akero 1.0.3 → 1.0.4

data/README.md

@@ -4,13 +4,13 @@ Akero ([ἄγγελος](http://en.wiktionary.org/wiki/%F0%90%80%80%F0%90%80%90%
 
 Under the hood Akero uses standard OpenSSL primitives. Each instance wraps a [RSA](http://en.wikipedia.org/wiki/RSA)-keypair, a corresponding [X.509 certificate](http://en.wikipedia.org/wiki/X.509) and exchanges self-signed messages ([PKCS#7](https://tools.ietf.org/html/rfc2315)) with other instances.
 
-Akero does not try to be a substitute for a fully featured [PKI](http://en.wikipedia.org/wiki/Public_key_infrastructure). It is meant to be used as a building block in scenarios where trust-relationships and keyrings can be externally managed, and where the complexity of traditional solutions (X.509 PKI, OpenPGP, homegrown RSA) yields no tangible benefits.
+Akero does not try to be a substitute for a fully featured [PKI](http://en.wikipedia.org/wiki/Public_key_infrastructure). It is meant to be used as a building block in scenarios where trust-relationships and keyrings can be externally managed, and where the complexity of traditional solutions (X.509 PKI, OpenPGP, custom RSA) yields no tangible benefits.
 
 ## Features
 
 * Secure 1-to-n messaging (sign-only -or- sign->encrypt->sign)
-* Low complexity; easy to use, understand and review (only 166 lines of code)
-* Transport agnostic; messages and certificates are self-contained, ascii-armored (base64)
+* Low complexity; easy to use, understand and review (only 192 lines of code)
+* Transport agnostic; messages and certificates are self-contained and optionally ascii-armored (base64)
 * Built on standard OpenSSL primitives, no homegrown algorithms
 * [100%](https://busyloop.net/oss/akero/coverage/) test coverage
 
@@ -64,6 +64,13 @@ File.open('/tmp/alice.akr', 'w') { |f| f.write(alice.private_key) }
 # And load her again
 new_alice = Akero.load(File.read('/tmp/alice.akr'))
 
+# By default all messages are ascii armored.
+# In production Alice disables the armoring
+# for better performance.
+signed_msg = alice.sign("Hello world!", false)
+msg = alice.encrypt(alice.public_key, "Hello!", false)
+puts alice.receive(msg).body # => "Hello!"
+
 ```
 
 ## Documentation

data/Rakefile

@@ -22,4 +22,8 @@ namespace :docs do
   task :push do
     `bl_www_sync akero coverage`
   end
+
+  task :loc do
+    puts `grep -v '^\\s*#' lib/akero.rb | grep -v '^$' | wc -l`
+  end
 end

data/lib/akero.rb

@@ -81,6 +81,7 @@ class Akero
   PLATE_CRYPTED = ['PKCS7', 'AKERO SECRET MESSAGE'] # @private
 
   DEFAULT_RSA_BITS = 2048
+  DEFAULT_DIGEST = OpenSSL::Digest::SHA512
 
   # Unique fingerprint of this Akero keypair.
   #
@@ -101,10 +102,10 @@ class Akero
   #   Akero.new(4096, OpenSSL::Digest::SHA512)
   #
   # @param [Integer] rsa_bits RSA key length
-  # @param [OpenSSL::Digest] sign_digest Signature digest
+  # @param [OpenSSL::Digest] digest Signature digest
   # @return [Akero] New Akero instance
-  def initialize(rsa_bits=DEFAULT_RSA_BITS, sign_digest=OpenSSL::Digest::SHA512)
-    @key, @cert = generate_keypair(rsa_bits, sign_digest) unless rsa_bits.nil?
+  def initialize(rsa_bits=DEFAULT_RSA_BITS, digest=DEFAULT_DIGEST)
+    @key, @cert = generate_keypair(rsa_bits, digest) unless rsa_bits.nil?
   end
 
   # Load an Akero identity.
@@ -161,9 +162,11 @@ class Akero
   # Sign a message.
   #
   # @param [String] plaintext The message to sign (binary safe)
+  # @param [Boolean] ascii_armor Convert the output in base64?
