saro-dat 1.0.0 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a79bc8cd93aba476a9f69fef214dd4a0ba9275a4bc93bebb4e1e4e78f36bb19
-  data.tar.gz: 8a16197d29b030c965f8a9e30d80fc7decad1d94be60272b3ef22734e1eeb042
+  metadata.gz: 1bc8964419d2aa39030dbec0e990d8a22d1fa29a8f8eec15235f69e70fa81054
+  data.tar.gz: e2fb45d1bbb981ea6745fab4661db4f1db41063fe73bc147cd33276c60e4a0fa
 SHA512:
-  metadata.gz: b9fa121db64bb0f59429e543ef49efa921afdd8a87eeb52a232352a9bc09dcd77f33898fa89dbe1031adc1d28bdd575f8c997deaf15265c804668a4e9ac2ea7b
-  data.tar.gz: fc15628f82a197628bb41e686392d7b815bb1b39d2146fbd27bab85209ab8351362239dd6c98aa2de3ef214db943e6b0112b0c0a20de693481241e2e788da8b9
+  metadata.gz: c306baa43850bc77ebd33a2c1717f1aaac63ca0c98b538da28cb8ca064e0ed475b0c2e866fee5b47700a49009c085621c5b21f1b989041028e0a481112092590
+  data.tar.gz: c75ede02ecff59c9e18a85116247eb3bae95c594940f8fedec457434a8f9c9dc9690667d1be103cb4abf03b18c483997a9f0fe4b6adbbb3f3e19c644ad9e66e2

data/.gitignore

@@ -1,6 +1,7 @@
 
 /.bundle/
 /vendor/bundle/
+
 /Gemfile.lock
 /saro-dat-*.gem
 

data/.idea/saro-dat.iml

@@ -13,8 +13,9 @@
     <orderEntry type="sourceFolder" forTests="false" />
     <orderEntry type="library" scope="PROVIDED" name="base64 (v0.3.0, rbenv: 4.0.5) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="benchmark (v0.5.0, rbenv: 4.0.5) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="bundler (v4.0.10, rbenv: 4.0.5) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="concurrent-ruby (v1.3.6, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="bundler (v4.0.12, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="concurrent-ruby (v1.3.7, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="logger (v1.7.0, rbenv: 4.0.5) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="minitest (v5.27.0, rbenv: 4.0.5) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="openssl (v4.0.2, rbenv: 4.0.5) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="parallel (v2.1.0, rbenv: 4.0.5) [gem]" level="application" />

data/PUBLISH.md

@@ -9,7 +9,7 @@ bundle install
 ```
 gem build saro-dat.gemspec
 gem signin
-gem push saro-dat-1.0.0.gem
+gem push saro-dat-4.3.0.gem
 ```
 
 ## install
@@ -23,10 +23,16 @@ source ~/.zshrc
 # - mac
 
 rbenv install -l
-rbenv install 2.7.8
 rbenv install 4.0.5
 rbenv local 4.0.5
 rbenv rehash
 
 ruby -v
 ```
+
+
+## install test
+```
+bundle add saro-dat
+bundle install
+```

data/README.md

@@ -4,22 +4,27 @@
 
 ### [DAT Run Online](https://dat.saro.me)
 
-### [What is DAT](https://dat.saro.me/--/intro)
+### [What is DAT](https://dat.saro.me/intro)
 
-### [Example](https://dat.saro.me/--/libs/gems-saro-dat)
+### [Example](https://dat.saro.me/libs/gems-saro-dat)
 
-## support signature algorithm
-| name   | algorithm  |
-|--------|------------|
-| P256   | secp256r1  |
-| P384   | secp384r1  |
-| P521   | secp521r1  |
+## Support algorithm
+### Signature
+| name            | note                  |
+|-----------------|-----------------------|
+| ECDSA-P256      | = secp256r1           |
+| ECDSA-P384      | = secp384r1           |
+| ECDSA-P521      | = secp521r1           |
+| HMAC-SHA256-MFS | = 256Bit Fixed Secret |
+| HMAC-SHA384-MFS | = 384Bit Fixed Secret |
+| HMAC-SHA512-MFS | = 512Bit Fixed Secret |
+- MFS : Maximum(Same Bit) Fixed Secret
 
-## support crypto algorithm
-| name       | algorithm                   |
-|------------|-----------------------------|
-| AES128GCMN | aes-128-gcm n(nonce + body) |
-| AES256GCMN | aes-256-cbc n(nonce + body) |
+### Crypto
+| name       | note                          |
+|------------|-------------------------------|
+| IV-AES128-GCM | (IV=NONCE:96BIT) + AES128 GCM |
+| IV-AES256-GCM | (IV=NONCE:96BIT) + AES256 GCM |
 
 
 # Performance
@@ -29,34 +34,58 @@
 ```
 Testing started at ...
 Performance Test (Plain, Secure)
-Plain: orSsnyfSfREmqzSp25qVE0XEXHBa1FgprEq75OBss5MH61jnWXMYypt4GOOLC6ZF29XUJapVv5X3p2gzBG5fLREFRqJdMaKrZoFi
-Secure: 8SkeUWIcp3Q2I104LgCpDZ4CZ6Uwd21j2QPerHtw5RRN2kPns6wwxjdipCCt5l9QdforbqqjQu5BfevfeC1id6OlBjPPHcF9oMpb
+Plain: CcMjua0RA8I27be6W2lYMBmk5OcPrV8mu3ybrVwBOB2pEPbtfrvH0h0Z0VBhG1ID4zu51sDKxZZGFoku9TzrcPJLbb0ObRiF3NIF
+Secure: EEYEOjriFkidJ8lKpYPkt1fwS01sZuJ7ysgCWd7XyarZfP6yrxkR9rciiJSUpuPZlBt0moFlKb0n2ZDivhvxLNjmO1eT8KjzhLlA
 
 --- Multi-Thread ---
-P256 AES128GCMN Issue * 10000 : 158ms
-P256 AES128GCMN Parse * 10000 : 201ms
-P256 AES256GCMN Issue * 10000 : 154ms
-P256 AES256GCMN Parse * 10000 : 187ms
-P384 AES128GCMN Issue * 10000 : 288ms
-P384 AES128GCMN Parse * 10000 : 450ms
-P384 AES256GCMN Issue * 10000 : 268ms
-P384 AES256GCMN Parse * 10000 : 613ms
-P521 AES128GCMN Issue * 10000 : 405ms
-P521 AES128GCMN Parse * 10000 : 553ms
-P521 AES256GCMN Issue * 10000 : 370ms
-P521 AES256GCMN Parse * 10000 : 609ms
+HMAC-SHA256-MFS IV-AES128-GCM Issue * 10000 : 141ms
+HMAC-SHA256-MFS IV-AES128-GCM Parse * 10000 : 148ms
+HMAC-SHA256-MFS IV-AES256-GCM Issue * 10000 : 126ms
+HMAC-SHA256-MFS IV-AES256-GCM Parse * 10000 : 161ms
+HMAC-SHA384-MFS IV-AES128-GCM Issue * 10000 : 162ms
+HMAC-SHA384-MFS IV-AES128-GCM Parse * 10000 : 155ms
+HMAC-SHA384-MFS IV-AES256-GCM Issue * 10000 : 126ms
+HMAC-SHA384-MFS IV-AES256-GCM Parse * 10000 : 146ms
+HMAC-SHA512-MFS IV-AES128-GCM Issue * 10000 : 124ms
+HMAC-SHA512-MFS IV-AES128-GCM Parse * 10000 : 132ms
+HMAC-SHA512-MFS IV-AES256-GCM Issue * 10000 : 128ms
+HMAC-SHA512-MFS IV-AES256-GCM Parse * 10000 : 149ms
+ECDSA-P256 IV-AES128-GCM Issue * 10000 : 171ms
+ECDSA-P256 IV-AES128-GCM Parse * 10000 : 188ms
+ECDSA-P256 IV-AES256-GCM Issue * 10000 : 158ms
+ECDSA-P256 IV-AES256-GCM Parse * 10000 : 188ms
+ECDSA-P384 IV-AES128-GCM Issue * 10000 : 260ms
+ECDSA-P384 IV-AES128-GCM Parse * 10000 : 422ms
+ECDSA-P384 IV-AES256-GCM Issue * 10000 : 259ms
+ECDSA-P384 IV-AES256-GCM Parse * 10000 : 415ms
+ECDSA-P521 IV-AES128-GCM Issue * 10000 : 307ms
+ECDSA-P521 IV-AES128-GCM Parse * 10000 : 475ms
+ECDSA-P521 IV-AES256-GCM Issue * 10000 : 311ms
+ECDSA-P521 IV-AES256-GCM Parse * 10000 : 481ms
 
 --- Single-Thread ---
-P256 AES128GCMN Issue * 10000 : 200ms
-P256 AES128GCMN Parse * 10000 : 415ms
-P256 AES256GCMN Issue * 10000 : 199ms
-P256 AES256GCMN Parse * 10000 : 406ms
-P384 AES128GCMN Issue * 10000 : 1054ms
-P384 AES128GCMN Parse * 10000 : 2151ms
-P384 AES256GCMN Issue * 10000 : 1053ms
-P384 AES256GCMN Parse * 10000 : 2163ms
-P521 AES128GCMN Issue * 10000 : 1420ms
-P521 AES128GCMN Parse * 10000 : 2414ms
-P521 AES256GCMN Issue * 10000 : 1420ms
-P521 AES256GCMN Parse * 10000 : 2458ms
+HMAC-SHA256-MFS IV-AES128-GCM Issue * 10000 : 64ms
+HMAC-SHA256-MFS IV-AES128-GCM Parse * 10000 : 65ms
+HMAC-SHA256-MFS IV-AES256-GCM Issue * 10000 : 60ms
+HMAC-SHA256-MFS IV-AES256-GCM Parse * 10000 : 68ms
+HMAC-SHA384-MFS IV-AES128-GCM Issue * 10000 : 66ms
+HMAC-SHA384-MFS IV-AES128-GCM Parse * 10000 : 83ms
+HMAC-SHA384-MFS IV-AES256-GCM Issue * 10000 : 64ms
+HMAC-SHA384-MFS IV-AES256-GCM Parse * 10000 : 67ms
+HMAC-SHA512-MFS IV-AES128-GCM Issue * 10000 : 62ms
+HMAC-SHA512-MFS IV-AES128-GCM Parse * 10000 : 67ms
+HMAC-SHA512-MFS IV-AES256-GCM Issue * 10000 : 66ms
+HMAC-SHA512-MFS IV-AES256-GCM Parse * 10000 : 68ms
+ECDSA-P256 IV-AES128-GCM Issue * 10000 : 192ms
+ECDSA-P256 IV-AES128-GCM Parse * 10000 : 403ms
+ECDSA-P256 IV-AES256-GCM Issue * 10000 : 188ms
+ECDSA-P256 IV-AES256-GCM Parse * 10000 : 404ms
+ECDSA-P384 IV-AES128-GCM Issue * 10000 : 1049ms
+ECDSA-P384 IV-AES128-GCM Parse * 10000 : 2157ms
+ECDSA-P384 IV-AES256-GCM Issue * 10000 : 1060ms
+ECDSA-P384 IV-AES256-GCM Parse * 10000 : 2155ms
+ECDSA-P521 IV-AES128-GCM Issue * 10000 : 1374ms
+ECDSA-P521 IV-AES128-GCM Parse * 10000 : 2428ms
+ECDSA-P521 IV-AES256-GCM Issue * 10000 : 1368ms
+ECDSA-P521 IV-AES256-GCM Parse * 10000 : 2417ms
 ```

data/lib/saro/dat/crypto.rb

@@ -7,8 +7,8 @@ require_relative 'util'
 module Saro
   module Dat
     class DatCryptoAlgorithm
-      AES128GCMN = "AES128GCMN"
-      AES256GCMN = "AES256GCMN"
+      AES128GCMN = "IV-AES128-GCM"
+      AES256GCMN = "IV-AES256-GCM"
 
       def self.all
         [AES128GCMN, AES256GCMN]
@@ -16,8 +16,8 @@ module Saro
     end
 
     CRYPTO_CONFIG = {
-      "AES128GCMN" => { name: "aes-128-gcm", length: 16 },
-      "AES256GCMN" => { name: "aes-256-gcm", length: 32 }
+      "IV-AES128-GCM" => { name: "aes-128-gcm", length: 16 },
+      "IV-AES256-GCM" => { name: "aes-256-gcm", length: 32 }
     }.freeze
 
     def self.get_crypto_config(algorithm)
@@ -26,7 +26,7 @@ module Saro
       raise ArgumentError, "Unsupported DAT Crypto Algorithm: #{algorithm}"
     end
 
-    class DatCryptoKey
+    class DatCrypto
       attr_reader :algorithm
 
       def initialize(algorithm, key_bytes, config = nil)
@@ -41,12 +41,13 @@ module Saro
         new(algorithm, key_bytes, config)
       end
 
-      def self.imports(algorithm, raw)
-        new(algorithm, raw)
+      def self.imports(algorithm, base64_str)
+        key_bytes = Saro::Dat::Util.decode_base64_url(base64_str)
+        new(algorithm, key_bytes)
       end
 
       def exports
-        @key_bytes
+        Saro::Dat::Util.encode_base64_url_str(@key_bytes)
       end
 
       def encrypt(data)
@@ -87,13 +88,9 @@ module Saro
         cipher.iv = nonce
         cipher.auth_tag = tag
 
-        begin
-          res = cipher.update(ciphertext) + cipher.final
-          res.force_encoding('BINARY')
-          res
-        rescue OpenSSL::Cipher::CipherError => e
-          raise ArgumentError, "Decryption failed: #{e.message}"
-        end
+        res = cipher.update(ciphertext) + cipher.final
+        res.force_encoding('BINARY')
+        res
       end
     end
   end

data/lib/saro/dat/dat.rb

@@ -38,11 +38,13 @@ module Saro
         new(value)
       end
 
-      def expired?
