saro-dat 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8a79bc8cd93aba476a9f69fef214dd4a0ba9275a4bc93bebb4e1e4e78f36bb19
+  data.tar.gz: 8a16197d29b030c965f8a9e30d80fc7decad1d94be60272b3ef22734e1eeb042
+SHA512:
+  metadata.gz: b9fa121db64bb0f59429e543ef49efa921afdd8a87eeb52a232352a9bc09dcd77f33898fa89dbe1031adc1d28bdd575f8c997deaf15265c804668a4e9ac2ea7b
+  data.tar.gz: fc15628f82a197628bb41e686392d7b815bb1b39d2146fbd27bab85209ab8351362239dd6c98aa2de3ef214db943e6b0112b0c0a20de693481241e2e788da8b9

data/.gitignore

@@ -0,0 +1,16 @@
+
+/.bundle/
+/vendor/bundle/
+/Gemfile.lock
+/saro-dat-*.gem
+
+/pkg/
+/doc/
+.yardoc/
+
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store

data/.idea/.gitignore

@@ -0,0 +1,10 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Ignored default folder with query files
+/queries/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml

data/.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/saro-dat.iml" filepath="$PROJECT_DIR$/.idea/saro-dat.iml" />
+    </modules>
+  </component>
+</project>

data/.idea/saro-dat.iml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="RUBY_MODULE" version="4">
+  <component name="ModuleRunConfigurationManager">
+    <shared />
+  </component>
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/features" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/spec" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/test" isTestSource="true" />
+    </content>
+    <orderEntry type="jdk" jdkName="rbenv: 4.0.5" jdkType="RUBY_SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" scope="PROVIDED" name="base64 (v0.3.0, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="benchmark (v0.5.0, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="bundler (v4.0.10, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="concurrent-ruby (v1.3.6, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="minitest (v5.27.0, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="openssl (v4.0.2, rbenv: 4.0.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="parallel (v2.1.0, rbenv: 4.0.5) [gem]" level="application" />
+  </component>
+</module>

data/.ruby-version

@@ -0,0 +1 @@
+4.0.5

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,39 @@
+PATH
+  remote: .
+  specs:
+    saro-dat (1.0.0)
+      base64
+      concurrent-ruby (~> 1.3.6)
+      openssl (~> 4.0.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    base64 (0.3.0)
+    benchmark (0.5.0)
+    concurrent-ruby (1.3.6)
+    minitest (5.27.0)
+    openssl (4.0.2)
+    parallel (2.1.0)
+
+PLATFORMS
+  arm64-darwin-25
+  ruby
+
+DEPENDENCIES
+  benchmark
+  minitest (~> 5.0)
+  parallel
+  saro-dat!
+
+CHECKSUMS
+  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
+  benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
+  concurrent-ruby (1.3.6) sha256=6b56837e1e7e5292f9864f34b69c5a2cbc75c0cf5338f1ce9903d10fa762d5ab
+  minitest (5.27.0) sha256=2d3b17f8a36fe7801c1adcffdbc38233b938eb0b4966e97a6739055a45fa77d5
+  openssl (4.0.2) sha256=1037ad2868ae58df9ad917891c0c0f9815a1172f6846d4bcdd508e4c2ee747c2
+  parallel (2.1.0) sha256=b35258865c2e31134c5ecb708beaaf6772adf9d5efae28e93e99260877b09356
+  saro-dat (1.0.0)
+
+BUNDLED WITH
+  4.0.10

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 SARO Lab
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/PUBLISH.md

@@ -0,0 +1,32 @@
+## sync
+```shell
+rm -rf Gemfile.lock
+bundle install
+
+```
+
+## publish
+```
+gem build saro-dat.gemspec
+gem signin
+gem push saro-dat-1.0.0.gem
+```
+
+## install
+```
+# install
+brew install rbenv ruby-build
+
+# mac -
+echo 'eval "$(rbenv init -)"' >> ~/.zshrc
+source ~/.zshrc
+# - mac
+
+rbenv install -l
+rbenv install 2.7.8
+rbenv install 4.0.5
+rbenv local 4.0.5
+rbenv rehash
+
+ruby -v
+```

data/README.md

@@ -0,0 +1,62 @@
+# DAT - Distributed Access Token
+
+## Document
+
+### [DAT Run Online](https://dat.saro.me)
+
+### [What is DAT](https://dat.saro.me/--/intro)
+
+### [Example](https://dat.saro.me/--/libs/gems-saro-dat)
+
+## support signature algorithm
+| name   | algorithm  |
+|--------|------------|
+| P256   | secp256r1  |
+| P384   | secp384r1  |
+| P521   | secp521r1  |
+
+## support crypto algorithm
+| name       | algorithm                   |
+|------------|-----------------------------|
+| AES128GCMN | aes-128-gcm n(nonce + body) |
+| AES256GCMN | aes-256-cbc n(nonce + body) |
+
+
+# Performance
+- random plain and secure test
+- mac mini m4 2024 basic (10 core)
+- [test_bench.rb](test/test_bench.rb)
+```
+Testing started at ...
+Performance Test (Plain, Secure)
+Plain: orSsnyfSfREmqzSp25qVE0XEXHBa1FgprEq75OBss5MH61jnWXMYypt4GOOLC6ZF29XUJapVv5X3p2gzBG5fLREFRqJdMaKrZoFi
+Secure: 8SkeUWIcp3Q2I104LgCpDZ4CZ6Uwd21j2QPerHtw5RRN2kPns6wwxjdipCCt5l9QdforbqqjQu5BfevfeC1id6OlBjPPHcF9oMpb
+
+--- Multi-Thread ---
+P256 AES128GCMN Issue * 10000 : 158ms
+P256 AES128GCMN Parse * 10000 : 201ms
+P256 AES256GCMN Issue * 10000 : 154ms
+P256 AES256GCMN Parse * 10000 : 187ms
+P384 AES128GCMN Issue * 10000 : 288ms
+P384 AES128GCMN Parse * 10000 : 450ms
+P384 AES256GCMN Issue * 10000 : 268ms
+P384 AES256GCMN Parse * 10000 : 613ms
+P521 AES128GCMN Issue * 10000 : 405ms
+P521 AES128GCMN Parse * 10000 : 553ms
+P521 AES256GCMN Issue * 10000 : 370ms
+P521 AES256GCMN Parse * 10000 : 609ms
+
+--- Single-Thread ---
+P256 AES128GCMN Issue * 10000 : 200ms
+P256 AES128GCMN Parse * 10000 : 415ms
+P256 AES256GCMN Issue * 10000 : 199ms
+P256 AES256GCMN Parse * 10000 : 406ms
+P384 AES128GCMN Issue * 10000 : 1054ms
+P384 AES128GCMN Parse * 10000 : 2151ms
+P384 AES256GCMN Issue * 10000 : 1053ms
+P384 AES256GCMN Parse * 10000 : 2163ms
+P521 AES128GCMN Issue * 10000 : 1420ms
+P521 AES128GCMN Parse * 10000 : 2414ms
+P521 AES256GCMN Issue * 10000 : 1420ms
+P521 AES256GCMN Parse * 10000 : 2458ms
+```

data/lib/saro/dat/crypto.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'securerandom'
+require_relative 'util'
+
+module Saro
+  module Dat
+    class DatCryptoAlgorithm
+      AES128GCMN = "AES128GCMN"
+      AES256GCMN = "AES256GCMN"
+
+      def self.all
+        [AES128GCMN, AES256GCMN]
+      end
+    end
+
+    CRYPTO_CONFIG = {
+      "AES128GCMN" => { name: "aes-128-gcm", length: 16 },
+      "AES256GCMN" => { name: "aes-256-gcm", length: 32 }
+    }.freeze
+
+    def self.get_crypto_config(algorithm)
+      config = CRYPTO_CONFIG[algorithm]
+      return config if config
+      raise ArgumentError, "Unsupported DAT Crypto Algorithm: #{algorithm}"
+    end
+
+    class DatCryptoKey
+      attr_reader :algorithm
+
+      def initialize(algorithm, key_bytes, config = nil)
+        @config = config || Saro::Dat.get_crypto_config(algorithm)
+        @algorithm = algorithm
+        @key_bytes = key_bytes
+      end
+
+      def self.generate(algorithm)
+        config = Saro::Dat.get_crypto_config(algorithm)
+        key_bytes = OpenSSL::Random.random_bytes(config[:length])
+        new(algorithm, key_bytes, config)
+      end
+
+      def self.imports(algorithm, raw)
+        new(algorithm, raw)
+      end
+
+      def exports
+        @key_bytes
+      end
+
+      def encrypt(data)
+        data = data.encode('utf-8') if data.is_a?(String) && data.encoding != Encoding::BINARY
+        return "".b if data.nil? || data.empty?
+
+        cipher = OpenSSL::Cipher.new(@config[:name])
+        cipher.encrypt
+        cipher.key = @key_bytes
+        nonce = OpenSSL::Random.random_bytes(12)
+        cipher.iv_len = 12
+        cipher.iv = nonce
+        
+        ciphertext = cipher.update(data) + cipher.final
+        tag = cipher.auth_tag
+
+        nonce + ciphertext + tag
+      end
+
+      def decrypt(data)
+        if data.is_a?(String) && data.encoding != Encoding::BINARY
+          data = Saro::Dat::Util.decode_base64_url(data)
+        end
+        return "".b if data.nil? || data.empty?
+
+        if data.length <= 12 + 16 # nonce(12) + tag(16)
+          raise ArgumentError, "Invalid data length"
+        end
+
+        nonce = data[0, 12]
+        tag = data[-16, 16]
+        ciphertext = data[12...-16]
+
+        cipher = OpenSSL::Cipher.new(@config[:name])
+        cipher.decrypt
+        cipher.key = @key_bytes
+        cipher.iv_len = 12
+        cipher.iv = nonce
+        cipher.auth_tag = tag
+
+        begin
+          res = cipher.update(ciphertext) + cipher.final
+          res.force_encoding('BINARY')
+          res
+        rescue OpenSSL::Cipher::CipherError => e
+          raise ArgumentError, "Decryption failed: #{e.message}"
+        end
+      end
+    end
+  end
+end

data/lib/saro/dat/dat.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require_relative 'util'
+
+module Saro
+  module Dat
+    class Dat
+      attr_reader :dat, :expire, :cid, :plain, :secure, :signature, :format
+
+      def initialize(dat_str)
+        @dat = dat_str || ''
+        @format = false
+        @expire = 0
+        @cid = 0
+        @plain = "".b
+        @secure = "".b
+        @signature = "".b
+
+        if !@dat.empty?
+          parts = @dat.split('.')
+          if parts.length == 5
+            begin
+              @expire = parts[0].to_i
+              @cid = parts[1].to_i(16)
+              @plain = Saro::Dat::Util.decode_base64_url(parts[2])
+              @secure = Saro::Dat::Util.decode_base64_url(parts[3])
+              @signature = Saro::Dat::Util.decode_base64_url(parts[4])
+              @format = (!@signature.empty? && @expire >= 0)
+            rescue StandardError
+              @format = false
+            end
+          end
+        end
+      end
+
+      def self.from_value(value)
+        return value if value.is_a?(Dat)
+        new(value)
+      end
+
+      def expired?
+        return true unless @format
+        Time.now.to_i > @expire
+      end
+
+      def body_string
+        return "" unless @dat.include?('.')
+        @dat.rpartition('.').first
+      end
+    end
+
+    class DatPayload
+      attr_reader :plain_bytes, :secure_bytes
+
+      def initialize(plain, secure)
+        @plain_bytes = plain
+        @secure_bytes = secure
+      end
+
+      def plain
+        @plain_bytes.force_encoding('utf-8')
+      end
+
+      def secure
+        @secure_bytes.force_encoding('utf-8')
+      end
+
+      def to_s
+        "#{Saro::Dat::Util.encode_base64_url_str(@plain_bytes)} #{Saro::Dat::Util.encode_base64_url_str(@secure_bytes)}"
+      end
+
+      def to_unsafe_string
+        "#{plain} #{secure}"
+      end
+    end
+  end
+end

