smaak 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b213ebcf6f507b5c7ecd8b92bc4ea8c5d38a9f1f
+  data.tar.gz: 951d7a6c199366cabbc88d386f7e05adcfbb3fe7
+SHA512:
+  metadata.gz: 2022526d04a845e57d9d8837ed3105ae31c17d7e5fbab4ac2a5cc154c6c733f82c174ad958fae1beed1b4e38f36a5bac16f889f687b391cbd000301f1e99ad2f
+  data.tar.gz: 43307e566b241328de13db9a69d07cdd3ae1ce697d25ab18c4cc884941772d82d1d4cdb44a25c7f6930e838cf8741ecd2d61fbe9fff099891446004acfe27130

data/.gitignore

@@ -0,0 +1,3 @@
+coverage
+Gemfile.lock
+*swp

data/.ruby-gemset

@@ -0,0 +1 @@
+smaak

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.0.0-p451

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in smaak.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Ernst van Graan
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Smaak
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'smaak'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install smaak
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/smaak/associate.rb

@@ -0,0 +1,53 @@
+require 'persistent-cache'
+
+module Smaak
+  class Associate
+    attr_reader :association_store
+    attr_reader :token_life
+    attr_reader :key
+
+    def initialize
+      @association_store = Persistent::Cache.new("association_store", nil, Persistent::Cache::STORAGE_RAM)
+      @token_life = Smaak::DEFAULT_TOKEN_LIFE
+    end
+
+    def add_association(identity, key, psk)
+      the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
+      raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
+      @association_store[identity] = { 'public_key' => the_key, 'psk' => psk }
+
+      rescue OpenSSL::PKey::RSAError
+        raise ArgumentError.new("Key needs to be valid")
+    end
+
+    def set_token_life(token_life)
+      raise ArgumentError.new("Token life has to be a positive number of seconds") if not validate_token_life(token_life)
+      @token_life = token_life
+    end
+
+    def set_key(key)
+      the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
+      raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
+      @key = the_key
+
+      rescue OpenSSL::PKey::RSAError
+        raise ArgumentError.new("Key needs to be valid")
+    end
+
+    private
+
+    def validate_key(key)
+      return false if key.nil?
+      return false if key.is_a? String and key.empty?
+      return false if not key.is_a? OpenSSL::PKey::RSA
+      true
+    end
+
+    def validate_token_life(token_life)
+      return false if token_life.nil?
+      return false if not token_life.is_a? Integer
+      return false if not token_life > 0
+      true
+    end
+  end
+end

data/lib/smaak/auth_message.rb

@@ -0,0 +1,74 @@
+module Smaak
+  class AuthMessage
+    attr_reader :message
+    attr_reader :message_data
+    attr_reader :identity
+    attr_reader :nonce
+
+    def initialize(message)
+      raise ArgumentError.new("Message not specified") if message.nil?
+      @message = message.dup
+      @message.freeze
+      begin
+        @message_data = JSON.parse(Base64.decode64(message))
+        @message_data.freeze
+      rescue => ex
+        raise ArgumentError.new("Message must have valid message data")
+      end
+      raise ArgumentError.new("Message must have a valid expiry set") if not validate_expiry
+      @identity = @message_data['identity']
+      @identity.freeze
+      raise ArgumentError.new("Message must have a valid identity set") if @identity.nil? or @identity.empty?
+      @nonce = @message_data['nonce']
+      @nonce.freeze
+      raise ArgumentError.new("Message must have a valid nonce") if not validate_nonce(@nonce)
+    end
+
+    def expired?
+      @message_data['expires'].to_i < Time.now.to_i
+    end
+
+    def signature_ok?(signature, pubkey)
+      return false if signature.nil?
+      return false if pubkey.nil?
+      digest = OpenSSL::Digest::SHA256.new
+      pubkey.verify(digest, signature, @message)
+    end
+
+    def psk_match?(psk)
+      return false if psk.nil?
+      return false if @message_data['psk'].nil?
+      @message_data['psk'] == psk
+    end
+
+    def intended_for_recipient?(pubkey)
+      return false if pubkey.nil?
+      return false if @message_data['recipient'].nil?
+      @message_data['recipient'] == pubkey
+    end
+
+    def verify(signature, pubkey, psk)
+      return false if expired?
+      return false if not signature_ok?(signature, pubkey)
+      return false if not psk_match?(Smaak::obfuscate_psk(psk))
+      return false if not intended_for_recipient?(pubkey.export)
+      identity
+    end
+
+    private
+
+    def validate_nonce(nonce)
+      return false if nonce.nil?
+      return false if nonce.to_i == 0
+      true
+    end
+
+    def validate_expiry
+      return false if @message_data.nil?
+      return false if not @message_data.is_a? Hash
+      return false if @message_data['expires'].nil?
+      return false if not (@message_data['expires'].to_i > 0)
+      true
+    end
+  end
+end

