Class: OpenSSL::CMAC

Inherits:
Object
  • Object
show all
Defined in:
lib/openssl/cmac.rb,
lib/openssl/cmac/version.rb

Overview

Abstract from tools.ietf.org/html/rfc4493:

The National Institute of Standards and Technology (NIST) has recently specified the Cipher-based Message Authentication Code (CMAC), which is equivalent to the One-Key CBC MAC1 (OMAC1) submitted by Iwata and Kurosawa. This memo specifies an authentication algorithm based on CMAC with the 128-bit Advanced Encryption Standard (AES). This new authentication algorithm is named AES-CMAC. The purpose of this document is to make the AES-CMAC algorithm conveniently available to the Internet Community.

tools.ietf.org/html/rfc4494 reduces the length of the result from 16 to 12 Byte.

tools.ietf.org/html/rfc4615 allows to use variable key sizes.

Constant Summary collapse

VERSION = 
'2.0.0'

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(cipher, key = '') ⇒ Object

Returns an instance of OpenSSL::CMAC set with the cipher algorithm and key to be used. The instance represents the initial state of the message authentication code before any data has been processed. To process data with it, use the instance method update with your data as an argument.

Parameters:

  • cipher (String)

    entry of OpenSSL::CMAC.ciphers

  • key (String) (defaults to: '')

    binary key string



58
59
60
61
62
63
64
65
66
67
68
 
# File 'lib/openssl/cmac.rb', line 58

def initialize(cipher, key = '')
  unless CMAC.ciphers.include?(cipher)
    fail CMACError, "unsupported cipher algorithm (#{cipher})"
  end

  @keys = []
  @buffer = ''.force_encoding('ASCII-8BIT')
  @cipher = OpenSSL::Cipher.new("#{cipher}-128-CBC")

  self.key = key unless key == ''
end

Class Method Details

.ciphers[String]

Searches for supported algorithms within OpenSSL

Returns:

  • ([String])

    supported algorithms



28
29
30
31
32
 
# File 'lib/openssl/cmac.rb', line 28

def self.ciphers
  l = OpenSSL::Cipher.ciphers.keep_if { |c| c.end_with?('-128-CBC') }
  l.length.times { |i| l[i] = l[i][0..-9] }
  l
end

.digest(cipher, key, data, length = 16) ⇒ String

Returns the authentication code as a binary string. The cipher parameter must be an entry of OpenSSL::CMAC.ciphers.

Parameters:

  • cipher (String)

    entry of OpenSSL::CMAC.ciphers

  • key (String)

    binary key string

  • data (String)

    binary data string

  • length (Number) (defaults to: 16)

    length of the authentication code

Returns:

  • (String)

    authentication code



43
44
45
 
# File 'lib/openssl/cmac.rb', line 43

def self.digest(cipher, key, data, length = 16)
  CMAC.new(cipher, key).update(data).digest(length)
end

Instance Method Details

#<<(data) ⇒ Object

Alias for: update



98
99
100
 
# File 'lib/openssl/cmac.rb', line 98

def <<(data)
  update(data)
end

#block_lengthNumber

Returns the block length of the used cipher algorithm.

Returns:

  • (Number)

    length of the used cipher algorithm



105
106
107
 
# File 'lib/openssl/cmac.rb', line 105

def block_length
  16
end

#digest(length = 16) ⇒ Object

Returns the authentication code an instance represents as a binary string.

Parameters:

  • length (Number) (defaults to: 16)

    length of the authentication code



152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
 
# File 'lib/openssl/cmac.rb', line 152

def digest(length = 16)
  fail CMACError, 'no key is set' if @keys[0].nil?
  fail CMACError, 'no key is set' unless length.between?(1, 16)

  block = @buffer.bytes
  @buffer.clear
  k = @keys[block.length == 16 ? 1 : 2].dup
  i = block.length.times { |t| k[t] ^= block[t] }
  k[i] ^= 0x80 if i < 16
  mac = @cipher.update(k.pack('C*'))
  @cipher.reset
  @cipher.encrypt
  @cipher.key = @keys[0]
  mac[0...length]
end

#digest_max_lengthNumber

Returns the maximum length of the resulting digest.

Returns:

  • (Number)

    maximum length of the resulting digest



112
113
114
 
# File 'lib/openssl/cmac.rb', line 112

def digest_max_length
  16
end

#key=(key) ⇒ Object

Returns self as it was when it was first initialized with new key, with all processed data cleared from it.

Parameters:

  • key (String)

    binary key string

Returns:

  • (Object)

    self with initial state and new key



76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
 
# File 'lib/openssl/cmac.rb', line 76

def key=(key)
  reset
  key = CMAC.digest('AES', "\x00" * 16, key, 16) unless key.b.length == 16

  @keys[0] = key.dup
  @cipher.key = @keys[0]

  cipher = OpenSSL::Cipher.new(@cipher.name)
  cipher.encrypt
  cipher.key = @keys[0]
  k = cipher.update("\x00" * 16).bytes
  1.upto(2) do |i|
    k = k.pack('C*').unpack('B*')[0]
    msb = k.slice!(0)
    k = [k, '0'].pack('B*').bytes
    k[15] ^= 0x87 if msb == '1'
    @keys[i] = k.dup
  end
  self
end

#nameString

Returns the name of the used authentication code algorithm.

Returns:

  • (String)

    name of the used authentication code algorithm



119
120
121
 
# File 'lib/openssl/cmac.rb', line 119

def name
  "CMAC with #{@cipher.name[0..-9]}"
end

#resetObject

Returns self as it was when it was first initialized, with all processed data cleared from it.

Returns:

  • (Object)

    self with initial state



127
128
129
130
131
132
133
 
# File 'lib/openssl/cmac.rb', line 127

def reset
  @keys.clear
  @buffer.clear
  @cipher.reset
  @cipher.encrypt
  self
end

#update(data) ⇒ Object

Returns self updated with the message to be authenticated. Can be called repeatedly with chunks of the message.

Parameters:

  • data (String)

    binary data string

Returns:

  • (Object)

    self with new state



141
142
143
144
145
146
147
 
# File 'lib/openssl/cmac.rb', line 141

def update(data)
  fail CMACError, 'no key is set' if @keys[0].nil?

  @buffer += data
  @cipher.update(@buffer.slice!(0...16)) while @buffer.length > 16
  self
end