tcrypto_java 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b351db73e6d40dcdf0107f31640c1fd781c232b1766974cc2b06942070df824c
+  data.tar.gz: b43c75df02d215325cb8b3719deb2e61da04e1b56aa30e91e65f3225f4474044
+SHA512:
+  metadata.gz: e107434dd46f95f9ca89146866cc5fed3ee1d6fa08a8b66a57dd968efe8edf8db2b0b477f5f7d82ffd3e159328a3721c13a2643c9a4db59c6f8f7e28e1ce2858
+  data.tar.gz: 8ceeb05241ef117600d7f4bebeb794c0a2ad197b573d386bd65b63d09bad343a905f3b54c8b23140b2a842d4c76dbe607f6c7bc3249091ad562ed9084ca41b74

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+tags
+

data/Gemfile

@@ -0,0 +1,15 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in tcrypto_java.gemspec
+gemspec
+
+gem "rake", "~> 12.0"
+
+gem 'pkernel', path: '../../pkernel/pkernel'
+gem 'pkernel_jce', path: '../../pkernel/pkernel_jce'
+
+gem 'gcrypto', path: '../../gcrypto/gcrypto'
+gem 'gcrypto_jce', path: '../../gcrypto/gcrypto_jce'
+
+# gem 'gcrypto_tag', path: '../gcrypto_tag'
+# gem 'gcrypto_tag_java', path: '../gcrypto_tag_java'

data/Gemfile.lock

@@ -0,0 +1,66 @@
+PATH
+  remote: ../../gcrypto/gcrypto_jce
+  specs:
+    gcrypto_jce (0.2)
+      activesupport
+      pkernel
+      pkernel_jce
+      tlogger
+
+PATH
+  remote: ../../gcrypto/gcrypto
+  specs:
+    gcrypto (0.2)
+      pkernel
+      tlogger
+
+PATH
+  remote: ../../pkernel/pkernel_jce
+  specs:
+    pkernel_jce (0.3)
+      activesupport
+      tlogger
+
+PATH
+  remote: ../../pkernel/pkernel
+  specs:
+    pkernel (0.2)
+      tlogger
+
+PATH
+  remote: .
+  specs:
+    tcrypto_java (0.1.0)
+      tlogger
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.4.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    concurrent-ruby (1.1.6)
+    i18n (1.8.2)
+      concurrent-ruby (~> 1.0)
+    minitest (5.14.0)
+    rake (12.3.3)
+    thread_safe (0.3.6-java)
+    tlogger (0.8.0)
+    tzinfo (1.2.6)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  java
+
+DEPENDENCIES
+  gcrypto!
+  gcrypto_jce!
+  pkernel!
+  pkernel_jce!
+  rake (~> 12.0)
+  tcrypto_java!
+
+BUNDLED WITH
+   2.1.4

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Chris Liaw
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,40 @@
+# TcryptoJava
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/tcrypto_java`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'tcrypto_java'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install tcrypto_java
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/tcrypto_java.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "tcrypto_java"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/tcrypto_java.rb

