dumplingmiku/ubicloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
alpine
ubicloud/rhizome/host/lib/storage_key_encryption.rb
Jeremy Evans e59d71e2f6 Restore Ruby 3.2 syntax to rhizome 
Ubuntu 22.04 VmHosts use Ruby 3.0, and Ubunutu 24.04 use Ruby 3.2,
so 3.4 syntax would break either.  This was theoretically an issue
before, but I'm guessing there were no significant syntax changes
between 3.0 and 3.2 that Rubocop's rewriting would break.

This commits a rhizome/.rubocop.yml file that inherits the default
configuration, and overrides TargetRubyVersion.
2025-04-26 08:34:47 +09:00

67 lines
2.1 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
require_relative "../../common/lib/util"
require "openssl"
require "base64"
class StorageKeyEncryption
def initialize(key_encryption_cipher)
@key_encryption_cipher = key_encryption_cipher
end
def write_encrypted_dek(key_file, data_encryption_key)
File.open(key_file, "w") {
_1.write(JSON.pretty_generate({
cipher: data_encryption_key[:cipher],
key: wrap_key(data_encryption_key[:key]),
key2: wrap_key(data_encryption_key[:key2])
}))
fsync_or_fail(_1)
}
end
def read_encrypted_dek(key_file)
data_encryption_key = JSON.parse(File.read(key_file))
{
cipher: data_encryption_key["cipher"],
key: unwrap_key(data_encryption_key["key"]),
key2: unwrap_key(data_encryption_key["key2"])
}
end
def wrap_key(key)
algorithm = @key_encryption_cipher["algorithm"]
fail "currently only aes-256-gcm is supported" unless algorithm == "aes-256-gcm"
cipher = OpenSSL::Cipher.new(algorithm)
cipher.encrypt
cipher.key = Base64.decode64(@key_encryption_cipher["key"])
cipher.iv = Base64.decode64(@key_encryption_cipher["init_vector"])
cipher.auth_data = @key_encryption_cipher["auth_data"]
[
Base64.encode64(cipher.update(key) + cipher.final),
Base64.encode64(cipher.auth_tag)
]
end
def unwrap_key(encrypted_key)
algorithm = @key_encryption_cipher["algorithm"]
fail "currently only aes-256-gcm is supported" unless algorithm == "aes-256-gcm"
decipher = OpenSSL::Cipher.new(algorithm)
decipher.decrypt
decipher.key = Base64.decode64(@key_encryption_cipher["key"])
decipher.iv = Base64.decode64(@key_encryption_cipher["init_vector"])
decipher.auth_data = @key_encryption_cipher["auth_data"]
auth_tag = Base64.decode64(encrypted_key[1])
# We reject if auth_tag length is not the spec maximum (16), see
# https://github.com/ruby/openssl/issues/63 for more details.
fail "Invalid auth_tag size: #{auth_tag.bytesize}" unless auth_tag.bytesize == 16
decipher.auth_tag = auth_tag
decipher.update(Base64.decode64(encrypted_key[0])) + decipher.final
end
end
Reference in New Issue View Git Blame Copy Permalink