authorBart de Water <496367+bdewater@users.noreply.github.com>2020-06-28 14:39:26 -0400
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2020-07-31 21:07:19 +0900
commit8161cf85ba4f9091176536bcac9107879e4293a1 (patch)
treed737649bae49f26bff646e2868608e2aa91ef2bb
parente7b6e0ff5823c422cd3e508d2b7104a91a2e36f6 (diff)
Stop using deprecated OpenSSL::Digest constants
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/3379
-rw-r--r--lib/rubygems/package.rb7
-rw-r--r--lib/rubygems/package/tar_writer.rb5
-rw-r--r--lib/rubygems/security.rb41
-rw-r--r--lib/rubygems/security/policy.rb4
-rw-r--r--lib/rubygems/security/signer.rb2
-rw-r--r--lib/rubygems/security/trust_dir.rb2
-rw-r--r--test/rubygems/test_gem_package.rb2
-rw-r--r--test/rubygems/test_gem_package_tar_writer.rb4
-rw-r--r--test/rubygems/test_gem_security_policy.rb12
-rw-r--r--test/rubygems/test_gem_security_trust_dir.rb4
10 files changed, 40 insertions, 43 deletions
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index 426d33c..53ae696 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -358,12 +358,7 @@ EOM
end
algorithms.each do |algorithm|
- digester =
- if defined?(OpenSSL::Digest)
- OpenSSL::Digest.new algorithm
- else
- Digest.const_get(algorithm).new
- end
+ digester = Gem::Security.create_digest(algorithm)
digester << entry.read(16384) until entry.eof?
diff --git a/lib/rubygems/package/tar_writer.rb b/lib/rubygems/package/tar_writer.rb
index 87c7dc6..3abfb0c 100644
--- a/lib/rubygems/package/tar_writer.rb
+++ b/lib/rubygems/package/tar_writer.rb
@@ -140,8 +140,7 @@ class Gem::Package::TarWriter
if digest.respond_to? :name
digest.name
else
- /::([^:]+)$/ =~ digest_algorithm.name
- $1
+ digest_algorithm.class.name[/::([^:]+)\z/, 1]
end
[digest_name, digest]
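Review bot: The fallback `digest_algorithm.class.name[/::([^:]+)\z/, 1]` yields nil when a caller still passes a digest class rather than an instance, because `Digest::SHA512.class.name` is `"Class"` and the pattern requires a `::`. The pair returned on the last line then carries a nil name instead of raising, so an old-style caller fails silently. If `digest` is the object built from `digest_algorithm` earlier in the method (that line is outside this hunk), taking the name from it works for both call styles: `digest.class.name[/::([^:]+)\z/, 1]`. The enclosing method starts and ends outside the hunk.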
@@ -169,7 +168,7 @@ class Gem::Package::TarWriter
def add_file_signed(name, mode, signer)
digest_algorithms = [
signer.digest_algorithm,
- Digest::SHA512,
+ Digest::SHA512.new,
].compact.uniq
digests = add_file_digest name, mode, digest_algorithms do |io|
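Review bot: `.uniq` on this array probably no longer removes a duplicate SHA512 entry, because the elements are now freshly built digest objects and `Array#uniq` compares by `hash`/`eql?`, which Digest objects, to my knowledge, do not define per algorithm. When `signer.digest_algorithm` is itself SHA512 (as the fake signer in test_gem_package.rb is), the file would apparently be hashed twice under the same name. Deduplicating by algorithm name restores the old behaviour, e.g. `.compact.uniq { |d| d.respond_to?(:name) ? d.name : d.class.name[/::([^:]+)\z/, 1] }`. add_file_signed continues past the end of the hunk.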
diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
index 8c86896..64fb4c0 100644
--- a/lib/rubygems/security.rb
+++ b/lib/rubygems/security.rb
@@ -339,26 +339,15 @@ module Gem::Security
class Exception < Gem::Exception; end
##
- # Digest algorithm used to sign gems
-
- DIGEST_ALGORITHM =
- if defined?(OpenSSL::Digest::SHA256)
- OpenSSL::Digest::SHA256
- elsif defined?(OpenSSL::Digest::SHA1)
- OpenSSL::Digest::SHA1
- else
- require 'digest'
- Digest::SHA512
- end
-
- ##
# Used internally to select the signing digest from all computed digests
DIGEST_NAME = # :nodoc:
- if DIGEST_ALGORITHM.method_defined? :name
- DIGEST_ALGORITHM.new.name
+ if defined?(OpenSSL::Digest::SHA256)
+ 'SHA256'
+ elsif defined?(OpenSSL::Digest::SHA1)
+ 'SHA1'
else
- DIGEST_ALGORITHM.name[/::([^:]+)\z/, 1]
+ 'SHA512'
end
##
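Review bot: DIGEST_NAME is still selected by probing `OpenSSL::Digest::SHA256` and `OpenSSL::Digest::SHA1`, the per-algorithm constants this commit is moving away from. If a later openssl release drops those constants, both `defined?` checks become false and the default silently becomes 'SHA512'; on a build that lacks only the SHA256 constant, the signing digest falls back to SHA-1, which is no longer considered adequate for signatures. Unless a SHA-1-only build still has to be supported, probing the module keeps the choice stable: `if defined?(OpenSSL::Digest) then 'SHA256' else 'SHA512' end`. A one-line comment on DIGEST_NAME saying it names the digest used to sign gems would replace the doc comment removed above it.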
@@ -468,6 +457,22 @@ module Gem::Security
end
##
+ # Creates a new digest instance using the specified +algorithm+. The default
+ # is SHA256.
+
+ if defined?(OpenSSL::Digest)
+ def self.create_digest(algorithm = DIGEST_NAME)
+ OpenSSL::Digest.new(algorithm)
+ end
+ else
+ require 'digest'
+
+ def self.create_digest(algorithm = DIGEST_NAME)
+ Digest.const_get(algorithm).new
+ end
+ end
+
+ ##
# Creates a new key pair of the specified +length+ and +algorithm+. The
# default is a 3072 bit RSA key.
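Review bot: The non-OpenSSL branch calls `Digest.const_get(algorithm).new` on whatever name it receives, and `const_get` with its default inherited lookup also resolves top-level constants that are not digests. In package.rb the argument comes from `algorithms`, whose origin is outside the visible hunk; if those names are read from package metadata they should be constrained before the lookup, e.g. `Digest.const_get(algorithm, false).new` or a check against a fixed list of accepted names. The comment's "The default is SHA256" also holds only when DIGEST_NAME resolves to 'SHA256'; `# The default is Gem::Security::DIGEST_NAME.` would be accurate on every build.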
@@ -528,7 +533,7 @@ module Gem::Security
##
# Sign the public key from +certificate+ with the +signing_key+ and
- # +signing_cert+, using the Gem::Security::DIGEST_ALGORITHM. Uses the
+ # +signing_cert+, using the Gem::Security::DIGEST_NAME. Uses the
# default certificate validity range and extensions.
#
# Returns the newly signed certificate.
@@ -555,7 +560,7 @@ module Gem::Security
signed = create_cert signee_subject, signee_key, age, extensions, serial
signed.issuer = signing_cert.subject
- signed.sign signing_key, Gem::Security::DIGEST_ALGORITHM.new
+ signed.sign signing_key, Gem::Security::DIGEST_NAME
end
##
diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb
index 0783fe3..db457f1 100644
--- a/lib/rubygems/security/policy.rb
+++ b/lib/rubygems/security/policy.rb
@@ -75,7 +75,7 @@ class Gem::Security::Policy
def check_data(public_key, digest, signature, data)
raise Gem::Security::Exception, "invalid signature" unless
- public_key.verify digest.new, signature, data.digest
+ public_key.verify digest, signature, data.digest
true
end
@@ -223,7 +223,7 @@ class Gem::Security::Policy
end
opt = @opt
- digester = Gem::Security::DIGEST_ALGORITHM
+ digester = Gem::Security.create_digest
trust_dir = opt[:trust_dir]
time = Time.now
diff --git a/lib/rubygems/security/signer.rb b/lib/rubygems/security/signer.rb
index d1da3f2..89200f9 100644
--- a/lib/rubygems/security/signer.rb
+++ b/lib/rubygems/security/signer.rb
@@ -80,8 +80,8 @@ class Gem::Security::Signer
@cert_chain = [default_cert] if File.exist? default_cert
end
- @digest_algorithm = Gem::Security::DIGEST_ALGORITHM
@digest_name = Gem::Security::DIGEST_NAME
+ @digest_algorithm = Gem::Security.create_digest(@digest_name)
if @key && !@key.is_a?(OpenSSL::PKey::RSA)
@key = OpenSSL::PKey::RSA.new(File.read(@key), @passphrase)
diff --git a/lib/rubygems/security/trust_dir.rb b/lib/rubygems/security/trust_dir.rb
index 9016b0c..1d93cea 100644
--- a/lib/rubygems/security/trust_dir.rb
+++ b/lib/rubygems/security/trust_dir.rb
@@ -25,7 +25,7 @@ class Gem::Security::TrustDir
@dir = dir
@permissions = permissions
- @digester = Gem::Security::DIGEST_ALGORITHM
+ @digester = Gem::Security.create_digest
end
##
diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb
index adf11a1..3a97a85 100644
--- a/test/rubygems/test_gem_package.rb
+++ b/test/rubygems/test_gem_package.rb
@@ -1018,7 +1018,7 @@ class TestGemPackage < Gem::Package::TarTestCase
bogus_data = Gem::Util.gzip 'hello'
fake_signer = Class.new do
def digest_name; 'SHA512'; end
- def digest_algorithm; Digest(:SHA512); end
+ def digest_algorithm; Digest(:SHA512).new; end
def key; 'key'; end
def sign(*); 'fake_sig'; end
end
diff --git a/test/rubygems/test_gem_package_tar_writer.rb b/test/rubygems/test_gem_package_tar_writer.rb
index 9a3feca..e31efdd 100644
--- a/test/rubygems/test_gem_package_tar_writer.rb
+++ b/test/rubygems/test_gem_package_tar_writer.rb
@@ -71,7 +71,7 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase
end
def test_add_file_digest
- digest_algorithms = Digest::SHA1, Digest::SHA512
+ digest_algorithms = Digest::SHA1.new, Digest::SHA512.new
Time.stub :now, Time.at(1458518157) do
digests = @tar_writer.add_file_digest 'x', 0644, digest_algorithms do |io|
@@ -94,7 +94,7 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase
end
def test_add_file_digest_multiple
- digest_algorithms = [Digest::SHA1, Digest::SHA512]
+ digest_algorithms = [Digest::SHA1.new, Digest::SHA512.new]
Time.stub :now, Time.at(1458518157) do
digests = @tar_writer.add_file_digest 'x', 0644, digest_algorithms do |io|
diff --git a/test/rubygems/test_gem_security_policy.rb b/test/rubygems/test_gem_security_policy.rb
index 4d5d9bb..86100d7 100644
--- a/test/rubygems/test_gem_security_policy.rb
+++ b/test/rubygems/test_gem_security_policy.rb
@@ -32,7 +32,7 @@ class TestGemSecurityPolicy < Gem::TestCase
s.files = %w[lib/code.rb]
end
- @digest = Gem::Security::DIGEST_ALGORITHM
+ @digest = OpenSSL::Digest.new Gem::Security::DIGEST_NAME
@trust_dir = Gem::Security.trust_dir.dir # HACK use the object
@no = Gem::Security::NoSecurity
@@ -395,13 +395,11 @@ class TestGemSecurityPolicy < Gem::TestCase
def test_verify_wrong_digest_type
Gem::Security.trust_dir.trust_cert PUBLIC_CERT
- sha512 = OpenSSL::Digest::SHA512
-
- data = sha512.new
+ data = OpenSSL::Digest.new('SHA512')
data << 'hello'
digests = { 'SHA512' => { 0 => data } }
- signature = PRIVATE_KEY.sign sha512.new, data.digest
+ signature = PRIVATE_KEY.sign 'sha512', data.digest
signatures = { 0 => signature }
e = assert_raises Gem::Security::Exception do
@@ -480,7 +478,7 @@ class TestGemSecurityPolicy < Gem::TestCase
def s.full_name() 'metadata.gz' end
digests = package.digest s
- digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.new 'hello'
+ digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.hexdigest 'hello'
metadata_gz_digest = digests[Gem::Security::DIGEST_NAME]['metadata.gz']
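Review bot: The fixture value changes type on this line: `@digest.new 'hello'` produced a digest object, while `@digest.hexdigest 'hello'` stores a hex String in `digests`. Policy#check_data calls `data.digest` on what appear to be these entries, so if verification reaches this one the test would stop with NoMethodError instead of exercising the digest mismatch. Keeping an object preserves the original intent: `@digest.new.update('hello')`. The same replacement appears in the next hunk of this file, where the expected error is Gem::Security::Exception. The test method starts and ends outside the hunk.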
@@ -509,7 +507,7 @@ class TestGemSecurityPolicy < Gem::TestCase
def s.full_name() 'metadata.gz' end
digests = package.digest s
- digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.new 'hello'
+ digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.hexdigest 'hello'
assert_raises Gem::Security::Exception do
@high.verify_signatures @spec, digests, {}
diff --git a/test/rubygems/test_gem_security_trust_dir.rb b/test/rubygems/test_gem_security_trust_dir.rb
index 9a40f85..64871f7 100644
--- a/test/rubygems/test_gem_security_trust_dir.rb
+++ b/test/rubygems/test_gem_security_trust_dir.rb
@@ -17,7 +17,7 @@ class TestGemSecurityTrustDir < Gem::TestCase
end
def test_cert_path
- digest = Gem::Security::DIGEST_ALGORITHM.hexdigest PUBLIC_CERT.subject.to_s
+ digest = OpenSSL::Digest.hexdigest Gem::Security::DIGEST_NAME, PUBLIC_CERT.subject.to_s
expected = File.join @dest_dir, "cert-#{digest}.pem"
@@ -41,7 +41,7 @@ class TestGemSecurityTrustDir < Gem::TestCase
end
def test_name_path
- digest = Gem::Security::DIGEST_ALGORITHM.hexdigest PUBLIC_CERT.subject.to_s
+ digest = OpenSSL::Digest.hexdigest Gem::Security::DIGEST_NAME, PUBLIC_CERT.subject.to_s
expected = File.join @dest_dir, "cert-#{digest}.pem"