symmetric-encryption 4.1.0.beta1 → 4.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/symmetric_encryption/cipher.rb +9 -2
- data/lib/symmetric_encryption/cli.rb +13 -6
- data/lib/symmetric_encryption/config.rb +9 -6
- data/lib/symmetric_encryption/encoder.rb +6 -0
- data/lib/symmetric_encryption/extensions/mongoid/encrypted.rb +1 -0
- data/lib/symmetric_encryption/generator.rb +1 -1
- data/lib/symmetric_encryption/header.rb +7 -5
- data/lib/symmetric_encryption/key.rb +2 -0
- data/lib/symmetric_encryption/keystore/aws.rb +9 -9
- data/lib/symmetric_encryption/keystore/environment.rb +3 -2
- data/lib/symmetric_encryption/keystore/file.rb +1 -1
- data/lib/symmetric_encryption/keystore/memory.rb +1 -1
- data/lib/symmetric_encryption/keystore.rb +15 -16
- data/lib/symmetric_encryption/railtie.rb +7 -2
- data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb +1 -0
- data/lib/symmetric_encryption/reader.rb +50 -58
- data/lib/symmetric_encryption/symmetric_encryption.rb +2 -1
- data/lib/symmetric_encryption/utils/aws.rb +6 -4
- data/lib/symmetric_encryption/utils/re_encrypt_files.rb +2 -2
- data/lib/symmetric_encryption/version.rb +1 -1
- data/lib/symmetric_encryption/writer.rb +33 -27
- data/lib/symmetric_encryption.rb +26 -5
- data/test/active_record_test.rb +25 -25
- data/test/cipher_test.rb +3 -3
- data/test/header_test.rb +1 -1
- data/test/keystore/aws_test.rb +7 -7
- data/test/keystore/file_test.rb +1 -1
- data/test/keystore_test.rb +2 -2
- data/test/mongoid_test.rb +15 -15
- data/test/reader_test.rb +28 -8
- data/test/symmetric_encryption_test.rb +2 -2
- data/test/test_db.sqlite3 +0 -0
- data/test/utils/aws_test.rb +1 -2
- data/test/writer_test.rb +48 -46
- metadata +23 -23
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 825c28cf5b38d4cf22d26f4ed8196bbf1085ee0e09b372ab3c30aa055238902f
|
|
4
|
+
data.tar.gz: de736c34beb30c50e9316f0f85cade71b022caac4fe4ca94cc61c94d0c8fe1aa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 711727ec509464e8807f798f82c4944c25f37a2cd48ec190c93f4f0134437887c8355fedf199157727ffd7faaa1023146fa95946ee6f2f9ec8a648426ec68f60
|
|
7
|
+
data.tar.gz: 834ae0b58bd0ca3011b846a94709203ac648a6cd341c5f86f18c82fa4b4c9b16abfc400af9d3c7c0f0348b4127db7c425de56345738bfde0de5dae97666a4031
|
|
@@ -133,8 +133,10 @@ module SymmetricEncryption
|
|
|
133
133
|
# compression
|
|
134
134
|
def encrypt(str, random_iv: false, compress: false, header: always_add_header)
|
|
135
135
|
return if str.nil?
|
|
136
|
+
|
|
136
137
|
str = str.to_s
|
|
137
138
|
return str if str.empty?
|
|
139
|
+
|
|
138
140
|
encrypted = binary_encrypt(str, random_iv: random_iv, compress: compress, header: header)
|
|
139
141
|
encode(encrypted)
|
|
140
142
|
end
|
|
@@ -161,6 +163,7 @@ module SymmetricEncryption
|
|
|
161
163
|
return unless decoded
|
|
162
164
|
|
|
163
165
|
return decoded if decoded.empty?
|
|
166
|
+
|
|
164
167
|
decrypted = binary_decrypt(decoded)
|
|
165
168
|
|
|
166
169
|
# Try to force result to UTF-8 encoding, but if it is not valid, force it back to Binary
|
|
@@ -178,6 +181,7 @@ module SymmetricEncryption
|
|
|
178
181
|
# Returned string is UTF8 encoded except for encoding :none
|
|
179
182
|
def encode(binary_string)
|
|
180
183
|
return binary_string if binary_string.nil? || (binary_string == '')
|
|
184
|
+
|
|
181
185
|
encoder.encode(binary_string)
|
|
182
186
|
end
|
|
183
187
|
|
|
@@ -187,6 +191,7 @@ module SymmetricEncryption
|
|
|
187
191
|
# Returned string is Binary encoded
|
|
188
192
|
def decode(encoded_string)
|
|
189
193
|
return encoded_string if encoded_string.nil? || (encoded_string == '')
|
|
194
|
+
|
|
190
195
|
encoder.decode(encoded_string)
|
|
191
196
|
end
|
|
192
197
|
|
|
@@ -243,6 +248,7 @@ module SymmetricEncryption
|
|
|
243
248
|
# See #encrypt to encrypt and encode the result as a string.
|
|
244
249
|
def binary_encrypt(str, random_iv: false, compress: false, header: always_add_header)
|
|
245
250
|
return if str.nil?
|
|
251
|
+
|
|
246
252
|
string = str.to_s
|
|
247
253
|
return string if string.empty?
|
|
248
254
|
|
|
@@ -300,6 +306,7 @@ module SymmetricEncryption
|
|
|
300
306
|
# is automatically set to the same UTF-8 or Binary encoding
|
|
301
307
|
def binary_decrypt(encrypted_string, header: Header.new)
|
|
302
308
|
return if encrypted_string.nil?
|
|
309
|
+
|
|
303
310
|
str = encrypted_string.to_s
|
|
304
311
|
str.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
|
305
312
|
return str if str.empty?
|
|
@@ -309,8 +316,8 @@ module SymmetricEncryption
|
|
|
309
316
|
|
|
310
317
|
openssl_cipher = ::OpenSSL::Cipher.new(header.cipher_name || cipher_name)
|
|
311
318
|
openssl_cipher.decrypt
|
|
312
|
-
openssl_cipher.key
|
|
313
|
-
if (iv
|
|
319
|
+
openssl_cipher.key = header.key || @key
|
|
320
|
+
if (iv = header.iv || @iv)
|
|
314
321
|
openssl_cipher.iv = iv
|
|
315
322
|
end
|
|
316
323
|
result = openssl_cipher.update(data)
|
|
@@ -70,7 +70,7 @@ module SymmetricEncryption
|
|
|
70
70
|
end
|
|
71
71
|
|
|
72
72
|
def parser
|
|
73
|
-
@parser
|
|
73
|
+
@parser ||= OptionParser.new do |opts|
|
|
74
74
|
opts.banner = <<~BANNER
|
|
75
75
|
Symmetric Encryption v#{VERSION}
|
|
76
76
|
|
|
@@ -99,10 +99,14 @@ module SymmetricEncryption
|
|
|
99
99
|
@prompt = true
|
|
100
100
|
end
|
|
101
101
|
|
|
102
|
-
opts.on '-z', '--compress', 'Compress encrypted output file.' do
|
|
102
|
+
opts.on '-z', '--compress', 'Compress encrypted output file. [Default for encrypting files]' do
|
|
103
103
|
@compress = true
|
|
104
104
|
end
|
|
105
105
|
|
|
106
|
+
opts.on '-Z', '--no-compress', 'Does not compress the output file. [Default for encrypting strings]' do
|
|
107
|
+
@compress = false
|
|
108
|
+
end
|
|
109
|
+
|
|
106
110
|
opts.on '-E', '--env ENVIRONMENT', "Environment to use in the config file. Default: SYMMETRIC_ENCRYPTION_ENV || RACK_ENV || RAILS_ENV || 'development'" do |environment|
|
|
107
111
|
@environment = environment
|
|
108
112
|
end
|
|
@@ -208,7 +212,7 @@ module SymmetricEncryption
|
|
|
208
212
|
|
|
209
213
|
config_file_does_not_exist!
