porky_lib 0.6.0 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e9fc0377b60b55e6f387143be5826f6d07ec548168b22dca37eab9a083bff4df
-  data.tar.gz: 2a4c7a8a622bf52d4789df58f1d4c4a2db0705dea5b6e4eb9790a84bbf97f37f
+  metadata.gz: 53ca6a913c5a5f9c9a71bb22032a31caecba2a460aff2e03fae6ac7fcfa93f54
+  data.tar.gz: '0978ad17a78ee37962a36d563ea08061f9e8d8ee84ec838c9e31295a27883764'
 SHA512:
-  metadata.gz: 7969589afe6815aa4579759bc16946d549311c692b68aa8414dc4ffa8074a99de53b466a69dd42f500e9539185be112bdf7f4153db8053aa58be6da499e2755f
-  data.tar.gz: 2494291f740c2ed15f3bdef5fa15a35a434e2b881d7262a077edfa1947505181656cd58bbc647b7efccce24fdce7e46b1fd4dbdc2957710d76c22a291d4cfe18
+  metadata.gz: f05acefd1344c4ca9003fe0388084709dd6bcb8bc21899c00cdc37dae0575a02dd16dec2e5d05de7f8ab7096fc8dc7676a8f759ff6a84f0bc328ad2567fd46e0
+  data.tar.gz: 9399aa25b56b4bfbbbfcb4904eab7a5609c67d6304c6803b3b14b101b03cceb4ddc4e56870e3106fcca2b691eda7163ab196396e63125fc1b7de176b974572c2

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    porky_lib (0.6.0)
+    porky_lib (0.6.1)
       aws-sdk-kms
       aws-sdk-s3
       msgpack
@@ -12,20 +12,20 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.0)
-    aws-eventstream (1.0.2)
-    aws-partitions (1.151.0)
-    aws-sdk-core (3.48.4)
+    aws-eventstream (1.0.3)
+    aws-partitions (1.193.0)
+    aws-sdk-core (3.61.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
       aws-partitions (~> 1.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-kms (1.17.0)
-      aws-sdk-core (~> 3, >= 3.48.2)
+    aws-sdk-kms (1.24.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.36.1)
-      aws-sdk-core (~> 3, >= 3.48.2)
+    aws-sdk-s3 (1.46.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.0)
+      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.1.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
     bundler-audit (0.6.1)
@@ -37,17 +37,17 @@ GEM
       simplecov
       url
     diff-lcs (1.3)
-    docile (1.3.1)
+    docile (1.3.2)
     ffi (1.10.0)
-    jaro_winkler (1.5.2)
+    jaro_winkler (1.5.3)
     jmespath (1.4.0)
     json (2.2.0)
-    msgpack (1.2.10)
+    msgpack (1.3.1)
     parallel (1.17.0)
     parser (2.6.3.0)
       ast (~> 2.4.0)
     rainbow (3.0.0)
-    rake (12.3.2)
+    rake (12.3.3)
     rbnacl (5.0.0)
       ffi
     rbnacl-libsodium (1.0.16)
@@ -63,33 +63,33 @@ GEM
     rspec-expectations (3.8.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+    rspec-mocks (3.8.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
+    rspec-support (3.8.2)
     rspec_junit_formatter (0.4.1)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (0.68.0)
+    rubocop (0.74.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5, != 2.5.1.1)
+      parser (>= 2.6)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.6)
-    rubocop-performance (1.1.0)
-      rubocop (>= 0.67.0)
-    rubocop-rspec (1.32.0)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    rubocop-performance (1.4.1)
+      rubocop (>= 0.71.0)
+    rubocop-rspec (1.35.0)
       rubocop (>= 0.60.0)
-    rubocop_runner (2.1.0)
-    ruby-progressbar (1.10.0)
-    simplecov (0.16.1)
+    rubocop_runner (2.2.0)
+    ruby-progressbar (1.10.1)
+    simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     thor (0.20.3)
     timecop (0.9.1)
-    unicode-display_width (1.5.0)
+    unicode-display_width (1.6.0)
     url (0.3.2)
 
 PLATFORMS
@@ -122,4 +122,4 @@ RUBY VERSION
    ruby 2.6.3p62
 
 BUNDLED WITH
-   2.0.1
+   2.0.2

data/SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+For reporting confirmed or suspected vulnerabilities, please refer to https://www.arioplatform.com/security.

data/lib/porky_lib/symmetric.rb

@@ -3,6 +3,7 @@
 require 'aws-sdk-kms'
 require 'rbnacl/libsodium'
 require 'singleton'
+require 'benchmark'
 
 class PorkyLib::Symmetric
   include Singleton
@@ -110,7 +111,95 @@ class PorkyLib::Symmetric
     [message, should_reencrypt]
   end
 
+  def encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil)
+    return if data.nil? || cmk_key_id.nil?
+
+    encryption_statistics = {}
+
+    # Generate a new data encryption key or decrypt existing key, if provided
+    if ciphertext_dek
+      plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
+        decrypt_data_encryption_key(ciphertext_dek, encryption_context)
+      end
+
+      ciphertext_key = ciphertext_dek
+    else
+      plaintext_key, ciphertext_key = benchmark_block(encryption_statistics, :generate_key) do
+        generate_data_encryption_key(cmk_key_id, encryption_context)
+      end
+    end
+
+    nonce, ciphertext = benchmark_block(encryption_statistics, :encrypt) do
+      # Initialize the box
+      secret_box = RbNaCl::SecretBox.new(plaintext_key)
+
+      # First, make a nonce: A single-use value never repeated under the same key
+      # The nonce isn't secret, and can be sent with the ciphertext.
+      # The cipher instance has a nonce_bytes method for determining how many bytes should be in a nonce
+      nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)
+
+      # Encrypt a message with SecretBox
+      ciphertext = secret_box.encrypt(nonce, data)
+
+      [nonce, ciphertext]
+    end
+
+    benchmark_block(encryption_statistics, :clear_key) do
+      # Securely delete the plaintext value from memory
+      plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
+    end
+
+    [ciphertext_key, ciphertext, nonce, encryption_statistics]
+  end
+
+  def decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil)
+    return if ciphertext.nil? || ciphertext_dek.nil? || nonce.nil?
+
+    encryption_statistics = {}
+
+    plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
+      # Decrypt the data encryption key
+      decrypt_data_encryption_key(ciphertext_dek, encryption_context)
+    end
+
+    message, should_reencrypt = benchmark_block(encryption_statistics, :decrypt) do
+      secret_box = RbNaCl::SecretBox.new(plaintext_key)
+
+      should_reencrypt = false
+      begin
+        # Decrypt the message
+        message = secret_box.decrypt(nonce, ciphertext)
+      rescue RbNaCl::CryptoError
+        # For backwards compatibility due to a code error in a previous release
+        plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
+        message = secret_box.decrypt(nonce, ciphertext)
+        should_reencrypt = true
+      end
+
+      [message, should_reencrypt, encryption_statistics]
+    end
+
+    benchmark_block(encryption_statistics, :clear_key) do
+      # Securely delete the plaintext value from memory
+      plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
+    end
+
+    [message, should_reencrypt, encryption_statistics]
+  end
+
   def secure_delete_plaintext_key(length)
     "\0" * length
   end
+
+  private
+
+  def benchmark_block(statistics, stat_label)
+    results = nil
+
+    measurement = Benchmark.measure { results = yield }
+
+    statistics[stat_label] = measurement
+
+    results
+  end
 end

data/lib/porky_lib/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PorkyLib
-  VERSION = "0.6.0"
+  VERSION = "0.6.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: porky_lib
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.1
 platform: ruby
 authors:
 - Greg Fletcher
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-30 00:00:00.000000000 Z
+date: 2019-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-kms
@@ -378,6 +378,7 @@ files:
 - Gemfile.lock
 - README.md
 - Rakefile
+- SECURITY.md
 - bin/console
 - bin/setup
 - lib/porky_lib.rb