From 32ce1170f3b34a908f1e3984a27490a9dd9569b4 Mon Sep 17 00:00:00 2001 From: Joshua Priddle Date: Wed, 13 Dec 2017 12:01:24 -0500 Subject: [PATCH] Replace AesNew provider with ActiveSupport::MessageEncryptor --- .travis.yml | 12 ++--- Appraisals | 5 ++ README.md | 45 ++++++++++++---- crypt_keeper.gemspec | 3 +- gemfiles/activerecord_5_0.gemfile | 8 +++ gemfiles/activerecord_5_1.gemfile | 4 +- lib/crypt_keeper.rb | 2 +- lib/crypt_keeper/helper.rb | 1 + lib/crypt_keeper/model.rb | 2 +- lib/crypt_keeper/provider/active_support.rb | 51 ++++++++++++++++++ lib/crypt_keeper/provider/aes_new.rb | 53 ------------------- lib/crypt_keeper/provider/mysql_aes_new.rb | 2 +- lib/crypt_keeper/provider/postgres_pgp.rb | 2 +- .../provider/postgres_pgp_public_key.rb | 2 +- spec/crypt_keeper/model_spec.rb | 10 ++-- .../provider/active_support_spec.rb | 37 +++++++++++++ spec/crypt_keeper/provider/aes_new_spec.rb | 41 -------------- 17 files changed, 155 insertions(+), 125 deletions(-) create mode 100644 gemfiles/activerecord_5_0.gemfile create mode 100644 lib/crypt_keeper/provider/active_support.rb delete mode 100644 lib/crypt_keeper/provider/aes_new.rb create mode 100644 spec/crypt_keeper/provider/active_support_spec.rb delete mode 100644 spec/crypt_keeper/provider/aes_new_spec.rb diff --git a/.travis.yml b/.travis.yml index 19ff64c..99ff615 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,19 +1,15 @@ language: ruby rvm: - - 2.1.10 - - 2.2.5 - - 2.3.1 + - 2.2.7 + - 2.3.4 + - 2.4.1 gemfile: - gemfiles/activerecord_4_2.gemfile + - gemfiles/activerecord_5_0.gemfile - gemfiles/activerecord_5_1.gemfile -matrix: - exclude: - - gemfile: gemfiles/activerecord_5_1.gemfile - rvm: 2.1.10 - addons: postgresql: 9.3 diff --git a/Appraisals b/Appraisals index 64788ea..81e88fc 100644 --- a/Appraisals +++ b/Appraisals @@ -7,3 +7,8 @@ appraise "activerecord_5_0" do gem "activerecord", "~> 5.0.0" gem "activesupport", "~> 5.0.0" end + +appraise "activerecord_5_1" do + gem "activerecord", "~> 5.1.0" + gem "activesupport", "~> 5.1.0" +end diff --git a/README.md b/README.md index 2f38422..b705b00 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ is a simple class that does 3 things. Note: Any options defined using `crypt_keeper` will be passed to `new` as a hash. -You can see an AES example [here](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/aes_new.rb). +You can see an example [here](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/active_support.rb). ## Why? @@ -27,7 +27,7 @@ simple that *just works*. ```ruby class MyModel < ActiveRecord::Base - crypt_keeper :field, :other_field, :encryptor => :aes_new, :key => 'super_good_password', salt: 'salt' + crypt_keeper :field, :other_field, encryptor: :active_support, key: 'super_good_password', salt: 'salt' end model = MyModel.new(field: 'sometext') @@ -53,7 +53,7 @@ You can force an encoding on the plaintext before encryption and after decryptio ```ruby class MyModel < ActiveRecord::Base - crypt_keeper :field, :other_field, :encryptor => :aes_new, :key => 'super_good_password', salt: 'salt', :encoding => 'UTF-8' + crypt_keeper :field, :other_field, encryptor: :active_support, key: 'super_good_password', salt: 'salt', encoding: 'UTF-8' end model = MyModel.new(field: 'Tromsø') @@ -68,7 +68,7 @@ If you are working with an existing table you would like to encrypt, you must us ```ruby class MyExistingModel < ActiveRecord::Base - crypt_keeper :field, :other_field, :encryptor => :aes_new, :key => 'super_good_password', salt: 'salt' + crypt_keeper :field, :other_field, encryptor: :active_support, key: 'super_good_password', salt: 'salt' end MyExistingModel.encrypt_table! @@ -78,10 +78,10 @@ Running `encrypt_table!` will encrypt all rows in the database using the encrypt ## Supported Available Encryptors -There are four supported encryptors: `aes_new`, `mysql_aes_new`, `postgres_pgp`, `postgres_pgp_public_key`. +There are four supported encryptors: `active_support`, `mysql_aes_new`, `postgres_pgp`, `postgres_pgp_public_key`. -* [AES New](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/aes_new.rb) - * Encryption is peformed using AES-256 via OpenSSL. +* [ActiveSupport](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/active_support.rb) + * Encryption is performed using [ActiveSupport::MessageEncryptor](http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html) * Passphrases are derived using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) * [MySQL AES New](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/mysql_aes_new.rb) @@ -111,8 +111,8 @@ There are four supported encryptors: `aes_new`, `mysql_aes_new`, `postgres_pgp`, ## Searching Searching ciphertext is a complex problem that varies depending on the encryption algorithm you choose. All of the bundled providers include search support, but they have some caveats. -* AES - * The Ruby implementation of AES uses a random initialization vector. The same plaintext encrypted multiple times will have different output each time for the ciphertext. Since this is the case, it is not possible to search leveraging the database. Database rows will need to be filtered in memory. It is suggested that you use a scope or ActiveRecord batches to narrow the results before seaching them. +* ActiveSupport::MessageEncryptor + * ActiveSupport's MessageEncryptor uses a random initialization vector when generating keys. The same plaintext encrypted multiple times will have different output each time for the ciphertext. Since this is the case, it is not possible to search leveraging the database. Database rows will need to be filtered in memory. It is suggested that you use a scope or ActiveRecord batches to narrow the results before seaching them. * Mysql AES * Surprisingly, MySQL's implementation of AES does not use a random initialization vector. The column containing the ciphertext can be indexed and searched quickly. @@ -157,10 +157,35 @@ as a string or an underscored symbol ```ruby class MyModel < ActiveRecord::Base - crypt_keeper :field, :other_field, :encryptor => :my_encryptor, :key => 'super_good_password' + crypt_keeper :field, :other_field, encryptor: :my_encryptor, key: 'super_good_password' end ``` +## Migrating from CryptKeeper 1.x to 2.0 + +CryptKeeper 2.0 removes the AES encryptor due to security issues in the +underlying AES gem. If you were previously using the `aes_new` encryptor, you +will need to follow these instructions to reencrypt your data. + +The general migration path is as follows: + +1. Enable maintenance mode in any live apps +2. Backup database +3. Decrypt tables: TableName.decrypt_table! +4. Update to 2.0.0.rc1 in your app. Update the encryptor to use :active_support +5. Encrypt tables: `TableName.encrypt_table!` +6. Verify data can be decrypted: `TableName.first` +7. Disable maintenance mode if necessary + +In case you experience problems, the rollback procedure is as follows: + +1. Enable maintenance mode +2. Backup database again +3. Restore first database dump, from before CryptKeeper 2.0.0.rc1 +4. Verify data can be decrypted +5. Disable maintenance mode +6. Let us know what happened :( + ## Requirements CryptKeeper has been tested against ActiveRecord 4.2 and 5.0 using Ruby diff --git a/crypt_keeper.gemspec b/crypt_keeper.gemspec index bd8e606..dac4d05 100644 --- a/crypt_keeper.gemspec +++ b/crypt_keeper.gemspec @@ -16,9 +16,10 @@ Gem::Specification.new do |gem| gem.require_paths = ["lib"] gem.version = CryptKeeper::VERSION + gem.post_install_message = "WARNING: CryptKeeper 2.0 contains breaking changes and may require you to reencrypt your data! Please view the README at https://github.com/jmazzi/crypt_keeper for more information." + gem.add_runtime_dependency 'activerecord', '>= 4.2', '< 5.2' gem.add_runtime_dependency 'activesupport', '>= 4.2', '< 5.2' - gem.add_runtime_dependency 'aes', '~> 0.5.0' gem.add_runtime_dependency 'armor', '~> 0.0.2' gem.add_development_dependency 'rspec', '~> 3.5.0' diff --git a/gemfiles/activerecord_5_0.gemfile b/gemfiles/activerecord_5_0.gemfile new file mode 100644 index 0000000..a06e237 --- /dev/null +++ b/gemfiles/activerecord_5_0.gemfile @@ -0,0 +1,8 @@ +# This file was generated by Appraisal + +source "https://rubygems.org" + +gem "activerecord", "~> 5.0.0" +gem "activesupport", "~> 5.0.0" + +gemspec :path => "../" diff --git a/gemfiles/activerecord_5_1.gemfile b/gemfiles/activerecord_5_1.gemfile index e70b16b..6354054 100644 --- a/gemfiles/activerecord_5_1.gemfile +++ b/gemfiles/activerecord_5_1.gemfile @@ -2,7 +2,7 @@ source "https://rubygems.org" -gem "activerecord", "~> 5.1" -gem "activesupport", "~> 5.1" +gem "activerecord", "~> 5.1.0" +gem "activesupport", "~> 5.1.0" gemspec :path => "../" diff --git a/lib/crypt_keeper.rb b/lib/crypt_keeper.rb index 7306f66..5d4da35 100644 --- a/lib/crypt_keeper.rb +++ b/lib/crypt_keeper.rb @@ -4,7 +4,7 @@ require 'crypt_keeper/model' require 'crypt_keeper/helper' require 'crypt_keeper/provider/base' -require 'crypt_keeper/provider/aes_new' +require 'crypt_keeper/provider/active_support' require 'crypt_keeper/provider/mysql_aes_new' require 'crypt_keeper/provider/postgres_base' require 'crypt_keeper/provider/postgres_pgp' diff --git a/lib/crypt_keeper/helper.rb b/lib/crypt_keeper/helper.rb index 8085b6a..0188242 100644 --- a/lib/crypt_keeper/helper.rb +++ b/lib/crypt_keeper/helper.rb @@ -40,6 +40,7 @@ def execute_sql(query, new_transaction: false) module DigestPassphrase def digest_passphrase(key, salt) + require "armor" raise ArgumentError.new("Missing :key") if key.blank? raise ArgumentError.new("Missing :salt") if salt.blank? ::Armor.digest(key, salt) diff --git a/lib/crypt_keeper/model.rb b/lib/crypt_keeper/model.rb index 581d945..2a1a491 100644 --- a/lib/crypt_keeper/model.rb +++ b/lib/crypt_keeper/model.rb @@ -3,7 +3,7 @@ module CryptKeeper module Model - extend ActiveSupport::Concern + extend ::ActiveSupport::Concern # Public: Ensures that each field exist and is of type text. This prevents # encrypted data from being truncated. diff --git a/lib/crypt_keeper/provider/active_support.rb b/lib/crypt_keeper/provider/active_support.rb new file mode 100644 index 0000000..ee0e4d6 --- /dev/null +++ b/lib/crypt_keeper/provider/active_support.rb @@ -0,0 +1,51 @@ +require "active_support/message_encryptor" + +module CryptKeeper + module Provider + class ActiveSupport < Base + attr_reader :encryptor + + # Public: Initializes the encryptor + # + # options - A hash, :key and :salt are required + # + # Returns nothing. + def initialize(options = {}) + key = options.fetch(:key) + salt = options.fetch(:salt) + + @encryptor = ::ActiveSupport::MessageEncryptor.new \ + ::ActiveSupport::KeyGenerator.new(key).generate_key(salt, 32) + end + + # Public: Encrypts a string + # + # value - Plaintext value + # + # Returns an encrypted string + def encrypt(value) + encryptor.encrypt_and_sign(value) + end + + # Public: Decrypts a string + # + # value - Cipher text + # + # Returns a plaintext string + def decrypt(value) + encryptor.decrypt_and_verify(value) + end + + # Public: Searches the table + # + # records - ActiveRecord::Relation + # field - Field name to match + # criteria - Value to match + # + # Returns an Enumerable + def search(records, field, criteria) + records.select { |record| record[field] == criteria } + end + end + end +end diff --git a/lib/crypt_keeper/provider/aes_new.rb b/lib/crypt_keeper/provider/aes_new.rb deleted file mode 100644 index 5b10bef..0000000 --- a/lib/crypt_keeper/provider/aes_new.rb +++ /dev/null @@ -1,53 +0,0 @@ -require 'aes' -require 'armor' - -module CryptKeeper - module Provider - class AesNew < Base - include CryptKeeper::Helper::DigestPassphrase - - # Public: The encryption key - attr_accessor :key - - # Public: Initializes the class - # - # options - A hash of options. :key and :salt are required - def initialize(options = {}) - @key = digest_passphrase(options[:key], options[:salt]) - end - - # Public: Encrypt a string - # - # Note: nil and empty strings are not encryptable with AES. - # When they are encountered, the orignal value is returned. - # Otherwise, returns the encrypted string - # - # Returns a String - def encrypt(value) - AES.encrypt(value, key) - end - - # Public: Decrypt a string - # - # Note: nil and empty strings are not encryptable with AES (and thus cannot be decrypted). - # When they are encountered, the orignal value is returned. - # Otherwise, returns the decrypted string - # - # Returns a String - def decrypt(value) - AES.decrypt(value, key) - end - - # Public: Search for a record - # - # record - An ActiveRecord collection - # field - The field to search - # criteria - A string to search with - # - # Returns an Enumerable - def search(records, field, criteria) - records.select { |record| record[field] == criteria } - end - end - end -end diff --git a/lib/crypt_keeper/provider/mysql_aes_new.rb b/lib/crypt_keeper/provider/mysql_aes_new.rb index f8e1a6b..aba3919 100644 --- a/lib/crypt_keeper/provider/mysql_aes_new.rb +++ b/lib/crypt_keeper/provider/mysql_aes_new.rb @@ -12,7 +12,7 @@ class MysqlAesNew < Base # # options - A hash, :key and :salt are required def initialize(options = {}) - ActiveSupport.run_load_hooks(:crypt_keeper_mysql_aes_log, self) + ::ActiveSupport.run_load_hooks(:crypt_keeper_mysql_aes_log, self) @key = digest_passphrase(options[:key], options[:salt]) end diff --git a/lib/crypt_keeper/provider/postgres_pgp.rb b/lib/crypt_keeper/provider/postgres_pgp.rb index a653817..e1022cf 100644 --- a/lib/crypt_keeper/provider/postgres_pgp.rb +++ b/lib/crypt_keeper/provider/postgres_pgp.rb @@ -8,7 +8,7 @@ class PostgresPgp < PostgresBase # # options - A hash, :key is required def initialize(options = {}) - ActiveSupport.run_load_hooks(:crypt_keeper_postgres_pgp_log, self) + ::ActiveSupport.run_load_hooks(:crypt_keeper_postgres_pgp_log, self) @key = options.fetch(:key) do raise ArgumentError, "Missing :key" diff --git a/lib/crypt_keeper/provider/postgres_pgp_public_key.rb b/lib/crypt_keeper/provider/postgres_pgp_public_key.rb index a2e5f6c..1224a7e 100644 --- a/lib/crypt_keeper/provider/postgres_pgp_public_key.rb +++ b/lib/crypt_keeper/provider/postgres_pgp_public_key.rb @@ -4,7 +4,7 @@ class PostgresPgpPublicKey < PostgresBase attr_accessor :key def initialize(options = {}) - ActiveSupport.run_load_hooks(:crypt_keeper_postgres_pgp_log, self) + ::ActiveSupport.run_load_hooks(:crypt_keeper_postgres_pgp_log, self) @key = options.fetch(:key) do raise ArgumentError, "Missing :key" diff --git a/spec/crypt_keeper/model_spec.rb b/spec/crypt_keeper/model_spec.rb index e3f2597..ca690f6 100644 --- a/spec/crypt_keeper/model_spec.rb +++ b/spec/crypt_keeper/model_spec.rb @@ -120,7 +120,7 @@ end context "Encodings" do - subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :aes_new, encoding: 'utf-8' } + subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :active_support, encoding: 'utf-8' } it "forces the encoding on decrypt" do record = subject.create!(storage: 'Tromsø') @@ -137,7 +137,7 @@ end context "Initial Table Encryption" do - subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :aes_new } + subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :active_support } before do subject.delete_all @@ -146,14 +146,14 @@ end it "encrypts the table" do - expect { subject.first(5).map(&:storage) }.to raise_error(OpenSSL::Cipher::CipherError) + expect { subject.first(5).map(&:storage) }.to raise_error(ActiveSupport::MessageVerifier::InvalidSignature) subject.encrypt_table! expect { subject.first(5).map(&:storage) }.not_to raise_error end end context "Table Decryption (Reverse of Initial Table Encryption)" do - subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :aes_new } + subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :active_support } let!(:storage_entries) { 5.times.map { |i| "testing#{i}" } } before do @@ -168,7 +168,7 @@ end context "Missing Attributes" do - subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :aes_new, encoding: 'utf-8' } + subject { create_encrypted_model :storage, key: 'tool', salt: 'salt', encryptor: :active_support, encoding: 'utf-8' } it "doesn't attempt decryption of missing attributes" do subject.create!(storage: 'blah') diff --git a/spec/crypt_keeper/provider/active_support_spec.rb b/spec/crypt_keeper/provider/active_support_spec.rb new file mode 100644 index 0000000..4c800ad --- /dev/null +++ b/spec/crypt_keeper/provider/active_support_spec.rb @@ -0,0 +1,37 @@ +require 'spec_helper' + +describe CryptKeeper::Provider::ActiveSupport do + subject { described_class.new(key: 'cake', salt: 'salt') } + + let :plaintext do + "string" + end + + let :encrypted do + subject.encrypt plaintext + end + + let :decrypted do + subject.decrypt encrypted + end + + describe "#encrypt" do + specify { expect(encrypted).to_not eq(plaintext) } + specify { expect(encrypted).to_not be_blank } + end + + describe "#decrypt" do + specify { expect(decrypted).to eq(plaintext) } + specify { expect(decrypted).to_not be_blank } + end + + describe "#search" do + let :records do + [{ name: 'Bob' }, { name: 'Tim' }] + end + + it "finds the matching record" do + expect(subject.search(records, :name, 'Bob')).to eql([records.first]) + end + end +end diff --git a/spec/crypt_keeper/provider/aes_new_spec.rb b/spec/crypt_keeper/provider/aes_new_spec.rb deleted file mode 100644 index 5b09bc4..0000000 --- a/spec/crypt_keeper/provider/aes_new_spec.rb +++ /dev/null @@ -1,41 +0,0 @@ -require 'spec_helper' - -describe CryptKeeper::Provider::AesNew do - subject { described_class.new(key: 'cake', salt: 'salt') } - - describe "#initialize" do - let(:digested_key) do - ::Armor.digest('cake', 'salt') - end - - specify { expect(subject.key).to eq(digested_key) } - specify { expect { described_class.new }.to raise_error(ArgumentError, "Missing :key") } - end - - describe "#encrypt" do - let(:encrypted) do - subject.encrypt 'string' - end - - specify { expect(encrypted).to_not eq('string') } - specify { expect(encrypted).to_not be_blank } - end - - describe "#decrypt" do - let(:decrypted) do - subject.decrypt "V02ebRU2wLk25AizasROVg==$kE+IpRaUNdBfYqR+WjMqvA==" - end - - specify { expect(decrypted).to eq('string') } - end - - describe "#search" do - let(:records) do - [{ name: 'Bob' }, { name: 'Tim' }] - end - - it "finds the matching record" do - expect(subject.search(records, :name, 'Bob')).to eql([records.first]) - end - end -end