Class: PorkyLib::Symmetric

Inherits:
Object
  • Object
show all
Includes:
Singleton
Defined in:
lib/porky_lib/symmetric.rb

Constant Summary collapse

CMK_KEY_ORIGIN = 
'AWS_KMS'
CMK_KEY_USAGE = 
'ENCRYPT_DECRYPT'
SYMMETRIC_KEY_SPEC = 
'AES_256'

Instance Method Summary collapse

Instance Method Details

#clientObject 



15
16
17
18
 
# File 'lib/porky_lib/symmetric.rb', line 15

def client
  require 'porky_lib/aws/kms/client' if PorkyLib::Config.config[:aws_client_mock]
  @client ||= Aws::KMS::Client.new
end

#cmk_alias_exists?(key_alias) ⇒ Boolean

Returns:

  • (Boolean) 


33
34
35
36
37
38
39
40
 
# File 'lib/porky_lib/symmetric.rb', line 33

def cmk_alias_exists?(key_alias)
  alias_list = client.list_aliases.to_h[:aliases]
  alias_list.each do |item|
    return true if item[:alias_name] == key_alias
  end

  false
end

#create_alias(key_id, key_alias) ⇒ Object 



46
47
48
 
# File 'lib/porky_lib/symmetric.rb', line 46

def create_alias(key_id, key_alias)
  client.create_alias(target_key_id: key_id, alias_name: key_alias)
end

#create_key(tags, key_alias = nil, key_rotation_enabled = true) ⇒ Object 



20
21
22
23
24
25
26
27
28
29
30
31
 
# File 'lib/porky_lib/symmetric.rb', line 20

def create_key(tags, key_alias = nil, key_rotation_enabled = true)
  resp = client.create_key(key_usage: CMK_KEY_USAGE, origin: CMK_KEY_ORIGIN, tags: tags)
  key_id = resp.to_h[:key_metadata][:key_id]

  # Enable automatic key rotation for the newly created CMK
  enable_key_rotation(key_id) if key_rotation_enabled

  # Create an alias for the newly created CMK
  create_alias(key_id, key_alias) if key_alias

  key_id
end

#decrypt(ciphertext_dek, ciphertext, nonce, encryption_context = nil) ⇒ Object 



90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
 
# File 'lib/porky_lib/symmetric.rb', line 90

def decrypt(ciphertext_dek, ciphertext, nonce, encryption_context = nil)
  return if ciphertext.nil? || ciphertext_dek.nil? || nonce.nil?

  # Decrypt the data encryption key
  plaintext_key = decrypt_data_encryption_key(ciphertext_dek, encryption_context)
  secret_box = RbNaCl::SecretBox.new(plaintext_key)

  should_reencrypt = false
  begin
    # Decrypt the message
    message = secret_box.decrypt(nonce, ciphertext)
  rescue RbNaCl::CryptoError
    # For backwards compatibility due to a code error in a previous release
    plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
    message = secret_box.decrypt(nonce, ciphertext)
    should_reencrypt = true
  end

  # Securely delete the plaintext value from memory
  plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))

  [message, should_reencrypt]
end

#decrypt_data_encryption_key(ciphertext_key, encryption_context = nil) ⇒ Object 



58
59
60
61
62
63
 
# File 'lib/porky_lib/symmetric.rb', line 58

def decrypt_data_encryption_key(ciphertext_key, encryption_context = nil)
  return client.decrypt(ciphertext_blob: ciphertext_key, encryption_context: encryption_context).plaintext if encryption_context

  resp = client.decrypt(ciphertext_blob: ciphertext_key)
  resp.plaintext
end

#decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil) ⇒ Object 



155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
 
# File 'lib/porky_lib/symmetric.rb', line 155

def decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil)
  return if ciphertext.nil? || ciphertext_dek.nil? || nonce.nil?

  encryption_statistics = {}

  plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
    # Decrypt the data encryption key
    decrypt_data_encryption_key(ciphertext_dek, encryption_context)
  end

  message, should_reencrypt = benchmark_block(encryption_statistics, :decrypt) do
    secret_box = RbNaCl::SecretBox.new(plaintext_key)

    should_reencrypt = false
    begin
      # Decrypt the message
      message = secret_box.decrypt(nonce, ciphertext)
    rescue RbNaCl::CryptoError
      # For backwards compatibility due to a code error in a previous release
      plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
      message = secret_box.decrypt(nonce, ciphertext)
      should_reencrypt = true
    end

    [message, should_reencrypt, encryption_statistics]
  end

  benchmark_block(encryption_statistics, :clear_key) do
    # Securely delete the plaintext value from memory
    plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
  end

  [message, should_reencrypt, encryption_statistics]
end

#decrypt_with_key(ciphertext, plaintext_key, nonce) ⇒ Object 



214
215
216
217
218
219
220
221
222
223
224
225
226
 
# File 'lib/porky_lib/symmetric.rb', line 214

def decrypt_with_key(ciphertext, plaintext_key, nonce)
  # Initialize the box
  secret_box = RbNaCl::SecretBox.new(plaintext_key)

  # Decrypt the message
  plaintext = secret_box.decrypt(nonce, ciphertext)

  result = OpenStruct.new

  result.plaintext = plaintext

  result
end

#decrypt_with_key_with_benchmark(ciphertext, plaintext_key, nonce) ⇒ Object 



255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
 
# File 'lib/porky_lib/symmetric.rb', line 255

def decrypt_with_key_with_benchmark(ciphertext, plaintext_key, nonce)
  encryption_statistics = {}

  plaintext = benchmark_block(encryption_statistics, :decrypt) do
    secret_box = RbNaCl::SecretBox.new(plaintext_key)

    # Decrypt the message
    plaintext = secret_box.decrypt(nonce, ciphertext)

    plaintext
  end

  result = OpenStruct.new

  result.plaintext = plaintext
  result.statistics = encryption_statistics

  result
end

#enable_key_rotation(key_id) ⇒ Object 



42
43
44
 
# File 'lib/porky_lib/symmetric.rb', line 42

def enable_key_rotation(key_id)
  client.enable_key_rotation(key_id: key_id)
end

#encrypt(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil) ⇒ Object 



65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
# File 'lib/porky_lib/symmetric.rb', line 65

def encrypt(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil)
  return if data.nil? || cmk_key_id.nil?