@@ -0,0 +1,276 @@
+require "tcrypto_java/version"
+
+require 'tcrypto'
+
+require_relative 'tcrypto_java/crypto'
+
+
+module TcryptoJava
+  class Error < StandardError; end
+  # Your code goes here...
+
+  class Tcrypto::Cipher
+    extend TcryptoJava::Crypto
+    
+    def self.method_missing(mtd,*args,&block)
+      if TcryptoJava::Crypto.respond_to?(mtd)
+        TcryptoJava::Crypto.send(mtd,*args,&block)
+      else
+        super
+      end
+    end
+  end
+
+  # injecting TagProvider class
+  class Tcrypto::TagProvider
+
+    def self.envp_type(bin)
+      dec = decode(bin)
+      dec.each_slice(2) do |e,f|
+        if e.is_a?(org.bouncycastle.asn1.DERSequence)
+          dat = e.to_a
+          if dat[0].to_s == Tcrypto::Tag.value(:envp_header)
+            return Tcrypto::Tag.key(dat[1].to_s)
+          end
+        elsif e.is_a?(org.bouncycastle.asn1.ASN1ObjectIdentifier)
+          if e.to_s == Tcrypto::Tag.value(:envp_header)
+            return Tcrypto::Tag.key(f.to_s)
+          end
+        else
+          raise TcryptoJava::Error, "Not a recognized tag? #{e.class}"
+        end
+      end
+
+      raise GcryptTag::Error, "Header not found"
+    end
+
+    def self.encode_id
+      encode(:oid,"#{Tcrypto::ENCODER_ID}.1")
+    end
+
+    def self.encode(type, val, opts = { }, &block)
+      case type
+      when :oid
+        org.bouncycastle.asn1.ASN1ObjectIdentifier.new(val)
+      when :octet_str, :bin
+        if not val.is_a?(Java::byte[])
+          val = val.encoded
+        end
+        org.bouncycastle.asn1.DEROctetString.new(val)
+      when :str, :utf8_str
+        org.bouncycastle.asn1.DERUTF8String.new(val)
+      when :pstr, :printable_str
+        org.bouncycastle.asn1.DERPrintableString.new(val)
+      when :vstr, :visible_str
+        org.bouncycastle.asn1.DERVisibleString.new(val)
+      when :nstr, :numeric_str
+        org.bouncycastle.asn1.DERNumericString.new(val)
+      when :int
+        org.bouncycastle.asn1.DERInteger.new(val)
+      when :seq
+        v = org.bouncycastle.asn1.ASN1EncodableVector.new
+        val.each do |vv|
+          v.add(vv)
+        end
+        org.bouncycastle.asn1.DERSequence.new(v)
+      when :date, :datetime, :time
+        org.bouncycastle.asn1.DERUTCTime.new(val)
+      when :long_content_write
+        # special case...
+        # derived from actual code of writing long asn1 code to a file
+        res = { }
+        raise TcryptoJava::Error, "Source to write long content is not available" if val[:src].nil?
+
+        srcHash = val[:src]
+        if not srcHash[:file_is].nil?
+          TcryptoJava::GConf.instance.glog.debug "Encrypted source is file"
+          src = srcHash[:file_is]
+          srcLen = srcHash[:file].length if not srcHash[:file].nil?
+        elsif not srcHash[:bin_is].nil?
+          TcryptoJava::GConf.instance.glog.debug "Encrypted source is memory buffer"
+          src = srcHash[:bin_is]
+          srcLen = srcHash[:bin].length if not srcHash[:bin].nil?
+        else
+          raise TcryptoJava::Error, "Source is unknown for long content write"
+        end
+
+        if val[:dest].nil?
+          TcryptoJava::GConf.instance.glog.debug "Staging output not given. Internal generation of output."
+          if val[:temp_dir].nil? or val[:temp_dir].empty?
+            tmpPayloadFile = java.io.File.createTempFile('payload_',nil)
+          else
+            Tcrypto::GConf.instance.glog.debug "temp_dir is defined: #{val[:temp_dir]}"
+            tmpPayloadFile = java.io.File.new(val[:temp_dir],"payload_#{SecureRandom.uuid}.tmp")
+          end
+          
+          Tcrypto::GConf.instance.glog.debug "Payload staging temp file created : #{tmpPayloadFile.absolute_path}"
+          tmpPayloadFile.deleteOnExit if not val[:auto_remove_staging].nil? and val[:auto_remove_staging]
+          os = java.io.FileOutputStream.new(tmpPayloadFile) 
+          res[:payload_path] = tmpPayloadFile.absolute_path
+        else
+          if val[:dest].is_a?(java.io.OutputStream)
+            TcryptoJava::GConf.instance.glog.debug "Given staging output is an OutputStream. Directly use the object."
+            os = val[:dest]
+          elsif val[:dest].is_a?(String)
+            TcryptoJava::GConf.instance.glog.debug "Staging output gave by application to be at #{val[:dest]}"
+            # assume is file path?
+            f = java.io.File.new(val[:dest])
+            raise TcryptoJava::Error, "Cannot write destination to a directory [#{f.absolute_path}]" if f.is_directory?
+            TcryptoJava::GConf.instance.glog.debug "Opening given path #{f.absolute_path} for payload staging"
+            os = java.io.FileOutputStream.new(f)
+            res[:payload_path] = f.absolute_path
+          else
+            raise TcryptoJava::Error, "Unsupported staging output #{val[:dest]}"
+          end
+        end
+        
+        gos = org.bouncycastle.asn1.DERSequenceGenerator.new(os)
+        val[:header].each do |h|
+          gos.addObject(h)
+        end
+        gos.getRawOutputStream.flush
+        
+        longOut = org.bouncycastle.asn1.BEROctetStringGenerator.new(gos.getRawOutputStream)
+       
+        srcLen = -1 if srcLen.nil?
+        
+        bufSize = val[:bufSize] || 102400
+        outOs = longOut.getOctetOutputStream(Java::byte[bufSize].new)
+        buf = Java::byte[bufSize].new
+        total = 0
+        while((read = src.read(buf,0,buf.length)) != -1)
+          if block
+            block.call(:before_write, { buf: buf, from: 0, len: read, total: srcLen })
+          end
+          outOs.write(buf,0,read)
+          total += read
+          #Tcrypto::GConf.instance.glog.debug "Copied #{read} bytes to final output (Total : #{total})"
+        end
+
+        outOs.flush
+        # write the octet string ending tag
+        outOs.close
+        
+        # write the sequence ending tag
+        gos.close
+
+        os.close
+
+        #org.bouncycastle.asn1.BEROctetStringGenerator.new(os)
+        #org.bouncycastle.asn1.DERSequenceGenerator.new(os)
+        #org.bouncycastle.asn1.DEROutputStream.new(os)
+        #org.bouncycastle.asn1.ASN1OutputStream.new(os)
+        
+        res
+
+      when :long_content_read
+        is = val
+        raise TcryptoJava::Error, "Long content (read) requires upstream input stream is given." if val.nil?
+        raise TcryptoJava::Error, "Given val is not input stream." if not val.is_a?(java.io.InputStream)
+
+        org.bouncycastle.asn1.ASN1InputStream.new(is)
+
+      else
+        raise TcryptoJava::Error, "Unknown type '#{type}' to encode"
+      end
+    end
+
+    def self.encode_timestamp(v = java.util.Calendar.getInstance.time)
+      self.encode(:datetime, v)
+    end
+
+    def self.decode(bin)
+      ais = org.bouncycastle.asn1.ASN1InputStream.new(bin)
+      res = ais.readObject
+      if res.is_a?(org.bouncycastle.asn1.DLSequence)
+        res = res.to_a
+      else
+        res
+      end
+
+      res
+    end
+
+    def self.value(tag, opts = { })
+      if not tag.nil?
+        case tag
+        when org.bouncycastle.asn1.ASN1ObjectIdentifier
+          tag.id
+        when org.bouncycastle.asn1.DEROctetString
+          tag.octets
+        when org.bouncycastle.asn1.BEROctetString
+          tag.octet_stream
+        when org.bouncycastle.asn1.ASN1Integer
+          tag.value
+        when org.bouncycastle.asn1.DLSequence
+          tag.to_a
+        when org.bouncycastle.asn1.DERUTF8String, org.bouncycastle.asn1.DERPrintableString, org.bouncycastle.asn1.DERVisibleString
+          tag.to_s
+        when org.bouncycastle.asn1.DERNumericString
+          "#{tag.to_i}"
+        when org.bouncycastle.asn1.DERUTCTime, org.bouncycastle.asn1.ASN1UTCTime
+          tag.adjusted_date
+        else
+          raise TcryptoJava::Error, "Unknown type '#{tag.class}'"
+        end
+      end
+    end
+
+    def self.to_string(buf, opts = { })
+      if not buf.nil?
+        case buf
+        when Java::byte[]
+          String.from_java_bytes(buf)
+        when String
+          buf
+        else
+          raise TcryptoJava::Error, "Unknown type to conver to string #{buf}"
+        end
+      else
+        ""
+      end
+    end
+
+    def self.to_bin(out, opts = { })
+      self.to_format(out, opts)
+    end
+
+    def self.to_format(out, opts = { })
+      if not (out.nil?)
+        
+        case out
+        when org.bouncycastle.asn1.ASN1Encodable
+
+          if not (opts.nil? or opts.empty?)
+
+            case opts[:to_format]
+            when :der
+              out.encoded
+            when :pem
+            when :b64
+            else
+              out.encoded
+            end
+          else
+            out.encoded
+          end
+          
+        when String
+          out.to_java.getBytes
+        else
+          out
+        end
+
+      else
+        out
+      end
+
+    end
+    # end to_format
+
+  end
+  #
+  # end Tcrypto::TagProvider
+  #
+
+end

