Method: ActiveRecord::Encryption::Cipher::Aes256Gcm#decrypt

Defined in:
activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb

#decrypt(encrypted_message) ⇒ Object 



55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
 
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 55

def decrypt(encrypted_message)
  encrypted_data = encrypted_message.payload
  iv = encrypted_message.headers.iv
  auth_tag = encrypted_message.headers.auth_tag

  # Currently the OpenSSL bindings do not raise an error if auth_tag is
  # truncated, which would allow an attacker to easily forge it. See
  # https://github.com/ruby/openssl/issues/63
  raise ActiveRecord::Encryption::Errors::EncryptedContentIntegrity if auth_tag.nil? || auth_tag.bytes.length != 16

  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)

  cipher.decrypt
  cipher.key = @secret
  cipher.iv = iv

  cipher.auth_tag = auth_tag
  cipher.auth_data = ""

  decrypted_data = encrypted_data.empty? ? encrypted_data : cipher.update(encrypted_data)
  decrypted_data << cipher.final

  decrypted_data
rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
  raise ActiveRecord::Encryption::Errors::Decryption
end