CryptoProject

Current specification and documentation: https://github.com/emboss/krypt/wiki

A project for a new Ruby crypto library.

Status: project building

Motivation

From an implementation point of view:

  • crypto primitives independent of OpenSSL
  • more code in Ruby for flexibility

Martin Boßlet is going to talk about this project as a part of his presentation at RubyConf 2011. http://rubyconf.org/presentations/38

Ruby OpenSSL: Present, Future and why it matters
30 Sep 11:15 (2nd day)

Goals

  • keep the good parts, improve the rest
  • specification for the "minimal API"
  • documentation
  • ideally just replace 'OpenSSL::' by 'Crypto::'
  • security by default
  • K I S S - simple default, but fully configurable
  • forbid dangerous configuration (well, not really)

Other useful additions (if possible)

  • integration of “secure storage”
  • engine integration (PKCS#11, ...)

Strategy

  • Take existing implementation
    • Iterate API (API for user) design through 2 implementations
      • An implementation based on ossl+OpenSSL
      • An implementation based on jruby-ossl+JCE (for JRuby)
    • Design SPI (API for engine; NSS, PKCS#11) later
      • Make it work and release as soon as possible
  • Replace it step by step
    • Graceful migration from ossl
      • Existing scripts that use basic ossl features should work by just replacing OpenSSL -> Crypto
      • [1] is the hierarchy that gotoyuzo and I talked about in August.
  • Using DER as universal serialization format
  • release as a gem first
    • gem name? (crypt and crypto are not available on rubygems.org)

Implementation

  • Asn1::Template
    • > 50% of current ext/openssl is about ASN.1
      • use Asn1::Template by emboss
      • more code in Ruby
  • crypto primitives
    • flesh out minimal API to support crypto primitives: Cipher / Digest / ASN1 / RSA / DSA / ECC
      class ASN1
        # Parse DER-encoded bytes into an ASN.1 object.
        def self.decode(der)
        end

        # Serialize to DER.
        def self.to_der
        end

        # ...
      end
    • multiple implementations of this minimal API possible
      • OpenSSL
      • jruby-ossl/JCE
      • Mozilla NSS ?
      • GNU gcrypt ?
      • CAPI (Windows) ?
      • CommonCrypto (OS X) ?
  • use Asn1::Template and the minimal API to implement the rest
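
An illustration of the layering described in this list, added here and not krypt's own code: a one-method digest primitive with two interchangeable backends, and a PKCS#1 DigestInfo built on top of it by a DER encoder written in Ruby. The names Crypto.provider, PROVIDERS, tlv and digest_info are assumptions made for the example, and Ruby's bundled Digest library stands in for a second backend.

```ruby
require 'openssl'
require 'digest/sha2'

# Added illustration; module layout and method names are hypothetical.
module Crypto
  # Minimal primitive every backend must supply: digest(name, data) -> bytes.
  PROVIDERS = {
    openssl: ->(name, data) { OpenSSL::Digest.new(name).digest(data) },
    # Ruby's bundled Digest library stands in for a second backend.
    stdlib:  ->(name, data) { ::Digest.const_get(name).digest(data) }
  }.freeze

  class << self
    attr_accessor :provider
  end
  self.provider = :openssl

  module Digest
    def self.digest(name, data)
      Crypto::PROVIDERS.fetch(Crypto.provider).call(name, data)
    end
  end

  # Backend-independent ASN.1 layer in Ruby: DER tag-length-value encoding.
  module ASN1
    def self.tlv(tag, body)
      len = body.bytesize
      head = if len < 0x80
               [len].pack('C')                      # short form
             else
               bytes = [len].pack('N').bytes.drop_while(&:zero?)
               ([0x80 | bytes.size] + bytes).pack('C*') # long form
             end
      [tag].pack('C') + head + body.b
    end
  end

  # DER content bytes of the SHA-256 OID 2.16.840.1.101.3.4.2.1
  SHA256_OID = ['608648016503040201'].pack('H*')

  # DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING } (PKCS#1)
  def self.digest_info(data)
    alg = ASN1.tlv(0x30, ASN1.tlv(0x06, SHA256_OID) + ASN1.tlv(0x05, ''))
    ASN1.tlv(0x30, alg + ASN1.tlv(0x04, Digest.digest('SHA256', data)))
  end
end
```

Switching `Crypto.provider` changes only where the hash is computed; the DER produced by the Ruby layer is byte-identical, and any DER parser (OpenSSL's included) can read it back.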

Class hierarchy

  • Crypto
    • ASN1
    • Cipher
    • CMS
      • EncryptedData
      • SignedData
    • Digest
    • HMAC
    • OCSP
    • PKey
      • RSA
      • DSA
      • DH
    • PKCS7 (-> CMS::SignedData)
    • PKCS12
    • Random
    • SSL
      • SSLSocket
      • SSLServer
    • Timestamp
    • X509
      • Certificate
      • CRL
      • Name
      • Request

Who?

Those who are interested in participating, please contact us.