RubyGems - linzer - Versions diffs - 0.7.3 → 0.7.4 - Mend

linzer 0.7.3 → 0.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/lib/linzer/common.rb +24 -8
data/lib/linzer/ecdsa.rb +2 -0
data/lib/linzer/ed25519.rb +10 -0
data/lib/linzer/hmac.rb +8 -0
data/lib/linzer/jws.rb +6 -1
data/lib/linzer/key.rb +29 -3
data/lib/linzer/message/adapter/abstract.rb +16 -21
data/lib/linzer/message/adapter/http_gem/request.rb +1 -1
data/lib/linzer/message/adapter/net_http/request.rb +8 -8
data/lib/linzer/message/adapter/net_http/response.rb +16 -6
data/lib/linzer/message/adapter/rack/common.rb +10 -10
data/lib/linzer/message/field/parser.rb +50 -0
data/lib/linzer/message/field.rb +56 -0
data/lib/linzer/rsa.rb +4 -5
data/lib/linzer/rsa_pss.rb +12 -5
data/lib/linzer/signature.rb +13 -6
data/lib/linzer/signer.rb +9 -5
data/lib/linzer/verifier.rb +3 -3
data/lib/linzer/version.rb +1 -1
data/lib/linzer.rb +6 -1
data/lib/rack/auth/signature/helpers.rb +8 -1
data/lib/rack/auth/signature.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13262f7f33737c2ad3aec4007e612001dc9d72c97f9a0636681f0ae695d98315
-  data.tar.gz: c9663a699455f8cab8cc2214c0af3da835a4e46542f6029dcddece40ad5b9a35
+  metadata.gz: 7ca1f4d456be7ceedda5bbe7cfd205e696689da336408324c6ec06ed10440d07
+  data.tar.gz: 1db3b82c5644c65b6037cb844bea963aa803dd4bf74c93673aac8473dc647d38
 SHA512:
-  metadata.gz: f4e7386cf5bb74bd20d2c74bd3fd8054c068ccc1b8704a088296ead0f61c5029cccd51744d974ef1123166a30068790590cafe6c4e3f27c55c67e0637a0073bb
-  data.tar.gz: 798032dd1a2c345f51fd23281bd9028a1ff31495f41e8d4c241d653d1857233e1c9c3bb327539c2296a399d0b5df4bbf02b9954e252ba486a022c80f79066785
+  metadata.gz: ce767d2e1c8df88b72321e8fbb513a9dadadb6436a4cefe6caa1a873f82cd4332b4f676ca0f355170156175077af2f675dabb22fbcb16ec7984950ca826a307c
+  data.tar.gz: affedd0f107f8ae2e9073ceb007896e5de9b45d2b50086bec7ff9dc6e771d208cffa7edb1e12ff414771a13eecc2597f2559b0d9c68a1a2ddb1010732afa2663

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,16 @@
 ## [Unreleased]
+## [0.7.4] - 2025-06-30
+- Add validation routines on key instances before performing
+  signing and verifying operations. This will catch obvious errors
+  like trying to sign a request with a public key.
+- Fix bug with incorrect signature generation and verification on
+  messages with HTTP field identifiers including parameters. Those
+  fields were not serialized correctly and messages were being signed
+  with incorrect signature base.
 ## [0.7.3] - 2025-06-01
 - Fix broken retrieval of header names from Rack responses.

data/lib/linzer/common.rb CHANGED Viewed

@@ -2,23 +2,39 @@
 module Linzer
   module Common
-    def signature_base(message, components, parameters)
-      signature_base = components.each_with_object(+"") do |component, base|
-        base << "\"#{component}\": #{message[component]}\n"
-      end
+    def signature_base(message, serialized_components, parameters)
+      signature_base =
+        serialized_components.each_with_object(+"") do |component, base|
+          base << "%s\n" % signature_base_line(component, message)
+        end
-      signature_params =
-        Starry.serialize([Starry::InnerList.new(components, parameters)])
+      signature_base << signature_params_line(serialized_components, parameters)
-      signature_base << "\"@signature-params\": #{signature_params}"
       signature_base
     end
     module_function :signature_base
+    def signature_base_line(component, message)
+      field_id = FieldId.new(field_name: component)
+      "%s: %s" % [field_id.serialize, message[field_id]]
+    end
+    module_function :signature_base_line
+    def signature_params_line(serialized_components, parameters)
+      identifiers = serialized_components.map { |c| Starry.parse_item(c) }
+      signature_params =
+        Starry.serialize([Starry::InnerList.new(identifiers, parameters)])
+      "%s: %s" % [Starry.serialize("@signature-params"), signature_params]
+    end
+    module_function :signature_params_line
     private
     def validate_components(message, components)
-      if components.include?("@signature-params")
+      if components.include?('"@signature-params"') ||
+          components.any? { |c| c.start_with?('"@signature-params"') }
         raise Error.new "Invalid component in signature input"
       end