data/lib/smaak/client.rb

@@ -0,0 +1,33 @@
+module Smaak
+  class Client < Associate
+    attr_accessor :identity
+    attr_accessor :private_key
+
+    def set_private_key(key)
+      set_key(key)
+    end
+
+    def set_identity(identity)
+      @identity = identity
+    end
+
+    def build_auth_header(associate_identity)
+      raise ArgumentError.new("Associate invalid") if not validate_associate(associate_identity)
+      associate = @association_store[associate_identity]
+      message_data = Smaak::compile_auth_message_data(associate['public_key'], associate['psk'], @token_life, @identity)
+      signature = Smaak::sign_message_data(message_data, @key)
+      message = Smaak::build_message(message_data)
+      auth_body = { 'message' => message,
+                    'signature' => Base64.encode64(signature) }
+      auth = auth_body.to_json
+    end
+
+    private
+
+    def validate_associate(associate_identity)
+      return false if associate_identity.nil?
+      return false if @association_store[associate_identity].nil?
+      true
+    end
+  end
+end

data/lib/smaak/server.rb

@@ -0,0 +1,33 @@
+require 'smaak/associate.rb'
+
+module Smaak
+  class Server < Associate
+    attr_accessor :nonce_store
+    attr_accessor :public_key
+
+    def initialize
+      super
+      @nonce_store = Persistent::Cache.new("nonce_store", @token_life, Persistent::Cache::STORAGE_RAM)
+    end
+
+    def set_public_key(key)
+      set_key(key)
+    end
+
+    def auth_message_unique?(auth_message)
+      if nonce_store[auth_message.nonce].nil?
+        nonce_store[auth_message.nonce] = 1
+        return true
+      end
+      false
+    end
+
+    def verify_auth_message(auth_message, signature)
+      return false if not auth_message_unique?(auth_message)
+      identity = auth_message.identity
+      pubkey = @association_store[identity]['public_key']
+      psk = @association_store[identity]['psk']
+      auth_message.verify(signature, pubkey, psk)
+    end
+  end
+end

data/lib/smaak/version.rb

@@ -0,0 +1,3 @@
+module Smaak
+  VERSION = "0.0.1"
+end

data/lib/smaak.rb

@@ -0,0 +1,33 @@
+require "smaak/version"
+
+require 'openssl'
+
+module Smaak
+  DEFAULT_TOKEN_LIFE = 2 unless defined? DEFAULT_TOKEN_LIFE; DEFAULT_TOKEN_LIFE.freeze
+
+  def self.obfuscate_psk(psk)
+    Digest::MD5.hexdigest(psk.reverse)
+  end
+
+  def self.build_message(message_data)
+    Base64.encode64(message_data.to_json)
+  end
+
+  def self.sign_message_data(message_data, private_key)
+    digest = OpenSSL::Digest::SHA256.new
+    private_key.sign(digest, Smaak::build_message(message_data))
+  end
+
+  def self.generate_nonce
+    SecureRandom::random_number(10000000000)
+  end
+
+  def self.compile_auth_message_data(recipient_public_key, recipient_psk, token_life, identity)
+    { 'recipient' => recipient_public_key.export,
+      'identity' => identity,
+      'psk' => Smaak::obfuscate_psk(recipient_psk),
+      'expires' => Time.now.to_i + token_life,
+      'nonce' => Smaak::generate_nonce }
+  end
+end
+

data/smaak.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'smaak/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "smaak"
+  spec.version       = Smaak::VERSION
+  spec.authors       = ["Ernst van Graan"]
+  spec.email         = ["ernst.van.graan@hetzner.co.za"]
+  spec.description   = %q{Signed Message Authentication and Authorization with Key validation}
+  spec.summary       = %q{This gems caters for both client and server side of a signed message interaction over HTTP or HTTPS implementing the RFC2617 Digest Access Authentication. The following compromises are protected against as specified: Man in the middle / snooping (HTTPS turned on), Replay (nonce + expires), Forgery (signature), Masquerading (recipient pub key check), Clear-text password compromise (MD5 pre-shared key)}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.required_ruby_version = '>= 2.0'
+
+  spec.add_dependency "persistent-cache", ">= 0.3.9"
+  spec.add_dependency "unirest"
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "byebug"
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov-rcov'
+  spec.add_development_dependency 'rspec'
+end

data/spec/lib/smaak/associate_spec.rb

@@ -0,0 +1,98 @@
+require './spec/spec_helper.rb'
+require 'smaak'
+
+describe Smaak::Associate do
+  before :all do
+    @test_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_psk = "testpresharedkey"
+    @test_public_key = @test_private_key.public_key
+  end
+
+  before :each do
+    @iut = Smaak::Associate.new
+  end
+
+  context "when initialized" do
+    it "should have an association store" do
+      expect(@iut.association_store.class).to eq(Persistent::Cache)
+    end
+    it "should default to DEFAULT_TOKEN_LIFE if a token life is not provided" do
+      expect(@iut.token_life).to eq(Smaak::DEFAULT_TOKEN_LIFE)
+    end
+  end
+
+  context "when given its own key" do
+    it "should remember its own key" do
+      @iut.set_key(@test_public_key)
+      expect(@iut.key).to eq(@test_public_key)
+    end
+
+    it "should convert its own key from string to RSA if given a string" do
+      @iut.set_key(@test_public_key.export)
+      expect(@iut.key.export).to eq(@test_public_key.export)
+    end
+
+    it "should raise an ArgumentError if the key is not a valid key" do
+      error = "Key needs to be valid"
+      expect {
+        @iut.set_key(nil)
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.set_key(1)
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.set_key("")
+      }.to raise_error ArgumentError, error
+    end
+  end
+
+  context "when given a token life" do
+    it "should remember a token life provided" do
+      @iut.set_token_life(6)
+      expect(@iut.token_life).to eq(6)
+    end
+
+    it "should raise an ArgumentError if the token life provided is not a valid number > 0" do
+      error = "Token life has to be a positive number of seconds"
+      expect {
+        @iut.set_token_life(nil)
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.set_token_life(0)
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.set_token_life(-1)
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.set_token_life("1")
+      }.to raise_error ArgumentError, error
+    end
+  end
+
+  context "when told about an association" do
+    error = "Key needs to be valid"
+    it "should raise an ArgumentError if the association does not have a valid key" do
+      expect {
+        @iut.add_association("test", nil, "psk")
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.add_association("test", 1, "psk")
+      }.to raise_error ArgumentError, error
+      expect {
+        @iut.add_association("test", "", "psk")
+      }.to raise_error ArgumentError, error
+    end
+
+    it "should remember the association's name, public key and pre-shared key" do
+      @iut.add_association("test", @test_public_key, @test_psk)
+      expect(@iut.association_store["test"].nil?).to eq(false)
+      expect(@iut.association_store["test"]["public_key"]).to eq(@test_public_key)
+      expect(@iut.association_store["test"]["psk"]).to eq(@test_psk)
+    end
+
+    it "should convert string keys into RSA keys" do
+      @iut.add_association("test", @test_public_key.export, @test_psk)
+      expect(@iut.association_store["test"]["public_key"].export).to eq(@test_public_key.export)
+    end
+  end
+end

data/spec/lib/smaak/auth_message_spec.rb

@@ -0,0 +1,238 @@
+require './spec/spec_helper.rb'
+require 'smaak'
+
+describe Smaak::AuthMessage do
+  before :all do
+    @test_nonce = 1234567890
+    @test_server_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_psk = "testpresharedkey"
+    @test_server_public_key = @test_server_private_key.public_key
+    @test_identity = 'test-service'
+  end
+
+  before :each do
+    @test_message_data = { 'recipient' => @test_server_public_key.export,
+                           'identity' => @test_identity,
+                           'psk' => Smaak::obfuscate_psk(@test_psk),
+                           'expires' => Time.now.to_i + 10,
+                           'nonce' => @test_nonce }
+    @test_message = Smaak::build_message(@test_message_data)
+
+    @iut = Smaak::AuthMessage.new(@test_message)
+  end
+
+  context "when initialized" do
+    it "should raise an ArgumentError if no message is provided" do
+      expect {
+        Smaak::AuthMessage.new(nil)
+      }.to raise_error ArgumentError, "Message not specified"
+    end
+
+    it "should remember the message provided" do
+      expect(@iut.message).to eq(@test_message)
+    end
+
+    it "should unpack the message data using Base64::decode and JSON.parse" do
+      expect(@iut.message_data).to eq(@test_message_data)
+    end
+
+    it "should raise an ArgumentError if the message does not have a valid expiry set" do
+      error = "Message must have a valid expiry set"
+
+      expired_data = @test_message_data.dup
+
+      expect {
+        expired_data['expires'] = ""
+        Smaak::AuthMessage.new(Smaak::build_message(expired_data))
+      }.to raise_error ArgumentError, error
+      expect {
+        expired_data['expires'] = nil
+        Smaak::AuthMessage.new(Smaak::build_message(expired_data))
+      }.to raise_error ArgumentError, error
+      expect {
+        expired_data['expires'] = 'sometimes'
+        Smaak::AuthMessage.new(Smaak::build_message(expired_data))
+      }.to raise_error ArgumentError, error
+    end
+
+    it "should prevent its message from being changed" do
+      expect{
+        @iut.message = ""
+      }.to raise_error NoMethodError
+    end
+
+    it "should prevent its message data from being changed" do
+      expect{
+        @iut.message_data = ""
+      }.to raise_error NoMethodError
+    end
+
+    it "should extract the identity from the message data and remember it" do
+      expect(@iut.identity).to eq("test-service")
+    end
+
+    it "should prevent its identity from being changed" do
+      expect{
+        @iut.identity = ""
+      }.to raise_error NoMethodError
+    end
+
+    it "should raise an ArgumentError if the message does not have a valid nonce set" do
+      error = "Message must have a valid nonce"
+
+      noncense_data = @test_message_data.dup
+
+      expect {
+        noncense_data['nonce'] = "broken"
+        Smaak::AuthMessage.new(Smaak::build_message(noncense_data))
+      }.to raise_error ArgumentError, error
+      expect {
+        noncense_data['nonce'] = nil
+        Smaak::AuthMessage.new(Smaak::build_message(noncense_data))
+      }.to raise_error ArgumentError, error
+      expect {
+        noncense_data['nonce'] = 0
+        Smaak::AuthMessage.new(Smaak::build_message(noncense_data))
+      }.to raise_error ArgumentError, error
+    end
+
+    it "should extract the nonce from the message data and remember it" do
+      expect(@iut.nonce).to eq(@test_nonce)
+    end
+
+    it "should prevent its nonce from being changed" do
+      expect{
+        @iut.nonce = ""
+      }.to raise_error NoMethodError
+    end
+
+    it "should raise an ArgumentError if the message data does not contain an identity" do
+      error = "Message must have a valid identity set"
+      anonymous_data = @test_message_data.dup
+      anonymous_data['identity'] = nil
+      expect {
+        Smaak::AuthMessage.new(Smaak::build_message(anonymous_data))
+      }.to raise_error ArgumentError, error
+      anonymous_data['identity'] = ""
+      expect {
+        Smaak::AuthMessage.new(Smaak::build_message(anonymous_data))
+      }.to raise_error ArgumentError, error
+    end
+  end
+
+  context "when asked if it has expired" do
+    it "should return true if the current timestamp exceeds that of the message expiry" do
+      expired_data = @test_message_data.dup
+      expired_data['expires'] = Time.now - 1
+      iut = Smaak::AuthMessage.new(Smaak::build_message(expired_data))
