Class: Chef::EncryptedAttribute::EncryptedMash::Version0

Inherits:
Chef::EncryptedAttribute::EncryptedMash
Defined in:
lib/chef/encrypted_attribute/encrypted_mash/version0.rb

Overview

EncryptedMash Version0 format: using RSA without shared secret.

This is the first version and is considered old. It uses public key cryptography (PKI) to encrypt the data. There is no shared secret and no HMAC, so the data carries no integrity check.

EncryptedMash::Version0 Structure

If you read this encrypted attribute's structure, you will see a Chef::Mash with the following content:

EncryptedMash
└── encrypted_data
    ├── pub_key_hash1: The data encrypted using PKI for the public key 1
    │     (base64)
    ├── pub_key_hash2: The data encrypted using PKI for the public key 2
    │     (base64)
    └── ...

Each key (pub_key_hash1, pub_key_hash2, ...) is the SHA1 hash of the public key used for that encryption.

Its value is the data encoded in JSON, then encrypted with that public key, and finally encoded in base64. The encryption uses the RSA algorithm (PKI) directly on the JSON string.

Direct Known Subclasses

Version1

Constant Summary

Constants inherited from Chef::EncryptedAttribute::EncryptedMash

CHEF_TYPE, CHEF_TYPE_VALUE, JSON_CLASS, VERSION_PREFIX

Instance Method Summary

Methods inherited from Chef::EncryptedAttribute::EncryptedMash

create, exist?, exists?, #for_json, #initialize, json_create, string_to_klass, #to_json, #update_from!, version_klass

Constructor Details

This class inherits a constructor from Chef::EncryptedAttribute::EncryptedMash

Instance Method Details

#can_be_decrypted_by?(keys) ⇒ Boolean

Checks if the current Chef::EncryptedAttribute::EncryptedMash can be decrypted by all of the provided keys.

Parameters:

  • keys (Array<OpenSSL::PKey::RSA>)

    list of public keys.

Returns:

  • (Boolean)

    true if all keys can decrypt the data.

Raises:



# File 'lib/chef/encrypted_attribute/encrypted_mash/version0.rb', line 102

def can_be_decrypted_by?(keys)
  return false unless encrypted?
  data_can_be_decrypted_by_keys?(self['encrypted_data'], keys)
end

#decrypt(key) ⇒ Mixed

Decrypts the current Chef::EncryptedAttribute::EncryptedMash object.

Parameters:

  • key (String, OpenSSL::PKey::RSA)

    RSA private key used to decrypt.

Returns:

  • (Mixed)

    the value decrypted.

Raises:



# File 'lib/chef/encrypted_attribute/encrypted_mash/version0.rb', line 88

def decrypt(key)
  key = parse_decryption_key(key)
  value_json = rsa_decrypt_multi_key(self['encrypted_data'], key)
  json_decode(value_json)
  # we avoid saving the decrypted value, only return it
end

#encrypt(value, public_keys) ⇒ EncryptedMash

Encrypts data inside the current Chef::EncryptedAttribute::EncryptedMash object.

Parameters:

  • value (Mixed)

    value to encrypt, will be converted to JSON.

  • public_keys (Array<String, OpenSSL::PKey::RSA>)

    public keys that will be able to decrypt the Chef::EncryptedAttribute::EncryptedMash.

Returns:

Raises:



# File 'lib/chef/encrypted_attribute/encrypted_mash/version0.rb', line 71

def encrypt(value, public_keys)
  value_json = json_encode(value)
  public_keys = parse_public_keys(public_keys)
  self['encrypted_data'] =
    rsa_encrypt_multi_key(value_json, public_keys)
  self
end

#needs_update?(keys) ⇒ Boolean

Checks if the current Chef::EncryptedAttribute::EncryptedMash needs to be re-encrypted.

This usually happens when new keys are provided or some keys used in the previous encryption have been removed.

In other words, this method checks that all the given keys can decrypt the data, and that only those keys can.

Parameters:

  • keys (Array<String, OpenSSL::PKey::RSA>)

    list of RSA public keys.

Returns:

  • (Boolean)

    true if all keys can decrypt the data and only those keys can decrypt the data.

Raises:



# File 'lib/chef/encrypted_attribute/encrypted_mash/version0.rb', line 121

def needs_update?(keys)
  keys = parse_public_keys(keys)
  !can_be_decrypted_by?(keys) ||
    self['encrypted_data'].keys.count != keys.count
end
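The structure described under "EncryptedMash::Version0 Structure" and the key-set check implemented by #needs_update? above, modelled end to end as an added example. This is not the gem's own code: it is a self-contained sketch that builds the encrypted_data hash with Ruby's OpenSSL, and it assumes the per-key hash is the SHA1 hex digest of the public key's DER encoding (the page only says "SHA1 of the public key").

```ruby
require 'openssl'
require 'json'

# Added example, not the chef-encrypted-attributes implementation.
module Version0Example
  # Key used inside encrypted_data for a given RSA key (public or private).
  # Assumption: SHA1 hex digest of the public half in DER form.
  def self.key_id(key)
    OpenSSL::Digest::SHA1.hexdigest(key.public_key.to_der)
  end

  # JSON-encode the value, RSA-encrypt it once per public key, base64 each blob.
  def self.encrypt(value, public_keys)
    value_json = JSON.generate(value)
    encrypted = public_keys.each_with_object({}) do |pub, h|
      # Plain RSA (PKCS#1 v1.5 padding) caps the plaintext at key_bytes - 11,
      # so this format cannot hold values longer than that.
      h[key_id(pub)] = [pub.public_encrypt(value_json)].pack('m0')
    end
    { 'encrypted_data' => encrypted }
  end

  # Look up the entry for this private key's public half and decrypt it.
  # Nothing here authenticates the ciphertext: there is no HMAC in Version0.
  def self.decrypt(mash, priv)
    blob = mash['encrypted_data'][key_id(priv)]
    raise 'no entry for this key' if blob.nil?
    JSON.parse(priv.private_decrypt(blob.unpack1('m0')))
  end

  # true if every given public key has an entry in encrypted_data.
  def self.can_be_decrypted_by?(mash, public_keys)
    public_keys.all? { |pub| mash['encrypted_data'].key?(key_id(pub)) }
  end

  # Same rule as #needs_update? above: all keys must be present, and no extras.
  def self.needs_update?(mash, public_keys)
    !can_be_decrypted_by?(mash, public_keys) ||
      mash['encrypted_data'].keys.count != public_keys.count
  end
end
```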