passw3rd 0.2.3 → 0.2.5

data/History.txt

@@ -1,10 +1,14 @@
+=== 0.2.5
+
+Kill this project. It's not a good idea to use this. This is bad crypto.
+
 === 0.2.1 / 2011-11-8
 
 Added option to fail silently.  Pretty common need in a Rails environment.
 
 === 0.2.0 / 2011-11-5
 
-Added acceptance tests as a contract for future features.  
+Added acceptance tests as a contract for future features.
 Collapsed the KeyLoader class, eliminated the KeyPair class.  If for some reason you referenced those classes, things will break.  But you wouldn't do that, would you?
 More testing goodness.
 

data/README.md

@@ -1,8 +1,19 @@
-![Build status](https://secure.travis-ci.org/oreoshake/passw3rd.png)
+[![Build Status](https://secure.travis-ci.org/oreoshake/passw3rd.png)](http://travis-ci.org/oreoshake/passw3rd)
 
-It's only failing because it can't find the system ruby.  If you have a solution, checkout bin/passw3rd please :)
+Danger
+------------------------------------------------------------------------------
+Just an FYI, this library promotes "bad crypto". I'm not a cryptographer so you'll see a lot of "maybes" and "probably"s. The
+potential problem lies in the fact that the IV is reused for all values. I'm under the impression that IV
+reuse can lead to the key being revealed. The possibility of this attack rises
+with each encrypted value encountered. ActiveSupport's encryptor supports per-value IVs,
+but that's probably still not enough as the values aren't authenticated in any way.
+
+There is an issue open to fix this ([#32](https://github.com/oreoshake/passw3rd/issues/32)), 
+but I just haven't had the time. Even worse, there will need to be a migration path from the old to the new.
+
+If you are using this to store 5-20 passwords, you're probably OK. It's better than nothing in this case.
 
-It will still work on your machine.
+If you are using this to store a ton of records, you probably should use another encryption method.
 
 Introduction
 ------------------------------------------------------------------------------
@@ -21,7 +32,7 @@ Some advantages of keeping credentials out of source code are:
    all instances.
 6. Leaving credentials in source code leads to poor password management in
    general. If changing a credential requires you to change code, you are less
-   likely to want to do it. 
+   likely to want to do it.
 
 
 Status
@@ -29,6 +40,91 @@ Status
 
 This project is IN PROGRESS. File bugs and feature requests.
 
+Examples
+------------------------------------------------------------------------------
+Command line use
+    Generate key/iv in current directory by default
+
+        $ passw3rd -g
+        generated keys in /Users/user
+
+        $ passw3rd -g ~/Desktop/
+        generated keys in /Users/user/Desktop/
+
+    Create a password file
+
+        $ passw3rd -e foobar_app
+        Enter the password:
+        Wrote password to /Users/neilmatatall/foobar_app
+        $ passw3rd -e foobar_app -p ~/Desktop/
+        Enter the password:
+        Wrote password to /Users/neilmatatall/Desktop/foobar_app
+
+    Read a password file
+
+        $ passw3rd -d foobar_app
+        The password is: asdf
+        $ passw3rd -d foobar_app -p ~/Desktop/
+        The password is: asdf
+------------------------------------------------------------------------------
+
+Options
+------------------------------------------------------------------------------
+Common options per read/write operation
+
+        -d, --decrypt PATH_TO_PASSWORD   Path to password file
+        -e, --encrypt PASSWORD_FILE      Write the password to this location
+        -k, --key-dir KEY_PATH           Use the keys specificed in this directory for encryption or decryption (default is current directory)
+        -p, --password-dir PATH          Read and write password files to this directory (default is current directory)
+
+Only used when generating keys
+
+        -g, --generate-key [PATH]        generate key/iv and store in PATH, defaults to the current directory
+
+Key rotation: simple
+------------------------------------------------------------------------------
+
+    $ rake rotate_keys[~/passwords,~/passwords,aes-256-cbc]
+
+------------------------------------------------------------------------------
+Ruby on Rails config/database.yml
+
+Example configuration in boot.rb:
+
+    ENV['passw3rd-cipher_name'] = 'aes-256-cbc'
+    if %w{production staging}.include? ENV['RAILS_ENV']
+      ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
+      ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
+    else
+      ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords', __FILE__)
+      ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords', __FILE__)
+    end
+
+Then remove passwords from config files and source code
+
+    Before:
+
+    development:
+      adapter: mysql
+      database: rails_development
+      username: root
+      password: my super secret password
+
+
+    After:
+
+    development:
+      adapter: mysql
+      database: rails_development
+      username: root
+      password: <%= Passw3rd::PasswordService.get_password('foobar_app') %>
+
+------------------------------------------------------------------------------
+OpenSSL command line
+
+    $ openssl enc -e -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey`  -iv `cat ~/.passw3rd-encryptionIV` -in README.md -out test.out
+    $ openssl enc -d -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey`  -iv `cat ~/.passw3rd-encryptionIV` -out README.md -in test.out
+
 
