Merge pull request #378 from cmd-ntrf/new_decrypt

Remove public key requirement to decrypt
voxpupuli · May 10, 2024 · 607a47d · 607a47d
2 parents 0dce4f0 + d5f0fb8
commit 607a47d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -143,9 +143,9 @@ Use the -l parameter to pass in a label for the encrypted value,
 
 ### Decryption
 
-To decrypt something, you need the public_key and the private_key.
+To decrypt something, you need the private_key.
 
-To test decryption you can also use the eyaml tool if you have both keys
+To test decryption you can use the eyaml tool
 
     $ eyaml decrypt -f filename               # Decrypt a file
     $ eyaml decrypt -s 'ENC[PKCS7,.....]'     # Decrypt a string

diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
@@ -51,10 +51,13 @@ def self.decrypt(ciphertext)
             private_key_pem = load_private_key_pem
             private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)
 
-            public_key_pem = load_public_key_pem
-            public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
-
             pkcs7 = OpenSSL::PKCS7.new(ciphertext)
+
+            public_key_x509 = OpenSSL::X509::Certificate.new
+            public_key_x509.serial = pkcs7.recipients[0].serial
+            public_key_x509.issuer = pkcs7.recipients[0].issuer
+            public_key_x509.public_key = private_key_rsa.public_key
+
             pkcs7.decrypt(private_key_rsa, public_key_x509)
           end