trocla-ruby2 0.4.0

data/lib/trocla/default_config.yaml

@@ -0,0 +1,47 @@
+---
+store: :moneta
+store_options:
+  adapter: :YAML
+  adapter_options:
+    :file: '/tmp/trocla.yaml'
+
+encryption: :none
+options:
+    random: true
+    length: 16
+    charset: default
+
+profiles:
+  rootpw:
+    charset: consolesafe
+    length: 32
+  mysql:
+    charset: shellsafe
+    length: 32
+  login:
+    charset: consolesafe
+    length: 16
+  x509veryverylong:
+    # 15 years
+    days: 5475
+    # 5475 days
+    expires: 466560000
+  x509verylong:
+    # 10 years
+    days: 3650
+    # 3600 days
+    expires: 311040000
+  x509long:
+    # 5 years
+    days: 1825
+    # 1800 days
+    expires: 155520000
+  x509auto:
+    days: 40
+    # 30 days
+    expires: 2592000
+  x509short:
+    days: 2
+    # 1 day
+    expires: 86400
+

data/lib/trocla/encryptions.rb

@@ -0,0 +1,54 @@
+class Trocla::Encryptions
+
+  class Base
+    attr_reader :trocla, :config
+    def initialize(config, trocla)
+      @trocla = trocla
+      @config = config
+    end
+
+    def encrypt(value)
+      raise NoMethodError.new("#{self.class.name} needs to implement 'encrypt()'")
+    end
+
+    def decrypt(value)
+      raise NoMethodError.new("#{self.class.name} needs to implement 'decrypt()'")
+    end
+  end
+
+  class << self
+    def [](enc)
+      encryptions[enc.to_s.downcase]
+    end
+
+    def all
+      Dir[ path '*' ].collect do |enc|
+        File.basename(enc, '.rb').downcase
+      end
+    end
+
+    def available?(encryption)
+      all.include?(encryption.to_s.downcase)
+    end
+
+    private
+    def encryptions
+      @@encryptions ||= Hash.new do |hash, encryption|
+        encryption = encryption.to_s.downcase
+        if File.exists?( path encryption )
+          require "trocla/encryptions/#{encryption}"
+          class_name = "Trocla::Encryptions::#{encryption.capitalize}"
+          hash[encryption] = (eval class_name)
+        else
+          raise "Encryption #{encryption} is not supported!"
+        end
+      end
+    end
+
+    def path(encryption)
+      File.expand_path(
+        File.join(File.dirname(__FILE__), 'encryptions', "#{encryption}.rb")
+      )
+    end
+  end
+end

data/lib/trocla/encryptions/none.rb

@@ -0,0 +1,10 @@
+class Trocla::Encryptions::None < Trocla::Encryptions::Base
+  def encrypt(value)
+    value
+  end
+
+  def decrypt(value)
+    value
+  end
+end
+

data/lib/trocla/encryptions/ssl.rb

@@ -0,0 +1,51 @@
+require 'openssl'
+require 'base64'
+
+class Trocla::Encryptions::Ssl < Trocla::Encryptions::Base
+  def encrypt(value)
+    ciphertext = ''
+    value.scan(/.{0,#{chunksize}}/m).each do |chunk|
+      ciphertext += Base64.encode64(public_key.public_encrypt(chunk)).gsub("\n",'')+"\n" if chunk
+    end
+    ciphertext
+  end
+
+  def decrypt(value)
+    plaintext = ''
+    value.split(/\n/).each do |line|
+      plaintext += private_key.private_decrypt(Base64.decode64(line)) if line
+    end
+    plaintext
+  end
+
+  private
+
+  def chunksize
+      public_key.n.num_bytes - 11
+  end
+
+  def private_key
+      @private_key ||= begin
+        file = require_option(:private_key)
+        OpenSSL::PKey::RSA.new(File.read(file), nil)
+      end
+  end
+
+  def public_key
+      @public_key ||= begin
+        file = require_option(:public_key)
+        OpenSSL::PKey::RSA.new(File.read(file), nil)
+      end
+  end
+
+  def option(key)
+    config[key]
+  end
+
+  def require_option(key)
+    val = option(key)
+    raise "Config error: 'ssl_options' => :#{key} is not defined" if val.nil?
+    val
+  end
+end
+