   # @return [String] Akero signed message
-  def sign(plaintext)
-    Akero.replate(_sign(plaintext).to_s, Akero::PLATE_SIGNED)
+  def sign(plaintext, ascii_armor=true)
+    out = _sign(plaintext)
+    ascii_armor ? Akero.replate(out.to_s, Akero::PLATE_SIGNED) : out.to_der
   end
 
   # Sign->encrypt->sign a message for 1 or more recipients.
@@ -184,8 +187,9 @@ class Akero
   #
   # @param [Array] to Akero public keys of recipients
   # @param [String] plaintext The message to encrypt (binary safe)
+  # @param [Boolean] ascii_armor Convert the output to base64?
   # @return [String] Akero secret message
-  def encrypt(to, plaintext)
+  def encrypt(to, plaintext, ascii_armor=true)
     to = [to] unless to.is_a? Array
     to = to.map { |e| 
       case e
@@ -199,7 +203,8 @@ class Akero
           raise RuntimeError, ERR_INVALID_RECIPIENT
       end
     }
-    Akero.replate(_sign(_encrypt(to, _sign(plaintext, false))).to_s, PLATE_CRYPTED)
+    out = _sign(_encrypt(to, _sign(plaintext, false)))
+    ascii_armor ? Akero.replate(out.to_s, PLATE_CRYPTED) : out.to_der
   end
 
   # Receive an Akero message.
@@ -207,7 +212,9 @@ class Akero
   # @param [String] ciphertext Akero Message
   # @return [Akero::Message] Message_body, signer_certificate, body_type
   def receive(ciphertext)
-    ciphertext = Akero.replate(ciphertext, Akero::PLATE_CRYPTED, true)
+    if ciphertext.start_with? '-----BEGIN '
+      ciphertext = Akero.replate(ciphertext, Akero::PLATE_CRYPTED, true)
+    end
     begin
       body, signer_cert, body_type = verify(ciphertext, nil)
     rescue ArgumentError
@@ -316,9 +323,9 @@ class Akero
   # Generate new RSA keypair and certificate.
   #
   # @param [Integer] rsa_bits RSA key length
-  # @param [OpenSSL::Digest] sign_digest Signature digest
+  # @param [OpenSSL::Digest] digest Signature digest
   # @return [Array] rsa_keypair, certificate
-  def generate_keypair(rsa_bits=DEFAULT_RSA_BITS, sign_digest=OpenSSL::Digest::SHA512)
+  def generate_keypair(rsa_bits=DEFAULT_RSA_BITS, digest=DEFAULT_DIGEST)
     cn = "Akero #{Akero::VERSION}"
     rsa = OpenSSL::PKey::RSA.new(rsa_bits)
 
@@ -342,7 +349,7 @@ class Akero
     aki = ef.create_extension("authorityKeyIdentifier",
                               "keyid:always,issuer:always")
     cert.add_extension(aki)
-    cert.sign(rsa, sign_digest.new)
+    cert.sign(rsa, digest.new)
     [rsa, cert]
   end
 end

data/lib/akero/benchmark.rb

@@ -15,16 +15,16 @@ class Akero
         puts "Running size benchmark..."
 
         rnd = Random.new
-        msg_sizes = (8..13).map{|x| 2**x}
-        key_sizes = [2048, 4096]
+        msg_sizes = (8..14).map{|x| 2**x}
+        modes = [[2048, false], [2048, true]]
         results = {}
-        key_sizes.each do |ksize|
-          alice = Akero.new(ksize)
-          bob   = Akero.new(ksize)
+        modes.each do |mode|
+          alice = Akero.new(mode[0])
+          bob   = Akero.new(mode[0])
           msg_sizes.each do |msize|
             msg = rnd.bytes(msize)
-            ciphertext = alice.encrypt(bob.public_key, msg)
-            (results["ENCRYPT #{ksize} bits"] ||= []) << [msize, ciphertext.length / msg.length.to_f]
+            ciphertext = alice.encrypt(bob.public_key, msg, mode[1])
+            (results["ENCRYPT #{mode[0]} bits #{mode[1] ? 'ascii_armor=1' : 'ascii_armor=0'}"] ||= []) << [msize, ciphertext.length / msg.length.to_f]
           end
         end
 
@@ -34,48 +34,48 @@ class Akero
       def b_timing
         puts "Running timing benchmark..."
