block_io 3.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7a878068a7ce224442ab3544657e2fb5de30dc68c43b00fd443c7c8ea35a61a
-  data.tar.gz: '09ad2302125ca6d86427637023439ffac4f8c1e7d6f477d098aeb6955d0f3be2'
+  metadata.gz: 42de3243361e4c2a75e0357745ac507c381332d927453d6b35f81b63f30ea723
+  data.tar.gz: f2416231c346fe92b0f39b665390be3c511aab2b62d9c8c8e2f07c580c12e30e
 SHA512:
-  metadata.gz: bb922e78d5c23c2e64b8259a688189eab1c20e654fa63389cc919d28a68030a0650101df2a32aecafbabb6ff639552e2698def07cd405638f0aea6bed32e7995
-  data.tar.gz: 940ff69d78033e939b150af65fc89944a8fd99a4296bab9c8314b5988508e2d093ec1e6c1295df37ebcbac4d31110fc70e3749d02a58da25585039594b872de6
+  metadata.gz: bdd5177bade408ffcb526b09d62a177ebee4d6cef0352267c1d1578c1223bd598f7900012bfa27c0ae1cb71e9202f862180ecad91ea70b4b077a44f4d06fe080
+  data.tar.gz: ff6f0db6e6bc5b485de84487d805970317fa4f936d015d4fce994302a9e48fd3e37dd076ffb0da8a8fb41e1f988040397905d6b389ca7995ed0e6b88b23544bd

data/README.md

@@ -14,9 +14,10 @@ And then execute:
 
 Or install it yourself as:
 
-    $ gem install block_io -v=3.0.0
+    $ gem install block_io
 
 ## Changelog
+*06/09/21*: Version 3.0.1 implements use of dynamic decryption algorithms.  
 *04/14/21*: BREAKING CHANGES. Version 3.0.0. Remove support for Ruby < 2.4.0, and Windows. Behavior and interfaces have changed. By upgrading you'll need to revise your code and tests.
 
 ## Important Notes

data/lib/block_io/client.rb

@@ -16,7 +16,7 @@ module BlockIo
       raise "Must provide an API Key." unless args.key?(:api_key) and args[:api_key].to_s.size > 0
       
       @api_key = args[:api_key]
-      @encryption_key = Helper.pinToAesKey(args[:pin] || "") if args.key?(:pin)
+      @pin = args[:pin]
       @version = args[:version] || 2
       @hostname = args[:hostname] || "block.io"
       @proxy = args[:proxy] || {}
@@ -131,9 +131,10 @@ module BlockIo
       if !encrypted_key.nil? and !@keys.key?(encrypted_key['public_key']) then
         # decrypt the key with PIN
 
-        raise Exception.new("PIN not set and no keys provided. Cannot sign transaction.") unless @encryption_key or @keys.size > 0
-        
-        key = Helper.extractKey(encrypted_key['encrypted_passphrase'], @encryption_key)
+        raise Exception.new("PIN not set and no keys provided. Cannot sign transaction.") unless !@pin.nil? or @keys.size > 0
+
+        key = Helper.dynamicExtractKey(encrypted_key, @pin)
+
         raise Exception.new("Public key mismatch for requested signer and ourselves. Invalid Secret PIN detected.") unless key.public_key_hex.eql?(encrypted_key["public_key"])
 
         # store this key for later use

data/lib/block_io/helper.rb

@@ -2,6 +2,18 @@ module BlockIo
 
   class Helper
 
+    LEGACY_DECRYPTION_ALGORITHM = {
+      :pbkdf2_salt => "",
+      :pbkdf2_iterations => 2048,
+      :pbkdf2_hash_function => "SHA256",
+      :pbkdf2_phase1_key_length => 16,
+      :pbkdf2_phase2_key_length => 32,
+      :aes_iv => nil,
+      :aes_cipher => "AES-256-ECB",
+      :aes_auth_tag => nil,
+      :aes_auth_data => nil
+    }
+    
     def self.allSignaturesPresent?(tx, inputs, signatures, input_address_data)
       # returns true if transaction has all signatures present
       