  # Generate a new data encryption key or decrypt existing key, if provided
  plaintext_key = decrypt_data_encryption_key(ciphertext_dek, encryption_context) if ciphertext_dek
  ciphertext_key = ciphertext_dek if ciphertext_dek
  plaintext_key, ciphertext_key = generate_data_encryption_key(cmk_key_id, encryption_context) unless ciphertext_dek

  # Initialize the box
  secret_box = RbNaCl::SecretBox.new(plaintext_key)

  # First, make a nonce: A single-use value never repeated under the same key
  # The nonce isn't secret, and can be sent with the ciphertext.
  # The cipher instance has a nonce_bytes method for determining how many bytes should be in a nonce
  nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)

  # Encrypt a message with SecretBox
  ciphertext = secret_box.encrypt(nonce, data)

  # Securely delete the plaintext value from memory
  plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))

  [ciphertext_key, ciphertext, nonce]
end

#encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil) ⇒ Object 



114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
 
# File 'lib/porky_lib/symmetric.rb', line 114

def encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil)
  return if data.nil? || cmk_key_id.nil?

  encryption_statistics = {}

  # Generate a new data encryption key or decrypt existing key, if provided
  if ciphertext_dek
    plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
      decrypt_data_encryption_key(ciphertext_dek, encryption_context)
    end

    ciphertext_key = ciphertext_dek
  else
    plaintext_key, ciphertext_key = benchmark_block(encryption_statistics, :generate_key) do
      generate_data_encryption_key(cmk_key_id, encryption_context)
    end
  end

  nonce, ciphertext = benchmark_block(encryption_statistics, :encrypt) do
    # Initialize the box
    secret_box = RbNaCl::SecretBox.new(plaintext_key)

    # First, make a nonce: A single-use value never repeated under the same key
    # The nonce isn't secret, and can be sent with the ciphertext.
    # The cipher instance has a nonce_bytes method for determining how many bytes should be in a nonce
    nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)

    # Encrypt a message with SecretBox
    ciphertext = secret_box.encrypt(nonce, data)

    [nonce, ciphertext]
  end

  benchmark_block(encryption_statistics, :clear_key) do
    # Securely delete the plaintext value from memory
    plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
  end

  [ciphertext_key, ciphertext, nonce, encryption_statistics]
end

#encrypt_with_key(plaintext, plaintext_key) ⇒ Object 



194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
 
# File 'lib/porky_lib/symmetric.rb', line 194

def encrypt_with_key(plaintext, plaintext_key)
  # Initialize the box
  secret_box = RbNaCl::SecretBox.new(plaintext_key)

  # First, make a nonce: A single-use value never repeated under the same key
  # The nonce isn't secret, and can be sent with the ciphertext.
  # The cipher instance has a nonce_bytes method for determining how many bytes should be in a nonce
  nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)

  # Encrypt a message with SecretBox
  ciphertext = secret_box.encrypt(nonce, plaintext)

  result = OpenStruct.new

  result.ciphertext = ciphertext
  result.nonce = nonce

  result
end

#encrypt_with_key_with_benchmark(plaintext, plaintext_key) ⇒ Object 



228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
 
# File 'lib/porky_lib/symmetric.rb', line 228

def encrypt_with_key_with_benchmark(plaintext, plaintext_key)
  encryption_statistics = {}

  nonce, ciphertext = benchmark_block(encryption_statistics, :encrypt) do
    # Initialize the box
    secret_box = RbNaCl::SecretBox.new(plaintext_key)

    # First, make a nonce: A single-use value never repeated under the same key
    # The nonce isn't secret, and can be sent with the ciphertext.
    # The cipher instance has a nonce_bytes method for determining how many bytes should be in a nonce
    nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)

    # Encrypt a message with SecretBox
    ciphertext = secret_box.encrypt(nonce, plaintext)

    [nonce, ciphertext]
  end

  result = OpenStruct.new

  result.ciphertext = ciphertext
  result.nonce = nonce
  result.statistics = encryption_statistics

  result
end

#generate_data_encryption_key(cmk_key_id, encryption_context = nil) ⇒ Object 



50
51
52
53
54
55
56
 
# File 'lib/porky_lib/symmetric.rb', line 50

def generate_data_encryption_key(cmk_key_id, encryption_context = nil)
  resp = {}
  resp = client.generate_data_key(key_id: cmk_key_id, key_spec: SYMMETRIC_KEY_SPEC, encryption_context: encryption_context) if encryption_context
  resp = client.generate_data_key(key_id: cmk_key_id, key_spec: SYMMETRIC_KEY_SPEC) unless encryption_context

  [resp.plaintext, resp.ciphertext_blob]
end

#secure_delete_plaintext_key(length) ⇒ Object 



190
191
192
 
# File 'lib/porky_lib/symmetric.rb', line 190

def secure_delete_plaintext_key(length)
  "\0" * length
end