data/lib/trocla/formats.rb

@@ -0,0 +1,54 @@
+class Trocla::Formats
+
+  class Base
+    attr_reader :trocla
+    def initialize(trocla)
+      @trocla = trocla
+    end
+    def render(output,render_options={})
+      output
+    end
+    def expensive?
+      self.class.expensive?
+    end
+    class << self
+      def expensive(is_expensive)
+        @expensive = is_expensive
+      end
+      def expensive?
+        @expensive == true
+      end
+    end
+  end
+
+  class << self
+    def [](format)
+      formats[format.downcase]
+    end
+
+    def all
+      Dir[File.expand_path(File.join(File.dirname(__FILE__),'formats','*.rb'))].collect{|f| File.basename(f,'.rb').downcase }
+    end
+
+    def available?(format)
+      all.include?(format.downcase)
+    end
+
+    private
+    def formats
+      @@formats ||= Hash.new do |hash, format|
+        format = format.downcase
+        if File.exists?(path(format))
+          require "trocla/formats/#{format}"
+          hash[format] = (eval "Trocla::Formats::#{format.capitalize}")
+        else
+          raise "Format #{format} is not supported!"
+        end
+      end
+    end
+
+    def path(format)
+      File.expand_path(File.join(File.dirname(__FILE__),'formats',"#{format}.rb"))
+    end
+  end
+end

data/lib/trocla/formats/bcrypt.rb

@@ -0,0 +1,7 @@
+class Trocla::Formats::Bcrypt < Trocla::Formats::Base
+  expensive true
+  require 'bcrypt'
+  def format(plain_password,options={})
+    BCrypt::Password.create(plain_password, :cost => options['cost']||BCrypt::Engine.cost).to_s
+  end
+end

data/lib/trocla/formats/md5crypt.rb

@@ -0,0 +1,6 @@
+# salted crypt
+class Trocla::Formats::Md5crypt < Trocla::Formats::Base
+  def format(plain_password,options={})
+     plain_password.crypt('$1$' << Trocla::Util.salt << '$')
+  end
+end

data/lib/trocla/formats/mysql.rb

@@ -0,0 +1,6 @@
+class Trocla::Formats::Mysql < Trocla::Formats::Base
+  require 'digest/sha1'
+  def format(plain_password,options={})
+    "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest(plain_password)).upcase
+  end
+end

data/lib/trocla/formats/pgsql.rb

@@ -0,0 +1,7 @@
+class Trocla::Formats::Pgsql < Trocla::Formats::Base
+  require 'digest/md5'
+  def format(plain_password,options={})
+    raise "You need pass the username as an option to use this format" unless options['username'] 
+    "md5" + Digest::MD5.hexdigest(plain_password + options['username'])
+  end
+end

data/lib/trocla/formats/plain.rb

@@ -0,0 +1,7 @@
+class Trocla::Formats::Plain < Trocla::Formats::Base
+  
+  def format(plain_password,options={})
+    plain_password
+  end
+  
+end

data/lib/trocla/formats/sha1.rb

@@ -0,0 +1,7 @@
+class Trocla::Formats::Sha1 < Trocla::Formats::Base
+  require 'digest/sha1'
+  require 'base64'
+  def format(plain_password,options={})
+    '{SHA}' + Base64.encode64(Digest::SHA1.digest(plain_password))
+  end
+end

data/lib/trocla/formats/sha256crypt.rb

@@ -0,0 +1,6 @@
+# salted crypt
+class Trocla::Formats::Sha256crypt < Trocla::Formats::Base
+  def format(plain_password,options={})
+     plain_password.crypt('$5$' << Trocla::Util.salt << '$')
+  end
+end

data/lib/trocla/formats/sha512crypt.rb

@@ -0,0 +1,6 @@
+# salted crypt
+class Trocla::Formats::Sha512crypt < Trocla::Formats::Base
+  def format(plain_password,options={})
+     plain_password.crypt('$6$' << Trocla::Util.salt << '$')
+  end
+end

data/lib/trocla/formats/ssha.rb

@@ -0,0 +1,9 @@
+# salted crypt
+require 'base64'
+require 'digest'
+class Trocla::Formats::Ssha < Trocla::Formats::Base
+  def format(plain_password,options={})
+     salt = options['salt'] || Trocla::Util.salt(16)
+     "{SSHA}"+Base64.encode64("#{Digest::SHA1.digest("#{plain_password}#{salt}")}#{salt}").chomp
+  end
+end

data/lib/trocla/formats/sshkey.rb

@@ -0,0 +1,46 @@
+require 'sshkey'
+
+class Trocla::Formats::Sshkey < Trocla::Formats::Base
+
+  expensive true
+
+  def format(plain_password,options={})
+
+    if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY/m)
+      # Import, validate ssh key
+      begin
+        sshkey = ::SSHKey.new(plain_password)
+      rescue Exception => e
+        raise "SSH key import failed: #{e.message}"
+      end
+      return sshkey.private_key + sshkey.ssh_public_key
+    end
+
+    type = options['type'] || 'rsa'
+    bits = options['bits'] || 2048
+
+    begin
+      sshkey = ::SSHKey.generate(
+        type:       type,
+        bits:       bits,
+        comment:    options['comment'],
+        passphrase: options['passphrase']
+      )
+    rescue Exception => e
+      raise "SSH key creation failed: #{e.message}"
+    end
+
+    sshkey.private_key + sshkey.ssh_public_key
+  end
+
+  def render(output,render_options={})
+    if render_options['privonly']
+      ::SSHKey.new(output).private_key
+    elsif render_options['pubonly']
+      ::SSHKey.new(output).ssh_public_key
+    else
+      super(output,render_options)
+    end
+  end
+
+end

data/lib/trocla/formats/x509.rb

@@ -0,0 +1,197 @@
+require 'openssl'
+class Trocla::Formats::X509 < Trocla::Formats::Base
+  expensive true
+  def format(plain_password,options={})
+
+    if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY-----.*-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/m)
+      # just an import, don't generate any new keys
+      return plain_password
+    end
+
+    cn = nil
+    if options['subject']
+      subject = options['subject']
+      if cna = OpenSSL::X509::Name.parse(subject).to_a.find{|e| e[0] == 'CN' }
+        cn = cna[1]
+      end
+    elsif options['CN']
+      subject = ''
+      cn = options['CN']
+      ['C','ST','L','O','OU','CN','emailAddress'].each do |field|
+        subject << "/#{field}=#{options[field]}" if options[field]
+      end
+    else
+      raise "You need to pass \"subject\" or \"CN\" as an option to use this format"
+    end
+    hash = options['hash'] || 'sha2'
+    sign_with = options['ca']
+    become_ca = options['become_ca'] || false
+    keysize = options['keysize'] || 4096
+    days = options['days'].nil? ? 365 : options['days'].to_i
+    name_constraints = Array(options['name_constraints'])
+    key_usages = options['key_usages']
+    key_usages = Array(key_usages) if key_usages
+
+    altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
+      []
+    else
+      # ensure that we have the CN with us, but only if it
+      # it's like a hostname.
+      # This might have to be improved.
+      if cn.include?(' ')
+        Array(an).collect { |v| "DNS:#{v}" }.join(', ')
+      else
+        (["DNS:#{cn}"] + Array(an).collect { |v| "DNS:#{v}" }).uniq.join(', ')
+      end
+    end
+
+    begin
+      key = mkkey(keysize)
+    rescue Exception => e
+      puts e.backtrace
+      raise "Private key for #{subject} creation failed: #{e.message}"
+    end
+
+    cert = nil
+    if sign_with # certificate signed with CA
+      begin
+        ca_str = trocla.get_password(sign_with,'x509')
+        ca = OpenSSL::X509::Certificate.new(ca_str)
+        cakey = OpenSSL::PKey::RSA.new(ca_str)
+        caserial = getserial(sign_with)
+      rescue Exception => e
+        raise "Value of #{sign_with} can't be loaded as CA: #{e.message}"
+      end
+
+      begin
+        subj = OpenSSL::X509::Name.parse(subject)
+        request = mkreq(subj, key.public_key)
+        request.sign(key, signature(hash))
+      rescue Exception => e
+        raise "Certificate request #{subject} creation failed: #{e.message}"
+      end
+
+      begin
+        cert = mkcert(caserial, request.subject, ca, request.public_key, days,
+                        altnames, key_usages, name_constraints, become_ca)
+        cert.sign(cakey, signature(hash))
+        addserial(sign_with, caserial)
+      rescue Exception => e
+        raise "Certificate #{subject} signing failed: #{e.message}"
+      end
+    else # self-signed certificate
+      begin
+        subj = OpenSSL::X509::Name.parse(subject)
+        cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
+                        altnames, key_usages, name_constraints, become_ca)
+        cert.sign(key, signature(hash))
+      rescue Exception => e
+        raise "Self-signed certificate #{subject} creation failed: #{e.message}"
+      end
+    end
+    key.to_pem + cert.to_pem
+  end
+
+  def render(output,render_options={})
+    if render_options['keyonly']
+      OpenSSL::PKey::RSA.new(output).to_pem
+    elsif render_options['certonly']
+      OpenSSL::X509::Certificate.new(output).to_pem
+    else
+      super(output,render_options)
+    end
+  end
+
+  private
+  # nice help: https://gist.github.com/mitfik/1922961
+
+  def signature(hash = 'sha2')
+    if hash == 'sha1'
+        OpenSSL::Digest::SHA1.new
+    elsif hash == 'sha224'
+        OpenSSL::Digest::SHA224.new
+    elsif hash == 'sha2' || hash == 'sha256'
+        OpenSSL::Digest::SHA256.new
+    elsif hash == 'sha384'
+        OpenSSL::Digest::SHA384.new
+    elsif hash == 'sha512'
+        OpenSSL::Digest::SHA512.new
+    else
+        raise "Unrecognized hash: #{hash}"
+    end
+  end
+
+  def mkkey(len)
+    OpenSSL::PKey::RSA.generate(len)
+  end
+
+  def mkreq(subject,public_key)
+    request = OpenSSL::X509::Request.new
+    request.subject = subject
+    request.public_key = public_key
+
+    request
+  end
+
+  def mkcert(serial,subject,issuer,public_key,days,altnames, key_usages = nil, name_constraints = [], become_ca = false)
+    cert = OpenSSL::X509::Certificate.new
+    issuer = cert if issuer == nil
+    cert.subject = subject
+    cert.issuer = issuer.subject
+    cert.not_before = Time.now
+    cert.not_after = Time.now + days * 24 * 60 * 60
+    cert.public_key = public_key
+    cert.serial = serial
+    cert.version = 2
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = issuer
+    cert.extensions = [ ef.create_extension("subjectKeyIdentifier", "hash") ]
+
+    if become_ca
+      cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
+      unless (ku = key_usages || ca_key_usages).empty?
+        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+      end
+      if name_constraints && !name_constraints.empty?
+        cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
+      end
+    else
+      cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
+      cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
+      unless (ku = key_usages || cert_key_usages).empty?
+        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+      end
+    end
+    cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+
+    cert
+  end
+
+  def getserial(ca)
+    newser = Trocla::Util.random_str(20,'hexadecimal').to_i(16)
+    all_serials(ca).include?(newser) ? getserial(ca) : newser
+  end
+
+  def all_serials(ca)
+    if allser = trocla.get_password("#{ca}_all_serials",'plain')
+      YAML.load(allser)
+    else
+      []
+    end
+  end
+
+  def addserial(ca,serial)
+    serials = all_serials(ca) << serial
+    trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
+  end
+
+  def cert_key_usages
+    ['nonRepudiation', 'digitalSignature', 'keyEncipherment']
+  end
+  def ca_key_usages
+    ['keyCertSign', 'cRLSign', 'nonRepudiation',
+      'digitalSignature', 'keyEncipherment' ]
+  end
+end