Skip to content

Commit

Permalink
Retrieve certificate serial number for data when decrypting
Browse files Browse the repository at this point in the history
  • Loading branch information
cmd-ntrf committed May 2, 2024
1 parent 123169a commit 57cdc1b
Showing 1 changed file with 3 additions and 8 deletions.
11 changes: 3 additions & 8 deletions lib/hiera/backend/eyaml/encryptors/pkcs7.rb
Original file line number Diff line number Diff line change
Expand Up @@ -26,19 +26,13 @@ class Pkcs7 < Encryptor
}

self.tag = 'PKCS7'
# The public certificate serial could be any number,
# but the tests encrypted data were signed with a certificate with the
# serial number 0. It was later changed to 1 in f9fde79,
# but tests data were not re-generated.
X509_SERIAL_NUMBER = 0

def self.encrypt(plaintext)
LoggingHelper.trace 'PKCS7 encrypt'

public_key_pem = self.load_public_key_pem()
public_key_rsa = OpenSSL::PKey::RSA.new(public_key_pem)
public_key_x509 = OpenSSL::X509::Certificate.new
public_key_x509.serial = Pkcs7::X509_SERIAL_NUMBER
public_key_x509.public_key = public_key_rsa.public_key

cipher = OpenSSL::Cipher.new('aes-256-cbc')
Expand All @@ -51,18 +45,19 @@ def self.decrypt(ciphertext)
private_key_pem = self.load_private_key_pem()
private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)

pkcs7 = OpenSSL::PKCS7.new(ciphertext)

# Since ruby-openssl 2.2.0, it is possible to call OpenSSL::PKCS7#decrypt
# with the private key only. Reference:
# https://github.com/ruby/openssl/pull/183
if Gem::Version::new(OpenSSL::VERSION) >= Gem::Version::new('2.2.0')
public_key_x509 = nil
else
public_key_x509 = OpenSSL::X509::Certificate.new
public_key_x509.serial = Pkcs7::X509_SERIAL_NUMBER
public_key_x509.serial = pkcs7.recipients[0].serial
public_key_x509.public_key = private_key_rsa.public_key
end

pkcs7 = OpenSSL::PKCS7.new(ciphertext)
pkcs7.decrypt(private_key_rsa, public_key_x509)
end

Expand Down

0 comments on commit 57cdc1b

Please sign in to comment.