mobile-secrets 0.0.8 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dac63b4dd181e9c103b09d3731c278027b824efd3d111df3d1bdb9ef643916c9
-  data.tar.gz: aa9fb1acc5d381192bc6aa407e922fc3c2d07071cb881b5bcd5c8b05bb0759d6
+  metadata.gz: 6bfbc5bc8fa622ef393019dc29b77d0067e329ed7dffb68f966ed659265dc221
+  data.tar.gz: 199b3c9c305fc0de836e589dddd36fdd694362a2cff6b2b7ac55719c6f044f7d
 SHA512:
-  metadata.gz: ca7520a8970dcf937921463be547a72a1a7a47d992fc3ee91926f213de358ced059694d1b479c54ff8eb43838a253f2d41f32ec3df9faddd92bc45d24fd80ca9
-  data.tar.gz: 6bbbff40235f340cd8138ab9f33295b1f3dba98fee4cb835bd1ad299edda38b131b85766f1a563e74e31952a722fd32038a21449f0ef4be84002813a2de468fa
+  metadata.gz: c48011bde102a1994bd6e4766bc8aef593c33a3fc84448d69727987802272de54165cc9e7059a00c711aaf0c0274372a7a79cca7005e218d5dd3192e8ca2f44d
+  data.tar.gz: e67c2c5e894ce0a29487957b976e3f30f023939302a1074ca3cc289ae50df18a77b13d1d1ae5dc7885973a47311b3585bc3ec6b221c0368d46737c97a850c729

data/lib/mobile-secrets.rb

@@ -20,15 +20,16 @@ module MobileSecrets
 
     def options
       opt = ""
-      opt << "--init-gpg PATH \t\tInitialize GPG in the directory.\n"
-      opt << "--create-template \t\tCreates a template yml file to configure the MobileSecrets\n"
-      opt << "--import SECRETS_PATH \t\tAdds MobileSecrets to GPG secrets\n"
-      opt << "--export PATH \t\t\tCreates source file with obfuscated secrets at given PATH\n"
-      opt << "--encrypt-file FILE PASSWORD \tEncrypt a single file with AES\n"
-      opt << "--usage \t\t\tManual for using MobileSecrets.\n\n"
+      opt << "--init-gpg PATH \t\t\tInitialize GPG in the directory.\n"
+      opt << "--create-template \t\t\tCreates a template yml file to configure the MobileSecrets\n"
+      opt << "--import SECRETS_PATH \t\t\tAdds MobileSecrets to GPG secrets\n"
+      opt << "--export PATH opt: ENCRYPTED_FILE_PATH \tCreates source file with obfuscated secrets at given PATH\n"
+      opt << "--encrypt-file FILE PASSWORD \t\tEncrypt a single file with AES\n"
+      opt << "--empty PATH \t\t\t\tGenerates a Secrets file without any data in it\n"
+      opt << "--usage \t\t\t\tManual for using MobileSecrets.\n\n"
       opt << "Examples:\n"
       opt << "--import \"./MobileSecrets.yml\"\n"
-      opt << "--export \"./Project/Src\"\n"
+      opt << "--export \"./Project/Src\\n"
       opt << "--init-gpg \".\""
       opt
     end
@@ -49,22 +50,31 @@ module MobileSecrets
         FileUtils.cp("#{__dir__}/../lib/resources/example.yml", "#{Dir.pwd}#{File::SEPARATOR}MobileSecrets.yml")
       when "--export"
         return print_options if argv_1 == nil
+        encrypted_file_path = argv_2 ||= "secrets.gpg"
 
         secrets_handler = MobileSecrets::SecretsHandler.new
-        secrets_handler.export_secrets argv_1
+        secrets_handler.export_secrets argv_1, argv_2
       when "--init-gpg"
         return print_options if argv_1 == nil
 
         Dotgpg::Cli.new.init(argv_1)
       when "--import"
         return print_options if argv_1 == nil
-
+        gpg_file = argv_2 ||= "secrets.gpg"
         file = IO.read argv_1
-        MobileSecrets::SecretsHandler.new.encrypt "./secrets.gpg", file, nil
+        MobileSecrets::SecretsHandler.new.encrypt gpg_file, file, nil
       when "--encrypt-file"
         file = argv_1
         password = argv_2
         MobileSecrets::SecretsHandler.new.encrypt_file password, file, "#{file}.enc"
+      when "--empty"
+        return print_options if argv_1 == nil
+        file_path = argv_1
+        
+        MobileSecrets::SourceRenderer.new("swift").render_empty_template "#{file_path}/secrets.swift"
+      when "--edit"
+        return print_options if argv_1 == nil
+        exec("dotgpg", "edit", argv_1)
       when "--usage"
         puts usage
       else

data/lib/resources/SecretsSwift.erb

@@ -3,15 +3,17 @@
 //
 
 <% if should_decrypt_files %>import CommonCrypto<% end %>
+<% if algorithm == "AES-GCM" %>import CryptoKit<% end %>
 import Foundation
 
