ccrypto-ruby 0.1.0

data/lib/ccrypto/ruby/engines/hmac_engine.rb

@@ -0,0 +1,53 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  module Ruby
+    class HMACEngine
+      include TR::CondUtils
+      include DataConversion
+
+      def initialize(*args,&block)
+        @config = args.first
+
+        raise HMACEngineException, "HMAC config is expected" if not @config.is_a?(Ccrypto::HMACConfig) 
+
+        raise HMACEngineException, "Signing key is required" if is_empty?(@config.key)
+        raise HMACEngineException, "Secret key as signing key is required. Given #{@config.key.class}" if not @config.key.is_a?(Ccrypto::SecretKey)
+
+        raise HMACEngineException, "Digest '#{@config.digest}' is not supported" if not DigestEngine.is_supported?(@config.digest)
+       
+        dig = DigestEngine.digest(@config.digest)
+
+        @hmac = OpenSSL::HMAC.new(@config.key.to_bin, dig.native_digest_engine)
+
+      end
+
+      def hmac_update(val)
+        @hmac.update(val) 
+      end
+
+      def hmac_final
+        @hmac.digest
+      end
+
+      def hmac_digest(val, output = :binary)
+        hmac_update(val)
+        res = hmac_final
+
+        @hmac.reset
+
+        case output
+        when :hex
+          to_hex(res)
+        when :b64
+          to_b64(res)
+        else
+          res
+        end
+      end
+
+
+    end
+  end
+end

data/lib/ccrypto/ruby/engines/pbkdf2_engine.rb

@@ -0,0 +1,69 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  module Ruby
+    class PBKDF2Engine
+      include TR::CondUtils
+      include DataConversion
+
+      def initialize(conf, &block)
+        raise KDFEngineException, "PBKDF2 config is expected" if not conf.is_a?(Ccrypto::PBKDF2Config)
+        raise KDFEngineException, "Output bit length (outBitLength) value is not given or not a positive value (#{conf.outBitLength})" if is_empty?(conf.outBitLength) or conf.outBitLength <= 0
+
+        @config = conf
+        if is_empty?(@config.salt)
+          @config.salt = SecureRandom.random_bytes(16)
+        end
+      end
+
+      def derive(input, output = :binary)
+
+        @config.digest = default_digest if is_empty?(@config.digest)
+        digest = init_digest(@config.digest)
+
+        logger.debug "Digest : #{@config.digest}"
+        logger.debug "Iterations : #{@config.iter}"
+        logger.debug "Out byte length : #{@config.outBitLength/8}"
+
+        res = OpenSSL::KDF.pbkdf2_hmac(input, salt: @config.salt, iterations: @config.iter, length: @config.outBitLength/8, hash: digest)  
+
+        case output
+        when :hex
+          to_hex(res)
+        when :b64
+          to_b64(res)
+        else
+          res
+        end
+      end
+
+      private
+      def init_digest(algo)
+        if DigestEngine.is_supported?(algo)
+          conf = DigestEngine.engineKeys[algo]
+          if not_empty?(conf)
+            OpenSSL::Digest.new(conf.provider_config)
+          else
+            raise DigestEngineException, "Algo config '#{algo}' not found"
+          end
+        else
+          raise DigestEngineException, "Digest algo '#{algo}' is not supported"
+        end
+      end
+
+      def default_digest
+        :sha3_256
+      end
+
+      def logger
+        if @logger.nil?
+          @logger = TeLogger::Tlogger.new
+          @logger.tag = :pbkdf2
+        end
+        @logger
+      end
+
+    end
+  end
+end

