trustworthy 0.1.0 → 0.2.0

data/spec/trustworthy/settings_spec.rb

@@ -2,80 +2,75 @@ require 'spec_helper'
 
 describe Trustworthy::Settings do
   before(:each) do
-    SCrypt::Engine.stub(:generate_salt).and_return('400$8$1b$3e31f076a3226825')
-    Trustworthy::Random.stub(:bytes).and_return(Trustworthy::TestValues::InitializationVector)
-
-    key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
-    @settings = Trustworthy::Settings.new
+    SCrypt::Engine.stub(:generate_salt).and_return(TestValues::Salt)
+    AEAD::Cipher::AES_256_CBC_HMAC_SHA_256.stub(:generate_nonce).and_return(TestValues::InitializationVector)
   end
 
-  describe 'add_key' do
-    it 'encrypts and signs the key with the password' do
-      key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
-      settings = Trustworthy::Settings.new
-      settings.add_key(key, 'user', 'password1')
-      settings.keys['user']['salt'].should == '400$8$1b$3e31f076a3226825'
-      settings.keys['user']['authentication'].should == ['20c274efc68a460568853cc4be586183012769a312549d1aa57e29a36ec1503d'].pack('H*')
-      settings.keys['user']['ciphertext'].should == ['39164ec082fb8b7336d3c5500af99dcb17d2e60496ed553dfab4b05c568aa926'].pack('H*')
+  around(:each) do |example|
+    within_construct do |construct|
+      construct.file(TestValues::SettingsFile)
+      example.run
     end
   end
 
-  describe 'add_secret' do
-    it 'adds a secret file name with an environment' do
-      settings = Trustworthy::Settings.new
-      settings.add_secret('foo', 'foo.enc')
-      settings.secrets['foo'].should == 'foo.enc'
-    end
-  end
+  describe 'self.open' do
+    it 'should read and write the key information to a file' do
+      Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+        key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
+        settings.add_key(key, 'user', 'password1')
+      end
 
-  describe 'unlock_key' do
-    it 'verifies and decrypts the key with the password' do
-      key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
-      settings = Trustworthy::Settings.new
-      settings.add_key(key, 'user', 'password1')
-      unlocked_key = settings.unlock_key('user', 'password1')
-      unlocked_key.x.should == BigDecimal.new('2')
-      unlocked_key.y.should == BigDecimal.new('3')
+      Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+        found_key = settings.find_key('user')
+        found_key['salt'].should == TestValues::Salt
+        found_key['encrypted_point'].should == TestValues::EncryptedPoint
+      end
     end
-  end
 
+    it 'should preserve the contents if an exception is raised' do
+      Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+        key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
+        settings.add_key(key, 'user', 'password1')
+      end
 
-  describe 'write' do
-    it 'writes key information to the given file' do
-      key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
-      settings = Trustworthy::Settings.new
-      settings.add_key(key, 'user', 'password1')
-      FakeFS do
-        settings.write('settings.yml')
+      expect do
+        Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+          key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
+          settings.add_key(key, 'user', 'password2')
+          settings.add_key(key, 'missing', 'password')
+          raise 'boom'
+        end
+      end.to raise_error
 
-        data = File.read('settings.yml')
-        yaml = YAML.load(data)
-        yaml['keys']['user']['salt'].should == '400$8$1b$3e31f076a3226825'
-        yaml['keys']['user']['authentication'].should == ['20c274efc68a460568853cc4be586183012769a312549d1aa57e29a36ec1503d'].pack('H*')
-        yaml['keys']['user']['ciphertext'].should == ['39164ec082fb8b7336d3c5500af99dcb17d2e60496ed553dfab4b05c568aa926'].pack('H*')
+      Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+        settings.find_key('missing').should be_nil
+        found_key = settings.find_key('user')
+        found_key['salt'].should == TestValues::Salt
+        found_key['encrypted_point'].should == TestValues::EncryptedPoint
       end
     end
   end
 
