voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

ECC PKCS7 keys do not work #255

Open robbat2 opened 6 years ago

robbat2 commented 6 years ago

I'm trying to use elliptic curve certs rather than RSA, and running into weirdness.

$ openssl ecparam -name prime256v1 -genkey  -out keys/private_key.pkcs7.pem
$ openssl req -x509 -nodes -days 100000 -key keys/private_key.pkcs7.pem -subj '/' -out keys/public_key.pkcs7.pem
$ eyaml encrypt -n pkcs7 -s testcase -v
[hiera-eyaml-core] Loaded config from /home/robbat2/.eyaml/config.yaml
[hiera-eyaml-core] error adding recipient
[hiera-eyaml-core] /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/encryptors/pkcs7.rb:37:in `encrypt'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/encryptors/pkcs7.rb:37:in `encrypt'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/encrypt.rb:80:in `execute'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                   /usr/lib64/ruby/gems/2.3.0/gems/hiera-eyaml-2.1.0/bin/eyaml:21:in `<top (required)>'
                   /usr/bin/eyaml:9:in `load'
                   /usr/bin/eyaml:9:in `<main>'

If the key is generated as RSA instead, everything is fine:

$ openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout keys/private_key.pkcs7.pem -out keys/public_key.pkcs7.pem -subj '/'
$ eyaml encrypt -n pkcs7 -s testcase -v
[hiera-eyaml-core] Loaded config from /home/robbat2/.eyaml/config.yaml
string: ENC[PKCS7,MIIBgQY...=]
...
robbat2 commented 6 years ago

So this seems to be a shortcoming of OpenSSL. http://ruby-doc.org/stdlib-2.4.2/libdoc/openssl/rdoc/OpenSSL/PKCS7.html doesn't mention it at all, but digging deeper down, I found this: https://mta.openssl.org/pipermail/openssl-dev/2016-May/007241.html

None of the OpenSSL CMS utility/api is exposed via Ruby :-(

rnelson0 commented 6 years ago

@robbat2 That's unfortunate. Is it possible that the use of the newly released ruby 2.5 provides better hooks into openssl?

robbat2 commented 6 years ago

I checked; the OpenSSL gem doesn't support any of the CMS functions. On deeper inspection, I'm wondering if the SMIME (PKCS#7) & CMS structures are overkill for what we're doing. I'm going to see about exploring that as a different encryption method.
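The failure reported above, reproduced in Ruby's own OpenSSL binding rather than through the eyaml CLI. This is an added example, not code from the issue or from the hiera-eyaml project; the helper names (self_signed_cert, pkcs7_recipient_problem, pkcs7_recipient_supported?, pkcs7_roundtrip), the constructed certificate subject and the choice of aes-256-cbc are assumptions. It shows why the thread's diagnosis holds: OpenSSL::PKCS7.encrypt only builds a KeyTransRecipientInfo, which exists for RSA recipients, so an EC certificate is rejected with OpenSSL::PKCS7::PKCS7Error ("error adding recipient"), while an RSA certificate encrypts and decrypts round trip. The preflight check gives an operator a clear reason before eyaml is ever run with an EC public_key.pkcs7.pem.

```ruby
# Added example (not hiera-eyaml project code): probe whether a certificate
# can be a PKCS#7 EnvelopedData recipient in Ruby's OpenSSL binding.
require 'openssl'

# Symmetric cipher for the EnvelopedData content; an assumption for this example.
CIPHER = 'aes-256-cbc'

# Self-signed certificate for a key pair, the in-Ruby equivalent of the
# `openssl req -x509` commands from the issue. Subject is a constructed value.
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=eyaml-example')
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Preflight check to run before `eyaml encrypt`: nil when the certificate's
# key type can be a PKCS#7 recipient, otherwise a human-readable reason.
def pkcs7_recipient_problem(cert)
  pub = cert.public_key
  return nil if pub.is_a?(OpenSSL::PKey::RSA)
  if pub.is_a?(OpenSSL::PKey::EC)
    return "EC key (#{pub.group.curve_name}) cannot be a PKCS#7 " \
           'KeyTransRecipientInfo recipient; PKCS#7 envelopes need an RSA key'
  end
  "#{pub.class} keys are not supported by OpenSSL::PKCS7.encrypt"
end

# true when OpenSSL accepts the certificate as a recipient, false when it
# raises. The issue's "error adding recipient" surfaces as
# OpenSSL::PKCS7::PKCS7Error, a subclass of OpenSSL::OpenSSLError.
def pkcs7_recipient_supported?(cert)
  OpenSSL::PKCS7.encrypt([cert], 'probe', OpenSSL::Cipher.new(CIPHER),
                         OpenSSL::PKCS7::BINARY)
  true
rescue OpenSSL::OpenSSLError
  false
end

# encrypt -> DER -> decrypt round trip, the path an ENC[PKCS7,...] value takes.
def pkcs7_roundtrip(key, cert, plaintext)
  enveloped = OpenSSL::PKCS7.encrypt([cert], plaintext,
                                     OpenSSL::Cipher.new(CIPHER),
                                     OpenSSL::PKCS7::BINARY)
  OpenSSL::PKCS7.new(enveloped.to_der).decrypt(key, cert)
end

if $PROGRAM_NAME == __FILE__
  rsa_key = OpenSSL::PKey::RSA.generate(2048)
  ec_key = OpenSSL::PKey::EC.generate('prime256v1')
  { 'RSA' => rsa_key, 'EC' => ec_key }.each do |label, key|
    cert = self_signed_cert(key)
    puts "#{label}: preflight=#{pkcs7_recipient_problem(cert).inspect} " \
         "recipient_ok=#{pkcs7_recipient_supported?(cert)}"
  end
  puts "RSA roundtrip: #{pkcs7_roundtrip(rsa_key, self_signed_cert(rsa_key), 'testcase')}"
end
```

Running the file prints the EC preflight reason and `recipient_ok=false` for the prime256v1 certificate, and `recipient_ok=true` plus a successful round trip for RSA, matching the two CLI sessions in the issue. The check looks at the certificate's key type rather than at the error string, so it works the same across OpenSSL versions whose error text differs.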