data/lib/ccrypto/ruby/engines/pkcs7_engine.rb

@@ -0,0 +1,179 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  module Ruby
+    
+    class PKCS7EngineException < StandardError; end
+
+    class PKCS7Engine
+      include TR::CondUtils
+      include DataConversion
+
+      include TeLogger::TeLogHelper
+
+      teLogger_tag :r_p7
+
+      def initialize(config)
+        @config = config
+        raise PKCS7EngineException, "Ccrypto::PKCS7Config is expected" if not @config.is_a?(Ccrypto::PKCS7Config)
+      end
+
+      def sign(val, outFormat = :bin, &block)
+        validate_input(val, "signing") 
+        validate_key_must_exist("signing")
+        raise PKCS7EngineException, "signerCert is required for PKCS7 sign operation" if is_empty?(@config.signerCert)
+        raise PKCS7EngineException, "Given signerCert must be a Ccrypto::X509Cert object" if not @config.signerCert.is_a?(Ccrypto::X509Cert)
+
+        privKey = @config.private_key.native_privKey
+
+        caCerts = []
+        attached = true
+        if block
+          caCerts = block.call(:ca_certs)
+          detachedSign = block.call(:detached_sign)
+          attached = ! detachedSign if is_bool?(detachedSign)
+        end
+
+        caCerts = [] if caCerts.nil?
+        attached = true if is_empty?(attached) and not is_bool?(attached)
+
+        if not attached
+          flag = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED
+        else
+          flag = OpenSSL::PKCS7::BINARY
+        end
+
+        res = OpenSSL::PKCS7.sign(@config.signerCert.nativeX509, privKey, val, caCerts, flag) 
+        case outFormat
+        when :b64
+          to_b64(res.to_der)
+        when :hex
+          to_hex(res.to_der)
+        else
+          res.to_der
+        end
+      end
+
+      def verify(val, inForm = :bin, &block)
+        validate_input(val, "verify") 
+
+        case inForm
+        when :b64
+          v = from_b64(val)
+        when :hex
+          v = from_hex(val)
+        else
+          v = val
+        end
+
+        p7 = OpenSSL::PKCS7.new(v)
+
+        certVerified = true
+        store = OpenSSL::X509::Store.new
+        p7.certificates.each do |c|
+          if block
+            certVerified = block.call(:verify_certificate, c)
+            if is_empty?(certVerified)
+              teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} passed through (no checking by application). Assumed good cert."
+              store.add_cert(c)
+              certVerified = true
+            else
+              if certVerified
+                teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} accepted by application"
+                store.add_cert(c)
+              else
+                teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} rejected by application"
+              end
+            end
+          else
+            teLogger.debug "Certificate with subject #{c.subject.to_s} / Issuer: #{c.issuer.to_s} / SN: #{c.serial.to_s(16)} passed through (no checking by application)"
+            store.add_cert(c)
+          end
+        end
+
+        if certVerified
+          
+          if p7.detached?
+            teLogger.debug "Detached signature detected during signature verification"
+            raise PKCS7EngineException, "block is required for detached signature" if not block
+            data = block.call(:signed_data)
+            p7.data = data
+          else
+            teLogger.debug "Attached signature detected during signature verification"
+          end
+
+          res = p7.verify([], store, nil, OpenSSL::PKCS7::NOVERIFY)
+
+          if block
+            block.call(:verification_result, res)
+            if res and not p7.detached?
+              block.call(:attached_data, p7.data)
+            end
+          end
+
+          res
+
+        else
+          certVerified
+        end
+
+      end
+
+      def encrypt(val, &block)
+        validate_input(val, "encrypt") 
+        raise PKCS7EngineException, "At least one recipient_cert is required for PKCS7 encrypt" if is_empty?(@config.recipient_certs)
+        
+        recps = @config.recipient_certs.map do |c|
+          raise PKCS7EngineException, "Given recipient_cert must be a Ccrypto::X509Cert object" if not c.is_a?(Ccrypto::X509Cert)
+          c.nativeX509
+        end
+
+        if block
+          cipher = block.call(:cipher)
+          teLogger.debug "Application given cipher : #{cipher}"
+        end
+
+        cipher = "AES-256-CBC" if is_empty?(cipher)
+
+        cip = OpenSSL::Cipher.new(cipher)
+
+        begin
+          OpenSSL::PKCS7.encrypt(recps, val, cip, OpenSSL::PKCS7::BINARY)
+        rescue OpenSSL::PKCS7::PKCS7Error => ex
+          raise PKCS7EngineException, ex
+        end
+
+      end
+
+      def decrypt(val, &block)
+        validate_input(val, "decrypt") 
+        validate_key_must_exist("decrypt")
+
+        raise PKCS7EngineException, "certForDecryption is required for PKCS7 decrypt operation" if is_empty?(@config.certForDecryption)
+        raise PKCS7EngineException, "Given certForDecryption must be a Ccrypto::X509Cert object" if not @config.certForDecryption.is_a?(Ccrypto::X509Cert)
+
+        p7 = OpenSSL::PKCS7.new(val)
+        p7.decrypt(@config.private_key.native_privKey, @config.certForDecryption.nativeX509)
+      end
+
+      protected
+      def validate_input(val, ops)
+        raise PKCS7EngineException, "Given data to #{ops} operation is empty" if is_empty?(val) 
+      end
+
+      def validate_key_must_exist(ops)
+        #raise PKCS7EngineException, "Keybundle is required for PKCS7 #{ops}" if is_empty?(@config.keybundle)
+        #raise PKCS7EngineException, "Given key must be a Ccrypto::KeyBundle object" if not @config.keybundle.is_a?(Ccrypto::KeyBundle)
+        raise PKCS7EngineException, "Private key is required for PKCS7 #{ops}" if is_empty?(@config.private_key)
+        raise PKCS7EngineException, "Given private key must be a Ccrypto::PrivateKey object" if not @config.private_key.is_a?(Ccrypto::PrivateKey)
+      end
+
+      #def validate_cert_must_exist(ops)
+      #  raise PKCS7EngineException, "signerCert is required for PKCS7 #{ops}" if is_empty?(@config.signerCert)
+      #  raise PKCS7EngineException, "Given signerCert must be a Ccrypto::X509Cert object" if not @config.signerCert.is_a?(Ccrypto::X509Cert)
+      #end
+
+    end
+  end
+end

