bequest 0.0.3

data/.gitignore

@@ -0,0 +1,3 @@
+sandbox
+Gemfile.lock
+*.gem

data/.rvmrc

@@ -0,0 +1 @@
+rvm --create use 1.8.7@bequest

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in document_builder.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Andy White
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,68 @@
+# Bequest
+
+There might be times when you (the bequestor) want to provide data to a third party (the bequestee) for a limited time and/or only on a specific machine. Bequest enables password, MAC address and expiry-based protection of data via a single, binary, encrypted license file.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'bequest'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install bequest
+
+## Usage
+
+The bequestor would run:
+
+    Bequest::License.create('path/to/source/data', 'path/to/out/file', 
+      :expires_at => Time.now + 1.year,
+      :password => 'secret word or phrase',
+      :mac_addr => 'bequestee:MAC:address:for:example')
+
+Parameters:
+
+  1. Source data file - this is the secret data you want made securely available to the client, it can be plain text or binary
+  2. Out file - the license file that will be created
+
+Options (at least ONE of :password or :mac_addr must be set):
+
+  * :expires_at - time as a Ruby Time object, no expiry if omitted or set to nil
+  * :password - this can be any word or phrase and will be prompted for (if set and not supplied as an option) when the license is loaded
+  * :mac_addr - if set this will be read from the local machine when the bequestee loads the license if not supplied as an option
+
+The serialised, binary license file contains a main checksum and a body. The body is composed of:
+
+  * The encrypted expiry time
+  * Password and MAC address booleans
+  * The compressed, encrypted source data
+  * The initialisation vector
+
+The main checksum is of the body as a joined array, before it was serialised in the license file. It is used to validate the integrity of the license file.
+
+The client would run:
+
+    lic, data = Bequest::License.load('path/to/lic/file',
+      :password => 'whatever', :mac_addr => 'whatever')
+
+The password will be prompted for if set and *:password* not supplied. The first MAC address of the local machine will be used if set and *:mac_addr* not supplied. *data* will be set to nil if authentication fails or it has expired. *lic* will always be populated regardless of success and may be queried as follows:
+
+    lic.valid?             # => true or false
+    lic.expired?           # => true or false
+    lic.expires_at         # => Ruby Time object
+    lic.status             # => :ok, :expired, :unauthorized, or :tampered
+
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/bequest.gemspec

@@ -0,0 +1,20 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'bequest/version'
+
+Gem::Specification.new do |s|
+  s.name          = "bequest"
+  s.version       = Bequest::VERSION
+  s.authors       = ["Andy White"]
+  s.email         = ["andy@wireworldmedia.co.uk"]
+  s.description   = %q{License secure data}
+  s.summary       = %q{Bequest enables password, MAC address and expiry-based validation and secure data provision via a single license file.}
+  s.homepage      = ""
+  s.files         = `git ls-files`.split($/)
+  s.executables   = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  s.test_files    = s.files.grep(%r{^(test|spec|features)/})
+  s.require_paths = ["lib"]
+  s.add_runtime_dependency "macaddr", ">= 1.6.1"
+  s.add_development_dependency "rspec", ">= 0"
+end

data/lib/bequest.rb

@@ -0,0 +1,3 @@
+require 'bequest/data'
+require 'bequest/license'
+require 'bequest/version'

