smaak 0.0.10 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a06ce9d26d15fda320f1c294b584a16c8cd1006d
-  data.tar.gz: 9b04495475ec21d1ff6f33625f30978cc1e823b0
+  metadata.gz: 41115c26166ffbbd902b43707e6e219101155802
+  data.tar.gz: 6cb113261fc5c764ebf137eec743297a664d709a
 SHA512:
-  metadata.gz: 165f5d90ce01a893cb9c7cf8464edebe13c3ffdb420efaed98ccc96c410fb1380b572988ec130f91749853b6136d0448fada87f196295a0fc487ae8b3b147d5d
-  data.tar.gz: f50c7a2da3b77aab667bcca1081b6eae07392cea03a36050f9a119f3edd964859b3298267c9a172eb200abd9c0ea9a2fa0a8440a5e79963c90ae621630c2eeb1
+  metadata.gz: eee3f15e1cb880f556fadc7338900ca6ee0a856b70cd1b0db5ee0d1f8d7d6aeb2d9d3297cc354a840b1b5397af9136a9f603a1a9cddab250572c1c11d757ec71
+  data.tar.gz: 193ecdd1021ff1f8f5cd485196e383af674aa02d02d4552bc5448dc86c3ef1b465d6f1aa9ef45ae1450cdca0c41a4069f1cfc50ad01cf5e26e17641e733bece7