data/lib/ccrypto/ruby/engines/rsa_engine.rb

@@ -0,0 +1,300 @@
+
+require_relative '../keybundle_store/pkcs12'
+require_relative '../keybundle_store/pem_store'
+
+module Ccrypto
+  module Ruby
+    
+    class RSAPublicKey < Ccrypto::RSAPublicKey
+
+      def to_bin
+        @native_pubKey.to_der
+      end
+
+      def self.to_key(bin)
+        rk = OpenSSL::PKey::RSA.new(bin)
+        RSAPublicKey.new(rk)
+      end
+
+    end # RSAPublicKey
+
+    class RSAKeyBundle 
+      include Ccrypto::RSAKeyBundle
+      include TR::CondUtils
+
+      include PKCS12Store
+      include PEMStore
+
+      include TeLogger::TeLogHelper
+
+      teLogger_tag :r_rsa_keybundle
+
+      def initialize(kp)
+        @nativeKeypair = kp
+      end
+
+      def public_key
+        if @pubKey.nil?
+          @pubKey = RSAPublicKey.new(@nativeKeypair.public_key)
+        end
+        @pubKey
+      end
+
+      def private_key
+        if @privKey.nil?
+          @privKey = Ccrypto::RSAPrivateKey.new(@nativeKeypair)
+        end
+        @privKey
+      end
+
+      def to_storage(format, &block)
+        case format
+        when :pkcs12, :p12
+          to_pkcs12 do |key|
+            case key
+            when :keypair
+              @nativeKeypair
+            else
+              block.call(key) if block
+            end
+          end
+        when :pem 
+          to_pem do |key|
+            case key
+            when :keypair
+              @nativeKeypair
+            else
+              block.call(key) if block
+            end
+          end
+        else
+          raise KeyBundleStorageException, "Unknown storage format #{format}"
+        end
+       
+      end
+
+      def self.from_storage(bin, &block)
+        raise KeypairEngineException, "Given data to load is empty" if is_empty?(bin)
+
+        case bin
+        when String
+          teLogger.debug "Given String to load from storage" 
+          if is_pem?(bin)
+            self.from_pem(bin, &block)
+          else
+            # binary buffer
+            teLogger.debug "Given binary to load from storage" 
+            self.from_pkcs12(bin,&block)
+          end
+        else
+          raise KeyBundleStorageException, "Unsupported input type #{bin}"
+        end
+
+      end
+
+      def equal?(kp)
+        if kp.respond_to?(:to_der)
+          @nativeKeypair.to_der == kp.to_der
+        else
+          @nativeKeypair == kp
+        end
+      end
+
+      def method_missing(mtd, *args, &block)
+        if @nativeKeypair.respond_to?(mtd)
+          teLogger.debug "Sending to nativeKeypair #{mtd}"
+          @nativeKeypair.send(mtd,*args, &block)
+        else
+          super
+        end
+      end
+
+      def respond_to_missing?(mtd, *args, &block)
+        @nativeKeypair.respond_to?(mtd)
+      end
+
+    end # RSAKeyBundle
+
+    class RSAEngine
+      include TR::CondUtils
+
+      def initialize(*args, &block)
+        @config = args.first
+        raise KeypairEngineException, "1st parameter must be a #{Ccrypto::KeypairConfig.class} object" if not @config.is_a?(Ccrypto::KeypairConfig)
+      end
+
+      def generate_keypair(&block)
+        kp = OpenSSL::PKey::RSA.generate(@config.keysize)
+        RSAKeyBundle.new(kp)
+      end
+
+      def sign(val, &block)
+        if block
+          pss = block.call(:pss_mode)
+          pss = false if is_empty?(pss) or not is_bool?(pss)
+
+          if pss
+            sign_pss(val, &block)
+          else
+            sign_typical(val, &block)
+          end
+        else
+          sign_typical(val, &block)
+        end
+      end
+
+      def self.verify(pubKey, val, sign, &block)
+        if block
+          pss = block.call(:pss_mode)
+          pss = false if is_empty?(pss) or not is_bool?(pss)
+
+          if pss
+            verify_pss(pubKey, val, sign, &block)
+          else
+            verify_typical(pubKey, val, sign, &block)
+          end
+        else
+          verify_typical(pubKey, val, sign, &block)
+        end
+      end
+
+      def self.encrypt(pubKey, val, &block)
