RubyGems - costan-tem_openssl - Versions diffs - 0.3.6 - Mend

costan-tem_openssl 0.3.6

Files changed (13) hide show

data/CHANGELOG ADDED Viewed

@@ -0,0 +1,19 @@
+v0.3.6. Updated to the API of tem_ruby 0.10.2.
+v0.3.5. Updated to the API of tem_ruby 0.10.1.
+v0.3.4. Updated to the API of tem_ruby 0.10.0.
+v0.3.3. Updated to the API of tem_ruby 0.9.1.
+v0.3.2. Updated to the API of tem_ruby 0.7.1 (Tem#pubek instead of an ugly hack).
+v0.3.1. Updated to the API of tem_ruby 0.7.0.
+v0.3. Implemented rsautl -sign and -verify to meet the openssl specs.
+v0.2.1. Implemented public key exporting to PEM files. Requires public keys instead of the full key when possible. The TEM should not be needed when only public keys are required.
+v0.2. Implemented signing.
+v0.1. Initial release.

data/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+The MIT License
+Copyright (c) 2007 Massachusetts Institute of Technology
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Manifest ADDED Viewed

@@ -0,0 +1,11 @@
+bin/openssl_tem
+CHANGELOG
+lib/openssl/executor.rb
+lib/openssl/key.rb
+lib/openssl/tem_tools.rb
+lib/tem_openssl.rb
+LICENSE
+Manifest
+Rakefile
+README
+test/test_executor.rb

data/README ADDED Viewed

@@ -0,0 +1,37 @@
+This is a tool for the TEM-based OpenSSL engine.
+Running coverage tests:
+gem install rcov
+rcov -Ilib test/*.rb
+Implemented commands (the format is supposed to be compatible with the "openssl"
+tool):
+openssl_tem reset
+Resets the TEM to a working state. The TEM applet is reinitialized, and the TEM
+is emitted. All key material and state on TEM is lost.
+openssl_tem rsagen 2048 -out key.temkey
+Generates a RSA key pair on the TEM (the size is ignored), outputs the TEM-bound
+key pair to "key.temkey".
+openssl_tem rsa -in key.temkey -out key.pem -pubout
+Extracts the public key from a TEM-bound key pair, outputs it in PEM format to
+"key.pem"
+openssl_tem rsautl -encrypt -in plain.txt -inkey key.pem -out crypted.txt -pkcs
+Encrypts the data in "plain.txt" using the PEM public key (or public key in a
+TEM-bound key pair) in "key.pem". PKCS#1 padding is always used.
+openssl_tem rsautl -decrypt -in crypted.txt -inkey key.temkey -out plain2.txt -pkcs
+Decrypts the data in "crypted.txt" using TEM-bound key pair in "key.temkey".
+PKCS#1 padding is always used.
+openssl_tem rsautl -xsign -in plain.txt -inkey key.temkey -out signature.txt -pkcs
+Signs the data in "plain.txt" using the TEM-bound key pair in "key.temkey".
+PKCS#1 padding over a SHA-1 message digest of the data is always used.
+openssl_tem rsautl -xverify -in signature.txt -inkey key.pem -indata plain.txt -out verif.txt -pkcs
+Verifies that "signature.txt" was produced by signing the data in "plain.txt"
+using the TEM-bound key with the PEM public key in "key.pem". PKCS#1 padding
+over a SHA-1 of the data is always used. The output is "true" or "false".

data/Rakefile ADDED Viewed

@@ -0,0 +1,22 @@
+require 'rubygems'
+gem 'echoe'
+require 'echoe'
+Echoe.new('tem_openssl') do |p|
+  p.project = 'tem' # rubyforge project
+  p.author = 'Victor Costan'
+  p.email = 'victor@costan.us'
+  p.summary = 'TEM (Trusted Execution Module) engine for OpenSSL.'
+  p.url = 'http://tem.rubyforge.org'
+  p.dependencies = ['tem_ruby >=0.10.2']
+  p.need_tar_gz = !Platform.windows?
+  p.need_zip = !Platform.windows?
+  p.rdoc_pattern = /^(lib|bin|tasks|ext)|^BUILD|^README|^CHANGELOG|^TODO|^LICENSE|^COPYING$/
+end
+if $0 == __FILE__
+  Rake.application = Rake::Application.new
+  Rake.application.run
+end

data/bin/openssl_tem ADDED Viewed

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'tem_openssl'
+Tem::OpenSSL::Executor.run(ARGV)

