scl 0.1.0

data/lib/scl/control/dh.rb

@@ -0,0 +1,84 @@
+require 'json'
+module Scl
+  module Control
+    class DH < ControllerModule
+
+      help <<-HELP,
+      syn. Step 1 of a diffie hellman exchange.
+      Generates a private and public key and der to be used to generate a symmetric key with a second party.
+
+        e.g
+          >> Using public key (Saves to [filename].enc by default, unless -o is used)
+          scl dh syn
+          scl dh syn -fbase64
+          scl dh syn -o ./dhell
+      HELP
+      def syn
+        syn = dh.syn
+        args.output_file ||= "dh-key-exchange"
+        controller.output(
+          Output.new(syn[:private].to_json, ".dh1.priv"),
+          Output.new(syn[:public].to_json, ".dh1.pub")
+        )
+      end
+
+      help <<-HELP,
+      ack. Step 2 of a diffie hellman exchange.
+      Requires the public output of step 1 (The der and public key)
+      Generates a private and public key and der to be used to generate a symmetric key with a second party.
+
+      The output [output_file].key contains the secret key generated by the DH exchange.
+      The public output [output_file].dh2.pub must be passed back to the first party to complete the exchange
+        e.g
+          >> Using public key (Saves to [filename].enc by default, unless -o is used)
+          scl dh ack ./dh-key-exchange.dh1.pub
+          scl dh ack ./dhell.dh1.pub -o ./dhell
+      HELP
+      def ack(file)
+        unless File.exists?(file)
+          raise ControlError.new("Couldn't find file containing part 1 of diffie hellman exchange: #{file}. File doesnt exist")
+        end
+        input = JSON.parse(input_decoder.decode(IO.read(file)))
+        ack  = dh.ack(der: input['der'], public_key: input['public_key'])
+        args.output_file ||= "dh-key-exchange"
+        controller.output(
+          Output.new(ack[:private].to_json, ".dh2.key"),
+          Output.new(ack[:public].to_json, ".dh2.pub")
+        )
+      end
+
+      help <<-HELP,
+      fin. Step 3 and final step of a diffie hellman exchange.
+      Requires the private output of step 1 (The der and private key) and the public key from step 2
+      Generates a secret key shared with the second party
+
+      The output [output_file].key contains the secret key generated by the DH exchange.
+
+        e.g
+          >> Using public key (Saves to [filename].enc by default, unless -o is used)
+          scl dh fin ./dh-key-exchange.dh1.priv ./dh-key-exchange.dh2.pub
+          scl dh fin ./dhell.dh1.priv ./dhell.dh2.pub -o ./dhell
+      HELP
+      def fin(dh1_priv, dh2_pub)
+        unless File.exists?(dh1_priv)
+          raise ControlError.new("Couldn't find file private portion of part 1 of diffie hellman exchange: #{dh1_priv}. File doesnt exist")
+        end
+        unless File.exists?(dh2_pub)
+          raise ControlError.new("Couldn't find file containing public portion of part 2 of diffie hellman exchange: #{dh2_pub}. File doesnt exist")
+        end
+        dh1 = JSON.parse(input_decoder.decode(IO.read(dh1_priv)))
+        dh2 = JSON.parse(input_decoder.decode(IO.read(dh2_pub)))
+        result = dh.fin(der: dh1['der'], private_key: dh1['private_key'], public_key: dh2['public_key'])
+        args.output_file ||= "dh-key-exchange"
+        controller.output(
+          Output.new(result[:private].to_json, ".dh1.key")
+        )
+      end
+
+      private
+        def dh
+          @dh ||= Scl::DH.new
+        end
+    end
+  end
+end

data/lib/scl/control/digest.rb

@@ -0,0 +1,90 @@
+module Scl
+  module Control
+    class Digest < ControllerModule
+
+      help <<-HELP,
+      sign. Signs a file using a support hash algorithm. Defaults to sha256
+        e.g
+          scl digest sign /path/to/file
+          scl digest sign /path/to/file -o stdout
+          scl digest sign /path/to/file -d sha512
+      HELP
+      def sign(input_file)
+        signature = Scl::Digest.digest(args.digest || 'sha256', read_file(input_file, "File to sign"))
+        args.output_file ||= input_file
+        args.output_format ||= 'binary'
+        controller.output(
+          Output.new(signature, ".sig")
+        )
+      end
+
+      help <<-HELP,
+      verify
+        e.g.
+          scl digest verify file signature
+          scl digest verify file signature -d sha512
+      HELP
+      def verify(input_file, signature_file)
+        signature = Scl::Digest.digest(args.digest || 'sha256', read_file(input_file, "File to verify"))
+        args.input_format ||= 'binary'
+        if signature == input_decoder.decode(read_file(signature_file, "Signature"))
+          exit(0)
+        else
+          exit(1)
+        end
+      end
+
+      help <<-HELP,
+      hmac. Generates an HMAC for a file, can be given an optional key or alternately one will be
+      generated for you. Keep hold of this key for verifying signatures in the future
+        e.g.
+          scl hmac file            # Generates both a digest and a secure random key
+          scl hmac file -k keyfile # Generates a digest using an existing key
+          scl hmac file -d sha512  # Provide alternate digest algorithm
+      HELP
+      def hmac(input_file)
+        input_key = args.key_path ?
+          read_file(args.key_path) :
+          nil
+        signature, key = Scl::Digest.hmac(args.digest || 'sha256', read_file(input_file, "File to sign"), input_key)
+        args.output_file ||= input_file
+        args.output_format ||= 'binary'
+        controller.output(
+          Output.new(signature, ".sig"),
+          input_key ? nil : Output.new(key, '.key')
+        )
+      end
+
+      help <<-HELP,
+      hmac. Verifies the contents of a file match an HMAC signature (using a given key)
+        e.g.
+          scl hmac_verify file signature -k keyfile
+      HELP
+      def hmac_verify(input_file, signature_file)
+        args.input_format ||= 'binary'
+        key = input_decoder.decode(read_file(args.key_path, 'HMAC Key file', 'Use -k'))
+        data = read_file(input_file, "File to verify")
+        signature, key = Scl::Digest.hmac(args.digest || 'sha256', data, key)
+        if signature == input_decoder.decode(read_file(signature_file, "Signature"))
+          exit(0)
+        else
+          exit(1)
+        end
+      end
+
+      help <<-HELP,
+      list. List supported hash algorithms
+        e.g.
+        scl digest list
+      HELP
+      def list
+        puts OpenSSL::Digest.constants.reject{|x| x.to_s =~ /Error/ }
+      end
+
+      private
+        def ss
+          @ss ||= Scl::SecretShare.new(args.min_shares.to_i, args.num_shares.to_i)
+        end
+    end
+  end
+end

data/lib/scl/control/output.rb

@@ -0,0 +1,14 @@
+module Scl
+  module Control
+    class Output
+      attr_reader :content
+      def initialize(content, suffix)
+        @content, @suffix = content, suffix
+      end
+
+      def file(path)
+        File.join("#{path.gsub(%r(#{@suffix.gsub('.','\.')}$),'')}#{@suffix}")
+      end
+    end
+  end
+end

data/lib/scl/control/rsa.rb

@@ -0,0 +1,161 @@
+module Scl
+  module Control
+    class RSA < ControllerModule
+
+      help <<-HELP,
+      Generates an RSA keypair
+        e.g
+          >> Generates a key-pair and prints to stdout
+          $ scl rsa generate
+
+          >> Generates a key-pair and saves to the filesystem
+          $ scl rsa generate -o /path/to/file
+      HELP
+      def generate
+        begin
+          result = Scl::RSA.generate(args.key_size)
+          controller.output(
+            Output.new(result.public.export, '.pub'),
+            Output.new(result.private.export, '.priv')
+          )
+        rescue StandardError => e
+          raise ControlError.new("Couldn't generate key of size #{args.key_size}")
+        end
+      end
+
+      help <<-HELP,
+      Signs a file using an RSA private key.
+      This file can then be verified using the corresponding public-key or the same private-key
+        e.g
+          >> Sign [file] using private key
+          $ scl rsa sign file -Z /path/to/private/key
+      HELP
+      def sign(file)
+        unless args.private_key_file
+          raise ControlError.new("Please provide a private key file (-Z or --priv) use --help to find out more")
+        end
+        unless File.exists?(args.private_key_file)
+          raise ControlError.new("Private key file #{args.private_key_file} doesnt exist")
+        end
+        unless File.exists?(file)
+          raise ControlError.new("Couldn't find file to sign: #{file}. File doesnt exist")
+        end
+
+        private_key = load_key(args.private_key_file)
+        signature = private_key.sign(IO.read(file))
+        args.output_file ||= file
+        controller.output(
+          Output.new(signature, ".sig")
+        )
+      end
+
+      help <<-HELP,
+      Verifies a file matches a signature for an RSA private key
+      Verification can be performed using the corresponding public-key or the same private-key that generated the signature
+        e.g
+
+          >> Verify [file] using public key
+          $ scl rsa verify -p /path/to/private/key file file.sig
+          $ scl rsa verify --pub-key /path/to/private/key file file.sig
+
+          >> Verify [file] using private key
+          $ scl rsa verify -Z /path/to/private/key file file.sig
+      HELP
+      def verify(file, signature="#{file}.sig")
+        key_file = args.public_key_file || args.private_key_file
+        unless key_file
+          raise ControlError.new("Please provide a private or public key file (-p --pub-key, -Z or --priv-key) use --help to find out more")
+        end
+        unless File.exists?(key_file)
+          raise ControlError.new("Key file #{key_file} doesnt exist")
+        end
+        unless File.exists?(file)
+          raise ControlError.new("Couldn't find file to verify: #{file}. File doesnt exist")
+        end
+        unless File.exists?(signature)
+          raise ControlError.new("Couldn't find signature to verify: #{signature}. File doesnt exist")
+        end
+        key = load_key(key_file)
+        if key.verify(input_decoder.decode(IO.read(signature)), IO.read(file))
+          exit(0)
+        else
+          exit(1)
+        end
+      end
+
+      help <<-HELP,
+      Encrypts a file.
+        e.g
+          >> Using public key (Saves to [filename].enc by default, unless -o is used)
+          scl rsa encrypt -p /path/to/public_key /path/to/file
+          scl rsa encrypt --pub-key /path/to/public_key /path/to/file
+
+          >> Using public key (Saves to [filename].enc by default, unless -o is used)
+          scl rsa encrypt -Z /path/to/private_key /path/to/file
+          scl rsa encrypt --priv-key /path/to/private_key /path/to/file
+      HELP
+      def encrypt(file)
+        key_file = args.public_key_file || args.private_key_file
+        unless key_file
+          raise ControlError.new("Please provide a private or public key file (-p --pub-key, -Z or --priv-key) use --help to find out more")
+        end
+        unless File.exists?(key_file)
+          raise ControlError.new("Key file #{key_file} doesnt exist")
+        end
+        unless File.exists?(file)
+          raise ControlError.new("Couldn't find file to verify: #{file}. File doesnt exist")
+        end
+        key = load_key(key_file)
+        encrypted = key.encrypt(IO.read(file))
+        args.output_file ||= file
+        controller.output(
+          Output.new(encrypted, '.enc')
+        )
+      end
+
+      help <<-HELP,
+      Decrypts a file.
+        e.g
+          >> Using public key (Writes to stdout unless -o is used)
+          scl rsa decrypt -p /path/to/public_key /path/to/file.enc
+          scl rsa decrypt --pub-key /path/to/public_key /path/to/file.enc
+
+          >> Using public key (Writes to stdout unless -o is used)
+          scl rsa decrypt -Z /path/to/private_key /path/to/file.enc
+          scl rsa decrypt --priv-key /path/to/private_key /path/to/file.enc
+      HELP
+      def decrypt(file)
+        key_file = args.public_key_file || args.private_key_file
+        unless key_file
+          raise ControlError.new("Please provide a private or public key file (-p --pub-key, -Z or --priv-key) use --help to find out more")
+        end
+        unless File.exists?(key_file)
+          raise ControlError.new("Key file #{key_file} doesnt exist")
+        end
+        unless File.exists?(file)
+          raise ControlError.new("Couldn't find file to verify: #{file}. File doesnt exist")
+        end
+        key = load_key(key_file)
+        decrypted = key.decrypt(input_decoder.decode(IO.read(file)))
+        args.output_format = 'binary'
+        controller.output(
+          Output.new(decrypted, '')
+        )
+      end
+
+      private
+        def load_key(key_file)
+          raw_input     = IO.read(key_file)
+          puts "Decoding key using #{input_decoder.name}" if args.verbose
+          decoded_input = key_coder.decode(raw_input)
+          puts "Constructing new RSA key using decoded input" if args.verbose
+          begin
+            pkey = OpenSSL::PKey::RSA.new(decoded_input)
+            Scl::RSA::Key.new(pkey)
+          rescue StandardError => e
+            raise ControlError.new("Unable to construct key from decoded input #{e.message}")
+          end
+        end
+    end
+  end
+end

data/lib/scl/control/sss.rb

@@ -0,0 +1,48 @@
+module Scl
+  module Control
+    class SSS < ControllerModule
+
+      help <<-HELP,
+      generate. Generate a set of shares for a shared secret
+      Arguments are the total number of shares to generate, and the number of shares required to unlock
+      the secret.
+        e.g
+          scl sss generate -m 3 -n 5
+          scl sss generate --min-shares=11 --num-shares=14 -o output_file
+
+      Large secrets are encoded using multiple blocks, which can create large shares.
+      An alternative, more space efficient approach to this is to encode a shorter key using secret sharing,
+      and to then encrypt the large secret using this key and a block-cipher
+
+      HELP
+      def generate(input_file)
+        raise ControlError.new("Min-shares must be a positive integer") unless args.min_shares.to_i > 0
+        raise ControlError.new("Num-shares must be a positive integer") unless args.num_shares.to_i > 0
+        raise ControlError.new('Num shares must be larger than or equal to min shares') unless args.num_shares.to_i >= args.min_shares.to_i
+        input = read_file(input_file)
+        args.output_file ||= input_file
+        controller.output(
+          Output.new(ss.generate(input).join("\n"), ".shares")
+        )
+      end
+
+      help <<-HELP,
+      combine. Combines a set of shares for a shared secret
+      Expects as an argument a file of "\n" separate secret shares
+        e.g
+          scl sss combine shares.txt
+      HELP
+      def combine(input_file)
+        shares = read_file(input_file).split("\n")
+        controller.output(
+          Output.new(Scl::SecretShare.combine(shares), ".sec")
+        )
+      end
+
+      private
+        def ss
+          @ss ||= Scl::SecretShare.new(args.min_shares.to_i, args.num_shares.to_i)
+        end
+    end
+  end
+end

data/lib/scl/control.rb

@@ -0,0 +1,14 @@
+require 'scl/control/output'
+require 'scl/control/controller'
+require 'scl/control/controller_module'
+require 'scl/control/aes'
+require 'scl/control/rsa'
+require 'scl/control/sss'
+require 'scl/control/dh'
+require 'scl/control/digest'
+
+module Scl
+  module Control
+    class ControlError < StandardError; end
+  end
+end

data/lib/scl/dh.rb

@@ -0,0 +1,52 @@
+module Scl
+  require 'base64'
+  class DH
+    attr_reader :encoder
+
+    def initialize(encoder: Format::BASE64)
+      @encoder = encoder
+    end
+    # :0> syn        = Scl::DH.new.syn
+    # :1> ack        = Scl::DH.new.ack(syn[:public])
+    # :2> shared_key1 = Scl::DH.new.fin(syn[:private].merge(ack[:public]))[:private][:shared_key]
+    # :3> shared_key2 = ack[:private][:shared_key]
+    def syn(length: 512)
+      dh = OpenSSL::PKey::DH.new(length)
+      {
+        private: {
+          der:         encoder.encode(dh.public_key.to_der),
+          private_key: encoder.encode(dh.priv_key.to_s(16))
+        },
+        public: {
+          der:        encoder.encode(dh.public_key.to_der),
+          public_key: encoder.encode(dh.pub_key.to_s(16))
+        }
+      }
+    end
+
+    def ack(der:, public_key:)
+      dh = OpenSSL::PKey::DH.new(encoder.decode(der))
+      dh.generate_key!
+      shared_key = dh.compute_key(OpenSSL::BN.new(encoder.decode(public_key), 16))
+      {
+        private: {
+          shared_key: encoder.encode(shared_key)
+        },
+        public: {
+          public_key: encoder.encode(dh.pub_key.to_s(16))
+        }
+      }
+    end
+
+    def fin(private_key:, der:, public_key:)
+      dh = OpenSSL::PKey::DH.new(encoder.decode(der))
+      dh.priv_key        = OpenSSL::BN.new(encoder.decode(private_key), 16)
+      shared_key = dh.compute_key(OpenSSL::BN.new(encoder.decode(public_key), 16))
+      {
+        private: {
+          shared_key: encoder.encode(shared_key)
+        }
+      }
+    end
+  end
+end

