cyberplat_pki 1.0.0 → 2.0.0

data/README.md

@@ -1,6 +1,10 @@
 # CyberplatPKI
 
-CyberplatPKI is an FFI binding for signing Cyberplat requests. It includes both Linux and Windows versions of Cyberplat-provided library as well as the necessary wrapping code.
+CyberplatPKI 1.0 is an FFI binding for signing Cyberplat requests. It includes both Linux and Windows versions of Cyberplat-provided library as well as the necessary wrapping code. Note that this version only works on 32-bit Linux and Windows.
+
+CyberplatPKI 2.0 is a pure-Ruby reimplementation of the reverse-engineered signing algorithm. It should be completely compatible with the vendor-provided library. This version works everywhere.
+
+Select the variant you'd like to install with the version specification. `gem 'cyberplat_pki', '~> 1.0'` requests the FFI version, and `gem 'cyberplat_pki', '~> 2.0'` requests the pure-Ruby one.
 
 ## Installation
 

data/cyberplat_pki.gemspec

@@ -4,10 +4,10 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |gem|
   gem.name          = "cyberplat_pki"
-  gem.version       = "1.0.0"
+  gem.version       = "2.0.0"
   gem.authors       = ["Peter Zotov"]
   gem.email         = ["whitequark@whitequark.org"]
-  gem.description   = %q{CyberplatPKI is an FFI binding for signing Cyberplat requests.}
+  gem.description   = %q{CyberplatPKI is a library for signing Cyberplat requests.}
   gem.summary       = gem.description
   gem.homepage      = "http://github.com/whitequark/cyberplat_pki"
 
@@ -16,6 +16,9 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_dependency             "ffi"
   gem.add_development_dependency "rspec"
+  gem.add_dependency 'digest-crc' # For CRC24
+  gem.add_dependency 'crypt'      # For IDEA
+  gem.add_dependency "jruby-openssl" if RUBY_PLATFORM == "java"
+  gem.add_dependency "openssl" if RUBY_PLATFORM == "ruby"
 end

data/lib/cyberplat_pki/document.rb

@@ -0,0 +1,82 @@
+require "stringio"
+require "base64"
+require "digest/crc24"
+
+module CyberplatPKI
+  class Document
+    attr_accessor :engine, :type, :subject, :ca, :body, :signature, :data_length
+
+    def initialize
+      @engine = nil
+      @type = nil
+      @subject = nil
+      @ca = nil
+      @body = nil
+      @signature = nil
+      @unknown1 = nil
+    end
+
+    def self.load(source)
+      source = source.sub /^[ \t\n\r]*/, ''
+
+      io = StringIO.new source, "rb"
+      io.extend DocumentIORoutines
+
+      documents = []
+
+      until io.eof?
+        begin
+          documents << io.read_document
+        rescue EOFError => e
+          raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (unexpected end of document)"
+        end
+      end
+
+      documents
+    end
+
+    def self.save(documents)
+      io = StringIO.new '', "wb"
+      io.extend DocumentIORoutines
+
+      documents.each { |document| io.write_document document }
+
+      io.string[0...-2] # Strip trailing CRLF of last document
+    end
+
+    def self.encode64(data)
+      encoded = Base64.encode64(data).gsub /\n/, "\r\n"
+
+      crc = Digest::CRC24.checksum data
+
+      encoded << "=#{Base64.encode64([ crc ].pack("N")[1..-1])[0..-2]}"
+
+      encoded
+    end
+
+    def self.decode64(data)
+      lines = data.split "\r\n"
+
+      data = ""
+      crc = nil
+
+      lines.each do |line|
+        if line[0] == '='
+          crc, = "\0".concat(Base64.decode64(line[1..-1])).unpack('N')
+        else
+          data << line
+        end
+      end
+
+      data = Base64.decode64 data
+
+      if !crc.nil?
+        calculated_crc = Digest::CRC24.checksum data
+
+        raise "CyberplatPKI: CRYPT_ERR_RADIX_DECODE (invalid data checksum)" if calculated_crc != crc
+      end
+
+      data
+    end
+  end
+end

