opensecret 0.0.946 → 0.0.951

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f03e1b5d062560593f42736baf5a2af7794a4c0b
-  data.tar.gz: ed65d8e10bd446f1413d9e0473b7291ec01f34a6
+  metadata.gz: ca35c2727f92f764b83fae65d656062b95520ad6
+  data.tar.gz: 260748f11554e881116e6efd8c4d44c0cdb06284
 SHA512:
-  metadata.gz: 57989150d89ee5cc20d5950bd008b5bc97f4b23455dc690b66f791d1b3d1330a7550ce888715c73abf4bf43dd4ce80e409202c5393a7b32cc1bc41d75d97e047
-  data.tar.gz: 842b02b7f3a2fbf99fdd3c9d4acbeeabcf16bed137894cf8d2ad1cc4aed54f6d39975c2d16714e3d8e16eb62bc9271d2a2a60bee2d6bd12c954bfeef0b71cb3b
+  metadata.gz: 10f94cba6fe468750401a38846641c9dddce2258601d981b1fb26e5b2e88c7fea27edb10264ee070d3d4920c6ada9470e0a7b4cb3178a5f5c2a07facb186db1a
+  data.tar.gz: 35aa0ff66488c53859c245c10ba2d3aae348b56df4df90d94963241b190b8065f39f20bbfb63c119159f25488b8262f69f847fd1a3e715d3fe8df13954cbc921

data/lib/crypto/engineer.rb

@@ -20,7 +20,7 @@ module OpenSecret
     # --
     def self.machine_key human_password_length, mix_ratio
 
-      machine_raw_secret = engineer_password( human_password_length * ( mix_ratio + 1) )
+      machine_raw_secret = strong_key( human_password_length * ( mix_ratio + 1) )
       return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
 
     end
@@ -30,7 +30,7 @@ module OpenSecret
     # -- Engineer a raw password that is similar (approximate) in
     # -- length to the integer parameter.
     # --
-    def self.engineer_password approx_length
+    def self.strong_key approx_length
 
       non_alphanum = SecureRandom.urlsafe_base64(approx_length);
       return non_alphanum.delete("-_")
@@ -39,12 +39,24 @@ module OpenSecret
 
 
 
-    # --
-    # -- Get a viable machine password taking into account the human
-    # -- password length and the specified mix_ratio.
-    # --
-    # -- machine password length = human password length * mix_ratio - 1
-    # --
+    # Amalgamate the parameter passwords using a specific mix ratio. This method
+    # produces cryptographically stronger secrets than algorithms that simply
+    # concatenate two string keys together. If knowledge of one key were gained, this
+    # amalgamation algorithm still provides extremely strong protection even when
+    # one of the keys has a single digit length.
+    #
+    # This +length constraint formula+ binds the two input strings together with
+    # the integer mix ratio.
+    #
+    # <tt>machine password length = human password length * mix_ratio - 1</tt>
+    #
+    # @param human_password [String] the first password (shorter one) to amalgamate
+    # @param machine_password [String] the second password (longer one) to amalgamate
+    # @param mix_ratio [Fixnum] the mix ratio that must be respected by the
+    #    previous two parameters.
+    # @return [String] an amalgamated (reproducible) union of the 2 parameter passwords
+    #
+    # @raise [ArgumentError] if the length constraint assertion does not hold true
     def self.get_amalgam_password human_password, machine_password, mix_ratio
 
       size_error_msg = "Human pass length times mix_ratio must equal machine pass length."

data/lib/extension/string.rb

@@ -57,6 +57,27 @@ class String
   end
 
 
+  # To hex converts this string to hexadecimal form and returns
+  # the result leaving this string unchanged.
+  # @return [String] hexadecimal representation of this string
+  def to_hex
+
+    return self.unpack("H*").first
+
+  end
+
+
+  # From hex converts this (assumed) hexadecimal string back into
+  # its normal string form and returns the result leaving this string
+  # unchanged.
+  # @return [String] string that matches the hexadecimal representation
+  def from_hex
+
+    return [self].pack("H*")
+
+  end
+
+
   # Flatten (lower) a camel cased string and add periods to
   # denote separation where the capital letters used to be.
   #
@@ -78,11 +99,30 @@ class String
   # - in  => BEAST
   # - out => b.e.a.s.t
   #
+  # == Flatten Class Names
+  #
+  # If the string comes in as a class name we can expect it to
+  # contain colons like the below examples.
+  #    This::That
+  #    ::That
+  #    This::That::TheOther
+  #
+  # So we find the last index of a colon and then continue as per
+  # the above with flattening the string.
+  #
   # @return [String] a flatten (period separated) version of this camel cased string
   def do_flatten
 
+    to_flatten_str = self
+
+    last_colon_index = to_flatten_str.rindex ":"
+    ends_with_colon = to_flatten_str[-1].eql? ":"
+    unless ( last_colon_index.nil? || ends_with_colon )
+      to_flatten_str = to_flatten_str[ (last_colon_index+1) .. -1 ]
+    end
+
     snapped_str = ""
-    self.each_char do |this_char|
+    to_flatten_str.each_char do |this_char|
       is_lower = "#{this_char}".is_all_lowercase?
       snapped_str += "." unless is_lower || snapped_str.empty?
       snapped_str += this_char.downcase

data/lib/factbase/facts.opensecret.io.ini

@@ -1,6 +1,7 @@
 
 [global]
 
