Class: OpenSSL::Digest
Relationships & Source Files | |
Namespace Children | |
Classes:
| |
Exceptions:
| |
Extension / Inclusion / Inheritance Descendants | |
Subclasses:
|
|
Inherits: | Object |
Defined in: | ext/openssl/ossl_digest.c, ext/openssl/ossl_digest.c, ext/openssl/lib/openssl/digest.rb |
Overview
Digest
allows you to compute message digests (sometimes interchangeably called “hashes”) of arbitrary data that are cryptographically secure, i.e. a Digest
implements a secure one-way function.
One-way functions offer some useful properties. E.g
. given two distinct inputs the probability that both yield the same output is highly unlikely. Combined with the fact that every message digest algorithm has a fixed-length output of just a few bytes, digests are often used to create unique identifiers for arbitrary data. A common example is the creation of a unique id for binary documents that are stored in a database.
Another useful characteristic of one-way functions (and thus the name) is that given a digest there is no indication about the original data that produced it, i.e. the only way to identify the original input is to “brute-force” through every possible combination of inputs.
These characteristics make one-way functions also ideal companions for public key signature algorithms: instead of signing an entire document, first a hash of the document is produced with a considerably faster message digest algorithm and only the few bytes of its output need to be signed using the slower public key algorithm. To validate the integrity of a signed document, it suffices to re-compute the hash and verify that it is equal to that in the signature.
Among the supported message digest algorithms are:
-
SHA, SHA1, SHA224, SHA256, SHA384 and SHA512
-
MD2, MD4, MDC2 and MD5
-
RIPEMD160
-
DSS, DSS1 (Pseudo algorithms to be used for DSA signatures. DSS is equal to SHA and DSS1 is equal to SHA1)
For each of these algorithms, there is a sub-class of Digest
that can be instantiated as simply as e.g.
digest = OpenSSL::Digest::SHA1.new
Mapping between Digest class and sn/ln
The sn (short names) and ln (long names) are defined in <openssl/object.h> and <openssl/obj_mac.h>. They are textual representations of ASN.1
OBJECT IDENTIFIERs. Each supported digest algorithm has an OBJECT IDENTIFIER associated to it and those again have short/long names assigned to them. E.g
. the OBJECT IDENTIFIER for SHA-1 is 1.3.14.3.2.26 and its sn is “SHA1” and its ln is “sha1”.
MD2
-
sn: MD2
-
ln: md2
MD4
-
sn: MD4
-
ln: md4
MD5
-
sn: MD5
-
ln: md5
SHA
-
sn: SHA
-
ln: SHA
SHA-1
-
sn: SHA1
-
ln: sha1
SHA-224
-
sn: SHA224
-
ln: sha224
SHA-256
-
sn: SHA256
-
ln: sha256
SHA-384
-
sn: SHA384
-
ln: sha384
SHA-512
-
sn: SHA512
-
ln: sha512
“Breaking” a message digest algorithm means defying its one-way function characteristics, i.e. producing a collision or finding a way to get to the original data by means that are more efficient than brute-forcing etc. Most of the supported digest algorithms can be considered broken in this sense, even the very popular MD5 and SHA1 algorithms. Should security be your highest concern, then you should probably rely on SHA224, SHA256, SHA384 or SHA512.
Hashing a file
data = File.read('document')
sha256 = OpenSSL::Digest::SHA256.new
digest = sha256.digest(data)
Hashing several pieces of data at once
data1 = File.read('file1')
data2 = File.read('file2')
data3 = File.read('file3')
sha256 = OpenSSL::Digest::SHA256.new
sha256 << data1
sha256 << data2
sha256 << data3
digest = sha256.digest
Reuse a Digest instance
data1 = File.read('file1')
sha256 = OpenSSL::Digest::SHA256.new
digest1 = sha256.digest(data1)
data2 = File.read('file2')
sha256.reset
digest2 = sha256.digest(data2)
Class Method Summary
-
.digest(name, data)
Return the hash value computed with name
Digest
. -
.new(string [, data]) ⇒ Digest
constructor
Creates a
Digest
instance based on string, which is either the ln (long name) or sn (short name) of a supported digest algorithm.
Instance Method Summary
-
#<<(string) ⇒ String
(also: #update)
Not every message digest can be computed in one single pass.
-
#block_length ⇒ Integer
Returns the block length of the digest algorithm, i.e. the length in bytes of an individual block.
-
#digest_length ⇒ Integer
Returns the output size of the digest, i.e. the length in bytes of the final message digest result.
- #initialize_copy(other)
-
#name ⇒ String
Returns the sn of this
Digest
algorithm. -
#reset ⇒ self
Resets the
Digest
in the sense that any #update that has been performed is abandoned and theDigest
is set to its initial state again. -
#update(string) ⇒ String
Alias for #<<.
- #finish ⇒ String private
Constructor Details
.new(string [, data]) ⇒ Digest
Creates a Digest
instance based on string, which is either the ln (long name) or sn (short name) of a supported digest algorithm.
