RubyGems - ruby-paseto - Versions diffs - 0.1.0 - Mend

ruby-paseto 0.1.0

Files changed (116) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +8 -0
data/CODE_OF_CONDUCT.md +84 -0
data/LICENSE.txt +21 -0
data/README.md +549 -0
data/lib/paseto/asn1/algorithm_identifier.rb +17 -0
data/lib/paseto/asn1/curve_private_key.rb +22 -0
data/lib/paseto/asn1/ec_private_key.rb +27 -0
data/lib/paseto/asn1/ecdsa_full_r.rb +26 -0
data/lib/paseto/asn1/ecdsa_sig_value.rb +23 -0
data/lib/paseto/asn1/ecdsa_signature.rb +49 -0
data/lib/paseto/asn1/ed25519_identifier.rb +15 -0
data/lib/paseto/asn1/named_curve.rb +17 -0
data/lib/paseto/asn1/one_asymmetric_key.rb +32 -0
data/lib/paseto/asn1/private_key.rb +17 -0
data/lib/paseto/asn1/private_key_algorithm_identifier.rb +17 -0
data/lib/paseto/asn1/public_key.rb +17 -0
data/lib/paseto/asn1/subject_public_key_info.rb +28 -0
data/lib/paseto/asn1.rb +101 -0
data/lib/paseto/asymmetric_key.rb +100 -0
data/lib/paseto/configuration/box.rb +23 -0
data/lib/paseto/configuration/decode_configuration.rb +68 -0
data/lib/paseto/configuration.rb +18 -0
data/lib/paseto/interface/i_d.rb +23 -0
data/lib/paseto/interface/key.rb +113 -0
data/lib/paseto/interface/pbkd.rb +83 -0
data/lib/paseto/interface/pie.rb +59 -0
data/lib/paseto/interface/pke.rb +86 -0
data/lib/paseto/interface/serializer.rb +19 -0
data/lib/paseto/interface/version.rb +161 -0
data/lib/paseto/interface/wrapper.rb +20 -0
data/lib/paseto/operations/i_d.rb +48 -0
data/lib/paseto/operations/id/i_dv3.rb +20 -0
data/lib/paseto/operations/id/i_dv4.rb +20 -0
data/lib/paseto/operations/pbkd/p_b_k_dv3.rb +85 -0
data/lib/paseto/operations/pbkd/p_b_k_dv4.rb +94 -0
data/lib/paseto/operations/pbkw.rb +73 -0
data/lib/paseto/operations/pke/p_k_ev3.rb +97 -0
data/lib/paseto/operations/pke/p_k_ev4.rb +95 -0
data/lib/paseto/operations/pke.rb +57 -0
data/lib/paseto/operations/wrap.rb +29 -0
data/lib/paseto/paserk.rb +55 -0
data/lib/paseto/paserk_types.rb +46 -0
data/lib/paseto/protocol/version3.rb +100 -0
data/lib/paseto/protocol/version4.rb +99 -0
data/lib/paseto/result.rb +9 -0
data/lib/paseto/serializer/optional_json.rb +30 -0
data/lib/paseto/serializer/raw.rb +23 -0
data/lib/paseto/sodium/curve_25519.rb +46 -0
data/lib/paseto/sodium/safe_ed25519_loader.rb +19 -0
data/lib/paseto/sodium/stream/base.rb +82 -0
data/lib/paseto/sodium/stream/x_cha_cha20_xor.rb +31 -0
data/lib/paseto/sodium.rb +5 -0
data/lib/paseto/symmetric_key.rb +119 -0
data/lib/paseto/token.rb +127 -0
data/lib/paseto/token_types.rb +29 -0
data/lib/paseto/util.rb +105 -0
data/lib/paseto/v3/local.rb +63 -0
