pkcs7-cryptographer 0.1.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c3b2d20fdc0a9804d2e748fbb952795720231ac668903f8e7bc3843194147c5f
-  data.tar.gz: 8fe66251f456e340ef033201d4e865920780c89d5c46fc16af49095eb9a373b9
+  metadata.gz: a02040b2706a005f695860704e338946e5cb68c6dcbf92fc7a2bb9c17b9425b2
+  data.tar.gz: 52a840fb9394002e9400e31a0d4960b0fefcfcab4466ce2535c3afcd2915932a
 SHA512:
-  metadata.gz: e7285b506e68a68533b7623d83d54a8ab2335505c10fe161784ea6040207fe935890f02e44745b49568605d8fb81653a5ab2b6db1dea59374f666b0103e0076c
-  data.tar.gz: 89710d821aa0f16cc5e695d2506718738b5c8c05f3a7bbfb76eb7ef333cbe4abf604016616ca09487150fb8827aad1c0cf0670c4164f659666576b2dd73402a1
+  metadata.gz: 83d51e4785b3eff57409208a09956c29826e2dde08c75a7b87e340f70b129f2f80614b4c5792e159618354ae97059eff2febd58a01ce08c460758fba0feb9e52
+  data.tar.gz: 139e5b0e31cdfeed9c67468f92a21dc2f9f36bc3f207fe941df54194e199f43b2681e79072b5e1ea67f33696dd5422c4bf34595377845ea579cccb22487f85fe

data/.rubocop.yml

@@ -1,6 +1,9 @@
+require:
+  - rubocop-rake
+  - rubocop-rspec
+
 AllCops:
   NewCops: enable
-  SuggestExtensions: false
 Style/StringLiterals:
   Enabled: true
   EnforcedStyle: double_quotes
@@ -13,4 +16,13 @@ Layout/LineLength:
   Max: 80
 
 Metrics/BlockLength:
-  IgnoredMethods: ['describe', 'context']
+  IgnoredMethods: ['describe', 'context']
+
+RSpec/MultipleMemoizedHelpers:
+  Enabled: false
+
+RSpec/NestedGroups:
+  Max: 6
+
+RSpec/ExampleLength:
+  Max: 10

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    pkcs7-cryptographer (0.1.0)
+    pkcs7-cryptographer (1.0.1)
 
 GEM
   remote: https://rubygems.org/
@@ -33,19 +33,24 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
     rspec-support (3.10.2)
-    rubocop (0.93.1)
+    rubocop (1.12.0)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
+      regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 0.6.0)
+      rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
+      unicode-display_width (>= 1.4.0, < 3.0)
     rubocop-ast (1.4.1)
       parser (>= 2.7.1.5)
+    rubocop-rake (0.5.1)
+      rubocop
+    rubocop-rspec (2.2.0)
+      rubocop (~> 1.0)
+      rubocop-ast (>= 1.1.0)
     ruby-progressbar (1.11.0)
-    unicode-display_width (1.7.0)
+    unicode-display_width (2.0.0)
 
 PLATFORMS
   x86_64-darwin-19
@@ -56,7 +61,9 @@ DEPENDENCIES
   pry
   rake (~> 13.0)
   rspec (~> 3.2)
-  rubocop (~> 0.80)
+  rubocop (= 1.12.0)
+  rubocop-rake (= 0.5.1)
+  rubocop-rspec (= 2.2.0)
 
 BUNDLED WITH
    2.2.3

data/README.md

@@ -1,11 +1,16 @@
 # PKCS7::Cryptographer
 
-Cryptographer is an small utility that allows to encrypt and decrypt messages
+[![Gem Version](https://badge.fury.io/rb/pkcs7-cryptographer.svg)](https://badge.fury.io/rb/pkcs7-cryptographer)
+![main workflow](https://github.com/dmuneras/pkcs7-cryptographer/actions/workflows/main.yml/badge.svg)
+
+
+Cryptographer is an small utility to encrypt, sign and decrypt messages
 using PKCS7.
 
