RubyGems - linzer - Versions diffs - 0.4.0 → 0.5.0 - Mend

linzer 0.4.0 → 0.5.0

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94cad96e720cc1235948c2a2ef20b1056f444b4a456364c8551cfda414c539fb
-  data.tar.gz: fbd2f500e2c64e010fa380ac525e2afeef1a1fc7de055655263138a1a6afab27
+  metadata.gz: 026db131a5602b1f62b4f930086a0612b99f17a3aa6aa0eb649baa7bc8ba574b
+  data.tar.gz: 8f29e81e3083257c4731c9e408f4a66a95125fdb4d0678fd8d16cc410637d694
 SHA512:
-  metadata.gz: f187e852f367e8d6428eb8cb61919693c67f0650a6b723e20211b1eabc47d0834c0b1facaaf89790e0d2e7335fe65752c09b0b136734e9d3214578b54fac794c
-  data.tar.gz: a5fa3a4eb24c9362918197d0828347095a354ed2151f3f08e6582d42854a0fd19460163b16523148823f82ada8a1aa95a4d467553490b909b39cba52a0ae9166
+  metadata.gz: 6edb3a943f2bcf408ed865fe8bec013c3b13e609ea791981474a84bb21936b2e5fa61d86e64f9e9917c0a3e440e6246d443761c81cd94c094898c78423137789
+  data.tar.gz: 82074df18649f3f85af7c187762dbcf90b602c9748c9f6dba4695db42ee53ce24c5a546589f96011ab9d47564e1f9d2436a35616b54678e24f4222cd12f97837

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,18 @@
 ## [Unreleased]
+## [0.5.0] - 2024-03-30
+- Build Linzer::Message instances from Rack request and response objects
+  instead of unspecified/ad-hoc hashes with HTTP request and
+  response parameters.
+- Update README examples.
+## [0.4.1] - 2024-03-25
+- Fix one-off error on ECDSA P-256 and P-384 curve signature generation.
+  In some cases, an invalid signature of 63 or 95 bytes could be generated.
 ## [0.4.0] - 2024-03-16
 - Add support for capitalized HTTP header names.

data/README.md CHANGED Viewed

@@ -17,35 +17,94 @@ Or just `gem install linzer`.
 ### To sign a HTTP message:
 ```ruby
-irb(main):001:0> key = Linzer.generate_ed25519_key
+key = Linzer.generate_ed25519_key
 # => #<Linzer::Ed25519::Key:0x00000fe13e9bd208
-message = Linzer::Message.new(headers: {"date" => "Fri, 23 Feb 2024 17:57:23 GMT", "x-custom-header" => "foo"})
-# => #<Linzer::Message:0x0000000111b592a0 @headers={"date"=>"Fri, 23 Feb 2024 17:57:23 GMT", ...
+headers = {
+  "date" => "Fri, 23 Feb 2024 17:57:23 GMT",
+  "x-custom-header" => "foo"
+}
+request = Linzer.new_request(:post, "/some_uri", {}, headers)
+# => #<Rack::Request:0x0000000104c1c8c0
+#       @env={"HTTP_DATE"=>"Fri, 23 Feb 2024 17:57:23 GMT", "HTTP_X_CUSTOM..."
+#       @params=nil>
+message = Linzer::Message.new(request)
+# => #<Linzer::Message:0x0000000104afa960
+#       @operation=#<Rack::Request:0x00000001049754a0
+#       @env={"HTTP_DATE"=>"Fri, 23 Feb 2024 17:57:23 GMT", "HTTP_X_CUSTOM..."
+#       @params=nil>>
+fields = %w[date x-custom-header @method @path]
-fields = %w[date x-custom-header]
 signature = Linzer.sign(key, message, fields)
 # => #<Linzer::Signature:0x0000000111f77ad0 ...
-puts signature.to_h
-{"signature"=>
-  "sig1=:8rLY3nFtezwwsK+sqZEMe7wzbNHojZJGEnvp3suKichgwH...",
- "signature-input"=>"sig1=(\"date\" \"x-custom-header\");created=1709075013;keyid=\"test-key-ed25519\""}
+pp signature.to_h
+# => {"signature"=>"sig1=:Cv1TUCxUpX+5SVa7pH0Xh...",
+#  "signature-input"=>"sig1=(\"date\" \"x-custom-header\" ..."}
+```
+### Use the message signature with any HTTP client:
+```ruby
+require "net/http"
+http = Net::HTTP.new("localhost", 9292)
+http.set_debug_output($stderr)
+response = http.post("/some_uri", "data", headers.merge(signature.to_h))
+# opening connection to localhost:9292...
