Class: OpenSSL::CMAC
- Inherits:
-
Object
- Object
- OpenSSL::CMAC
- Defined in:
- lib/openssl/cmac.rb,
lib/openssl/cmac/version.rb
Overview
Abstract from tools.ietf.org/html/rfc4493:
The National Institute of Standards and Technology (NIST) has recently specified the Cipher-based Message Authentication Code (CMAC), which is equivalent to the One-Key CBC MAC1 (OMAC1) submitted by Iwata and Kurosawa. This memo specifies an authentication algorithm based on CMAC with the 128-bit Advanced Encryption Standard (AES). This new authentication algorithm is named AES-CMAC. The purpose of this document is to make the AES-CMAC algorithm conveniently available to the Internet Community.
tools.ietf.org/html/rfc4494 reduces the length of the result from 16 to 12 Byte.
tools.ietf.org/html/rfc4615 allows to use variable key sizes.
Constant Summary collapse
- VERSION =
'2.0.1'
Class Method Summary collapse
-
.ciphers ⇒ [String]
Searches for supported algorithms within OpenSSL.
-
.digest(cipher, key, data, length = 16) ⇒ String
Returns the authentication code as a binary string.
Instance Method Summary collapse
-
#<<(data) ⇒ Object
Alias for: update.
-
#block_length ⇒ Number
Returns the block length of the used cipher algorithm.
-
#digest(length = 16) ⇒ Object
Returns the authentication code an instance represents as a binary string.
-
#digest_max_length ⇒ Number
Returns the maximum length of the resulting digest.
-
#initialize(cipher, key = '') ⇒ Object
constructor
Returns an instance of OpenSSL::CMAC set with the cipher algorithm and key to be used.
-
#key=(key) ⇒ Object
Returns self as it was when it was first initialized with new key, with all processed data cleared from it.
-
#name ⇒ String
Returns the name of the used authentication code algorithm.
-
#reset ⇒ Object
Returns self as it was when it was first initialized, with all processed data cleared from it.
-
#update(data) ⇒ Object
Returns self updated with the message to be authenticated.
Constructor Details
#initialize(cipher, key = '') ⇒ Object
Returns an instance of OpenSSL::CMAC set with the cipher algorithm and key to be used. The instance represents the initial state of the message authentication code before any data has been processed. To process data with it, use the instance method update with your data as an argument.
56 57 58 59 60 61 62 63 64 65 66 |
# File 'lib/openssl/cmac.rb', line 56 def initialize(cipher, key = '') unless CMAC.ciphers.include?(cipher.upcase) fail CMACError, "unsupported cipher algorithm (#{cipher})" end @keys = [] @buffer = ''.force_encoding('ASCII-8BIT') @cipher = OpenSSL::Cipher.new("#{cipher.upcase}-128-CBC") self.key = key unless key == '' end |
Class Method Details
.ciphers ⇒ [String]
Searches for supported algorithms within OpenSSL
28 29 30 |
# File 'lib/openssl/cmac.rb', line 28 def self.ciphers @ciphers ||= OpenSSL::Cipher.ciphers.select { |c| c.match(/-128-CBC$/i) }.map { |e| e[0..-9].upcase }.uniq end |
.digest(cipher, key, data, length = 16) ⇒ String
Returns the authentication code as a binary string. The cipher parameter must be an entry of OpenSSL::CMAC.ciphers.
41 42 43 |
# File 'lib/openssl/cmac.rb', line 41 def self.digest(cipher, key, data, length = 16) CMAC.new(cipher, key).update(data).digest(length) end |
Instance Method Details
#<<(data) ⇒ Object
Alias for: update
96 97 98 |
# File 'lib/openssl/cmac.rb', line 96 def <<(data) update(data) end |
#block_length ⇒ Number
Returns the block length of the used cipher algorithm.
103 104 105 |
# File 'lib/openssl/cmac.rb', line 103 def block_length 16 end |
#digest(length = 16) ⇒ Object
Returns the authentication code an instance represents as a binary string.
150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
# File 'lib/openssl/cmac.rb', line 150 def digest(length = 16) fail CMACError, 'no key is set' if @keys[0].nil? fail CMACError, 'no key is set' unless length.between?(1, 16) block = @buffer.bytes @buffer.clear k = @keys[block.length == 16 ? 1 : 2].dup i = block.length.times { |t| k[t] ^= block[t] } k[i] ^= 0x80 if i < 16 mac = @cipher.update(k.pack('C*')) + @cipher.final @cipher.reset @cipher.encrypt @cipher.key = @keys[0] # Each block is 16-bytes and the last block will always be PKCS#7 padding # which we want to discard. Take the last block prior to the padding for # the MAC. mac[-32...(-32 + length)] end |
#digest_max_length ⇒ Number
Returns the maximum length of the resulting digest.
110 111 112 |
# File 'lib/openssl/cmac.rb', line 110 def digest_max_length 16 end |
#key=(key) ⇒ Object
Returns self as it was when it was first initialized with new key, with all processed data cleared from it.
74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
# File 'lib/openssl/cmac.rb', line 74 def key=(key) reset key = CMAC.digest('AES', "\x00" * 16, key, 16) unless key.b.length == 16 @keys[0] = key.dup @cipher.key = @keys[0] cipher = OpenSSL::Cipher.new(@cipher.name) cipher.encrypt cipher.key = @keys[0] k = (cipher.update("\x00" * 16) + cipher.final).bytes[0...16] 1.upto(2) do |i| k = k.pack('C*').unpack('B*')[0] msb = k.slice!(0) k = [k, '0'].pack('B*').bytes k[15] ^= 0x87 if msb == '1' @keys[i] = k.dup end self end |
#name ⇒ String
Returns the name of the used authentication code algorithm.
117 118 119 |
# File 'lib/openssl/cmac.rb', line 117 def name "CMAC with #{@cipher.name[0..-9]}" end |
#reset ⇒ Object
Returns self as it was when it was first initialized, with all processed data cleared from it.
125 126 127 128 129 130 131 |
# File 'lib/openssl/cmac.rb', line 125 def reset @keys.clear @buffer.clear @cipher.reset unless @keys[0].nil? @cipher.encrypt self end |
#update(data) ⇒ Object
Returns self updated with the message to be authenticated. Can be called repeatedly with chunks of the message.
139 140 141 142 143 144 145 |
# File 'lib/openssl/cmac.rb', line 139 def update(data) fail CMACError, 'no key is set' if @keys[0].nil? @buffer += data @cipher.update(@buffer.slice!(0...16)) while @buffer.length > 16 self end |