nofxx-nanite 0.4.1.2

data/lib/nanite/reaper.rb

@@ -0,0 +1,38 @@
+module Nanite
+  class Reaper
+
+    def initialize(frequency=2)
+      @timeouts = {}
+      EM.add_periodic_timer(frequency) { EM.next_tick { reap } }
+    end
+
+    def timeout(token, seconds, &blk)
+      @timeouts[token] = {:timestamp => Time.now + seconds, :seconds => seconds, :callback => blk}
+    end
+
+    def reset_with_autoregister_hack(token,seconds,&blk)
+      unless @timeouts[token]
+        timeout(token, seconds, &blk)
+      end
+      reset(token)
+    end
+
+    def reset(token)
+      @timeouts[token][:timestamp] = Time.now + @timeouts[token][:seconds]
+    end
+
+    private
+
+    def reap
+      time = Time.now
+      @timeouts.reject! do |token, data|
+        if time > data[:timestamp]
+          data[:callback].call
+          true
+        else
+          false
+        end
+      end
+    end
+  end
+end

data/lib/nanite/security/cached_certificate_store_proxy.rb

@@ -0,0 +1,24 @@
+module Nanite
+
+  # Proxy to actual certificate store which caches results in an LRU
+  # cache.
+  class CachedCertificateStoreProxy
+    
+    # Initialize cache proxy with given certificate store.
+    def initialize(store)
+      @signer_cache = CertificateCache.new
+      @store = store
+    end
+    
+    # Results from 'get_recipients' are not cached
+    def get_recipients(obj)
+      @store.get_recipients(obj)
+    end
+
+    # Check cache for signer certificate
+    def get_signer(id)
+      @signer_cache.get(id) { @store.get_signer(id) }
+    end
+
+  end  
+end

data/lib/nanite/security/certificate.rb

@@ -0,0 +1,55 @@
+module Nanite
+
+  # X.509 Certificate management
+  class Certificate
+    
+    # Underlying OpenSSL cert
+    attr_accessor :raw_cert
+  
+    # Generate a signed X.509 certificate
+    #
+    # Arguments:
+    #  - key: RsaKeyPair, key pair used to sign certificate
+    #  - issuer: DistinguishedName, certificate issuer
+    #  - subject: DistinguishedName, certificate subject
+    #  - valid_for: Time in seconds before certificate expires (10 years by default)
+    def initialize(key, issuer, subject, valid_for = 3600*24*365*10)
+      @raw_cert = OpenSSL::X509::Certificate.new
+      @raw_cert.version = 2
+      @raw_cert.serial = 1
+      @raw_cert.subject = subject.to_x509
+      @raw_cert.issuer = issuer.to_x509
+      @raw_cert.public_key = key.to_public.raw_key
+      @raw_cert.not_before = Time.now
+      @raw_cert.not_after = Time.now + valid_for
+      @raw_cert.sign(key.raw_key, OpenSSL::Digest::SHA1.new)
+    end
+    
+    # Load certificate from file
+    def self.load(file)
+      from_data(File.new(file))
+    end
+    
+    # Initialize with raw certificate
+    def self.from_data(data)
+      cert = OpenSSL::X509::Certificate.new(data)
+      res = Certificate.allocate
+      res.instance_variable_set(:@raw_cert, cert)
+      res
+    end
+    
+    # Save certificate to file in PEM format
+    def save(file)
+      File.open(file, "w") do |f|
+        f.write(@raw_cert.to_pem)
+      end
+    end
+    
+    # Certificate data in PEM format
+    def data
+      @raw_cert.to_pem
+    end
+    alias :to_s :data
+
+  end
+end

data/lib/nanite/security/certificate_cache.rb

@@ -0,0 +1,66 @@
+module Nanite
+
+  # Implements a simple LRU cache: items that are the least accessed are
+  # deleted first.
+  class CertificateCache
+
+    # Max number of items to keep in memory
+    DEFAULT_CACHE_MAX_COUNT = 100
+
+    # Initialize cache
+    def initialize(max_count = DEFAULT_CACHE_MAX_COUNT)
+      @items = {}
+      @list = []
+      @max_count = max_count
+    end
+    
+    # Add item to cache
+    def put(key, item)
+      if @items.include?(key)
+        delete(key)
+      end
+      if @list.size == @max_count
+        delete(@list.first)
+      end
+      @items[key] = item
+      @list.push(key)
+      item
+    end
+    alias :[]= :put
+    
+    # Retrieve item from cache
+    # Store item returned by given block if any
+    def get(key)
+      if @items.include?(key)
+        @list.each_index do |i|
+          if @list[i] == key
+            @list.delete_at(i)
+            break
+          end
+        end
+        @list.push(key)
+        @items[key]
+      else
+        return nil unless block_given?
+         self[key] = yield
+      end
+    end
+    alias :[] :get
+    
+    # Delete item from cache
+    def delete(key)
+      c = @items[key]
+      if c
+        @items.delete(key)
+        @list.each_index do |i|
+  	      if @list[i] == key
+  	        @list.delete_at(i)
+  	        break
+  	      end
+        end
+        c
+      end
+    end
+
+  end
+end