data/lib/paseto/v3/public.rb +204 -0
data/lib/paseto/v4/local.rb +56 -0
data/lib/paseto/v4/public.rb +169 -0
data/lib/paseto/validator.rb +154 -0
data/lib/paseto/verifiers/footer.rb +30 -0
data/lib/paseto/verifiers/payload.rb +42 -0
data/lib/paseto/verify.rb +48 -0
data/lib/paseto/version.rb +6 -0
data/lib/paseto/versions.rb +25 -0
data/lib/paseto/wrappers/pie/pie_v3.rb +72 -0
data/lib/paseto/wrappers/pie/pie_v4.rb +72 -0
data/lib/paseto/wrappers/pie.rb +71 -0
data/lib/paseto.rb +99 -0
data/paseto.gemspec +58 -0
data/sorbet/config +3 -0
data/sorbet/rbi/annotations/rainbow.rbi +269 -0
data/sorbet/rbi/gems/ast@2.4.2.rbi +584 -0
data/sorbet/rbi/gems/diff-lcs@1.5.0.rbi +1083 -0
data/sorbet/rbi/gems/docile@1.4.0.rbi +376 -0
data/sorbet/rbi/gems/ffi@1.15.5.rbi +1994 -0
data/sorbet/rbi/gems/io-console@0.5.11.rbi +8 -0
data/sorbet/rbi/gems/irb@1.5.1.rbi +342 -0
data/sorbet/rbi/gems/json@2.6.3.rbi +1541 -0
data/sorbet/rbi/gems/multi_json@1.15.0.rbi +267 -0
data/sorbet/rbi/gems/netrc@0.11.0.rbi +158 -0
data/sorbet/rbi/gems/oj@3.13.23.rbi +603 -0
data/sorbet/rbi/gems/openssl@3.0.1.rbi +1735 -0
data/sorbet/rbi/gems/parallel@1.22.1.rbi +277 -0
data/sorbet/rbi/gems/rainbow@3.1.1.rbi +407 -0
data/sorbet/rbi/gems/rake@13.0.6.rbi +3021 -0
data/sorbet/rbi/gems/rbnacl@7.1.1.rbi +3218 -0
data/sorbet/rbi/gems/regexp_parser@2.6.1.rbi +3481 -0
data/sorbet/rbi/gems/reline@0.3.1.rbi +8 -0
data/sorbet/rbi/gems/rexml@3.2.5.rbi +4717 -0
data/sorbet/rbi/gems/rspec-core@3.12.0.rbi +10887 -0
data/sorbet/rbi/gems/rspec-expectations@3.12.0.rbi +8090 -0
data/sorbet/rbi/gems/rspec-mocks@3.12.0.rbi +5300 -0
data/sorbet/rbi/gems/rspec-support@3.12.0.rbi +1617 -0
data/sorbet/rbi/gems/rspec@3.12.0.rbi +88 -0
data/sorbet/rbi/gems/ruby-progressbar@1.11.0.rbi +1239 -0
data/sorbet/rbi/gems/simplecov-html@0.12.3.rbi +219 -0
data/sorbet/rbi/gems/simplecov@0.21.2.rbi +2135 -0
data/sorbet/rbi/gems/simplecov_json_formatter@0.1.4.rbi +8 -0
data/sorbet/rbi/gems/thor@1.2.1.rbi +3956 -0
data/sorbet/rbi/gems/timecop@0.9.6.rbi +350 -0
data/sorbet/rbi/gems/unicode-display_width@2.3.0.rbi +48 -0
data/sorbet/rbi/gems/webrick@1.7.0.rbi +2555 -0
data/sorbet/rbi/gems/yard-sorbet@0.7.0.rbi +391 -0
data/sorbet/rbi/gems/yard@0.9.28.rbi +17816 -0
data/sorbet/rbi/gems/zeitwerk@2.6.6.rbi +950 -0
data/sorbet/rbi/shims/multi_json.rbi +19 -0
data/sorbet/rbi/shims/openssl.rbi +111 -0
data/sorbet/rbi/shims/rbnacl.rbi +65 -0
data/sorbet/rbi/shims/zeitwerk.rbi +6 -0
data/sorbet/rbi/todo.rbi +7 -0
data/sorbet/tapioca/config.yml +30 -0
data/sorbet/tapioca/require.rb +12 -0
metadata +376 -0