data/.gitignore

@@ -2,3 +2,5 @@ coverage
 Gemfile.lock
 *swp
 *gem
+backup
+doc

data/README.md

@@ -1,8 +1,117 @@
 # Smaak
 
-This gems caters for both client and server sides of a signed message interaction over HTTP or HTTPS implementing the RFC2617 Digest Access Authentication. The following compromises are protected against as specified: Man in the middle (header and payload signature- see 'Extending') / snooping (HTTPS turned on), Replay (nonce + expires), Forgery (signature), Masquerading (recipient pub key check), Clear-text password compromise (MD5 pre-shared key)
+This gems caters for both client and server sides of a signed message interaction over HTTP implementing RFC2617 Digest Access Authentication as well as IETF draft-cavage-http-signatures-04, extended with 'x-smaak-recipient', 'x-smaak-identifier', 'x-smaak-psk', 'x-smaak-expires' and 'x-smaak-nonce' headers. The following compromises are protected against as specified: Man in the middle (header and payload signature, as well as body digest) / snooping (message body encryption), Replay (nonce + expiry), Forgery (signature), Masquerading (identifier and signature), Forwarding / Unintended recipient (recipient pub key check), Clear-text password compromise (MD5 pre-shared key, obfuscated), lack of password (pre-shared key), Message fabrication (associations are purpose-fully provisioned to known associates.)
+
+## Smaak mechanism:
+
+When provisioning a Smaak::Server and a Smaak::Client, all associations these services should be aware of are provisioned by calling add_association. The associations are indexed by identifier (e.g. FQDN of the associate,) and remember the associate's public key, a pre-shared key and a boolean indicating whether the association expects data to encrypted.
+
+Smaak appends 'x-smaak' headers to the HTTP request to convey a generated nonce, expiry, the requestor's identifier, the pre-shared key (obfuscated) and a digest of the request body. The headers are signed using the requestor (Smaak::Client)'s private key. If encryption is requested, the message body is encrypted using the receiver (Smaak::Server)'s public key. The message body for the response from the Smaak::Server to the Smaak::Client is also encrypted. RSA 4096 bit keys are recommended.
+
+The signing of an HTTP request and the placement of the signature in an Authorization header is performed by a signing specification specified when signing. The algorithm implementing the signing specification is expected to embed a Smaak::AuthMessage in the signature and allow access to it when the signed header is interpreted. Currently IETF draft-cavage-http-signatures-04 is the only supported signature specification.
+
+Smaak verifies an AuthMessage signed in the Authorization header by looking at nonce, expiry, recipient and pre-shared key. The order of headers signed is important for signature verification.
+
+### Example Server:
+
+A Smaak::Server operates on an instance of an HTTP request received. The Smaak module can be told about different request technology implementations by providing an adaptor to a request technology (Smaak::add_request_adaptor). The gem ships with a Rack::Request adaptor. Call Smaak::create_adaptor with your request to get an instance of an adaptor.
+
+A Smaak::Server needs to keep track of nonces received in the fresh-ness interval of requests. To make this easy, you can extend Smaak::SmaakService. Override the configure_service method to provide your server's public key, private key and associations. Smaak::SmaakService provides a cache of received nonces checked against the freshness interval.
+
+When setting up a Smaak::Server, tell the server of your SmaakService and verify incoming request, so:
+
+    class SecureServer < Smaak::SmaakService
+      def configure_services
+        @smaak_server.set_public_key(File.read '/secure/server_public.pem')
+        @smaak_server.set_private_key(File.read '/secure/server_private.pem') # only required when encryption is specified
