pkcs7-cryptographer 0.2.2 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cf8d46e30794182b24393965b11655facc02bd6597a0856e59516b5b185f2ea1
-  data.tar.gz: 0564d998860e51680e422ae8c87768145458a44ae891e6683754436db7fcb38f
+  metadata.gz: d8e03b7542f2787153a2243935c5a0c748abae6fec0e066ce08ee158f21cf75f
+  data.tar.gz: 25baf89c080fb55f909e3d92d22e1ec05810e2ed91d00d47e83e0f6460c75f32
 SHA512:
-  metadata.gz: 1cce85246daad30252c7db7fa69a48c430069ebb06f7a4c27a410363f64d0182abcd46fd256960e6b13e01642ea581a5d1688d2e4ccd52635810c12e7628520d
-  data.tar.gz: 3a6c09eeb65e4a7fa3d406cc98d9673ccbc253dace154a2ef90ae612bc6c3129f29fe12f03cac7a643887efcd475557229c56bdf8cf93261de6edfd1e78fa4f7
+  metadata.gz: 527dc589baa95742d7b81d825373efac10f136791f5d97e4970565a3e01e5e5f2c004731d13b59150174858865c295b93ffb8e8210c9ebb714eb0d9840254935
+  data.tar.gz: 4e5595dca5adeb1daa3b58a00aeaeb463011c6e86e2a2036a1ba4afeba1268d141d8cf04212be08abdd287636aa6838a1bde49ad0ddd17ea6e647a1718b30895

data/.rubocop.yml

@@ -22,4 +22,7 @@ RSpec/MultipleMemoizedHelpers:
   Enabled: false
 
 RSpec/NestedGroups:
-  Max: 4
+  Max: 6
+
+RSpec/ExampleLength:
+  Max: 10

data/Gemfile.lock

@@ -1,15 +1,26 @@
 PATH
   remote: .
   specs:
-    pkcs7-cryptographer (0.2.2)
+    pkcs7-cryptographer (1.1.1)
+      activesupport (>= 6.1.4.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    activesupport (6.1.4.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     ast (2.4.2)
     coderay (1.1.3)
+    concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
     method_source (1.0.0)
+    minitest (5.14.4)
     parallel (1.20.1)
     parser (3.0.0.0)
       ast (~> 2.4.1)
@@ -50,7 +61,11 @@ GEM
       rubocop (~> 1.0)
       rubocop-ast (>= 1.1.0)
     ruby-progressbar (1.11.0)
+    timecop (0.9.4)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (2.0.0)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   x86_64-darwin-19
@@ -64,6 +79,7 @@ DEPENDENCIES
   rubocop (= 1.12.0)
   rubocop-rake (= 0.5.1)
   rubocop-rspec (= 2.2.0)
+  timecop (= 0.9.4)
 
 BUNDLED WITH
    2.2.3

data/README.md

@@ -4,13 +4,12 @@
 ![main workflow](https://github.com/dmuneras/pkcs7-cryptographer/actions/workflows/main.yml/badge.svg)
 
 
-
-Cryptographer is an small utility to encrypt and decrypt messages
+Cryptographer is an small utility to encrypt, sign and decrypt messages
 using PKCS7.
 
 PKCS7 is used to store signed and encrypted data.This specific implementation
-uses aes-256-cbc as chipher in the encryption process. If you want to read more
-information about the involved data structures and theory around this,
+uses `aes-256-cbc` as chipher in the encryption process. If you want to read
+more information about the involved data structures and theory around this,
 please visit:
 
 - https://ruby-doc.org/stdlib-3.0.0/libdoc/openssl/rdoc/OpenSSL.html
@@ -37,6 +36,8 @@ Or install it yourself as:
 ```
 ## Usage
 
+### Using bare PKCS7::Cryptographer
+
 After installing the gem you will have the `PKCS7::Cryptographer` available.
 
 `PKCS7::Cryptographer` is a class that provides two public methods:
@@ -44,12 +45,13 @@ After installing the gem you will have the `PKCS7::Cryptographer` available.
 - `sign_and_encrypt`
 - `decrypt_and_verify`
 
-Read the following examples to get a better undertanding:
+If you want to use the barebones cryptographer, you can. Please look at the
+following example:
 
 
-### Using bare PKCS7::Cryptographer
 
 ```ruby
+  require 'pkcs7/cryptographer'
 
   # This script assumes you have a read_file method to read the certificates and
   # keys.
@@ -71,7 +73,7 @@ Read the following examples to get a better undertanding:
   # Only the client can read the message since the required public
   # certificate to read it is the client certificate.
 
-  # It could be read if the CA_STORE of the reader has certificate of the
+  # It could be read if the CA_STORE of the reader has the certificate of the
   # CA that signed the client certificate as trusted.
 
   cryptographer = PKCS7::Cryptographer.new
@@ -84,6 +86,8 @@ Read the following examples to get a better undertanding:
     public_certificate: CLIENT_CERTIFICATE
   )
 
+  # encrypted_data is a PEM formatted string
+
   # READ MESSAGE IN CLIENT
   # ----------------------------------------------------------------------------
   # Store of trusted certificates
@@ -103,8 +107,16 @@ Read the following examples to get a better undertanding:
 
 ### Using PKCS7::Cryptographer::Entity
 
+There is a possibility to use entities to communicate using encrypted data. In
+order to use it you have to import the entities implementation.
+
+Please look at the following example:
+
 ```ruby
 
+  require 'pkcs7/cryptographer'
+  require 'pkcs7/cryptographer/entity'
+
   # This script assumes you have a read_file method to read the certificates and
   # keys. If you have any question about how to generate the keys/certificates
   # check this post: https://mariadb.com/kb/en/certificate-creation-with-openssl/
@@ -129,24 +141,62 @@ Read the following examples to get a better undertanding:
   )
 
   client_entity = PKCS7::Cryptographer::Entity.new(
-    certificate: CLIENT_CERTIFICATE,
+    certificate: CLIENT_CERTIFICATE
   )
 
   # SEND MESSAGE TO THE CLIENT
   # ----------------------------------------------------------------------------
   data = "Victor Ibarbo"
-  encrypted_data = ca_entity.encrypt_data(data: data, to: client_entity)
+  encrypted_data = ca_entity.encrypt_data(data: data, receiver: client_entity)
 
   # READ MESSAGE IN CLIENT
   # ----------------------------------------------------------------------------
   decrypted_data = client_entity.decrypt_data(
     data: encrypted_data,
-    from: ca_entity
+    sender: ca_entity
   )
 
   # decrypted_data returns: "Victor Ibarbo"
 ```
 
+When using entities, all the complexity of knowing which PKI credentials to
+send to the cryptographer dissapears. You only need to initialize the
+entities and use the methods to indicate to whom the message will be sent.
+
+If you want to verify if certain entity you defined "trust" another one, use the
+`trustable_entity?(<the other entity>)`.
+
+```ruby
+  ca_entity = PKCS7::Cryptographer::Entity.new(
+    key: CA_KEY,
+    certificate: CA_CERTIFICATE,
+    ca_store: CA_STORE
+  )
+
+  client_entity = PKCS7::Cryptographer::Entity.new(
+    certificate: CLIENT_CERTIFICATE
+  )
+
+  ca_entity.trustable_entity?(client_entity)
+
+  # Returns true because the client certificate was signed by the root
+  # certificate of the ca_authority.
+```
+
+When sending data to an entity, you will most of the time initialize the entity
+only with the `certificate` keyword arguments. So, initializing a receiver will
+most of the time looks like this:
+
+```ruby
+  client_entity = PKCS7::Cryptographer::Entity.new(
+    certificate: CLIENT_CERTIFICATE
+  )
+```
+
+The entity above can't encrypt messages or decrypt them, if you want to decrypt
+and encrypt the entity should have its the key (private key), certificate and
+the list of trusted certificates of the entity (ca_store).
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run

data/lib/pkcs7/cryptographer/entity.rb

@@ -32,24 +32,24 @@ module PKCS7
         @ca_store.verify(entity.certificate)
       end
 
-      def encrypt_data(data:, to:)
-        perform_safely(to) do
+      def encrypt_data(data:, receiver:)
+        perform_safely(receiver) do
           @cryptographer.sign_and_encrypt(
             data: data,
             key: @key,
             certificate: @certificate,
-            public_certificate: to.certificate
+            public_certificate: receiver.certificate
           )
         end
       end
 
-      def decrypt_data(data:, from:)
-        perform_safely(from) do
+      def decrypt_data(data:, sender:)
+        perform_safely(sender) do
           @cryptographer.decrypt_and_verify(
             data: data,
             key: @key,
             certificate: @certificate,
-            public_certificate: from.certificate,
+            public_certificate: sender.certificate,
             ca_store: @ca_store
           )
         end
@@ -61,7 +61,8 @@ module PKCS7
 
       def perform_safely(entity)
         return false unless trustable_entity?(entity)
-        return false unless @key.present?
+        return false unless @key
+
         yield
       end
     end

data/lib/pkcs7/cryptographer/initializers.rb

@@ -8,6 +8,11 @@ module PKCS7
     # certificate, key or encrypted message string.
     ###
     module Initializers
+      # PRIVATE METHODS
+      # ------------------------------------------------------------------------
+
+      private
+
       def x509_certificate(certificate)
         wrap_in_class_or_return(certificate, OpenSSL::X509::Certificate)
       end
@@ -16,6 +21,10 @@ module PKCS7
         wrap_in_class_or_return(key, OpenSSL::PKey::RSA)
       end
 
+      def certificate_signing_request(request)
+        wrap_in_class_or_return(request, OpenSSL::X509::Request)
+      end
+
       def pkcs7(pkcs7)
         wrap_in_class_or_return(pkcs7, OpenSSL::PKCS7)
       end

data/lib/pkcs7/cryptographer/version.rb

@@ -2,6 +2,6 @@
 
 module PKCS7
   class Cryptographer
-    VERSION = "0.2.2"
+    VERSION = "1.1.1"
   end
 end

data/lib/pkcs7/cryptographer.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "openssl"
+require "active_support/all"
 require_relative "cryptographer/version"
 require_relative "cryptographer/initializers"
 
