paperback 0.0.2

data/README.md

@@ -0,0 +1,38 @@
+# Paperback
+
+[![Gem Version](https://badge.fury.io/rb/paperback.svg)](https://rubygems.org/gems/paperback)
+[![Build status](https://travis-ci.org/ab/paperback.svg)](https://travis-ci.org/ab/paperback)
+[![Code Climate](https://codeclimate.com/github/ab/paperback.svg)](https://codeclimate.com/github/ab/paperback)
+[![Inline Docs](http://inch-ci.org/github/ab/paperback.svg?branch=master)](http://www.rubydoc.info/github/ab/paperback/master)
+
+*Paperback* is a library that facilitates the creation of paper offline backups
+of small amounts of important data, such as encryption keys.
+
+It is designed to be used for long-term paper storage. Arbitrary data to be
+backed up is encoded  using QR codes and
+[sixword](https://github.com/ab/sixword) English text.
+
+By default, the backup data is GPG-encrypted with a symmetric passphrase to
+avoid exposing data to the printer (or scanner, assuming you cover the
+passphrase when scanning).
+
+## Usage
+
+Typical usage will be through the `paperback` executable.
+
+```sh
+# Back up the content in data.key
+paperback data.key out.pdf
+```
+
+### More complex patterns
+
+See the [YARD documentation](http://www.rubydoc.info/github/ab/paperback/master).
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,15 @@
+require 'bundler/gem_tasks'
+require 'bundler/setup'
+require 'rspec/core/rake_task'
+
+task :default do
+  sh 'rake -T'
+end
+
+RSpec::Core::RakeTask.new(:spec)
+
+def alias_task(alias_task, original)
+  desc "Alias for rake #{original}"
+  task alias_task, Rake.application[original].arg_names => original
+end
+alias_task(:test, :spec)

data/bin/paperback

@@ -0,0 +1,76 @@
+#!/usr/bin/env ruby
+$VERBOSE = true
+
+require 'optparse'
+require_relative '../lib/paperback'
+
+BaseName = File.basename($0)
+
+def main
+  options = {}
+
+  optparse = OptionParser.new do |opts|
+    opts.banner = <<-EOM
+usage: #{BaseName} [OPTION]... INPUT OUT_PDF
+
+Create a printable PDF backup of INPUT file and write to OUT_PDF. The saved PDF
+file will be suitable for printing. By default, the paper backup will contain
+the input data encoded as a QR code for ease of scanning and as sixword-encoded
+English text for more natural paper printing.
+
+In order to prevent the input content from being exposed to the printer, by
+default, the input content will be encrypted with a symmetric passphrase that
+is echoed to the terminal. There will be a placeholder in the PDF where you can
+manually add the passphrase by hand and pen.
+
+For example:
+
+    # Create a backup of secret.key in backup.pdf
+    #{BaseName} secret.key backup.pdf
+
+Options:
+    EOM
+
+    opts.on('-h', '--help', 'Display this message', ' ') do
+      STDERR.puts opts, ''
+      exit 0
+    end
+    opts.on('--version', 'Print version number', ' ') do
+      puts 'paperback ' + Paperback::VERSION
+      exit 0
+    end
+    opts.on('-v', '--verbose', 'Be more verbose', ' ') do
+      Paperback.log_level -= 1
+    end
+
+    #
+
+    opts.on('--no-encrypt', 'Skip encryption of input') do |val|
+      options[:encrypt] = val
+    end
+
+    opts.on('-c', '--comment TEXT', 'Add TEXT comment to output') do |val|
+      options[:comment] = val
+    end
+
+    opts.on('--passphrase-out FILE',
+            'Write generated passphrase to FILE') do |val|
+      options[:passphrase_file] = val
+    end
+  end
+
+  optparse.parse!
+
+  case ARGV.length
+  when 2
+    options[:input] = ARGV.fetch(0)
+    options[:output] = ARGV.fetch(1)
+  else
+    STDERR.puts optparse, ''
+    exit 1
+  end
+
+  Paperback::CLI.create_backup(**options)
+end
+
+main

