tanker-identity 2.16.0.alpha.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 88d5a8e184f0271d9b431a9440eb7a358d9a3d7f4e0e88f5774b9c8601a74cb3
-  data.tar.gz: 501f29acdb04b8777fcff7fedabeebcb97d6be545b825958d31d985720c00d2c
+  metadata.gz: 538f757e41dcface55b1025098af3e75bb52303547e5665ae8ad118f80d447eb
+  data.tar.gz: ab2746f68ae1ecc15e8c0900ec382b49a01508270dfc5e7217503221c19cb168
 SHA512:
-  metadata.gz: 62fe18c7feea78adbbb5d52aae664d3a4a806bd34dd04130e9ba20a49bf8acab96741d8525a8be50d213ee86d0b9e8d8532374df33a101db1c5cb05910a7ab8f
-  data.tar.gz: 227bcb9e1e49db803afa686eb511048929a04ad5cac2da25ce54a800cf4ca3b295b0c6fe149826c92a5c544f29ed5c2ea5e1a16db9162eb74a48039da9662c15
+  metadata.gz: 9b1cbeae3ffc99ab33c8f65602a1d40c72d31108a273e98e403652f95e5596cce27f778c33154372f77e764fbc879008c497969ab52f3cde19ece5139e97c57a
+  data.tar.gz: 76881380c77649b73eb2d9f3d68f28e21ecc6055da620155c20ad67e9181de55380be53b5f44b9eb60c22a6d4469cd123fa5faf53e92803f1639618544f2f010

data/README.md

@@ -10,7 +10,7 @@ Identity generation in Ruby for the [Tanker SDK](https://docs.tanker.io/latest/)
 
 This gem requires Ruby v2.5 or greater (transitive requirement from [rbnacl](https://github.com/crypto-rb/rbnacl)).
 
-If still on an older version of Ruby, use `tanker-identity` with the [`603b35f8` commit ref](https://github.com/TankerHQ/identity-ruby/tree/603b35f8e1ca889c4862e8f9c1e54632a38b32b6).
+Older Ruby versions are not supported.
 
 ## Installation
 
@@ -21,7 +21,7 @@ Before going further, please follow [instructions to install libsodium](https://
 Then, add this line to your application's Gemfile:
 
 ```ruby
-gem 'tanker-identity', git: 'https://github.com/TankerHQ/identity-ruby' #, ref: '<commit>'
+gem 'tanker-identity', 'X.Y.Z'
 ```
 
 Finally, execute:
@@ -48,7 +48,7 @@ The unique ID of a user in your application.
 <br><br>
 
 ```ruby
-Tanker::Identity.create_provisional_identity(app_id, email)
+Tanker::Identity.create_provisional_identity(app_id, 'email', email)
 ```
 Create a Tanker provisional identity. It allows you to share a resource with a user who does not have an account in your application yet.
 

data/lib/tanker/crypto.rb

@@ -7,12 +7,27 @@ module Tanker
     class InvalidSignature < StandardError; end
 
     HASH_MIN_SIZE = RbNaCl::Hash::Blake2b::BYTES_MIN # 16
+    BLOCK_HASH_SIZE = 32
 
     def self.generichash(input, size)
       binary_input = input.dup.force_encoding(Encoding::ASCII_8BIT)
       RbNaCl::Hash.blake2b(binary_input, digest_size: size)
     end
 
+    def self.hash_user_id(app_id, user_id)
+      binary_user_id = user_id.dup.force_encoding(Encoding::ASCII_8BIT)
+      Crypto.generichash(binary_user_id + app_id, BLOCK_HASH_SIZE)
+    end
+
+    def self.hashed_provisional_email(email)
+      Base64.strict_encode64(Crypto.generichash(email, BLOCK_HASH_SIZE))
+    end
+
+    def self.hashed_provisional_value(value, private_signature_key)
+      secret_salt = Crypto.generichash(Base64.strict_decode64(private_signature_key), BLOCK_HASH_SIZE)
+      Base64.strict_encode64(Crypto.generichash(secret_salt + value, BLOCK_HASH_SIZE))
+    end
+
     # We need this static method since a RbNaCl::SigningKey instance can't be
     # directly initialized with a given private_signature_key
     def self.sign_detached(message, private_signature_key)

