File Coverage

blib/lib/Crypt/NamedKeys.pm

Criterion	Covered	Total	%
statement	81	82	98.7
branch	22	32	68.7
condition	8	11	72.7
subroutine	18	18	100.0
pod	6	6	100.0
total	135	149	90.6

line	stmt	bran	cond	sub	pod	time	code
1							package Crypt::NamedKeys;
2
3	2			2		93741	use Moo;
	2					24635
	2					12
4
5							=head1 NAME
6
7							Crypt::NamedKeys - A Crypt::CBC wrapper with key rotation support
8
9							=head1 SYNOPSYS
10
11							use Crypt::NamedKeys;
12							my $crypt = Crypt::NamedKeys->new(keyname => 'href');
13							my $encrypted = $crypt->encrypt_data(data => $href);
14							my $restored_href = $crypt->decrypt_data(
15							data => $encrypted->{data},
16							mac => $encrypted->{mac},
17							);
18
19							=head1 DESCRIPTION
20
21							This module provides functions to serialize data for transfer via non-protected
22							channels with encryption and data integrity protection. The module tracks key
23							number used to encrypt information so that keys can be rotated without making
24							data unreadable.
25
26							=head1 CONFIGURATION AND KEY ROTATION
27
28							The keys are stored in the keyfile, configurable as below. Keys are numbered
29							starting at 1. Numbers must never be reused. Typically key rotation will be
30							done in several steps, each with its own rollout. These steps MUST be done as
31							separate releases because otherwise keys may not be available to decrypt data,
32							and so things may not work.
33
34							=head2 keyfile location
35
36							The keyfile can be set using the keyfile($path) function. There is no default.
37
38							=head2 keyfile format
39
40							The format of the keyfile is YAML, following a basic structure of
41
42							keyname:
43							[keyhashdef]
44
45							so for example:
46
47							cryptedfeed:
48							default_keynum: 9
49							none: queith7eeTh0teejaichoodobooX9ceechee9Sai9gauChiengaeraew3aDiehei
50							1: aePh8ahBaNg1bee6ohj3er5cuzeepoophai1oogohpoixothah4AuYiongu4ahta
51							2: oht1eep8uxoo1eeshaSaemee9aem5chahqueu0Aedaa7eeXae9aeghe5umoNah6a
52							3: chigh4veifoofe0Vohphee4ohkaef9giz2iaje2ahF4ohboSh6ifaiNgohwohchi
53							4: Ahphahmisaingo5Ietheangeegi5ia1uuF9taerooShaitoh1Eophig3ohziejet
54							5: oe5wi2equee6FeiZohjah2peas6Ahquohniefeimai0beip2waxeizoo1OhthohN
55							6: eigaezee3CeuC8phae4giph6Miqu6piy3Eideipahticesheij7se9eecai9fiez
56							7: DuuGhohViGh0Sheihahr6ce4Phuin7ahpaiSa5jaiphie3eiz8oa3dohrohghuow
57							8: ahfoniemah4boemeN8seJ7hohhualeetei7aegohhai5ohwahlohnah2Ee2Ewal1
58							9: Ceixei4shelohxee1ohdoochuliebael1kae8eit0Geeth1so9fohZi0cohs8go4
59							10: boreiDe0shueNgie7shai7ooc1yaeveiKeihuox0xahp1hai8phe7aephiel2oob
60
61							In general we assume key spefications to use numeric keys within the named
62							key hash. This makes key rotation a lot easier and prevents reusing key
63							numbers.
64
65							Key names may not contain = or -.
66
67							All keys listed can be used for decryption (with the special 'none' key used if
68							no key number is specified in the cyphertex), but by default only the default
69							keynumber (default_keynum, in this case 9) is used for encrypting.
70
71							The keynumber is specified in the resulting cyphertext so we know which key
72							to use for decrypting the cyphertext even if we don't try to decrypt it. This
73							allows:
74
75							=over
76
77							=item Key checking
78
79							If you store cyphertext in your rdbms, you can check which keys are used before
80							you remove decryption support for a key.
81
82							=item Orderly key rotation
83
84							You can add a key, and later depricate it, managing the transition (and perhaps
85							even using logging to know when the old key is no longer needed).
86
87							=back
88
89							=head2 Step 1: Adding a New Key
90
91							In many cases you need to be able to add and remove keys without requiring that
92							everything gets the new keys at the same time. For example if you have multiple
93							production systems, they are likely to get updated in series, and if you expect
94							that everyone gets the keys at the same time, timing issues may occur.
95
96							For this reason, we recommend breaking up the encryption key rollout into a
97							number of steps. The first one is making sure that everyone can use the
98							new key to decrypt before anyone uses it to encrypt.
99
100							The first release is by adding a new key so that it is available for decryption.
101
102							For example, in the keyfile suppose one has:
103
104							mykey:
105							default_keynum: 1
106							none: rsdfagtiaueIUPOIUYHH
107							1: rsdfagtiaueIUPOIUYHH
108
109							We might add another line
110
111							2: IRvswqerituq-HPIOHJHGdeewrwyugfrGRSe3eyy6te
112
113							Once this file is released, the key number 2 will be available globally for
114							decryption purposes, but everything will still be encrypted using key number 1.
115
116							This means it is safe then to go onto the second step.
117
118							=head2 Step 2: Setting the new key as default
119
120							Once the new keys have been released, the next step is to change the default
121							keynumber. Data encrypted in this way will be available even to servers waiting
122							to be updated because the keys have previously been rolled out. To do this,
123							simply change the default_keynum:
124
125							mykey:
126							default_keynum: 1
127							1: rsdfagtiaueIUPOIUYHH
128							2: IRvswqerituq-HPIOHJHGdeewrwyugfrGRSe3eyy6te
129
130							becomes:
131
132							mykey:
133							default_keynum: 2
134							1: rsdfagtiaueIUPOIUYHH
135							2: IRvswqerituq-HPIOHJHGdeewrwyugfrGRSe3eyy6te
136
137							Now all new data will be encrypted using keynumber 2.
138
139							=head2 Step 3: Retiring the old key
140
141							Once the old key is no longer being used, it can be retired by deleting the
142							row.
143
144							=head2 The Special 'none' keynum
145
146							For aes keys before the key versioning was introduced, there is no keynum
147							associated with the cyphertext, so we use this key.
148
149							=cut
150
151	2			2		2466	use Carp;
	2					5
	2					167
152	2			2		1659	use Crypt::CBC;
	2					7776
	2					61
153	2			2		4676	use Digest::SHA qw(hmac_sha256_base64 sha256);
	2					6676
	2					170
154	2			2		1391	use JSON;
	2					25817
	2					12
155	2			2		1282	use MIME::Base64;
	2					1189
	2					141
156	2			2		1159	use String::Compare::ConstantTime;
	2					964
	2					100
157	2			2		1930	use Try::Tiny;
	2					3038
	2					171
158	2			2		1169	use YAML::XS;
	2					6017
	2					2533
159
160
161							our $VERSION = '1.1.1';
162
163							=head1 CONFIGURATION PARAMETERS
164
165							=head2 $Crypt::NamedKeys::Escape_Eq;
166
167							Set to true, using local or not, if you want to encode with - instead of =
168
169							Note that on decryption both are handled.
170
171							=cut
172
173							our $Escape_Eq = 0;
174
175							=head1 PROPERTIES
176
177							=head2 keynum
178
179							Defaults to the default keynumber specified in the keyfile (for encryption)
180
181							=cut
182
183							has keynum => (
184							is => 'ro',
185							lazy => 1,
186							builder => '_default_keynum',
187							);
188
189							=head2 keyname
190
191							The name of the key in the keyfile.
192
193							=cut
194
195							has keyname => (
196							is => 'ro',
197							required => 1,
198							);
199
200							my $keyfile;
201
202							=head1 METHODS AND FUNCTIONS
203
204							=cut
205							=head2 Crypt::NamedKeys->keyfile($path)
206
207							Can also be called as Crypt::NamedKeys::keyfile($path)
208
209							Sets the path of the keyfile. It does not load or reload it (that is done on
210							demand or by reload_keyfile() below
211
212							=cut
213
214							sub keyfile {
215	1			1	1	2270	my $file = shift;
216	1	50				4	$file = shift if $file eq __PACKAGE__;
217	1	50				4	return $keyfile unless $file;
218	1					3	$keyfile = $file;
219							}
220
221							my $keyhash;
222
223							my $get_keyhash = sub {
224							return $keyhash if $keyhash;
225							reload_keyhash();
226							return $keyhash;
227							};
228
229							=head2 reload_keyhash
230
231							Can be called as an object method or function (i.e.
232							Crypt::NamedKeys::reload_keyhash()
233
234							Loads or reloads the keyfile. Can be used via event handlers to reload
235							confguration as needed
236
237							=cut
238
239							sub reload_keyhash {
240	1	50		1	1	3	croak 'No keyfile defined (use keyfile() to set)' unless $keyfile;
241	1					5	$keyhash = YAML::XS::LoadFile($keyfile);
242	1					175	return scalar keys %$keyhash;
243							}
244
245							my $get_secret = sub {
246							my %args = @_;
247							croak 'No key name specified' unless $args{keyname};
248							croak 'No key number specified' unless $args{keynum};
249							my $keytab = &$get_keyhash()->{$args{keyname}};
250							return $keytab->{$args{keynum}};
251							};
252
253							sub _default_keynum {
254	2			2		356	my $self = shift;
255	2					7	my $keytab = &$get_keyhash()->{$self->keyname};
256	2	50				8	warn 'No default key found for ' . $self->keyname
257							unless $keytab->{default_keynum};
258	2					11	return $keytab->{default_keynum};
259							}
260
261							my $mac_secret = sub {
262							my %args = @_;
263							return sha256(&$get_secret(@_)); ## nocritic
264							};
265
266							=head2 $self->encrypt_data(data => $data)
267
268							Serialize I<$data> to JSON, encrypt it, and encode as base64. Also compute HMAC
269							code for the encrypted data. Returns hash reference with 'data' and 'mac'
270							elements.
271
272							Args include
273
274							=over
275
276							=item data
277
278							Data structure reference to be encrypted
279
280							=item cypher
281
282							Cypher to use (default: Rijndael)
283
284							=back
285
286							=cut
287
288							sub encrypt_data {
289	6			6	1	3587	my ($self, %args) = @_;
290	6	100	100			77	croak "data argument is required and must be a reference" unless $args{data} and ref $args{data};
291	4					53	my $json_data = encode_json($args{data});
292	3		50			16	my $cypher = $args{cypher} \|\| 'Rijndael';
293							# Crypt::CBC generates random 8 bytes salt that it uses to
294							# derive IV and encryption key from $args{secret}. It uses
295							# the same algorythm as OpenSSL, the output is identical to
296							# openssl enc -e -aes-256-cbc -k $args{secret} -salt
297	3					62	my $cbc = Crypt::CBC->new(
298							-key => &$get_secret(
299							keyname => $self->keyname,
300							keynum => $self->keynum,
301							),
302							-cipher => $cypher,
303							-salt => 1,
304							);
305	3					1554	my $data = encode_base64($cbc->encrypt($json_data), '');
306	3					3086	my $mac = hmac_sha256_base64(
307							$data,
308							&$mac_secret(
309							keyname => $self->keyname,
310							keynum => $self->keynum
311							));
312	3	50				10	$data =~ s/=/-/g if $Escape_Eq;
313	3	50				9	$mac =~ s/=/-/g if $Escape_Eq;
314							return {
315	3					54	data => $self->keynum . '*' . $data,
316							mac => $mac,
317							};
318							}
319
320							=head2 $self->decrypt_data(data => $data, mac => $mac)
321
322							Decrypt data encrypted using I. First checks HMAC code for data.
323							If data was not tampered, decrypts it and decodes from JSON. Returns data, or
324							undef if decryption failed.
325
326							=cut
327
328							sub decrypt_data {
329	12			12	1	8033	my ($self, %args) = @_;
330	12	100	100			80	croak "method requires data and mac arguments" unless $args{data} and $args{mac};
331							# if the data was tampered do not try to decrypt it
332
333	9					19	$args{data} =~ s/-/=/g;
334	9					10	$args{mac} =~ s/-/=/g;
335	9					33	my ($keynum, $cyphertext) = split /\*/, $args{data}, 2;
336
337	9	100				17	if (!$cyphertext) {
338	1					2	$cyphertext = $keynum;
339	1					3	$keynum = 'none';
340							}
341	9					28	my $secret = &$get_secret(
342							keynum => $keynum,
343							keyname => $self->keyname
344							);
345	9	50	33			33	return unless ($cyphertext and $secret);
346	9					20	my $msg_mac = hmac_sha256_base64(
347							$cyphertext,
348							&$mac_secret(
349							keynum => $keynum,
350							keyname => $self->keyname,
351							));
352	9	100				42	return unless String::Compare::ConstantTime::equals($msg_mac, $args{mac});
353
354	4					14	my $cbc = Crypt::CBC->new(
355							-key => &$get_secret(
356							keynum => $keynum,
357							keyname => $self->keyname
358							),
359							-cipher => 'Rijndael',
360							-salt => 1,
361							);
362	4					436	my $decrypted = $cbc->decrypt(decode_base64($cyphertext));
363	4	50				721	warn "Unable to decrypt $args{data} with keynum $keynum and keyname " . $self->keyname unless defined $decrypted;
364	4					39	my $data = decode_json($decrypted);
365	4					33	return $data;
366							}
367
368							=head2 $self->encrypt_payload(data => $data)
369
370							Encrypts data using I and returns result as a string including
371							both cyphertext and hmac in base-64 format. This can work on arbitrary data
372							structures, scalars, and references provided that the data can be serialized
373							as an attribute on a JSON document.
374
375							=cut
376
377							sub _to_payload {
378	2			2		4	my ($data) = @_;
379							return {
380	2					9	crypt_json_payload => $data,
381							crypt_json_version => $VERSION,
382							};
383							}
384
385							sub _from_payload {
386	4			4		6	my ($payload) = @_;
387	4	100				11	return unless defined $payload;
388	2	50				14	return $payload->{crypt_json_payload} if exists $payload->{crypt_json_payload};
389	0					0	return $payload;
390							}
391
392							sub encrypt_payload {
393	2			2	1	2927	my ($self, %args) = @_;
394	2					7	$args{data} = _to_payload($args{data});
395	2					8	my $enc = $self->encrypt_data(%args);
396	2					27	my $res = $enc->{data};
397	2					7	$res .= '.' . $enc->{mac};
398	2					8	return $res;
399							}
400
401							=head2 $self->decrypt_payload(value => $value)
402
403							Accepts payload encrypted with I, checks HMAC and decrypts
404							the value. Returns decripted value or undef if check or decryption has failed.
405
406							=cut
407
408							sub decrypt_payload {
409	5			5	1	3240	my ($self, %args) = @_;
410	5	50				14	return unless $args{value}; # nothing to decrypt
411	5	100				32	$args{value} =~ /^([A-Za-z0-9+\/]+[=-])\.([A-Za-z0-9+\/-=]+)$/ or return;
412	4					12	my ($data, $mac) = ($1, $2);
413	4					10	return _from_payload(
414							$self->decrypt_data(
415							data => $data,
416							mac => $mac,
417							));
418							}
419
420							1;