data/lib/cyberplat_pki/document_io_routines.rb

@@ -0,0 +1,104 @@
+module CyberplatPKI
+  module DocumentIORoutines
+    def readline_crlf
+      line = readline "\r\n"
+
+      line.sub! /\r\n$/, ''
+
+      line
+    end
+
+    def read_key_id
+      line = readline_crlf
+
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (invalid key ID line: '#{line}'. Expecting 28 characters, got #{line.length})" unless line.length == 28
+
+      KeyId.new line[0...20].rstrip!, cut_int(line, 20...28)
+    end
+
+    def write_key_id(key_id)
+      printf "%-20s%08d\r\n", key_id.key_name, key_id.key_serial
+    end
+
+    def read_block(header, trailer, data_size)
+      line = readline_crlf
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (unexpected header '#{line}', expecting '#{header}')" if line != header
+
+      data_start = pos
+      seek data_size, IO::SEEK_CUR
+
+      line = readline_crlf
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (unexpected trailer '#{line}', expecting '')" if line != ''
+
+      line = readline_crlf
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (unexpected trailer '#{line}', expecting '#{trailer}')" if line != trailer
+
+      block_end = tell
+
+      seek data_start
+      data = read data_size
+      seek block_end
+
+      data
+    end
+
+    def write_block(header, trailer, data)
+      write "#{header}\r\n#{data}\r\n#{trailer}\r\n"
+    end
+
+    def read_document
+      document_start = pos
+
+      header = readline_crlf
+
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (invalid document header: '#{header}'. Expecting 36 characters, got #{header.length})" unless header.length == 36
+
+      doc = Document.new
+
+      length            = cut_int header, 0...8      # Length of following data (e.g. document length - 8)
+      doc.engine        = cut_int header, 8...10     # Engine ID
+      doc.type          = header[10...12].to_sym     # Document type
+      body_block        = cut_int header, 12...20    # Body block size
+      doc.data_length   = cut_int header, 20...28    # Length of body in signatures
+      signature_block   = cut_int header, 28...36    # Signature block size
+
+      doc.subject       = read_key_id
+      doc.ca            = read_key_id
+
+      doc.body           = read_block 'BEGIN', 'END', body_block
+      doc.signature      = read_block 'BEGIN SIGNATURE', 'END SIGNATURE', signature_block
+
+      seek document_start + 8 + length + 2
+
+      doc
+    end
+
+    def write_document(doc)
+      start_pos = pos
+
+      printf "XXXXXXXX%02d%s%08d%08d%08d\r\n", doc.engine, doc.type.to_s, doc.body.length, doc.data_length, doc.signature.length
+      write_key_id doc.subject
+      write_key_id doc.ca
+
+      write_block 'BEGIN', 'END', doc.body
+      write_block 'BEGIN SIGNATURE', 'END SIGNATURE', doc.signature
+
+      end_pos = pos
+      seek start_pos
+      printf "%08d", end_pos - start_pos - 10
+      seek end_pos
+    end
+
+    private
+
+    def cut_int(string, range)
+      slice = string[range]
+
+      begin
+        Integer slice, 10
+      rescue ArgumentError => e
+        raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (invalid integer in document: '#{slice}')"
+      end
+    end
+  end
+end

