cyberplat_pki 1.0.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - rbx-19mode
+  - jruby-19mode
+script:
+  - ruby -w -S rspec

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in cyberplat_pki.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2012  Peter Zotov <whitequark@whitequark.org>
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,47 @@
+# CyberplatPKI
+
+CyberplatPKI is an FFI binding for signing Cyberplat requests. It includes both Linux and Windows versions of Cyberplat-provided library as well as the necessary wrapping code.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'cyberplat_pki'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install cyberplat_pki
+
+## Usage
+
+To sign:
+
+``` ruby
+privkey_serialized = File.read("private.key")
+privkey = CyberplatPKI::Key.new_private(privkey_serialized, 'passphrase')
+
+signed_data = privkey.sign(data)
+```
+
+To verify:
+
+``` ruby
+pubkey_serialized = File.read("public.key")
+pubkey = CyberplatPKI::Key.new_public(pubkey_serialized, 12345) # serial = 12345
+
+pubkey.verify(signed_data) # => true
+```
+
+Note that the library uses Windows line endings (`\r\n`) internally. You must not touch those, or the library will fail. Treat the signed data as binary, or make sure to restore the expected line endings.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/cyberplat_pki.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |gem|
+  gem.name          = "cyberplat_pki"
+  gem.version       = "1.0.0"
+  gem.authors       = ["Peter Zotov"]
+  gem.email         = ["whitequark@whitequark.org"]
+  gem.description   = %q{CyberplatPKI is an FFI binding for signing Cyberplat requests.}
+  gem.summary       = gem.description
+  gem.homepage      = "http://github.com/whitequark/cyberplat_pki"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency             "ffi"
+  gem.add_development_dependency "rspec"
+end

data/lib/cyberplat_pki.rb

@@ -0,0 +1,10 @@
+module CyberplatPKI
+  require_relative 'cyberplat_pki/library'
+  require_relative 'cyberplat_pki/key'
+
+  Library.invoke :Initialize
+
+  at_exit {
+    Library.invoke :Done
+  }
+end

data/lib/cyberplat_pki/key.rb

@@ -0,0 +1,78 @@
+module CyberplatPKI
+  class Key
+    attr_reader :internal
+
+    class << self
+      def new_private(source, password, engine=Library::DEFAULT_ENGINE)
+        internal = Library::Key.new
+
+        Library.invoke :OpenSecretKey,
+            engine,
+            source, source.length,
+            password,
+            internal
+
+        new(internal)
+      end
+
+      def new_public(source, serial, ca_key=nil, engine=Library::DEFAULT_ENGINE)
+        internal = Library::Key.new
+
+        if ca_key
+          ca_key = ca_key.internal
+        end
+
+        Library.invoke :OpenPublicKey,
+            engine,
+            source, source.length,
+            serial,
+            internal,
+            ca_key
+
+        new(internal)
+      end
+
+      private :new
+    end
+
+    def initialize(internal)
+      @internal = internal
+      if defined?(ObjectSpace) &&
+           ObjectSpace.respond_to?(:define_finalizer)
+        ObjectSpace.define_finalizer(self, lambda {
+          Library.invoke :CloseKey, internal
+        })
+      else
+        warn "No ObjectSpace.define_finalizer; Crypt_CloseKey will not be called."
+      end
+    end
+
+    def sign(data)
+      # Be fucking optimistic. Someone, please teach the morons from
+      # cyberplat how to design APIs and document them.
+      # I sincerely hope this does not segfault in production.
+      result = FFI::MemoryPointer.new(:char, data.length + 1024)
+
+      result_length = Library.invoke :Sign,
+          data,   data.size,
+          result, result.total,
+          @internal
+
+      result.read_string(result_length)
+    end
+
+    def verify(data_with_signature)
+      retval = Library.Crypt_Verify \
+          data_with_signature, data_with_signature.size,
+          nil, nil,
+          @internal
+
+      if retval == -20 # VERIFY
+        false
+      else
+        Library.handle_error("Crypt_Verify", retval)
+        true
+      end
+    end
+  end
+end

