-
-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove public key requirement to decrypt #378
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems reasonable to me 👍
OpenSSL::PKCS7.decrypt validates the recipient by comparing the serial number of the recipient certificate with the one bundled with the data. It also makes sure the public keys match. Since, the serial number is bundled with the data and the public key is bundled with the private key, we can generate on the fly a certificate object that satisfies PKCS7.decrypt and return the plain text.
In case the keys have been not been generated with hiera-eyaml, the issuer info might be different than the default one generated by Ruby. This info have to match for decrypt to run without error.
@cmd-ntrf looks good so far, but can you take a look at the failing jruby CI job? |
Yes, I'll have a look at the failing CI job. It looks like it started happening after the rebase. |
Only the private key is now required to decrypt.
@bastelfreak: I was unable to reproduce the CI error in a separate environment, so I pushed force a change to my commit message, and now all tests are passing. So it was either cosmic rays flipping bits or a problem outside of this repo that is now fixed, but it looks like this PR is ready to merge. |
OpenSSL::PKCS7.decrypt validates the recipient by comparing the serial number of the recipient certificate with the one bundled with the data. It also makes sure the public keys match. Since, the serial number is bundled with the data and the public key is bundled with the private key, we can generate on the fly a certificate object that satisfies PKCS7.decrypt and return the plain text.