class Chef::EncryptedDataBagItem::Decryptor::Version2Decryptor

Public Instance Methods

decrypted_data()
# File lib/chef/encrypted_data_bag_item/decryptor.rb, line 171
def decrypted_data
  # Verify the MAC before the first decryption (MAC-then-decrypt): a tampered or
  # wrong-key ciphertext raises here rather than yielding garbage plaintext.
  # Once @decrypted_data is populated the cached value is reused and the MAC is not
  # re-checked on later calls.
  unless @decrypted_data
    validate_hmac!
  end
  super
end
validate_hmac!()
# File lib/chef/encrypted_data_bag_item/decryptor.rb, line 176
def validate_hmac!
  # Recompute HMAC-SHA256 over the stored ciphertext using the caller-supplied key
  # and compare it (constant-time, via candidate_hmac_matches?) against the "hmac"
  # field shipped with the item.
  #
  # Only the "encrypted_data" field is covered by the MAC here; other fields of the
  # item (e.g. the IV or version marker) are not part of the authenticated input.
  #
  # Returns true on a match; raises DecryptionFailure otherwise. A failure is most
  # often a wrong secret, but also covers a modified ciphertext or missing/garbled hmac.
  sha256 = OpenSSL::Digest.new("sha256")
  computed_hmac = OpenSSL::HMAC.digest(sha256, key, @encrypted_data["encrypted_data"])

  return true if candidate_hmac_matches?(computed_hmac)

  raise DecryptionFailure, "Error decrypting data bag value: invalid hmac. Most likely the provided key is incorrect"
end

Private Instance Methods

candidate_hmac_matches?(expected_hmac)
# File lib/chef/encrypted_data_bag_item/decryptor.rb, line 189
def candidate_hmac_matches?(expected_hmac)
  # Constant-time comparison of the freshly computed MAC (expected_hmac, raw bytes)
  # against the Base64-encoded "hmac" field stored in the item, so that a mismatch
  # does not leak how many leading bytes agreed through timing.
  #
  # Returns false when the item carries no "hmac" field at all.
  encoded_candidate = @encrypted_data["hmac"]
  return false unless encoded_candidate

  computed = expected_hmac.bytes.to_a
  stored = Base64.decode64(encoded_candidate).bytes.to_a

  # Fold the length difference and every per-byte difference into a single
  # accumulator. The loop always walks the full computed length and never exits
  # early; a stored MAC shorter than the computed one contributes 0 for the missing
  # positions (nil.to_i) and is rejected by the length term.
  mismatch = computed.size ^ stored.size
  computed.each_with_index do |byte, i|
    mismatch |= byte ^ stored[i].to_i
  end
  mismatch.zero?
end