data/lib/paseto/operations/pbkd/p_b_k_dv3.rb ADDED Viewed

@@ -0,0 +1,85 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    module PBKD
+      class PBKDv3
+        extend T::Sig
+        include Interface::PBKD
+        sig { override.returns(Protocol::Version3) }
+        def self.protocol
+          Protocol::Version3.new
+        end
+        sig { params(password: String).void }
+        def initialize(password)
+          @password = password
+        end
+        sig do
+          override.params(
+            header: String,
+            pre_key: String,
+            salt: String,
+            nonce: String,
+            edk: String,
+            params: T::Hash[Symbol, Integer]
+          ).returns([String, String])
+        end
+        def authenticate(header:, pre_key:, salt:, nonce:, edk:, params:) # rubocop:disable Metrics/ParameterLists
+          iterations = Util.int_to_be32(T.must(params[:iterations]))
+          message = "#{salt}#{iterations}#{nonce}#{edk}"
+          ak = protocol.digest("#{Operations::PBKW::DOMAIN_SEPARATOR_AUTH}#{pre_key}")
+          tag = protocol.hmac("#{header}.#{message}", key: ak)
+          [message, tag]
+        end
+        sig { override.params(salt: String, params: T::Hash[Symbol, Integer]).returns(String) }
+        def pre_key(salt:, params:)
+          iterations = T.must(params[:iterations])
+          protocol.kdf(@password, salt: salt, length: 32, iterations: iterations)
+        end
+        sig { override.returns(String) }
+        def random_nonce
+          protocol.random(16)
+        end
+        sig { override.returns(String) }
+        def random_salt
+          protocol.random(32)
+        end
+        sig do
+          override.params(payload: String).returns(
+            {
+              salt: String,
+              nonce: String,
+              edk: String,
+              tag: String,
+              params: T::Hash[Symbol, Integer]
+            }
+          )
+        end
+        def decode(payload)
+          data = Util.decode64(payload)
+          edk_len = data.bytesize - 100
+          iterations = Util.be32_to_int(T.must(data.byteslice(32, 4)))
+          {
+            salt: T.must(data.byteslice(0, 32)),
+            nonce: T.must(data.byteslice(36, 16)),
+            edk: T.must(data.byteslice(52, edk_len)),
+            tag: T.must(data.byteslice(-48, 48)),
+            params: { iterations: iterations }
+          }
+        end
+      end
+    end
+  end
+end

data/lib/paseto/operations/pbkd/p_b_k_dv4.rb ADDED Viewed

@@ -0,0 +1,94 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    module PBKD
+      class PBKDv4
+        extend T::Sig
+        include Interface::PBKD
+        sig { override.returns(Protocol::Version4) }
+        def self.protocol
+          Protocol::Version4.new
+        end
+        sig { params(password: String).void }
+        def initialize(password)
+          @password = password
+        end
+        sig do
+          override.params(
+            header: String,
+            pre_key: String,
+            salt: String,
+            nonce: String,
+            edk: String,
+            params: T::Hash[Symbol, Integer]
+          ).returns([String, String])
+        end
+        def authenticate(header:, pre_key:, salt:, nonce:, edk:, params:) # rubocop:disable Metrics/ParameterLists
+          memlimit_int = RbNaCl::PasswordHash::Argon2.memlimit_value(params[:memlimit])
+          opslimit_int = RbNaCl::PasswordHash::Argon2.opslimit_value(params[:opslimit])
+          memlimit = Util.int_to_be64(memlimit_int)
+          opslimit = Util.int_to_be32(opslimit_int)
+          para = Util.int_to_be32(1)
+          message = "#{salt}#{memlimit}#{opslimit}#{para}#{nonce}#{edk}"
+          ak = protocol.digest("#{Operations::PBKW::DOMAIN_SEPARATOR_AUTH}#{pre_key}", digest_size: 32)
+          tag = protocol.hmac("#{header}.#{message}", key: ak, digest_size: 32)
+          [message, tag]
+        end
+        sig { override.params(salt: String, params: T::Hash[Symbol, Integer]).returns(String) }
+        def pre_key(salt:, params:)
+          opslimit = T.must(params[:opslimit])
+          memlimit = T.must(params[:memlimit])
+          protocol.kdf(@password, salt: salt, length: 32, opslimit: opslimit, memlimit: memlimit)
+        end
+        sig { override.returns(String) }
+        def random_nonce
+          protocol.random(24)
+        end
+        sig { override.returns(String) }
+        def random_salt
+          protocol.random(16)
+        end
+        sig do
+          override.params(payload: String).returns(
+            {
+              salt: String,
+              nonce: String,
+              edk: String,
+              tag: String,
+              params: T::Hash[Symbol, Integer]
+            }
+          )
+        end
+        def decode(payload) # rubocop:disable Metrics/AbcSize
+          data = Util.decode64(payload)
+          edk_len = data.bytesize - 88
+          {
+            salt: T.must(data.byteslice(0, 16)),
+            nonce: T.must(data.byteslice(32, 24)),
+            edk: T.must(data.byteslice(56, edk_len)),
+            tag: T.must(data.byteslice(-32, 32)),
+            params: {
+              memlimit: Util.be64_to_int(T.must(data.byteslice(16, 8))),
+              opslimit: Util.be32_to_int(T.must(data.byteslice(24, 4))),
+              para: Util.be32_to_int(T.must(data.byteslice(28, 4)))
+            }
+          }
+        end
+      end
+    end
+  end
+end

data/lib/paseto/operations/pbkw.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    class PBKW
+      DOMAIN_SEPARATOR_ENCRYPT = T.let("\xFF", String)
+      DOMAIN_SEPARATOR_AUTH = T.let("\xFE", String)
+      extend T::Sig
+      sig { params(key: Interface::Key, password: String, options: T::Hash[Symbol, T.any(Integer, Symbol)]).returns(String) }
+      def self.pbkw(key, password, options = {})
+        new(key.protocol, password).encode(key, options)
+      end
+      sig { params(version: Interface::Version, password: String).void }
+      def initialize(version, password)
+        @coder = T.let(version.pbkw(password), Interface::PBKD)
+      end
+      sig { params(key: Interface::Key, options: T::Hash[Symbol, T.any(Integer, Symbol)]).returns(String) }
+      def encode(key, options)
+        raise LucidityError unless key.protocol == @coder.protocol
+        opts = default_options.merge(options)
+        h = key.pbkw_header
+        salt = @coder.random_salt
+        nonce = @coder.random_nonce
+        pre_key = @coder.pre_key(salt: salt, params: opts)
+        edk = @coder.crypt(payload: key.to_bytes, key: pre_key, nonce: nonce)
+        message, t = @coder.authenticate(header: h, pre_key: pre_key, salt: salt, nonce: nonce, edk: edk, params: opts)
+        data = Util.encode64("#{message}#{t}")
+        "#{h}.#{data}"
+      end
+      sig { params(paserk: String).returns(Interface::Key) }
+      def decode(paserk)
+        paserk.split('.') => [version, type, data]
+        raise LucidityError unless version == @coder.paserk_version
+        header = "#{version}.#{type}"
+        @coder.decode(data) => {salt:, nonce:, edk:, tag:, params:}
+        pre_key = @coder.pre_key(salt: salt, params: params)
+        _, t2 = @coder.authenticate(header: header, pre_key: pre_key, salt: salt, nonce: nonce, edk: edk, params: params)
+        raise InvalidAuthenticator unless Util.constant_compare(t2, tag)
+        ptk = @coder.crypt(payload: edk, key: pre_key, nonce: nonce)
+        PaserkTypes.deserialize(header).generate(ptk)
+      end
+      private
+      sig { returns({ iterations: Integer, memlimit: Symbol, opslimit: Symbol }) }
+      def default_options
+        {
+          iterations: 100_000,
+          memlimit: :interactive,
+          opslimit: :interactive
+        }
+      end
+    end
+  end
+end

data/lib/paseto/operations/pke/p_k_ev3.rb ADDED Viewed

@@ -0,0 +1,97 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    class PKE
+      class PKEv3
+        extend T::Sig
+        include Interface::PKE
+        sig { override.params(esk: OpenSSL::PKey::EC).returns(String) }
+        def self.epk_bytes_from_esk(esk)
+          esk.public_key.to_octet_string(:compressed)
+        end
+        sig(:final) { override.returns(OpenSSL::PKey::EC) }
+        def self.generate_ephemeral_key
+          OpenSSL::PKey::EC.generate('secp384r1')
+        end
+        sig(:final) { override.returns(String) }
+        def self.header
+          'k3.seal.'
+        end
+        sig { override.returns(Protocol::Version3) }
+        def self.protocol
+          Protocol::Version3.new
+        end
+        sig { override.params(encoded_data: String).returns([String, OpenSSL::PKey::EC::Point, String]) }
+        def self.split(encoded_data)
+          data = Util.decode64(encoded_data)
+          t = T.must(data.slice(0, 48))
+          epk_bytes = T.must(data.slice(48, 49))
+          epk = OpenSSL::PKey::EC::Point.new(OpenSSL::PKey::EC::Group.new('secp384r1'), epk_bytes)
+          edk = T.must(data.slice(97, 32))
+          [t, epk, edk]
+        end
+        sig { params(sealing_key: AsymmetricKey).void }
+        def initialize(sealing_key)
+          raise LucidityError unless sealing_key.is_a? V3::Public
+          @sealing_key = T.let(sealing_key, V3::Public)
+          @pk = T.let(@sealing_key.public_bytes, String)
+        end
+        sig { override.params(message: String, ek: String, n: String).returns(SymmetricKey) }
+        def decrypt(message:, ek:, n:)
+          pdk = protocol.crypt(key: ek, nonce: n, payload: message)
+          V3::Local.new(ikm: pdk)
+        end
+        sig { override.params(xk: String, epk: OpenSSL::PKey::EC::Point).returns({ ek: String, n: String }) }
+        def derive_ek_n(xk:, epk:)
+          epk_bytes = epk.to_octet_string(:compressed)
+          x = protocol.digest("#{DOMAIN_SEPARATOR_ENCRYPT}#{header}#{xk}#{epk_bytes}#{@pk}")
+          ek = T.must(x[0, 32])
+          n = T.must(x[32, 16])
+          { ek: ek, n: n }
+        end
+        sig { override.params(xk: String, epk: OpenSSL::PKey::EC::Point).returns(String) }
+        def derive_ak(xk:, epk:)
+          epk_bytes = epk.to_octet_string(:compressed)
+          protocol.digest("#{DOMAIN_SEPARATOR_AUTH}#{header}#{xk}#{epk_bytes}#{@pk}")
+        end
+        sig { override.params(message: String, ek: String, n: String).returns(String) }
+        def encrypt(message:, ek:, n:)
+          protocol.crypt(payload: message, key: ek, nonce: n)
+        end
+        sig { override.params(ak: String, epk: OpenSSL::PKey::EC::Point, edk: String).returns(String) }
+        def tag(ak:, epk:, edk:)
+          epk_bytes = epk.to_octet_string(:compressed)
+          protocol.hmac("#{header}#{epk_bytes}#{edk}", key: ak)
+        end
+        private
+        sig { override.returns(Paseto::V3::Public) }
+        attr_reader :sealing_key
+      end
+    end
+  end
+end

data/lib/paseto/operations/pke/p_k_ev4.rb ADDED Viewed

@@ -0,0 +1,95 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    class PKE
+      class PKEv4
+        extend T::Sig
+        include Interface::PKE
+        sig { override.params(esk: RbNaCl::PrivateKey).returns(String) }
+        def self.epk_bytes_from_esk(esk)
+          esk.public_key.to_bytes
+        end
+        sig(:final) { override.returns(RbNaCl::PrivateKey) }
+        def self.generate_ephemeral_key
+          RbNaCl::PrivateKey.generate
+        end
+        sig(:final) { override.returns(String) }
+        def self.header
+          'k4.seal.'
+        end
+        sig { override.returns(Protocol::Version4) }
+        def self.protocol
+          Protocol::Version4.new
+        end
+        sig { override.params(encoded_data: String).returns([String, RbNaCl::PublicKey, String]) }
+        def self.split(encoded_data)
+          data = Util.decode64(encoded_data)
+          t = T.must(data.slice(0, 32))
+          epk_bytes = T.must(data.slice(32, 32))
+          epk = RbNaCl::PublicKey.new(epk_bytes)
+          edk = T.must(data.slice(64, 32))
+          [t, epk, edk]
+        end
+        sig { params(sealing_key: AsymmetricKey).void }
+        def initialize(sealing_key)
+          raise LucidityError unless sealing_key.is_a? V4::Public
+          @sealing_key = T.let(sealing_key, V4::Public)
+          @pk = T.let(@sealing_key.x25519_public_key, RbNaCl::PublicKey)
+          @pk_bytes = T.let(@pk.to_bytes, String)
+        end
+        sig { override.params(message: String, ek: String, n: String).returns(SymmetricKey) }
+        def decrypt(message:, ek:, n:)
+          pdk = protocol.crypt(payload: message, key: ek, nonce: n)
+          V4::Local.new(ikm: pdk)
+        end
+        sig { override.params(xk: String, epk: RbNaCl::PublicKey).returns({ ek: String, n: String }) }
+        def derive_ek_n(xk:, epk:)
+          ek = protocol.digest(
+            "#{DOMAIN_SEPARATOR_ENCRYPT}#{header}#{xk}#{epk.to_bytes}#{@pk_bytes}",
+            digest_size: 32
+          )
+          n = protocol.digest("#{epk.to_bytes}#{@pk_bytes}", digest_size: 24)
+          { ek: ek, n: n }
+        end
+        sig { override.params(xk: String, epk: RbNaCl::PublicKey).returns(String) }
+        def derive_ak(xk:, epk:)
+          protocol.digest([DOMAIN_SEPARATOR_AUTH, header, xk, epk.to_bytes, @pk_bytes].join, digest_size: 32)
+        end
+        sig { override.params(message: String, ek: String, n: String).returns(String) }
+        def encrypt(message:, ek:, n:)
+          protocol.crypt(payload: message, key: ek, nonce: n)
+        end
+        sig { override.params(ak: String, epk: RbNaCl::PublicKey, edk: String).returns(String) }
+        def tag(ak:, epk:, edk:)
+          protocol.hmac("#{header}#{epk.to_bytes}#{edk}", key: ak, digest_size: 32)
+        end
+        private
+        sig { override.returns(Paseto::V4::Public) }
+        attr_reader :sealing_key
+      end
+    end
+  end
+end

data/lib/paseto/operations/pke.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    class PKE
+      extend T::Sig
+      sig { params(sealing_key: AsymmetricKey).void }
+      def initialize(sealing_key)
+        @sealing_key = sealing_key
+        @coder = T.let(@sealing_key.pke, Paseto::Interface::PKE)
+      end
+      sig { params(key: SymmetricKey).returns(String) }
+      def seal(key)
+        raise LucidityError unless key.protocol == @sealing_key.protocol
+        esk = @coder.generate_ephemeral_key
+        epk = esk.public_key
+        xk = @sealing_key.ecdh(esk)
+        @coder.derive_ek_n(xk: xk, epk: epk) => {ek:, n:}
+        edk = @coder.encrypt(message: key.to_bytes, ek: ek, n: n)
+        ak = @coder.derive_ak(xk: xk, epk: epk)
+        t = @coder.tag(ak: ak, epk: epk, edk: edk)
+        epk_bytes = @coder.epk_bytes_from_esk(esk)
+        data = Util.encode64("#{t}#{epk_bytes}#{edk}")
+        "#{@coder.header}#{data}"
+      end
+      sig { params(paserk: String).returns(Interface::Key) }
+      def unseal(paserk)
+        paserk.split('.') => [version, type, encoded_data]
+        raise LucidityError unless version == @sealing_key.paserk_version
+        raise LucidityError unless type == 'seal'
+        t, epk, edk = @coder.split(encoded_data)
+        xk = @sealing_key.ecdh(epk)
+        ak = @coder.derive_ak(xk: xk, epk: epk)
+        t2 = @coder.tag(ak: ak, epk: epk, edk: edk)
+        raise InvalidAuthenticator unless Util.constant_compare(t, t2)
+        @coder.derive_ek_n(xk: xk, epk: epk) => {ek:, n:}
+        @coder.decrypt(message: edk, ek: ek, n: n)
+      end
+    end
+  end
+end

data/lib/paseto/operations/wrap.rb ADDED Viewed

@@ -0,0 +1,29 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Operations
+    class Wrap
+      extend T::Sig
+      DOMAIN_SEPARATOR_AUTH = "\x81"
+      DOMAIN_SEPARATOR_ENCRYPT = "\x80"
+      sig { params(wrapping_key: SymmetricKey, paserk: [String, String, String, String]).returns(Interface::Key) }
+      def self.unwrap(wrapping_key, paserk)
+        case paserk
+        in [_, _, String => protocol, _] if protocol == 'pie'
+          Wrappers::PIE.new(wrapping_key).decode(paserk)
+        else
+          raise UnknownProtocol, protocol
+        end
+      end
+      sig { params(key: Interface::Key, wrapping_key: SymmetricKey, nonce: T.nilable(String)).returns(String) }
+      def self.wrap(key, wrapping_key:, nonce: nil)
+        Wrappers::PIE.new(wrapping_key).encode(key, nonce: nonce)
+      end
+    end
+  end
+end

data/lib/paseto/paserk.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Paserk
+    extend T::Sig
+    extend T::Helpers
+    requires_ancestor { Kernel }
+    sig do
+      params(
+        paserk: String,
+        wrapping_key: T.nilable(SymmetricKey),
+        password: T.nilable(String),
+        unsealing_key: T.nilable(AsymmetricKey)
+      ).returns(T.untyped)
+    end
+    def self.from_paserk(paserk:, wrapping_key: nil, password: nil, unsealing_key: nil)
+      parts = paserk.split('.')
+      case parts
+      in [String => version, String => type, String => protocol, String => data] if wrapping_key
+        Operations::Wrap.unwrap(T.must(wrapping_key), [version, type, protocol, data])
+      in [String => version, String => type, String => data] if password
+        version = Versions.deserialize(version).instance
+        Operations::PBKW.new(version, T.must(password)).decode(paserk)
+      in [String => version, String => type, String => data] if unsealing_key
+        Operations::PKE.new(T.must(unsealing_key)).unseal(paserk)
+      in [String => version, String => type, String => data] if %w[local secret public].include?(type)
+        PaserkTypes.deserialize(paserk.rpartition('.').first).generate(Util.decode64(data))
+      else
+        raise UnknownOperation
+      end
+    end
+    sig { params(key: Interface::Key, wrapping_key: SymmetricKey, nonce: T.nilable(String)).returns(String) }
+    def self.wrap(key:, wrapping_key:, nonce: nil)
+      Operations::Wrap.wrap(key, wrapping_key: wrapping_key, nonce: nonce)
+    end
+    sig { params(key: Interface::Key, password: String, options: T::Hash[Symbol, T.any(Integer, Symbol)]).returns(String) }
+    def self.pbkw(key:, password:, options: {})
+      Operations::PBKW.pbkw(key, password, options)
+    end
+    sig { params(key: SymmetricKey, sealing_key: AsymmetricKey).returns(String) }
+    def self.seal(key:, sealing_key:)
+      Operations::PKE.new(sealing_key).seal(key)
+    end
+  end
+end

data/lib/paseto/paserk_types.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# typed: true
+# frozen_string_literal: true
+module Paseto
+  class PaserkTypes < T::Enum
+    extend T::Sig
+    enums do
+      K3Local = new('k3.local')
+      K3Secret = new('k3.secret')
+      K3Public = new('k3.public')
+      K3LocalWrap = new('k3.local-wrap')
+      K3SecretWrap = new('k3.secret-wrap')
+      K3LocalPBKW = new('k3.local-pw')
+      K3SecretPBKW = new('k3.secret-pw')
+      K4Local = new('k4.local')
+      K4Secret = new('k4.secret')
+      K4Public = new('k4.public')
+      K4LocalWrap = new('k4.local-wrap')
+      K4SecretWrap = new('k4.secret-wrap')
+      K4LocalPBKW = new('k4.local-pw')
+      K4SecretPBKW = new('k4.secret-pw')
+    end
+    sig { params(input: String).returns(Interface::Key) }
+    def generate(input) # rubocop:disable Metrics/MethodLength
+      case self
+      in K3LocalWrap | K3LocalPBKW | K3Local if input.bytesize == 32
+        V3::Local.new(ikm: input)
+      in K3SecretWrap | K3SecretPBKW | K3Secret if input.bytesize == 48
+        V3::Public.from_scalar_bytes(input)
+      in K3Public
+        V3::Public.from_public_bytes(input)
+      in K4LocalWrap | K4LocalPBKW | K4Local if Paseto.rbnacl? && input.bytesize == 32
+        V4::Local.new(ikm: input)
+      in K4SecretWrap | K4SecretPBKW | K4Secret if Paseto.rbnacl? && input.bytesize == 64
+        V4::Public.from_keypair(input)
+      in K4Public
+        V4::Public.from_public_bytes(input)
+      else
+        raise InvalidKeyPair
+      end
+    end
+  end
+end