+        raise KeypairEngineException, "Public key is required" if is_empty?(pubKey)
+
+        padding = :oaep
+        if block
+          padding = block.call(:padding)
+        end
+
+        case padding
+        when :pkcs1
+          padVal = OpenSSL::PKey::RSA::PKCS1_PADDING
+        when :oaep
+          padVal = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+        when :no_padding
+          padVal = OpenSSL::PKey::RSA::NO_PADDING
+        else
+          raise KeypairEngineException, "Padding requires either :pkcs1 or :oaep. Default is :oaep"
+        end
+
+        pubKey.public_encrypt(val, padVal)
+      end
+
+      def decrypt(enc, &block)
+
+        raise KeypairEngineException, "Private key is required" if not @config.has_private_key? 
+        raise KeypairEngineException, "RSA private key is required" if not @config.private_key.is_a?(RSAPrivateKey)
+
+        padding = :oaep
+        if block
+          padding = block.call(:padding)
+        end
+
+        case padding
+        when :pkcs1
+          padVal = OpenSSL::PKey::RSA::PKCS1_PADDING
+        when :oaep
+          padVal = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+        when :no_padding
+          padVal = OpenSSL::PKey::RSA::NO_PADDING
+        else
+          raise KeypairEngineException, "Padding requires either :pkcs1 or :oaep. Default is :oaep"
+        end
+
+        @config.private_key.private_decrypt(enc, padVal)
+      end
+
+
+
+      #####################
+      ## Private section ##
+      private
+      def sign_typical(val, &block)
+        
+        raise KeypairEngineException, "Private key is required" if not @config.has_private_key? 
+        raise KeypairEngineException, "RSA private key is required" if not @config.private_key.is_a?(RSAPrivateKey)
+
+        privKey = @config.private_key
+
+        signHash = "sha256"
+        if block
+          signHash = block.call(:sign_hash)
+        end
+
+        begin
+          shash = OpenSSL::Digest.new(signHash)
+        rescue Exception => ex
+          raise KeypairEngineException, ex
+        end
+
+        privKey.sign(shash, val)
+
+      end
+
+      def sign_pss(val, &block)
+        
+        raise KeypairEngineException, "Private key is required" if not @config.has_private_key? 
+        raise KeypairEngineException, "RSA private key is required" if not @config.private_key.is_a?(RSAPrivateKey)
+
+        privKey = @config.private_key
+
+        signHash = "sha256"
+        mgf1Hash = "sha256"
+        saltLen = :max
+        if block
+          signHash = block.call(:sign_hash)
+          mgf1Hash = block.call("mgf1_hash")
+          saltLen = block.call("salt_length")
+        end
+        mgf1Hash = "sha256" if is_empty?(mgf1Hash)
+        saltLen = :max if is_empty?(saltLen)
+        signHash = "sha256" if is_empty?(signHash)
+
+        privKey.native_privKey.sign_pss(signHash, val, salt_length: saltLen, mgf1_hash: mgf1Hash)
+
+      end
+
+      def self.verify_typical(pubKey, val, sign, &block)
+        uPubKey = pubKey.native_pubKey
+
+        if block
+          signHash = block.call(:sign_hash)
+        end
+        signHash = "sha256" if is_empty?(signHash)
+
+        begin
+          shash = OpenSSL::Digest.new(signHash)
+        rescue Exception => ex
+          raise KeypairEngineException, ex
+        end
+
+        res = uPubKey.verify(shash, sign, val)
+        res
+        
+      end
+
+      def self.verify_pss(pubKey, val, sign, &block)
+        uPubKey = pubKey.native_pubKey
+
+        signHash = "sha256"
+        mgf1Hash = "sha256"
+        saltLen = :auto
+        if block
+          signHash = block.call(:sign_hash)
+          mgf1Hash = block.call("mgf1_hash")
+          saltLen = block.call("salt_length")
+        end
+        mgf1Hash = "sha256" if is_empty?(mgf1Hash)
+        saltLen = :auto if is_empty?(saltLen)
+        signHash = "sha256" if is_empty?(signHash)
+
+        res = uPubKey.verify_pss(signHash, sign, val, salt_length: saltLen, mgf1_hash: mgf1Hash)
+        res
+        
+      end
+
+
+    end
+
+  end
+end