data/lib/linzer/ecdsa.rb CHANGED Viewed

@@ -9,10 +9,12 @@ module Linzer
       end
       def sign(data)
+        validate_signing_key
         decode_der_signature(material.sign(@params[:digest], data))
       end
       def verify(signature, data)
+        validate_verify_key
         material.verify(@params[:digest], der_signature(signature), data)
       end

data/lib/linzer/ed25519.rb CHANGED Viewed

@@ -4,12 +4,22 @@ module Linzer
   module Ed25519
     class Key < Linzer::Key
       def sign(data)
+        validate_signing_key
         material.sign(nil, data)
       end
       def verify(signature, data)
+        validate_verify_key
         material.verify(nil, signature, data)
       end
+      def public?
+        has_pem_public?
+      end
+      def private?
+        has_pem_private?
+      end
     end
   end
 end

data/lib/linzer/hmac.rb CHANGED Viewed

@@ -18,6 +18,14 @@ module Linzer
         signature == sign(data)
       end
+      def private?
+        !material.nil?
+      end
+      def public?
+        false
+      end
       def inspect
         vars =
           instance_variables

data/lib/linzer/jws.rb CHANGED Viewed

@@ -27,16 +27,21 @@ module Linzer
     class Key < Linzer::Key
       def sign(data)
-        raise Linzer::SigningError, "Private key is missing!" if !material.private?
+        validate_signing_key
         algo = resolve_algorithm
         algo.sign(data: data, signing_key: signing_key)
       end
       def verify(signature, data)
+        validate_verify_key
         algo = resolve_algorithm
         algo.verify(data: data, signature: signature, verification_key: verify_key)
       end
+      def public?
+        !!verify_key
+      end
       private
       def resolve_algorithm

data/lib/linzer/key.rb CHANGED Viewed

@@ -17,12 +17,20 @@ module Linzer
     def sign(*args)
       abstract_error = "Cannot sign data, \"#{self.class}\" is an abstract class."
-      raise Error.new abstract_error
+      raise Error, abstract_error
     end
     def verify(*args)
       abstract_error = "Cannot verify signature, \"#{self.class}\" is an abstract class."
-      raise Error.new abstract_error
+      raise Error, abstract_error
+    end
+    def public?
+      material.public?
+    end
+    def private?
+      material.private?
     end
     private
@@ -34,7 +42,25 @@ module Linzer
     def validate_digest
       no_digest = !@params.key?(:digest) || @params[:digest].nil? || String(@params[:digest]).empty?
       no_digest_error = "Invalid key definition, no digest algorithm was selected."
-      raise Linzer::Error.new no_digest_error if no_digest
+      raise Error, no_digest_error if no_digest
+    end
+    def validate_signing_key
+      raise SigningError, "Private key is needed!" unless private?
+    end
+    def validate_verify_key
+      raise VerifyError, "Public key is needed!" unless public?
+    end
+    def has_pem_public?
+      material.public_to_pem.match?(/^-----BEGIN PUBLIC KEY-----/)
+    end
+    def has_pem_private?
+      material.private_to_pem.match?(/^-----BEGIN PRIVATE KEY-----/)
+    rescue
+      false
     end
   end
 end

data/lib/linzer/message/adapter/abstract.rb CHANGED Viewed

@@ -26,15 +26,10 @@ module Linzer
           !!self[f]
         end
-        def [](field_name)
-          name = parse_field_name(field_name)
-          return nil if name.nil?
-          if field_name.start_with?("@")
-            retrieve(name, :derived)
-          else
-            retrieve(name, :field)
-          end
+        def [](field)
+          field_id = field.is_a?(FieldId) ? field : parse_field_name(field)
+          return nil if field_id.nil? || field_id.item.nil?
+          retrieve(field_id.item, field_id.derived? ? :derived : :field)
         end
         def header(name)
@@ -48,13 +43,16 @@ module Linzer
         private
         def parse_field_name(field_name)
-          if field_name&.start_with?("@")
-            Starry.parse_item(field_name[1..])
-          else
-            Starry.parse_item(field_name)
-          end
-        rescue => _
-          nil
+          field_id  = FieldId.new(field_name: field_name)
+          component = field_id.item
+          return nil if component.nil?
+          # 2.2.9
+          invalid = "@status component identifier is invalid in a request message"
+          raise Error, invalid if request? && component.value == "@status"
+          field_id
         end
         def validate_attached_request(message)
@@ -73,7 +71,7 @@ module Linzer
           value    = name.value
           # Section 2.2.8 of RFC 9421
-          return nil if has_name && value != :"query-param"
+          return nil if has_name && value != "@query-param"
           # No derived values come from trailers section
           return nil if method == :derived && name.parameters["tr"]
@@ -141,10 +139,7 @@ module Linzer
         end
         def req(field, method)
-          case method
-          when :derived then @attached_request["@#{field}"]
-          when :field   then @attached_request[field.to_s]
-          end
+          attached_request? ? @attached_request[String(field)] : nil
         end
       end
     end