data/lib/cyberplat_pki/library.rb

@@ -0,0 +1,128 @@
+require 'ffi'
+
+module CyberplatPKI::Library
+  extend FFI::Library
+
+  if defined?(Rubinius) # Fuck you.
+    if Rubinius.windows?
+      tuple = "windows-"
+    elsif RUBY_PLATFORM =~ /linux/
+      tuple = "linux-"
+    else
+      tuple = "unknown-"
+    end
+
+    if FFI::Platform::ARCH =~ /x86_64/
+      tuple << "x86_64"
+    elsif FFI::Platform::ARCH =~ /(i.?|x)86/
+      tuple << "i386"
+    end
+  else
+    tuple = "#{FFI::Platform::OS}-#{FFI::Platform::ARCH}"
+  end
+
+  if tuple == 'windows-i386'
+    ffi_lib File.expand_path('../../../ext/libipriv32.dll', __FILE__)
+  elsif tuple == 'linux-i386'
+    ffi_lib File.expand_path('../../../ext/libipriv-linux32.so', __FILE__)
+  else
+    raise "CyberplatPKI: unsupported platform #{tuple}."
+  end
+
+  Errors = {
+    -1   => "BAD_ARGS",
+    -2   => "OUT_OF_MEMORY",
+    -3   => "INVALID_FORMAT",
+    -4   => "NO_DATA_FOUND",
+    -5   => "INVALID_PACKET_FORMAT",
+    -6   => "UNKNOWN_ALG",
+    -7   => "INVALID_KEYLEN",
+    -8   => "INVALID_PASSWD",
+    -9   => "DOCTYPE",
+    -10  => "RADIX_DECODE",
+    -11  => "RADIX_ENCODE",
+    -12  => "INVALID_ENG",
+    -13  => "ENG_NOT_READY",
+    -14  => "NOT_SUPPORT",
+    -15  => "FILE_NOT_FOUND",
+    -16  => "CANT_READ_FILE",
+    -17  => "INVALID_KEY",
+    -18  => "SEC_ENC",
+    -19  => "PUB_KEY_NOT_FOUND",
+    -20  => "VERIFY",
+    -21  => "CREATE_FILE",
+    -22  => "CANT_WRITE_FILE",
+    -23  => "INVALID_KEYCARD",
+    -24  => "GENKEY",
+    -25  => "PUB_ENC",
+    -26  => "SEC_DEC",
+  }
+
+  ENGINE_RSAREF   = 0
+  ENGINE_OPENSSL  = 1
+  ENGINE_PKCS11   = 2
+  ENGINE_WINCRYPT = 3
+
+  DEFAULT_ENGINE  = ENGINE_RSAREF
+
+  ENGCMD_IS_READY              = 0
+  ENGCMD_GET_ERROR             = 1
+  ENGCMD_SET_PIN               = 2
+  ENGCMD_SET_PKCS11_LIB        = 3
+  ENGCMD_GET_PKCS11_SLOTS_NUM  = 4
+  ENGCMD_GET_PKCS11_SLOT_NAME  = 5
+  ENGCMD_SET_PKCS11_SLOT       = 6
+  ENGCMD_ENUM_PKCS11_KEYS      = 7
+  ENGCMD_ENUM_PKCS11_PUBKEYS   = 8
+
+  KEY_TYPE_RSA_SECRET  = 1
+  KEY_TYPE_RSA_PUBLIC  = 2
+
+  MAX_USERID_LENGTH    = 20
+
+  class Key < FFI::Struct
+    layout :eng,       :short,
+           :type,      :short,
+           :keyserial, :ulong,
+           :userid,    [:char, 24],
+           :key,       :pointer
+  end
+
+  # Only required functions are defined.
+  # For all functions, zero return code is success, nonzero is error.
+
+  # int Crypt_Initialize(void)
+  attach_function :Crypt_Initialize, [], :int
+
+  # int Crypt_OpenSecretKey(int eng, const char* src, int src_len, const char* password, IPRIV_KEY* key)
+  attach_function :Crypt_OpenSecretKey, [:int, :string, :int, :string, :pointer], :int
+
+  # int Crypt_OpenPublicKey(int eng, const char* src, int src_len, int keyserial, IPRIV_KEY* key, IPRIV_KEY* cakey)
+  attach_function :Crypt_OpenPublicKey, [:int, :string, :int, :int, :pointer, :pointer], :int
+
+  # int Crypt_Sign(const char* src, int src_len, char* dst, int dst_len, IPRIV_KEY* key);
+  attach_function :Crypt_Sign, [:string, :int, :pointer, :int, :pointer], :int
+
+  # int Crypt_Verify(const char* src, int src_len, const char** pdst, int* pndst,IPRIV_KEY* key);
+  attach_function :Crypt_Verify, [:string, :int, :pointer, :pointer, :pointer], :int
+
+  # int Crypt_CloseKey(IPRIV_KEY* key)
+  attach_function :Crypt_CloseKey, [:pointer], :int
+
+  # int Crypt_Done(void)
+  attach_function :Crypt_Done, [], :int
+
+  def self.handle_error(function, retval)
+    if retval < 0
+      error = Errors[retval] || "UNKNOWN"
+      raise "CyberplatPKI: Cannot invoke #{function}: #{error} (#{retval})"
+    end
+
+    retval
+  end
+
+  def self.invoke(function, *args)
+    function = :"Crypt_#{function}"
+    handle_error(function, send(function, *args))
+  end
+end

