opensecret 0.0.951 → 0.0.957

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ca35c2727f92f764b83fae65d656062b95520ad6
-  data.tar.gz: 260748f11554e881116e6efd8c4d44c0cdb06284
+  metadata.gz: 9681f58d24288c4f1b13d0b83187dff72f9909f5
+  data.tar.gz: 850a7fc15a960497f1f6b209d7f30a9c1b26b2fd
 SHA512:
-  metadata.gz: 10f94cba6fe468750401a38846641c9dddce2258601d981b1fb26e5b2e88c7fea27edb10264ee070d3d4920c6ada9470e0a7b4cb3178a5f5c2a07facb186db1a
-  data.tar.gz: 35aa0ff66488c53859c245c10ba2d3aae348b56df4df90d94963241b190b8065f39f20bbfb63c119159f25488b8262f69f847fd1a3e715d3fe8df13954cbc921
+  metadata.gz: a3e87ecc9eaf58507d26d92ab6665a3cc4f5f0ea86a1b577b685394af57e6c8db0b2271d399eb9100beb3acf301e863ee43c17a3a7f58751626f6a5264ffbb38
+  data.tar.gz: 626b3bbdc2becea5b6d1dfa4eefac208a8dca4d33504598e0e7d6bef6a05629188a2cae69edb981a21db8b6fca1bc2e7af9ed1d3a421b26bfe071f061c3c9dbc

data/lib/extension/array.rb

@@ -12,6 +12,35 @@
 class Array
 
 
+  # The returned string is a result of a union (join) of all the
+  # (expected) string array elements followed by the <b>deletion</b>
+  # of <b>all <em>non</em> alphanumeric characters</b>.
+  #
+  # <b>Disambiguating the String for Cross Platform Use</b>
+  #
+  # This behaviour is typically used for transforming text that is
+  # about to be signed or digested (hashed). Removing all the non
+  # alpha-numeric characters disambiguates the string.
+  #
+  # An example is the exclusion of line ending characters which in
+  # Windows are different from Linux.
+  #
+  # This disambiguation means that signing functions will return the
+  # same result on widely variant platfoms like Windows vs CoreOS.
+  #
+  # @return [String]
+  #    Returns the alphanumeric union of the strings within this array.
+  #
+  # @raise [ArgumentError]
+  #    if the array is nil or empty. Also an error will be thrown if
+  #    the array contains objects that cannot be naturally converted
+  #    to a string.
+  def alphanumeric_union
+    raise ArgumentError, "Cannot do alphanumeric union on an empty array." if self.empty?
+    return self.join.to_alphanumeric
+  end
+
+
   # Log the array using our logging mixin by printing every array
   # item into its own log line. In most cases we (the array) are
   # a list of strings, however if not, each item's to_string method

data/lib/extension/string.rb

@@ -12,6 +12,37 @@
 class String
 
 
+  # Return a new string matching this one with every non alpha-numeric
+  # character removed. This string is left unchanged.
+  #
+  # Spaces, hyphens, underscores, periods are all removed. The only
+  # characters left standing belong to a set of 62 and are
+  #
+  # - a to z
+  # - A to Z
+  # - 0 to 9
+  #
+  # @return [String]
+  #    Remove any character that is not alphanumeric, a to z, A to Z
+  #    and 0 to 9 and return a new string leaving this one unchanged.
+  def to_alphanumeric
+    return self.delete("^A-Za-z0-9")
+  end
+
+
+  # Find the length of this string and return a string that is the
+  # concatenated union of this string and its integer length.
+  # If this string is empty a string of length one ie "0" will be
+  # returned.
+  #
+  # @return [String]
+  #    Return this string with a cheeky integer tagged onto the end
+  #    that represents the (pre-concat) length of the string.
+  def concat_length
+    return self + "#{self.length}"
+  end
+
+
   # Get the text [in between] this and that delimeter [exclusively].
   # Exclusively means the returned text [does not] include either of
   # the matched delimeters (although an unmatched instance of [this]

