Add ActiveSupport::KeyGenerator as a simple wrapper around PBKDF2

This will be used to derive keys from the secret and a salt, in order to allow us to do things like encrypted cookie stores without using the secret for multiple purposes directly.
2022-11-09 12:12:34 -05:00 · 2012-07-04 12:37:31 +12:00 · 2012-07-04 12:37:31 +12:00 · def2ccb8e3
commit def2ccb8e3
parent a6cfd33865
3 changed files with 56 additions and 0 deletions
--- a/activesupport/lib/active_support.rb
+++ b/activesupport/lib/active_support.rb
@ -48,6 +48,7 @@ module ActiveSupport
    autoload :Gzip
    autoload :Inflector
    autoload :JSON
+    autoload :KeyGenerator
    autoload :MessageEncryptor
    autoload :MessageVerifier
    autoload :Multibyte
--- a/activesupport/lib/active_support/key_generator.rb
+++ b/activesupport/lib/active_support/key_generator.rb
@ -0,0 +1,23 @@
+require 'openssl'
+
+module ActiveSupport
+  # KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2
+  # It can be used to derive a number of keys for various purposes from a given secret.
+  # This lets rails applications have a single secure secret, but avoid reusing that
+  # key in multiple incompatible contexts.
+  class KeyGenerator
+    def initialize(secret, options = {})
+      @secret = secret
+      # The default iterations are higher than required for our key derivation uses
+      # on the off chance someone uses this for password storage
+      @iterations = options[:iterations] || 2**16
+    end
+
+    # Returns a derived key suitable for use.  The default key_size is chosen
+    # to be compatible with the default settings of ActiveSupport::MessageVerifier.
+    # i.e. OpenSSL::Digest::SHA1#block_length
+    def generate_key(salt, key_size=64)
+      OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
+    end
+  end
+end
--- a/activesupport/test/key_generator_test.rb
+++ b/activesupport/test/key_generator_test.rb
@ -0,0 +1,32 @@
+require 'abstract_unit'
+
+begin
+  require 'openssl'
+  OpenSSL::PKCS5
+rescue LoadError, NameError
+  $stderr.puts "Skipping KeyGenerator test: broken OpenSSL install"
+else
+
+require 'active_support/time'
+require 'active_support/json'
+
+class KeyGeneratorTest < ActiveSupport::TestCase
+  def setup
+    @secret    = SecureRandom.hex(64)
+    @generator = ActiveSupport::KeyGenerator.new(@secret, :iterations=>2)
+  end
+
+  test "Generating a key of the default length" do
+    derived_key = @generator.generate_key("some_salt")
+    assert_kind_of String, derived_key
+    assert_equal OpenSSL::Digest::SHA1.new.block_length, derived_key.length, "Should have generated a key of the default size"
+  end
+
+  test "Generating a key of an alternative length" do
+    derived_key = @generator.generate_key("some_salt", 32)
+    assert_kind_of String, derived_key
+    assert_equal 32, derived_key.length, "Should have generated a key of the right size"
+  end
+end
+
+end