Class: Hiera::Backend::Eyaml::Encryptors::Pkcs7

Inherits:
Hiera::Backend::Eyaml::Encryptor show all
Defined in:
lib/hiera/backend/eyaml/encryptors/pkcs7.rb


Methods inherited from Hiera::Backend::Eyaml::Encryptor

decode, encode, find

Class Method Details

.create_keys ⇒ Object



# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 55

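def self.create_keys

  # Generate a fresh RSA key pair and wrap the public half in a self-signed
  # X.509 certificate, which is what PKCS#7 enveloped data uses as the
  # recipient. Roughly the equivalent of:
  #   openssl req -x509 -nodes -sha256 -newkey rsa:2048 \
  #     -keyout privatekey.pem -out publickey.pem -subj '/'
  # (validity is 50 years, see not_after below).
  #
  # Output paths come from the :public_key / :private_key options; the files
  # themselves are the result, nothing useful is returned.
  #
  # @raise [StandardError] when either output path option is missing

  public_key = self.option :public_key
  private_key = self.option :private_key
  raise StandardError, "pkcs7_public_key is not defined" unless public_key
  raise StandardError, "pkcs7_private_key is not defined" unless private_key

  key = OpenSSL::PKey::RSA.new(2048)
  Utils.ensure_key_dir_exists private_key
  # The private key must never be group/world readable: write it with 0600.
  Utils.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600

  # Empty distinguished name ("/") for both subject and issuer, matching the
  # -subj '/' in the openssl equivalent above. The original computed this
  # name but never attached it to the certificate.
  name = OpenSSL::X509::Name.parse("/")
  cert = OpenSSL::X509::Certificate.new()
  cert.serial = 0
  cert.version = 2   # zero-based: 2 == X.509 v3, required for extensions
  cert.not_before = Time.now
  cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  # NOTE(review): CA:TRUE is not needed for a certificate that only acts as a
  # PKCS#7 recipient; kept as-is so existing key pairs and callers are unaffected.
  cert.extensions = [
    ef.create_extension("basicConstraints","CA:TRUE", true),
    ef.create_extension("subjectKeyIdentifier", "hash"),
  ]
  cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                         "keyid:always,issuer:always")

  # SHA-256 instead of SHA-1: SHA-1 certificate signatures are deprecated and
  # rejected by modern verifiers. The certificate format is otherwise unchanged,
  # so encrypt/decrypt keep working with certificates produced either way.
  cert.sign key, OpenSSL::Digest.new("SHA256")

  Utils.ensure_key_dir_exists public_key
  Utils.write_important_file :filename => public_key, :content => cert.to_pem
  puts "Keys created OK"

end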

.decrypt(ciphertext) ⇒ Object

Raises:

  • (StandardError)


# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 37

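def self.decrypt ciphertext

  # Decrypt a PKCS#7 enveloped blob (PEM or DER, as accepted by
  # OpenSSL::PKCS7.new) with the configured private key and certificate.
  #
  # @param ciphertext [String] the PKCS#7 structure to open; treat as untrusted,
  #   it comes from the encrypted YAML
  # @return [String] the recovered plaintext
  # @raise [StandardError] when a key path option is missing or the input is
  #   not enveloped data; OpenSSL errors propagate for unreadable/mismatched keys

  public_key = self.option :public_key
  private_key = self.option :private_key
  raise StandardError, "pkcs7_public_key is not defined" unless public_key
  raise StandardError, "pkcs7_private_key is not defined" unless private_key

  private_key_pem = File.read private_key
  private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )

  public_key_pem = File.read public_key
  public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )

  # Parse first, then refuse anything that is not an enveloped structure so a
  # malformed or wrong-type blob fails with a clear message instead of an
  # opaque error from deep inside OpenSSL's PKCS7_decrypt.
  pkcs7 = OpenSSL::PKCS7.new( ciphertext )
  unless pkcs7.type == :enveloped
    raise StandardError, "ciphertext is not PKCS7 enveloped data (type: #{pkcs7.type})"
  end

  pkcs7.decrypt(private_key_rsa, public_key_x509)

end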

.encrypt(plaintext) ⇒ Object

Raises:

  • (StandardError)


# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 24

def self.encrypt plaintext

  # Wrap plaintext in a PKCS#7 enveloped structure addressed to the configured
  # certificate: AES-256-CBC for the content, with the content key transported
  # under the certificate's RSA public key. Returns the DER encoding.
  #
  # @param plaintext [String] data to protect
  # @return [String] DER-encoded PKCS#7 enveloped data
  # @raise [StandardError] when the :public_key option is not set

  public_key = self.option :public_key
  raise StandardError, "pkcs7_public_key is not defined" unless public_key

  recipient = OpenSSL::X509::Certificate.new(File.read(public_key))
  content_cipher = OpenSSL::Cipher::AES.new(256, :CBC)

  envelope = OpenSSL::PKCS7.encrypt([recipient], plaintext, content_cipher, OpenSSL::PKCS7::BINARY)
  envelope.to_der

end