data/lib/tcrypto_java/crypto.rb

@@ -0,0 +1,540 @@
+
+require 'pkernel'
+require 'pkernel_jce'
+
+require 'gcrypto'
+require 'gcrypto_jce'
+
+require 'tcrypto'
+
+require_relative 'io_utils'
+require_relative 'global'
+
+module TcryptoJava
+  module Crypto
+    
+    # 
+    # encrypt()
+    # 
+    def encrypt(opts = { })
+ 
+      rcpts = opts[:recipients]
+      if rcpts.nil? or rcpts.empty?
+        raise Tcrypto::Error, "No recipients given to encrypt" 
+      end
+      
+      # 
+      # Generate session key for encryption
+      #
+      sessKey = opts[:session_key]
+      if sessKey.nil?
+        # generate session key...
+        cc = Gcrypto::CryptoContext.instance(:aes)
+        cc.mode = "GCM"
+        cc.random_iv
+        cc.random_key
+        sessKey = cc
+      else
+        # TODO: user provided session key?
+        TcryptoJava::GConf.instance.glog.error "User given session key is not yet supported."  
+        cc = Gcrypto::CryptoContext.instance(:aes)
+        cc.mode = "GCM"
+        cc.random_iv
+        cc.random_key
+        sessKey = cc
+      end
+      # 
+      # session key generated!
+      #
+      
+      #
+      # Generate session key for data integrity check
+      # Security wise, using different key for different purpose
+      # has its objectives... So make new key then...
+      #
+      macKey = Gcrypto::CryptoContext.instance(:aes)
+      macKey.mode = "GCM"
+      macKey.random_iv
+      macKey.random_key
+      # 
+      # MAC session key generated
+      #
+
+      # 
+      # Create the encrypted key structure for recipients
+      # 
+      keys = []
+      keys << Tcrypto::TagProvider.encode(:bin, Gcrypto::SecretKey.dump(sessKey.key))
+      keys << Tcrypto::TagProvider.encode(:bin, Gcrypto::SecretKey.dump(macKey.key))
+      keysSeq = Tcrypto::TagProvider.encode(:seq, keys)
+      keysBin = Tcrypto::TagProvider.to_bin(keysSeq)
+      # 
+
+      # 
+      # Construct recipient list 
+      # 
+      rcp = []
+      rcpts.each do |re|
+        if re.is_a?(Tcrypto::PasswordRecipient) #re.is_a?(String)
+          # password
+          if re.password.nil? or re.password.empty? or re.challenge.nil? or re.challenge.empty?
+            raise Tcrypto::Error, "Challenge and Password must present"
+          end
+          
+          pc = Gcrypto::CryptoContext.instance(:aes)
+          pc.mode = "GCM"
+          pc.derive_key(re.password)
+          enc = Gcrypto::SecretKeyCrypto.encrypt({ bin: keysBin, crypto_context: pc })
+          rcp << Tcrypto::CryptoHeader::PassRecipient.new(enc,pc,re)
+
+        elsif Pkernel::Certificate.is_cert_object?(re)
+          # X509 certificate
+          TcryptoJava::GConf.instance.glog.error "Found certificate recipient"
+          #enc = Gcrypto::KeyPairCrypto.encrypt({ bin: Gcrypto::SecretKey.dump(sessKey.key), recipient: re }) 
+          enc = Gcrypto::KeyPairCrypto.encrypt({ bin: keysBin, recipient: re }) 
+          rcp << Tcrypto::CryptoHeader::CertRecipient.new(enc,re)
+          
+        elsif Pkernel::KeyPair.is_public_key?(re)
+          # public key
+          TcryptoJava::GConf.instance.glog.error "Found public key recipient."
+          enc = Gcrypto::KeyPairCrypto.encrypt({ bin: keysBin, recipient: re }) 
+          rcp << Tcrypto::CryptoHeader::PublicKeyRecipient.new(enc,re)
+          
+        elsif re.is_a?(Gcrypto::CryptoContext) #Gcrypto::SecretKey.is_secret_key?(re)
+          # crypto context... could be hardware key...
+          enc = Gcrypto::SecretKeyCrypto.encrypt({ bin: keysBin, crypto_context: re })
+          rcp << Tcrypto::CryptoHeader::SymKeyRecipient.new(enc, re)
+          
+        else
+          raise TcryptoJava::Error, "Unknown recipient type #{re.class}"
+        end
+      end 
+      # 
+      # Recipient list done...
+      #
+
+      # check if data signing is defined...
+      #sid = opts[:identity]
+      #sign = nil
+      #if not sid.nil?
+      #  # data signing activated...
+      #  sign = Gcrypto::KeyPairCrypto.sign_init({ identity: sid })
+      #end
+      
+      # 
+      # construct parameter to encrypt the payload...
+      #
+      encPara = { crypto_context: sessKey }
+      if not opts[:file].nil?
+        encPara[:file] = opts[:file]
+        # if input is file, temporary content output also in file
+        #encPara[:outFile] = java.io.File.new(java.lang.System.getProperty('java.io.tmpdir'),SecureRandom.uuid).absolute_path
+        encPara[:outFile] = java.io.File.createTempFile('enc_',nil).absolute_path
+        #encPara[:outFile].deleteOnExit
+      elsif not opts[:bin].nil?
+        encPara[:bin] = opts[:bin]
+      else
+        raise Tcrypto::Error, "No input given for tc encryption."
