ubiq-security 1.0.0 → 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +4 -6
- data/lib/ubiq-security.rb +5 -6
- data/lib/ubiq/algo.rb +44 -40
- data/lib/ubiq/auth.rb +72 -71
- data/lib/ubiq/credentials.rb +75 -65
- data/lib/ubiq/decrypt.rb +220 -210
- data/lib/ubiq/encrypt.rb +156 -146
- data/lib/ubiq/host.rb +1 -1
- data/lib/ubiq/version.rb +1 -2
- metadata +1 -1
data/lib/ubiq/decrypt.rb
CHANGED
|
@@ -13,256 +13,266 @@
|
|
|
13
13
|
#
|
|
14
14
|
# https://ubiqsecurity.com/legal
|
|
15
15
|
#
|
|
16
|
+
|
|
17
|
+
# frozen_string_literal: true
|
|
18
|
+
|
|
16
19
|
require 'rb-readline'
|
|
17
20
|
require 'byebug'
|
|
18
21
|
require 'httparty'
|
|
19
|
-
require
|
|
22
|
+
require 'active_support/all'
|
|
20
23
|
require_relative './auth.rb'
|
|
21
24
|
require_relative './algo.rb'
|
|
22
25
|
require_relative './encrypt.rb'
|
|
23
26
|
require 'webrick'
|
|
24
27
|
|
|
28
|
+
# Ubiq Security Modules for encrypting / decrypting data
|
|
25
29
|
module Ubiq
|
|
30
|
+
# Class to provide data decryption, either as a simple
|
|
31
|
+
# single function call or as a piecewise where the
|
|
32
|
+
# entire data element isn't available at once or is
|
|
33
|
+
# too large to process in a single call.
|
|
34
|
+
class Decryption
|
|
35
|
+
def initialize(creds)
|
|
36
|
+
# Initialize the decryption module object
|
|
37
|
+
# Set the credentials in instance varibales to be used among methods
|
|
38
|
+
# the server to which to make the request
|
|
39
|
+
raise 'Some of your credentials are missing, please check!' unless validate_creds(creds)
|
|
26
40
|
|
|
27
|
-
|
|
28
|
-
def initialize(creds)
|
|
29
|
-
# Initialize the decryption module object
|
|
30
|
-
# Set the credentials in instance varibales to be used among methods
|
|
31
|
-
# the server to which to make the request
|
|
32
|
-
raise RuntimeError, 'Some of your credentials are missing, please check!' if !validate_creds(creds)
|
|
33
|
-
@host = creds.host.blank? ? UBIQ_HOST : creds.host
|
|
41
|
+
@host = creds.host.blank? ? UBIQ_HOST : creds.host
|
|
34
42
|
|
|
35
|
-
|
|
36
|
-
|
|
43
|
+
# The client's public API key (used to identify the client to the server
|
|
44
|
+
@papi = creds.access_key_id
|
|
37
45
|
|
|
38
|
-
|
|
39
|
-
|
|
46
|
+
# The client's secret API key (used to authenticate HTTP requests)
|
|
47
|
+
@sapi = creds.secret_signing_key
|
|
40
48
|
|
|
41
|
-
|
|
42
|
-
|
|
49
|
+
# The client's secret RSA encryption key/password (used to decrypt the
|
|
50
|
+
# client's RSA key from the server). This key is not retained by this object.
|
|
51
|
+
@srsa = creds.secret_crypto_access_key
|
|
43
52
|
|
|
44
|
-
|
|
45
|
-
|
|
53
|
+
@decryption_ready = true
|
|
54
|
+
@decryption_started = false
|
|
46
55
|
|
|
47
|
-
|
|
56
|
+
end
|
|
48
57
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
58
|
+
def endpoint_base
|
|
59
|
+
@host + '/api/v0'
|
|
60
|
+
end
|
|
52
61
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
62
|
+
def endpoint
|
|
63
|
+
'/api/v0/decryption/key'
|
|
64
|
+
end
|
|
56
65
|
|
|
57
|
-
|
|
58
|
-
|
|
66
|
+
def begin
|
|
67
|
+
# Begin the decryption process
|
|
59
68
|
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
+
# This interface does not take any cipher text in its arguments
|
|
70
|
+
# in an attempt to maintain an API that corresponds to the
|
|
71
|
+
# encryption object. In doing so, the work that can take place
|
|
72
|
+
# in this function is limited. without any data, there is no
|
|
73
|
+
# way to determine which key is in use or decrypt any data.
|
|
74
|
+
#
|
|
75
|
+
# this function simply throws an error if starting an decryption
|
|
76
|
+
# while one is already in progress, and initializes the internal
|
|
77
|
+
# buffer
|
|
69
78
|
|
|
70
|
-
|
|
79
|
+
raise 'Decryption is not ready' unless @decryption_ready
|
|
71
80
|
|
|
72
|
-
|
|
81
|
+
raise 'Decryption Already Started' if @decryption_started
|
|
73
82
|
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
83
|
+
raise 'Decryption already in progress' if @key.present? && @key.key?('dec')
|
|
84
|
+
|
|
85
|
+
@decryption_started = true
|
|
86
|
+
@data = ''
|
|
87
|
+
end
|
|
78
88
|
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
#
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
#
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
89
|
+
def update(data)
|
|
90
|
+
# Decryption of cipher text is performed here
|
|
91
|
+
# Cipher text must be passed to this function in the order in which
|
|
92
|
+
# it was output from the encryption.update function.
|
|
93
|
+
|
|
94
|
+
# Each encryption has a header on it that identifies the algorithm
|
|
95
|
+
# used and an encryption of the data key that was used to encrypt
|
|
96
|
+
# the original plain text. there is no guarantee how much of that
|
|
97
|
+
# data will be passed to this function or how many times this
|
|
98
|
+
# function will be called to process all of the data. to that end,
|
|
99
|
+
# this function buffers data internally, when it is unable to
|
|
100
|
+
# process it.
|
|
101
|
+
#
|
|
102
|
+
# The function buffers data internally until the entire header is
|
|
103
|
+
# received. once the header has been received, the encrypted data
|
|
104
|
+
# key is sent to the server for decryption. after the header has
|
|
105
|
+
# been successfully handled, this function always decrypts all of
|
|
106
|
+
# the data in its internal buffer *except* for however many bytes
|
|
107
|
+
# are specified by the algorithm's tag size. see the end() function
|
|
108
|
+
# for details.
|
|
109
|
+
|
|
110
|
+
raise 'Decryption is not Started' unless @decryption_started
|
|
111
|
+
|
|
112
|
+
# Append the incoming data in the internal data buffer
|
|
113
|
+
@data += data
|
|
114
|
+
|
|
115
|
+
# if there is no key or 'dec' member of key, then the code is
|
|
116
|
+
# still trying to build a complete header
|
|
117
|
+
if !@key.present? || !@key.key?('dec')
|
|
118
|
+
struct_length = [1, 1, 1, 1, 1].pack('CCCCn').length
|
|
119
|
+
packed_struct = @data[0...struct_length]
|
|
120
|
+
|
|
121
|
+
# Does the buffer contain enough of the header to
|
|
122
|
+
# determine the lengths of the initialization vector
|
|
123
|
+
# and the key?
|
|
124
|
+
if @data.length > struct_length
|
|
125
|
+
# Unpack the values packed in encryption
|
|
126
|
+
version, flag_for_later, algorithm_id, iv_length, key_length = packed_struct.unpack('CCCCn')
|
|
127
|
+
|
|
128
|
+
# verify flag and version are 0
|
|
129
|
+
raise 'invalid encryption header' if (version != 0) || (flag_for_later != 0)
|
|
130
|
+
|
|
131
|
+
# Does the buffer contain the entire header?
|
|
132
|
+
if @data.length > struct_length + iv_length + key_length
|
|
133
|
+
# Extract the initialization vector
|
|
134
|
+
iv = @data[struct_length...iv_length + struct_length]
|
|
135
|
+
# Extract the encryped key
|
|
136
|
+
encrypted_key = @data[struct_length + iv_length...key_length + struct_length + iv_length]
|
|
137
|
+
# Remove the header from the buffer
|
|
138
|
+
@data = @data[struct_length + iv_length + key_length..-1]
|
|
139
|
+
|
|
140
|
+
# generate a local identifier for the key
|
|
141
|
+
hash_sha512 = OpenSSL::Digest::SHA512.new
|
|
142
|
+
hash_sha512 << encrypted_key
|
|
143
|
+
client_id = hash_sha512.digest
|
|
144
|
+
|
|
145
|
+
if @key.present?
|
|
146
|
+
close if @key['client_id'] != client_id
|
|
136
147
|
end
|
|
137
|
-
end
|
|
138
148
|
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
149
|
+
# IF key object not exists, request a new one from the server
|
|
150
|
+
unless @key.present?
|
|
151
|
+
url = endpoint_base + '/decryption/key'
|
|
152
|
+
query = { encrypted_data_key: Base64.strict_encode64(encrypted_key) }
|
|
153
|
+
headers = Auth.build_headers(@papi, @sapi, endpoint, query, @host, 'post')
|
|
154
|
+
|
|
155
|
+
response = HTTParty.post(
|
|
156
|
+
url,
|
|
157
|
+
body: query.to_json,
|
|
158
|
+
headers: headers
|
|
159
|
+
)
|
|
160
|
+
|
|
161
|
+
# Response status is 200 OK
|
|
162
|
+
if response.code == WEBrick::HTTPStatus::RC_OK
|
|
163
|
+
@key = {}
|
|
164
|
+
@key['finger_print'] = response['key_fingerprint']
|
|
165
|
+
@key['client_id'] = client_id
|
|
166
|
+
@key['session'] = response['encryption_session']
|
|
167
|
+
|
|
168
|
+
@key['algorithm'] = 'aes-256-gcm'
|
|
169
|
+
|
|
170
|
+
encrypted_private_key = response['encrypted_private_key']
|
|
171
|
+
# Decrypt the encryped private key using SRSA
|
|
172
|
+
private_key = OpenSSL::PKey::RSA.new(encrypted_private_key, @srsa)
|
|
173
|
+
|
|
174
|
+
wrapped_data_key = response['wrapped_data_key']
|
|
175
|
+
# Decode WDK from base64 format
|
|
176
|
+
wdk = Base64.strict_decode64(wrapped_data_key)
|
|
177
|
+
# Use private key to decrypt the wrapped data key
|
|
178
|
+
dk = private_key.private_decrypt(wdk, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
|
|
179
|
+
|
|
180
|
+
@key['raw'] = dk
|
|
181
|
+
@key['uses'] = 0
|
|
182
|
+
else
|
|
183
|
+
# Raise the error if response is not 200
|
|
184
|
+
raise "HTTPError Response: Expected 201, got #{response.code}"
|
|
185
|
+
end
|
|
175
186
|
end
|
|
176
|
-
end
|
|
177
187
|
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
188
|
+
# If the key object exists, create a new decryptor
|
|
189
|
+
# with the initialization vector from the header and
|
|
190
|
+
# the decrypted key (which is either new from the
|
|
191
|
+
# server or cached from the previous decryption). in
|
|
192
|
+
# either case, increment the key usage
|
|
183
193
|
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
194
|
+
if @key.present?
|
|
195
|
+
@algo = Algo.new.get_algo(@key['algorithm'])
|
|
196
|
+
@key['dec'] = Algo.new.decryptor(@algo, @key['raw'], iv)
|
|
197
|
+
@key['uses'] += 1
|
|
198
|
+
end
|
|
188
199
|
end
|
|
189
200
|
end
|
|
190
201
|
end
|
|
191
|
-
end
|
|
192
202
|
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
203
|
+
# if the object has a key and a decryptor, then decrypt whatever
|
|
204
|
+
# data is in the buffer, less any data that needs to be saved to
|
|
205
|
+
# serve as the tag.
|
|
206
|
+
plain_text = ''
|
|
207
|
+
if @key.present? && @key.key?('dec')
|
|
208
|
+
size = @data.length - @algo[:tag_length]
|
|
209
|
+
if size.positive?
|
|
210
|
+
plain_text = @key['dec'].update(@data[0..size - 1])
|
|
211
|
+
@data = @data[size..-1]
|
|
212
|
+
end
|
|
213
|
+
return plain_text
|
|
202
214
|
end
|
|
203
|
-
return plain_text
|
|
204
215
|
end
|
|
205
216
|
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
217
|
+
def end
|
|
218
|
+
raise 'Decryption is not Started' unless @decryption_started
|
|
219
|
+
|
|
220
|
+
# The update function always maintains tag-size bytes in
|
|
221
|
+
# the buffer because this function provides no data parameter.
|
|
222
|
+
# by the time the caller calls this function, all data must
|
|
223
|
+
# have already been input to the decryption object.
|
|
224
|
+
|
|
225
|
+
sz = @data.length - @algo[:tag_length]
|
|
226
|
+
|
|
227
|
+
raise 'Invalid Tag!' if sz.negative?
|
|
228
|
+
|
|
229
|
+
if sz.zero?
|
|
230
|
+
@key['dec'].auth_tag = @data
|
|
231
|
+
begin
|
|
232
|
+
pt = @key['dec'].final
|
|
233
|
+
# Delete the decryptor context
|
|
234
|
+
@key.delete('dec')
|
|
235
|
+
# Return the decrypted plain data
|
|
236
|
+
@decryption_started = false
|
|
237
|
+
return pt
|
|
238
|
+
rescue Exception
|
|
239
|
+
print 'Invalid cipher data or tag!'
|
|
240
|
+
return ''
|
|
241
|
+
end
|
|
230
242
|
end
|
|
231
|
-
end
|
|
232
|
-
end
|
|
243
|
+
end
|
|
233
244
|
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
if @key
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
245
|
+
def close
|
|
246
|
+
raise 'Decryption currently running' if @decryption_started
|
|
247
|
+
|
|
248
|
+
# Reset the internal state of the decryption object
|
|
249
|
+
if @key.present?
|
|
250
|
+
if @key['uses'].positive?
|
|
251
|
+
query_url = "#{endpoint}/#{@key['finger_print']}/#{@key['session']}"
|
|
252
|
+
url = "#{endpoint_base}/decryption/key/#{@key['finger_print']}/#{@key['session']}"
|
|
253
|
+
query = { uses: @key['uses'] }
|
|
254
|
+
headers = Auth.build_headers(@papi, @sapi, query_url, query, @host, 'patch')
|
|
255
|
+
response = HTTParty.patch(
|
|
256
|
+
url,
|
|
257
|
+
body: query.to_json,
|
|
258
|
+
headers: headers
|
|
259
|
+
)
|
|
260
|
+
remove_instance_variable(:@data)
|
|
261
|
+
remove_instance_variable(:@key)
|
|
262
|
+
end
|
|
250
263
|
end
|
|
251
264
|
end
|
|
252
265
|
end
|
|
253
266
|
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
267
|
+
def decrypt(creds, data)
|
|
268
|
+
begin
|
|
269
|
+
dec = Decryption.new(creds)
|
|
270
|
+
res = dec.begin + dec.update(data) + dec.end
|
|
271
|
+
dec.close
|
|
272
|
+
rescue StandardError
|
|
273
|
+
dec&.close
|
|
274
|
+
raise
|
|
275
|
+
end
|
|
276
|
+
return res
|
|
264
277
|
end
|
|
265
|
-
return res
|
|
266
|
-
|
|
267
|
-
end
|
|
268
278
|
end
|