Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove non-essential public certificate attributes #380

Merged
merged 1 commit into from
May 10, 2024
Merged

Remove non-essential public certificate attributes #380

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 6 additions & 25 deletions lib/hiera/backend/eyaml/encryptors/pkcs7.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,9 @@ class Pkcs7 < Encryptor
type: :string, },
public_key_env_var: { desc: 'Name of environment variable to read public key from',
type: :string, },
subject: { desc: 'Subject to use for certificate when creating keys',
type: :string,
default: '/', },
keysize: { desc: 'Key size used for encryption',
type: :integer,
default: 2048, },
digest: { desc: 'Hash function used for PKCS7',
type: :string,
default: 'SHA256', },
}

self.tag = 'PKCS7'
Expand Down Expand Up @@ -57,42 +51,29 @@ def self.decrypt(ciphertext)
end

def self.create_keys
# Try to do equivalent of:
# openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
# Do equivalent of:
# openssl req -x509 -nodes -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -batch

public_key = option :public_key
private_key = option :private_key
subject = option :subject
keysize = option :keysize
digest = option :digest

key = OpenSSL::PKey::RSA.new(keysize)
EncryptHelper.ensure_key_dir_exists private_key
EncryptHelper.write_important_file filename: private_key, content: key.to_pem, mode: 0o600

cert = OpenSSL::X509::Certificate.new
cert.subject = OpenSSL::X509::Name.parse(subject)
cert.serial = 1
cert.version = 2
# In JRuby implementation of openssl, not_before and not_after
# are required to sign cert with key and digest. Signing the
# certificate is only required for Ruby 2.7 to call cert.to_pem.
cert.not_before = Time.now
cert.not_after = if 1.size == 8 # 64bit
Time.now + (50 * 365 * 24 * 60 * 60)
else # 32bit
Time.at(0x7fffffff)
end
cert.public_key = key.public_key

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = cert
cert.extensions = [
ef.create_extension('basicConstraints', 'CA:TRUE', true),
ef.create_extension('subjectKeyIdentifier', 'hash'),
]
cert.add_extension ef.create_extension('authorityKeyIdentifier',
'keyid:always,issuer:always')

cert.sign key, OpenSSL::Digest.new(digest)
cert.sign key, OpenSSL::Digest.new('SHA256')

EncryptHelper.ensure_key_dir_exists public_key
EncryptHelper.write_important_file filename: public_key, content: cert.to_pem
Expand Down