data/lib/bequest/data.rb

@@ -0,0 +1,132 @@
+require 'openssl'
+require 'digest/sha2'
+require 'digest/md5'
+require 'zlib'
+require 'macaddr'
+
+module Bequest
+  class Data
+    def initialize(secret_data, opts = {})
+      opts = {:expires_at => nil, :password => '', :mac_addr => ''}.merge(opts)
+      compressed = Zlib::Deflate.deflate(secret_data)
+      key = key(opts[:password], opts[:mac_addr])
+      iv = Digest::MD5.hexdigest(rand.to_s)
+      encrypted_data = encrypt(compressed, key, iv)
+      encrypted_expires_at = opts[:expires_at] ? encrypt(opts[:expires_at].to_i.to_s, key, iv) : nil
+
+      body = [encrypted_expires_at, opts[:password].any?, opts[:mac_addr].any?, encrypted_data, iv]
+      checksum = Digest::MD5.hexdigest(body.join)
+      @data = [checksum, body]
+    end
+    
+    def dump(path)
+      FileUtils.mkdir_p(File.dirname(path))
+      File.open(path, "w") { |f| f.write(Marshal::dump(self)) }
+    end
+
+    def unpack(password, mac_addr)
+      password = prompt_if_required(password)
+      mac_addr = get_if_required(mac_addr)
+
+      if Digest::MD5.hexdigest(body.join) == checksum
+        compressed = decrypt(encrypted_data, key(password, mac_addr), iv)
+
+        begin
+          data = Zlib::Inflate.inflate(compressed)
+
+          if encrypted_expires_at
+            expires_at = Time.at(decrypt(encrypted_expires_at, key(password, mac_addr), iv).to_i)
+
+            if expires_at.to_i < Time.now.to_i
+              [nil, :expired, expires_at]
+            else
+              [data, :ok, expires_at]
+            end
+          else
+            [data, :ok, nil]
+          end
+        rescue
+          [nil, :unauthorized, nil]
+        end
+      else
+        [nil, :tampered, nil]
+      end
+    end
+
+    private
+    
+    def checksum
+      @data[0]
+    end
+    
+    def body
+      @data[1]
+    end
+
+    def encrypted_expires_at
+      body[0]
+    end
+    
+    def need_password?
+      body[1]
+    end
+    
+    def need_mac_addr?
+      body[2]
+    end
+
+    def encrypted_data
+      body[3]
+    end
+    
+    def iv
+      body[4]
+    end
+    
+    def prompt_if_required(password)
+      if need_password? && password.nil?
+        STDOUT.puts "Password: "
+        STDOUT.flush
+        gets.chomp
+      else
+        password
+      end
+    end
+
+    def get_if_required(mac_addr)
+      if need_mac_addr? && mac_addr.nil?
+        Mac.addr
+      else
+        mac_addr
+      end
+    end
+    
+    def key(password, mac_addr)
+      sha256 = Digest::SHA2.new(256)
+      sha256.digest(
+        'ZggthtmuGfDWy4D' + (password || '') + 'gt5gIrfMcgyb8ii' + (mac_addr || '') + 'C1pq3gi65SX2ckx'
+      )
+    end
+
+    def encrypt(data, key, iv)
+      aes = OpenSSL::Cipher.new("AES-256-CFB")
+      aes.encrypt
+      aes.key = key
+      aes.iv = iv
+      aes.update(data) + aes.final
+    end
+
+    def decrypt(data, key, iv)
+      aes = OpenSSL::Cipher.new("AES-256-CFB")
+      aes.decrypt
+      aes.key = key
+      aes.iv = iv
+    
+      begin
+        aes.update(data) + aes.final
+      rescue
+        false
+      end
+    end
+  end
+end

data/lib/bequest/license.rb

@@ -0,0 +1,38 @@
+module Bequest
+  class License
+    attr_reader :expires_at, :status
+    
+    def initialize(status, expires_at)
+      @status = status
+      @expires_at = expires_at
+    end
+  
+    class << self
+      def create(data_path, out_path, opts = {})
+        if (opts[:password]||'').any? || (opts[:mac_addr]||'').any?
+          Data.new(File.read(data_path), opts).dump(out_path)
+        else
+          puts "At least ONE of password or mac_addr required"
+        end
+      end
+
+      def load(lic_file_path, opts = {})
+        begin
+          data = Marshal::load(File.read(lic_file_path))
+          original_data, status, expires_at = data.unpack(opts[:password], opts[:mac_addr])
+          [self.new(status, expires_at), original_data]
+        rescue
+          [self.new(:tampered, nil), nil]
+        end
+      end
+    end
+    
+    def valid?
+      @status == :ok
+    end
+  
+    def expired?
+      expires_at ? expires_at < Time.now : nil
+    end
+  end
+end

data/lib/bequest/version.rb

@@ -0,0 +1,3 @@
+module Bequest
+  VERSION = "0.0.3"
+end

data/samples/secret.txt

@@ -0,0 +1,44 @@
+This is
+top secret.
+
+...and here's a secret camel:
+
+                             __
+                 .--.      .'  `.
+               .' . :\    /   :  L
+               F     :\  /   . : |        .-._
+              /     :  \/        J      .' ___\
+             J     :   /      : : L    /--'   ``.
+             F      : J           |  .<'.o.  `-'>
+            /        J             L \_>.   .--w)
+           J        /              \_/|   . `-__|
+           F                        / `    -' /|)
+          |   :                    J   '        |
+         .'   ':                   |    .    :  \
+        /                          J      :     |L
+       F                              |     \   ||
+      F .                             |   :      |
+     F  |                             ; .   :  : F
+    /   |                                     : J
+   J    J             )                ;        F
+   |     L           /      .:'                J
+.-'F:     L        ./       :: :       .       F
+`-'F:     .\    `:.J         :::.             J
+  J       ::\    `:|        |::::\            |
+  J        |:`.    J        :`:::\            F
+   L   :':/ \ `-`.  \       : `:::|        .-'
+   |     /   L    >--\         :::|`.    .-'
+   J    J    |    |   L     .  :::: :`, /
+    L   F    J    )   |        >::   : /
+    |  J      L   F   \     .-.:'   . /
+    ): |     J   /     `-   | |   .--'
+    /  |     |: J        L  J J   )
+    L  |     |: |        L   F|   /
+    \: J     \:  L       \  /  L |
+     L |      \  |        F|   | )
+     J F       \ J       J |   |J
+      L|        \ \      | |   | L
+      J L        \ \     F \   F |
+       L\         \ \   J   | J   L
+      /__\_________)_`._)_  |_/   \_____
+                          ""   `"""

