hiera-eyaml-twofac 0.3 → 0.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/hiera/backend/eyaml/encryptors/twofac.rb +37 -15
- metadata +1 -1
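--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ee075aedba335060e3ca7d6a9209105c87801988
+data.tar.gz: 3d1a095f318e3715e7b2a9a2d9b8ad7ab8184f31
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5493ced52740a2c20f27ebc2a7a3472abd57889c893a213b9e34d1a6585aaced6ed472221c6eef41678b34a5fd2a02ea1e5d523d7f8740c08ce788400fc91ef8
+data.tar.gz: 3b4d678c1ec331cb30306d20bebf1c7be6258644a9095a0415e2b0c4dcc222b08b29bd9c12d75c72ec616b89d1fe54016c1c2e23e92da927e379ca0dae70bdb9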
@@ -13,7 +13,7 @@ class Hiera
|
|
|
13
13
|
|
|
14
14
|
class Twofac < Encryptor
|
|
15
15
|
|
|
16
|
-
VERSION = "0.
|
|
16
|
+
VERSION = "0.4"
|
|
17
17
|
|
|
18
18
|
self.tag = "TWOFAC"
|
|
19
19
|
self.options = {
|
|
@@ -46,13 +46,20 @@ class Hiera
|
|
|
46
46
|
|
|
47
47
|
def self.decrypt ciphertext
|
|
48
48
|
|
|
49
|
-
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
50
|
-
|
|
51
49
|
#TODO: delegate this to original pkcs7 plugin
|
|
52
50
|
public_key = self.option :twofac_public_key
|
|
53
51
|
private_key = self.option :twofac_private_key
|
|
54
52
|
raise StandardError, "twofac_public_key is not defined" unless public_key
|
|
55
53
|
raise StandardError, "twofac_private_key is not defined" unless private_key
|
|
54
|
+
raise StandardError, "Keyfile #{private_key} does not exist" unless File.file? private_key
|
|
55
|
+
raise StandardError, "Keyfile #{public_key} does not exist" unless File.file? public_key
|
|
56
|
+
|
|
57
|
+
public_key_pem = File.read public_key
|
|
58
|
+
begin
|
|
59
|
+
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
60
|
+
rescue
|
|
61
|
+
raise StandardError, "Certificate #{public_key} is not an x509 certificate"
|
|
62
|
+
end
|
|
56
63
|
|
|
57
64
|
begin
|
|
58
65
|
private_key_input = File.read private_key
|
|
@@ -66,21 +73,34 @@ class Hiera
|
|
|
66
73
|
|
|
67
74
|
begin
|
|
68
75
|
private_key_base64 = private_key_input.split('-----BEGIN TWOFAC KEY-----')[1].split('-----END TWOFAC KEY-----')[0]
|
|
76
|
+
rescue
|
|
77
|
+
raise StandardError, "Keyfile #{private_key} has malformed delimeters"
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
begin
|
|
69
81
|
private_key_aes = Base64.decode64(private_key_base64)
|
|
82
|
+
rescue
|
|
83
|
+
raise StandardError, "Keyfile #{private_key} is wrongly encoded"
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
87
|
+
begin
|
|
70
88
|
private_key_pem = aes_decrypt( password, private_key_aes)
|
|
71
|
-
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
|
|
72
89
|
rescue
|
|
73
90
|
password = ""
|
|
74
|
-
|
|
75
|
-
|
|
91
|
+
private_key_pem = ""
|
|
92
|
+
raise StandardError, "Keyfile #{private_key} cannot be AES decrypted"
|
|
93
|
+
end
|
|
94
|
+
password = ""
|
|
95
|
+
|
|
96
|
+
begin
|
|
97
|
+
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
|
|
98
|
+
rescue
|
|
76
99
|
private_key_pem = ""
|
|
77
100
|
private_key_rsa = ""
|
|
78
101
|
raise StandardError, "Unable to decrypt keyfile #{private_key} with password"
|
|
79
102
|
end
|
|
80
103
|
|
|
81
|
-
public_key_pem = File.read public_key
|
|
82
|
-
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
83
|
-
|
|
84
104
|
begin
|
|
85
105
|
pkcs7 = OpenSSL::PKCS7.new( ciphertext )
|
|
86
106
|
pkcs7.decrypt(private_key_rsa, public_key_x509)
|
|
@@ -92,7 +112,6 @@ class Hiera
|
|
|
92
112
|
|
|
93
113
|
def self.create_keys
|
|
94
114
|
|
|
95
|
-
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
96
115
|
|
|
97
116
|
#TODO: delegate this to original pkcs7 plugin
|
|
98
117
|
|
|
@@ -106,17 +125,20 @@ class Hiera
|
|
|
106
125
|
key = OpenSSL::PKey::RSA.new(2048)
|
|
107
126
|
Utils.ensure_key_dir_exists private_key
|
|
108
127
|
pem_data = key.to_pem
|
|
109
|
-
aes_data = aes_encrypt( password, pem_data )
|
|
110
|
-
base64_data = Base64.encode64(aes_data).strip
|
|
111
|
-
output_data = ["-----BEGIN TWOFAC KEY-----", base64_data, "-----END TWOFAC KEY-----"].join("\n")
|
|
112
|
-
|
|
113
|
-
Utils.write_important_file :filename => private_key, :content => output_data, :mode => 0600
|
|
114
128
|
|
|
129
|
+
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
130
|
+
aes_data = aes_encrypt( password, pem_data )
|
|
115
131
|
password = ""
|
|
116
132
|
pem_data = ""
|
|
133
|
+
|
|
134
|
+
base64_data = Base64.encode64(aes_data).strip
|
|
117
135
|
aes_data = ""
|
|
136
|
+
|
|
137
|
+
output_data = ["-----BEGIN TWOFAC KEY-----", base64_data, "-----END TWOFAC KEY-----"].join("\n")
|
|
118
138
|
base64_data = ""
|
|
119
139
|
|
|
140
|
+
Utils.write_important_file :filename => private_key, :content => output_data, :mode => 0600
|
|
141
|
+
|
|
120
142
|
cert = OpenSSL::X509::Certificate.new()
|
|
121
143
|
cert.subject = OpenSSL::X509::Name.parse(subject)
|
|
122
144
|
cert.serial = 1
|
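Review bot: In the decrypt hunk the new `rescue` around `Base64.decode64` can never fire, because `decode64` is lenient and silently drops characters it cannot decode, so a corrupted key body is not reported as "wrongly encoded" but falls through to `aes_decrypt` and surfaces as a misleading "cannot be AES decrypted" or "Unable to decrypt ... with password" error. Use the strict decoder after removing the line breaks that `encode64` inserts in `create_keys`, `private_key_aes = Base64.strict_decode64(private_key_base64.gsub(/\s+/, ''))`, which raises `ArgumentError` on malformed input and makes the rescue meaningful. The `password = ""` and `private_key_pem = ""` assignments only rebind locals; the original String objects stay in memory until garbage-collected, so a comment such as `# rebinding does not zeroize the secret; Ruby offers no reliable wipe` would stop a reader from treating this as a security control. Minor: the message `"has malformed delimeters"` should read `delimiters`. `self.decrypt` begins before this hunk and continues past it.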