@@ -16,37 +16,41 @@ def initialize(cek = nil, iv = nil)
1616 def encrypt ( cleartext , authenticated_data )
1717 raise JWE ::BadCEK . new ( "The supplied key is invalid. Required length: #{ key_length } " ) if cek . length != key_length
1818
19- cipher . encrypt
20- cipher . key = enc_key
21- cipher . iv = iv
19+ ciphertext = cipher_round ( :encrypt , iv , cleartext )
2220
23- ciphertext = cipher . update ( cleartext ) + cipher . final
24- length = [ authenticated_data . length * 8 ] . pack ( 'Q>' ) # 64bit big endian
25-
26- to_sign = authenticated_data + iv + ciphertext + length
27- signature = OpenSSL ::HMAC . digest ( OpenSSL ::Digest . new ( hash_name ) , mac_key , to_sign )
28- self . tag = signature [ 0 ...mac_key . length ]
21+ signature = generate_tag ( authenticated_data , iv , ciphertext )
22+ self . tag = signature
2923
3024 ciphertext
3125 end
3226
3327 def decrypt ( ciphertext , authenticated_data )
34- raise JWE ::BadCEK . new ( "The supplied key is invalid. Required length: #{ key_length } " ) if cek . length != key_length
28+ raise JWE ::BadCEK , "The supplied key is invalid. Required length: #{ key_length } " if cek . length != key_length
3529
36- length = [ authenticated_data . length * 8 ] . pack ( 'Q>' ) # 64bit big endian
37- to_sign = authenticated_data + iv + ciphertext + length
38- signature = OpenSSL ::HMAC . digest ( OpenSSL ::Digest . new ( hash_name ) , mac_key , to_sign )
39- if signature [ 0 ...mac_key . length ] != tag
40- raise JWE ::InvalidData . new ( 'Authentication tag verification failed' )
30+ signature = generate_tag ( authenticated_data , iv , ciphertext )
31+ if signature != tag
32+ raise JWE ::InvalidData , 'Authentication tag verification failed'
4133 end
4234
43- cipher . decrypt
35+ cipher_round ( :decrypt , iv , ciphertext )
36+ rescue OpenSSL ::Cipher ::CipherError
37+ raise JWE ::InvalidData , 'Invalid ciphertext or authentication tag'
38+ end
39+
40+ def cipher_round ( direction , iv , data )
41+ cipher . send ( direction )
4442 cipher . key = enc_key
4543 cipher . iv = iv
4644
47- cipher . update ( ciphertext ) + cipher . final
48- rescue OpenSSL ::Cipher ::CipherError
49- raise JWE ::InvalidData . new ( 'Invalid ciphertext or authentication tag' )
45+ cipher . update ( data ) + cipher . final
46+ end
47+
48+ def generate_tag ( authenticated_data , iv , ciphertext )
49+ length = [ authenticated_data . length * 8 ] . pack ( 'Q>' ) # 64bit big endian
50+ to_sign = authenticated_data + iv + ciphertext + length
51+ signature = OpenSSL ::HMAC . digest ( OpenSSL ::Digest . new ( hash_name ) , mac_key , to_sign )
52+
53+ signature [ 0 ...mac_key . length ]
5054 end
5155
5256 def iv
0 commit comments