slosilo 1.0.0 → 2.2.1

data/lib/slosilo.rb

@@ -1,3 +1,4 @@
+require "slosilo/jwt"
 require "slosilo/version"
 require "slosilo/keystore"
 require "slosilo/symmetric"

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -14,7 +14,7 @@ module Slosilo
       def create_model
         model = Sequel::Model(:slosilo_keystore)
         model.unrestrict_primary_key
-        model.attr_encrypted :key if secure?
+        model.attr_encrypted(:key, aad: :id) if secure?
         model
       end
       

data/lib/slosilo/attr_encrypted.rb

@@ -5,21 +5,44 @@ module Slosilo
   # so we encrypt sensitive attributes before storing them
   module EncryptedAttributes
     module ClassMethods
+
+      # @param options [Hash]
+      # @option :aad [#to_proc, #to_s]  Provide additional authenticated data for
+      #   encryption.  This should be something unique to the instance having
+      #   this attribute, such as a primary key; this will ensure that an attacker can't swap
+      #   values around -- trying to decrypt value with a different auth data will fail.
+      #   This means you have to be able to recover it in order to decrypt attributes.
+      #   The following values are accepted:
+      #
+      #   * Something proc-ish: will be called with self each time auth data is needed.
+      #   * Something stringish: will be to_s-d and used for all instances as auth data.
+      #     Note that this will only prevent swapping in data using another string.
+      #
+      #   The recommended way to use this option is to pass a proc-ish that identifies the record.
+      #   Note the proc-ish can be a simple method name; for example in case of a Sequel::Model:
+      #       attr_encrypted :secret, aad: :pk
       def attr_encrypted *a
+        options = a.last.is_a?(Hash) ? a.pop : {}
+        aad = options[:aad]
+        # note nil.to_s is "", which is exactly the right thing
+        auth_data = aad.respond_to?(:to_proc) ? aad.to_proc : proc{ |_| aad.to_s }
+        raise ":aad proc must take one argument" unless auth_data.arity.abs == 1 # take abs to allow *args arity, -1
+
         # push a module onto the inheritance hierarchy
         # this allows calling super in classes
         include(accessors = Module.new)
         accessors.module_eval do 
           a.each do |attr|
             define_method "#{attr}=" do |value|
-              super(EncryptedAttributes.encrypt value)
+              super(EncryptedAttributes.encrypt(value, aad: auth_data[self]))
             end
             define_method attr do
-              EncryptedAttributes.decrypt(super())
+              EncryptedAttributes.decrypt(super(), aad: auth_data[self])
             end
           end
         end
       end
+
     end
     
     def self.included base
@@ -27,14 +50,14 @@ module Slosilo
     end
 
     class << self
-      def encrypt value
+      def encrypt value, opts={}
         return nil unless value
-        cipher.encrypt value, key: key
+        cipher.encrypt value, key: key, aad: opts[:aad]
       end
       
-      def decrypt ctxt
+      def decrypt ctxt, opts={}
         return nil unless ctxt
-        cipher.decrypt ctxt, key: key
+        cipher.decrypt ctxt, key: key, aad: opts[:aad]
       end
 
       def key

data/lib/slosilo/errors.rb

@@ -8,5 +8,8 @@ module Slosilo
         super
       end
     end
+
+    class TokenValidationError < Error
+    end
   end
 end