@@ -17,6 +18,10 @@ module PKCS7
   class Cryptographer
     include PKCS7::Cryptographer::Initializers
 
+    # CONSTANS
+    # --------------------------------------------------------------------------
+    CYPHER_ALGORITHM = "aes-256-cbc"
+
     # PUBLIC METHODS
     # --------------------------------------------------------------------------
 
@@ -39,12 +44,7 @@ module PKCS7
       certificate = x509_certificate(certificate)
       public_certificate = x509_certificate(public_certificate)
       signed_data = OpenSSL::PKCS7.sign(certificate, key, data)
-
-      encrypted_data = OpenSSL::PKCS7.encrypt(
-        [public_certificate],
-        signed_data.to_pem,
-        OpenSSL::Cipher.new("aes-256-cbc")
-      )
+      encrypted_data = encrypt(public_certificate, signed_data)
 
       encrypted_data.to_pem
     end
@@ -72,11 +72,85 @@ module PKCS7
       public_certificate = x509_certificate(public_certificate)
       encrypted_data = pkcs7(data)
       decrypted_data = encrypted_data.decrypt(key, certificate)
+
       signed_data = OpenSSL::PKCS7.new(decrypted_data)
+      verified = verified_signature?(signed_data, public_certificate, ca_store)
 
-      return false unless signed_data.verify([public_certificate], ca_store)
+      return false unless verified
 
       signed_data.data
     end
+
+    def sign_certificate(
+      csr:,
+      key:,
+      certificate:,
+      valid_until: Time.current + 10.years
+    )
+      valid_until.to_time.utc
+      check_csr(csr)
+
+      sign_csr(csr, key, certificate, valid_until)
+    end
+
+    private
+
+    def encrypt(
+      public_certificate,
+      signed_data,
+      cypher_algorithm = CYPHER_ALGORITHM
+    )
+      OpenSSL::PKCS7.encrypt(
+        [public_certificate],
+        signed_data.to_der,
+        OpenSSL::Cipher.new(cypher_algorithm),
+        OpenSSL::PKCS7::BINARY
+      )
+    end
+
+    def verified_signature?(signed_data, public_certificate, ca_store)
+      signed_data.verify(
+        [public_certificate],
+        ca_store,
+        nil,
+        OpenSSL::PKCS7::NOINTERN | OpenSSL::PKCS7::NOCHAIN
+      )
+    end
+
+    def check_csr(signing_request)
+      csr = OpenSSL::X509::Request.new signing_request
+      raise "CSR can not be verified" unless csr.verify(csr.public_key)
+    end
+
+    def sign_csr(request, key, issuer_certificate, valid_until)
+      request = certificate_signing_request(request)
+      key = rsa_key(key)
+      issuer_certificate = x509_certificate(issuer_certificate)
+
+      csr_cert = build_certificate_from_csr(
+        request,
+        issuer_certificate,
+        valid_until
+      )
+      csr_cert.sign(key, OpenSSL::Digest.new("SHA1")) # TODO: review this one
+      x509_certificate(csr_cert.to_pem)
+    end
+
+    def build_certificate_from_csr(
+      signing_request,
+      issuer_certificate,
+      valid_until
+    )
+      certificate = OpenSSL::X509::Certificate.new
+      certificate.serial = Time.now.to_i
+      certificate.version = 2 # TODO: Check what to put here
+      certificate.not_before = Time.current
+      certificate.not_after = valid_until
+      certificate.subject = signing_request.subject
+      certificate.public_key = signing_request.public_key
+      certificate.issuer = issuer_certificate.subject
+
+      certificate
+    end
   end
 end

data/pkcs7-cryptographer.gemspec

@@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
     "Utility to encrypt and decrypt messages using OpenSSL::PKCS7"
   spec.homepage      = "https://github.com/dmuneras/pkcs7-cryptographer"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = "https://github.com/dmuneras/pkcs7-cryptographer"
@@ -27,6 +27,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.add_dependency "activesupport", ">= 6.1.4.1"
+
   spec.add_development_dependency "bundler", ">= 2"
   spec.add_development_dependency "pry"
   spec.add_development_dependency "rake", "~> 13.0"
@@ -34,4 +36,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rubocop", "1.12.0"
   spec.add_development_dependency "rubocop-rake", "0.5.1"
   spec.add_development_dependency "rubocop-rspec", "2.2.0"
+  spec.add_development_dependency "timecop", "0.9.4"
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: pkcs7-cryptographer
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 1.1.1
 platform: ruby
 authors:
 - Daniel Munera Sanchez
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-03-25 00:00:00.000000000 Z
+date: 2021-09-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.1.4.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.1.4.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +122,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.2.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.4
 description: Utility to encrypt and decrypt messages using OpenSSL::PKCS7
 email:
 - dmunera119@gmail.com
@@ -146,7 +174,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="