Class: Bosh::Core::EncryptionHandler
- Inherits:
-
Object
- Object
- Bosh::Core::EncryptionHandler
show all
- Defined in:
- lib/bosh/core/encryption_handler.rb
Overview
Utility class for decrypting/encrypting Director/Agent message exchanges
Defined Under Namespace
Classes: CryptError, DecryptionError, SequenceNumberError, SessionError, SignatureError
Instance Attribute Summary collapse
Class Method Summary
collapse
Instance Method Summary
collapse
Constructor Details
Returns a new instance of EncryptionHandler.
28
29
30
31
32
33
34
35
36
37
|
# File 'lib/bosh/core/encryption_handler.rb', line 28
def initialize(id, credentials)
@id = id
crypt_key = credentials['crypt_key']
@cipher = Gibberish::AES.new(crypt_key)
@sign_key = credentials['sign_key']
@session_id = nil
@session_sequence_number = 0
initiate_sequence_number
end
|
Instance Attribute Details
#session_id ⇒ Object
Returns the value of attribute session_id.
26
27
28
|
# File 'lib/bosh/core/encryption_handler.rb', line 26
def session_id
@session_id
end
|
Class Method Details
.generate_credentials ⇒ Object
142
143
144
145
146
147
|
# File 'lib/bosh/core/encryption_handler.rb', line 142
def self.generate_credentials
%w(crypt_key sign_key).inject({}) do |credentials, key|
credentials[key] = SecureRandom.base64(48)
credentials
end
end
|
Instance Method Details
#constant_time_comparison(a, b) ⇒ Object
constant time comparison snagged from activesupport
100
101
102
103
104
105
106
|
# File 'lib/bosh/core/encryption_handler.rb', line 100
def constant_time_comparison(a, b)
return false unless a.bytesize == b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
|
#decode(json) ⇒ Object
138
139
140
|
# File 'lib/bosh/core/encryption_handler.rb', line 138
def decode(json)
Yajl::Parser.new.parse(json)
end
|
#decrypt(encrypted_data) ⇒ Object
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
# File 'lib/bosh/core/encryption_handler.rb', line 67
def decrypt(encrypted_data)
begin
decrypted_data = @cipher.decrypt(encrypted_data)
rescue Exception => e
raise DecryptionError, e.inspect
end
data = Yajl::Parser.new.parse(decrypted_data)
verify_signature(data)
decoded_data = decode(data['json_data'])
verify_session(decoded_data)
decoded_data
end
|
#encode(data) ⇒ Object
134
135
136
|
# File 'lib/bosh/core/encryption_handler.rb', line 134
def encode(data)
Yajl::Encoder.encode(data)
end
|
#encrypt(data) ⇒ Object
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
# File 'lib/bosh/core/encryption_handler.rb', line 43
def encrypt(data)
raise ArgumentError unless data.is_a?(Hash)
start_session unless @session_id
encapsulated_data = data.dup
@sequence_number += 1
encapsulated_data['sequence_number'] = @sequence_number
encapsulated_data['client_id'] = @id
encapsulated_data['session_id'] = @session_id
signed_data = sign(encapsulated_data)
encrypted_data = @cipher.encrypt(encode(signed_data))
encrypted_data
end
|
#initiate_sequence_number ⇒ Object
39
40
41
|
# File 'lib/bosh/core/encryption_handler.rb', line 39
def initiate_sequence_number
@sequence_number = Time.now.to_i + SecureRandom.random_number(1 << 32)
end
|
#sign(encapsulated_data) ⇒ Object
60
61
62
63
64
65
|
# File 'lib/bosh/core/encryption_handler.rb', line 60
def sign(encapsulated_data)
data_json = encode(encapsulated_data)
hmac = signature(data_json)
signed_data = { 'hmac' => hmac, 'json_data' => data_json }
signed_data
end
|
#signature(sign_data) ⇒ Object
130
131
132
|
# File 'lib/bosh/core/encryption_handler.rb', line 130
def signature(sign_data)
Gibberish.HMAC(@sign_key, sign_data, { digest: :sha256 })
end
|
#start_session ⇒ Object
85
86
87
|
# File 'lib/bosh/core/encryption_handler.rb', line 85
def start_session
@session_id = SecureRandom.uuid
end
|
#verify_session(decrypted_data) ⇒ Object
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
# File 'lib/bosh/core/encryption_handler.rb', line 108
def verify_session(decrypted_data)
if @session_id.nil?
if !decrypted_data['session_id'].nil?
@session_id = decrypted_data['session_id']
else
raise SessionError, 'no session_id'
end
end
unless decrypted_data['session_id'] == @session_id
raise SessionError, 'session_id mismatch'
end
sender_sequence_number = decrypted_data['sequence_number'].to_i
if sender_sequence_number > @session_sequence_number
@session_sequence_number = sender_sequence_number
else
raise SequenceNumberError, 'invalid sequence number'
end
end
|
#verify_signature(data) ⇒ Object
89
90
91
92
93
94
95
96
97
|
# File 'lib/bosh/core/encryption_handler.rb', line 89
def verify_signature(data)
hmac = data['hmac']
json_data = data['json_data']
json_hmac = signature(json_data)
unless constant_time_comparison(hmac, json_hmac)
raise SignatureError, "Expected hmac (#{hmac}), got (#{json_hmac})"
end
end
|