symmetric-encryption 4.3.1 → 4.3.2
- checksums.yaml +4 -4
- data/Rakefile +9 -9
- data/bin/symmetric-encryption +1 -1
- data/lib/symmetric-encryption.rb +1 -1
- data/lib/symmetric_encryption.rb +9 -9
- data/lib/symmetric_encryption/active_record/attr_encrypted.rb +1 -1
- data/lib/symmetric_encryption/cipher.rb +14 -10
- data/lib/symmetric_encryption/cli.rb +51 -51
- data/lib/symmetric_encryption/coerce.rb +3 -3
- data/lib/symmetric_encryption/config.rb +27 -26
- data/lib/symmetric_encryption/core.rb +22 -22
- data/lib/symmetric_encryption/encoder.rb +8 -8
- data/lib/symmetric_encryption/generator.rb +7 -3
- data/lib/symmetric_encryption/header.rb +12 -12
- data/lib/symmetric_encryption/key.rb +1 -1
- data/lib/symmetric_encryption/keystore.rb +20 -20
- data/lib/symmetric_encryption/keystore/aws.rb +6 -6
- data/lib/symmetric_encryption/keystore/environment.rb +4 -4
- data/lib/symmetric_encryption/keystore/file.rb +17 -3
- data/lib/symmetric_encryption/keystore/gcp.rb +6 -6
- data/lib/symmetric_encryption/keystore/heroku.rb +1 -1
- data/lib/symmetric_encryption/keystore/memory.rb +1 -1
- data/lib/symmetric_encryption/railtie.rb +6 -6
- data/lib/symmetric_encryption/railties/mongoid_encrypted.rb +3 -3
- data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb +1 -1
- data/lib/symmetric_encryption/reader.rb +13 -13
- data/lib/symmetric_encryption/rsa_key.rb +1 -1
- data/lib/symmetric_encryption/symmetric_encryption.rb +23 -17
- data/lib/symmetric_encryption/utils/aws.rb +8 -8
- data/lib/symmetric_encryption/utils/files.rb +3 -3
- data/lib/symmetric_encryption/utils/re_encrypt_files.rb +5 -5
- data/lib/symmetric_encryption/version.rb +1 -1
- data/lib/symmetric_encryption/writer.rb +17 -11
- metadata +3 -3
@@ -14,7 +14,7 @@ module SymmetricEncryption
|
|
14
14
|
# Coerce given value into given type
|
15
15
|
# Does not coerce json or yaml values
|
16
16
|
def self.coerce(value, type, from_type = nil)
|
17
|
-
return value if value.nil? || (value ==
|
17
|
+
return value if value.nil? || (value == "")
|
18
18
|
|
19
19
|
from_type ||= value.class
|
20
20
|
case type
|
@@ -32,7 +32,7 @@ module SymmetricEncryption
|
|
32
32
|
# Note: if the type is :string, then the value is returned as is, and the
|
33
33
|
# coercible gem is not used at all.
|
34
34
|
def self.coerce_from_string(value, type)
|
35
|
-
return value if value.nil? || (value ==
|
35
|
+
return value if value.nil? || (value == "")
|
36
36
|
|
37
37
|
case type
|
38
38
|
when :string
|
@@ -50,7 +50,7 @@ module SymmetricEncryption
|
|
50
50
|
# Note: if the type is :string, and value is not nil, then #to_s is called
|
51
51
|
# on the value and the coercible gem is not used at all.
|
52
52
|
def self.coerce_to_string(value, type)
|
53
|
-
return value if value.nil? || (value ==
|
53
|
+
return value if value.nil? || (value == "")
|
54
54
|
|
55
55
|
case type
|
56
56
|
when :string
|
@@ -1,5 +1,5 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "erb"
|
2
|
+
require "yaml"
|
3
3
|
module SymmetricEncryption
|
4
4
|
class Config
|
5
5
|
attr_reader :file_name, :env
|
@@ -38,12 +38,12 @@ module SymmetricEncryption
|
|
38
38
|
config = deep_stringify_keys(config)
|
39
39
|
|
40
40
|
FileUtils.mkdir_p(File.dirname(file_name))
|
41
|
-
File.open(file_name,
|
42
|
-
f.puts
|
43
|
-
f.puts
|
44
|
-
f.puts
|
45
|
-
f.puts
|
46
|
-
f.puts
|
41
|
+
File.open(file_name, "w") do |f|
|
42
|
+
f.puts "# This file was auto generated by symmetric-encryption."
|
43
|
+
f.puts "# Recommend using symmetric-encryption to make changes."
|
44
|
+
f.puts "# For more info, run:"
|
45
|
+
f.puts "# symmetric-encryption --help"
|
46
|
+
f.puts "#"
|
47
47
|
f.write(config.to_yaml)
|
48
48
|
end
|
49
49
|
end
|
@@ -52,15 +52,15 @@ module SymmetricEncryption
|
|
52
52
|
#
|
53
53
|
# See: `.load!` for parameters.
|
54
54
|
def initialize(file_name: nil, env: nil)
|
55
|
-
env ||= defined?(Rails) ? Rails.env : ENV[
|
55
|
+
env ||= defined?(Rails) ? Rails.env : ENV["RACK_ENV"] || ENV["RAILS_ENV"] || "development"
|
56
56
|
|
57
57
|
unless file_name
|
58
|
-
root
|
59
|
-
file_name
|
60
|
-
if (env_var = ENV[
|
58
|
+
root = defined?(Rails) ? Rails.root : "."
|
59
|
+
file_name =
|
60
|
+
if (env_var = ENV["SYMMETRIC_ENCRYPTION_CONFIG"])
|
61
61
|
File.expand_path(env_var)
|
62
62
|
else
|
63
|
-
File.join(root,
|
63
|
+
File.join(root, "config", "symmetric-encryption.yml")
|
64
64
|
end
|
65
65
|
raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
|
66
66
|
end
|
@@ -71,20 +71,21 @@ module SymmetricEncryption
|
|
71
71
|
|
72
72
|
# Returns [Hash] the configuration for the supplied environment.
|
73
73
|
def config
|
74
|
-
@config ||=
|
75
|
-
|
74
|
+
@config ||=
|
75
|
+
begin
|
76
|
+
raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
|
76
77
|
|
77
|
-
|
78
|
-
|
78
|
+
env_config = YAML.load(ERB.new(File.new(file_name).read).result)[env]
|
79
|
+
raise(ConfigError, "Cannot find environment: #{env} in config file: #{file_name}") unless env_config
|
79
80
|
|
80
|
-
|
81
|
-
|
82
|
-
|
81
|
+
env_config = self.class.send(:deep_symbolize_keys, env_config)
|
82
|
+
self.class.send(:migrate_old_formats!, env_config)
|
83
|
+
end
|
83
84
|
end
|
84
85
|
|
85
86
|
# Returns [Array(SymmetricEncrytion::Cipher)] ciphers specified in the configuration file.
|
86
87
|
def ciphers
|
87
|
-
@ciphers ||= config[:ciphers].collect { |cipher_config| Cipher.from_config(cipher_config) }
|
88
|
+
@ciphers ||= config[:ciphers].collect { |cipher_config| Cipher.from_config(**cipher_config) }
|
88
89
|
end
|
89
90
|
|
90
91
|
# Iterate through the Hash symbolizing all keys.
|
@@ -129,22 +130,22 @@ module SymmetricEncryption
|
|
129
130
|
def self.migrate_old_formats!(config)
|
130
131
|
# Inline single cipher before :ciphers
|
131
132
|
unless config.key?(:ciphers)
|
132
|
-
inline_cipher
|
133
|
+
inline_cipher = {}
|
133
134
|
config.keys.each { |key| inline_cipher[key] = config.delete(key) }
|
134
|
-
config[:ciphers]
|
135
|
+
config[:ciphers] = [inline_cipher]
|
135
136
|
end
|
136
137
|
|
137
138
|
# Copy Old :private_rsa_key into each ciphers config
|
138
139
|
# Cipher.from_config replaces it with the RSA Kek
|
139
140
|
if config[:private_rsa_key]
|
140
|
-
private_rsa_key
|
141
|
+
private_rsa_key = config.delete(:private_rsa_key)
|
141
142
|
config[:ciphers].each { |cipher| cipher[:private_rsa_key] = private_rsa_key }
|
142
143
|
end
|
143
144
|
|
144
145
|
# Old :cipher_name
|
145
146
|
config[:ciphers].each do |cipher|
|
146
147
|
if (old_key_name_cipher = cipher.delete(:cipher))
|
147
|
-
cipher[:cipher_name]
|
148
|
+
cipher[:cipher_name] = old_key_name_cipher
|
148
149
|
end
|
149
150
|
|
150
151
|
# Only temporarily used during v4 Beta process
|
@@ -155,7 +156,7 @@ module SymmetricEncryption
|
|
155
156
|
# encrypted_key: <%= ENV['VAR'] %>
|
156
157
|
if cipher.key?(:encrypted_key) && cipher[:encrypted_key].nil?
|
157
158
|
cipher[:key_env_var] = :placeholder
|
158
|
-
puts
|
159
|
+
puts "WARNING: :encrypted_key resolved to nil. Please see the migrated config file for the new option :key_env_var."
|
159
160
|
end
|
160
161
|
end
|
161
162
|
config
|
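Review bot: `File.new(file_name).read` on new line 78 of the `config` method opens a File that is never closed, leaving the descriptor to the garbage collector; `File.read(file_name)` reads and closes in one call. The same line hands the ERB output to `YAML.load`, which on Psych before 4 instantiates any Ruby object named in the document and on Psych 4 silently becomes safe_load with aliases disabled, so a config that uses `&default`/`<<: *default` anchors would start raising Psych::BadAlias; `YAML.safe_load(ERB.new(File.read(file_name)).result, aliases: true)` pins the intended behaviour on both, adding `permitted_classes: [Symbol]` if values are written as YAML symbols (the `:placeholder` handling in `migrate_old_formats!` suggests some are). The file is ERB-evaluated, so it has to be trusted anyway and the permitted-class list can stay minimal. The `File.exist?` guard added at line 76 repeats the one at line 65 of `initialize`; a short comment such as `# re-checked here for callers that pass an explicit file_name` would save the next reader the question of whether one of them is dead.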
@@ -1,34 +1,34 @@
|
|
1
1
|
# Used for compression
|
2
|
-
require
|
2
|
+
require "zlib"
|
3
3
|
# Used to coerce data types between string and their actual types
|
4
|
-
require
|
4
|
+
require "coercible"
|
5
5
|
|
6
|
-
require
|
7
|
-
require
|
8
|
-
require
|
9
|
-
require
|
6
|
+
require "symmetric_encryption/version"
|
7
|
+
require "symmetric_encryption/cipher"
|
8
|
+
require "symmetric_encryption/symmetric_encryption"
|
9
|
+
require "symmetric_encryption/exception"
|
10
10
|
|
11
11
|
# @formatter:off
|
12
12
|
module SymmetricEncryption
|
13
|
-
autoload :Coerce,
|
14
|
-
autoload :Config,
|
15
|
-
autoload :Encoder,
|
16
|
-
autoload :EncryptedStringType,
|
17
|
-
autoload :Generator,
|
18
|
-
autoload :Header,
|
19
|
-
autoload :Key,
|
20
|
-
autoload :Reader,
|
21
|
-
autoload :RSAKey,
|
22
|
-
autoload :Writer,
|
23
|
-
autoload :CLI,
|
24
|
-
autoload :Keystore,
|
13
|
+
autoload :Coerce, "symmetric_encryption/coerce"
|
14
|
+
autoload :Config, "symmetric_encryption/config"
|
15
|
+
autoload :Encoder, "symmetric_encryption/encoder"
|
16
|
+
autoload :EncryptedStringType, "symmetric_encryption/types/encrypted_string_type"
|
17
|
+
autoload :Generator, "symmetric_encryption/generator"
|
18
|
+
autoload :Header, "symmetric_encryption/header"
|
19
|
+
autoload :Key, "symmetric_encryption/key"
|
20
|
+
autoload :Reader, "symmetric_encryption/reader"
|
21
|
+
autoload :RSAKey, "symmetric_encryption/rsa_key"
|
22
|
+
autoload :Writer, "symmetric_encryption/writer"
|
23
|
+
autoload :CLI, "symmetric_encryption/cli"
|
24
|
+
autoload :Keystore, "symmetric_encryption/keystore"
|
25
25
|
module ActiveRecord
|
26
|
-
autoload :EncryptedAttribute,
|
26
|
+
autoload :EncryptedAttribute, "symmetric_encryption/active_record/encrypted_attribute"
|
27
27
|
end
|
28
28
|
module Utils
|
29
|
-
autoload :Aws,
|
30
|
-
autoload :Files,
|
31
|
-
autoload :ReEncryptFiles,
|
29
|
+
autoload :Aws, "symmetric_encryption/utils/aws"
|
30
|
+
autoload :Files, "symmetric_encryption/utils/files"
|
31
|
+
autoload :ReEncryptFiles, "symmetric_encryption/utils/re_encrypt_files"
|
32
32
|
end
|
33
33
|
end
|
34
34
|
# @formatter:on
|
@@ -35,14 +35,14 @@ module SymmetricEncryption
|
|
35
35
|
|
36
36
|
class Base64
|
37
37
|
def encode(binary_string)
|
38
|
-
return binary_string if binary_string.nil? || (binary_string ==
|
38
|
+
return binary_string if binary_string.nil? || (binary_string == "")
|
39
39
|
|
40
40
|
encoded_string = ::Base64.encode64(binary_string)
|
41
41
|
encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
|
42
42
|
end
|
43
43
|
|
44
44
|
def decode(encoded_string)
|
45
|
-
return encoded_string if encoded_string.nil? || (encoded_string ==
|
45
|
+
return encoded_string if encoded_string.nil? || (encoded_string == "")
|
46
46
|
|
47
47
|
decoded_string = ::Base64.decode64(encoded_string)
|
48
48
|
decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
@@ -51,14 +51,14 @@ module SymmetricEncryption
|
|
51
51
|
|
52
52
|
class Base64Strict
|
53
53
|
def encode(binary_string)
|
54
|
-
return binary_string if binary_string.nil? || (binary_string ==
|
54
|
+
return binary_string if binary_string.nil? || (binary_string == "")
|
55
55
|
|
56
56
|
encoded_string = ::Base64.strict_encode64(binary_string)
|
57
57
|
encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
|
58
58
|
end
|
59
59
|
|
60
60
|
def decode(encoded_string)
|
61
|
-
return encoded_string if encoded_string.nil? || (encoded_string ==
|
61
|
+
return encoded_string if encoded_string.nil? || (encoded_string == "")
|
62
62
|
|
63
63
|
decoded_string = ::Base64.decode64(encoded_string)
|
64
64
|
decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
@@ -67,16 +67,16 @@ module SymmetricEncryption
|
|
67
67
|
|
68
68
|
class Base16
|
69
69
|
def encode(binary_string)
|
70
|
-
return binary_string if binary_string.nil? || (binary_string ==
|
70
|
+
return binary_string if binary_string.nil? || (binary_string == "")
|
71
71
|
|
72
|
-
encoded_string = binary_string.to_s.unpack(
|
72
|
+
encoded_string = binary_string.to_s.unpack("H*").first
|
73
73
|
encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
|
74
74
|
end
|
75
75
|
|
76
76
|
def decode(encoded_string)
|
77
|
-
return encoded_string if encoded_string.nil? || (encoded_string ==
|
77
|
+
return encoded_string if encoded_string.nil? || (encoded_string == "")
|
78
78
|
|
79
|
-
decoded_string = [encoded_string].pack(
|
79
|
+
decoded_string = [encoded_string].pack("H*")
|
80
80
|
decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
81
81
|
end
|
82
82
|
end
|
@@ -8,11 +8,15 @@ module SymmetricEncryption
|
|
8
8
|
compress = options.delete(:compress) || false
|
9
9
|
type = options.delete(:type) || :string
|
10
10
|
|
11
|
-
|
12
|
-
|
11
|
+
unless options.empty?
|
12
|
+
raise(ArgumentError, "SymmetricEncryption Invalid options #{options.inspect} when encrypting '#{decrypted_name}'")
|
13
|
+
end
|
14
|
+
unless SymmetricEncryption::COERCION_TYPES.include?(type)
|
15
|
+
raise(ArgumentError, "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}")
|
16
|
+
end
|
13
17
|
|
14
18
|
if model.const_defined?(:EncryptedAttributes, _search_ancestors = false)
|
15
|
-
mod
|
19
|
+
mod = model.const_get(:EncryptedAttributes)
|
16
20
|
else
|
17
21
|
mod = model.const_set(:EncryptedAttributes, Module.new)
|
18
22
|
model.send(:include, mod)
|
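Review bot: The two new `ArgumentError` messages at lines 12 and 15 are inconsistent: the options message names the attribute via `decrypted_name`, the type message does not, so a bad `type:` on a model with several encrypted attributes cannot be traced from the error alone. Suggest `raise(ArgumentError, "Invalid type: #{type.inspect} for '#{decrypted_name}'. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}")`. The enclosing method starts before the hunk, so whether `decrypted_name` is always set at this point is inferred from its use on line 12.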
@@ -8,7 +8,7 @@ module SymmetricEncryption
|
|
8
8
|
class Header
|
9
9
|
# Encrypted data includes this header prior to encoding when
|
10
10
|
# `always_add_header` is true.
|
11
|
-
MAGIC_HEADER =
|
11
|
+
MAGIC_HEADER = "@EnC".force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
12
12
|
MAGIC_HEADER_SIZE = MAGIC_HEADER.size
|
13
13
|
|
14
14
|
# [true|false] Whether to compress the data before encryption.
|
@@ -37,7 +37,7 @@ module SymmetricEncryption
|
|
37
37
|
# Returns whether the supplied buffer starts with a symmetric_encryption header
|
38
38
|
# Note: The encoding of the supplied buffer is forced to binary if not already binary
|
39
39
|
def self.present?(buffer)
|
40
|
-
return false if buffer.nil? || (buffer ==
|
40
|
+
return false if buffer.nil? || (buffer == "")
|
41
41
|
|
42
42
|
buffer.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
43
43
|
buffer.start_with?(MAGIC_HEADER)
|
@@ -122,7 +122,7 @@ module SymmetricEncryption
|
|
122
122
|
#
|
123
123
|
# Returns 0 if no header is present
|
124
124
|
def parse(buffer, offset = 0)
|
125
|
-
return 0 if buffer.nil? || (buffer ==
|
125
|
+
return 0 if buffer.nil? || (buffer == "") || (buffer.length <= MAGIC_HEADER_SIZE + 2)
|
126
126
|
|
127
127
|
# Symmetric Encryption Header
|
128
128
|
#
|
@@ -153,7 +153,7 @@ module SymmetricEncryption
|
|
153
153
|
|
154
154
|
# Remove header and extract flags
|
155
155
|
self.version = buffer.getbyte(offset)
|
156
|
-
offset
|
156
|
+
offset += 1
|
157
157
|
|
158
158
|
unless cipher
|
159
159
|
raise(
|
@@ -162,7 +162,7 @@ module SymmetricEncryption
|
|
162
162
|
)
|
163
163
|
end
|
164
164
|
|
165
|
-
flags
|
165
|
+
flags = buffer.getbyte(offset)
|
166
166
|
offset += 1
|
167
167
|
|
168
168
|
self.compress = (flags & FLAG_COMPRESSED) != 0
|
@@ -197,7 +197,7 @@ module SymmetricEncryption
|
|
197
197
|
|
198
198
|
# Returns [String] this header as a string
|
199
199
|
def to_s
|
200
|
-
flags
|
200
|
+
flags = 0
|
201
201
|
flags |= FLAG_COMPRESSED if compressed?
|
202
202
|
flags |= FLAG_IV if iv
|
203
203
|
flags |= FLAG_KEY if key
|
@@ -207,23 +207,23 @@ module SymmetricEncryption
|
|
207
207
|
header = "#{MAGIC_HEADER}#{version.chr(SymmetricEncryption::BINARY_ENCODING)}#{flags.chr(SymmetricEncryption::BINARY_ENCODING)}"
|
208
208
|
|
209
209
|
if iv
|
210
|
-
header << [iv.length].pack(
|
210
|
+
header << [iv.length].pack("v")
|
211
211
|
header << iv
|
212
212
|
end
|
213
213
|
|
214
214
|
if key
|
215
215
|
encrypted = cipher.binary_encrypt(key, header: false)
|
216
|
-
header << [encrypted.length].pack(
|
216
|
+
header << [encrypted.length].pack("v")
|
217
217
|
header << encrypted
|
218
218
|
end
|
219
219
|
|
220
220
|
if cipher_name
|
221
|
-
header << [cipher_name.length].pack(
|
221
|
+
header << [cipher_name.length].pack("v")
|
222
222
|
header << cipher_name
|
223
223
|
end
|
224
224
|
|
225
225
|
if auth_tag
|
226
|
-
header << [auth_tag.length].pack(
|
226
|
+
header << [auth_tag.length].pack("v")
|
227
227
|
header << auth_tag
|
228
228
|
end
|
229
229
|
|
@@ -258,9 +258,9 @@ module SymmetricEncryption
|
|
258
258
|
# Exception when
|
259
259
|
# - offset exceeds length of buffer
|
260
260
|
# byteslice truncates when too long, but returns nil when start is beyond end of buffer
|
261
|
-
len
|
261
|
+
len = buffer.byteslice(offset, 2).unpack("v").first
|
262
262
|
offset += 2
|
263
|
-
out
|
263
|
+
out = buffer.byteslice(offset, len)
|
264
264
|
[out, offset + len]
|
265
265
|
end
|
266
266
|
end
|
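Review bot: In the length-prefixed read at new lines 261–263, `buffer.byteslice(offset, 2)` returns nil or a single byte when `offset` is at or past the end of the buffer, so `.unpack("v").first` raises NoMethodError or yields a nil `len`, and when `len` exceeds the remaining bytes `byteslice(offset, len)` silently truncates while `offset + len` walks past the end — a header parsed from ciphertext of unknown origin should fail with the library's own error class (the one raised at line 159, not visible here) rather than a NoMethodError/TypeError or a truncated iv, key or auth_tag. A check after computing `len`, e.g. `raise(ArgumentError, "Header field length #{len.inspect} exceeds buffer") if len.nil? || offset + len > buffer.bytesize`, closes both paths; the method's name is outside the hunk. Separately, the new guard at line 125 compares `buffer.length` against a byte count, whereas `present?` at line 42 forces binary encoding before looking at the buffer, so `bytesize` (or the same `force_encoding`) would make the guard independent of the caller's encoding — confirm whether `parse` forces encoding before line 125, which is outside the hunk. The `<=` also rejects a buffer of exactly header size, which looks intended since nothing could follow the flags byte.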
@@ -3,7 +3,7 @@ module SymmetricEncryption
|
|
3
3
|
class Key
|
4
4
|
attr_reader :key, :iv, :cipher_name
|
5
5
|
|
6
|
-
def initialize(key: :random, iv: :random, cipher_name:
|
6
|
+
def initialize(key: :random, iv: :random, cipher_name: "aes-256-cbc")
|
7
7
|
@key = key == :random ? ::OpenSSL::Cipher.new(cipher_name).random_key : key
|
8
8
|
@iv = iv == :random ? ::OpenSSL::Cipher.new(cipher_name).random_iv : iv
|
9
9
|
@cipher_name = cipher_name
|
@@ -2,12 +2,12 @@ module SymmetricEncryption
|
|
2
2
|
# Encryption keys are secured in Keystores
|
3
3
|
module Keystore
|
4
4
|
# @formatter:off
|
5
|
-
autoload :Aws,
|
6
|
-
autoload :Environment,
|
7
|
-
autoload :Gcp,
|
8
|
-
autoload :File,
|
9
|
-
autoload :Heroku,
|
10
|
-
autoload :Memory,
|
5
|
+
autoload :Aws, "symmetric_encryption/keystore/aws"
|
6
|
+
autoload :Environment, "symmetric_encryption/keystore/environment"
|
7
|
+
autoload :Gcp, "symmetric_encryption/keystore/gcp"
|
8
|
+
autoload :File, "symmetric_encryption/keystore/file"
|
9
|
+
autoload :Heroku, "symmetric_encryption/keystore/heroku"
|
10
|
+
autoload :Memory, "symmetric_encryption/keystore/memory"
|
11
11
|
# @formatter:on
|
12
12
|
|
13
13
|
# Returns [Hash] a new keystore configuration after generating data keys for each environment.
|
@@ -69,7 +69,7 @@ module SymmetricEncryption
|
|
69
69
|
# Only generate new keys for keystore's that have a key encrypting key
|
70
70
|
next unless config[:key_encrypting_key] || config[:private_rsa_key]
|
71
71
|
|
72
|
-
cipher_name = config[:cipher_name] ||
|
72
|
+
cipher_name = config[:cipher_name] || "aes-256-cbc"
|
73
73
|
|
74
74
|
keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(config)
|
75
75
|
|
@@ -80,7 +80,7 @@ module SymmetricEncryption
|
|
80
80
|
environment: environment
|
81
81
|
}
|
82
82
|
args[:key_path] = ::File.dirname(config[:key_filename]) if config.key?(:key_filename)
|
83
|
-
new_data_key = keystore_class.generate_data_key(args)
|
83
|
+
new_data_key = keystore_class.generate_data_key(**args)
|
84
84
|
|
85
85
|
# Add as second key so that key can be published now and only used in a later deploy.
|
86
86
|
if rolling_deploy
|
@@ -105,7 +105,7 @@ module SymmetricEncryption
|
|
105
105
|
# Only generate new keys for keystore's that have a key encrypting key
|
106
106
|
next unless config[:key_encrypting_key]
|
107
107
|
|
108
|
-
version
|
108
|
+
version = config.delete(:version) || 1
|
109
109
|
version -= 1
|
110
110
|
|
111
111
|
always_add_header = config.delete(:always_add_header)
|
@@ -144,9 +144,9 @@ module SymmetricEncryption
|
|
144
144
|
ciphers:
|
145
145
|
[
|
146
146
|
{
|
147
|
-
key:
|
148
|
-
iv:
|
149
|
-
cipher_name:
|
147
|
+
key: "1234567890ABCDEF",
|
148
|
+
iv: "1234567890ABCDEF",
|
149
|
+
cipher_name: "aes-128-cbc",
|
150
150
|
version: 1
|
151
151
|
}
|
152
152
|
]
|
@@ -156,7 +156,7 @@ module SymmetricEncryption
|
|
156
156
|
# Returns [Key] by recursively navigating the config tree.
|
157
157
|
#
|
158
158
|
# Supports N level deep key encrypting keys.
|
159
|
-
def self.read_key(key: nil, iv:, key_encrypting_key: nil, cipher_name:
|
159
|
+
def self.read_key(key: nil, iv:, key_encrypting_key: nil, cipher_name: "aes-256-cbc", keystore: nil, version: 0, **args)
|
160
160
|
if key_encrypting_key.is_a?(Hash)
|
161
161
|
# Recurse up the chain returning the parent key_encrypting_key
|
162
162
|
key_encrypting_key = read_key(cipher_name: cipher_name, **key_encrypting_key)
|
@@ -185,11 +185,11 @@ module SymmetricEncryption
|
|
185
185
|
elsif config[:key_env_var]
|
186
186
|
Keystore::Environment
|
187
187
|
else
|
188
|
-
raise(ArgumentError,
|
188
|
+
raise(ArgumentError, "Unknown keystore supplied in config")
|
189
189
|
end
|
190
190
|
end
|
191
191
|
|
192
|
-
def self.constantize_symbol(symbol, namespace =
|
192
|
+
def self.constantize_symbol(symbol, namespace = "SymmetricEncryption::Keystore")
|
193
193
|
klass = "#{namespace}::#{camelize(symbol.to_s)}"
|
194
194
|
begin
|
195
195
|
Object.const_get(klass)
|
@@ -203,7 +203,7 @@ module SymmetricEncryption
|
|
203
203
|
string = term.to_s
|
204
204
|
string = string.sub(/^[a-z\d]*/, &:capitalize)
|
205
205
|
string.gsub!(%r{(?:_|(/))([a-z\d]*)}i) { "#{Regexp.last_match(1)}#{Regexp.last_match(2).capitalize}" }
|
206
|
-
string.gsub!(
|
206
|
+
string.gsub!("/".freeze, "::".freeze)
|
207
207
|
string
|
208
208
|
end
|
209
209
|
|
@@ -220,12 +220,12 @@ module SymmetricEncryption
|
|
220
220
|
|
221
221
|
# Migrate old encrypted_iv
|
222
222
|
if (encrypted_iv = config.delete(:encrypted_iv)) && private_rsa_key
|
223
|
-
encrypted_iv
|
224
|
-
config[:iv]
|
223
|
+
encrypted_iv = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
|
224
|
+
config[:iv] = ::Base64.decode64(encrypted_iv)
|
225
225
|
end
|
226
226
|
|
227
227
|
# Migrate old iv_filename
|
228
|
-
if (file_name
|
228
|
+
if (file_name = config.delete(:iv_filename)) && private_rsa_key
|
229
229
|
encrypted_iv = ::File.read(file_name)
|
230
230
|
config[:iv] = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
|
231
231
|
end
|
@@ -234,7 +234,7 @@ module SymmetricEncryption
|
|
234
234
|
config[:key_encrypting_key] = RSAKey.new(private_rsa_key) if private_rsa_key
|
235
235
|
|
236
236
|
# Migrate old encrypted_key to new binary format
|
237
|
-
if (encrypted_key
|
237
|
+
if (encrypted_key = config[:encrypted_key]) && private_rsa_key
|
238
238
|
config[:encrypted_key] = ::Base64.decode64(encrypted_key)
|
239
239
|
end
|
240
240
|
end
|