data/lib/openssl/executor.rb ADDED Viewed

@@ -0,0 +1,110 @@
+# :nodoc: namespace
+module Tem::OpenSSL
+class Executor
+  def initialize(args, test_options)
+    @args = args
+    # unknown args get thrown here
+    @arg_bag = {}
+    # read key from here
+    @in_key = nil
+    # read (original) data from here
+    @in_data = nil
+    # read input from here
+    @in = $stdin
+    # dump output here
+    @out = $stdout
+    # run the procs here to clean up
+    @cleanup_procs = []
+    # hash of flags to help unit tests
+    @test_options = test_options
+    connect_to_tem
+    parse_args
+  end
+  def run
+    case @args[0]
+    when 'reset'
+      @tem.kill
+      @tem.activate
+      @tem.emit
+    when 'rsa'
+      if @arg_bag[:pubout]
+        @key = Tem::OpenSSL::Key.load_from_tkfile @in
+        @out.write @key.pub_key.ssl_key.to_s
+      end
+    when 'rsagen'
+      @key = Tem::OpenSSL::Key.new_tem_key @tem
+      @out.write @key.to_tkfile
+    when 'rsautl'
+      @key = Tem::OpenSSL::Key.load_from_tkfile @in_key
+      data = @in.read
+      case
+    when @arg_bag[:decrypt]
+        # decrypting with private key
+        result = @key.privk_decrypt data, @tem
+      when @arg_bag[:encrypt]
+        # encrypting with public key
+        result = @key.pub_key.encrypt data
+      when @arg_bag[:sign]
+        # fake-signing (encrypting with private key)
+        result = @key.privk_encrypt data, @tem
+      when @arg_bag[:verify]
+        # fake-verifying (decrypting with public key)
+        result = @key.pub_key.decrypt data
+      when @arg_bag[:xsign]
+        result = @key.privk_sign data, @tem
+      when @arg_bag[:xverify]
+        orig_data = @in_data.read
+        result = @key.pub_key.verify orig_data, data
+      else
+        # ?!
+      end
+      @out.write result
+    end
+  end
+  def parse_args
+    0.upto(@args.length - 1) do |i|
+      # the tokens that don't start with - are processed OOB
+      next unless @args[i][0] == ?-
+      case @args[i]
+      when '-in'
+        @in = File.open(@args[i + 1], 'rb')
+        @cleanup_procs << Proc.new { @in.close }
+      when '-inkey'
+        @in_key = File.open(@args[i + 1], 'r')
+        @cleanup_procs << Proc.new { @in_key.close }
+      when '-indata'
+        @in_data = File.open(@args[i + 1], 'r')
+        @cleanup_procs << Proc.new { @in_data.close }
+      when '-out'
+        @out = File.open(@args[i + 1], 'wb')
+        @cleanup_procs << Proc.new { @out.close }
+      else
+        @arg_bag[@args[i][1..-1].to_sym] = true
+      end
+    end
+  end
+  def cleanup
+    @cleanup_procs.each { |p| p.call }
+  end
+  def connect_to_tem
+    @tem = Tem.auto_tem
+    if @tem
+      @cleanup_procs << Proc.new { @tem.disconnect; }
+    end
+  end
+  def self.run(args, test_options = {})
+    ex = self.new args, test_options
+    ex.run
+    ex.cleanup
+  end
+end
+end  # namespace Tem::OpenSSL

data/lib/openssl/key.rb ADDED Viewed

@@ -0,0 +1,61 @@
+require 'pp'
+# :nodoc: namespace
+module Tem::OpenSSL
+class Key
+  include TemTools
+  attr_reader :pub_key
+  def initialize(pub_key, priv_decrypt_sec, priv_encrypt_sec, priv_sign_sec)
+    @pub_key = pub_key
+    @priv_decrypt_sec = priv_decrypt_sec
+    @priv_encrypt_sec = priv_encrypt_sec
+    @priv_sign_sec = priv_sign_sec
+  end
+  def to_tkfile
+    @pub_key.ssl_key.to_s + [@priv_decrypt_sec.to_array,
+                             @priv_encrypt_sec.to_array,
+                             @priv_sign_sec.to_array].to_yaml
+  end
+  def privk_decrypt(data, tem)
+    TemTools.crypt_with_sec data, @priv_decrypt_sec, tem
+  end
+  def privk_encrypt(data, tem)
+    TemTools.crypt_with_sec data, @priv_encrypt_sec, tem
+  end
+  def privk_sign(data, tem)
+    TemTools.sign_with_sec data, @priv_sign_sec, tem
+  end
+  def self.new_tem_key(tem)
+    keys = TemTools.generate_key_on_tem tem
+    decrypt_sec = TemTools.crypting_sec keys[:privk], tem, :decrypt
+    encrypt_sec = TemTools.crypting_sec keys[:privk], tem, :encrypt
+    sign_sec = TemTools.signing_sec keys[:privk], tem
+    self.new keys[:pubk], decrypt_sec, encrypt_sec, sign_sec
+  end
+  def self.load_from_tkfile(file)
+    ossl_pub_key = OpenSSL::PKey::RSA.new file
+    pub_key = Tem::Key.new_from_ssl_key ossl_pub_key
+    begin
+      ds_ary, es_ary, ss_ary = *YAML.load(file)
+      priv_decrypt_sec = Tem::SecPack.new_from_array ds_ary
+      priv_encrypt_sec = Tem::SecPack.new_from_array es_ary
+      priv_sign_sec = Tem::SecPack.new_from_array ss_ary
+    rescue
+      priv_decrypt_sec = nil
+      priv_encrypt_sec = nil
+      priv_sign_sec = nil
+    end
+    self.new pub_key, priv_decrypt_sec, priv_encrypt_sec, priv_sign_sec
+  end
+end
+end  # namespace Tem::OpenSSL

data/lib/openssl/tem_tools.rb ADDED Viewed

@@ -0,0 +1,129 @@
+# :nodoc: namespace
+module Tem::OpenSSL
+module TemTools
+  # Generate an RSA key pair on the TEM.
+  #
+  # Runs slower than OpenSSL-based generation, but uses a hardware RNG.
+  def self.generate_key_on_tem(tem)
+    kdata = tem.tk_gen_key :asymmetric
+    pubk = tem.tk_read_key kdata[:pubk_id], kdata[:authz]
+    tem.tk_delete_key kdata[:pubk_id], kdata[:authz]
+    privk = tem.tk_read_key kdata[:privk_id], kdata[:authz]
+    tem.tk_delete_key kdata[:privk_id], kdata[:authz]
+    return {:privk => privk, :pubk => pubk}
+  end
+  # Generates a SECpack that encrypts/decrypts a user-supplied blob.
+  #
+  # The SECpack is tied down to a TEM.
+  def self.crypting_sec(key, tem, mode = :decrypt)
+    crypt_sec = tem.assemble do |s|
+      # load the key in the TEM
+      s.ldwc :const => :key_data
+      s.rdk
+      # allocate the output buffer
+      s.ldwc :const => 512
+      s.outnew
+      # decrypt the given data
+      s.ldw :from => :input_length
+      s.ldwc :const => :input_data
+      s.ldwc :const => -1
+      s.send({:encrypt => :kevb, :decrypt => :kdvb}[mode])
+      s.halt
+      # key material
+      s.label :key_data
+      s.data :tem_ubyte, key.to_tem_key
+      # user-supplied argument: the length of the blob to be encrypted/decrypted
+      s.label :input_length
+      s.data :tem_ushort, 256
+      # user-supplied argument: the blob to be encrypted/decrypted
+      s.label :input_data
+      s.zeros :tem_ubyte, 512
+      s.label :sec_stack
+      s.stack 4
+    end
+    crypt_sec.bind tem.pubek, :key_data, :input_length
+    crypt_sec
+  end
+  # Generates a SECpack that decrypts a user-supplied blob.
+  #
+  # The SECpack is tied down to a TEM.
+  def self.signing_sec(key, tem)
+    sign_sec = tem.assemble do |s|
+      # load the key in the TEM
+      s.ldwc :const => :key_data
+      s.rdk
+      # allocate the output buffer
+      s.ldwc :const => key.ssl_key.n.num_bytes + 1
+      s.outnew
+      # sign the given data
+      s.ldw :from => :input_length
+      s.ldwc :const => :input_data
+      s.ldwc :const => -1
+      s.ksvb
+      s.halt
+      # key material
+      s.label :key_data
+      s.data :tem_ubyte, key.to_tem_key
+      # user-supplied argument: the length of the blob to be signed
+      s.label :input_length
+      s.data :tem_ushort, 256
+      # user-supplied argument: the blob to be signed
+      s.label :input_data
+      s.zeros :tem_ubyte, 512
+      s.label :sec_stack
+      s.stack 4
+    end
+    sign_sec.bind tem.pubek, :key_data, :input_length
+    sign_sec
+  end
+  # Encrypts/decrypts using a SECpack generated via a previous call to
+  # crypting_sec.
+  def self.crypt_with_sec(encrypted_data, dec_sec, tem)
+    # convert the data string to an array of numbers
+    ed = encrypted_data.unpack 'C*'
+    # patch the data and its length into the SEC
+    elen = tem.to_tem_ushort ed.length
+    dec_sec.body[dec_sec.label_address(:input_length), elen.length] = elen
+    dec_sec.body[dec_sec.label_address(:input_data), ed.length] = ed
+    # run the sec and convert its output to a string
+    dd = tem.execute dec_sec
+    decrypted_data = dd.pack 'C*'
+    return decrypted_data
+  end
+  # Signs using a SECpack generated via a previous call to signing_sec.
+  def self.sign_with_sec(data, sign_sec, tem)
+    # convert the data string to an array of numbers
+    d = data.unpack 'C*'
+    # patch the data and its length into the SEC
+    len = tem.to_tem_ushort d.length
+    sign_sec.body[sign_sec.label_address(:input_length), len.length] = len
+    sign_sec.body[sign_sec.label_address(:input_data), d.length] = d
+    # run the sec and convert its output to a string
+    s = tem.execute sign_sec
+    signature = s.pack 'C*'
+    return signature
+  end
+end
+end  # namespace Tem::OpenSSL