-class Secrets {
+// swiftlint:disable all
+<% if algorithm == "AES-GCM" %>@available(iOS 13.0, macOS 10.15, tvOS 13.0, watchOS 6.0, *)
+<% end %>final class Secrets: Sendable {
     static let standard = Secrets()
     private let bytes: [[UInt8]] = <%= secrets_array.to_s.gsub "],", "],\n                                   "%>
 <% if should_decrypt_files %>
     private let fileNames: [[UInt8]] = <%= file_names_array.to_s.gsub "],", "],\n                                       "%>
 <% end %>
-
     private init() {}
 
     func string(forKey key: String, password: String? = nil) -> String? {
@@ -23,6 +25,27 @@ class Secrets {
         return String(data: Data(value), encoding: .utf8)
     }
 
+<% if algorithm == "AES-GCM" %>
+    // AES-256-GCM decryption. Input layout: IV(12) + AuthTag(16) + Ciphertext(N)
+    private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
+        guard password.count == 32 else { return nil }
+        let ivSize = 12
+        let tagSize = 16
+        guard input.count > ivSize + tagSize else { return nil }
+        do {
+            let key = SymmetricKey(data: Data(password))
+            let nonce = try AES.GCM.Nonce(data: Data(input[0..<ivSize]))
+            let tag = Data(input[ivSize..<(ivSize + tagSize)])
+            let ciphertext = Data(input[(ivSize + tagSize)...])
+            let sealedBox = try AES.GCM.SealedBox(nonce: nonce, ciphertext: ciphertext, tag: tag)
+            let decrypted = try AES.GCM.open(sealedBox, using: key)
+            return [UInt8](decrypted)
+        } catch {
+            return nil
+        }
+    }
+<% else %>
+    // XOR-based deobfuscation. The key cycles over the password bytes.
     private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
         guard !password.isEmpty else { return nil }
         var output = [UInt8]()
@@ -31,7 +54,7 @@ class Secrets {
         }
         return output
     }
-
+<% end %>
 <% if should_decrypt_files %>
     func decryptFiles(bundle: Bundle = Bundle.main, password: String? = nil) throws {
         try fileNames.forEach({ (fileNameBytes) in
@@ -60,7 +83,7 @@ class Secrets {
         outputURL.appendPathComponent(fileName)
 
         do {
-            let aes = try AES(keyString: pwd)
+            let aes = try AESFileCipher(keyString: pwd)
             let decryptedString = try aes.decrypt(fileData)
             try decryptedString.write(to: outputURL, atomically: true, encoding: .utf8)
         } catch let e {
@@ -68,7 +91,8 @@ class Secrets {
         }
     }
 
-    struct AES {
+    // AES-256-CBC cipher used for decrypting .enc file resources.
+    private struct AESFileCipher {
         enum Error: Swift.Error {
             case invalidKeySize
             case encryptionFailed
@@ -78,7 +102,7 @@ class Secrets {
 
         private var key: Data
         private var ivSize: Int = kCCBlockSizeAES128
-        private let options: CCOptions  = CCOptions()
+        private let options: CCOptions = CCOptions(kCCOptionPKCS7Padding)
 
         init(keyString: String) throws {
             guard keyString.count == kCCKeySizeAES256 else {
@@ -103,10 +127,10 @@ class Secrets {
                                     throw Error.encryptionFailed
                             }
 
-                            let cryptStatus: CCCryptorStatus = CCCrypt( // Stateless, one-shot encrypt operation
+                            let cryptStatus: CCCryptorStatus = CCCrypt( // Stateless, one-shot decrypt operation
                                 CCOperation(kCCDecrypt),                // op: CCOperation
-                                CCAlgorithm(kCCAlgorithmAES),        // alg: CCAlgorithm
-                                options,                                // options: CCOptions
+                                CCAlgorithm(kCCAlgorithmAES),           // alg: CCAlgorithm
+                                options,                                // options: CCOptions (PKCS7 padding)
                                 keyBytesBaseAddress,                    // key: the "password"
                                 key.count,                              // keyLength: the "password" size
                                 dataToDecryptBytesBaseAddress,          // iv: Initialization Vector
@@ -134,6 +158,6 @@ class Secrets {
 
             return decryptedString
         }
-  }
+    }
 <% end %>
 }

data/lib/resources/SecretsSwiftEmpty.erb

@@ -0,0 +1,31 @@
+//
+//  Autogenerated file by Mobile Secrets
+//
+
+import Foundation
+
+// swiftlint:disable all
+class Secrets {
+    static let standard = Secrets()
+    private let bytes: [[UInt8]] = [[0]]
+
+    private init() {}
+
+    func string(forKey key: String, password: String? = nil) -> String? {
+        let pwdBytes = password == nil ? bytes[0] : password?.map({ c in c.asciiValue ?? 0 })
+        guard let index = bytes.firstIndex(where: { String(data: Data($0), encoding: .utf8) == key }),
+            let pwd = pwdBytes,
+            let value = decrypt(bytes[index + 1], password: pwd) else { return nil }
+
+        return String(data: Data(value), encoding: .utf8)
+    }
+
+    private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
+        guard !password.isEmpty else { return nil }
+        var output = [UInt8]()
+        for byte in input.enumerated() {
+            output.append(byte.element ^ password[byte.offset % password.count])
+        }
+        return output
+    }
+}

data/lib/resources/example.yml

@@ -1,17 +1,22 @@
 MobileSecrets:
   # hashKey: Key that will be used to hash the secret values.
   # For encrypting files the key needs to be 32 chars long as an AES standard.
-  hashKey: "KokoBelloKokoKokoBelloKokoKokoBe"
+  # When using alg: "AES-GCM" the key must also be exactly 32 characters.
+  hashKey: "REPLACE_THIS_32_CHAR_HASH_KEY___"
   # shouldIncludePassword: By default the password is saved in the code as a series of bytes, however it can also
   # be fetched from your API, saved in keychain and passed to the Secrets for improving the security.
   shouldIncludePassword: true
   # language: Swift is currently only supported language, Kotlin is coming soon.
   language: "Swift"
+  # alg: The algorithm used to obfuscate secret values. Options: "XOR" (default) or "AES-GCM".
+  # AES-GCM provides authenticated encryption and is stronger than XOR obfuscation.
+  # Note: AES-GCM requires hashKey to be exactly 32 characters and iOS 13+ / macOS 10.15+.
+  alg: "XOR"
   # Key-value dictionary for secrets. The key is then referenced in the code to get the secret.
   secrets:
-    googleMaps: "123123123"
-    firebase: "asdasdasd"
-    amazon: "asd123asd123"
+    googleMaps: "YOUR_GOOGLE_MAPS_KEY"
+    firebase: "YOUR_FIREBASE_KEY"
+    amazon: "YOUR_AMAZON_KEY"
   # Optional, remove files if you do not want to encrypt them
   files:
     - tmp.txt

data/lib/src/secrets_handler.rb

@@ -1,5 +1,7 @@
 require "dotgpg"
 require "yaml"
+require "openssl"
+require "stringio"
 
 require_relative '../src/obfuscator'
 require_relative '../src/file_handler'
@@ -8,38 +10,52 @@ require_relative '../src/source_renderer'
 module MobileSecrets
   class SecretsHandler
 
-    def export_secrets path
-      decrypted_config = decrypt_secrets()
-      file_names_bytes, secrets_bytes = process_yaml_config decrypted_config
+    SUPPORTED_ALGORITHMS = %w[XOR AES-GCM].freeze
+
+    def export_secrets path, from_encrypted_file_name
+      decrypted_config = decrypt_secrets(from_encrypted_file_name)
+      file_names_bytes, secrets_bytes, algorithm = process_yaml_config decrypted_config
 
       renderer = MobileSecrets::SourceRenderer.new "swift"
-      renderer.render_template secrets_bytes, file_names_bytes, "#{path}/secrets.swift"
+      renderer.render_template secrets_bytes, file_names_bytes, "#{path}/secrets.swift", algorithm
+      decrypted_config
     end
 
     def process_yaml_config yaml_string
-      config = YAML.load(yaml_string)["MobileSecrets"]
+      config = YAML.safe_load(yaml_string)["MobileSecrets"]
       hash_key = config["hashKey"]
       secrets_dict = config["secrets"]
       files = config["files"]
       should_include_password = config["shouldIncludePassword"]
+      algorithm = (config["alg"] || "XOR").upcase
+
+      abort("Unsupported algorithm '#{algorithm}'. Valid options: #{SUPPORTED_ALGORITHMS.join(', ')}.") \
+        unless SUPPORTED_ALGORITHMS.include?(algorithm)
+      abort("hashKey must be exactly 32 characters for AES-GCM encryption.") \
+        if algorithm == "AES-GCM" && hash_key.length != 32
+
       secrets_bytes = should_include_password ? [hash_key.bytes] : []
       file_names_bytes = []
       obfuscator = MobileSecrets::Obfuscator.new hash_key
 
       secrets_dict.each do |key, value|
-        encrypted = obfuscator.obfuscate(value)
-        secrets_bytes << key.bytes << encrypted.bytes
+        if algorithm == "AES-GCM"
+          secrets_bytes << key.bytes << encrypt_aes_gcm(value.to_s, hash_key, key)
+        else
+          encrypted = obfuscator.obfuscate(value.to_s)
+          secrets_bytes << key.bytes << encrypted.bytes
+        end
       end
 
       if files
-        abort("Password must be 32 characters long for files encryption.") if hash_key.length != 32
+        abort("hashKey must be 32 characters long for files encryption.") if hash_key.length != 32
         files.each do |f|
           encrypt_file hash_key, f, "#{f}.enc"
           file_names_bytes << f.bytes
         end
       end
 
-      return file_names_bytes, secrets_bytes
+      return file_names_bytes, secrets_bytes, algorithm
     end
 
     def encrypt output_file_path, string, gpg_path
@@ -51,6 +67,7 @@ module MobileSecrets
 
     def encrypt_file password, file, output_file_path
       encryptor = FileHandler.new password
+      abort("Configuration contains file #{file} that cannot be found! Please check your mobile-secrets configuration or add the file into directory.") unless File.exist? file
       encrypted_content = encryptor.encrypt file
 
       File.open(output_file_path, "wb") { |f| f.write encrypted_content }
@@ -58,10 +75,28 @@ module MobileSecrets
 
     private
 
-    def decrypt_secrets
-      gpg = Dotgpg::Dir.new "#{Dir.pwd}/"
+    # Encrypts a secret value with AES-256-GCM using a deterministic IV.
+    # The IV is derived via HMAC-SHA256(key, "secret_name:value") truncated to 12 bytes,
+    # so identical inputs always produce identical ciphertext while ensuring that
+    # changing either the value or the secret name produces a different IV — preventing
+    # nonce reuse, which would be catastrophic for GCM authentication.
+    # Returns bytes laid out as: IV(12) + AuthTag(16) + Ciphertext(N)
+    def encrypt_aes_gcm(value, key_string, secret_name)
+      iv = OpenSSL::HMAC.digest('SHA256', key_string, "#{secret_name}:#{value}")[0, 12]
+      cipher = OpenSSL::Cipher::AES256.new(:GCM)
+      cipher.encrypt
+      cipher.iv = iv
+      cipher.key = key_string
+      cipher.auth_data = ""
+      ciphertext = cipher.update(value) + cipher.final
+      tag = cipher.auth_tag(16)
+      (iv + tag + ciphertext).bytes
+    end
+
+    def decrypt_secrets encrypted_file_name
+      gpg = Dotgpg::Dir.closest encrypted_file_name
       output = StringIO.new
-      gpg.decrypt "#{Dir.pwd}/secrets.gpg", output
+      gpg.decrypt "#{Dir.pwd}/#{encrypted_file_name}", output
       output.string
     end
 

data/lib/src/source_renderer.rb

@@ -8,7 +8,7 @@ module MobileSecrets
       @source_type = source_type.downcase
     end
 
-    def render_template secrets_bytes, file_names_bytes, output_file_path
+    def render_template secrets_bytes, file_names_bytes, output_file_path, algorithm = "XOR"
       template = ERB.new(File.read("#{__dir__}/../resources/SecretsSwift.erb"))
 
       case @source_type
@@ -16,7 +16,19 @@ module MobileSecrets
         File.open(output_file_path, "w") do |file|
            file.puts template.result_with_hash(secrets_array: secrets_bytes,
               file_names_array: file_names_bytes,
-              should_decrypt_files: file_names_bytes.length > 0)
+              should_decrypt_files: file_names_bytes.length > 0,
+              algorithm: algorithm)
+         end
+      end
+    end
+    
+    def render_empty_template output_file_path
+      template = File.read("#{__dir__}/../resources/SecretsSwiftEmpty.erb")
+
+      case @source_type
+      when "swift"
+        File.open(output_file_path, "w") do |file|
+           file.puts template
          end
       end
     end

metadata

@@ -1,12 +1,12 @@
 --- !ruby/object:Gem::Specification
 name: mobile-secrets
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.1.0
 platform: ruby
 authors:
 - Cyril Cermak
 - Joerg Nestele
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
 date: 2019-09-27 00:00:00.000000000 Z
@@ -25,6 +25,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.7.0
+- !ruby/object:Gem::Dependency
+  name: minitest-reporters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
 description: Handle mobile secrets the secure way with ease
 email: cyril.cermakk@gmail.com
 executables:
@@ -36,6 +50,7 @@ files:
 - bin/mobile-secrets
 - lib/mobile-secrets.rb
 - lib/resources/SecretsSwift.erb
+- lib/resources/SecretsSwiftEmpty.erb
 - lib/resources/example.yml
 - lib/src/file_handler.rb
 - lib/src/obfuscator.rb
@@ -45,7 +60,7 @@ homepage: https://github.com/CyrilCermak/mobile-secrets
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -60,8 +75,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: mobile-secrets tool for handling your mobile secrets
 test_files: []