Module: Tripwire::Server::SealedToken

Defined in:

lib/tripwire/server/sealed_token.rb

Constant Summary

VERSION =

0x01

Class Method Summary

• .safe_verify_tripwire_token(sealed_token, secret_key = nil) ⇒ Object
• .verify_tripwire_token(sealed_token, secret_key = nil) ⇒ Object

Class Method Details

.safe_verify_tripwire_token(sealed_token, secret_key = nil) ⇒ Object

# File 'lib/tripwire/server/sealed_token.rb', line 45

def safe_verify_tripwire_token(sealed_token, secret_key = nil)
  { ok: true, data: verify_tripwire_token(sealed_token, secret_key) }
rescue ConfigurationError, TokenVerificationError => error
  { ok: false, error: error }
end

.verify_tripwire_token(sealed_token, secret_key = nil) ⇒ Object

# File 'lib/tripwire/server/sealed_token.rb', line 14

def verify_tripwire_token(sealed_token, secret_key = nil)
  CryptoSupport.ensure_supported_runtime!
  resolved_secret = secret_key || ENV["TRIPWIRE_SECRET_KEY"]
  raise ConfigurationError, "Missing Tripwire secret key. Pass secret_key explicitly or set TRIPWIRE_SECRET_KEY." if resolved_secret.nil? || resolved_secret.empty?

  raw = Base64.decode64(sealed_token)
  raise TokenVerificationError, "Tripwire token is too short." if raw.bytesize < 29

  version = raw.getbyte(0)
  raise TokenVerificationError, "Unsupported Tripwire token version: #{version}" if version != VERSION

  nonce = raw.byteslice(1, 12)
  ciphertext = raw.byteslice(13, raw.bytesize - 29)
  tag = raw.byteslice(raw.bytesize - 16, 16)

  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = derive_key(resolved_secret)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = ""

  compressed = cipher.update(ciphertext) + cipher.final
  payload = JSON.parse(Zlib::Inflate.inflate(compressed))
  deep_symbolize(payload)
rescue ConfigurationError, TokenVerificationError
  raise
rescue StandardError => error
  raise TokenVerificationError, "Failed to verify Tripwire token: #{error.message}"
end