data/spec/key_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+describe CyberplatPKI::Key do
+  before do
+    @pubkey = File.read(File.expand_path('../keys/pubkeys.key', __FILE__))
+    @seckey = File.read(File.expand_path('../keys/secret.key', __FILE__))
+  end
+
+  it "should load public keys" do
+    lambda {
+      CyberplatPKI::Key.new_public(@pubkey, 17033)
+    }.should_not raise_error
+  end
+
+  it "fails loading public key from invalid source" do
+    lambda {
+      CyberplatPKI::Key.new_public(@pubkey, 12345)
+    }.should raise_error(/PUB_KEY_NOT_FOUND/)
+
+    lambda {
+      CyberplatPKI::Key.new_public("foo", 17033)
+    }.should raise_error(/PUB_KEY_NOT_FOUND/)
+  end
+
+  it "should load private keys" do
+    lambda {
+      CyberplatPKI::Key.new_private(@seckey, '1111111111')
+    }.should_not raise_error
+  end
+
+  it "fails loading private key from invalid source" do
+    lambda {
+      CyberplatPKI::Key.new_private("foo", '1111111111')
+    }.should raise_error(/INVALID_FORMAT/)
+  end
+
+  it "fails loading private key with invalid password" do
+    lambda {
+      CyberplatPKI::Key.new_private(@seckey, 'foo')
+    }.should raise_error(/INVALID_PASSWD/)
+  end
+
+  SIGNED = <<-SIGNED.gsub("\n", "\r\n").freeze
+0000027201SM000000110000001100000125
+api17032            00017033
+                    00000000
+BEGIN
+Hello world
+END
+BEGIN SIGNATURE
+iQBRAwkBAABCiVCdMQoBAcf2AfwOYzgQxyj1jwRv/6JdjCFh+lguLENscUFfaNXu
+OIi4jaGbW8jFrxnUj5AaoeA/WJtFuBayNdBmyiQpeisngU6XsAHH
+=z1vE
+END SIGNATURE
+  SIGNED
+
+  it "can sign and then verify block" do
+    privkey = CyberplatPKI::Key.new_private(@seckey, '1111111111')
+    pubkey = CyberplatPKI::Key.new_public(@pubkey, 17033)
+
+    signed = privkey.sign("Hello world")
+    pubkey.verify(signed).should be_true
+  end
+
+  it "can verify a block" do
+    pubkey = CyberplatPKI::Key.new_public(@pubkey, 17033)
+
+    pubkey.verify(SIGNED).should be_true
+  end
+
+  it "fails verifying an invalid block" do
+    pubkey = CyberplatPKI::Key.new_public(@pubkey, 17033)
+
+    fail_signed = SIGNED.sub('world', 'wor1d')
+    pubkey.verify(fail_signed).should be_false
+  end
+end