data/lib/factbase/facts.opensecret.io.ini

@@ -8,19 +8,27 @@ root.domain     =  devopswiki.co.uk
 env.var.name    =  SECRET_MATERIAL
 ratio           =  rb>> 3
 bit.key.size    =  rb>> 8192
-key.cipher      =  rb>> OpenSSL::Cipher.new 'AES-256-CBC'
-secret.keydir   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], "safe"
-email.address   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], "email"
+key.cipher      =  rb>> OpenSSL::Cipher::AES256.new(:CBC)
+secret.keydir   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], @s[:name], "safe"
+email.address   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], @s[:name], "email"
 safe.user       =  rb>> File.join @s[:secret_keydir], @s[:email_address]
 master.dirname  =  master.keys
 master.dirpath  =  rb>> File.join @s[:safe_user], @s[:master_dirname]
-master.pub.name =  master.public.key.x.os.txt
-master.prv.name =  master.private.key.x.os.txt
-master.pub.key  =  rb>> File.join @s[:master_dirpath], @s[:master_pub_name]
+
+master.sig.file =  master.signature.os.txt
+########### -----> master.pub.name =  master.public.key.os.txt
+master.prv.name =  master.private.key.xx.txt
+master.sig.path =  rb>> File.join @s[:master_dirpath], @s[:master_sig_file]
+########### -----> master.pub.key  =  rb>> File.join @s[:master_dirpath], @s[:master_pub_name]
 master.prv.key  =  rb>> File.join @s[:master_dirpath], @s[:master_prv_name]
 
-machine.key.x   =  machine.key.x
+stamp.key       =  stamp
+stamp.14        =  rb>> OpenSession::Stamp.yyjjj_hhmm_sst
+stamp.23        =  rb>> OpenSession::Stamp.yyjjj_hhmm_ss_nanosec
+
+machine.key.x   =  os.x
 separator.a     =  %$os$%
+publickey.id    =  public.key
 
 repo.name       =  material_data
 
@@ -32,8 +40,8 @@ prompt.2        =  Re-enter that Password
 open.name       =  session
 open.dirname    =  session.material
 open.dirpath    =  rb>> File.join @f[:global][:safe_user], @s[:open_dirname]
-open.idlen      =  9
-open.keylen     =  96
+open.idlen      =  rb>> 10
+open.keylen     =  rb>> 56
 open.idname     =  session.id
 open.keyname    =  session.key
 open.pathname   =  session.path

data/lib/notepad/blow.rb

@@ -10,19 +10,75 @@
 class Trial
 
 
+  def self.certify
+
+    require 'openssl'
+    require "base64"
+
+    key = OpenSSL::PKey::RSA.new(1024)
+    public_key = key.public_key
+
+    subject = "/C=BE/O=Test/OU=Test/CN=Test"
+
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 365 * 24 * 60 * 60
+    cert.public_key = public_key
+    cert.serial = 0x0
+    cert.version = 2
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = cert
+    cert.extensions = [
+      ef.create_extension("basicConstraints","CA:TRUE", true),
+      ef.create_extension("subjectKeyIdentifier", "hash"),
+      # ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
+    ]
+    cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                           "keyid:always,issuer:always")
+
+    cert.sign key, OpenSSL::Digest::SHA1.new
+
+    puts cert.to_pem
+
+  end
+
+
+##### ----->  Trial.certify
+
+
   def self.crypt
 
     require 'openssl'
     require "base64"
 
-    key = OpenSSL::PKey::RSA.new(8192)
+=begin
+    puts ""
+    puts Time.now.strftime "%9N"
+    puts Time.now.strftime "%12N"
+    puts Time.now.strftime "%15N"
+    puts Time.now.strftime "%18N"
+    puts ""
+    exit
+=end
+
+## --------------------------------------------------------------------------------------------
+## --------------------------------------------------------------------------------------------
+
+    key = OpenSSL::PKey::RSA.new(2048)
 
 
 payload = "55fff4c5895bb247676c6edd2307f17c665305457b3bcfcd985c398246b8780f54e337252c5407afd4895a5e3a2415fce5b703a483da3edc88739cb7787262a19d69fb9416f900fed797c046aaec83b8e15b14edb032ed76535def8ada77108936e5442a839d4078048ca01449a6acd7315c9b7a7b8802dba0c83eb4c13e21b1051efa77a420a3ffd3cbf1fa13182933a0503f23cce95b68787081f3af33c69049657bdbf1fd30d79f108d604faad1fbee198a3e2c1b28cdddf7ebb84b6b0c1d3e9b47665bd96d7df8407e11d00e4d9275e805c7b9e61b6739802d6d87ac8283ef92a593ed53db2096cd1dc9496307f40942cc3d54a7c864ede71e0b192ce152"
 
+    puts ""
+    puts ""
+    puts public_key_text = key.public_key.to_pem
     puts ""
     puts "Payload size is #{payload.length}"
     puts ""
+=begin
     puts ""
     puts encrypted_string = key.public_encrypt( payload, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
     puts ""
@@ -38,9 +94,55 @@ payload = "55fff4c5895bb247676c6edd2307f17c665305457b3bcfcd985c398246b8780f54e33
     puts ""
     puts encrypted_string.unpack("H*").first
     puts ""
-    puts key.private_decrypt(encrypted_string, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
     puts ""
-
+    puts "Padding => #{OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING}"
+    puts ""
+    puts key.private_decrypt( encrypted_string, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING )
+    puts ""
+=end
+    email_address = "bob@hotmail.com"
+    time_stamp = "5th.April.2020.20:21pm"
+
+    secured_privatekey = key.export( OpenSSL::Cipher::AES256.new(:CBC), "secret12345abcde" )
+
+
+    second_key = OpenSSL::PKey::RSA.new(2048)
+    second_public_key_text = second_key.public_key.to_pem
+
+    context_string_dirty = secured_privatekey + public_key_text + email_address + time_stamp
+    context_string_clean = context_string_dirty.delete("^A-Za-z0-9")
+    context_string_clean += context_string_clean.length.to_s
+####    context_signature_str = Base64.encode64(second_key.sign OpenSSL::Digest::SHA256.new, context_string_clean)
+    context_signature_str = Base64.encode64(key.sign OpenSSL::Digest::SHA256.new, context_string_clean)
+
+
+## --------------------------------------------------------------------------------------------
+## --------------------------------------------------------------------------------------------
+
+    reinstated_key = OpenSSL::PKey::RSA.new "#{public_key_text}"
+###    reinstated_key = OpenSSL::PKey::RSA.new "#{second_public_key_text}"
+    raw_signature_text = Base64.decode64(context_signature_str)
+    is_valid = reinstated_key.public_key.verify OpenSSL::Digest::SHA256.new, raw_signature_text, (context_string_clean)
+    raise ArgumentError, "Keys not validated" unless is_valid
+
+## --------------------------------------------------------------------------------------------
+## --------------------------------------------------------------------------------------------
+
+    puts "======================================================================================"
+    puts "======================================================================================"
+    puts context_string_dirty
+    puts "======================================================================================"
+    puts "======================================================================================"
+    puts context_string_clean
+    puts "======================================================================================"
+    puts "======================================================================================"
+    puts context_signature_str
+    puts "======================================================================================"
+    puts "======================================================================================"
+    puts "Keys Are Valid => #{is_valid}"
+    puts "======================================================================================"
+    puts "======================================================================================"
+    puts ""
 
   end
 
@@ -55,8 +157,9 @@ HNkUjWaFoI5dPTRUUymyf7uKMaXFhiIZaOq+ZYj4TWPN92qv6ANTd3pRvVa3
 S+aQSOX7q3FkKIOc5yfWLushGAMSwidgH1kzLvocCf+SSWH5BY3zTb7NAGjW
 =end
 
-###  Trial.crypt
-###  exit
+# -------->
+# -------->  Trial.crypt
+# -------->
 
   def try
 

data/lib/opensecret.rb

@@ -32,7 +32,9 @@ OpenSession::RecursivelyRequire.now( __FILE__ )
 #
 class CliInterpreter < Thor
 
-  log.info(x) {"Wake up loggers."}
+  OpenSession::Session.instance.context = "opensecret"
+  log.info(x) {"opensecret session initiated at [#{OpenSession::Stamp.yyjjj_hhmm_sst}]." }
+  log.info(x) {"opensecret session context is [#{OpenSession::Session.instance.context}]." }
 
   #
   # This class option allows every CLI call the option to include
@@ -55,12 +57,36 @@ class CliInterpreter < Thor
 
 
   # Description of the open "wake-up" call.
-  desc "open", "open up a conduit for adding, subtracting and swapping secrets for a future commit."
+  desc "open CONTEXT_PATH", "CONTEXT_PATH context path to the family of secrets to be created."
 
   # Open up a conduit from which we can add, subtract, update and list secrets
   # before they are committed (and pushed) into permanent locked storage.
-  def open
-    OpenSecret::Open.new.flow_of_events
+  #
+  # @param context_path [String] the path to USB key for storing encrypted keys
+  def open context_path
+
+    open_uc = OpenSecret::Open.new
+    open_uc.context_path = context_path
+    open_uc.flow_of_events
+
+  end
+
+
+  # Description of the put secret command.
+  desc "put <secret_id> <secret_value>", "put secret like login/username into opened context."
+
+  # Put a secret with an id like login/username and a value like joebloggs into the
+  # context (eg work/laptop) that was opened with the open command.
+  #
+  # @param secret_id [String] the id of the secret to put into the opened context
+  # @param secret_value [String] the value of the secret to put into the opened context
+  def put secret_id, secret_value
+
+    put_uc = OpenSecret::Put.new
+    put_uc.secret_id = secret_id
+    put_uc.secret_value = secret_value
+    put_uc.flow_of_events
+
   end
 
 
@@ -120,7 +146,7 @@ class CliInterpreter < Thor
       abort "The tiniest (externally accessible) email address [a@b.cd] has 6 characters."
     end
     
-    OpenSession::Attributes.stash "opensecret", "email", email_address
+    OpenSession::Attributes.stash "opensecret", "opensecret", "email", email_address
 
   end
 
@@ -147,7 +173,7 @@ class CliInterpreter < Thor
       abort "4 characters is the minimum domain name length."
     end
 
-    OpenSession::Attributes.stash "opensecret", "store", store_url.strip
+    OpenSession::Attributes.stash "opensecret", "opensecret", "store", store_url.strip
 
 ###    if( File.exists?( store_url ) && !(File.directory? store_url) )
 ###      abort "The store url path cannot be a file => #{store_url}"

data/lib/plugins/cipher.rb

@@ -6,7 +6,7 @@ module OpenSecret
   require "base64"
 
 
-  # An {OpenSecret::Cipher} is a base class that enables cipher varieties
+  # {OpenSecret::Cipher} is a base class that enables cipher varieties
   # to be plugged and played with minimal effort. This Cipher implements much
   # of the use case functionality - all extension classes need to do, is
   # to subclass and implement only the core behaviour that define its identity.
@@ -28,6 +28,7 @@ module OpenSecret
   # with a powerful symmetric encryption algorithm which could be any one of the
   # leading ciphers such as TwoFish or the Advanced Encryption Standard (AES).
   #
+  #
   # == How to Implement a Cipher
   #
   # Extend this base class to inherit lots of +unexciting+ functionality
@@ -40,9 +41,8 @@ module OpenSecret
   # - handles +exceptions+ and +malicious input detection+ and incubation
   # - +_performs the asymmetric encryption_+ of the cipher's symmetrically encrypted output
   #
-  # -------------------------------------
-  # What Behaviour Must Ciphers Implement
-  # -------------------------------------
+  #
+  # == What Behaviour Must Ciphers Implement
   #
   # Ciphers bring the cryptographic mathematics and implementation algorithms
   # to the table. So when at home they must implement
@@ -62,7 +62,7 @@ module OpenSecret
     # of 8 (or 16) and a common +right pad with spaces+ strategy is employed
     # as a workaround. opensecret does it diferently.
     #
-    # == No Space Padding? | Why Not?
+    # == Why isn't Space Padding Used?
     #
     # If opensecret padded plaintext (ending in one or more spaces) with
     # spaces, the decrypt phase (after right stripping spaces) would return
@@ -87,7 +87,7 @@ module OpenSecret
 
     # An unusual string that glues together an encryption dictionary and
     # a chunk of base64 encoded and encrypted ciphertext.
-    # The string must be unusual enough to ensure it dos not occur within
+    # The string must be unusual enough to ensure it does not occur within
     # the dictionary metadata keys or values.
     INNER_GLUE_STRING = "\n<-|@| <  || opensecret inner crypt material axis ||  > |@|->\n\n"
 
@@ -155,7 +155,7 @@ module OpenSecret
       unified_material = unify_hash_and_text crypted_payload
       blowfish_cryptor = Blowfish.new
       outer_crypt_key = OpenSecret::Engineer.strong_key( 128 )
-      crypted_material = blowfish_cryptor.do_encrypt_with_key unified_material, outer_crypt_key
+      crypted_material = blowfish_cryptor.encryptor unified_material, outer_crypt_key
       crypted_cryptkey = do_asymmetric_encryption public_key_text, outer_crypt_key
       locked_up_string = unify_text_and_text crypted_cryptkey, crypted_material
 

data/lib/plugins/ciphers/blowfish.rb

@@ -23,45 +23,38 @@ module OpenSecret
     BLOWFISH_BLOCK_LEN = 8
 
 
-    # This method provides the Blowfish algorithm but we reserve the
-    # right to enforce upon it an encryption key of our choosing.
+    # Encrypt the (plain) text parameter using the symmetric encryption key
+    # specified in the second parameter and return the base64 encoded
+    # representation of the cipher text.
     #
-    # The key length need not be a multiple of 8 - however it is advisable
-    # to use {Digest::SHA256.digest} to produce a strong 32 character key.
+    # Blowfish is a block cipher meaning it needs both the key and the plain
+    # text inputted to conform to a divisible block length.
     #
-    # == Multiples of 8 | Plain Text Length
+    # Don't worry about this block length requirement as this encrption method
+    # takes care of it and its sister method {self.decryptor} will also perform
+    # the correct reversal activities to give you back the original plain text.
     #
-    # Blowfish constrains plain text lengths to multiples of 8 but we
-    # do NOT walk the common +space padding+ road.
+    # {Base64.encode64} facilitates the ciphertext encoding returning text that
+    # is safe to write to a file.
     #
-    # == No Space Padding? | Why Not?
+    # @param plain_text [String]
+    #    This parameter should be the non-nil text to encrypt using Blowfish.
+    #    Before encryption the text will be padded using a text string from
+    #    the {OpenSecret::Cipher::TEXT_PADDER} constant until it results in
+    #    a string with the required block length.
     #
-    # Many ciphers (like Blowfish) constrains plain text lengths to multiples
-    # of 8 (or 16) and a common +right pad with spaces+ strategy is employed
-    # as a workaround.
+    # @param encryption_key [String]
+    #    send a long strong unencoded key which does not have to be a multiple of
+    #    eight even though the algorithm demands it. Before the encryption this key
+    #    will be passed through a digest using behaviour from {Digest::SHA256.digest}
     #
-    # If opensecret padded plaintext (ending in one or more spaces) with
-    # spaces, the decrypt phase (after right stripping spaces) would return
-    # plain text string +shorter than the original+.
-    #
-    # == So How is Padding Done?
-    #
-    # Instead of single space padding - opensecret uses an unlikely 7 character
-    # delimiter which is repeated until the multiple is reached.
-    #
-    # Please see {OpenSecret::Cipher::PLAIN_TEXT_DELIMITER} for the definition
-    # of the constant delimiter.
-    #
-    # == Key Length Error
-    #
-    # Short keys receive a <tt>key length too short</tt> error from the
-    # {OpenSSL::Cipher} class namely {OpenSSL::Cipher::CipherError}.
-    #
-    # @param plain_text [String] the text to encrypt using Blowfish
-    # @param encryption_key [String] strong unencoded (32 character key)
+    #    This behaviour returns a key whose length is a multiple of eight.
     #
     # @return [String] base64 representation of blowfish crypted ciphertext
-    def do_encrypt_with_key plain_text, encryption_key
+    #
+    # @raise [OpenSSL::Cipher::CipherError]
+    #    An (encryption) <tt>key length too short</tt> error is raised for short keys.
+    def encryptor plain_text, encryption_key
 
       shortkey_msg = "The #{encryption_key.length} character encryption key is too short."
       raise ArgumentError, shortkey_msg unless encryption_key.length > 8
@@ -73,148 +66,61 @@ module OpenSecret
 
       blowfish_encryptor = OpenSSL::Cipher.new(OpenSecret::Blowfish::BLOWFISH_CIPHER_ID).encrypt
       blowfish_encryptor.key = raw_stretched_key
+      encrypted_lines = blowfish_encryptor.update(block_txt) << blowfish_encryptor.final
 
-      return Base64.encode64( blowfish_encryptor.update(block_txt) << blowfish_encryptor.final )
+      return Base64.encode64( encrypted_lines ).chomp
 
     end
 
 
-=begin
-puts "Plain Text            => #{sentence}"
-puts "Plain Text Length     => #{sentence.length}"
-puts "Multiple 8 Text       => [#{multiple8}]"
-puts "Multiple 8 Length     => [#{multiple8.length}]"
-puts "Encrypted Text Length => #{encrypted_text.length}"
-######### puts "Encrypted Text        => #{encrypted_text}"
-puts "Base64 Encrypted Text => #{base64_encrypted_text}"
-
-dbf = OpenSSL::Cipher.new("BF-ECB").decrypt
-dbf.key = the_key
-debase64_text = Base64.decode64( base64_encrypted_text )
-decrypted_text = dbf.update(debase64_text) << dbf.final
-
-puts "Decrypted Text        => #{decrypted_text}"
-=end
-
-
-
-
-    # Use the AES 256 bit block cipher and a robust strong random key plus
-    # initialization vector (IV) to symmetrically encrypt the plain text.
+    # Decrypt the cipher text parameter using the symmetric decryption key
+    # specified in the second parameter. The cipher text is expected to be
+    # base64 encoded as per our sister method {self.encryptor}.
     #
-    # Add these key/value pairs to @encryption_dictionary instance map.
+    # Its okay to use a bespoke encryptor - just ensure you encode the result
+    # and override the padding constant.
     #
-    # - <tt>symmetric.cipher</tt> - the algorithm used to encrypt and decrypt
-    # - <tt>encryption.key</tt> - hex encoded key for encrypting and decrypting
-    # - <tt>initialize.vector</tt> - the initialization vector known as a IV (four)
+    # Blowfish is a block cipher meaning it needs both the key and the plain
+    # text inputted to conform to a divisible block length.
     #
-    # @param plain_text [String] the plain (or base64 encoded) text to encrypt
-    # @return [String] the symmetrically encrypted cipher text
-    def do_symmetric_encryption plain_text
-
-      @cipher_name = "aes-256-cbc"
-
-      crypt_cipher = OpenSSL::Cipher.new @cipher_name
-      crypt_cipher.encrypt( plain_text )
-
-      @encryption_dictionary = {
-        @@symmetric_cipher_keyname => @cipher_name,
-        @@encryption_key_keyname => crypt_cipher.random_key.unpack("H*").first,
-        @@initialize_vector_keyname => crypt_cipher.random_iv.unpack("H*").first
-      }
-
-      Base64.encode64( crypt_cipher.update + crypt_cipher.final )
-
-    end
-
-
-    # Use the AES 256 bit block cipher together with the encryption key
-    # and initialization vector (iv) sitting in the encryption_dictionary,
-    # to symmetrically decrypt the parameter cipher text.
+    # Don't worry about this block length requirement as this decrption method
+    # takes care of the reversing the activities carried out by {self.encryptor}.
     #
-    # == Pre-Condition | Encryption Dictionary
+    # @param cipher_text [String]
+    #    This incoming cipher text should be encoded using {Base64.encode64}
+    #    and it will be +chomped and stripped upon receipt+ followed by
+    #    decryption using the Blowfish algorithm.
     #
-    # This method requires the <tt>@encryption_dictionary</tt> instance
-    # variable to have been set and to contain (amongst others)
+    # @param decryption_key [String]
+    #    Send the same key that was used during the encryption phase. The encryption
+    #    phase passed the key through the {Digest::SHA256.digest} digest so here
+    #    the decryption does the exact same thing.
     #
-    # - the <tt>encryption.key</tt> - hex encoded key for encrypting and decrypting
-    # - and <tt>initialize.vector</tt> - the initialization vector known as a IV (four)
+    #    The digest processing guarantees a symmetric key whose length conforms to
+    #    the multiple of eight block length requirement.
     #
-    # @param cipher_text [String] the base64 encoded cipher text to decrypt
-    # @return [String] decrypted plain text from symmetric key and cipher text
-    def do_symmetric_decryption cipher_text
-
-      abort "Implement AES 256 decryption in aes-256"
+    # @return [String]
+    #    After decoding and decryption the plain text string will still be padded,
+    #    +but not with spaces+. The unlikely to occur padding string constant used
+    #    is the {OpenSecret::Cipher::TEXT_PADDER}.
+    #
+    #    If the plaintext ended with spaces these would be preserved. After padder
+    #    removal any trailing spaces will be preserved in the returned plain text.
+    #
+    def decryptor cipher_text, decryption_key
 
-    end
+      decoded_text = Base64.decode64(cipher_text.chomp.strip)
+      digested_key = Digest::SHA256.digest decryption_key
 
+      decrypt_tool = OpenSSL::Cipher.new(OpenSecret::Blowfish::BLOWFISH_CIPHER_ID).decrypt
+      decrypt_tool.key = digested_key
 
+      padded_plaintxt = decrypt_tool.update(decoded_text) << decrypt_tool.final
+      pad_begin_index = padded_plaintxt.index OpenSecret::Cipher::TEXT_PADDER
+      return padded_plaintxt if pad_begin_index.nil?
+      return padded_plaintxt[ 0 .. (pad_begin_index-1) ]
 
-=begin
-encode_cipher = OpenSSL::Cipher.new('aes-256-cbc')
-encode_cipher.encrypt # We are encrypting
-key = encode_cipher.random_key
-iv = encode_cipher.random_iv
-hex_key = key.unpack("H*").first
-hex_iv = iv.unpack("H*").first
-
-line1 = "1>> This is secret number one over here with at @ and squiggle~ and round brakets().\n"
-line2 = "2>> secret number two with colon and semi :; angular <> qmarks ??.\n"
-line3 = "3>> secret number 3 fwd slash / and backslash twice \\ and pipe || and excla !!\n"
-line4 = "4>> secret 4 with pound ££ dollar $$ percent %% hat ^^ ampr && stars **\n"
-line5 = "5>> secret 5 with hyphens - and underscore __ and plus ++ and equal == and sqBs [[]].\n"
-line6 = "6>> secret 6 with double quote \"from here to here\" and \' single quotes\'.\n"
-line7 = "7>> secret 7 with periods .... and hashes #####\n"
-
-crypt_text = ""
-crypt_text += encode_cipher.update line1
-crypt_text += encode_cipher.update line2
-crypt_text += encode_cipher.update line3
-crypt_text += encode_cipher.update line4
-crypt_text += encode_cipher.update line5
-crypt_text += encode_cipher.update line6
-crypt_text += encode_cipher.update line7
-crypt_text += encode_cipher.final
-coded_crypt_text = Base64.encode64(crypt_text)
-
-puts ""
-puts "The key is #{hex_key}"
-puts "The IV is #{hex_iv}"
-puts "========================"
-puts "The Cipher Text is Below"
-puts "========================"
-puts coded_crypt_text
-puts "========================"
-puts crypt_text
-puts "========================"
-puts "========================"
-puts "========================"
-puts line1 + line2 + line3 + line4 + line5 + line6 + line7
-puts "========================"
-puts "========================"
-puts "========================"
-puts ""
-puts ""
-
-unencoded_crypt_text = Base64.decode64(coded_crypt_text)
-decode_cipher = OpenSSL::Cipher.new('aes-256-cbc')
-
-decode_cipher.decrypt
-decode_cipher.key = [hex_key].pack("H*")
-decode_cipher.iv = [hex_iv].pack("H*")
-first_part = decode_cipher.update( Base64.decode64(coded_crypt_text) )
-second_part = ""
-second_part << decode_cipher.final
-
-puts "========================"
-puts "Decrypted Text is Below"
-puts "========================"
-puts first_part
-puts "========================"
-puts second_part
-puts "========================"
-puts ""
-=end
+    end
 
 
   end