+      end
+
+
+      # 
+      # Initiate keyed-HMAC operation for plain text
+      #
+      macCtx = Gcrypto::SecretKeyCrypto.sign_init({ crypto_context: macKey })
+      
+      # 
+      # Encrypt output with session key
+      #
+      enc = Gcrypto::SecretKeyCrypto.encrypt(encPara) do |ops, para|
+        
+        if ops == :before_enc
+          # Sign data along the way if it is defined
+          #if not sign.nil? 
+          #  Gcrypto::KeyPairCrypto.sign_update(sign, para)
+          #end
+
+          Gcrypto::SecretKeyCrypto.sign_update(macCtx, para)
+        end
+
+      end
+      # 
+      # data encryption with session key done
+      #
+
+      mac = Gcrypto::SecretKeyCrypto.sign_finalize(macCtx) 
+      #signature = nil
+      #if not sign.nil?
+      #  signature = Gcrypto::KeyPairCrypto.sign_finalize(sign)
+      #end
+      # 
+      # end encryption with session key
+      #
+
+      # recipient shall be in header
+      encodePara = { recipients: rcp }
+      # signature shall be in header
+      #encodePara[:signature] = signature if not signature.nil?
+      encodePara[:mac] = mac
+      # payload is payload
+      if encPara[:outFile].nil?
+        encodePara[:payload] = { bin: enc }
+      else
+        encodePara[:payload] = { file: encPara[:outFile] }
+      end
+      
+      # crypto context
+      encodePara[:crypto_context] = cc
+      encodePara[:mac_context] = macKey
+      encodePara[:auto_remove_staging] = opts[:auto_remove_staging]
+      encodePara[:temp_dir] = opts[:temp_dir]
+      encodePara[:staging_path] = opts[:staging_path]
+
+      # 
+      # Setting final completed/combined output destination
+      #
+      outFile = opts[:outFile]
+      if outFile.nil? or outFile.empty?
+        out = java.io.ByteArrayOutputStream.new
+      else
+        Tcrypto::GConf.instance.glog.debug "Setting final combined output file #{outFile}"
+        out = java.io.FileOutputStream.new(outFile)
+      end
+
+      # returns header and payload as seperate fields
+      res = Tcrypto.encode(:crypto, encodePara, { out: out })
+      
+      if outFile.nil? or outFile.empty?
+        res[:bin] = out.toByteArray
+      else
+        out.flush
+        out.close
+        
+        res[:file] = outFile
+      end
+
+      res
+    end
+    # end encrypt()
+    
+    
+    # decrypt()
+    def decrypt(opts = { }, &block)
+
+      raise Tcrypto::Error, "No input given for tagged decryption" if opts.nil? or opts.empty?
+      is = IoUtils.load_input(opts)
+
+      # 
+      # read header section from the input
+      # 
+      header = Tcrypto::CryptoHeaderEngine.decode(is) 
+      TcryptoJava::GConf.instance.glog.debug "Header decoded successfully"
+
+      # 
+      # Read Section 2...
+      #
+      headerMisc = Tcrypto::CryptoHeaderEngine.decode(is)
+      TcryptoJava::GConf.instance.glog.debug "Header misc decoded successfully"
+      # 
+      # Done section 2 is in...
+      #
+
+      # decryption material
+      id = opts[:identity]
+      raise Tcrypto::Error, "No decryption material given via key :identity" if id.nil?
+
+      if id.is_a?(Pkernel::Identity)
+        idType = :identity
+      elsif id.is_a?(Gcrypto::CryptoContext) 
+        idType = :secret_key
+      elsif id.is_a?(Tcrypto::PasswordRecipient) #(String)
+        idType = :password
+      else
+        raise Tcrypto::Error, "Unsupported decryption material #{id}"
+      end
+
+      foundRecp = nil
+      header[:recipients].each do |recp|
+        if recp[:type] == :crypto_cert_recp and (idType == :identity)
+          if id.certificate.nil?
+          else
+            if Pkernel::Certificate.is_equal?(recp[:cert],id.certificate)
+              TcryptoJava::GConf.instance.glog.debug "Given certificate matches cert recp from header"
+              foundRecp = recp 
+              break
+            end
+          end
+        elsif recp[:type] == :crypto_symkey_recp and (idType == :secret_key)
+          TcryptoJava::GConf.instance.glog.debug "Given symkey matches symkey recp from header"
+          recp[:crypto_context] = id
+          foundRecp = recp
+          break
+        elsif recp[:type] == :crypto_pass_recp and (idType == :password)
+          # decode password recipient!
+          begin
+            if (id.challenge.nil? or id.challenge.empty?)
+              if block
+                id.challenge = block.call(:prompt_challenge, { })
+              else
+                raise Tcrypto::Error, "Challenge is not given. Either pass in via Tcrypto::PasswordRecipient or provide a block which response to key :prompt_challenge"
+              end
+            end
+
+            recp[:challenge_cc].key = Gcrypto::PBKDF2.derive(id.challenge, recp[:challenge_derive_key])[:key]
+            msgId = Gcrypto::SecretKeyCrypto.decrypt({ bin: recp[:challenge_nounce], crypto_context: recp[:challenge_cc] })
+            if Tcrypto::TagProvider.to_string(msgId) != header[:message_id]
+              raise Tcrypto::Error, "Password recipient challenge failed to be verified!"
+            end
+          rescue Exception => ex
+            if ex.message =~ /Tag mismatch/
+              raise Tcrypto::Error, "Password recipient challenge verification failed!"
+            else
+              raise Tcrypto::Error, ex
+            end
+          end 
+
+          begin
+
+            TcryptoJava::GConf.instance.glog.debug "Given password matches challenge from header"
+
+            if (id.password.nil? or id.password.empty?)
+              if block
+                id.password = block.call(:prompt_password, { })
+              else
+                raise Tcrypto::Error, "Password is not given. Either pass in via Tcrypto::PasswordRecipient or provide a block which response to key :prompt_password"
+              end
+            end
+
+            derivedKey = Gcrypto::PBKDF2.derive(id.password, recp[:derive_func])
+            recp[:crypto_context].key = derivedKey[:key]
+            foundRecp = recp
+            break
+          rescue Exception => ex
+            raise Tcrypto::Error, ex
+          end
+            
+        end
+      end
+
+      if foundRecp.nil?
+        TcryptoJava::GConf.instance.glog.debug "Given identity is not able to decrypt the data or not an intended recipient"
+        raise Tcrypto::Error, "Given identity is not able to decrypt the data or not an intended recipient"
+      else
+
+        TcryptoJava::GConf.instance.glog.debug "Given identity is capable to decrypt data."
+
+        # Ok, eligiable to decrypt... so decrypt the session key...
+        case idType
+        when :identity
+          keysBin = Gcrypto::KeyPairCrypto.decrypt({ enc_bin: foundRecp[:enc_key], identity: id })
+        when :password
+          keysBin = Gcrypto::SecretKeyCrypto.decrypt({ bin: foundRecp[:enc_key], crypto_context: foundRecp[:crypto_context] })
+        when :secret_key
+          keysBin = Gcrypto::SecretKeyCrypto.decrypt({ bin: foundRecp[:enc_key], crypto_context: foundRecp[:crypto_context] })
+        else
+          raise Tcrypto::Error, "Unsupported data decryption type #{idType}"
+        end
+
+        # keysBin has two keys...
+        keys = org.bouncycastle.asn1.ASN1InputStream.new(keysBin).readObject.to_a
+        # decode the keys
+        header[:crypto_context].key = Gcrypto::SecretKey.load({ bin: Tcrypto::TagProvider.value(keys[0]) })
+        header[:mac_context].key = Gcrypto::SecretKey.load({ bin: Tcrypto::TagProvider.value(keys[1]) })
+
+        # 
+        # read payload section from the input
+        #
+        Tcrypto::GConf.instance.glog.debug "Loading payload section..."
+        payload = Tcrypto::CryptoHeaderEngine.decode(is)
+
+        # 
+        # check if the header being changed unauthorised
+        #
+        if opts[:skip_header_integrity_check].nil? or opts[:skip_header_integrity_check] == false
+
+          if not (header[:bin].nil? and headerMisc[:header_sign].nil?)
+            # verify header signature first...
+            sign = Gcrypto::SecretKeyCrypto.sign({ bin: header[:bin], crypto_context: header[:crypto_context] })
+            if not java.util.Arrays.equals(sign, headerMisc[:header_sign])
+              raise Tcrypto::Error, "Header integrity check failed. The header info has been tampered."    
+            else
+              TcryptoJava::GConf.instance.glog.debug "Header integrity verified!"
+            end
+          end
+
+        end
+
+        ## got session key... proceed decrypt content!
+        begin
+          mac = Gcrypto::SecretKeyCrypto.verify_init( { crypto_context: header[:mac_context] } )
+
+          decPara = { crypto_context: header[:crypto_context] , bin: payload[:payload]  }
+          decPara[:outFile] = opts[:outFile] if not opts[:outFile].nil?
+          
+          plain = Gcrypto::SecretKeyCrypto.decrypt(decPara) do |ops, opts|
+            if ops == :after_dec
+              Gcrypto::SecretKeyCrypto.verify_update(mac, opts)
+            end
+          end
+
+          if not header[:data_sign].nil?
+
+            match = Gcrypto::SecretKeyCrypto.verify_finalize(mac, { mac: header[:data_sign] })
+            TcryptoJava::GConf.instance.glog.debug "Data integrity check status : #{match}"
+
+            if not match and opts[:skip_data_integrity_check] == true
+              # remove the generated output if data integrity failed...
+              if not (decPara[:outFile].nil? or decPara[:outFile].empty?)
+                java.io.File.new(decPara[:outFile]).delete
+              end
+
+              plain = ""
+              
+              raise Tcrypto::Error, "Original data integrity has compromised!"
+            end
+
+          end
+
+          if opts[:outFile].nil?
+            plain
+          end
+
+        rescue Exception => ex
+          raise Tcrypto::Error, "Error decrypting payload. Error was: #{ex.message}. Probably incorrect key?"
+        end
+
+      end
+
+
+    end
+    # end decrypt()
+
+    def Crypto.are_files_equal?(opts = { })
+      if not opts.nil? and not opts[:files].nil? and opts[:files].length > 1
+        
+        equal = true
+        
+        prevRes = nil
+        opts[:files].each do |f|
+          # path expected...
+          res = Gcrypto::Digest.generate({ file: f })
+          if not prevRes.nil?
+            if not java.util.Arrays.is_equals(res, preRes)
+              equal = false
+              break
+            end
+          end
+        end
+
+        equal
+       
+      else
+        # if nothing sent to me or only single file sent to me
+        # then must be true since there would be no comparison
+        true 
+      end
+    end
+
+
+    def Crypto.equals?(first, second)
+      if first.nil? or second.nil?
+        true
+      else
+        begin
+          java.util.Arrays.equals(first,second)
+        rescue Exception => ex
+          raise TcryptoJava::Error, ex
+        end
+      end
+    end
+
+    # 
+    # utilities here is to assist crypto_header encode/decode operations
+    #
+    def Crypto.to_file(path)
+      IoUtils.to_file(path)      
+    end
+
+    def Crypto.to_input(buf)
+      { bin_is: java.io.ByteArrayInputStream.new(buf), bin: buf }
+    end
+
+    def Crypto.input_length(input)
+      if not input[:file].nil?
+        input[:file].length
+      elsif not input[:bin].nil?
+        input[:bin].length
+      else
+        raise TcryptoJava::Error, "Unknown input for length extraction #{input}"
+      end
+    end
+
+    def Crypto.copy_file_to_output(srcFile, output, opts = { }, &block)
+      raise TcryptoJava::Error, "Source file cannot be nil or empty" if srcFile.nil? or srcFile.empty?
+      raise TcryptoJava::Error, "Output cannot be nil" if output.nil?
+     
+      if srcFile.is_a?(java.io.InputStream)
+        src = srcFile
+      elsif srcFile.is_a?(String)
+        # assume is file path?
+        f = java.io.File.new(srcFile)
+        raise TcryptoJava::Error, "Cannot read source file from a directory [#{f.absolute_path}]" if f.is_directory?
+        raise TcryptoJava::Error, "Given file doesn't exist [#{f.absolute_path}]" if not f.exists
+        src = java.io.FileInputStream.new(f)
+      else
+        raise TcryptoJava::Error, "Unsupported source file type #{srcFile.class}"
+      end
+
+      if output.is_a?(java.io.OutputStream)
+        TcryptoJava::GConf.instance.glog.debug "Given output is an OutputStream. Direct use the object."
+        os = output
+      elsif output.is_a?(String)
+        # assume is file path?
+        f = java.io.File.new(output)
+        raise TcryptoJava::Error, "Cannot write output to a directory [#{f.absolute_path}]" if f.is_directory?
+        
+        TcryptoJava::GConf.instance.glog.debug "Opening given path #{f.absolute_path} to copy file into"
+        os = java.io.FileOutputStream.new(f)
+        
+      else
+        raise TcryptoJava::Error, "Unsupported destination type #{val[:dest].class}"
+      end
+
+      bufSize = opts[:bufSize] || 102400 
+      b = Java::byte[bufSize].new
+      while((read = src.read(b,0,b.length)) != -1)
+        if block
+          block.call(:before_write, { buf: b, from: 0, len: read })
+        end
+        
+        os.write(b,0,read)  
+      end
+      
+    end
+
+    def Crypto.load_file_into_memory(file, opts = { }, &block)
+      raise TcryptoJava::Error, "No file given" if file.nil?
+      f = java.io.File.new(file)
+      raise TcryptoJava::Error, "Given file #{f.absolute_path} does not exist" if not f.exists
+      raise TcryptoJava::Error, "Given file #{f.absolute_path} is a directory" if f.directory?
+      
+      total = f.length
+      bufSize = opts[:bufSize] || 102400 
+      b = Java::byte[bufSize].new
+      baos = java.io.ByteArrayOutputStream.new
+      processed = 0
+      fis = java.io.FileInputStream.new(f)
+      while((read = fis.read(b,0,b.length)) != -1)
+        baos.write(b,0,read)
+        processed += read
+      
+        block.call(:progress, { total: total, processed: processed }) if block
+      end
+
+      baos.toByteArray
+      
+    end
+    # end utilities
+
+  end 
+end

data/lib/tcrypto_java/global.rb

@@ -0,0 +1,27 @@
+
+require 'singleton'
+require 'tlogger'
+
+module TcryptoJava
+  class GConf
+    include Singleton
+    attr_reader :logger_params, :glog
+    def initialize
+      @logger_params = STDOUT
+      @glog = Tlogger.new(STDOUT)
+      @glog.tag = :tcrypto_java
+      @glog.show_source
+    end  
+
+    def java_version
+      if @java_ver.nil?
+        @java_ver = ENV_JAVA['java.version']
+      end
+      
+      @java_ver
+    end
+  end
+end
+
+
+

data/lib/tcrypto_java/io_utils.rb

@@ -0,0 +1,135 @@
+
+require_relative 'global'
+require 'active_support'
+class NumberHelper
+  extend ActiveSupport::NumberHelper
+end
+
+
+module TcryptoJava
+  module IoUtils
+   
+    def IoUtils.load_input(opts = { })
+      if opts.nil? or opts.empty?
+        raise TcryptoJava::Error, "No input given to load"
+      else
+        file = opts[:file]
+        bin = opts[:bin]
+        
+        if not (file.nil? or file.empty?)
+          fis = java.io.FileInputStream.new(file)
+          fis
+        elsif not bin.nil?
+          begin
+            bais = java.io.ByteArrayInputStream.new(bin.to_java_bytes)
+          rescue NoMethodError => e
+            bais = java.io.ByteArrayInputStream.new(bin)
+          end
+          bais
+        else
+          if not (opts[:input_optional].nil? and opts[:input_optional])
+            raise TcryptoJava::Error, "Neither file nor bin given to load input"
+          end
+        end
+      end
+    end
+    # 
+    # end load_input()
+    # 
+
+    def IoUtils.prep_output(opts = { })
+      
+      if opts.nil? or opts.empty?
+        raise TcryptoJava::Error, "No opts given to prep output"
+      else
+        file = opts[:outFile]
+        
+        if not (file.nil? or file.empty?)
+          fos = java.io.FileOutputStream.new(file)
+          fos
+        else
+          baos = java.io.ByteArrayOutputStream.new
+          baos
+        end
+      end
+      
+    end
+
+    def IoUtils.to_file(path)
+      
+      raise Tcrypto::Error, "Given path to convert to file object is nil or empty" if path.nil? or path.empty?
+      
+      file = java.io.File.new(path)
+      raise Tcrypto::Error, "Given input file not available [#{file.absolute_path}]" if not file.exists
+      raise Tcrypto::Error, "Given file path is a directory [#{file.absolute_path}]" if file.is_directory?
+
+      src = java.io.FileInputStream.new(file)
+
+      res = { file: file, file_is: src }
+      res
+    end
+
+    def IoUtils.return_if_buffer(os)
+      if os.java_kind_of?(java.io.ByteArrayOutputStream)
+        os.toByteArray
+      end
+    end
+
+    def IoUtils.read_chunk(is, opts = { },&block)
+
+      raise TcryptoJava::Error, "Cannot read chunk from nil input stream" if is.nil?
+      raise TcryptoJava::Error, "Block required for read_chunk" if not block
+
+      if not is.java_kind_of?(java.io.InputStream)
+        raise TcryptoJava::Error, "Cannot read from '#{is.class}' object"
+      end
+
+      bufLen = opts[:buffer_size] || 1024*1024
+      TcryptoJava::GConf.instance.glog.debug "read_chunk buffer size is #{NumberHelper.number_to_human_size(bufLen)}. Modifiable by caller app via key :in_buf -> :buffer_size"
+      
+      b = Java::byte[bufLen].new
+      while((read = is.read(b,0,b.length)) != -1)
+        block.call(b,0,read)
+      end
+    end
+    # 
+    # end read_chunk
+    # 
+
+    def IoUtils.file_to_memory_byte_array(path)
+      if path.nil? or path.empty?
+        raise TcryptoJava::Error, "Given path '#{path}' to load to memory is nil or empty"
+      else
+        f = java.io.File.new(path)
+        b = Java::byte[f.length].new
+        dis = java.io.DataInputStream.new(java.io.FileInputStream.new(f))
+        dis.readFully(b)
+        dis.close
+
+        b
+      end
+    end
+    # end file_to_memory_byte_array
+    #
+
+    def IoUtils.ensure_java_bytes(bin)
+      if not bin.java_kind_of?(Java::byte[])
+        bin.to_java_bytes
+      else
+        bin
+      end
+    end
+    # end ensure_java_bytes
+    #
+
+    def IoUtils.attempt_zeroise(var)
+      java.util.Arrays.fill(var, 0)
+    end
+  end
+  # end IoUtils
+  #
+
+end
+# end GcryptoJce
+# 
+

data/lib/tcrypto_java/version.rb

@@ -0,0 +1,3 @@
+module TcryptoJava
+  VERSION = "0.1"
+end

data/release.job

@@ -0,0 +1,53 @@
+
+
+job :release do
+
+  include_job :prompt_version
+  #ver = prompt "Please provide version for this release:", required: true
+  #set :releasing_version, ver
+
+  include_job :build
+  include_job :check_in 
+
+end
+
+job :prompt_version do
+  if get(:releasing_version) == nil
+    ver = prompt "Please provide version for this release:", required: true
+    set :releasing_version, ver
+  end
+end
+
+job :build do
+
+  dir File.dirname(__FILE__) 
+
+  include_job :prompt_version
+  
+  rubygem do
+    #publish build('alog.gemspec'), ignore_status: true #do |res|
+    build('tcrypto_java.gemspec') do |res|
+      publish(res, ignore_status: true) 
+    end
+  end
+  
+end
+
+
+job :check_in do
+  dir File.dirname(__FILE__) 
+  git do
+    commit
+    tag 
+    push 'origin', 'master'
+    #push 'git','master'
+  end
+end
+
+job :reinstall do
+  rubygem do
+    uninstall 'tcrypto_java' 
+    install 'tcrypto_java'
+  end
+end
+

data/tcrypto_java.gemspec

@@ -0,0 +1,31 @@
+require_relative 'lib/tcrypto_java/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "tcrypto_java"
+  spec.version       = TcryptoJava::VERSION
+  spec.authors       = ["Chris Liaw"]
+  spec.email         = ["chrisliaw@antrapol.com"]
+
+  spec.summary       = %q{}
+  spec.description   = %q{}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
+  #
+  # spec.metadata["homepage_uri"] = spec.homepage
+  # spec.metadata["source_code_uri"] = "TODO: Put your gem's public repo URL here."
+  # spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'tlogger'
+end

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification
+name: tcrypto_java
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Chris Liaw
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: tlogger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ''
+email:
+- chrisliaw@antrapol.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/tcrypto_java.rb
+- lib/tcrypto_java/crypto.rb
+- lib/tcrypto_java/global.rb
+- lib/tcrypto_java/io_utils.rb
+- lib/tcrypto_java/version.rb
+- release.job
+- tcrypto_java.gemspec
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: ''
+test_files: []