+        @smaak_server.add_association('client-facing-service-needing-back-end-data', File.read '/secure/client_public.pem', 'client-pre-shared-key')
+    end
+
+    class SecureService
+      def serve(request)
+        auth_message, body = SecureServer.get_instance.smaak_server.verify_signed_request(request)
+        return [200, "message from #{auth_message.identifier} verified!"] if auth_message.identifier
+        [401, "Insufficient proof!"]
+      end
+    end
+
+### Example Client:
+
+A Smaak::Client operates on an instance of an HTTP request. The Smaak module can be told about different request technology implementations by providing an adaptor to a request technology (Smaak::add_request_adaptor). The gem ships with a Net::HTTP adaptor. Call Smaak::create_adaptor with your request to get an instance of an adaptor.
+
+    # The user requested some data which requires my service to talk to another, a Smaak::Server
+    class SecureController
+      def initialize
+        # We recommend this configuration be provisioned by a secure configuration service and/or by service boot-strapping
+        @client = Smaak::Client.new
+        @client.set_identifier('client-facing-service-needing-back-end-data')
+        @client.set_private_key(File.read '/secure/client_private.pem')
+        @client.add_association('service-provider', File.read('/secure/server_public.pem'), 'client-pre-shared-key', true) # encrypted
+      end
+
+      def serve(request)
+        response = @client.post('service-provider', 'http://service-provider.com:9393/backend', { 'index1' => 'data1', 'index2' => 'data2' }.to_json)
+        [200, response.body]
+      end
+
+    class SecureConsumer
+      def initialize
+        ...
+      end
+
+      def some_other(param)
+        response = @client.get('service-provider', 'http://service-provider.com:9393/query', { 'looking_for' => param }.to_json)
+        consume_response(response)
+      end
+    end
+
+## Identity management
+
+During provisioning, we recommend that the key-pair that does the signing and verification has associated with it an X.509 certificate signed by a CA you trust that contains the identity of the signer. The association is provisioned with an 'identifier' that the Authorization header transports in the 'x-smaak-identifier' header. This identifier is used on the receiver end to look up the public key of the signer in the association list. Once the associated key successfully verifies the signature, that certificate's identity can be used for identity management and authorization. This allows multiple identifiers (e.g. multiple server heads) to represent a single service (identity) with separate signing certs for each head.
+
+## Example on-the-wire requests
+
+### Un-encrypted
+
+    POST http://service-provider-internal:9393/secure-service HTTP/1.1
+    Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+    Accept: */*
+    User-Agent: Ruby
+    Authorization: Signature keyId="rsa-key-1",algorithm="rsa-sha256", headers="host date digest x-smaak-recipient x-smaak-identifier x-smaak-psk x-smaak-expires x-smaak-nonce x-smaak-encrypt content-length", signature="DywQfsuJOzP7uQw/rZ3sEKtyBlzs+3Gqif/WEjjxjC1h6/vsMP6LHz1jeCQdBWRgPZ/NonM06NeSWei/YXpg9dtntoWWHQ8e8pvQsLVrx0BuMAyGhckuE9IcUSnaAOqCGCTcEV2cIE6a50tPSbBHS88jzIasliMrM8QIG2boIB9hMXbYNCPUzUKo7mOtda2NUrGwYflmLZ1cXuRGHeXuG/m/kYJOSSUawrneWH3uxuIhJTQiVtblYr7tHDQsAB6WJgCxLkrZJreALYyM62D6Cpvip3atMoKh+2b3/SqseSdt2BirrMiTdS+1+6Tyk+z/y9sGhEF0WZoIOZUmo1+7yfXe4hHaa7SQD8olsjoJTPaBsd39sb5xPZKsFS3k/eeWQxXEa7iLLumDgHncaIhyRkyb+XTG6/qk0XemBuc4LlU1JjFCdGYjYx0T9V9OUrt8Jpi6g2FKg8JLaJsd2Xk4sUBwHMrYwweutdCXxbHZn2VYF5BydDB+Eesc62PC8jh1xiAVperSUF60HdOLhcJp/eJz7VuyjaRx+EYVNqBHxIG9w9si/pcxy6tX2yA5Go+UJ37xG5E12P3QNDC6HBEEqq8tOW+YqnOacm+IbI2YSZ/ilEbSYhmE/KH7GZKxl1cSvswHcDrYRwFhviSPutQGBtGl6o/YjdmpYAVcZiEGUtE="
+    Host: service-provider-internal
+    Date: 2015-06-25 09:48:13 GMT
+    Digest: SHA-256=0190f465c943501984c4018bacdbb0be167979f261caf1fe50ce63e97d31dff2
+    X-Smaak-Recipient: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFxL2tiYjdBNWllQWV1WlBBVnI3MAo5cjl1TkFzc2dmYkdjeGMzZTc3RDNndkY4U2tzbURNQmQyTUt5TUh0ZjBrM1pqSVdZemJJVG5jQXM1Nnd4cmRSClhiVHpIZnhjMll1dDMwd0ljR2YvUVk4ZTJXNmdMWko4aVM3MXlYb0JQNFpEc2lLSXd4ajFsenYyVFlXWnNSL3EKd28xSzBxZ1NzOXJJVEVkWDVqampycHBYWTdobHNPMGVKQ2JBRG0weEtnU1hMcFQycnJzUnJ2OFllRXFvZTRMaQpDOFd6RjZZRlh1U3RHR1E4SXlxbjdPaTN5aVU2WFc3OTl2cFpIeHJlaERYaytDalZuU0ZXWkVPUHg3cENpam9SCnlXb0gyUmR6QVpQczdVdVJWOUdGWWFQeHRudmttNVdVZDVTdWVCNlMxT2E4dVZ3UnpyeXl6WkRjdG0xdWs1VjIKUE0zLzFqbFJMbFJzTWxSeHdZUDRzaFMzVlhjTkdGYjkvbzkvTjkzbitKZUFpSGd4YU5pQjN6YVV0a05XWWs0Vgozang2d0psTythOUNxdGJJeXg2ZzdyTHhOanVqRFpRZTZGcUdsMzVkVDR5MHA2UmVuUWQ4b1p5aWw3dlpqSkJaCjluTWRJblMyU05wWUZFclBsb25rdXNZKzZsam9TbFNLMXVSRmd2S3dzeGE3RmROMXZWSnRJQk9qdVJzSk9DaHYKOTB2K0ZEQWwxSnNZVUNPUnByUmtMWXB2TWI4Q1BZaUlzb3JmTUdKNnI3NktYUEIzRS9xejRmaWJ1UmZVeWJxMgp5eGxRTVJKb216d1BPemUrbWRQUU5Hd3VTTjU0VnByYXhoNGFpcWtaUVBsSWpRb1dFaFVKRWxMb0NtQXZ4TmtxCmRBcVZJMXZ3cS9FRXFBTEh3amJKRXIwQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
+    X-Smaak-Identifier: service-provider-public
+    X-Smaak-Psk: 917e5f9bcf6d7c20a338d8a39bbf79ef
+    X-Smaak-Expires: 1435225695
+    X-Smaak-Nonce: 7211840395
+    X-Smaak-Encrypt: false
+    Content-Type: text/plain
+    Content-Length: 20
+    ... (redacted)
+    {"index1":"data1"}
+
+### Encrypted
+    POST http://service-provider-internal:9393/secure-service HTTP/1.1
+    Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+    Accept: */*
+    User-Agent: Ruby
+    Authorization: Signature keyId="rsa-key-1",algorithm="rsa-sha256", headers="host date digest x-smaak-recipient x-smaak-identifier x-smaak-psk x-smaak-expires x-smaak-nonce x-smaak-encrypt content-length", signature="Y9v95p/rUAp3mmrZHKKvc4FVcDkCQuBVqArvhu70REQrIuHjJ2HDdS2xcQc1t41Ff+lRhO1aWf60cd+Be+1Q/8qsm5G35S66R9sQVr79h/zXovsimWw+GWmHj/d2RecgvGC9SXLRLchPSibYWiV1H5UlkCSqZEYevwFf17LlAk6mRVvFzcB50F+mYglcAFMQhFQI68JMN6CJWUrp09q5DH44WlsaCwUdmbn7pVAnbO6z45OtHPBjVoHtSFkGeFqhndkSRiXWrd9joXPqCb4VRUNG+NZk/9gU17yxkg63cheurf29EmRjAMDkP3nd/VGseOjNzm6MHjdgF9qrQxoQLleNb/lZcZB/ldCimR3AV0thu21NcSpOr1dIlKZX0oyiUOijPXCjXiOEtfO2wqsRk42c8b8nLJJUnFoDvWLQrY7ZFWnzeuu6OPVZQELcSsXokssz8Wsa+RjWo4HoQzfRi12/P1fDZVgj5EkNfUK/R/3ROR11XqdRaIiSXU8SIkof7iCe/2nGOLQNDmhQB6DWKRbN6Sl6bKB00Wto0t1yeeDyLcTrCDmJpKGS3L8hC671cT2f8nv4zHeDZUCqEVdvbcpbOILh9BxoxtLkhOhoAamdebOeOESDQEHwPvXHg9e46cQjGkdMxNgO/CyhSzVM6I5P60Sbn6ppHgsZ5w8ymPA="
+    Host: service-provider-internal
+    Date: 2015-06-25 09:45:34 GMT
+    Digest: SHA-256=3f4502e658dd304d4cd1004a83935ede11692751011a410134ba861a1b55df92
+    X-Smaak-Recipient: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFxL2tiYjdBNWllQWV1WlBBVnI3MAo5cjl1TkFzc2dmYkdjeGMzZTc3RDNndkY4U2tzbURNQmQyTUt5TUh0ZjBrM1pqSVdZemJJVG5jQXM1Nnd4cmRSClhiVHpIZnhjMll1dDMwd0ljR2YvUVk4ZTJXNmdMWko4aVM3MXlYb0JQNFpEc2lLSXd4ajFsenYyVFlXWnNSL3EKd28xSzBxZ1NzOXJJVEVkWDVqampycHBYWTdobHNPMGVKQ2JBRG0weEtnU1hMcFQycnJzUnJ2OFllRXFvZTRMaQpDOFd6RjZZRlh1U3RHR1E4SXlxbjdPaTN5aVU2WFc3OTl2cFpIeHJlaERYaytDalZuU0ZXWkVPUHg3cENpam9SCnlXb0gyUmR6QVpQczdVdVJWOUdGWWFQeHRudmttNVdVZDVTdWVCNlMxT2E4dVZ3UnpyeXl6WkRjdG0xdWs1VjIKUE0zLzFqbFJMbFJzTWxSeHdZUDRzaFMzVlhjTkdGYjkvbzkvTjkzbitKZUFpSGd4YU5pQjN6YVV0a05XWWs0Vgozang2d0psTythOUNxdGJJeXg2ZzdyTHhOanVqRFpRZTZGcUdsMzVkVDR5MHA2UmVuUWQ4b1p5aWw3dlpqSkJaCjluTWRJblMyU05wWUZFclBsb25rdXNZKzZsam9TbFNLMXVSRmd2S3dzeGE3RmROMXZWSnRJQk9qdVJzSk9DaHYKOTB2K0ZEQWwxSnNZVUNPUnByUmtMWXB2TWI4Q1BZaUlzb3JmTUdKNnI3NktYUEIzRS9xejRmaWJ1UmZVeWJxMgp5eGxRTVJKb216d1BPemUrbWRQUU5Hd3VTTjU0VnByYXhoNGFpcWtaUVBsSWpRb1dFaFVKRWxMb0NtQXZ4TmtxCmRBcVZJMXZ3cS9FRXFBTEh3amJKRXIwQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
+    X-Smaak-Identifier: service-provider-public
+    X-Smaak-Psk: 917e5f9bcf6d7c20a338d8a39bbf79ef
+    X-Smaak-Expires: 1435225536
+    X-Smaak-Nonce: 1443964335
+    X-Smaak-Encrypt: true
+    Content-Type: text/plain
+    Content-Length: 684
+    ... (redacted)
+    fBkLECsy+UXmfx08eoFf45dtRgzkOCsoH2yh3CjsnSpiPKuXz+O5KVYvM/VpWrtYs11h5rwl563wwDoLuSQLgWzeiNoyJ4jttqcawVLG+
 
