pws 0.9.2 → 1.0.0.pre.1

data/lib/pws/format/0.9.rb

@@ -0,0 +1,44 @@
+# encoding: ascii
+require_relative '../format'
+require 'openssl'
+
+class PWS
+  module Format
+    # PWS file format reader for versions before 1.0.0
+    module V0_9
+      class << self
+        def write(_,_={})
+          raise NotImplementedError, 'Writing the legacy 0.9 format is not supported'
+        end
+
+        def read(saved_data, options = {})
+          unmarshal(decrypt(saved_data, options))
+        rescue
+          fail NoAccess, %[Could not read the password safe!]
+        end
+        
+        def decrypt(saved_data, options = {})
+          iv, encrypted_data = saved_data.unpack('a16 a*')
+          PWS::Encryptor.decrypt(
+            encrypted_data,
+            key: sha(options[:password]),
+            iv:   iv,
+          )
+        end
+        
+        def unmarshal(unencrypted_data, options = {})
+          raw_data = Marshal.load(unencrypted_data)
+          application_data = raw_data[ raw_data[-1] ] # remove redundancy
+          Hash[application_data.map{ |k,v| [k, { password: v}] }] # patch to new internal format
+        end
+        
+        def sha(plaintext)
+          OpenSSL::Digest::SHA512.new(plaintext).digest
+        end
+        
+      end#self
+    end#V0_9
+  end
+end
+
+# J-_-L

data/lib/pws/format/1.0.rb

@@ -0,0 +1,183 @@
+# encoding: ascii
+
+require_relative '../format'
+require 'securerandom'
+require 'digest/hmac'
+require 'openssl'
+
+class PWS
+  module Format
+    # PWS file format for versions ~> 1.0.0
+    # see at bottom block for a short format description
+    module V1_0
+      TEMPLATE = 'a64 a16 N a64 a*'.freeze
+      DEFAULT_ITERATIONS =        80_000
+      MAX_ITERATIONS     =    10_000_000
+      MAX_ENTRY_LENGTH   = 4_294_967_295 # N
+    
+      class << self
+        def write(application_data, options = {})
+          encrypt(marshal(application_data), options)
+        end
+        
+        def encrypt(unencrypted_data, options = {})
+          raise ArgumentError, 'No password given' if \
+              !options[:password]
+
+          iterations = ( options[:iterations] || DEFAULT_ITERATIONS ).to_i
+          raise ArgumentError, 'Invalid iteration count given' if \
+              iterations > MAX_ITERATIONS || iterations < 2
+          
+          salt = SecureRandom.random_bytes(64)
+          iv  = Encryptor.random_iv
+          
+          encryption_key, hmac_key = kdf(
+            options[:password],
+            salt,
+            iterations,
+          ).unpack('a256 a256')
+          
+          sha = hmac(hmac_key, salt, iv, iterations, unencrypted_data)
+          
+          encrypted_data = Encryptor.encrypt(
+            unencrypted_data,
+            key: encryption_key,
+            iv:  iv,
+          )
+          
+          [salt, iv, iterations, sha, encrypted_data].pack(TEMPLATE) 
+        end
+        
+        def marshal(application_data, options = {})
+          number_of_dummy_bytes = 100_000 + SecureRandom.random_number(1_000_000)
+          ordered_data = application_data.to_a
+          [
+            number_of_dummy_bytes,
+            application_data.size,
+            SecureRandom.random_bytes(number_of_dummy_bytes) +
+            array_to_data_string(ordered_data.map{ |_, e| e[:password].to_s }) +
+            array_to_data_string(ordered_data.map{ |k, _| k.to_s }) +
+            array_to_data_string(ordered_data.map{ |_, e| e[:timestamp].to_i }) +
+            SecureRandom.random_bytes(100_000 + SecureRandom.random_number(1_000_000))
+          ].pack('N N a*')
+        end
+        
+        # - - -
+        
+        def read(encrypted_data, options = {})
+          unmarshal(decrypt(encrypted_data, options))
+        end
+        
+        def decrypt(saved_data, options = {})
+          raise ArgumentError, 'No password given' if \
+              !options[:password]
+          raise ArgumentError, 'No data given' if \
+              !saved_data || saved_data.empty?
+          salt, iv, iterations, sha, encrypted_data = saved_data.unpack(TEMPLATE)
+          
+          raise NoAccess, 'Password file invalid' if \
+              salt.size != 64             ||
+              iterations > MAX_ITERATIONS ||
+              iv.size != 16               ||
+              sha.size != 64
+              
+          encryption_key, hmac_key = kdf(
+            options[:password],
+            salt,
+            iterations,
+          ).unpack('a256 a256')
+          
+          begin
+            unencrypted_data = Encryptor.decrypt(
+              encrypted_data,
+              key: encryption_key,
+              iv:  iv,
+            )
+          rescue OpenSSL::Cipher::CipherError
+            raise NoAccess, 'Could not decrypt'
+          end
+          
+          raise NoAccess, 'Password file invalid' unless \
+              sha == hmac(hmac_key, salt, iv, iterations, unencrypted_data)
+              
+          unencrypted_data
+        end
+        
+        def unmarshal(saved_data, options = {})
+          number_of_dummy_bytes, data_size, raw_data = saved_data.unpack('N N a*')
+          i = number_of_dummy_bytes
+          passwords, names, timestamps = 3.times.map{
+            data_size.times.map{
+              next_element, i = get_next_data_string(raw_data, i)
+              next_element
+            }
+          }
+          Hash[
+            names.zip(
+              passwords.zip(timestamps).map{ |e,f|
+                { password: e.to_s, timestamp: f.to_i }
+              }
+            )
+          ]
+        end
+        
+        private
+        
+        def kdf(password, salt, iterations)
+          OpenSSL::PKCS5::pbkdf2_hmac(
+            password,
+            salt,
+            iterations,
+            512,
+            OpenSSL::Digest::SHA512.new,
+          )
+        end
+        
+        def hmac(key, *strings)
+          Digest::HMAC.new(key, Digest::SHA512).update(
+            strings.map(&:to_s).join
+          ).digest
+        end
+        
+        def array_to_data_string(array)
+          array.map{ |e|
+            e = e.to_s
+            s = e.bytesize
+            raise(ArgumentError, 'Entry too long') if s > MAX_ENTRY_LENGTH
+            [s, e].pack('N a*')
+          }.join
+        end
+        
+        def get_next_data_string(string, pos)
+          res_length = string[pos..pos+4].unpack('N')[0]
+          new_pos = pos + 4 + res_length
+          res = string[pos+4...new_pos].unpack('a*')[0]
+          
+          [res, new_pos]
+        end
+      end#self
+    end#V1_0
+  end
+end
+
+=begin ENCRYPTION FORMAT
+
+Bytes  Data            Description
+64     SALT            Randomly generated, used by kdf
+16     IV              Randomly generated, used by aes
+4      ITERATIONS      How often the password gets hashed by the kdf
+64     HMAC            On everything
+*      ENCRYPTED_DATA
+
+=end
+
+=begin MARSHAL FORMAT
+
+number of dummy bytes before real data
+dummy bytes
+passwords
+names
+timestamps
+dummy bytes
+
+=end

data/lib/pws/runner.rb

@@ -91,20 +91,39 @@ module PWS::Runner
 HELP
       else # redirect to safe
         if PWS.public_instance_methods(false).include?(action)
-          PWS.new(options).public_send(action, *arguments)
+          status = PWS.new(options).public_send(action, *arguments.map{ |a|
+            a.unpack('a*')[0] # ignore encoding
+          })
+          exit(status ? 0 : 2)
         else
-          pa "Unknown action: #{action}\nPlease see `pws --help` for a list of available commands!", :red
+          raise ArgumentError, "Unknown action: #{action}\nPlease see `pws --help` for a list of available commands!"
         end
       end
+    rescue PWS::NoLegacyAccess
+      pa "NO ACCESS", :red, :bold
+      pa 'The password safe you are trying to access migth be a version 0.9 password file', :red
+      pa 'If this is the case, you will need to convert it to a version 1.0 password file by calling:', :red
+      pa 'pws resave --in 0.9 --out 1.0', :red
+      exit(3)
     rescue PWS::NoAccess
       # pa $!.message.capitalize, :red, :bold
       pa "NO ACCESS", :red, :bold
+      exit(3)
     rescue ArgumentError
       pa $!.message.capitalize, :red
+      exit(4)
     rescue Interrupt
       system 'stty echo' if $stdin.tty? # ensure terminal's working
       pa "..canceled", :red
+      exit(5)
     end
+    
+    # exit status codes (not final, yet)
+    # 0 Success
+    # 2 Successfully run, but operation not successful
+    # 3 NoAccess
+    # 4 ArgumentError
+    # 5 Interrupt
   end
 end
 