data/lib/cyberplat_pki/idea_cfb.rb

@@ -0,0 +1,108 @@
+require "crypt/idea"
+
+module CyberplatPKI
+  class IdeaCfb
+    BLOCK_SIZE = 8
+
+    def initialize
+      @encbuf = "\0" * BLOCK_SIZE
+      @fr     = "\0" * BLOCK_SIZE
+      @fre    = "\0" * BLOCK_SIZE
+      @pos    = 0
+      @keys   = nil
+    end
+
+    def start_encryption(key)
+      @idea = Crypt::IDEA.new key.unpack('n*'), Crypt::IDEA::ENCRYPT
+    end
+
+    def start_decryption(key)
+      @idea = Crypt::IDEA.new key.unpack('n*'), Crypt::IDEA::DECRYPT
+    end
+
+    def encrypt(data)
+      cfb_engine data, method(:mix_enc), @idea.method(:encrypt_block)
+    end
+
+
+    def decrypt(data)
+      cfb_engine data, method(:mix_dec), @idea.method(:decrypt_block)
+    end
+
+    def resync
+      if @pos != 0
+        @fr[0...BLOCK_SIZE - @pos]          = @encbuf[@pos...BLOCK_SIZE]
+        @fr[BLOCK_SIZE - @pos...BLOCK_SIZE] = @encbuf[0...@pos]
+
+        @encbuf = "\0" * BLOCK_SIZE
+        @pos = 0
+      end
+    end
+
+    private
+
+    def idea_block(data)
+      data
+    end
+
+    def mix_enc(data)
+      outbuf = "\0" * data.length
+
+      (@pos...@pos + data.length).each_with_index do |i, index|
+        outbuf[index] = @encbuf[i] = (@fre[i].ord ^ data[index].ord).chr
+      end
+
+      @pos += data.length
+
+      outbuf
+    end
+
+    def mix_dec(data)
+      outbuf = "\0" * data.length
+
+      (@pos...@pos + data.length).each_with_index do |i, index|
+        @encbuf[i] = data[index]
+        outbuf[index] = (@fre[i].ord ^ @encbuf[i].ord).chr
+      end
+
+      @pos += data.length
+
+      outbuf
+    end
+
+    def cfb_engine(data, mix, crypt_block)
+      pos = 0
+      dst = ""
+
+      while pos < data.length && @pos > 0
+        n = [ BLOCK_SIZE - @pos, data.length - pos ].min
+
+        dst << mix.call(data[pos...pos + n])
+        pos += n
+
+        if @pos == BLOCK_SIZE
+          @fr = @encbuf
+          @encbuf = "\0" * BLOCK_SIZE
+          @pos = 0
+        end
+      end
+
+      while pos < data.length
+        @fre = crypt_block.call @fr
+
+        n = [ BLOCK_SIZE, data.length - pos ].min
+
+        dst << mix.call(data[pos...pos + n])
+        pos += n
+
+        if @pos == BLOCK_SIZE
+          @fr = @encbuf
+          @encbuf = "\0" * BLOCK_SIZE
+          @pos = 0
+        end
+      end
+
+      dst
+    end
+  end
+end

data/lib/cyberplat_pki/key.rb

@@ -1,78 +1,150 @@
+require "openssl"
+
 module CyberplatPKI
   class Key
-    attr_reader :internal
+    module Helpers
+      def self.key_from_document_set(list, type, serial, password = nil)
+        document = list.find do |doc|
+          doc.type == type && (serial == 0 || doc.subject.key_serial == serial)
+        end
 
-    class << self
-      def new_private(source, password, engine=Library::DEFAULT_ENGINE)
-        internal = Library::Key.new
+        raise "CyberplatPKI: CRYPT_ERR_PUB_KEY_NOT_FOUND (key with specified serial has not been found in the document)" if document.nil?
 
-        Library.invoke :OpenSecretKey,
-            engine,
-            source, source.length,
-            password,
-            internal
+        key = Key.new
+        key.serial    = document.subject.key_serial
+        key.name      = document.subject.key_name
+        key.packets   = Packet.load Document.decode64(document.body), password
+        key.signature = Packet.load Document.decode64(document.signature), password
 
-        new(internal)
+        [ key, document ]
       end
 
-      def new_public(source, serial, ca_key=nil, engine=Library::DEFAULT_ENGINE)
-        internal = Library::Key.new
+      def self.find_record(list, record_class)
+        record = list.find { |record| record.kind_of? record_class }
 
-        if ca_key
-          ca_key = ca_key.internal
-        end
+        raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (#{record_class.name} not found in the document)" if record.nil?
 
-        Library.invoke :OpenPublicKey,
-            engine,
-            source, source.length,
-            serial,
-            internal,
-            ca_key
-
-        new(internal)
+        record
       end
+    end
 
-      private :new
+    attr_accessor :serial, :name, :signature, :ca_key, :packets
+
+    def self.new_private(source, password = nil)
+      documents = Document.load source
+
+      key, document = Helpers.key_from_document_set documents, :NM, 0, password
+      key.ca_key = key
+
+      key
     end
 
-    def initialize(internal)
-      @internal = internal
-      if defined?(ObjectSpace) &&
-           ObjectSpace.respond_to?(:define_finalizer)
-        ObjectSpace.define_finalizer(self, lambda {
-          Library.invoke :CloseKey, internal
-        })
+    def self.new_public(source, serial, ca_key = nil)
+      documents = Document.load source
+
+      key, document = Helpers.key_from_document_set documents, :NS, serial
+      if ca_key.nil?
+        if document.subject == document.ca
+          key.ca_key = key
+        else
+          key.ca_key, ca_document = Helpers.key_from_document_set documents, :NS, document.ca.key_serial
+          key.ca_key.ca_key = key.ca_key
+
+          key.ca_key.validate
+        end
       else
-        warn "No ObjectSpace.define_finalizer; Crypt_CloseKey will not be called."
+        key.ca_key = ca_key
       end
+
+      key.validate
+
+      key
+    end
+
+    def initialize
+      @serial = nil
+      @name = nil
+      @signature = nil
+      @ca_key = nil
+      @packets = nil
     end
 
