tss 0.1.1 → 0.2.0

data/bin/tss

@@ -2,6 +2,9 @@
 # encoding: utf-8
 
 require 'tss'
-require 'tss/cli'
+require 'tss/cli_version'
+require 'tss/cli_common'
+require 'tss/cli_split'
+require 'tss/cli_combine'
 
 TSS::CLI.start

data/lib/tss/cli_combine.rb

@@ -0,0 +1,136 @@
+require 'thor'
+
+# Command Line Interface (CLI)
+# See also, `bin/tss` executable.
+module TSS
+  class CLI < Thor
+    include Thor::Actions
+
+    method_option :input_file, :aliases => '-I', :banner => 'input_file', :type => :string, :desc => 'A filename to read shares from'
+    method_option :output_file, :aliases => '-O', :banner => 'output_file', :type => :string, :desc => 'A filename to write the recovered secret to'
+
+    desc 'combine', 'Enter shares to recover a split secret'
+
+    long_desc <<-LONGDESC
+      `tss combine` will take as input a number of shares that were generated
+      using the `tss split` command. Shares can be provided
+      using one of three different input methods; STDIN, a path to a file,
+      or when prompted for them interactively.
+
+      You can enter shares one by one, or from a text file of shares. If the
+      shares are successfully combined to recover a secret, the secret and
+      some metadata will be written to STDOUT or a file.
+
+      Optional Params:
+
+      input_file :
+      Provide the path to a file containing shares. Any lines in the file not
+      beginning with `tss~` and matching the pattern expected for shares will be
+      ignored. Leading and trailing whitespace or any other text will be ignored
+      as long as the shares are each on a line by themselves.
+
+      output_file :
+      Provide the path to a file where you would like to write any recovered
+      secret, instead of to STDOUT. When this option is provided the output file
+      will contain only the secret itself. Some metadata, including the hash digest
+      of the secret, will be written to STDOUT. Running `sha1sum` or `sha256sum`
+      on the output file should provide a digest matching that of the secret
+      when it was originally split.
+
+      Example w/ options:
+
+      $ tss combine -I shares.txt -O secret.txt
+    LONGDESC
+
+    # rubocop:disable CyclomaticComplexity
+    def combine
+      log('Starting combine')
+      log("options : #{options.inspect}")
+      shares = []
+
+      # There are three ways to pass in shares. STDIN, by specifying
+      # `--input-file`, and in response to being prompted and entering shares
+      # line by line.
+
+      # STDIN
+      # Usage : echo 'foo bar baz' | bundle exec bin/tss split | bundle exec bin/tss combine
+      unless STDIN.tty?
+        $stdin.each_line do |line|
+          line = line.strip
+          exit_if_binary!(line)
+
+          if line.start_with?('tss~') && line.match(Util::HUMAN_SHARE_RE)
+            shares << line
+          else
+            log("Skipping invalid share file line : #{line}")
+          end
+        end
+      end
+
+      # Read from an Input File
+      if STDIN.tty? && options[:input_file]
+        log("Input file specified : #{options[:input_file]}")
+
+        if File.exist?(options[:input_file])
+          log("Input file found : #{options[:input_file]}")
+
+          file = File.open(options[:input_file], 'r')
+          while !file.eof?
+             line = file.readline.strip
+             exit_if_binary!(line)
+
+             if line.start_with?('tss~') && line.match(Util::HUMAN_SHARE_RE)
+               shares << line
+             else
+               log("Skipping invalid share file line : #{line}")
+             end
+          end
+        else
+          err("Filename '#{options[:input_file]}' does not exist.")
+          exit(1)
+        end
+      end
+
+      # Enter shares in response to a prompt.
+      if STDIN.tty? && options[:input_file].blank?
+        say('Enter shares, one per line, and a dot (.) on a line by itself to finish :')
+        last_ans = nil
+        until last_ans == '.'
+          last_ans = ask('share> ').strip
+          exit_if_binary!(last_ans)
+
+          if last_ans != '.' && last_ans.start_with?('tss~') && last_ans.match(Util::HUMAN_SHARE_RE)
+            shares << last_ans
+          end
+        end
+      end
+
+      begin
+        sec = TSS.combine(shares: shares)
+
+        say('')
+        say('RECOVERED SECRET METADATA')
+        say('*************************')
+        say("hash : #{sec[:hash]}")
+        say("hash_alg : #{sec[:hash_alg]}")
+        say("identifier : #{sec[:identifier]}")
+        say("process_time : #{sec[:process_time]}ms")
+        say("threshold : #{sec[:threshold]}")
+
+        # Write the secret to a file or STDOUT. The hash of the file checked
+        # using sha1sum or sha256sum should match the hash of the original
+        # secret when it was split.
+        if options[:output_file].present?
+          say("secret file : [#{options[:output_file]}]")
+          File.open(options[:output_file], 'w'){ |somefile| somefile.puts sec[:secret] }
+        else
+          say('secret :')
+          say(sec[:secret])
+        end
+      rescue TSS::Error => e
+        err("#{e.class} : #{e.message}")
+      end
+    end
+    # rubocop:enable CyclomaticComplexity
+  end
+end

