ezcrypto2 0.0.2

data/init.rb

@@ -0,0 +1 @@
+require 'active_crypto.rb'

data/lib/active_crypto.rb

@@ -0,0 +1,325 @@
+require "ezcrypto.rb"
+module ActiveCrypto # :nodoc:
+    
+    def self.append_features(base)  #:nodoc:
+      super
+      base.extend(ClassMethods)
+    end
+    
+=begin rdoc
+
+Usage is very simple. You will generally only need the two class methods listed here in your ActiveRecord class model.
+
+== License
+
+ActiveCrypto and EzCrypto are released under the MIT license.
+
+
+== Support
+
+To contact the author, send mail to pelleb@gmail.com
+
+Also see my blogs at:
+http://stakeventures.com and
+http://neubia.com
+
+This project was based on code used in my project StakeItOut, where you can securely share web services with your partners.
+https://stakeitout.com
+
+(C) 2005 Pelle Braendgaard
+
+=end
+    module ClassMethods
+      @@session_keys={}
+
+=begin rdoc
+Turn encryption on for this record. List all encrypted attributes
+
+  class Document < ActiveRecord::Base
+		encrypt :title,:body
+	end
+
+Options are:
+  <tt>key</tt> - to specify an external KeyHolder, which holds the key used for encrypting and decrypting
+  <tt>base64</tt> - set to true in order to base64 encode the encrypted attributes.  defaults to false
+
+  class Document < ActiveRecord::Base
+  	belongs_to :user
+  	encrypt :title,:body,:key=>:user, :base64 => true
+  end
+	
+=end
+      def encrypt(*attributes)        
+      	include ActiveCrypto::Encrypted
+      	before_save :encrypt_attributes
+      	after_save :decrypt_attributes
+        options=attributes.last.is_a?(Hash) ? attributes.pop : {}
+        keyholder
+        if options and options[:key]
+  				module_eval <<-"end;"				 
+  					def session_key
+  						(send :#{options[:key]} ).send :session_key
+  					end	 
+  					@@external_key=true
+  				end;
+        end
+
+        base64_encode = (options and options[:base64])
+        module_eval <<-"end;"
+          def self.ezcrypto_base64?
+            #{base64_encode.to_s}
+          end
+        end;
+        
+        self.encrypted_attributes=attributes
+      end   
+		
+=begin rdoc
+Creates support in this class for holding a key. Adds the following methods:
+
+* enter_password(password,salt="onetwothree")
+* set_session_key(key)
+* session_key
+
+Use it as follows:
+
+  class User < ActiveRecord::Base
+  	has_many :documents
+  	keyholder
+  end
+
+=end        
+      def keyholder()
+      	include ActiveCrypto::AssociationKeyHolder   
+      	after_create :save_session_key       
+      end
+
+=begin rdoc
+Clears the session_key array. Generally this is handled automatically as a filter in ActionController. Only use these if you need to
+do something out of the ordinary.
+=end
+      def clear_session_keys() #:nodoc:
+        @@session_keys.clear
+      end 
+      
+=begin rdoc
+Sets the session_keys array. Only use these if you need to
+do something out of the ordinary, as it is handled
+=end
+      def session_keys=(keys) #:nodoc:
+        @@session_keys=keys
+      end
+      
+      def session_keys() #:nodoc:
+        @@session_keys
+      end
+      
+    end
+
+=begin rdoc
+This module handles all standard key management features.
+=end
+    module KeyHolder   
+
+=begin rdoc
+Creates a key for object based on given password and an optional salt.
+=end
+      def enter_password(password,salt="onetwothree")
+        set_session_key(EzCrypto::Key.with_password(password, salt))
+      end
+
+=begin rdoc
+Decodes the Base64 encoded key and uses it as it's session key
+=end
+      def set_encoded_key(enc)
+        set_session_key(EzCrypto::Key.decode(enc))
+      end
+=begin rdoc
+Sets a session key for the object. This should be a EzCrypto::Key instance.
+=end
+      def set_session_key(key)    
+        @session_key=key
+        self.decrypt_attributes if self.class.include? Encrypted
+      end      
+
+=begin rdoc
+Returns the session_key
+=end
+      def session_key
+        @session_key
+      end
+      
+    end
+
+    module AssociationKeyHolder   
+      include ActiveCrypto::KeyHolder
+      
+      
+      def save_session_key
+        ActiveRecord::Base.session_keys[session_key_id]=@session_key if @session_key
+      end
+=begin rdoc
+Sets a session key for the object. This should be a EzCrypto::Key instance.
+=end
+      def set_session_key(key)    
+        if self.new_record?
+          @session_key=key
+        else
+          ActiveRecord::Base.session_keys[session_key_id]=key
+        end
+        decrypt_attributes if self.class.include? Encrypted #if respond_to?(:decrypt_attributes)
+        
+      end      
+
+=begin rdoc
+Returns the session_key
+=end
+      def session_key
+        if self.new_record?
+          @session_key
+        else
+          ActiveRecord::Base.session_keys[session_key_id]
+        end
+      end
+        
+      
+
+      def session_key_id
+        "#{self.class.to_s}:#{id}"
+      end      
+      
+    end
+
+    module Encrypted    #:nodoc:
+      def self.append_features(base)  #:nodoc:
+        super
+        base.extend ClassAccessors
+      end
+      
+      module ClassAccessors
+        def encrypted_attributes
+          @encrypted_attributes||=[]
+        end
+
+        def encrypted_attributes=(attrs)
+          @encrypted_attributes=attrs
+        end
+        
+      end
+    
+      protected
+
+      def encrypt_attributes
+        if !is_encrypted?
+          self.class.encrypted_attributes.each do |key|
+            value=read_attribute(key)
+            write_attribute(key,_encrypt(value)) if value
+          end
+          @is_encrypted=true
+        end
+        true
+      end
+    
+      def decrypt_attributes
+        if is_encrypted?
+          self.class.encrypted_attributes.each do |key|
+            value=read_attribute(key)
+            write_attribute(key,_decrypt(value)) if value
+          end
+          @is_encrypted=false
+        end
+        true
+      end
+      
+      def after_find
+        @is_encrypted=true
+        decrypt_attributes unless session_key.nil?
+      end
+      
+      private
+      def is_encrypted?
+        @is_encrypted
+      end
+      
+      def _decrypt(data)
+        if session_key.nil?
+          raise MissingKeyError
+        else
+          if data
+            self.class.ezcrypto_base64? ? session_key.decrypt64(data) : session_key.decrypt(data)
+          else
+            nil
+          end
+        end
+      end
+    
+      def _encrypt(data)
+        if session_key.nil?
+          raise MissingKeyError
+        else 
+          if data
+            self.class.ezcrypto_base64? ? session_key.encrypt64(data) : session_key.encrypt(data)
+          else
+            nil
+          end
+        end
+      end
+               
+    end
+  
+
+module ActionController # :nodoc:
+=begin rdoc
+This includes some basic support in the ActionController for handling session keys. It creates two filters one before the action and one after.
+These do the following:
+  
+If the users session already has a 'session_keys' value it loads it into the ActiveRecord::Base.session_keys class field. If not it 
+clears any existing session_keys.
+
+Leaving the action it stores any session_keys in the corresponding session variable.
+
+These filters are automatically enabled. You do not have to do anything.
+  
+To manually clear the session keys call clear_session_keys. This should be done for example as part of a session log off action.
+=end      
+    def self.append_features(base) #:nodoc:
+      super
+      base.send :prepend_before_filter, :load_session_keys
+      base.send :prepend_after_filter, :save_session_keys      
+    end
+
+=begin rdoc
+Clears the session keys. Call this when a user logs of.
+=end
+    def clear_session_keys
+      ActiveRecord::Base.clear_session_keys
+    end
+    
+    
+    private
+    def load_session_keys
+      if session['session_keys']
+        ActiveRecord::Base.session_keys=session['session_keys']
+      else
+        ActiveRecord::Base.clear_session_keys
+      end
+    end
+
+    def save_session_keys
+      if ActiveRecord::Base.session_keys.size>0
+        session['session_keys']=ActiveRecord::Base.session_keys
+      else
+        session['session_keys']=nil
+      end
+    end
+    
+
+end
+
+class MissingKeyError < RuntimeError
+end 
+end
+ActiveRecord::Base.send :include, ActiveCrypto
+require 'actionpack'
+require 'action_controller'
+ActionController::Base.send :include, ActiveCrypto::ActionController

data/lib/ezcrypto2.rb

@@ -0,0 +1,610 @@
+require 'openssl'
+require 'digest/sha2'
+require 'digest/sha1'
+require 'base64'
+
+module EzCrypto2 #:nodoc:
+
+
+=begin rdoc
+The Key is the only class you need to understand for simple use.
+
+=== Algorithms
+
+The crypto algorithms default to aes-128-cbc however on any of the class methods you can change it to one of the standard openssl cipher names using the
+optional <tt>:algorithm=>alg name</tt> parameter.
+
+Eg.
+    Key.new @raw, :algorithm=>"des"
+    Key.generate :algorithm=>"blowfish"
+    Key.with_password @pwd,@salt,:algorithm=>"aes256"
+
+
+== License
+
+ActiveCrypto and EzCrypto are released under the MIT license.
+
+
+== Support
+
+To contact the author, send mail to pelleb@gmail.com
+
+Also see my blogs at:
+http://stakeventures.com and
+http://neubia.com
+
+This project was based on code used in my project StakeItOut, where you can securely share web services with your partners.
+https://stakeitout.com
+
+(C) 2005 Pelle Braendgaard
+
+=end
+
+  class Key
+
+    attr_reader :raw, :algorithm
+
+    @@block_size = 512
+
+=begin rdoc
+Set the block-size for IO-operations (default: 512 bytes)
+=end
+    def self.block_size=(size)
+      @@block_size = size
+    end
+
+=begin rdoc
+Return the block-size for IO-operations.
+=end
+    def self.block_size
+      @@block_size
+    end
+
+
+=begin rdoc
+Initialize the key with raw unencoded binary key data. This needs to be at least
+16 bytes long for the default aes-128 algorithm.
+=end
+    def initialize(raw,options = {})
+      @raw=raw
+      @algorithm=options[:algorithm]||"aes-128-cbc"
+    end
+
+=begin rdoc
+Generate random key.
+=end
+    def self.generate(options = {})
+      Key.new(EzCrypto2::Digester.generate_key(calculate_key_size(options[:algorithm])),options)
+    end
+
+=begin rdoc
+Create key generated from the given password and salt
+=end
+    def self.with_password(password,salt,options = {})
+      Key.new(EzCrypto2::Digester.get_key(password,salt,calculate_key_size(options[:algorithm])),options)
+    end
+
+=begin rdoc
+Initialize the key with Base64 encoded key data.
+=end
+    def self.decode(encoded,options = {})
+      Key.new(Base64.decode64(encoded),options)
+    end
+
+=begin rdoc
+Encrypts the data with the given password and a salt. Short hand for:
+
+  key=Key.with_password(password,salt,options)
+  key.encrypt(data)
+
+=end
+    def self.encrypt_with_password(password,salt,data,options = {})
+      key=Key.with_password(password,salt,options)
+      key.encrypt(data)
+    end
+
+=begin rdoc
+Decrypts the data with the given password and a salt. Short hand for:
+
+  key=Key.with_password(password,salt,options)
+  key.decrypt(data)
+
+
+=end
+    def self.decrypt_with_password(password,salt,data,options = {})
+      key=Key.with_password(password,salt,options)
+      key.decrypt(data)
+    end
+
+=begin rdoc
+Given an algorithm this calculates the keysize. This is used by both
+the generate and with_password methods. This is not yet 100% complete.
+=end
+    def self.calculate_key_size(algorithm)
+      if !algorithm.nil?
+        algorithm=~/^([[:alnum:]]+)(-(\d+))?/
+        if $3
+          size=($3.to_i)/8
+        else
+          case $1
+            when "bf"
+              size = 16
+            when "blowfish"
+              size = 16
+            when "des"
+              size = 8
+            when "des3"
+              size = 24
+            when "aes128"
+              size = 16
+            when "aes192"
+              size = 24
+            when "aes256"
+              size = 32
+            when "rc2"
+              size = 16
+            when "rc4"
+              size = 16
+            else
+              size = 16
+            end
+        end
+      end
+      if size.nil?
+        size = 16
+      end
+
+      size
+    end
+
+=begin rdoc
+returns the Base64 encoded key.
+=end
+    def encode
+      Base64.encode64(@raw).chop
+    end
+
+=begin rdoc
+returns the Base64 encoded key. Synonym for encode.
+=end
+    def to_s
+      encode
+    end
+
+=begin rdoc
+Encrypts the data and returns it in encrypted binary form.
+=end
+    def encrypt(data)
+      if data==nil || data==""
+        nil
+      else
+        encrypter("")
+        @cipher.encrypt(data)
+      end
+    end
+
+=begin rdoc
+Encrypts the data and returns it in encrypted Base64 encoded form.
+=end
+    def encrypt64(data)
+      Base64.encode64(encrypt(data))
+    end
+
+=begin rdoc
+Decrypts the data passed to it in binary format.
+=end
+    def decrypt(data)
+      if data==nil || data==""
+        nil
+      else
+        decrypter("")
+        @cipher.gulp(data)
+      end
+#    rescue
+#      puts @algorithm
+#      puts self.encode
+#      puts data.size
+#      throw $!
+    end
+
+=begin rdoc
+Decrypts a Base64 formatted string
+=end
+    def decrypt64(data)
+      decrypt(Base64.decode64(data))
+    end
+
+=begin rdoc
+Allows keys to be marshalled
+=end
+    def marshal_dump
+       "#{self.algorithm}$$$#{self.encode}"
+    end
+
+=begin rdoc
+Allows keys to be unmarshalled
+=end
+    def marshal_load(s)
+       a, r = s.split '$$$'
+       @algorithm = a
+       @raw = Base64.decode64(r)
+    end
+
+=begin rdoc
+Create a file with minimal permissions, and yield
+it to a block. By default only the owner may read it.
+=end
+    def safe_create(file, mod=0400, mask=0066)
+      begin
+        old_umask = File.umask
+        File.umask(mask)
+        File.open(file, File::CREAT | File::EXCL | File::WRONLY) do |f|
+          yield(f) if block_given?
+        end
+      ensure
+        File.umask(old_umask)
+      end
+      File.chmod(mod, file) if File.exists?(file)
+      File.size(file)
+    end
+
+
+=begin rdoc
+Overwrite a file with zero values before removing it's filesystem inode.
+This is not very safe :-)
+=end
+    def safe_delete(file)
+      begin
+        to_clear = File.size(file)
+        zeroes   = Array.new(Key.block_size, "\0").join
+        File.chmod(0600, file)
+        File.open(file, File::WRONLY) do |f|
+          f.rewind
+          while to_clear > 0
+            f.write(zeroes)
+            to_clear -= Key.block_size
+          end
+          f.flush
+        end
+      ensure
+        File.delete(file) if File.exists?(file)
+      end
+      return !File.exists?(file)
+    end
+
+
+=begin rdoc
+Open a file readonly and yield it to a block.
+=end
+    def safe_read(file)
+      File.open(file, File::RDONLY) do |i|
+        yield(i) if block_given?
+      end
+    end
+
+    private :safe_create, :safe_read, :safe_delete
+
+=begin rdoc
+Load a key from a yaml_file generated via Key#store.
+=end
+    def self.load(filename)
+      require 'yaml'
+      hash = YAML::load_file(filename)
+      req = proc { |k| hash[k] or raise "Missing element #{k} in #{filename}" }
+      key = self.new Base64.decode64(req.call(:key)) , :algorithm => req.call(:algorithm)
+      return key
+    end
+
+
+=begin rdoc
+Save the key data into a file, try to do this in a secure manner.
+NOTE: YAML::store & friends are not used to encance control over
+the generated file format.
+=end
+    def store(filename)
+      safe_create(filename) do |f|
+        selfenc = self.encode
+        f.puts "---"
+        f.puts ":EZCRYPTO KEY FILE: KEEP THIS SECURE !"
+        f.puts ":created: #{Time.now}"
+        f.puts ":algorithm: #{@algorithm}"
+        f.puts ":key: #{selfenc}"
+      end
+    end
+
+
+=begin rdoc
+Get a Encrypter object. You have to call #final on it by yourself!
+=end
+    def encrypter(target='')
+      @cipher = EzCrypto2::Encrypter.new(self,target,@algorithm)
+    end
+
+
+=begin rdoc
+Get a Decrypter object. You have to call #final on it by yourself!
+=end
+    def decrypter(target='')
+      @cipher = EzCrypto2::Decrypter.new(self,target,@algorithm)
+    end
+
+=begin rdoc
+Create a Decrypter object and yield it to a block.
+You must *not* call #final by yourself, the method
+does this.
+=end
+    def on_decrypter(target='', &block)
+      decrypter(target)
+      on_cipher(&block)
+    end
+
+=begin rdoc
+Create an Encrypter object and yield it to a block.
+You must *not* call #final by yourself, the method
+does this.
+=end
+    def on_encrypter(target='', &block)
+      encrypter(target)
+      on_cipher(&block)
+    end
+
+
+=begin rdoc
+Helper method, yields the current cipher to a block.
+=end
+    def on_cipher(&block)
+      begin
+        block.call @cipher
+      ensure
+        @cipher.final
+      end
+    end
+
+    private :on_cipher
+
+
+=begin rdoc
+Encrypt a file 'inplace' and add a suffix
+see #cipher_file.
+IMPORTANT: The inputfile will be deleted by default.
+=end
+    def encrypt_file(src, tgt=nil, options = {} )
+      options = { :suffix => '.ez', :autoclean => 'true' }.update(options)
+      tgt = "#{src}#{options[:suffix]}" unless tgt
+      cipher_file :on_encrypter, src, tgt, options[:autoclean]
+    end
+
+
+=begin rdoc
+Decrypt a file 'inplace' and remove a suffix
+see #cipher_file
+IMPORTANT: The inputfile will be deleted by default.
+=end
+    def decrypt_file(src, tgt=nil, options = {} )
+      options = { :suffix => '.ez', :autoclean => 'true' }.update(options)
+      unless tgt
+        tgt = src
+        tgt = tgt.gsub(/#{options[:suffix]}$/, '')
+      end
+      cipher_file :on_decrypter, src, tgt, options[:autoclean]
+    end
+
+
+=begin rdoc
+uses either  #on_decrypter or #on_encrypter to transform a given sourcefile
+to a targetfile. the sourcefile is deleted after sucessful transformation
+the delete_source is 'true'.
+=end
+    def cipher_file(method, sourcefile, targetfile, delete_source)
+      raise(ArgumentError, "source == target #{sourcefile}") if sourcefile == targetfile
+      safe_create(targetfile,0600) do |o|
+        self.send(method, o) do |c|
+          safe_read(sourcefile) do |i|
+            loop do
+              buffer = i.read(Key.block_size) or break
+              c << buffer
+            end
+          end
+        end
+      end
+      safe_delete(sourcefile) if delete_source && File.exists?(targetfile)
+      return targetfile
+    end
+
+    private :cipher_file
+
+  end
+
+=begin rdoc
+Abstract Wrapper around OpenSSL's Cipher object. Extended by Encrypter and Decrypter.
+
+You probably should be using the Key class instead.
+
+Warning! The interface may change.
+
+=end
+  class CipherWrapper #:nodoc:
+
+=begin rdoc
+
+=end
+    def initialize(key,target,mode,algorithm)
+      @cipher = OpenSSL::Cipher.new(algorithm)
+      if mode
+        @cipher.encrypt
+      else
+        @cipher.decrypt
+      end
+      @cipher.key=key.raw
+      @cipher.padding=1
+      @target=target
+      @finished=false
+    end
+
+
+    def to_target(data)
+      return data
+    end
+
+=begin rdoc
+Process the givend data with the cipher.
+=end
+    def update(data)
+      reset if @finished
+      @target<< to_target(@cipher.update(data))
+    end
+
+=begin rdoc
+
+=end
+    def <<(data)
+      update(data)
+    end
+
+=begin rdoc
+Finishes up any last bits of data in the cipher and returns the final result.
+=end
+    def final
+      @target<< to_target(@cipher.final)
+      @finished=true
+      @target
+    end
+
+=begin rdoc
+Processes the entire data string using update and performs a final on it returning the data.
+=end
+    def gulp(data)
+      update(data)
+      final
+#    rescue
+#      breakpoint
+    end
+
+=begin rdoc
+
+=end
+    def reset(target="")
+      @target=target
+      @finished=false
+    end
+  end
+
+=begin rdoc
+Wrapper around OpenSSL Cipher for Encryption use.
+
+You probably should be using Key instead.
+
+Warning! The interface may change.
+
+=end
+  class Encrypter<EzCrypto2::CipherWrapper #:nodoc:
+
+=begin rdoc
+
+=end
+    def initialize(key,target="",algorithm="aes-128-cbc")
+      super(key,target,true,algorithm)
+    end
+
+=begin rdoc
+
+=end
+    def encrypt(data)
+      gulp(data)
+    end
+  end
+
+=begin rdoc
+Wrapper around OpenSSL Cipher for Decryption use.
+
+You probably should be using Key instead.
+
+Warning! The interface may change.
+=end
+  class Decrypter<EzCrypto2::CipherWrapper #:nodoc:
+=begin rdoc
+
+=end
+    def initialize(key,target="",algorithm="aes-128-cbc")
+      super(key,target,false,algorithm)
+    end
+
+=begin rdoc
+
+=end
+    def decrypt(data)
+      gulp(data)
+    end
+  end
+
+=begin rdoc
+
+=end
+  class Digester
+=begin rdoc
+Various handy Digest methods.
+
+Warning! The interface may change.
+=end
+    def self.get_key(password,salt,size)
+        digest(salt+password,size)
+    end
+
+=begin rdoc
+
+=end
+    def self.generate_key(size=16)
+        key=OpenSSL::Random.random_bytes(size)
+        digest(key,size)
+    end
+
+=begin rdoc
+
+=end
+    def self.generate_key64(size=32)
+        key=OpenSSL::Random.random_bytes(size)
+        digest64(key,size)
+    end
+=begin rdoc
+
+=end
+    def self.generate_hexkey(size=40)
+        key=OpenSSL::Random.random_bytes(size)
+        hexdigest(key,size)
+    end
+
+=begin rdoc
+
+=end
+    def self.digest(data,size=16)
+      if size==0
+        ""
+      elsif size<=16
+        Digest::SHA1.digest(data)[0..(size-1)]
+      else
+        Digest::SHA256.digest(data)[0..(size-1)]
+      end
+    end
+
+=begin rdoc
+
+=end
+    def self.hexdigest(data,size=40)
+      if size==0
+        ""
+      elsif size<=40
+        Digest::SHA1.hexdigest(data)[0..(size-1)]
+      else
+        Digest::SHA256.hexdigest(data)[0..(size-1)]
+      end
+    end
+
+=begin rdoc
+
+=end
+    def self.digest64(data,size=16)
+      Base64.encode64(digest(data,size))
+    end
+	end
+
+end