data/lib/slosilo/jwt.rb

@@ -0,0 +1,122 @@
+require 'json'
+
+module Slosilo
+  # A JWT-formatted Slosilo token.
+  # @note This is not intended to be a general-purpose JWT implementation.
+  class JWT
+    # Create a new unsigned token with the given claims.
+    # @param claims [#to_h] claims to embed in this token.
+    def initialize claims = {}
+      @claims = JSONHash[claims]
+    end
+
+    # Parse a token in compact representation
+    def self.parse_compact raw
+      load *raw.split('.', 3).map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Parse a token in JSON representation.
+    # @note only single signature is currently supported.
+    def self.parse_json raw
+      raw = JSON.load raw unless raw.respond_to? :to_h
+      parts = raw.to_h.values_at(*%w(protected payload signature))
+      fail ArgumentError, "input not a complete JWT" unless parts.all?
+      load *parts.map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Add a signature.
+    # @note currently only a single signature is handled;
+    # the token will be frozen after this operation.
+    def add_signature header, &sign
+      @claims = canonicalize_claims.freeze
+      @header = JSONHash[header].freeze
+      @signature = sign[string_to_sign].freeze
+      freeze
+    end
+
+    def string_to_sign
+      [header, claims].map(&method(:encode)).join '.'
+    end
+
+    # Returns the JSON serialization of this JWT.
+    def to_json *a
+      {
+        protected: encode(header),
+        payload: encode(claims),
+        signature: encode(signature)
+      }.to_json *a
+    end
+
+    # Returns the compact serialization of this JWT.
+    def to_s
+      [header, claims, signature].map(&method(:encode)).join('.')
+    end
+
+    attr_accessor :claims, :header, :signature
+
+    private
+
+    # Create a JWT token object from existing header, payload, and signature strings.
+    # @param header [#to_s] URLbase64-encoded representation of the protected header
+    # @param payload [#to_s] URLbase64-encoded representation of the token payload
+    # @param signature [#to_s] URLbase64-encoded representation of the signature
+    def self.load header, payload, signature
+      self.new(JSONHash.load payload).tap do |token|
+        token.header = JSONHash.load header
+        token.signature = signature.to_s.freeze
+        token.freeze
+      end
+    end
+
+    def canonicalize_claims
+      claims[:iat] = Time.now unless claims.include? :iat
+      claims[:iat] = claims[:iat].to_time.to_i
+      claims[:exp] = claims[:exp].to_time.to_i if claims.include? :exp
+      JSONHash[claims.to_a]
+    end
+
+    # Convenience method to make the above code clearer.
+    # Converts to string and urlbase64-encodes.
+    def encode s
+      Base64.urlsafe_encode64 s.to_s
+    end
+
+    # a hash with a possibly frozen JSON stringification
+    class JSONHash < Hash
+      def to_s
+        @repr || to_json
+      end
+
+      def freeze
+        @repr = to_json.freeze
+        super
+      end
+
+      def self.load raw
+        self[JSON.load raw.to_s].tap do |h|
+          h.send :repr=, raw
+        end
+      end
+
+      private
+
+      def repr= raw
+        @repr = raw.freeze
+        freeze
+      end
+    end
+  end
+
+  # Try to convert by detecting token representation and parsing
+  def self.JWT raw
+    if raw.is_a? JWT
+      raw
+    elsif raw.respond_to?(:to_h) || raw =~ /\A\s*\{/
+      JWT.parse_json raw
+    else
+      JWT.parse_compact raw
+    end
+  rescue
+    raise ArgumentError, "invalid value for JWT(): #{raw.inspect}"
+  end
+end

data/lib/slosilo/key.rb

@@ -3,6 +3,8 @@ require 'json'
 require 'base64'
 require 'time'
 
+require 'slosilo/errors'
+
 module Slosilo
   class Key
     def initialize raw_key = nil
@@ -13,6 +15,10 @@ module Slosilo
       else
         OpenSSL::PKey::RSA.new 2048
       end
+    rescue OpenSSL::PKey::PKeyError => e
+      # old openssl versions used to report ArgumentError
+      # which arguably makes more sense here, so reraise as that
+      raise ArgumentError, e, e.backtrace
     end
     
     attr_reader :key
@@ -71,14 +77,80 @@ module Slosilo
       token["key"] = fingerprint
       token
     end
+
+    JWT_ALGORITHM = 'conjur.org/slosilo/v2'.freeze
+
+    # Issue a JWT with the given claims.
+    # `iat` (issued at) claim is automatically added.
+    # Other interesting claims you can give are:
+    # - `sub` - token subject, for example a user name;
+    # - `exp` - expiration time (absolute);
+    # - `cidr` (Conjur extension) - array of CIDR masks that are accepted to
+    #   make requests that bear this token
+    def issue_jwt claims
+      token = Slosilo::JWT.new claims
+      token.add_signature \
+          alg: JWT_ALGORITHM,
+          kid: fingerprint,
+          &method(:sign)
+      token.freeze
+    end
+
+    DEFAULT_EXPIRATION = 8 * 60
     
-    def token_valid? token, expiry = 8 * 60
+    def token_valid? token, expiry = DEFAULT_EXPIRATION
+      return jwt_valid? token if token.respond_to? :header
       token = token.clone
       expected_key = token.delete "key"
       return false if (expected_key and (expected_key != fingerprint))
       signature = Base64::urlsafe_decode64(token.delete "signature")
       (Time.parse(token["timestamp"]) + expiry > Time.now) && verify_signature(token, signature)
     end
+
+    # Validate a JWT.
+    #
+    # Convenience method calling #validate_jwt and returning false if an
+    # exception is raised.
+    #
+    # @param token [JWT] pre-parsed token to verify
+    # @return [Boolean]
+    def jwt_valid? token
+      validate_jwt token
+      true
+    rescue
+      false
+    end
+
+    # Validate a JWT.
+    #
+    # First checks whether algorithm is 'conjur.org/slosilo/v2' and the key id
+    # matches this key's fingerprint. Then verifies if the token is not expired,
+    # as indicated by the `exp` claim; in its absence tokens are assumed to
+    # expire in `iat` + 8 minutes.
+    #
+    # If those checks pass, finally the signature is verified.
+    #
+    # @raises TokenValidationError if any of the checks fail.
+    #
+    # @note It's the responsibility of the caller to examine other claims
+    # included in the token; consideration needs to be given to handling
+    # unrecognized claims.
+    #
+    # @param token [JWT] pre-parsed token to verify
+    def validate_jwt token
+      def err msg
+        raise Error::TokenValidationError, msg, caller
+      end
+
+      header = token.header
+      err 'unrecognized algorithm' unless header['alg'] == JWT_ALGORITHM
+      err 'mismatched key' if (kid = header['kid']) && kid != fingerprint
+      iat = Time.at token.claims['iat'] || err('unknown issuing time')
+      exp = Time.at token.claims['exp'] || (iat + DEFAULT_EXPIRATION)
+      err 'token expired' if exp <= Time.now
+      err 'invalid signature' unless verify_signature token.string_to_sign, token.signature
+      true
+    end
     
