Class: Hiera::Backend::Eyaml::Encryptors::Pkcs7

Inherits:
Hiera::Backend::Eyaml::Encryptor show all
Defined in:
lib/hiera/backend/eyaml/encryptors/pkcs7.rb

Class Method Summary collapse

Methods inherited from Hiera::Backend::Eyaml::Encryptor

decode, encode, find

Class Method Details

.create_keys ⇒ Object



# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 59

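# Generate a fresh PKCS#7 key pair: a 2048-bit RSA private key and a
# self-signed X.509 certificate carrying its public key, written to the
# paths given by the :private_key and :public_key options.
#
# Roughly the equivalent of:
#   openssl req -x509 -nodes -days 100000 -newkey rsa:2048 \
#     -keyout privatekey.pem -out publickey.pem -subj '/'
#
# Options read (via +option+): :public_key, :private_key, :subject.
# Side effects: creates the key directories as needed and writes both
# files; the private key file is written with mode 0600.
#
# @return [void]
def self.create_keys
  public_key  = self.option :public_key
  private_key = self.option :private_key
  subject     = self.option :subject

  key = OpenSSL::PKey::RSA.new(2048)
  EncryptHelper.ensure_key_dir_exists private_key
  # Private key material must never be group- or world-readable.
  EncryptHelper.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600

  now = Time.now
  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.parse(subject)
  # Self-signed: the issuer is the subject itself, as `openssl req -x509`
  # produces. Without this the certificate carries an empty issuer name.
  cert.issuer = cert.subject
  cert.serial = 1
  cert.version = 2 # X.509 v3, required for the extensions below
  cert.not_before = now
  cert.not_after = if 1.size == 8 # 64-bit Integer: ~50 years of validity
    now + 50 * 365 * 24 * 60 * 60
  else # 32-bit: clamp to the largest representable time_t
    Time.at(0x7fffffff)
  end
  cert.public_key = key.public_key

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.extensions = [
    ef.create_extension("basicConstraints", "CA:TRUE", true),
    ef.create_extension("subjectKeyIdentifier", "hash"),
  ]
  cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                         "keyid:always,issuer:always")

  # SHA-1 certificate signatures are deprecated and rejected at the default
  # security level of current OpenSSL builds; sign with SHA-256 instead.
  cert.sign key, OpenSSL::Digest::SHA256.new

  EncryptHelper.ensure_key_dir_exists public_key
  EncryptHelper.write_important_file :filename => public_key, :content => cert.to_pem
  LoggingHelper.info "Keys created OK"
end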

.decrypt(ciphertext) ⇒ Object

Raises:

  • (StandardError)


# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 41

# Decrypt a PKCS#7 enveloped blob produced by +encrypt+ using the
# configured private key and certificate.
#
# @param ciphertext [String] the PKCS#7 structure to open
# @return [String] the recovered plaintext
# @raise [StandardError] if the :public_key or :private_key option is unset
def self.decrypt ciphertext
  cert_path = self.option :public_key
  key_path = self.option :private_key
  raise StandardError, "pkcs7_public_key is not defined" unless cert_path
  raise StandardError, "pkcs7_private_key is not defined" unless key_path

  # Private key is loaded first, then the certificate it belongs to.
  rsa_key = OpenSSL::PKey::RSA.new(File.read(key_path))
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))

  OpenSSL::PKCS7.new(ciphertext).decrypt(rsa_key, cert)
end

.encrypt(plaintext) ⇒ Object

Raises:

  • (StandardError)


# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 28

# Encrypt +plaintext+ for the configured certificate, returning a
# DER-encoded PKCS#7 enveloped structure with AES-256-CBC content
# encryption.
#
# @param plaintext [String] the data to protect
# @return [String] DER bytes of the PKCS#7 envelope
# @raise [StandardError] if the :public_key option is unset
def self.encrypt plaintext
  cert_path = self.option :public_key
  raise StandardError, "pkcs7_public_key is not defined" unless cert_path

  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
  envelope = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  envelope.to_der
end