Class: Quonfig::Encryption

Inherits:

Object

• Object
• Quonfig::Encryption

Defined in:

lib/quonfig/encryption.rb

Constant Summary

CIPHER_TYPE =

32/12

"aes-256-gcm"

SEPARATOR =

"--"

AUTH_TAG_LENGTH =

16

Class Method Summary

• .generate_new_hex_key ⇒ Object

  Hexadecimal format ensures that generated keys are representable with plain text.

• .generate_random_key ⇒ Object
• .key_length ⇒ Object

Instance Method Summary

• #decrypt(encrypted_string) ⇒ Object
• #encrypt(clear_text) ⇒ Object
• #initialize(key_string_hex) ⇒ Encryption constructor

  A new instance of Encryption.

Constructor Details

#initialize(key_string_hex) ⇒ Encryption

Returns a new instance of Encryption.

# File 'lib/quonfig/encryption.rb', line 18

def initialize(key_string_hex)
  @key = [key_string_hex].pack("H*")
end

Class Method Details

.generate_new_hex_key ⇒ Object

Hexadecimal format ensures that generated keys are representable with plain text

To convert back to the original string with the desired length:

[ value ].pack("H*")

# File 'lib/quonfig/encryption.rb', line 14

def self.generate_new_hex_key
  generate_random_key.unpack("H*")[0]
end

.generate_random_key ⇒ Object

# File 'lib/quonfig/encryption.rb', line 66

def self.generate_random_key
  SecureRandom.random_bytes(key_length)
end

.key_length ⇒ Object

# File 'lib/quonfig/encryption.rb', line 70

def self.key_length
  OpenSSL::Cipher.new(CIPHER_TYPE).key_len
end

Instance Method Details

#decrypt(encrypted_string) ⇒ Object

# File 'lib/quonfig/encryption.rb', line 41

def decrypt(encrypted_string)
  encrypted_data, iv, auth_tag = encrypted_string.split(SEPARATOR).map { |p| [p].pack("H*") }
  
  # Currently the OpenSSL bindings do not raise an error if auth_tag is
  # truncated, which would allow an attacker to easily forge it. See
  # https://github.com/ruby/openssl/issues/63
  if auth_tag.bytesize != AUTH_TAG_LENGTH
    raise "truncated auth_tag"
  end

  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)
  cipher.decrypt
  cipher.key = @key
  cipher.iv = iv
  
  cipher.auth_tag = auth_tag
 
  # and decrypt it
  decrypted = cipher.update(encrypted_data)
  decrypted << cipher.final
  decrypted
end

#encrypt(clear_text) ⇒ Object

# File 'lib/quonfig/encryption.rb', line 22

def encrypt(clear_text)
  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)
  cipher.encrypt
  iv = cipher.random_iv

  # load them into the cipher
  cipher.key = @key
  cipher.iv = iv
  cipher.auth_data = ""

  # encrypt the message
  encrypted = cipher.update(clear_text)
  encrypted << cipher.final
  tag = cipher.auth_tag
  
  # pack and join
  [encrypted, iv, tag].map { |p| p.unpack("H*")[0] }.join(SEPARATOR)
end