Class: Bolt::Plugin::Pkcs7
Class Method Summary
Instance Method Summary
#decode, #encode, #hooks, #secret_decrypt, #secret_encrypt, #validate_inventory_config
Constructor Details
#initialize(boltdir, options) ⇒ Pkcs7
Returns a new instance of Pkcs7.
# File 'lib/bolt/plugin/pkcs7.rb', line 28
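# Builds the plugin instance.
#
# @param boltdir [String] directory that relative key paths are resolved against
# @param options [Hash, nil] plugin configuration; nil is treated as an empty config
# @raise [Bolt::ValidationError] when the config contains unknown keys
def initialize(boltdir, options)
  # Normalise before validating. Validating the raw argument let a nil config
  # reach validate_config, which fails on nil.keys rather than either accepting
  # the empty config (as the `options || {}` default intends) or raising a
  # ValidationError.
  @options = options || {}
  self.class.validate_config(@options)
  # openssl is loaded lazily so the cost is only paid when the plugin is used.
  require 'openssl'
  @boltdir = boltdir
  @logger = Logging.logger[self]
end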
Class Method Details
.validate_config(config) ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 9
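# Checks the plugin's config hash: every key must be a String and one of
# 'private-key', 'public-key' or 'keysize'.
#
# The previous version only tested the hard-coded known_keys list for
# String-ness (always true) and never type-checked the caller's keys; the
# check now applies to the config keys, which is what the error message
# describes. Values are not type-checked here — TODO(review): consider
# validating that 'keysize' is an Integer and the paths are Strings.
#
# @param config [Hash, nil] plugin configuration; nil is accepted as empty
# @return [void]
# @raise [Bolt::ValidationError] when config is not hash-like, a key is not a
#   String, or a key is not recognised
def self.validate_config(config)
  config ||= {}
  unless config.respond_to?(:keys)
    raise Bolt::ValidationError, "Invalid config for pkcs7 plugin: expected a Hash, got #{config.class}"
  end

  known_keys = %w[private-key public-key keysize]
  config.keys.each do |key|
    unless key.is_a? String
      raise Bolt::ValidationError, "Invalid config for pkcs7 plugin: '#{key}' is not a String"
    end
    unless known_keys.include?(key)
      raise Bolt::ValidationError, "Unexpected key in pkcs7 plugin config: #{key}"
    end
  end
end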
Instance Method Details
#decrypt_value(ciphertext) ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 68
# Opens a PKCS#7 enveloped message (as produced by #encrypt_value, or by
# hiera-eyaml) with the configured private key and certificate.
#
# NOTE: EnvelopedData only provides confidentiality; nothing here verifies who
# produced the ciphertext or whether it was modified in transit.
#
# @param ciphertext [String] PKCS#7 structure, DER or PEM encoded
# @return [String] the recovered plaintext
# @raise [OpenSSL::PKCS7::PKCS7Error] when the input cannot be parsed or decrypted
def decrypt_value(ciphertext)
  OpenSSL::PKCS7.new(ciphertext).decrypt(private_key, public_key)
end
#encrypt_value(plaintext) ⇒ Object
The following implementations are intended to be compatible with hiera-eyaml
# File 'lib/bolt/plugin/pkcs7.rb', line 63
# Wraps +plaintext+ in a PKCS#7 EnvelopedData structure for the configured
# certificate, using AES-256-CBC as the content cipher (the format hiera-eyaml
# uses, so secrets can be exchanged between the two tools).
#
# NOTE: EnvelopedData gives confidentiality only — there is no integrity tag,
# so a recipient cannot detect a modified ciphertext.
#
# @param plaintext [String]
# @return [String] the DER-encoded PKCS#7 structure
def encrypt_value(plaintext)
  # Equivalent to OpenSSL::Cipher::AES.new(256, :CBC); the explicit name
  # makes the algorithm obvious when reading.
  content_cipher = OpenSSL::Cipher.new('AES-256-CBC')
  envelope = OpenSSL::PKCS7.encrypt([public_key], plaintext, content_cipher, OpenSSL::PKCS7::BINARY)
  envelope.to_der
end
#keysize ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 58
# RSA modulus length (bits) used when generating keys, taken from the
# 'keysize' option. Falls back to 2048 when the option is absent or nil.
#
# @return [Integer]
def keysize
  configured = @options['keysize']
  configured || 2048
end
#name ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 24
# Identifier under which this plugin is referenced from configuration.
#
# @return [String] always 'pkcs7'
def name
  'pkcs7'
end
#private_key ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 43
# Loads the RSA private key from #private_key_path, parsing the PEM only on
# first use and caching the result for the life of the plugin instance.
#
# @return [OpenSSL::PKey::RSA]
# @raise [Errno::ENOENT] when the key file does not exist
# @raise [OpenSSL::PKey::RSAError] when the file is not a parseable RSA key
def private_key
  @private_key ||= begin
    pem = File.read(private_key_path)
    OpenSSL::PKey::RSA.new(pem)
  end
end
#private_key_path ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 36
# Resolves where the private key lives: the 'private-key' option, defaulting
# to 'keys/private_key.pkcs7.pem', made absolute relative to the Boltdir.
# The resolved path is logged at debug level on every call.
#
# @return [String] absolute path
def private_key_path
  configured = @options['private-key'] || 'keys/private_key.pkcs7.pem'
  File.absolute_path(configured, @boltdir).tap do |resolved|
    @logger.debug("Using private-key: #{resolved}")
  end
end
#public_key ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 54
# Loads the X.509 certificate from #public_key_path on first use and caches it
# for the life of the plugin instance. Despite the name this is a certificate,
# which is what PKCS#7 encryption/decryption needs.
#
# @return [OpenSSL::X509::Certificate]
# @raise [Errno::ENOENT] when the certificate file does not exist
# @raise [OpenSSL::X509::CertificateError] when the file is not a parseable certificate
def public_key
  @public_key ||= begin
    pem = File.read(public_key_path)
    OpenSSL::X509::Certificate.new(pem)
  end
end
#public_key_path ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 47
# Resolves where the certificate lives: the 'public-key' option, defaulting
# to 'keys/public_key.pkcs7.pem', made absolute relative to the Boltdir.
# The resolved path is logged at debug level on every call.
#
# @return [String] absolute path
def public_key_path
  configured = @options['public-key'] || 'keys/public_key.pkcs7.pem'
  File.absolute_path(configured, @boltdir).tap do |resolved|
    @logger.debug("Using public-key: #{resolved}")
  end
end
#secret_createkeys ⇒ Object
# File 'lib/bolt/plugin/pkcs7.rb', line 73
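# Generates a fresh RSA key pair plus a self-signed X.509 certificate and
# writes them to #private_key_path / #public_key_path, warning first when a
# file is about to be overwritten.
#
# The private key file is opened with mode 0600 and, because open(2) leaves
# the mode of a pre-existing file alone, explicitly tightened to 0600 before
# any key material is written. The previous touch / chmod / write sequence
# created the file with the umask-derived default mode first, leaving a short
# window in which a new key file was readable by other local users.
#
# @return [void]
# @raise [Errno::EACCES, SystemCallError] when the key directories or files cannot be written
def secret_createkeys
  key = OpenSSL::PKey::RSA.new(keysize)
  cert = self_signed_certificate(key)

  # Resolve once; each call logs the path at debug level.
  private_path = private_key_path
  public_path = public_key_path

  @logger.warn("Overwriting private-key '#{private_path}'") if File.exist?(private_path)
  @logger.warn("Overwriting public-key '#{public_path}'") if File.exist?(public_path)

  # mkdir_p is a no-op for an existing directory, so no exist? guard is needed.
  FileUtils.mkdir_p(File.dirname(private_path))
  File.open(private_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.chmod(0o600) # covers a pre-existing file whose mode the open did not change
    f.write(key.to_pem)
  end

  FileUtils.mkdir_p(File.dirname(public_path))
  File.write(public_path, cert.to_pem)
end

# Builds the certificate wrapping +key+'s public half: empty subject, serial 1,
# X.509 v3 (version field 2), valid from now for 50 years, self-signed with
# SHA-512. The shape is unchanged from the original implementation so existing
# consumers of these files keep working.
#
# @param key [OpenSSL::PKey::RSA] the key to certify and sign with
# @return [OpenSSL::X509::Certificate]
private def self_signed_certificate(key)
  now = Time.now
  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.parse('/')
  cert.serial = 1
  cert.version = 2
  cert.not_before = now
  cert.not_after = now + 50 * 365 * 24 * 60 * 60
  cert.public_key = key.public_key
  cert.sign(key, OpenSSL::Digest.new('SHA512'))
  cert
end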