Class: Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor

Inherits:
Version1Encryptor
Includes:
Assertions
Defined in:
lib/chef/encrypted_data_bag_item/encryptor.rb

Instance Attribute Summary

Attributes inherited from Version1Encryptor

#key, #plaintext_data

Class Method Summary

Instance Method Summary

Methods included from Assertions

#assert_aead_requirements_met!, #assert_format_version_acceptable!, #assert_requirements_met!, #assert_valid_cipher!

Methods inherited from Version1Encryptor

#iv, #serialized_data

Constructor Details

#initialize(plaintext_data, key, iv = nil) ⇒ Version3Encryptor

Returns a new instance of Version3Encryptor.



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 165

# Builds a Version 3 (AEAD) encryptor for +plaintext_data+ under +key+.
#
# Key, plaintext and iv handling is delegated to Version1Encryptor#initialize;
# this override then checks that the running OpenSSL can actually perform the
# AEAD cipher named by #algorithm (assert_aead_requirements_met! is mixed in
# from Assertions). @auth_tag starts out nil so that #auth_tag can detect a
# read that happens before #encrypted_data has run — a tag must only ever be
# captured after the cipher has been finalized.
#
# @param plaintext_data [Object] data to be serialized and encrypted
# @param key [String] encryption key (stored by the superclass)
# @param iv [String, nil] optional IV; when nil the superclass #iv presumably
#   generates one — confirm against Version1Encryptor
# @raise whatever assert_aead_requirements_met! raises when AEAD is unsupported
def initialize(plaintext_data, key, iv = nil)
  super(plaintext_data, key, iv)
  assert_aead_requirements_met!(algorithm)
  @auth_tag = nil
end

Class Method Details

.encryptor_keys ⇒ Object



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 219

# Names of the fields this format version emits in #for_encrypted_item: the
# superclass's keys plus "auth_tag", the GCM authentication tag that the
# earlier (non-AEAD) format versions do not carry.
#
# @return [Array<String>] a new array; the superclass result is left untouched
def self.encryptor_keys
  super.dup.push("auth_tag")
end

Instance Method Details

#algorithm ⇒ Object

Returns the used encryption algorithm



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 184

# Returns the cipher name used by this format version.
#
# Version 3 always uses the AEAD cipher held in the AEAD_ALGORITHM constant
# (defined elsewhere in this file; its value is not visible here). This is the
# name #initialize validates via assert_aead_requirements_met! and the value
# #for_encrypted_item records in the item's "cipher" field.
#
# @return [String] presumably an OpenSSL cipher name — see AEAD_ALGORITHM
def algorithm
  AEAD_ALGORITHM
end

#auth_tag ⇒ Object

Returns the GCM authentication tag captured by #encrypted_data; raises EncryptionFailure if read before encryption has run.



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 190

# Returns the GCM authentication tag produced by the last encryption.
#
# The tag comes from OpenSSL::Cipher#auth_tag and is only valid once the
# cipher has been finalized; #encrypted_data performs the encryption and
# stores the tag in @auth_tag. Reading it earlier is a programming error, not
# a bad input, so it fails loudly rather than returning nil — an item written
# with a missing tag could never be authenticated on decryption.
#
# @return [String] the raw (not Base64-encoded) authentication tag
# @raise [EncryptionFailure] if called before #encrypted_data has run
def auth_tag
  # @auth_tag stays nil until #encrypted_data has driven the cipher through #final.
  raise EncryptionFailure, "Internal Error: GCM authentication tag read before encryption" if @auth_tag.nil?

  @auth_tag
end

#encrypted_data ⇒ Object

Encrypts and Base64-encodes serialized_data, then captures the GCM authentication tag from the cipher.



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 211

# Encrypts and Base64-encodes serialized_data, then captures the GCM tag.
#
# The encryption itself is done by the superclass (presumably running the
# cipher from #openssl_encryptor through update/final). The tag is read from
# that same cipher immediately afterwards, because OpenSSL::Cipher#auth_tag is
# only meaningful after finalization. The result is memoized so the cipher is
# run exactly once and #auth_tag always corresponds to the ciphertext returned.
#
# @return [String] Base64-encoded ciphertext
def encrypted_data
  @encrypted_data ||= super.tap { @auth_tag = openssl_encryptor.auth_tag }
end

#for_encrypted_item ⇒ Object

Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 173

# Returns the hash stored as the value of an encrypted data bag item.
#
# Evaluation order is significant: "encrypted_data" is computed first, which
# runs the cipher and stores the tag, and only then is #auth_tag read (it
# raises if consulted before encryption). Note that "version" and "cipher" are
# not bound to the ciphertext by the authentication tag — #openssl_encryptor
# sets empty auth_data — so a decryptor cannot rely on the tag alone to detect
# tampering with those fields and must validate them itself (the Assertions
# mixin provides assert_format_version_acceptable!/assert_valid_cipher!; confirm
# the decryptor uses them).
#
# @return [Hash{String => Object}] keys "encrypted_data" and "auth_tag"
#   (Base64), "iv" (Base64), "version" (3) and "cipher" (see #algorithm)
def for_encrypted_item
  item = {}
  item["encrypted_data"] = encrypted_data
  item["iv"] = Base64.encode64(iv)
  item["auth_tag"] = Base64.encode64(auth_tag)
  item["version"] = 3
  item["cipher"] = algorithm
  item
end

#openssl_encryptor ⇒ Object

Generates (and memoizes) an OpenSSL::Cipher object configured for the specified iv and encryption key in AEAD mode, with empty additional authenticated data (auth_data).



# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 202

# Returns the memoized OpenSSL::Cipher used for AEAD encryption.
#
# The superclass builds and keys the cipher for the chosen iv and key
# (presumably — Version1Encryptor's implementation is not shown here); this
# override only sets the additional authenticated data. It is the empty
# string, so the tag covers the ciphertext alone and none of the surrounding
# metadata ("version", "cipher") that #for_encrypted_item emits alongside it.
# Memoization is required: #encrypted_data encrypts with this object and then
# reads its auth_tag, so both calls must observe the same cipher instance.
#
# @return [OpenSSL::Cipher] the configured cipher
def openssl_encryptor
  @openssl_encryptor ||= super.tap { |cipher| cipher.auth_data = "" }
end