|
|
210
214
|
self.environments ||= %i[development test release production]
|
|
211
|
-
args
|
|
215
|
+
args = {
|
|
212
216
|
app_name: app_name,
|
|
213
217
|
environments: environments,
|
|
214
218
|
cipher_name: cipher_name
|
|
@@ -250,7 +254,8 @@ module SymmetricEncryption
|
|
|
250
254
|
config.each_pair do |env, cfg|
|
|
251
255
|
next if environments && !environments.include?(env.to_sym)
|
|
252
256
|
next unless ciphers = cfg[:ciphers]
|
|
253
|
-
|
|
257
|
+
|
|
258
|
+
highest = ciphers.max_by { |i| i[:version] }
|
|
254
259
|
ciphers.clear
|
|
255
260
|
ciphers << highest
|
|
256
261
|
end
|
|
@@ -264,7 +269,8 @@ module SymmetricEncryption
|
|
|
264
269
|
config.each_pair do |env, cfg|
|
|
265
270
|
next if environments && !environments.include?(env.to_sym)
|
|
266
271
|
next unless ciphers = cfg[:ciphers]
|
|
267
|
-
|
|
272
|
+
|
|
273
|
+
highest = ciphers.max_by { |i| i[:version] }
|
|
268
274
|
ciphers.delete(highest)
|
|
269
275
|
ciphers.unshift(highest)
|
|
270
276
|
end
|
|
@@ -312,7 +318,7 @@ module SymmetricEncryption
|
|
|
312
318
|
|
|
313
319
|
puts('Values do not match, please try again') if value1 != value2
|
|
314
320
|
end
|
|
315
|
-
|
|
321
|
+
compress = false if compress.nil?
|
|
316
322
|
encrypted = SymmetricEncryption.cipher(version).encrypt(value1, compress: compress)
|
|
317
323
|
output_file_name ? File.open(output_file_name, 'wb') { |f| f << encrypted } : puts("\n\nEncrypted: #{encrypted}\n\n")
|
|
318
324
|
end
|
|
@@ -334,6 +340,7 @@ module SymmetricEncryption
|
|
|
334
340
|
# Ensure that the config file does not already exist before generating a new one.
|
|
335
341
|
def config_file_does_not_exist!
|
|
336
342
|
return unless File.exist?(config_file_path)
|
|
343
|
+
|
|
337
344
|
puts "\nConfiguration file already exists, please move or rename: #{config_file_path}\n\n"
|
|
338
345
|
exit(-1)
|
|
339
346
|
end
|
|
@@ -53,8 +53,8 @@ module SymmetricEncryption
|
|
|
53
53
|
env ||= defined?(Rails) ? Rails.env : ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
|
|
54
54
|
|
|
55
55
|
unless file_name
|
|
56
|
-
root
|
|
57
|
-
file_name
|
|
56
|
+
root = defined?(Rails) ? Rails.root : '.'
|
|
57
|
+
file_name =
|
|
58
58
|
if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
|
|
59
59
|
File.expand_path(env_var)
|
|
60
60
|
else
|
|
@@ -101,6 +101,7 @@ module SymmetricEncryption
|
|
|
101
101
|
object
|
|
102
102
|
end
|
|
103
103
|
end
|
|
104
|
+
|
|
104
105
|
private_class_method :deep_symbolize_keys
|
|
105
106
|
|
|
106
107
|
# Iterate through the Hash symbolizing all keys.
|
|
@@ -119,28 +120,29 @@ module SymmetricEncryption
|
|
|
119
120
|
object
|
|
120
121
|
end
|
|
121
122
|
end
|
|
123
|
+
|
|
122
124
|
private_class_method :deep_stringify_keys
|
|
123
125
|
|
|
124
126
|
# Migrate old configuration format for this environment
|
|
125
127
|
def self.migrate_old_formats!(config)
|
|
126
128
|
# Inline single cipher before :ciphers
|
|
127
129
|
unless config.key?(:ciphers)
|
|
128
|
-
inline_cipher
|
|
130
|
+
inline_cipher = {}
|
|
129
131
|
config.keys.each { |key| inline_cipher[key] = config.delete(key) }
|
|
130
|
-
config[:ciphers]
|
|
132
|
+
config[:ciphers] = [inline_cipher]
|
|
131
133
|
end
|
|
132
134
|
|
|
133
135
|
# Copy Old :private_rsa_key into each ciphers config
|
|
134
136
|
# Cipher.from_config replaces it with the RSA Kek
|
|
135
137
|
if config[:private_rsa_key]
|
|
136
|
-
private_rsa_key
|
|
138
|
+
private_rsa_key = config.delete(:private_rsa_key)
|
|
137
139
|
config[:ciphers].each { |cipher| cipher[:private_rsa_key] = private_rsa_key }
|
|
138
140
|
end
|
|
139
141
|
|
|
140
142
|
# Old :cipher_name
|
|
141
143
|
config[:ciphers].each do |cipher|
|
|
142
144
|
if (old_key_name_cipher = cipher.delete(:cipher))
|
|
143
|
-
cipher[:cipher_name]
|
|
145
|
+
cipher[:cipher_name] = old_key_name_cipher
|
|
144
146
|
end
|
|
145
147
|
|
|
146
148
|
# Only temporarily used during v4 Beta process
|
|
@@ -156,6 +158,7 @@ module SymmetricEncryption
|
|
|
156
158
|
end
|
|
157
159
|
config
|
|
158
160
|
end
|
|
161
|
+
|
|
159
162
|
private_class_method :migrate_old_formats!
|
|
160
163
|
end
|
|
161
164
|
end
|
|
@@ -36,12 +36,14 @@ module SymmetricEncryption
|
|
|
36
36
|
class Base64
|
|
37
37
|
def encode(binary_string)
|
|
38
38
|
return binary_string if binary_string.nil? || (binary_string == '')
|
|
39
|
+
|
|
39
40
|
encoded_string = ::Base64.encode64(binary_string)
|
|
40
41
|
encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
|
|
41
42
|
end
|
|
42
43
|
|
|
43
44
|
def decode(encoded_string)
|
|
44
45
|
return encoded_string if encoded_string.nil? || (encoded_string == '')
|
|
46
|
+
|
|
45
47
|
decoded_string = ::Base64.decode64(encoded_string)
|
|
46
48
|
decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
|
47
49
|
end
|
|
@@ -50,12 +52,14 @@ module SymmetricEncryption
|
|
|
50
52
|
class Base64Strict
|
|
51
53
|
def encode(binary_string)
|
|
52
54
|
return binary_string if binary_string.nil? || (binary_string == '')
|
|
55
|
+
|
|
53
56
|
encoded_string = ::Base64.strict_encode64(binary_string)
|
|
54
57
|
encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
|
|
55
58
|
end
|
|
56
59
|
|
|
57
60
|
def decode(encoded_string)
|
|
58
61
|
return encoded_string if encoded_string.nil? || (encoded_string == '')
|
|
62
|
+
|
|
59
63
|
decoded_string = ::Base64.decode64(encoded_string)
|
|
60
64
|
decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
|
61
65
|
end
|
|
@@ -64,12 +68,14 @@ module SymmetricEncryption
|
|
|
64
68
|
class Base16
|
|
65
69
|
def encode(binary_string)
|
|
66
70
|
return binary_string if binary_string.nil? || (binary_string == '')
|
|
71
|
+
|
|
67
72
|
encoded_string = binary_string.to_s.unpack('H*').first
|
|
68
73
|
encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
|
|
69
74
|
end
|
|
70
75
|
|
|
71
76
|
def decode(encoded_string)
|
|
72
77
|
return encoded_string if encoded_string.nil? || (encoded_string == '')
|
|
78
|
+
|
|
73
79
|
decoded_string = [encoded_string].pack('H*')
|
|
74
80
|
decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
|
75
81
|
end
|
|
@@ -12,7 +12,7 @@ module SymmetricEncryption
|
|
|
12
12
|
raise(ArgumentError, "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}") unless SymmetricEncryption::COERCION_TYPES.include?(type)
|
|
13
13
|
|
|
14
14
|
if model.const_defined?(:EncryptedAttributes, _search_ancestors = false)
|
|
15
|
-
mod
|
|
15
|
+
mod = model.const_get(:EncryptedAttributes)
|
|
16
16
|
else
|
|
17
17
|
mod = model.const_set(:EncryptedAttributes, Module.new)
|
|
18
18
|
model.send(:include, mod)
|
|
@@ -38,6 +38,7 @@ module SymmetricEncryption
|
|
|
38
38
|
# Note: The encoding of the supplied buffer is forced to binary if not already binary
|
|
39
39
|
def self.present?(buffer)
|
|
40
40
|
return false if buffer.nil? || (buffer == '')
|
|
41
|
+
|
|
41
42
|
buffer.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
|
42
43
|
buffer.start_with?(MAGIC_HEADER)
|
|
43
44
|
end
|
|
@@ -112,6 +113,7 @@ module SymmetricEncryption
|
|
|
112
113
|
def parse!(buffer)
|
|
113
114
|
offset = parse(buffer)
|
|
114
115
|
return if offset.zero?
|
|
116
|
+
|
|
115
117
|
buffer.slice!(0..offset - 1)
|
|
116
118
|
buffer
|
|
117
119
|
end
|
|
@@ -151,7 +153,7 @@ module SymmetricEncryption
|
|
|
151
153
|
|
|
152
154
|
# Remove header and extract flags
|
|
153
155
|
self.version = buffer.getbyte(offset)
|
|
154
|
-
offset
|
|
156
|
+
offset += 1
|
|
155
157
|
|
|
156
158
|
unless cipher
|
|
157
159
|
raise(
|
|
@@ -160,7 +162,7 @@ module SymmetricEncryption
|
|
|
160
162
|
)
|
|
161
163
|
end
|
|
162
164
|
|
|
163
|
-
flags
|
|
165
|
+
flags = buffer.getbyte(offset)
|
|
164
166
|
offset += 1
|
|
165
167
|
|
|
166
168
|
self.compress = (flags & FLAG_COMPRESSED) != 0
|
|
@@ -195,7 +197,7 @@ module SymmetricEncryption
|
|
|
195
197
|
|
|
196
198
|
# Returns [String] this header as a string
|
|
197
199
|
def to_s
|
|
198
|
-
flags
|
|
200
|
+
flags = 0
|
|
199
201
|
flags |= FLAG_COMPRESSED if compressed?
|
|
200
202
|
flags |= FLAG_IV if iv
|
|
201
203
|
flags |= FLAG_KEY if key
|
|
@@ -256,9 +258,9 @@ module SymmetricEncryption
|
|
|
256
258
|
# Exception when
|
|
257
259
|
# - offset exceeds length of buffer
|
|
258
260
|
# byteslice truncates when too long, but returns nil when start is beyond end of buffer
|
|
259
|
-
len
|
|
261
|
+
len = buffer.byteslice(offset, 2).unpack('v').first
|
|
260
262
|
offset += 2
|
|
261
|
-
out
|
|
263
|
+
out = buffer.byteslice(offset, len)
|
|
262
264
|
[out, offset + len]
|
|
263
265
|
end
|
|
264
266
|
end
|
|
@@ -11,6 +11,7 @@ module SymmetricEncryption
|
|
|
11
11
|
|
|
12
12
|
def encrypt(string)
|
|
13
13
|
return if string.nil?
|
|
14
|
+
|
|
14
15
|
string = string.to_s
|
|
15
16
|
return string if string.empty?
|
|
16
17
|
|
|
@@ -26,6 +27,7 @@ module SymmetricEncryption
|
|
|
26
27
|
|
|
27
28
|
def decrypt(encrypted_string)
|
|
28
29
|
return if encrypted_string.nil?
|
|
30
|
+
|
|
29
31
|
encrypted_string = encrypted_string.to_s
|
|
30
32
|
encrypted_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
|
31
33
|
return encrypted_string if encrypted_string.empty?
|
|
@@ -70,22 +70,22 @@ module SymmetricEncryption
|
|
|
70
70
|
# iv: 'T80pYzD0E6e/bJCdjZ6TiQ=='
|
|
71
71
|
# }
|
|
72
72
|
def self.generate_data_key(version: 0,
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
73
|
+
regions: Utils::Aws::AWS_US_REGIONS,
|
|
74
|
+
dek: nil,
|
|
75
|
+
cipher_name:,
|
|
76
|
+
app_name:,
|
|
77
|
+
environment:,
|
|
78
|
+
key_path:)
|
|
79
79
|
|
|
80
80
|
# TODO: Also support generating environment variables instead of files.
|
|
81
81
|
|
|
82
82
|
version >= 255 ? (version = 1) : (version += 1)
|
|
83
|
-
regions
|
|
83
|
+
regions = Array(regions).dup
|
|
84
84
|
|
|
85
85
|
master_key_alias = master_key_alias(app_name, environment)
|
|
86
86
|
|
|
87
87
|
# File per region for holding the encrypted data key
|
|
88
|
-
key_files
|
|
88
|
+
key_files = regions.collect do |region|
|
|
89
89
|
file_name = "#{app_name}_#{environment}_#{region}_v#{version}.encrypted_key"
|
|
90
90
|
{region: region, file_name: ::File.join(key_path, file_name)}
|
|
91
91
|
end
|
|
@@ -146,7 +146,7 @@ module SymmetricEncryption
|
|
|
146
146
|
region = key_file[:region]
|
|
147
147
|
file_name = key_file[:file_name]
|
|
148
148
|
|
|
149
|
-
raise(ArgumentError,
|
|
149
|
+
raise(ArgumentError, 'region and file_name are mandatory for each key_file entry') unless region && file_name
|
|
150
150
|
|
|
151
151
|
encrypted_data_key = aws(region).encrypt(data_key)
|
|
152
152
|
encoded_dek = Base64.strict_encode64(encrypted_data_key)
|
|
@@ -10,7 +10,7 @@ module SymmetricEncryption
|
|
|
10
10
|
def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
|
|
11
11
|
version >= 255 ? (version = 1) : (version += 1)
|
|
12
12
|
|
|
13
|
-
kek
|
|
13
|
+
kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
14
14
|
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
15
15
|
|
|
16
16
|
key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr('-', '_')
|
|
@@ -41,6 +41,7 @@ module SymmetricEncryption
|
|
|
41
41
|
def read
|
|
42
42
|
encrypted = ENV[key_env_var]
|
|
43
43
|
raise "The Environment Variable #{key_env_var} must be set with the encrypted encryption key." unless encrypted
|
|
44
|
+
|
|
44
45
|
binary = encoder.decode(encrypted)
|
|
45
46
|
key_encrypting_key.decrypt(binary)
|
|
46
47
|
end
|
|
@@ -49,7 +50,7 @@ module SymmetricEncryption
|
|
|
49
50
|
def write(key)
|
|
50
51
|
encrypted_key = key_encrypting_key.encrypt(key)
|
|
51
52
|
puts "\n\n********************************************************************************"
|
|
52
|
-
puts
|
|
53
|
+
puts 'Set the environment variable as follows:'
|
|
53
54
|
puts " export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
|
|
54
55
|
puts '********************************************************************************'
|
|
55
56
|
end
|
|
@@ -9,7 +9,7 @@ module SymmetricEncryption
|
|
|
9
9
|
def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
|
|
10
10
|
version >= 255 ? (version = 1) : (version += 1)
|
|
11
11
|
|
|
12
|
-
dek
|
|
12
|
+
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
13
13
|
kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
14
14
|
kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
15
15
|
|
|
@@ -15,7 +15,7 @@ module SymmetricEncryption
|
|
|
15
15
|
def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
|
|
16
16
|
version >= 255 ? (version = 1) : (version += 1)
|
|
17
17
|
|
|
18
|
-
kek
|
|
18
|
+
kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
19
19
|
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
|
20
20
|
|
|
21
21
|
encrypted_key = new(key_encrypting_key: kek).write(dek.key)
|
|
@@ -72,7 +72,7 @@ module SymmetricEncryption
|
|
|
72
72
|
|
|
73
73
|
keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(config)
|
|
74
74
|
|
|
75
|
-
args
|
|
75
|
+
args = {
|
|
76
76
|
cipher_name: cipher_name,
|
|
77
77
|
app_name: app_name,
|
|
78
78
|
version: version,
|
|
@@ -104,7 +104,7 @@ module SymmetricEncryption
|
|
|
104
104
|
# Only generate new keys for keystore's that have a key encrypting key
|
|
105
105
|
next unless config[:key_encrypting_key]
|
|
106
106
|
|
|
107
|
-
version
|
|
107
|
+
version = config.delete(:version) || 1
|
|
108
108
|
version -= 1
|
|
109
109
|
|
|
110
110
|
always_add_header = config.delete(:always_add_header)
|
|
@@ -117,7 +117,7 @@ module SymmetricEncryption
|
|
|
117
117
|
cipher_name = key.cipher_name
|
|
118
118
|
keystore_class = keystore_for(config)
|
|
119
119
|
|
|
120
|
-
args
|
|
120
|
+
args = {
|
|
121
121
|
cipher_name: cipher_name,
|
|
122
122
|
app_name: app_name,
|
|
123
123
|
version: version,
|
|
@@ -141,14 +141,14 @@ module SymmetricEncryption
|
|
|
141
141
|
def self.dev_config
|
|
142
142
|
{
|
|
143
143
|
ciphers:
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
144
|
+
[
|
|
145
|
+
{
|
|
146
|
+
key: '1234567890ABCDEF',
|
|
147
|
+
iv: '1234567890ABCDEF',
|
|
148
|
+
cipher_name: 'aes-128-cbc',
|
|
149
|
+
version: 1
|
|
150
|
+
}
|
|
151
|
+
]
|
|
152
152
|
}
|
|
153
153
|
end
|
|
154
154
|
|
|
@@ -219,12 +219,12 @@ module SymmetricEncryption
|
|
|
219
219
|
|
|
220
220
|
# Migrate old encrypted_iv
|
|
221
221
|
if (encrypted_iv = config.delete(:encrypted_iv)) && private_rsa_key
|
|
222
|
-
encrypted_iv
|
|
223
|
-
config[:iv]
|
|
222
|
+
encrypted_iv = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
|
|
223
|
+
config[:iv] = ::Base64.decode64(encrypted_iv)
|
|
224
224
|
end
|
|
225
225
|
|
|
226
226
|
# Migrate old iv_filename
|
|
227
|
-
if (file_name
|
|
227
|
+
if (file_name = config.delete(:iv_filename)) && private_rsa_key
|
|
228
228
|
encrypted_iv = ::File.read(file_name)
|
|
229
229
|
config[:iv] = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
|
|
230
230
|
end
|
|
@@ -233,10 +233,9 @@ module SymmetricEncryption
|
|
|
233
233
|
config[:key_encrypting_key] = RSAKey.new(private_rsa_key) if private_rsa_key
|
|
234
234
|
|
|
235
235
|
# Migrate old encrypted_key to new binary format
|
|
236
|
-
if (encrypted_key
|
|
236
|
+
if (encrypted_key = config[:encrypted_key]) && private_rsa_key
|
|
237
237
|
config[:encrypted_key] = ::Base64.decode64(encrypted_key)
|
|
238
238
|
end
|
|
239
239
|
end
|
|
240
|
-
|
|
241
240
|
end
|
|
242
241
|
end
|