-This gem is sponsored by Hetzner (Pty) Ltd - http://hetzner.co.za
 
 ## Installation
 
@@ -18,52 +127,6 @@ Or install it yourself as:
 
     $ gem install smaak
 
-## Use cases
-
-This gem and mechanism attempts to alleviate the following attacks and concerns for inter-service communication. This is not a public client/server mechanism.
-
-Man-in-the-middle attack:
-
-Use this gem to communicate inside an HTTPS tunnel that you trust. For internal private networks, place a secure CA on your network.
-
-Masquerading:
-
-Each association made requires messages to be signed using that association's keypair.
-
-Forgery:
-
-The indentity of the requestor is signed. The HTTP headers, URL and body / querystring is not. Authorization is left to a service that understands the identity and its permissions.
-
-Replay:
-
-The request is signed with an expiry and a nonce.
-
-## Extending
-
-Designing for future protocol security requirements. The nonce and expiry becomes an optional feature (timestamp header signed could replace these). Passing in a RequestData object for signing, and a RequestSigningValidator object that validates the data content includes all that is required for security, allows us to, in future, cater for man-in-the-middle attacks as well if, for example, the validator requires timestamp, url, form data/querystring, method, etc. to be in the data. If this is all signed, a device in the middle cannot modify the request without the source's private key, and man-in-the-middle is defeated.
-
-Though arbitrary data can be added for signature and an arbitrary validator provided to ensure the data and headers required are included for signing on request, on the server side the payload is not automatically checked by the Smaak::Server class. Ensure after verification of signature that you look in message_data['data'] and verify your payload has what you require to prove no man-in-the middle modification. This could be automated in a future release.
-
-## Usage
-
-Inject your certs and pre-shared keys from the environment, or configuration files or configuration service, etc. User your HTTP library of choice.
-
-### Client
-
-    client = Smaak::Client.new
-    client.set_identity('service-provider-public')
-    client.set_private_key(File.read '/home/ubuntu/secure/service-provider-public.pem')
-    client.add_association('service-provider-internal', File.read('/home/ubuntu/secure/service-provider-internal-pub.pem'), 'pre-shared-key')
-
-    response = Unirest.get "http://service-provider-internal:9393/secure-service", headers:{ "Authorization" => client.build_auth_header('service-provider-internal') }, parameters:{ :someparam => 'somevalue'] }
-
-### Server
-
-    server = Smaak::Server.new
-    server.set_public_key(File.read('/home/ubuntu/secure/service-provider-internal-pub.pem'))
-    server.add_association('service-provider-public', File.read('/home/ubuntu/secure/service-provider-public-pub.pem'), 'pre-shared-key')
-    requestor = server.verify_signed_request(request)
-
 ## Contributing
 
   Please send feedback and comments to the author at:
@@ -72,8 +135,4 @@ Inject your certs and pre-shared keys from the environment, or configuration fil
 
   Thanks to Sheldon Hearn for review and great ideas that unblocked complex challenges (https://rubygems.org/profiles/sheldonh).
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+  This gem is sponsored by Hetzner (Pty) Ltd - http://hetzner.co.za

data/lib/smaak/adaptors/net_http_adaptor.rb

@@ -0,0 +1,43 @@
+require 'smaak'
+require 'smaak/utils'
+require 'uri'
+
+module Smaak
+  class NetHttpAdaptor
+    attr_reader :request
+
+    def initialize(request)
+      raise ArgumentError.new("Must provide a Net::HTTPRequest") if not request.is_a? Net::HTTPRequest
+      @request = request
+    end
+
+    def set_header(header, value)
+      raise ArgumentError.new("Header must be a non-blank string") if not Smaak::Utils::non_blank_string?(header)
+      @request[header] = value
+    end
+
+    def each_header(&block)
+      @request.each_header(&block)
+    end
+
+    def host
+      URI.parse(@request.path).host
+    end
+
+    def path
+      URI.parse(@request.path).path
+    end
+
+    def method
+      @request.method
+    end
+
+    def body
+      @request.body
+    end
+
+    def body=(body)
+      @request.body = body
+    end
+  end
+end

data/lib/smaak/adaptors/rack_adaptor.rb

@@ -0,0 +1,32 @@
+require 'smaak'
+require 'uri'
+
+module Smaak
+  class RackAdaptor
+    attr_reader :request
+
+    def initialize(request)
+      raise ArgumentError.new("Must provide a Net::HTTPRequest") if not request.is_a? Rack::Request
+      @request = request
+    end
+
+    def header(header)
+      raise ArgumentError.new("Header must be a non-blank string") if not Smaak::Utils::non_blank_string?(header)
+      return value = @request.env["CONTENT_LENGTH"] if header == "content-length"
+      return value = @request.env["REQUEST_METHOD"] if header == "request-method"
+      return @request.env["HTTP_#{header.upcase.gsub("-", "_")}"]
+    end
+  
+    def method
+      @request.env["REQUEST_METHOD"]
+    end
+
+    def path
+      @request.env["PATH_INFO"]
+    end
+
+    def body
+      @request.body
+    end
+  end
+end

data/lib/smaak/associate.rb

@@ -11,10 +11,8 @@ module Smaak
       @token_life = Smaak::DEFAULT_TOKEN_LIFE
     end
 
-    def add_association(identity, key, psk)
-      the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
-      raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
-      @association_store[identity] = { 'public_key' => the_key, 'psk' => psk }
+    def set_key(key)
+      @key = adapt_rsa_key(key)
 
       rescue OpenSSL::PKey::RSAError
         raise ArgumentError.new("Key needs to be valid")
@@ -25,15 +23,23 @@ module Smaak
       @token_life = token_life
     end
 
