diff options
Diffstat (limited to 'trunk/lib/rubygems/security.rb')
-rw-r--r-- | trunk/lib/rubygems/security.rb | 786 |
1 files changed, 0 insertions, 786 deletions
diff --git a/trunk/lib/rubygems/security.rb b/trunk/lib/rubygems/security.rb deleted file mode 100644 index abf3cf4a6a..0000000000 --- a/trunk/lib/rubygems/security.rb +++ /dev/null @@ -1,786 +0,0 @@ -#-- -# Copyright 2006 by Chad Fowler, Rich Kilmer, Jim Weirich and others. -# All rights reserved. -# See LICENSE.txt for permissions. -#++ - -require 'rubygems' -require 'rubygems/gem_openssl' - -# = Signed Gems README -# -# == Table of Contents -# * Overview -# * Walkthrough -# * Command-Line Options -# * OpenSSL Reference -# * Bugs/TODO -# * About the Author -# -# == Overview -# -# Gem::Security implements cryptographic signatures in RubyGems. The section -# below is a step-by-step guide to using signed gems and generating your own. -# -# == Walkthrough -# -# In order to start signing your gems, you'll need to build a private key and -# a self-signed certificate. Here's how: -# -# # build a private key and certificate for gemmaster@example.com -# $ gem cert --build gemmaster@example.com -# -# This could take anywhere from 5 seconds to 10 minutes, depending on the -# speed of your computer (public key algorithms aren't exactly the speediest -# crypto algorithms in the world). When it's finished, you'll see the files -# "gem-private_key.pem" and "gem-public_cert.pem" in the current directory. -# -# First things first: take the "gem-private_key.pem" file and move it -# somewhere private, preferably a directory only you have access to, a floppy -# (yuck!), a CD-ROM, or something comparably secure. Keep your private key -# hidden; if it's compromised, someone can sign packages as you (note: PKI has -# ways of mitigating the risk of stolen keys; more on that later). -# -# Now, let's sign an existing gem. I'll be using my Imlib2-Ruby bindings, but -# you can use whatever gem you'd like. Open up your existing gemspec file and -# add the following lines: -# -# # signing key and certificate chain -# s.signing_key = '/mnt/floppy/gem-private_key.pem' -# s.cert_chain = ['gem-public_cert.pem'] -# -# (Be sure to replace "/mnt/floppy" with the ultra-secret path to your private -# key). -# -# After that, go ahead and build your gem as usual. Congratulations, you've -# just built your first signed gem! If you peek inside your gem file, you'll -# see a couple of new files have been added: -# -# $ tar tf tar tf Imlib2-Ruby-0.5.0.gem -# data.tar.gz -# data.tar.gz.sig -# metadata.gz -# metadata.gz.sig -# -# Now let's verify the signature. Go ahead and install the gem, but add the -# following options: "-P HighSecurity", like this: -# -# # install the gem with using the security policy "HighSecurity" -# $ sudo gem install Imlib2-Ruby-0.5.0.gem -P HighSecurity -# -# The -P option sets your security policy -- we'll talk about that in just a -# minute. Eh, what's this? -# -# Attempting local installation of 'Imlib2-Ruby-0.5.0.gem' -# ERROR: Error installing gem Imlib2-Ruby-0.5.0.gem[.gem]: Couldn't -# verify data signature: Untrusted Signing Chain Root: cert = -# '/CN=gemmaster/DC=example/DC=com', error = 'path -# "/root/.rubygems/trust/cert-15dbb43a6edf6a70a85d4e784e2e45312cff7030.pem" -# does not exist' -# -# The culprit here is the security policy. RubyGems has several different -# security policies. Let's take a short break and go over the security -# policies. Here's a list of the available security policies, and a brief -# description of each one: -# -# * NoSecurity - Well, no security at all. Signed packages are treated like -# unsigned packages. -# * LowSecurity - Pretty much no security. If a package is signed then -# RubyGems will make sure the signature matches the signing -# certificate, and that the signing certificate hasn't expired, but -# that's it. A malicious user could easily circumvent this kind of -# security. -# * MediumSecurity - Better