linzer 0.7.1 → 0.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9d495888382dc17a4fae60d05b853dd0cbb0036119ae725f960471baa6ff0d4b
-  data.tar.gz: a6860cf3dcfb586e1591b0b683c883bbf8a42de941f57ec6a2ba6f8574a5a2dd
+  metadata.gz: 13262f7f33737c2ad3aec4007e612001dc9d72c97f9a0636681f0ae695d98315
+  data.tar.gz: c9663a699455f8cab8cc2214c0af3da835a4e46542f6029dcddece40ad5b9a35
 SHA512:
-  metadata.gz: c4d53b9d1102eaa3fc0241938afa86fd194a9ae780233bdabd171190ab9b83958193f5bc28b5bd78fb11a234c3a25c3145ee87e6ac6116f544cb04e73c67a5bd
-  data.tar.gz: 40e9c1e6bf52d944cd1a82b67502a41ae2939852e723143f1b154bab0b984fb9db6d944ecdf56b6845b6419096f4cbcef01ac545b9b9df73fe8ccc6f0489ace9
+  metadata.gz: f4e7386cf5bb74bd20d2c74bd3fd8054c068ccc1b8704a088296ead0f61c5029cccd51744d974ef1123166a30068790590cafe6c4e3f27c55c67e0637a0073bb
+  data.tar.gz: 798032dd1a2c345f51fd23281bd9028a1ff31495f41e8d4c241d653d1857233e1c9c3bb327539c2296a399d0b5df4bbf02b9954e252ba486a022c80f79066785

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 ## [Unreleased]
 
+## [0.7.3] - 2025-06-01
+
+- Fix broken retrieval of header names from Rack responses.
+  Previously, this caused signatures attached to Rack response instances
+  to use incorrect header names, making them unverifiable.
+
+- Add Linzer.signature_base method.
+
+- Add initial support for JWS algorithms. See Linzer::JWS module for more details.
+  In this initial preview, only EdDSA algorithm (Ed25519) is supported).
+
+- Add a simple integration test to verify signatures on HTTP responses.
+
+## [0.7.2] - 2025-05-21
+
+- Add a few integration tests against CloudFlare test server.
+
+- Fix bug when accessing headers in http adapter classes.
+  Pull request [#14](https://github.com/nomadium/linzer/pull/14)
+  by [oneiros](https://github.com/oneiros).
+
 ## [0.7.1] - 2025-05-18
 
 - Introduce specific exception classes for message signing errors

data/README.md

@@ -356,6 +356,10 @@ in subsequent releases.
 
 linzer is built in [Continuous Integration](https://github.com/nomadium/linzer/actions/workflows/main.yml) on Ruby 3.0+.
 
+## Security
+
+This gem is provided “as is” without any warranties. It has not been audited for security vulnerabilities. Users are advised to review the code and assess its suitability for their use case, particularly in production environments.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/Rakefile

@@ -7,4 +7,10 @@ RSpec::Core::RakeTask.new(:spec)
 
 require "standard/rake"
 
+desc "Run RSpec integration examples"
+task :integration do
+  sh "bundle exec rspec -t integration spec/integration/**"
+end
+
 task default: %i[spec standard]
+task all: %i[integration default]

data/examples/sinatra/Gemfile

@@ -6,4 +6,4 @@ gem "sinatra",      "~> 4.0"
 gem "rackup",       "~> 2.1"
 gem "webrick",      "~> 1.9"
 gem "rack-contrib", "~> 2.4"
-gem "linzer",       "~> 0.7.0.beta2"
+gem "linzer",       "~> 0.7.2"

data/lib/linzer/common.rb

@@ -13,6 +13,9 @@ module Linzer
       signature_base << "\"@signature-params\": #{signature_params}"
       signature_base
     end
+    module_function :signature_base
+
+    private
 
     def validate_components(message, components)
       if components.include?("@signature-params")

data/lib/linzer/helper.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Linzer
+  module Helper
+    def sign!(request_or_response, **args)
+      message = Message.new(request_or_response)
+      options = {}
+
+      label = args[:label]
+      options[:label] = label if label
+      options.merge!(args.fetch(:params, {}))
+
+      key = args.fetch(:key)
+      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
+      message.attach!(signature)
+    end
+
+    def verify!(request_or_response, key: nil, no_older_than: 900)
+      message = Message.new(request_or_response)
+      signature_headers = {}
+      %w[signature-input signature].each do |name|
+        value = message.header(name)
+        signature_headers[name] = value if value
+      end
+      signature = Signature.build(signature_headers)
+      keyid = signature.parameters["keyid"]
+      raise Linzer::Error, "key not found" if !key && !keyid
+      verify_key = block_given? ? (yield keyid) : key
+      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    end
+  end
+end

