voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

Make public key opt in decrypt when openssl gem >= 2.2.0 #364

Closed cmd-ntrf closed 4 months ago

cmd-ntrf commented 5 months ago

In the PKCS7 RFC, the recipient certificate is not mandatory when decrypting. This is also how it is implemented in OpenSSL's PKCS7_decrypt(). However, it is only since version 2.2.0 of ruby-openssl that it is possible to call OpenSSL::PKCS7#decrypt with only the private key. Ref: https://github.com/ruby/openssl/pull/183

The issue of hiera-eyaml requiring the public key when decrypting has been brought up before in #137, but ruby-openssl was yet to be patched.
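The behaviour described in the comment above, as an added example (not code from hiera-eyaml or from this pull request): a PKCS7 envelope is decrypted with the private key alone when the loaded openssl gem is 2.2.0 or newer, and the certificate stays mandatory otherwise. The helper names, the constructed key pair and the AES-256-CBC/BINARY choices are assumptions made for the illustration.

```ruby
require 'openssl'

# Constructed throwaway RSA key and self-signed certificate (sample data only).
def make_keypair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=eyaml-example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Encrypting always needs the recipient certificate (the public half).
def pkcs7_encrypt(plaintext, cert)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end

# True when the loaded openssl gem accepts decrypt(private_key) without a certificate.
def cert_optional?
  Gem::Version.new(OpenSSL::VERSION) >= Gem::Version.new('2.2.0')
end

# Hypothetical helper: the certificate is passed only when the caller has one.
# On older gems a missing certificate is reported up front.
def pkcs7_decrypt(der, private_key, cert = nil)
  if cert.nil? && !cert_optional?
    raise ArgumentError, 'openssl gem < 2.2.0 requires the recipient certificate to decrypt'
  end
  envelope = OpenSSL::PKCS7.new(der)
  cert ? envelope.decrypt(private_key, cert) : envelope.decrypt(private_key)
end
```

With the certificate optional, a node that only decrypts needs to hold the private key alone, while the public certificate is distributed to whoever encrypts values.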

cmd-ntrf commented 4 months ago

Superseded by https://github.com/voxpupuli/hiera-eyaml/pull/378