If data (a String) is given, it is used as the initial input to the Digest
instance, i.e.
digest = OpenSSL::Digest.new('sha256', 'digestdata')
is equivalent to
digest = OpenSSL::Digest.new('sha256')
digest.update('digestdata')
# File 'ext/openssl/ossl_digest.c', line 118
static VALUE ossl_digest_initialize(int argc, VALUE *argv, VALUE self) { EVP_MD_CTX *ctx; const EVP_MD *md; VALUE type, data; rb_scan_args(argc, argv, "11", &type, &data); md = ossl_evp_get_digestbyname(type); if (!NIL_P(data)) StringValue(data); TypedData_Get_Struct(self, EVP_MD_CTX, &ossl_digest_type, ctx); if (!ctx) { RTYPEDDATA_DATA(self) = ctx = EVP_MD_CTX_new(); if (!ctx) ossl_raise(eDigestError, "EVP_MD_CTX_new"); } if (!EVP_DigestInit_ex(ctx, md, NULL)) ossl_raise(eDigestError, "Digest initialization failed"); if (!NIL_P(data)) return ossl_digest_update(self, data); return self; }
Class Method Details
.digest(name, data)
Instance Method Details
#<<(string) ⇒ String
Also known as: #update
Not every message digest can be computed in one single pass. If a message digest is to be computed from several subsequent sources, then each may be passed individually to the Digest
instance.
Example
digest = OpenSSL::Digest::SHA256.new
digest.update('First input')
digest << 'Second input' # equivalent to digest.update('Second input')
result = digest.digest
# File 'ext/openssl/ossl_digest.c', line 201
VALUE ossl_digest_update(VALUE self, VALUE data) { EVP_MD_CTX *ctx; StringValue(data); GetDigest(self, ctx); if (!EVP_DigestUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data))) ossl_raise(eDigestError, "EVP_DigestUpdate"); return self; }
#block_length ⇒ Integer
Returns the block length of the digest algorithm, i.e. the length in bytes of an individual block. Most modern algorithms partition a message to be digested into a sequence of fix-sized blocks that are processed consecutively.
Example
digest = OpenSSL::Digest::SHA1.new
puts digest.block_length # => 64
# File 'ext/openssl/ossl_digest.c', line 300
static VALUE ossl_digest_block_length(VALUE self) { EVP_MD_CTX *ctx; GetDigest(self, ctx); return INT2NUM(EVP_MD_CTX_block_size(ctx)); }
#digest_length ⇒ Integer
# File 'ext/openssl/ossl_digest.c', line 277
static VALUE ossl_digest_size(VALUE self) { EVP_MD_CTX *ctx; GetDigest(self, ctx); return INT2NUM(EVP_MD_CTX_size(ctx)); }
#finish ⇒ String
(private)
# File 'ext/openssl/ossl_digest.c', line 220
static VALUE ossl_digest_finish(int argc, VALUE *argv, VALUE self) { EVP_MD_CTX *ctx; VALUE str; int out_len; GetDigest(self, ctx); rb_scan_args(argc, argv, "01", &str); out_len = EVP_MD_CTX_size(ctx); if (NIL_P(str)) { str = rb_str_new(NULL, out_len); } else { StringValue(str); rb_str_resize(str, out_len); } if (!EVP_DigestFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), NULL)) ossl_raise(eDigestError, "EVP_DigestFinal_ex"); return str; }
#initialize_copy(other)
[ GitHub ]# File 'ext/openssl/ossl_digest.c', line 143
static VALUE ossl_digest_copy(VALUE self, VALUE other) { EVP_MD_CTX *ctx1, *ctx2; rb_check_frozen(self); if (self == other) return self; TypedData_Get_Struct(self, EVP_MD_CTX, &ossl_digest_type, ctx1); if (!ctx1) { RTYPEDDATA_DATA(self) = ctx1 = EVP_MD_CTX_new(); if (!ctx1) ossl_raise(eDigestError, "EVP_MD_CTX_new"); } GetDigest(other, ctx2); if (!EVP_MD_CTX_copy(ctx1, ctx2)) { ossl_raise(eDigestError, NULL); } return self; }
#name ⇒ String
# File 'ext/openssl/ossl_digest.c', line 255
static VALUE ossl_digest_name(VALUE self) { EVP_MD_CTX *ctx; GetDigest(self, ctx); return rb_str_new2(EVP_MD_name(EVP_MD_CTX_md(ctx))); }
#reset ⇒ self
Resets the Digest
in the sense that any #update that has been performed is abandoned and the Digest
is set to its initial state again.
# File 'ext/openssl/ossl_digest.c', line 173
static VALUE ossl_digest_reset(VALUE self) { EVP_MD_CTX *ctx; GetDigest(self, ctx); if (EVP_DigestInit_ex(ctx, EVP_MD_CTX_md(ctx), NULL) != 1) { ossl_raise(eDigestError, "Digest initialization failed."); } return self; }
#<<(string) ⇒ String
#update(string) ⇒ String
String
#update(string) ⇒ String
Alias for #<<.