+name            =  opensecret
 min.passwd.len  =  rb>> 6
 nickname        =  godzilla
 root.domain     =  devopswiki.co.uk
@@ -8,21 +9,31 @@ env.var.name    =  SECRET_MATERIAL
 ratio           =  rb>> 3
 bit.key.size    =  rb>> 8192
 key.cipher      =  rb>> OpenSSL::Cipher.new 'AES-256-CBC'
-secret.keyname  =  master.private.key.crypt.txt
-secret.keydir   =  rb>> OpenSession::Attributes.instance.get_value "opensecret", "safe"
-secret.keypath  =  rb>> File.join @s[:secret_keydir], @s[:secret_keyname]
+secret.keydir   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], "safe"
+email.address   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], "email"
+safe.user       =  rb>> File.join @s[:secret_keydir], @s[:email_address]
+master.dirname  =  master.keys
+master.dirpath  =  rb>> File.join @s[:safe_user], @s[:master_dirname]
+master.pub.name =  master.public.key.x.os.txt
+master.prv.name =  master.private.key.x.os.txt
+master.pub.key  =  rb>> File.join @s[:master_dirpath], @s[:master_pub_name]
+master.prv.key  =  rb>> File.join @s[:master_dirpath], @s[:master_prv_name]
 
-repo.name       =  material_data
-
-## local.gitrepo   =  rb>> File.join @i[:dir], @s[:repo_name]
+machine.key.x   =  machine.key.x
+separator.a     =  %$os$%
 
-## public.gitrepo  =  https://www.eco-platform.co.uk/content/material.data.git
-## public.dirname  =  public_keys
-## public.keyroute =  rb>> File.join @s[:root_domain], @s[:public_dirname]
-## public.keydir   =  rb>> File.join @s[:local_gitrepo], @s[:public_keyroute]
-## public.keyname  =  rb>> "public_key." + @s[:nickname] + dot + @s[:root_domain] + ".txt"
-## public.keypath  =  rb>> File.join @s[:public_keydir], @s[:public_keyname]
+repo.name       =  material_data
 
 prompt.1        =  Enter a Robust Password
 prompt.2        =  Re-enter that Password
 
+[open]
+
+open.name       =  session
+open.dirname    =  session.material
+open.dirpath    =  rb>> File.join @f[:global][:safe_user], @s[:open_dirname]
+open.idlen      =  9
+open.keylen     =  96
+open.idname     =  session.id
+open.keyname    =  session.key
+open.pathname   =  session.path

data/lib/notepad/blow.rb

@@ -6,9 +6,87 @@
 ## Trial and Error Scratch-Pad ##
 ## ########################### ##
 
-x = "messagess"
 
-x += "x" until x.bytesize % 8 == 0
+class Trial
 
-puts "Now x string is [#{x}]."
-puts "x is now [#{x.length}] characters long."
+
+  def self.crypt
+
+    require 'openssl'
+    require "base64"
+
+    key = OpenSSL::PKey::RSA.new(8192)
+
+
+payload = "55fff4c5895bb247676c6edd2307f17c665305457b3bcfcd985c398246b8780f54e337252c5407afd4895a5e3a2415fce5b703a483da3edc88739cb7787262a19d69fb9416f900fed797c046aaec83b8e15b14edb032ed76535def8ada77108936e5442a839d4078048ca01449a6acd7315c9b7a7b8802dba0c83eb4c13e21b1051efa77a420a3ffd3cbf1fa13182933a0503f23cce95b68787081f3af33c69049657bdbf1fd30d79f108d604faad1fbee198a3e2c1b28cdddf7ebb84b6b0c1d3e9b47665bd96d7df8407e11d00e4d9275e805c7b9e61b6739802d6d87ac8283ef92a593ed53db2096cd1dc9496307f40942cc3d54a7c864ede71e0b192ce152"
+
+    puts ""
+    puts "Payload size is #{payload.length}"
+    puts ""
+    puts ""
+    puts encrypted_string = key.public_encrypt( payload, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    puts ""
+    puts base64text = Base64.encode64(encrypted_string)
+    puts ""
+    puts signature = key.sign(OpenSSL::Digest::SHA256.new, payload )    
+    puts ""
+    puts hex_data = signature.unpack("H*").first
+    puts ""
+    puts "Length is #{hex_data.length}"
+    puts ""
+    puts key.public_key.verify(OpenSSL::Digest::SHA256.new, signature, payload)
+    puts ""
+    puts encrypted_string.unpack("H*").first
+    puts ""
+    puts key.private_decrypt(encrypted_string, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    puts ""
+
+
+  end
+
+=begin
+ddGKDqfhF6HnkJuIdTECZk7J7E9xx9LiYRDywCdIuDxYQQs+if+3qxP37+ah
+HwGYgjxpIjqS9slhLOveVexSeHUD4DCbjHW2AlMsaUxwoSY0UfgzrO+2LDG9
+tyizUYA6n8a+vBzJqRFP2BW7/AxwP0jm0yADWwBOGFL1+g==
+
+<-|@| <  || opensecret outer crypt material axis ||  > |@|->
+
+HNkUjWaFoI5dPTRUUymyf7uKMaXFhiIZaOq+ZYj4TWPN92qv6ANTd3pRvVa3
+S+aQSOX7q3FkKIOc5yfWLushGAMSwidgH1kzLvocCf+SSWH5BY3zTb7NAGjW
+=end
+
+###  Trial.crypt
+###  exit
+
+  def try
+
+    require "pp"
+    require "inifile"
+    new_map = { "string1" => "value1", "string2" => "value2" }
+
+    ini_pairs = IniFile.new
+    ini_pairs["dictionary"] = new_map
+
+    puts ""
+    puts ini_pairs.to_s
+    puts ""
+
+
+    puts "--------------------"
+    puts new_map
+    puts "--------------------"
+    puts "#{pp new_map}"
+    puts "--------------------"
+    puts "#{new_map.to_s}"
+    puts "--------------------"
+    puts ""
+
+    ## x = "messagess"
+    ## x += "x" until x.bytesize % 8 == 0
+
+    ## puts "Now x string is [#{x}]."
+    ## puts "x is now [#{x.length}] characters long."
+
+  end
+
+end

data/lib/opensecret.rb

@@ -54,6 +54,16 @@ class CliInterpreter < Thor
   end
 
 
+  # Description of the open "wake-up" call.
+  desc "open", "open up a conduit for adding, subtracting and swapping secrets for a future commit."
+
+  # Open up a conduit from which we can add, subtract, update and list secrets
+  # before they are committed (and pushed) into permanent locked storage.
+  def open
+    OpenSecret::Open.new.flow_of_events
+  end
+
+
   # Description of the mandatory safe and (safe directory) configuration.
   desc "safe SAFE_DIR", "SAFE_DIR full path to the (ideally USB key) storage location"
 

data/lib/plugins/cipher.rb

@@ -50,7 +50,7 @@ module OpenSecret
   # - <tt>do_symmetric_encryption(plain_text)</tt> - resulting in ciphertext
   # - <tt>do_symmetric_decryption(ciphertext, encryption_dictionary)</tt> &raquo; plaintext
   #
-  # and also set the <tt>@encryption_dictionary</tt> hash (map) of pertinent
+  # and also set the <tt>@dictionary</tt> hash (map) of pertinent
   # key/value pairs including the encryption algorithm, the encryption key and
   # the ciphertext signature to thwart any at-rest tampering.
   #
@@ -84,9 +84,36 @@ module OpenSecret
     #
     TEXT_PADDER = "<-|@|->"
 
+
+    # An unusual string that glues together an encryption dictionary and
+    # a chunk of base64 encoded and encrypted ciphertext.
+    # The string must be unusual enough to ensure it dos not occur within
+    # the dictionary metadata keys or values.
+    INNER_GLUE_STRING = "\n<-|@| <  || opensecret inner crypt material axis ||  > |@|->\n\n"
+
+
+    # An unusual string that glues together the asymmetrically encrypted outer
+    # encryption key  with the outer crypted text.
+    OUTER_GLUE_STRING = "\n<-|@| <  || opensecret outer crypt material axis ||  > |@|->\n\n"
+
+
+    # Text header for key-value pairs hash map that will be serialized.
+    DICTIONARY = "dictionary"
+
+
     @@symmetric_cipher_keyname = "symmetric.cipher"
     @@encryption_key_keyname = "encryption.key"
-    @@cipher_signature_keyname = "cipher.signature"
+    @@payload_signature_keyname = "payload.signature"
+
+
+    # The cipher constructor instantiates the encryption dictionary which
+    # will be collaboratively added to by the parent and child ciphers.
+    def initialize
+
+      @dictionary = {}
+
+    end
+
 
     # Ciphers use +symmetric algorithms+ to encrypt the given text, which
     # is then wrapped up along with the encryption key and other +metadata+
@@ -103,15 +130,55 @@ module OpenSecret
     # Every component in the pipeline bears the responsibility for nullifying
     # and rejecting malicious content.
     #
-    # @param public_key [String] used for encrypting the key/metadata bundle
-    # @param plain_text [String] the plain (or base64 encoded) text to encrypt
+    # @param public_key_text [String] textual portion of an {OpenSSL::PKey::RSA}
+    #    public key that does not carry the private key as this method and its
+    #    compatriots do not need to know the private key to do their work.
+    #
+    # @param payload_text [String] plaintext (or base64 encoded) text to encrypt
+    # @param payload_signature [String] signature of payload verifiable with public key
     #
     # @return [String] doubly (symmetric and asymmetric) encrypted cipher text
-    def encrypt_it public_key, plain_text
+    def encrypt_it public_key_text, payload_text, payload_signature
+
+      asymmetric_key = OpenSSL::PKey::RSA.new public_key_text
+
+      signature_valid = asymmetric_key.verify(
+        OpenSSL::Digest::SHA256.new,
+        payload_signature,
+        payload_text
+      )
 