@@ -152,6 +164,44 @@ module BlockIo
       sighash
       
     end
+
+    def self.getDecryptionAlgorithm(user_key_algorithm = nil)
+      # mainly used so existing unit tests do not break
+      
+      algorithm = ({}).merge(LEGACY_DECRYPTION_ALGORITHM)
+
+      if !user_key_algorithm.nil? then
+        algorithm[:pbkdf2_salt] = user_key_algorithm['pbkdf2_salt']
+        algorithm[:pbkdf2_iterations] = user_key_algorithm['pbkdf2_iterations']
+        algorithm[:pbkdf2_hash_function] = user_key_algorithm['pbkdf2_hash_function']
+        algorithm[:pbkdf2_phase1_key_length] = user_key_algorithm['pbkdf2_phase1_key_length']
+        algorithm[:pbkdf2_phase2_key_length] = user_key_algorithm['pbkdf2_phase2_key_length']
+        algorithm[:aes_iv] = user_key_algorithm['aes_iv']
+        algorithm[:aes_cipher] = user_key_algorithm['aes_cipher']
+        algorithm[:aes_auth_tag] = user_key_algorithm['aes_auth_tag']
+        algorithm[:aes_auth_data] = user_key_algorithm['aes_auth_data']
+      end
+
+      algorithm
+      
+    end
+    
+    def self.dynamicExtractKey(user_key, pin)
+      # user_key object contains the encrypted user key and decryption algorithm
+
+      algorithm = self.getDecryptionAlgorithm(user_key['algorithm'])
+
+      aes_key = self.pinToAesKey(pin, algorithm[:pbkdf2_iterations],
+                                 algorithm[:pbkdf2_salt],
+                                 algorithm[:pbkdf2_hash_function],
+                                 algorithm[:pbkdf2_phase1_key_length],
+                                 algorithm[:pbkdf2_phase2_key_length])
+
+      decrypted = self.decrypt(user_key['encrypted_passphrase'], aes_key, algorithm[:aes_iv], algorithm[:aes_cipher], algorithm[:aes_auth_tag], algorithm[:aes_auth_data])
+      
+      Key.from_passphrase(decrypted)
+      
+    end
     
     def self.extractKey(encrypted_data, b64_enc_key)
       # passphrase is in plain text
@@ -169,24 +219,25 @@ module BlockIo
       OpenSSL::Digest::SHA256.digest(value).unpack("H*")[0]
     end
     
-    def self.pinToAesKey(secret_pin, iterations = 2048)
+    def self.pinToAesKey(secret_pin, iterations = 2048, salt = "", hash_function = "SHA256", pbkdf2_phase1_key_length = 16, pbkdf2_phase2_key_length = 32)
       # converts the pincode string to PBKDF2
       # returns a base64 version of PBKDF2 pincode
-      salt = ""
 
+      raise Exception.new("Unknown hash function specified. Are you using current version of this library?") unless hash_function == "SHA256"
+      
       part1 = OpenSSL::PKCS5.pbkdf2_hmac(
         secret_pin,
-        "",
-        1024,
-        128/8,
+        salt,
+        iterations/2,
+        pbkdf2_phase1_key_length,
         OpenSSL::Digest::SHA256.new
       ).unpack("H*")[0]
       
       part2 = OpenSSL::PKCS5.pbkdf2_hmac(
         part1,
-        "",
-        1024,
-        256/8,
+        salt,
+        iterations/2,
+        pbkdf2_phase2_key_length,
         OpenSSL::Digest::SHA256.new
       ) # binary
 
@@ -195,15 +246,19 @@ module BlockIo
     end
 
     # Decrypts a block of data (encrypted_data) given an encryption key
-    def self.decrypt(encrypted_data, b64_enc_key, iv = nil, cipher_type = "AES-256-ECB")
+    def self.decrypt(encrypted_data, b64_enc_key, iv = nil, cipher_type = "AES-256-ECB", auth_tag = nil, auth_data = nil)
+
+      raise Exception.new("Auth tag must be 16 bytes exactly.") unless auth_tag.nil? or auth_tag.size == 32
       
       response = nil
 
       begin
-        aes = OpenSSL::Cipher.new(cipher_type)
+        aes = OpenSSL::Cipher.new(cipher_type.downcase)
         aes.decrypt
         aes.key = b64_enc_key.unpack("m0")[0]
-        aes.iv = iv unless iv.nil?
+        aes.iv = [iv].pack("H*") unless iv.nil?
+        aes.auth_tag = [auth_tag].pack("H*") unless auth_tag.nil?
+        aes.auth_data = [auth_data].pack("H*") unless auth_data.nil?
         response = aes.update(encrypted_data.unpack("m0")[0]) << aes.final
       rescue Exception => e
         # decryption failed, must be an invalid Secret PIN
@@ -214,12 +269,17 @@ module BlockIo
     end
     
     # Encrypts a block of data given an encryption key
-    def self.encrypt(data, b64_enc_key, iv = nil, cipher_type = "AES-256-ECB")
-      aes = OpenSSL::Cipher.new(cipher_type)
+    def self.encrypt(data, b64_enc_key, iv = nil, cipher_type = "AES-256-ECB", auth_data = nil)
+      aes = OpenSSL::Cipher.new(cipher_type.downcase)
       aes.encrypt
       aes.key = b64_enc_key.unpack("m0")[0]
-      aes.iv = iv unless iv.nil?
-      [aes.update(data) << aes.final].pack("m0")
+      aes.iv = [iv].pack("H*") unless iv.nil?
+      aes.auth_data = [auth_data].pack("H*") unless auth_data.nil?
+      result = [aes.update(data) << aes.final].pack("m0")
+      auth_tag = (cipher_type.end_with?("-GCM") ? aes.auth_tag.unpack("H*")[0] : nil)
+
+      {:aes_auth_tag => auth_tag, :aes_cipher_text => result, :aes_iv => iv, :aes_cipher => cipher_type, :aes_auth_data => auth_data}
+      
     end
 
     # courtesy bitcoin-ruby

data/lib/block_io/version.rb

@@ -1,3 +1,3 @@
 module BlockIo
-  VERSION = "3.0.0"
+  VERSION = "3.0.1"
 end

data/spec/helper_spec.rb

@@ -6,24 +6,31 @@ describe "Helper.sha256" do
 end
 
 describe "Helper.pinToAesKey" do
-  it "deadbeef" do
-    expect(BlockIo::Helper.pinToAesKey("deadbeef", false)).to eq([["b87ddac3d84865782a0edbc21b5786d56795dd52bab0fe49270b3726372a83fe"].pack("H*")].pack("m0"))
+  describe "no_salt" do
+    it "deadbeef" do
+      expect(BlockIo::Helper.pinToAesKey("deadbeef")).to eq([["b87ddac3d84865782a0edbc21b5786d56795dd52bab0fe49270b3726372a83fe"].pack("H*")].pack("m0"))
+    end
+  end
+  describe "salt" do
+    it "922445847c173e90667a19d90729e1fb" do
+      expect(BlockIo::Helper.pinToAesKey("deadbeef", 500000, "922445847c173e90667a19d90729e1fb")).to eq([["f206403c6bad20e1c8cb1f3318e17cec5b2da0560ed6c7b26826867452534172"].pack("H*")].pack("m0"))
+    end
   end
 end
 
-describe "Helper.encrypt" do
+describe "Helper.encrypt_aes256ecb" do
   before(:each) do
     @encryption_key = BlockIo::Helper.pinToAesKey("deadbeef")
     @encrypted_data = BlockIo::Helper.encrypt("beadbeef", @encryption_key)
   end
 
   it "beadbeef" do
-    expect(@encrypted_data).to eq("3wIJtPoC8KO6S7x6LtrN0g==")
+    expect(@encrypted_data[:aes_cipher_text]).to eq("3wIJtPoC8KO6S7x6LtrN0g==")
   end
 
 end
 
-describe "Helper.decrypt" do
+describe "Helper.decrypt_aes256ecb" do
   before(:each) do
     @encryption_key = BlockIo::Helper.pinToAesKey("deadbeef")
     @bad_encryption_key = BlockIo::Helper.pinToAesKey(SecureRandom.hex(8))
@@ -31,7 +38,7 @@ describe "Helper.decrypt" do
   end
 
   it "encryption_key" do
-    @decrypted_data = BlockIo::Helper.decrypt(@encrypted_data, @encryption_key)
+    @decrypted_data = BlockIo::Helper.decrypt(@encrypted_data[:aes_cipher_text], @encryption_key)
     expect(@decrypted_data).to eq("beadbeef")
   end
 
@@ -42,3 +49,106 @@ describe "Helper.decrypt" do
   end
   
 end
+
+describe "Helper.encrypt_aes256cbc" do
+  before(:each) do
+    @encryption_key = BlockIo::Helper.pinToAesKey("deadbeef", 500000, "922445847c173e90667a19d90729e1fb")
+    @encrypted_data = BlockIo::Helper.encrypt("beadbeef", @encryption_key, "11bc22166c8cf8560e5fa7e5c622bb0f", "AES-256-CBC")
+  end
+
+  it "beadbeef" do
+    expect(@encrypted_data[:aes_cipher_text]).to eq("LExu1rUAtIBOekslc328Lw==")
+  end
+
+end
+
+describe "Helper.decrypt_aes256cbc" do
+  before(:each) do
+    @encryption_key = BlockIo::Helper.pinToAesKey("deadbeef", 500000, "922445847c173e90667a19d90729e1fb")
+    @bad_encryption_key = BlockIo::Helper.pinToAesKey(SecureRandom.hex(8))
+    @encrypted_data = BlockIo::Helper.encrypt("beadbeef", @encryption_key, "11bc22166c8cf8560e5fa7e5c622bb0f", "AES-256-CBC")
+  end
+
+  it "encryption_key" do
+    @decrypted_data = BlockIo::Helper.decrypt(@encrypted_data[:aes_cipher_text], @encryption_key, @encrypted_data[:aes_iv], @encrypted_data[:aes_cipher])
+    expect(@decrypted_data).to eq("beadbeef")
+  end
+
+  it "bad_encryption_key" do
+    expect{
+      BlockIo::Helper.decrypt(@encrypted_data[:aes_cipher_text], @bad_encryption_key, @encrypted_data[:aes_iv], @encrypted_data[:aes_cipher])
+    }.to raise_error(Exception, "Invalid Secret PIN provided.")
+  end
+  
+end
+
+describe "Helper.decrypt_aes256gcm" do
+  before(:each) do
+    @encryption_key = BlockIo::Helper.pinToAesKey("deadbeef", 500000, "922445847c173e90667a19d90729e1fb")
+    @bad_encryption_key = BlockIo::Helper.pinToAesKey(SecureRandom.hex(8))
+    @encrypted_data = BlockIo::Helper.encrypt("beadbeef", @encryption_key, "a57414b88b67f977829cbdca", "AES-256-GCM", "")
+  end
+
+  it "encryption_key" do
+    @decrypted_data = BlockIo::Helper.decrypt(@encrypted_data[:aes_cipher_text],
+                                              @encryption_key, @encrypted_data[:aes_iv],
+                                              @encrypted_data[:aes_cipher],
+                                              @encrypted_data[:aes_auth_tag],
+                                              @encrypted_data[:aes_auth_data])
+    expect(@decrypted_data).to eq("beadbeef")
+  end
+
+  it "encryption_key_bad_auth_tag" do
+    expect{
+      BlockIo::Helper.decrypt(@encrypted_data[:aes_cipher_text],
+                              @encryption_key, @encrypted_data[:aes_iv],
+                              @encrypted_data[:aes_cipher],
+                              @encrypted_data[:aes_auth_tag][0..30],
+                              @encrypted_data[:aes_auth_data])
+    }.to raise_error(Exception, "Auth tag must be 16 bytes exactly.")
+  end
+
+  it "bad_encryption_key" do
+    expect{
+      BlockIo::Helper.decrypt(@encrypted_data[:aes_cipher_text], @bad_encryption_key, @encrypted_data[:aes_iv], @encrypted_data[:aes_cipher], @encrypted_data[:aes_auth_tag],
