robocap-decryption-sdk 1.0.0

data/lib/robocap/sdk/rsa_oaep.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'securerandom'
+require_relative 'config'
+require_relative 'errors'
+
+module Robocap
+  module SDK
+    module RSAOAEP
+      module_function
+
+      def cipher_len_for_key(key)
+        key.n.num_bytes
+      end
+
+      def wrap_key(plaintext, public_key, plain_len:, cipher_len: nil)
+        unless plaintext.bytesize == plain_len
+          raise ArgumentError, "plaintext must be #{plain_len} bytes (got #{plaintext.bytesize})"
+        end
+        expected = cipher_len || cipher_len_for_key(public_key)
+        ciphertext = public_key.encrypt(
+          plaintext,
+          rsa_padding_mode: 'oaep',
+          rsa_oaep_md: 'sha256',
+          rsa_mgf1_md: 'sha256',
+        )
+        unless ciphertext.bytesize == expected
+          raise ArgumentError, "RSA ciphertext length #{ciphertext.bytesize} != #{expected}"
+        end
+        ciphertext
+      end
+
+      def unwrap_key(ciphertext, private_key,
+                     plain_len:, cipher_len: nil,
+                     decode_error: ErrorCode::ERR_K2_DECODE,
+                     length_error: ErrorCode::ERR_K2_PLAINTEXT_LENGTH)
+        expected = cipher_len || cipher_len_for_key(private_key)
+        unless ciphertext.bytesize == expected
+          raise Error.new(code: decode_error, message: "RSA ciphertext must be #{expected} bytes")
+        end
+        plaintext = begin
+          private_key.decrypt(
+            ciphertext,
+            rsa_padding_mode: 'oaep',
+            rsa_oaep_md: 'sha256',
+            rsa_mgf1_md: 'sha256',
+          )
+        rescue OpenSSL::PKey::PKeyError, OpenSSL::PKey::RSAError => exc
+          raise Error.new(code: decode_error, message: 'RSA-OAEP unwrap failed', detail: { reason: exc.message })
+        end
+        unless plaintext.bytesize == plain_len
+          raise Error.new(code: length_error, message: "Decrypted key length #{plaintext.bytesize} != #{plain_len}")
+        end
+        plaintext
+      end
+
+      def wrap_aes_key(device_aes, public_key)
+        wrap_key(
+          device_aes, public_key,
+          plain_len: Config::AES_KEY_BYTES,
+          cipher_len: Config::RSA_CIPHERTEXT_BYTES,
+        )
+      end
+
+      def unwrap_aes_key(ciphertext, private_key)
+        unwrap_key(
+          ciphertext, private_key,
+          plain_len: Config::AES_KEY_BYTES,
+          cipher_len: Config::RSA_CIPHERTEXT_BYTES,
+        )
+      end
+
+      def wrap_cek(cek, public_key)
+        wrap_key(
+          cek, public_key,
+          plain_len: Config::CEK_BYTES,
+          cipher_len: Config::RSA_2048_CIPHERTEXT_BYTES,
+        )
+      end
+
+      def unwrap_cek(ciphertext, private_key)
+        unwrap_key(
+          ciphertext, private_key,
+          plain_len: Config::CEK_BYTES,
+          cipher_len: Config::RSA_2048_CIPHERTEXT_BYTES,
+          decode_error: ErrorCode::ERR_CENC_CEKA_WRAP,
+          length_error: ErrorCode::ERR_CENC_CEKA_LENGTH,
+        )
+      end
+    end
+  end
+end

data/lib/robocap/sdk/vault_layout.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'pathname'
+require 'tempfile'
+require_relative 'errors'
+
+module Robocap
+  module SDK
+    module VaultLayout
+      module_function
+
+      def ensure_private_dir(path)
+        path = Pathname(path)
+        FileUtils.mkdir_p(path)
+        File.chmod(0o700, path) unless Gem.win_platform?
+      end
+
+      def atomic_write_bytes(target, data)
+        target = Pathname(target)
+        tmp = nil
+        begin
+          ensure_private_dir(target.parent)
+          tmp = Tempfile.new(['.tmp_', ''], target.parent.to_s, binmode: true)
+          tmp.write(data)
+          tmp.flush
+          tmp.fsync rescue nil
+          tmp.close
+          File.rename(tmp.path, target.to_s)
+          tmp = nil
+        rescue SystemCallError => exc
+          raise Error.new(
+            code: ErrorCode::ERR_VAULT_IO,
+            message: "Failed to write #{target}",
+            detail: { path: target.to_s, reason: exc.message },
+          )
+        ensure
+          if tmp
+            tmp.close unless tmp.closed?
+            File.unlink(tmp.path) if File.exist?(tmp.path)
+          end
+        end
+      end
+
+      def atomic_write_text(target, text, encoding: 'UTF-8')
+        atomic_write_bytes(target, text.encode(encoding).b)
+      end
+    end
+  end
+end

data/lib/robocap/sdk/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Robocap
+  module SDK
+    VERSION = '1.0.0'
+  end
+end

data/lib/robocap/sdk.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative 'sdk/version'
+require_relative 'sdk/config'
+require_relative 'sdk/errors'
+require_relative 'sdk/rsa_key_meta'
+require_relative 'sdk/rsa_oaep'
+require_relative 'sdk/vault_layout'
+require_relative 'sdk/key_vault'
+require_relative 'sdk/ffmpeg_cli'
+require_relative 'sdk/mp4_cenc'
+require_relative 'sdk/ownership'
+require_relative 'sdk/rsa_import'
+require_relative 'sdk/rsa_delete'
+require_relative 'sdk/decrypt_cenc'
+
+module Robocap
+  module SDK
+    module_function
+
+    def import_rsa_key_version(**kwargs)
+      RsaImport.call(**kwargs)
+    end
+
+    def delete_rsa_key_version(**kwargs)
+      RsaDelete.call(**kwargs)
+    end
+
+    def delete_rsa_key_dir(**kwargs)
+      RsaDelete.call_with_dir(**kwargs)
+    end
+
+    def decrypt_cenc_mp4(**kwargs)
+      DecryptCenc.call(**kwargs)
+    end
+
+    def verify_customer_private_key(**kwargs)
+      Ownership.verify(**kwargs)
+    end
+  end
+end

metadata

@@ -0,0 +1,99 @@
+--- !ruby/object:Gem::Specification
+name: robocap-decryption-sdk
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Frodobots
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.20'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.20'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+description: Ruby port of the Robocap CENC decryption SDK. Reads the same on-disk
+  vault and MP4 format as the Python SDK.
+executables:
+- robocap-decryption-sdk
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- exe/robocap-decryption-sdk
+- lib/robocap/sdk.rb
+- lib/robocap/sdk/cli.rb
+- lib/robocap/sdk/config.rb
+- lib/robocap/sdk/decrypt_cenc.rb
+- lib/robocap/sdk/errors.rb
+- lib/robocap/sdk/ffmpeg_cli.rb
+- lib/robocap/sdk/key_vault.rb
+- lib/robocap/sdk/mp4_cenc.rb
+- lib/robocap/sdk/ownership.rb
+- lib/robocap/sdk/rsa_delete.rb
+- lib/robocap/sdk/rsa_import.rb
+- lib/robocap/sdk/rsa_key_meta.rb
+- lib/robocap/sdk/rsa_oaep.rb
+- lib/robocap/sdk/vault_layout.rb
+- lib/robocap/sdk/version.rb
+homepage: https://github.com/frodobots-org/robocap-decryption-sdk
+licenses:
+- Nonstandard
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.2
+specification_version: 4
+summary: Offline import of RSA keys and decrypt of CENC-encrypted MP4 files.
+test_files: []