crypton 0.1.0.pre1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7d7a624e5d492cfe0734cdef077413c3be95976f
+  data.tar.gz: f1c76cefb9da0012925257cc169f6fe2cd5ef592
+SHA512:
+  metadata.gz: 8f07fb5c09f7c61459e80e0c62ca8aaed6aa99767cbd286bb00dc7975dd3bb603a079549129f0c6bc26312bcdcee20e605c1879bdbd022991f7e13b1b81511a0
+  data.tar.gz: 11287884aa9e5b08310e9d1c53a9b2f241199841398d2aca16239287440f2aba9448f1942f40747db87d04c1b224bf6794f2ea990c1f6e4fcc55d7fae8dd4da8

data/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/README.md

@@ -0,0 +1,30 @@
+# Crypton
+
+Simple crypto.
+
+Very alpha. APIs will change.
+
+## Symmetric encryption
+
+Uses 256-bit AES in GCM mode. A key of suitable size is derived from the password provided.
+
+```ruby
+encrypted_message = Crypton::Symmetric.encrypt("some secret text", "p4ssw0rd")
+Crypton::Symmetric.decrypt(encrypted_message, "p4ssw0rd") == "some secret text"
+```
+
+## Encrypted Attributes
+
+A helper mixing for transparently encrypting attributes on models.
+
+```ruby
+class User
+  include Crypton::EncryptedAttributes
+  attr_accessor :encrypted_name
+  encrypted_attribute :name, password: ENV["NAME_ENCRYPTION_KEY"]
+end
+
+account = BankAccount.new
+account.name = "Ben Hur"          # encrypts "Ben Hur" and stores on encrypted_name
+assert account.name == "Ben Hur"  # decrypts encrypted_name to retrieve the value
+```

data/crypton.gemspec

@@ -0,0 +1,22 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'crypton/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "crypton"
+  spec.version       = Crypton::VERSION
+  spec.authors       = ["Harry Marr"]
+  spec.email         = ["engineering@gocardless.com"]
+  spec.description   = %q{Simple crypto}
+  spec.summary       = spec.description
+  spec.homepage      = "https://github.com/gocardless/crypton"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "rspec", "~> 3.1"
+end

data/lib/crypton.rb

@@ -0,0 +1 @@
+require 'crypton/symmetric'

data/lib/crypton/encrypted_attributes.rb

@@ -0,0 +1,26 @@
+require "crypton/symmetric"
+
+module Crypton
+  module EncryptedAttributes
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def encrypted_attribute(name, password: nil)
+        raise AttributeError, "password must be specified" unless password
+        to_field = "encrypted_#{name}"
+
+        define_method("#{name}=") do |value|
+          send("#{to_field}=", Crypton::Symmetric.encrypt(value, password))
+        end
+
+        define_method(name) do
+          encrypted_value = send(to_field)
+          Crypton::Symmetric.decrypt(encrypted_value, password)
+        end
+      end
+    end
+  end
+end
+

data/lib/crypton/errors.rb

@@ -0,0 +1,3 @@
+module Crypton
+  class DecryptionError < StandardError; end
+end

data/lib/crypton/symmetric.rb

@@ -0,0 +1,68 @@
+require "openssl"
+require "base64"
+require "json"
+require "crypton/errors"
+
+module Crypton
+  module Symmetric
+    KEY_SIZE = 256
+    ALGORITHM = "aes-#{KEY_SIZE}-gcm"
+    KEY_DERIVATION_ROUNDS = 10000
+    SCHEME_NAME = "crypton.symmetric"
+
+    def self.encrypt(data, password)
+      salt = OpenSSL::Random.random_bytes(16)
+
+      cipher = OpenSSL::Cipher.new(ALGORITHM)
+      cipher.encrypt
+      cipher.key = derive_key(password, salt, KEY_DERIVATION_ROUNDS, KEY_SIZE)
+      iv = Base64.strict_encode64(cipher.random_iv)
+      cipher.auth_data = "" if cipher.authenticated?
+
+      cipher_text = cipher.update(data) + cipher.final
+
+      message = {
+        scheme: SCHEME_NAME,
+        algo: ALGORITHM,
+        key_size: KEY_SIZE,
+        kd_rounds: KEY_DERIVATION_ROUNDS,
+        salt: Base64.strict_encode64(salt),
+        iv: iv,
+        cipher_text: Base64.strict_encode64(cipher_text),
+      }
+      if cipher.authenticated?
+        message[:auth_tag] = Base64.strict_encode64(cipher.auth_tag)
+      end
+
+      JSON.generate(message)
+    end
+
+    def self.decrypt(encrypted_data, password)
+      message = JSON.parse(encrypted_data, symbolize_names: true)
+      key = derive_key(password, Base64.strict_decode64(message[:salt]),
+                       message[:kd_rounds], message[:key_size])
+
+      decipher = OpenSSL::Cipher.new(message[:algo])
+      decipher.decrypt
+      decipher.key = key
+      decipher.iv = Base64.strict_decode64(message[:iv])
+
+      if decipher.authenticated?
+        decipher.auth_tag = Base64.strict_decode64(message[:auth_tag])
+        decipher.auth_data = ""
+      end
+
+      cipher_text = Base64.strict_decode64(message[:cipher_text])
+      decipher.update(cipher_text) + decipher.final
+    rescue OpenSSL::Cipher::CipherError => err
+      raise DecryptionError, "Error decrypting message: #{err.message}"
+    end
+
+    def self.derive_key(password, salt, rounds, size)
+      # Size is provided in bits, then gets converted to bytes for OpenSSL
+      OpenSSL::PKCS5.pbkdf2_hmac_sha1(password, salt, rounds, size/8)
+    end
+
+    private_class_method :derive_key
+  end
+end

data/lib/crypton/version.rb

@@ -0,0 +1,3 @@
+module Crypton
+  VERSION = "0.1.0.pre1".freeze
+end

data/spec/crypton/encrypted_attributes_spec.rb

@@ -0,0 +1,40 @@
+require "spec_helper"
+require "crypton/encrypted_attributes"
+
+RSpec.describe Crypton::EncryptedAttributes do
+  let(:model) do
+    Class.new do
+      include Crypton::EncryptedAttributes
+      attr_accessor :encrypted_foo
+      encrypted_attribute :foo, password: "bar"
+    end
+  end
+
+  it "defines a reader method" do
+    expect(model.new).to respond_to(:foo)
+  end
+
+  it "defines a writer method" do
+    expect(model.new).to respond_to(:foo=)
+  end
+
+  let(:instance) { model.new }
+
+  describe "reader method" do
+    before { allow(Crypton::Symmetric).to receive(:encrypt) { "{...}" } }
+
+    it "encrypts and stores the value" do
+      instance.foo = "baz"
+      expect(instance.encrypted_foo).to eq("{...}")
+    end
+  end
+
+  describe "writer method" do
+    before { allow(Crypton::Symmetric).to receive(:decrypt) { "plaintext" } }
+
+    it "encrypts and stores the value" do
+      instance.encrypted_foo = "{...}"
+      expect(instance.foo).to eq("plaintext")
+    end
+  end
+end

data/spec/crypton/symmetric_spec.rb

@@ -0,0 +1,36 @@
+require "spec_helper"
+require "crypton/symmetric"
+
+RSpec.describe Crypton::Symmetric do
+  let(:message) { Crypton::Symmetric.encrypt("test", "s3cr3t") }
+
+  it "works end-to-end" do
+    expect(Crypton::Symmetric.decrypt(message, "s3cr3t")).to eq("test")
+  end
+
+  describe ".encrypt" do
+    it "generates a JSON-encoded message" do
+      expect { JSON.parse(message) }.to_not raise_error
+    end
+  end
+
+  describe ".decrypt" do
+    context "given an invalid password" do
+      it "fails" do
+        expect { Crypton::Symmetric.decrypt(message, "wrong password") }.
+          to raise_error(Crypton::DecryptionError)
+      end
+    end
+
+    context "given an invalid auth tag" do
+      let(:tampered_message) do
+        JSON.generate(JSON.parse(message).merge("auth_tag" => "0000"))
+      end
+
+      it "fails" do
+        expect { Crypton::Symmetric.decrypt(tampered_message, "s3cr3t") }.
+          to raise_error(Crypton::DecryptionError)
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+RSpec.configure do |config|
+  config.disable_monkey_patching!
+end

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification
+name: crypton
+version: !ruby/object:Gem::Version
+  version: 0.1.0.pre1
+platform: ruby
+authors:
+- Harry Marr
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-01-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+description: Simple crypto
+email:
+- engineering@gocardless.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- crypton.gemspec
+- lib/crypton.rb
+- lib/crypton/encrypted_attributes.rb
+- lib/crypton/errors.rb
+- lib/crypton/symmetric.rb
+- lib/crypton/version.rb
+- spec/crypton/encrypted_attributes_spec.rb
+- spec/crypton/symmetric_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/gocardless/crypton
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.2
+signing_key: 
+specification_version: 4
+summary: Simple crypto
+test_files:
+- spec/crypton/encrypted_attributes_spec.rb
+- spec/crypton/symmetric_spec.rb
+- spec/spec_helper.rb