-    def set_key(key)
+    def add_association(identifier, key, psk, encrypt = false)
       the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
       raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
-      @key = the_key
+      @association_store[identifier] = { 'public_key' => the_key, 'psk' => psk, 'encrypt' => encrypt }
 
       rescue OpenSSL::PKey::RSAError
         raise ArgumentError.new("Key needs to be valid")
     end
 
+    protected
+
+    def adapt_rsa_key(key)
+      the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
+      raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
+      the_key
+    end
+
     private
 
     def validate_key(key)

data/lib/smaak/auth_message.rb

@@ -1,57 +1,69 @@
+require 'smaak/crypto'
+
 module Smaak
   class AuthMessage
-    attr_reader :message
-    attr_reader :message_data
-    attr_reader :identity
+    attr_reader :identifier
     attr_reader :nonce
+    attr_reader :recipient
+    attr_reader :psk
+    attr_reader :expires
+    attr_reader :encrypt
+
+    def self.create(recipient_public_key, psk, token_life, identifier, encrypt = false)
+      nonce = Smaak::Crypto::generate_nonce
+      expires = Time.now.to_i + token_life
+      #Must obfuscate PSK. AuthMessage must always have an obfuscated PSK
+      psk = Smaak::Crypto::obfuscate_psk(psk)
+      AuthMessage::build(recipient_public_key, psk, expires, identifier, nonce, encrypt)
+    end
 
-    def initialize(message)
-      raise ArgumentError.new("Message not specified") if message.nil?
-      @message = message.dup
-      @message.freeze
-      begin
-        @message_data = JSON.parse(Base64.decode64(message))
-        @message_data.freeze
-      rescue => ex
-        raise ArgumentError.new("Message must have valid message data")
-      end
-      raise ArgumentError.new("Message must have a valid expiry set") if not validate_expiry
-      @identity = @message_data['identity']
-      @identity.freeze
-      raise ArgumentError.new("Message must have a valid identity set") if @identity.nil? or @identity.empty?
-      @nonce = @message_data['nonce']
+    def self.build(recipient_public_key, psk, expires, identifier, nonce, encrypt = false)
+      #No need to obfuscate PSK. Off the wire we should always expect an obfuscated PSK
+      AuthMessage.new(identifier, nonce, expires, psk, recipient_public_key, encrypt)
+    end
+
+    def initialize(identifier, nonce, expires, psk, recipient_public_key, encrypt)
+      raise ArgumentError.new("Message must have a valid identifier set") if identifier.nil? or identifier.empty?
+      @identifier = identifier
+      @identifier.freeze
+
+      raise ArgumentError.new("Message must have a valid nonce set") if not validate_nonce(nonce)
+      @nonce = nonce
       @nonce.freeze
-      raise ArgumentError.new("Message must have a valid nonce") if not validate_nonce(@nonce)
+
+      @recipient = recipient_public_key
+      @psk = psk
+
+      raise ArgumentError.new("Message must have a valid expiry set") if not validate_expiry(expires)
+      @expires = expires
+      set_encrypt(encrypt)
     end
 
-    def expired?
-      @message_data['expires'].to_i < Time.now.to_i
+    def set_encrypt(encrypt)
+      @encrypt = false
+      @encrypt = true if encrypt == "true" or encrypt == true
     end
 
-    def signature_ok?(signature, pubkey)
-      return false if signature.nil?
-      return false if pubkey.nil?
-      digest = OpenSSL::Digest::SHA256.new
-      pubkey.verify(digest, signature, @message)
+    def expired?
+      @expires.to_i < Time.now.to_i
     end
 
     def psk_match?(psk)
       return false if psk.nil?
-      return false if @message_data['psk'].nil?
-      @message_data['psk'] == psk
+      return false if @psk.nil?
+      @psk == Smaak::Crypto::obfuscate_psk(psk)
     end
 
     def intended_for_recipient?(pubkey)
       return false if pubkey.nil?
-      return false if @message_data['recipient'].nil?
-      @message_data['recipient'] == pubkey
+      return false if @recipient.nil?
+      @recipient == pubkey
     end
 
-    def verify(signature, pubkey, psk)
+    def verify(psk)
       return false if expired?
-      return false if not signature_ok?(signature, pubkey)
-      return false if not psk_match?(Smaak::obfuscate_psk(psk))
-      identity
+      return false if not psk_match?(psk)
+      true
     end
 
     private
@@ -60,14 +72,18 @@ module Smaak
       return false if nonce.nil?
       return false if nonce.to_i == 0
       true
+
+      rescue
+        false
     end
 
-    def validate_expiry
-      return false if @message_data.nil?
-      return false if not @message_data.is_a? Hash
-      return false if @message_data['expires'].nil?
-      return false if not (@message_data['expires'].to_i > 0)
+    def validate_expiry(expires)
+      return false if expires.nil?
+      return false if not (expires.to_i > 0)
       true
+
+      rescue
+        false
     end
   end
 end

data/lib/smaak/cavage_04.rb

@@ -0,0 +1,84 @@
+require 'smaak'
+
+module Smaak
+  class Cavage04
+    SPECIFICATION = "https://datatracker.ietf.org/doc/draft-cavage-http-signatures/04/" unless defined? SPECIFICATION; SPECIFICATION.freeze
+    attr_reader :adaptor
+    attr_reader :headers_to_be_signed
+
+    def initialize(adaptor)
+      raise ArgumentError.new("Must provide a valid request adaptor") if adaptor.nil?
+      @adaptor = adaptor
+      @headers_to_be_signed = Smaak::Cavage04::headers_to_be_signed + Smaak::headers_to_be_signed
+    end
+  
+    def self.headers_to_be_signed
+      [ "(request-target)",
+        "host",
+        "date",
+        "digest",
+        "content-length" ]
+    end
+
+    def compile_auth_header(signature)
+      raise ArgumentError.new("invalid signature") if not Smaak::Utils::non_blank_string?(signature)
+      ordered_headers = ""
+      @adaptor.each_header do |header, value|
+        ordered_headers = "#{ordered_headers} #{header}" if @headers_to_be_signed.include?(header)
+      end
+      ordered_headers = ordered_headers[1..ordered_headers.size]
+      @adaptor.set_header("authorization", "Signature keyId=\"rsa-key-1\",algorithm=\"rsa-sha256\", headers=\"#{ordered_headers}\", signature=\"#{signature}\"")
+    end
+
+    def compile_signature_headers(auth_message)
+      body = @adaptor.body.nil? ? "" : @adaptor.body
+      @adaptor.set_header("authorization", "")
+      @adaptor.set_header("host", "#{@adaptor.host}")
+      @adaptor.set_header("date", "#{gmt_now}")
+      @adaptor.set_header("digest", "SHA-256=#{Digest::SHA256.hexdigest(body)}")
+      @adaptor.set_header("x-smaak-recipient", "#{Smaak::Crypto::encode64(auth_message.recipient)}")
+      @adaptor.set_header("x-smaak-identifier", "#{auth_message.identifier}")
+      @adaptor.set_header("x-smaak-psk", "#{auth_message.psk}")
+      @adaptor.set_header("x-smaak-expires", "#{auth_message.expires}")
+      @adaptor.set_header("x-smaak-nonce", "#{auth_message.nonce}")
+      @adaptor.set_header("x-smaak-encrypt", "#{auth_message.encrypt}")
+      @adaptor.set_header("content-type", "text/plain")
+      @adaptor.set_header("content-length", "#{body.size}")
+
+      signature_headers = ""
+      @adaptor.each_header do |header, value|
+        signature_headers = append_header(signature_headers, "#{header}: #{value}") if @headers_to_be_signed.include? header
+      end
+      signature_headers = prepend_header("(request-target)", "#{@adaptor.method.downcase} #{@adaptor.path}", signature_headers)
+    end
+
+    def extract_signature_headers
+      @adaptor.header("authorization") =~ /headers=\"([^"]*)\",/
+      headers_order = $1.split(' ')
+  
+      signature_headers = ""
+      headers_order.each do |header|
+        signature_headers = append_header(signature_headers, "#{header}: #{@adaptor.header(header)}")
+      end
+      signature_headers = prepend_header("(request-target)", "#{@adaptor.method.downcase} #{@adaptor.path}", signature_headers)
+    end
+
+    def extract_signature
+      @adaptor.header("authorization") =~ /signature=\"([^"]*)\"/
+      $1
+    end
+    private
+
+    def gmt_now
+      Time.now.gmtime.to_s.gsub("UTC", "GMT")
+    end
+
+    def append_header(header_list, header)
+      header_list = "#{header_list}\n#{header}"
+    end
+
+    def prepend_header(header, value, signature_headers)
+      "#{header}: #{value}#{signature_headers}"
+    end
+  end
+end

data/lib/smaak/client.rb

@@ -1,41 +1,58 @@
+require 'uri'
 require 'smaak.rb'
 require 'smaak/associate.rb'
-require 'smaak/request_signing_validator.rb'
+require 'smaak/auth_message.rb'
 
 module Smaak
   class Client < Associate
-    attr_accessor :identity
-    attr_accessor :private_key
+    attr_reader :identifier
 
     def set_private_key(key)
       set_key(key)
     end
 
-    def set_identity(identity)
-      @identity = identity
+    def set_identifier(identifier)
+      raise ArgumentError.new("Invalid identifier") if not Smaak::Utils::non_blank_string?(identifier)
+      @identifier = identifier
     end
 