-      symmetric_ciphertext = do_symmetric_encryption plain_text
-      plain_paraphernalia = glue @encryption_dictionary, symmetric_ciphertext
-      return do_asymmetric_encryption public_key, plain_paraphernalia
+      raise ArgumentError, "Payload not verified by the signature." unless signature_valid
+      @dictionary[@@payload_signature_keyname] = payload_signature.to_hex
+      crypted_payload = do_symmetric_encryption payload_text
+
+      unified_material = unify_hash_and_text crypted_payload
+      blowfish_cryptor = Blowfish.new
+      outer_crypt_key = OpenSecret::Engineer.strong_key( 128 )
+      crypted_material = blowfish_cryptor.do_encrypt_with_key unified_material, outer_crypt_key
+      crypted_cryptkey = do_asymmetric_encryption public_key_text, outer_crypt_key
+      locked_up_string = unify_text_and_text crypted_cryptkey, crypted_material
+
+      return locked_up_string
+
+    end
+
+
+    # Thismethod takes the textual public key lacking the private key portion
+    # as it is not needed, and encrypts the secret text with it.
+    # It returns a Base64 encoded version of they encrypted text.
+    #
+    # The public key text must be compatible with {OpenSSL::PKey::RSA} as the
+    # class will be instantiated using the public key text.
+    #
+    # @param public_key_text [String] the textual portion of an RSA public key
+    # @param secret_text [String] secret text to encrypt with the public key
+    #
+    # @return [String] a Base64 encoded version of the encrypted secret text
+    def do_asymmetric_encryption public_key_text, secret_text
+
+      asymmetric_encrypt_key = OpenSSL::PKey::RSA.new public_key_text
+      Base64.encode64( asymmetric_encrypt_key.public_encrypt( secret_text[0..1012] ) )
 
     end
 
@@ -140,6 +207,62 @@ module OpenSecret
     end
 
 
+    # Serialize and then unite a hash map and a textual chunk using
+    # a known but unusual separator string in a manner that protects
+    # the content integrity during the serialize and extraction phases.
+    #
+    # == Why an Unusual Separator String
+    #
+    # The separator string must be unusual to make it unlikely for it
+    # to occur in any of the map's key value pairs nor indeed the chunk
+    # of text being glued. Were this to happen, the separate and reconstitute
+    # phase may not accurately return the same two entities we are employed
+    # to unite.
+    #
+    # == Hash (Map) Contents
+    #
+    # The map contents will effectively be serialized in a simplistic
+    # manner therefore the keys should all be strings and the value
+    # types restricted to
+    #
+    # - strings
+    # - integers and/or floating point numbers
+    # - booleans
+    #
+    # Binary text is not allowed neither in the map or the text chunk.
+    # Any binary should be base64 encoded before being passed to us.
+    #
+    # @param text_chunk [String] the text chunk to be glued at the bottom
+    #
+    # @return [String] serialized and glued together result of map plus text
+    def unify_hash_and_text text_chunk
+
+      nil_or_empty_hash = @dictionary.nil? || @dictionary.empty?
+      raise ArgumentError, "Cannot unify nil or empty metadata." if nil_or_empty_hash
+
+      ini_map = IniFile.new
+      ini_map[ DICTIONARY ] = @dictionary
+
+      return ini_map.to_s + INNER_GLUE_STRING + text_chunk
+
+    end
+
+
+
+    # Using an outer divider (glue) - attach the asymmetrically encrypted outer
+    # encryption key  with the outer encrypted text.
+    #
+    # @param crypt_material_x [String] asymmetrically encrypted (encoded) outer encryption key
+    # @param crypt_material_y [String] symmetrically encrypted inner metadata and payload crypt
+    #
+    # @return [String] concatenated result of the two crypt materials and divider string
+    def unify_text_and_text crypt_material_x, crypt_material_y
+
+      return crypt_material_x + OUTER_GLUE_STRING + crypt_material_y
+
+    end
+
+
 
     def encrypt_usecase public_key, secret_path, stores, plain_text
 

data/lib/plugins/ciphers/aes-256.rb

@@ -28,7 +28,7 @@ module OpenSecret
   # - <tt>do_symmetric_encryption(plain_text)</tt> - resulting in ciphertext
   # - <tt>do_symmetric_decryption(ciphertext, encryption_dictionary)</tt> &raquo; plaintext
   #
-  # and it also sets the <tt>@encryption_dictionary</tt> hash (map) of pertinent
+  # and it also sets the <tt>@dictionary</tt> hash (map) of pertinent
   # key/value pairs including the +encryption algorithm+ and +encryption key+.
   #
   # That's It. Cipher children can rely on the {OpenSecret::Cipher} parent to
@@ -41,7 +41,7 @@ module OpenSecret
     # Use the AES 256 bit block cipher and a robust strong random key plus
     # initialization vector (IV) to symmetrically encrypt the plain text.
     #
-    # Add these key/value pairs to @encryption_dictionary instance map.
+    # Add these key/value pairs to @dictionary instance map.
     #
     # - <tt>symmetric.cipher</tt> - the algorithm used to encrypt and decrypt
     # - <tt>encryption.key</tt> - hex encoded key for encrypting and decrypting
@@ -54,15 +54,13 @@ module OpenSecret
       @cipher_name = "aes-256-cbc"
 
       crypt_cipher = OpenSSL::Cipher.new @cipher_name
-      crypt_cipher.encrypt( plain_text )
+      crypt_cipher.encrypt
 
-      @encryption_dictionary = {
-        @@symmetric_cipher_keyname => @cipher_name,
-        @@encryption_key_keyname => crypt_cipher.random_key.unpack("H*").first,
-        @@initialize_vector_keyname => crypt_cipher.random_iv.unpack("H*").first
-      }
+      @dictionary[@@symmetric_cipher_keyname] = @cipher_name
+      @dictionary[@@encryption_key_keyname] = crypt_cipher.random_key.to_hex
+      @dictionary[@@initialize_vector_keyname] = crypt_cipher.random_iv.to_hex
 
-      Base64.encode64( crypt_cipher.update + crypt_cipher.final )
+      return Base64.encode64( crypt_cipher.update( plain_text ) + crypt_cipher.final )
 
     end
 
@@ -73,7 +71,7 @@ module OpenSecret
     #
     # == Pre-Condition | Encryption Dictionary
     #
-    # This method requires the <tt>@encryption_dictionary</tt> instance
+    # This method requires the <tt>@dictionary</tt> instance
     # variable to have been set and to contain (amongst others)
     #
     # - the <tt>encryption.key</tt> - hex encoded key for encrypting and decrypting

data/lib/plugins/ciphers/blowfish.rb

@@ -24,7 +24,7 @@ module OpenSecret
 
 
     # This method provides the Blowfish algorithm but we reserve the
-    # right to enforce upon it - an encryption key of our choosing.
+    # right to enforce upon it an encryption key of our choosing.
     #
     # The key length need not be a multiple of 8 - however it is advisable
     # to use {Digest::SHA256.digest} to produce a strong 32 character key.
@@ -68,13 +68,13 @@ module OpenSecret
       log.info(x) { "os blowfish request to encrypt plain text with provided key." }
 
       block_txt = plain_text
-      block_txt += ::Cipher::TEXT_PADDER until block_txt.bytesize % OpenSecret::Blowfish::BLOWFISH_BLOCK_LEN == 0
+      block_txt += OpenSecret::Cipher::TEXT_PADDER until block_txt.bytesize % OpenSecret::Blowfish::BLOWFISH_BLOCK_LEN == 0
       raw_stretched_key = Digest::SHA256.digest(encryption_key)
 
       blowfish_encryptor = OpenSSL::Cipher.new(OpenSecret::Blowfish::BLOWFISH_CIPHER_ID).encrypt
       blowfish_encryptor.key = raw_stretched_key
 
-      Base64.encode64( blowfish_encryptor.update(block_txt) << blowfish_encryptor.final )
+      return Base64.encode64( blowfish_encryptor.update(block_txt) << blowfish_encryptor.final )
 
     end
 

data/lib/plugins/usecase.rb

@@ -51,14 +51,13 @@ module OpenSession
 
         pre_validation
 
-      rescue OpenError::Error => e
+      rescue OpenError::CliError => e
 
         puts ""
         puts "Your command did not complete successfully."
         puts "Pre validation checks failed."
         puts ""
         puts "   => #{e.message}"
-####        puts "   => #{e.culprit}"
         puts ""
         abort e.message
       end
@@ -80,7 +79,7 @@ module OpenSession
 
         post_validation
 
-      rescue OpenError::Error => e
+      rescue OpenError::CliError => e
 
         puts ""
         puts "Your command did not complete successfully."
@@ -197,6 +196,7 @@ module OpenSession
       return if is_pre_init_usecase
 
       @ucid_str = self.class.name.do_flatten
+      log.info(x) { "Usecase class [self.class.name] converted to => #{@ucid_str}" }
       @ucid_sym = @ucid_str.gsub(".", "_").to_sym
 
       OpenSession::FactFind.instance.instantiate @ucid_str
@@ -204,9 +204,12 @@ module OpenSession
 
       @c = OpenSession::FactFind.instance.f
       @i = OpenSession::FactFind.instance.i
-      @p = OpenSession::FactFind.instance.f[@ucid_str]
+      @p = OpenSession::FactFind.instance.f[@ucid_sym]
+
+      log.info(x) { "assimilated [#{@p.length}] facts specific to the [#{@ucid_str}] use case." }
 
