gcrypto_jce 0.1

data/lib/gcrypto_jce/provider.rb

@@ -0,0 +1,66 @@
+
+
+Dir.glob(File.join(File.dirname(__FILE__),'../../jars/*.jar')).each do |f|
+  require_relative File.expand_path(f)
+end
+
+require_relative 'global'
+
+module GcryptoJce
+  module Provider
+    
+    DefProvider = org.bouncycastle.jce.provider.BouncyCastleProvider.new
+
+    def Provider::add_default
+      add_provider(DefProvider)
+      DefProvider
+    end
+    # 
+    # end add_default
+    #
+
+    def Provider::add_provider(prov)
+			if prov != nil
+				if prov.is_a?(String) and not prov.empty?
+          GcryptoJce::GConf.instance.glog.error "Unknown provider by string '#{prov}'. Please use provider object."
+          raise Exception, "Unknown provider by string '#{prov}'. Please use provider object."
+				elsif prov.is_a?(java.security.Provider)
+					if prov != nil
+						if not java.security.Security.get_providers.to_a.include?(prov)
+              GcryptoJce::GConf.instance.glog.debug "Adding security provider '#{prov.name}'" 
+							java.security.Security.add_provider(prov)
+						end
+						prov
+					else
+						raise Exception, "Unknown provider object #{prov.inspect}"
+					end
+
+				end
+			end
+      
+    end
+    # 
+    # end add_provider
+    #
+
+    def Provider::handle_options(opts = { }, def_if_nil = DefProvider)
+      if opts.nil? or opts.empty?
+      else
+        prov = opts[:provider]
+        if prov.nil?
+          if def_if_nil != nil
+            Provider::add_provider(def_if_nil)
+          end
+        else
+          Provider::add_provider(prov)
+        end
+      end
+    end
+    # 
+    # add handle_options
+    #
+
+  end
+end
+
+

data/lib/gcrypto_jce/secretkey.rb

@@ -0,0 +1,159 @@
+
+require 'pkernel'
+require 'pkernel_jce'
+
+require_relative 'error'
+require_relative 'io_utils'
+require_relative 'provider'
+require_relative 'global'
+
+module GcryptoJce
+  module SecretKey
+    
+    def generate(opts = { })
+      
+      skType = opts[:type]
+      if skType.nil?
+        raise GcryptoJce::Error, "Secret key type is not given for generation"
+      else
+        skType = to_algo_string(skType)
+      end
+
+      prov = GcryptoJce::Provider.handle_options(opts, nil)
+      
+      if prov.nil?
+        GcryptoJce::GConf.instance.glog.debug "Provider is nil"
+        kg = javax.crypto.KeyGenerator.getInstance(skType)
+      else
+        GcryptoJce::GConf.instance.glog.debug "Provider is '#{prov.name}'"
+        kg = javax.crypto.KeyGenerator.getInstance(skType, prov)
+      end
+
+      keyLen = opts[:keyLen]
+      secRandom = opts[:secRandom]
+      if keyLen.nil? or keyLen.to_i == 0
+        raise GcryptoJce::Error, "Key length not given or invalid"
+      else
+        if secRandom.nil?
+          kg.init(keyLen.to_i)
+        else
+          kg.init(keyLen.to_i, secRandom)
+        end
+      end 
+
+      kg.generateKey
+      
+    end
+    # end generate()
+    #
+
+    def SecretKey.is_secret_key?(obj)
+      if obj.nil?
+        false
+      else
+        obj.java_kind_of?(javax.crypto.spec.SecretKeySpec)
+      end
+    end
+
+    def dump(sk, opts = { })
+      file = opts[:file]
+      baos = java.io.ByteArrayOutputStream.new
+      
+      if not (file.nil? or file.empty?)
+        os = java.io.ObjectOutputStream.new(java.io.FileOutputStream.new(file))
+      else
+        os = java.io.ObjectOutputStream.new(baos)
+      end
+
+      os.writeObject(sk)
+      os.flush
+      os.close
+
+      if not (file.nil? or file.empty?)
+      else
+        baos.toByteArray
+      end
+    end
+    # end dump()
+
+    def load(opts = { })
+      file = opts[:file]
+      bin = opts[:bin]
+      if not (file.nil? or file.empty?)
+        skBin = IoUtils.file_to_memory_byte_array(file)
+      elsif not bin.nil?
+        skBin = IoUtils.ensure_java_bytes(bin)
+      else
+        raise GcryptoJce::Error, "No file or buffer given to load secret key"
+      end
+
+      skOs = java.io.ObjectInputStream.new(java.io.ByteArrayInputStream.new(skBin))
+      sk = skOs.readObject
+      skOs.close
+      
+      sk
+    end
+    # end load()
+
+    def load_from_bin(opts = { })
+      file = opts[:file]
+      bin = opts[:bin]
+      if not (file.nil? or file.empty?)
