Class: Hiera::Backend::Eyaml::Encryptors::Pkcs7
- Inherits:
-
Hiera::Backend::Eyaml::Encryptor
- Object
- Hiera::Backend::Eyaml::Encryptor
- Hiera::Backend::Eyaml::Encryptors::Pkcs7
- Defined in:
- lib/hiera/backend/eyaml/encryptors/pkcs7.rb
.create_keys ⇒ Object
# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 98
# Generates a fresh RSA key pair plus a self-signed X.509 certificate for it,
# writing the private key (PEM, mode 0600) to the :private_key path and the
# certificate (PEM) to the :public_key path.
#
# Roughly the equivalent of:
#   openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
#
# Options read: :public_key, :private_key, :subject, :keysize, :digest.
# @return [Object] the value of the final LoggingHelper.info call (not meaningful to callers)
def self.create_keys
  public_key_path  = option :public_key
  private_key_path = option :private_key
  subject          = option :subject
  keysize          = option :keysize
  digest           = option :digest

  rsa = OpenSSL::PKey::RSA.new(keysize)

  # The private key is persisted before any certificate work, so a failure
  # further down never leaves a certificate on disk without its key.
  EncryptHelper.ensure_key_dir_exists private_key_path
  EncryptHelper.write_important_file filename: private_key_path, content: rsa.to_pem, mode: 0600

  cert = OpenSSL::X509::Certificate.new
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.serial     = 1
  cert.version    = 2 # X.509 v3 (zero-based); required for the extensions added below
  cert.public_key = rsa.public_key
  cert.not_before = Time.now
  # Fifty years of validity on 64-bit Time; on 32-bit Time the largest
  # representable instant is used instead.
  cert.not_after  = (1.size == 8) ? Time.now + (50 * 365 * 24 * 60 * 60) : Time.at(0x7fffffff)

  factory = OpenSSL::X509::ExtensionFactory.new
  factory.subject_certificate = cert
  factory.issuer_certificate  = cert # self-signed: issuer and subject are the same certificate
  cert.extensions = [
    factory.create_extension('basicConstraints', 'CA:TRUE', true),
    factory.create_extension('subjectKeyIdentifier', 'hash')
  ]
  cert.add_extension factory.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')
  cert.sign rsa, OpenSSL::Digest.new(digest)

  EncryptHelper.ensure_key_dir_exists public_key_path
  EncryptHelper.write_important_file filename: public_key_path, content: cert.to_pem
  LoggingHelper.info 'Keys created OK'
end
.decrypt(ciphertext) ⇒ Object
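# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 61
# Decrypts PKCS#7 enveloped data produced by .encrypt.
#
# The PEM for each key comes from one of two places, checked in this order:
#   1. the environment variable named by :private_key_env_var / :public_key_env_var, when it is set;
#   2. the file named by :private_key / :public_key.
#
# @param ciphertext [String] PKCS#7 data (DER as emitted by .encrypt; OpenSSL::PKCS7.new also accepts PEM)
# @return [String] the recovered plaintext
# @raise [StandardError] when no source is configured for a key, or when the named
#   environment variable is unset and no file path was configured as a fallback
# @raise [OpenSSL::PKCS7::PKCS7Error] when the data is malformed or was not enveloped for this certificate
def self.decrypt ciphertext
  LoggingHelper.trace 'PKCS7 decrypt'

  public_key          = option :public_key
  private_key         = option :private_key
  public_key_env_var  = option :public_key_env_var
  private_key_env_var = option :private_key_env_var

  raise StandardError, 'pkcs7_public_key is not defined' unless public_key || public_key_env_var
  raise StandardError, 'pkcs7_private_key is not defined' unless private_key || private_key_env_var

  # The env var wins whenever it is set; the file path is only the fallback.
  # The warning text says so (the previous wording claimed the file was used).
  if public_key && public_key_env_var
    warn 'both public_key and public_key_env_var specified, using public_key_env_var when set'
  end
  if private_key && private_key_env_var
    warn 'both private_key and private_key_env_var specified, using private_key_env_var when set'
  end

  # Resolves the PEM text for one key. A named-but-unset env var with no file
  # path configured used to fall through to File.read(nil) and surface as an
  # unrelated TypeError; it is now reported as a configuration error.
  load_pem = lambda do |env_var, path, name|
    if env_var && ENV[env_var]
      ENV[env_var]
    elsif path
      File.read path
    else
      raise StandardError, "#{name}: environment variable #{env_var} is not set and no key file is configured"
    end
  end

  # NOTE(review): a private key carried in an environment variable is inherited
  # by every child process this one spawns; confirm that is acceptable for the deployment.
  private_key_rsa = OpenSSL::PKey::RSA.new(load_pem.call(private_key_env_var, private_key, 'pkcs7_private_key'))
  public_key_x509 = OpenSSL::X509::Certificate.new(load_pem.call(public_key_env_var, public_key, 'pkcs7_public_key'))

  OpenSSL::PKCS7.new(ciphertext).decrypt(private_key_rsa, public_key_x509)
end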
.encrypt(plaintext) ⇒ Object
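# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 38
# Encrypts +plaintext+ as PKCS#7 enveloped data for the recipient certificate.
# OpenSSL encrypts the content under a fresh AES-256-CBC key and wraps that key
# with the certificate's RSA public key, so only the matching private key can
# recover it (see .decrypt).
#
# The certificate PEM is taken from the environment variable named by
# :public_key_env_var when that variable is set, otherwise from the :public_key file.
#
# @param plaintext [String] the data to protect
# @return [String] DER-encoded PKCS#7 structure
# @raise [StandardError] when neither :public_key nor :public_key_env_var is configured,
#   or when the named environment variable is unset and no file path was configured
def self.encrypt plaintext
  LoggingHelper.trace 'PKCS7 encrypt'

  public_key         = option :public_key
  public_key_env_var = option :public_key_env_var

  raise StandardError, 'pkcs7_public_key is not defined' unless public_key || public_key_env_var

  # The env var wins whenever it is set; the file path is only the fallback.
  if public_key && public_key_env_var
    warn 'both public_key and public_key_env_var specified, using public_key_env_var when set'
  end

  public_key_pem =
    if public_key_env_var && ENV[public_key_env_var]
      ENV[public_key_env_var]
    elsif public_key
      File.read public_key
    else
      # Named env var is unset and there is no file to fall back to: report it
      # instead of letting File.read(nil) raise an unrelated TypeError.
      raise StandardError, "pkcs7_public_key: environment variable #{public_key_env_var} is not set and no key file is configured"
    end

  recipient = OpenSSL::X509::Certificate.new(public_key_pem)
  # Enveloped data with CBC provides confidentiality only; it carries no integrity check of its own.
  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
  OpenSSL::PKCS7.encrypt([recipient], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end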