octokey 0.1.pre.4 → 0.1.pre.5

data/lib/octokey.rb

@@ -13,7 +13,7 @@ require File.expand_path('octokey/auth_request', File.dirname(__FILE__))
 # heavily by, and borrowing algorithms from, OpenSSH.
 class Octokey
   # The current version of Octokey as a string.
-  VERSION = '0.1.pre.4'
+  VERSION = '0.1.pre.5'
 
   # Raised when you try and access details of an invalid octokey request.
   # If you always check .can_log_in? or .can_sign_up? first, you should not

data/lib/octokey/buffer.rb

@@ -77,33 +77,22 @@ class Octokey
 
     # Add a timestamp to this buffer
     #
-    # Times are stored to millisecond precision, and are limited to
-    # 2 **48 to give plenty of margin for implementations using doubles
-    # as the backing for their date time, which nicely gives us a range
-    # ending just after the year 10000.
-    #
-    # @param [Time] time
+    # @param [Fixnum] x milliseconds since the epoch
     # @return [Octokey::Buffer] self
     # @raise [Octokey::InvalidBuffer] if the time is too far into the future
-    def add_time(time)
-      seconds, millis = [time.to_i, (time.usec / 1000.0).round]
-      raw = seconds * 1000 + millis
-      raise Octokey::InvalidBuffer, "Invalid time" if raw >= 2 ** 48
-      add_uint64(raw)
+    def add_timestamp(x)
+      raise InvalidBuffer, "Invalid timestamp: #{x}" if x < 0 || x >= 2 ** 64
+      add_uint32(x >> 32 & 0xffff_ffff)
+      add_uint32(x & 0xffff_ffff)
       self
     end
 
     # Destructively read a timestamp from this buffer
     #
-    # Times are stored to millisecond precision
-    #
-    # @return [Time]
+    # @return [Fixnum] milliseconds since the epoch
     # @raise [Octokey::InvalidBuffer]
-    def scan_time
-      raw = scan_uint64
-      raise Octokey::InvalidBuffer, "Invalid time" if raw >= 2 ** 48
-      seconds, millis = [raw / 1000, raw % 1000]
-      Time.at(seconds).utc + (millis / 1000.0)
+    def scan_timestamp
+      (scan_uint32 << 32) + scan_uint32
     end
 
     # Add an IPv4  or IPv6 address to this buffer
@@ -304,24 +293,6 @@ class Octokey
       scan(4).unpack("N").first
     end
 
-    # Add an unsigned 64-bit number to this buffer
-    # @param [Fixnum] x
-    # @return [Octokey::Buffer] self
-    # @raise [Octokey::InvalidBuffer] if x is not a uint64
-    def add_uint64(x)
-      raise InvalidBuffer, "Invalid uint64: #{x}" if x < 0 || x >= 2 ** 64
-      add_uint32(x >> 32 & 0xffff_ffff)
-      add_uint32(x & 0xffff_ffff)
-      self
-    end
-
-    # Destructively read an unsigned 64-bit number from this buffer
-    # @return [Fixnum]
-    # @raise [Octokey::InvalidBuffer]
-    def scan_uint64
-      (scan_uint32 << 32) + scan_uint32
-    end
-
     # Check whether a string is valid utf-8
     # @param [String] string
     # @return [String] string

data/lib/octokey/challenge.rb

@@ -30,13 +30,13 @@ class Octokey
     RANDOM_SIZE = 32
     # Hash algorithm to use in the HMAC
     HMAC_ALGORITHM = "sha1"
-    # The maximum age of a valid challenge
-    MAX_AGE = 5 * 60
-    # The minimum age of a valid challenge
-    MIN_AGE = -30
+    # The maximum age of a valid challenge (milliseconds)
+    MAX_AGE = 5 * 60_000
+    # The minimum age of a valid challenge (milliseconds)
+    MIN_AGE = -30_000
 
     private
-    attr_accessor :version, :time, :client_ip, :random, :digest, :invalid_buffer
+    attr_accessor :version, :timestamp, :client_ip, :random, :digest, :invalid_buffer
 
     public
 
@@ -55,8 +55,8 @@ class Octokey
         begin
           self.version = buffer.scan_uint8
           if version == CHALLENGE_VERSION
-            self.time, self.client_ip, self.random, self.digest =
-              buffer.scan_all(:time, :ip, :varbytes, :varbytes)
+            self.timestamp, self.client_ip, self.random, self.digest =
+              buffer.scan_all(:timestamp, :ip, :varbytes, :varbytes)
           end
         rescue InvalidBuffer => e
           self.invalid_buffer = e.message
@@ -79,7 +79,7 @@ class Octokey
         current_time = opts[:current_time] || Time.now
 
         self.version = CHALLENGE_VERSION
-        self.time = current_time
+        self.timestamp = current_time.to_i * 1000 + current_time.usec / 1000
         self.client_ip = expected_ip
         self.random = SecureRandom.random_bytes(RANDOM_SIZE)
         self.digest = expected_digest
@@ -109,16 +109,17 @@ class Octokey
     def errors(opts)
       expected_ip  = IPAddr(opts[:client_ip])
       current_time = opts[:current_time] || Time.now
+      current_time = current_time.to_i * 1000 + current_time.usec / 1000
 
       return [invalid_buffer] unless invalid_buffer.nil?
       return ["Challenge version mismatch"] unless version == CHALLENGE_VERSION
 
       errors = []
-      errors << "Challenge too old"          unless current_time < time + MAX_AGE
-      errors << "Challenge too new"          unless current_time > time + MIN_AGE
+      errors << "Challenge too old"          unless current_time < timestamp + MAX_AGE
+      errors << "Challenge too new"          unless current_time > timestamp + MIN_AGE
       errors << "Challenge IP mismatch"      unless client_ip == expected_ip
       errors << "Challenge random mismatch"  unless random.size == RANDOM_SIZE
-      errors << "Challenge HMAC mismatch"    unless digest == expected_digest
+      errors << "Challenge HMAC mismatch"    unless time_safe_equals(digest, expected_digest)
 
       errors
     end
@@ -142,7 +143,7 @@ class Octokey
     #
     # @return [String]
     def inspect
-      "#<Octokey::Challenge @version=#{version.inspect} @time=#{time.inspect}" +
+      "#<Octokey::Challenge @version=#{version.inspect} @timestamp=#{timestamp.inspect}" +
         "@client_ip=#{client_ip.inspect}>"
     end
 
@@ -161,7 +162,7 @@ class Octokey
     def unsigned_buffer
       Octokey::Buffer.new.
         add_uint8(version).
-        add_time(time).
+        add_timestamp(timestamp).
         add_ip(client_ip).
         add_varbytes(random)
     end
@@ -174,5 +175,16 @@ class Octokey
     def IPAddr(x)
       x && IPAddr.new(x.to_s) or raise ArgumentError, "no client IP given"
     end
+
+    # Compare two strings in a manner hard to timing attack
+    #
+    # Useful for comparing digests so that a motivated attacker can't guess the correct
+    # checksum by measuring how long it takes for comparing checksums to fail.
+    #
+    # @param [String] a
+    # @param [String] b
+    def time_safe_equals(a, b)
+      a.hash == b.hash && a == b
+    end
   end
 end

data/lib/octokey/key.rb

@@ -0,0 +1,36 @@
+class Octokey
+  class KeyCoder
+
+    def self.from_buffer(buffer)
+
+    end
+
+    def self.from_formatted(formatted)
+      type, buffer, comment = formatted.split(" ", 3)
+      if formatted =~ /\A(ssh-rsa)\s+([^\s]+)(\s.*)?/
+        key, errors = decode_public_key(Octokey::Buffer.new($2), $1)
+        raise "Invalid public key: #{errors.join(". ")}." unless errors.empty?
+
+        key
+      else
+        raise "Invalid public key: Got #{formatted.inspect}, expected \"ssh-rsa AAAAf...\""
+      end
+    end
+
+    def initialize(public_key)
+      raise "not an RSA key: #{public_key}" unless OpenSSL::PKey::RSA === public_key
+    end
+
+    def to_buffer
+      buffer = Octokey::Buffer.new
+      buffer.add_string "ssh-rsa"
+      buffer.add_mpint public_key.e
+      buffer.add_mpint public_key.n
+      buffer
+    end
+
+    def to_formatted
+      "ssh-rsa #{to_buffer.to_s}"
+    end
+  end
+end

metadata

@@ -1,116 +1,151 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: octokey
-version: !ruby/object:Gem::Version 
+version: !ruby/object:Gem::Version
   prerelease: 4
-  version: 0.1.pre.4
+  version: 0.1.pre.5
 platform: ruby
-authors: 
-  - Conrad Irwin
-  - Martin Kleppmann
+authors:
+- Conrad Irwin
+- Martin Kleppmann
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-07-30 00:00:00 Z
-dependencies: 
-  - !ruby/object:Gem::Dependency 
-    name: rspec
-    prerelease: false
-    requirement: &id001 !ruby/object:Gem::Requirement 
-      none: false
-      requirements: 
-        - - ">="
-          - !ruby/object:Gem::Version 
-            version: "0"
-    type: :development
-    version_requirements: *id001
-  - !ruby/object:Gem::Dependency 
-    name: active_support
-    prerelease: false
-    requirement: &id002 !ruby/object:Gem::Requirement 
-      none: false
-      requirements: 
-        - - ">="
-          - !ruby/object:Gem::Version 
-            version: "0"
-    type: :development
-    version_requirements: *id002
-  - !ruby/object:Gem::Dependency 
-    name: i18n
-    prerelease: false
-    requirement: &id003 !ruby/object:Gem::Requirement 
-      none: false
-      requirements: 
-        - - ">="
-          - !ruby/object:Gem::Version 
-            version: "0"
-    type: :development
-    version_requirements: *id003
-  - !ruby/object:Gem::Dependency 
-    name: simplecov
-    prerelease: false
-    requirement: &id004 !ruby/object:Gem::Requirement 
-      none: false
-      requirements: 
-        - - ">="
-          - !ruby/object:Gem::Version 
-            version: "0"
-    type: :development
-    version_requirements: *id004
-  - !ruby/object:Gem::Dependency 
-    name: yard
-    prerelease: false
-    requirement: &id005 !ruby/object:Gem::Requirement 
-      none: false
-      requirements: 
-        - - ">="
-          - !ruby/object:Gem::Version 
-            version: "0"
-    type: :development
-    version_requirements: *id005
+date: 2012-12-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  type: :development
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: rake
+- !ruby/object:Gem::Dependency
+  type: :development
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: rspec
+- !ruby/object:Gem::Dependency
+  type: :development
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: active_support
+- !ruby/object:Gem::Dependency
+  type: :development
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: i18n
+- !ruby/object:Gem::Dependency
+  type: :development
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: simplecov
+- !ruby/object:Gem::Dependency
+  type: :development
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: yard
 description: Allows you to use secure authentication mechanisms in place of passwords
-email: 
-  - conrad.irwin@gmail.com
-  - martin@kleppmann.de
+email:
+- conrad.irwin@gmail.com
+- martin@kleppmann.de
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
-  - lib/octokey.rb
-  - lib/octokey/auth_request.rb
-  - lib/octokey/buffer.rb
-  - lib/octokey/challenge.rb
-  - lib/octokey/config.rb
-  - lib/octokey/public_key.rb
+files:
+- lib/octokey.rb
+- lib/octokey/public_key.rb
+- lib/octokey/config.rb
+- lib/octokey/challenge.rb
+- lib/octokey/buffer.rb
+- lib/octokey/key.rb
+- lib/octokey/auth_request.rb
 homepage: https://github.com/octokey/octokey-gem
 licenses: []
-
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
-  - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-    - - ">"
-      - !ruby/object:Gem::Version 
-        version: 1.3.1
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
 requirements: []
-
 rubyforge_project: 
 rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Public key authentication for the web!
 test_files: []
-
+has_rdoc: