1 files changed, 78 insertions, 29 deletions

diff --git a/lib/rubygems/commands/cert_command.rb b/lib/rubygems/commands/cert_command.rb
index 5a9320f9c4..e417193bca 100644
--- a/lib/rubygems/commands/cert_command.rb
+++ b/lib/rubygems/commands/cert_command.rb
@@ -1,6 +1,11 @@
 require 'rubygems/command'
 require 'rubygems/security'
-require 'openssl'
+begin
+  require 'openssl'
+rescue LoadError => e
+  raise unless (e.respond_to?(:path) && e.path == 'openssl') ||
+               e.message =~ / -- openssl$/
+end
 
 class Gem::Commands::CertCommand < Gem::Command
 
@@ -21,7 +26,8 @@ class Gem::Commands::CertCommand < Gem::Command
 
     OptionParser.accept OpenSSL::PKey::RSA do |key_file|
       begin
-        key = OpenSSL::PKey::RSA.new File.read key_file
+        passphrase = ENV['GEM_PRIVATE_KEY_PASSPHRASE']
+        key = OpenSSL::PKey::RSA.new File.read(key_file), passphrase
       rescue Errno::ENOENT
         raise OptionParser::InvalidArgument, "#{key_file}: does not exist"
       rescue OpenSSL::PKey::RSAError
@@ -79,52 +85,67 @@ class Gem::Commands::CertCommand < Gem::Command
     end
   end
 
+  def add_certificate certificate # :nodoc:
+    Gem::Security.trust_dir.trust_cert certificate
+
+    say "Added '#{certificate.subject}'"
+  end
+
   def execute
     options[:add].each do |certificate|
-      Gem::Security.trust_dir.trust_cert certificate
-
-      say "Added '#{certificate.subject}'"
+      add_certificate certificate
     end
 
     options[:remove].each do |filter|
-      certificates_matching filter do |certificate, path|
-        FileUtils.rm path
-        say "Removed '#{certificate.subject}'"
-      end
+      remove_certificates_matching filter
     end
 
     options[:list].each do |filter|
-      certificates_matching filter do |certificate, _|
-        # this could probably be formatted more gracefully
-        say certificate.subject.to_s
-      end
+      list_certificates_matching filter
     end
 
     options[:build].each do |name|
       build name
     end
 
-    unless options[:sign].empty? then
-      load_default_cert unless options[:issuer_cert]
-      load_default_key  unless options[:key]
-    end
-
-    options[:sign].each do |cert_file|
-      sign cert_file
-    end
+    sign_certificates unless options[:sign].empty?
   end
 
   def build name
-    key = options[:key] || Gem::Security.create_key
+    key, key_path = build_key
+    cert_path = build_cert name, key
 
+    say "Certificate: #{cert_path}"
+
+    if key_path
+      say "Private Key: #{key_path}"
+      say "Don't forget to move the key file to somewhere private!"
+    end
+  end
+
+  def build_cert name, key # :nodoc:
     cert = Gem::Security.create_cert_email name, key
+    Gem::Security.write cert, "gem-public_cert.pem"
+  end
 
-    key_path  = Gem::Security.write key, "gem-private_key.pem"
-    cert_path = Gem::Security.write cert, "gem-public_cert.pem"
+  def build_key # :nodoc:
+    if options[:key] then
+      options[:key]
+    else
+      passphrase = ask_for_password 'Passphrase for your Private Key:'
+      say "\n"
 
-    say "Certificate: #{cert_path}"
-    say "Private Key: #{key_path}"
-    say "Don't forget to move the key file to somewhere private!"
+      passphrase_confirmation = ask_for_password 'Please repeat the passphrase for your Private Key:'
+      say "\n"
+
+      raise Gem::CommandLineError,
+            "Passphrase and passphrase confirmation don't match" unless passphrase == passphrase_confirmation
+
+      key      = Gem::Security.create_key
+      key_path = Gem::Security.write key, "gem-private_key.pem", 0600, passphrase
+
+      return key, key_path
+    end
   end
 
   def certificates_matching filter
@@ -179,6 +200,13 @@ For further reading on signing gems see `ri Gem::Security`.
     EOF
   end
 
+  def list_certificates_matching filter # :nodoc:
+    certificates_matching filter do |certificate, _|
+      # this could probably be formatted more gracefully
+      say certificate.subject.to_s
+    end
+  end
+
   def load_default_cert
     cert_file = File.join Gem.default_cert_path
     cert = File.read cert_file
@@ -198,7 +226,8 @@ For further reading on signing gems see `ri Gem::Security`.
   def load_default_key
     key_file = File.join Gem.default_key_path
     key = File.read key_file
-    options[:key] = OpenSSL::PKey::RSA.new key
+    passphrase = ENV['GEM_PRIVATE_KEY_PASSPHRASE']
+    options[:key] = OpenSSL::PKey::RSA.new key, passphrase
   rescue Errno::ENOENT
     alert_error \
       "--private-key not specified and ~/.gem/gem-private_key.pem does not exist"
@@ -211,6 +240,18 @@ For further reading on signing gems see `ri Gem::Security`.
     terminate_interaction 1
   end
 
+  def load_defaults # :nodoc:
+    load_default_cert unless options[:issuer_cert]
+    load_default_key  unless options[:key]
+  end
+
+  def remove_certificates_matching filter # :nodoc:
+    certificates_matching filter do |certificate, path|
+      FileUtils.rm path
+      say "Removed '#{certificate.subject}'"
+    end
+  end
+
   def sign cert_file
     cert = File.read cert_file
     cert = OpenSSL::X509::Certificate.new cert
@@ -225,5 +266,13 @@ For further reading on signing gems see `ri Gem::Security`.
     Gem::Security.write cert, cert_file, permissions
   end
 
-end
+  def sign_certificates # :nodoc:
+    load_defaults unless options[:sign].empty?
+
+    options[:sign].each do |cert_file|
+      sign cert_file
+    end
+  end
+
+end if defined?(OpenSSL::SSL)