跳过至内容 跳过至搜索

一个 256-GCM 密码。

默认情况下,它将使用随机初始化向量。 对于确定性加密,它将使用要加密的文本和密钥的 SHA-256 哈希值。

参见 Encryptor

方法
D
E
I
K
N

常量

CIPHER_TYPE = "aes-256-gcm"
 

类公共方法

iv_length()

来源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb, line 22
def iv_length
  OpenSSL::Cipher.new(CIPHER_TYPE).iv_len
end

key_length()

来源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb, line 18
def key_length
  OpenSSL::Cipher.new(CIPHER_TYPE).key_len
end

new(secret, deterministic: false)

当不提供 iv 时,它将在每次加密操作时生成一个随机 iv(默认操作,建议的操作)

来源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb, line 29
def initialize(secret, deterministic: false)
  @secret = secret
  @deterministic = deterministic
end

实例公共方法

decrypt(encrypted_message)

来源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb, line 55
def decrypt(encrypted_message)
  encrypted_data = encrypted_message.payload
  iv = encrypted_message.headers.iv
  auth_tag = encrypted_message.headers.auth_tag

  # Currently the OpenSSL bindings do not raise an error if auth_tag is
  # truncated, which would allow an attacker to easily forge it. See
  # https://github.com/ruby/openssl/issues/63
  raise ActiveRecord::Encryption::Errors::EncryptedContentIntegrity if auth_tag.nil? || auth_tag.bytes.length != 16

  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)

  cipher.decrypt
  cipher.key = @secret
  cipher.iv = iv

  cipher.auth_tag = auth_tag
  cipher.auth_data = ""

  decrypted_data = encrypted_data.empty? ? encrypted_data : cipher.update(encrypted_data)
  decrypted_data << cipher.final

  decrypted_data
rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
  raise ActiveRecord::Encryption::Errors::Decryption
end

encrypt(clear_text)

来源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb, line 34
def encrypt(clear_text)
  # This code is extracted from +ActiveSupport::MessageEncryptor+. Not using it directly because we want to control
  # the message format and only serialize things once at the +ActiveRecord::Encryption::Message+ level. Also, this
  # cipher is prepared to deal with deterministic/non deterministic encryption modes.

  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)
  cipher.encrypt
  cipher.key = @secret

  iv = generate_iv(cipher, clear_text)
  cipher.iv = iv

  encrypted_data = clear_text.empty? ? clear_text.dup : cipher.update(clear_text)
  encrypted_data << cipher.final

  ActiveRecord::Encryption::Message.new(payload: encrypted_data).tap do |message|
    message.headers.iv = iv
    message.headers.auth_tag = cipher.auth_tag
  end
end