* ext/openssl/ossl_pkcs5.c: New module.

* ext/openssl/ossl_{cipher,digest,pkcs7,pkcs12}.c:
  Remove redundant module namespace.

* ext/openssl/lib/openssl/{cipher,digest}.rb
  Add backwards compatibile classes for rearranged classes.

* ext/openssl/ossl_{pkcs7,pkcs12}.c: Add documentation.



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@12148 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,15 @@
+Thu Apr  5 14:58:49 2007  Technorama Ltd. <oss-ruby@technorama.net>
+	* ext/openssl/ossl_pkcs5.c: New module.
+
+	* ext/openssl/ossl_{cipher,digest,pkcs7,pkcs12}.c:
+	  Remove redundant module namespace.
+
+	* ext/openssl/lib/openssl/{cipher,digest}.rb
+	  Add backwards compatibile classes for rearranged classes.
+
+	* ext/openssl/ossl_{pkcs7,pkcs12}.c: Add documentation.
+
+
 Thu Apr  5 00:42:48 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* error.c (rb_notimplement), io.c (pipe_open): removed definite

ext/openssl/extconf.rb

@@ -83,6 +83,8 @@ have_func("HMAC_CTX_cleanup")
 have_func("HMAC_CTX_copy")
 have_func("HMAC_CTX_init")
 have_func("PEM_def_callback")
+have_func("PKCS5_PBKDF2_HMAC")
+have_func("PKCS5_PBKDF2_HMAC_SHA1")
 have_func("X509V3_set_nconf")
 have_func("X509V3_EXT_nconf_nid")
 have_func("X509_CRL_add0_revoked")

ext/openssl/lib/openssl/cipher.rb

@@ -19,7 +19,7 @@
 #require 'openssl'
 
 module OpenSSL
-  module Cipher
+  class Cipher
     %w(AES CAST5 BF DES IDEA RC2 RC4 RC5).each{|name|
       klass = Class.new(Cipher){
         define_method(:initialize){|*args|
@@ -41,22 +41,25 @@ module OpenSSL
       const_set("AES#{keylen}", klass)
     }
 
-    class Cipher
-      # Generate, set, and return a random key.
-      # You must call cipher.encrypt or cipher.decrypt before calling this method.
-      def random_key
-        str = OpenSSL::Random.random_bytes(self.key_len)
-        self.key = str
-        return str
-      end
+    # Generate, set, and return a random key.
+    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    def random_key
+      str = OpenSSL::Random.random_bytes(self.key_len)
+      self.key = str
+      return str
+    end
 
-      # Generate, set, and return a random iv.
-      # You must call cipher.encrypt or cipher.decrypt before calling this method.
-      def random_iv
-        str = OpenSSL::Random.random_bytes(self.iv_len)
-        self.iv = str
-        return str
-      end
+    # Generate, set, and return a random iv.
+    # You must call cipher.encrypt or cipher.decrypt before calling this method.
+    def random_iv
+      str = OpenSSL::Random.random_bytes(self.iv_len)
+      self.iv = str
+      return str
+    end
+
+    # This class is only provided for backwards compatibility.  Use OpenSSL::Digest in the future.
+    class Cipher < Cipher
+      # add warning
     end
   end # Cipher
 end # OpenSSL

ext/openssl/lib/openssl/digest.rb

@@ -19,7 +19,7 @@
 #require 'openssl'
 
 module OpenSSL
-  module Digest
+  class Digest
 
     alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
     if OPENSSL_VERSION_NUMBER > 0x00908000
@@ -44,6 +44,11 @@ module OpenSSL
       const_set(name, klass)
     }
 
+    # This class is only provided for backwards compatibility.  Use OpenSSL::Digest in the future.
+    class Digest < Digest
+      # add warning
+    end
+
   end # Digest
 end # OpenSSL
 

ext/openssl/ossl.c

@@ -473,6 +473,7 @@ Init_openssl()
     Init_ossl_ns_spki();
     Init_ossl_pkcs12();
     Init_ossl_pkcs7();
+    Init_ossl_pkcs5();
     Init_ossl_pkey();
     Init_ossl_rand();
     Init_ossl_ssl();

ext/openssl/ossl_cipher.c

@@ -26,7 +26,6 @@
 /*
  * Classes
  */
-VALUE mCipher;
 VALUE cCipher;
 VALUE eCipherError;
 
@@ -540,13 +539,12 @@ Init_ossl_cipher(void)
 #if 0 /* let rdoc know about mOSSL */
     mOSSL = rb_define_module("OpenSSL");
 #endif
-    mCipher = rb_define_module_under(mOSSL, "Cipher");
-    eCipherError = rb_define_class_under(mOSSL, "CipherError", eOSSLError);
-    cCipher = rb_define_class_under(mCipher, "Cipher", rb_cObject);
+    cCipher = rb_define_class_under(mOSSL, "Cipher", rb_cObject);
+    eCipherError = rb_define_class_under(cCipher, "CipherError", eOSSLError);
 
     rb_define_alloc_func(cCipher, ossl_cipher_alloc);
     rb_define_copy_func(cCipher, ossl_cipher_copy);
-    rb_define_module_function(mCipher, "ciphers", ossl_s_ciphers, 0);
+    rb_define_module_function(cCipher, "ciphers", ossl_s_ciphers, 0);
     rb_define_method(cCipher, "initialize", ossl_cipher_initialize, 1);
     rb_define_method(cCipher, "reset", ossl_cipher_reset, 0);
     rb_define_method(cCipher, "encrypt", ossl_cipher_encrypt, -1);

ext/openssl/ossl_cipher.h

@@ -11,7 +11,6 @@
 #if !defined(_OSSL_CIPHER_H_)
 #define _OSSL_CIPHER_H_
 
-extern VALUE mCipher;
 extern VALUE cCipher;
 extern VALUE eCipherError;
 

ext/openssl/ossl_digest.c

@@ -24,7 +24,6 @@
 /*
  * Classes
  */
-VALUE mDigest;
 VALUE cDigest;
 VALUE eDigestError;
 
@@ -321,11 +320,8 @@ Init_ossl_digest()
     mOSSL = rb_define_module("OpenSSL");
 #endif
 
-    mDigest = rb_define_module_under(mOSSL, "Digest");
-	
-    eDigestError = rb_define_class_under(mDigest, "DigestError", eOSSLError);
-	
-    cDigest = rb_define_class_under(mDigest, "Digest", rb_cObject);
+    cDigest = rb_define_class_under(mOSSL, "Digest", rb_cObject);
+    eDigestError = rb_define_class_under(cDigest, "DigestError", eOSSLError);
 	
     rb_define_alloc_func(cDigest, ossl_digest_alloc);
     rb_define_singleton_method(cDigest, "digest", ossl_digest_s_digest, 2);

ext/openssl/ossl_digest.h

@@ -11,7 +11,6 @@
 #if !defined(_OSSL_DIGEST_H_)
 #define _OSSL_DIGEST_H_
 
-extern VALUE mDigest;
 extern VALUE cDigest;
 extern VALUE eDigestError;
 

ext/openssl/ossl_pkcs12.c

@@ -30,7 +30,6 @@
 /*
  * Classes
  */
-VALUE mPKCS12;
 VALUE cPKCS12;
 VALUE ePKCS12Error;
 
@@ -49,32 +48,85 @@ ossl_pkcs12_s_allocate(VALUE klass)
     return obj;
 }
 
+/*
+ * call-seq:
+ *    PKCS12.create(pass, name, key, cert [, ca, [, key_pbe [, cert_pbe [, key_iter [, mac_iter [, keytype]]]]]])
+ *
+ * === Parameters
+ * * +pass+ - string
+ * * +name+ - A string describing the key.
+ * * +key+ - Any PKey.
+ * * +cert+ - A X509::Certificate.
+ * * * The public_key portion of the certificate must contain a valid public key.
+ * * * The not_before and not_after fields must be filled in.
+ * * +ca+ - An optional array of X509::Certificate's.
+ * * +key_pbe+ - string
+ * * +cert_pbe+ - string
+ * * +key_iter+ - integer
+ * * +mac_iter+ - integer
+ * * +keytype+ - An integer representing an MSIE specific extension.
+ *
+ * Any optional arguments may be supplied as nil to preserve the OpenSSL defaults.
+ *
+ * See the OpenSSL documentation for PKCS12_create().
+ */
 static VALUE
 ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
 {
-    VALUE pass, name, pkey, cert, ca;
+    VALUE pass, name, pkey, cert, ca, key_nid, cert_nid, key_iter, mac_iter, keytype;
     VALUE obj;
     char *passphrase, *friendlyname;
     EVP_PKEY *key;
     X509 *x509;
     STACK_OF(X509) *x509s;
+    int nkey = 0, ncert = 0, kiter = 0, miter = 0, ktype = 0;
     PKCS12 *p12;
     
-    rb_scan_args(argc, argv, "41", &pass, &name, &pkey, &cert, &ca);
+    rb_scan_args(argc, argv, "46", &pass, &name, &pkey, &cert, &ca, &key_nid, &cert_nid, &key_iter, &mac_iter, &keytype);
     passphrase = NIL_P(pass) ? NULL : StringValuePtr(pass);
     friendlyname = NIL_P(name) ? NULL : StringValuePtr(name);
     key = GetPKeyPtr(pkey);
     x509 = GetX509CertPtr(cert);
     x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
+/* TODO: make a VALUE to nid function */
+    if (!NIL_P(key_nid)) {
+        if ((nkey = OBJ_txt2nid(StringValuePtr(key_nid))) == NID_undef)
+            rb_raise(rb_eArgError, "Unknown PBE algorithm %s", StringValuePtr(key_nid));
+    }
+    if (!NIL_P(cert_nid)) {
+        if ((ncert = OBJ_txt2nid(StringValuePtr(cert_nid))) == NID_undef)
+            rb_raise(rb_eArgError, "Unknown PBE algorithm %s", StringValuePtr(cert_nid));
+    }
+    if (!NIL_P(key_iter))
+        kiter = NUM2INT(key_iter);
+    if (!NIL_P(mac_iter))
+        miter = NUM2INT(mac_iter);
+    if (!NIL_P(keytype))
+        ktype = NUM2INT(keytype);
+
     p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s,
-                        0, 0, 0, 0, 0);
+                        nkey, ncert, kiter, miter, ktype);
     sk_X509_pop_free(x509s, X509_free);
     if(!p12) ossl_raise(ePKCS12Error, NULL);
     WrapPKCS12(cPKCS12, obj, p12);
 
+    ossl_pkcs12_set_key(obj, pkey);
+    ossl_pkcs12_set_cert(obj, cert);
+    ossl_pkcs12_set_ca_certs(obj, ca);
+
     return obj;
 }
 
+/*
+ * call-seq:
+ *    PKCS12.new -> pkcs12
+ *    PKCS12.new(str) -> pkcs12
+ *    PKCS12.new(str, pass) -> pkcs12
+ *
+ * === Parameters
+ * * +str+ - Must be a DER encoded PKCS12 string.
+ * * +pass+ - string
+ */
 static VALUE
 ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
 {
@@ -94,7 +146,7 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
 
     pkey = cert = ca = Qnil;
     if(!PKCS12_parse((PKCS12*)DATA_PTR(self), passphrase, &key, &x509, &x509s))
-	ossl_raise(ePKCS12Error, NULL);
+	ossl_raise(ePKCS12Error, "PKCS12_parse");
     pkey = rb_protect((VALUE(*)_((VALUE)))ossl_pkey_new, (VALUE)key,
 		      &st); /* NO DUP */
     if(st) goto err;
@@ -140,10 +192,14 @@ ossl_pkcs12_to_der(VALUE self)
 void
 Init_ossl_pkcs12()
 {
-    mPKCS12 = rb_define_module_under(mOSSL, "PKCS12");
-    cPKCS12 = rb_define_class_under(mPKCS12, "PKCS12", rb_cObject);
-    ePKCS12Error = rb_define_class_under(mPKCS12, "PKCS12Error", eOSSLError);
-    rb_define_module_function(mPKCS12, "create", ossl_pkcs12_s_create, -1);
+    /*
+     * Defines a file format commonly used to store private keys with
+     * accompanying public key certificates, protected with a password-based
+     * symmetric key.
+     */
+    cPKCS12 = rb_define_class_under(mOSSL, "PKCS12", rb_cObject);
+    ePKCS12Error = rb_define_class_under(cPKCS12, "PKCS12Error", eOSSLError);
+    rb_define_singleton_method(cPKCS12, "create", ossl_pkcs12_s_create, -1);
 
     rb_define_alloc_func(cPKCS12, ossl_pkcs12_s_allocate);
     rb_attr(cPKCS12, rb_intern("key"), 1, 0, Qfalse);

ext/openssl/ossl_pkcs12.h

@@ -6,7 +6,6 @@
 #if !defined(_OSSL_PKCS12_H_)
 #define _OSSL_PKCS12_H_
 
-extern VALUE mPKCS12;
 extern VALUE cPKCS12;
 extern VALUE ePKCS12Error;
 

ext/openssl/ossl_pkcs5.c

@@ -0,0 +1,96 @@
+/*
+ * $Id$
+ * Copyright (C) 2007 Technorama Ltd. <oss-ruby@technorama.net>
+ */
+#include "ossl.h"
+
+VALUE mPKCS5;
+VALUE ePKCS5;
+
+/*
+ * call-seq:
+ *    PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string
+ *
+ * === Parameters
+ * * +pass+ - string
+ * * +salt+ - string
+ * * +iter+ - integer - should be greater than 1000.  2000 is better.
+ * * +keylen+ - integer
+ * * +digest+ - a string or OpenSSL::Digest object.
+ *
+ * Available in OpenSSL 0.9.9?.
+ *
+ * Digests other than SHA1 may not be supported by other cryptography libraries.
+ */
+static VALUE
+ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen, VALUE digest)
+{
+#ifdef HAVE_PKCS5_PBKDF2_HMAC
+    VALUE str;
+    const EVP_MD md;
+    int len = NUM2INT(keylen);
+
+    StringValue(pass);
+    StringValue(salt);
+    md = GetDigestPtr(digest);
+
+    str = rb_str_new(0, len);
+
+    if (PKCS5_PBKDF2_HMAC(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), md, len, RSTRING_PTR(str)) != 1)
+        ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC");
+
+    return str;
+#else
+    rb_notimplement();
+#endif
+}
+
+
+/*
+ * call-seq:
+ *    PKCS5.pbkdf2_hmac_sha1(pass, salt, iter, keylen) => string
+ *
+ * === Parameters
+ * * +pass+ - string
+ * * +salt+ - string
+ * * +iter+ - integer - should be greater than 1000.  2000 is better.
+ * * +keylen+ - integer
+ *
+ * This method is available almost any version OpenSSL.
+ *
+ * Conforms to rfc2898.
+ */
+static VALUE
+ossl_pkcs5_pbkdf2_hmac_sha1(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE keylen)
+{
+#ifdef HAVE_PKCS5_PBKDF2_HMAC_SHA1
+    VALUE str;
+    int len = NUM2INT(keylen);
+
+    StringValue(pass);
+    StringValue(salt);
+
+    str = rb_str_new(0, len);
+
+    if (PKCS5_PBKDF2_HMAC_SHA1(RSTRING_PTR(pass), RSTRING_LEN(pass), RSTRING_PTR(salt), RSTRING_LEN(salt), NUM2INT(iter), len, RSTRING_PTR(str)) != 1)
+        ossl_raise(ePKCS5, "PKCS5_PBKDF2_HMAC_SHA1");
+
+    return str;
+#else
+    rb_notimplement();
+#endif
+}
+
+void
+Init_ossl_pkcs5()
+{
+    /*
+     * Password-based Encryption
+     *
+     */
+    mPKCS5 = rb_define_module_under(mOSSL, "PKCS5");
+    ePKCS5 = rb_define_class_under(mPKCS5, "PKCS5Error", eOSSLError);
+
+    rb_define_module_function(mPKCS5, "pbkdf2_hmac", ossl_pkcs5_pbkdf2_hmac, 5);
+    rb_define_module_function(mPKCS5, "pbkdf2_hmac_sha1", ossl_pkcs5_pbkdf2_hmac_sha1, 4);
+}

ext/openssl/ossl_pkcs7.c

@@ -71,7 +71,6 @@
 /* 
  * Classes
  */
-VALUE mPKCS7;
 VALUE cPKCS7;
 VALUE cPKCS7Signer;
 VALUE cPKCS7Recipient;
@@ -134,7 +133,8 @@ DupPKCS7RecipientPtr(VALUE obj)
 }
 
 /*
- * Private
+ * call-seq:
+ *    PKCS7.read_smime(string) => pkcs7
  */
 static VALUE
 ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
@@ -156,6 +156,10 @@ ossl_pkcs7_s_read_smime(VALUE klass, VALUE arg)
     return ret;
 }
 
+/*
+ * call-seq:
+ *    PKCS7.write_smime(pkcs7 [, data [, flags]]) => string
+ */
 static VALUE
 ossl_pkcs7_s_write_smime(int argc, VALUE *argv, VALUE klass)
 {
@@ -187,6 +191,10 @@ ossl_pkcs7_s_write_smime(int argc, VALUE *argv, VALUE klass)
     return str;
 }
 
+/*
+ * call-seq:
+ *    PKCS7.sign(cert, key, data, [, certs [, flags]]) => pkcs7
+ */
 static VALUE
 ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass)
 {
@@ -226,6 +234,10 @@ ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass)
     return ret;
 }
 
+/*
+ * call-seq:
+ *    PKCS7.encrypt(certs, data, [, cipher [, flags]]) => pkcs7
+ */
 static VALUE
 ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
 {
@@ -287,6 +299,13 @@ ossl_pkcs7_alloc(VALUE klass)
     return obj;
 }
 
+/*
+ * call-seq:
+ *    PKCS7.new => pkcs7
+ *    PKCS7.new(string) => pkcs7
+ *
+ * Many methods in this class aren't documented.
+ */
 static VALUE
 ossl_pkcs7_initialize(int argc, VALUE *argv, VALUE self)
 {
@@ -364,6 +383,10 @@ ossl_pkcs7_sym2typeid(VALUE sym)
     return ret;
 }
 
+/*
+ * call-seq:
+ *    pkcs7.type = type => type
+ */
 static VALUE
 ossl_pkcs7_set_type(VALUE self, VALUE type)
 {
@@ -376,6 +399,10 @@ ossl_pkcs7_set_type(VALUE self, VALUE type)
     return type;
 }
 
+/*
+ * call-seq:
+ *    pkcs7.type => string or nil
+ */
 static VALUE
 ossl_pkcs7_get_type(VALUE self)
 {
@@ -926,15 +953,12 @@ ossl_pkcs7ri_get_enc_key(VALUE self)
 void
 Init_ossl_pkcs7()
 {
-    mPKCS7 = rb_define_module_under(mOSSL, "PKCS7");
-
-    ePKCS7Error = rb_define_class_under(mPKCS7, "PKCS7Error", eOSSLError);
-
-    cPKCS7 = rb_define_class_under(mPKCS7, "PKCS7", rb_cObject);
-    rb_define_singleton_method(mPKCS7, "read_smime", ossl_pkcs7_s_read_smime, 1);
-    rb_define_singleton_method(mPKCS7, "write_smime", ossl_pkcs7_s_write_smime, -1);
-    rb_define_singleton_method(mPKCS7, "sign",  ossl_pkcs7_s_sign, -1);
-    rb_define_singleton_method(mPKCS7, "encrypt", ossl_pkcs7_s_encrypt, -1);
+    cPKCS7 = rb_define_class_under(mOSSL, "PKCS7", rb_cObject);
+    ePKCS7Error = rb_define_class_under(cPKCS7, "PKCS7Error", eOSSLError);
+    rb_define_singleton_method(cPKCS7, "read_smime", ossl_pkcs7_s_read_smime, 1);
+    rb_define_singleton_method(cPKCS7, "write_smime", ossl_pkcs7_s_write_smime, -1);
+    rb_define_singleton_method(cPKCS7, "sign",  ossl_pkcs7_s_sign, -1);
+    rb_define_singleton_method(cPKCS7, "encrypt", ossl_pkcs7_s_encrypt, -1);
     rb_attr(cPKCS7, rb_intern("data"), 1, 0, Qfalse);
     rb_attr(cPKCS7, rb_intern("error_string"), 1, 1, Qfalse);
     rb_define_alloc_func(cPKCS7, ossl_pkcs7_alloc);
@@ -964,8 +988,8 @@ Init_ossl_pkcs7()
     rb_define_alias(cPKCS7,  "to_s", "to_pem");
     rb_define_method(cPKCS7, "to_der", ossl_pkcs7_to_der, 0);
 
-    cPKCS7Signer = rb_define_class_under(mPKCS7, "SignerInfo", rb_cObject);
-    rb_define_const(mPKCS7, "Signer", cPKCS7Signer);
+    cPKCS7Signer = rb_define_class_under(cPKCS7, "SignerInfo", rb_cObject);
+    rb_define_const(cPKCS7, "Signer", cPKCS7Signer);
     rb_define_alloc_func(cPKCS7Signer, ossl_pkcs7si_alloc);
     rb_define_method(cPKCS7Signer, "initialize", ossl_pkcs7si_initialize,3);
     rb_define_method(cPKCS7Signer, "issuer", ossl_pkcs7si_get_issuer, 0);
@@ -973,14 +997,14 @@ Init_ossl_pkcs7()
     rb_define_method(cPKCS7Signer, "serial", ossl_pkcs7si_get_serial,0);
     rb_define_method(cPKCS7Signer,"signed_time",ossl_pkcs7si_get_signed_time,0);
 
-    cPKCS7Recipient = rb_define_class_under(mPKCS7,"RecipientInfo",rb_cObject);
+    cPKCS7Recipient = rb_define_class_under(cPKCS7,"RecipientInfo",rb_cObject);
     rb_define_alloc_func(cPKCS7Recipient, ossl_pkcs7ri_alloc);
     rb_define_method(cPKCS7Recipient, "initialize", ossl_pkcs7ri_initialize,1); 
     rb_define_method(cPKCS7Recipient, "issuer", ossl_pkcs7ri_get_issuer,0);
     rb_define_method(cPKCS7Recipient, "serial", ossl_pkcs7ri_get_serial,0);
     rb_define_method(cPKCS7Recipient, "enc_key", ossl_pkcs7ri_get_enc_key,0); 
 
-#define DefPKCS7Const(x) rb_define_const(mPKCS7, #x, INT2NUM(PKCS7_##x))
+#define DefPKCS7Const(x) rb_define_const(cPKCS7, #x, INT2NUM(PKCS7_##x))
 
     DefPKCS7Const(TEXT);
     DefPKCS7Const(NOCERTS);

ext/openssl/ossl_pkcs7.h

@@ -11,7 +11,6 @@
 #if !defined(_OSSL_PKCS7_H_)
 #define _OSSL_PKCS7_H_
 
-extern VALUE mPKCS7;
 extern VALUE cPKCS7;
 extern VALUE cPKCS7Signer;
 extern VALUE cPKCS7Recipient;