akero 1.0.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- data/benchmark/bm_rate.png +0 -0
- data/benchmark/bm_size.png +0 -0
- data/lib/akero.rb +18 -34
- data/lib/akero/version.rb +1 -1
- data/spec/akero_spec.rb +2 -3
- metadata +4 -4
data/benchmark/bm_rate.png
CHANGED
Binary file
|
data/benchmark/bm_size.png
CHANGED
Binary file
|
data/lib/akero.rb
CHANGED
@@ -73,7 +73,6 @@ class Akero
|
|
73
73
|
ERR_MSG_NOT_STRING_NOR_PKCS7 = "Message must be of type String or OpenSSL::PKCS7" # @private
|
74
74
|
ERR_MSG_CORRUPT_CERT = "Malformed message: Embedded certificate could not be verified; POSSIBLE SPOOF ATTEMPT!" # @private
|
75
75
|
ERR_MSG_TOO_MANY_SIGNERS = "Corrupt message: Zero or multiple signers, expected exactly 1; POSSIBLE SPOOF ATTEMPT" # @private
|
76
|
-
ERR_MSG_SIG_MISMATCH = "Inner signature does not match outer signature; POSSIBLE SPOOF ATTEMPT" # @private
|
77
76
|
|
78
77
|
PKEY_HEADER = "-----BEGIN AKERO PRIVATE KEY-----\n" # @private
|
79
78
|
PKEY_FOOTER = "-----END AKERO PRIVATE KEY-----\n" # @private
|
@@ -200,7 +199,7 @@ class Akero
|
|
200
199
|
raise RuntimeError, ERR_INVALID_RECIPIENT
|
201
200
|
end
|
202
201
|
}
|
203
|
-
Akero.replate(_sign(_encrypt(to, _sign(plaintext))).to_s, PLATE_CRYPTED)
|
202
|
+
Akero.replate(_sign(_encrypt(to, _sign(plaintext, false))).to_s, PLATE_CRYPTED)
|
204
203
|
end
|
205
204
|
|
206
205
|
# Receive an Akero message.
|
@@ -210,7 +209,7 @@ class Akero
|
|
210
209
|
def receive(ciphertext)
|
211
210
|
ciphertext = Akero.replate(ciphertext, Akero::PLATE_CRYPTED, true)
|
212
211
|
begin
|
213
|
-
body,
|
212
|
+
body, signer_cert, body_type = verify(ciphertext, nil)
|
214
213
|
rescue ArgumentError
|
215
214
|
raise RuntimeError, ERR_MSG_MALFORMED_ENV
|
216
215
|
end
|
@@ -218,16 +217,12 @@ class Akero
|
|
218
217
|
case body_type.ord
|
219
218
|
when 0x00
|
220
219
|
# public message (signed)
|
221
|
-
return Message.new(body,
|
220
|
+
return Message.new(body, signer_cert, :signed)
|
222
221
|
when 0x01
|
223
222
|
# private message (signed, crypted, signed)
|
224
223
|
signed_plaintext = _decrypt(body)
|
225
|
-
plaintext,
|
226
|
-
msg = Message.new(plaintext,
|
227
|
-
|
228
|
-
if msg.from != Akero.fingerprint_from_cert(outer_signer_cert)
|
229
|
-
raise RuntimeError, ERR_MSG_SIG_MISMATCH
|
230
|
-
end
|
224
|
+
plaintext, verified_cert, body_type = verify(signed_plaintext, signer_cert)
|
225
|
+
msg = Message.new(plaintext, signer_cert, :encrypted)
|
231
226
|
return msg
|
232
227
|
end
|
233
228
|
raise RuntimeError, ERR_MSG_MALFORMED_BODY
|
@@ -280,25 +275,13 @@ class Akero
|
|
280
275
|
end
|
281
276
|
end
|
282
277
|
|
283
|
-
# Encrypt a message for one ore more recipients.
|
284
|
-
#
|
285
|
-
# @return [Array] Message_body, signer_certificate, body_type
|
286
278
|
def _encrypt(to, msg, cipher=nil)
|
287
279
|
cipher ||= OpenSSL::Cipher::new("AES-256-CFB")
|
288
280
|
OpenSSL::PKCS7::encrypt(to, msg.to_der, cipher, OpenSSL::PKCS7::BINARY)