data/lib/saro/dat/dat_certificate.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require_relative 'crypto'
+require_relative 'signature'
+require_relative 'util'
+
+module Saro
+  module Dat
+    class DatCertificate
+      attr_reader :cid, :signature_key, :crypto_key, :dat_issue_begin, :dat_issue_end, :dat_ttl
+
+      def initialize(cid, signature_key, crypto_key, dat_issue_begin, dat_issue_end, dat_ttl)
+        @cid = cid
+        @signature_key = signature_key
+        @crypto_key = crypto_key
+        @dat_issue_begin = dat_issue_begin
+        @dat_issue_end = dat_issue_end
+        @dat_ttl = dat_ttl
+      end
+
+      def exports(option)
+        cid_hex = @cid.to_s(16)
+        sig_alg = @signature_key.algorithm
+        sig_key = @signature_key.exports(option)
+        cry_alg = @crypto_key.algorithm
+        cry_key = Saro::Dat::Util.encode_base64_url_str(@crypto_key.exports)
+
+        "#{cid_hex}.#{sig_alg}.#{sig_key}.#{cry_alg}.#{cry_key}.#{@dat_issue_begin}.#{@dat_issue_end}.#{@dat_ttl}"
+      end
+
+      def self.imports(format_str)
+        split = format_str.split(".")
+        raise ArgumentError, "Invalid Certificate format" if split.length != 8
+
+        cid = split[0].to_i(16)
+        sig_key = Saro::Dat::DatSignatureKey.imports(split[1], split[2])
+        cry_key = Saro::Dat::DatCryptoKey.imports(split[3], Saro::Dat::Util.decode_base64_url(split[4]))
+
+        new(
+          cid, sig_key, cry_key,
+          split[5].to_i, split[6].to_i, split[7].to_i
+        )
+      end
+
+      def issuable?
+        now = Time.now.to_i
+        has_signing_key? && @dat_issue_begin <= now && now <= @dat_issue_end
+      end
+
+      def expired?
+        Time.now.to_i > (@dat_issue_end + @dat_ttl)
+      end
+
+      def has_signing_key?
+        @signature_key.has_signing_key?
+      end
+    end
+  end
+end

data/lib/saro/dat/dat_manager.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require 'concurrent-ruby'
+require 'set'
+require_relative 'dat_certificate'
+require_relative 'dat'
+require_relative 'signature'
+require_relative 'util'
+
+module Saro
+  module Dat
+    class DatManager
+      def initialize
+        @issuer = nil
+        @certificates = []
+        @lock = Concurrent::ReadWriteLock.new
+      end
+
+      def import_certificates(input_certs, clear: false)
+        @lock.with_write_lock do
+          certificates = clear ? [] : @certificates.dup
+          
+          before_cids = Set.new(certificates.map(&:cid))
+          seen_cids = Set.new
+
+          input_certs.each do |cert|
+            raise ArgumentError, "Duplicate CID: #{cert.cid}" if seen_cids.include?(cert.cid)
+            seen_cids.add(cert.cid)
+            next if cert.expired?
+            next if before_cids.include?(cert.cid)
+            
+            certificates << cert
+          end
+
+          certificates.sort_by!(&:dat_issue_end)
+          
+          # Find latest issuable certificate as issuer
+          issuer = certificates.reverse_each.find(&:issuable?)
+
+          @issuer = issuer
+          @certificates = certificates
+        end
+      end
+
+      def imports(format_str, clear: false)
+        certs = []
+        format_str.strip.split("\n").each do |line|
+          line = line.strip
+          next if line.empty?
+          certs << Saro::Dat::DatCertificate.imports(line)
+        end
+        import_certificates(certs, clear: clear)
+      end
+
+      def exports(option)
+        @lock.with_read_lock do
+          @certificates.map { |cert| cert.exports(option) }.join("\n")
+        end
+      end
+
+      def issue(plain, secure)
+        issuer = @lock.with_read_lock { @issuer }
+        raise RuntimeError, "Invalid DAT: Signing Key Does Not Exist" unless issuer
+        
+        self.class._issue(issuer, plain, secure)
+      end
+
+      def parse(dat_input)
+        dat = Saro::Dat::Dat.from_value(dat_input)
+        raise ArgumentError, "Invalid DAT: Format" unless dat.format
+
+        certificate = @lock.with_read_lock do
+          @certificates.find { |c| c.cid == dat.cid }
+        end
+        
+        raise ArgumentError, "Invalid DAT: CID(Certificate ID) Not Found" unless certificate
+        
+        self.class._parse(certificate, dat)
+      end
+
+      private
+
+      def self._issue(cert, plain, secure)
+        now = Time.now.to_i
+        expire = now + cert.dat_ttl
+        cid_hex = cert.cid.to_s(16)
+
+        plain_bytes = plain.is_a?(String) ? plain.encode('utf-8') : (plain || "".b)
+        plain_b64 = Saro::Dat::Util.encode_base64_url_str(plain_bytes)
+
+        encrypted_secure = cert.crypto_key.encrypt(secure)
+        secure_b64 = Saro::Dat::Util.encode_base64_url_str(encrypted_secure)
+
+        body = "#{expire}.#{cid_hex}.#{plain_b64}.#{secure_b64}"
+        signature = Saro::Dat::Util.encode_base64_url_str(cert.signature_key.sign(body))
+
+        "#{body}.#{signature}"
+      end
+
+      def self._parse(cert, dat_input)
+        dat = Saro::Dat::Dat.from_value(dat_input)
+        raise RuntimeError, "Invalid DAT: Format" unless dat.format
+        raise RuntimeError, "Invalid DAT: Expired" if dat.expired?
+
+        unless cert.signature_key.verify(dat.body_string, dat.signature)
+          raise RuntimeError, "Invalid DAT: Signature"
+        end
+
+        decrypted_secure = cert.crypto_key.decrypt(dat.secure)
+        Saro::Dat::DatPayload.new(dat.plain, decrypted_secure)
+      end
+    end
+  end
+end

data/lib/saro/dat/signature.rb

@@ -0,0 +1,226 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require_relative 'util'
+
+module Saro
+  module Dat
+    class DatSignatureAlgorithm
+      P256 = "P256"
+      P384 = "P384"
+      P521 = "P521"
+
+      def self.all
+        [P256, P384, P521]
+      end
+    end
+
+    class DatSignatureKeyExportOption
+      PAIR = "PAIR"
+      SIGNING = "SIGNING"
+      VERIFYING = "VERIFYING"
+    end
+
+    SIGNATURE_CONFIG = {
+      "P256" => { curve: "prime256v1", hash: "SHA256" },
+      "P384" => { curve: "secp384r1", hash: "SHA384" },
+      "P521" => { curve: "secp521r1", hash: "SHA512" }
+    }.freeze
+
+    def self.get_signature_config(algorithm)
+      config = SIGNATURE_CONFIG[algorithm]
+      return config if config
+      raise ArgumentError, "Unsupported DAT Crypto Algorithm: #{algorithm}"
+    end
+
+    CURVE_OIDS = {
+      "prime256v1" => "1.2.840.10045.3.1.7",
+      "secp384r1" => "1.3.132.0.34",
+      "secp521r1" => "1.3.132.0.35"
+    }.freeze
+
+    class DatSignatureKey
+      attr_reader :algorithm, :signing_key, :verifying_key
+
+      def initialize(algorithm, signing_key, verifying_key, config = nil)
+        @algorithm = algorithm
+        @signing_key = signing_key
+        @verifying_key = verifying_key
+        @config = config || Saro::Dat.get_signature_config(algorithm)
+      end
+
+      private_class_method def self.create_ec_key(curve_name, priv_bn = nil, pub_octet = nil)
+        if priv_bn
+          # EC Private Key structure (SEC1)
+          # ECPrivateKey ::= SEQUENCE {
+          #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+          #   privateKey     OCTET STRING,
+          #   parameters [0] EXPLICIT ECParameters {{ NamedCurve }} OPTIONAL,
+          #   publicKey  [1] EXPLICIT BIT STRING OPTIONAL
+          # }
+          group = OpenSSL::PKey::EC::Group.new(curve_name)
+          pub_octet ||= group.generator.mul(priv_bn).to_octet_string(:uncompressed)
+          
+          asn1 = OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::Integer.new(1),
+            OpenSSL::ASN1::OctetString.new(priv_bn.to_s(2).rjust((group.degree + 7) / 8, "\x00".b)),
+            OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::ObjectId.new(curve_name)], 0, :CONTEXT_SPECIFIC),
+            OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1::BitString.new(pub_octet)], 1, :CONTEXT_SPECIFIC)
+          ])
+          OpenSSL::PKey::EC.new(asn1.to_der)
+        elsif pub_octet
+          # SubjectPublicKeyInfo
+          # SEQUENCE {
+          #   SEQUENCE {
+          #     OBJECT IDENTIFIER id-ecPublicKey (1.2.840.10045.2.1)
+          #     OBJECT IDENTIFIER namedCurve
+          #   }
+          #   BIT STRING publicKey
+          # }
+          spki = OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::Sequence.new([
+              OpenSSL::ASN1::ObjectId.new("id-ecPublicKey"),
+              OpenSSL::ASN1::ObjectId.new(curve_name)
+            ]),
+            OpenSSL::ASN1::BitString.new(pub_octet)
+          ])
+          OpenSSL::PKey::EC.new(spki.to_der)
+        else
+          raise ArgumentError, "Either private key or public key must be provided"
+        end
+      end
+
+      def self.generate(algorithm)
+        config = Saro::Dat.get_signature_config(algorithm)
+        key = OpenSSL::PKey::EC.generate(config[:curve])
+        new(algorithm, key, key, config)
+      end
+
+      def self.imports(algorithm, format_str)
+        config = Saro::Dat.get_signature_config(algorithm)
+        parts = format_str.split("~", -1)
+        
+        unless (1..2).cover?(parts.length)
+          raise ArgumentError, "Invalid DAT Signature Key Format: No keys found"
+        end
+
+        signing_key = nil
+        verifying_key = nil
+
+        if parts[0] && !parts[0].empty?
+          d_bytes = Saro::Dat::Util.decode_base64_url(parts[0])
+          d_value = OpenSSL::BN.new(d_bytes, 2)
+          
+          # Handle public key if provided in parts[1] for signing key as well
+          v_octet = if parts.length == 2 && parts[1] && !parts[1].empty?
+                      Saro::Dat::Util.decode_base64_url(parts[1])
+                    end
+
+          signing_key = create_ec_key(config[:curve], d_value, v_octet)
+          verifying_key = signing_key
+        end
+
+        if parts.length == 2 && parts[1] && !parts[1].empty?
+          unless signing_key
+            public_bytes = Saro::Dat::Util.decode_base64_url(parts[1])
+            verifying_key = create_ec_key(config[:curve], nil, public_bytes)
+          end
+        elsif !signing_key
+          raise ArgumentError, "Invalid DAT Signature Key Format: No keys found"
+        end
+
+        new(algorithm, signing_key, verifying_key, config)
+      end
+
+      def exports(option)
+        rv_parts = ["", ""]
+
+        if [DatSignatureKeyExportOption::PAIR, DatSignatureKeyExportOption::SIGNING].include?(option)
+          if @signing_key&.private_key
+            d_value = @signing_key.private_key
+            # Ensure fixed length padding
+            curve_size = (@signing_key.group.degree + 7) / 8
+            d_bytes = d_value.to_s(2).rjust(curve_size, "\x00".b)
+            rv_parts[0] = Saro::Dat::Util.encode_base64_url_str(d_bytes)
+          elsif option == DatSignatureKeyExportOption::SIGNING
+            raise ArgumentError, "Signature key is not supported - verifying only key"
+          end
+        end
+
+        if [DatSignatureKeyExportOption::PAIR, DatSignatureKeyExportOption::VERIFYING].include?(option)
+          # Uncompressed point: 0x04 + R + S
+          public_bytes = @verifying_key.public_key.to_octet_string(:uncompressed)
+          rv_parts[1] = Saro::Dat::Util.encode_base64_url_str(public_bytes)
+        end
+
+        case option
+        when DatSignatureKeyExportOption::SIGNING
+          rv_parts[0]
+        when DatSignatureKeyExportOption::VERIFYING
+          "~#{rv_parts[1]}"
+        else
+          "#{rv_parts[0]}~#{rv_parts[1]}"
+        end
+      end
+
+      def sign(body)
+        raise ArgumentError, "Signature key is not supported - verifying only key" unless @signing_key
+        body = body.encode('utf-8') if body.is_a?(String) && body.encoding != Encoding::BINARY
+        raise ArgumentError, "Sign Error - body is empty" if body.nil? || body.empty?
+
+        digest = OpenSSL::Digest.new(@config[:hash])
+        signature_der = @signing_key.dsa_sign_asn1(digest.digest(body))
+        
+        der_to_raw_signature(signature_der)
+      end
+
+      def verify(body, signature)
+        body = body.encode('utf-8') if body.is_a?(String) && body.encoding != Encoding::BINARY
+        return false if body.nil? || body.empty?
+
+        sig_bytes = if signature.is_a?(String) && signature.encoding != Encoding::BINARY
+                      Saro::Dat::Util.decode_base64_url(signature)
+                    else
+                      signature
+                    end
+
+        begin
+          der_sig = raw_to_der_signature(sig_bytes)
+          digest = OpenSSL::Digest.new(@config[:hash])
+          @verifying_key.dsa_verify_asn1(digest.digest(body), der_sig)
+        rescue StandardError
+          false
+        end
+      end
+
+      def has_signing_key?
+        !@signing_key.nil?
+      end
+
+      private
+
+      def der_to_raw_signature(signature_der)
+        asn1 = OpenSSL::ASN1.decode(signature_der)
+        r = asn1.value[0].value
+        s = asn1.value[1].value
+        
+        size = (@verifying_key.group.degree + 7) / 8
+        r_bytes = r.to_s(2).rjust(size, "\x00".b)
+        s_bytes = s.to_s(2).rjust(size, "\x00".b)
+        
+        r_bytes + s_bytes
+      end
+
+      def raw_to_der_signature(signature_raw)
+        size = signature_raw.length / 2
+        r = OpenSSL::BN.new(signature_raw[0, size], 2)
+        s = OpenSSL::BN.new(signature_raw[size, size], 2)
+        
+        r_asn1 = OpenSSL::ASN1::Integer.new(r)
+        s_asn1 = OpenSSL::ASN1::Integer.new(s)
+        
+        OpenSSL::ASN1::Sequence.new([r_asn1, s_asn1]).to_der
+      end
+    end
+  end
+end

data/lib/saro/dat/util.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Saro
+  module Dat
+    module Util
+      module_function
+
+      def encode_base64_url(s)
+        return "".b if s.nil?
+        if s.is_a?(String)
+          return "".b if s.empty?
+          s = s.encode('utf-8') unless s.encoding == Encoding::BINARY
+        end
+        Base64.urlsafe_encode64(s, padding: false).b
+      end
+
+      def encode_base64_url_str(s)
+        encode_base64_url(s).force_encoding('ascii')
+      end
+
+      def decode_base64_url(s)
+        return "".b if s.nil?
+        if s.is_a?(String)
+          return "".b if s.empty?
+        end
+        
+        # More robust way for older Ruby
+        s = s.to_s.tr('-_', '+/')
+        rem = s.bytesize % 4
+        s += ("=" * (4 - rem)) if rem > 0
+
+        Base64.decode64(s).b
+      end
+
+      def decode_base64_url_str(s)
+        decode_base64_url(s).force_encoding('utf-8')
+      end
+    end
+  end
+end

data/lib/saro-dat.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require_relative 'saro/dat/util'
+require_relative 'saro/dat/crypto'
+require_relative 'saro/dat/signature'
+require_relative 'saro/dat/dat_certificate'
+require_relative 'saro/dat/dat'
+require_relative 'saro/dat/dat_manager'
+
+module Saro
+  module Dat
+    class Error < StandardError; end
+  end
+end

data/saro-dat.gemspec

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  spec.name          = "saro-dat"
+  spec.version       = "1.0.0"
+  spec.authors       = ["marker"]
+  spec.email         = ["j@saro.me"]
+
+  spec.summary       = "DAT (Data Access Token) Ruby implementation"
+  spec.description   = "Ported from Python dat library"
+  spec.homepage      = "https://dat.saro.me/--/libs/gems-saro-dat"
+  spec.license       = "MIT"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/saro-lab/dat-ruby"
+  spec.metadata["changelog_uri"] = "https://github.com/saro-lab/dat-ruby/blob/main/CHANGELOG.md"
+
+  spec.metadata["keywords"] = "dat, distributed, access, token, web, session, security, authentication"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features|_pypi)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "concurrent-ruby", "~> 1.3.6"
+  spec.add_dependency "openssl", "~> 4.0.2"
+  spec.add_dependency "base64"
+
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency "benchmark"
+  spec.add_development_dependency "parallel"
+end

metadata

@@ -0,0 +1,146 @@
+--- !ruby/object:Gem::Specification
+name: saro-dat
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- marker
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.3.6
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.0.2
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: benchmark
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: parallel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Ported from Python dat library
+email:
+- j@saro.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".idea/.gitignore"
+- ".idea/modules.xml"
+- ".idea/saro-dat.iml"
+- ".ruby-version"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- PUBLISH.md
+- README.md
+- lib/saro-dat.rb
+- lib/saro/dat/crypto.rb
+- lib/saro/dat/dat.rb
+- lib/saro/dat/dat_certificate.rb
+- lib/saro/dat/dat_manager.rb
+- lib/saro/dat/signature.rb
+- lib/saro/dat/util.rb
+- saro-dat.gemspec
+homepage: https://dat.saro.me/--/libs/gems-saro-dat
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://dat.saro.me/--/libs/gems-saro-dat
+  source_code_uri: https://github.com/saro-lab/dat-ruby
+  changelog_uri: https://github.com/saro-lab/dat-ruby/blob/main/CHANGELOG.md
+  keywords: dat, distributed, access, token, web, session, security, authentication
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.10
+specification_version: 4
+summary: DAT (Data Access Token) Ruby implementation
+test_files: []