RubyGems - linzer - Versions diffs - 0.4.0 → 0.5.0 - Mend

linzer 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94cad96e720cc1235948c2a2ef20b1056f444b4a456364c8551cfda414c539fb
-  data.tar.gz: fbd2f500e2c64e010fa380ac525e2afeef1a1fc7de055655263138a1a6afab27
+  metadata.gz: 026db131a5602b1f62b4f930086a0612b99f17a3aa6aa0eb649baa7bc8ba574b
+  data.tar.gz: 8f29e81e3083257c4731c9e408f4a66a95125fdb4d0678fd8d16cc410637d694
 SHA512:
-  metadata.gz: f187e852f367e8d6428eb8cb61919693c67f0650a6b723e20211b1eabc47d0834c0b1facaaf89790e0d2e7335fe65752c09b0b136734e9d3214578b54fac794c
-  data.tar.gz: a5fa3a4eb24c9362918197d0828347095a354ed2151f3f08e6582d42854a0fd19460163b16523148823f82ada8a1aa95a4d467553490b909b39cba52a0ae9166
+  metadata.gz: 6edb3a943f2bcf408ed865fe8bec013c3b13e609ea791981474a84bb21936b2e5fa61d86e64f9e9917c0a3e440e6246d443761c81cd94c094898c78423137789
+  data.tar.gz: 82074df18649f3f85af7c187762dbcf90b602c9748c9f6dba4695db42ee53ce24c5a546589f96011ab9d47564e1f9d2436a35616b54678e24f4222cd12f97837

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,18 @@
 ## [Unreleased]
+## [0.5.0] - 2024-03-30
+- Build Linzer::Message instances from Rack request and response objects
+  instead of unspecified/ad-hoc hashes with HTTP request and
+  response parameters.
+- Update README examples.
+## [0.4.1] - 2024-03-25
+- Fix one-off error on ECDSA P-256 and P-384 curve signature generation.
+  In some cases, an invalid signature of 63 or 95 bytes could be generated.
 ## [0.4.0] - 2024-03-16
 - Add support for capitalized HTTP header names.

data/README.md CHANGED Viewed

@@ -17,35 +17,94 @@ Or just `gem install linzer`.
 ### To sign a HTTP message:
 ```ruby
-irb(main):001:0> key = Linzer.generate_ed25519_key
+key = Linzer.generate_ed25519_key
 # => #<Linzer::Ed25519::Key:0x00000fe13e9bd208
-message = Linzer::Message.new(headers: {"date" => "Fri, 23 Feb 2024 17:57:23 GMT", "x-custom-header" => "foo"})
-# => #<Linzer::Message:0x0000000111b592a0 @headers={"date"=>"Fri, 23 Feb 2024 17:57:23 GMT", ...
+headers = {
+  "date" => "Fri, 23 Feb 2024 17:57:23 GMT",
+  "x-custom-header" => "foo"
+}
+request = Linzer.new_request(:post, "/some_uri", {}, headers)
+# => #<Rack::Request:0x0000000104c1c8c0
+#       @env={"HTTP_DATE"=>"Fri, 23 Feb 2024 17:57:23 GMT", "HTTP_X_CUSTOM..."
+#       @params=nil>
+message = Linzer::Message.new(request)
+# => #<Linzer::Message:0x0000000104afa960
+#       @operation=#<Rack::Request:0x00000001049754a0
+#       @env={"HTTP_DATE"=>"Fri, 23 Feb 2024 17:57:23 GMT", "HTTP_X_CUSTOM..."
+#       @params=nil>>
+fields = %w[date x-custom-header @method @path]
-fields = %w[date x-custom-header]
 signature = Linzer.sign(key, message, fields)
 # => #<Linzer::Signature:0x0000000111f77ad0 ...
-puts signature.to_h
-{"signature"=>
-  "sig1=:8rLY3nFtezwwsK+sqZEMe7wzbNHojZJGEnvp3suKichgwH...",
- "signature-input"=>"sig1=(\"date\" \"x-custom-header\");created=1709075013;keyid=\"test-key-ed25519\""}
+pp signature.to_h
+# => {"signature"=>"sig1=:Cv1TUCxUpX+5SVa7pH0Xh...",
+#  "signature-input"=>"sig1=(\"date\" \"x-custom-header\" ..."}
+```
+### Use the message signature with any HTTP client:
+```ruby
+require "net/http"
+http = Net::HTTP.new("localhost", 9292)
+http.set_debug_output($stderr)
+response = http.post("/some_uri", "data", headers.merge(signature.to_h))
+# opening connection to localhost:9292...