data/lib/linzer/message/adapter/http_gem/request.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Linzer
           private
           def derived(name)
-            return @operation.verb.to_s.upcase if name.value == :method
+            return @operation.verb.to_s.upcase if name.value == "@method"
             super
           end
         end

data/lib/linzer/message/adapter/net_http/request.rb CHANGED Viewed

@@ -25,14 +25,14 @@ module Linzer
           def derived(name)
             case name.value
-            when :method           then @operation.method
-            when :"target-uri"     then @operation.uri.to_s
-            when :authority        then @operation.uri.authority.downcase
-            when :scheme           then @operation.uri.scheme.downcase
-            when :"request-target" then @operation.uri.request_uri
-            when :path             then @operation.uri.path
-            when :query            then "?%s" % String(@operation.uri.query)
-            when :"query-param"    then query_param(name)
+            when "@method"         then @operation.method
+            when "@target-uri"     then @operation.uri.to_s
+            when "@authority"      then @operation.uri.authority.downcase
+            when "@scheme"         then @operation.uri.scheme.downcase
+            when "@request-target" then @operation.uri.request_uri
+            when "@path"           then @operation.uri.path
+            when "@query"          then "?%s" % String(@operation.uri.query)
+            when "@query-param"    then query_param(name)
             end
           end

data/lib/linzer/message/adapter/net_http/response.rb CHANGED Viewed

@@ -17,16 +17,26 @@ module Linzer
             @operation[name]
           end
-          # XXX: this implementation is incomplete, e.g.: ;tr parameter is not supported yet
-          def [](field_name)
-            return @operation.code.to_i if field_name == "@status"
-            @operation[field_name]
-          end
           def attach!(signature)
             signature.to_h.each { |h, v| @operation[h] = v }
             @operation
           end
+          private
+          def derived(name)
+            case name.value
+            when "@status" then @operation.code.to_i
+            end
+          end
+          # XXX: this implementation is incomplete, e.g.: ;bs parameter is not supported yet
+          def field(name)
+            has_tr = name.parameters["tr"]
+            return nil if has_tr # Net::HTTP doesn't support trailers
+            value = @operation[name.value.to_s]
+            value.dup&.strip
+          end
         end
       end
     end

data/lib/linzer/message/adapter/rack/common.rb CHANGED Viewed

@@ -6,14 +6,14 @@ module Linzer
       module Rack
         module Common
           DERIVED_COMPONENT = {
-            method:           :request_method,
-            authority:        :authority,
-            path:             :path_info,
-            status:           :status,
-            "target-uri":     :url,
-            scheme:           :scheme,
-            "request-target": :fullpath,
-            query:            :query_string
+            "@method"         => :request_method,
+            "@authority"      => :authority,
+            "@path"           => :path_info,
+            "@status"         => :status,
+            "@target-uri"     => :url,
+            "@scheme"         => :scheme,
+            "@request-target" => :fullpath,
+            "@query"          => :query_string
           }.freeze
           private_constant :DERIVED_COMPONENT
@@ -51,8 +51,8 @@ module Linzer
             method = DERIVED_COMPONENT[name.value]
             value = case name.value
-            when :query         then derive(@operation, method)
-            when :"query-param" then query_param(name)
+            when "@query"       then derive(@operation, method)
+            when "@query-param" then query_param(name)
             end
             return nil if !method && !value

data/lib/linzer/message/field/parser.rb ADDED Viewed

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+module Linzer
+  class Message
+    class Field
+      class Identifier
+        module Parser
+          extend self
+          def parse(field_name)
+            case
+            when field_name.match?(/";/), field_name.start_with?('"')
+              Starry.parse_item(field_name)
+            when field_name.match?(/;/)
+              parse_unserialized_input(field_name)
+            when field_name.start_with?("@"), field_name.match?(/^[a-z]/)
+              Starry.parse_item(Starry.serialize(field_name))
+            else
+              raise Error, "Invalid component identifier: '#{field_name}'!"
+            end
+          rescue Starry::ParseError => ex
+            parse_error = "Failed to parse component identifier: '#{field_name}'!"
+            raise Error, parse_error, cause: ex
+          end
+          private
+          def parse_unserialized_input(field_name)
+            field, *raw_params = field_name.split(";")
+            item               = Starry.parse_item(Starry.serialize(field))
+            item.parameters    = collect_parameters(raw_params)
+            item
+          end
+          def collect_parameters(str)
+            params = str.map do |param|
+              if (tokens = param.split("=")) == [param] # e.g.: ";bs"
+                {param => true}
+              else
+                Hash[*tokens.first(2)]                  # e.g.: ";key=\"foo\""
+                  .transform_values! { |v| Starry.parse_item(v).value }
+              end
+            end
+            params.reduce({}, :merge)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/message/field.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module Linzer
+  class Message
+    class Field
+      module IdentifierMethods
+        def initialize(field_name:)
+          @item = Identifier::Parser.parse(field_name) rescue nil
+          super
+        end
+        attr_reader :item
+        def derived?
+          item&.value&.start_with?("@")
+        end
+        def serialize
+          raise Error, "Invalid component identifier: '#{field_name}'!" unless item
+          Starry.serialize(@item)
+        end
+      end
+      # Excluded from coverage as obviously both branches cannot be covered
+      # on a single test run.
+      # :nocov:
+      if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.2.0")
+        class Identifier < Struct.new(:field_name, keyword_init: true); end
+      else
+        class Identifier < Data.define(:field_name); end
+      end
+      # :nocov:
+      Identifier.include Message::Field::IdentifierMethods
+      class Identifier
+        class << self
+          def serialize(component)
+            new(field_name: component).serialize
+          end
+          def serialize_components(components)
+            components.map(&method(:serialize))
+          end
+          def deserialize_components(components)
+            components.map do |c|
+              item = Starry.parse_item(c)
+              item.parameters.empty? ? item.value : Starry.serialize(item)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/rsa.rb CHANGED Viewed

@@ -9,14 +9,13 @@ module Linzer
       end
       def sign(data)
-        # XXX: should check if the key is usable for signing
-        @material.sign(@params[:digest], data)
+        validate_signing_key
+        material.sign(@params[:digest], data)
       end
       def verify(signature, data)
-        # XXX: should check if the key is usable for verifying
-        return true if @material.verify(@params[:digest], signature, data)
-        false
+        validate_verify_key
+        material.verify(@params[:digest], signature, data)
       end
     end
   end

data/lib/linzer/rsa_pss.rb CHANGED Viewed

@@ -11,19 +11,26 @@ module Linzer
       end
       def sign(data)
-        # XXX: should check if the key is usable for signing
-        @material.sign(@params[:digest], data, signature_options)
+        validate_signing_key
+        material.sign(@params[:digest], data, signature_options)
       end
       def verify(signature, data)
-        # XXX: should check if the key is usable for verifying
-        return true if @material.verify(
+        validate_verify_key
+        material.verify(
           @params[:digest],
           signature,
           data,
           signature_options
         )
-        false
+      end
+      def public?
+        has_pem_public?
+      end
+      def private?
+        has_pem_private?
       end
       private

data/lib/linzer/signature.rb CHANGED Viewed

@@ -11,9 +11,13 @@ module Linzer
     end
     attr_reader  :metadata, :value, :parameters, :label
-    alias_method :components, :metadata
+    alias_method :serialized_components, :metadata
     alias_method :bytes, :value
+    def components
+      FieldId.deserialize_components(serialized_components)
+    end
     def created
       Integer(parameters["created"])
     rescue
@@ -28,10 +32,13 @@ module Linzer
     def to_h
       {
-        "signature" => Starry.serialize({label => value}),
-        "signature-input" =>
-          Starry.serialize({label =>
-            Starry::InnerList.new(components, parameters)})
+        "signature"       => Starry.serialize({label => value}),
+        "signature-input" => Starry.serialize({
+          label => Starry::InnerList.new(
+            serialized_components.map { |c| Starry.parse_item(c) },
+            parameters
+          )
+        })
       }
     end
@@ -56,7 +63,7 @@ module Linzer
         fail_due_invalid_components unless input[label].value.respond_to?(:each)
-        components = input[label].value.map(&:value)
+        components = input[label].value.map { |c| Starry.serialize_item(c) }
         parameters = input[label].parameters
         new(components, raw_signature, label, parameters)

data/lib/linzer/signer.rb CHANGED Viewed

@@ -8,15 +8,16 @@ module Linzer
       include Common
       def sign(key, message, components, options = {})
-        validate key, message, components
+        serialized_components = FieldId.serialize_components(Array(components))
+        validate key, message, serialized_components
         parameters = populate_parameters(key, options)
-        signature_base = signature_base(message, components, parameters)
+        signature_base = signature_base(message, serialized_components, parameters)
         signature = key.sign(signature_base)
         label = options[:label] || DEFAULT_LABEL
-        Linzer::Signature.build(serialize(signature, components, parameters, label))
+        Linzer::Signature.build(serialize(signature, serialized_components, parameters, label))
       end
       def default_label
@@ -55,8 +56,11 @@ module Linzer
         {
           "signature" => Starry.serialize({label => signature}),
           "signature-input" =>
-            Starry.serialize({label =>
-              Starry::InnerList.new(components, parameters)})
+            Starry.serialize(label =>
+              Starry::InnerList.new(
+                components.map { |c| Starry.parse_item(c) },
+                parameters
+              ))
         }
       end
     end

data/lib/linzer/verifier.rb CHANGED Viewed

@@ -9,9 +9,9 @@ module Linzer
         validate message, key, signature, no_older_than: no_older_than
         parameters = signature.parameters
-        components = signature.components
+        serialized_components = signature.serialized_components
-        signature_base = signature_base(message, components, parameters)
+        signature_base = signature_base(message, serialized_components, parameters)
         verify_or_fail key, signature.value, signature_base
       end
@@ -31,7 +31,7 @@ module Linzer
         raise VerifyError, "Components cannot be null"             if signature.components.nil?
         begin
-          validate_components message, signature.components
+          validate_components message, signature.serialized_components
         rescue Error => ex
           raise VerifyError, ex.message, cause: ex
         end

data/lib/linzer/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Linzer
-  VERSION = "0.7.3"
+  VERSION = "0.7.4"
 end

data/lib/linzer.rb CHANGED Viewed

@@ -14,6 +14,8 @@ require_relative "linzer/options"
 require_relative "linzer/message"
 require_relative "linzer/message/adapter"
 require_relative "linzer/message/wrapper"
+require_relative "linzer/message/field"
+require_relative "linzer/message/field/parser"
 require_relative "linzer/signature"
 require_relative "linzer/key"
 require_relative "linzer/rsa"
@@ -25,7 +27,6 @@ require_relative "linzer/key/helper"
 require_relative "linzer/signer"
 require_relative "linzer/verifier"
 require_relative "linzer/http"
-require_relative "rack/auth/signature"
 module Linzer
   class Error < StandardError; end
@@ -50,4 +51,8 @@ module Linzer
       Linzer::Common.signature_base(message, components, parameters)
     end
   end
+  FieldId = Message::Field::Identifier
 end
+require_relative "rack/auth/signature"

data/lib/rack/auth/signature/helpers.rb CHANGED Viewed

@@ -36,6 +36,11 @@ module Rack
         end
         module Configuration
+          def default_covered_components
+            Linzer::Options::DEFAULT[:covered_components]
+          end
+          module_function :default_covered_components
           DEFAULT_OPTIONS = {
             signatures: {
               reject_older_than:  900,
@@ -45,7 +50,9 @@ module Rack
               tag_required:       false,
               expires_required:   false,
               keyid_required:     false,
-              covered_components: %w[@method @request-target @authority date],
+              covered_components:
+                Linzer::FieldId
+                  .serialize_components(default_covered_components),
               error_response:     {body: [], status: 401, headers: {}}
             },
             keys: {}

data/lib/rack/auth/signature.rb CHANGED Viewed

@@ -85,7 +85,7 @@ module Rack
       end
       def has_required_components?
-        components         = @signature.components || []
+        components         = @signature.serialized_components || []
         covered_components = options[:signatures][:covered_components]
         warning = "Insufficient coverage by signature. Consult S 7.2.1. in RFC"
         logger.warn warning if covered_components.empty?

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.7.4
 platform: ruby
 authors:
 - Miguel Landaeta
@@ -210,6 +210,8 @@ files:
 - lib/linzer/message/adapter/rack/common.rb
 - lib/linzer/message/adapter/rack/request.rb
 - lib/linzer/message/adapter/rack/response.rb
+- lib/linzer/message/field.rb
+- lib/linzer/message/field/parser.rb
 - lib/linzer/message/wrapper.rb
 - lib/linzer/options.rb
 - lib/linzer/rsa.rb
@@ -241,7 +243,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.8
 specification_version: 4
 summary: An implementation of HTTP Messages Signatures (RFC9421)
 test_files: []