Diffstat (limited to 'activesupport/lib/active_support/message_encryptor.rb')
-rw-r--r-- | activesupport/lib/active_support/message_encryptor.rb | 42 |
1 files changed, 22 insertions, 20 deletions
diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb
index ada2e79ccb..580267708c 100644
--- a/activesupport/lib/active_support/message_encryptor.rb
+++ b/activesupport/lib/active_support/message_encryptor.rb
@@ -2,18 +2,19 @@ require 'openssl'
 require 'base64'
 module ActiveSupport
- # MessageEncryptor is a simple way to encrypt values which get stored somewhere
- # you don't trust.
+ # MessageEncryptor is a simple way to encrypt values which get stored
+ # somewhere you don't trust.
 #
- # The cipher text and initialization vector are base64 encoded and returned to you.
+ # The cipher text and initialization vector are base64 encoded and returned
+ # to you.
 #
- # This can be used in situations similar to the <tt>MessageVerifier</tt>, but where you don't
- # want users to be able to determine the value of the payload.
+ # This can be used in situations similar to the <tt>MessageVerifier</tt>, but
+ # where you don't want users to be able to determine the value of the payload.
 #
- # key = OpenSSL::Digest::SHA256.new('password').digest # => "\x89\xE0\x156\xAC..."
- # crypt = ActiveSupport::MessageEncryptor.new(key) # => #<ActiveSupport::MessageEncryptor ...>
- # encrypted_data = crypt.encrypt_and_sign('my secret data') # => "NlFBTTMwOUV5UlA1QlNEN2xkY2d6eThYWWh..."
- # crypt.decrypt_and_verify(encrypted_data) # => "my secret data"
+ # key = OpenSSL::Digest::SHA256.new('password').digest # => "\x89\xE0\x156\xAC..."
+ # crypt = ActiveSupport::MessageEncryptor.new(key) # => #<ActiveSupport::MessageEncryptor ...>
+ # encrypted_data = crypt.encrypt_and_sign('my secret data') # => "NlFBTTMwOUV5UlA1QlNEN2xkY2d6eThYWWh..."
+ # crypt.decrypt_and_verify(encrypted_data) # => "my secret data"
 class MessageEncryptor
 module NullSerializer #:nodoc:
 def self.load(value)
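Review bot: The class-level example still derives the key with `OpenSSL::Digest::SHA256.new('password').digest`, an unsalted single-pass hash, and documentation examples tend to be copied verbatim; the `initialize` comment in the next hunk gives the same advice. A low-entropy password passed through one SHA-256 round yields a key that is only as strong as the password itself. I would show a salted, iterated derivation instead, for example `key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(password, salt, iterations, 32)` with a random stored salt, or `SecureRandom.random_bytes(32)` when no password is involved. The class body continues outside this hunk.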
@@ -28,15 +29,16 @@ module ActiveSupport
 class InvalidMessage < StandardError; end
 OpenSSLCipherError = OpenSSL::Cipher.const_defined?(:CipherError) ? OpenSSL::Cipher::CipherError : OpenSSL::CipherError
- # Initialize a new MessageEncryptor.
- # +secret+ must be at least as long as the cipher key size. For the default 'aes-256-cbc' cipher,
- # this is 256 bits. If you are using a user-entered secret, you can generate a suitable key with
- # <tt>OpenSSL::Digest::SHA256.new(user_secret).digest</tt> or similar.
+ # Initialize a new MessageEncryptor. +secret+ must be at least as long as
+ # the cipher key size. For the default 'aes-256-cbc' cipher, this is 256
+ # bits. If you are using a user-entered secret, you can generate a suitable
+ # key with <tt>OpenSSL::Digest::SHA256.new(user_secret).digest</tt> or
+ # similar.
 #
 # Options:
- # * <tt>:cipher</tt> - Cipher to use. Can be any cipher returned by <tt>OpenSSL::Cipher.ciphers</tt>. Default is 'aes-256-cbc'
- # * <tt>:serializer</tt> - Object serializer to use. Default is +Marshal+.
- #
+ # * <tt>:cipher</tt> - Cipher to use. Can be any cipher returned by
+ # <tt>OpenSSL::Cipher.ciphers</tt>. Default is 'aes-256-cbc'.
+ # * <tt>:serializer</tt> - Object serializer to use. Default is +Marshal+.
 def initialize(secret, options = {})
 @secret = secret
 @cipher = options[:cipher] || 'aes-256-cbc'
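Review bot: The option list states `Default is +Marshal+.` without the caveat a caller needs when choosing a serializer. With that default the decrypted payload is presumably passed to `Marshal.load` (the load call is outside this diff), so the secrecy of +secret+ is also the only thing preventing the receiver from deserializing arbitrary objects. I would add a line to the `:serializer` entry such as `# With Marshal, anyone who learns +secret+ can make the receiver deserialize arbitrary objects; pass a data-only serializer (e.g. JSON) if that matters.` The body of `initialize` continues past the end of the hunk.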
@@ -44,14 +46,14 @@ module ActiveSupport
 @serializer = options[:serializer] || Marshal
 end
- # Encrypt and sign a message. We need to sign the message in order to avoid padding attacks.
- # Reference: http://www.limited-entropy.com/padding-oracle-attacks
+ # Encrypt and sign a message. We need to sign the message in order to avoid
+ # padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks.
 def encrypt_and_sign(value)
 verifier.generate(_encrypt(value))
 end
- # Decrypt and verify a message. We need to verify the message in order to avoid padding attacks.
- # Reference: http://www.limited-entropy.com/padding-oracle-attacks
+ # Decrypt and verify a message. We need to verify the message in order to
+ # avoid padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks.
 def decrypt_and_verify(value)
 _decrypt(verifier.verify(value))
 end |
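Review bot: The period appended to the reference URL in both rewritten comments sits directly against the link, so a doc generator or editor that autolinks to the end of the token may include it. Those lines also remain longer than the wrap width the rest of the commit applies. I would keep the reference on its own line without the trailing period, `# Reference: http://www.limited-entropy.com/padding-oracle-attacks`. The `decrypt_and_verify` comment could also state the property that matters, for example `# The signature is checked before any decryption is attempted.`, which is what `_decrypt(verifier.verify(value))` does.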