diff options
author | Michael Koziarski <michael@koziarski.com> | 2012-07-04 12:37:31 +1200 |
---|---|---|
committer | Michael Koziarski <michael@koziarski.com> | 2012-10-01 14:22:19 +1300 |
commit | def2ccb8e3534e06ec1bb9c33aeee35a52b40138 (patch) | |
tree | d38907288811267ca37d9828afff26c0973226f9 /activesupport/lib/active_support/key_generator.rb | |
parent | a6cfd33865a11eefcb3431450c8f2ad2b2766066 (diff) | |
download | rails-def2ccb8e3534e06ec1bb9c33aeee35a52b40138.tar.gz rails-def2ccb8e3534e06ec1bb9c33aeee35a52b40138.tar.bz2 rails-def2ccb8e3534e06ec1bb9c33aeee35a52b40138.zip |
Add ActiveSupport::KeyGenerator as a simple wrapper around PBKDF2
This will be used to derive keys from the secret and a salt, in order to allow us to
do things like encrypted cookie stores without using the secret for multiple
purposes directly.
Diffstat (limited to 'activesupport/lib/active_support/key_generator.rb')
-rw-r--r-- | activesupport/lib/active_support/key_generator.rb | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/key_generator.rb b/activesupport/lib/active_support/key_generator.rb new file mode 100644 index 0000000000..04d170f801 --- /dev/null +++ b/activesupport/lib/active_support/key_generator.rb @@ -0,0 +1,23 @@ +require 'openssl' + +module ActiveSupport + # KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2 + # It can be used to derive a number of keys for various purposes from a given secret. + # This lets rails applications have a single secure secret, but avoid reusing that + # key in multiple incompatible contexts. + class KeyGenerator + def initialize(secret, options = {}) + @secret = secret + # The default iterations are higher than required for our key derivation uses + # on the off chance someone uses this for password storage + @iterations = options[:iterations] || 2**16 + end + + # Returns a derived key suitable for use. The default key_size is chosen + # to be compatible with the default settings of ActiveSupport::MessageVerifier. + # i.e. OpenSSL::Digest::SHA1#block_length + def generate_key(salt, key_size=64) + OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size) + end + end +end |