Class: WorkOS::Encryptors::AesGcm

Inherits:
Object
  • Object
show all
Defined in:
lib/workos/encryptors/aes_gcm.rb

Constant Summary collapse

SEAL_VERSION = 
0x01

Instance Method Summary collapse

Instance Method Details

#seal(data, key) ⇒ Object 



18
19
20
21
22
23
24
25
26
 
# File 'lib/workos/encryptors/aes_gcm.rb', line 18

def seal(data, key)
  json = data.is_a?(String) ? data : JSON.generate(data)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(key)
  iv = SecureRandom.random_bytes(12)
  cipher.iv = iv
  ciphertext = cipher.update(json) + cipher.final
  Base64.strict_encode64(SEAL_VERSION.chr + iv + cipher.auth_tag + ciphertext)
end

#unseal(sealed, key) ⇒ Object

Raises:

  • (ArgumentError) 


28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
# File 'lib/workos/encryptors/aes_gcm.rb', line 28

def unseal(sealed, key)
  raw = Base64.decode64(sealed.to_s)
  raise ArgumentError, "Sealed payload too short" if raw.bytesize < 1 + 12 + 16
  version = raw.byteslice(0, 1).bytes.first
  raise ArgumentError, "Unknown seal version: #{version}" unless version == SEAL_VERSION
  iv = raw.byteslice(1, 12)
  tag = raw.byteslice(13, 16)
  ciphertext = raw.byteslice(29, raw.bytesize - 29)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(key)
  cipher.iv = iv
  cipher.auth_tag = tag
  decoded = cipher.update(ciphertext) + cipher.final
  decoded.force_encoding(Encoding::UTF_8)
  begin
    JSON.parse(decoded)
  rescue JSON::ParserError
    decoded
  end
end