 
-        msg_sizes = (4..18).map{|x| 2**x}
-        key_sizes = [2048, 4096]
+        msg_sizes = (8..18).map{|x| 2**x}
+        modes = [[2048, false], [2048, true]]
 
         rnd = Random.new
 
         rounds = 50
         results = []
-        key_sizes.each do |ksize|
-          results << B.enchmark("ENCRYPT #{ksize} bits", :rounds => rounds, :compare => :mean) do
-            alice = Akero.new(ksize)
-            bob   = Akero.new(ksize)
+        modes.each do |mode|
+          results << B.enchmark("ENCRYPT #{mode[0]} bits, ascii_armor=#{mode[1]?1:0}", :rounds => rounds, :compare => :mean) do
+            alice = Akero.new(mode[0])
+            bob   = Akero.new(mode[0])
             msg_sizes.each_with_index do |msize, i|
               msg = rnd.bytes(msize)
               job "msg_size #{msize}" do
-                alice.encrypt(bob.public_key, msg)
+                alice.encrypt(bob.public_key, msg, mode[1])
               end
             end
           end
         end
 
-        key_sizes.each do |ksize|
-          results << B.enchmark("SIGN #{ksize} bits", :rounds => rounds, :compare => :mean) do
-            alice = Akero.new(ksize)
-            bob   = Akero.new(ksize)
+        modes.each do |mode|
+          results << B.enchmark("DECRYPT #{mode[0]} bits, ascii_armor=#{mode[1]?1:0}", :rounds => rounds, :compare => :mean) do
+            alice = Akero.new(mode[0])
+            bob   = Akero.new(mode[0])
             msg_sizes.each_with_index do |msize, i|
               msg = rnd.bytes(msize)
+              msg = alice.encrypt(bob.public_key, msg, mode[1])
               job "msg_size #{msize}" do
-                alice.sign(msg)
+                bob.receive(msg)
               end
             end
           end
         end
 
-        key_sizes.each do |ksize|
-          results << B.enchmark("DECRYPT #{ksize} bits", :rounds => rounds, :compare => :mean) do
-            alice = Akero.new(ksize)
-            bob   = Akero.new(ksize)
+        modes.each do |mode|
+          results << B.enchmark("SIGN #{mode[0]} bits, ascii_armor=#{mode[1]?1:0}", :rounds => rounds, :compare => :mean) do
+            alice = Akero.new(mode[0])
+            bob   = Akero.new(mode[0])
             msg_sizes.each_with_index do |msize, i|
               msg = rnd.bytes(msize)
-              msg = alice.encrypt(bob.public_key, msg)
               job "msg_size #{msize}" do
-                bob.receive(msg)
+                alice.sign(msg, mode[1])
               end
             end
           end

data/lib/akero/version.rb

@@ -1,3 +1,3 @@
 class Akero
-  VERSION = "1.0.3"
+  VERSION = "1.0.4"
 end

data/spec/akero_spec.rb

@@ -56,145 +56,150 @@ describe Akero do
   end
 
   describe '#sign' do
-    describe 'return value' do
-      it "is a String that looks like an Akero signed message" do
-        plaintext = "Hello world!"
-        signed_msg = subject.sign(plaintext)
-        signed_msg.should be_a String
-        signed_msg.should match /^-----BEGIN #{Akero::PLATE_SIGNED[1]}-----\n/
-        signed_msg.should match /\n-----END #{Akero::PLATE_SIGNED[1]}-----\n$/
-      end
-
-      it "contains valid signature" do
-        plaintext = "Hello world!"
