
'eyaml decrypt' requires public key #137

Closed
znorris opened this issue Feb 3, 2015 · 4 comments

Comments

@znorris

znorris commented Feb 3, 2015

Attempting to run:

eyaml decrypt --pkcs7-private-key=/home/bob/eyaml_keys/private_key.pkcs7.pem -f common.yaml

results in an inappropriate error:

[hiera-eyaml-core] No such file or directory - ./keys/public_key.pkcs7.pem

I'm considering this error to be inappropriate as I've specified the path to the private key and eyaml should no longer be looking in the default directory of ./keys.
However, if I include a path to the public key and run:

eyaml decrypt --pkcs7-private-key=/home/usereyaml_keys/private_key.pkcs7.pem --pkcs7-public-key=/home/user/eyaml_keys/public_key.pkcs7.pem -f common.yaml

The file will be decrypted. This is also an error to me as the public key should not be necessary to decrypt.

@elyscape
Contributor

elyscape commented Feb 3, 2015

This is due to the way OpenSSL is designed, unfortunately. From the documentation for PKCS7_decrypt(3):

Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the PKCS#7 structure.

It might be possible to work around this by generating a new public certificate at decryption if one isn't available, but that's adding a lot of complication (not to mention latency; generating certificates is slow) for minimal gain.

@gtmtech
Contributor

gtmtech commented Feb 3, 2015

Yes, when I implemented this, I noted that the public key and the private key are necessary to decrypt, and only the public key is necessary to encrypt. If you know otherwise, please let me know and I will investigate.

@znorris
Author

znorris commented Feb 3, 2015

elyscape, yes, I see what you mean now. Thanks for the reference. Perhaps it's not worth generating again, but I like the idea if the private key is found and the public isn't.
EDIT: I'll mark this as closed as it's not so much a bug as a conscious decision not to re-generate that public key when it's missing.

@znorris znorris closed this as completed Feb 3, 2015
@antoinedeschenes

antoinedeschenes commented Dec 19, 2017

There must be a way to work this out, I'm able to decrypt hiera-eyaml encrypted keys with the openssl cli, just by adding BEGIN PKCS7, END PKCS7 headers to the message:

openssl smime -decrypt -in ~/encrypted-data -inform pem -inkey ~/private.pkcs7.pem

cmd-ntrf added a commit to cmd-ntrf/hiera-eyaml that referenced this issue Apr 29, 2024
In PKCS7 RFC, the recipient certificate is not mandatory when decrypting.
This is also how it is implemented in OpenSSL PKCS7_decrypt(). However,
it is only since version 2.2.0 of ruby-openssl that it is possible to
call OpenSSL::PKCS7#decrypt with only the private key.

Ref: ruby/openssl#183

The issue of hiera-eyaml requiring the public key when decrypting has
been brought before in voxpupuli#137, but ruby-openssl was yet patched.
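The points made in this thread (the certificate only serves to pick the matching RecipientInfo, the PEM-armor trick that makes the bare eyaml blob readable by the openssl CLI, and the ruby-openssl 2.2.0 change that makes the certificate argument optional) can be checked with a short self-contained script. The following is an added example written for this page, not code from hiera-eyaml or ruby-openssl; it generates a throwaway RSA key and self-signed certificate in place of the keys `eyaml createkeys` would produce, and the helper names (`make_identity`, `encrypt_for`, `decrypt_any`, `pem_armor`) are this example's own. The version gate on `OpenSSL::VERSION` assumes the 2.2.0 threshold stated in the commit message above.

```ruby
require 'openssl'

# Throwaway RSA key and self-signed certificate, constructed for this example.
# hiera-eyaml's own keys come from `eyaml createkeys`; these stand in for them.
def make_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.parse('/CN=example-recipient')
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Encrypting needs only the recipient certificate (the public half).
def encrypt_for(cert, plaintext)
  OpenSSL::PKCS7.encrypt([cert], plaintext,
                         OpenSSL::Cipher.new('aes-256-cbc'), OpenSSL::PKCS7::BINARY)
end

# Decrypt with the certificate supplied. The certificate is used only to locate
# the matching RecipientInfo; this form works on every ruby-openssl release.
def decrypt_with_cert(pkcs7_blob, key, cert)
  OpenSSL::PKCS7.new(pkcs7_blob).decrypt(key, cert)
end

# ruby-openssl 2.2.0 (ruby/openssl#183) made the certificate argument optional,
# letting OpenSSL try each RecipientInfo against the private key instead.
def cert_optional?
  Gem::Version.new(OpenSSL::VERSION) >= Gem::Version.new('2.2.0')
end

# Key-only decryption; raises on ruby-openssl < 2.2.0, where #decrypt insists on a cert.
def decrypt_key_only(pkcs7_blob, key)
  OpenSSL::PKCS7.new(pkcs7_blob).decrypt(key)
end

# What an eyaml-style decryptor could do: use the cert when it is on hand, fall
# back to key-only decryption when the runtime allows it, and otherwise fail with
# a clear message instead of "No such file or directory - ./keys/public_key.pkcs7.pem".
def decrypt_any(pkcs7_blob, key, cert = nil)
  p7 = OpenSSL::PKCS7.new(pkcs7_blob)
  return p7.decrypt(key, cert) if cert
  unless cert_optional?
    raise ArgumentError,
          "public certificate required: ruby-openssl #{OpenSSL::VERSION} < 2.2.0"
  end
  p7.decrypt(key)
end

# eyaml stores the PKCS#7 structure as bare base64 inside ENC[PKCS7,...]. Wrapping
# it in PEM markers is the trick the CLI comment above describes; the result is
# what `openssl smime -decrypt -inform pem` or OpenSSL::PKCS7.new expects.
def pem_armor(base64_blob)
  body = base64_blob.delete("\n").scan(/.{1,64}/).join("\n")
  "-----BEGIN PKCS7-----\n#{body}\n-----END PKCS7-----\n"
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_identity
  der = encrypt_for(cert, 'secret').to_der
  puts "with cert:   #{decrypt_with_cert(der, key, cert)}"
  puts "PEM-armored: #{decrypt_with_cert(pem_armor([der].pack('m0')), key, cert)}"
  puts "key only:    #{cert_optional? ? decrypt_key_only(der, key) : 'unsupported on this ruby-openssl'}"
end
```

`decrypt_any` is the shape of the behaviour the original report asked for: the public key is consulted when given, skipped when the underlying library can search the recipients itself, and its absence produces an error that names the real constraint rather than a missing default path.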