Make public key opt in decrypt when openssl gem >= 2.2.0

In PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: ruby/openssl#183 The issue of hiera-eyaml requiring the public key when decrypting has been brought before in #137, but ruby-openssl was yet patched.
voxpupuli · Apr 29, 2024 · c3b0cee · c3b0cee
1 parent c63f4af
commit c3b0cee
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
@@ -50,8 +50,15 @@ def self.decrypt(ciphertext)
             private_key_pem = self.load_private_key_pem()
             private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)
 
-            public_key_pem = self.load_public_key_pem()
-            public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
+            # Since ruby-openssl 2.2.0, it is possible to call OpenSSL::PKCS7#decrypt
+            # with the private key only. Reference:
+            # https://github.com/ruby/openssl/pull/183
+            if Gem.loaded_specs['openssl'].version >= Gem::Version::new('2.2.0')
+              public_key_x509 = nil
+            else
+              public_key_pem = self.load_public_key_pem()
+              public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
+            end
 
             pkcs7 = OpenSSL::PKCS7.new(ciphertext)
             pkcs7.decrypt(private_key_rsa, public_key_x509)