hiera-eyaml-twofac 0.3 → 0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/hiera/backend/eyaml/encryptors/twofac.rb +37 -15
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ee075aedba335060e3ca7d6a9209105c87801988
|
|
4
|
+
data.tar.gz: 3d1a095f318e3715e7b2a9a2d9b8ad7ab8184f31
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5493ced52740a2c20f27ebc2a7a3472abd57889c893a213b9e34d1a6585aaced6ed472221c6eef41678b34a5fd2a02ea1e5d523d7f8740c08ce788400fc91ef8
|
|
7
|
+
data.tar.gz: 3b4d678c1ec331cb30306d20bebf1c7be6258644a9095a0415e2b0c4dcc222b08b29bd9c12d75c72ec616b89d1fe54016c1c2e23e92da927e379ca0dae70bdb9
|
|
@@ -13,7 +13,7 @@ class Hiera
|
|
|
13
13
|
|
|
14
14
|
class Twofac < Encryptor
|
|
15
15
|
|
|
16
|
-
VERSION = "0.
|
|
16
|
+
VERSION = "0.4"
|
|
17
17
|
|
|
18
18
|
self.tag = "TWOFAC"
|
|
19
19
|
self.options = {
|
|
@@ -46,13 +46,20 @@ class Hiera
|
|
|
46
46
|
|
|
47
47
|
def self.decrypt ciphertext
|
|
48
48
|
|
|
49
|
-
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
50
|
-
|
|
51
49
|
#TODO: delegate this to original pkcs7 plugin
|
|
52
50
|
public_key = self.option :twofac_public_key
|
|
53
51
|
private_key = self.option :twofac_private_key
|
|
54
52
|
raise StandardError, "twofac_public_key is not defined" unless public_key
|
|
55
53
|
raise StandardError, "twofac_private_key is not defined" unless private_key
|
|
54
|
+
raise StandardError, "Keyfile #{private_key} does not exist" unless File.file? private_key
|
|
55
|
+
raise StandardError, "Keyfile #{public_key} does not exist" unless File.file? public_key
|
|
56
|
+
|
|
57
|
+
public_key_pem = File.read public_key
|
|
58
|
+
begin
|
|
59
|
+
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
60
|
+
rescue
|
|
61
|
+
raise StandardError, "Certificate #{public_key} is not an x509 certificate"
|
|
62
|
+
end
|
|
56
63
|
|
|
57
64
|
begin
|
|
58
65
|
private_key_input = File.read private_key
|
|
@@ -66,21 +73,34 @@ class Hiera
|
|
|
66
73
|
|
|
67
74
|
begin
|
|
68
75
|
private_key_base64 = private_key_input.split('-----BEGIN TWOFAC KEY-----')[1].split('-----END TWOFAC KEY-----')[0]
|
|
76
|
+
rescue
|
|
77
|
+
raise StandardError, "Keyfile #{private_key} has malformed delimeters"
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
begin
|
|
69
81
|
private_key_aes = Base64.decode64(private_key_base64)
|
|
82
|
+
rescue
|
|
83
|
+
raise StandardError, "Keyfile #{private_key} is wrongly encoded"
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
87
|
+
begin
|
|
70
88
|
private_key_pem = aes_decrypt( password, private_key_aes)
|
|
71
|
-
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
|
|
72
89
|
rescue
|
|
73
90
|
password = ""
|
|
74
|
-
|
|
75
|
-
|
|
91
|
+
private_key_pem = ""
|
|
92
|
+
raise StandardError, "Keyfile #{private_key} cannot be AES decrypted"
|
|
93
|
+
end
|
|
94
|
+
password = ""
|
|
95
|
+
|
|
96
|
+
begin
|
|
97
|
+
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
|
|
98
|
+
rescue
|
|
76
99
|
private_key_pem = ""
|
|
77
100
|
private_key_rsa = ""
|
|
78
101
|
raise StandardError, "Unable to decrypt keyfile #{private_key} with password"
|
|
79
102
|
end
|
|
80
103
|
|
|
81
|
-
public_key_pem = File.read public_key
|
|
82
|
-
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
83
|
-
|
|
84
104
|
begin
|
|
85
105
|
pkcs7 = OpenSSL::PKCS7.new( ciphertext )
|
|
86
106
|
pkcs7.decrypt(private_key_rsa, public_key_x509)
|
|
@@ -92,7 +112,6 @@ class Hiera
|
|
|
92
112
|
|
|
93
113
|
def self.create_keys
|
|
94
114
|
|
|
95
|
-
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
96
115
|
|
|
97
116
|
#TODO: delegate this to original pkcs7 plugin
|
|
98
117
|
|
|
@@ -106,17 +125,20 @@ class Hiera
|
|
|
106
125
|
key = OpenSSL::PKey::RSA.new(2048)
|
|
107
126
|
Utils.ensure_key_dir_exists private_key
|
|
108
127
|
pem_data = key.to_pem
|
|
109
|
-
aes_data = aes_encrypt( password, pem_data )
|
|
110
|
-
base64_data = Base64.encode64(aes_data).strip
|
|
111
|
-
output_data = ["-----BEGIN TWOFAC KEY-----", base64_data, "-----END TWOFAC KEY-----"].join("\n")
|
|
112
|
-
|
|
113
|
-
Utils.write_important_file :filename => private_key, :content => output_data, :mode => 0600
|
|
114
128
|
|
|
129
|
+
password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
|
|
130
|
+
aes_data = aes_encrypt( password, pem_data )
|
|
115
131
|
password = ""
|
|
116
132
|
pem_data = ""
|
|
133
|
+
|
|
134
|
+
base64_data = Base64.encode64(aes_data).strip
|
|
117
135
|
aes_data = ""
|
|
136
|
+
|
|
137
|
+
output_data = ["-----BEGIN TWOFAC KEY-----", base64_data, "-----END TWOFAC KEY-----"].join("\n")
|
|
118
138
|
base64_data = ""
|
|
119
139
|
|
|
140
|
+
Utils.write_important_file :filename => private_key, :content => output_data, :mode => 0600
|
|
141
|
+
|
|
120
142
|
cert = OpenSSL::X509::Certificate.new()
|
|
121
143
|
cert.subject = OpenSSL::X509::Name.parse(subject)
|
|
122
144
|
cert.serial = 1
|