-    def build_auth_header(associate_identity,
-                          request_signing_data = {},
-                          request_signing_data_validator = RequestSigningValidator.new)
-      raise ArgumentError.new("Associate invalid") if not validate_associate(associate_identity)
-      request_signing_data_validator.validate(request_signing_data)
-      associate = @association_store[associate_identity]
-      message_data = Smaak::compile_auth_message_data(associate['public_key'], associate['psk'], @token_life, @identity, request_signing_data)
-      signature = Smaak::sign_message_data(message_data, @key)
-      #TBD add request_signing_data approved by validator here
-      message = Smaak::build_message(message_data)
-      auth_body = { 'message' => message,
-                    'signature' => Base64.encode64(signature) }
-      auth = auth_body.to_json
+    def sign_request(associate_identifier, adaptor)
+      raise ArgumentError.new("Associate invalid") if not validate_associate(associate_identifier)
+      associate = @association_store[associate_identifier]
+      raise ArgumentError.new("Invalid adaptor") if adaptor.nil?
+      auth_message = Smaak::AuthMessage.create(associate['public_key'].export, associate['psk'], @token_life, @identifier, associate['encrypt'])
+      adaptor.body = Smaak::Crypto::encrypt(adaptor.body, associate['public_key']) if auth_message.encrypt
+      adaptor = Smaak::sign_authorization_headers(@key, auth_message, adaptor, Smaak::Cavage04::SPECIFICATION)
+    end
+
+    def get(identifier, uri, body, ssl = false, ssl_verify = OpenSSL::SSL::VERIFY_PEER)
+      connect(Net::HTTP::Get, identifier, uri, body, ssl, ssl_verify)
+    end
+
+    def post(identifier, uri, body, ssl = false, ssl_verify = OpenSSL::SSL::VERIFY_PEER)
+      connect(Net::HTTP::Post, identifier, uri, body, ssl, ssl_verify)
     end
 
     private
 
-    def validate_associate(associate_identity)
-      return false if associate_identity.nil?
-      return false if @association_store[associate_identity].nil?
+    def validate_associate(associate_identifier)
+      return false if associate_identifier.nil?
+      return false if @association_store[associate_identifier].nil?
       true
     end
+
+    def connect(connector, identifier, uri, body, ssl, ssl_verify)
+      url = URI.parse(uri)
+      http = Net::HTTP.new(url.host, url.port)
+      http.use_ssl = ssl
+      http.verify_mode = ssl_verify
+      req = connector.new(url.to_s)
+      req.body = body
+      adaptor = Smaak::create_adaptor(req)
+      req = (sign_request(identifier, adaptor)).request
+      response = http.request(req)
+      response.body = Smaak::Crypto::decrypt(response.body, @key) if @association_store[identifier]['encrypt']
+      response
+    end
   end
 end

data/lib/smaak/crypto.rb

@@ -0,0 +1,45 @@
+module Smaak
+  class Crypto
+    def self.obfuscate_psk(psk)
+      Digest::MD5.hexdigest(psk.reverse)
+    end
+
+    def self.generate_nonce
+      SecureRandom::random_number(10000000000)
+    end
+
+    def self.encode64(data)
+      Base64.strict_encode64(data)
+    end
+
+    def self.decode64(data)
+      Base64.strict_decode64(data)
+    end
+
+    def self.sign_data(data, private_key)
+      digest = OpenSSL::Digest::SHA256.new
+      private_key.sign(digest, Smaak::Crypto::encode64(data))
+    end
+
+    def self.verify_signature(signature, data, public_key)
+      digest = OpenSSL::Digest::SHA256.new
+      public_key.verify(digest, signature, data)
+    end
+
+    def self.encrypt(data, public_key)
+      Base64.strict_encode64(public_key.public_encrypt(data))
+    end
+
+    def self.decrypt(data, private_key)
+      private_key.private_decrypt(Base64.strict_decode64(data))
+    end
+
+    def self.sink(stream)
+     data = ""
+     while t = stream.gets do
+       data = data + t
+     end
+     data
+    end
+  end
+end