-PKCS7 is used to store signed and encrypted data.It uses aes-256-cbc
-as chipher in the encryption process. If you want to read more information about
-the involved data structures and theory around this, please visit:
+PKCS7 is used to store signed and encrypted data.This specific implementation
+uses `aes-256-cbc` as chipher in the encryption process. If you want to read
+more information about the involved data structures and theory around this,
+please visit:
 
 - https://ruby-doc.org/stdlib-3.0.0/libdoc/openssl/rdoc/OpenSSL.html
 - https://tools.ietf.org/html/rfc5652
@@ -20,30 +25,39 @@ gem 'pkcs7-cryptographer'
 
 And then execute:
 
+```sh
   $ bundle install
+```
 
 Or install it yourself as:
 
+```sh
   $ gem install pkcs7-cryptographer
-
+```
 ## Usage
 
+### Using bare PKCS7::Cryptographer
+
 After installing the gem you will have the `PKCS7::Cryptographer` available.
 
-`PKCS7::Cryptographer` is a class that provides to public methods:
+`PKCS7::Cryptographer` is a class that provides two public methods:
 
 - `sign_and_encrypt`
 - `decrypt_and_verify`
 
-Read the following example to get a better undertanding:
+If you want to use the barebones cryptographer, you can. Please look at the
+following example:
+
+
 
 ```ruby
+  require 'pkcs7/cryptographer'
 
   # This script assumes you have a read_file method to read the certificates and
   # keys.
 
-  # What we are going to do is sign an encrypt a message from the CA Authority
-  # and read it from the Client:
+  # What we are going to do is signing an encrypting a message from the CA
+  # Authority and read it from the Client:
 
   # Certificate Authority PKI data
   CA_KEY = read_file("ca.key")
@@ -59,9 +73,11 @@ Read the following example to get a better undertanding:
   # Only the client can read the message since the required public
   # certificate to read it is the client certificate.
 
-  # It could be read if the CA_STORE of the reader has certificate of the
+  # It could be read if the CA_STORE of the reader has the certificate of the
   # CA that signed the client certificate as trusted.
 
+  cryptographer = PKCS7::Cryptographer.new
+
   # Client <------------------------- CA Authority API
   encrypted_data = cryptographer.sign_and_encrypt(
     data: "Atletico Nacional de Medellin",
@@ -70,6 +86,8 @@ Read the following example to get a better undertanding:
     public_certificate: CLIENT_CERTIFICATE
   )
 
+  # encrypted_data is a PEM formatted string
+
   # READ MESSAGE IN CLIENT
   # ----------------------------------------------------------------------------
   # Store of trusted certificates
@@ -87,6 +105,98 @@ Read the following example to get a better undertanding:
   # decrypted_data returns: "Atletico Nacional de Medellin"
 ```
 
+### Using PKCS7::Cryptographer::Entity
+
+There is a possibility to use entities to communicate using encrypted data. In
+order to use it you have to import the entities implementation.
+
+Please look at the following example:
+
+```ruby
+
+  require 'pkcs7/cryptographer'
+  require 'pkcs7/cryptographer/entity'
+
+  # This script assumes you have a read_file method to read the certificates and
+  # keys. If you have any question about how to generate the keys/certificates
+  # check this post: https://mariadb.com/kb/en/certificate-creation-with-openssl/
+
+  # What we are going to do is sending a message from the CA Authority and read
+  # it from the Client:
+
+  # Certificate Authority PKI data
+  CA_KEY = read_file("ca.key")
+  CA_CERTIFICATE = read_file("ca.crt")
+
+  # Client PKI data
+  CLIENT_CERTIFICATE = read_file("client.crt")
+
+  CA_STORE = OpenSSL::X509::Store.new
+  CA_STORE.add_cert(OpenSSL::X509::Certificate.new(CA_CERTIFICATE))
+
+  ca_entity = PKCS7::Cryptographer::Entity.new(
+    key: CA_KEY,
+    certificate: CA_CERTIFICATE,
+    ca_store: CA_STORE
+  )
+
+  client_entity = PKCS7::Cryptographer::Entity.new(
+    certificate: CLIENT_CERTIFICATE
+  )
+
+  # SEND MESSAGE TO THE CLIENT
+  # ----------------------------------------------------------------------------
+  data = "Victor Ibarbo"
+  encrypted_data = ca_entity.encrypt_data(data: data, receiver: client_entity)
+
+  # READ MESSAGE IN CLIENT
+  # ----------------------------------------------------------------------------
+  decrypted_data = client_entity.decrypt_data(
+    data: encrypted_data,
+    sender: ca_entity
+  )
+
+  # decrypted_data returns: "Victor Ibarbo"
+```
+
+When using entities, all the complexity of knowing which PKI credentials to
+send to the cryptographer dissapears. You only need to initialize the
+entities and use the methods to indicate to whom the message will be sent.
+
+If you want to verify if certain entity you defined "trust" another one, use the
+`trustable_entity?(<the other entity>)`.
+
+```ruby
+  ca_entity = PKCS7::Cryptographer::Entity.new(
+    key: CA_KEY,
+    certificate: CA_CERTIFICATE,
+    ca_store: CA_STORE
+  )
+
+  client_entity = PKCS7::Cryptographer::Entity.new(
+    certificate: CLIENT_CERTIFICATE
+  )
+
+  ca_entity.trustable_entity?(client_entity)
+
+  # Returns true because the client certificate was signed by the root
+  # certificate of the ca_authority.
+```
+
+When sending data to an entity, you will most of the time initialize the entity
+only with the `certificate` keyword arguments. So, initializing a receiver will
+most of the time looks like this:
+
+```ruby
+  client_entity = PKCS7::Cryptographer::Entity.new(
+    certificate: CLIENT_CERTIFICATE
+  )
+```
+
+The entity above can't encrypt messages or decrypt them, if you want to decrypt
+and encrypt the entity should have its the key (private key), certificate and
+the list of trusted certificates of the entity (ca_store).
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run

data/bin/console

@@ -3,6 +3,7 @@
 
 require "bundler/setup"
 require "pkcs7/cryptographer"
+require "pkcs7/cryptographer/entity"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/lib/pkcs7/cryptographer.rb

@@ -2,6 +2,7 @@
 
 require "openssl"
 require_relative "cryptographer/version"
+require_relative "cryptographer/initializers"
 
 module PKCS7
   ###
@@ -14,6 +15,8 @@ module PKCS7
   # - https://tools.ietf.org/html/rfc5652
   ###
   class Cryptographer
+    include PKCS7::Cryptographer::Initializers
+
     # PUBLIC METHODS
     # --------------------------------------------------------------------------
 
@@ -36,12 +39,7 @@ module PKCS7
       certificate = x509_certificate(certificate)
       public_certificate = x509_certificate(public_certificate)
       signed_data = OpenSSL::PKCS7.sign(certificate, key, data)
-
-      encrypted_data = OpenSSL::PKCS7.encrypt(
-        [public_certificate],
-        signed_data.to_pem,
-        OpenSSL::Cipher.new("aes-256-cbc")
-      )
+      encrypted_data = encrypt(public_certificate, signed_data)
 
       encrypted_data.to_pem
     end
@@ -69,31 +67,33 @@ module PKCS7
       public_certificate = x509_certificate(public_certificate)
       encrypted_data = pkcs7(data)
       decrypted_data = encrypted_data.decrypt(key, certificate)
+
       signed_data = OpenSSL::PKCS7.new(decrypted_data)
+      verified = verified_signature?(signed_data, public_certificate, ca_store)
 
-      return false unless signed_data.verify([public_certificate], ca_store)
+      return false unless verified
 
       signed_data.data
     end
 
-    # PRIVATE METHODS
-    # --------------------------------------------------------------------------
     private
 
-    def x509_certificate(certificate)
-      wrap_in_class_or_return(certificate, OpenSSL::X509::Certificate)
-    end
-
-    def rsa_key(key)
-      wrap_in_class_or_return(key, OpenSSL::PKey::RSA)
-    end
-
-    def pkcs7(pkcs7)
-      wrap_in_class_or_return(pkcs7, OpenSSL::PKCS7)
+    def encrypt(public_certificate, signed_data)
+      OpenSSL::PKCS7.encrypt(
+        [public_certificate],
+        signed_data.to_der,
+        OpenSSL::Cipher.new("aes-256-cbc"),
+        OpenSSL::PKCS7::BINARY
+      )
     end
 
-    def wrap_in_class_or_return(data, klass)
-      data.instance_of?(klass) ? data : klass.new(data)
+    def verified_signature?(signed_data, public_certificate, ca_store)
+      signed_data.verify(
+        [public_certificate],
+        ca_store,
+        nil,
+        OpenSSL::PKCS7::NOINTERN | OpenSSL::PKCS7::NOCHAIN
+      )
     end
   end
 end

data/lib/pkcs7/cryptographer/entity.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require_relative "initializers"
+
+module PKCS7
+  class Cryptographer
+    ###
+    # Define an entity abel to decrypt or encrypt messages to send them to other
+    # entities. It uses a Cryptographer to do the dirty work and just provide a
+    # more human readable way to read an pass messages between trustable
+    # entities.
+    ###
+    class Entity
+      include PKCS7::Cryptographer::Initializers
+
+      attr_reader :certificate
+
+      # PUBLIC METHODS
+      # ------------------------------------------------------------------------
+      def initialize(
+        certificate:,
+        key: nil,
+        ca_store: OpenSSL::X509::Store.new
+      )
+        @key = key ? rsa_key(key) : nil
+        @certificate = x509_certificate(certificate)
+        @cryptographer = PKCS7::Cryptographer.new
+        @ca_store = ca_store
+      end
+
+      def trustable_entity?(entity)
+        @ca_store.verify(entity.certificate)
+      end
+
+      def encrypt_data(data:, receiver:)
+        perform_safely(receiver) do
+          @cryptographer.sign_and_encrypt(
+            data: data,
+            key: @key,
+            certificate: @certificate,
+            public_certificate: receiver.certificate
+          )
+        end
+      end
+
+      def decrypt_data(data:, sender:)
+        perform_safely(sender) do
+          @cryptographer.decrypt_and_verify(
+            data: data,
+            key: @key,
+            certificate: @certificate,
+            public_certificate: sender.certificate,
+            ca_store: @ca_store
+          )
+        end
+      end
+
+      # PRIVATE METHODS
+      # ------------------------------------------------------------------------
+      private
+
+      def perform_safely(entity)
+        return false unless trustable_entity?(entity)
+        return false unless @key
+
+        yield
+      end
+    end
+  end
+end

data/lib/pkcs7/cryptographer/initializers.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module PKCS7
+  class Cryptographer
+    ###
+    # Provides a set of methods to initialize OpenSSL objects if necessary. It
+    # allow consumers to pass either the OpenSSL ruby objects or the
+    # certificate, key or encrypted message string.
+    ###
+    module Initializers
+      # PRIVATE METHODS
+      # ------------------------------------------------------------------------
+
+      private
+
+      def x509_certificate(certificate)
+        wrap_in_class_or_return(certificate, OpenSSL::X509::Certificate)
+      end
+
+      def rsa_key(key)
+        wrap_in_class_or_return(key, OpenSSL::PKey::RSA)
+      end
+
+      def pkcs7(pkcs7)
+        wrap_in_class_or_return(pkcs7, OpenSSL::PKCS7)
+      end
+
+      def wrap_in_class_or_return(data, klass)
+        data.instance_of?(klass) ? data : klass.new(data)
+      end
+    end
+  end
+end

data/lib/pkcs7/cryptographer/version.rb

@@ -2,6 +2,6 @@
 
 module PKCS7
   class Cryptographer
-    VERSION = "0.1.0"
+    VERSION = "1.0.1"
   end
 end

data/pkcs7-cryptographer.gemspec

@@ -31,5 +31,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "pry"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.2"
-  spec.add_development_dependency "rubocop", "~> 0.80"
+  spec.add_development_dependency "rubocop", "1.12.0"
+  spec.add_development_dependency "rubocop-rake", "0.5.1"
+  spec.add_development_dependency "rubocop-rspec", "2.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pkcs7-cryptographer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Daniel Munera Sanchez
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-03-24 00:00:00.000000000 Z
+date: 2021-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -70,16 +70,44 @@ dependencies:
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.80'
+        version: 1.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.12.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.5.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.5.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.80'
+        version: 2.2.0
 description: Utility to encrypt and decrypt messages using OpenSSL::PKCS7
 email:
 - dmunera119@gmail.com
@@ -100,6 +128,8 @@ files:
 - bin/console
 - bin/setup
 - lib/pkcs7/cryptographer.rb
+- lib/pkcs7/cryptographer/entity.rb
+- lib/pkcs7/cryptographer/initializers.rb
 - lib/pkcs7/cryptographer/version.rb
 - pkcs7-cryptographer.gemspec
 homepage: https://github.com/dmuneras/pkcs7-cryptographer