rack-response-signature 0.1.0

data/README.rdoc

@@ -0,0 +1,81 @@
+== Rack::ResponseSignature
+
+Rack::ResponseSignature is a Rack middleware which can drop into any 
+Rack-compliant application an add transparent response signing.  Response 
+signing is done to verify to clients that the response is coming from a 
+trusted source.  The signature is currently based on RSA Public/Private key 
+pair signing.
+
+Primarily, this is useful when verified-SSL is not an option.  This may occur 
+when you are working on a shared host or other environment which utilizes 
+wildcard certificates (like Heroku).  In this case, while the SSL certificate
+may be verified with the Certificate Authority, it doesn't not ensure the 
+identity of the serving party.
+
+With this implementation:
+
+* RSA keys of any strength may be used,
+* SSL certificates are optional,
+* Response signing is transparent,
+* Response verification is simple
+
+=== Installation
+
+From the gem:
+
+    $ sudo gem install rack-response-signature
+
+From source:
+
+    $ git clone http://github.com/nbibler/rack_response_signature.git
+    $ rake package && sudo rake install
+
+=== Basic Usage
+
+==== Rack
+
+Rack::ResponseSignature is implemented as a piece of Rack middleware and can 
+be used with any Rack-based application.  If your application includes a 
+rackup file (`config.ru`, for example) or uses Rack::Builder to construct the 
+application stack, then require and use, like so:
+
+    require 'rack/response_signature'
+    
+    use Rack::ResponseSignature, "my-private-ssh-key-for-signing"
+    
+    run app
+
+The SSH key may also be read from a file with `File.read('private.key')`, as 
+well.
+
+==== Rails
+
+To use this middleware with Rails, add this to your `config/environment.rb`,
+to `config/environments/production.rb`, or to an initializer:
+
+    config.middleware.use Rack::ResponseSignature, "my-private-ssh-key..."
+
+You should now see `Rack::ResponseSignature` listed in the middleware stack:
+
+    $ rake middleware
+
+=== License
+
+Copyright (c) 2010 Nathaniel Bibler <http://www.nathanielbibler.com/>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/rack/response_signature.rb

@@ -0,0 +1,142 @@
+require 'openssl'
+require 'base64'
+require 'cgi'
+
+module Rack
+  
+  ##
+  # Rack::ResponseSignature is a middleware which will manipulate the server
+  # response by signing the response body against an RSA private key.  Your 
+  # clients may then validate the response against a known-good public key
+  # to verify server authenticity against a man-in-the-middle attack.
+  # 
+  # The signature, if generated, is placed in a "Response-Signature" HTTP 
+  # header.  Currently, signatures are only generated for HTTP SUCCESS (200) 
+  # responses.
+  # 
+  # Obviously, it would be more straightforward to simply use an SSL 
+  # certificate provided by a trusted CA and just enable SSL verification
+  # per request.  However, the use of SSL accrues significate overhead both for
+  # the server, the client, and the network in general.  Not only that, but
+  # in some cases (like Heroku) using a custom, verifiable SSL certificate
+  # is either not reasonable or not possible.
+  # 
+  # === Using Rack::ResponseSignature
+  # 
+  # To use this middleware, simply:
+  # 
+  #     use Rack::ResponseSignature, "--- BEGIN PRIVATE KEY ----\nabc123....."
+  # 
+  # Or, for Rails,
+  # 
+  #     config.middleware.use "Rack::ResponseSignature", "--- BEGIN PRIVATE KEY ----\nabc123....."
+  # 
+  # Or, a somewhat more secure approach would be to utilize environment 
+  # variables on the production system to define your private key.  This 
+  # keeps your private keys out of your source code manager and away from
+  # prying eyes:
+  # 
+  #     config.middleware.use "Rack::ResponseSignature", ENV['PRIVATE_RESPONSE_KEY']
+  # 
+  # This is especially useful for Heroku deployments.
+  # 
+  # === Manual Verification of Signature
+  # 
+  # Using curl, you can manually inspect to be sure that your signatures are 
+  # being generated with:
+  # 
+  #     $ curl -is http://myserver.com
+  # 
+  # Which would return something similar to:
+  # 
+  #     HTTP/1.1 200 OK
+  #     Server: nginx/0.6.39
+  #     Date: Tue, 23 Feb 2010 05:15:25 GMT
+  #     Content-Type: application/xml; charset=utf-8
+  #     Transfer-Encoding: chunked
+  #     Connection: keep-alive
+  #     ETag: "54a2096d2c361907b3f9cc7ec9a2231d"
+  #     Response-Signature: JywymlJfA90Q4x52LKt4J8Tb8p4rXI%2BptKDNm3NC7F495...
+  #     Cache-Control: private, max-age=0, must-revalidate
+  # 
+  # === Client Verification
+  # 
+  # To verify your signatures on the client, simply share your public RSA key
+  # with your client and verify the response:
+  # 
+  #     require 'net/http'
+  #     require 'base64'
+  #     require 'cgi'
+  #     
+  #     uri = URI.parse("http://myserver.com/")
+  #     response = nil
+  #     Net::HTTP.start(uri.host, uri.port) do |http|
+  #       response = http.get(uri.path)
+  #     end
+  #     
+  #     puts "Response valid? %s" % [OpenSSL::PKey::RSA.new(PublicKey).
+  #       verify(OpenSSL::Digest::SHA256.new, 
+  #             Base64.decode64(CGI.unescape(response['Response-Signature'])), 
+  #             response.body.strip)]
+  # 
+  # === Options
+  # 
+  # You may pass an optional, third, hash argument into the middleware.  This
+  # argument allows you to override defaults.
+  # 
+  # digest::
+  #   Set the digest to use when generating the signature (Default: OpenSSL::Digest::SHA256)
+  # 
+  class ResponseSignature
+    
+    VERSION = '0.1.0'
+    
+    def initialize(app, private_key, options = {})
+      options[:digest]  ||= OpenSSL::Digest::SHA256
+      @app              = app
+      @private_key      = private_key && private_key != '' ? private_key : nil
+      @options          = options
+    end
+    
+    def call(env)
+      status, headers, response = @app.call(env)
+      
+      if set_signature_header?(status)
+        [status, add_signature(headers, value_of(response)), value_of(response)]
+      else
+        [status, headers, response]
+      end
+    end
+    
+    
+    private
+    
+    
+    def set_signature_header?(status)
+      @private_key && status.to_i == 200
+    end
+    
+    def add_signature(headers, body)
+      headers['Response-Signature'] = CGI.escape(Base64.encode64(sign(body)))
+      headers
+    end
+    
+    def rsa
+      @rsa ||= OpenSSL::PKey::RSA.new(@private_key)
+    end
+    
+    def sign(data)
+      rsa.sign(digest, data)
+    end
+    
+    def digest
+      @options.has_key?(:digest) ? @options[:digest].new : OpenSSL::Digest::SHA256.new
+    end
+    
+    def value_of(response)
+      (response.respond_to?(:body) ? response.body : response).strip
+    end
+    
+  end
+  
+end

metadata

@@ -0,0 +1,63 @@
+--- !ruby/object:Gem::Specification 
+name: rack-response-signature
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Nathaniel Bibler
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-04-15 00:00:00 -04:00
+default_executable: 
+dependencies: []
+
+description: Rack::ResponseSignature uses RSA key pairs to transparently sign the outgoing responses from any Rack-compliant application.
+email: gem@nathanielbibler.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/rack/response_signature.rb
+- README.rdoc
+has_rdoc: true
+homepage: http://github.com/nbibler/rack_response_signature
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Rack middleware to add transparent response signing
+test_files: []
+