data/lib/tem_openssl.rb ADDED Viewed

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'tem_ruby'
+module Tem::OpenSSL
+end
+require 'openssl/tem_tools.rb'
+require 'openssl/key.rb'
+require 'openssl/executor.rb'

data/tem_openssl.gemspec ADDED Viewed

@@ -0,0 +1,36 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  s.name = %q{tem_openssl}
+  s.version = "0.3.6"
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Victor Costan"]
+  s.date = %q{2009-05-31}
+  s.default_executable = %q{openssl_tem}
+  s.description = %q{TEM (Trusted Execution Module) engine for OpenSSL.}
+  s.email = %q{victor@costan.us}
+  s.executables = ["openssl_tem"]
+  s.extra_rdoc_files = ["bin/openssl_tem", "CHANGELOG", "lib/openssl/executor.rb", "lib/openssl/key.rb", "lib/openssl/tem_tools.rb", "lib/tem_openssl.rb", "LICENSE", "README"]
+  s.files = ["bin/openssl_tem", "CHANGELOG", "lib/openssl/executor.rb", "lib/openssl/key.rb", "lib/openssl/tem_tools.rb", "lib/tem_openssl.rb", "LICENSE", "Manifest", "Rakefile", "README", "test/test_executor.rb", "tem_openssl.gemspec"]
+  s.homepage = %q{http://tem.rubyforge.org}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Tem_openssl", "--main", "README"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{tem}
+  s.rubygems_version = %q{1.3.3}
+  s.summary = %q{TEM (Trusted Execution Module) engine for OpenSSL.}
+  s.test_files = ["test/test_executor.rb"]
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<tem_ruby>, [">= 0.10.2"])
+    else
+      s.add_dependency(%q<tem_ruby>, [">= 0.10.2"])
+    end
+  else
+    s.add_dependency(%q<tem_ruby>, [">= 0.10.2"])
+  end
+end

