linzer 0.3.0 → 0.3.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/README.md +1 -1
- data/lib/linzer/ecdsa.rb +39 -2
- data/lib/linzer/key/helper.rb +1 -1
- data/lib/linzer/signature.rb +5 -2
- data/lib/linzer/version.rb +1 -1
- metadata +3 -3
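--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8d894c6969ed3ed090305c6232eba9b9c277893ade58afc49df8f34adebfe8f2
+data.tar.gz: a33efff10c8805011949f49e26a8777a7b1c4bf592ba4b5974de3c753cb4ed02
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 199983c83faa155354b4f9d0ee433fcf67ec5c2aac02deaf8be2be6ab3db612e68b062f43885f643643bbcbb5a150c2dc81021bc5de5ffbc1f99d32b05254bf9
+data.tar.gz: a8e0299826535468912457200eb479a115b395b6f20966f7584e3f257a05be01fb27f49f5dfd822baed973efd5b20ae824000faf2b427a19266ac28eb936c97c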
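--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [0.3.2] - 2024-03-16
+
+- Force signature component name strings to be encoded as ASCII.
+Otherwise in some scenarios, this could to signature verification errors
+for valid signatures.
+
+## [0.3.1] - 2024-03-02
+
+- Fix incorrect signing and verifying for ECDSA P-256 and P-384 curves.
+
 ## [0.3.0] - 2024-02-28
 
 - Add support for the following algorithms: Ed25519, HMAC-SHA256 and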
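--- a/data/README.md
+++ b/data/README.md
@@ -60,7 +60,7 @@ lib/linzer/verifier.rb:34:in `verify_or_fail': Failed to verify message: Invalid
 
 For now, to consult additional details, just take a look at source code and/or the unit tests.
 
-Please note that is still early days and extensive testing is still ongoing. For now only the following algorithms are supported: RSASSA-PSS using SHA-512, HMAC-SHA256, Ed25519 and ECDSA P-256
+Please note that is still early days and extensive testing is still ongoing. For now only the following algorithms are supported: RSASSA-PSS using SHA-512, HMAC-SHA256, Ed25519 and ECDSA (P-256 and P-384 curves).
 
 I'll be expanding the library to cover more functionality specified in the RFC
 in subsequent releases.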
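--- a/data/lib/linzer/ecdsa.rb
+++ b/data/lib/linzer/ecdsa.rb
@@ -9,11 +9,48 @@ module Linzer
 end
 
 def sign(data)
-material.sign(@params[:digest], data)
+decode_der_signature(material.sign(@params[:digest], data))
 end
 
 def verify(signature, data)
-material.verify(@params[:digest], signature, data)
+material.verify(@params[:digest], der_signature(signature), data)
+end
+
+private
+
+def der_signature(sig)
+digest = @params[:digest]
+msg = "Cannot verify invalid signature."
+
+case digest
+when "SHA256"
+raise Linzer::Error.new(msg) if sig.length != 64
+r_bn = OpenSSL::BN.new(sig[0..31].unpack1("H*").to_i(16))
+s_bn = OpenSSL::BN.new(sig[32..63].unpack1("H*").to_i(16))
+when "SHA384"
+raise Linzer::Error.new(msg) if sig.length != 96
+r_bn = OpenSSL::BN.new(sig[0..47].unpack1("H*").to_i(16))
+s_bn = OpenSSL::BN.new(sig[48..95].unpack1("H*").to_i(16))
+else
+msg = "Cannot verify signature, unsupported digest algorithm: '%s'" % digest
+raise Linzer::Error.new(msg)
+end
+
+r = OpenSSL::ASN1::Integer(r_bn)
+s = OpenSSL::ASN1::Integer(s_bn)
+
+seq = OpenSSL::ASN1::Sequence.new([r, s])
+seq.to_der
+end
+
+def decode_der_signature(der_sig)
+OpenSSL::ASN1
+.decode(der_sig)
+.value
+.map { |n| n.value.to_s(16) }
+.map { |s| [s].pack("H*") }
+.reduce(:<<)
+.force_encoding(Encoding::ASCII_8BIT)
 end
 end
 end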
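Review bot: `decode_der_signature` does not pad r and s to the curve's coordinate width: `n.value.to_s(16)` gives the shortest representation, so when either integer has leading zero bytes the concatenated result is shorter than the 64 or 96 bytes that `der_signature` requires, and the r/s boundary moves. `sign` would then occasionally emit a signature that this library's own `verify` rejects with "Cannot verify invalid signature.". Replacing the two `.map` steps with `.map { |n| n.value.to_s(2).rjust(width, "\0") }`, where `width` is 32 for "SHA256" and 48 for "SHA384" as in `der_signature`, keeps the output fixed-length. A regression test that signs many messages and checks the signature length each time would catch a recurrence.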
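--- a/data/lib/linzer/key/helper.rb
+++ b/data/lib/linzer/key/helper.rb
@@ -63,7 +63,7 @@ module Linzer
 # https://www.rfc-editor.org/rfc/rfc4492.html#appendix-A
 # Table 6: Equivalent curves defined by SECG, ANSI, and NIST
 # secp384r1 | | NIST P-384
-def
+def generate_ecdsa_p384_sha384_key(key_id = nil)
 material = OpenSSL::PKey::EC.generate("secp384r1")
 Linzer::ECDSA::Key.new(material, id: key_id, digest: "SHA384")
 end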
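--- a/data/lib/linzer/signature.rb
+++ b/data/lib/linzer/signature.rb
@@ -36,11 +36,14 @@ module Linzer
 signature = parse_field(headers, "signature")
 fail_with_signature_not_found label unless signature.key?(label)
 
-raw_signature =
+raw_signature =
+signature[label].value
+.force_encoding(Encoding::ASCII_8BIT)
 
 fail_due_invalid_components unless input[label].value.respond_to?(:each)
 
-
+ascii = Encoding::US_ASCII
+components = input[label].value.map { |c| c.value.encode(ascii) }
 parameters = input[label].parameters
 
 new(components, raw_signature, label, parameters)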
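Review bot: `c.value.encode(ascii)` on new line 46 raises an `EncodingError` subclass (for example `Encoding::UndefinedConversionError`) when a component name parsed from the message headers contains a non-ASCII character, and nothing visible in this hunk turns that into the library's own error. Callers that rescue only `Linzer::Error` would then get an unexpected exception type from header input they do not control. Consider routing the failure through the existing helper, for example by wrapping the map and adding `rescue EncodingError` followed by `fail_due_invalid_components`. The enclosing method starts and ends outside the hunk, so an outer rescue may already cover this.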
data/lib/linzer/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: linzer
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.3.
|
4
|
+
version: 0.3.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Miguel Landaeta
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-03-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: ed25519
|
@@ -94,7 +94,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
94
94
|
- !ruby/object:Gem::Version
|
95
95
|
version: '0'
|
96
96
|
requirements: []
|
97
|
-
rubygems_version: 3.4.
|
97
|
+
rubygems_version: 3.4.3
|
98
98
|
signing_key:
|
99
99
|
specification_version: 4
|
100
100
|
summary: An implementation of HTTP Messages Signatures (RFC9421)
|