mobile-secrets 0.0.9 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f4f08928281f7ec09b0f307fde69ac6a240fc006cdb398741b94b94906952f6
-  data.tar.gz: 2b28b5fccdd4b442bf229733eaad00e170baee9e4c5505a925761f947929bda8
+  metadata.gz: 6bfbc5bc8fa622ef393019dc29b77d0067e329ed7dffb68f966ed659265dc221
+  data.tar.gz: 199b3c9c305fc0de836e589dddd36fdd694362a2cff6b2b7ac55719c6f044f7d
 SHA512:
-  metadata.gz: 2f7805f87c8cf0713394b29e4f40da1654661ea736640de9fb59f95b8aff7e2928b5941a67f993af709c3b31cb62f4d1f1fbcbca88bd856303b05ddb9966ed13
-  data.tar.gz: 693fabe5ec237be1fcaf50ca841b60df85dccde3d017bf97e059cffe8ad6b216e8656be7ebef97688fb6e25318e93bfd36cbc09b2752fbd69ba42d39be1f72a3
+  metadata.gz: c48011bde102a1994bd6e4766bc8aef593c33a3fc84448d69727987802272de54165cc9e7059a00c711aaf0c0274372a7a79cca7005e218d5dd3192e8ca2f44d
+  data.tar.gz: e67c2c5e894ce0a29487957b976e3f30f023939302a1074ca3cc289ae50df18a77b13d1d1ae5dc7885973a47311b3585bc3ec6b221c0368d46737c97a850c729

data/lib/mobile-secrets.rb

@@ -74,7 +74,7 @@ module MobileSecrets
         MobileSecrets::SourceRenderer.new("swift").render_empty_template "#{file_path}/secrets.swift"
       when "--edit"
         return print_options if argv_1 == nil
-        exec("dotgpg edit #{argv_1}")
+        exec("dotgpg", "edit", argv_1)
       when "--usage"
         puts usage
       else

data/lib/resources/SecretsSwift.erb

@@ -3,16 +3,17 @@
 //
 
 <% if should_decrypt_files %>import CommonCrypto<% end %>
+<% if algorithm == "AES-GCM" %>import CryptoKit<% end %>
 import Foundation
 
 // swiftlint:disable all
-class Secrets {
+<% if algorithm == "AES-GCM" %>@available(iOS 13.0, macOS 10.15, tvOS 13.0, watchOS 6.0, *)
+<% end %>final class Secrets: Sendable {
     static let standard = Secrets()
     private let bytes: [[UInt8]] = <%= secrets_array.to_s.gsub "],", "],\n                                   "%>
 <% if should_decrypt_files %>
     private let fileNames: [[UInt8]] = <%= file_names_array.to_s.gsub "],", "],\n                                       "%>
 <% end %>
-
     private init() {}
 
     func string(forKey key: String, password: String? = nil) -> String? {
@@ -24,6 +25,27 @@ class Secrets {
         return String(data: Data(value), encoding: .utf8)
     }
 
+<% if algorithm == "AES-GCM" %>
+    // AES-256-GCM decryption. Input layout: IV(12) + AuthTag(16) + Ciphertext(N)
+    private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
+        guard password.count == 32 else { return nil }
+        let ivSize = 12
+        let tagSize = 16
+        guard input.count > ivSize + tagSize else { return nil }
+        do {
+            let key = SymmetricKey(data: Data(password))
+            let nonce = try AES.GCM.Nonce(data: Data(input[0..<ivSize]))
+            let tag = Data(input[ivSize..<(ivSize + tagSize)])
+            let ciphertext = Data(input[(ivSize + tagSize)...])
+            let sealedBox = try AES.GCM.SealedBox(nonce: nonce, ciphertext: ciphertext, tag: tag)
+            let decrypted = try AES.GCM.open(sealedBox, using: key)
+            return [UInt8](decrypted)
+        } catch {
+            return nil
+        }
+    }
+<% else %>
+    // XOR-based deobfuscation. The key cycles over the password bytes.
     private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
         guard !password.isEmpty else { return nil }
         var output = [UInt8]()
@@ -32,7 +54,7 @@ class Secrets {
         }
         return output
     }
-
+<% end %>
 <% if should_decrypt_files %>
     func decryptFiles(bundle: Bundle = Bundle.main, password: String? = nil) throws {
         try fileNames.forEach({ (fileNameBytes) in
@@ -61,7 +83,7 @@ class Secrets {
         outputURL.appendPathComponent(fileName)
 
         do {
-            let aes = try AES(keyString: pwd)
+            let aes = try AESFileCipher(keyString: pwd)
             let decryptedString = try aes.decrypt(fileData)
             try decryptedString.write(to: outputURL, atomically: true, encoding: .utf8)
         } catch let e {
@@ -69,7 +91,8 @@ class Secrets {
         }
     }
 
-    struct AES {
+    // AES-256-CBC cipher used for decrypting .enc file resources.
+    private struct AESFileCipher {
         enum Error: Swift.Error {
             case invalidKeySize
             case encryptionFailed
@@ -79,7 +102,7 @@ class Secrets {
 
         private var key: Data
         private var ivSize: Int = kCCBlockSizeAES128
-        private let options: CCOptions  = CCOptions()
+        private let options: CCOptions = CCOptions(kCCOptionPKCS7Padding)
 
         init(keyString: String) throws {
             guard keyString.count == kCCKeySizeAES256 else {
@@ -104,10 +127,10 @@ class Secrets {
                                     throw Error.encryptionFailed
                             }
 
-                            let cryptStatus: CCCryptorStatus = CCCrypt( // Stateless, one-shot encrypt operation
+                            let cryptStatus: CCCryptorStatus = CCCrypt( // Stateless, one-shot decrypt operation
                                 CCOperation(kCCDecrypt),                // op: CCOperation
-                                CCAlgorithm(kCCAlgorithmAES),        // alg: CCAlgorithm
-                                options,                                // options: CCOptions
+                                CCAlgorithm(kCCAlgorithmAES),           // alg: CCAlgorithm
+                                options,                                // options: CCOptions (PKCS7 padding)
                                 keyBytesBaseAddress,                    // key: the "password"
                                 key.count,                              // keyLength: the "password" size
                                 dataToDecryptBytesBaseAddress,          // iv: Initialization Vector
@@ -135,6 +158,6 @@ class Secrets {
 
             return decryptedString
         }
-  }
+    }
 <% end %>
 }

data/lib/resources/example.yml

@@ -1,17 +1,22 @@
 MobileSecrets:
   # hashKey: Key that will be used to hash the secret values.
   # For encrypting files the key needs to be 32 chars long as an AES standard.
-  hashKey: "KokoBelloKokoKokoBelloKokoKokoBe"
+  # When using alg: "AES-GCM" the key must also be exactly 32 characters.
+  hashKey: "REPLACE_THIS_32_CHAR_HASH_KEY___"
   # shouldIncludePassword: By default the password is saved in the code as a series of bytes, however it can also
   # be fetched from your API, saved in keychain and passed to the Secrets for improving the security.
   shouldIncludePassword: true
   # language: Swift is currently only supported language, Kotlin is coming soon.
   language: "Swift"
+  # alg: The algorithm used to obfuscate secret values. Options: "XOR" (default) or "AES-GCM".
+  # AES-GCM provides authenticated encryption and is stronger than XOR obfuscation.
+  # Note: AES-GCM requires hashKey to be exactly 32 characters and iOS 13+ / macOS 10.15+.
+  alg: "XOR"
   # Key-value dictionary for secrets. The key is then referenced in the code to get the secret.
   secrets:
-    googleMaps: "123123123"
-    firebase: "asdasdasd"
-    amazon: "asd123asd123"
+    googleMaps: "YOUR_GOOGLE_MAPS_KEY"
+    firebase: "YOUR_FIREBASE_KEY"
+    amazon: "YOUR_AMAZON_KEY"
   # Optional, remove files if you do not want to encrypt them
   files:
     - tmp.txt

data/lib/src/secrets_handler.rb

@@ -1,5 +1,7 @@
 require "dotgpg"
 require "yaml"
+require "openssl"
+require "stringio"
 
 require_relative '../src/obfuscator'
 require_relative '../src/file_handler'
@@ -8,39 +10,52 @@ require_relative '../src/source_renderer'
 module MobileSecrets
   class SecretsHandler
 
+    SUPPORTED_ALGORITHMS = %w[XOR AES-GCM].freeze
+
     def export_secrets path, from_encrypted_file_name
       decrypted_config = decrypt_secrets(from_encrypted_file_name)
-      file_names_bytes, secrets_bytes = process_yaml_config decrypted_config
+      file_names_bytes, secrets_bytes, algorithm = process_yaml_config decrypted_config
 
       renderer = MobileSecrets::SourceRenderer.new "swift"
-      renderer.render_template secrets_bytes, file_names_bytes, "#{path}/secrets.swift"
+      renderer.render_template secrets_bytes, file_names_bytes, "#{path}/secrets.swift", algorithm
       decrypted_config
     end
 
     def process_yaml_config yaml_string
-      config = YAML.load(yaml_string)["MobileSecrets"]
+      config = YAML.safe_load(yaml_string)["MobileSecrets"]
       hash_key = config["hashKey"]
       secrets_dict = config["secrets"]
       files = config["files"]
       should_include_password = config["shouldIncludePassword"]
+      algorithm = (config["alg"] || "XOR").upcase
+
+      abort("Unsupported algorithm '#{algorithm}'. Valid options: #{SUPPORTED_ALGORITHMS.join(', ')}.") \
+        unless SUPPORTED_ALGORITHMS.include?(algorithm)
+      abort("hashKey must be exactly 32 characters for AES-GCM encryption.") \
+        if algorithm == "AES-GCM" && hash_key.length != 32
+
       secrets_bytes = should_include_password ? [hash_key.bytes] : []
       file_names_bytes = []
       obfuscator = MobileSecrets::Obfuscator.new hash_key
 
       secrets_dict.each do |key, value|
-        encrypted = obfuscator.obfuscate(value)
-        secrets_bytes << key.bytes << encrypted.bytes
+        if algorithm == "AES-GCM"
+          secrets_bytes << key.bytes << encrypt_aes_gcm(value.to_s, hash_key, key)
+        else
+          encrypted = obfuscator.obfuscate(value.to_s)
+          secrets_bytes << key.bytes << encrypted.bytes
+        end
       end
 
       if files
-        abort("Password must be 32 characters long for files encryption.") if hash_key.length != 32
+        abort("hashKey must be 32 characters long for files encryption.") if hash_key.length != 32
         files.each do |f|
           encrypt_file hash_key, f, "#{f}.enc"
           file_names_bytes << f.bytes
         end
       end
 
-      return file_names_bytes, secrets_bytes
+      return file_names_bytes, secrets_bytes, algorithm
     end
 
     def encrypt output_file_path, string, gpg_path
@@ -60,6 +75,24 @@ module MobileSecrets
 
     private
 
+    # Encrypts a secret value with AES-256-GCM using a deterministic IV.
+    # The IV is derived via HMAC-SHA256(key, "secret_name:value") truncated to 12 bytes,
+    # so identical inputs always produce identical ciphertext while ensuring that
+    # changing either the value or the secret name produces a different IV — preventing
+    # nonce reuse, which would be catastrophic for GCM authentication.
+    # Returns bytes laid out as: IV(12) + AuthTag(16) + Ciphertext(N)
+    def encrypt_aes_gcm(value, key_string, secret_name)
+      iv = OpenSSL::HMAC.digest('SHA256', key_string, "#{secret_name}:#{value}")[0, 12]
+      cipher = OpenSSL::Cipher::AES256.new(:GCM)
+      cipher.encrypt
+      cipher.iv = iv
+      cipher.key = key_string
+      cipher.auth_data = ""
+      ciphertext = cipher.update(value) + cipher.final
+      tag = cipher.auth_tag(16)
+      (iv + tag + ciphertext).bytes
+    end
+
     def decrypt_secrets encrypted_file_name
       gpg = Dotgpg::Dir.closest encrypted_file_name
       output = StringIO.new

data/lib/src/source_renderer.rb

@@ -8,7 +8,7 @@ module MobileSecrets
       @source_type = source_type.downcase
     end
 
-    def render_template secrets_bytes, file_names_bytes, output_file_path
+    def render_template secrets_bytes, file_names_bytes, output_file_path, algorithm = "XOR"
       template = ERB.new(File.read("#{__dir__}/../resources/SecretsSwift.erb"))
 
       case @source_type
@@ -16,7 +16,8 @@ module MobileSecrets
         File.open(output_file_path, "w") do |file|
            file.puts template.result_with_hash(secrets_array: secrets_bytes,
               file_names_array: file_names_bytes,
-              should_decrypt_files: file_names_bytes.length > 0)
+              should_decrypt_files: file_names_bytes.length > 0,
+              algorithm: algorithm)
          end
       end
     end

metadata

@@ -1,12 +1,12 @@
 --- !ruby/object:Gem::Specification
 name: mobile-secrets
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.1.0
 platform: ruby
 authors:
 - Cyril Cermak
 - Joerg Nestele
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
 date: 2019-09-27 00:00:00.000000000 Z
@@ -25,6 +25,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.7.0
+- !ruby/object:Gem::Dependency
+  name: minitest-reporters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
 description: Handle mobile secrets the secure way with ease
 email: cyril.cermakk@gmail.com
 executables:
@@ -46,7 +60,7 @@ homepage: https://github.com/CyrilCermak/mobile-secrets
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -61,8 +75,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: mobile-secrets tool for handling your mobile secrets
 test_files: []