2012-12-13 08:47:33 -05:00
|
|
|
require 'thread_safe'
|
2012-07-03 20:37:31 -04:00
|
|
|
require 'openssl'
|
|
|
|
|
|
|
|
module ActiveSupport
|
|
|
|
# KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2
|
|
|
|
# It can be used to derive a number of keys for various purposes from a given secret.
|
|
|
|
# This lets rails applications have a single secure secret, but avoid reusing that
|
|
|
|
# key in multiple incompatible contexts.
|
|
|
|
class KeyGenerator
|
|
|
|
def initialize(secret, options = {})
|
|
|
|
@secret = secret
|
|
|
|
# The default iterations are higher than required for our key derivation uses
|
|
|
|
# on the off chance someone uses this for password storage
|
|
|
|
@iterations = options[:iterations] || 2**16
|
|
|
|
end
|
|
|
|
|
|
|
|
# Returns a derived key suitable for use. The default key_size is chosen
|
|
|
|
# to be compatible with the default settings of ActiveSupport::MessageVerifier.
|
|
|
|
# i.e. OpenSSL::Digest::SHA1#block_length
|
|
|
|
def generate_key(salt, key_size=64)
|
|
|
|
OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
|
|
|
|
end
|
|
|
|
end
|
2012-10-30 23:06:46 -04:00
|
|
|
|
2012-11-15 20:06:44 -05:00
|
|
|
# CachingKeyGenerator is a wrapper around KeyGenerator which allows users to avoid
|
|
|
|
# re-executing the key generation process when it's called using the same salt and
|
|
|
|
# key_size
|
2012-11-01 18:23:21 -04:00
|
|
|
class CachingKeyGenerator
|
|
|
|
def initialize(key_generator)
|
|
|
|
@key_generator = key_generator
|
2012-12-13 08:47:33 -05:00
|
|
|
@cache_keys = ThreadSafe::Cache.new
|
2012-11-01 18:23:21 -04:00
|
|
|
end
|
|
|
|
|
2012-11-15 20:06:44 -05:00
|
|
|
# Returns a derived key suitable for use. The default key_size is chosen
|
|
|
|
# to be compatible with the default settings of ActiveSupport::MessageVerifier.
|
|
|
|
# i.e. OpenSSL::Digest::SHA1#block_length
|
2012-11-01 18:23:21 -04:00
|
|
|
def generate_key(salt, key_size=64)
|
2012-12-13 08:47:33 -05:00
|
|
|
@cache_keys["#{salt}#{key_size}"] ||= @key_generator.generate_key(salt, key_size)
|
2012-11-01 18:23:21 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-11-15 20:01:29 -05:00
|
|
|
class DummyKeyGenerator # :nodoc:
|
2012-11-02 09:03:18 -04:00
|
|
|
SECRET_MIN_LENGTH = 30 # Characters
|
|
|
|
|
2012-10-30 23:06:46 -04:00
|
|
|
def initialize(secret)
|
2012-11-02 09:03:18 -04:00
|
|
|
ensure_secret_secure(secret)
|
2012-10-30 23:06:46 -04:00
|
|
|
@secret = secret
|
|
|
|
end
|
|
|
|
|
|
|
|
def generate_key(salt)
|
|
|
|
@secret
|
|
|
|
end
|
2012-11-02 09:03:18 -04:00
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
# To prevent users from using something insecure like "Password" we make sure that the
|
|
|
|
# secret they've provided is at least 30 characters in length.
|
|
|
|
def ensure_secret_secure(secret)
|
|
|
|
if secret.blank?
|
|
|
|
raise ArgumentError, "A secret is required to generate an " +
|
|
|
|
"integrity hash for cookie session data. Use " +
|
2012-11-02 18:27:51 -04:00
|
|
|
"config.secret_key_base = \"some secret phrase of at " +
|
2012-11-02 09:03:18 -04:00
|
|
|
"least #{SECRET_MIN_LENGTH} characters\"" +
|
|
|
|
"in config/initializers/secret_token.rb"
|
|
|
|
end
|
|
|
|
|
|
|
|
if secret.length < SECRET_MIN_LENGTH
|
|
|
|
raise ArgumentError, "Secret should be something secure, " +
|
|
|
|
"like \"#{SecureRandom.hex(16)}\". The value you " +
|
|
|
|
"provided, \"#{secret}\", is shorter than the minimum length " +
|
|
|
|
"of #{SECRET_MIN_LENGTH} characters"
|
|
|
|
end
|
|
|
|
end
|
2012-10-30 23:06:46 -04:00
|
|
|
end
|
2012-07-03 20:37:31 -04:00
|
|
|
end
|