+                              @encrypted_data[:aes_auth_data])
+    }.to raise_error(Exception, "Invalid Secret PIN provided.")
+  end
+  
+end
+
+describe "Helper.encrypt_aes256gcm" do
+  before(:each) do
+    @encryption_key = BlockIo::Helper.pinToAesKey("deadbeef", 500000, "922445847c173e90667a19d90729e1fb")
+    @encrypted_data = BlockIo::Helper.encrypt("beadbeef", @encryption_key, "a57414b88b67f977829cbdca", "AES-256-GCM", "")
+  end
+
+  it "beadbeef" do
+    expect(@encrypted_data[:aes_cipher_text]).to eq("ELV56Z57KoA=")
+    expect(@encrypted_data[:aes_auth_tag]).to eq("adeb7dfe53027bdda5824dc524d5e55a")
+  end
+
+end
+
+describe "Helper.dynamicExtractKey" do
+
+  before(:each) do
+    @aes256cbc_user_key = Oj.safe_load('{"encrypted_passphrase":"LExu1rUAtIBOekslc328Lw==","public_key":"02f87f787bffb30396984cb6b3a9d6830f32d5b656b3e39b0abe4f3b3c35d99323","algorithm":{"pbkdf2_salt":"922445847c173e90667a19d90729e1fb","pbkdf2_iterations":500000,"pbkdf2_hash_function":"SHA256","pbkdf2_phase1_key_length":16,"pbkdf2_phase2_key_length":32,"aes_iv":"11bc22166c8cf8560e5fa7e5c622bb0f","aes_cipher":"AES-256-CBC","aes_auth_tag":null,"aes_auth_data":null}}')
+    @aes256gcm_user_key = Oj.safe_load('{"encrypted_passphrase":"ELV56Z57KoA=","public_key":"02f87f787bffb30396984cb6b3a9d6830f32d5b656b3e39b0abe4f3b3c35d99323","algorithm":{"pbkdf2_salt":"922445847c173e90667a19d90729e1fb","pbkdf2_iterations":500000,"pbkdf2_hash_function":"SHA256","pbkdf2_phase1_key_length":16,"pbkdf2_phase2_key_length":32,"aes_iv":"a57414b88b67f977829cbdca","aes_cipher":"AES-256-GCM","aes_auth_tag":"adeb7dfe53027bdda5824dc524d5e55a","aes_auth_data":""}}')
+    @aes256ecb_user_key = Oj.safe_load('{"encrypted_passphrase":"3wIJtPoC8KO6S7x6LtrN0g==","public_key":"02f87f787bffb30396984cb6b3a9d6830f32d5b656b3e39b0abe4f3b3c35d99323","algorithm":{"pbkdf2_salt":"","pbkdf2_iterations":2048,"pbkdf2_hash_function":"SHA256","pbkdf2_phase1_key_length":16,"pbkdf2_phase2_key_length":32,"aes_iv":null,"aes_cipher":"AES-256-ECB","aes_auth_tag":null,"aes_auth_data":null}}')
+    @pin = "deadbeef"
+  end
+
+  it "aes256ecb_success" do
+    expect(BlockIo::Helper.dynamicExtractKey(@aes256ecb_user_key, @pin).public_key_hex).to eq(BlockIo::Key.from_passphrase("beadbeef").public_key_hex)
+  end
+  
+  it "aes256cbc_success" do
+    expect(BlockIo::Helper.dynamicExtractKey(@aes256cbc_user_key, @pin).public_key_hex).to eq(BlockIo::Key.from_passphrase("beadbeef").public_key_hex)
+  end
+  
+  it "aes256gcm_success" do
+    expect(BlockIo::Helper.dynamicExtractKey(@aes256gcm_user_key, @pin).public_key_hex).to eq(BlockIo::Key.from_passphrase("beadbeef").public_key_hex)
+  end
+  
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: block_io
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - Atif Nazir
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-26 00:00:00.000000000 Z
+date: 2021-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler