secure_conf 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2e3c76b854e1a1f9928b858a30e35323dd7d149d
-  data.tar.gz: 565f358aeaf3fce3a0102a3f734861769824daaa
+SHA256:
+  metadata.gz: 977af3cdc7abe1fce0989ac7ed1e8cfc9d91c4008458638888ec71a4b0129152
+  data.tar.gz: 22e451c7ab83a730c57011b0423e079c6634fd92ab4770ca570287220fca4d91
 SHA512:
-  metadata.gz: 6633e4d0d35351ef51838d2c4cc6bd31c25ce94c2ddb29c53c87a21125f22b1598c9271b50c50b60e1e73e9bc27daceb0d930497b49d7fe6dd352afaa316c105
-  data.tar.gz: c724cd2b2dc2416914b46871667386c042b0f5f23e9af7c4395d6f80ccdd91f771c61b6277240169189323e79670f1aa821bc3b4b81a63de29105b67bdd14a0b
+  metadata.gz: 55ee00fef2d53f1a27fc6a7e5ffbed08522701bdf6250665d9b8a5dce65fadaf252b0fd3a02a1817055c168e53a43f6b46775a7c2a92d722a83d9e45ba3dc428
+  data.tar.gz: 5b43c21c28fdedd803a80ab73dd37de6fda28af5b6e0c6226819c43948dd8ef53816af63c212896a206112b0e7c1f183db416ac8c9bb274ecb0909103cf4b9f8

data/README.md

@@ -20,7 +20,7 @@ Or install it yourself as:
 
 ## Usage
 
-    path = File.expand_path("config.yml", File.dirname(__FILE__))
+    path = File.expand_path("secure.yml", File.dirname(__FILE__))
     config = SecureConf::Config.new(path)
     
     config["enc:id"] = "yoshida-eth0"

data/exe/secure_conf.rb

@@ -3,35 +3,33 @@
 $LOAD_PATH << File.expand_path("../lib", File.dirname(__FILE__))
 
 require 'secure_conf'
-
-method = (ARGV[0]||"").to_sym
-path = ARGV[1]
-key = ARGV[2]
-value = ARGV[3]
+require 'optparse'
 
 class SecureConfCmd
 
-  def initialize(path)
-    @path = path
+  def initialize(storage_path, privatekey_path=nil)
+    @storage_path = File.expand_path(storage_path)
+    @privatekey_path = File.expand_path(privatekey_path)
   end
 
   def config
     unless @config
-      unless @path
-        raise "path is required."
-      end
-      #unless File.file?(@path)
-      #  raise "path is not found."
+      #unless File.file?(@storage_path)
+      #  raise "storage_path is not exist: #{@storage_path}"
       #end
 
-      @config = SecureConf::Config.new(@path, auto_commit: true)
+      unless File.file?(@privatekey_path)
+        raise "privatekey_path is not exist: #{@privatekey_path}"
+      end
+
+      pkey = File.open(@privatekey_path, "r") {|f| f.read}
+
+      @config = SecureConf::Config.new(@storage_path, encripter: SecureConf::Encrypter.new(pkey), auto_commit: true)
     end
     @config
   end
 
   def read(key)
-    raise "key is required." unless key
-
     val = config[key]
 
     puts "read"
@@ -40,9 +38,6 @@ class SecureConfCmd
   end
 
   def write(key, value)
-    raise "key is required." unless key
-    raise "value is required." unless value
-
     puts "write"
     puts "  key: #{key}"
     puts "  val: #{value}"
@@ -51,32 +46,76 @@ class SecureConfCmd
   end
 
   def delete(key)
-    raise "key is required." unless key
-
     puts "delete"
     puts "  key: #{key}"
     config.delete(key)
     puts "delete ok."
   end
+end
+
 
