From 2f60a4a1f3c20dbf12f52deae8f59731e5db5f27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Thu, 9 May 2024 11:51:56 -0400
Subject: [PATCH] Copy recipient info issuer in x509 when decrypting
In case the keys have been not been generated with hiera-eyaml, the issuer info might be different than the default one generated by Ruby. This info have to match for decrypt to run without error.
---
 lib/hiera/backend/eyaml/encryptors/pkcs7.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
index 596963d..eb1580d 100644
--- a/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
+++ b/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
@@ -55,6 +55,7 @@ def self.decrypt(ciphertext)
 public_key_x509 = OpenSSL::X509::Certificate.new
 public_key_x509.serial = pkcs7.recipients[0].serial
+ public_key_x509.issuer = pkcs7.recipients[0].issuer
 public_key_x509.public_key = private_key_rsa.public_key
 pkcs7.decrypt(private_key_rsa, public_key_x509)
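Review bot: `pkcs7.recipients[0]` is now dereferenced twice with no check that the envelope has a recipient, so a malformed or truncated ciphertext would surface as a `NoMethodError` on nil instead of a decryption error. I would bind it once with `recipient = pkcs7.recipients.first`, fail explicitly with `raise OpenSSL::PKCS7::PKCS7Error, 'ciphertext has no recipient info' if recipient.nil?`, and read `recipient.serial` and `recipient.issuer` from it. Only the first recipient is ever considered, so an envelope encrypted to several recipients where this key is not listed first would presumably still fail to decrypt. Because serial and issuer are both copied from the ciphertext, the certificate match holds by construction and is not an independent check; a comment such as `# serial/issuer mirror the ciphertext's recipient info only to satisfy matching; the private key alone gates decryption` would keep later readers from treating it as validation. The body of `decrypt` starts and ends outside this hunk, so any handling before or after these lines is not visible here.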