module Darrrr::DefaultEncryptor

Public Class Methods

decrypt(ciphertext, _provider, _context = nil) click to toggle source

Decrypts the data

ciphertext: the byte array to be decrypted context: arbitrary data originally passed in via RecoveryToken#decode

returns a string

# File lib/darrrr/cryptors/default/default_encryptor.rb, line 24
def decrypt(ciphertext, _provider, _context = nil)
  EncryptedData.parse(ciphertext).decrypt
end
encrypt(data, _provider, _context = nil) click to toggle source

Encrypts the data in an opaque way

data: the secret to be encrypted context: arbitrary data originally passed in via Provider#seal

returns a byte array representation of the data

# File lib/darrrr/cryptors/default/default_encryptor.rb, line 14
def encrypt(data, _provider, _context = nil)
  EncryptedData.build(data).to_binary_s
end
sign(payload, key, _provider, context = nil) click to toggle source

payload: binary serialized recovery token (to_binary_s).

key: the private EC key used to sign the token context: arbitrary data originally passed in via Provider#seal

returns signature in ASN.1 DER r + s sequence

# File lib/darrrr/cryptors/default/default_encryptor.rb, line 35
def sign(payload, key, _provider, context = nil)
  digest = DIGEST.new.digest(payload)
  ec = OpenSSL::PKey::EC.new(Base64.strict_decode64(key))
  ec.dsa_sign_asn1(digest)
end
verify(payload, signature, key, _provider, _context = nil) click to toggle source

payload: token in binary form signature: signature of the binary token key: the EC public key used to verify the signature context: arbitrary data originally passed in via unseal

returns true if signature validates the payload

# File lib/darrrr/cryptors/default/default_encryptor.rb, line 47
def verify(payload, signature, key, _provider, _context = nil)
  public_key_hex = format_key(key)
  pkey = OpenSSL::PKey::EC.new(GROUP)
  public_key_bn = OpenSSL::BN.new(public_key_hex, 16)
  public_key = OpenSSL::PKey::EC::Point.new(GROUP, public_key_bn)
  pkey.public_key = public_key

  pkey.verify(DIGEST.new, signature, payload)
rescue OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError => e
  raise CryptoError, "Unable verify recovery token"
end

Private Class Methods

format_key(key) click to toggle source
# File lib/darrrr/cryptors/default/default_encryptor.rb, line 59
        def format_key(key)
  sequence, bit_string = OpenSSL::ASN1.decode(Base64.decode64(key)).value
  unless bit_string.try(:tag) == OpenSSL::ASN1::BIT_STRING
    raise CryptoError, "DER-encoded key did not contain a bit string"
  end
  bit_string.value.unpack("H*").first
rescue OpenSSL::ASN1::ASN1Error => e
  raise CryptoError, "Invalid public key format. The key must be in ASN.1 format. #{e.message}"
end