gcrypto_jce 0.1

data/lib/gcrypto_jce/io_utils.rb

@@ -0,0 +1,121 @@
+
+require_relative 'global'
+require 'active_support'
+class NumberHelper
+  extend ActiveSupport::NumberHelper
+end
+
+
+module GcryptoJce
+  module IoUtils
+   
+    def IoUtils.load_input(opts = { })
+      if opts.nil? or opts.empty?
+        raise GcryptoJce::Error, "No input given to load"
+      else
+        file = opts[:file]
+        bin = opts[:bin]
+        
+        if not (file.nil? or file.empty?)
+          fis = java.io.FileInputStream.new(file)
+          fis
+        elsif not bin.nil?
+          begin
+            bais = java.io.ByteArrayInputStream.new(bin.to_java_bytes)
+          rescue NoMethodError
+            bais = java.io.ByteArrayInputStream.new(bin)
+          end
+          bais
+        else
+          if not (opts[:input_optional].nil? and opts[:input_optional])
+            raise GcryptoJce::Error, "Neither file nor bin given to load input"
+          end
+        end
+      end
+    end
+    # 
+    # end load_input()
+    # 
+
+    def IoUtils.prep_output(opts = { })
+      
+      if opts.nil? or opts.empty?
+        raise GcryptoJce::Error, "No opts given to prep output"
+      else
+        file = opts[:outFile]
+        
+        if not (file.nil? or file.empty?)
+          fos = java.io.FileOutputStream.new(file)
+          fos
+        else
+          baos = java.io.ByteArrayOutputStream.new
+          baos
+        end
+      end
+      
+    end
+
+    def IoUtils.return_if_buffer(os)
+      if os.java_kind_of?(java.io.ByteArrayOutputStream)
+        os.toByteArray
+      end
+    end
+
+    def IoUtils.read_chunk(is, opts = { },&block)
+
+      raise GcryptoJce::Error, "Cannot read chunk from nil input stream" if is.nil?
+      raise GcryptoJce::Error, "Block required for read_chunk" if not block
+
+      if not is.java_kind_of?(java.io.InputStream)
+        raise GcryptoJce::Error, "Cannot read from '#{is.class}' object"
+      end
+
+      bufLen = opts[:buffer_size] || 1024*1024
+      GcryptoJce::GConf.instance.glog.debug "read_chunk buffer size is #{NumberHelper.number_to_human_size(bufLen)}. Modifiable by caller app via key :in_buf -> :buffer_size"
+      
+      b = Java::byte[bufLen].new
+      while((read = is.read(b,0,b.length)) != -1)
+        block.call(b,0,read)
+      end
+    end
+    # 
+    # end read_chunk
+    # 
+
+    def IoUtils.file_to_memory_byte_array(path)
+      if path.nil? or path.empty?
+        raise PkernelJce::Error, "Given path '#{path}' to load to memory is nil or empty"
+      else
+        f = java.io.File.new(path)
+        b = Java::byte[f.length].new
+        dis = java.io.DataInputStream.new(java.io.FileInputStream.new(f))
+        dis.readFully(b)
+        dis.close
+
+        b
+      end
+    end
+    # end file_to_memory_byte_array
+    #
+
+    def IoUtils.ensure_java_bytes(bin)
+      if not bin.java_kind_of?(Java::byte[])
+        bin.to_java_bytes
+      else
+        bin
+      end
+    end
+    # end ensure_java_bytes
+    #
+
+    def IoUtils.attempt_zeroise(var)
+      java.util.Arrays.fill(var, 0)
+    end
+  end
+  # end IoUtils
+  #
+
+end
+# end GcryptoJce
+# 
+

data/lib/gcrypto_jce/keypair_crypto.rb

@@ -0,0 +1,278 @@
+
+
+require 'pkernel'
+require 'pkernel_jce'
+
+require_relative 'error'
+require_relative 'io_utils'
+require_relative 'provider'
+require_relative 'global'
+
+module GcryptoJce
+
+  module KeyPairCrypto
+
+    def sign(opts = { })
+      raise GcryptoJce::Error, "Insufficient parameters for signature generation" if opts.nil? or opts.empty?
+      
+      id = opts[:identity]
+      if id.nil?
+        raise GcryptoJce::Error, "Identity to sign the data is not available"
+      end
+
+      prov = GcryptoJce::Provider.handle_options(opts, nil)
+
+      is = IoUtils.load_input(opts)
+    
+      if prov.nil?
+        GcryptoJce::GConf.instance.glog.debug "Provider is nil"
+        sign = java.security.Signature.getInstance(KeyPairCrypto.derive_signing_algo(id.privKey))
+      else
+        GcryptoJce::GConf.instance.glog.debug "Provider is '#{prov.name}'"
+        sign = java.security.Signature.getInstance(KeyPairCrypto.derive_signing_algo(id.privKey), prov)
+      end 
+
+            
+      GcryptoJce::GConf.instance.glog.debug "Private key is #{id.privKey.class}"
+      sign.initSign(id.privKey)
+
+      begin
+        IoUtils.read_chunk(is) do |buf, from, len|
+          sign.update(buf, from, len)
+        end
+      rescue Exception => ex
+        GcryptoJce::GConf.instance.glog.error ex.message
+        GcryptoJce::GConf.instance.glog.error ex.backtrace.join("\n")
+      ensure
+        begin
+          is.close
+        rescue Exception
+        end
+      end
+
+      sign.sign
+      
+    end
+    # 
+    # end method sign()
+    #
+
+    def KeyPairCrypto.derive_signing_algo(kp, hash = "SHA256")
+      PkernelJce::KeyPair.derive_signing_algo(kp,hash)
+    end
+
+    def verify(opts = { })
+      
+      if opts.nil? or opts.empty?
+        raise GcryptoJce::Error, "Insufficient parameters for signature verification"
+      end
+
+      file = opts[:sign_file]
+      bin = opts[:sign_bin]
+      if not (file.nil? or file.empty?)
+        signBin = IoUtils.file_to_memory_byte_array(file)
+      elsif not bin.nil?
+        signBin = IoUtils.ensure_java_bytes(bin)
+      else
+        raise GcryptoJce::Error, "Neither signature in file or memory buffer given for signatur verification"
+      end
+
+      is = IoUtils.load_input(opts)
+      prov = GcryptoJce::Provider.handle_options(opts, nil)
+      
+      cert = opts[:certificate]
+      pubKey = opts[:pubKey]
+      if not cert.nil?
+        
+        if prov.nil?
+          GcryptoJce::GConf.instance.glog.debug "Provider is nil"
+          sign = java.security.Signature.getInstance(KeyPairCrypto.derive_signing_algo(cert))
+        else
+          GcryptoJce::GConf.instance.glog.debug "Provider is '#{prov.name}'"
+          sign = java.security.Signature.getInstance(KeyPairCrypto.derive_signing_algo(cert), prov)
+        end 
+
+        sign.initVerify(cert)
+        
+      elsif not pubKey.nil?
+        
+        if prov.nil?
+          GcryptoJce::GConf.instance.glog.debug "Provider is nil"
+          sign = java.security.Signature.getInstance(KeyPairCrypto.derive_signing_algo(pubKey))
+        else
+          GcryptoJce::GConf.instance.glog.debug "Provider is '#{prov.name}'"
+          sign = java.security.Signature.getInstance(KeyPairCrypto.derive_signing_algo(pubKey), prov)
+        end 
+
+        sign.initVerify(pubKey)
+        
+      else
+        raise GcryptoJce::Error, "No public key or certificate during signature verification"
+      end
+      
+      begin
+        IoUtils.read_chunk(is) do |buf, from, len|
+          sign.update(buf, from, len)
+        end
+      rescue Exception => ex
+        GcryptoJce::GConf.instance.glog.error ex.message
+        GcryptoJce::GConf.instance.glog.error ex.backtrace.join("\n")
+      ensure
+        begin
+          is.close
+        rescue Exception
+        end
+      end
+
+      sign.verify(signBin)     
+      
+    end
+    # 
+    # end method verify()
+    #
+     
+  
+    def encrypt(opts = { })
+      
+      file = opts[:file]
+      bin = opts[:bin]
+      
+      # assumption: 
+      # Data size is small (~kb)
+      # Because for RSA the max data = public key size
+      if not (file.nil? or file.empty?)
+        data = IoUtils.file_to_memory_byte_array(file)
+      elsif not bin.nil?
+        data = IoUtils.ensure_java_bytes(bin)
+      else
+        raise GcryptoJce::Error, "No input given for keypair encryption"
+      end 
+
+      recp = opts[:recipient]
+      if recp.nil?
+        raise GcryptoJce::Error, "No recipient given for keypair encryption"
+      end
+
+      if Pkernel::Certificate.is_cert_object?(recp)
+        pubKey = Pkernel::Certificate.public_key(recp)
+      elsif Pkernel::KeyPair.is_public_key?(recp)
+        pubKey = recp
+      else
+        raise GcryptoJce::Error, "Given recipient is neither certificate nor public key."
+      end
+
+      prov = GcryptoJce::Provider.handle_options(opts, nil)
+     
+      cipherSpec = opts[:cipher_spec] || "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
+      type = Pkernel::KeyPair.pub_key_type(pubKey)
+      case type
+      when Pkernel::KeyPair::RSA_KEY_NAME
+        if prov.nil?
+          GcryptoJce::GConf.instance.glog.debug "Provider is nil"
+          if cipherSpec =~ /PKCS5Padding/
+            GcryptoJce::GConf.instance.glog.warn "PKCS#1 1.5 may be vulnerable to Bleichenbacher's CCA attack"
+          end
+          GcryptoJce::GConf.instance.glog.debug "Using cipher spec '#{cipherSpec}'"
+          cipher = javax.crypto.Cipher.getInstance(cipherSpec)
+        else
+          GcryptoJce::GConf.instance.glog.debug "Provider is '#{prov.name}'"
+          cipher = javax.crypto.Cipher.getInstance(cipherSpec, prov)
+        end
+      else
+        raise GcryptoJce::Error, "Unsupported key type '#{pubKey}' for keypair data encryption operation"
+      end
+
+      cipher.init(javax.crypto.Cipher::ENCRYPT_MODE, pubKey)
+
+      outStream = opts[:outStream]
+      if not outStream.nil?
+        outStream.write(cipher.update(data))
+        outStream.write(cipher.doFinal)
+        outStream.flush
+      else
+        baos = java.io.ByteArrayOutputStream.new
+        baos.write(cipher.update(data))
+        baos.write(cipher.doFinal)
+        baos.toByteArray        
+      end      
+
+    end
+    # 
+    # end encrypt()
+    #
+
+    def decrypt(opts = { })
+      
+      file = opts[:enc_file]
+      bin = opts[:enc_bin]
+      
+      # assumption: 
+      # Data size is small (~kb)
+      # Because for RSA the max data = public key size
+      if not (file.nil? or file.empty?)
+        data = IoUtils.file_to_memory_byte_array(file)
+      elsif not bin.nil?
+        data = IoUtils.ensure_java_bytes(bin)
+      else
+        raise GcryptoJce::Error, "No input given for decrypt"
+      end 
+
+      id = opts[:identity]
+      if id.nil?
+        raise GcryptoJce::Error, "No identity given for decrypt"
+      end
+
+      if id.privKey.nil?
+        raise GcryptoJce::Error, "Private key is nil for data decryption"
+      end
+     
+      prov = GcryptoJce::Provider.handle_options(opts, nil)
+
+      cipherSpec = opts[:cipher_spec] || "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
+      type = Pkernel::KeyPair.key_type(id.privKey)
+      case type
+      when Pkernel::KeyPair::RSA_KEY_NAME
+        if prov.nil?
+          GcryptoJce::GConf.instance.glog.debug "Provider is nil"
+          if cipherSpec =~ /PKCS5Padding/
+            GcryptoJce::GConf.instance.glog.warn "PKCS#1 1.5 may be vulnerable to Bleichenbacher's CCA attack"
+          end
+          GcryptoJce::GConf.instance.glog.debug "Using cipher spec '#{cipherSpec}'"
+          cipher = javax.crypto.Cipher.getInstance(cipherSpec)
+        else
+          GcryptoJce::GConf.instance.glog.debug "Provider is '#{prov.name}'"
+          cipher = javax.crypto.Cipher.getInstance(cipherSpec, prov)
+        end
+      else
+        raise GcryptoJce::Error, "Unsupported key type '#{id.privKey}' for data decryption operation"
+      end
+
+      cipher.init(javax.crypto.Cipher::DECRYPT_MODE, id.privKey)
+
+      outStream = opts[:outStream]
+      if not outStream.nil?
+        outStream.write(cipher.update(data))
+        outStream.write(cipher.doFinal)
+        outStream.flush
+      else
+        baos = java.io.ByteArrayOutputStream.new
+        baos.write(cipher.update(data))
+        baos.write(cipher.doFinal)
+        baos.toByteArray        
+      end      
+
+    end
+    # 
+    # end decrypt()
+    #
+    
+  end
+  # end KeyPairCrypto
+  #
+
+  class KeyPairCryptoEngine
+    extend KeyPairCrypto
+  end
+
+end
+# end gcrypto

data/lib/gcrypto_jce/pbkdf2.rb

@@ -0,0 +1,95 @@
+
+require 'gcrypto'
+require_relative 'secretkey'
+require_relative 'error'
+require_relative 'io_utils'
+require_relative 'provider'
+require_relative 'global'
+require_relative 'converter'
+
+module GcryptoJce
+  module KDF
+    module PBKDF2
+
+      def derive(pass, opts = { })
+
+        if pass.nil? or pass.empty?
+          raise GcryptoJce::Error, "Password to derive is empty"
+        else
+          if pass.is_a?(String)
+            pa = pass.to_java.toCharArray
+          elsif pass.java_kind_of?(Java::byte[])
+            pa = String.from_java_bytes(pass).to_java.toCharArray
+          elsif pass.java_kind_of?(Java::char[])
+            pa = pass
+          else
+            raise GcryptoJce::Error, "Unknown password type '#{pass.class}'"
+          end
+        end
+
+        iter = opts[:iteration]
+        if iter.nil? or iter.to_i == 0
+          iter = rand(10000...20000)
+        end
+
+        keyLen = opts[:outKeyLen]
+        case keyLen
+        when 128
+          outKeyLen = 128
+          engSpec = "PBKDF2WithHMACSHA1"
+        when 256, 192
+          outKeyLen = 256
+          engSpec = "PBKDF2WithHMACSHA256"
+        when 512
+          outKeyLen = 512
+          engSpec = "PBKDF2WithHMACSHA512"
+        else
+          outKeyLen = 256
+          engSpec = "PBKDF2WithHMACSHA256"
+        end 
+
+        prov = GcryptoJce::Provider.handle_options(opts, nil)
+
+        salt = opts[:salt]
+        if salt.nil?
+          salt = Java::byte[outKeyLen/8].new
+          java.security.SecureRandom.new.nextBytes(salt)
+        end
+
+        GcryptoJce::GConf.instance.glog.debug "PBKDF2 using config salt : #{Gcrypto::Converter.to_hex(salt)} / iteration : #{iter} / output hash length : #{outKeyLen} / Eng : #{engSpec}"
+        spec = javax.crypto.spec.PBEKeySpec.new(pa, salt, iter, outKeyLen)
+        if prov.nil?
+          fact = javax.crypto.SecretKeyFactory.getInstance(engSpec)
+        else
+          fact = javax.crypto.SecretKeyFactory.getInstance(engSpec, prov)
+        end
+
+        secKey = fact.generateSecret(spec)
+        key = javax.crypto.spec.SecretKeySpec.new(secKey.encoded,"AES")
+
+        res = { }
+        res[:key] = key
+        res[:hash] = secKey.getEncoded
+        res[:salt] = salt
+        res[:iteration] = iter
+        res[:hashLen] = outKeyLen
+        res[:eng] = :pbkdf2
+
+        res
+
+      end
+    end
+    # end PBKDF2
+    # 
+
+    class PBKDF2Engine
+      extend PBKDF2
+    end
+
+  end
+  # end KDF
+  #
+
+end
+# end GcryptoJce
+#