Class: Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor

Inherits:

Version1Encryptor

Object
Version1Encryptor
Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor

show all

Includes:: Assertions

Defined in:: lib/chef/encrypted_data_bag_item/encryptor.rb

Instance Attribute Summary

Attributes inherited from Version1Encryptor

#key, #plaintext_data

Class Method Summary collapse

.encryptor_keys ⇒ Object

Instance Method Summary collapse

#algorithm ⇒ Object

Returns the used encryption algorithm.
#auth_tag ⇒ Object

Returns a wrapped and encrypted version of plaintext_data suitable for Returns the auth_tag.
#encrypted_data ⇒ Object

Encrypts, Base64 encodes serialized_data and gets the authentication tag.
#for_encrypted_item ⇒ Object

Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.
#initialize(plaintext_data, key, iv = nil) ⇒ Version3Encryptor constructor

A new instance of Version3Encryptor.
#openssl_encryptor ⇒ Object

Generates (and memoizes) an OpenSSL::Cipher object and configures it for the specified iv and encryption key using AEAD.

Methods included from Assertions

#assert_aead_requirements_met!, #assert_format_version_acceptable!, #assert_requirements_met!, #assert_valid_cipher!

Methods inherited from Version1Encryptor

#iv, #serialized_data

Constructor Details

#initialize(plaintext_data, key, iv = nil) ⇒ `Version3Encryptor`

Returns a new instance of Version3Encryptor.

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 165

def initialize(plaintext_data, key, iv = nil)
  super
  assert_aead_requirements_met!(algorithm)
  @auth_tag = nil
end

Class Method Details

.encryptor_keys ⇒ `Object`



219
220
221

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 219

def self.encryptor_keys
  super + %w{ auth_tag }
end

Instance Method Details

#algorithm ⇒ `Object`

Returns the used encryption algorithm



184
185
186

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 184

def algorithm
  AEAD_ALGORITHM
end

#auth_tag ⇒ `Object`

Returns a wrapped and encrypted version of plaintext_data suitable for Returns the auth_tag.

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 190

def auth_tag
  # Generated auth_tag comes from OpenSSL::Cipher#auth_tag
  # This must be generated after the data is encrypted
  if @auth_tag.nil?
    raise EncryptionFailure, "Internal Error: GCM authentication tag read before encryption"
  end

  @auth_tag
end

#encrypted_data ⇒ `Object`

Encrypts, Base64 encodes serialized_data and gets the authentication tag

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 211

def encrypted_data
  @encrypted_data ||= begin
    enc_data_b64 = super
    @auth_tag = openssl_encryptor.auth_tag
    enc_data_b64
  end
end

#for_encrypted_item ⇒ `Object`

Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 173

def for_encrypted_item
  {
    "encrypted_data" => encrypted_data,
    "iv" => Base64.encode64(iv),
    "auth_tag" => Base64.encode64(auth_tag),
    "version" => 3,
    "cipher" => algorithm,
  }
end

#openssl_encryptor ⇒ `Object`

Generates (and memoizes) an OpenSSL::Cipher object and configures it for the specified iv and encryption key using AEAD

# File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 202

def openssl_encryptor
  @openssl_encryptor ||= begin
    encryptor = super
    encryptor.auth_data = ""
    encryptor
  end
end