authordanielsdeleo <dan@opscode.com>2012-11-16 12:15:35 -0800
committerdanielsdeleo <dan@opscode.com>2012-11-16 13:03:51 -0800
commit5e8fc1f50e692688b1301f5e5ed4f0241e6e8a55 (patch)
tree919ed148a39c768ab89e7d62656d269d78b4724f /lib/chef/encrypted_data_bag_item.rb
parent6e77b0a2552f989b24b6c986e3aaaa2b6d55fe60 (diff)
downloadchef-5e8fc1f50e692688b1301f5e5ed4f0241e6e8a55.tar.gz
[CHEF-3616] add cipher field to edbi metadata
Adds "cipher" to the metadata fields for encrypted data bag items. This enables user-configurable ciphers in the future. Cipher is still hard-coded to aes-256-cbc for now.
Diffstat (limited to 'lib/chef/encrypted_data_bag_item.rb')
-rw-r--r--lib/chef/encrypted_data_bag_item.rb17
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/chef/encrypted_data_bag_item.rb b/lib/chef/encrypted_data_bag_item.rb
index 8d6ae7a023..79e6019bdc 100644
--- a/lib/chef/encrypted_data_bag_item.rb
+++ b/lib/chef/encrypted_data_bag_item.rb
@@ -57,6 +57,9 @@ class Chef::EncryptedDataBagItem
class DecryptionFailure < StandardError
end
+ class UnsupportedCipher < StandardError
+ end
+
# Implementation class for converting plaintext data bag item values to an
# encrypted value, including any necessary wrappers and metadata.
class Encryptor
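Review bot: The new `UnsupportedCipher` class carries no comment saying when it is raised, unlike the neighbouring `DecryptionFailure` which at least reads as self-explanatory; since this is the exception a caller will want to rescue separately from a wrong-key failure, it deserves one line. Suggest `# Raised by the decryptor when an item's "cipher" metadata names anything other than ALGORITHM.` above the class line. The hunk sits inside `Chef::EncryptedDataBagItem`, whose header and remaining body are outside this hunk.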
@@ -85,7 +88,8 @@ class Chef::EncryptedDataBagItem
{
"encrypted_data" => encrypted_data,
"iv" => Base64.encode64(iv),
- "version" => 1
+ "version" => 1,
+ "cipher" => ALGORITHM
}
end
@@ -194,6 +198,7 @@ class Chef::EncryptedDataBagItem
def openssl_decryptor
@openssl_decryptor ||= begin
+ assert_valid_cipher!
d = OpenSSL::Cipher::Cipher.new(ALGORITHM)
d.decrypt
d.key = Digest::SHA256.digest(key)
@@ -202,6 +207,16 @@ class Chef::EncryptedDataBagItem
end
end
+ def assert_valid_cipher!
+ # In the future, chef may support configurable ciphers. For now, only
+ # aes-256-cbc is supported.
+ requested_cipher = @encrypted_data["cipher"]
+ unless requested_cipher == ALGORITHM
+ raise UnsupportedCipher,
+ "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}']"
+ end
+ end
+
end
class Version0Decryptor
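Review bot: `assert_valid_cipher!` treats a missing `"cipher"` key the same as a wrong one: `@encrypted_data["cipher"]` is `nil`, `nil == ALGORITHM` is false, and the user sees `Cipher '' is not supported by this version of Chef`, which reads as a blank cipher rather than an absent field. Any item serialized in this versioned layout before the encryptor started emitting `"cipher"` (hunk 2) will now fail to decrypt, and if such items exist the message gives no hint why; a distinct guard such as `raise UnsupportedCipher, "Encrypted data bag item has no 'cipher' field" if requested_cipher.nil?` before the `unless` makes the failure diagnosable. It is also worth a comment that `requested_cipher` is only ever compared against `ALGORITHM` and never passed to `OpenSSL::Cipher::Cipher.new` (hunk 3 still constructs the cipher from the constant), so a tampered or mistyped `cipher` value cannot select a different algorithm — that is the property this check is meant to guarantee and a future "configurable ciphers" change must preserve it. The enclosing decryptor class's header is outside this hunk, so I am inferring `@encrypted_data` is the parsed item hash from its use in `openssl_decryptor`.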