+# opened
+# <- "POST /some_uri HTTP/1.1\r\n
+# <- Date: Fri, 23 Feb 2024 17:57:23 GMT\r\n
+# <- X-Custom-Header: foo\r\n
+# <- Signature: sig1=:Cv1TUCxUpX+5SVa7pH0X...
+# <- Signature-Input: sig1=(\"date\" \"x-custom-header\" \"@method\"...
+# <- Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\n
+# <- Accept: */*\r\n
+# <- User-Agent: Ruby\r\n
+# <- Connection: close\r\n
+# <- Host: localhost:9292
+# <- Content-Length: 4\r\n
+# <- Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+# <- "data"
+#
+# -> "HTTP/1.1 200 OK\r\n"
+# -> "Content-Type: text/html;charset=utf-8\r\n"
+# -> "Content-Length: 0\r\n"
+# -> "X-Xss-Protection: 1; mode=block\r\n"
+# -> "X-Content-Type-Options: nosniff\r\n"
+# -> "X-Frame-Options: SAMEORIGIN\r\n"
+# -> "Server: WEBrick/1.8.1 (Ruby/3.2.0/2022-12-25)\r\n"
+# -> "Date: Thu, 28 Mar 2024 17:19:21 GMT\r\n"
+# -> "Connection: close\r\n"
+# -> "\r\n"
+# reading 0 bytes...
+# -> ""
+# read 0 bytes
+# Conn close
+# => #<Net::HTTPOK 200 OK readbody=true>
 ```
 ### To verify a valid signature:
 ```ruby
+test_ed25519_key_pub = Base64.strict_encode64(key.material.verify_key.to_bytes)
+# => "EUra7KsJ8B/lSZJVhDaopMycmZ6T7KtJqKVNJTHKIw0="
 pubkey = Linzer.new_ed25519_public_key(test_ed25519_key_pub, "some-key-ed25519")
 # => #<Linzer::Ed25519::Key:0x00000fe19b9384b0
-headers = {"signature-input" => "...", signature => "...", "date" => "Fri, 23 Feb 2024 13:18:15 GMT", "x-custom-header" => "bar"})
+# if you have to, there is a helper method to build a request object on the server side
+# although any standard Ruby web server or framework (Sinatra, Rails, etc) should expose
+# a request object and this should not be required for most cases.
+#
+# request = Linzer.new_request(:post, "/some_uri", {}, headers)
-message = Linzer::Message.new(headers)
-# => #<Linzer::Message:0x0000000111b592a0 @headers={"date"=>"Fri, 23 Feb 2024 13:18:15 GMT", ...
+message = Linzer::Message.new(request)
-signature = Linzer::Signature.build(headers)
-# => #<Linzer::Signature:0x0000000112396008 ...
+signature = Linzer::Signature.build(message.headers)
 Linzer.verify(pubkey, message, signature)
 # => true
@@ -55,10 +114,35 @@ Linzer.verify(pubkey, message, signature)
 ```ruby
 result = Linzer.verify(pubkey, message, signature)
-lib/linzer/verifier.rb:34:in `verify_or_fail': Failed to verify message: Invalid signature. (Linzer::Error)
+lib/linzer/verifier.rb:38:in `verify_or_fail': Failed to verify message: Invalid signature. (Linzer::Error)
+```
+### HTTP responses are also supported
+HTTP responses can also be signed and verified in the same way as requests.
+```ruby
+headers = {
+  "date" => "Sat, 30 Mar 2024 21:40:13 GMT",
+  "x-response-custom" => "bar"
+}
+response = Linzer.new_response("request body", 200, headers)
+# or just use the response object exposed by your HTTP framework
+message = Linzer::Message.new(response)
+fields  = %w[@status date x-response-custom]
+signature = Linzer.sign(key, message, fields)
+pp signature.to_h
+# => {"signature"=>
+#   "sig1=:tCldwXqbISktyABrmbhszo...",
+#  "signature-input"=>"sig1=(\"@status\" \"date\" ..."}
 ```
-For now, to consult additional details, just take a look at source code and/or the unit tests.