+        skBin = IoUtils.file_to_memory_byte_array(file)
+      elsif not bin.nil?
+        skBin = IoUtils.ensure_java_bytes(bin)
+      else
+        raise GcryptoJce::Error, "No file or buffer given to load secret key from binary"
+      end
+      
+      skType = opts[:type]
+      if skType.nil? or skType.empty?
+        raise GcryptoJce::Error, "Secret Key type is not given to load from binary"
+      end
+      
+      javax.crypto.spec.SecretKeySpec.new(skBin, skType)
+    end
+
+    def to_algo_string(key)
+      key = key.to_s.upcase
+      case key
+      when "AES"
+        "AES"
+      when "3DES", "TRIPLEDES", "TRIPLE-DES", "3-DES"
+        "3DES"
+      else
+        "AES"
+        #raise GcryptoJce::Error, "Unknown algo '#{key}'"
+      end
+    end
+    # 
+    # end to_algo_string
+    #
+
+    def SecretKey.key_type(secKeySpec)
+      algo = secKeySepc.algorithm
+      case algo
+      when "AES"
+        "AES"
+      when "3DES"
+        "3DES"
+      else
+        raise GcryptoJce::Error, "Unknown key type '#{algo}'"
+      end
+    end
+    # 
+    # end key_type
+    #
+  
+  end
+  # 
+  # end module SecretKey
+  #
+
+  class SecretKeyFactory
+    extend SecretKey
+  end
+end
+# 
+# end module Gcrypto
+#

data/lib/gcrypto_jce/secretkey_crypto.rb

@@ -0,0 +1,412 @@
+
+
+require 'pkernel'
+require 'pkernel_jce'
+
+require 'gcrypto'
+
+require_relative 'error'
+require_relative 'io_utils'
+require_relative 'provider'
+require_relative 'global'
+require_relative 'secretkey'
+require_relative 'pbkdf2'
+
+require 'securerandom'
+
+require 'active_support'
+class NumberHelper
+  extend ActiveSupport::NumberHelper
+end
+
+module Gcrypto #::SecretKeyCryptoContext
+  class AESCContext
+    attr_accessor :padding, :secure_random, :key_provider, :name
+    alias_method :ori_init, :initialize
+    def initialize
+      ori_init
+      #@keyType = :aes
+      #@keyLen = 256
+      #@mode = "GCM"
+      #@padding = "NoPadding"
+      @mode = "CBC"
+      #@padding = "PKCS5Padding"
+      @name = ::SecureRandom.hex(8)  # KEK requires an ID, just generates it...
+      begin
+        # java 8 introduce getInstanceStrong()
+        @secure_random = java.security.SecureRandom.getInstanceStrong
+      rescue Exception
+        @secure_random = java.security.SecureRandom.getInstance('SHA1PRNG')
+      end
+    end
+
+    def padding
+      if @padding.nil? or @padding.empty?
+        case @mode
+        when "CBC"
+          @padding = "PKCS5Padding"
+        when "GCM"
+          @padding = "NoPadding"
+        else
+          @padding = "PKCS5Padding"
+        end
+      end
+
+      @padding
+    end
+
+    def random_iv
+      if @iv.nil? or @iv.empty?
+        if mode == "GCM"
+          @iv = Java::byte[12].new # for GCM mode
+        else
+          @iv = Java::byte[16].new # for CBC mode
+        end
+        #@iv = Java::byte[12].new # for GCM mode
+        #@iv = Java::byte[16].new # for CBC mode
+        @secure_random.nextBytes(@iv)
+      end
+
+      @iv
+    end
+    # end random_iv
+
+    def random_key
+      if @key.nil?
+        conf = { type: @keyType, keyLen: @keyLen }
+        if @key_provider.nil?
+        else
+          conf.merge!({ provider: @key_provider })
+        end
+
+        if not @secure_random.nil?
+          conf.merge!({ secRandom: @secure_random })
+        end
+
+        @key = GcryptoJce::SecretKeyFactory.generate(conf)  
+      end
+
+      @key 
+    end
+    # end ramdom_key
+
+    def raw_key=(val)
+      @raw_key = val
+      
+      if not @raw_key.nil?
+        @key = GcryptoJce::SecretKeyFactory.load_from_bin({ bin: @raw_key, type: "AES" })
+      end
+    end
+
+    def raw_key
+      @raw_key
+    end
+
+    def derive_key(pass, opts = { })
+      
+      eng = opts[:eng] || :pbkdf2
+
+      case eng
+      when :pbkdf2
+        opts.merge!( { reqKeyLen: @keyLen } )
+        res = GcryptoJce::KDF::PBKDF2Engine.derive(pass, opts)
+        @key = res[:key]
+        res.delete(:key)
+
+        res
+      else
+        raise GcryptoJce::Error, "Unknown derive key engine '#{eng}'"    
+      end
+
+    end
+
+    def to_java_cipher_spec
+      "#{@keyType.to_s.upcase}/#{mode}/#{padding}"
+    end
+    # to_java_cipher_spec
+
+    def to_java_key_type
+      "AES"
+    end
+
+    def algo_params_spec
+      if @mode.upcase == "GCM"
+        if @iv.nil?