data/spec/helper.rb

@@ -0,0 +1,8 @@
+def sandbox
+  File.expand_path(File.join('..', '..', 'sandbox'), __FILE__)
+end
+
+def set_sandbox
+  system "rm -fr #{sandbox} && mkdir #{sandbox}"
+end
+

data/spec/license_spec.rb

@@ -0,0 +1,279 @@
+require 'bequest'
+require 'helper'
+
+module Bequest
+  describe License do
+    before(:each) do
+      set_sandbox
+      @lic_file = './sandbox/lic.dat'
+      @tampered_lic_file = './samples/tampered_lic.dat'
+      @tampered_checksum_lic_file = './samples/tampered_checksum_lic.dat'
+      @data_file = './samples/secret.txt'
+      @soon = Time.now + 10
+      @just_passed = Time.now - 10
+      @password = 'secret'
+      @mac_addr = 'mac:addr'
+    end
+  
+    describe "Bequester makes a new license" do
+      before(:each) do
+        License.create(@data_file, @lic_file, :expires_at => @soon, :password => @password)
+        @lic, data = License.load(@lic_file, :password => @password)
+      end
+      
+      it "creates a file" do
+        File.exist?(@lic_file).should be_true
+      end
+      
+      it "has a correct expiry time" do
+        @lic.expires_at.to_i.should == @soon.to_i
+      end
+
+      it "requires at least ONE of password or mac_addr" do
+        @lic = License.create(@data_file, @lic_file)
+        @lic.should be_nil
+      end
+
+      it "requires at least ONE of password or mac_addr to have a length" do
+        @lic = License.create(@data_file, @lic_file, :password => '')
+        @lic.should be_nil
+      end
+    end
+  
+    describe "Bequestee loads an 'in date', password protected license file" do
+      before(:each) do
+        License.create(@data_file, @lic_file, :expires_at => @soon, :password => @password)
+      end
+
+      describe "Correct password supplied" do
+        before(:each) do
+          @lic, @data = License.load(@lic_file, :password => @password)
+        end
+          
+        it "should be a license" do
+          @lic.class.should == License
+        end
+          
+        it "should be valid" do
+          @lic.valid?.should be_true
+        end
+          
+        it "status should be OK" do
+          @lic.status.should == :ok
+        end
+          
+        it "has a correct expiry time" do
+          @lic.expires_at.to_i.should == @soon.to_i
+        end
+      
+        it "should not be expired" do
+          @lic.expired?.should == false
+        end
+      
+        it "should yield original data" do
+          @data.should == File.read(@data_file)
+        end
+      end
+    
+      describe "Wrong password supplied" do
+        before(:each) do
+          @lic, @data = License.load(@lic_file, :password => 'plainly wrong')
+        end
+          
+        it "should not be valid" do
+          @lic.valid?.should be_false
+        end
+          
+        it "status should be unauthorized" do
+          @lic.status.should == :unauthorized
+        end
+          
+        it "should have a nil expiry time" do
+          @lic.expires_at.should be_nil
+        end
+      
+        it "expired? should be nil" do
+          @lic.expired?.should be_nil
+        end
+      
+        it "should yield no data" do
+          @data.should be_nil
+        end
+      end
+
+      describe "No password supplied" do
+        it "should prompt" do
+          STDOUT.should_receive(:puts).with("Password: ")
+          @lic, @data = License.load(@lic_file)
+        end
+      end
+    end
+  
+    describe "Bequestee loads an expired, password protected license file" do
+      before(:each) do
+        lic = License.create(@data_file, @lic_file, :expires_at => @just_passed, :password => @password)
+        @lic, @data = License.load(@lic_file, :password => @password)
+      end
+    
+      it "should not be valid" do
+        @lic.valid?.should be_false
+      end
+        
+      it "status should be expired" do
+        @lic.status.should == :expired
+      end
+        
+      it "should have correct expiry time" do
+        @lic.expires_at.to_i.should == @just_passed.to_i
+      end
+    
+      it "expired? should be true" do
+        @lic.expired?.should be_true
+      end
+    
+      it "should yield no data" do
+        @data.should be_nil
+      end
+    end
+    
+    describe "Bequestee loads a password protected license file with a tampered body" do
+      before(:each) do
+        @lic, @data = License.load(@tampered_lic_file, :password => @password)
+      end
+    
+      it "should not be valid" do
+        @lic.valid?.should be_false
+      end
+        
+      it "status should be tampered" do
+        @lic.status.should == :tampered
+      end
+        
+      it "should have nil expiry time" do
