chef-encrypted-attributes 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 17b97315e38f6e17547fb5686b485d628c84b40e
-  data.tar.gz: c475bd6e9f5631ffa0727cc2685938fa3263c611
+  metadata.gz: e1bb2baddf0f4e35d5b5fb127fd7ce2df1c28612
+  data.tar.gz: 92504e332a6b3ae5a15746f727149fa7e6c9fcc2
 SHA512:
-  metadata.gz: a24fde54be4cd23dd3215095a7d72f54c25589b3282dbf364569f11cb8e4f98dd92a41219d3962968456f0d5213984bbde841fca33025f404e426f7f9a8a1d42
-  data.tar.gz: ddd03f1b5e9b6a61b6c6d4dbde9239410094130d146b72a19a6024f7d7639159303b7337733bb2999e4d27211c5e8696f14862bfd67eb83253fe650682046f5d
+  metadata.gz: 919dff2768d33583bdedcf661865091c494b0e6a9a5823fe0aebed15bfa2db812c9c82c5647084f811f93c6b688cb37d314b2686c949f7a6a38fe9685934dfef
+  data.tar.gz: f802b87b39e85e74b402acb3ffbae41f5d3c3e51e0eb862b3b09c4692dbc1551b0a37f57a9fced0f03f6b8007c0a56f028ccd17d3a043cb7e3fac34ee7953c82

checksums.yaml.gz.sig

@@ -0,0 +1,2 @@
+�πw������Q11
 3I/�s�<<�1e�3e�����B���H���r}̏��ࣖxcrqB}E
��(�ɵ�-+F�6b����M©zҼߖ)g8�x�TeX̨1�Z�+�TM�^�{G_�!�5��x�Gl������&4n�sZⰭ�� ����7d�o��b����^]�jJ�9�mrm���S���X�)
+N�[ِ�ƥOd�P]!P.�

data/API.md

@@ -41,7 +41,7 @@ Returns `true` if the encrypted attribute has been updated, `false` if not.
 
 An exception is thrown if there is any error in the updating process.
 
-### Chef::EncryptedAttribute.exists?(hs)
+### Chef::EncryptedAttribute.exist?(hs)
 
 Checks whether an encrypted attribute exists.
 
@@ -86,7 +86,7 @@ An exception is thrown if there is any error in the updating process.
 
 This method **requires admin privileges**. So in most cases, cannot be used from cookbooks.
 
-### Chef::EncryptedAttribute.exists_on_node?(name, attr_ary [, config])
+### Chef::EncryptedAttribute.exist_on_node?(name, attr_ary [, config])
 
 Checks whether an encrypted attribute exists in a remote node.
 
@@ -102,9 +102,11 @@ All the methods read the default configuration from the `Chef::Config[:encrypted
 
 If the configuration value to be merged is an array or a hash (for example `keys`), the method argument configuration value has preference over the global configuration. Arrays and hashes are not merged.
 
-Both `Chef::Config[:encrypted_attributes]` and methods `config` parameter should be a hash which may have any of the following keys:
+Both `Chef::Config[:encrypted_attributes]` and method's `config` parameter should be a hash which may have any of the following keys:
 
-* `:version` - `EncryptedMash` format version to use, by default `1` is used which is considered best.
+* `:version` - `EncryptedMash` format version to use, by default `1` is used which is recommended. The version `2` uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) and probably should be considered the most secure, but it is disabled by default because it has some more requirements:
+ * Ruby `>= 2`.
+ * OpenSSL `>= 1.0.1`.
 * `:partial_search` - Whether to use Chef Server partial search, enabled by default. It may not work in some old versions of Chef Server.
 * `:client_search` - Search query for clients allowed to read the encrypted attribute. Can be a simple string or an array of queries to be *OR*-ed.
 * `:users` - Array of user names to be allowed to read the encrypted attribute(s). `"*"` to allow access to all users. Keep in mind that only admin clients or admin users are allowed to read user public keys. It is **not recommended** to use this from cookbooks unless you know what you are doing.
@@ -125,6 +127,13 @@ To disable Partial Search locally:
 ftp_pass = Chef::EncryptedAttribute.load(node["myapp"]["ftp_password"], { :partial_search => false })
 ```
 
+To use protocol version 2 globally, which uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode):
+
+```ruby
+Chef::Config[:encrypted_attributes][:version] = 2
+# ...
+```
+
 If you want to use knife to work with encrypted attributes, surely you will need to save your Chef User public keys in a Data Bag (there is no need to encrypt them because they are public) and add them to the `:keys` configuration option. See the [Example Using User Keys Data Bag](README.md#example-using-user-keys-data-bag) in the README for more information on this.
 
 ## Caches

data/CHANGELOG.md

@@ -2,6 +2,18 @@
 
 This file is used to list changes made in each version of `chef-encrypted-attributes`.
 
+## 0.2.0:
+
+* Deprecate `#exists?` methods in favor of `#exist?` methods
+* Fixed all RSpec deprecation warnings
+* Added Protocol Version 2 (*disabled by default*): uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) as in [Chef 12 Encrypted Data Bags Version 3](https://github.com/opscode/chef/pull/1591).
+ * Added `RequirementsFailure` exception
+* README, CONTRIBUTING, TODO: multiple documentation improvements
+ * Added some security related sections to the README
+* Added email GPG key
+* Added gem signing certificate
+* gemspec: added dev dependency versions with pessimistic operator
+
 ## 0.1.1:
 
 * gemspec: replaced open-ended chef dependency by `~> 11.4`

data/INTERNAL.md

@@ -110,3 +110,57 @@ Data to calculate the HMAC from
 * The data used to calculate the HMAC is the encrypted data, not the clear text data (**Encrypt-then-MAC**).
 * The secret used to calculate the HMAC is not the same as the secret used to encrypt the data.
 * The secret used to calculate the HMAC is shared inside `encrypted_secret` field with the data secret.
+
+### EncryptedMash::Version2
+
+Uses public key cryptography (PKI) to encrypt a shared secret. Then this shared secret is used to encrypt the data using [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode).
+
+* This protocol version is based on the [Chef 12 Encrypted Data Bags Version 3 implementation](https://github.com/opscode/chef/pull/1591).
+* To use it, the following **special requirements** must be met:
+ * Ruby `>= 2`.
+ * OpenSSL `>= 1.0.1`.
+* This implementation can be improved, is not optimized either for performance or for space.
+* Every time the `EncryptedAttribute` is updated, all the shared secrets are regenerated.
+
+#### EncryptedMash::Version2 Structure
+
+If you try to read this encrypted attribute structure, you can see a *Mash* attribute with the following content:
+
+```
+EncryptedMash
+├── chef_type: "encrypted_attribute" (string).
+├── x_json_class: The used `EncryptedMash` version class name (string).
+├── encrypted_data
+│   ├── cipher: The used PKI algorithm, "aes-256-gcm" (string).
+│   ├── data: PKI encrypted data (base64).
+│   ├── auth_tag: GCM authentication tag (base64).
+│   └── iv: Initialization vector (in base64).
+└── encrypted_secret
+    ├── pub_key_hash1: The shared secret encrypted for the public key 1 (base64).
+    ├── pub_key_hash2: The shared secret encrypted for the public key 2 (base64).
+    └── ...
+```
+
+* `x_json_class` field is used, with the `x_` prefix, to be easily integrated with Chef in the future.
+
+##### EncryptedMash[encrypted_data][data]
+
+The data inside `encrypted_data` is symmetrically encrypted using the secret shared key. The data is converted to *JSON* before the encryption, then encrypted and finally encoded in *base64*. By default, the `"aes-256-gcm"` algorithm is used for encryption.
+
+After decryption, the *JSON* has the following structure:
+
+```
+└── encrypted_data
+    └── data (symmetrically encrypted JSON in base64)
+        └── content: attribute content as a Mash.
+```
+
+* In the future, this structure may contain some metadata like default configuration values.
+
+##### EncryptedMash[encrypted_secret][pub_key_hash1]
+
+The `public_key_hash1` key value is the *SHA1* of the public key used for encryption.
+
+Its content is the encrypted shared secret in *raw*. The encryption is done using the *RSA* algorithm (PKI).
+
+After decryption, you find the the shared secret in *raw* (in *Version1* this is a *JSON* in *base64*).

data/README.md

@@ -19,6 +19,9 @@ Node clients with read access can be specified using a `client_search` query. In
 * Ruby `>= 1.9`
 * Chef Client `~> 11.4`
 * yajl-ruby `~> 1.1` (included with Chef)
+* If you want to use protocol version 2 to use [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) (disabled by default):
+ * Ruby `>= 2`.
+ * OpenSSL `>= 1.0.1`.
 
 ## Usage in Recipes
 
@@ -41,7 +44,7 @@ require "chef-encrypted-attributes"
 
 Chef::Recipe.send(:include, Opscode::OpenSSL::Password) # include the #secure_password method
 
-if Chef::EncryptedAttribute.exists?(node["myapp"]["ftp_password"])
+if Chef::EncryptedAttribute.exist?(node["myapp"]["ftp_password"])
   # update with the new keys
   Chef::EncryptedAttribute.update(node.set["myapp"]["ftp_password"])
 
@@ -69,7 +72,7 @@ require "chef-encrypted-attributes"
 # Allow all webapp nodes to read the attributes encrypted by me
 Chef::Config[:encrypted_attributes][:client_search] = "role:webapp"
 
-if Chef::EncryptedAttribute.exists?(node["myapp"]["encrypted_data"])
+if Chef::EncryptedAttribute.exist?(node["myapp"]["encrypted_data"])
   # when can used #load here as above if we need the `encrypted_data` outside this `if`
 
   # update with the new keys
@@ -87,14 +90,14 @@ Then we can read this attribute from another allowed node (a `"role:webapp"` nod
 chef_gem "chef-encrypted-attributes"
 require "chef-encrypted-attributes"
 
-if Chef::EncryptedAttribute.exists_on_node?("random.example.com", ["myapp", "encrypted_data"])
+if Chef::EncryptedAttribute.exist_on_node?("random.example.com", ["myapp", "encrypted_data"])
   data = Chef::EncryptedAttribute.load_from_node("random.example.com", ["myapp", "encrypted_data"])
 
   # use `data` for something here ...
 end
 ```
 
-**Note:** Be careful when using `#exists_on_node?` and `#load_from_node` and remember passing the attribute path to read as **Array of Strings** ~~instead of using `node[...]` (which points to the local node)~~.
+**Note:** Be careful when using `#exist_on_node?` and `#load_from_node` and remember passing the attribute path to read as **Array of Strings** ~~instead of using `node[...]` (which points to the local node)~~.
 
 ### Example Using User Keys Data Bag
 
@@ -124,7 +127,7 @@ chef_users.delete("id") # remove the data bag "id" to avoid to confuse it with a
 Chef::Log.debug("Admin users able to read the Encrypted Attributes: #{chef_users.keys.inspect}")
 Chef::Config[:encrypted_attributes][:keys] = chef_users.values
 
-# if Chef::EncryptedAttribute.exists_on_node?(...)
+# if Chef::EncryptedAttribute.exist_on_node?(...)
 #   Chef::EncryptedAttribute.update(...)
 # else
 #   node.set[...][...] = Chef::EncryptedAttribute.create(...)
@@ -254,7 +257,7 @@ For example:
     <td>&nbsp;</td>
     <td>--encrypted-attribute-version</td>
     <td>Encrypted Attribute protocol version to use</td>
-    <td>"0", "1" <em>(default)</em></td>
+    <td>"0", "1" <em>(default)</em>, "2"</td>
     <td>create, edit, update</td>
   </tr>
   <tr>
@@ -298,18 +301,52 @@ For example:
 
 See the [INTERNAL.md](INTERNAL.md) file for a more low level documentation.
 
+## Using Signed Gems
+
+The `chef-encrypted-attributes` gem is cryptographically signed by Onddo Labs's certificate, which identifies as *team@onddo.com*. You can obtain the official signature here:
+
+    https://raw.github.com/onddo/chef-encrypted-attributes/master/certs/team_onddo.crt
+
+To be sure the gem you install has not been tampered with:
+
+    $ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/master/certs/team_onddo.crt)
+    $ gem install chef-encrypted-attributes -P MediumSecurity
+
+The *MediumSecurity* trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of `chef-encrypted-attributes`'s dependencies are signed, so we cannot use *HighSecurity*.
+
+We recommend to remove our certificate after the gem has been successfully verified and installed:
+
+    $ gem cert --remove '/cn=team/dc=onddo/dc=com'
+
+## Security Notes
+
+All the cryptographic systems and algorithms used by `chef-encrypted-attributes` are carefully described in the [internal documentation](INTERNAL.md) for public review. The code was originally based on *Encrypted Data Bags* and [chef-vault](https://github.com/Nordstrom/chef-vault) implementations, then improved.
+
+Still, this gem should be considered experimental until audited by professional cryptographers.
+
+## Reporting Security Problems
+
+If you have discovered a bug in `chef-encrypted-attributes` of a sensitive nature, i.e.  one which can compromise the security of `chef-encrypted-attributes` users, you can report it securely by sending a GPG encrypted message. Please use the following key:
+
+    https://raw.github.com/onddo/chef-encrypted-attributes/master/zuazo.gpg
+
+The key fingerprint is (or should be):
+
+    8EFA 5B17 7275 5F1F 42B2  26B4 8E18 8B67 9DE1 9468
+
+## Testing
+
+See [TESTING.md](TESTING.md).
+
 ## Contributing
 
-1. Fork the repository on Github.
-2. Create a named feature branch (like `add_component_x`).
-3. Write tests for your change.
-4. Write your change.
-5. Run the tests, ensuring they all pass (try as much as possible not to reduce coverage).
-6. Submit a Pull Request using Github.
+Please do not hesitate to [open an issue](https://github.com/onddo/chef-encrypted-attributes/issues/new) with any questions or problems.
+
+See [CONTRIBUTING.md](CONTRIBUTING.md).
 
-See the [TESTING.md](TESTING.md) file to know how to run the tests properly.
+## TODO
 
-You can also see the [TODO.md](TODO.md) file if you're looking for inspiration.
+See [TODO.md](TODO.md).
 
 ## License and Author
 

data/TESTING.md

@@ -17,28 +17,34 @@
 You can run some simple benchmarks, not at all realistic:
 
     $ rspec spec/benchmark/*
-                                                             user     system      total        real
-    Local EncryptedAttribute read (v=0)                  0.430000   0.000000   0.430000 (  0.428674)
-    Local EncryptedAttribute read (v=1)                  0.420000   0.010000   0.430000 (  0.433974)
-    Local EncryptedDataBag read                          0.010000   0.000000   0.010000 (  0.011308)
-    Remote EncryptedAttribute read (v=0)                 1.510000   0.050000   1.560000 (  1.567265)
-    Remote EncryptedAttribute read (v=1)                 1.500000   0.060000   1.560000 (  1.570522)
-    Remote EncryptedDataBag read                         0.930000   0.050000   0.980000 (  0.989036)
-    Local EncryptedAttribute write (v=0)                 0.060000   0.000000   0.060000 (  0.059326)
-    Local EncryptedAttribute write (v=1)                 0.090000   0.000000   0.090000 (  0.090731)
-    Local EncryptedDataBag write                         0.020000   0.000000   0.020000 (  0.016910)
-    Remote EncryptedAttribute write (v=0)                1.140000   0.080000   1.220000 (  1.218726)
-    Remote EncryptedAttribute write (v=1)                1.180000   0.070000   1.250000 (  1.259015)
-    Remote EncryptedDataBag write                        2.050000   0.150000   2.200000 (  2.208485)
-    Local EncryptedAttribute read/write (v=0)            0.560000   0.010000   0.570000 (  0.569158)
-    Local EncryptedAttribute read/write (v=1)            0.570000   0.010000   0.580000 (  0.589196)
-    Local EncryptedDataBag read/write                    0.980000   0.050000   1.030000 (  1.044585)
-    Remote EncryptedAttribute read/write (v=0)           2.720000   0.130000   2.850000 (  2.859289)
-    Remote EncryptedAttribute read/write (v=1)           2.660000   0.130000   2.790000 (  2.813521)
-    Remote EncryptedDataBag read/write                   3.110000   0.190000   3.300000 (  3.301053)
+                                                                 user     system      total        real
+    Local EncryptedAttribute read (v=0)                  0.410000   0.000000   0.410000 (  0.417956)
+    Local EncryptedAttribute read (v=1)                  0.390000   0.010000   0.400000 (  0.398934)
+    Local EncryptedAttribute read (v=2)                  0.420000   0.000000   0.420000 (  0.420211)
+    Local EncryptedDataBag read                          0.010000   0.000000   0.010000 (  0.011614)
+    Remote EncryptedAttribute read (v=0)                 1.480000   0.070000   1.550000 (  1.549856)
+    Remote EncryptedAttribute read (v=1)                 1.440000   0.060000   1.500000 (  1.486179)
+    Remote EncryptedAttribute read (v=2)                 1.510000   0.060000   1.570000 (  1.561124)
+    Remote EncryptedDataBag read                         0.970000   0.060000   1.030000 (  1.012260)
+    Local EncryptedAttribute write (v=0)                 0.090000   0.000000   0.090000 (  0.089210)
+    Local EncryptedAttribute write (v=1)                 0.090000   0.000000   0.090000 (  0.090442)
+    Local EncryptedAttribute write (v=2)                 0.060000   0.000000   0.060000 (  0.055671)
+    Local EncryptedDataBag write                         0.000000   0.000000   0.000000 (  0.012315)
+    Remote EncryptedAttribute write (v=0)                1.140000   0.050000   1.190000 (  1.179739)
+    Remote EncryptedAttribute write (v=1)                1.090000   0.090000   1.180000 (  1.161603)
+    Remote EncryptedAttribute write (v=2)                1.120000   0.060000   1.180000 (  1.159668)
+    Remote EncryptedDataBag write                        2.080000   0.090000   2.170000 (  2.146914)
+    Local EncryptedAttribute read/write (v=0)            0.550000   0.000000   0.550000 (  0.555362)
+    Local EncryptedAttribute read/write (v=1)            0.540000   0.010000   0.550000 (  0.550447)
+    Local EncryptedAttribute read/write (v=2)            0.570000   0.000000   0.570000 (  0.576107)
+    Local EncryptedDataBag read/write                    0.950000   0.050000   1.000000 (  0.979758)
+    Remote EncryptedAttribute read/write (v=0)           2.670000   0.100000   2.770000 (  2.746405)
+    Remote EncryptedAttribute read/write (v=1)           2.700000   0.090000   2.790000 (  2.758583)
+    Remote EncryptedAttribute read/write (v=2)           2.660000   0.110000   2.770000 (  2.752359)
+    Remote EncryptedDataBag read/write                   3.030000   0.140000   3.170000 (  3.125538)
     
-    Finished in 22 seconds
-    18 examples, 0 failures
+    Finished in 28.01 seconds
+    24 examples, 0 failures
 
 These benchmarks run 100 passes for each test.
 

data/TODO.md

@@ -9,9 +9,9 @@ TODO
 * Add Ruby `1.8` support?
 * Document the Ruby code.
 * Add more info/debug prints.
-* Space-optimized `EncryptedMash::Version2` class.
+* Space-optimized `EncryptedMash::Version3` class.
 * Tests: Add test helper functions (key generation, ApiClients including priv keys, Node creation...).
-* Tests: Add more tests for `EncryptedMash::Version1`.
+* Tests: Add more tests for `EncryptedMash::Version1` and `EncryptedMash::Version2`.
 * Tests: Add unit tests for `EncryptedAttribute`.
 * Tests: Add unit tests for all knife commands.
 * Tests: Tests `raise_error` always include regex.

data/lib/chef/encrypted_attribute.rb

@@ -28,6 +28,7 @@ require 'chef/encrypted_attribute/remote_clients'
 require 'chef/encrypted_attribute/remote_users'
 require 'chef/encrypted_attribute/encrypted_mash/version0'
 require 'chef/encrypted_attribute/encrypted_mash/version1'
+require 'chef/encrypted_attribute/encrypted_mash/version2'
 
 Chef::Config[:encrypted_attributes] = Mash.new unless Chef::Config[:encrypted_attributes].kind_of?(Hash)
 
@@ -196,9 +197,9 @@ class Chef
       result
     end
 
-    def self.exists?(hs)
+    def self.exist?(hs)
       Chef::Log.debug("#{self.class.name}: Checking if Encrypted Attribute exists here: #{hs.to_s}")
-      result = EncryptedMash.exists?(hs)
+      result = EncryptedMash.exist?(hs)
       if result
         Chef::Log.debug("#{self.class.name}: Encrypted Attribute found.")
       else
@@ -207,11 +208,21 @@ class Chef
       result
     end
 
-    def self.exists_on_node?(name, attr_ary, c={})
+    def self.exists?(*args)
+      Chef::Log.warn("#{self.name}.exists? is deprecated in favor of #{self.name}.exist?.")
+      exist?(*args)
+    end
+
+    def self.exist_on_node?(name, attr_ary, c={})
       Chef::Log.debug("#{self.class.name}: Checking if Remote Encrypted Attribute exists on #{name}")
       remote_node = RemoteNode.new(name)
       node_attr = remote_node.load_attribute(attr_ary, self.config(c).partial_search)
-      Chef::EncryptedAttribute.exists?(node_attr)
+      Chef::EncryptedAttribute.exist?(node_attr)
+    end
+
+    def self.exists_on_node?(*args)
+      Chef::Log.warn("#{self.name}.exists_on_node? is deprecated in favor of #{self.name}.exist_on_node?.")
+      exist_on_node?(*args)
     end
 
   end

data/lib/chef/encrypted_attribute/assertions.rb

@@ -0,0 +1,36 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/exceptions'
+
+class Chef
+  class EncryptedAttribute
+    module Assertions
+
+      def assert_aead_requirements_met!(algorithm)
+        unless OpenSSL::Cipher.method_defined?(:auth_data=)
+          raise RequirementsFailure, 'The used Encrypted Attributes protocol version requires Ruby >= 1.9'
+        end
+        unless OpenSSL::Cipher.ciphers.include?(algorithm)
+          raise RequirementsFailure, "The used Encrypted Attributes protocol version requires an OpenSSL version with \"#{algorithm}\" algorithm support"
+        end
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/encrypted_mash.rb

@@ -45,13 +45,18 @@ class Chef
         end
       end
 
-      def self.exists?(enc_hs)
+      def self.exist?(enc_hs)
         enc_hs.kind_of?(Hash) and
         enc_hs.has_key?(JSON_CLASS) and
         enc_hs[JSON_CLASS] =~ /^#{Regexp.escape(Module.nesting[1].name)}/ and
         enc_hs.has_key?(CHEF_TYPE) and enc_hs[CHEF_TYPE] == CHEF_TYPE_VALUE
       end
 
+      def self.exists?(*args)
+        Chef::Log.warn("#{self.name}.exists? is deprecated in favor of #{self.name}.exist?.")
+        exist?(*args)
+      end
+
       def self.create(version)
         klass = version_klass(version)
         klass.send(:new)
@@ -69,7 +74,7 @@ class Chef
 
       # Update the EncryptedMash from Hash
       def update_from!(enc_hs)
-        unless self.class.exists?(enc_hs)
+        unless self.class.exist?(enc_hs)
           raise UnacceptableEncryptedAttributeFormat, 'Trying to construct invalid encrypted attribute. Maybe it is not encrypted?'
         end
         enc_hs = enc_hs.dup

data/lib/chef/encrypted_attribute/encrypted_mash/version1.rb

@@ -92,8 +92,8 @@ class Chef
           begin
             cipher = OpenSSL::Cipher.new(algo)
             cipher.encrypt
-            enc_value['iv'] = Base64.encode64(cipher.iv = cipher.random_iv)
             enc_value['secret'] = Base64.encode64(cipher.key = cipher.random_key)
+            enc_value['iv'] = Base64.encode64(cipher.iv = cipher.random_iv)
             enc_data = cipher.update(value) + cipher.final
           rescue OpenSSL::Cipher::CipherError => e
             raise EncryptionFailure, "#{e.class.name}: #{e.to_s}"
@@ -105,8 +105,9 @@ class Chef
         def symmetric_decrypt_value(enc_value, algo=SYMM_ALGORITHM)
           cipher = OpenSSL::Cipher.new(enc_value['cipher'] || algo) # TODO maybe it's better to ignore [cipher] ?
           cipher.decrypt
-          cipher.iv = Base64.decode64(enc_value['iv'])
+          # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
           cipher.key = Base64.decode64(enc_value['secret'])
+          cipher.iv = Base64.decode64(enc_value['iv'])
           cipher.update(Base64.decode64(enc_value['data'])) + cipher.final
         rescue OpenSSL::Cipher::CipherError => e
           raise DecryptionFailure, "#{e.class.name}: #{e.to_s}"

data/lib/chef/encrypted_attribute/encrypted_mash/version2.rb

@@ -0,0 +1,104 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/encrypted_mash/version0'
+require 'chef/encrypted_attribute/encrypted_mash/version1'
+require 'chef/encrypted_attribute/assertions'
+require 'chef/encrypted_attribute/exceptions'
+
+# Version2 format: using RSA with a shared secret and GCM
+class Chef
+  class EncryptedAttribute
+    class EncryptedMash
+      class Version2 < Chef::EncryptedAttribute::EncryptedMash::Version1
+        include Chef::EncryptedAttribute::Assertions
+
+        ALGORITHM = 'aes-256-gcm'
+
+        def initialize(enc_hs=nil)
+          assert_aead_requirements_met!(ALGORITHM)
+          super
+        end
+
+        def encrypt(value, public_keys)
+          value_json = json_encode(value)
+          public_keys = parse_public_keys(public_keys)
+          # encrypt the data
+          encrypted_data = symmetric_encrypt_value(value_json)
+          secret = encrypted_data.delete('secret') # should no include the secret in clear
+          self['encrypted_data'] = encrypted_data
+          # encrypt the shared secret
+          self['encrypted_secret'] = rsa_encrypt_multi_key(secret, public_keys)
+          self
+        end
+
+        def decrypt(key)
+          key = parse_decryption_key(key)
+          enc_value = self['encrypted_data'].dup
+          # decrypt the shared secret
+          enc_value['secret'] = rsa_decrypt_multi_key(self['encrypted_secret'], key)
+          # decrypt the data
+          value_json = symmetric_decrypt_value(enc_value)
+          json_decode(value_json)
+        end
+
+        protected
+
+        def encrypted?
+          Version0.instance_method(:encrypted?).bind(self).call and
+          self['encrypted_data'].has_key?('iv') and
+          self['encrypted_data']['iv'].kind_of?(String) and
+          self['encrypted_data'].has_key?('auth_tag') and
+          self['encrypted_data']['auth_tag'].kind_of?(String) and
+          self['encrypted_data'].has_key?('data') and
+          self['encrypted_data']['data'].kind_of?(String) and
+          self['encrypted_secret'].kind_of?(Hash)
+        end
+
+        def symmetric_encrypt_value(value, algo=ALGORITHM)
+          enc_value = Mash.new({ 'cipher' => algo })
+          begin
+            cipher = OpenSSL::Cipher.new(algo)
+            cipher.encrypt
+            enc_value['secret'] = cipher.key = cipher.random_key
+            enc_value['iv'] = Base64.encode64(cipher.iv = cipher.random_iv)
+            enc_data = cipher.update(value) + cipher.final
+            enc_value['auth_tag'] = Base64.encode64(cipher.auth_tag)
+          rescue OpenSSL::Cipher::CipherError => e
+            raise EncryptionFailure, "#{e.class.name}: #{e.to_s}"
+          end
+          enc_value['data'] = Base64.encode64(enc_data)
+          enc_value
+        end
+
+        def symmetric_decrypt_value(enc_value, algo=ALGORITHM)
+          cipher = OpenSSL::Cipher.new(enc_value['cipher'] || algo) # TODO maybe it's better to ignore [cipher] ?
+          cipher.decrypt
+          # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
+          cipher.key = enc_value['secret']
+          cipher.iv = Base64.decode64(enc_value['iv'])
+          cipher.auth_tag = Base64.decode64(enc_value['auth_tag'])
+          cipher.update(Base64.decode64(enc_value['data'])) + cipher.final
+        rescue OpenSSL::Cipher::CipherError => e
+          raise DecryptionFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+      end
+    end
+  end
+end

data/lib/chef/encrypted_attribute/exceptions.rb

@@ -19,6 +19,7 @@
 class Chef
   class EncryptedAttribute
 
+    class RequirementsFailure < StandardError; end
     class UnsupportedEncryptedAttributeFormat < StandardError; end
     class UnacceptableEncryptedAttributeFormat < StandardError; end
     class DecryptionFailure < StandardError; end

data/lib/chef/encrypted_attribute/version.rb

@@ -18,6 +18,6 @@
 
 class Chef
   class EncryptedAttribute
-    VERSION = '0.1.1'
+    VERSION = '0.2.0'
   end
 end

data/lib/chef/knife/encrypted_attribute_create.rb

@@ -51,7 +51,7 @@ class Chef
         attr_ary = attribute_path_to_ary(attr_path)
 
         # check if the encrypted attribute already exists
-        if Chef::EncryptedAttribute.exists_on_node?(node_name, attr_ary)
+        if Chef::EncryptedAttribute.exist_on_node?(node_name, attr_ary)
           ui.fatal('Encrypted attribute already exists')
           exit 1
         end

data/lib/chef/knife/encrypted_attribute_delete.rb

@@ -54,7 +54,7 @@ class Chef
         end
 
         attr_ary = attribute_path_to_ary(attr_path)
-        if Chef::EncryptedAttribute.exists_on_node?(node_name, attr_ary)
+        if Chef::EncryptedAttribute.exist_on_node?(node_name, attr_ary)
           # TODO move this to lib/EncryptedAttribute
           unless config[:force] # try to read the attribute
             Chef::EncryptedAttribute.load_from_node(node_name, attr_ary)

data/lib/chef/knife/encrypted_attribute_edit.rb

@@ -51,7 +51,7 @@ class Chef
         attr_ary = attribute_path_to_ary(attr_path)
 
         # check if the encrypted attribute already exists
-        unless Chef::EncryptedAttribute.exists_on_node?(node_name, attr_ary)
+        unless Chef::EncryptedAttribute.exist_on_node?(node_name, attr_ary)
           ui.fatal('Encrypted attribute not found')
           exit 1
         end

data/lib/chef/knife/encrypted_attribute_show.rb

@@ -47,7 +47,7 @@ class Chef
 
         attr_ary = attribute_path_to_ary(attr_path)
 
-        unless Chef::EncryptedAttribute.exists_on_node?(node_name, attr_ary)
+        unless Chef::EncryptedAttribute.exist_on_node?(node_name, attr_ary)
           ui.fatal('Encrypted attribute not found')
           exit 1
         end

data/lib/chef/knife/encrypted_attribute_update.rb

@@ -46,7 +46,7 @@ class Chef
         attr_ary = attribute_path_to_ary(attr_path)
 
         # check if the encrypted attribute already exists
-        unless Chef::EncryptedAttribute.exists_on_node?(node_name, attr_ary)
+        unless Chef::EncryptedAttribute.exist_on_node?(node_name, attr_ary)
           ui.fatal('Encrypted attribute not found')
           exit 1
         end

data/spec/benchmark_helper.rb

@@ -18,7 +18,7 @@
 
 require 'rspec/autorun'
 require 'chef_zero/rspec'
-require 'chef_encrypted_attributes'
+require 'chef-encrypted-attributes'
 
 require 'support/silent_formatter'
 RSpec.configure do |config|

data/spec/spec_helper.rb

@@ -17,7 +17,7 @@
 #
 
 require 'simplecov'
-if ENV['TRAVIS'] and RUBY_VERSION >= '1.9.3'
+if ENV['TRAVIS'] and RUBY_VERSION >= '2.0'
   require 'coveralls'
   SimpleCov.formatter = Coveralls::SimpleCov::Formatter
 end
@@ -30,9 +30,17 @@ require 'chef/exceptions'
 
 require 'rspec/autorun'
 
+require 'support/platform_helpers'
+
 RSpec.configure do |config|
   config.order = 'random'
 
-  config.color_enabled = true
+  config.color = true
   config.tty = true
+
+  config.filter_run_excluding :ruby_gte_19 => true unless ruby_gte_19?
+  config.filter_run_excluding :ruby_gte_20 => true unless ruby_gte_20?
+  config.filter_run_excluding :ruby_gte_20_and_openssl_gte_101 => true unless (ruby_gte_20? && openssl_gte_101?)
+  config.filter_run_excluding :openssl_lt_101 => true unless openssl_lt_101?
+  config.filter_run_excluding :ruby_lt_20 => true unless ruby_lt_20?
 end

metadata

@@ -1,14 +1,36 @@
 --- !ruby/object:Gem::Specification
 name: chef-encrypted-attributes
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Onddo Labs, SL.
 autorequire: 
 bindir: bin
-cert_chain: []
-date: 2014-05-23 00:00:00.000000000 Z
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ0wCwYDVQQDDAR0ZWFt
+  MRUwEwYKCZImiZPyLGQBGRYFb25kZG8xEzARBgoJkiaJk/IsZAEZFgNjb20wHhcN
+  MTQwODExMDkxNDAzWhcNMTUwODExMDkxNDAzWjA7MQ0wCwYDVQQDDAR0ZWFtMRUw
+  EwYKCZImiZPyLGQBGRYFb25kZG8xEzARBgoJkiaJk/IsZAEZFgNjb20wggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrbcM9ZsRca5gEkpftR/J/Rem9JTAK
+  0cKHuEAKgp0QvHAceDRJNJ6LoXfeXP86fPL3kpHNQdbHFW/MGsynjeWg/c/8VbAR
+  W0L6MBUoBuSBN91GBoqHpka1qhMHA6QnUpUHFCOUhoA5oweZ8kDsHh/W2n//vZwr
+  DBcnf4wRzQeZl/I+Ral6gKZSImtMyo0W7TYQT2rMbvms0LoNMKZQ6Gpw9B2NoYtH
+  FYBt78LB771jRc/j5Sk9O2rm/Tnvl6HW2Pb6arwk9pd0A7KVYjJzmaBF5aqOMTml
+  ZDgelv7lLJyIQSASKnusmTlFehppplTHWQKfev6jfKXCepS/cD5EH1wfAgMBAAGj
+  bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQzPM4ZVw+kEtQm
+  4eA7AyE6s0gIUDAZBgNVHREEEjAQgQ50ZWFtQG9uZGRvLmNvbTAZBgNVHRIEEjAQ
+  gQ50ZWFtQG9uZGRvLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAZNdmm2OCr8wVxtj8
+  z9gnGVBWpHqE0+mPBsgsueOAhNzoqphOUGMn9JWvOQU3TwiUPHJN9QiOT92OpD0Z
+  UKN6ixyaqPhegRqGQQGTOC7d+l+E+mab3m6f96MyCxNuts8vEFqubs5rd+1E/NDb
+  ZpX7/1KENUo06s8Rpro8pPXh+CL8+177gcfkXzXBElXR6r5Tf8VSxrFPeLIRrdzs
+  AkPvQPEiZbg78ZKmVjcuokhXi1bzvjGVI0lMzW/JBO8GvjUyh4hl6HAfOgXMXpaz
+  cYe8PqNEkky7ugvF4zU3sB6TW+96XasuwDv1uJmyr35LF15U6Cs83+osMbAKJTmG
+  /vqKzw==
+  -----END CERTIFICATE-----
+date: 2014-08-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: yajl-ruby
@@ -42,30 +64,30 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.0'
 - !ruby/object:Gem::Dependency
   name: chef-zero
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-core
   requirement: !ruby/object:Gem::Requirement
@@ -112,67 +134,69 @@ dependencies:
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.7'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.9'
 description: Chef plugin to add Node encrypted attributes support using client keys
 email: team@onddo.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- Rakefile
-- LICENSE
-- README.md
 - API.md
+- CHANGELOG.md
 - INTERNAL.md
+- LICENSE
+- README.md
+- Rakefile
 - TESTING.md
 - TODO.md
-- CHANGELOG.md
 - lib/chef-encrypted-attributes.rb
-- lib/chef/knife/core/encrypted_attribute_editor_options.rb
-- lib/chef/knife/core/config.rb
-- lib/chef/knife/encrypted_attribute_create.rb
-- lib/chef/knife/encrypted_attribute_show.rb
-- lib/chef/knife/encrypted_attribute_update.rb
-- lib/chef/knife/encrypted_attribute_delete.rb
-- lib/chef/knife/encrypted_attribute_edit.rb
-- lib/chef/encrypted_attribute/remote_users.rb
+- lib/chef/encrypted_attribute.rb
+- lib/chef/encrypted_attribute/assertions.rb
 - lib/chef/encrypted_attribute/cache_lru.rb
-- lib/chef/encrypted_attribute/search_helper.rb
 - lib/chef/encrypted_attribute/config.rb
-- lib/chef/encrypted_attribute/exceptions.rb
+- lib/chef/encrypted_attribute/encrypted_mash.rb
 - lib/chef/encrypted_attribute/encrypted_mash/version0.rb
 - lib/chef/encrypted_attribute/encrypted_mash/version1.rb
+- lib/chef/encrypted_attribute/encrypted_mash/version2.rb
+- lib/chef/encrypted_attribute/exceptions.rb
 - lib/chef/encrypted_attribute/local_node.rb
-- lib/chef/encrypted_attribute/encrypted_mash.rb
-- lib/chef/encrypted_attribute/version.rb
 - lib/chef/encrypted_attribute/remote_clients.rb
 - lib/chef/encrypted_attribute/remote_node.rb
-- lib/chef/encrypted_attribute.rb
-- spec/integration_helper.rb
+- lib/chef/encrypted_attribute/remote_users.rb
+- lib/chef/encrypted_attribute/search_helper.rb
+- lib/chef/encrypted_attribute/version.rb
+- lib/chef/knife/core/config.rb
+- lib/chef/knife/core/encrypted_attribute_editor_options.rb
+- lib/chef/knife/encrypted_attribute_create.rb
+- lib/chef/knife/encrypted_attribute_delete.rb
+- lib/chef/knife/encrypted_attribute_edit.rb
+- lib/chef/knife/encrypted_attribute_show.rb
+- lib/chef/knife/encrypted_attribute_update.rb
 - spec/benchmark_helper.rb
+- spec/integration_helper.rb
 - spec/spec_helper.rb
 homepage: http://onddo.github.io/chef-encrypted-attributes
 licenses:
@@ -194,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.6
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Chef Encrypted Attributes