philiprehberger-crypt 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 729568e235734cb24966a439a89fce1a60beb0b038e0877c79e560d05e868181
-  data.tar.gz: 40f7525b5099b714325e50e9f76c2b62d5b1372c9e9070ebd4d5de415db8de35
+  metadata.gz: 789ed3adf81e8d52a357a47e485833197aa236ecfd9f66a941648e711bf40133
+  data.tar.gz: aa18d2c620b46d7a098843988684da63897b51d38373acdaaf8cafb594ced84b
 SHA512:
-  metadata.gz: cf168c01c0ede877a026e8f99cb09dbbd3a7c3e6179bcee8df55691034de5f543721d9ec4ff6fbe9e1a3b81da11040239d434c837756a537f21a722df5663b7a
-  data.tar.gz: ae4945305e6f818f5c1250629fd065ed000c9836480ffe7de2af42d2e3f27018c8ebfc5925773fdcf0b30af8e35ac58bce6c9d736bb5e40fee6edb6038bf57b8
+  metadata.gz: 8c6780048c0399326833092b4af23fb7dcd50162675e85eba91b279f7767f5693259f9a8aea780393fe60516a86e3835e6bc27b70098bd51765d24186f0bbb63
+  data.tar.gz: a744e5db314581c1d8f78a30487a1374a2cfe074c7cbc3b6294cb598fe65425b015eb425e4b3b9e745be618a6b8a3c9b1116acb4fd139e39d543b8592ab1da2a

data/CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.0] - 2026-05-01
+
+### Added
+- `Crypt.fingerprint(key)` — produces a short, stable identifier for a key (first 16 hex chars of `SHA-256(key)`). Stable across raw and hex key representations. Useful for log lines, key-id headers, and key rotation audits without leaking key material.
+
 ## [0.4.0] - 2026-04-15
 
 ### Added

data/README.md

@@ -116,6 +116,18 @@ result = Philiprehberger::Crypt.hash_and_hmac('payload', key: key)
 result = Philiprehberger::Crypt.hash_and_hmac('payload', key: key, algorithm: :sha512)
 ```
 
+### Key Fingerprint
+
+Generate a short, safe identifier for a key — stable, hex-encoded, and never reveals the key itself.
+Use it in log lines, key-id headers, and key rotation audits.
+
+```ruby
+key = Philiprehberger::Crypt.random_hex(16)
+
+Philiprehberger::Crypt.fingerprint(key)  # => "a3f4b2c1d8e9f0a1"
+# Same value for raw and hex representations of the same key
+```
+
 ### Secure Comparison
 
 ```ruby
@@ -142,6 +154,7 @@ Philiprehberger::Crypt.secure_compare(token_a, token_b)
 | `.hash(data, algorithm:)` | Compute hex digest (SHA-256, SHA-384, or SHA-512) |
 | `.hash_and_hmac(data, key:, algorithm:)` | Compute hash and HMAC signature in one call |
 | `.secure_compare(a, b)` | Constant-time string comparison |
+| `.fingerprint(key)` | 16-char hex identifier (`SHA-256(key)[0,16]`) safe for logs and key-id headers |
 | `DecryptionError` | Raised when decryption fails |
 
 ## Development

data/lib/philiprehberger/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Philiprehberger
   module Crypt
-    VERSION = '0.4.0'
+    VERSION = '0.5.0'
   end
 end

data/lib/philiprehberger/crypt.rb

@@ -229,6 +229,19 @@ module Philiprehberger
       OpenSSL.fixed_length_secure_compare(a, b)
     end
 
+    # Produce a short, stable identifier for a key without leaking key material.
+    #
+    # Returns the first 16 hex characters of `SHA-256(normalized_key)`. Stable
+    # across raw and hex representations of the same key. Useful for log lines
+    # ("encrypted with key #{Crypt.fingerprint(k)}"), key-id headers, and key
+    # rotation audits.
+    #
+    # @param key [String] a 32-byte raw or 64-character hex key
+    # @return [String] 16-character lowercase hex identifier
+    def self.fingerprint(key)
+      OpenSSL::Digest::SHA256.hexdigest(normalize_key(key))[0, 16]
+    end
+
     # @api private
     def self.normalize_key(key)
       return key if key.bytesize == KEY_LENGTH

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: philiprehberger-crypt
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Philip Rehberger
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-15 00:00:00.000000000 Z
+date: 2026-05-01 00:00:00.000000000 Z
 dependencies: []
 description: A high-level encryption toolkit providing AES-256-GCM encryption and
   decryption, key rotation, envelope encryption, PBKDF2 key derivation, secure random