data/lib/paperback.rb

@@ -0,0 +1,32 @@
+require 'logger'
+
+# Paperback is a library for creating paper backups of sensitive data.
+module Paperback
+  def self.log
+    return @log if @log
+    @log = Logger.new(STDERR)
+    @log.progname = self.name
+    @log.level = log_level
+    @log
+  end
+
+  def self.class_log(klass, stream=STDERR)
+    log = Logger.new(stream)
+    log.progname = klass.name
+    log.level = log_level
+    log
+  end
+
+  def self.log_level
+    @log_level ||= Logger::INFO
+  end
+
+  def self.log_level=(val)
+    @log_level = val
+  end
+end
+
+require_relative 'paperback/version'
+require_relative 'paperback/cli'
+require_relative 'paperback/document'
+require_relative 'paperback/preparer'

data/lib/paperback/cli.rb

@@ -0,0 +1,12 @@
+module Paperback
+  module CLI
+    def self.create_backup(input:, output:, encrypt: true, qr_base64: true,
+                           qr_level: :l, comment: nil, passphrase_file: nil)
+      prep = Paperback::Preparer.new(filename: input, encrypt: encrypt,
+                                     qr_base64: qr_base64, qr_level: qr_level,
+                                     passphrase_file: passphrase_file,
+                                     comment: comment)
+      prep.render(output_filename: output)
+    end
+  end
+end

data/lib/paperback/document.rb

@@ -0,0 +1,174 @@
+require 'prawn'
+
+# Main class for creating and rendering PDFs
+module Paperback; class Document
+  attr_reader :pdf, :debug
+
+  def initialize(debug: false)
+    log.debug('Document#initialize')
+    @debug = debug
+    @pdf = Prawn::Document.new
+  end
+
+  def log
+    @log ||= Paperback.class_log(self.class)
+  end
+
+  def render(output_file:, draw_opts:)
+    log.info('Rendering PDF')
+
+    # Create all the PDF content
+    draw_paperback(**draw_opts)
+
+    # Render to output file
+    log.info("Writing PDF to #{output_file.inspect}")
+    pdf.render_file(output_file)
+  end
+
+  # High level method to draw the paperback content on the pdf document
+  def draw_paperback(qr_code:, sixword_lines:, sixword_bytes:,
+                     labels:, passphrase_sha: nil, passphrase_len: nil)
+    unless qr_code.is_a?(RQRCode::QRCode)
+      raise ArgumentError.new('qr_code must be RQRCode::QRCode')
+    end
+
+    # Header & QR code page
+    pdf.font('Times-Roman')
+
+    debug_draw_axes
+
+    draw_header(labels: labels, passphrase_sha: passphrase_sha,
+                passphrase_len: passphrase_len)
+
+    add_newline
+
+    draw_qr_code(qr_modules: qr_code.modules)
+
+    pdf.stroke_color '000000'
+    pdf.fill_color '000000'
+
+    # Sixword page
+
+    pdf.start_new_page
+
+    draw_sixword(lines: sixword_lines, sixword_bytes: sixword_bytes)
+
+    pdf.number_pages('<page> of <total>', align: :right,
+                     at: [pdf.bounds.right - 100, -2])
+  end
+
+  # If in debug mode, draw axes on the page to assist with layout
+  def debug_draw_axes
+    return unless debug
+    pdf.float { pdf.stroke_axis }
+  end
+
+  # Move cursor down by one line
+  def add_newline
+    pdf.move_down(pdf.font_size)
+  end
+
+  def draw_header(labels:, passphrase_sha:, passphrase_len:,
+                  repo_url: 'https://github.com/ab/paperback')
+
+    intro = [
+      "This is a paper backup produced by `paperback`. ",
+      "<u><link href='#{repo_url}'>#{repo_url}</link></u>",
+    ].join
+    pdf.text(intro, inline_format: true)
+    add_newline
+
+    label_pad = labels.keys.map(&:length).max + 1
+
+    unless passphrase_sha && passphrase_len
+      labels['Encrypted'] = 'no'
+    end
+
+    pdf.font('Courier') do
+      labels.each_pair do |k, v|
+        pdf.text("#{(k + ':').ljust(label_pad)} #{v}")
+      end
+
+      if passphrase_sha
+        pdf.text("SHA256(passphrase)[0...16]: #{passphrase_sha}")
+      end
+    end
+
+    add_newline
+
+    if passphrase_len
+      pdf.font('Helvetica') do
+        pdf.font_size(12.8) do
+          pdf.text('Passphrase: ' + '_ ' * passphrase_len)
+        end
+      end
+
+      pdf.move_down(8)
+      pdf.indent(72) do
+        pdf.text('Be sure to cover the passphrase when scanning the QR code!')
+      end
+    end
+  end
+
+  # @param [Array<String>] lines An array of sixword sentences to print
+  # @param [Integer] columns The number of text columns on the page
+  # @param [Integer] hunks_per_row The number of 6-word sentences per line
+  # @param [Integer] sixword_bytes Bytesize of the sixword encoded data
+  def draw_sixword(lines:, sixword_bytes:, columns: 3, hunks_per_row: 1)
+    debug_draw_axes
+
+    numbered = lines.each_slice(hunks_per_row).each_with_index.map { |row, i|
+      "#{i * hunks_per_row + 1}: #{row.map(&:strip).join('. ')}"
+    }
+
+    header = [
+      "This sixword text encodes #{sixword_bytes} bytes in #{lines.length}",
+      " six-word sentences.",
+      " Decode with `sixword -d`"
+    ].join
+
+    pdf.font('Times-Roman') do
+      pdf.text(header)
+      add_newline
+    end
+
+    pdf.column_box([0, pdf.cursor], columns: columns, width: pdf.bounds.width) do
+      pdf.font('Times-Roman') do
+        pdf.font_size(11) do
+          pdf.text(numbered.join("\n"))
+        end
+      end
+    end
+  end
+
+  def draw_qr_code(qr_modules:)
+    qr_height = pdf.cursor # entire rest of page
+    qr_width = pdf.bounds.width # entire page width
+
+    # number of modules plus 2 for quiet area
+    qr_code_size = qr_modules.length + 2
+
+    pixel_height = qr_height / qr_code_size
+    pixel_width = qr_width / qr_code_size
+
+    pdf.bounding_box([0, pdf.cursor], width: qr_width, height: qr_height) do
+      if debug
+        pdf.stroke_color('888888')
+        pdf.stroke_bounds
+      end
+
+      qr_modules.each do |row|
+        pdf.move_down(pixel_height)
+
+        row.each_with_index do |pixel_val, col_i|
+          pdf.stroke do
+            pdf.stroke_color(pixel_val ? '000000' : 'ffffff')
+            pdf.fill_color(pixel_val ? '000000' : 'ffffff')
+            xy = [(col_i + 1) * pixel_width, pdf.cursor]
+            pdf.fill_and_stroke_rectangle(xy, pixel_width, pixel_height)
+          end
+        end
+      end
+    end
+  end
+end; end

data/lib/paperback/preparer.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'digest/sha2'
+require 'securerandom'
+
+require 'rqrcode'
+require 'sixword'
+require 'subprocess'
+
+module Paperback
+  # Class wrapping functions to prepare data for paperback storage, including
+  # QR code and sixword encoding.
+  class Preparer
+    attr_reader :data
+    attr_reader :labels
+    attr_reader :qr_base64
+    attr_reader :encrypt
+    attr_reader :passphrase_file
+
+    def initialize(filename:, encrypt: true, qr_base64: false, qr_level: nil,
+                   comment: nil, passphrase_file: nil)
+
+      log.debug('Preparer#initialize')
+
+      log.info("Reading #{filename.inspect}")
+      plain_data = File.read(filename)
+
+      log.debug("Read #{plain_data.bytesize} bytes")
+
+      @encrypt = encrypt
+
+      if encrypt
+        @data = self.class.gpg_encrypt(filename: filename, password: passphrase)
+      else
+        @data = plain_data
+      end
+      @sha256 = Digest::SHA256.hexdigest(plain_data)
+
+      @qr_base64 = qr_base64
+      @qr_level = qr_level
+
+      @passphrase_file = passphrase_file
+
+      @labels = {}
+      @labels['Filename'] = filename
+      @labels['Backed up'] = Time.now.to_s
+
+      stat = File.stat(filename)
+      @labels['Mtime'] = stat.mtime
+      @labels['Bytes'] = plain_data.bytesize
+      @labels['Comment'] = comment if comment
+
+      @labels['SHA256'] = Digest::SHA256.hexdigest(plain_data)
+
+      @document = Paperback::Document.new
+    end
+
+    def log
+      @log ||= Paperback.class_log(self.class)
+    end
+    def self.log
+      @log ||= Paperback.class_log(self)
+    end
+
+    def render(output_filename:)
+      log.debug('Preparer#render')
+
+      opts = {
+        labels: labels,
+        qr_code: qr_code,
+        sixword_lines: sixword_lines,
+        sixword_bytes: data.bytesize,
+      }
+
+      if encrypt
+        opts[:passphrase_sha] = self.class.truncated_sha256(passphrase)
+        opts[:passphrase_len] = passphrase.length
+        if passphrase_file
+          File.open(passphrase_file, File::CREAT|File::EXCL|File::WRONLY,
+                   0400) do |f|
+            f.write(passphrase)
+          end
+          log.info("Wrote passphrase to #{passphrase_file.inspect}")
+        end
+      end
+
+      @document.render(output_file: output_filename, draw_opts: opts)
+
+      log.info('Render complete')
+
+      if encrypt && !passphrase_file
+        puts "Passphrase: #{passphrase}"
+      end
+    end
+
+    def passphrase
+      raise "Can't have passphrase without encrypt" unless encrypt
+      @passphrase ||= self.class.random_passphrase
+    end
+
+    PassChars = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze
+
+    def self.random_passphrase(entropy_bits: 256, char_set: PassChars)
+      chars_needed = (entropy_bits / Math.log2(char_set.length)).ceil
+      (0...chars_needed).map {
+        PassChars.fetch(SecureRandom.random_number(char_set.length))
+      }.join
+    end
+
+    # Compute a truncated SHA256 digest
+    def self.truncated_sha256(content)
+      Digest::SHA256.hexdigest(content)[0...16]
+    end
+
+    def self.gpg_encrypt(filename:, password:)
+      cmd = %w[
+        gpg -c -o - --batch --cipher-algo aes256 --passphrase-fd 0 --
+      ] + [filename]
+      out = nil
+
+      log.debug('+ ' + cmd.join(' '))
+      Subprocess.check_call(cmd, stdin: Subprocess::PIPE,
+                            stdout: Subprocess::PIPE) do |p|
+        out, _err = p.communicate(password)
+      end
+
+      out
+    end
+
+    def self.gpg_ascii_enarmor(data, strip_comments: true)
+      cmd = %w[gpg --batch --enarmor]
+      out = nil
+
+      log.debug('+ ' + cmd.join(' '))
+      Subprocess.check_call(cmd, stdin: Subprocess::PIPE,
+                            stdout: Subprocess::PIPE) do |p|
+        out, _err = p.communicate(data)
+      end
+
+      if strip_comments
+        out = out.each_line.select { |l| !l.start_with?('Comment: ') }.join
+      end
+
+      out
+    end
+
+    def self.gpg_ascii_dearmor(data)
+      cmd = %w[gpg --batch --dearmor]
+      out = nil
+
+      log.debug('+ ' + cmd.join(' '))
+      Subprocess.check_call(cmd, stdin: Subprocess::PIPE,
+                            stdout: Subprocess::PIPE) do |p|
+        out, _err = p.communicate(data)
+      end
+
+      out
+    end
+
+    private
+
+    def qr_code
+      @qr_code ||= qr_code!
+    end
+
+    def qr_code!
+      log.info('Generating QR code')
+
+      # Base64 encode data prior to QR encoding as requested
+      if qr_base64
+        if encrypt
+          # If data is already GPG encrypted, use GPG's base64 armor
+          input = self.class.gpg_ascii_enarmor(data)
+        else
+          # Otherwise do plain Base64
+          input = Base64.encode64(data)
+        end
+      else
+        input = data
+      end
+
+      # If QR level not specified, pick highest level of redundancy possible
+      # given the size of the input, up to Q (25% redundancy)
+      unless @qr_level
+        if input.bytesize <= 1663
+          @qr_level = :q
+        elsif input.bytesize <= 2331
+          @qr_level = :m
+        else
+          @qr_level = :l
+        end
+      end
+
+      log.debug("qr_level: #{@qr_level.inspect}")
+      RQRCode::QRCode.new(input, level: @qr_level)
+    end
+
+    def sixword_lines
+      log.info('Encoding with Sixword')
+      @sixword_lines ||=
+        Sixword.pad_encode_to_sentences(data).map(&:downcase)
+    end
+
+  end
+end