data/test/test_executor.rb ADDED Viewed

@@ -0,0 +1,54 @@
+require 'tem_openssl'
+require 'test/unit'
+class ExecutorTest < Test::Unit::TestCase
+  def setup
+    Tem::OpenSSL::Executor.run ['reset']
+    # generate key and extract public key
+    Tem::OpenSSL::Executor.run ['rsagen', '2048', '-out', 'test_key.tkey']
+    Tem::OpenSSL::Executor.run ['rsa', '-in', 'test_key.tkey', '-out', 'test_key.pem', '-pubout'], :no_tem => true
+  end
+  def teardown
+    ['test_key.tkey', 'test_key.pem'].each { |fname| File.delete fname }
+  end
+  def test_encryption
+    # test encryption and decryption (using the PEM file for the public key)
+    plain_text = 'Simple encryption test.\n'
+    File.open('test_plain.txt', 'wb') { |f| f.write plain_text }
+    Tem::OpenSSL::Executor.run ['rsautl', '-encrypt', '-inkey', 'test_key.pem', '-in', 'test_plain.txt', '-pkcs', '-out', 'test_enc.txt'], :no_tem => true
+    Tem::OpenSSL::Executor.run ['rsautl', '-decrypt', '-inkey', 'test_key.tkey', '-in', 'test_enc.txt', '-pkcs', '-out', 'test_plain2.txt']
+    assert_equal plain_text, File.open('test_plain2.txt', 'rb') { |f| f.read }, 'data corruption in encryption/decryption'
+    ['test_plain.txt', 'test_plain2.txt', 'test_enc.txt'].each { |fname| File.delete fname }
+    # test encryption and decryption (using the TEM-bound file for the public key)
+    plain_text = 'Simple encryption test.\n'
+    File.open('test_plain.txt', 'wb') { |f| f.write plain_text }
+    Tem::OpenSSL::Executor.run ['rsautl', '-encrypt', '-inkey', 'test_key.tkey', '-in', 'test_plain.txt', '-pkcs', '-out', 'test_enc.txt']
+    Tem::OpenSSL::Executor.run ['rsautl', '-decrypt', '-inkey', 'test_key.tkey', '-in', 'test_enc.txt', '-pkcs', '-out', 'test_plain2.txt']
+    assert_equal plain_text, File.open('test_plain2.txt', 'rb') { |f| f.read }, 'data corruption in encryption/decryption'
+    ['test_plain.txt', 'test_plain2.txt', 'test_enc.txt'].each { |fname| File.delete fname }
+  end
+  def test_fake_signing
+    # test fake (openssl-compatible) signing
+    plain_text = 'Simple fake-signing test.\n'
+    File.open('test_plain.txt', 'wb') { |f| f.write plain_text }
+    Tem::OpenSSL::Executor.run ['rsautl', '-sign', '-inkey', 'test_key.tkey', '-in', 'test_plain.txt', '-pkcs', '-out', 'test_fsign.txt']
+    Tem::OpenSSL::Executor.run ['rsautl', '-verify', '-inkey', 'test_key.pem', '-in', 'test_fsign.txt', '-pkcs', '-out', 'test_fverify.txt']
+    assert_equal plain_text, File.open('test_fverify.txt', 'rb') { |f| f.read }, 'data corruption in fake-sign/verification'
+    ['test_plain.txt', 'test_fsign.txt', 'test_fverify.txt'].each { |fname| File.delete fname }
+  end
+  def test_xsigning
+    # test proper signing (using the PEM file for the public key)
+    plain_text = 'Simple signing test.\n'
+    File.open('test_plain.txt', 'wb') { |f| f.write plain_text }
+    Tem::OpenSSL::Executor.run ['rsautl', '-xsign', '-inkey', 'test_key.tkey', '-in', 'test_plain.txt', '-pkcs', '-out', 'test_sign.txt']
+    Tem::OpenSSL::Executor.run ['rsautl', '-xverify', '-inkey', 'test_key.pem', '-in', 'test_sign.txt', '-indata', 'test_plain.txt', '-pkcs', '-out', 'test_verify.txt'], :no_tem => true
+    assert_equal "true", File.open('test_verify.txt', 'rb') { |f| f.read }, 'data corruption in sign/verification'
+    ['test_plain.txt', 'test_sign.txt', 'test_verify.txt'].each { |fname| File.delete fname }
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,85 @@
+--- !ruby/object:Gem::Specification
+name: costan-tem_openssl
+version: !ruby/object:Gem::Version
+  version: 0.3.6
+platform: ruby
+authors:
+- Victor Costan
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2009-05-31 00:00:00 -07:00
+default_executable: openssl_tem
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: tem_ruby
+  type: :runtime
+  version_requirement:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    version:
+description: TEM (Trusted Execution Module) engine for OpenSSL.
+email: victor@costan.us
+executables:
+- openssl_tem
+extensions: []
+extra_rdoc_files:
+- bin/openssl_tem
+- CHANGELOG
+- lib/openssl/executor.rb
+- lib/openssl/key.rb
+- lib/openssl/tem_tools.rb
+- lib/tem_openssl.rb
+- LICENSE
+- README
+files:
+- bin/openssl_tem
+- CHANGELOG
+- lib/openssl/executor.rb
+- lib/openssl/key.rb
+- lib/openssl/tem_tools.rb
+- lib/tem_openssl.rb
+- LICENSE
+- Manifest
+- Rakefile
+- README
+- test/test_executor.rb
+- tem_openssl.gemspec
+has_rdoc: false
+homepage: http://tem.rubyforge.org
+post_install_message:
+rdoc_options:
+- --line-numbers
+- --inline-source
+- --title
+- Tem_openssl
+- --main
+- README
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "1.2"
+  version:
+requirements: []
+rubyforge_project: tem
+rubygems_version: 1.2.0
+signing_key:
+specification_version: 3
+summary: TEM (Trusted Execution Module) engine for OpenSSL.
+test_files:
+- test/test_executor.rb