author | danielsdeleo <dan@opscode.com> | 2012-11-16 12:15:35 -0800 |
---|---|---|
committer | danielsdeleo <dan@opscode.com> | 2012-11-16 13:03:51 -0800 |
commit | 5e8fc1f50e692688b1301f5e5ed4f0241e6e8a55 (patch) | |
tree | 919ed148a39c768ab89e7d62656d269d78b4724f /lib/chef/encrypted_data_bag_item.rb | |
parent | 6e77b0a2552f989b24b6c986e3aaaa2b6d55fe60 (diff) | |
[CHEF-3616] add cipher field to edbi metadata
Adds "cipher" to the metadata fields for encrypted data bag items. This
enables user-configurable ciphers in the future. Cipher is still
hard-coded to aes-256-cbc for now.
Diffstat (limited to 'lib/chef/encrypted_data_bag_item.rb')
-rw-r--r-- | lib/chef/encrypted_data_bag_item.rb | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/chef/encrypted_data_bag_item.rb b/lib/chef/encrypted_data_bag_item.rb index 8d6ae7a023..79e6019bdc 100644 --- a/lib/chef/encrypted_data_bag_item.rb +++ b/lib/chef/encrypted_data_bag_item.rb @@ -57,6 +57,9 @@ class Chef::EncryptedDataBagItem class DecryptionFailure < StandardError end + class UnsupportedCipher < StandardError + end + # Implementation class for converting plaintext data bag item values to an # encrypted value, including any necessary wrappers and metadata. class Encryptor @@ -85,7 +88,8 @@ class Chef::EncryptedDataBagItem { "encrypted_data" => encrypted_data, "iv" => Base64.encode64(iv), - "version" => 1 + "version" => 1, + "cipher" => ALGORITHM } end @@ -194,6 +198,7 @@ class Chef::EncryptedDataBagItem def openssl_decryptor @openssl_decryptor ||= begin + assert_valid_cipher! d = OpenSSL::Cipher::Cipher.new(ALGORITHM) d.decrypt d.key = Digest::SHA256.digest(key) @@ -202,6 +207,16 @@ class Chef::EncryptedDataBagItem end end + def assert_valid_cipher! + # In the future, chef may support configurable ciphers. For now, only + # aes-256-cbc is supported. + requested_cipher = @encrypted_data["cipher"] + unless requested_cipher == ALGORITHM + raise UnsupportedCipher, + "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}']" + end + end + end class Version0Decryptor |
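Review bot: The new `UnsupportedCipher` class in the first hunk is introduced without any comment, while the neighbouring `DecryptionFailure` and `Encryptor` definitions carry explanatory comments; a one-line note would tell callers when to expect it. I would add above it `# Raised when an item's "cipher" metadata names a cipher this version of Chef cannot decrypt; the item is left untouched.` Since this is the exception a knife or recipe author will hit on a cipher mismatch, it is worth saying explicitly that it is distinct from DecryptionFailure (wrong key or corrupted data). The enclosing `Chef::EncryptedDataBagItem` class starts and ends outside this hunk.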
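Review bot: In the last hunk, `assert_valid_cipher!` reads `@encrypted_data["cipher"]` and raises `UnsupportedCipher` whenever it is not exactly `ALGORITHM`, so any item encrypted before this commit — which, per the description, had no "cipher" field — now fails with the misleading message `Cipher '' is not supported`; I cannot see from this page whether such items are expected to keep decrypting, but either the missing key should be tolerated or the message should name it. If compatibility is intended, change the guard to `unless requested_cipher.nil? || requested_cipher == ALGORITHM`; if a missing field is meant to be rejected, raise with a message like `"Item is missing the 'cipher' metadata field"` instead of interpolating an empty string. It is worth noting in a comment that the check is purely declarative: decryption on the next line still uses the hard-coded `ALGORITHM`, so a modified "cipher" value in the data bag cannot select a weaker cipher, and when ciphers become configurable the field must be checked against an allowlist before it is ever handed to `OpenSSL::Cipher`. The enclosing decryptor class starts outside this hunk.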