Merge pull request #4051 from vpodzime/master-cf_keycrypt

cf keycrypt attempt #2+

Author: vpodzime

.gitignore

@@ -35,6 +35,7 @@ stamp-h1
 /cf-check/Makefile
 /cf-execd/Makefile
 /cf-key/Makefile
+/cf-keycrypt/Makefile
 /cf-monitord/Makefile
 /cf-net/Makefile
 /cf-promises/Makefile
@@ -92,6 +93,8 @@ stamp-h1
 /cf-runagent/cf-runagent.exe
 /cf-net/cf-net
 /cf-net/cf-net.exe
+/cf-keycrypt/cf-keycrypt
+/cf-keycrypt/cf-keycrypt.exe
 /cf-serverd/cf-serverd
 /cf-serverd/cf-serverd.exe
 /cf-testd/cf-testd

Makefile.am

@@ -43,6 +43,7 @@ SUBDIRS = \
 	cf-testd \
 	cf-upgrade \
 	cf-net \
+	cf-keycrypt \
 	misc \
 	ext \
 	examples \

cf-keycrypt/Makefile.am

@@ -0,0 +1,51 @@
+#
+#  Copyright (C) CFEngine AS
+#
+#  This file is part of CFEngine 3 - written and maintained by CFEngine AS.
+#
+#  This program is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU General Public License as published by the
+#  Free Software Foundation; version 3.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
+#
+# To the extent this program is licensed as part of the Enterprise
+# versions of CFEngine, the applicable Commercial Open Source License
+# (COSL) may apply to this file if you as a licensee so wish it. See
+# included file COSL.txt.
+#
+noinst_LTLIBRARIES = libcf-keycrypt.la
+
+AM_CPPFLAGS = -I$(srcdir)/../libpromises -I$(srcdir)/../libntech/libutils \
+	-I$(srcdir)/../libcfnet \
+	$(OPENSSL_CPPFLAGS) \
+	$(PCRE_CPPFLAGS) \
+	$(ENTERPRISE_CPPFLAGS)
+
+AM_CFLAGS = @CFLAGS@ \
+	$(OPENSSL_CFLAGS) \
+	$(ENTERPRISE_CFLAGS)
+
+libcf_keycrypt_la_LIBADD = ../libpromises/libpromises.la
+
+libcf_keycrypt_la_SOURCES = cf-keycrypt.c
+
+if !BUILTIN_EXTENSIONS
+ bin_PROGRAMS = cf-keycrypt
+ cf_keycrypt_LDADD = libcf-keycrypt.la
+ cf_keycrypt_SOURCES =
+endif
+
+CLEANFILES = *.gcno *.gcda
+
+#
+# Some basic clean ups
+#
+MOSTLYCLEANFILES = *~ *.orig *.rej

cf-keycrypt/README.md

@@ -0,0 +1,44 @@
+# cf-keycrypt
+
+*cf-keycrypt* is a utility for encrypting sensitive data for use on
+CFEngine-managed hosts. It is using the existing CFEngine key pairs for strong
+cryptography based on the combination of RSA and AES ciphers.
+
+## File format
+
+The file format used by *cf-keycrypt* has the following schema:
+
+```
+  ------------
+  | Headers  |
+  ------------
+  | AES IV   |
+  ------------
+  | AES key  |
+  ------------
+  | data     |
+  ------------
+```
+
+The header format is similar to HTTP headers -- colon-separated key-value pairs
+each on one line:
+
+`Key: Value\n`
+
+The header section is terminated by a blank line.
+
+Supported headers are:
+
+  * `Version` (required) -- version of the file format to allow backwards
+                            compatibility
+
+The AES initialization vector is 16 bytes long (256 bits) and serves the purpose
+of the seed for the CBC (Cipher Block Chain) mode of operation of the AES
+cipher.
+
+The AES key is a randomly generated AES key encrypted by the specific RSA public
+key and is as long as the RSA public key, currently 256 bytes (2048 bits).
+
+The future versions of *cf-keycrypt* are expected to support more headers,
+multiple keys (encryption for multiple hosts in a single file) and varying key
+sizes.