data/lib/tanker/identity.rb

@@ -9,16 +9,10 @@ module Tanker
     APP_SECRET_SIZE = 64
     APP_PUBLIC_KEY_SIZE = 32
     AUTHOR_SIZE = 32
-    BLOCK_HASH_SIZE = 32
     USER_SECRET_SIZE = 32
 
     private
 
-    def self.hash_user_id(app_id, user_id)
-      binary_user_id = user_id.dup.force_encoding(Encoding::ASCII_8BIT)
-      Crypto.generichash(binary_user_id + app_id, BLOCK_HASH_SIZE)
-    end
-
     def self.user_secret(hashed_user_id)
       random_bytes = Crypto.random_bytes(USER_SECRET_SIZE - 1)
       check = Crypto.generichash(random_bytes + hashed_user_id, Crypto::HASH_MIN_SIZE)
@@ -27,9 +21,7 @@ module Tanker
 
     def self.assert_string_values(hash)
       hash.each_pair do |key, value|
-        unless value.is_a?(String)
-          raise TypeError.new("expected #{key} to be a String but was a #{value.class}")
-        end
+        raise TypeError, "expected #{key} to be a String but was a #{value.class}" unless value.is_a?(String)
       end
     end
 
@@ -37,7 +29,7 @@ module Tanker
       block_nature = APP_CREATION_NATURE.chr(Encoding::ASCII_8BIT)
       none_author = 0.chr(Encoding::ASCII_8BIT) * AUTHOR_SIZE
       app_public_key = app_secret[-APP_PUBLIC_KEY_SIZE..-1]
-      Crypto.generichash(block_nature + none_author + app_public_key, BLOCK_HASH_SIZE)
+      Crypto.generichash(block_nature + none_author + app_public_key, Crypto::BLOCK_HASH_SIZE)
     end
 
     public
@@ -52,55 +44,61 @@ module Tanker
 
     def self.create_identity(b64_app_id, b64_app_secret, user_id)
       assert_string_values({
-        app_id: b64_app_id,
-        app_secret: b64_app_secret,
-        user_id: user_id
-      })
+                             app_id: b64_app_id,
+                             app_secret: b64_app_secret,
+                             user_id: user_id
+                           })
 
       app_id = Base64.strict_decode64(b64_app_id)
       app_secret = Base64.strict_decode64(b64_app_secret)
 
-      raise ArgumentError.new("Invalid app_id") if app_id.bytesize != BLOCK_HASH_SIZE
-      raise ArgumentError.new("Invalid app_secret") if app_secret.bytesize != APP_SECRET_SIZE
-      raise ArgumentError.new("Invalid (app_id, app_secret) combination") if app_id != generate_app_id(app_secret)
+      raise ArgumentError, "Invalid app_id" if app_id.bytesize != Crypto::BLOCK_HASH_SIZE
+      raise ArgumentError, "Invalid app_secret" if app_secret.bytesize != APP_SECRET_SIZE
+      raise ArgumentError, "Invalid (app_id, app_secret) combination" if app_id != generate_app_id(app_secret)
 
-      hashed_user_id = hash_user_id(app_id, user_id)
+      hashed_user_id = Crypto.hash_user_id(app_id, user_id)
       signature_keypair = Crypto.generate_signature_keypair
       message = signature_keypair[:public_key] + hashed_user_id
       signature = Crypto.sign_detached(message, app_secret)
 
       serialize({
-        trustchain_id: Base64.strict_encode64(app_id),
-        target: 'user',
-        value: Base64.strict_encode64(hashed_user_id),
-        delegation_signature: Base64.strict_encode64(signature),
-        ephemeral_public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
-        ephemeral_private_signature_key: Base64.strict_encode64(signature_keypair[:private_key]),
-        user_secret: Base64.strict_encode64(user_secret(hashed_user_id))
-      })
+                  trustchain_id: Base64.strict_encode64(app_id),
+                  target: 'user',
+                  value: Base64.strict_encode64(hashed_user_id),
+                  delegation_signature: Base64.strict_encode64(signature),
+                  ephemeral_public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
+                  ephemeral_private_signature_key: Base64.strict_encode64(signature_keypair[:private_key]),
+                  user_secret: Base64.strict_encode64(user_secret(hashed_user_id))
+                })
     end
 
-    def self.create_provisional_identity(b64_app_id, email)
+    def self.create_provisional_identity(b64_app_id, target, value)
       assert_string_values({
-        app_id: b64_app_id,
-        email: email
-      })
+                             app_id: b64_app_id,
+                             target: target,
+                             value: value
+                           })
+
+      valid_targets = %w[email phone_number]
+      unless valid_targets.include? target
+        raise ArgumentError, "expected #{target} to be one of #{valid_targets.join(', ')}"
+      end
 
       app_id = Base64.strict_decode64(b64_app_id)
-      raise ArgumentError.new("Invalid app_id") if app_id.bytesize != BLOCK_HASH_SIZE
+      raise ArgumentError, "Invalid app_id" if app_id.bytesize != Crypto::BLOCK_HASH_SIZE
 
       encryption_keypair = Crypto.generate_encryption_keypair
       signature_keypair = Crypto.generate_signature_keypair
 
       serialize({
-        trustchain_id: b64_app_id,
-        target: 'email',
-        value: email,
-        public_encryption_key: Base64.strict_encode64(encryption_keypair[:public_key]),
-        private_encryption_key: Base64.strict_encode64(encryption_keypair[:private_key]),
-        public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
-        private_signature_key: Base64.strict_encode64(signature_keypair[:private_key])
-      })
+                  trustchain_id: b64_app_id,
+                  target: target,
+                  value: value,
+                  public_encryption_key: Base64.strict_encode64(encryption_keypair[:public_key]),
+                  private_encryption_key: Base64.strict_encode64(encryption_keypair[:private_key]),
+                  public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
+                  private_signature_key: Base64.strict_encode64(signature_keypair[:private_key])
+                })
     end
 
     def self.get_public_identity(serialized_identity)
@@ -117,9 +115,29 @@ module Tanker
       public_identity = {}
       public_keys.each { |key| public_identity[key] = identity.fetch(key) }
 
+      if identity['target'] == 'email'
+        public_identity['target'] = 'hashed_email'
+        public_identity['value'] = Crypto.hashed_provisional_email(public_identity['value'])
+      elsif identity['target'] != 'user'
+        public_identity['target'] = 'hashed_' + public_identity['target']
+        public_identity['value'] = Crypto.hashed_provisional_value(public_identity['value'],
+                                                                   identity['private_signature_key'])
+      end
+
       serialize(public_identity)
     rescue KeyError # failed fetch
-      raise ArgumentError.new('Not a valid Tanker identity')
+      raise ArgumentError, 'Not a valid Tanker identity'
+    end
+
+    def self.upgrade_identity(serialized_identity)
+      assert_string_values({ identity: serialized_identity })
+
+      identity = deserialize(serialized_identity)
+      if identity['target'] == 'email' && !identity.key?('private_encryption_key')
+        identity['target'] = 'hashed_email'
+        identity['value'] = Crypto.hashed_provisional_email(identity['value'])
+      end
+      serialize(identity)
     end
   end
 end

data/lib/tanker/identity/version.rb

@@ -1,6 +1,6 @@
 module Tanker
   module Identity
-    VERSION = '2.16.0.alpha.1'
+    VERSION = '3.0.0'
   end
 
   def self.const_missing(name)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tanker-identity
 version: !ruby/object:Gem::Version
-  version: 2.16.0.alpha.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Tanker Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-21 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rbnacl
@@ -154,11 +154,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Tanker identity management library packaged as a gem