     def sign_string value
       salt = shake_salt
@@ -86,7 +158,7 @@ module Slosilo
     end
     
     def fingerprint
-      @fingerprint ||= OpenSSL::Digest::MD5.hexdigest key.public_key.to_der
+      @fingerprint ||= OpenSSL::Digest::SHA256.hexdigest key.public_key.to_der
     end
 
     def == other
@@ -114,7 +186,7 @@ module Slosilo
     # Note that this is currently somewhat shallow stringification -- 
     # to implement originating tokens we may need to make it deeper.
     def stringify value
-      case value
+      string = case value
       when Hash
         value.to_a.sort.to_json
       when String
@@ -122,6 +194,17 @@ module Slosilo
       else
         value.to_json
       end
+
+      # Make sure that the string is ascii_8bit (i.e. raw bytes), and represents
+      # the utf-8 encoding of the string.  This accomplishes two things: it normalizes
+      # the representation of the string at the byte level (so we don't have an error if
+      # one username is submitted as ISO-whatever, and the next as UTF-16), and it prevents
+      # an incompatible encoding error when we concatenate it with the salt.
+      if string.encoding != Encoding::ASCII_8BIT
+        string.encode(Encoding::UTF_8).force_encoding(Encoding::ASCII_8BIT)
+      else
+        string
+      end
     end
     
     def shake_salt

data/lib/slosilo/keystore.rb

@@ -59,15 +59,26 @@ module Slosilo
       keystore.any? { |k| k.token_valid? token }
     end
     
+    # Looks up the signer by public key fingerprint and checks the validity
+    # of the signature. If the token is JWT, exp and/or iat claims are also
+    # verified; the caller is responsible for validating any other claims.
     def token_signer token
-      key, id = keystore.get_by_fingerprint token['key']
+      begin
+        # see if maybe it's a JWT
+        token = JWT token
+        fingerprint = token.header['kid']
+      rescue ArgumentError
+        fingerprint = token['key']
+      end
+
+      key, id = keystore.get_by_fingerprint fingerprint
       if key && key.token_valid?(token)
         return id
       else
         return nil
       end
     end
-    
+
     attr_accessor :adapter
     
     private

data/lib/slosilo/symmetric.rb

@@ -1,25 +1,40 @@
 module Slosilo
   class Symmetric
+    VERSION_MAGIC = 'G'
+    TAG_LENGTH = 16
+
     def initialize
-      @cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+      @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
     end
-    
+
+    # This lets us do a final sanity check in migrations from older encryption versions
+    def cipher_name
+      @cipher.name
+    end
+
     def encrypt plaintext, opts = {}
       @cipher.reset
       @cipher.encrypt
-      @cipher.key = opts[:key]
+      @cipher.key = (opts[:key] or raise("missing :key option"))
       @cipher.iv = iv = random_iv
-      ctxt = @cipher.update(plaintext)
-      iv + ctxt + @cipher.final
+      @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
+      ctext = @cipher.update(plaintext) + @cipher.final
+      tag = @cipher.auth_tag(TAG_LENGTH)
+      "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
     end
-    
+
     def decrypt ciphertext, opts = {}
+      version, tag, iv, ctext = unpack ciphertext
+
+      raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
+
       @cipher.reset
       @cipher.decrypt
       @cipher.key = opts[:key]
-      @cipher.iv, ctxt = ciphertext.unpack("a#{@cipher.iv_len}a*")
-      ptxt = @cipher.update(ctxt)
-      ptxt + @cipher.final
+      @cipher.iv = iv
+      @cipher.auth_tag = tag
+      @cipher.auth_data = opts[:aad] || ""
+      @cipher.update(ctext) + @cipher.final
     end
     
     def random_iv
@@ -29,5 +44,11 @@ module Slosilo
     def random_key
       @cipher.random_key
     end
+
+    private
+    # return tag, iv, ctext
+    def unpack msg
+      msg.unpack "aa#{TAG_LENGTH}a#{@cipher.iv_len}a*"
+    end
   end
 end

data/lib/slosilo/version.rb

@@ -1,3 +1,3 @@
 module Slosilo
-  VERSION = "1.0.0"
+  VERSION = "2.2.1"
 end

data/publish-rubygem.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem slosilo
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd