linzer 0.6.3 → 0.6.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/README.md +9 -0
- data/lib/linzer/signature.rb +12 -0
- data/lib/linzer/verifier.rb +6 -3
- data/lib/linzer/version.rb +1 -1
- data/lib/linzer.rb +2 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bff7f24f79244ceffa58e5b005b45b2384b34f2d23eda4c0a613060c4f708fa4
|
|
4
|
+
data.tar.gz: bfee805d74cf0e1fc3d3588ec6eac8a1de5b96a16021198d016f0be9fb48e371
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d62f773a0d20b09bb97987180f251a70b4db5c29eb4ecf2112e486c9169e418085823c813fa68e4063347d421328f171604c3f82bdf1b6ffae0385bfc41fd8ce
|
|
7
|
+
data.tar.gz: 0e53c41f9485a8028f11f67e368ca0ec60a82f8e795973d258fb96a57cfdcfe085308f4cd2eb0ac55fe8b5ee39c1a4f8d56d3d9d09fa57ee720eda17831e66ae
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,12 @@
|
|
|
1
1
|
## [Unreleased]
|
|
2
2
|
|
|
3
|
+
## [0.6.4] - 2025-04-04
|
|
4
|
+
|
|
5
|
+
- Allow validating the `created` parameter to mitigate the
|
|
6
|
+
risk of replay attacks.
|
|
7
|
+
Pull request [#8](https://github.com/nomadium/linzer/pull/8)
|
|
8
|
+
by [oneiros](https://github.com/oneiros).
|
|
9
|
+
|
|
3
10
|
## [0.6.3] - 2025-03-29
|
|
4
11
|
|
|
5
12
|
- Parse signature structured fields values as ASCII string.
|
data/README.md
CHANGED
|
@@ -117,6 +117,15 @@ Linzer.verify(pubkey, message, signature)
|
|
|
117
117
|
# => true
|
|
118
118
|
```
|
|
119
119
|
|
|
120
|
+
To mitigate the risk of "replay attacks" (i.e. an attacker capturing a message with a valid signature and re-sending it at a later point) applications may want to validate the `created` parameter of the signature. Linzer can do this automatically when given the optional `no_older_than` keyword argument:
|
|
121
|
+
|
|
122
|
+
```ruby
|
|
123
|
+
Linzer.verify(pubkey, message, signature, no_older_than: 500)
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
`no_older_than` expects a number of seconds, but you can pass anything that to responds to `#to_i`, including an `ActiveSupport::Duration`.
|
|
127
|
+
`::verify` will raise if the `created` parameter of the signature is older than the given number of seconds.
|
|
128
|
+
|
|
120
129
|
### What if an invalid signature if verified?
|
|
121
130
|
|
|
122
131
|
```ruby
|
data/lib/linzer/signature.rb
CHANGED
|
@@ -14,6 +14,18 @@ module Linzer
|
|
|
14
14
|
alias_method :components, :metadata
|
|
15
15
|
alias_method :bytes, :value
|
|
16
16
|
|
|
17
|
+
def created
|
|
18
|
+
Integer(parameters["created"])
|
|
19
|
+
rescue
|
|
20
|
+
return nil if parameters["created"].nil?
|
|
21
|
+
raise Error.new "Signature has a non-integer `created` parameter"
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def older_than?(seconds)
|
|
25
|
+
raise Error.new "Signature is missing the `created` parameter" if created.nil?
|
|
26
|
+
(Time.now.to_i - created) > seconds
|
|
27
|
+
end
|
|
28
|
+
|
|
17
29
|
def to_h
|
|
18
30
|
{
|
|
19
31
|
"signature" => Starry.serialize({label => value}),
|
data/lib/linzer/verifier.rb
CHANGED
|
@@ -5,8 +5,8 @@ module Linzer
|
|
|
5
5
|
class << self
|
|
6
6
|
include Common
|
|
7
7
|
|
|
8
|
-
def verify(key, message, signature)
|
|
9
|
-
validate message, key, signature
|
|
8
|
+
def verify(key, message, signature, no_older_than: nil)
|
|
9
|
+
validate message, key, signature, no_older_than: no_older_than
|
|
10
10
|
|
|
11
11
|
parameters = signature.parameters
|
|
12
12
|
components = signature.components
|
|
@@ -18,7 +18,7 @@ module Linzer
|
|
|
18
18
|
|
|
19
19
|
private
|
|
20
20
|
|
|
21
|
-
def validate(message, key, signature)
|
|
21
|
+
def validate(message, key, signature, no_older_than: nil)
|
|
22
22
|
raise Error.new "Message to verify cannot be null" if message.nil?
|
|
23
23
|
raise Error.new "Key to verify signature cannot be null" if key.nil?
|
|
24
24
|
raise Error.new "Signature to verify cannot be null" if signature.nil?
|
|
@@ -31,6 +31,9 @@ module Linzer
|
|
|
31
31
|
raise Error.new "Components cannot be null" if signature.components.nil?
|
|
32
32
|
|
|
33
33
|
validate_components message, signature.components
|
|
34
|
+
|
|
35
|
+
return unless no_older_than
|
|
36
|
+
raise Error.new "Signature created more than #{no_older_than} seconds ago" if signature.older_than?(no_older_than.to_i)
|
|
34
37
|
end
|
|
35
38
|
|
|
36
39
|
def verify_or_fail(key, signature, data)
|
data/lib/linzer/version.rb
CHANGED
data/lib/linzer.rb
CHANGED
|
@@ -32,8 +32,8 @@ module Linzer
|
|
|
32
32
|
Linzer::Request.build(verb, uri, params, headers)
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
def verify(pubkey, message, signature)
|
|
36
|
-
Linzer::Verifier.verify(pubkey, message, signature)
|
|
35
|
+
def verify(pubkey, message, signature, no_older_than: nil)
|
|
36
|
+
Linzer::Verifier.verify(pubkey, message, signature, no_older_than: no_older_than)
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
def sign(key, message, components, options = {})
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: linzer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.
|
|
4
|
+
version: 0.6.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Miguel Landaeta
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-
|
|
11
|
+
date: 2025-04-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: openssl
|