data/lib/pws/version.rb

@@ -1,3 +1,3 @@
 class PWS
-  VERSION = '0.9.2'.dup
+  VERSION = '1.0.0.pre.1'
 end

data/pws.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
   s.email       = "mail@janlelis.de"
   s.homepage    = 'https://github.com/janlelis/pws'
   s.summary     = "pws is a cli password safe."
-  s.description = "pws is a command-line password safe. Please run `pws help` for usage information."
+  s.description = "pws is a command-line password safe. Please run `pws --help` for usage information."
   s.files = Dir.glob(%w[{lib,test}/**/*.rb bin/* [A-Z]*.{txt,rdoc} ext/**/*.{rb,c} features/**/*]) + %w{Rakefile pws.gemspec}
   s.extra_rdoc_files = ["README.md", "LICENSE"]
   s.license = 'MIT'
@@ -20,14 +20,20 @@ Gem::Specification.new do |s|
   s.add_dependency 'zucker',    '>= 12.1'
   s.add_dependency 'paint',     '>= 0.8.4'
   s.add_development_dependency 'rake'
-  s.add_development_dependency 'cucumber'
   s.add_development_dependency 'aruba'
-
+  s.add_development_dependency 'cucumber'
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'guard-cucumber'
+  s.add_development_dependency 'guard-rspec'
+  s.add_development_dependency 'ripltools'
+  s.add_development_dependency 'irbtools'
+  # s.add_development_dependency 'ruby-debug19'
+  
   len = s.homepage.size
   s.post_install_message = \
-   ("       ┌── " + "info ".ljust(len-2,'%')                         + "─┐\n" +
+   ("       ┌── " + "info ".ljust(len-2,'─')                         + "─┐\n" +
     " J-_-L │ "   + s.homepage                                       + " │\n" +
-    "       ├── " + "usage ".ljust(len-2,'%')                        + "─┤\n" +
-    "       │ "   + "pws help".ljust(len,' ')                        + " │\n" +
-    "       └─"   + '─'*len                                          + "─┘").gsub('%', '─')
+    "       ├── " + "usage ".ljust(len-2,'─')                        + "─┤\n" +
+    "       │ "   + "pws --help".ljust(len,' ')                      + " │\n" +
+    "       └─"   + '─'*len                                          + "─┘")
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: pws
 version: !ruby/object:Gem::Version
-  version: 0.9.2
-  prerelease: 
+  version: 1.0.0.pre.1
+  prerelease: 6
 platform: ruby
 authors:
 - Jan Lelis
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-24 00:00:00.000000000 Z
+date: 2012-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clipboard
@@ -75,6 +75,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
@@ -92,7 +108,39 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: aruba
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-cucumber
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
@@ -107,7 +155,39 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-description: pws is a command-line password safe. Please run `pws help` for usage
+- !ruby/object:Gem::Dependency
+  name: ripltools
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: irbtools
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: pws is a command-line password safe. Please run `pws --help` for usage
   information.
 email: mail@janlelis.de
 executables:
@@ -117,20 +197,26 @@ extra_rdoc_files:
 - README.md
 - LICENSE
 files:
+- lib/pws/format.rb
+- lib/pws/format/1.0.rb
+- lib/pws/format/0.9.rb
 - lib/pws/version.rb
 - lib/pws/encryptor.rb
 - lib/pws/runner.rb
 - lib/pws.rb
 - bin/pws
+- features/in-out.feature
+- features/update.feature
 - features/show.feature
-- features/access.feature
 - features/misc.feature
 - features/get.feature
 - features/master.feature
 - features/remove.feature
 - features/namespaces.feature
+- features/resave.feature
 - features/add.feature
 - features/support/env.rb
+- features/create.feature
 - features/rename.feature
 - features/generate.feature
 - features/step_definitions/pws_steps.rb
@@ -142,7 +228,7 @@ homepage: https://github.com/janlelis/pws
 licenses:
 - MIT
 post_install_message: ! "       ┌── info ─────────────────────────┐\n J-_-L │ https://github.com/janlelis/pws
-  │\n       ├── usage ────────────────────────┤\n       │ pws help                        │\n
+  │\n       ├── usage ────────────────────────┤\n       │ pws --help                      │\n
   \      └─────────────────────────────────┘"
 rdoc_options: []
 require_paths:
@@ -156,9 +242,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23
@@ -166,3 +252,4 @@ signing_key:
 specification_version: 3
 summary: pws is a cli password safe.
 test_files: []
+has_rdoc: