chore(encryption): rotate key with new default digest (SHA256)

This commit is contained in:
Colin Darie 2024-08-22 16:59:50 +02:00
parent 98ff68f923
commit 3ac671576b
No known key found for this signature in database
GPG key ID: 4FB865FDBCA4BCC4
2 changed files with 89 additions and 0 deletions

View file

@ -7,6 +7,10 @@ class EncryptionService
password = Rails.application.secrets.secret_key_base password = Rails.application.secrets.secret_key_base
key = ActiveSupport::KeyGenerator.new(password).generate_key(salt, len) key = ActiveSupport::KeyGenerator.new(password).generate_key(salt, len)
@encryptor = ActiveSupport::MessageEncryptor.new(key) @encryptor = ActiveSupport::MessageEncryptor.new(key)
# Remove after all encrypted attributes have been rotated.
legacy_key = ActiveSupport::KeyGenerator.new(password, hash_digest_class: OpenSSL::Digest::SHA1).generate_key(salt, len)
@encryptor.rotate legacy_key
end end
def encrypt(value) def encrypt(value)

View file

@ -41,4 +41,89 @@ describe EncryptionService do
it { expect { subject }.to raise_exception StandardError } it { expect { subject }.to raise_exception StandardError }
end end
end end
describe "key rotation" do
let(:password) { Rails.application.secrets.secret_key_base }
let(:salt) { Rails.application.secrets.encryption_service_salt }
let(:len) { ActiveSupport::MessageEncryptor.key_len }
let(:value) { "Sensitive information" }
let(:legacy_key) do
ActiveSupport::KeyGenerator.new(password, hash_digest_class: OpenSSL::Digest::SHA1)
.generate_key(salt, len)
end
let(:new_key) do
ActiveSupport::KeyGenerator.new(password)
.generate_key(salt, len)
end
let(:legacy_encryptor) { ActiveSupport::MessageEncryptor.new(legacy_key) }
let(:new_encryptor) { ActiveSupport::MessageEncryptor.new(new_key) }
describe "#decrypt" do
subject { EncryptionService.new.decrypt(encrypted_value) }
context "with a value encrypted using the legacy SHA1-based key" do
let(:encrypted_value) { legacy_encryptor.encrypt_and_sign(value) }
it "successfully decrypts the value" do
expect(subject).to eq(value)
end
end
context "with a value encrypted using the new SHA256-based key" do
let(:encrypted_value) { new_encryptor.encrypt_and_sign(value) }
it "successfully decrypts the value" do
expect(subject).to eq(value)
end
end
end
describe "transition from legacy to new encryption" do
let(:legacy_service) do
legacy_encryption_service = EncryptionService.new
legacy_encryption_service.instance_variable_set(:@encryptor, legacy_encryptor)
legacy_encryption_service
end
let(:new_service) { EncryptionService.new }
it "can decrypt values encrypted with the legacy key" do
legacy_encrypted = legacy_service.encrypt(value)
expect(new_service.decrypt(legacy_encrypted)).to eq(value)
end
it "uses the new key for new encryptions" do
new_encrypted = new_service.encrypt(value)
expect { legacy_encryptor.decrypt_and_verify(new_encrypted) }
.to raise_error(ActiveSupport::MessageEncryptor::InvalidMessage)
expect(new_encryptor.decrypt_and_verify(new_encrypted)).to eq(value)
end
end
describe "backwards compatibility" do
let(:value) { "Important data" }
let(:old_service) do # Test with a service encrypting data without rotation mechanism
Class.new do
def initialize(key)
@encryptor = ActiveSupport::MessageEncryptor.new(key)
end
def encrypt(value)
@encryptor.encrypt_and_sign(value)
end
end
end
it "can decrypt values from a hypothetical old version without rotation" do
old_key = ActiveSupport::KeyGenerator.new(password, hash_digest_class: OpenSSL::Digest::SHA1)
.generate_key(salt, len)
old_encrypted = old_service.new(old_key).encrypt(value)
expect(EncryptionService.new.decrypt(old_encrypted)).to eq(value)
end
end
end
end end