     def sign(data)
-      # Be fucking optimistic. Someone, please teach the morons from
-      # cyberplat how to design APIs and document them.
-      # I sincerely hope this does not segfault in production.
-      result = FFI::MemoryPointer.new(:char, data.length + 1024)
+      signature = SignaturePacket.new
+
+      signature.metadata = [
+        0x01,         # Signature type
+        serial,       # Signing key serial number
+        Time.now.to_i # Timestamp
+      ].pack("CNN")
+
+      key_packet = Helpers.find_record packets, KeyPacket
 
-      result_length = Library.invoke :Sign,
-          data,   data.size,
-          result, result.total,
-          @internal
+      digest = OpenSSL::Digest::MD5.new
+      signature.signature = key_packet.key.sign digest, data + signature.metadata
 
-      result.read_string(result_length)
+      # Re-hash to get 'first word of digest'
+      digest.reset
+      digest.update data
+      digest.update signature.metadata
+      signature.hash_msw = digest.digest[0..1]
+
+      signature_block = Document.encode64 Packet.save([ signature ])
+
+      doc = Document.new
+      doc.engine      = 1
+      doc.type        = :SM
+      doc.subject     = KeyId.new @name, @serial
+      doc.ca          = KeyId.new '', 0
+      doc.data_length = data.length
+      doc.body        = data
+      doc.signature   = signature_block
+
+      text = Document.save [ doc ]
+
+      text
     end
 
     def verify(data_with_signature)
-      retval = Library.Crypt_Verify \
-          data_with_signature, data_with_signature.size,
-          nil, nil,
-          @internal
+      documents = Document.load data_with_signature
 
-      if retval == -20 # VERIFY
-        false
-      else
-        Library.handle_error("Crypt_Verify", retval)
-        true
-      end
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_FORMAT (expected one document of type SM)" if documents.length != 1 || documents[0].type != :SM
+
+      document, = *documents
+
+      signature_packet, = Packet.load Document.decode64(document.signature)
+      key_packet        = Helpers.find_record packets, KeyPacket
+
+      digest = OpenSSL::Digest::MD5.new
+      signature = signature_packet.signature.ljust key_packet.key.n.num_bytes, 0.chr
+      key_packet.key.verify digest, signature, document.body + signature_packet.metadata
+    end
+
+    def validate
+      signature_packet = Helpers.find_record signature,      SignaturePacket
+      key_packet       = Helpers.find_record packets,        KeyPacket
+      user_id_packet   = Helpers.find_record packets,        UserIdPacket
+      ca_key_packet    = Helpers.find_record ca_key.packets, KeyPacket
+
+      io = StringIO.open ''.encode('BINARY'), 'wb'
+      io.extend PacketIORoutines
+
+      io.seek 3
+      key_packet.save io, nil
+
+      data_length = io.pos - 3
+      io.rewind
+      io.write [ 0x99, data_length ].pack "Cn"
+      io.seek 0, IO::SEEK_END
+
+      io.write user_id_packet.user_id
+      io.write signature_packet.metadata
+
+      digest = OpenSSL::Digest::MD5.new
+      signature = signature_packet.signature.rjust ca_key_packet.key.n.num_bytes, 0.chr
+      valid = ca_key_packet.key.verify digest, signature, io.string
+
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_KEY (key signature verification failed)" unless valid
     end
   end
-end
+end

data/lib/cyberplat_pki/key_id.rb

@@ -0,0 +1,15 @@
+module CyberplatPKI
+  class KeyId
+    attr_accessor :key_name, :key_serial
+
+    def initialize(key_name = nil, key_serial = nil)
+      @key_name = key_name
+      @key_serial = key_serial
+    end
+
+    def ==(other)
+      key_name == other.key_name && key_serial == other.key_serial
+    end
+  end
+end
+

