opensecret 0.0.957 → 0.0.959

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9681f58d24288c4f1b13d0b83187dff72f9909f5
-  data.tar.gz: 850a7fc15a960497f1f6b209d7f30a9c1b26b2fd
+  metadata.gz: ced0dc3656c2318960d7c747cd24e8eacb189224
+  data.tar.gz: dcca8f54f93da21ef00d6fbbdba0e8975ac7ddca
 SHA512:
-  metadata.gz: a3e87ecc9eaf58507d26d92ab6665a3cc4f5f0ea86a1b577b685394af57e6c8db0b2271d399eb9100beb3acf301e863ee43c17a3a7f58751626f6a5264ffbb38
-  data.tar.gz: 626b3bbdc2becea5b6d1dfa4eefac208a8dca4d33504598e0e7d6bef6a05629188a2cae69edb981a21db8b6fca1bc2e7af9ed1d3a421b26bfe071f061c3c9dbc
+  metadata.gz: 219cd0fe00537778fb1364d6a214856bea94be3196e399177bbcbd912ffab087dda9bb01fb906ad1fd7f078f15f27b9d1c24d82894fb1790f592e838487aa10e
+  data.tar.gz: 2ba3881642795bf29de00431cbd7926b664b3d0a0031f18eb17b2dc5d79d282f8df7ccb32559720e614be52229e2ec8eb59b924282b88596960ab10fa52bc8cf

data/lib/factbase/facts.opensecret.io.ini

@@ -16,10 +16,8 @@ master.dirname  =  master.keys
 master.dirpath  =  rb>> File.join @s[:safe_user], @s[:master_dirname]
 
 master.sig.file =  master.signature.os.txt
-########### -----> master.pub.name =  master.public.key.os.txt
 master.prv.name =  master.private.key.xx.txt
 master.sig.path =  rb>> File.join @s[:master_dirpath], @s[:master_sig_file]
-########### -----> master.pub.key  =  rb>> File.join @s[:master_dirpath], @s[:master_pub_name]
 master.prv.key  =  rb>> File.join @s[:master_dirpath], @s[:master_prv_name]
 
 stamp.key       =  stamp

data/lib/notepad/blow.rb

@@ -9,6 +9,18 @@
 
 class Trial
 
+  def self.ciphername
+
+    require 'openssl'
+    require "base64"
+
+    crypt_cipher = OpenSSL::Cipher::AES256.new(:CBC)
+    puts "Cipher Name => #{crypt_cipher.class.name}"
+
+  end
+
+Trial.ciphername
+
 
   def self.certify
 
@@ -82,7 +94,7 @@ payload = "55fff4c5895bb247676c6edd2307f17c665305457b3bcfcd985c398246b8780f54e33
     puts ""
     puts encrypted_string = key.public_encrypt( payload, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
     puts ""
-    puts base64text = Base64.encode64(encrypted_string)
+    puts base64text = Base64.urlsafe_encode64(encrypted_string)
     puts ""
     puts signature = key.sign(OpenSSL::Digest::SHA256.new, payload )    
     puts ""
@@ -112,8 +124,8 @@ payload = "55fff4c5895bb247676c6edd2307f17c665305457b3bcfcd985c398246b8780f54e33
     context_string_dirty = secured_privatekey + public_key_text + email_address + time_stamp
     context_string_clean = context_string_dirty.delete("^A-Za-z0-9")
     context_string_clean += context_string_clean.length.to_s
-####    context_signature_str = Base64.encode64(second_key.sign OpenSSL::Digest::SHA256.new, context_string_clean)
-    context_signature_str = Base64.encode64(key.sign OpenSSL::Digest::SHA256.new, context_string_clean)
+####    context_signature_str = Base64.urlsafe_encode64(second_key.sign OpenSSL::Digest::SHA256.new, context_string_clean)
+    context_signature_str = Base64.urlsafe_encode64(key.sign OpenSSL::Digest::SHA256.new, context_string_clean)
 
 
 ## --------------------------------------------------------------------------------------------
@@ -121,7 +133,7 @@ payload = "55fff4c5895bb247676c6edd2307f17c665305457b3bcfcd985c398246b8780f54e33
 
     reinstated_key = OpenSSL::PKey::RSA.new "#{public_key_text}"
 ###    reinstated_key = OpenSSL::PKey::RSA.new "#{second_public_key_text}"
-    raw_signature_text = Base64.decode64(context_signature_str)
+    raw_signature_text = Base64.urlsafe_decode64(context_signature_str)
     is_valid = reinstated_key.public_key.verify OpenSSL::Digest::SHA256.new, raw_signature_text, (context_string_clean)
     raise ArgumentError, "Keys not validated" unless is_valid
 

data/lib/opensecret.rb

@@ -56,6 +56,15 @@ class CliInterpreter < Thor
   end
 
 
+  # Description of the lock use case command line call.
+  desc "lock", "Lock away the (secret stuffed) envelope into key and crypt stores."
+
+  # Lock away the (secret stuffed) envelope into key and crypt stores.
+  def lock
+    OpenSecret::Lock.new.flow_of_events
+  end
+
+
   # Description of the open "wake-up" call.
   desc "open CONTEXT_PATH", "CONTEXT_PATH context path to the family of secrets to be created."
 

data/lib/plugins/cipher.rb

@@ -28,7 +28,6 @@ module OpenSecret
   # with a powerful symmetric encryption algorithm which could be any one of the
   # leading ciphers such as TwoFish or the Advanced Encryption Standard (AES).
   #
-  #
   # == How to Implement a Cipher
   #
   # Extend this base class to inherit lots of +unexciting+ functionality
@@ -100,10 +99,23 @@ module OpenSecret
     # Text header for key-value pairs hash map that will be serialized.
     DICTIONARY = "dictionary"
 
+    # Name for the class of cipher employed.
+    DICT_CIPHER_NAME = "cipher.class"
+
+    # Name for the {Base64} encoded symmetric (lock/unlock) crypt key.
+    DICT_CRYPT_KEY = "encryption.key"
+
+    # Name for the {Base64} encoded plain text digest.
+    DICT_PLAINTEXT_DIGEST = "plaintext.digest"
+
+    # Name for the {Base64} encoded crypt material digest.
+    DICT_MATERIAL_DIGEST = "cipher.digest"
 
-    @@symmetric_cipher_keyname = "symmetric.cipher"
-    @@encryption_key_keyname = "encryption.key"
-    @@payload_signature_keyname = "payload.signature"
+    # Name for the plain text initialization vector (iv).
+    DICT_INIT_VECTOR = "crypt.init.vector"
+
+    # Name for the {Base64} encoded crypted cipher text.
+    DICT_CIPHER_TEXT = "cipher.text"
 
 
     # The cipher constructor instantiates the encryption dictionary which
@@ -131,40 +143,30 @@ module OpenSecret
     # and rejecting malicious content.
     #
     # @param public_key_text [String] textual portion of an {OpenSSL::PKey::RSA}
-    #    public key that does not carry the private key as this method and its
-    #    compatriots do not need to know the private key to do their work.
+    #    public key. There is no need for an asymmetric encryption agent to know
+    #    the asymmetic private key.
     #
     # @param payload_text [String] plaintext (or base64 encoded) text to encrypt
-    # @param payload_signature [String] signature of payload verifiable with public key
     #
     # @return [String] doubly (symmetric and asymmetric) encrypted cipher text
-    def encrypt_it public_key_text, payload_text, payload_signature
-
-      asymmetric_key = OpenSSL::PKey::RSA.new public_key_text
+    def encrypt_it public_key_text, payload_text
 
-      signature_valid = asymmetric_key.verify(
-        OpenSSL::Digest::SHA256.new,
-        payload_signature,
-        payload_text
-      )
-
-      raise ArgumentError, "Payload not verified by the signature." unless signature_valid
-      @dictionary[@@payload_signature_keyname] = payload_signature.to_hex
       crypted_payload = do_symmetric_encryption payload_text
 
+#########      puts JSON.pretty_generate(@dictionary)
+
       unified_material = unify_hash_and_text crypted_payload
-      blowfish_cryptor = Blowfish.new
       outer_crypt_key = OpenSecret::Engineer.strong_key( 128 )
-      crypted_material = blowfish_cryptor.encryptor unified_material, outer_crypt_key
       crypted_cryptkey = do_asymmetric_encryption public_key_text, outer_crypt_key
-      locked_up_string = unify_text_and_text crypted_cryptkey, crypted_material
+      crypted_material = Base64.encode64(Blowfish.new.encryptor unified_material, outer_crypt_key)
+      locked_ciphertxt = unify_text_and_text crypted_cryptkey, crypted_material
 
-      return locked_up_string
+      return locked_ciphertxt
 
     end
 
 
-    # Thismethod takes the textual public key lacking the private key portion
+    # This method takes the textual public key lacking the private key portion
     # as it is not needed, and encrypts the secret text with it.
     # It returns a Base64 encoded version of they encrypted text.
     #

data/lib/plugins/ciphers/aes-256.rb

@@ -7,7 +7,7 @@ module OpenSecret
   # {OpenSecret::Cipher} base class in order to implement plug and play
   # symmetric encryption.
   #
-  # == Aes256 Symmetric Encrypt/Decrypt Dictionary
+  # == Aes256 Symmetric Encrypt/Decrypt
   #
   # To facilitate decryption - this cipher produces a key/value pair
   # dictionary which will be stored along with the ciphertext itself.
@@ -51,16 +51,20 @@ module OpenSecret
     # @return [String] the symmetrically encrypted cipher text
     def do_symmetric_encryption plain_text
 
-      @cipher_name = "aes-256-cbc"
-
-      crypt_cipher = OpenSSL::Cipher.new @cipher_name
+      crypt_cipher = OpenSSL::Cipher::AES256.new(:CBC)
       crypt_cipher.encrypt
 
-      @dictionary[@@symmetric_cipher_keyname] = @cipher_name
-      @dictionary[@@encryption_key_keyname] = crypt_cipher.random_key.to_hex
-      @dictionary[@@initialize_vector_keyname] = crypt_cipher.random_iv.to_hex
+      @dictionary[DICT_CIPHER_NAME] = crypt_cipher.class.name
+      @dictionary[DICT_CRYPT_KEY] = Base64.urlsafe_encode64 crypt_cipher.random_key
+      @dictionary[DICT_INIT_VECTOR] = Base64.urlsafe_encode64 crypt_cipher.random_iv
+      @dictionary[DICT_PLAINTEXT_DIGEST] = Base64.urlsafe_encode64(Digest::SHA256.digest(plain_text))
+
+      cipher_text = crypt_cipher.update( plain_text ) + crypt_cipher.final
+
+      @dictionary[DICT_CIPHER_TEXT] = Base64.urlsafe_encode64( cipher_text )
+      @dictionary[DICT_MATERIAL_DIGEST] = Base64.urlsafe_encode64(Digest::SHA256.digest(cipher_text))
 
-      return Base64.encode64( crypt_cipher.update( plain_text ) + crypt_cipher.final )
+      return cipher_text
 
     end
 
@@ -69,7 +73,7 @@ module OpenSecret
     # and initialization vector (iv) sitting in the encryption_dictionary,
     # to symmetrically decrypt the parameter cipher text.
     #
-    # == Pre-Condition | Encryption Dictionary
+    # == Pre-Condition | Encryption ...
     #
     # This method requires the <tt>@dictionary</tt> instance
     # variable to have been set and to contain (amongst others)
@@ -112,7 +116,7 @@ crypt_text += encode_cipher.update line5
 crypt_text += encode_cipher.update line6
 crypt_text += encode_cipher.update line7
 crypt_text += encode_cipher.final
-coded_crypt_text = Base64.encode64(crypt_text)
+coded_crypt_text = Base64.urlsafe_encode64(crypt_text)
 
 puts ""
 puts "The key is #{hex_key}"
@@ -133,13 +137,13 @@ puts "========================"
 puts ""
 puts ""
 
-unencoded_crypt_text = Base64.decode64(coded_crypt_text)
+unencoded_crypt_text = Base64.urlsafe_decode64(coded_crypt_text)
 decode_cipher = OpenSSL::Cipher.new('aes-256-cbc')
 
 decode_cipher.decrypt
 decode_cipher.key = [hex_key].pack("H*")
 decode_cipher.iv = [hex_iv].pack("H*")
-first_part = decode_cipher.update( Base64.decode64(coded_crypt_text) )
+first_part = decode_cipher.update( Base64.urlsafe_decode64(coded_crypt_text) )
 second_part = ""
 second_part << decode_cipher.final
 

data/lib/plugins/ciphers/blowfish.rb

@@ -34,7 +34,7 @@ module OpenSecret
     # takes care of it and its sister method {self.decryptor} will also perform
     # the correct reversal activities to give you back the original plain text.
     #
-    # {Base64.encode64} facilitates the ciphertext encoding returning text that
+    # {Base64.urlsafe_encode64} facilitates the ciphertext encoding returning text that
     # is safe to write to a file.
     #
     # @param plain_text [String]
@@ -66,16 +66,14 @@ module OpenSecret
 
       blowfish_encryptor = OpenSSL::Cipher.new(OpenSecret::Blowfish::BLOWFISH_CIPHER_ID).encrypt
       blowfish_encryptor.key = raw_stretched_key
-      encrypted_lines = blowfish_encryptor.update(block_txt) << blowfish_encryptor.final
-
-      return Base64.encode64( encrypted_lines ).chomp
+      return blowfish_encryptor.update(block_txt) << blowfish_encryptor.final
 
     end
 
 
     # Decrypt the cipher text parameter using the symmetric decryption key
-    # specified in the second parameter. The cipher text is expected to be
-    # base64 encoded as per our sister method {self.encryptor}.
+    # specified in the second parameter. The cipher text is expected to have
+    # already been decoded if necessary.
     #
     # Its okay to use a bespoke encryptor - just ensure you encode the result
     # and override the padding constant.
@@ -87,8 +85,8 @@ module OpenSecret
     # takes care of the reversing the activities carried out by {self.encryptor}.
     #
     # @param cipher_text [String]
-    #    This incoming cipher text should be encoded using {Base64.encode64}
-    #    and it will be +chomped and stripped upon receipt+ followed by
+    #    This incoming cipher text should already be encoded but it
+    #    will <b>chomped and stripped upon receipt</b> followed by
     #    decryption using the Blowfish algorithm.
     #
     # @param decryption_key [String]
@@ -109,13 +107,12 @@ module OpenSecret
     #
     def decryptor cipher_text, decryption_key
 
-      decoded_text = Base64.decode64(cipher_text.chomp.strip)
       digested_key = Digest::SHA256.digest decryption_key
 
       decrypt_tool = OpenSSL::Cipher.new(OpenSecret::Blowfish::BLOWFISH_CIPHER_ID).decrypt
       decrypt_tool.key = digested_key
 
-      padded_plaintxt = decrypt_tool.update(decoded_text) << decrypt_tool.final
+      padded_plaintxt = decrypt_tool.update(cipher_text) << decrypt_tool.final
       pad_begin_index = padded_plaintxt.index OpenSecret::Cipher::TEXT_PADDER
       return padded_plaintxt if pad_begin_index.nil?
       return padded_plaintxt[ 0 .. (pad_begin_index-1) ]

data/lib/plugins/envelope.rb

@@ -0,0 +1,116 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+module OpenSecret
+
+  require 'json'
+
+  # An envelope knows how to manipulate a JSON backed data structure
+  # (put, add etc) <b>after reading and then decrypting it</b> from a
+  # file and <b>before encrypting and then writing it</b> to a file.
+  #
+  # It provides behaviour to which we can create, append (add), update
+  # (change), read parts and delete essentially two structures
+  #
+  # - a collection of name/value pairs
+  # - an  ordered list of values
+  #
+  # == JSON is Not Exposed in the Interface
+  #
+  # An envelope doesn't expose the data format used in the implementation
+  # allowing this to be changed seamlessly to YAMl or other formats.
+  #
+  # == Symmetric Encryption and Decryption
+  #
+  # An envelope supports operations to <b>read from</b> and <b>write to</b>
+  # a known filepath and with a symmetric key it can
+  #
+  # - decrypt <b>after reading from</b> a file and
+  # - encrypt <b>before writing to</b> a (the same) file
+  #
+  # == Hashes as the Primary Data Structure
+  #
+  # Envelope extends {Hash} as the core data structure for holding
+  #
+  # - strings
+  # - arrays
+  # - other hashes
+  # - booleans
+  # - integers and floats
+  class Envelope < Hash
+
+
+    # Write the data in this envelope hash map into a file-system
+    # backed mirror whose path was specified in the {self.read} method.
+    #
+    # Technology for encryption at rest is supported by this dictionary
+    # and to this aim, please endeavour to post a robust symmetric
+    # encryption key.
+    #
+    # Calling this {self.write} method when the file at the prescribed path
+    # does not exist results in the directory structure being created
+    # (if necessary) and then the encrypted file being written.
+    #
+    # @param encryption_key [String]
+    #     encryption at rest is a given so this mandatory parameter must
+    #     contain a robust symmetric encryption key. The symmetric key will
+    #     be used for the decryption after the read. Note that the decryption
+    #     key does not linger meaning it isn't cached in an instance variable.
+    def write encryption_key
+
+      FileUtils.mkdir_p(File.dirname(@filepath))
+      cipher_text = Base64.encode64 Blowfish.new.encryptor( self.to_json, encryption_key )
+      File.write @filepath, cipher_text
+
+    end
+
+
+    # Read and inject into this envelope, the data structure found in a
+    # file at the path specified in the first parameter.
+    #
+    # Symmetric cryptography is mandatory for the envelope so we must
+    # <b>encrypt before writing</b> and <b>decrypt after reading</b>.
+    #
+    # An argument error will result if a suitable key is not provided.
+    #
+    # If the file does not exist (denoting the first read) all this method
+    # does is to stash the filepath as an instance variable and igore the
+    # decryption key which can be nil (or ommitted).
+    #
+    # @param the_filepath [String]
+    #     absolute path to the file which acts as the persistent mirror to
+    #     this data structure envelope.
+    #
+    # @param decryption_key [String]
+    #     encryption at rest is a given so this mandatory parameter must
+    #     contain a robust symmetric decryption key. The key will be used
+    #     for decryption after the read and it will not linger (ie not cached
+    #     as an instance variable).
+    #
+    # @raise [ArgumentError] if the decryption key is not robust enough.
+    def read the_filepath, decryption_key = nil
+
+      @filepath = the_filepath
+      return unless File.exists? @filepath
+
+      cipher_text = Base64.decode64( File.read( @filepath ).strip )
+      plain_text = OpenSecret::Blowfish.new.decryptor( cipher_text, decryption_key )
+
+      puts ""
+      puts "=== ============================"
+      puts "=== Envelope After Decryption"
+      puts "=== ============================"
+      puts plain_text
+      puts "=== ============================"
+      puts ""
+
+      data_structure = JSON.parse plain_text
+      self.merge! data_structure
+
+    end
+
+
+  end
+
+
+end

