Class: Bolt::Plugin::Pkcs7
Class Method Summary
collapse
Instance Method Summary
collapse
#decode, #encode, #hooks, #secret_decrypt, #secret_encrypt, #validate_resolve_reference
Constructor Details
#initialize(config:, context:, **_opts) ⇒ Pkcs7
Returns a new instance of Pkcs7.
28
29
30
31
32
33
34
|
# File 'lib/bolt/plugin/pkcs7.rb', line 28
def initialize(config:, context:, **_opts)
self.class.validate_config(config)
require 'openssl'
@context = context
@options = config || {}
@logger = Logging.logger[self]
end
|
Class Method Details
.validate_config(config = {}) ⇒ Object
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
# File 'lib/bolt/plugin/pkcs7.rb', line 9
def self.validate_config(config = {})
known_keys = %w[private-key public-key keysize]
known_keys.each do |key|
unless key.is_a? String
raise Bolt::ValidationError, "Invalid config for pkcs7 plugin: '#{key}' is not a String"
end
end
config.keys.each do |key|
unless known_keys.include?(key)
raise Bolt::ValidationError, "Unpexpected key in pkcs7 plugin config: #{key}"
end
end
end
|
Instance Method Details
#boltdir ⇒ Object
36
37
38
|
# File 'lib/bolt/plugin/pkcs7.rb', line 36
def boltdir
@context.boltdir
end
|
#decrypt_value(ciphertext) ⇒ Object
72
73
74
75
|
# File 'lib/bolt/plugin/pkcs7.rb', line 72
def decrypt_value(ciphertext)
pkcs7 = OpenSSL::PKCS7.new(ciphertext)
pkcs7.decrypt(private_key, public_key)
end
|
#encrypt_value(plaintext) ⇒ Object
The following implementations are intended to be compatible with hiera-eyaml
67
68
69
70
|
# File 'lib/bolt/plugin/pkcs7.rb', line 67
def encrypt_value(plaintext)
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
OpenSSL::PKCS7.encrypt([public_key], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end
|
#keysize ⇒ Object
62
63
64
|
# File 'lib/bolt/plugin/pkcs7.rb', line 62
def keysize
@options['keysize'] || 2048
end
|
#name ⇒ Object
24
25
26
|
# File 'lib/bolt/plugin/pkcs7.rb', line 24
def name
'pkcs7'
end
|
#private_key ⇒ Object
47
48
49
|
# File 'lib/bolt/plugin/pkcs7.rb', line 47
def private_key
@private_key ||= OpenSSL::PKey::RSA.new(File.read(private_key_path))
end
|
#private_key_path ⇒ Object
40
41
42
43
44
45
|
# File 'lib/bolt/plugin/pkcs7.rb', line 40
def private_key_path
path = @options['private-key'] || 'keys/private_key.pkcs7.pem'
path = File.expand_path(path, boltdir)
@logger.debug("Using private-key: #{path}")
path
end
|
#public_key ⇒ Object
58
59
60
|
# File 'lib/bolt/plugin/pkcs7.rb', line 58
def public_key
@public_key ||= OpenSSL::X509::Certificate.new(File.read(public_key_path))
end
|
#public_key_path ⇒ Object
51
52
53
54
55
56
|
# File 'lib/bolt/plugin/pkcs7.rb', line 51
def public_key_path
path = @options['public-key'] || 'keys/public_key.pkcs7.pem'
path = File.expand_path(path, boltdir)
@logger.debug("Using public-key: #{path}")
path
end
|
#secret_createkeys ⇒ Object
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
# File 'lib/bolt/plugin/pkcs7.rb', line 77
def secret_createkeys
key = OpenSSL::PKey::RSA.new(keysize)
cert = OpenSSL::X509::Certificate.new
cert.subject = OpenSSL::X509::Name.parse('/')
cert.serial = 1
cert.version = 2
cert.not_before = Time.now
cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
cert.public_key = key.public_key
cert.sign(key, OpenSSL::Digest.new('SHA512'))
@logger.warn("Overwriting private-key '#{private_key_path}'") if File.exist?(private_key_path)
@logger.warn("Overwriting public-key '#{public_key_path}'") if File.exist?(public_key_path)
private_keydir = File.dirname(private_key_path)
FileUtils.mkdir_p(private_keydir) unless File.exist?(private_keydir)
FileUtils.touch(private_key_path)
File.chmod(0o600, private_key_path)
File.write(private_key_path, key.to_pem)
public_keydir = File.dirname(public_key_path)
FileUtils.mkdir_p(public_keydir) unless File.exist?(public_keydir)
File.write(public_key_path, cert.to_pem)
end
|