-        signed_msg = subject.sign(plaintext)
-        bob = Akero.new
-        msg = bob.receive(signed_msg)
-        msg.from.should == subject.id
-        msg.from_pk.should == subject.public_key
-        msg.body.should == plaintext
-        msg.type.should == :signed
+    ([true, false]).each do |ascii_armor|
+      describe "ascii_armor=#{ascii_armor}" do
+        describe 'return value' do
+          if ascii_armor
+            it "is a String that looks like an Akero signed message" do
+              plaintext = "Hello world!"
+              signed_msg = subject.sign(plaintext, ascii_armor)
+              signed_msg.should be_a String
+              signed_msg.should match /^-----BEGIN #{Akero::PLATE_SIGNED[1]}-----\n/
+              signed_msg.should match /\n-----END #{Akero::PLATE_SIGNED[1]}-----\n$/
+            end
+          end
+
+          it "contains valid signature" do
+            plaintext = "Hello world!"
+            signed_msg = subject.sign(plaintext, ascii_armor)
+            bob = Akero.new
+            msg = bob.receive(signed_msg)
+            msg.from.should == subject.id
+            msg.from_pk.should == subject.public_key
+            msg.body.should == plaintext
+            msg.type.should == :signed
+          end
+        end
       end
     end
   end
 
   describe '#encrypt' do
-    describe 'return value' do
-      it "is a String that looks like an Akero secret message" do
-        plaintext = "Hello world!"
-        ciphertext = subject.encrypt(subject.public_key, plaintext)
-        ciphertext.should be_a String
-        ciphertext.should match /^-----BEGIN #{Akero::PLATE_CRYPTED[1]}-----\n/
-        ciphertext.should match /\n-----END #{Akero::PLATE_CRYPTED[1]}-----\n$/
-      end
-
-      it "contains valid signature" do
-        plaintext = "Hello world!"
-        signed_msg = subject.sign(plaintext)
-        bob = Akero.new
-        msg = bob.receive(signed_msg)
-        msg.from == subject.id
-        msg.from_pk.should == subject.public_key
-        msg.body.should == plaintext
-        msg.type.should == :signed
-      end
-
-      it "raises RuntimeError on invalid recipient (invalid public key)" do
-        lambda {
-          msg = "Hello world!"
-          ciphertext = subject.encrypt([subject.public_key, 'foo'], msg)
-        }.should raise_error RuntimeError, Akero::ERR_INVALID_RECIPIENT_CERT
-      end
-
-      it "raises RuntimeError on invalid recipient (wrong type)" do
-        lambda {
-          msg = "Hello world!"
-          ciphertext = subject.encrypt([subject.public_key, 42], msg)
-        }.should raise_error RuntimeError, Akero::ERR_INVALID_RECIPIENT
-      end
-
-      it "raises RuntimeError when message is not String" do
-        lambda {
-          msg = "Hello world!"
-          ciphertext = subject.encrypt(subject.public_key, 42)
-        }.should raise_error RuntimeError, Akero::ERR_MSG_NOT_STRING_NOR_PKCS7
+    ([true, false]).each do |ascii_armor|
+      describe "ascii_armor=#{ascii_armor}" do
+        describe 'return value' do
+          if ascii_armor
+            it "is a String that looks like an Akero secret message" do
+              plaintext = "Hello world!"
+              ciphertext = subject.encrypt(subject.public_key, plaintext, ascii_armor)
+              ciphertext.should be_a String
+              ciphertext.should match /^-----BEGIN #{Akero::PLATE_CRYPTED[1]}-----\n/
+              ciphertext.should match /\n-----END #{Akero::PLATE_CRYPTED[1]}-----\n$/
+            end
+          end
+
+          it "raises RuntimeError on invalid recipient (invalid public key)" do
+            lambda {
+              msg = "Hello world!"
