From c3b0ceef4c5e8044ef2f7bbdc4f769bf88717560 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Mon, 29 Apr 2024 10:38:52 -0400
Subject: [PATCH] Make public key opt in decrypt when openssl gem >= 2.2.0
In PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: https://github.com/ruby/openssl/pull/183 The issue of hiera-eyaml requiring the public key when decrypting has been brought before in #137, but ruby-openssl was yet patched.
---
 lib/hiera/backend/eyaml/encryptors/pkcs7.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
index 9e4f65d..a577a23 100644
--- a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
+++ b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
@@ -50,8 +50,15 @@ def self.decrypt(ciphertext)
 private_key_pem = self.load_private_key_pem()
 private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)
- public_key_pem = self.load_public_key_pem()
- public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
+ # Since ruby-openssl 2.2.0, it is possible to call OpenSSL::PKCS7#decrypt
+ # with the private key only. Reference:
+ # https://github.com/ruby/openssl/pull/183
+ if Gem.loaded_specs['openssl'].version >= Gem::Version::new('2.2.0')
+ public_key_x509 = nil
+ else
+ public_key_pem = self.load_public_key_pem()
+ public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
+ end
 pkcs7 = OpenSSL::PKCS7.new(ciphertext)
 pkcs7.decrypt(private_key_rsa, public_key_x509)
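Review bot: The version check on the added `if` line dereferences `Gem.loaded_specs['openssl']` without a nil guard; when openssl is loaded as a default gem rather than activated through a Gemfile, that entry can be absent and the whole decrypt path fails with a NoMethodError instead of falling back to the certificate branch. The library publishes its own version constant, so `if Gem::Version.new(OpenSSL::VERSION) >= Gem::Version.new('2.2.0')` is both safer and avoids the unidiomatic `Gem::Version::new` call. It would also help to state in the comment that with a `nil` certificate OpenSSL selects the recipient by trying the private key against each recipient info, so a key that matches no recipient now surfaces as a decrypt error from OpenSSL rather than from the certificate load; confirm the resulting error message still reaches callers as before. The enclosing `self.decrypt` begins before this hunk.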