|
289
281
|
end
|
290
282
|
|
291
|
-
|
292
|
-
|
293
|
-
# @overload _sign(message)
|
294
|
-
# Sign a message.
|
295
|
-
# @param [String] message Message
|
296
|
-
# @return [OpenSSL::PKCS7] Signed message
|
297
|
-
# @overload _sign(message)
|
298
|
-
# Sign a message.
|
299
|
-
# @param [OpenSSL::PKCS7] message Message
|
300
|
-
# @return [OpenSSL::PKCS7] Signed message
|
301
|
-
def _sign(message)
|
283
|
+
def _sign(message, embed_cert=true)
|
284
|
+
flags = embed_cert ? OpenSSL::PKCS7::BINARY : (OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOCERTS)
|
302
285
|
case message
|
303
286
|
when String
|
304
287
|
type = 0x00
|
@@ -308,25 +291,26 @@ class Akero
|
|
308
291
|
raise RuntimeError, ERR_MSG_NOT_STRING_NOR_PKCS7
|
309
292
|
end
|
310
293
|
message = message.to_der if message.is_a? OpenSSL::PKCS7
|
311
|
-
OpenSSL::PKCS7::sign(@cert, @key, type.chr + message, [],
|
294
|
+
OpenSSL::PKCS7::sign(@cert, @key, type.chr + message, [], flags)
|
312
295
|
end
|
313
296
|
|
314
|
-
|
315
|
-
#
|
316
|
-
# @return [Array] message_body, signer_certificate, body_type
|
317
|
-
def verify(signed_msg)
|
297
|
+
def verify(signed_msg, cert)
|
318
298
|
signed_msg = OpenSSL::PKCS7.new(signed_msg) if signed_msg.is_a? String
|
319
299
|
store = OpenSSL::X509::Store.new
|
320
|
-
|
321
|
-
|
300
|
+
|
301
|
+
if cert.nil?
|
302
|
+
if signed_msg.certificates.nil? or signed_msg.certificates.length != 1
|
303
|
+
raise RuntimeError, ERR_MSG_TOO_MANY_SIGNERS
|
304
|
+
end
|
305
|
+
|
306
|
+
cert = signed_msg.certificates[0]
|
322
307
|
end
|
323
308
|
|
324
|
-
|
325
|
-
unless signed_msg.verify([signer_cert], store, nil, OpenSSL::PKCS7::NOINTERN | OpenSSL::PKCS7::NOVERIFY)
|
309
|
+
unless signed_msg.verify([cert], store, nil, OpenSSL::PKCS7::NOINTERN | OpenSSL::PKCS7::NOVERIFY)
|
326
310
|
raise RuntimeError, ERR_MSG_CORRUPT_CERT
|
327
311
|
end
|
328
312
|
|
329
|
-
[signed_msg.data[1..-1],
|
313
|
+
[signed_msg.data[1..-1], cert, signed_msg.data[0]]
|
330
314
|
end
|
331
315
|
|
332
316
|
# Generate new RSA keypair and certificate.
|
data/lib/akero/version.rb
CHANGED
data/spec/akero_spec.rb
CHANGED
@@ -176,7 +176,7 @@ describe Akero do
|
|
176
176
|
b = oscar.send(:_sign, a).to_s
|
177
177
|
c = Akero.replate(b, Akero::PLATE_CRYPTED)
|
178
178
|
subject.receive(c)
|
179
|
-
}.should raise_error RuntimeError, Akero::
|
179
|
+
}.should raise_error RuntimeError, Akero::ERR_MSG_CORRUPT_CERT
|
180
180
|
end
|
181
181
|
|
182
182
|
it "raises RuntimeError on malformed inner message" do
|
@@ -205,10 +205,9 @@ describe Akero do
|
|
205
205
|
fake_msg.stub(:verify).and_return(false)
|
206
206
|
fake_msg.stub_chain(:certificates, :length).and_return(1)
|
207
207
|
fake_msg.stub_chain(:certificates, :[]).and_return(nil)
|
208
|
-
subject.send(:verify, fake_msg)
|
208
|
+
subject.send(:verify, fake_msg, nil)
|
209
209
|
}.should raise_error RuntimeError, Akero::ERR_MSG_CORRUPT_CERT
|
210
210
|
end
|
211
|
-
|
212
211
|
end
|
213
212
|
|
214
213
|
describe '#inspect' do
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: akero
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.2
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-01-
|
12
|
+
date: 2013-01-16 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: rb-inotify
|
@@ -192,7 +192,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
192
192
|
version: '0'
|
193
193
|
segments:
|
194
194
|
- 0
|
195
|
-
hash:
|
195
|
+
hash: 1964830564918929784
|
196
196
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
197
197
|
none: false
|
198
198
|
requirements:
|
@@ -201,7 +201,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
201
201
|
version: '0'
|
202
202
|
segments:
|
203
203
|
- 0
|
204
|
-
hash:
|
204
|
+
hash: 1964830564918929784
|
205
205
|
requirements: []
|
206
206
|
rubyforge_project:
|
207
207
|
rubygems_version: 1.8.23
|