1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
module Rails
# A class for creating random secret keys. This class will do its best to create a
# random secret key that's as secure as possible, using whatever methods are
# available on the current platform. For example:
#
# generator = Rails::SecretKeyGenerator("some unique identifier, such as the application name")
# generator.generate_secret # => "f3f1be90053fa851... (some long string)"
class SecretKeyGenerator
GENERATORS = [ :secure_random, :win32_api, :urandom, :openssl, :prng ].freeze
def initialize(identifier)
@identifier = identifier
end
# Generate a random secret key with the best possible method available on
# the current platform.
def generate_secret
generator = GENERATORS.find do |g|
self.class.send("supports_#{g}?")
end
send("generate_secret_with_#{generator}")
end
# Generate a random secret key by using the Win32 API. Raises LoadError
# if the current platform cannot make use of the Win32 API. Raises
# SystemCallError if some other error occurred.
def generate_secret_with_win32_api
# Following code is based on David Garamond's GUID library for Ruby.
require 'Win32API'
crypt_acquire_context = Win32API.new("advapi32", "CryptAcquireContext",
'PPPII', 'L')
crypt_gen_random = Win32API.new("advapi32", "CryptGenRandom",
'LIP', 'L')
crypt_release_context = Win32API.new("advapi32", "CryptReleaseContext",
'LI', 'L')
prov_rsa_full = 1
crypt_verifycontext = 0xF0000000
hProvStr = " " * 4
if crypt_acquire_context.call(hProvStr, nil, nil, prov_rsa_full,
crypt_verifycontext) == 0
raise SystemCallError, "CryptAcquireContext failed: #{lastWin32ErrorMessage}"
end
hProv, = hProvStr.unpack('L')
bytes = " " * 64
if crypt_gen_random.call(hProv, bytes.size, bytes) == 0
raise SystemCallError, "CryptGenRandom failed: #{lastWin32ErrorMessage}"
end
if crypt_release_context.call(hProv, 0) == 0
raise SystemCallError, "CryptReleaseContext failed: #{lastWin32ErrorMessage}"
end
bytes.unpack("H*")[0]
end
# Generate a random secret key with Ruby 1.9's SecureRandom module.
# Raises LoadError if the current Ruby version does not support
# SecureRandom.
def generate_secret_with_secure_random
require 'securerandom'
return SecureRandom.hex(64)
end
# Generate a random secret key with OpenSSL. If OpenSSL is not
# already loaded, then this method will attempt to load it.
# LoadError will be raised if that fails.
def generate_secret_with_openssl
require 'openssl'
if !File.exist?("/dev/urandom")
# OpenSSL transparently seeds the random number generator with
# data from /dev/urandom. On platforms where that is not
# available, such as Windows, we have to provide OpenSSL with
# our own seed. Unfortunately there's no way to provide a
# secure seed without OS support, so we'll have to do with
# rand() and Time.now.usec().
OpenSSL::Random.seed(rand(0).to_s + Time.now.usec.to_s)
end
data = OpenSSL::BN.rand(2048, -1, false).to_s
if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
OpenSSL::Digest::SHA512.new(data).hexdigest
else
generate_secret_with_prng
end
end
# Generate a random secret key with /dev/urandom.
# Raises SystemCallError on failure.
def generate_secret_with_urandom
return File.read("/dev/urandom", 64).unpack("H*")[0]
end
# Generate a random secret key with Ruby's pseudo random number generator,
# as well as some environment information.
#
# This is the least cryptographically secure way to generate a secret key,
# and should be avoided whenever possible.
def generate_secret_with_prng
require 'digest/sha2'
sha = Digest::SHA2.new(512)
now = Time.now
sha << now.to_s
sha << String(now.usec)
sha << String(rand(0))
sha << String($$)
sha << @identifier
return sha.hexdigest
end
private
def lastWin32ErrorMessage
# Following code is based on David Garamond's GUID library for Ruby.
get_last_error = Win32API.new("kernel32", "GetLastError", '', 'L')
format_message = Win32API.new("kernel32", "FormatMessageA",
'LPLLPLPPPPPPPP', 'L')
format_message_ignore_inserts = 0x00000200
format_message_from_system = 0x00001000
code = get_last_error.call
msg = "\0" * 1024
len = format_message.call(format_message_ignore_inserts +
format_message_from_system, 0,
code, 0, msg, 1024, nil, nil,
nil, nil, nil, nil, nil, nil)
msg[0, len].tr("\r", '').chomp
end
def self.supports_secure_random?
begin
require 'securerandom'
true
rescue LoadError
false
end
end
def self.supports_win32_api?
return false unless RUBY_PLATFORM =~ /(:?mswin|mingw)/
begin
require 'Win32API'
true
rescue LoadError
false
end
end
def self.supports_urandom?
File.exist?('/dev/urandom')
end
def self.supports_openssl?
begin
require 'openssl'
true
rescue LoadError
false
end
end
def self.supports_prng?
true
end
end
end
|
