Skip to content

Check signature's signed time #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ct-clearhaus wants to merge 1 commit into from
Closed

Check signature's signed time #10

ct-clearhaus wants to merge 1 commit into from

Conversation

@ct-clearhaus
Copy link

@ct-clearhaus ct-clearhaus commented Jan 23, 2018

I hand-picked the number 5 to substitute for "few" in

If the time signature and the transaction time differ by more than a few minutes, it's possible that the token is a replay attack.

https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html

YMMV

Ref. #3 (comment)

@rwdaigle
Copy link
Contributor

rwdaigle commented May 4, 2018

@ct-clearhaus thank you for this!

Any clever ideas on how to create a test case around this functionality?

@ct-clearhaus
Copy link
Author

ct-clearhaus commented May 7, 2018

Unfortunately I'm not familiar with test/unit (I couldn't even make the specs run locally; see below), but in rspec I'd amend test_failed_decrypt to hit the different InvalidSignatureErrors and e.g.

expect(Time).to receive(:now).twice.and_return(time)

and have time be just before the interval, just inside the interval and just after the interval.

Also, it would be nicer to adjust this PR to have

now = Time.now
raise InvalidSignatureError, "..." unless '...'.between?(now - 5*60, now + 5*60)

Couldn't make specs run:

$ docker run --rm -it -v $PWD:/gala ruby:2.4 bash
root@74d394cd3940:/# cd gala/
root@74d394cd3940:/gala# bundle install
Fetching gem metadata from https://rubygems.org/.........
Fetching https://github.com/Shopify/aead.git
Fetching rake 12.0.0
Installing rake 12.0.0
Fetching systemu 2.6.5
Installing systemu 2.6.5
Fetching macaddr 1.7.1
Installing macaddr 1.7.1
Using aead 1.8.2 from https://github.com/Shopify/aead.git (at 340e771@340e771)
Using bundler 1.16.1
Fetching coderay 1.1.2
Installing coderay 1.1.2
Using gala 0.3.1 from source at `.`
Fetching method_source 0.9.0
Installing method_source 0.9.0
Fetching pry 0.11.3
Installing pry 0.11.3
Bundle complete! 5 Gemfile dependencies, 9 gems now installed.
Bundled gems are installed into `/usr/local/bundle`
root@74d394cd3940:/gala# bundle exec rake test
/gala/test/payment_token_test.rb:2:in `require': cannot load such file -- test/unit (LoadError)
        from /gala/test/payment_token_test.rb:2:in `<top (required)>'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:15:in `require'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:15:in `block in <main>'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:4:in `select'
        from /usr/local/bundle/gems/rake-12.0.0/lib/rake/rake_test_loader.rb:4:in `<main>'
rake aborted!
Command failed with status (1)
/usr/local/bundle/gems/rake-12.0.0/exe/rake:27:in `<top (required)>'
/usr/local/bin/bundle:23:in `load'
/usr/local/bin/bundle:23:in `<main>'
Tasks: TOP => test
(See full trace by running task with --trace)

@rwdaigle
Copy link
Contributor

rwdaigle commented May 7, 2018

Ah, yes, fiddling with time. Good idea.

Re: test failures, if you rebase against latest, it should be Ruby2.4 compatible.

@AnilRh AnilRh mentioned this pull request Dec 15, 2023
Open
@ct-clearhaus
Copy link
Author

ct-clearhaus commented Jan 2, 2024

Replaced by #24.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ct-clearhaus @rwdaigle