| Server IP : 66.29.132.122 / Your IP : 52.14.172.93 Web Server : LiteSpeed System : Linux business142.web-hosting.com 4.18.0-553.lve.el8.x86_64 #1 SMP Mon May 27 15:27:34 UTC 2024 x86_64 User : admazpex ( 531) PHP Version : 7.2.34 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : OFF | Pkexec : OFF Directory : /proc/self/root/opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hiera-eyaml-3.4.0/lib/hiera/backend/eyaml/encryptors/ |
Upload File : |
require 'openssl'
require 'hiera/backend/eyaml/encryptor'
require 'hiera/backend/eyaml/encrypthelper'
require 'hiera/backend/eyaml/logginghelper'
require 'hiera/backend/eyaml/options'
class Hiera
module Backend
module Eyaml
module Encryptors
class Pkcs7 < Encryptor
self.options = {
:private_key => { :desc => "Path to private key",
:type => :string,
:default => "./keys/private_key.pkcs7.pem" },
:public_key => { :desc => "Path to public key",
:type => :string,
:default => "./keys/public_key.pkcs7.pem" },
:private_key_env_var => { :desc => "Name of environment variable to read private key from",
:type => :string },
:public_key_env_var => { :desc => "Name of environment variable to read public key from",
:type => :string },
:subject => { :desc => "Subject to use for certificate when creating keys",
:type => :string,
:default => "/" },
:keysize => { :desc => "Key size used for encryption",
:type => :integer,
:default => 2048 },
:digest => { :desc => "Hash function used for PKCS7",
:type => :string,
:default => "SHA256"},
}
self.tag = "PKCS7"
def self.encrypt plaintext
LoggingHelper::trace 'PKCS7 encrypt'
public_key = self.option :public_key
public_key_env_var = self.option :public_key_env_var
raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
if public_key and public_key_env_var
warn "both public_key and public_key_env_var specified, using public_key"
end
if public_key_env_var and ENV[public_key_env_var]
public_key_pem = ENV[public_key_env_var]
else
public_key_pem = File.read public_key
end
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end
def self.decrypt ciphertext
LoggingHelper::trace 'PKCS7 decrypt'
public_key = self.option :public_key
private_key = self.option :private_key
public_key_env_var = self.option :public_key_env_var
private_key_env_var = self.option :private_key_env_var
raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
raise StandardError, "pkcs7_private_key is not defined" unless private_key or private_key_env_var
if public_key and public_key_env_var
warn "both public_key and public_key_env_var specified, using public_key"
end
if private_key and private_key_env_var
warn "both private_key and private_key_env_var specified, using private_key"
end
if private_key_env_var and ENV[private_key_env_var]
private_key_pem = ENV[private_key_env_var]
else
private_key_pem = File.read private_key
end
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
if public_key_env_var and ENV[public_key_env_var]
public_key_pem = ENV[public_key_env_var]
else
public_key_pem = File.read public_key
end
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
pkcs7 = OpenSSL::PKCS7.new( ciphertext )
pkcs7.decrypt(private_key_rsa, public_key_x509)
end
def self.create_keys
# Try to do equivalent of:
# openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
public_key = self.option :public_key
private_key = self.option :private_key
subject = self.option :subject
keysize = self.option :keysize
digest = self.option :digest
key = OpenSSL::PKey::RSA.new(keysize)
EncryptHelper.ensure_key_dir_exists private_key
EncryptHelper.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600
cert = OpenSSL::X509::Certificate.new()
cert.subject = OpenSSL::X509::Name.parse(subject)
cert.serial = 1
cert.version = 2
cert.not_before = Time.now
cert.not_after = if 1.size == 8 # 64bit
Time.now + 50 * 365 * 24 * 60 * 60
else # 32bit
Time.at(0x7fffffff)
end
cert.public_key = key.public_key
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = cert
cert.extensions = [
ef.create_extension("basicConstraints","CA:TRUE", true),
ef.create_extension("subjectKeyIdentifier", "hash"),
]
cert.add_extension ef.create_extension("authorityKeyIdentifier",
"keyid:always,issuer:always")
cert.sign key, OpenSSL::Digest.new(digest)
EncryptHelper.ensure_key_dir_exists public_key
EncryptHelper.write_important_file :filename => public_key, :content => cert.to_pem
LoggingHelper.info "Keys created OK"
end
end
end
end
end
end