+      expect(iut.expired?).to eq(true)
+    end
+
+    it "should return false if the current timestamp does not exceed that of the message expiry" do
+      expect(@iut.expired?).to eq(false)
+    end
+  end
+
+  context "when asked if the signature is ok given a signature and public key" do
+    before :each do
+      @test_signature = Smaak::sign_message_data(@test_message_data, @test_server_private_key)
+    end
+
+    it "should return false if the public key provided is not the correct key for the signature" do
+      mismatched = OpenSSL::PKey::RSA.new(4096).public_key
+      expect(@iut.signature_ok?(@test_signature, mismatched)).to eq(false)
+    end
+
+    it "should return false if the signature is nil" do
+      expect(@iut.signature_ok?(nil, @test_server_public_key)).to eq(false)
+    end
+
+    it "should return false if the public key is nil" do
+      expect(@iut.signature_ok?(@test_signature, nil)).to eq(false)
+    end
+
+    it "should return false if OpenSSL cannot verify the message against the signature using the public key" do
+      broken = @test_message_data
+      broken['identity'] = 'suspect-identity'
+      iut = Smaak::AuthMessage.new(Smaak::build_message(broken))
+      expect(iut.signature_ok?(@test_signature, @test_server_public_key)).to eq(false)
+    end
+
+    it "should return true if OpenSSL succesfully verifies message against the signature using the public key" do
+      expect(@iut.signature_ok?(@test_signature, @test_server_public_key)).to eq(true)
+    end
+  end
+
+  context "when asked whether a message's psk matched" do
+    it "should return false if no psk was provided" do
+      expect(@iut.psk_match?(nil)).to eq(false)
+    end
+
+    it "should return false if the message data does not include a psk" do
+      broken = @test_message_data
+      broken['psk'] = nil
+      iut = Smaak::AuthMessage.new(Smaak::build_message(broken))
+      expect(iut.psk_match?(@test_psk)).to eq(false)
+    end
+
+    it "should return false if the PSKs do not match" do
+      expect(@iut.psk_match?("doesnotmatch")).to eq(false)
+    end
+
+    it "should return true if the PSKs do match" do
+      expect(@iut.psk_match?(@test_psk)).to eq(false)
+    end
+  end
+
+  context "when asked whether this message is intended for a recipient, identified by public key" do
+    it "should return false if the recipient does not match the public key specified" do
+      mismatched = OpenSSL::PKey::RSA.new(4096).public_key
+      expect(@iut.intended_for_recipient?(mismatched.export)).to eq (false)
+    end
+
+    it "should return false if the message_data does not include a recipient" do
+      broken = @test_message_data
+      broken['recipient'] = nil
+      iut = Smaak::AuthMessage.new(Smaak::build_message(broken))
+      expect(iut.intended_for_recipient?(@test_server_public_key.export)).to eq (false)
+    end
+
+    it "should return false if the public key is not specified" do
+      expect(@iut.intended_for_recipient?(nil)).to eq (false)
+    end
+
+    it "should return true if the recipient matches the public key specified" do
+      expect(@iut.intended_for_recipient?(@test_server_public_key.export)).to eq (true)
+    end
+  end
+
+  context "when asked to verify the message using a signature" do
+    before :each do
+      @test_signature = Smaak::sign_message_data(@test_message_data, @test_server_private_key)
+    end
+
+    it "should check message expiry return false if the message has expired" do
+      expect(@iut).to(receive(:expired?)).and_return(true)
+      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+    end
+
+    it "should check the signature and return false if not OK" do
+      expect(@iut).to(receive(:signature_ok?)).and_return(false)
+      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+    end
+
+    it "should try and match the PSK and return false if it cannot" do
+      expect(@iut).to(receive(:psk_match?)).and_return(false)
+      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+    end
+
+    it "should ensure the message is intended for this service and return false if it is not" do
+      expect(@iut).to(receive(:intended_for_recipient?)).and_return(false)
+      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+    end
+
+    it "should return the identity specified in the message if the message was successfully verified" do
+      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(@test_identity)
+    end
+  end
+end

data/spec/lib/smaak/client_spec.rb

@@ -0,0 +1,71 @@
+require './spec/spec_helper.rb'
+require 'smaak'
+
+describe Smaak::Client do
+  before :all do
+    @test_service_identity = 'service-to-talk-to'
+    @test_service_psk = 'testsharedsecret'
+    @test_client_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_service_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_service_public_key = @test_service_private_key.public_key
+    @iut = Smaak::Client.new
+    @test_identity = 'test-client'
+    @test_token_life = 5
+    @iut.set_identity(@test_identity)
+    @iut.set_private_key(@test_client_private_key)
+    @iut.set_token_life(@test_token_life)
+    @iut.add_association(@test_service_identity, @test_service_public_key, @test_service_psk)
+  end
+
+  context "when given an identity" do
+    it "should remember an identity provided" do
+      iut = Smaak::Client.new
+      expect(iut.identity).to eq(nil)
+      iut.set_identity('test-client')
+      expect(iut.identity).to eq('test-client')
+    end
+  end
+
+  context "when asked to build an auth header destined for an associate" do
+    it "should raise an ArgumentError if the associate is unknown" do
+      expect{
+        @iut.build_auth_header("unknown")
+      }.to raise_error ArgumentError, "Associate invalid"
+      expect{
+        @iut.build_auth_header(nil)
+      }.to raise_error ArgumentError, "Associate invalid"
+    end
+
+    it "should compile the auth message data using the associate details" do
+      expect(Smaak).to receive(:compile_auth_message_data).with(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity)
+      @iut.build_auth_header(@test_service_identity)
+    end
+
+    it "should build the message" do
+      expect(Smaak).to receive(:generate_nonce).twice().and_return(12345)
+      test_message_data = Smaak::compile_auth_message_data(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity)
+      expect(Smaak).to receive(:build_message).with(test_message_data)
+      expect{
+        @iut.build_auth_header(@test_service_identity)
+      }.to raise_error
+    end
+
+    it "should sign the message" do
+      expect(Smaak).to receive(:generate_nonce).twice().and_return(12345)
+      test_message_data = Smaak::compile_auth_message_data(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity)
+      expect(Smaak).to receive(:sign_message_data).with(test_message_data, @test_client_private_key)
+      expect{
+        @iut.build_auth_header(@test_service_identity)
+      }.to raise_error
+    end
+
+    it "should place the message and its signature (encoded base64) in a JSON dictionary" do
+      expect(Smaak).to receive(:generate_nonce).twice().and_return(12345)
+      test_message_data = Smaak::compile_auth_message_data(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity)
+      test_signature = Smaak::sign_message_data(test_message_data, @test_client_private_key)
+      test_message = Smaak::build_message(test_message_data)
+      test_envelope = { 'message' => test_message, 'signature' => Base64.encode64(test_signature) }.to_json
+      expect(@iut.build_auth_header(@test_service_identity)).to eq(test_envelope)
+    end
+  end
+end