data/lib/scl/digest.rb

@@ -0,0 +1,29 @@
+module Scl
+  class Digest
+    def self.digest(digest, data)
+      if digest_exists?(digest)
+        OpenSSL::Digest.const_get(digest.upcase).new.hexdigest(data)
+      end
+    end
+
+    def self.hmac(digest, data, key=nil)
+      if digest_exists?(digest)
+        require 'securerandom'
+        key = key || SecureRandom.hex
+        [OpenSSL::HMAC.hexdigest(digest, key, data), key]
+      end
+    end
+
+    private
+      def self.digest_exists?(digest)
+        begin
+          OpenSSL::Digest.const_get(digest.upcase)
+        rescue NameError => e
+          puts "Couldn't get digest type. #{digest}"
+          puts "Try $ scl digest list  – for a list of supported digests"
+          return false
+        end
+        true
+      end
+  end
+end

data/lib/scl/formats/auto.rb

@@ -0,0 +1,23 @@
+module Scl
+  class Scl::Auto < Scl::Format
+    def encode(data)
+      sorted = (data.chars.map(&:ord).uniq.sort) - [10]
+      if sorted.first < 32 || sorted.max > 126
+        Scl::Format::BASE64.encode(data)
+      else
+        Scl::Format::BINARY.encode(data)
+      end
+    end
+
+    def decode(data)
+      png = Regexp.new("\x89PNG".force_encoding("binary"))
+      if /^#{png}/ === data
+        Scl::Format::QRCODE.decode(data)
+      elsif data[/[^A-Za-z0-9\+\/\n=]/]
+        Scl::Format::BINARY.decode(data)
+      else
+        Scl::Format::BASE64.decode(data)
+      end
+    end
+  end
+end

data/lib/scl/formats/base64.rb

@@ -0,0 +1,12 @@
+module Scl
+  class Scl::Base64 < Scl::Format
+    require 'base64'
+    def encode(data)
+      ::Base64.encode64(data)
+    end
+
+    def decode(data)
+      ::Base64.decode64(data)
+    end
+  end
+end

data/lib/scl/formats/binary.rb

@@ -0,0 +1,11 @@
+module Scl
+  class Scl::Binary < Scl::Format
+    def encode(data)
+      data
+    end
+
+    def decode(data)
+      data
+    end
+  end
+end

data/lib/scl/formats/format.rb

@@ -0,0 +1,44 @@
+module Scl
+  class Format
+    def output(filename, data)
+      IO.write(filename, encode(data))
+    end
+
+    def read(filename)
+      decode(IO.read(filename))
+    end
+
+    def encode(data)
+      raise "Must be implemented by subclass"
+    end
+
+    def decode(data)
+      raise "Must be implemented by subclass"
+    end
+
+    def name
+      self.class.name
+    end
+  end
+end
+
+require 'scl/formats/base64'
+require 'scl/formats/binary'
+require 'scl/formats/words'
+require 'scl/formats/auto'
+require 'scl/formats/hex'
+require 'scl/formats/qrcode'
+require 'scl/formats/stdout'
+
+module Scl
+  class Format
+
+    BASE64 = Scl::Base64.new
+    BINARY = Scl::Binary.new
+    WORDS  = Scl::Words.new
+    QRCODE = Scl::QRCode.new
+    HEX    = Scl::Hex.new
+    AUTO   = Scl::Auto.new
+    STDOUT = Scl::Stdout.new
+  end
+end

data/lib/scl/formats/hex.rb

@@ -0,0 +1,11 @@
+module Scl
+  class Scl::Hex < Scl::Format
+    def encode(data)
+      data.bytes.map{|x| x.to_s(16).rjust(2, ?0) }.join
+    end
+
+    def decode(data)
+      data.scan(/../).map{|s| s.to_i(16) }.map(&:chr).join
+    end
+  end
+end

data/lib/scl/formats/qrcode.rb

@@ -0,0 +1,11 @@
+module Scl
+  class Scl::QRCode < Scl::Format
+    def encode(data)
+      raise "Not implemented yet"
+    end
+
+    def decode(data)
+      raise "Not implemented yet"
+    end
+  end
+end

data/lib/scl/formats/stdout.rb

@@ -0,0 +1,11 @@
+module Scl
+  class Scl::Stdout < Scl::Format
+    def encode(data)
+      puts data
+    end
+
+    def decode(data)
+      data
+    end
+  end
+end