data/lib/cyberplat_pki/key_packet.rb

@@ -0,0 +1,45 @@
+require "openssl"
+
+module CyberplatPKI
+  class KeyPacket < Packet
+    attr_accessor :serial, :timestamp, :valid_days, :algorithm, :key
+
+    def self.load(io, context)
+      version = io.readbyte
+
+      # RFC4880 says:
+      #
+      # V3 keys are deprecated.  They contain three weaknesses.  First, it is
+      # relatively easy to construct a V3 key that has the same Key ID as any
+      # other key because the Key ID is simply the low 64 bits of the public
+      # modulus.  Secondly, because the fingerprint of a V3 key hashes the
+      # key material, but not its length, there is an increased opportunity
+      # for fingerprint collisions.  Third, there are weaknesses in the MD5
+      # hash algorithm that make developers prefer other algorithms.  See
+      # below for a fuller discussion of Key IDs and fingerprints.
+      #
+      # Beware.
+
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (unsupported key version: #{version})" if version != 0x03
+
+      key = KeyPacket.new
+
+      key.serial, key.timestamp, key.valid_days, algorithm = io.read(11).unpack "NNnC"
+
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (unsupported algorithm #{algorithm})" if algorithm != 1
+
+      key.key = OpenSSL::PKey::RSA.new
+      key.key.n = io.read_mpi
+      key.key.e = io.read_mpi
+
+      key
+    end
+
+    def save(io, context)
+      io.write [ 3, serial, timestamp, valid_days, 1 ].pack("CNNnC")
+
+      io.write_mpi key.n
+      io.write_mpi key.e
+    end
+  end
+end

data/lib/cyberplat_pki/packet.rb

@@ -0,0 +1,31 @@
+require "stringio"
+
+module CyberplatPKI
+  class Packet
+    def self.load(source, password = nil)
+      io = StringIO.new source, "rb"
+      io.extend PacketIORoutines
+
+      packets = []
+
+      until io.eof?
+        begin
+          packets << io.read_packet(password)
+        rescue EOFError => e
+          raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (unexpected end of packet)"
+        end
+      end
+
+      packets
+    end
+
+    def self.save(packets, password = nil)
+      io = StringIO.new '', "wb"
+      io.extend PacketIORoutines
+
+      packets.each { |packet| io.write_packet packet, password }
+
+      io.string
+    end
+  end
+end

data/lib/cyberplat_pki/packet_io_routines.rb

@@ -0,0 +1,120 @@
+require "stringio"
+require "openssl"
+
+module CyberplatPKI
+  module PacketIORoutines
+    attr_accessor :cipher, :checksum
+
+    def read_packet(password = nil)
+      header = readbyte
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (invalid packet header)" if (header & 0xC0) != 0x80
+
+      case header & 3
+      when 0
+        data_length = readbyte
+
+      when 1
+        data_length, = read(2).unpack 'n'
+
+      when 2
+        data_length, = read(4).unpack 'N'
+
+      else
+        raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (invalid packet length type: #{header % 3}"
+      end
+
+      packet_type = (header >> 2) & 0x0F
+
+      data = read data_length
+      packet_class = PACKET_TYPES[packet_type]
+
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (unsupported packet type: #{packet_type})" if packet_class.nil?
+
+      StringIO.open(data, "rb") do |io|
+        io.extend PacketIORoutines
+        packet_class.load io, context_for_password(password)
+      end
+    end
+
+    def write_packet(packet, password = nil)
+      io = StringIO.open ''.encode('BINARY'), 'wb'
+      io.extend PacketIORoutines
+      packet.save io, context_for_password(password)
+
+      data = io.string
+
+      packet_type = (PACKET_TYPES.key(packet.class) << 2) | 0x80
+
+      case data.length
+      when 0x00..0xFF
+        putc packet_type
+        putc data.length
+
+      when 0x0100..0xFFFF
+        putc packet_type | 1
+
+        write [ data.length ].pack("n")
+
+      when 0x00010000..0xFFFFFFFF
+        putc packet_type | 2
+
+        write [ data.length ].pack("N")
+      end
+
+      write data
+    end
+
+    def read_mpi
+      header = read(2)
+
+      mpi_bits, = header.unpack("n")
+      data = read((mpi_bits + 7) / 8)
+
+      if !cipher.nil?
+        cipher.resync
+        data = cipher.decrypt data
+      end
+
+      add_checksum header
+      add_checksum data
+
+      OpenSSL::BN.new data, 2
+    end
+
+    def write_mpi(bn)
+      header = [ bn.num_bits ].pack("n")
+      data = bn.to_s 2
+
+      add_checksum header
+      add_checksum data
+
+      write header
+
+      if !cipher.nil?
+        cipher.resync
+        data = cipher.encrypt data
+      end
+
+      write data
+    end
+
+    private
+
+    def context_for_password(password)
+      if password.nil?
+        nil
+      else
+        context = IdeaCfb.new
+        context.start_encryption OpenSSL::Digest::MD5.digest(password) # yes, encryption
+
+        context
+      end
+    end
+
+    def add_checksum(string)
+      if !checksum.nil?
+        @checksum = (@checksum + string.sum(16)) & 0xFFFF
+      end
+    end
+  end
+end

