fix(pkcs7): refactor key loading
PKCS encrypt & decrypt had duplicate key loading logic with the same
validations. Refactor to a single function to load PEM from variable or
disk.

Signed-off-by: Robin H. Johnson <[email protected]>
robbat2 committed Dec 25, 2023
1 parent a05c839 commit f77a580
Showing 1 changed file with 36 additions and 41 deletions.
77 changes: 36 additions & 41 deletions lib/hiera/backend/eyaml/encryptors/pkcs7.rb
Expand Up @@ -33,26 +33,11 @@ class Pkcs7 < Encryptor

self.tag = 'PKCS7'


def self.encrypt(plaintext)
LoggingHelper.trace 'PKCS7 encrypt'

public_key = option :public_key
public_key_env_var = option :public_key_env_var

if public_key and public_key_env_var
warn 'both public_key and public_key_env_var specified, using public_key_env_var'
end

if public_key_env_var
raise StandardError, "env #{public_key_env_var} is not set" unless ENV[public_key_env_var]
public_key_pem = ENV[public_key_env_var]
elsif public_key
raise StandardError, "file #{public_key} does not exist" unless File.exist? public_key
public_key_pem = File.read public_key
else
raise StandardError, 'pkcs7_public_key is not defined' unless public_key or public_key_env_var
end

public_key_pem = self.load_public_key_pem()
public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)

cipher = OpenSSL::Cipher.new('aes-256-cbc')
Expand All @@ -62,32 +47,10 @@ def self.encrypt(plaintext)
def self.decrypt(ciphertext)
LoggingHelper.trace 'PKCS7 decrypt'

public_key = option :public_key
private_key = option :private_key
public_key_env_var = option :public_key_env_var
private_key_env_var = option :private_key_env_var
raise StandardError, 'pkcs7_public_key is not defined' unless public_key or public_key_env_var
raise StandardError, 'pkcs7_private_key is not defined' unless private_key or private_key_env_var

if public_key and public_key_env_var
warn 'both public_key and public_key_env_var specified, using public_key_env_var'
end
if private_key and private_key_env_var
warn 'both private_key and private_key_env_var specified, using private_key_env_var'
end

private_key_pem = if private_key_env_var and ENV[private_key_env_var]
ENV[private_key_env_var]
else
File.read private_key
end
private_key_pem = self.load_private_key_pem()
private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)

public_key_pem = if public_key_env_var and ENV[public_key_env_var]
ENV[public_key_env_var]
else
File.read public_key
end
public_key_pem = self.load_public_key_pem()
public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)

pkcs7 = OpenSSL::PKCS7.new(ciphertext)
Expand Down Expand Up @@ -136,6 +99,38 @@ def self.create_keys
EncryptHelper.write_important_file filename: public_key, content: cert.to_pem
LoggingHelper.info 'Keys created OK'
end

protected

def self.load_ANY_key_pem(optname_key, optname_env_var)
opt_key = option (optname_key.to_sym)
opt_key_env_var = option (optname_env_var.to_sym)

if opt_key and opt_key_env_var
warn "both #{optname_key} and #{optname_env_var} specified, using #{optname_env_var}"
end

if opt_key_env_var
raise StandardError, "env #{opt_key_env_var} is not set" unless ENV[opt_key_env_var]
opt_key_pem = ENV[opt_key_env_var]
elsif opt_key
raise StandardError, "file #{opt_key} does not exist" unless File.exist? opt_key
opt_key_pem = File.read opt_key
else
raise StandardError, "pkcs7_#{optname_key} is not defined" unless opt_key or opt_key_env_var
end

return opt_key_pem
end

def self.load_public_key_pem
return self.load_ANY_key_pem('public_key', 'public_key_env_var')
end

def self.load_private_key_pem
return self.load_ANY_key_pem('private_key', 'private_key_env_var')
end

end
end
end
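Review bot: The bare `protected` added before `load_ANY_key_pem` has no effect on singleton methods, so the three new `def self.` helpers stay publicly callable; to actually restrict them, drop that marker and add `private_class_method :load_ANY_key_pem, :load_public_key_pem, :load_private_key_pem` after their definitions. Inside `load_ANY_key_pem` the `unless opt_key or opt_key_env_var` guard on the `else` branch is dead, since that branch is only reached when both are falsy, so `raise StandardError, "pkcs7_#{optname_key} is not defined"` can stand alone. This also tightens `decrypt`: the removed code fell back to `File.read private_key` (and `File.read public_key`) when an env var name was configured but unset, whereas the shared helper now raises "env … is not set", so the commit message's claim that both paths had the same validations appears inaccurate and the behaviour change is worth stating explicitly. The name `load_ANY_key_pem` also departs from the file's snake_case convention; `load_key_pem` would do.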