keystores 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0ecbd40c0a3022aeae1e8f6257e96160909008e5
-  data.tar.gz: c6d278eca9d05a4ca80c0cfa96274b6c3ddfcab4
+  metadata.gz: c2cf8155852be0f372803bf45bc5eac1a4ea467e
+  data.tar.gz: ff0423f51a7a95deb0ae2e2fbff565a9e4c95366
 SHA512:
-  metadata.gz: 16f5d801475e7d1e13c64648c73205fc02e7fd9364354f95e0c714dd94a7b8724169582e9fca2b01ffe492a696aa2534b0a213c9322c41191dc8557d963f9d8a
-  data.tar.gz: 67d510a0f27ef57792e6e6e1fda4dfcde58f5d70db3be421caaea5360dee55de39a396e1c3c097361534687275938074d48b9e7461599ffe7a06e819f0bd7454
+  metadata.gz: e46edf529317b03d78a96065d079dcd528a645ead5487e33363209ee6661fd3760cdfa4f1c4138e58c86c2e6e81bfb2e78649e463c994af1b9ba14508dd57b3d
+  data.tar.gz: 4650005587aff20f7c16e0a8fa4627047dcff2b45d91b13b96ccc3310e65c3456472cfcc051a78e262e277e0bd3b422f979c05b4b60a98ec3f327128a4c72329

data/JAVA_KEY_STORE_README.md

@@ -0,0 +1,58 @@
+Java Key Store
+==============
+
+There are quite a few pieces that go into implementing a Java key store that we had to roll ourselves
+
+## Encrypted private key info
+
+[Keystores::Jks::EncryptedPrivateKeyInfo](lib/keystores/jks/encrypted_private_key_info.rb)
+
+PKCS#8 defines the following syntax for an encrypted private key:
+
+```
+EncryptedPrivateKeyInfo ::=  SEQUENCE {
+     encryptionAlgorithm   AlgorithmIdentifier,
+     encryptedData   OCTET STRING }
+```
+
+Java's implementation actually encodes the following:
+
+```
+EncryptedPrivateKeyInfo ::=  SEQUENCE {
+     SEQUENCE {
+     null,
+     encryptionAlgorithm   AlgorithmIdentifier},
+     encryptedData   OCTET STRING }
+```
+
+For some reason, they wrap the PKCS8 sequence in another sequence, and throw a null in there for good measure.
+
+## Key protector
+
+[Keystores::Jks::KeyProtector](lib/keystores/jks/key_protector.rb)
+
+This class is pretty much a direct port of `sun.security.provider.KeyProtector`.
+It implements a proprietary PBE of sorts.
+
+TODO, I would like to implement this as a proper `OpenSSL::Cipher` object.
+
+## PKCS8 Key
+
+This file cracks open the `OpenSSL::PKey` classes and enables them to both parse and encode keys
+in PKCS#8 format. This is implemented for `EC`, `RSA`, and `DSA` keys.
+
+### Parsing
+
+Parsing is implemented as replacing the original `initialize` method with one that converts the DER
+encoded key to PEM, and then calls the original `initialize` method. This is because for some reason,
+the built in `OpenSSL::PKey` object constructors can parse a PEM encoded PKCS8 key just fine, but it
+blows up on a DER encoded key.
+
+This provides a method `OpenSSL::PKey.pkcs8_parse` that parses the ASN.1 encoded key structure, extracts
+the key type, and returns the correct `OpenSSL::PKey` object.
+
+### Encoding
+
+This provides a method `OpenSSL::PKey::{RSA,DSA,EC}.to_pkcs8` that encodes each key type into its correct
+PKCS#8 format. The Ruby OpenSSL wrapper doesn't give you access to PKCS8 capabilities in OpenSSL, and even if
+it did, not all versions of openssl that are packaged with ruby implement PKCS8 encoding.

data/README.md

@@ -1,7 +1,8 @@
 # Keystores
 
 This gem provides ruby implementations of different key stores. This was primarily created to provide the ability
-to use many of the good Java key stores from ruby.
+to use many of the good Java key stores from ruby. This gem adds the key stores to the OpenSSL module structure,
+since that is where the `OpenSSL::PKCS12` keystore lives.
 
 ## Installation
 
@@ -31,6 +32,8 @@ The certificate and key objects that these keystores return and expect are `Open
 
 #### Java Key Store (jks) format
 
+[Detailed documentation](JAVA_KEY_STORE_README.md)
+
 ##### Reading
 
 This gem supports reading trusted certificate entries and private key entries. It can read
@@ -39,8 +42,8 @@ and decrypt RSA, DSA, and EC keys.
 Example usage:
 
 ```
-require 'keystores/java_keystore'
-keystore = Keystores::JavaKeystore.new
+require 'keystores'
+keystore = OpenSSL::JKS.new
 
 # Load can take any IO object, or a path to a file
 key_store_password = 'keystores'

data/keystores.gemspec

@@ -9,8 +9,9 @@ Gem::Specification.new do |spec|
   spec.authors       = ['Ryan Larson']
   spec.email         = ['ryan.mango.larson@gmail.com']
 
-  spec.summary       = 'This gem allows applications to interact with different types of keystores'
-  spec.description   = spec.summary
+  spec.summary       = 'This gem allows applications to interact with java key stores'
+  spec.description   = 'This gem allows you to interact with java key stores in pure ruby. Keys and Certificates are' +
+                       ' represented as OpenSSL objects'
   spec.homepage      = 'https://github.com/rylarson/keystores'
   spec.license       = 'MIT'
 

data/lib/keystores.rb

@@ -1,5 +1,6 @@
-require "keystores/version"
+require 'keystores/java_key_store'
 
-module Keystores
-  # Your code goes here...
+module OpenSSL
+  # Alias the key store implementations in the OpenSSL module structure
+  class JKS < Keystores::JavaKeystore; end
 end

data/lib/keystores/jks/encrypted_private_key_info.rb

@@ -13,6 +13,13 @@ module Keystores
     class EncryptedPrivateKeyInfo
       attr_accessor :encrypted_data, :algorithm, :encoded
 
+      # You can pass either an ASN.1 encryptedPrivateKeyInfo object
+      # or the encrypted bytes and the encryption algorithm.
+      #
+      # @param [Hash] opts
+      # @option opts [String] :encoded The ASN.1 encoded encrypted private key info
+      # @option opts [String] :algorithm The encryption algorithm
+      # @option opts [String] :encrypted_data The encrypted key bytes
       def initialize(opts = {})
         # Parses from encoded private key
         if opts.has_key?(:encoded)

data/lib/keystores/jks/key_protector.rb

@@ -48,7 +48,8 @@ require 'keystores/jks/encrypted_private_key_info'
 # Then concatenate the password with the recovered key, and compare with the
 # last length(digest(p, P)) bytes of R. If they match, the recovered key is
 # indeed the same key as the original key.
-
+#
+# TODO, implement this as an OpenSSL PBE Cipher
 module Keystores
   module Jks
     class KeyProtector

data/lib/keystores/jks/pkcs8_key.rb

@@ -47,7 +47,7 @@ module OpenSSL
       #
       # We currently ignore the optional parameters and publicKey fields.
       # We encode the parameters are as part of the curve name,
-      # not in the private key structure.We do this because Java expects things
+      # not in the private key structure. We do this because Java expects things
       # to be encoded this way
       def encode_private_key
         version = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new('1'))
@@ -141,7 +141,6 @@ module OpenSSL
     # Parse the correct type of OpenSSL::PKey from a der encoded PKCS8 private key
     def self.pkcs8_parse(der_bytes)
       key_type = extract_key_type(der_bytes)
-      # pem = der_to_pem(der_bytes)
       OpenSSL::PKey.const_get(key_type).new(der_bytes)
     end
 

data/lib/keystores/version.rb

@@ -1,3 +1,3 @@
 module Keystores
-  VERSION = '0.1.0'
+  VERSION = '0.2.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: keystores
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Ryan Larson
@@ -66,7 +66,8 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-description: This gem allows applications to interact with different types of keystores
+description: This gem allows you to interact with java key stores in pure ruby. Keys
+  and Certificates are represented as OpenSSL objects
 email:
 - ryan.mango.larson@gmail.com
 executables: []
@@ -77,6 +78,7 @@ files:
 - .rspec
 - .travis.yml
 - Gemfile
+- JAVA_KEY_STORE_README.md
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -111,5 +113,5 @@ rubyforge_project:
 rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
-summary: This gem allows applications to interact with different types of keystores
+summary: This gem allows applications to interact with java key stores
 test_files: []