+# opened
+# <- "POST /some_uri HTTP/1.1\r\n
+# <- Date: Fri, 23 Feb 2024 17:57:23 GMT\r\n
+# <- X-Custom-Header: foo\r\n
+# <- Signature: sig1=:Cv1TUCxUpX+5SVa7pH0X...
+# <- Signature-Input: sig1=(\"date\" \"x-custom-header\" \"@method\"...
+# <- Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\n
+# <- Accept: */*\r\n
+# <- User-Agent: Ruby\r\n
+# <- Connection: close\r\n
+# <- Host: localhost:9292
+# <- Content-Length: 4\r\n
+# <- Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+# <- "data"
+#
+# -> "HTTP/1.1 200 OK\r\n"
+# -> "Content-Type: text/html;charset=utf-8\r\n"
+# -> "Content-Length: 0\r\n"
+# -> "X-Xss-Protection: 1; mode=block\r\n"
+# -> "X-Content-Type-Options: nosniff\r\n"
+# -> "X-Frame-Options: SAMEORIGIN\r\n"
+# -> "Server: WEBrick/1.8.1 (Ruby/3.2.0/2022-12-25)\r\n"
+# -> "Date: Thu, 28 Mar 2024 17:19:21 GMT\r\n"
+# -> "Connection: close\r\n"
+# -> "\r\n"
+# reading 0 bytes...
+# -> ""
+# read 0 bytes
+# Conn close
+# => #<Net::HTTPOK 200 OK readbody=true>
 ```
 ### To verify a valid signature:
 ```ruby
+test_ed25519_key_pub = Base64.strict_encode64(key.material.verify_key.to_bytes)
+# => "EUra7KsJ8B/lSZJVhDaopMycmZ6T7KtJqKVNJTHKIw0="
 pubkey = Linzer.new_ed25519_public_key(test_ed25519_key_pub, "some-key-ed25519")
 # => #<Linzer::Ed25519::Key:0x00000fe19b9384b0
-headers = {"signature-input" => "...", signature => "...", "date" => "Fri, 23 Feb 2024 13:18:15 GMT", "x-custom-header" => "bar"})
+# if you have to, there is a helper method to build a request object on the server side
+# although any standard Ruby web server or framework (Sinatra, Rails, etc) should expose
+# a request object and this should not be required for most cases.
+#
+# request = Linzer.new_request(:post, "/some_uri", {}, headers)
-message = Linzer::Message.new(headers)
-# => #<Linzer::Message:0x0000000111b592a0 @headers={"date"=>"Fri, 23 Feb 2024 13:18:15 GMT", ...
+message = Linzer::Message.new(request)
-signature = Linzer::Signature.build(headers)
-# => #<Linzer::Signature:0x0000000112396008 ...
+signature = Linzer::Signature.build(message.headers)
 Linzer.verify(pubkey, message, signature)
 # => true
@@ -55,10 +114,35 @@ Linzer.verify(pubkey, message, signature)
 ```ruby
 result = Linzer.verify(pubkey, message, signature)
-lib/linzer/verifier.rb:34:in `verify_or_fail': Failed to verify message: Invalid signature. (Linzer::Error)
+lib/linzer/verifier.rb:38:in `verify_or_fail': Failed to verify message: Invalid signature. (Linzer::Error)
+```
+### HTTP responses are also supported
+HTTP responses can also be signed and verified in the same way as requests.
+```ruby
+headers = {
+  "date" => "Sat, 30 Mar 2024 21:40:13 GMT",
+  "x-response-custom" => "bar"
+}
+response = Linzer.new_response("request body", 200, headers)
+# or just use the response object exposed by your HTTP framework
+message = Linzer::Message.new(response)
+fields  = %w[@status date x-response-custom]
+signature = Linzer.sign(key, message, fields)
+pp signature.to_h
+# => {"signature"=>
+#   "sig1=:tCldwXqbISktyABrmbhszo...",
+#  "signature-input"=>"sig1=(\"@status\" \"date\" ..."}
 ```
-For now, to consult additional details, just take a look at source code and/or the unit tests.