data/lib/cyberplat_pki/private_key_packet.rb

@@ -0,0 +1,49 @@
+module CyberplatPKI
+  class PrivateKeyPacket < KeyPacket
+    def self.load(io, context)
+      key = super
+
+      cipher = io.readbyte
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (unsupported private key cipher: #{cipher})" if cipher != 1 # IDEA-CFB + MD5
+
+      iv = io.read 8
+      context.decrypt iv
+
+      public_key = key.key
+      key.key = OpenSSL::PKey::RSA.new
+
+      io.cipher = context
+      io.checksum = 0
+
+      key.key.d = io.read_mpi
+      key.key.p = io.read_mpi
+      key.key.q = io.read_mpi
+      dummy     = io.read_mpi
+
+      calculated_checksum = io.checksum
+
+      io.checksum = nil
+      io.cipher = nil
+
+      checksum, = io.read(2).unpack("n")
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PASSWD (invalid MPI checksum. Expected #{checksum.to_s 16}, calculated #{calculated_checksum.to_s 16})" if checksum != calculated_checksum
+
+      key.key.dmp1 = key.key.d % (key.key.p - 1)
+      key.key.dmq1 = key.key.d % (key.key.q - 1)
+      key.key.iqmp = key.key.q.mod_inverse key.key.p
+
+      # jruby-openssl requires public key parameters to be set LAST
+      key.key.n = public_key.n
+      key.key.e = public_key.e
+
+      key
+    end
+
+    def save(io, context)
+      super
+
+      raise NotImplementedError, "CyberplatPKI: PrivateKeyPacket#save is not implemented"
+    end
+
+  end
+end

data/lib/cyberplat_pki/signature_packet.rb

@@ -0,0 +1,42 @@
+module CyberplatPKI
+  class SignaturePacket < Packet
+    attr_accessor :metadata, :signature, :hash_msw
+
+    def initialize
+      @metadata = nil
+      @signature = nil
+      @hash_msw = nil
+    end
+
+    def self.load(io, context)
+      version = io.readbyte
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (unsupported signature length: #{version})" if version != 3
+
+      metadata_length = io.readbyte
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (invalid metadata length: #{metadata_length})" if metadata_length > 32
+
+      signature = new
+
+      signature.metadata = io.read metadata_length
+
+      key_algorithm, hash_algorithm = io.read(2).unpack("CC")
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (invalid public key algorithm: #{key_algorithm})" if key_algorithm != 0x01
+      raise "CyberplatPKI: CRYPT_ERR_INVALID_PACKET_FORMAT (invalid hash key algorithm: #{key_algorithm})" if hash_algorithm != 0x01
+
+      signature.hash_msw = io.read(2)
+      signature_bits, = io.read(2).unpack("n")
+      signature.signature = io.read (signature_bits + 7) / 8
+
+      signature
+    end
+
+    def save(io, context)
+      io.write [ 3, metadata.length ].pack "CC"
+      io.write metadata
+      io.write [ 1, 1 ].pack "CC"
+      io.write hash_msw
+      io.write [ signature.length * 8 ].pack "n"
+      io.write signature
+    end
+  end
+end

data/lib/cyberplat_pki/trust_packet.rb

@@ -0,0 +1,17 @@
+module CyberplatPKI
+  class TrustPacket < Packet
+    attr_accessor :trust
+
+    def initialize(trust = nil)
+      @trust = trust
+    end
+
+    def self.load(io, context)
+      new io.read
+    end
+
+    def save(io, context)
+      io.write @trust
+    end
+  end
+end

data/lib/cyberplat_pki/user_id_packet.rb

@@ -0,0 +1,17 @@
+module CyberplatPKI
+  class UserIdPacket < Packet
+    attr_accessor :user_id
+
+    def initialize(user_id = nil)
+      @user_id = user_id
+    end
+
+    def self.load(io, context)
+      new io.read
+    end
+
+    def save(io, context)
+      io.write @user_id
+    end
+  end
+end

data/lib/cyberplat_pki.rb

@@ -1,10 +1,23 @@
-module CyberplatPKI
-  require_relative 'cyberplat_pki/library'
-  require_relative 'cyberplat_pki/key'
-
-  Library.invoke :Initialize
+require_relative 'cyberplat_pki/key_id'
+require_relative 'cyberplat_pki/document'
+require_relative 'cyberplat_pki/document_io_routines'
+require_relative 'cyberplat_pki/packet'
+require_relative 'cyberplat_pki/signature_packet'
+require_relative 'cyberplat_pki/key_packet'
+require_relative 'cyberplat_pki/private_key_packet'
+require_relative 'cyberplat_pki/trust_packet'
+require_relative 'cyberplat_pki/user_id_packet'
+require_relative 'cyberplat_pki/packet_io_routines'
+require_relative 'cyberplat_pki/key'
+require_relative 'cyberplat_pki/idea_cfb'
 
-  at_exit {
-    Library.invoke :Done
+module CyberplatPKI
+  PACKET_TYPES = {
+    2  => SignaturePacket,
+    5  => PrivateKeyPacket,
+    6  => KeyPacket,
+    12 => TrustPacket,
+    13 => UserIdPacket
   }
 end
+

data/spec/key_spec.rb

@@ -19,7 +19,7 @@ describe CyberplatPKI::Key do
 
     lambda {
       CyberplatPKI::Key.new_public("foo", 17033)
-    }.should raise_error(/PUB_KEY_NOT_FOUND/)
+    }.should raise_error(/INVALID_FORMAT/)
   end
 
   it "should load private keys" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cyberplat_pki
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,10 +9,26 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-09 00:00:00.000000000 Z
+date: 2012-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: ffi
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: digest-crc
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
@@ -28,14 +44,14 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: crypt
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-  type: :development
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
@@ -43,7 +59,7 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-description: CyberplatPKI is an FFI binding for signing Cyberplat requests.
+description: CyberplatPKI is a library for signing Cyberplat requests.
 email:
 - whitequark@whitequark.org
 executables: []
@@ -58,17 +74,23 @@ files:
 - README.md
 - Rakefile
 - cyberplat_pki.gemspec
-- ext/libipriv-linux32.so
-- ext/libipriv32.dll
 - lib/cyberplat_pki.rb
+- lib/cyberplat_pki/document.rb
+- lib/cyberplat_pki/document_io_routines.rb
+- lib/cyberplat_pki/idea_cfb.rb
 - lib/cyberplat_pki/key.rb
-- lib/cyberplat_pki/library.rb
+- lib/cyberplat_pki/key_id.rb
+- lib/cyberplat_pki/key_packet.rb
+- lib/cyberplat_pki/packet.rb
+- lib/cyberplat_pki/packet_io_routines.rb
+- lib/cyberplat_pki/private_key_packet.rb
+- lib/cyberplat_pki/signature_packet.rb
+- lib/cyberplat_pki/trust_packet.rb
+- lib/cyberplat_pki/user_id_packet.rb
 - spec/key_spec.rb
 - spec/keys/pubkeys.key
 - spec/keys/secret.key
 - spec/spec_helper.rb
-- vendor/linux.zip
-- vendor/win32.zip
 homepage: http://github.com/whitequark/cyberplat_pki
 licenses: []
 post_install_message: 
@@ -92,7 +114,7 @@ rubyforge_project:
 rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
-summary: CyberplatPKI is an FFI binding for signing Cyberplat requests.
+summary: CyberplatPKI is a library for signing Cyberplat requests.
 test_files:
 - spec/key_spec.rb
 - spec/keys/pubkeys.key

data/lib/cyberplat_pki/library.rb

@@ -1,128 +0,0 @@
-require 'ffi'
-
-module CyberplatPKI::Library
-  extend FFI::Library
-
-  if defined?(Rubinius) # Fuck you.
-    if Rubinius.windows?
-      tuple = "windows-"
-    elsif RUBY_PLATFORM =~ /linux/
-      tuple = "linux-"
-    else
-      tuple = "unknown-"
-    end
-
-    if FFI::Platform::ARCH =~ /x86_64/
-      tuple << "x86_64"
-    elsif FFI::Platform::ARCH =~ /(i.?|x)86/
-      tuple << "i386"
-    end
-  else
-    tuple = "#{FFI::Platform::OS}-#{FFI::Platform::ARCH}"
-  end
-
-  if tuple == 'windows-i386'
-    ffi_lib File.expand_path('../../../ext/libipriv32.dll', __FILE__)
-  elsif tuple == 'linux-i386'
-    ffi_lib File.expand_path('../../../ext/libipriv-linux32.so', __FILE__)
-  else
-    raise "CyberplatPKI: unsupported platform #{tuple}."
-  end
-
-  Errors = {
-    -1   => "BAD_ARGS",
-    -2   => "OUT_OF_MEMORY",
-    -3   => "INVALID_FORMAT",
-    -4   => "NO_DATA_FOUND",
-    -5   => "INVALID_PACKET_FORMAT",
-    -6   => "UNKNOWN_ALG",
-    -7   => "INVALID_KEYLEN",
-    -8   => "INVALID_PASSWD",
-    -9   => "DOCTYPE",
-    -10  => "RADIX_DECODE",
-    -11  => "RADIX_ENCODE",
-    -12  => "INVALID_ENG",
-    -13  => "ENG_NOT_READY",
-    -14  => "NOT_SUPPORT",
-    -15  => "FILE_NOT_FOUND",
-    -16  => "CANT_READ_FILE",
-    -17  => "INVALID_KEY",
-    -18  => "SEC_ENC",
-    -19  => "PUB_KEY_NOT_FOUND",
-    -20  => "VERIFY",
-    -21  => "CREATE_FILE",
-    -22  => "CANT_WRITE_FILE",
-    -23  => "INVALID_KEYCARD",
-    -24  => "GENKEY",
-    -25  => "PUB_ENC",
-    -26  => "SEC_DEC",
-  }
-
-  ENGINE_RSAREF   = 0
-  ENGINE_OPENSSL  = 1
-  ENGINE_PKCS11   = 2
-  ENGINE_WINCRYPT = 3
-
-  DEFAULT_ENGINE  = ENGINE_RSAREF
-
-  ENGCMD_IS_READY              = 0
-  ENGCMD_GET_ERROR             = 1
-  ENGCMD_SET_PIN               = 2
-  ENGCMD_SET_PKCS11_LIB        = 3
-  ENGCMD_GET_PKCS11_SLOTS_NUM  = 4
-  ENGCMD_GET_PKCS11_SLOT_NAME  = 5
-  ENGCMD_SET_PKCS11_SLOT       = 6
-  ENGCMD_ENUM_PKCS11_KEYS      = 7
-  ENGCMD_ENUM_PKCS11_PUBKEYS   = 8
-
-  KEY_TYPE_RSA_SECRET  = 1
-  KEY_TYPE_RSA_PUBLIC  = 2
-
-  MAX_USERID_LENGTH    = 20
-
-  class Key < FFI::Struct
-    layout :eng,       :short,
-           :type,      :short,
-           :keyserial, :ulong,
-           :userid,    [:char, 24],
-           :key,       :pointer
-  end
-
-  # Only required functions are defined.
-  # For all functions, zero return code is success, nonzero is error.
-
-  # int Crypt_Initialize(void)
-  attach_function :Crypt_Initialize, [], :int
-
-  # int Crypt_OpenSecretKey(int eng, const char* src, int src_len, const char* password, IPRIV_KEY* key)
-  attach_function :Crypt_OpenSecretKey, [:int, :string, :int, :string, :pointer], :int
-
-  # int Crypt_OpenPublicKey(int eng, const char* src, int src_len, int keyserial, IPRIV_KEY* key, IPRIV_KEY* cakey)
-  attach_function :Crypt_OpenPublicKey, [:int, :string, :int, :int, :pointer, :pointer], :int
-
-  # int Crypt_Sign(const char* src, int src_len, char* dst, int dst_len, IPRIV_KEY* key);
-  attach_function :Crypt_Sign, [:string, :int, :pointer, :int, :pointer], :int
-
-  # int Crypt_Verify(const char* src, int src_len, const char** pdst, int* pndst,IPRIV_KEY* key);
-  attach_function :Crypt_Verify, [:string, :int, :pointer, :pointer, :pointer], :int
-
-  # int Crypt_CloseKey(IPRIV_KEY* key)
-  attach_function :Crypt_CloseKey, [:pointer], :int
-
-  # int Crypt_Done(void)
-  attach_function :Crypt_Done, [], :int
-
-  def self.handle_error(function, retval)
-    if retval < 0
-      error = Errors[retval] || "UNKNOWN"
-      raise "CyberplatPKI: Cannot invoke #{function}: #{error} (#{retval})"
-    end
-
-    retval
-  end
-
-  def self.invoke(function, *args)
-    function = :"Crypt_#{function}"
-    handle_error(function, send(function, *args))
-  end
-end