+          random_iv
+        end
+        
+        # https://javainterviewpoint.com/java-aes-256-gcm-encryption-and-decryption/
+        javax.crypto.spec.GCMParameterSpec.new(16*8, @iv)
+
+      elsif mode == "CBC"
+        if @iv.nil?
+          random_iv
+        end
+
+        javax.crypto.spec.IvParameterSpec.new(@iv)
+      end
+    end
+    # end algo_params_spec
+
+    def mode
+      if not @mode.nil?
+        @mode.to_s.upcase
+      end
+
+      @mode
+    end
+    # end mode
+
+    def finalize
+      IoUtils.attempt_zeroise(@key) if not @key.nil?
+      IoUtils.attempt_zeroise(@iv) if not @iv.nil?
+    end
+    # end finalize
+
+  end
+  # end class AES
+end
+# end SecretKeyCryptoContext::AES
+
+module GcryptoJce
+ 
+  module SecretKeyCrypto
+ 
+    def encrypt(opts = { })
+     
+      is = IoUtils.load_input(opts)
+      spec = opts[:crypto_context]
+
+      if spec.nil?
+        raise GcryptoJce::Error, "Crypto context is not given for secret key encryption"
+      end
+
+      os = IoUtils.prep_output(opts)
+      #outFile = opts[:outFile]
+      #if not (outFile.nil? or outFile.empty?)
+      #  GcryptoJce::GConf.instance.glog.debug "File output for result"
+      #  os = java.io.FileOutputStream.new(outFile)
+      #else
+      #  GcryptoJce::GConf.instance.glog.debug "Buffer output for result"
+      #  os = java.io.ByteArrayOutputStream.new
+      #end 
+
+      if not spec.key_provider.nil?
+        prov = GcryptoJce::Provider.add_provider(spec.key_provider)
+        GcryptoJce::GConf.instance.glog.debug "Cipher spec : #{spec.to_java_cipher_spec}"
+        c = javax.crypto.Cipher.getInstance(spec.to_java_cipher_spec, prov)
+      else
+        GcryptoJce::GConf.instance.glog.debug "Cipher spec : #{spec.to_java_cipher_spec}"
+        c = javax.crypto.Cipher.getInstance(spec.to_java_cipher_spec)
+      end
+    
+      algoParam = spec.algo_params_spec
+      if algoParam.nil?
+        GcryptoJce::GConf.instance.glog.debug "With nil algo params"
+        c.init(javax.crypto.Cipher::ENCRYPT_MODE, spec.key)
+      else
+        GcryptoJce::GConf.instance.glog.debug "With algo params : #{algoParam}"
+        c.init(javax.crypto.Cipher::ENCRYPT_MODE, spec.key, algoParam)
+      end 
+
+      # special for GCM mode
+      if spec.mode == "GCM"
+        addAuthData = opts[:addAuthData]
+        if not addAuthData.nil?
+          case addAuthData
+          when Java::byte[]
+            c.updateAAD(addAuthData)
+          when String
+            c.updateAAD(addAuthData.to_java.getBytes)
+          when Java::char[]
+            cc.updateAAD(String.from_java_bytes(addAuthData).to_java.getBytes)
+          else
+            raise GcryptoJce::Error, "Addtional authenticated data given is not string, byte[] or char[]."
+          end
+        end
+      end
+      # end special data for GCM
+      
+      begin
+        bufConf = opts[:int_buf] || { }
+        total = 0
+        IoUtils.read_chunk(is, bufConf) do |buf, from, len|
+          os.write(c.update(buf, from, len))
+          total += len
+          GcryptoJce::GConf.instance.glog.debug "Processed #{NumberHelper.number_to_human_size(total)}"
+        end
+
+        os.write(c.doFinal)
+      rescue Exception
+      ensure
+        begin
+          is.close
+          os.flush
+          os.close
+        rescue Exception
+        end
+      end
+
+      IoUtils.return_if_buffer(os)
+      #if outFile.nil? or outFile.empty?
+      #  os.toByteArray
+      #end
+      
+    end
+    # 
+    # end encrypt
+    #
+
+    def decrypt(opts = { })
+      
+      is = IoUtils.load_input(opts)
+      spec = opts[:crypto_context]
+      if spec.nil?
+        raise GcryptoJce::Error, "Crypto context is not given for secret key decryption"
+      end
+
+      #outFile = opts[:outFile]
+      #if not (outFile.nil? or outFile.empty?)
+      #  os = java.io.FileOutputStream.new(outFile)
+      #else
+      #  os = java.io.ByteArrayOutputStream.new
+      #end
+      os = IoUtils.prep_output(opts)
+      
+      if not spec.key_provider.nil?
+        prov = GcryptoJce::Provider.add_provider(spec.key_provider)
+        GcryptoJce::GConf.instance.glog.debug "Cipher spec : #{spec.to_java_cipher_spec}"
+        c = javax.crypto.Cipher.getInstance(spec.to_java_cipher_spec, prov)
+      else
+        GcryptoJce::GConf.instance.glog.debug "Cipher spec : #{spec.to_java_cipher_spec}"
+        c = javax.crypto.Cipher.getInstance(spec.to_java_cipher_spec)
+      end
+
+      algoParam = spec.algo_params_spec
+      if algoParam.nil?
+        GcryptoJce::GConf.instance.glog.debug "With nil algo params"
+        c.init(javax.crypto.Cipher::DECRYPT_MODE, spec.key)
+      else
+        GcryptoJce::GConf.instance.glog.debug "With algo params : #{algoParam}"
+        c.init(javax.crypto.Cipher::DECRYPT_MODE, spec.key, algoParam)
+      end 
+      
+      begin
+        bufConf = opts[:int_buf] || { }
+        total = 0
+        IoUtils.read_chunk(is, bufConf) do |buf, from, len|
+          os.write(c.update(buf, from, len))
+          total += len
+          GcryptoJce::GConf.instance.glog.debug "Processed #{NumberHelper.number_to_human_size(total)}"
+        end
+
+        os.write(c.doFinal)
+      rescue Exception
+      ensure
+        begin
+          is.close
+          os.flush
+          os.close
+        rescue Exception
+        end
+      end
+
+      IoUtils.return_if_buffer(os)
+      #if outFile.nil? or outFile.empty?
+      #  os.toByteArray
+      #end
+
+    end
+    # end decrypt()
+ 
+    # generate mac as signature using secret key
+    def sign(opts = { })
+
+      spec = opts[:crypto_context]
+      if spec.nil?
+        raise GcryptoJce::Error, "Crypto context is not given for secret key signing"
+      end
+
+      is = IoUtils.load_input(opts)
+      if not opts[:associatedData].nil?
+        dat = opts[:associatedData]
+        dat.merge!( { input_optional: true })
+        addIs = IoUtils.load_input(dat)
+      end
+      os = IoUtils.prep_output(opts)
+
+      hmacHash = opts[:hmacHash] || "SHA256"
+      hmacHashEng = "Hmac#{hmacHash}"
+      GcryptoJce::GConf.instance.glog.debug "Using '#{hmacHashEng}'"
+
+      if not spec.key_provider.nil?
+        prov = GcryptoJce::Provider.add_provider(spec.key_provider)
+        hmac = javax.crypto.Mac.getInstance(hmacHashEng, prov)
+      else
+        hmac = javax.crypto.Mac.getInstance(hmacHashEng)
+      end
+
+      hmac.init(spec.key)
+
+      begin
+        bufConf = opts[:int_buf] || { }
+        total = 0
+        IoUtils.read_chunk(is, bufConf) do |buf, from, len|
+          hmac.update(buf, from, len)
+          total += len
+          GcryptoJce::GConf.instance.glog.debug "Processed #{NumberHelper.number_to_human_size(total)}"
+        end
+
+        if not addIs.nil?
+          GcryptoJce::GConf.instance.glog.debug "Processing associated data"
+          IoUtils.read_chunk(addIs, bufConf) do |buf, from, len|
+            hmac.update(buf, from, len)
+            total += len
+            GcryptoJce::GConf.instance.glog.debug "Processed #{NumberHelper.number_to_human_size(total)}"
+          end
+        end
+
+        os.write(hmac.doFinal)
+      rescue Exception => ex
+      ensure
+        begin
+          is.close
+          os.flush
+          os.close
+        rescue Exception
+        end
+      end
+
+      IoUtils.return_if_buffer(os)
+      
+    end
+    # end sign()
+
+    def verify(opts = { })
+      
+      # mac value obtained by caller app
+      # must be in byte array value
+      mac = opts[:mac]
+      macBin = IoUtils.ensure_java_bytes(mac)
+      # calculate again based on input
+      refMac = sign(opts)
+      
+      # compare both byte array
+      # 
+      java.security.MessageDigest.isEqual(macBin, refMac)
+    end
+    # end verify()
+
+  end
+  # 
+  # end SecretKeyCrypto
+  #
+
+  class SecretKeyCryptoEngine
+    extend SecretKeyCrypto
+  end
+  
+end
+# 
+# end GcryptoJce
+#