data/lib/linzer/http.rb

@@ -65,6 +65,7 @@ module Linzer
     end
 
     def build_headers(headers)
+      return headers if headers.transform_keys(&:downcase).key?("user-agent")
       headers.merge({"user-agent" => "Linzer/#{Linzer::VERSION}"})
     end
 

data/lib/linzer/jws.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "jwt"
+require "jwt/eddsa"
+require "ed25519"
+
+module Linzer
+  module JWS
+    def jwk_import(key, params = {})
+      material = JWT::JWK.import(key)
+      Linzer::JWS::Key.new(material, params)
+    end
+    module_function :jwk_import
+
+    def generate_key(algorithm:)
+      case String(algorithm)
+      when "EdDSA"
+        ed25519_keypair = ::Ed25519::SigningKey.generate
+        material = JWT::JWK.new(ed25519_keypair)
+        Linzer::JWS::Key.new(material)
+      else
+        err_msg = "Algorithm '#{algorithm}' is unsupported or not implemented yet."
+        raise Linzer::Error, err_msg
+      end
+    end
+    module_function :generate_key
+
+    class Key < Linzer::Key
+      def sign(data)
+        raise Linzer::SigningError, "Private key is missing!" if !material.private?
+        algo = resolve_algorithm
+        algo.sign(data: data, signing_key: signing_key)
+      end
+
+      def verify(signature, data)
+        algo = resolve_algorithm
+        algo.verify(data: data, signature: signature, verification_key: verify_key)
+      end
+
+      private
+
+      def resolve_algorithm
+        case
+        when material.verify_key.is_a?(::Ed25519::VerifyKey)
+          JWT::JWA.resolve("EdDSA")
+        else
+          raise Linzer::Error, "Unknown/unsupported algorithm"
+        end
+      end
+
+      def verify_key
+        material.verify_key
+      end
+
+      def signing_key
+        material.signing_key
+      end
+    end
+  end
+end

data/lib/linzer/key/helper.rb

@@ -85,6 +85,14 @@ module Linzer
         key = OpenSSL::PKey::EC.new(material)
         Linzer::ECDSA::Key.new(key, id: key_id, digest: "SHA384")
       end
+
+      def generate_jws_key(algorithm:)
+        Linzer::JWS.generate_key(algorithm: algorithm)
+      end
+
+      def jwk_import(key, params = {})
+        Linzer::JWS.jwk_import(key, params)
+      end
     end
   end
 end

data/lib/linzer/message/adapter/abstract.rb

@@ -37,7 +37,7 @@ module Linzer
           end
         end
 
-        def headers
+        def header(name)
           raise Linzer::Error, "Sub-classes are required to implement this method!"
         end
 

data/lib/linzer/message/adapter/http_gem/request.rb

@@ -5,8 +5,8 @@ module Linzer
     module Adapter
       module HTTPGem
         class Request < Linzer::Message::Adapter::NetHTTP::Request
-          def headers
-            @operation.headers.to_h
+          def header(name)
+            @operation[name]
           end
 
           private

data/lib/linzer/message/adapter/http_gem/response.rb

@@ -14,8 +14,8 @@ module Linzer
             freeze
           end
 
-          def headers
-            @operation.headers
+          def header(name)
+            @operation[name]
           end
 
           # XXX: this implementation is incomplete, e.g.: ;tr parameter is not supported yet

data/lib/linzer/message/adapter/net_http/request.rb

@@ -12,8 +12,8 @@ module Linzer
             freeze
           end
 
-          def headers
-            @operation.each_header.to_h
+          def header(name)
+            @operation[name]
           end
 
           def attach!(signature)

data/lib/linzer/message/adapter/net_http/response.rb

@@ -13,8 +13,8 @@ module Linzer
             freeze
           end
 
-          def headers
-            @operation.each_header.to_h
+          def header(name)
+            @operation[name]
           end
 
           # XXX: this implementation is incomplete, e.g.: ;tr parameter is not supported yet

data/lib/linzer/message/adapter/rack/common.rb

@@ -28,8 +28,11 @@ module Linzer
             raise ArgumentError.new, "Blank header name." if name.empty?
             name.to_str
           rescue => ex
+            # :nocov:
+            # XXX: this block of code seems to be unreachable
             err_msg = "Invalid header name: '#{name}'"
-            raise Linzer::Error.new, err_msg, cause: ex
+            raise Linzer::Error, err_msg, cause: ex
+            # :nocov:
           end
 
           def rack_header_name(field_name)
@@ -44,19 +47,6 @@ module Linzer
             end
           end
 
-          def rack_request_headers(rack_request)
-            rack_request
-              .each_header
-              .to_h
-              .select do |k, _|
-                k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
-              end
-              .transform_keys { |k| k.downcase.tr("_", "-") }
-              .transform_keys do |k|
-                %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
-              end
-          end
-
           def derived(name)
             method = DERIVED_COMPONENT[name.value]
 
@@ -74,11 +64,9 @@ module Linzer
             if has_tr
               value = tr(name)
             else
-              if request?
-                rack_header_name = rack_header_name(name.value.to_s)
-                value = @operation.env[rack_header_name]
-              end
-              value = @operation.headers[name.value.to_s] if response?
+              rack_header_name = rack_header_name(name.value.to_s)
+              value = @operation.env[rack_header_name] if request?
+              value = @operation.get_header(name.value.to_s) if response?
             end
             value.dup&.strip
           end

data/lib/linzer/message/adapter/rack/request.rb

@@ -13,8 +13,8 @@ module Linzer
             freeze
           end
 
-          def headers
-            rack_request_headers(@operation)
+          def header(name)
+            @operation.get_header(rack_header_name(name))
           end
 
           def attach!(signature)

data/lib/linzer/message/adapter/rack/response.rb

@@ -16,12 +16,14 @@ module Linzer
             freeze
           end
 
-          def headers
-            @operation.headers
+          def header(name)
+            @operation.get_header(name)
           end
 
           def attach!(signature)
-            signature.to_h.each { |h, v| @operation[h] = v }
+            signature.to_h.each do |h, v|
+              @operation.set_header(h, v)
+            end
             @operation
           end
         end

data/lib/linzer/message.rb

@@ -15,7 +15,7 @@ module Linzer
     def_delegators :@adapter, :request?, :response?, :attached_request?
 
     # fields look up
-    def_delegators :@adapter, :headers, :field?, :[]
+    def_delegators :@adapter, :header, :field?, :[]
 
     # to attach a signature to the underlying HTTP message
     def_delegators :@adapter, :attach!

data/lib/linzer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Linzer
-  VERSION = "0.7.1"
+  VERSION = "0.7.3"
 end

data/lib/linzer.rb

@@ -9,6 +9,7 @@ require "net/http"
 
 require_relative "linzer/version"
 require_relative "linzer/common"
+require_relative "linzer/helper"
 require_relative "linzer/options"
 require_relative "linzer/message"
 require_relative "linzer/message/adapter"
@@ -35,6 +36,7 @@ module Linzer
 
   class << self
     include Key::Helper
+    include Helper
 
     def verify(pubkey, message, signature, no_older_than: nil)
       Linzer::Verifier.verify(pubkey, message, signature, no_older_than: no_older_than)
@@ -44,26 +46,8 @@ module Linzer
       Linzer::Signer.sign(key, message, components, options)
     end
 
-    def sign!(request_or_response, **args)
-      message = Message.new(request_or_response)
-      options = {}
-
-      label = args[:label]
-      options[:label] = label if label
-      options.merge!(args.fetch(:params, {}))
-
-      key = args.fetch(:key)
-      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
-      message.attach!(signature)
-    end
-
-    def verify!(request_or_response, key: nil, no_older_than: 900)
-      message = Message.new(request_or_response)
-      signature = Signature.build(message.headers.slice("signature", "signature-input"))
-      keyid = signature.parameters["keyid"]
-      raise Linzer::Error, "key not found" if !key && !keyid
-      verify_key = block_given? ? (yield keyid) : key
-      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    def signature_base(message, components, parameters)
+      Linzer::Common.signature_base(message, components, parameters)
     end
   end
 end

data/lib/rack/auth/signature.rb

@@ -67,7 +67,12 @@ module Rack
         signature_opts[:label] = label if label
 
         @message = Linzer::Message.new(request)
-        signature = Linzer::Signature.build(@message.headers, **signature_opts)
+        signature_headers = {}
+        %w[signature-input signature].each do |name|
+          value = @message.header(name)
+          signature_headers[name] = value if value
+        end
+        signature = Linzer::Signature.build(signature_headers, **signature_opts)
         request.env["rack.signature"] = signature
         signature
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.1
+  version: 0.7.3
 platform: ruby
 authors:
 - Miguel Landaeta
@@ -192,10 +192,12 @@ files:
 - lib/linzer/common.rb
 - lib/linzer/ecdsa.rb
 - lib/linzer/ed25519.rb
+- lib/linzer/helper.rb
 - lib/linzer/hmac.rb
 - lib/linzer/http.rb
 - lib/linzer/http/bootstrap.rb
 - lib/linzer/http/signature_feature.rb
+- lib/linzer/jws.rb
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
 - lib/linzer/message.rb