data/lib/ccrypto/ruby/engines/scrypt_engine.rb

@@ -0,0 +1,34 @@
+
+require_relative '../data_conversion'
+
+module Ccrypto
+  module Ruby
+    class ScryptEngine
+      include DataConversion
+      include TR::CondUtils
+
+      def initialize(conf, &block)
+        raise KDFEngineException, "KDF config is expected" if not conf.is_a?(Ccrypto::KDFConfig)
+        raise KDFEngineException, "Output bit length (outBitLength) value is not given or not a positive value (#{conf.outBitLength})" if is_empty?(conf.outBitLength) or conf.outBitLength <= 0
+        @config = conf
+
+        if is_empty?(@config.salt)
+          @config.salt = SecureRandom.random_bytes(16)
+        end
+      end
+
+      def derive(input, output = :binary)
+        res = OpenSSL::KDF.scrypt(input, salt: @config.salt, N: @config.cost, r: @config.blockSize, p: @config.parallel, length: @config.outBitLength/8)  
+        case output
+        when :hex
+          to_hex(res)
+        when :b64
+          to_b64(res)
+        else
+          res
+        end
+      end
+
+    end
+  end
+end

data/lib/ccrypto/ruby/engines/secret_key_engine.rb

@@ -0,0 +1,18 @@
+
+
+module Ccrypto
+  module Ruby
+    class SecretKeyEngine
+
+      def self.generate(*args, &block)
+        config = args.first
+
+        raise SecretKeyEngineException, "KeyConfig is expected" if not config.is_a?(Ccrypto::KeyConfig) 
+
+        key = SecureRandom.random_bytes(config.keysize/8)
+
+        Ccrypto::SecretKey.new(config.algo, key)
+      end
+    end
+  end
+end