-  describe 'self.load' do
-    it 'loads the key information from the given file' do
-      FakeFS do
-        File.open('settings.yml', 'w') do |file|
-          file.write(<<-EOF)
-keys:
-  user:
-    salt: 400$8$1b$3e31f076a3226825
-    ciphertext: !binary |-
-      ORZOwIL7i3M208VQCvmdyxfS5gSW7VU9+rSwXFaKqSY=
-    authentication: !binary |-
-      IMJ078aKRgVohTzEvlhhgwEnaaMSVJ0apX4po27BUD0=
-EOF
-        end
+  describe 'add_key' do
+    it 'should encrypt the key with the password' do |settings|
+      Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+        key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
+        settings.add_key(key, 'user', 'password1')
+        found_key = settings.find_key('user')
+        found_key['salt'].should == TestValues::Salt
+        found_key['encrypted_point'].should == TestValues::EncryptedPoint
+      end
+    end
+  end
 
-        settings = Trustworthy::Settings.load('settings.yml')
-        settings.keys['user']['salt'].should == '400$8$1b$3e31f076a3226825'
-        settings.keys['user']['authentication'].should == ['20c274efc68a460568853cc4be586183012769a312549d1aa57e29a36ec1503d'].pack('H*')
-        settings.keys['user']['ciphertext'].should == ['39164ec082fb8b7336d3c5500af99dcb17d2e60496ed553dfab4b05c568aa926'].pack('H*')
+  describe 'unlock_key' do
+    it 'should decrypt the key with the password' do
+      Trustworthy::Settings.open(TestValues::SettingsFile) do |settings|
+        key = Trustworthy::Key.new(BigDecimal.new('2'), BigDecimal.new('3'))
+        settings.add_key(key, 'user', 'password1')
+        unlocked_key = settings.unlock_key('user', 'password1')
+        unlocked_key.x.should == BigDecimal.new('2')
+        unlocked_key.y.should == BigDecimal.new('3')
       end
     end
   end

metadata

@@ -1,68 +1,60 @@
 --- !ruby/object:Gem::Specification
 name: trustworthy
 version: !ruby/object:Gem::Version
-  version: 0.1.0
-  prerelease: 
+  version: 0.2.0
 platform: ruby
 authors:
 - John Downey
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-17 00:00:00.000000000 Z
+date: 2013-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: commander
+  name: aead
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '4.1'
+        version: '1.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '4.1'
+        version: '1.6'
 - !ruby/object:Gem::Dependency
-  name: hkdf
+  name: highline
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.1.0
+        version: '1.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.1.0
+        version: '1.6'
 - !ruby/object:Gem::Dependency
-  name: posix-spawn
+  name: hkdf
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.3.6
+        version: 0.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.3.6
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: scrypt
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -70,62 +62,55 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.1'
 - !ruby/object:Gem::Dependency
-  name: fakefs
+  name: test-construct
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 1.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - '='
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - '='
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.13'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.0.3
 description: Implements a special case (k = 2) of Adi Shamir's secret sharing algorithm.
-  This allows secret files to be encrypted on disk but loaded into a process on start
-  if two keys are available.
+  This allows secret files to be encrypted on disk and require two secret holders
+  to decrypt it.
 email:
 - jdowney@gmail.com
 executables:
@@ -133,7 +118,13 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/trustworthy/crypto.rb
+- lib/trustworthy/cli/add_key.rb
+- lib/trustworthy/cli/command.rb
+- lib/trustworthy/cli/decrypt.rb
+- lib/trustworthy/cli/encrypt.rb
+- lib/trustworthy/cli/helpers.rb
+- lib/trustworthy/cli/init.rb
+- lib/trustworthy/cli.rb
 - lib/trustworthy/key.rb
 - lib/trustworthy/master_key.rb
 - lib/trustworthy/random.rb
@@ -141,7 +132,11 @@ files:
 - lib/trustworthy/version.rb
 - lib/trustworthy.rb
 - spec/spec_helper.rb
-- spec/trustworthy/crypto_spec.rb
+- spec/trustworthy/cli/add_key_spec.rb
+- spec/trustworthy/cli/command_spec.rb
+- spec/trustworthy/cli/decrypt_spec.rb
+- spec/trustworthy/cli/encrypt_spec.rb
+- spec/trustworthy/cli/init_spec.rb
 - spec/trustworthy/key_spec.rb
 - spec/trustworthy/master_key_spec.rb
 - spec/trustworthy/random_spec.rb
@@ -149,32 +144,36 @@ files:
 - bin/trustworthy
 - README.md
 homepage: http://github.com/jtdowney/trustworthy
-licenses: []
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.0.1
 signing_key: 
-specification_version: 3
-summary: Launch processes while keeping secrets encrypted on disk
+specification_version: 4
+summary: Encrypt and decrypt files with multiple key holders
 test_files:
 - spec/spec_helper.rb
-- spec/trustworthy/crypto_spec.rb
+- spec/trustworthy/cli/add_key_spec.rb
+- spec/trustworthy/cli/command_spec.rb
+- spec/trustworthy/cli/decrypt_spec.rb
+- spec/trustworthy/cli/encrypt_spec.rb
+- spec/trustworthy/cli/init_spec.rb
 - spec/trustworthy/key_spec.rb
 - spec/trustworthy/master_key_spec.rb
 - spec/trustworthy/random_spec.rb