       @time_stamp = OpenSession::Stamp.instance
+
 =begin
     @eco_id_str = SnapFlat.do self.class.name
     @eco_id_sym = @eco_id_str.gsub(".", "_").to_sym

data/lib/plugins/usecases/init.rb

@@ -48,22 +48,24 @@ module OpenSecret
     # So in preparation to execute its modus operandi encryption,
     # decryption and (if required) transportation use cases opensecret will
     #
+    # - @todo copy the attributes file to the safestore AND delete it.
     # - +collect the human password+ (twice), verify robustness (and throw away asap)
     # - +manufacture workstation key+ that will be encrypted b4 it rests on machine
     # - +create amalgamated human/workstation password+ for locking the private key
     # - +create a long cryptographically strong symmetric encryption key+
     # - +encrypt workstation key+ into <tt>.opensecret/<email>/workstation.key.osx.txt</tt>
-
     # - +encrypt workstation encryption key+ with human password and email address
-    # - then write into <tt>safe</tt> under <tt>machine.password.key.cipher.txt</tt>
+    # - then write into the workstation opensecret config file under <tt>machine.key.crypt</tt>
+    # - @todo write machine.key.cipher copy the attributes file to the safestore AND delete it.
     # - +create a super 8,192 bit private/public key pair+
-    # - use +amalgamated password to encrypt the private key+
-    # - write to <tt><SAFE>/<email>/master.keys/master.private.key.crypt.txt</tt>
+    # - use +amalgamated password with AES 256 RSA to encrypt the private key+
+    # - write to <tt><SAFE>/<email>/master.keys/master.private.key.x.os.txt</tt>
+    # - use the +amalgamated password with Blowfish to encrypt the public key+
+    # - write to <tt><SAFE>/<email>/master.keys/master.public.key.x.os.txt</tt>
+
     # - +create robust salt+ for hashing the path to the (crypted) keys and ciphers
     # - use +public key to encrypt the salt+
     # - write crypted salt to <tt><SAFE>/<email>/master.keys/master.path.salt.crypt.txt</tt>
-    # - now +use the public key to encrypt itself+
-    # - write public key crypt to <tt><SAFE>/<email>/master.keys/master.public.key.crypt.txt</tt>
     # - +create the cryptographic keystore+ inside the safe
     #
     # Variables should be first zeroed and then deleted immediately after their last use.
@@ -105,32 +107,47 @@ module OpenSecret
       amalgam_key = Amalgam.passwords human_password, machine_key, @c[:global][:ratio]
       asymmetric_keys = OpenSSL::PKey::RSA.new @c[:global][:bit_key_size]
       secured_keytext = asymmetric_keys.export @c[:global][:key_cipher], amalgam_key
-      public_key_text = asymmetric_keys.public_key.to_pem
 
-      machine_key_crypt_key = human_password + "%$os$%" + @email_addr
+      machine_key_crypt_key = human_password + @c[:global][:separator_a] + @email_addr
       blowfish_cipher = OpenSecret::Blowfish.new()
-      machine_key_crypted = blowfish_cipher.do_encrypt_with_key machine_key, machine_key_crypt_key
+      machine_key_x = blowfish_cipher.do_encrypt_with_key machine_key, machine_key_crypt_key
+
+      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:machine_key_x], machine_key_x
+      FileUtils.mkdir_p @c[:global][:master_dirpath]
+      File.write @c[:global][:master_prv_key], secured_keytext
+
+      public_key_text = asymmetric_keys.public_key.to_pem
+      public_key_crypt = Blowfish.new.do_encrypt_with_key public_key_text, amalgam_key
+      File.write @c[:global][:master_pub_key], public_key_crypt
+
+      payload_signature = asymmetric_keys.sign( OpenSSL::Digest::SHA256.new, public_key_text )
+
+      big_crypted_block = Aes256.new.encrypt_it(
+        public_key_text,
+        public_key_text,
+        payload_signature
+      )
 
       puts ""
-      puts "public key => #{public_key_text}"
-      puts "Carry on development in init.rb"
+      puts "=============="
+      puts "Crypted Block"
+      puts "=============="
       puts ""
-      puts "Machine Key Plain Text  => #{machine_key}"
-      puts "Machine Key Crypt Key   => #{machine_key_crypt_key}"
-      puts "Machine Key Cipher Text => #{machine_key_crypted}"
+      puts "#{big_crypted_block}"
+      puts ""
+      puts ""
+      puts "Carry on development in init.rb"
       puts ""
-      exit
-
 
-      Dir.mkdir @p[:secret_keydir] unless File.exists? @p[:secret_keydir]
-      File.write @p[:secret_keypath], secured_keytext
 
+=begin
       Crypto.print_secret_env_var @p[:env_var_name], machine_key
-
       GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
       FileUtils.mkdir_p @p[:public_keydir]
       File.write @p[:public_keypath], public_key_text
       GitFlow.push @p[:local_gitrepo], @p[:public_keyname], @c[:time][:stamp]
+=end
+
 
 #    exit
 # key4_pem = File.read 'private.secure.pem'
@@ -142,7 +159,6 @@ module OpenSecret
 # print decrypted_text, "\n"
 
 
-
     end
 
 

data/lib/plugins/usecases/open.rb

@@ -0,0 +1,177 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <tt>open use case</tt> allows us to add (put), subtract (del)ete and list
+  # the secrets in a file (whether it exists or not). The file can then be locked.
+  # Lookout for the reopen command.
+  #
+  # If the file to open already exists a --with option (giving the master-secret)
+  # must be provided.
+  #
+  # == Observable Value
+  #
+  #     $ opensecret open home/wifi
+  #
+  # The observable value delivered by +[open]+ boils down to
+  #
+  # - an openkey (eg asdfx1234) and corresponding open encryption key
+  # - open encryption key written to <tt>~/.opensecret/open.keys/asdfx1234.x.txt</tt>
+  # - the opened path (ending in filename) written to session.cache base in [safe]
+  # - the INI string (were the file to be decrypted) would look like the below
+  #
+  #     [session]
+  #     base.path = home/wifi
+  #
+  class Open < OpenSession::UseCase
+
+    @@context_name = "opensecret"
+
+    # Execute the <tt>open use case</tt> activities which precedes the ability to
+    # to add (put), subtract (del)ete and list the secrets into the opened session file.
+    # The file can then be locked (committed and pushed to permanent crypted stores).
+    #
+    # If the file to open already exists a --with option (giving the master-secret)
+    # must be provided.
+    #
+    # == Observable Value
+    #
+    #     $ opensecret open home/wifi
+    #
+    # The observable value delivered by +[open]+ boils down to
+    #
+    # - a provisioned openkey (eg asdfx1234) and corresponding open encryption key
+    # - open encryption key written to <tt>~/.opensecret/open.keys/asdfx1234.x.txt</tt>
+    # - the opened path (ending in filename) written to session.cache base in [safe]
+    # - the INI string (were the file to be decrypted) would look like the below
+    #
+    #     [session]
+    #     base.path = home/wifi
+    #
+    # @example
+    #    home/wifi can be simply populated like this.
+    #
+    #    $ opensecret put bt/ssid g034gdf3455
+    #    $ opensecret put bt/password HRAsyf324g4DF
+    #
+    #    $ opensecret put virgin.media/ssid 345SDFS
+    #    $ opensecret put virgin.media/password HlksHRd043NjPO
+    #
+    #    $ opensecret file virgin.media/contract /home/joe/downloads/vm.contract.pdf
+    #
+    #    To encrypt (lock-down) these secrets we simply issue
+    #
+    #    $ opensecret close
+    #
+    def execute
+
+      FileUtils.mkdir_p @p[:open_dirpath]
+      open_id = Engineer.strong_key @p[:open_idlen]
+      open_key = Engineer.strong_key @p[:open_keylen]
+
+      OpenSession::Attributes.stash @p[:open_name], @p[:open_idname], open_id
+      OpenSession::Attributes.stash @p[:open_name], @p[:open_keyname], open_key
+      OpenSession::Attributes.stash @p[:open_name], @p[:open_pathname], open_path
+
+
+      exit
+
+
+      human_password = Collect.secret_text(
+        @c[:global][:min_passwd_len],
+        true,
+        @c[:global][:prompt_1],
+        @c[:global][:prompt_2]
+      )
+
+      machine_key = Engineer.machine_key human_password.length, @c[:global][:ratio]
+      amalgam_key = Amalgam.passwords human_password, machine_key, @c[:global][:ratio]
+      asymmetric_keys = OpenSSL::PKey::RSA.new @c[:global][:bit_key_size]
+      secured_keytext = asymmetric_keys.export @c[:global][:key_cipher], amalgam_key
+
+      machine_key_crypt_key = human_password + @c[:global][:separator_a] + @email_addr
+      blowfish_cipher = OpenSecret::Blowfish.new()
+      machine_key_x = blowfish_cipher.do_encrypt_with_key machine_key, machine_key_crypt_key
+
+      OpenSession::Attributes.stash @c[:global][:name], @c[:global][:machine_key_x], machine_key_x
+      FileUtils.mkdir_p @c[:global][:master_dirpath]
+      File.write @c[:global][:master_prv_key], secured_keytext
+
+      public_key_text = asymmetric_keys.public_key.to_pem
+      public_key_crypt = Blowfish.new.do_encrypt_with_key public_key_text, amalgam_key
+      File.write @c[:global][:master_pub_key], public_key_crypt
+
+      payload_signature = asymmetric_keys.sign( OpenSSL::Digest::SHA256.new, public_key_text )
+
+      big_crypted_block = Aes256.new.encrypt_it(
+        public_key_text,
+        public_key_text,
+        payload_signature
+      )
+
+      puts ""
+      puts "=============="
+      puts "Crypted Block"
+      puts "=============="
+      puts ""
+      puts "#{big_crypted_block}"
+      puts ""
+      puts ""
+      puts "Carry on development in init.rb"
+      puts ""
+
+
+=begin
+      Crypto.print_secret_env_var @p[:env_var_name], machine_key
+      GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
+      FileUtils.mkdir_p @p[:public_keydir]
+      File.write @p[:public_keypath], public_key_text
+      GitFlow.push @p[:local_gitrepo], @p[:public_keyname], @c[:time][:stamp]
+=end
+
+
+#    exit
+# key4_pem = File.read 'private.secure.pem'
+# pass_phrase = 'superduperpasswordistoBeENTEREDRIGHT1234HereandRightNOW'
+# key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
+# decrypted_text = key4.private_decrypt(Base64.decode64(encrypted_string))
+
+# print "\nHey we have done the decryption.\n", "\n"
+# print decrypted_text, "\n"
+
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+      @safe_path = OpenSession::Attributes.instance.get_value @@context_name, "safe"
+      safe_configured = File.exists?( @safe_path ) && File.directory?( @safe_path )
+      @err_msg = "[safe] storage not yet configured. Try =>] opensecret safe /folder/path"
+      raise SafeDirNotConfigured.new @err_msg, @safe_path unless safe_configured
+
+      @email_addr = OpenSession::Attributes.instance.get_value @@context_name, "email"
+      email_configured = !@email_addr.nil? && !@email_addr.empty? && @email_addr.length > 4
+      @err_msg = "viable [email address] not configured. Try =>] opensecret email joe@example.com"
+      raise EmailAddrNotConfigured.new @err_msg, @email_addr unless email_configured
+
+      @store_url = OpenSession::Attributes.instance.get_value @@context_name, "store"
+      store_configured = !@store_url.nil? && !@store_url.empty? && @store_url.length > 0
+      @err_msg = "crypt [store url] not configured. Try =>] opensecret store /path/to/crypt"
+      raise StoreUrlNotConfigured.new @err_msg, @store_url unless store_configured
+
+    end
+
+
+  end
+
+
+end

data/lib/using.txt

@@ -0,0 +1,145 @@
+
+==============================================================================================
+
+open office/laptop
+(or pull)
+
+put  login/username=myname
+put  login/password=mysecret
+list
+put  disk/password=anothersecret
+swap disk/password=bettersecret
+
+lock
+(or push)
+==============================================================================================
+
+
+open office/laptop --with=asdfasdflkhlkh
+(or pull)
+
+list
+get login
+get disk
+trash disk
+list
+get login/password
+
+lock
+(or push)
+==============================================================================================
+
+
+lock <<path/to/a/file.txt>>      ## locks (encrypts) the file in-place | you must delete it
+lock <<path/to/a/folder>> --zip  ## zips and encrypts folder (in-place) | you must delete it
+
+==============================================================================================
+
+Command => open office/laptop
+
+Effect1 => Creates in-memory INI string (see below) and writes (in effect2) to file
+Effect2 => Creates a an openkey eg asdfa234234234sfss and a long password.
+Effect3 => Creates a file  ../<<email>>/opened.files/office/laptop.asdfa234234234sfss.x.txt
+Effect4 => Puts long password in $HOME/.opensecret/session.keys/asdfa234234234sfss.x.txt
+
+-------------------------------------
+in-memory INI string
+-------------------------------------
+[opensecret]
+
+secret.path = office/laptop
+-------------------------------------
+
+Assert => no office/laptop exists before opening (if so prompt user to => trash office/laptop
+
+==============================================================================================
+
+Command => open office/laptop/login/fullname="Mr Blobby"
+
+Effect1 => Creates in-memory INI string (see below) and writes (in effect2) to file
+Effect2 => Creates a file  ../<<email>>/opened.files/office/laptop.asdfa234234234sfss.x.txt
+Effect3 => With its encrypt-key in $HOME/.opensecret/session.keys/asdfa234234234sfss.x.txt
+
+-------------------------------------
+in-memory INI string
+-------------------------------------
+[opensecret]
+
+secret.path = office/laptop
+
+[login]
+fullname = Mr Blobby
+-------------------------------------
+
+Assert => no office/laptop exists before opening (if so prompt user to => trash office/laptop
+
+
+
+                            inner_key
+		      outer_key
+                filename
+         foldername
+office/room2/rack6/server4/username
+
+
+
+
+open
+
+get session id as time string
+use 
+
+
+
+
+close
+
+
+
+
+
+lock wifi/password
+
+[keys]
+wifi = asdff234523
+password = dfgsdfgsfg
+
+
+asdff234523/dfgsdfgsfg
+
+[home]
+
+wifi=asdfasd
+alarm=fdghdfg
+safe1=3456hjk3h45
+safe2=2n34lijss
+
+======================================
+
+in asdfasd  (wifi)
+
+[home/wifi]
+
+ssid = 3452454
+password = 2452345
+
+
+office/room2/rack6/server4/username
+office/accounts/sage
+office/alarm/pin
+office/gmail/username
+
+
+[office]
+
+room2 = asddf345
+accounts = 9o8udfg
+alarm = 345ljdfg
+gmail = ldf2345
+
+
+[office/room2]
+
+rack6 = asdf234
+
+[office/room2]

data/lib/version.rb

@@ -1,3 +1,3 @@
 module OpenSecret
-  VERSION = "0.0.946"
+  VERSION = "0.0.951"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: opensecret
 version: !ruby/object:Gem::Version
-  version: 0.0.946
+  version: 0.0.951
 platform: ruby
 authors:
 - Apollo Akora
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-23 00:00:00.000000000 Z
+date: 2018-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inifile
@@ -143,12 +143,14 @@ files:
 - lib/plugins/usecase.rb
 - lib/plugins/usecases/init.rb
 - lib/plugins/usecases/on.rb
+- lib/plugins/usecases/open.rb
 - lib/plugins/usecases/safe.rb
 - lib/session/attributes.rb
 - lib/session/fact.finder.rb
 - lib/session/require.gem.rb
 - lib/session/time.stamp.rb
 - lib/session/user.home.rb
+- lib/using.txt
 - lib/version.rb
 - opensecret.gemspec
 homepage: https://www.eco-platform.co.uk