Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove public key requirement to decrypt #378

Merged
merged 3 commits into from
May 10, 2024
Merged

Remove public key requirement to decrypt #378

merged 3 commits into from
May 10, 2024

Conversation

cmd-ntrf
Copy link
Contributor

@cmd-ntrf cmd-ntrf commented May 6, 2024

OpenSSL::PKCS7.decrypt validates the recipient by comparing the serial number of the recipient certificate with the one bundled with the data. It also makes sure the public keys match. Since, the serial number is bundled with the data and the public key is bundled with the private key, we can generate on the fly a certificate object that satisfies PKCS7.decrypt and return the plain text.

This was referenced May 6, 2024
Closed
Closed
Sharpie
Sharpie approved these changes May 7, 2024
View reviewed changes
Copy link

@Sharpie Sharpie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to me 👍

bastelfreak
bastelfreak reviewed May 10, 2024
View reviewed changes
README.md Outdated Show resolved Hide resolved
@cmd-ntrf
Remove public key requirement to decrypt
760fd05 
OpenSSL::PKCS7.decrypt validates the recipient by comparing the
serial number of the recipient certificate with the one bundled
with the data. It also makes sure the public keys match. Since,
the serial number is bundled with the data and the public key
is bundled with the private key, we can generate on the fly
a certificate object that satisfies PKCS7.decrypt and return
the plain text.
@cmd-ntrf
Copy recipient info issuer in x509 when decrypting
2f60a4a 
In case the keys have been not been generated with
hiera-eyaml, the issuer info might be different than
the default one generated by Ruby. This info have to
match for decrypt to run without error.
@bastelfreak
Copy link
Member

@cmd-ntrf looks good so far, but can you take a look at the failing jruby CI job?

@cmd-ntrf
Copy link
Contributor Author

Yes, I'll have a look at the failing CI job. It looks like it started happening after the rebase.

@cmd-ntrf
Update README - decryption section
d5f0fb8 
Only the private key is now required to decrypt.
@cmd-ntrf
Copy link
Contributor Author

@bastelfreak: I was unable to reproduce the CI error in a separate environment, so I pushed force a change to my commit message, and now all tests are passing. So it was either cosmic rays flipping bits or a problem outside of this repo that is now fixed, but it looks like this PR is ready to merge.

@bastelfreak bastelfreak merged commit 607a47d into voxpupuli:master May 10, 2024
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bastelfreak bastelfreak bastelfreak left review comments

@Sharpie Sharpie Sharpie approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cmd-ntrf @bastelfreak @Sharpie