+        @lic.expires_at.should be_nil
+      end
+    
+      it "expired? should be nil" do
+        @lic.expired?.should be_nil
+      end
+    
+      it "should yield no data" do
+        @data.should be_nil
+      end
+    end
+    
+    describe "Bequestee loads a password protected license file with a tampered checksum" do
+      before(:each) do
+        @lic, @data = License.load(@tampered_checksum_lic_file, :password => @password)
+      end
+    
+      it "should not be valid" do
+        @lic.valid?.should be_false
+      end
+        
+      it "status should be tampered" do
+        @lic.status.should == :tampered
+      end
+        
+      it "should have nil expiry time" do
+        @lic.expires_at.should be_nil
+      end
+    
+      it "expired? should be nil" do
+        @lic.expired?.should be_nil
+      end
+    
+      it "should yield no data" do
+        @data.should be_nil
+      end
+    end
+
+    describe "Bequestee loads an imortal, password protected license file" do 
+      before(:each) do
+        lic = License.create(@data_file, @lic_file, :password => @password)
+        @lic, @data = License.load(@lic_file, :password => @password)
+      end
+
+      it "should be valid" do
+        @lic.valid?.should be_true
+      end
+        
+      it "status should be ok" do
+        @lic.status.should == :ok
+      end
+        
+      it "should have nil expiry time" do
+        @lic.expires_at.should be_nil
+      end
+    
+      it "expired? should be nil" do
+        @lic.expired?.should be_nil
+      end
+    
+      it "should yield original data" do
+        @data.should == File.read(@data_file)
+      end
+    end
+    
+    describe "Bequestee loads an imortal, MAC protected (for bequestee machine) license file" do
+      before(:each) do
+        lic = License.create(@data_file, @lic_file, :mac_addr => Mac.addr)
+      end
+      
+      describe "no MAC supplied" do
+        before(:each) do
+          @lic, @data = License.load(@lic_file)
+        end
+        
+        it "should be valid" do
+          @lic.valid?.should be_true
+        end
+
+        it "status should be ok" do
+          @lic.status.should == :ok
+        end
+
+        it "should yield original data" do
+          @data.should == File.read(@data_file)
+        end
+      end
+      
+      describe "Wrong MAC supplied" do
+        before(:each) do
+          @lic, @data = License.load(@lic_file, :mac_addr => 'very:wrong:mac:addr:indeed')
+        end
+        
+        it "should not be valid" do
+          @lic.valid?.should be_false
+        end
+          
+        it "status should be unauthorized" do
+          @lic.status.should == :unauthorized
+        end
+          
+        it "should have a nil expiry time" do
+          @lic.expires_at.should be_nil
+        end
+      
+        it "expired? should be nil" do
+          @lic.expired?.should be_nil
+        end
+      
+        it "should yield no data" do
+          @data.should be_nil
+        end
+      end
+    end
+
+    describe "Bequestee loads a binary file" do
+      before(:each) do
+        License.create('./samples/hello.exe', @lic_file, :password => @password)
+        @lic, @data = License.load(@lic_file, :password => @password)
+      end
+      
+      it "binary data matches original" do
+        @data == open('./samples/hello.exe', "rb") {|io| io.read }
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,113 @@
+--- !ruby/object:Gem::Specification 
+name: bequest
+version: !ruby/object:Gem::Version 
+  hash: 25
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 3
+  version: 0.0.3
+platform: ruby
+authors: 
+- Andy White
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-02-21 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: macaddr
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 13
+        segments: 
+        - 1
+        - 6
+        - 1
+        version: 1.6.1
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+description: License secure data
+email: 
+- andy@wireworldmedia.co.uk
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- .rvmrc
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bequest.gemspec
+- lib/bequest.rb
+- lib/bequest/data.rb
+- lib/bequest/license.rb
+- lib/bequest/version.rb
+- samples/hello.exe
+- samples/lic.dat
+- samples/secret.txt
+- samples/tampered_checksum_lic.dat
+- samples/tampered_lic.dat
+- spec/helper.rb
+- spec/license_spec.rb
+homepage: ""
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: Bequest enables password, MAC address and expiry-based validation and secure data provision via a single license file.
+test_files: 
+- spec/helper.rb
+- spec/license_spec.rb