+      def expired
         return true unless @format
         Time.now.to_i > @expire
       end
 
+      alias_method :expired?, :expired
+
       def body_string
         return "" unless @dat.include?('.')
         @dat.rpartition('.').first

data/lib/saro/dat/dat_certificate.rb

@@ -7,53 +7,80 @@ require_relative 'util'
 module Saro
   module Dat
     class DatCertificate
-      attr_reader :cid, :signature_key, :crypto_key, :dat_issue_begin, :dat_issue_end, :dat_ttl
+      attr_reader :cid, :signature_key, :crypto_key, :dat_issuance_start_seconds, :dat_issuance_end_seconds, :dat_ttl_seconds
 
-      def initialize(cid, signature_key, crypto_key, dat_issue_begin, dat_issue_end, dat_ttl)
+      def initialize(cid, dat_issuance_start_seconds, dat_issuance_duration_seconds, dat_ttl_seconds, signature_key, crypto_key)
         @cid = cid
+        @dat_issuance_start_seconds = dat_issuance_start_seconds
+        @dat_issuance_end_seconds = dat_issuance_start_seconds + dat_issuance_duration_seconds
+        @dat_ttl_seconds = dat_ttl_seconds
         @signature_key = signature_key
         @crypto_key = crypto_key
-        @dat_issue_begin = dat_issue_begin
-        @dat_issue_end = dat_issue_end
-        @dat_ttl = dat_ttl
       end
 
-      def exports(option)
+      def exports(verify_only = false)
         cid_hex = @cid.to_s(16)
-        sig_alg = @signature_key.algorithm
-        sig_key = @signature_key.exports(option)
-        cry_alg = @crypto_key.algorithm
-        cry_key = Saro::Dat::Util.encode_base64_url_str(@crypto_key.exports)
+        dat_issuance_start_seconds = @dat_issuance_start_seconds.to_s
+        dat_issuance_duration_seconds = (@dat_issuance_end_seconds - @dat_issuance_start_seconds).to_s
+        dat_ttl_seconds = @dat_ttl_seconds.to_s
+        signature_algorithm = @signature_key.algorithm
+        crypto_algorithm = @crypto_key.algorithm
+        signature_key = @signature_key.exports(verify_only)
+        crypto_key = @crypto_key.exports
 
-        "#{cid_hex}.#{sig_alg}.#{sig_key}.#{cry_alg}.#{cry_key}.#{@dat_issue_begin}.#{@dat_issue_end}.#{@dat_ttl}"
+        "#{cid_hex}.#{dat_issuance_start_seconds}.#{dat_issuance_duration_seconds}.#{dat_ttl_seconds}.#{signature_algorithm}.#{crypto_algorithm}.#{signature_key}.#{crypto_key}"
+      end
+
+      def self.generate(cid, dat_issuance_start_seconds, dat_issuance_duration_seconds, dat_ttl_seconds, signature_algorithm, crypto_algorithm)
+        new(
+          cid, dat_issuance_start_seconds, dat_issuance_duration_seconds, dat_ttl_seconds,
+          Saro::Dat::DatSignature.generate(signature_algorithm),
+          Saro::Dat::DatCrypto.generate(crypto_algorithm)
+        )
       end
 
       def self.imports(format_str)
-        split = format_str.split(".")
-        raise ArgumentError, "Invalid Certificate format" if split.length != 8
+        parts = format_str.split(".")
+        raise ArgumentError, "Invalid Certificate format" if parts.length != 8
 
-        cid = split[0].to_i(16)
-        sig_key = Saro::Dat::DatSignatureKey.imports(split[1], split[2])
-        cry_key = Saro::Dat::DatCryptoKey.imports(split[3], Saro::Dat::Util.decode_base64_url(split[4]))
+        cid = parts[0].to_i(16)
+        dat_issuance_start_seconds = parts[1].to_i
+        dat_issuance_duration_seconds = parts[2].to_i
+        dat_ttl_seconds = parts[3].to_i
+        signature_algorithm = parts[4]
+        crypto_algorithm = parts[5]
+        signature_key = Saro::Dat::DatSignature.imports(signature_algorithm, parts[6])
+        crypto_key = Saro::Dat::DatCrypto.imports(crypto_algorithm, parts[7])
 
-        new(
-          cid, sig_key, cry_key,
-          split[5].to_i, split[6].to_i, split[7].to_i
-        )
+        new(cid, dat_issuance_start_seconds, dat_issuance_duration_seconds, dat_ttl_seconds, signature_key, crypto_key)
       end
 
-      def issuable?
+      def issuable
         now = Time.now.to_i
-        has_signing_key? && @dat_issue_begin <= now && now <= @dat_issue_end
+        signable && @dat_issuance_start_seconds <= now && now <= @dat_issuance_end_seconds
       end
 
-      def expired?
-        Time.now.to_i > (@dat_issue_end + @dat_ttl)
+      def expired
+        Time.now.to_i > (@dat_issuance_end_seconds + @dat_ttl_seconds)
       end
 
-      def has_signing_key?
-        @signature_key.has_signing_key?
+      def signable
+        @signature_key.signable
       end
+
+      def pair
+        @signature_key.pair
+      end
+
+      def support_verify_only
+        @signature_key.support_verify_only
+      end
+
+      # For Ruby conventions
+      alias_method :issuable?, :issuable
+      alias_method :expired?, :expired
+      alias_method :signable?, :signable
+      alias_method :pair?, :pair
     end
   end
 end

data/lib/saro/dat/dat_manager.rb

@@ -17,29 +17,32 @@ module Saro
       end
 
       def import_certificates(input_certs, clear: false)
+        renew_count = 0
         @lock.with_write_lock do
           certificates = clear ? [] : @certificates.dup
-          
+
           before_cids = Set.new(certificates.map(&:cid))
           seen_cids = Set.new
 
           input_certs.each do |cert|
             raise ArgumentError, "Duplicate CID: #{cert.cid}" if seen_cids.include?(cert.cid)
             seen_cids.add(cert.cid)
-            next if cert.expired?
+            next if cert.expired
             next if before_cids.include?(cert.cid)
             
             certificates << cert
+            renew_count += 1
           end
 
-          certificates.sort_by!(&:dat_issue_end)
+          certificates.sort_by!(&:dat_issuance_end_seconds)
           
           # Find latest issuable certificate as issuer
-          issuer = certificates.reverse_each.find(&:issuable?)
+          issuer = certificates.reverse_each.find(&:issuable)
 
           @issuer = issuer
           @certificates = certificates
         end
+        renew_count
       end
 
       def imports(format_str, clear: false)
@@ -52,9 +55,9 @@ module Saro
         import_certificates(certs, clear: clear)
       end
 
-      def exports(option)
+      def exports(verify_only = false)
         @lock.with_read_lock do
-          @certificates.map { |cert| cert.exports(option) }.join("\n")
+          @certificates.map { |cert| cert.exports(verify_only) }.join("\n")
         end
       end
 
@@ -82,7 +85,7 @@ module Saro
 
       def self._issue(cert, plain, secure)
         now = Time.now.to_i
-        expire = now + cert.dat_ttl
+        expire = now + cert.dat_ttl_seconds
         cid_hex = cert.cid.to_s(16)
 
         plain_bytes = plain.is_a?(String) ? plain.encode('utf-8') : (plain || "".b)

data/lib/saro/dat/signature.rb

@@ -6,25 +6,25 @@ require_relative 'util'
 module Saro
   module Dat
     class DatSignatureAlgorithm
-      P256 = "P256"
-      P384 = "P384"
-      P521 = "P521"
+      HMAC_SHA256_MFS = "HMAC-SHA256-MFS"
+      HMAC_SHA384_MFS = "HMAC-SHA384-MFS"
+      HMAC_SHA512_MFS = "HMAC-SHA512-MFS"
+      P256 = "ECDSA-P256"
+      P384 = "ECDSA-P384"
+      P521 = "ECDSA-P521"
 
       def self.all
-        [P256, P384, P521]
+        [HMAC_SHA256_MFS, HMAC_SHA384_MFS, HMAC_SHA512_MFS, P256, P384, P521]
       end
     end
 
-    class DatSignatureKeyExportOption
-      PAIR = "PAIR"
-      SIGNING = "SIGNING"
-      VERIFYING = "VERIFYING"
-    end
-
     SIGNATURE_CONFIG = {
-      "P256" => { curve: "prime256v1", hash: "SHA256" },
-      "P384" => { curve: "secp384r1", hash: "SHA384" },
-      "P521" => { curve: "secp521r1", hash: "SHA512" }
+      "HMAC-SHA256-MFS" => { name: "HMAC", hash: "SHA256", hmac_len: 32 },
+      "HMAC-SHA384-MFS" => { name: "HMAC", hash: "SHA384", hmac_len: 48 },
+      "HMAC-SHA512-MFS" => { name: "HMAC", hash: "SHA512", hmac_len: 64 },
+      "ECDSA-P256" => { name: "ECDSA", curve: "prime256v1", hash: "SHA256", private_len: 32, public_len: 65 },
+      "ECDSA-P384" => { name: "ECDSA", curve: "secp384r1", hash: "SHA384", private_len: 48, public_len: 97 },
+      "ECDSA-P521" => { name: "ECDSA", curve: "secp521r1", hash: "SHA512", private_len: 66, public_len: 133 }
     }.freeze
 
     def self.get_signature_config(algorithm)
@@ -33,13 +33,7 @@ module Saro
       raise ArgumentError, "Unsupported DAT Crypto Algorithm: #{algorithm}"
     end
 
-    CURVE_OIDS = {
-      "prime256v1" => "1.2.840.10045.3.1.7",
-      "secp384r1" => "1.3.132.0.34",
-      "secp521r1" => "1.3.132.0.35"
-    }.freeze
-
-    class DatSignatureKey
+    class DatSignature
       attr_reader :algorithm, :signing_key, :verifying_key
 
       def initialize(algorithm, signing_key, verifying_key, config = nil)
@@ -51,13 +45,6 @@ module Saro
 
       private_class_method def self.create_ec_key(curve_name, priv_bn = nil, pub_octet = nil)
         if priv_bn
-          # EC Private Key structure (SEC1)
-          # ECPrivateKey ::= SEQUENCE {
-          #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
-          #   privateKey     OCTET STRING,
-          #   parameters [0] EXPLICIT ECParameters {{ NamedCurve }} OPTIONAL,
-          #   publicKey  [1] EXPLICIT BIT STRING OPTIONAL
-          # }
           group = OpenSSL::PKey::EC::Group.new(curve_name)
           pub_octet ||= group.generator.mul(priv_bn).to_octet_string(:uncompressed)
           
@@ -69,14 +56,6 @@ module Saro
           ])
           OpenSSL::PKey::EC.new(asn1.to_der)
         elsif pub_octet
-          # SubjectPublicKeyInfo
-          # SEQUENCE {
-          #   SEQUENCE {
-          #     OBJECT IDENTIFIER id-ecPublicKey (1.2.840.10045.2.1)
-          #     OBJECT IDENTIFIER namedCurve
-          #   }
-          #   BIT STRING publicKey
-          # }
           spki = OpenSSL::ASN1::Sequence.new([
             OpenSSL::ASN1::Sequence.new([
               OpenSSL::ASN1::ObjectId.new("id-ecPublicKey"),
@@ -92,75 +71,68 @@ module Saro
 
       def self.generate(algorithm)
         config = Saro::Dat.get_signature_config(algorithm)
-        key = OpenSSL::PKey::EC.generate(config[:curve])
-        new(algorithm, key, key, config)
+        if config[:name] == "HMAC"
+          key = OpenSSL::Random.random_bytes(config[:hmac_len])
+          new(algorithm, key, key, config)
+        else
+          key = OpenSSL::PKey::EC.generate(config[:curve])
+          new(algorithm, key, key, config)
+        end
       end
 
-      def self.imports(algorithm, format_str)
+      def self.imports(algorithm, base64_str)
         config = Saro::Dat.get_signature_config(algorithm)
-        parts = format_str.split("~", -1)
-        
-        unless (1..2).cover?(parts.length)
-          raise ArgumentError, "Invalid DAT Signature Key Format: No keys found"
-        end
+        bytes_data = Saro::Dat::Util.decode_base64_url(base64_str)
 
-        signing_key = nil
-        verifying_key = nil
-
-        if parts[0] && !parts[0].empty?
-          d_bytes = Saro::Dat::Util.decode_base64_url(parts[0])
-          d_value = OpenSSL::BN.new(d_bytes, 2)
-          
-          # Handle public key if provided in parts[1] for signing key as well
-          v_octet = if parts.length == 2 && parts[1] && !parts[1].empty?
-                      Saro::Dat::Util.decode_base64_url(parts[1])
-                    end
-
-          signing_key = create_ec_key(config[:curve], d_value, v_octet)
-          verifying_key = signing_key
-        end
-
-        if parts.length == 2 && parts[1] && !parts[1].empty?
-          unless signing_key
-            public_bytes = Saro::Dat::Util.decode_base64_url(parts[1])
-            verifying_key = create_ec_key(config[:curve], nil, public_bytes)
+        if config[:name] == "HMAC"
+          if bytes_data.bytesize != config[:hmac_len]
+            raise ArgumentError, "Invalid HMAC key length: expected #{config[:hmac_len]}, got #{bytes_data.bytesize}"
+          end
+          new(algorithm, bytes_data, bytes_data, config)
+        else
+          private_len = config[:private_len]
+          public_len = config[:public_len]
+
+          signing_key = nil
+          verifying_key = nil
+
+          if bytes_data.bytesize == private_len + public_len
+            private_bytes = bytes_data[0, private_len]
+            public_bytes = bytes_data[private_len, public_len]
+            
+            d_value = OpenSSL::BN.new(private_bytes, 2)
+            signing_key = create_ec_key(config[:curve], d_value, public_bytes)
+            verifying_key = signing_key
+          elsif bytes_data.bytesize == public_len
+            verifying_key = create_ec_key(config[:curve], nil, bytes_data)
+          else
+            raise ArgumentError, "Invalid ECDSA key length"
           end
-        elsif !signing_key
-          raise ArgumentError, "Invalid DAT Signature Key Format: No keys found"
-        end
 
-        new(algorithm, signing_key, verifying_key, config)
+          new(algorithm, signing_key, verifying_key, config)
+        end
       end
 
-      def exports(option)
-        rv_parts = ["", ""]
+      def exports(verify_only = false)
+        if verify_only && !support_verify_only
+          raise ArgumentError, "#{config[:name]} does not supported verifying only key"
+        end
 
-        if [DatSignatureKeyExportOption::PAIR, DatSignatureKeyExportOption::SIGNING].include?(option)
-          if @signing_key&.private_key
+        if @config[:name] == "HMAC"
+          Saro::Dat::Util.encode_base64_url_str(@verifying_key)
+        else
+          if verify_only || !@signing_key&.private_key
+            public_bytes = @verifying_key.public_key.to_octet_string(:uncompressed)
+            Saro::Dat::Util.encode_base64_url_str(public_bytes)
+          else
             d_value = @signing_key.private_key
-            # Ensure fixed length padding
             curve_size = (@signing_key.group.degree + 7) / 8
             d_bytes = d_value.to_s(2).rjust(curve_size, "\x00".b)
-            rv_parts[0] = Saro::Dat::Util.encode_base64_url_str(d_bytes)
-          elsif option == DatSignatureKeyExportOption::SIGNING
-            raise ArgumentError, "Signature key is not supported - verifying only key"
+            
+            public_bytes = @verifying_key.public_key.to_octet_string(:uncompressed)
+            Saro::Dat::Util.encode_base64_url_str(d_bytes + public_bytes)
           end
         end
-
-        if [DatSignatureKeyExportOption::PAIR, DatSignatureKeyExportOption::VERIFYING].include?(option)
-          # Uncompressed point: 0x04 + R + S
-          public_bytes = @verifying_key.public_key.to_octet_string(:uncompressed)
-          rv_parts[1] = Saro::Dat::Util.encode_base64_url_str(public_bytes)
-        end
-
-        case option
-        when DatSignatureKeyExportOption::SIGNING
-          rv_parts[0]
-        when DatSignatureKeyExportOption::VERIFYING
-          "~#{rv_parts[1]}"
-        else
-          "#{rv_parts[0]}~#{rv_parts[1]}"
-        end
       end
 
       def sign(body)
@@ -168,10 +140,13 @@ module Saro
         body = body.encode('utf-8') if body.is_a?(String) && body.encoding != Encoding::BINARY
         raise ArgumentError, "Sign Error - body is empty" if body.nil? || body.empty?
 
-        digest = OpenSSL::Digest.new(@config[:hash])
-        signature_der = @signing_key.dsa_sign_asn1(digest.digest(body))
-        
-        der_to_raw_signature(signature_der)
+        if @config[:name] == "HMAC"
+          OpenSSL::HMAC.digest(@config[:hash], @signing_key, body)
+        else
+          digest = OpenSSL::Digest.new(@config[:hash])
+          signature_der = @signing_key.dsa_sign_asn1(digest.digest(body))
+          der_to_raw_signature(signature_der)
+        end
       end
 
       def verify(body, signature)
@@ -184,19 +159,37 @@ module Saro
                       signature
                     end
 
-        begin
-          der_sig = raw_to_der_signature(sig_bytes)
-          digest = OpenSSL::Digest.new(@config[:hash])
-          @verifying_key.dsa_verify_asn1(digest.digest(body), der_sig)
-        rescue StandardError
-          false
+        if @config[:name] == "HMAC"
+          begin
+            actual_sig = OpenSSL::HMAC.digest(@config[:hash], @verifying_key, body)
+            # Use fixed-time comparison if possible
+            return actual_sig == sig_bytes
+          rescue StandardError
+            return false
+          end
+        else
+          begin
+            der_sig = raw_to_der_signature(sig_bytes)
+            digest = OpenSSL::Digest.new(@config[:hash])
+            @verifying_key.dsa_verify_asn1(digest.digest(body), der_sig)
+          rescue StandardError
+            false
+          end
         end
       end
 
-      def has_signing_key?
+      def signable
         !@signing_key.nil?
       end
 
+      def pair
+        @config[:name] == "ECDSA"
+      end
+
+      def support_verify_only
+        @config[:name] == "ECDSA"
+      end
+
       private
 
       def der_to_raw_signature(signature_der)

data/lib/saro-dat.rb

@@ -6,6 +6,7 @@ require_relative 'saro/dat/signature'
 require_relative 'saro/dat/dat_certificate'
 require_relative 'saro/dat/dat'
 require_relative 'saro/dat/dat_manager'
+require_relative 'saro/dat/cms_manager'
 
 module Saro
   module Dat

data/saro-dat.gemspec

@@ -2,13 +2,13 @@
 
 Gem::Specification.new do |spec|
   spec.name          = "saro-dat"
-  spec.version       = "1.0.0"
+  spec.version       = "4.3.0"
   spec.authors       = ["marker"]
   spec.email         = ["j@saro.me"]
 
   spec.summary       = "DAT (Data Access Token) Ruby implementation"
   spec.description   = "Ported from Python dat library"
-  spec.homepage      = "https://dat.saro.me/--/libs/gems-saro-dat"
+  spec.homepage      = "https://dat.saro.me/libs/gems-saro-dat"
   spec.license       = "MIT"
   spec.required_ruby_version = ">= 2.7.0"
 
@@ -30,6 +30,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "concurrent-ruby", "~> 1.3.6"
   spec.add_dependency "openssl", "~> 4.0.2"
   spec.add_dependency "base64"
+  spec.add_dependency "logger"
 
   spec.add_development_dependency "minitest", "~> 5.0"
   spec.add_development_dependency "benchmark"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: saro-dat
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 4.3.0
 platform: ruby
 authors:
 - marker
@@ -51,6 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -106,7 +120,6 @@ files:
 - ".idea/saro-dat.iml"
 - ".ruby-version"
 - Gemfile
-- Gemfile.lock
 - LICENSE
 - PUBLISH.md
 - README.md
@@ -118,11 +131,11 @@ files:
 - lib/saro/dat/signature.rb
 - lib/saro/dat/util.rb
 - saro-dat.gemspec
-homepage: https://dat.saro.me/--/libs/gems-saro-dat
+homepage: https://dat.saro.me/libs/gems-saro-dat
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://dat.saro.me/--/libs/gems-saro-dat
+  homepage_uri: https://dat.saro.me/libs/gems-saro-dat
   source_code_uri: https://github.com/saro-lab/dat-ruby
   changelog_uri: https://github.com/saro-lab/dat-ruby/blob/main/CHANGELOG.md
   keywords: dat, distributed, access, token, web, session, security, authentication
@@ -140,7 +153,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.10
+rubygems_version: 4.0.12
 specification_version: 4
 summary: DAT (Data Access Token) Ruby implementation
 test_files: []

data/Gemfile.lock

@@ -1,39 +0,0 @@
-PATH
-  remote: .
-  specs:
-    saro-dat (1.0.0)
-      base64
-      concurrent-ruby (~> 1.3.6)
-      openssl (~> 4.0.2)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    base64 (0.3.0)
-    benchmark (0.5.0)
-    concurrent-ruby (1.3.6)
-    minitest (5.27.0)
-    openssl (4.0.2)
-    parallel (2.1.0)
-
-PLATFORMS
-  arm64-darwin-25
-  ruby
-
-DEPENDENCIES
-  benchmark
-  minitest (~> 5.0)
-  parallel
-  saro-dat!
-
-CHECKSUMS
-  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
-  benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
-  concurrent-ruby (1.3.6) sha256=6b56837e1e7e5292f9864f34b69c5a2cbc75c0cf5338f1ce9903d10fa762d5ab
-  minitest (5.27.0) sha256=2d3b17f8a36fe7801c1adcffdbc38233b938eb0b4966e97a6739055a45fa77d5
-  openssl (4.0.2) sha256=1037ad2868ae58df9ad917891c0c0f9815a1172f6846d4bcdd508e4c2ee747c2
-  parallel (2.1.0) sha256=b35258865c2e31134c5ecb708beaaf6772adf9d5efae28e93e99260877b09356
-  saro-dat (1.0.0)
-
-BUNDLED WITH
-  4.0.10