RubyGems - sandal - Versions diffs - 0.0.0 → 0.0.1 - Mend

sandal 0.0.0 → 0.0.1

Files changed (9) hide show

data/lib/sandal.rb CHANGED Viewed

@@ -16,10 +16,10 @@ module Sandal
     if header_fields && header_fields['enc']
       throw ArgumentError.new('The header cannot contain an "enc" parameter.')
     end
-    sig ||= Sandal::Sig::None.new
+    sig ||= Sandal::Sig::None.instance
     header = {}
-    header['alg'] = sig.name if sig.name != 'none'
+    header['alg'] = sig.name if sig.name != Sandal::Sig::None.instance.name
     header = header_fields.merge(header) if header_fields
     encoded_header = Sandal::Util.base64_encode(JSON.generate(header))
@@ -66,7 +66,7 @@ module Sandal
   end
   # Decrypts a token.
-  def self.decrypt_token(encrypted_token, &key_finder)
+  def self.decrypt_token(encrypted_token, &enc_finder)
     parts = encrypted_token.split('.')
     throw ArgumentError.new('Invalid token format.') unless parts.length == 5
     begin
@@ -79,50 +79,9 @@ module Sandal
       throw ArgumentError.new('Invalid token encoding.')
     end
-    algorithm = header['alg']
-    encryption = header['enc']
-    case encryption
-    when 'A128CBC+HS256', 'A256CBC+HS512'
-      aes_length = Integer(encryption[1..3])
-      sha_length = Integer(encryption[-3..-1])
-      digest = OpenSSL::Digest.new("SHA#{sha_length}")
-      private_key = key_finder.call(header)
-      throw SecurityError.new('No key was found to decrypt the content master key.') unless private_key
-      content_master_key = private_key.private_decrypt(encrypted_key)
-      content_encryption_key = derive_content_key('Encryption', content_master_key, encryption, digest, aes_length)
-      content_integrity_key = derive_content_key('Integrity', content_master_key, encryption, digest, sha_length)
-      secured_input = parts.take(4).join('.')
-      computed_integrity_value = OpenSSL::HMAC.digest(digest, content_integrity_key, secured_input)
-      throw ArgumentError.new('Invalid signature.') unless integrity_value == computed_integrity_value
-      cipher = OpenSSL::Cipher.new("AES-#{aes_length}-CBC")
-      cipher.decrypt
-      cipher.key = content_encryption_key
-      cipher.iv = iv
-      cipher.update(ciphertext) + cipher.final
-    when 'A128GCM', 'A256GCM'
-      throw NotImplementedError.new("The GCM family of encryption algorithms are not implemented yet.")
-    else
-      throw NotImplementedError.new("The #{encryption} encryption algorithm is not supported.")
-    end
-  end
-  private
-  # Derives content keys using the Concat KDF.
-  def self.derive_content_key(label, content_master_key, encryption, digest, size)
-    round_number = [1].pack('N')
-    output_size = [size].pack('N')
-    enc_bytes = encryption.encode('utf-8').bytes.to_a.pack('C*')
-    epu = epv = [0].pack('N')
-    label_bytes = label.encode('us-ascii').bytes.to_a.pack('C*')
-    hash_input = round_number + content_master_key + output_size + enc_bytes + epu + epv + label_bytes
-    hash = digest.digest(hash_input)
-    hash[0..((size / 8) - 1)]
+    enc = enc_finder.call(header)
+    throw SecurityError.new('No decryptor was found.') unless enc
+    enc.decrypt(encrypted_key, iv, ciphertext, parts.take(4).join('.'), integrity_value)
   end
 end
@@ -149,12 +108,12 @@ if __FILE__ == $0
   puts jws_token
   jwe_key = OpenSSL::PKey::RSA.new(2048)
-  enc = Sandal::Enc::AES128CBC.new(jwe_key.public_key)
+  enc = Sandal::Enc::AES128GCM.new(jwe_key.public_key)
   jwe_token = Sandal.encrypt_token(jws_token, enc, { 'cty' => 'JWT' })
   puts jwe_token
-  jws_token_2 = Sandal.decrypt_token(jwe_token) { |header| jwe_key }
+  jws_token_2 = Sandal.decrypt_token(jwe_token) { |header| Sandal::Enc::AES128CBC.new(jwe_key) }
   roundtrip_claims = Sandal.decode_token(jws_token_2) { |header| Sandal::Sig::RS256.new(jws_key.public_key) }
   puts roundtrip_claims