data/lib/tss/cli_common.rb

@@ -0,0 +1,40 @@
+require 'thor'
+
+# Command Line Interface (CLI)
+# See also, `bin/tss` executable.
+module TSS
+  class CLI < Thor
+
+    class_option :verbose, :type => :boolean, :aliases => '-v', :desc => 'Display additional logging output'
+
+    no_commands do
+      # rubocop:disable CyclomaticComplexity
+      def exit_if_binary!(str)
+        str.each_byte { |c|
+          # OK, 9 (TAB), 10 (CR), 13 (LF), >=32 for normal ASCII
+          # Usage of anything other than 10, 13, and 32-126 ASCII decimal codes
+          # looks as though contents are binary and not standard text.
+          if c < 9 || (c > 10 && c < 13) || (c > 13 && c < 32) || c == 127
+            err('STDIN secret appears to contain binary data.')
+            exit(1)
+          end
+        }
+
+        unless ['UTF-8', 'US-ASCII'].include?(str.encoding.name)
+          err('STDIN secret has a non UTF-8 or US-ASCII encoding.')
+          exit(1)
+        end
+      end
+      # rubocop:enable CyclomaticComplexity
+
+      def log(str)
+        say_status(:log, "#{Time.now.utc.iso8601} : #{str}", :white) if options[:verbose]
+      end
+
+      def err(str)
+        say_status(:error, "#{Time.now.utc.iso8601} : #{str}", :red)
+      end
+    end
+
+  end
+end

data/lib/tss/cli_split.rb

@@ -0,0 +1,156 @@
+require 'thor'
+
+# Command Line Interface (CLI)
+# See also, `bin/tss` executable.
+module TSS
+  class CLI < Thor
+    include Thor::Actions
+
+    method_option :threshold, :aliases => '-t', :banner => 'threshold', :type => :numeric, :desc => '# of shares, of total, required to reconstruct a secret'
+    method_option :num_shares, :aliases => '-n', :banner => 'num_shares', :type => :numeric, :desc => '# of shares total that will be generated'
+    method_option :identifier, :aliases => '-i', :banner => 'identifier', :type => :string, :desc => 'A unique identifier string, 0-16 Bytes, [a-zA-Z0-9.-_]'
+    method_option :hash_alg, :aliases => '-h', :banner => 'hash_alg', :type => :string, :desc => 'A hash type for verification, NONE, SHA1, SHA256'
+    method_option :format, :aliases => '-f', :banner => 'format', :type => :string, :default => 'human', :desc => 'Share output format, binary or human'
+    method_option :pad_blocksize, :aliases => '-p', :banner => 'pad_blocksize', :type => :numeric, :desc => 'Block size # secrets will be left-padded to, 0-255'
+    method_option :input_file, :aliases => '-I', :banner => 'input_file', :type => :string, :desc => 'A filename to read the secret from'
+    method_option :output_file, :aliases => '-O', :banner => 'output_file', :type => :string, :desc => 'A filename to write the shares to'
+
+    desc 'split', 'Split a secret into shares that can be used to re-create the secret'
+
+    long_desc <<-LONGDESC
+      `tss split` will generate a set of Threshold Secret Sharing shares from
+      a SECRET provided. A secret to be split can be provided using one of three
+      different input methods; STDIN, a path to a file, or when prompted
+      for it interactively. In all cases the secret should be UTF-8 or
+      US-ASCII encoded text and be no larger than 65,535 Bytes (including header
+      and hash verification bytes).
+
+      Optional Params:
+
+      num_shares :
+      The number of total shares that will be generated.
+
+      threshold  :
+      The threshold is the number of shares required to
+      recreate a secret. This is always a subset of the total
+      shares.
+
+      identifier :
+      A unique identifier string that will be attached
+      to each share. It can be 0-16 Bytes long and use the
+      characters [a-zA-Z0-9.-_]
+
+      hash_alg :
+      One of NONE, SHA1, SHA256. The algorithm to use for a one-way hash of the secret that will be split along with the secret.
+
+      pad_blocksize :
+      An Integer, 0-255, that represents a multiple to which the secret will be padded. For example if pad_blocksize is set to 8, the secret 'abc' would be left-padded to '00000abc' (the padding char is not zero, that is just for illustration).
+
+      format :
+      Whether to output the shares as a binary octet string (RTSS), or as more human friendly URL safe Base 64 encoded text with some metadata.
+
+      input_file :
+      Provide the path to a file containing UTF-8 or US-ASCII text, the contents of which will be used as the secret.
+
+      output_file :
+      Provide the path to a file where you would like to write the shares, one per line, instead of to STDOUT.
+
+      Example w/ options:
+
+      $ tss split -t 3 -n 6 -i abc123 -h SHA256 -p 8 -f human
+
+      Enter your secret:
+
+      secret >  my secret
+
+      tss~v1~abc123~3~YWJjMTIzAAAAAAAAAAAAAAIDADEBQ-AQG3PuU4oT4qHOh2oJmu-vQwGE6O5hsGRBNtdAYauTIi7VoIdi5imWSrswDdRy
+      tss~v1~abc123~3~YWJjMTIzAAAAAAAAAAAAAAIDADECM0OK5TSamH3nubH3FJ2EGZ4Yux4eQC-mvcYY85oOe6ae3kpvVXjuRUDU1m6sX20X
+      tss~v1~abc123~3~YWJjMTIzAAAAAAAAAAAAAAIDADEDb7yF4Vhr1JqNe2Nc8IXo98hmKAxsqC3c_Mn3r3t60NxQMC22ate51StDOM-BImch
+      tss~v1~abc123~3~YWJjMTIzAAAAAAAAAAAAAAIDADEEIXU0FajldnRtEQMLK-ZYMO2MRa0NmkBFfNAOx7olbgXLkVbP9txXMDsdokblVwke
+      tss~v1~abc123~3~YWJjMTIzAAAAAAAAAAAAAAIDADEFfYo7EcQUOpMH09Ggz_403rvy1r9_ckI_Pd_hm1tRxX8FfzEWyXMAoFCKTOfIKgMo
+      tss~v1~abc123~3~YWJjMTIzAAAAAAAAAAAAAAIDADEGDSmh74Ng8WTziMGZXAm5XcpFLqDl2oP4MH24XhYf33IIg1WsPIyMAznI0DJUeLpN
+    LONGDESC
+
+    # rubocop:disable CyclomaticComplexity
+    def split
+      log('Starting split')
+      log('options : ' + options.inspect)
+      args = {}
+
+      # There are three ways to pass in the secret. STDIN, by specifying
+      # `--input-file`, and after being prompted and entering your secret
+      # line by line.
+
+      # STDIN
+      # Usage : echo 'foo bar baz' | bundle exec bin/tss split
+      unless STDIN.tty?
+        secret = $stdin.read
+        exit_if_binary!(secret)
+      end
+
+      # Read from an Input File
+      if STDIN.tty? && options[:input_file].present?
+        log("Input file specified : #{options[:input_file]}")
+
+        if File.exist?(options[:input_file])
+          log("Input file found : #{options[:input_file]}")
+          secret = File.open(options[:input_file], 'r'){ |file| file.read }
+          exit_if_binary!(secret)
+        else
+          err("Filename '#{options[:input_file]}' does not exist.")
+          exit(1)
+        end
+      end
+
+      # Enter a secret in response to a prompt.
+      if STDIN.tty? && options[:input_file].blank?
+        say('Enter your secret, enter a dot (.) on a line by itself to finish :')
+        last_ans = nil
+        secret = []
+
+        while last_ans != '.'
+          last_ans = ask('secret > ')
+          secret << last_ans unless last_ans == '.'
+        end
+
+        # Strip whitespace from the leading and trailing edge of the secret.
+        # Separate each line of the secret with newline, and add a trailing
+        # newline so the hash of a secret when it is created will match
+        # the hash of a file output when recombinging shares.
+        secret = secret.join("\n").strip + "\n"
+        exit_if_binary!(secret)
+      end
+
+      args[:secret]        = secret
+      args[:threshold]     = options[:threshold]     if options[:threshold]
+      args[:num_shares]    = options[:num_shares]    if options[:num_shares]
+      args[:identifier]    = options[:identifier]    if options[:identifier]
+      args[:hash_alg]      = options[:hash_alg]      if options[:hash_alg]
+      args[:pad_blocksize] = options[:pad_blocksize] if options[:pad_blocksize]
+      args[:format]        = options[:format]        if options[:format]
+
+      begin
+        log("Calling : TSS.split(#{args.inspect})")
+        shares = TSS.split(args)
+
+        if options[:output_file].present?
+          file_header  = "# THRESHOLD SECRET SHARING SHARES\n"
+          file_header << "# #{Time.now.utc.iso8601}\n"
+          file_header << "# https://github.com/grempe/tss-rb\n"
+          file_header << "\n\n"
+
+          File.open(options[:output_file], 'w') do |somefile|
+            somefile.puts file_header + shares.join("\n")
+          end
+          log("Process complete : Output file written : #{options[:output_file]}")
+        else
+          $stdout.puts shares.join("\n")
+          log('Process complete')
+        end
+      rescue TSS::Error => e
+        err("#{e.class} : #{e.message}")
+      end
+    end
+    # rubocop:enable CyclomaticComplexity
+  end
+end

data/lib/tss/cli_version.rb

@@ -0,0 +1,17 @@
+require 'thor'
+
+# Command Line Interface (CLI)
+# See also, `bin/tss` executable.
+module TSS
+  class CLI < Thor
+    desc 'version', 'tss version'
+
+    long_desc <<-LONGDESC
+      Display the current version of TSS
+    LONGDESC
+
+    def version
+      say("TSS #{TSS::VERSION}")
+    end
+  end
+end