linzer 0.3.0 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22298d26596b660ac67a7f039ed0d05cc41715a5413c4583a4703ce452e6548c
-  data.tar.gz: 735d31e3752eea02207baa7e093bd18a114281f4c493acf98cd7451d73e03fff
+  metadata.gz: 8d894c6969ed3ed090305c6232eba9b9c277893ade58afc49df8f34adebfe8f2
+  data.tar.gz: a33efff10c8805011949f49e26a8777a7b1c4bf592ba4b5974de3c753cb4ed02
 SHA512:
-  metadata.gz: 81428b963ffaa3f39e86ed28e52927923998aaeeb07f773a852bb01abe9272f812c8b0a593813293908845f57799c849163da00d4ae4ca2ef62d36687055ce81
-  data.tar.gz: 3f91ef995bd53bda69832e774ce383cf55a8ef903ffe615e8dbb1a586cf437b85a3d98f8082f39311a6757a3bd4f2657ac4b5d73c3270b4a4534ea571b9e8427
+  metadata.gz: 199983c83faa155354b4f9d0ee433fcf67ec5c2aac02deaf8be2be6ab3db612e68b062f43885f643643bbcbb5a150c2dc81021bc5de5ffbc1f99d32b05254bf9
+  data.tar.gz: a8e0299826535468912457200eb479a115b395b6f20966f7584e3f257a05be01fb27f49f5dfd822baed973efd5b20ae824000faf2b427a19266ac28eb936c97c

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [0.3.2] - 2024-03-16
+
+- Force signature component name strings to be encoded as ASCII.
+  Otherwise in some scenarios, this could to signature verification errors
+  for valid signatures.
+
+## [0.3.1] - 2024-03-02
+
+- Fix incorrect signing and verifying for ECDSA P-256 and P-384 curves.
+
 ## [0.3.0] - 2024-02-28
 
 - Add support for the following algorithms: Ed25519, HMAC-SHA256 and

data/README.md

@@ -60,7 +60,7 @@ lib/linzer/verifier.rb:34:in `verify_or_fail': Failed to verify message: Invalid
 
 For now, to consult additional details, just take a look at source code and/or the unit tests.
 
-Please note that is still early days and extensive testing is still ongoing. For now only the following algorithms are supported: RSASSA-PSS using SHA-512, HMAC-SHA256, Ed25519 and ECDSA P-256 curve. ECDSA P-384 curve was also added but not tested yet.
+Please note that is still early days and extensive testing is still ongoing. For now only the following algorithms are supported: RSASSA-PSS using SHA-512, HMAC-SHA256, Ed25519 and ECDSA (P-256 and P-384 curves).
 
 I'll be expanding the library to cover more functionality specified in the RFC
 in subsequent releases.

data/lib/linzer/ecdsa.rb

@@ -9,11 +9,48 @@ module Linzer
       end
 
       def sign(data)
-        material.sign(@params[:digest], data)
+        decode_der_signature(material.sign(@params[:digest], data))
       end
 
       def verify(signature, data)
-        material.verify(@params[:digest], signature, data)
+        material.verify(@params[:digest], der_signature(signature), data)
+      end
+
+      private
+
+      def der_signature(sig)
+        digest = @params[:digest]
+        msg = "Cannot verify invalid signature."
+
+        case digest
+        when "SHA256"
+          raise Linzer::Error.new(msg) if sig.length != 64
+          r_bn = OpenSSL::BN.new(sig[0..31].unpack1("H*").to_i(16))
+          s_bn = OpenSSL::BN.new(sig[32..63].unpack1("H*").to_i(16))
+        when "SHA384"
+          raise Linzer::Error.new(msg) if sig.length != 96
+          r_bn = OpenSSL::BN.new(sig[0..47].unpack1("H*").to_i(16))
+          s_bn = OpenSSL::BN.new(sig[48..95].unpack1("H*").to_i(16))
+        else
+          msg = "Cannot verify signature, unsupported digest algorithm: '%s'" % digest
+          raise Linzer::Error.new(msg)
+        end
+
+        r = OpenSSL::ASN1::Integer(r_bn)
+        s = OpenSSL::ASN1::Integer(s_bn)
+
+        seq = OpenSSL::ASN1::Sequence.new([r, s])
+        seq.to_der
+      end
+
+      def decode_der_signature(der_sig)
+        OpenSSL::ASN1
+          .decode(der_sig)
+          .value
+          .map { |n| n.value.to_s(16) }
+          .map { |s| [s].pack("H*")   }
+          .reduce(:<<)
+          .force_encoding(Encoding::ASCII_8BIT)
       end
     end
   end

data/lib/linzer/key/helper.rb

@@ -63,7 +63,7 @@ module Linzer
       # https://www.rfc-editor.org/rfc/rfc4492.html#appendix-A
       # Table 6: Equivalent curves defined by SECG, ANSI, and NIST
       # secp384r1   |               |   NIST P-384
-      def generate_ecdsa_p384_sha256_key(key_id = nil)
+      def generate_ecdsa_p384_sha384_key(key_id = nil)
         material = OpenSSL::PKey::EC.generate("secp384r1")
         Linzer::ECDSA::Key.new(material, id: key_id, digest: "SHA384")
       end

data/lib/linzer/signature.rb

@@ -36,11 +36,14 @@ module Linzer
         signature = parse_field(headers, "signature")
         fail_with_signature_not_found label unless signature.key?(label)
 
-        raw_signature = signature[label].value
+        raw_signature =
+          signature[label].value
+            .force_encoding(Encoding::ASCII_8BIT)
 
         fail_due_invalid_components unless input[label].value.respond_to?(:each)
 
-        components = input[label].value.map(&:value)
+        ascii = Encoding::US_ASCII
+        components = input[label].value.map { |c| c.value.encode(ascii) }
         parameters = input[label].parameters
 
         new(components, raw_signature, label, parameters)

data/lib/linzer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Linzer
-  VERSION = "0.3.0"
+  VERSION = "0.3.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.2
 platform: ruby
 authors:
 - Miguel Landaeta
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-02-29 00:00:00.000000000 Z
+date: 2024-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -94,7 +94,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.4.3
 signing_key:
 specification_version: 4
 summary: An implementation of HTTP Messages Signatures (RFC9421)