class Hiera::Backend::Eyaml::Encryptors::Pkcs7

Public Class Methods

create_keys() click to toggle source
# File lib/hiera/backend/eyaml/encryptors/pkcs7.rb, line 58
def self.create_keys

  # Try to do equivalent of:
  # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'

  public_key = self.option :public_key
  private_key = self.option :private_key
  subject = self.option :subject

  key = OpenSSL::PKey::RSA.new(2048)
  Utils.ensure_key_dir_exists private_key
  Utils.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600

  cert = OpenSSL::X509::Certificate.new()
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.serial = 1
  cert.version = 2
  cert.not_before = Time.now
  cert.not_after = if 1.size == 8       # 64bit
    Time.now + 50 * 365 * 24 * 60 * 60
  else                                  # 32bit
    Time.at(0x7fffffff)
  end
  cert.public_key = key.public_key

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.extensions = [
    ef.create_extension("basicConstraints","CA:TRUE", true),
    ef.create_extension("subjectKeyIdentifier", "hash"),
  ]
  cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                         "keyid:always,issuer:always")

  cert.sign key, OpenSSL::Digest::SHA1.new

  Utils.ensure_key_dir_exists public_key
  Utils.write_important_file :filename => public_key, :content => cert.to_pem
  Utils.info "Keys created OK"

end
decrypt(ciphertext) click to toggle source
# File lib/hiera/backend/eyaml/encryptors/pkcs7.rb, line 40
def self.decrypt ciphertext

  public_key = self.option :public_key
  private_key = self.option :private_key
  raise StandardError, "pkcs7_public_key is not defined" unless public_key
  raise StandardError, "pkcs7_private_key is not defined" unless private_key

  private_key_pem = File.read private_key
  private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )

  public_key_pem = File.read public_key
  public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )

  pkcs7 = OpenSSL::PKCS7.new( ciphertext )
  pkcs7.decrypt(private_key_rsa, public_key_x509)

end
encrypt(plaintext) click to toggle source
# File lib/hiera/backend/eyaml/encryptors/pkcs7.rb, line 27
def self.encrypt plaintext

  public_key = self.option :public_key
  raise StandardError, "pkcs7_public_key is not defined" unless public_key

  public_key_pem = File.read public_key 
  public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )

  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
  OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
  
end