+              ciphertext = subject.encrypt([subject.public_key, 'foo'], msg)
+            }.should raise_error RuntimeError, Akero::ERR_INVALID_RECIPIENT_CERT
+          end
+
+          it "raises RuntimeError on invalid recipient (wrong type)" do
+            lambda {
+              msg = "Hello world!"
+              ciphertext = subject.encrypt([subject.public_key, 42], msg)
+            }.should raise_error RuntimeError, Akero::ERR_INVALID_RECIPIENT
+          end
+
+          it "raises RuntimeError when message is not String" do
+            lambda {
+              msg = "Hello world!"
+              ciphertext = subject.encrypt(subject.public_key, 42)
+            }.should raise_error RuntimeError, Akero::ERR_MSG_NOT_STRING_NOR_PKCS7
+          end
+        end
       end
     end
   end
 
   describe '#receive' do
-    it "decrypts message that was encrypted for self" do
-      plaintext = "Hello world!"
-      ciphertext = subject.encrypt(subject.public_key, plaintext)
-      msg = subject.receive(ciphertext)
-      msg.body.should == plaintext
-      msg.type.should == :encrypted
-    end
-
-    it "decrypts message that was encrypted for self and other recipients" do
-      plaintext = "Hello world!"
-      alice = Akero.new
-      bob   = Akero.new
-      ciphertext = subject.encrypt([alice.public_key, subject.public_key, bob.public_key], plaintext)
-      msg = subject.receive(ciphertext)
-      msg.body.should == plaintext
-      msg.type.should == :encrypted
-    end
-
-    it "fails to decrypt message that was encrypted only for other recipients" do
-      lambda {
-        plaintext = "Hello world!"
-        alice = Akero.new
-        bob   = Akero.new
-        ciphertext = subject.encrypt([alice.public_key, bob.public_key], plaintext)
-        msg = subject.receive(ciphertext)
-        msg.body.should == plaintext
-        msg.type.should == :encrypted
-      }.should raise_error RuntimeError, Akero::ERR_DECRYPT
-    end
-
-    it "extracts signature from signed message" do
-      plaintext = "Hello world!"
-      alice = Akero.new
-      signed_msg = subject.sign(plaintext)
-      msg = alice.receive(signed_msg)
-      msg.body.should == plaintext
-      msg.type.should == :signed
-    end
-
-    it "raises RuntimeError on invalid message" do
-      lambda {
-        subject.receive("foobar")
-      }.should raise_error RuntimeError #, Akero::ERR_MSG_MALFORMED_ENV
-    end
-
-    it "raises RuntimeError when inner does not match outer signature" do
-      lambda {
-        oscar = Akero.new
-        raw_key = subject.send(:instance_variable_get, '@cert')
-        a = subject.send(:_encrypt, [raw_key], subject.send(:_sign, 'foobar'))
-        b = oscar.send(:_sign, a).to_s
-        c = Akero.replate(b, Akero::PLATE_CRYPTED)
-        subject.receive(c)
-      }.should raise_error RuntimeError, Akero::ERR_MSG_CORRUPT_CERT
-    end
-
-    it "raises RuntimeError on malformed inner message" do
-      lambda {
-        key, cert = subject.send(:generate_keypair, 1024)
-        env = OpenSSL::PKCS7::sign(cert, key, 0xff.chr, [], OpenSSL::PKCS7::BINARY)
-        broken_msg = Akero.replate(env.to_s, Akero::PLATE_CRYPTED)
-        subject.receive(broken_msg)
-      }.should raise_error RuntimeError, Akero::ERR_MSG_MALFORMED_BODY
-    end
-
-    it "raises RuntimeError on unsigned message" do
-      lambda {
-        raw_key = subject.send(:instance_variable_get, '@cert')
-        env = OpenSSL::PKCS7::encrypt([raw_key], 'foobar', OpenSSL::Cipher::new("AES-256-CFB"), OpenSSL::PKCS7::BINARY)
-        broken_msg = Akero.replate(env.to_s, Akero::PLATE_CRYPTED)
-        subject.receive(broken_msg)
-      }.should raise_error RuntimeError, Akero::ERR_MSG_TOO_MANY_SIGNERS
+    ([true, false]).each do |ascii_armor|
+      describe "ascii_armor=#{ascii_armor}" do
+        it "decrypts message that was encrypted for self" do
+          plaintext = "Hello world!"
