Key Generator
KeyGenerator is a simple wrapper around OpenSSLβs implementation of PBKDF2. It can be used to derive a number of keys for various purposes from a given secret. This lets Rails applications have a single secure secret, but avoid reusing that key in multiple incompatible contexts.
Methods
Class Public methods
hash_digest_class()
π Source code
# File activesupport/lib/active_support/key_generator.rb, line 23
def hash_digest_class
@hash_digest_class ||= OpenSSL::Digest::SHA1
endhash_digest_class=(klass)
π Source code
# File activesupport/lib/active_support/key_generator.rb, line 15
def hash_digest_class=(klass)
if klass.kind_of?(Class) && klass < OpenSSL::Digest
@hash_digest_class = klass
else
raise ArgumentError, "#{klass} is expected to be an OpenSSL::Digest subclass"
end
endnew(secret, options = {})
π Source code
# File activesupport/lib/active_support/key_generator.rb, line 28
def initialize(secret, options = {})
@secret = secret
# The default iterations are higher than required for our key derivation uses
# on the off chance someone uses this for password storage
@iterations = options[:iterations] || 2**16
# Also allow configuration here so people can use this to build a rotation
# scheme when switching the digest class.
@hash_digest_class = options[:hash_digest_class] || self.class.hash_digest_class
endInstance Public methods
generate_key(salt, key_size = 64)
Returns a derived key suitable for use. The default key_size is chosen to be compatible with the default settings of ActiveSupport::MessageVerifier. i.e. OpenSSL::Digest::SHA1#block_length
π Source code
# File activesupport/lib/active_support/key_generator.rb, line 41
def generate_key(salt, key_size = 64)
OpenSSL::PKCS5.pbkdf2_hmac(@secret, salt, @iterations, key_size, @hash_digest_class.new)
end