Class: Hiera::Backend::Eyaml::Encryptors::Pkcs7

Inherits:
Hiera::Backend::Eyaml::Encryptor
Defined in:
lib/hiera/backend/eyaml/encryptors/pkcs7.rb

Class Method Summary

Methods inherited from Hiera::Backend::Eyaml::Encryptor

decode, encode, find

Class Method Details

.create_keys ⇒ Object


# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 98

# Generates a fresh RSA key pair and a self-signed X.509 certificate for
# PKCS7 use, roughly what this command line produces:
#
#   openssl req -x509 -nodes -days 100000 -newkey rsa:2048 \
#     -keyout privatekey.pem -out publickey.pem -subj '/'
#
# Inputs come from the encryptor options :public_key (certificate path),
# :private_key (key path), :subject (DN string), :keysize and :digest.
# The private key is written first with mode 0600; the certificate is
# written afterwards with write_important_file's default mode.
#
# Returns whatever LoggingHelper.info returns; callers should not depend on it.
def self.create_keys

  pub_path  = self.option :public_key
  priv_path = self.option :private_key
  subj      = self.option :subject
  bits      = self.option :keysize
  hash_name = self.option :digest

  # NOTE(review): :keysize is presumably an Integer — OpenSSL::PKey::RSA.new
  # treats a String argument as PEM/DER to parse, not as a size. Confirm the
  # option type at the caller.
  rsa = OpenSSL::PKey::RSA.new(bits)
  # Private key goes to disk before the certificate is even built, so a
  # failure below cannot leave a certificate without its key.
  EncryptHelper.ensure_key_dir_exists priv_path
  EncryptHelper.write_important_file :filename => priv_path, :content => rsa.to_pem, :mode => 0600

  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.parse(subj)
  # NOTE(review): cert.issuer is never assigned, so the issuer name stays
  # empty rather than mirroring the subject as `openssl req -x509` would;
  # only consistency between encrypt and decrypt is needed here — verify
  # before relying on this certificate anywhere else.
  cert.serial = 1
  cert.version = 2                       # X.509 v3 (the field is zero-based)
  cert.not_before = Time.now
  # Integer#size is the native word width in bytes: 8 on a 64-bit build,
  # which gets a 50-year lifetime; a 32-bit build is pinned to the largest
  # 32-bit time_t instead of overflowing.
  cert.not_after = (1.size == 8) ? (Time.now + 50 * 365 * 24 * 60 * 60) : Time.at(0x7fffffff)
  cert.public_key = rsa.public_key

  factory = OpenSSL::X509::ExtensionFactory.new
  factory.subject_certificate = cert
  factory.issuer_certificate = cert
  # Ordering matters: the issuer certificate is this same cert, and
  # "keyid:always" resolves against its subjectKeyIdentifier, so that
  # extension has to be on the cert before the authorityKeyIdentifier is made.
  cert.extensions = [
    factory.create_extension("basicConstraints", "CA:TRUE", true),
    factory.create_extension("subjectKeyIdentifier", "hash"),
  ]
  cert.add_extension factory.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")

  cert.sign rsa, OpenSSL::Digest.new(hash_name)

  EncryptHelper.ensure_key_dir_exists pub_path
  EncryptHelper.write_important_file :filename => pub_path, :content => cert.to_pem
  LoggingHelper.info "Keys created OK"

end

.decrypt(ciphertext) ⇒ Object

Raises:

  • (StandardError)

# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 61

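# Decrypts a PKCS7 EnvelopedData blob produced by .encrypt.
#
# ciphertext - the PKCS7 structure as a String (OpenSSL::PKCS7.new accepts
#              DER or PEM).
#
# Key material resolution, for both keys: an env var that is named AND set
# takes precedence; otherwise the PEM is read from the configured file path.
# The env var is checked first because the file option may carry a default,
# in which case a file-first rule would never let the override apply.
#
# Returns the recovered plaintext String.
# Raises StandardError when no source is configured for either key, or when
# the configured env var is unset and no file path is available; OpenSSL
# parse/decrypt errors propagate unchanged.
def self.decrypt ciphertext

  LoggingHelper::trace 'PKCS7 decrypt'

  public_key = self.option :public_key
  private_key = self.option :private_key
  public_key_env_var = self.option :public_key_env_var
  private_key_env_var = self.option :private_key_env_var
  raise StandardError, "pkcs7_public_key is not defined" unless public_key || public_key_env_var
  raise StandardError, "pkcs7_private_key is not defined" unless private_key || private_key_env_var

  # The warnings state the precedence the code below actually applies
  # (env var wins when set); the old wording claimed the file path won.
  if public_key && public_key_env_var
    warn "both public_key and public_key_env_var specified, using public_key_env_var when set, public_key otherwise"
  end
  if private_key && private_key_env_var
    warn "both private_key and private_key_env_var specified, using private_key_env_var when set, private_key otherwise"
  end

  # NOTE(review): a PEM private key in the environment is readable by any
  # process of the same user and is inherited by children; prefer the file
  # path where the deployment allows it.
  private_key_pem =
    if private_key_env_var && ENV[private_key_env_var]
      ENV[private_key_env_var]
    else
      # Without this guard File.read(nil) surfaces as a bare TypeError.
      raise StandardError, "pkcs7_private_key_env_var '#{private_key_env_var}' is not set and pkcs7_private_key is not defined" if private_key.nil?
      File.read private_key
    end
  private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)

  public_key_pem =
    if public_key_env_var && ENV[public_key_env_var]
      ENV[public_key_env_var]
    else
      raise StandardError, "pkcs7_public_key_env_var '#{public_key_env_var}' is not set and pkcs7_public_key is not defined" if public_key.nil?
      File.read public_key
    end
  public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)

  pkcs7 = OpenSSL::PKCS7.new(ciphertext)
  # NOTE(review): this path performs no signature or MAC check — the
  # certificate only selects the matching RecipientInfo. EnvelopedData is
  # not authenticated, so a tampered or attacker-created blob is not
  # detected here; treat the decrypted value as untrusted input.
  pkcs7.decrypt(private_key_rsa, public_key_x509)

end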

.encrypt(plaintext) ⇒ Object

Raises:

  • (StandardError)

# File 'lib/hiera/backend/eyaml/encryptors/pkcs7.rb', line 38

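# Encrypts plaintext for the holder of the configured certificate's key.
#
# plaintext - the String to protect.
#
# The certificate PEM comes from the env var named by :public_key_env_var
# when that env var is set, otherwise from the :public_key file path. The
# env var is checked first because the file option may carry a default.
#
# Returns the DER-encoded PKCS7 EnvelopedData as a binary String. The
# content is encrypted with AES-256-CBC and the certificate is the sole
# recipient; OpenSSL::PKCS7::BINARY keeps the plaintext bytes as given
# instead of applying text-mode canonicalisation.
# Raises StandardError when neither a certificate path nor an env var is
# configured, or when the env var is unset and no path is available;
# OpenSSL errors propagate unchanged.
def self.encrypt plaintext

  LoggingHelper::trace 'PKCS7 encrypt'

  public_key = self.option :public_key
  public_key_env_var = self.option :public_key_env_var
  raise StandardError, "pkcs7_public_key is not defined" unless public_key || public_key_env_var

  # State the precedence the code below actually applies (env var wins
  # when set); the old wording claimed the file path won.
  if public_key && public_key_env_var
    warn "both public_key and public_key_env_var specified, using public_key_env_var when set, public_key otherwise"
  end

  public_key_pem =
    if public_key_env_var && ENV[public_key_env_var]
      ENV[public_key_env_var]
    else
      # Without this guard File.read(nil) surfaces as a bare TypeError.
      raise StandardError, "pkcs7_public_key_env_var '#{public_key_env_var}' is not set and pkcs7_public_key is not defined" if public_key.nil?
      File.read public_key
    end
  public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)

  # NOTE(review): anyone holding the (public) certificate can produce a
  # valid blob, and EnvelopedData carries no integrity tag, so possession
  # of a decryptable value says nothing about who authored it.
  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
  OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end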