DssSecretLib

The “Do Shell Script Secret Library” implements 5 user-friendly handlers for working with the command line tool “openssl”. They provide basic encryption for AppleScript users:
EncryptText( plain text, password )
DecryptText( coded text, password )
EncryptFile( file to encrypt, save to file, password )
DecryptFile( file to decrypt, save to file, password )
FingerPrintText( text ) → “message digest” value

OS version: OS X

--	Project : Do Shell Script Secret Library (DssSecretLib)
--	Version : 1.0
--	  Files : DssSecretLib 100.applescript
--	          DssSecretLib.scpt
--
--	Author : Arthur Knapp
--	 Email : a d m i r a l n o v i a {at} y a h o o . c o m
--	         a d m i r a l n o v i a {at}     m a c . c o m
--
--	API :
--		EncryptText(     plain text, password ) --> encrypted text,   in Base64 encoding
--		DecryptText( encrypted text, password ) -->     plain text, from Base64 encoding
--
--		EncryptFile( inFile, outFile, password )
--		DecryptFile( inFile, outFile, password )
--		--
--		--	 inFile == existing alias, pathstring, Unix-path, or Finder object
--		--	outFile == existing OR pathstring or Unix-path for new file
--
--		FingerPrintText( text ) --> "message digest" string
--
--		Helpers:
--			DssFile( file specifier ) --> quoted form of Unix path
--
--	Details :
--		echo 'plain text' | openssl enc -bf -e -pass pass:'my password' -salt -a
--		echo 'coded text' | openssl enc -bf -d -pass pass:'my password' -salt -a
--		                    openssl enc -bf -e -pass pass:'my password' -salt -a -in 'file' -out 'file'
--		                    openssl enc -bf -d -pass pass:'my password' -salt -a -in 'file' -out 'file'
--		echo 'plain text' | openssl dgst -sha1 -hex
--
--		The "echo" command places its argument into standard output.
--
--		The pipe "|" operator passes the standard output of one process
--		to the standard input of another process.
--
--		The openssl command implements a large number of security operations,
--		with a bewildering number of options. Don't bother with the
--		incomprehensible "man" page: look up a good tutorial on the Internet.
--
--		"enc" sets openssl into encryption mode, while "dgst" places it into
--		"message digest" mode.
--
--		The man page says "A beginner is advised to just use a strong block
--		cipher in CBC mode such as bf or des3." The "-bf" indicates the
--		Blowfish algorithm in CBC mode.
--
--		The man page says, "The digest of choice for all new applications is SHA1."
--		The "-sha1" indicates the Secure Hash Algorithm - Version 1.0.
--
--		"-e" is encryption, "-d" is decryption.
--
--		"-pass" is only one of several ways to indicate the password. The man
--		page also indicates that this isn't the most secure way, since there
--		are utilities that can "read" everything that happens on the command
--		line (such as 'ps').
--
--		The man page says "ALWAYS use -salt", whatever the heck that is.
--
--		"-a" indicates the use of Base64 encoding. For encryption, the encrypted
--		result is Base64 encoded. For decryption, the data is first decoded from
--		Base64 before it is decrypted.
--
--		"-in" and "-out" indicate the file to be encrypted/decrypted and where
--		to save the results. They can both point to the same file, and -out
--		can be a path to a file not yet created.
--
--		The man page says that Blowfish uses a 128 bit key (16 bytes), while
--		other Internet resources state that it can use a key anywhere from
--		32 to 448 bits (4 to 56 bytes). This doesn't seem to affect the
--		password length that you can send to the openssl command, however.
--		As a matter of fact, the "openssl enc" command seems to work even
--		with an empty string:
--
--			echo 'plain text' | ¬
--			openssl enc -bf -e -pass pass:'' -salt -a | ¬
--			openssl enc -bf -d -pass pass:'' -salt -a
--
--		returns 'plain text'.

on EncryptText(str, passwd)
	return do shell script ("echo " & str's quoted form & ¬
		" | openssl enc -bf -e -pass pass:" & passwd's quoted form & " -salt -a")
end EncryptText

on DecryptText(str, passwd)
	return do shell script ("echo " & str's quoted form & ¬
		" | openssl enc -bf -d -pass pass:" & passwd's quoted form & " -salt -a")
end DecryptText

on EncryptFile(inFile, outFile, passwd)
	set inFile to DssFile(inFile)
	set outFile to DssFile(outFile)
	return do shell script ("openssl enc -bf -e -pass pass:" & passwd's quoted form & ¬
		" -salt -a -in " & inFile & " -out " & outFile)
end EncryptFile

on DecryptFile(inFile, outFile, passwd)
	set inFile to DssFile(inFile)
	set outFile to DssFile(outFile)
	return do shell script ("openssl enc -bf -d -pass pass:" & passwd's quoted form & ¬
		" -salt -a -in " & inFile & " -out " & outFile)
end DecryptFile

on FingerPrintText(str)
	return do shell script ("echo " & str's quoted form & " | openssl dgst -sha1 -hex")
end FingerPrintText

on DssFile(f)
	--
	--	f == Mac path, Unix path, alias, or Finder object
	--
	if (f's class = string) and (f contains "/") then
		return f's quoted form
	else
		return ((f as string)'s POSIX path)'s quoted form
	end if
end DssFile


--	Project : Do Shell Script Secret Library (DssSecretLib)
--	Version : 1.1
--	  Files : DssSecretLib 110.applescript
--	          DssSecretLib.scpt
--
--	Author : Arthur Knapp
--	 Email : a d m i r a l n o v i a {at} m a c . c o m
--
--	API :
--		EncryptText(     plain text, password ) --> encrypted text,   in Base64 encoding
--		DecryptText( encrypted text, password ) -->     plain text, from Base64 encoding
--
--		EncryptFile( inFile, outFile, password )
--		DecryptFile( inFile, outFile, password )
--		--
--		--	 inFile == existing alias, pathstring, Unix-path, or Finder object
--		--	outFile == existing OR pathstring or Unix-path for new file
--
--		FingerPrintText( text ) --> "message digest" string
--
--		Base64Encode( text )
--		Base64Decode( base64 text )
--
--		QuotedPrintableEncode( text )
--		QuotedPrintableDecode( mime text )
--
--		Helpers:
--			DssFile( file specifier ) --> quoted form of Unix path
--
--	Details :
--		echo 'plain text' | openssl enc -bf -e -pass pass:'my password' -salt -a
--		echo 'coded text' | openssl enc -bf -d -pass pass:'my password' -salt -a
--		                    openssl enc -bf -e -pass pass:'my password' -salt -a -in 'file' -out 'file'
--		                    openssl enc -bf -d -pass pass:'my password' -salt -a -in 'file' -out 'file'
--		echo 'plain text' | openssl dgst -sha1 -hex
--
--		The "echo" command places its argument into standard output.
--
--		The pipe "|" operator passes the standard output of one process
--		to the standard input of another process.
--
--		The openssl command implements a large number of security operations,
--		with a bewildering number of options. Don't bother with the
--		incomprehensible "man" page: look up a good tutorial on the Internet.
--
--		"enc" sets openssl into encryption mode, while "dgst" places it into
--		"message digest" mode.
--
--		The man page says "A beginner is advised to just use a strong block
--		cipher in CBC mode such as bf or des3." The "-bf" indicates the
--		Blowfish algorithm in CBC mode.
--
--		The man page says, "The digest of choice for all new applications is SHA1."
--		The "-sha1" indicates the Secure Hash Algorithm - Version 1.0.
--
--		"-e" is encryption, "-d" is decryption.
--
--		"-pass" is only one of several ways to indicate the password. The man
--		page also indicates that this isn't the most secure way, since there
--		are utilities that can "read" everything that happens on the command
--		line (such as 'ps').
--
--		The man page says "ALWAYS use -salt", whatever the heck that is.
--
--		"-a" indicates the use of Base64 encoding. For encryption, the encrypted
--		result is Base64 encoded. For decryption, the data is first decoded from
--		Base64 before it is decrypted.
--
--		"-in" and "-out" indicate the file to be encrypted/decrypted and where
--		to save the results. They can both point to the same file, and -out
--		can be a path to a file not yet created.
--
--		The man page says that Blowfish uses a 128 bit key (16 bytes), while
--		other Internet resources state that it can use a key anywhere from
--		32 to 448 bits (4 to 56 bytes). This doesn't seem to affect the
--		password length that you can send to the openssl command, however.
--		As a matter of fact, the "openssl enc" command seems to work even
--		with an empty string:
--
--			echo 'plain text' | ¬
--			openssl enc -bf -e -pass pass:'' -salt -a | ¬
--			openssl enc -bf -d -pass pass:'' -salt -a
--
--		returns 'plain text'.
--
--	History :
--
--		v1.0.0										2004.06.09
--			- Posted to the Code Exchange on MacScripter.net.
--
--
--		v1.1.0										2004.06.10
--			- Added the MIME encoding handlers for Base64 and Quoted-Printable.
--
--													2006.03.23
--			- Reposting to MacScripter, both to update with the MIME
--			  handlers and to reclaim my post from user "Trash Man".

on EncryptText(str, passwd)
	return do shell script ("echo " & str's quoted form & ¬
		" | openssl enc -bf -e -pass pass:" & passwd's quoted form & " -salt -a")
end EncryptText

on DecryptText(str, passwd)
	return do shell script ("echo " & str's quoted form & ¬
		" | openssl enc -bf -d -pass pass:" & passwd's quoted form & " -salt -a")
end DecryptText

on EncryptFile(inFile, outFile, passwd)
	set inFile to DssFile(inFile)
	set outFile to DssFile(outFile)
	return do shell script ("openssl enc -bf -e -pass pass:" & passwd's quoted form & ¬
		" -salt -a -in " & inFile & " -out " & outFile)
end EncryptFile

on DecryptFile(inFile, outFile, passwd)
	set inFile to DssFile(inFile)
	set outFile to DssFile(outFile)
	return do shell script ("openssl enc -bf -d -pass pass:" & passwd's quoted form & ¬
		" -salt -a -in " & inFile & " -out " & outFile)
end DecryptFile

on FingerPrintText(str)
	return do shell script ("echo " & str's quoted form & " | openssl dgst -sha1 -hex")
end FingerPrintText

on Base64Encode(str)
	return do shell script ("echo " & str's quoted form & " | openssl enc -base64 -e")
end Base64Encode

on Base64Decode(str)
	return do shell script ("echo " & str's quoted form & " | openssl enc -base64 -d")
end Base64Decode

on QuotedPrintableEncode(str)
	--
	--	I couldn't find an installed Darwin command line tool that implements
	--	quoted-printable MIME encoding. I suspect that it may be inefficient
	--	to call the perl interpreter for such a simple operation, but I'm not
	--	aware of any alternatives, (other than third-party command line tools).
	--
	return do shell script ("echo " & str's quoted form & ¬
		" | perl -e 'use MIME::QuotedPrint; print( encode_qp( <STDIN> ) )'")
end QuotedPrintableEncode

on QuotedPrintableDecode(str)
	return do shell script ("echo " & str's quoted form & ¬
		" | perl -e 'use MIME::QuotedPrint; print( decode_qp( <STDIN> ) )'")
end QuotedPrintableDecode

on DssFile(f)
	--
	--	f == Mac path, Unix path, alias, or Finder object
	--
	if (f's class = string) and (f contains "/") then
		return f's quoted form
	else
		return ((f as string)'s POSIX path)'s quoted form
	end if
end DssFile
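
The header comments note that `-pass pass:` places the password on a command line that tools such as `ps` can read, and that `openssl enc` accepts an empty password. The shell sketch below is an added example, not part of DssSecretLib: it hands the password to openssl on file descriptor 3 (`-pass fd:3`) and refuses empty or multi-line passwords. The function names and the `DSS_CIPHER` variable are hypothetical, and the default cipher is AES-256-CBC because OpenSSL 3.x keeps Blowfish in its legacy provider; set `DSS_CIPHER=-bf` to match the page's commands.

```shell
#!/bin/sh
# Added example (not DssSecretLib code); all names below are hypothetical.
# Assumption: AES-256-CBC by default; the page's own commands use -bf.
DSS_CIPHER=${DSS_CIPHER:--aes-256-cbc}

# Reject passwords that openssl would accept but that weaken or break the scheme.
check_password() {
    case $1 in
        '') echo 'refusing empty password' >&2; return 1 ;;
        *'
'*) echo 'password must be a single line (fd: reads one line)' >&2; return 1 ;;
    esac
}

# encrypt_text PLAINTEXT PASSWORD -> Base64 ciphertext on stdout
encrypt_text() {
    check_password "$2" || return 2
    # printf is a shell builtin, so the plaintext goes down the pipe; the
    # password arrives on descriptor 3 from a here-document, not in argv.
    printf '%s\n' "$1" |
        openssl enc "$DSS_CIPHER" -e -salt -a -pass fd:3 3<<EOF
$2
EOF
}

# decrypt_text BASE64_CIPHERTEXT PASSWORD -> plaintext on stdout
decrypt_text() {
    check_password "$2" || return 2
    printf '%s\n' "$1" |
        openssl enc "$DSS_CIPHER" -d -a -pass fd:3 3<<EOF
$2
EOF
}

# encrypt_file IN OUT PASSWORD (Base64 output file, same format as -pass pass:)
encrypt_file() {
    check_password "$3" || return 2
    openssl enc "$DSS_CIPHER" -e -salt -a -in "$1" -out "$2" -pass fd:3 3<<EOF
$3
EOF
}
```

Only the way the password reaches openssl changes, so ciphertext produced this way still decrypts with the `-pass pass:` form shown in the header comments.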