data/lib/trustworthy/crypto.rb

@@ -1,50 +0,0 @@
-module Trustworthy
-  class Crypto
-    def initialize(encryption_key, authentication_key)
-      @encryption_key = encryption_key
-      @authentication_key = authentication_key
-      @digest = OpenSSL::Digest.new('SHA256')
-      @cipher = OpenSSL::Cipher.new('AES-256-CBC')
-    end
-
-    def decrypt(ciphertext)
-      ciphertext.force_encoding('BINARY') if ciphertext.respond_to?(:force_encoding)
-      iv = ciphertext.slice(0..15)
-      ciphertext = ciphertext.slice(16..-1)
-      @cipher.decrypt
-      @cipher.key = @encryption_key
-      @cipher.iv = iv
-      @cipher.update(ciphertext) + @cipher.final
-    end
-
-    def encrypt(plaintext)
-      iv = Trustworthy::Random.bytes(16)
-      @cipher.encrypt
-      @cipher.key = @encryption_key
-      @cipher.iv = iv
-      ciphertext = @cipher.update(plaintext) + @cipher.final
-      iv + ciphertext
-    end
-
-    def sign(data)
-      OpenSSL::HMAC.digest(@digest, @authentication_key, data)
-    end
-
-    def valid_signature?(given_signature, data)
-      computed_signature = sign(data)
-      _secure_compare(given_signature, computed_signature)
-    end
-
-    def _secure_compare(a, b)
-      return false unless a.bytesize == b.bytesize
-
-      bytes = a.unpack("C#{a.bytesize}")
-
-      result = 0
-      b.each_byte do |byte|
-        result |= byte ^ bytes.shift
-      end
-      result == 0
-    end
-  end
-end

data/spec/trustworthy/crypto_spec.rb

@@ -1,42 +0,0 @@
-require 'spec_helper'
-
-describe Trustworthy::Crypto do
-  before(:each) do
-    @crypto = Trustworthy::Crypto.new(Trustworthy::TestValues::EncryptionKey, Trustworthy::TestValues::AuthenticationKey)
-  end
-
-  describe 'sign' do
-    it 'should sign the input using the authentication key' do
-      signature = @crypto.sign('foobar')
-      signature.should == ['f9e948d9259d35e729b14e370a7456ec4b22d2a0a1d5daa1accbeb54f414865e'].pack('H*')
-    end
-  end
-
-  describe 'valid_signature?' do
-    it 'should return true when the signature matches the data' do
-      given_signature = ['f9e948d9259d35e729b14e370a7456ec4b22d2a0a1d5daa1accbeb54f414865e'].pack('H*')
-      @crypto.should be_valid_signature(given_signature, 'foobar')
-    end
-
-    it 'should return false when the signature matches the data' do
-      given_signature = ['4d15a6427d6b56e07b819ff0a147dd8ff77b1b5fafd33f9071b0359755edde42'].pack('H*')
-      @crypto.should_not be_valid_signature(given_signature, 'foobar')
-    end
-  end
-
-  describe 'encrypt' do
-    it 'should encrypt the input using the encryption key' do
-      Trustworthy::Random.stub(:bytes).and_return(Trustworthy::TestValues::InitializationVector)
-      ciphertext = @crypto.encrypt('foobar')
-      ciphertext.should == ['39164ec082fb8b7336d3c5500af99dcbf3af2b0abd6f2ac79f1a76cb4e092a7c'].pack('H*')
-    end
-  end
-
-  describe 'decrypt' do
-    it 'should decrypt the input using the encryption key' do
-      ciphertext = ['39164ec082fb8b7336d3c5500af99dcbf3af2b0abd6f2ac79f1a76cb4e092a7c'].pack('H*')
-      plaintext = @crypto.decrypt(ciphertext)
-      plaintext.should == 'foobar'
-    end
-  end
-end