-  def usage
-    lines = []
-    lines << "Usage:"
-    lines << "  #{File.basename($0)} method path [key [value]]"
-    lines << ""
-    lines << "  method:"
-    lines << "    read write delete"
-    lines << ""
-    lines << "  required args"
-    lines << "    read  : path key"
-    lines << "    write : path key value"
-    lines << "    delete: path key"
-    lines.join("\n")
+# default value
+privatekey_path = "~/.ssh/id_rsa"
+storage_path = "./secure.yml"
+method = nil
+key = nil
+value = nil
+
+# parser
+parser = OptionParser.new {|o|
+  o.banner = "Usage: #{File.basename($0)} [options] method [arguments]..."
+  o.on('--pkey privatekey_path', "PrivateKey file path (default: #{privatekey_path})") {|v| privatekey_path = v }
+  o.on('--storage storage_path', "Storage file path (default: #{storage_path})") {|v| storage_path = v }
+  o.on_tail(
+    "  methods usage:",
+    "    #{File.basename($0)} [options] read key",
+    "    #{File.basename($0)} [options] write key value",
+    "    #{File.basename($0)} [options] delete key",
+  )
+  o.version = SecureConf::VERSION
+}
+
+methods = {
+  read: 1,
+  write: 2,
+  delete: 1,
+}
+
+# parse argv
+begin
+  parser.parse!(ARGV)
+
+  # method
+  method = ARGV.shift
+  unless method
+    raise ""
+  end
+  method = method.to_sym
+  unless methods.include?(method)
+    raise "not found method: #{method}"
+  end
+
+  # method argc
+  unless ARGV.length==methods[method]
+    raise "wrong number of method arguments: method=#{method} given=#{ARGV.length} expected=#{methods[method]}"
+  end
+
+  # key value
+  key = ARGV[0]
+  value = ARGV[1]
+
+rescue => e
+  if 0<e.message.to_s.length
+    puts e.message
+    puts
   end
+  puts parser.help
+  exit(1)
 end
 
 
-cmd = SecureConfCmd.new(path)
+# execute
+cmd = SecureConfCmd.new(storage_path, privatekey_path)
 
 begin
   case method
@@ -86,13 +125,11 @@ begin
     cmd.write(key, value)
   when :delete
     cmd.delete(key)
-  else
-    puts cmd.usage
   end
 rescue => e
   puts e
   puts
-  puts cmd.usage
+  puts parser.help
 
   #puts e.backtrace.join("\n")
 end

data/lib/secure_conf/encrypter.rb

@@ -1,10 +1,11 @@
 require 'openssl'
 require 'base64'
+require 'secure_conf/openssh'
 
 module SecureConf
   class Encrypter
     def initialize(pkey=nil, pass=nil)
-      pkey ||= "~/.ssh/id_rsa"
+      pkey ||= File.open(File.expand_path("~/.ssh/id_rsa"), "r") {|f| f.read }
       self.pkey = [pkey, pass]
     end
 
@@ -13,15 +14,22 @@ module SecureConf
 
       case pk
       when OpenSSL::PKey::RSA
+        # OpenSSL private key object
         @pkey = pk
+      when OpenSSH::PKey
+        # OpenSSH private key object
+        @pkey = pk.to_openssl
       when String
-        pk2 = File.expand_path(pk)
-        if File.file?(pk2) && File.readable?(pk2)
-          pk = File.read(pk2)
+        pk = pk.strip
+        if pk.start_with?("-----BEGIN OPENSSH PRIVATE KEY-----") && pk.end_with?("-----END OPENSSH PRIVATE KEY-----")
+          # OpenSSH private pem string
+          @pkey = OpenSSH::PKey.new(pk).to_openssl
+        else
+          # OpenSSL private pem string
+          @pkey = OpenSSL::PKey::RSA.new(pk, pass)
         end
-
-        @pkey = OpenSSL::PKey::RSA.new(pk, pass)
       when Integer
+        # generate
         @pkey = OpenSSL::PKey::RSA.new(pk)
       end
     end

data/lib/secure_conf/openssh.rb

@@ -0,0 +1,302 @@
+require 'stringio'
+require 'base64'
+require 'singleton'
+require 'openssl'
+
+module SecureConf
+  module OpenSSH
+    class PKey
+
+      def initialize(source)
+        if String===source
+          # pem string
+          @h = parse_pem(source)
+
+        elsif IO===source
+          # pem io
+          source = source.read
+          @h = parse_pem(source)
+
+        elsif source.respond_to?(:to_der)
+          # call to_der method
+          der = source.to_der
+          @h = parse_der(der)
+
+        else
+          # other
+          raise ArgumentError, "unsupported argument type: #{source.class.name}"
+        end
+      end
+
+      def parse_pem(pem)
+        pem = pem.strip
+        if !pem.start_with?("-----BEGIN OPENSSH PRIVATE KEY-----") || !pem.end_with?("-----END OPENSSH PRIVATE KEY-----")
+          raise FormatError, "invalid pem string"
+        end
+
+        pem = pem.gsub(/-----(?:BEGIN|END) OPENSSH PRIVATE KEY-----/, "").gsub(/[\r\n]/, "")
+        der = Base64::strict_decode64(pem)
+        parse_der(der)
+      end
+
+      # sshkey_private_to_blob2
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L3910
+      def parse_der(der)
+        bio = StringIO.new(der, "rb")
+        h = {}
+
+        # header
+        h[:header] = bio.read(15)
+        if h[:header]!="openssh-key-v1\0"
+          raise FormatError, "openssh header not found"
+        end
+
+        # ciphername
+        length = bio.read(4).unpack("N")[0]
+        h[:ciphername] = bio.read(length)
+        if h[:ciphername]!="none"
+          raise FormatError, "ciphername is not 'none': #{h[:ciphername]}"
+        end
+
+        # kdfname
+        length = bio.read(4).unpack("N")[0]
+        h[:kdfname] = bio.read(length)
+        if h[:kdfname]!="none"
+          raise FormatError, "kdfname is not 'none': #{h[:kdfname]}"
+        end
+
+        # kdf
+        length = bio.read(4).unpack("N")[0]
+        h[:kdf] = bio.read(length)
+        if h[:kdf]!=""
+          raise FormatError, "kdf is not empty: #{h[:kdfname]}"
+        end
+
+        # number of keys
+        h[:keys_num] = bio.read(4).unpack("N")[0]
+        if h[:keys_num]!=1
+          raise FormatError, "number of keys is not 1: #{h[:keys_num]}"
+        end
+
+        # public key
+        length = bio.read(4).unpack("N")[0]
+        publickey = bio.read(length)
+        h[:publickey] = parse_der_publickey(publickey)
+
+        # rnd+prv+comment+pad
+        length = bio.read(4).unpack("N")[0]
+        privatekey = bio.read(length)
+        h[:privatekey] = parse_der_privatekey(privatekey)
+
+        # check eof
+        if !bio.eof?
+          raise FormatError, "no eof"
+        end
+
+        h
+      end
+
+      # to_blob_buf
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L828
+      def parse_der_publickey(publickey)
+        bio = StringIO.new(publickey, "rb")
+        h = {}
+
+        # keytype
+        length = bio.read(4).unpack("N")[0]
+        h[:keytype] = bio.read(length)
+
+        # content
+        kt = Keytype.fetch(h[:keytype])
+        if !kt
+          raise UnsupportedError, "unsupported keytype: #{h[:keytype]}"
+        end
+        kt.parse_der_public_key_contents(h, bio)
+
+        # check eof
+        if !bio.eof?
+          raise FormatError, "publickey no eof"
+        end
+
+        h
+      end
+
+      # sshkey_private_serialize_opt
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L3230
+      def parse_der_privatekey(privatekey)
+        bio = StringIO.new(privatekey, "rb")
+        h = {}
+
+        # checksum
+        h[:checksum] = bio.read(8).unpack("NN")
+
+        # keytype
+        length = bio.read(4).unpack("N")[0]
+        h[:keytype] = bio.read(length)
+
+        # content
+        kt = Keytype.fetch(h[:keytype])
+        if !kt
+          raise UnsupportedError, "unsupported keytype: #{h[:keytype]}"
+        end
+        kt.parse_der_private_key_contents(h, bio)
+
+        # comment
+        length = bio.read(4).unpack("N")[0]
+        h[:comment] = bio.read(length)
+
+        # padding
+        h[:padding] = bio.read
+
+        # check eof
+        if !bio.eof?
+          raise FormatError, "privatekey no eof"
+        end
+
+        h
+      end
+
+      def keytype
+        Keytype.fetch(@h[:privatekey][:keytype])
+      end
+
+      def to_openssl
+        keytype.to_openssl(@h)
+      end
+
+      def to_openssl_pem
+        keytype.to_openssl_pem(@h)
+      end
+
+      def to_openssl_der
+        keytype.to_openssl_der(@h)
+      end
+    end
+
+    module Keytype
+      module Base
+        def support?(keytype)
+          raise Error, "not implemented error: #{self.class.name}.support?(keytype)"
+        end
+
+        def parse_der_public_key_contents(h, bio)
+          raise Error, "not implemented error: #{self.class.name}.parse_der_public_key_contents(h, bio)"
+        end
+
+        def parse_der_private_key_contents(h, bio)
+          raise Error, "not implemented error: #{self.class.name}.parse_der_private_key_contents(h, bio)"
+        end
+
+        def to_openssl(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl(h)"
+        end
+
+        def to_openssl_pem(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl_pem(h)"
+        end
+
+        def to_openssl_der(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl_der(h)"
+        end
+      end
+
+      class RSA
+        include Singleton
+        include Base
+
+        def support?(keytype)
+          keytype=="ssh-rsa"
+        end
+
+        def parse_der_public_key_contents(h, bio)
+          # e pub0
+          length = bio.read(4).unpack("N")[0]
+          h[:e] = bio.read(length)
+
+          # n pub1
+          length = bio.read(4).unpack("N")[0]
+          h[:n] = bio.read(length)
+        end
+
+        def parse_der_private_key_contents(h, bio)
+          # n pub0
+          length = bio.read(4).unpack("N")[0]
+          h[:n] = bio.read(length)
+
+          # e pub1
+          length = bio.read(4).unpack("N")[0]
+          h[:e] = bio.read(length)
+
+          # d pri0
+          length = bio.read(4).unpack("N")[0]
+          h[:d] = bio.read(length)
+
+          # iqmp
+          length = bio.read(4).unpack("N")[0]
+          h[:iqmp] = bio.read(length)
+
+          # p
+          length = bio.read(4).unpack("N")[0]
+          h[:p] = bio.read(length)
+
+          # q
+          length = bio.read(4).unpack("N")[0]
+          h[:q] = bio.read(length)
+        end
+
+        def to_openssl(h)
+          pem = to_openssl_pem(h)
+          OpenSSL::PKey::RSA.new(pem)
+        end
+
+        def to_openssl_pem(h)
+          der = to_openssl_der(h)
+          b64 = Base64::strict_encode64(der)
+          lines = b64.scan(/.{1,64}/)
+
+          [
+            "-----BEGIN RSA PRIVATE KEY-----",
+            lines,
+            "-----END RSA PRIVATE KEY-----",
+          ].flatten.join("\n")
+        end
+
+        def to_openssl_der(h)
+          d = h[:privatekey][:d].unpack("H*")[0].to_i(16)
+          p = h[:privatekey][:p].unpack("H*")[0].to_i(16)
+          q = h[:privatekey][:q].unpack("H*")[0].to_i(16)
+
+          exponent1 = d % (p - 1)
+          exponent2 = d % (q - 1)
+
+          sequence = OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::Integer.new(0),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:n].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:e].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:d].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(p),
+            OpenSSL::ASN1::Integer.new(q),
+            OpenSSL::ASN1::Integer.new(exponent1),
+            OpenSSL::ASN1::Integer.new(exponent2),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:iqmp].unpack("H*")[0].to_i(16)),
+          ]).to_der
+        end
+      end
+
+      KEYTYPES = [RSA.instance]
+
+      def self.fetch(keytype)
+        KEYTYPES.find {|kt| kt.support?(keytype)}
+      end
+    end
+
+    class Error < StandardError
+    end
+
+    class FormatError < Error
+    end
+
+    class UnsupportedError < Error
+    end
+  end
+end

data/lib/secure_conf/version.rb

@@ -1,3 +1,3 @@
 module SecureConf
-  VERSION = "1.1.0"
+  VERSION = "2.0.0"
 end

data/secure_conf.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.12"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 12.0"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_conf
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - yoshida
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-07-13 00:00:00.000000000 Z
+date: 2022-04-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -75,6 +75,7 @@ files:
 - lib/secure_conf/core_ext.rb
 - lib/secure_conf/core_ext/string.rb
 - lib/secure_conf/encrypter.rb
+- lib/secure_conf/openssh.rb
 - lib/secure_conf/serializer.rb
 - lib/secure_conf/serializer/json.rb
 - lib/secure_conf/serializer/marshal.rb
@@ -86,7 +87,7 @@ homepage: https://github.com/yoshida-eth0/ruby-secure_conf
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -101,9 +102,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: To encrypt the configuration value.
 test_files: []