RubyGems - sandal - Versions diffs - 0.0.0 → 0.0.1 - Mend

sandal 0.0.0 → 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

data/lib/sandal.rb CHANGED Viewed

@@ -16,10 +16,10 @@ module Sandal
     if header_fields && header_fields['enc']
       throw ArgumentError.new('The header cannot contain an "enc" parameter.')
     end
-    sig ||= Sandal::Sig::None.new
+    sig ||= Sandal::Sig::None.instance
     header = {}
-    header['alg'] = sig.name if sig.name != 'none'
+    header['alg'] = sig.name if sig.name != Sandal::Sig::None.instance.name
     header = header_fields.merge(header) if header_fields
     encoded_header = Sandal::Util.base64_encode(JSON.generate(header))
@@ -66,7 +66,7 @@ module Sandal
   end
   # Decrypts a token.
-  def self.decrypt_token(encrypted_token, &key_finder)
+  def self.decrypt_token(encrypted_token, &enc_finder)
     parts = encrypted_token.split('.')
     throw ArgumentError.new('Invalid token format.') unless parts.length == 5
     begin
@@ -79,50 +79,9 @@ module Sandal
       throw ArgumentError.new('Invalid token encoding.')
     end
-    algorithm = header['alg']
-    encryption = header['enc']
-    case encryption
-    when 'A128CBC+HS256', 'A256CBC+HS512'
-      aes_length = Integer(encryption[1..3])
-      sha_length = Integer(encryption[-3..-1])
-      digest = OpenSSL::Digest.new("SHA#{sha_length}")
-      private_key = key_finder.call(header)
-      throw SecurityError.new('No key was found to decrypt the content master key.') unless private_key
-      content_master_key = private_key.private_decrypt(encrypted_key)
-      content_encryption_key = derive_content_key('Encryption', content_master_key, encryption, digest, aes_length)
-      content_integrity_key = derive_content_key('Integrity', content_master_key, encryption, digest, sha_length)
-      secured_input = parts.take(4).join('.')
-      computed_integrity_value = OpenSSL::HMAC.digest(digest, content_integrity_key, secured_input)
-      throw ArgumentError.new('Invalid signature.') unless integrity_value == computed_integrity_value
-      cipher = OpenSSL::Cipher.new("AES-#{aes_length}-CBC")
-      cipher.decrypt
-      cipher.key = content_encryption_key
-      cipher.iv = iv
-      cipher.update(ciphertext) + cipher.final
-    when 'A128GCM', 'A256GCM'
-      throw NotImplementedError.new("The GCM family of encryption algorithms are not implemented yet.")
-    else
-      throw NotImplementedError.new("The #{encryption} encryption algorithm is not supported.")
-    end
-  end
-  private
-  # Derives content keys using the Concat KDF.
-  def self.derive_content_key(label, content_master_key, encryption, digest, size)
-    round_number = [1].pack('N')
-    output_size = [size].pack('N')
-    enc_bytes = encryption.encode('utf-8').bytes.to_a.pack('C*')
-    epu = epv = [0].pack('N')
-    label_bytes = label.encode('us-ascii').bytes.to_a.pack('C*')
-    hash_input = round_number + content_master_key + output_size + enc_bytes + epu + epv + label_bytes
-    hash = digest.digest(hash_input)
-    hash[0..((size / 8) - 1)]
+    enc = enc_finder.call(header)
+    throw SecurityError.new('No decryptor was found.') unless enc
+    enc.decrypt(encrypted_key, iv, ciphertext, parts.take(4).join('.'), integrity_value)
   end
 end
@@ -149,12 +108,12 @@ if __FILE__ == $0
   puts jws_token
   jwe_key = OpenSSL::PKey::RSA.new(2048)
-  enc = Sandal::Enc::AES128CBC.new(jwe_key.public_key)
+  enc = Sandal::Enc::AES128GCM.new(jwe_key.public_key)
   jwe_token = Sandal.encrypt_token(jws_token, enc, { 'cty' => 'JWT' })
   puts jwe_token
-  jws_token_2 = Sandal.decrypt_token(jwe_token) { |header| jwe_key }
+  jws_token_2 = Sandal.decrypt_token(jwe_token) { |header| Sandal::Enc::AES128CBC.new(jwe_key) }
   roundtrip_claims = Sandal.decode_token(jws_token_2) { |header| Sandal::Sig::RS256.new(jws_key.public_key) }
   puts roundtrip_claims

data/lib/sandal/enc.rb CHANGED Viewed

@@ -14,11 +14,12 @@ module Sandal
     end
     # Decrypts a token.
-    def decrypt(data)
+    def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
       throw NotImplementedError.new("#{@name}.decrypt is not implemented.")
     end
   end
 end
-require 'sandal/enc/aescbc'
+require 'sandal/enc/aescbc'
+require 'sandal/enc/aesgcm'

data/lib/sandal/enc/aescbc.rb CHANGED Viewed

@@ -44,6 +44,19 @@ module Sandal
         [secured_input, encoded_integrity_value].join('.')
       end
+      def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
+        content_master_key = @key.private_decrypt(encrypted_key)
+        content_integrity_key = derive_content_key('Integrity', content_master_key, @sha_size)
+        computed_integrity_value = OpenSSL::HMAC.digest(@digest, content_integrity_key, secured_input)
+        throw ArgumentError.new('Invalid signature.') unless integrity_value == computed_integrity_value
+        cipher = OpenSSL::Cipher.new(@cipher_name).decrypt
+        cipher.key = derive_content_key('Encryption', content_master_key, @aes_size)
+        cipher.iv = iv
+        cipher.update(ciphertext) + cipher.final
+      end
       private
       # Derives content keys using the Concat KDF.

data/lib/sandal/enc/aesgcm.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'openssl'
+require 'sandal/util'
+module Sandal
+  module Enc
+    # Base implementation of the AES/GCM family of encryption algorithms.
+    class AESGCM
+      include Sandal::Enc
+      def initialize(aes_size, key)
+        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+      end
+      def encrypt(header, payload)
+        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+      end
+      def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
+        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+      end
+    end
+    # The AES-128-GCM encryption algorithm.
+    class AES128GCM < Sandal::Enc::AESGCM
+      def initialize(key)
+        super(128, key)
+      end
+    end
+    # The AES-256-GCM encryption algorithm.
+    class AES256GCM < Sandal::Enc::AESGCM
+      def initialize(key)
+        super(256, key)
+      end
+    end
+  end
+end

data/lib/sandal/sig.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require 'singleton'
 module Sandal
   # Common signature traits.
   module Sig
@@ -18,6 +20,7 @@ module Sandal
     # The 'none' JWA signature method.
     class None
       include Sandal::Sig
+      include Singleton
       # Creates a new instance.
       def initialize
@@ -39,5 +42,6 @@ module Sandal
   end
 end
+require 'sandal/sig/es'
 require 'sandal/sig/hs'
 require 'sandal/sig/rs'

data/lib/sandal/sig/es.rb ADDED Viewed

@@ -0,0 +1,88 @@
+require 'openssl'
+module Sandal
+  module Sig
+    # Base implementation of the ECDSA-SHA family of signature algorithms.
+    class ES
+      include Sandal::Sig
+      # Creates a new instance with the size of the SHA algorithm and an OpenSSL ES PKey.
+      def initialize(sha_size, key)
+        throw ArgumentError.new('A key is required.') unless key
+        @name = "ES#{sha_size}"
+        @digest = OpenSSL::Digest.new("SHA#{sha_size}")
+        @key = key
+      end
+      # Signs a payload and returns the signature.
+      def sign(payload)
+        hash = @digest.digest(payload)
+        asn1_sig = @key.dsa_sign_asn1(hash)
+        r, s = self.class.decode_asn1_signature(asn1_sig)
+        self.class.encode_jws_signature(r, s)
+      end
+      # Verifies a payload signature and returns whether the signature matches.
+      def verify(signature, payload)
+        hash = @digest.digest(payload)
+        r, s = self.class.decode_jws_signature(signature)
+        asn1_sig = self.class.encode_asn1_signature(r, s)
+        @key.dsa_verify_asn1(hash, asn1_sig)
+      end
+      # Decodes an ASN1 signature into a pair of BNs.
+      def self.decode_asn1_signature(signature)
+        asn_seq = OpenSSL::ASN1.decode(signature)
+        return asn_seq.value[0].value, asn_seq.value[1].value
+      end
+      # Encodes a pair of BNs into an ASN1 signature.
+      def self.encode_asn1_signature(r, s)
+        items = [OpenSSL::ASN1::Integer.new(r), OpenSSL::ASN1::Integer.new(s)]
+        OpenSSL::ASN1::Sequence.new(items).to_der
+      end
+      # Decodes a JWS signature into a pair of BNs.
+      def self.decode_jws_signature(signature)
+        hex_string = Sandal::Util.base64_decode(signature)
+        coord_length = hex_string.length / 2
+        r = OpenSSL::BN.new(hex_string[0..(coord_length - 1)].unpack('H*')[0], 16)
+        s = OpenSSL::BN.new(hex_string[coord_length..-1].unpack('H*')[0], 16)
+        return r, s
+      end
+      # Encodes a pair of BNs into a JWS signature.
+      def self.encode_jws_signature(r, s)
+        hex_string = [r.to_s(16) + s.to_s(16)].pack('H*')
+        Sandal::Util.base64_encode(hex_string)
+      end
+    end
+    # The ECDSA-SHA256 signing algorithm.
+    class ES256 < Sandal::Sig::ES
+      # Creates a new instance with an OpenSSL ES PKey.
+      def initialize(key)
+        super(256, key)
+      end
+    end
+    # The ECDSA-SHA384 signing algorithm.
+    class ES384 < Sandal::Sig::ES
+      # Creates a new instance with an OpenSSL ES PKey.
+      def initialize(key)
+        super(384, key)
+      end
+    end
+    # The ECDSA-SHA512 signing algorithm.
+    class ES512 < Sandal::Sig::ES
+      # Creates a new instance with an OpenSSL ES PKey.
+      def initialize(key)
+        super(512, key)
+      end
+    end
+  end
+end

data/lib/sandal/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module Sandal
   # The semantic version of the library.
-  VERSION = '0.0.0'
+  VERSION = '0.0.1'
 end

metadata CHANGED Viewed

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: sandal
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.0.1
+  prerelease:
 platform: ruby
 authors:
 - Greg Beech
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-22 00:00:00.000000000 Z
+date: 2013-03-25 00:00:00.000000000 Z
 dependencies: []
 description: A ruby library for creating and reading JSON Web Tokens (JWT), supporting
   JSON Web Signatures (JWS) and JSON Web Encryption (JWE).
@@ -19,7 +20,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/sandal/enc/aescbc.rb
+- lib/sandal/enc/aesgcm.rb
 - lib/sandal/enc.rb
+- lib/sandal/sig/es.rb
 - lib/sandal/sig/hs.rb
 - lib/sandal/sig/rs.rb
 - lib/sandal/sig.rb
@@ -29,25 +32,26 @@ files:
 homepage: http://rubygems.org/gems/sandal
 licenses:
 - MIT
-metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.3
+rubygems_version: 1.8.25
 signing_key:
-specification_version: 4
+specification_version: 3
 summary: A JSON Web Token (JWT) library.
 test_files: []

checksums.yaml DELETED Viewed

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    NjVlMDRhMzgyZTY4OTkyMDZjZmUwNDY2ZGY3YjY4NTdiZWY0NDFjZA==
-  data.tar.gz: !binary |-
-    MjE1N2ZmZmQxMjI1YmEzYzQ4YzJiMGY5MjliOWQ0NDU0NmYzZWM2Mw==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    YjU2ZWEwYWU5NDc2MzliNmQwNjExMDdmYTU2ZTc4OGRlZWQ3ZWE4ODAxZmE1
-    MzJkMWJlMzQzZjQ2ZDg4MGY1YTlmZThkZDE5MmUzZTBmMTQ2NjQ1OWFkZTJm
-    MDkzYTY3NGQwNDFmNjlkMGQ4ODliOWFlMjg4MTA3MDAyNWNhMGY=
-  data.tar.gz: !binary |-
-    NzRiZjIwYjg2OGUwOWZlZmY3MTAxY2U3ZWFmMjI5NjZiM2U1ODFlMjBlNDA0
-    Y2M4NzI2M2IyMGU2ODUyYWE1MTEzYTczMTc5YjM2Yzg1N2IxNWNlYjFlYzk1
-    MmFlMjkxZmU2ODRkNTUxMGZkODNlNWY1ZDQyMDQ1MGUwMmVkNzI=