Project

sha256_seal

0.0
No release in over 3 years
Low commit activity in last 3 years
sha256_sealcyril/sha256_seal.rbHomepageDocumentationSource CodeBug TrackerWiki
Seal device with SHA-256 hash function, for Ruby.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
15,787
Stars
0
Forks
0
Watchers
1
 Releases
Current version
0.1.7
Total releases
8
First release
2017-10-03
Latest release
2022-11-12
 Pull Requests
Open Pull Requests
2
Closed Pull Requests
2
Merged Pull Requests
0
Pull Request Acceptance Rate
0%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2020-10-06
Reverse Dependencies
0

 Dependencies

Development

bundler
>= 0
rake
>= 0
rubocop-md
>= 0
rubocop-performance
>= 0
rubocop-rake
>= 0
rubocop-rspec
>= 0
rubocop-thread_safety
>= 0
simplecov
>= 0
yard
>= 0
r_spec
>= 0
rubocop-gitlab-security
>= 0
 Project Readme

Sha256 Seal 🔏

A small Ruby library for signing documents and verifying their integrity using HMAC-SHA-256.

Status

Version Yard documentation Ruby License

Installation

Add this line to your application's Gemfile:

gem "sha256_seal"

And then execute:

bundle install

Or install it yourself as:

gem install sha256_seal

Overview

Sha256Seal enables you to:

  1. Sign data by inserting a cryptographic signature at a specific location in a string
  2. Verify the integrity of the signed data

The core concept is simple: replace a placeholder field in a string with an HMAC-SHA-256 signature, calculated using a secret key. This signature ensures that the data cannot be tampered with without detection.

Usage Examples

Basic Example - Signing Data

To sign a document, create a new builder with:

  • The original string containing a placeholder
  • A secret key
  • The placeholder to be replaced with the signature
document = "/.__SIGNATURE__/accounts/42?editable=false"
secret = "my_secret_key"
placeholder = "__SIGNATURE__"

builder = Sha256Seal::Builder.new(document, secret, placeholder)
signed_document = builder.signed_value
# => "/.a31c3936f236684a8ebc51dcfef168ce124450d71ae1ec404552ec9e0090a8db/accounts/42?editable=false"

Verifying Signed Data

To verify a signed document:

signed_document = "/.a31c3936f236684a8ebc51dcfef168ce124450d71ae1ec404552ec9e0090a8db/accounts/42?editable=false"
secret = "my_secret_key"
signature = "a31c3936f236684a8ebc51dcfef168ce124450d71ae1ec404552ec9e0090a8db"

builder = Sha256Seal::Builder.new(signed_document, secret, signature)
is_valid = builder.signed_value?
# => true if the signature is valid, false otherwise

Tamper Detection

If the document is altered in any way after signing, verification will fail:

# Original signed document
signed_document = "/.a31c3936f236684a8ebc51dcfef168ce124450d71ae1ec404552ec9e0090a8db/accounts/42?editable=false"

# Tampered document (changed editable=false to editable=true)
tampered_document = "/.a31c3936f236684a8ebc51dcfef168ce124450d71ae1ec404552ec9e0090a8db/accounts/42?editable=true"
signature = "a31c3936f236684a8ebc51dcfef168ce124450d71ae1ec404552ec9e0090a8db"

builder = Sha256Seal::Builder.new(tampered_document, secret, signature)
builder.signed_value? # => false

Rails Integration Example

Here's a practical example of how Sha256Seal can be integrated with Rails for CSRF protection in URLs:

# Environment variable
CSRF_SECRET_KEY = ENV.fetch("CSRF_SECRET_KEY", "your_default_development_secret")

# In routes.rb
Rails.application.routes.draw do
  scope module: :verified_requests, path: ".:csrf", as: "verified_request" do
    get "/accounts/:id", to: "accounts#show", as: "account"
  end
end

# In app/controllers/verified_requests/base_controller.rb
module VerifiedRequests
  class BaseController < ::ApplicationController
    def signed_url(route_method, **options)
      # Generate a URL with a temporary placeholder
      url_route_method = "#{route_method}_url".to_sym
      placeholder = "__CSRF_TOKEN__"
      url_string = public_send(url_route_method, csrf: placeholder, **options)

      # Replace the placeholder with a real signature
      builder = Sha256Seal::Builder.new(url_string, CSRF_SECRET_KEY, placeholder)
      builder.signed_value
    end
    helper_method :signed_url

    # In a before_action filter, verify the request's signature
    def verified_request?
      signature = request.path_parameters.fetch(:csrf)
      document_string = request.original_url.force_encoding("utf-8")

      builder = Sha256Seal::Builder.new(document_string, CSRF_SECRET_KEY, signature)
      builder.signed_value? || Rails.env.test?
    end
  end
end

Common Use Cases

  • Protecting against CSRF attacks by signing URLs
  • Creating signed download links with limited validity
  • Verifying the integrity of data submitted in forms
  • Creating tamper-proof API request signatures

Technical Details

  • Uses HMAC-SHA-256 for cryptographic signatures
  • Encodes signatures as URL-safe Base64 without padding
  • Ensures UTF-8 encoding for all input strings
  • Limits maximum input size to 1MB

Versioning

Sha256Seal uses Semantic Versioning 2.0.0

Further Reading

For more information about the concepts behind URL protection using HMAC, check out this article: URL Protection Through HMAC: A Practical Approach

License

The gem is available as open source under the terms of the MIT License.