+For now, to consult additional details just take a look at source code and/or the unit tests.
 Please note that is still early days and extensive testing is still ongoing. For now only the following algorithms are supported: RSASSA-PSS using SHA-512, HMAC-SHA256, Ed25519 and ECDSA (P-256 and P-384 curves).

data/lib/linzer/ecdsa.rb CHANGED Viewed

@@ -25,12 +25,12 @@ module Linzer
         case digest
         when "SHA256"
           raise Linzer::Error.new(msg) if sig.length != 64
-          r_bn = OpenSSL::BN.new(sig[0..31].unpack1("H*").to_i(16))
-          s_bn = OpenSSL::BN.new(sig[32..63].unpack1("H*").to_i(16))
+          r_bn = OpenSSL::BN.new(sig[0..31].unpack1("H64").to_i(16))
+          s_bn = OpenSSL::BN.new(sig[32..63].unpack1("H64").to_i(16))
         when "SHA384"
           raise Linzer::Error.new(msg) if sig.length != 96
-          r_bn = OpenSSL::BN.new(sig[0..47].unpack1("H*").to_i(16))
-          s_bn = OpenSSL::BN.new(sig[48..95].unpack1("H*").to_i(16))
+          r_bn = OpenSSL::BN.new(sig[0..47].unpack1("H96").to_i(16))
+          s_bn = OpenSSL::BN.new(sig[48..95].unpack1("H96").to_i(16))
         else
           msg = "Cannot verify signature, unsupported digest algorithm: '%s'" % digest
           raise Linzer::Error.new(msg)
@@ -44,13 +44,21 @@ module Linzer
       end
       def decode_der_signature(der_sig)
+        digest = @params[:digest]
+        msg = "Unsupported digest algorithm: '%s'" % digest
         OpenSSL::ASN1
           .decode(der_sig)
           .value
-          .map { |n| n.value.to_s(16) }
-          .map { |s| [s].pack("H*")   }
+          .map do |n|
+            case digest
+            when "SHA256" then "%.64x" % n.value
+            when "SHA384" then "%.96x" % n.value
+            else raise Linzer::Error.new(msg)
+            end
+          end
+          .map { |s| [s].pack("H#{s.length}") }
           .reduce(:<<)
-          .force_encoding(Encoding::ASCII_8BIT)
+          .encode(Encoding::ASCII_8BIT)
       end
     end
   end

data/lib/linzer/message.rb CHANGED Viewed

@@ -2,20 +2,23 @@
 module Linzer
   class Message
-    def initialize(request_data)
-      @http    = Hash(request_data[:http].clone).freeze
-      @headers = Hash(request_data.fetch(:headers, {})
-                        .transform_keys(&:downcase)
-                        .clone).freeze
+    def initialize(operation)
+      @operation = operation
       freeze
     end
-    def empty?
-      @headers.empty?
+    def request?
+      @operation.is_a?(Rack::Request) || @operation.respond_to?(:request_method)
     end
-    def header?(header)
-      @headers.key?(header)
+    def response?
+      @operation.is_a?(Rack::Response) || @operation.respond_to?(:status)
+    end
+    def headers
+      return @operation.headers if response? || @operation.respond_to?(:headers)
+      Request.headers(@operation)
     end
     def field?(f)
@@ -23,13 +26,16 @@ module Linzer
     end
     def [](field_name)
-      return @headers[field_name] if !field_name.start_with?("@")
+      if !field_name.start_with?("@")
+        return @operation.env[Request.rack_header_name(field_name)] if request?
+        return @operation.headers[field_name]                     # if response?
+      end
       case field_name
-      when "@method"    then @http["method"]
-      when "@authority" then @http["host"]
-      when "@path"      then @http["path"]
-      when "@status"    then @http["status"]
+      when "@method"    then @operation.request_method
+      when "@authority" then @operation.authority
+      when "@path"      then @operation.path_info
+      when "@status"    then @operation.status
       else # XXX: improve this and add support for all fields in the RFC
         raise Error.new "Unknown/unsupported field: \"#{field_name}\""
       end

data/lib/linzer/request.rb ADDED Viewed

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+module Linzer
+  module Request
+    extend self
+    def build(verb, uri = "/", params = {}, headers = {})
+      validate verb, uri, params, headers
+      # XXX: to-do: handle rack request params?
+      request_method = Rack.const_get(verb.upcase)
+      args = {
+        "REQUEST_METHOD" => request_method,
+        "PATH_INFO"      => uri.to_str
+      }
+      Rack::Request.new(build_rack_env(headers).merge(args))
+    end
+    def rack_header_name(field_name)
+      validate_header_name field_name
+      rack_name = field_name.upcase.tr("-", "_")
+      case field_name.downcase
+      when "content-type", "content-length"
+        rack_name
+      else
+        "HTTP_#{rack_name}"
+      end
+    end
+    def headers(rack_request)
+      rack_request
+        .each_header
+        .to_h
+        .select do |k, _|
+          k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
+        end
+        .transform_keys { |k| k.downcase.tr("_", "-") }
+        .transform_keys do |k|
+          %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
+        end
+    end
+    private
+    def validate(verb, uri, params, headers)
+      validate_verb      verb
+      validate_uri       uri
+      validate_arg_hash  headers: headers
+      validate_arg_hash  params:  params
+    end
+    def validate_verb(verb)
+      Rack.const_get(verb.upcase)
+    rescue => ex
+      unknown_method = "Unknown/invalid HTTP request method"
+      raise Error.new, unknown_method, cause: ex
+    end
+    def validate_uri(uri)
+      uri.to_str
+    rescue => ex
+      invalid_uri = "Invalid URI"
+      raise Error.new, invalid_uri, cause: ex
+    end
+    def validate_arg_hash(hsh)
+      arg_name = hsh.keys.first
+      hsh[arg_name].to_hash
+    rescue => ex
+      err_msg = "invalid \"#{arg_name}\" parameter, cannot be converted to hash."
+      raise Error.new, "Cannot build request: #{err_msg}", cause: ex
+    end
+    def validate_header_name(name)
+      raise ArgumentError.new, "Blank header name." if name.empty?
+      name.to_str
+    rescue => ex
+      err_msg = "Invalid header name: '#{name}'"
+      raise Error.new, err_msg, cause: ex
+    end
+    def build_rack_env(headers)
+      headers
+        .to_hash
+        .transform_keys { |k| k.upcase.tr("-", "_") }
+        .transform_keys do |k|
+          %w[CONTENT_TYPE CONTENT_LENGTH].include?(k) ? k : "HTTP_#{k}"
+        end
+    end
+  end
+end

data/lib/linzer/response.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+module Linzer
+  module Response
+    def new_response(body = nil, status = 200, headers = {})
+      Rack::Response.new(body, status, headers)
+    end
+  end
+end

data/lib/linzer/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Linzer
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/linzer.rb CHANGED Viewed

@@ -2,9 +2,12 @@
 require "starry"
 require "openssl"
+require "rack"
 require_relative "linzer/version"
 require_relative "linzer/common"
+require_relative "linzer/request"
+require_relative "linzer/response"
 require_relative "linzer/message"
 require_relative "linzer/signature"
 require_relative "linzer/key"
@@ -21,6 +24,11 @@ module Linzer
   class << self
     include Key::Helper
+    include Response
+    def new_request(verb, uri = "/", params = {}, headers = {})
+      Linzer::Request.build(verb, uri, params, headers)
+    end
     def verify(pubkey, message, signature)
       Linzer::Verifier.verify(pubkey, message, signature)

data/linzer.gemspec CHANGED Viewed

@@ -31,4 +31,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "ed25519", "~> 1.3", ">= 1.3.0"
   spec.add_runtime_dependency "starry", "~> 0.1"
+  spec.add_runtime_dependency "rack", "~> 3.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Miguel Landaeta
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-03-16 00:00:00.000000000 Z
+date: 2024-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519
@@ -44,6 +44,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description:
 email:
 - miguel@miguel.cc
@@ -66,6 +80,8 @@ files:
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
 - lib/linzer/message.rb
+- lib/linzer/request.rb
+- lib/linzer/response.rb
 - lib/linzer/rsa.rb
 - lib/linzer/signature.rb
 - lib/linzer/signer.rb