Make public key opt in decrypt when openssl gem >= 2.2.0 #364

cmd-ntrf · 2024-04-29T14:51:51Z

In PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: ruby/openssl#183

The issue of hiera-eyaml requiring the public key when decrypting has been brought before in #137, but ruby-openssl was yet patched.

In PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: ruby/openssl#183 The issue of hiera-eyaml requiring the public key when decrypting has been brought before in voxpupuli#137, but ruby-openssl was yet patched.

cmd-ntrf · 2024-05-06T14:53:02Z

Superseded by #378

cmd-ntrf marked this pull request as draft April 29, 2024 15:03

cmd-ntrf force-pushed the opt_publickey branch from c3b0cee to a2c0a40 Compare April 29, 2024 16:01

cmd-ntrf marked this pull request as ready for review April 29, 2024 16:04

This was referenced Apr 29, 2024

Providing the Puppet hieradata encryption keys as a terraform variable ComputeCanada/magic_castle#260

Closed

Make public_key.pkcs7.pem a RSA public key instead of a X509 certificate #367

Closed

cmd-ntrf closed this May 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make public key opt in decrypt when openssl gem >= 2.2.0 #364

Make public key opt in decrypt when openssl gem >= 2.2.0 #364

cmd-ntrf commented Apr 29, 2024

cmd-ntrf commented May 6, 2024

Make public key opt in decrypt when openssl gem >= 2.2.0 #364

Make public key opt in decrypt when openssl gem >= 2.2.0 #364

Conversation

cmd-ntrf commented Apr 29, 2024

cmd-ntrf commented May 6, 2024