data/lib/nanite/security/distinguished_name.rb

@@ -0,0 +1,34 @@
+module Nanite
+
+  # Build X.509 compliant distinguished names
+  # Distinghuished names are used to desccribe both a certificate issuer and
+  # subject.
+  class DistinguishedName
+    
+    # Initialize distinguished name from hash
+    # e.g.:
+    #   { 'C'  => 'US',
+    #     'ST' => 'California',
+    #     'L'  => 'Santa Barbara',
+    #     'O'  => 'RightScale',
+    #     'OU' => 'Certification Services',
+    #     'CN' => 'rightscale.com/emailAddress=cert@rightscale.com' }
+    #
+    def initialize(hash)
+      @value = hash
+    end
+    
+    # Conversion to OpenSSL X509 DN
+    def to_x509
+      if @value
+        OpenSSL::X509::Name.new(@value.to_a, OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
+      end
+    end
+
+    # Human readable form
+    def to_s
+      '/' + @value.to_a.collect { |p| p.join('=') }.join('/') if @value
+    end
+    
+  end
+end

data/lib/nanite/security/encrypted_document.rb

@@ -0,0 +1,46 @@
+module Nanite
+
+  # Represents a signed an encrypted document that can be later decrypted using
+  # the right private key and whose signature can be verified using the right
+  # cert.
+  # This class can be used both to encrypt and sign data and to then check the
+  # signature and decrypt an encrypted document.
+  class EncryptedDocument
+  
+    # Encrypt and sign data using certificate and key pair.
+    #
+    # Arguments:
+    #  - 'data':   Data to be encrypted
+    #  - 'certs':  Recipient certificates (certificates corresponding to private
+    #              keys that may be used to decrypt data)
+    #  - 'cipher': Cipher used for encryption, AES 256 CBC by default
+    #
+    def initialize(data, certs, cipher = 'AES-256-CBC')
+      cipher = OpenSSL::Cipher::Cipher.new(cipher)
+      certs = [ certs ] unless certs.respond_to?(:collect)
+      raw_certs = certs.collect { |c| c.raw_cert }
+      @pkcs7 = OpenSSL::PKCS7.encrypt(raw_certs, data, cipher, OpenSSL::PKCS7::BINARY)
+    end
+
+    # Initialize from encrypted data.
+    def self.from_data(encrypted_data)
+      doc = EncryptedDocument.allocate
+      doc.instance_variable_set(:@pkcs7, Nanite::PKCS7.new(encrypted_data))
+      doc
+    end
+    
+    # Encrypted data using DER format
+    def encrypted_data
+      @pkcs7.to_pem
+    end
+    
+    # Decrypted data
+    #
+    # Arguments:
+    #   - 'key':  Key used for decryption
+    #   - 'cert': Certificate to use for decryption
+    def decrypted_data(key, cert)
+      @pkcs7.decrypt(key.raw_key, cert.raw_cert)
+    end
+  end
+end

data/lib/nanite/security/rsa_key_pair.rb

@@ -0,0 +1,53 @@
+module Nanite
+
+  # Allows generating RSA key pairs and extracting public key component
+  # Note: Creating a RSA key pair can take a fair amount of time (seconds)
+  class RsaKeyPair
+    
+    DEFAULT_LENGTH = 2048
+
+    # Underlying OpenSSL keys
+    attr_reader :raw_key
+
+    # Create new RSA key pair using 'length' bits
+    def initialize(length = DEFAULT_LENGTH)
+      @raw_key = OpenSSL::PKey::RSA.generate(length)
+    end
+
+    # Does key pair include private key?
+    def has_private?
+      raw_key.private?
+    end
+    
+    # New RsaKeyPair instance with identical public key but no private key
+    def to_public
+      RsaKeyPair.from_data(raw_key.public_key.to_pem)
+    end
+    
+    # Key material in PEM format
+    def data
+      raw_key.to_pem
+    end
+    alias :to_s :data
+    
+    # Load key pair previously serialized via 'data'    
+    def self.from_data(data)
+      res = RsaKeyPair.allocate
+      res.instance_variable_set(:@raw_key, OpenSSL::PKey::RSA.new(data)) 
+      res
+    end
+
+    # Load key from file
+    def self.load(file)
+      from_data(File.read(file))
+    end
+    
+    # Save key to file in PEM format
+    def save(file)
+      File.open(file, "w") do |f|
+        f.write(@raw_key.to_pem)
+      end
+    end
+
+  end
+end

data/lib/nanite/security/secure_serializer.rb

@@ -0,0 +1,68 @@
+module Nanite
+  
+  # Serializer implementation which secures messages by using
+  # X.509 certificate sigining.
+  class SecureSerializer
+    
+    # Initialize serializer, must be called prior to using it.
+    #
+    #  - 'identity':   Identity associated with serialized messages
+    #  - 'cert':       Certificate used to sign and decrypt serialized messages
+    #  - 'key':        Private key corresponding to 'cert'
+    #  - 'store':      Certificate store. Exposes certificates used for
+    #                  encryption and signature validation.
+    #  - 'encrypt':    Whether data should be signed and encrypted ('true')
+    #                  or just signed ('false'), 'true' by default.
+    #
+    def self.init(identity, cert, key, store, encrypt = true)
+      @identity = identity
+      @cert = cert
+      @key = key
+      @store = store
+      @encrypt = encrypt
+    end
+    
+    # Was serializer initialized?
+    def self.initialized?
+      @identity && @cert && @key && @store
+    end
+
+    # Serialize message and sign it using X.509 certificate
+    def self.dump(obj)
+      raise "Missing certificate identity" unless @identity
+      raise "Missing certificate" unless @cert
+      raise "Missing certificate key" unless @key
+      raise "Missing certificate store" unless @store || !@encrypt
+      json = obj.to_json
+      if @encrypt
+        certs = @store.get_recipients(obj)
+        json = EncryptedDocument.new(json, certs).encrypted_data if certs
+      end
+      sig = Signature.new(json, @cert, @key)
+      { 'id' => @identity, 'data' => json, 'signature' => sig.data, 'encrypted' => !certs.nil? }.to_json
+    end
+    
+    # Unserialize data using certificate store
+    def self.load(json)
+      begin
+        raise "Missing certificate store" unless @store
+        raise "Missing certificate" unless @cert || !@encrypt
+        raise "Missing certificate key" unless @key || !@encrypt
+        data = JSON.load(json)
+        sig = Signature.from_data(data['signature'])
+        certs = @store.get_signer(data['id'])
+        raise "Could not find a cert for signer #{data['id']}" unless certs
+        certs = [ certs ] unless certs.respond_to?(:each)
+        jsn = data['data'] if certs.any? { |c| sig.match?(c) }
+        if jsn && @encrypt && data['encrypted']
+          jsn = EncryptedDocument.from_data(jsn).decrypted_data(@key, @cert)
+        end
+        JSON.load(jsn) if jsn
+      rescue Exception => e
+        Nanite::Log.error("Loading of secure packet failed: #{e.message}\n#{e.backtrace.join("\n")}")
+        raise
+      end
+    end
+       
+  end
+end

data/lib/nanite/security/signature.rb

@@ -0,0 +1,46 @@
+if defined?(OpenSSL::PKCS7::PKCS7)
+  Nanite::PKCS7 = OpenSSL::PKCS7::PKCS7
+else
+  Nanite::PKCS7 = OpenSSL::PKCS7
+end
+
+module Nanite
+
+  # Signature that can be validated against certificates
+  class Signature
+    
+    FLAGS = OpenSSL::PKCS7::NOCERTS || OpenSSL::PKCS7::BINARY || OpenSSL::PKCS7::NOATTR || OpenSSL::PKCS7::NOSMIMECAP || OpenSSL::PKCS7::DETACH
+
+    # Create signature using certificate and key pair.
+    #
+    # Arguments:
+    #  - 'data': Data to be signed
+    #  - 'cert': Certificate used for signature
+    #  - 'key':  RsaKeyPair used for signature
+    #
+    def initialize(data, cert, key)
+      @p7 = OpenSSL::PKCS7.sign(cert.raw_cert, key.raw_key, data, [], FLAGS)
+      @store = OpenSSL::X509::Store.new
+    end
+    
+    # Load signature previously serialized via 'data'
+    def self.from_data(data)
+      sig = Signature.allocate
+      sig.instance_variable_set(:@p7, Nanite::PKCS7.new(data))
+      sig.instance_variable_set(:@store, OpenSSL::X509::Store.new)
+      sig
+    end
+
+    # 'true' if signature was created using given cert, 'false' otherwise
+    def match?(cert)
+      @p7.verify([cert.raw_cert], @store, nil, OpenSSL::PKCS7::NOVERIFY)
+    end
+
+    # Signature in PEM format
+    def data
+      @p7.to_pem
+    end
+    alias :to_s :data
+
+  end
+end

data/lib/nanite/security/static_certificate_store.rb

@@ -0,0 +1,35 @@
+module Nanite
+
+  # Simple certificate store, serves a static set of certificates.
+  class StaticCertificateStore
+    
+    # Initialize store:
+    #
+    #  - Signer certificates are used when loading data to check the digital
+    #    signature. The signature associated with the serialized data needs
+    #    to match with one of the signer certificates for loading to succeed.
+    #
+    #  - Recipient certificates are used when serializing data for encryption.
+    #    Loading the data can only be done through serializers that have been
+    #    initialized with a certificate that's in the recipient certificates if
+    #    encryption is enabled.
+    #
+    def initialize(signer_certs, recipients_certs)
+      signer_certs = [ signer_certs ] unless signer_certs.respond_to?(:each)
+      @signer_certs = signer_certs 
+      recipients_certs = [ recipients_certs ] unless recipients_certs.respond_to?(:each)
+      @recipients_certs = recipients_certs
+    end
+    
+    # Retrieve signer certificate for given id
+    def get_signer(identity)
+      @signer_certs
+    end
+
+    # Recipient certificate(s) that will be able to decrypt the serialized data
+    def get_recipients(obj)
+      @recipients_certs
+    end
+    
+  end  
+end