 License
 ------------------------------------------------------------------------------

data/lib/passw3rd/password_client.rb

@@ -56,7 +56,7 @@ module Passw3rd
 
     # decrypt password_file using the key/IV in key_path
     if mode == "decrypt"
-      decrypted =::Passw3rd::PasswordService.get_password(password_file, :key_path => key_path)
+      decrypted =::Passw3rd::PasswordService.get_password(password_file, :key_path => key_path, :force => true)
       puts "The password is: #{decrypted}"
     end
 

data/lib/passw3rd/password_service.rb

@@ -5,7 +5,7 @@ module Passw3rd
   IV_FILE = ".passw3rd-encryptionIV"
   # more preferred ciphers first
   APPROVED_CIPHERS = %w{aes-256-cbc aes-256-cfb aes-128-cbc aes-128-cfb}
-  
+
   class PasswordService
 
     class << self
@@ -38,39 +38,23 @@ module Passw3rd
       encoded_password = read_file(uri)
       decrypt(encoded_password, options[:key_path])
     rescue => e
-      raise ArgumentError, "Could not decrypt passw3rd file #{password_file} - #{e}" if options[:force]
+      raise e, "Could not decrypt passw3rd file #{password_file} - #{e}" if options[:force]
     end
 
     def self.write_password_file(password, output_path, key_path = self.key_file_dir)
       enc_password = encrypt(password, key_path)
-      base64pw = Base64.encode64(enc_password) 
+      base64pw = Base64.encode64(enc_password)
       path = File.join(password_file_dir, output_path)
       write_file(path, base64pw)
       path
     end
 
     def self.encrypt(password, key_path = self.key_file_dir)
-      raise ArgumentError, "password cannot be blank" if password.to_s.empty?
-
-      cipher = cipher_setup(:encrypt, key_path)
-      begin
-        e = cipher.update(password)
-        e << cipher.final
-      rescue OpenSSL::Cipher::CipherError => err
-        puts "Couldn't encrypt password."
-        raise err
-      end
+      raise "Don't use this library. It's bad crypto. Don't even listen to my recommendations."
     end
 
     def self.decrypt(cipher_text, key_path = self.key_file_dir)
-      cipher = cipher_setup(:decrypt, key_path)
-      begin
-        d = cipher.update(cipher_text)
-        d << cipher.final
-      rescue OpenSSL::Cipher::CipherError => err
-        puts "Couldn't decrypt password #{cipher_text}.  Are you using the right keys (#{key_path})?"
-        raise err
-      end
+      raise "Don't use this library. It's bad crypto. Don't even listen to my recommendations."
     end
 
     def self.rotate_keys(args = {})
@@ -97,7 +81,7 @@ module Passw3rd
 
       passwords.each do |password|
         full_path = File.join(::Passw3rd::PasswordService.password_file_dir, password[:file])
-        ::Passw3rd::PasswordService.write_password_file(password[:clear_password], password[:file])    
+        ::Passw3rd::PasswordService.write_password_file(password[:clear_password], password[:file])
         puts "Wrote new password to #{full_path}"
       end
     end
@@ -105,7 +89,7 @@ module Passw3rd
     def self.create_key_iv_file(path = nil)
       unless path
         path = ::Passw3rd::PasswordService.key_file_dir
-      end    
+      end
 
       # d'oh!
       cipher = OpenSSL::Cipher::Cipher.new(::Passw3rd::PasswordService.cipher_name)
@@ -121,17 +105,17 @@ module Passw3rd
       end
       path
     end
-    
+
     def self.key_path(path= self.key_file_dir)
       File.join(path || self.key_file_dir, KEY_FILE)
     end
-    
+
     def self.iv_path(path = ::Passw3rd::PasswordService.key_file_dir)
       File.join(path || self.key_file_dir, IV_FILE)
-    end      
+    end
 
     protected
-    
+
     def self.load_key(path = ::Passw3rd::PasswordService.key_file_dir)
       begin
         key = IO.readlines(File.expand_path(self.key_path(path)))[0]
@@ -142,11 +126,11 @@ module Passw3rd
       end
 
       {:key => [key].pack("H*"), :iv => [iv].pack("H*")}
-    end    
+    end
 
-    def self.cipher_setup(method, key_path)
+    def self.cipher_setup(method, key_path, cipher_override = nil)
       pair = self.load_key(key_path)
-      cipher = OpenSSL::Cipher::Cipher.new(cipher_name)
+      cipher = OpenSSL::Cipher::Cipher.new(cipher_override || cipher_name)
       cipher.send(method)
       cipher.key = pair[:key]
       cipher.iv = pair[:iv]
@@ -168,5 +152,11 @@ module Passw3rd
     def self.write_file path, value
       open(path, 'w') { |f| f.write value }
     end
+
+    def self.do_decrypt(cipher_text, key_path, cipher)
+      cipher = cipher_setup(:decrypt, key_path, cipher)
+      d = cipher.update(cipher_text)
+      d << cipher.final
+    end
   end
 end

data/lib/passw3rd/version.rb

@@ -1,3 +1,3 @@
 module Passw3rd
-  Version = VERSION = '0.2.3'
+  Version = VERSION = '0.2.5'
 end

data/test/password_service_test.rb

@@ -14,6 +14,20 @@ class PasswordServiceTest < Test::Unit::TestCase
     ::Passw3rd::PasswordService.password_file_dir = path
     ::Passw3rd::PasswordService.create_key_iv_file
   end
+
+  def test_detect_cipher
+    ::Passw3rd::PasswordService.cipher_name = ::Passw3rd::APPROVED_CIPHERS.last
+    setup_sandbox
+
+    enc = ::Passw3rd::PasswordService.encrypt(@random_string)
+    dec = ::Passw3rd::PasswordService.decrypt(enc)
+
+    ::Passw3rd::PasswordService.cipher_name = ::Passw3rd::APPROVED_CIPHERS.first
+
+    assert_raise(OpenSSL::Cipher::CipherError) do 
+      ::Passw3rd::PasswordService.decrypt(enc)    
+    end
+  end
   
   def test_enc_dec
     setup_sandbox
@@ -83,4 +97,6 @@ class PasswordServiceTest < Test::Unit::TestCase
 
     FileUtils.rm_rf(dir)
   end
+
+
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: passw3rd
 version: !ruby/object:Gem::Version 
-  hash: 17
+  hash: 29
   prerelease: 
   segments: 
   - 0
   - 2
-  - 3
-  version: 0.2.3
+  - 5
+  version: 0.2.5
 platform: ruby
 authors: 
 - Neil Matatall
@@ -15,7 +15,8 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-11-16 00:00:00 Z
+date: 2014-09-06 00:00:00 -07:00
+default_executable: 
 dependencies: []
 
 description: Generate a key/iv file, generate passwords, and store encrypted files in source control, keep the key/iv safe!
@@ -30,7 +31,6 @@ extra_rdoc_files: []
 files: 
 - README.md
 - LICENSE
-- EXAMPLES.md
 - History.txt
 - lib/passw3rd/password_client.rb
 - lib/passw3rd/password_service.rb
@@ -40,6 +40,7 @@ files:
 - test/password_service_test.rb
 - spec/password_service_spec.rb
 - spec/spec_helper.rb
+has_rdoc: true
 homepage: https://github.com/oreoshake/passw3rd
 licenses: []
 
@@ -69,7 +70,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.4.2
 signing_key: 
 specification_version: 3
 summary: A simple "keep the passwords out of source code and config files".

data/EXAMPLES.md

@@ -1,85 +0,0 @@
-------------------------------------------------------------------------------
-Command line use
- 
-    Generate key/iv in ~/ by default
- 
-        $ passw3rd -g
-        generated keys in /Users/user
- 
-        $ passw3rd -g ~/Desktop/
-        generated keys in /Users/user/Desktop/
- 
-    Create a password file
- 
-        $ passw3rd -e foobar_app
-        Enter the password: 
-        Wrote password to /Users/neilmatatall/foobar_app
-        $ passw3rd -e foobar_app -p ~/Desktop/
-        Enter the password: 
-        Wrote password to /Users/neilmatatall/Desktop/foobar_app
- 
-    Read a password file
- 
-        $ passw3rd -d foobar_app
-        The password is: asdf
-        $ passw3rd -d foobar_app -p ~/Desktop/
-        The password is: asdf
-------------------------------------------------------------------------------
-
-Key rotation: simple
-
-[passw3rd (gh-10-key_rotation *$)]$ rake rotate_keys[~/passwords,~/passwords,aes-256-cbc]
- 
- 
-------------------------------------------------------------------------------
-Manual JDBC Connection
- 
-    Before:
- 
-    Datasource ds = new Datasource();
-    ds.setPassword("suparSekret");
- 
-    After:
- 
-    Datasource ds = new Datasource();
-    ds.setPassword(PasswordService.getPassword(USER);
- 
-------------------------------------------------------------------------------
-Java properties file
- 
-    Before:
- 
-    password=suparSekret
- 
-    After:
- 
-    password=${password}
- 
-------------------------------------------------------------------------------
-Ruby on Rails config/database.yml
- 
-    initializer:
-    ::Passw3rd::PasswordService.password_file_dir = "passwords"
- 
-    Before:
- 
-    development:
-      adapter: mysql
-      database: rails_development
-      username: root
-      password: my super secret password
- 
- 
-    After:
- 
-    development:
-      adapter: mysql
-      database: rails_development
-      username: root
-      password: <%= PasswordService.get_password('foobar_app') -%>
- 
-------------------------------------------------------------------------------
-OpenSSL command line
- 
-    $ openssl enc -e -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey`  -iv `cat ~/.passw3rd-encryptionIV` -in README.md -out test.out
-    $ openssl enc -d -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey`  -iv `cat ~/.passw3rd-encryptionIV` -out README.md -in test.out