+          ciphertext = subject.encrypt(subject.public_key, plaintext, ascii_armor)
+          msg = subject.receive(ciphertext)
+          msg.body.should == plaintext
+          msg.type.should == :encrypted
+        end
+
+        it "decrypts message that was encrypted for self and other recipients" do
+          plaintext = "Hello world!"
+          alice = Akero.new
+          bob   = Akero.new
+          ciphertext = subject.encrypt([alice.public_key, subject.public_key, bob.public_key], plaintext, ascii_armor)
+          msg = subject.receive(ciphertext)
+          msg.body.should == plaintext
+          msg.type.should == :encrypted
+        end
+
+        it "fails to decrypt message that was encrypted only for other recipients" do
+          lambda {
+            plaintext = "Hello world!"
+            alice = Akero.new
+            bob   = Akero.new
+            ciphertext = subject.encrypt([alice.public_key, bob.public_key], plaintext, ascii_armor)
+            msg = subject.receive(ciphertext)
+            msg.body.should == plaintext
+            msg.type.should == :encrypted
+          }.should raise_error RuntimeError, Akero::ERR_DECRYPT
+        end
+
+        it "extracts signature from signed message" do
+          plaintext = "Hello world!"
+          alice = Akero.new
+          signed_msg = subject.sign(plaintext, ascii_armor)
+          msg = alice.receive(signed_msg)
+          msg.body.should == plaintext
+          msg.type.should == :signed
+        end
+
+        it "raises RuntimeError on invalid message" do
+          lambda {
+            subject.receive("foobar")
+          }.should raise_error RuntimeError #, Akero::ERR_MSG_MALFORMED_ENV
+        end
+
+        it "raises RuntimeError when payload does not match envelope signature" do
+          lambda {
+            oscar = Akero.new
+            raw_key = subject.send(:instance_variable_get, '@cert')
+            a = subject.send(:_encrypt, [raw_key], subject.send(:_sign, 'foobar'))
+            b = oscar.send(:_sign, a)
+            c = ascii_armor ? Akero.replate(b.to_s, Akero::PLATE_CRYPTED) : b.to_der
+            subject.receive(c)
+          }.should raise_error RuntimeError, Akero::ERR_MSG_CORRUPT_CERT
+        end
+
+        it "raises RuntimeError on malformed inner message" do
+          lambda {
+            key, cert = subject.send(:generate_keypair, 1024)
+            env = OpenSSL::PKCS7::sign(cert, key, 0xff.chr, [], OpenSSL::PKCS7::BINARY)
+            broken_msg = Akero.replate(env.to_s, Akero::PLATE_CRYPTED)
+            subject.receive(broken_msg)
+          }.should raise_error RuntimeError, Akero::ERR_MSG_MALFORMED_BODY
+        end
+
+        it "raises RuntimeError on unsigned message" do
+          lambda {
+            raw_key = subject.send(:instance_variable_get, '@cert')
+            env = OpenSSL::PKCS7::encrypt([raw_key], 'foobar', OpenSSL::Cipher::new("AES-256-CFB"), OpenSSL::PKCS7::BINARY)
+            broken_msg = Akero.replate(env.to_s, Akero::PLATE_CRYPTED)
+            subject.receive(broken_msg)
+          }.should raise_error RuntimeError, Akero::ERR_MSG_TOO_MANY_SIGNERS
+        end
+      end
     end
   end
  

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: akero
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.4
   prerelease: 
 platform: ruby
 authors:
@@ -190,18 +190,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 1654579781693310372
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 1654579781693310372
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23