From 760fd05e7cbb34b5380f87a87290deb790ae0aaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 6 May 2024 09:36:49 -0400 Subject: [PATCH 1/3] Remove public key requirement to decrypt OpenSSL::PKCS7.decrypt validates the recipient by comparing the serial number of the recipient certificate with the one bundled with the data. It also makes sure the public keys match. Since, the serial number is bundled with the data and the public key is bundled with the private key, we can generate on the fly a certificate object that satisfies PKCS7.decrypt and return the plain text. --- README.md | 2 +- lib/hiera/backend/eyaml/encryptors/pkcs7.rb | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9b8c867..b15a715 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,7 @@ Use the -l parameter to pass in a label for the encrypted value, ### Decryption -To decrypt something, you need the public_key and the private_key. +To decrypt something, you need the private_key. To test decryption you can also use the eyaml tool if you have both keys diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb index becaafd..596963d 100644 --- a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +++ b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb @@ -51,10 +51,12 @@ def self.decrypt(ciphertext) private_key_pem = load_private_key_pem private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem) - public_key_pem = load_public_key_pem - public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem) - pkcs7 = OpenSSL::PKCS7.new(ciphertext) + + public_key_x509 = OpenSSL::X509::Certificate.new + public_key_x509.serial = pkcs7.recipients[0].serial + public_key_x509.public_key = private_key_rsa.public_key + pkcs7.decrypt(private_key_rsa, public_key_x509) end From 2f60a4a1f3c20dbf12f52deae8f59731e5db5f27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Thu, 9 May 2024 11:51:56 -0400 Subject: [PATCH 2/3] Copy recipient info issuer in x509 when decrypting In case the keys have been not been generated with hiera-eyaml, the issuer info might be different than the default one generated by Ruby. This info have to match for decrypt to run without error. --- lib/hiera/backend/eyaml/encryptors/pkcs7.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb index 596963d..eb1580d 100644 --- a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +++ b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb @@ -55,6 +55,7 @@ def self.decrypt(ciphertext) public_key_x509 = OpenSSL::X509::Certificate.new public_key_x509.serial = pkcs7.recipients[0].serial + public_key_x509.issuer = pkcs7.recipients[0].issuer public_key_x509.public_key = private_key_rsa.public_key pkcs7.decrypt(private_key_rsa, public_key_x509) From d5f0fb85766d8a74141d7bfc99c23efc7aaad296 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Fri, 10 May 2024 09:22:32 -0400 Subject: [PATCH 3/3] Update README - decryption section Only the private key is now required to decrypt. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b15a715..028e4bc 100644 --- a/README.md +++ b/README.md @@ -145,7 +145,7 @@ Use the -l parameter to pass in a label for the encrypted value, To decrypt something, you need the private_key. -To test decryption you can also use the eyaml tool if you have both keys +To test decryption you can use the eyaml tool $ eyaml decrypt -f filename # Decrypt a file $ eyaml decrypt -s 'ENC[PKCS7,.....]' # Decrypt a string