data/lib/plugins/secrets.uc.rb

@@ -0,0 +1,50 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+module OpenSecret
+
+  # The parent OpenSecret use case is designed to be extended by the cli
+  # (command line) use cases like {OpenSecret::Open}, {OpenSecret::Put} and
+  # {OpenSecret::Lock} because it describes behaviour common to at least two
+  # (but usually more) of the use cases.
+  #
+  # == Behaviour Reuse
+  #
+  # Behaviour that is reusable by any use case fits within {OpenSession::UseCase}
+  # whilst behaviour common to two or more {OpenSecret} use cases belongs here.
+  # Therefore the only behaviour in the named use case is detailed and must belong
+  # solely to it.
+  #
+  # == Fact Reuse
+  #
+  # Fact evaluation rules are born with reuse in mind. <b>Use case facts</b>
+  # are evaluated when they belong to either the class or its parent or any
+  # ancestors.
+  class SecretsUseCase < OpenSession::UseCase
+
+    @@context_name = "opensecret"
+
+    # Get the envelope that <b>was opened</b> by the open command but
+    # <b>not locked</b> with the lock command.
+    #
+    # @return [Envelope]
+    #    return the Envelope that has been opened. The state carried alongside an
+    #    open envelope is an id, an encryption key and a filepath all inside the
+    #    userhome configuration file.
+    def get_envelope
+
+      encrypt_key = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_keyname]
+      rel_filepath = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_pathname]
+
+      put_filepath = File.join @c[:open][:open_dirpath], rel_filepath
+      the_envelope = Envelope.new
+      the_envelope.read put_filepath, encrypt_key
+      return the_envelope
+
+    end
+
+
+  end
+
+
+end

data/lib/plugins/usecases/init.rb

@@ -32,7 +32,7 @@ module OpenSecret
   #
   # <b>opensecret</b> thwarts this by continual verification against an
   # encrypted <em>public key signature</em> aboard the workstation.
-  class Init < OpenSession::UseCase
+  class Init < SecretsUseCase
 
     attr_writer :safe_path, :email_addr, :store_url
     @@context_name = "opensecret"
@@ -83,18 +83,20 @@ module OpenSecret
       secured_keytext = asymmetric_keys.export @c[:global][:key_cipher], amalgam_key
 
       crypt_key_segments = [ human_password, @c[:global][:separator_a], @email_addr, @c[:global][:separator_a], @c[:global][:stamp_23] ]
+
       machine_key_crypt_key = crypt_key_segments.alphanumeric_union.concat_length
-      blowfish_cipher = OpenSecret::Blowfish.new()
-      machine_key_x = blowfish_cipher.encryptor machine_key, machine_key_crypt_key
-      public_key_text = asymmetric_keys.public_key.to_pem
+      machine_key_x = Base64.urlsafe_encode64(
+        Blowfish.new.encryptor(machine_key, machine_key_crypt_key)
+      )
+      public_key_64 = Base64.urlsafe_encode64 asymmetric_keys.public_key.to_pem
 
       OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:machine_key_x], machine_key_x
       OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:stamp_key], @c[:global][:stamp_23]
-      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:publickey_id], public_key_text.to_hex
+      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:publickey_id], public_key_64
 
-      to_sign_segments = [ secured_keytext, public_key_text, @email_addr, @c[:global][:stamp_23] ]
+      to_sign_segments = [ secured_keytext, public_key_64, @email_addr, @c[:global][:stamp_23] ]
       to_sign_packet = to_sign_segments.alphanumeric_union.concat_length
-      signature_string = Base64.encode64( asymmetric_keys.sign( OpenSSL::Digest::SHA256.new, to_sign_packet ) )
+      signature_string = Base64.urlsafe_encode64( asymmetric_keys.sign( OpenSSL::Digest::SHA256.new, to_sign_packet ) )
 
       FileUtils.mkdir_p @c[:global][:master_dirpath]
       File.write @c[:global][:master_prv_key], secured_keytext

data/lib/plugins/usecases/lock.rb

@@ -10,97 +10,110 @@ module OpenSecret
   #
   # The 3 core scenarios that this lock use case is equiped to handle are
   #
-  # - a new source » as yet uncommitted
-  # - an updated source » to overwrite
-  # - an empty source » to delete
+  # - a new source that is as yet uncommitted
+  # - updating (overwriting) an existing source
+  # - requiring the destination to be deleted
   #
-  # == Observable Value
+  # <b>Lock | Observable Value</b>
   #
-  #     $ opensecret lock
+  # The observable value after the lock use case has completed entails
+  #
+  # - a doubly encrypted data envelope placed in the backend store
+  # - a doubly encrypted private key placed in the frontend store
+  # - both stores sync'd with off-machine Git (S3, ...) mirrors
+  # - deletion of the (encrypted) envelope {Open}ed and stuffed with {Put}
+  # - deletion of {Open}ed session data to locate and decrypt envelope
   #
-  # The observable value for a new or updated secrets package is
+  # @example
   #
-  # - a doubly encrypted keyset within the safe keystore
-  # - a doubly encrypted secrets crypt in the backend crypt store
-  # - a crypt store sync'd with its off-machine Git (or S3, or ...) mirror
-  # - a public key that is verifid against its encrypted signature
-  # - deleted session material created (and encrypted) by the put use case
-  class Lock < OpenSession::UseCase
+  #     $ opensecret lock
+  #
+  class Lock < SecretsUseCase
 
     attr_writer :secret_id, :secret_value
     @@context_name = "opensecret"
 
 
-    # Execute the <tt>open use case</tt> activities which precedes the ability to
-    # to add (put), subtract (del)ete and list the secrets into the opened session file.
-    # The file can then be locked (committed and pushed to permanent crypted stores).
+    # The <tt>lock use case</tt> is called after {OpenSecret::Open} and {OpenSecret::Put}
+    # and its effect is to dispatch the doubly encrypted materrial to the configured storage
+    # platform, be it Git, S3, SSH or just an accessible file-system.
+    #
+    # <b>Main Flow of Events</b>
     #
-    # If the file to open already exists a --with option (giving the master-secret)
-    # must be provided.
+    # To seal the envelope built up by put, file and add amongst others requires
+    # that we
     #
-    # <b>Observable Value | Lock Use Case</b>
+    # - get the encrypted envelope
+    # - create a strong asymmetric key
+    # - lock the envelope using opensecret's double encrypt modus operandi
+    # - place the doubly encrypted result into the crypt store
+    # - lock the asymmetric key again with opensecret's double encrypt modus operandi
+    # - place the doubly encrypted result into the key store
     #
-    # The observable value for a new or updated secrets package is
+    # The second double lock of the crypted envelope is done with the public key
+    # aspect of an asymmetric key created here.
     #
-    # - a doubly encrypted keyset within the safe keystore
-    # - a doubly encrypted secrets crypt in the backend crypt store
-    # - a crypt store sync'd with its off-machine Git (or S3, or ...) mirror
-    # - a public key that is verifid against its encrypted signature
-    # - deleted session material created (and encrypted) by the put use case
+    # The second double lock of the crypted private key (created here) is done with
+    # the master public key created in the {Init.execute} use case main flow.
+    #
+    # <b>Lock | Observable Value</b>
+    #
+    # The observable value after the lock use case has completed entails
+    #
+    # - a doubly encrypted data envelope placed in the backend store
+    # - a doubly encrypted private key placed in the frontend store
+    # - both stores sync'd with off-machine Git (S3, ...) mirrors
+    # - deletion of the (encrypted) envelope {Open}ed and stuffed with {Put}
+    # - deletion of {Open}ed session data to locate and decrypt envelope
     def execute
 
-      session_id = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_idname]
-      encrypt_key = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_keyname]
-      rel_filepath = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_pathname]
-
-      put_filepath = File.join @c[:open][:open_dirpath], rel_filepath
-
-      x_dictionary = OpenSession::Dictionary.new
-      x_dictionary.read put_filepath, true, encrypt_key
+      envelope = get_envelope
+      asym_key = OpenSSL::PKey::RSA.new @c[:global][:bit_key_size]
+      lockdown = Aes256.new.encrypt_it( asym_key.public_key.to_pem, envelope.to_json )
 
-      secret_ids = @secret_id.split("/")
-      if ( x_dictionary.has_key? secret_ids.first )
-        x_dictionary[secret_ids.first][secret_ids.last] = @secret_value
-      else
-        x_dictionary[secret_ids.first] = { secret_ids.last => @secret_value }
-      end
+      #### ###########################################
+      #### ###########################################
+      #### Now Give lockdown to the Backend Store
+      #### ###########################################
+      #### ###########################################
 
-      new_encryption_key = Engineer.strong_key @c[:open][:open_keylen]
-      OpenSession::Attributes.stash @@context_name, @c[:open][:open_name], @c[:open][:open_keyname], new_encryption_key
-      x_dictionary.write new_encryption_key
+      master_public_key = Base64.urlsafe_decode64( OpenSession::Attributes.instance.get_value @c[:global][:name], @c[:global][:name], "public.key" )
 
+      lockedup = Aes256.new.encrypt_it( master_public_key, asym_key.export )
 
-#############################################################################################
-#############################################################################################
+      puts "#### #############################"
+      puts "#### The Crypt Store Suitcase"
+      puts "#### #############################"
+      puts ""
+      puts lockdown
+      puts ""
+      puts "#### #############################"
+      puts "#### The Key Store Suitcase"
+      puts "#### #############################"
+      puts ""
+      puts lockedup
+      puts ""
+      puts "================================================================================================="
+      puts "Now Continue with Unencoding the public key and then locking down the above asym_key.export"
+      puts "================================================================================================="
+      puts ""
 
+      exit
 
 
+      locked_block = Aes256.new.encrypt_it( asym_key.public_key.to_pem, asym_key.export )
 
-#############################################################################################
-#############################################################################################
+      secured_keytext = asym_key.export
+##      public_key_text = asymmetric_keys.public_key.to_pem
 
 
-      public_key_crypt = Blowfish.new.encryptor public_key_text, amalgam_key
-      File.write @c[:global][:master_pub_key], public_key_crypt
+      Aes256.new.encrypt_it( "rubbish", secrets_dictionary.to_s )
 
-      payload_signature = asymmetric_keys.sign( OpenSSL::Digest::SHA256.new, public_key_text )
+      the_encrypted_stuff = Aes256.new.encrypt_it( "rubbish", )
 
-      big_crypted_block = Aes256.new.encrypt_it(
-        public_key_text,
-        public_key_text,
-        payload_signature
-      )
 
-      puts ""
-      puts "=============="
-      puts "Crypted Block"
-      puts "=============="
-      puts ""
-      puts "#{big_crypted_block}"
-      puts ""
-      puts ""
-      puts "Carry on development in init.rb"
-      puts ""
+#############################################################################################
+#############################################################################################
 
 
 =begin
@@ -116,7 +129,7 @@ module OpenSecret
 # key4_pem = File.read 'private.secure.pem'
 # pass_phrase = 'superduperpasswordistoBeENTEREDRIGHT1234HereandRightNOW'
 # key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
-# decrypted_text = key4.private_decrypt(Base64.decode64(encrypted_string))
+# decrypted_text = key4.private_decrypt(Base64.urlsafe_decode64(encrypted_string))
 
 # print "\nHey we have done the decryption.\n", "\n"
 # print decrypted_text, "\n"
@@ -126,35 +139,6 @@ module OpenSecret
 #############################################################################################
 #############################################################################################
 
-
-      machine_key = Engineer.machine_key human_password.length, @c[:global][:ratio]
-      amalgam_key = Amalgam.passwords human_password, machine_key, @c[:global][:ratio]
-      asymmetric_keys = OpenSSL::PKey::RSA.new @c[:global][:bit_key_size]
-      secured_keytext = asymmetric_keys.export @c[:global][:key_cipher], amalgam_key
-
-      crypt_key_segments = [ human_password, @c[:global][:separator_a], @email_addr, @c[:global][:separator_a], @c[:global][:stamp_23] ]
-      machine_key_crypt_key = crypt_key_segments.alphanumeric_union.concat_length
-      blowfish_cipher = OpenSecret::Blowfish.new()
-      machine_key_x = blowfish_cipher.encryptor machine_key, machine_key_crypt_key
-      public_key_text = asymmetric_keys.public_key.to_pem
-
-      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:machine_key_x], machine_key_x
-      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:stamp_key], @c[:global][:stamp_23]
-      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:name], @c[:global][:publickey_id], public_key_text.to_hex
-
-      to_sign_segments = [ secured_keytext, public_key_text, @email_addr, @c[:global][:stamp_23] ]
-      to_sign_packet = to_sign_segments.alphanumeric_union.concat_length
-      signature_string = Base64.encode64( asymmetric_keys.sign( OpenSSL::Digest::SHA256.new, to_sign_packet ) )
-
-      FileUtils.mkdir_p @c[:global][:master_dirpath]
-      File.write @c[:global][:master_prv_key], secured_keytext
-      File.write @c[:global][:master_sig_path], signature_string
-
-
-#############################################################################################
-#############################################################################################
-
-
     end
 
 

data/lib/plugins/usecases/open.rb

@@ -25,7 +25,7 @@ module OpenSecret
   #     [session]
   #     base.path = home/wifi
   #
-  class Open < OpenSession::UseCase
+  class Open < SecretsUseCase
 
     attr_writer :context_path
     @@context_name = "opensecret"

data/lib/plugins/usecases/put.rb

@@ -5,9 +5,9 @@ module OpenSecret
   require 'openssl'
 
   # The <b>put use case</b> follows <b>open</b> and it adds secrets into an
-  # <em>(encrypted at rest)</em> opened file. Put can be called many times to
-  # add secrets. Finally the <b>lock use case</b> commits all opened secrets
-  # into the configured storage engines.
+  # <em>(encrypted at rest)</em> <b>envelope</b>. Put can be called many times
+  # and when done, the <b>lock use case</b> can be called to commit all opened
+  # secrets into the configured storage engines.
   #
   # Calling <em>put</em> <b>before</b> calling open or <b>after</b> calling lock
   # is not allowed and will result in an error.
@@ -50,8 +50,7 @@ module OpenSecret
   #
   # @example
   #
-  #    $ opensecret email bill.clinton@example.com
-  #    $ opensecret init
+  #    $ opensecret init bill.clinton@example.com
   #    $ opensecret open my/friends
   #
   #    $ opensecret put monica/surname lewinsky
@@ -64,7 +63,15 @@ module OpenSecret
   #
   #    $ opensecret lock
   #
-  class Put < OpenSession::UseCase
+  # Soon follow up use cases will be unveiled, enabling us to
+  #
+  # - <b>get</b>
+  # - <b>read</b>
+  # - <b>list</b>
+  # - <b>look</b>
+  # - <b>peep</b> and
+  # - <b>peek</b>
+  class Put < SecretsUseCase
 
     attr_writer :secret_id, :secret_value
     @@context_name = "opensecret"
@@ -94,25 +101,18 @@ module OpenSecret
     # - a new session id and encryption key is generated and used to re-encrypt
     def execute
 
-      session_id = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_idname]
-      encrypt_key = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_keyname]
-      rel_filepath = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_pathname]
-
-      put_filepath = File.join @c[:open][:open_dirpath], rel_filepath
-
-      x_dictionary = OpenSession::Dictionary.new
-      x_dictionary.read put_filepath, true, encrypt_key
+      envelope = get_envelope
 
       secret_ids = @secret_id.split("/")
-      if ( x_dictionary.has_key? secret_ids.first )
-        x_dictionary[secret_ids.first][secret_ids.last] = @secret_value
+      if ( envelope.has_key? secret_ids.first )
+        envelope[secret_ids.first][secret_ids.last] = @secret_value
       else
-        x_dictionary[secret_ids.first] = { secret_ids.last => @secret_value }
+        envelope[secret_ids.first] = { secret_ids.last => @secret_value }
       end
 
       new_encryption_key = Engineer.strong_key @c[:open][:open_keylen]
       OpenSession::Attributes.stash @@context_name, @c[:open][:open_name], @c[:open][:open_keyname], new_encryption_key
-      x_dictionary.write new_encryption_key
+      envelope.write new_encryption_key
 
     end
 

data/lib/plugins/usecases/safe.rb

@@ -14,7 +14,7 @@ module OpenSecret
   # Stash the path into the host machine's configuration file and proceed
   # to create the path directory chain if it does not already exist.
   #
-  class Safe < OpenSession::UseCase
+  class Safe < SecretsUseCase
 
     attr_writer :safe_path
     @@context_name = "opensecret"

data/lib/session/dictionary.rb

@@ -15,7 +15,7 @@ module OpenSession
   # - decrypt +after reading from+ a file
   # - encrypt +before writing to+ a file
   #
-  # Dictionary extends {Hash} in order to deliver on its core key value
+  # This dictionary extends {Hash} in order to deliver on its core key value
   # store, report and retrieve use cases.
   #
   # @example
@@ -80,13 +80,13 @@ module OpenSession
 
       puts ""
       puts "============================"
-      puts "Before Encryption Dictionary"
+      puts "Before Encryption"
       puts "============================"
       puts ini_string
       puts "============================"
       puts ""
 
-      ini_string = OpenSecret::Blowfish.new.encryptor(ini_string,encrypt_key) if @encrypt_at_rest
+      ini_string = Base64.encode64( OpenSecret::Blowfish.new.encryptor(ini_string,encrypt_key) ) if @encrypt_at_rest
 
       File.write @filepath, ini_string
 
@@ -127,12 +127,12 @@ module OpenSession
 
       file_contents = File.read( @filepath ).strip
       if @encrypt_at_rest then
-        file_contents = OpenSecret::Blowfish.new.decryptor( file_contents, decrypt_key )
+        file_contents = OpenSecret::Blowfish.new.decryptor( Base64.decode64(file_contents), decrypt_key )
       end
 
       puts ""
       puts "==========================="
-      puts "After Decryption Dictionary"
+      puts "After Decryption"
       puts "==========================="
       puts file_contents
       puts "==========================="

data/lib/using.txt

@@ -1,4 +1,6 @@
 
+
+
 ==============================================================================================
 
 open office/laptop

data/lib/version.rb

@@ -1,3 +1,3 @@
 module OpenSecret
-  VERSION = "0.0.957"
+  VERSION = "0.0.959"
 end

data/opensecret.gemspec

@@ -28,8 +28,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'thor'
 
   spec.add_development_dependency "bundler", "~> 1.16"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "minitest", "~> 5.0"
+#### in standard library ==>  spec.add_development_dependency "rake", "~> 10.0"
+#### in standard library ==>  spec.add_development_dependency "minitest", "~> 5.0"
 
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: opensecret
 version: !ruby/object:Gem::Version
-  version: 0.0.957
+  version: 0.0.959
 platform: ruby
 authors:
 - Apollo Akora
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-04 00:00:00.000000000 Z
+date: 2018-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inifile
@@ -52,34 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.16'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '10.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '10.0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.0'
 description: opensecret stashes uncrackable secrets into your Git, S3, DropBox, Google
   Drive and filesystems backends. You interface with its intuitive Linux, Windows,
   iOS front ends and it offers SDKs and plugins for Ruby, Python, Java, Jenkins, CodeShip,
@@ -127,6 +99,8 @@ files:
 - lib/plugins/cipher.rb
 - lib/plugins/ciphers/aes-256.rb
 - lib/plugins/ciphers/blowfish.rb
+- lib/plugins/envelope.rb
+- lib/plugins/secrets.uc.rb
 - lib/plugins/stores/store.rb
 - lib/plugins/usecase.rb
 - lib/plugins/usecases/init.rb