RubyGems - linzer - Versions diffs - 0.7.2 → 0.7.3 - Mend

linzer 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +13 -0
data/README.md +4 -0
data/examples/sinatra/Gemfile +1 -1
data/lib/linzer/common.rb +3 -0
data/lib/linzer/helper.rb +32 -0
data/lib/linzer/jws.rb +60 -0
data/lib/linzer/key/helper.rb +8 -0
data/lib/linzer/message/adapter/rack/common.rb +5 -15
data/lib/linzer/message/adapter/rack/response.rb +2 -2
data/lib/linzer/version.rb +1 -1
data/lib/linzer.rb +4 -25
metadata +3 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 760341bd66c313c36150f7cb31d741c84252ffe726ecd5bc838928b5f656832f
-  data.tar.gz: 6df1c1af21e5fbadc3eb242dc84973251ddc8dd6849606a2bd213ea57ffd9d89
+  metadata.gz: 13262f7f33737c2ad3aec4007e612001dc9d72c97f9a0636681f0ae695d98315
+  data.tar.gz: c9663a699455f8cab8cc2214c0af3da835a4e46542f6029dcddece40ad5b9a35
 SHA512:
-  metadata.gz: 899a41a945b59b368110befe463d300445d605483ef64020e1e35c12e71e0945f3b6aeb1774155cbc4919246f88fc0b77175fe16d2f4270e4bc57f861983f145
-  data.tar.gz: 8af02940869d0e451a8c45738f943cb32bdc515347d325121cafbb9c49e6e1e601d897749e2a5f9453f7c1f6a98acff59e778a5489ed70a60476f0086ab4bace
+  metadata.gz: f4e7386cf5bb74bd20d2c74bd3fd8054c068ccc1b8704a088296ead0f61c5029cccd51744d974ef1123166a30068790590cafe6c4e3f27c55c67e0637a0073bb
+  data.tar.gz: 798032dd1a2c345f51fd23281bd9028a1ff31495f41e8d4c241d653d1857233e1c9c3bb327539c2296a399d0b5df4bbf02b9954e252ba486a022c80f79066785

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,18 @@
 ## [Unreleased]
+## [0.7.3] - 2025-06-01
+- Fix broken retrieval of header names from Rack responses.
+  Previously, this caused signatures attached to Rack response instances
+  to use incorrect header names, making them unverifiable.
+- Add Linzer.signature_base method.
+- Add initial support for JWS algorithms. See Linzer::JWS module for more details.
+  In this initial preview, only EdDSA algorithm (Ed25519) is supported).
+- Add a simple integration test to verify signatures on HTTP responses.
 ## [0.7.2] - 2025-05-21
 - Add a few integration tests against CloudFlare test server.

data/README.md CHANGED Viewed

@@ -356,6 +356,10 @@ in subsequent releases.
 linzer is built in [Continuous Integration](https://github.com/nomadium/linzer/actions/workflows/main.yml) on Ruby 3.0+.
+## Security
+This gem is provided “as is” without any warranties. It has not been audited for security vulnerabilities. Users are advised to review the code and assess its suitability for their use case, particularly in production environments.
 ## Development
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/examples/sinatra/Gemfile CHANGED Viewed

@@ -6,4 +6,4 @@ gem "sinatra",      "~> 4.0"
 gem "rackup",       "~> 2.1"
 gem "webrick",      "~> 1.9"
 gem "rack-contrib", "~> 2.4"
-gem "linzer",       "~> 0.7.0.beta2"
+gem "linzer",       "~> 0.7.2"

data/lib/linzer/common.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module Linzer
       signature_base << "\"@signature-params\": #{signature_params}"
       signature_base
     end
+    module_function :signature_base
+    private
     def validate_components(message, components)
       if components.include?("@signature-params")

data/lib/linzer/helper.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+module Linzer
+  module Helper
+    def sign!(request_or_response, **args)
+      message = Message.new(request_or_response)
+      options = {}
+      label = args[:label]
+      options[:label] = label if label
+      options.merge!(args.fetch(:params, {}))
+      key = args.fetch(:key)
+      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
+      message.attach!(signature)
+    end
+    def verify!(request_or_response, key: nil, no_older_than: 900)
+      message = Message.new(request_or_response)
+      signature_headers = {}
+      %w[signature-input signature].each do |name|
+        value = message.header(name)
+        signature_headers[name] = value if value
+      end
+      signature = Signature.build(signature_headers)
+      keyid = signature.parameters["keyid"]
+      raise Linzer::Error, "key not found" if !key && !keyid
+      verify_key = block_given? ? (yield keyid) : key
+      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    end
+  end
+end

data/lib/linzer/jws.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+require "jwt"
+require "jwt/eddsa"
+require "ed25519"
+module Linzer
+  module JWS
+    def jwk_import(key, params = {})
+      material = JWT::JWK.import(key)
+      Linzer::JWS::Key.new(material, params)
+    end
+    module_function :jwk_import
+    def generate_key(algorithm:)
+      case String(algorithm)
+      when "EdDSA"
+        ed25519_keypair = ::Ed25519::SigningKey.generate
+        material = JWT::JWK.new(ed25519_keypair)
+        Linzer::JWS::Key.new(material)
+      else
+        err_msg = "Algorithm '#{algorithm}' is unsupported or not implemented yet."
+        raise Linzer::Error, err_msg
+      end
+    end
+    module_function :generate_key
+    class Key < Linzer::Key
+      def sign(data)
+        raise Linzer::SigningError, "Private key is missing!" if !material.private?
+        algo = resolve_algorithm
+        algo.sign(data: data, signing_key: signing_key)
+      end
+      def verify(signature, data)
+        algo = resolve_algorithm
+        algo.verify(data: data, signature: signature, verification_key: verify_key)
+      end
+      private
+      def resolve_algorithm
+        case
+        when material.verify_key.is_a?(::Ed25519::VerifyKey)
+          JWT::JWA.resolve("EdDSA")
+        else
+          raise Linzer::Error, "Unknown/unsupported algorithm"
+        end
+      end
+      def verify_key
+        material.verify_key
+      end
+      def signing_key
+        material.signing_key
+      end
+    end
+  end
+end

data/lib/linzer/key/helper.rb CHANGED Viewed

@@ -85,6 +85,14 @@ module Linzer
         key = OpenSSL::PKey::EC.new(material)
         Linzer::ECDSA::Key.new(key, id: key_id, digest: "SHA384")
       end
+      def generate_jws_key(algorithm:)
+        Linzer::JWS.generate_key(algorithm: algorithm)
+      end
+      def jwk_import(key, params = {})
+        Linzer::JWS.jwk_import(key, params)
+      end
     end
   end
 end

data/lib/linzer/message/adapter/rack/common.rb CHANGED Viewed

@@ -28,8 +28,11 @@ module Linzer
             raise ArgumentError.new, "Blank header name." if name.empty?
             name.to_str
           rescue => ex
+            # :nocov:
+            # XXX: this block of code seems to be unreachable
             err_msg = "Invalid header name: '#{name}'"
-            raise Linzer::Error.new, err_msg, cause: ex
+            raise Linzer::Error, err_msg, cause: ex
+            # :nocov:
           end
           def rack_header_name(field_name)
@@ -44,19 +47,6 @@ module Linzer
             end
           end
-          def rack_request_headers(rack_request)
-            rack_request
-              .each_header
-              .to_h
-              .select do |k, _|
-                k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
-              end
-              .transform_keys { |k| k.downcase.tr("_", "-") }
-              .transform_keys do |k|
-                %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
-              end
-          end
           def derived(name)
             method = DERIVED_COMPONENT[name.value]
@@ -76,7 +66,7 @@ module Linzer
             else
               rack_header_name = rack_header_name(name.value.to_s)
               value = @operation.env[rack_header_name] if request?
-              value = @operation.get_header(rack_header_name) if response?
+              value = @operation.get_header(name.value.to_s) if response?
             end
             value.dup&.strip
           end

data/lib/linzer/message/adapter/rack/response.rb CHANGED Viewed

@@ -17,12 +17,12 @@ module Linzer
           end
           def header(name)
-            @operation.get_header(rack_header_name(name))
+            @operation.get_header(name)
           end
           def attach!(signature)
             signature.to_h.each do |h, v|
-              @operation.set_header(rack_header_name(h), v)
+              @operation.set_header(h, v)
             end
             @operation
           end

data/lib/linzer/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Linzer
-  VERSION = "0.7.2"
+  VERSION = "0.7.3"
 end

data/lib/linzer.rb CHANGED Viewed

@@ -9,6 +9,7 @@ require "net/http"
 require_relative "linzer/version"
 require_relative "linzer/common"
+require_relative "linzer/helper"
 require_relative "linzer/options"
 require_relative "linzer/message"
 require_relative "linzer/message/adapter"
@@ -35,6 +36,7 @@ module Linzer
   class << self
     include Key::Helper
+    include Helper
     def verify(pubkey, message, signature, no_older_than: nil)
       Linzer::Verifier.verify(pubkey, message, signature, no_older_than: no_older_than)
@@ -44,31 +46,8 @@ module Linzer
       Linzer::Signer.sign(key, message, components, options)
     end
-    def sign!(request_or_response, **args)
-      message = Message.new(request_or_response)
-      options = {}
-      label = args[:label]
-      options[:label] = label if label
-      options.merge!(args.fetch(:params, {}))
-      key = args.fetch(:key)
-      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
-      message.attach!(signature)
-    end
-    def verify!(request_or_response, key: nil, no_older_than: 900)
-      message = Message.new(request_or_response)
-      signature_headers = {}
-      %w[signature-input signature].each do |name|
-        value = message.header(name)
-        signature_headers[name] = value if value
-      end
-      signature = Signature.build(signature_headers)
-      keyid = signature.parameters["keyid"]
-      raise Linzer::Error, "key not found" if !key && !keyid
-      verify_key = block_given? ? (yield keyid) : key
-      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    def signature_base(message, components, parameters)
+      Linzer::Common.signature_base(message, components, parameters)
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.7.3
 platform: ruby
 authors:
 - Miguel Landaeta
@@ -192,10 +192,12 @@ files:
 - lib/linzer/common.rb
 - lib/linzer/ecdsa.rb
 - lib/linzer/ed25519.rb
+- lib/linzer/helper.rb
 - lib/linzer/hmac.rb
 - lib/linzer/http.rb
 - lib/linzer/http/bootstrap.rb
 - lib/linzer/http/signature_feature.rb
+- lib/linzer/jws.rb
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
 - lib/linzer/message.rb