Conversation
Any message can be signed now in JSON Web Signature (JWS) with JSON Web Token (JWT) Claims set as its payload. The JWT Claims set contains 'pld' - the message, 'exp' - expiration and 'for' - purpose of the message. Now, a message can be expired on time internally and it can also be given a purpose so that evildoers are not able to misuse one message in place of other. JWT Claims is not fully implemented yet as per the spec here: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4 This is just a basic implementation of JWT and JWS which could be extended in future.
Any message can now be encrypted as well as authenticated in JSON Web Encryption (JWE) with JSON Web Token (JWT) Claims set as its payload. The Authenticated Encryption with Additional Data (AEAD) modes implemented are AES-GCM ( Galois/Counter Mode) and AES-CBC (Cipher Block Chaining). The JWT implementation is as explained in MessageVerifier. Only Direct Key Encryption is implemented as of now. The implementation can be enhanced in future. Standard JWE spec: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40. Special thanks to https://github.com/gregbeech/sandal and https://github.com/nov/json-jwt for reference.
|
Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @chancancode (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
|
Hey 👋, Just a reminder that this won't make it in time for 5.0. This domain is still super complex, so I won't have time to look more into it until after 5.0 is done. Do look for places to simplify and clarify the code on your own meanwhile. Keep pushing forward! ❤️ |
| def decrypt(encrypted_message) | ||
| parts = encrypted_message.split('.') | ||
| auth_data = parts.shift | ||
| encrypted_key, iv, ciphertext, auth_tag = parts.map { |a| decode a } |
There was a problem hiding this comment.
Hi there! Looks like we've been doing similar work (#25874) 😄 you'll want to check the auth_tag length here and add a test for it.
|
Any updates on this? This looks awesome :) |
|
Won't be getting time to work on this until after 5.1 😢 — but there's always 5.2! 😄 |
|
@kaspth this would be useful to replace ActiveStorage::VerifiedKeyWithExpiration. Any chances this will make it into 5.2 ? |
|
@cristianbica That's indeed the idea. We're working on it here: #29599 @sbhatore thanks for all the work, Siddharth! |
@kaspth Lets switch to this pull request for future reference and additions. It contains both Signing and Encryption related work 😄 !!