data/lib/sandal/enc.rb CHANGED Viewed

@@ -14,11 +14,12 @@ module Sandal
     end
     # Decrypts a token.
-    def decrypt(data)
+    def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
       throw NotImplementedError.new("#{@name}.decrypt is not implemented.")
     end
   end
 end
-require 'sandal/enc/aescbc'
+require 'sandal/enc/aescbc'
+require 'sandal/enc/aesgcm'

data/lib/sandal/enc/aescbc.rb CHANGED Viewed

@@ -44,6 +44,19 @@ module Sandal
         [secured_input, encoded_integrity_value].join('.')
       end
+      def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
+        content_master_key = @key.private_decrypt(encrypted_key)
+        content_integrity_key = derive_content_key('Integrity', content_master_key, @sha_size)
+        computed_integrity_value = OpenSSL::HMAC.digest(@digest, content_integrity_key, secured_input)
+        throw ArgumentError.new('Invalid signature.') unless integrity_value == computed_integrity_value
+        cipher = OpenSSL::Cipher.new(@cipher_name).decrypt
+        cipher.key = derive_content_key('Encryption', content_master_key, @aes_size)
+        cipher.iv = iv
+        cipher.update(ciphertext) + cipher.final
+      end
       private
       # Derives content keys using the Concat KDF.

data/lib/sandal/enc/aesgcm.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'openssl'
+require 'sandal/util'
+module Sandal
+  module Enc
+    # Base implementation of the AES/GCM family of encryption algorithms.
+    class AESGCM
+      include Sandal::Enc
+      def initialize(aes_size, key)
+        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+      end
+      def encrypt(header, payload)
+        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+      end
+      def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
+        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+      end
+    end
+    # The AES-128-GCM encryption algorithm.
+    class AES128GCM < Sandal::Enc::AESGCM
+      def initialize(key)
+        super(128, key)
+      end
+    end
+    # The AES-256-GCM encryption algorithm.
+    class AES256GCM < Sandal::Enc::AESGCM
+      def initialize(key)
+        super(256, key)
+      end
+    end
+  end
+end

data/lib/sandal/sig.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require 'singleton'
 module Sandal
   # Common signature traits.
   module Sig
@@ -18,6 +20,7 @@ module Sandal
     # The 'none' JWA signature method.
     class None
       include Sandal::Sig
+      include Singleton
       # Creates a new instance.
       def initialize
@@ -39,5 +42,6 @@ module Sandal
   end
 end
+require 'sandal/sig/es'
 require 'sandal/sig/hs'
 require 'sandal/sig/rs'

data/lib/sandal/sig/es.rb ADDED Viewed

@@ -0,0 +1,88 @@
+require 'openssl'
+module Sandal
+  module Sig
+    # Base implementation of the ECDSA-SHA family of signature algorithms.
+    class ES
+      include Sandal::Sig
+      # Creates a new instance with the size of the SHA algorithm and an OpenSSL ES PKey.
+      def initialize(sha_size, key)
+        throw ArgumentError.new('A key is required.') unless key
+        @name = "ES#{sha_size}"
+        @digest = OpenSSL::Digest.new("SHA#{sha_size}")
+        @key = key
+      end
+      # Signs a payload and returns the signature.
+      def sign(payload)
+        hash = @digest.digest(payload)
+        asn1_sig = @key.dsa_sign_asn1(hash)
+        r, s = self.class.decode_asn1_signature(asn1_sig)
+        self.class.encode_jws_signature(r, s)
+      end
+      # Verifies a payload signature and returns whether the signature matches.
+      def verify(signature, payload)
+        hash = @digest.digest(payload)
+        r, s = self.class.decode_jws_signature(signature)
+        asn1_sig = self.class.encode_asn1_signature(r, s)
+        @key.dsa_verify_asn1(hash, asn1_sig)
+      end
+      # Decodes an ASN1 signature into a pair of BNs.
+      def self.decode_asn1_signature(signature)
+        asn_seq = OpenSSL::ASN1.decode(signature)
+        return asn_seq.value[0].value, asn_seq.value[1].value
+      end
+      # Encodes a pair of BNs into an ASN1 signature.
+      def self.encode_asn1_signature(r, s)
+        items = [OpenSSL::ASN1::Integer.new(r), OpenSSL::ASN1::Integer.new(s)]
+        OpenSSL::ASN1::Sequence.new(items).to_der
+      end
+      # Decodes a JWS signature into a pair of BNs.
+      def self.decode_jws_signature(signature)
+        hex_string = Sandal::Util.base64_decode(signature)
+        coord_length = hex_string.length / 2
+        r = OpenSSL::BN.new(hex_string[0..(coord_length - 1)].unpack('H*')[0], 16)
+        s = OpenSSL::BN.new(hex_string[coord_length..-1].unpack('H*')[0], 16)
+        return r, s
+      end
+      # Encodes a pair of BNs into a JWS signature.
+      def self.encode_jws_signature(r, s)
+        hex_string = [r.to_s(16) + s.to_s(16)].pack('H*')
+        Sandal::Util.base64_encode(hex_string)
+      end
+    end
+    # The ECDSA-SHA256 signing algorithm.
+    class ES256 < Sandal::Sig::ES
+      # Creates a new instance with an OpenSSL ES PKey.
+      def initialize(key)
+        super(256, key)
+      end
+    end
+    # The ECDSA-SHA384 signing algorithm.
+    class ES384 < Sandal::Sig::ES
+      # Creates a new instance with an OpenSSL ES PKey.
+      def initialize(key)
+        super(384, key)
+      end
+    end
+    # The ECDSA-SHA512 signing algorithm.
+    class ES512 < Sandal::Sig::ES
+      # Creates a new instance with an OpenSSL ES PKey.
+      def initialize(key)
+        super(512, key)
+      end
+    end
+  end
+end

data/lib/sandal/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module Sandal
   # The semantic version of the library.
-  VERSION = '0.0.0'
+  VERSION = '0.0.1'
 end

metadata CHANGED Viewed

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: sandal
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.0.1
+  prerelease:
 platform: ruby
 authors:
 - Greg Beech
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-22 00:00:00.000000000 Z
+date: 2013-03-25 00:00:00.000000000 Z
 dependencies: []
 description: A ruby library for creating and reading JSON Web Tokens (JWT), supporting
   JSON Web Signatures (JWS) and JSON Web Encryption (JWE).
@@ -19,7 +20,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/sandal/enc/aescbc.rb
+- lib/sandal/enc/aesgcm.rb
 - lib/sandal/enc.rb
+- lib/sandal/sig/es.rb
 - lib/sandal/sig/hs.rb
 - lib/sandal/sig/rs.rb
 - lib/sandal/sig.rb
@@ -29,25 +32,26 @@ files:
 homepage: http://rubygems.org/gems/sandal
 licenses:
 - MIT
-metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.3
+rubygems_version: 1.8.25
 signing_key:
-specification_version: 4
+specification_version: 3
 summary: A JSON Web Token (JWT) library.
 test_files: []

checksums.yaml DELETED Viewed

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    NjVlMDRhMzgyZTY4OTkyMDZjZmUwNDY2ZGY3YjY4NTdiZWY0NDFjZA==
-  data.tar.gz: !binary |-
-    MjE1N2ZmZmQxMjI1YmEzYzQ4YzJiMGY5MjliOWQ0NDU0NmYzZWM2Mw==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    YjU2ZWEwYWU5NDc2MzliNmQwNjExMDdmYTU2ZTc4OGRlZWQ3ZWE4ODAxZmE1
-    MzJkMWJlMzQzZjQ2ZDg4MGY1YTlmZThkZDE5MmUzZTBmMTQ2NjQ1OWFkZTJm
-    MDkzYTY3NGQwNDFmNjlkMGQ4ODliOWFlMjg4MTA3MDAyNWNhMGY=
-  data.tar.gz: !binary |-
-    NzRiZjIwYjg2OGUwOWZlZmY3MTAxY2U3ZWFmMjI5NjZiM2U1ODFlMjBlNDA0
-    Y2M4NzI2M2IyMGU2ODUyYWE1MTEzYTczMTc5YjM2Yzg1N2IxNWNlYjFlYzk1
-    MmFlMjkxZmU2ODRkNTUxMGZkODNlNWY1ZDQyMDQ1MGUwMmVkNzI=