Use an options hash to specify digest/cipher algorithm and a serializer for MessageVerifier and MessageEncryptor.
This commit is contained in:
Willem van Bergen
parent
2d30d4cb88
commit
41fea03342
@ -13,12 +13,15 @@ class MessageEncryptor
|
|||||||
class InvalidMessage < StandardError; end
|
class InvalidMessage < StandardError; end
|
||||||
OpenSSLCipherError = OpenSSL::Cipher.const_defined?(:CipherError) ? OpenSSL::Cipher::CipherError : OpenSSL::CipherError
|
OpenSSLCipherError = OpenSSL::Cipher.const_defined?(:CipherError) ? OpenSSL::Cipher::CipherError : OpenSSL::CipherError
|
||||||
|
|
||||||
attr_accessor :serializer
|
def initialize(secret, options = {})
|
||||||
|
unless options.is_a?(Hash)
|
||||||
|
ActiveSupport::Deprecation.warn "The second parameter should be an options hash. Use :cipher => 'algorithm' to sepcify the cipher algorithm."
|
||||||
|
options = { :cipher => options }
|
||||||
|
end
|
||||||
|
|
||||||
def initialize(secret, cipher = 'aes-256-cbc', serializer = Marshal)
|
|
||||||
@secret = secret
|
@secret = secret
|
||||||
@cipher = cipher
|
@cipher = options[:cipher] || 'aes-256-cbc'
|
||||||
@serializer = serializer
|
@serializer = options[:serializer] || Marshal
|
||||||
end
|
end
|
||||||
|
|
||||||
def encrypt(value)
|
def encrypt(value)
|
||||||
@ -30,7 +33,7 @@ def encrypt(value)
|
|||||||
cipher.key = @secret
|
cipher.key = @secret
|
||||||
cipher.iv = iv
|
cipher.iv = iv
|
||||||
|
|
||||||
encrypted_data = cipher.update(serializer.dump(value))
|
encrypted_data = cipher.update(@serializer.dump(value))
|
||||||
encrypted_data << cipher.final
|
encrypted_data << cipher.final
|
||||||
|
|
||||||
[encrypted_data, iv].map {|v| ActiveSupport::Base64.encode64s(v)}.join("--")
|
[encrypted_data, iv].map {|v| ActiveSupport::Base64.encode64s(v)}.join("--")
|
||||||
@ -47,7 +50,7 @@ def decrypt(encrypted_message)
|
|||||||
decrypted_data = cipher.update(encrypted_data)
|
decrypted_data = cipher.update(encrypted_data)
|
||||||
decrypted_data << cipher.final
|
decrypted_data << cipher.final
|
||||||
|
|
||||||
serializer.load(decrypted_data)
|
@serializer.load(decrypted_data)
|
||||||
rescue OpenSSLCipherError, TypeError
|
rescue OpenSSLCipherError, TypeError
|
||||||
raise InvalidMessage
|
raise InvalidMessage
|
||||||
end
|
end
|
||||||
|
|||||||
@ -26,12 +26,15 @@ module ActiveSupport
|
|||||||
class MessageVerifier
|
class MessageVerifier
|
||||||
class InvalidSignature < StandardError; end
|
class InvalidSignature < StandardError; end
|
||||||
|
|
||||||
attr_accessor :serializer
|
def initialize(secret, options = {})
|
||||||
|
unless options.is_a?(Hash)
|
||||||
|
ActiveSupport::Deprecation.warn "The second parameter should be an options hash. Use :digest => 'algorithm' to sepcify the digest algorithm."
|
||||||
|
options = { :digest => options }
|
||||||
|
end
|
||||||
|
|
||||||
def initialize(secret, digest = 'SHA1', serializer = Marshal)
|
|
||||||
@secret = secret
|
@secret = secret
|
||||||
@digest = digest
|
@digest = options[:digest] || 'SHA1'
|
||||||
@serializer = serializer
|
@serializer = options[:serializer] || Marshal
|
||||||
end
|
end
|
||||||
|
|
||||||
def verify(signed_message)
|
def verify(signed_message)
|
||||||
@ -39,14 +42,14 @@ def verify(signed_message)
|
|||||||
|
|
||||||
data, digest = signed_message.split("--")
|
data, digest = signed_message.split("--")
|
||||||
if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
|
if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
|
||||||
serializer.load(ActiveSupport::Base64.decode64(data))
|
@serializer.load(ActiveSupport::Base64.decode64(data))
|
||||||
else
|
else
|
||||||
raise InvalidSignature
|
raise InvalidSignature
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def generate(value)
|
def generate(value)
|
||||||
data = ActiveSupport::Base64.encode64s(serializer.dump(value))
|
data = ActiveSupport::Base64.encode64s(@serializer.dump(value))
|
||||||
"#{data}--#{generate_digest(data)}"
|
"#{data}--#{generate_digest(data)}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
@ -52,9 +52,9 @@ def test_signed_round_tripping
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_alternative_serialization_method
|
def test_alternative_serialization_method
|
||||||
@encryptor.serializer = JSONSerializer.new
|
encryptor = ActiveSupport::MessageEncryptor.new(SecureRandom.hex(64), :serializer => JSONSerializer.new)
|
||||||
message = @encryptor.encrypt_and_sign({ :foo => 123, 'bar' => Time.utc(2010) })
|
message = encryptor.encrypt_and_sign({ :foo => 123, 'bar' => Time.utc(2010) })
|
||||||
assert_equal @encryptor.decrypt_and_verify(message), { "foo" => 123, "bar" => "2010-01-01T00:00:00Z" }
|
assert_equal encryptor.decrypt_and_verify(message), { "foo" => 123, "bar" => "2010-01-01T00:00:00Z" }
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|||||||
@ -45,9 +45,9 @@ def test_tampered_data_raises
|
|||||||
end
|
end
|
||||||
|
|
||||||
def test_alternative_serialization_method
|
def test_alternative_serialization_method
|
||||||
@verifier.serializer = JSONSerializer.new
|
verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!", :serializer => JSONSerializer.new)
|
||||||
message = @verifier.generate({ :foo => 123, 'bar' => Time.utc(2010) })
|
message = verifier.generate({ :foo => 123, 'bar' => Time.utc(2010) })
|
||||||
assert_equal @verifier.verify(message), { "foo" => 123, "bar" => "2010-01-01T00:00:00Z" }
|
assert_equal verifier.verify(message), { "foo" => 123, "bar" => "2010-01-01T00:00:00Z" }
|
||||||
end
|
end
|
||||||
|
|
||||||
def assert_not_verified(message)
|
def assert_not_verified(message)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user