |clazz|
+    def sign(*args)
+      # XXX: probably this is going to grow in complexity and will need
+      # to be moved to its own class or dispatch to the signer
+      !material.nil? or raise Error.new "Cannot sign data, key material cannot be null."
+      material.sign(*args)
+    end
+  end
   class << self
-    def verify(pubkeys, message)
-      Linzer::Verifier.new(pubkeys)
-        .verify(message)
+    def verify(pubkey, message, signature)
+      Linzer::Verifier.verify(pubkey, message, signature)
+    end
+    def sign(key, message, components, options = {})
+      Linzer::Signer.sign(key, message, components, options)
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Miguel Landaeta
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-02-18 00:00:00.000000000 Z
+date: 2024-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -60,6 +60,8 @@ files:
 - Rakefile
 - lib/linzer.rb
 - lib/linzer/message.rb
+- lib/linzer/signature.rb
+- lib/linzer/signer.rb
 - lib/linzer/verifier.rb
 - lib/linzer/version.rb
 - linzer.gemspec