data/spec/lib/smaak/server_spec.rb

@@ -0,0 +1,91 @@
+require './spec/spec_helper.rb'
+require 'smaak'
+
+describe Smaak::Server do
+  before :all do
+    @iut = Smaak::Server.new
+    @iut.set_token_life(2)
+    @test_nonce = 1234567890
+    @test_server_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_psk = "testpresharedkey"
+    @test_server_public_key = @test_server_private_key.public_key
+    @test_identity = 'test-service'
+  end
+
+  before :each do
+    @test_message_data = { 'recipient' => @test_server_public_key.export,
+                           'identity' => @test_identity,
+                           'psk' => Smaak::obfuscate_psk(@test_psk),
+                           'expires' => Time.now.to_i + 10,
+                           'nonce' => @test_nonce }
+    @message = Smaak::AuthMessage.new(Smaak::build_message(@test_message_data))
+    @iut.nonce_store[@test_nonce] = nil
+    expect(@iut.nonce_store[@test_nonce]).to eq(nil)
+  end
+
+  context "when initialized" do
+    it "should have a nonce store" do
+      expect(@iut.nonce_store.class).to eq(Persistent::Cache)
+    end
+
+    it "should not know its own public key" do
+      iut = Smaak::Server.new
+      expect(iut.public_key).to eq(nil)
+    end
+  end
+
+  context "when preventing replay attacks" do
+    it "should forget about nonces older than token_life" do
+      nonces = @iut.nonce_store
+      nonces[@test_nonce] = 1
+      expect(nonces[@test_nonce]).to eq(1)
+      sleep @iut.token_life
+      expect(nonces[@test_nonce]).to eq(nil)
+    end
+
+    it "should remember nonces younger than token_life" do
+      nonces = @iut.nonce_store
+      nonces[@test_nonce] = 1
+      expect(nonces[@test_nonce]).to eq(1)
+      sleep @iut.token_life - 1
+      expect(nonces[@test_nonce]).to eq(1)
+    end
+  end
+
+  context "when asked if a message is unique" do
+    it "should store a nonce once it has seen it" do
+      @iut.auth_message_unique?(@message)
+      expect(@iut.nonce_store[@test_nonce]).to eq(1)
+    end
+
+    it "should return true if the message nonce was not seen in the last token_life period" do
+      expect(@iut.auth_message_unique?(@message)).to eq(true)
+    end
+
+    it "should return false if the message was seen in the last token_life period" do
+      expect(@iut.auth_message_unique?(@message)).to eq(true)
+      expect(@iut.auth_message_unique?(@message)).to eq(false)
+    end
+  end
+
+  context "when asked to verify a message given a signature" do
+    before :each do
+      @signature = Smaak::sign_message_data(@test_message_data, @test_server_private_key)
+      @iut.set_public_key(@test_server_public_key.export)
+      @iut.add_association(@test_identity, @test_server_public_key.export, @test_psk)
+    end
+
+    it "should look up the identity specified in the message and retrieve its public key from the associations store" do
+      expect(@iut.verify_auth_message(@message, @signature)).to eq(@test_identity)
+    end
+
+    it "should look up the identity specified in the message and retrieve its PSK from the associations store" do
+      expect(@iut.verify_auth_message(@message, @signature)).to eq(@test_identity)
+    end
+
+    it "should check nonce uniqueness and return false if not unique" do
+      expect(@iut.auth_message_unique?(@message)).to eq(true)
+      expect(@iut.verify_auth_message(@message, @signature)).to eq(false)
+    end
+  end
+end

data/spec/lib/smaak_spec.rb

@@ -0,0 +1,87 @@
+require './spec/spec_helper.rb'
+
+describe Smaak do
+  context "when loaded" do
+    it "should specify a default token life" do
+     expect(Smaak::DEFAULT_TOKEN_LIFE).to eq(2)
+    end
+  end
+
+  context "when asked to obfuscate a clear-text psk" do
+    it "should reverse the psk and appluy an MD5 hexadecimal digest to the result" do
+      expect(Smaak::obfuscate_psk('sharedsecret')).to eq(Digest::MD5.hexdigest('sharedsecret'.reverse))
+    end
+  end
+
+  context "when asked to build an auth message" do
+    it "should base 64 encode a json representation of the message" do
+      testm = {'a' => 'A'}
+      expect(Smaak::build_message(testm)).to eq(Base64::encode64(testm.to_json))
+    end
+  end
+
+  context "when asked to sign a message given a private key" do
+    it "should sign the message with the key using a 256 bit digest" do
+      private_key = OpenSSL::PKey::RSA.new(4096)
+      message_data = {'a' => 'B'}
+      message = Smaak::build_message(message_data)
+      digest = OpenSSL::Digest::SHA256.new
+      expect(Smaak::sign_message_data(message_data, private_key)).to eq(private_key.sign(digest, message))
+    end
+  end
+
+  context "when asked to generate a nonce" do
+    it "should generate a random nonce with at most 1 in a ten billion probability of a consecutive clash" do
+      expect(SecureRandom).to receive(:random_number).with(10000000000)
+      Smaak::generate_nonce
+    end
+
+    it "should generate a different nonce every time with high probability (less than 1 in 10000) given a history of 1000000 nonces" do
+      repeat = {}
+      failed = 0
+      threshold = 1000000
+      for i in 1..threshold do
+        value = Smaak::generate_nonce
+        failed = failed + 1 if repeat[value] == 1
+        repeat[value] = 1
+      end
+      failed_p = (failed.to_f / threshold) * 100
+      puts "I've seen #{failed_p} % of nonces before in #{threshold} generations"
+      expect(failed_p < 0.01).to eq(true)
+    end
+  end
+
+  context "when asked to compile an auth message data dictionary with addressed to an associate" do
+    before :all do
+      @associate_public_key = OpenSSL::PKey::RSA.new(4096).public_key
+      @associate_psk = 'sharedsecret'
+      @token_life = 3
+      @identity = 'test-service'
+    end
+
+    before :each do
+      @iut = Smaak::compile_auth_message_data(@associate_public_key, @associate_psk, @token_life, @identity)
+      @timestamp = Time.now.to_i
+    end
+
+    it "should set the recipient to the recipient specified" do
+      expect(@iut['recipient']).to eq(@associate_public_key.export)
+    end
+
+    it "should set the identity to the sender's identity" do
+      expect(@iut['identity']).to eq(@identity)
+    end
+
+    it "should set the psk to the psk specified, obfuscated" do
+      expect(@iut['psk']).to eq(Smaak::obfuscate_psk(@associate_psk))
+    end
+
+    it "should set the expiry to now + the token life specified" do
+      expect(@iut['expires']).to eq(@timestamp + @token_life)
+    end
+
+    it "should generate and assign a nonce" do
+      expect(@iut['nonce'] > 0).to eq(true)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,40 @@
+require 'rspec'
+require 'rspec/mocks'
+require 'tempfile'
+require 'simplecov'
+require 'simplecov-rcov'
+require 'byebug'
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', 'smaak'))
+$:.unshift(File.join(File.dirname(__FILE__), '..'))
+
+require 'lib/smaak.rb'
+require 'lib/smaak/associate.rb'
+require 'lib/smaak/server.rb'
+require 'lib/smaak/client.rb'
+require 'lib/smaak/auth_message.rb'
+
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  #config.expect_with(:rspec) { |c| c.syntax = :should }
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end
+
+SimpleCov.formatter = SimpleCov::Formatter::RcovFormatter
+SimpleCov.start do
+  add_filter "/spec/"
+end
+

metadata

@@ -0,0 +1,186 @@
+--- !ruby/object:Gem::Specification
+name: smaak
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Ernst van Graan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-06-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: persistent-cache
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.3.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.3.9
+- !ruby/object:Gem::Dependency
+  name: unirest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-rcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Signed Message Authentication and Authorization with Key validation
+email:
+- ernst.van.graan@hetzner.co.za
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .ruby-gemset
+- .ruby-version
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/smaak.rb
+- lib/smaak/associate.rb
+- lib/smaak/auth_message.rb
+- lib/smaak/client.rb
+- lib/smaak/server.rb
+- lib/smaak/version.rb
+- smaak.gemspec
+- spec/lib/smaak/associate_spec.rb
+- spec/lib/smaak/auth_message_spec.rb
+- spec/lib/smaak/client_spec.rb
+- spec/lib/smaak/server_spec.rb
+- spec/lib/smaak_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '2.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: 'This gems caters for both client and server side of a signed message interaction
+  over HTTP or HTTPS implementing the RFC2617 Digest Access Authentication. The following
+  compromises are protected against as specified: Man in the middle / snooping (HTTPS
+  turned on), Replay (nonce + expires), Forgery (signature), Masquerading (recipient
+  pub key check), Clear-text password compromise (MD5 pre-shared key)'
+test_files:
+- spec/lib/smaak/associate_spec.rb
+- spec/lib/smaak/auth_message_spec.rb
+- spec/lib/smaak/client_spec.rb
+- spec/lib/smaak/server_spec.rb
+- spec/lib/smaak_spec.rb
+- spec/spec_helper.rb