data/spec/keys/pubkeys.key

@@ -0,0 +1,28 @@
+0000040801NS000001470000010000000125
+api17032            00017033
+api17032            00017033
+BEGIN
+mQBRAwAAQok95z4+AAABAgDrzoyI24MItz/UdYrV7as4xrjhjpYqBG3Owb7dP1pE
+p6Dz4MLJkdWzm+ccjy3pTmjgvqfnaAnRyID4nrwQ9+p9AAURsAGHtAhhcGkxNzAz
+MrABAw==
+=5jFd
+END
+BEGIN SIGNATURE
+iQBRAwkQAABCiT3nPj4BAaxXAgDT6bfpnp513156n2O4H5nyp7LyH6jaR6NrOi1/
+x3Bm+/rzl0mfBFMC8LTVF2ukQ4gX6meCwK+ZaFFdT8UJXVVUsAHH
+=fOzH
+END SIGNATURE
+0000040401NS000001430000009800000125
+0J0005              00064182
+api17032            00017033
+BEGIN
+mQBRAwAA+rY8quyyAAABAgDb8iYDU760T8phaS1KFW4wj0cSROQ2dJzkJN5X64y0
+azNAmCCyM9KzGU3M400isSEU+LddQG+HE/hbRsntAURTAAURsAGHtAYwSjAwMDWw
+AQM=
+=HcgR
+END
+BEGIN SIGNATURE
+iQBRAwkQAABCiT3nPnEBAeYFAgCJWP1AnPJ46UrJny81UCv5EVMyaocqBRCbQW9S
+8bxvV/uixVcWwimyrGv8/aNc9bTeX9TacEELashrOTfXTUSIsAHH
+=S9Y8
+END SIGNATURE

data/spec/keys/secret.key

@@ -0,0 +1,15 @@
+0000051701NM000003810000027300000000
+api17032            00017033
+                    00000000
+BEGIN
+lQEEAwAAQok95z4+AAABAgDrzoyI24MItz/UdYrV7as4xrjhjpYqBG3Owb7dP1pE
+p6Dz4MLJkdWzm+ccjy3pTmjgvqfnaAnRyID4nrwQ9+p9AAURATXU8D817k6vAfqv
+qaNX3nRlR6EMHSyDSoMzeMYZ64D5OgHqIt+rnqRLqApwk5tP5ewscxfr6coACuF5
+qLJAKmAtwHRZnY8cWgKzAQBMyV0nshDFbN7+biMSPGobWjhhQ8GlVfi1636/FZqe
+TQEApdjYa7cCBMKNdJojykQ977wVZpcYzDZ0zIWBRhfLez0BAPTvT/ipmFxcjtGG
+z0sFSYk7QVaXIoCIdugQbd4Z+iq8TPK0CGFwaTE3MDMy
+=Uxun
+END
+BEGIN SIGNATURE
+
+END SIGNATURE

data/spec/spec_helper.rb

@@ -0,0 +1,19 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end
+
+require 'cyberplat_pki'

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: cyberplat_pki
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Peter Zotov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-11-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: CyberplatPKI is an FFI binding for signing Cyberplat requests.
+email:
+- whitequark@whitequark.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- cyberplat_pki.gemspec
+- ext/libipriv-linux32.so
+- ext/libipriv32.dll
+- lib/cyberplat_pki.rb
+- lib/cyberplat_pki/key.rb
+- lib/cyberplat_pki/library.rb
+- spec/key_spec.rb
+- spec/keys/pubkeys.key
+- spec/keys/secret.key
+- spec/spec_helper.rb
+- vendor/linux.zip
+- vendor/win32.zip
+homepage: http://github.com/whitequark/cyberplat_pki
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: CyberplatPKI is an FFI binding for signing Cyberplat requests.
+test_files:
+- spec/key_spec.rb
+- spec/keys/pubkeys.key
+- spec/keys/secret.key
+- spec/spec_helper.rb
+has_rdoc: