philiprehberger-crypt 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b8b7e1b7ba025acb109315c7917651f67b9645ef6abc1f7699dbe4e471020b2
-  data.tar.gz: 988b00641592540f69b355896dd6d524f7369830f93a33ad450909e4260671a2
+  metadata.gz: 789ed3adf81e8d52a357a47e485833197aa236ecfd9f66a941648e711bf40133
+  data.tar.gz: aa18d2c620b46d7a098843988684da63897b51d38373acdaaf8cafb594ced84b
 SHA512:
-  metadata.gz: 85775a37db94d000bd73b20ed1d403e6dc5b891e38600860aea6ce0087c1c45d680886b3efc5212258b4f9132a691e7d52a92d1b2e824c935a698737f3590591
-  data.tar.gz: 799433a04830123ffe629edaf5460dcad49f477e48108c66c7cbb1bbfb7c7611e78c9cf77f97cd7211de060b036d93eec7119e49cd7b1626f9af8a7aff47864e
+  metadata.gz: 8c6780048c0399326833092b4af23fb7dcd50162675e85eba91b279f7767f5693259f9a8aea780393fe60516a86e3835e6bc27b70098bd51765d24186f0bbb63
+  data.tar.gz: a744e5db314581c1d8f78a30487a1374a2cfe074c7cbc3b6294cb598fe65425b015eb425e4b3b9e745be618a6b8a3c9b1116acb4fd139e39d543b8592ab1da2a

data/CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.0] - 2026-05-01
+
+### Added
+- `Crypt.fingerprint(key)` — produces a short, stable identifier for a key (first 16 hex chars of `SHA-256(key)`). Stable across raw and hex key representations. Useful for log lines, key-id headers, and key rotation audits without leaking key material.
+
+## [0.4.0] - 2026-04-15
+
+### Added
+- `hash_and_hmac(data, key:, algorithm:)` to compute both a hash and HMAC signature in a single call
+
 ## [0.3.0] - 2026-04-09
 
 ### Added

data/README.md

@@ -106,6 +106,28 @@ Philiprehberger::Crypt.hmac_verify("payload", signature: signature, key: key)
 # => true
 ```
 
+### Combined Hash and HMAC
+
+```ruby
+key = Philiprehberger::Crypt.random_hex(16)
+result = Philiprehberger::Crypt.hash_and_hmac('payload', key: key)
+# => { hash: '...', hmac: '...' }
+
+result = Philiprehberger::Crypt.hash_and_hmac('payload', key: key, algorithm: :sha512)
+```
+
+### Key Fingerprint
+
+Generate a short, safe identifier for a key — stable, hex-encoded, and never reveals the key itself.
+Use it in log lines, key-id headers, and key rotation audits.
+
+```ruby
+key = Philiprehberger::Crypt.random_hex(16)
+
+Philiprehberger::Crypt.fingerprint(key)  # => "a3f4b2c1d8e9f0a1"
+# Same value for raw and hex representations of the same key
+```
+
 ### Secure Comparison
 
 ```ruby
@@ -130,7 +152,9 @@ Philiprehberger::Crypt.secure_compare(token_a, token_b)
 | `.random_hex(n)` | Generate a hex-encoded random string (2*n characters) |
 | `.random_bytes(n)` | Generate n cryptographically secure random bytes |
 | `.hash(data, algorithm:)` | Compute hex digest (SHA-256, SHA-384, or SHA-512) |
+| `.hash_and_hmac(data, key:, algorithm:)` | Compute hash and HMAC signature in one call |
 | `.secure_compare(a, b)` | Constant-time string comparison |
+| `.fingerprint(key)` | 16-char hex identifier (`SHA-256(key)[0,16]`) safe for logs and key-id headers |
 | `DecryptionError` | Raised when decryption fails |
 
 ## Development

data/lib/philiprehberger/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Philiprehberger
   module Crypt
-    VERSION = '0.3.0'
+    VERSION = '0.5.0'
   end
 end

data/lib/philiprehberger/crypt.rb

@@ -153,6 +153,22 @@ module Philiprehberger
       OpenSSL::Digest.new(algo).hexdigest(data.to_s)
     end
 
+    # Compute both a cryptographic hash and HMAC signature of data in one call.
+    #
+    # Delegates to {.hash} and {.hmac} using the same algorithm for both.
+    #
+    # @param data [String] the data to hash and sign
+    # @param key [String] the HMAC secret key
+    # @param algorithm [Symbol] hash algorithm (:sha256, :sha384, or :sha512)
+    # @return [Hash] with :hash (hex digest) and :hmac (hex HMAC signature)
+    # @raise [ArgumentError] if algorithm is unsupported
+    def self.hash_and_hmac(data, key:, algorithm: :sha256)
+      {
+        hash: hash(data, algorithm: algorithm),
+        hmac: hmac(data, key: key, algorithm: algorithm)
+      }
+    end
+
     # Re-encrypt data with a new key.
     #
     # @param encrypted [String] Base64-encoded encrypted data from {.encrypt}
@@ -213,6 +229,19 @@ module Philiprehberger
       OpenSSL.fixed_length_secure_compare(a, b)
     end
 
+    # Produce a short, stable identifier for a key without leaking key material.
+    #
+    # Returns the first 16 hex characters of `SHA-256(normalized_key)`. Stable
+    # across raw and hex representations of the same key. Useful for log lines
+    # ("encrypted with key #{Crypt.fingerprint(k)}"), key-id headers, and key
+    # rotation audits.
+    #
+    # @param key [String] a 32-byte raw or 64-character hex key
+    # @return [String] 16-character lowercase hex identifier
+    def self.fingerprint(key)
+      OpenSSL::Digest::SHA256.hexdigest(normalize_key(key))[0, 16]
+    end
+
     # @api private
     def self.normalize_key(key)
       return key if key.bytesize == KEY_LENGTH

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: philiprehberger-crypt
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Philip Rehberger
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-09 00:00:00.000000000 Z
+date: 2026-05-01 00:00:00.000000000 Z
 dependencies: []
 description: A high-level encryption toolkit providing AES-256-GCM encryption and
   decryption, key rotation, envelope encryption, PBKDF2 key derivation, secure random