From ee5b9c27b987ea09c320e114e18d5d0aa7762d06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Thu, 2 May 2024 11:38:47 -0400 Subject: [PATCH] Retrieve certificate serial number for data when decrypting --- lib/hiera/backend/eyaml/encryptors/pkcs7.rb | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb index b4b780e..f9a20af 100644 --- a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +++ b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb @@ -26,11 +26,6 @@ class Pkcs7 < Encryptor } self.tag = 'PKCS7' - # The public certificate serial could be any number, - # but the tests encrypted data were signed with a certificate with the - # serial number 0. It was later changed to 1 in f9fde79, - # but tests data were not re-generated. - X509_SERIAL_NUMBER = 0 def self.encrypt(plaintext) LoggingHelper.trace 'PKCS7 encrypt' @@ -38,7 +33,6 @@ def self.encrypt(plaintext) public_key_pem = self.load_public_key_pem() public_key_rsa = OpenSSL::PKey::RSA.new(public_key_pem) public_key_x509 = OpenSSL::X509::Certificate.new - public_key_x509.serial = Pkcs7::X509_SERIAL_NUMBER public_key_x509.public_key = public_key_rsa.public_key cipher = OpenSSL::Cipher.new('aes-256-cbc') @@ -51,6 +45,8 @@ def self.decrypt(ciphertext) private_key_pem = self.load_private_key_pem() private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem) + pkcs7 = OpenSSL::PKCS7.new(ciphertext) + # Since ruby-openssl 2.2.0, it is possible to call OpenSSL::PKCS7#decrypt # with the private key only. Reference: # https://github.com/ruby/openssl/pull/183 @@ -58,11 +54,10 @@ def self.decrypt(ciphertext) public_key_x509 = nil else public_key_x509 = OpenSSL::X509::Certificate.new - public_key_x509.serial = Pkcs7::X509_SERIAL_NUMBER + public_key_x509.serial = pkcs7.recipients[0].serial public_key_x509.public_key = private_key_rsa.public_key end - pkcs7 = OpenSSL::PKCS7.new(ciphertext) pkcs7.decrypt(private_key_rsa, public_key_x509) end