+For now, to consult additional details just take a look at source code and/or the unit tests.
 Please note that is still early days and extensive testing is still ongoing. For now only the following algorithms are supported: RSASSA-PSS using SHA-512, HMAC-SHA256, Ed25519 and ECDSA (P-256 and P-384 curves).

data/lib/linzer/ecdsa.rb CHANGED Viewed

@@ -25,12 +25,12 @@ module Linzer
         case digest
         when "SHA256"
           raise Linzer::Error.new(msg) if sig.length != 64
-          r_bn = OpenSSL::BN.new(sig[0..31].unpack1("H*").to_i(16))
-          s_bn = OpenSSL::BN.new(sig[32..63].unpack1("H*").to_i(16))
+          r_bn = OpenSSL::BN.new(sig[0..31].unpack1("H64").to_i(16))
+          s_bn = OpenSSL::BN.new(sig[32..63].unpack1("H64").to_i(16))
         when "SHA384"
           raise Linzer::Error.new(msg) if sig.length != 96
-          r_bn = OpenSSL::BN.new(sig[0..47].unpack1("H*").to_i(16))
-          s_bn = OpenSSL::BN.new(sig[48..95].unpack1("H*").to_i(16))
+          r_bn = OpenSSL::BN.new(sig[0..47].unpack1("H96").to_i(16))
+          s_bn = OpenSSL::BN.new(sig[48..95].unpack1("H96").to_i(16))
         else
           msg = "Cannot verify signature, unsupported digest algorithm: '%s'" % digest
           raise Linzer::Error.new(msg)
@@ -44,13 +44,21 @@ module Linzer
       end
       def decode_der_signature(der_sig)
+        digest = @params[:digest]
+        msg = "Unsupported digest algorithm: '%s'" % digest
         OpenSSL::ASN1
           .decode(der_sig)
           .value
-          .map { |n| n.value.to_s(16) }
-          .map { |s| [s].pack("H*")   }
+          .map do |n|
+            case digest
+            when "SHA256" then "%.64x" % n.value
+            when "SHA384" then "%.96x" % n.value
+            else raise Linzer::Error.new(msg)
+            end
+          end
+          .map { |s| [s].pack("H#{s.length}") }
           .reduce(:<<)
-          .force_encoding(Encoding::ASCII_8BIT)
+          .encode(Encoding::ASCII_8BIT)
       end
     end
   end

data/lib/linzer/message.rb CHANGED Viewed

@@ -2,20 +2,23 @@
 module Linzer
   class Message
-    def initialize(request_data)
-      @http    = Hash(request_data[:http].clone).freeze
-      @headers = Hash(request_data.fetch(:headers, {})
-                        .transform_keys(&:downcase)
-                        .clone).freeze
+    def initialize(operation)
+      @operation = operation
       freeze
     end
-    def empty?
-      @headers.empty?
+    def request?
+      @operation.is_a?(Rack::Request) || @operation.respond_to?(:request_method)
     end
-    def header?(header)
-      @headers.key?(header)
+    def response?
+      @operation.is_a?(Rack::Response) || @operation.respond_to?(:status)
+    end
+    def headers
+      return @operation.headers if response? || @operation.respond_to?(:headers)
+      Request.headers(@operation)
     end
     def field?(f)
@@ -23,13 +26,16 @@ module Linzer
     end
     def [](field_name)
-      return @headers[field_name] if !field_name.start_with?("@")
+      if !field_name.start_with?("@")
+        return @operation.env[Request.rack_header_name(field_name)] if request?
+        return @operation.headers[field_name]                     # if response?
+      end
       case field_name
-      when "@method"    then @http["method"]
-      when "@authority" then @http["host"]
-      when "@path"      then @http["path"]
-      when "@status"    then @http["status"]
+      when "@method"    then @operation.request_method
+      when "@authority" then @operation.authority
+      when "@path"      then @operation.path_info
+      when "@status"    then @operation.status
       else # XXX: improve this and add support for all fields in the RFC
         raise Error.new "Unknown/unsupported field: \"#{field_name}\""
       end

data/lib/linzer/request.rb ADDED Viewed

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+module Linzer
+  module Request
+    extend self
+    def build(verb, uri = "/", params = {}, headers = {})
+      validate verb, uri, params, headers
+      # XXX: to-do: handle rack request params?
+      request_method = Rack.const_get(verb.upcase)
+      args = {
+        "REQUEST_METHOD" => request_method,
+        "PATH_INFO"      => uri.to_str
+      }
+      Rack::Request.new(build_rack_env(headers).merge(args))
+    end
+    def rack_header_name(field_name)
+      validate_header_name field_name
+      rack_name = field_name.upcase.tr("-", "_")
+      case field_name.downcase
+      when "content-type", "content-length"
+        rack_name
+      else
+        "HTTP_#{rack_name}"
+      end
+    end
+    def headers(rack_request)
+      rack_request
+        .each_header
+        .to_h
+        .select do |k, _|
+          k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
+        end
+        .transform_keys { |k| k.downcase.tr("_", "-") }
+        .transform_keys do |k|
+          %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
+        end
+    end
+    private
+    def validate(verb, uri, params, headers)
+      validate_verb      verb
+      validate_uri       uri
+      validate_arg_hash  headers: headers
+      validate_arg_hash  params:  params
+    end
+    def validate_verb(verb)
+      Rack.const_get(verb.upcase)
+    rescue => ex
+      unknown_method = "Unknown/invalid HTTP request method"
+      raise Error.new, unknown_method, cause: ex
+    end
+    def validate_uri(uri)
+      uri.to_str
+    rescue => ex
+      invalid_uri = "Invalid URI"
+      raise Error.new, invalid_uri, cause: ex
+    end
+    def validate_arg_hash(hsh)
+      arg_name = hsh.keys.first
+      hsh[arg_name].to_hash
+    rescue => ex
+      err_msg = "invalid \"#{arg_name}\" parameter, cannot be converted to hash."
+      raise Error.new, "Cannot build request: #{err_msg}", cause: ex
+    end
+    def validate_header_name(name)
+      raise ArgumentError.new, "Blank header name." if name.empty?
+      name.to_str
+    rescue => ex
+      err_msg = "Invalid header name: '#{name}'"
+      raise Error.new, err_msg, cause: ex
+    end
+    def build_rack_env(headers)
+      headers
+        .to_hash
+        .transform_keys { |k| k.upcase.tr("-", "_") }
+        .transform_keys do |k|
+          %w[CONTENT_TYPE CONTENT_LENGTH].include?(k) ? k : "HTTP_#{k}"
+        end
+    end
+  end
+end

data/lib/linzer/response.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+module Linzer
+  module Response
+    def new_response(body = nil, status = 200, headers = {})
+      Rack::Response.new(body, status, headers)
+    end
+  end
+end

data/lib/linzer/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Linzer
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/linzer.rb CHANGED Viewed

@@ -2,9 +2,12 @@
 require "starry"
 require "openssl"
+require "rack"
 require_relative "linzer/version"
 require_relative "linzer/common"
+require_relative "linzer/request"
+require_relative "linzer/response"
 require_relative "linzer/message"
 require_relative "linzer/signature"
 require_relative "linzer/key"
@@ -21,6 +24,11 @@ module Linzer
   class << self
     include Key::Helper
+    include Response
+    def new_request(verb, uri = "/", params = {}, headers = {})
+      Linzer::Request.build(verb, uri, params, headers)
+    end
     def verify(pubkey, message, signature)
       Linzer::Verifier.verify(pubkey, message, signature)

data/linzer.gemspec CHANGED Viewed

@@ -31,4 +31,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "ed25519", "~> 1.3", ">= 1.3.0"
   spec.add_runtime_dependency "starry", "~> 0.1"
+  spec.add_runtime_dependency "rack", "~> 3.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Miguel Landaeta
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-03-16 00:00:00.000000000 Z
+date: 2024-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -44,6 +44,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description:
 email:
 - miguel@miguel.cc
@@ -66,6 +80,8 @@ files:
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
 - lib/linzer/message.rb
+- lib/linzer/request.rb
+- lib/linzer/response.rb
 - lib/linzer/rsa.rb
 - lib/linzer/signature.rb
 - lib/linzer/signer.rb