porky_lib 0.6.0 → 0.6.1
- checksums.yaml +4 -4
- data/Gemfile.lock +26 -26
- data/SECURITY.md +5 -0
- data/lib/porky_lib/symmetric.rb +89 -0
- data/lib/porky_lib/version.rb +1 -1
- metadata +3 -2
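--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 53ca6a913c5a5f9c9a71bb22032a31caecba2a460aff2e03fae6ac7fcfa93f54
+data.tar.gz: '0978ad17a78ee37962a36d563ea08061f9e8d8ee84ec838c9e31295a27883764'
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f05acefd1344c4ca9003fe0388084709dd6bcb8bc21899c00cdc37dae0575a02dd16dec2e5d05de7f8ab7096fc8dc7676a8f759ff6a84f0bc328ad2567fd46e0
+data.tar.gz: 9399aa25b56b4bfbbbfcb4904eab7a5609c67d6304c6803b3b14b101b03cceb4ddc4e56870e3106fcca2b691eda7163ab196396e63125fc1b7de176b974572c2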
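--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-porky_lib (0.6.
+porky_lib (0.6.1)
 aws-sdk-kms
 aws-sdk-s3
 msgpack
@@ -12,20 +12,20 @@ GEM
 remote: https://rubygems.org/
 specs:
 ast (2.4.0)
-aws-eventstream (1.0.
-aws-partitions (1.
-aws-sdk-core (3.
+aws-eventstream (1.0.3)
+aws-partitions (1.193.0)
+aws-sdk-core (3.61.1)
 aws-eventstream (~> 1.0, >= 1.0.2)
 aws-partitions (~> 1.0)
 aws-sigv4 (~> 1.1)
 jmespath (~> 1.0)
-aws-sdk-kms (1.
-aws-sdk-core (~> 3, >= 3.
+aws-sdk-kms (1.24.0)
+aws-sdk-core (~> 3, >= 3.61.1)
 aws-sigv4 (~> 1.1)
-aws-sdk-s3 (1.
-aws-sdk-core (~> 3, >= 3.
+aws-sdk-s3 (1.46.0)
+aws-sdk-core (~> 3, >= 3.61.1)
 aws-sdk-kms (~> 1)
-aws-sigv4 (~> 1.
+aws-sigv4 (~> 1.1)
 aws-sigv4 (1.1.0)
 aws-eventstream (~> 1.0, >= 1.0.2)
 bundler-audit (0.6.1)
@@ -37,17 +37,17 @@ GEM
 simplecov
 url
 diff-lcs (1.3)
-docile (1.3.
+docile (1.3.2)
 ffi (1.10.0)
-jaro_winkler (1.5.
+jaro_winkler (1.5.3)
 jmespath (1.4.0)
 json (2.2.0)
-msgpack (1.
+msgpack (1.3.1)
 parallel (1.17.0)
 parser (2.6.3.0)
 ast (~> 2.4.0)
 rainbow (3.0.0)
-rake (12.3.
+rake (12.3.3)
 rbnacl (5.0.0)
 ffi
 rbnacl-libsodium (1.0.16)
@@ -63,33 +63,33 @@ GEM
 rspec-expectations (3.8.2)
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.8.0)
-rspec-mocks (3.8.
+rspec-mocks (3.8.1)
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.8.0)
-rspec-support (3.8.
+rspec-support (3.8.2)
 rspec_junit_formatter (0.4.1)
 rspec-core (>= 2, < 4, != 2.12.0)
-rubocop (0.
+rubocop (0.74.0)
 jaro_winkler (~> 1.5.1)
 parallel (~> 1.10)
-parser (>= 2.
+parser (>= 2.6)
 rainbow (>= 2.2.2, < 4.0)
 ruby-progressbar (~> 1.7)
-unicode-display_width (>= 1.4.0, < 1.
-rubocop-performance (1.1
-rubocop (>= 0.
-rubocop-rspec (1.
+unicode-display_width (>= 1.4.0, < 1.7)
+rubocop-performance (1.4.1)
+rubocop (>= 0.71.0)
+rubocop-rspec (1.35.0)
 rubocop (>= 0.60.0)
-rubocop_runner (2.
-ruby-progressbar (1.10.
-simplecov (0.
+rubocop_runner (2.2.0)
+ruby-progressbar (1.10.1)
+simplecov (0.17.0)
 docile (~> 1.1)
 json (>= 1.8, < 3)
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.2)
 thor (0.20.3)
 timecop (0.9.1)
-unicode-display_width (1.
+unicode-display_width (1.6.0)
 url (0.3.2)
 
 PLATFORMS
@@ -122,4 +122,4 @@ RUBY VERSION
 ruby 2.6.3p62
 
 BUNDLED WITH
-2.0.
+2.0.2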
data/SECURITY.md
ADDED
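--- a/data/lib/porky_lib/symmetric.rb
+++ b/data/lib/porky_lib/symmetric.rb
@@ -3,6 +3,7 @@
 require 'aws-sdk-kms'
 require 'rbnacl/libsodium'
 require 'singleton'
+require 'benchmark'
 
 class PorkyLib::Symmetric
 include Singleton
@@ -110,7 +111,95 @@ class PorkyLib::Symmetric
 [message, should_reencrypt]
 end
 
+def encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil)
+return if data.nil? || cmk_key_id.nil?
+
+encryption_statistics = {}
+
+# Generate a new data encryption key or decrypt existing key, if provided
+if ciphertext_dek
+plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
+decrypt_data_encryption_key(ciphertext_dek, encryption_context)
+end
+
+ciphertext_key = ciphertext_dek
+else
+plaintext_key, ciphertext_key = benchmark_block(encryption_statistics, :generate_key) do
+generate_data_encryption_key(cmk_key_id, encryption_context)
+end
+end
+
+nonce, ciphertext = benchmark_block(encryption_statistics, :encrypt) do
+# Initialize the box
+secret_box = RbNaCl::SecretBox.new(plaintext_key)
+
+# First, make a nonce: A single-use value never repeated under the same key
+# The nonce isn't secret, and can be sent with the ciphertext.
+# The cipher instance has a nonce_bytes method for determining how many bytes should be in a nonce
+nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)
+
+# Encrypt a message with SecretBox
+ciphertext = secret_box.encrypt(nonce, data)
+
+[nonce, ciphertext]
+end
+
+benchmark_block(encryption_statistics, :clear_key) do
+# Securely delete the plaintext value from memory
+plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
+end
+
+[ciphertext_key, ciphertext, nonce, encryption_statistics]
+end
+
+def decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil)
+return if ciphertext.nil? || ciphertext_dek.nil? || nonce.nil?
+
+encryption_statistics = {}
+
+plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
+# Decrypt the data encryption key
+decrypt_data_encryption_key(ciphertext_dek, encryption_context)
+end
+
+message, should_reencrypt = benchmark_block(encryption_statistics, :decrypt) do
+secret_box = RbNaCl::SecretBox.new(plaintext_key)
+
+should_reencrypt = false
+begin
+# Decrypt the message
+message = secret_box.decrypt(nonce, ciphertext)
+rescue RbNaCl::CryptoError
+# For backwards compatibility due to a code error in a previous release
+plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
+message = secret_box.decrypt(nonce, ciphertext)
+should_reencrypt = true
+end
+
+[message, should_reencrypt, encryption_statistics]
+end
+
+benchmark_block(encryption_statistics, :clear_key) do
+# Securely delete the plaintext value from memory
+plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
+end
+
+[message, should_reencrypt, encryption_statistics]
+end
+
 def secure_delete_plaintext_key(length)
 "\0" * length
 end
+
+private
+
+def benchmark_block(statistics, stat_label)
+results = nil
+
+measurement = Benchmark.measure { results = yield }
+
+statistics[stat_label] = measurement
+
+results
+end
 end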
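Review bot: The `:decrypt` block in decrypt_with_benchmark (new line 179) returns `[message, should_reencrypt, encryption_statistics]` while new line 165 destructures only two values and `encryption_statistics` is already returned at line 187, so the block should end with `[message, should_reencrypt]`. The `:clear_key` zeroisation at new lines 147–150 and 182–185 is not in an `ensure`, so if `secret_box.encrypt` or the retried `secret_box.decrypt` raises, the plaintext data key is never overwritten; wrapping the encrypt/decrypt step together with the clear step in `begin … ensure … end` would close that gap. Both methods appear to duplicate the existing `encrypt`/`decrypt` bodies (only the tail of `decrypt` is visible at the hunk start, and the enclosing class begins outside this hunk), so the non-benchmarked variants could delegate to these and drop the statistics instead of maintaining two copies of the key-handling logic. Neither new public method is documented; a header such as `# @return [Array(String, String, String, Hash{Symbol => Benchmark::Tms})] ciphertext_key, ciphertext, nonce and per-step timings` would tell callers what the fourth element holds and that `Benchmark.measure` objects, not numbers, are stored under each label.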
data/lib/porky_lib/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: porky_lib
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.
|
4
|
+
version: 0.6.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Greg Fletcher
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-08-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-kms
|
@@ -378,6 +378,7 @@ files:
|
|
378
378
|
- Gemfile.lock
|
379
379
|
- README.md
|
380
380
|
- Rakefile
|
381
|
+
- SECURITY.md
|
381
382
|
- bin/console
|
382
383
|
- bin/setup
|
383
384
|
- lib/porky_lib.rb
|