than LowSecurity and NoSecurity, but still -# fallible. Package contents are verified against the signing -# certificate, and the signing certificate is checked for validity, -# and checked against the rest of the certificate chain (if you don't -# know what a certificate chain is, stay tuned, we'll get to that). -# The biggest improvement over LowSecurity is that MediumSecurity -# won't install packages that are signed by untrusted sources. -# Unfortunately, MediumSecurity still isn't totally secure -- a -# malicious user can still unpack the gem, strip the signatures, and -# distribute the gem unsigned. -# * HighSecurity - Here's the bugger that got us into this mess. -# The HighSecurity policy is identical to the MediumSecurity policy, -# except that it does not allow unsigned gems. A malicious user -# doesn't have a whole lot of options here; he can't modify the -# package contents without invalidating the signature, and he can't -# modify or remove signature or the signing certificate chain, or -# RubyGems will simply refuse to install the package. Oh well, maybe -# he'll have better luck causing problems for CPAN users instead :). -# -# So, the reason RubyGems refused to install our shiny new signed gem was -# because it was from an untrusted source. Well, my code is infallible -# (hah!), so I'm going to add myself as a trusted source. -# -# Here's how: -# -# # add trusted certificate -# gem cert --add gem-public_cert.pem -# -# I've added my public certificate as a trusted source. Now I can install -# packages signed my private key without any hassle. Let's try the install -# command above again: -# -# # install the gem with using the HighSecurity policy (and this time -# # without any shenanigans) -# $ sudo gem install Imlib2-Ruby-0.5.0.gem -P HighSecurity -# -# This time RubyGems should accept your signed package and begin installing. -# While you're waiting for RubyGems to work it's magic, have a look at some of -# the other security commands: -# -# Usage: gem cert [options] -# -# Options: -# -a, --add CERT Add a trusted certificate. -# -l, --list List trusted certificates. -# -r, --remove STRING Remove trusted certificates containing STRING. -# -b, --build EMAIL_ADDR Build private key and self-signed certificate -# for EMAIL_ADDR. -# -C, --certificate CERT Certificate for --sign command. -# -K, --private-key KEY Private key for --sign command. -# -s, --sign NEWCERT Sign a certificate with my key and certificate. -# -# (By the way, you can pull up this list any time you'd like by typing "gem -# cert --help") -# -# Hmm. We've already covered the "--build" option, and the "--add", "--list", -# and "--remove" commands seem fairly straightforward; they allow you to add, -# list, and remove the certificates in your trusted certificate list. But -# what's with this "--sign" option? -# -# To answer that question, let's take a look at "certificate chains", a -# concept I mentioned earlier. There are a couple of problems with -# self-signed certificates: first of all, self-signed certificates don't offer -# a whole lot of security. Sure, the certificate says Yukihiro Matsumoto, but -# how do I know it was actually generated and signed by matz himself unless he -# gave me the certificate in person? -# -# The second problem is scalability. Sure, if there are 50 gem authors, then -# I have 50 trusted certificates, no problem. What if there are 500 gem -# authors? 1000? Having to constantly add new trusted certificates is a -# pain, and it actually makes the trust system less secure by encouraging -# RubyGems users to blindly trust new certificates. -# -# Here's where certificate chains come in. A certificate chain establishes an -# arbitrarily long chain of trust between an issuing certificate and a child -# certificate. So instead of trusting certificates on a per-developer basis, -# we use the PKI concept of certificate chains to build a logical hierarchy of -# trust. Here's a hypothetical example of a trust hierarchy based (roughly) -# on geography: -# -# -# -------------------------- -# | rubygems@rubyforge.org | -# -------------------------- -# | -# ----------------------------------- -# | | -# ---------------------------- ----------------------------- -# | seattle.rb@zenspider.com | | dcrubyists@richkilmer.com | -# ---------------------------- ----------------------------- -# | | | | -# --------------- ---------------- ----------- -------------- -# | alf@seattle | | bob@portland | | pabs@dc | | tomcope@dc | -# --------------- ---------------- ----------- -------------- -# -# -# Now, rather than having 4 trusted certificates (one for alf@seattle, -# bob@portland, pabs@dc, and tomecope@dc), a user could actually get by with 1 -# certificate: the "rubygems@rubyforge.org" certificate. Here's how it works: -# -# I install "Alf2000-Ruby-0.1.0.gem", a package signed by "alf@seattle". I've -# never heard of "alf@seattle", but his certificate has a valid signature from -# the "seattle.rb@zenspider.com" certificate, which in turn has a valid -# signature from the "rubygems@rubyforge.org" certificate. Voila! At this -# point, it's much more reasonable for me to trust a package signed by -# "alf@seattle", because I can establish a chain to "rubygems@rubyforge.org", -# which I do trust. -# -# And the "--sign" option allows all this to happen. A developer creates -# their build certificate with the "--build" option, then has their -# certificate signed by taking it with them to their next regional Ruby meetup -# (in our hypothetical example), and it's signed there by the person holding -# the regional RubyGems signing certificate, which is signed at the next -# RubyConf by the holder of the top-level RubyGems certificate. At each point -# the issuer runs the same command: -# -# # sign a certificate with the specified key and certificate -# # (note that this modifies client_cert.pem!) -# $ gem cert -K /mnt/floppy/issuer-priv_key.pem -C issuer-pub_cert.pem -# --sign client_cert.pem -# -# Then the holder of issued certificate (in this case, our buddy -# "alf@seattle"), can start using this signed certificate to sign RubyGems. -# By the way, in order to let everyone else know about his new fancy signed -# certificate, "alf@seattle" would change his gemspec file to look like this: -# -# # signing key (still kept in an undisclosed location!) -# s.signing_key = '/mnt/floppy/alf-private_key.pem' -# -# # certificate chain (includes the issuer certificate now too) -# s.cert_chain = ['/home/alf/doc/seattlerb-public_cert.pem', -# '/home/alf/doc/alf_at_seattle-public_cert.pem'] -# -# Obviously, this RubyGems trust infrastructure doesn't exist yet. Also, in -# the "real world" issuers actually generate the child certificate from a -# certificate request, rather than sign an existing certificate. And our -# hypothetical infrastructure is missing a certificate revocation system. -# These are that can be fixed in the future... -# -# I'm sure your new signed gem has finished installing by now (unless you're -# installing rails and all it's dependencies, that is ;D). At this point you -# should know how to do all of these new and interesting things: -# -# * build a gem signing key and certificate -# * modify your existing gems to support signing -# * adjust your security policy -# * modify your trusted certificate list -# * sign a certificate -# -# If you've got any questions, feel free to contact me at the email address -# below. The next couple of sections -# -# -# == Command-Line Options -# -# Here's a brief summary of the certificate-related command line options: -# -# gem install -# -P, --trust-policy POLICY Specify gem trust policy. -# -# gem cert -# -a, --add CERT Add a trusted certificate. -# -l, --list List trusted certificates. -# -r, --remove STRING Remove trusted certificates containing -# STRING. -# -b, --build EMAIL_ADDR Build private key and self-signed -# certificate for EMAIL_ADDR. -# -C, --certificate CERT Certificate for --sign command. -# -K, --private-key KEY Private key for --sign command. -# -s, --sign NEWCERT Sign a certificate with my key and -# certificate. -# -# A more detailed description of each options is available in the walkthrough -# above. -# -# -# == OpenSSL Reference -# -# The .pem files generated by --build and --sign are just basic OpenSSL PEM -# files. Here's a couple of useful commands for manipulating them: -# -# # convert a PEM format X509 certificate into DER format: -# # (note: Windows .cer files are X509 certificates in DER format) -# $ openssl x509 -in input.pem -outform der -out output.der -# -# # print out the certificate in a human-readable format: -# $ openssl x509 -in input.pem -noout -text -# -# And you can do the same thing with the private key file as well: -# -# # convert a PEM format RSA key into DER format: -# $ openssl rsa -in input_key.pem -outform der -out output_key.der -# -# # print out the key in a human readable format: -# $ openssl rsa -in input_key.pem -noout -text -# -# == Bugs/TODO -# -# * There's no way to define a system-wide trust list. -# * custom security policies (from a YAML file, etc) -# * Simple method to generate a signed certificate request -# * Support for OCSP, SCVP, CRLs, or some other form of cert -# status check (list is in order of preference) -# * Support for encrypted private keys -# * Some sort of semi-formal trust hierarchy (see long-winded explanation -# above) -# * Path discovery (for gem certificate chains that don't have a self-signed -# root) -- by the way, since we don't have this, THE ROOT OF THE CERTIFICATE -# CHAIN MUST BE SELF SIGNED if Policy#verify_root is true (and it is for the -# MediumSecurity and HighSecurity policies) -# * Better explanation of X509 naming (ie, we don't have to use email -# addresses) -# * Possible alternate signing mechanisms (eg, via PGP). this could be done -# pretty easily by adding a :signing_type attribute to the gemspec, then add -# the necessary support in other places -# * Honor AIA field (see note about OCSP above) -# * Maybe honor restriction extensions? -# * Might be better to store the certificate chain as a PKCS#7 or PKCS#12 -# file, instead of an array embedded in the metadata. ideas? -# * Possibly embed signature and key algorithms into metadata (right now -# they're assumed to be the same as what's set in Gem::Security::OPT) -# -# == About the Author -# -# Paul Duncan <pabs@pablotron.org> -# http://pablotron.org/ - -module Gem::Security - - class Exception < Gem::Exception; end - - # - # default options for most of the methods below - # - OPT = { - # private key options - :key_algo => Gem::SSL::PKEY_RSA, - :key_size => 2048, - - # public cert options - :cert_age => 365 * 24 * 3600, # 1 year - :dgst_algo => Gem::SSL::DIGEST_SHA1, - - # x509 certificate extensions - :cert_exts => { - 'basicConstraints' => 'CA:FALSE', - 'subjectKeyIdentifier' => 'hash', - 'keyUsage' => 'keyEncipherment,dataEncipherment,digitalSignature', - }, - - # save the key and cert to a file in build_self_signed_cert()? - :save_key => true, - :save_cert => true, - - # if you define either of these, then they'll be used instead of - # the output_fmt macro below - :save_key_path => nil, - :save_cert_path => nil, - - # output name format for self-signed certs - :output_fmt => 'gem-%s.pem', - :munge_re => Regexp.new(/[^a-z0-9_.-]+/), - - # output directory for trusted certificate checksums - :trust_dir => File::join(Gem.user_home, '.gem', 'trust'), - - # default permissions for trust directory and certs - :perms => { - :trust_dir => 0700, - :trusted_cert => 0600, - :signing_cert => 0600, - :signing_key => 0600, - }, - } - - # - # A Gem::Security::Policy object encapsulates the settings for verifying - # signed gem files. This is the base class. You can either declare an - # instance of this or use one of the preset security policies below. - # - class Policy - attr_accessor :verify_data, :verify_signer, :verify_chain, - :verify_root, :only_trusted, :only_signed - - # - # Create a new Gem::Security::Policy object with the given mode and - # options. - # - def initialize(policy = {}, opt = {}) - # set options - @opt = Gem::Security::OPT.merge(opt) - - # build policy - policy.each_pair do |key, val| - case key - when :verify_data then @verify_data = val - when :verify_signer then @verify_signer = val - when :verify_chain then @verify_chain = val - when :verify_root then @verify_root = val - when :only_trusted then @only_trusted = val - when :only_signed then @only_signed = val - end - end - end - - # - # Get the path to the file for this cert. - # - def self.trusted_cert_path(cert, opt = {}) - opt = Gem::Security::OPT.merge(opt) - - # get digest algorithm, calculate checksum of root.subject - algo = opt[:dgst_algo] - dgst = algo.hexdigest(cert.subject.to_s) - - # build path to trusted cert file - name = "cert-#{dgst}.pem" - - # join and return path components - File::join(opt[:trust_dir], name) - end - - # - # Verify that the gem data with the given signature and signing chain - # matched this security policy at the specified time. - # - def verify_gem(signature, data, chain, time = Time.now) - Gem.ensure_ssl_available - cert_class = OpenSSL::X509::Certificate - exc = Gem::Security::Exception - chain ||= [] - - chain = chain.map{ |str| cert_class.new(str) } - signer, ch_len = chain[-1], chain.size - - # make sure signature is valid - if @verify_data - # get digest algorithm (TODO: this should be configurable) - dgst = @opt[:dgst_algo] - - # verify the data signature (this is the most important part, so don't - # screw it up :D) - v = signer.public_key.verify(dgst.new, signature, data) - raise exc, "Invalid Gem Signature" unless v - - # make sure the signer is valid - if @verify_signer - # make sure the signing cert is valid right now - v = signer.check_validity(nil, time) - raise exc, "Invalid Signature: #{v[:desc]}" unless v[:is_valid] - end - end - - # make sure the certificate chain is valid - if @verify_chain - # iterate down over the chain and verify each certificate against it's - # issuer - (ch_len - 1).downto(1) do |i| - issuer, cert = chain[i - 1, 2] - v = cert.check_validity(issuer, time) - raise exc, "%s: cert = '%s', error = '%s'" % [ - 'Invalid Signing Chain', cert.subject, v[:desc] - ] unless v[:is_valid] - end - - # verify root of chain - if @verify_root - # make sure root is self-signed - root = chain[0] - raise exc, "%s: %s (subject = '%s', issuer = '%s')" % [ - 'Invalid Signing Chain Root', - 'Subject does not match Issuer for Gem Signing Chain', - root.subject.to_s, - root.issuer.to_s, - ] unless root.issuer.to_s == root.subject.to_s - - # make sure root is valid - v = root.check_validity(root, time) - raise exc, "%s: cert = '%s', error = '%s'" % [ - 'Invalid Signing Chain Root', root.subject, v[:desc] - ] unless v[:is_valid] - - # verify that the chain root is trusted - if @only_trusted - # get digest algorithm, calculate checksum of root.subject - algo = @opt[:dgst_algo] - path = Gem::Security::Policy.trusted_cert_path(root, @opt) - - # check to make sure trusted path exists - raise exc, "%s: cert = '%s', error = '%s'" % [ - 'Untrusted Signing Chain Root', - root.subject.to_s, - "path \"#{path}\" does not exist", - ] unless File.exist?(path) - - # load calculate digest from saved cert file - save_cert = OpenSSL::X509::Certificate.new(File.read(path)) - save_dgst = algo.digest(save_cert.public_key.to_s) - - # create digest of public key - pkey_str = root.public_key.to_s - cert_dgst = algo.digest(pkey_str) - - # now compare the two digests, raise exception - # if they don't match - raise exc, "%s: %s (saved = '%s', root = '%s')" % [ - 'Invalid Signing Chain Root', - "Saved checksum doesn't match root checksum", - save_dgst, cert_dgst, - ] unless save_dgst == cert_dgst - end - end - - # return the signing chain - chain.map { |cert| cert.subject } - end - end - end - - # - # No security policy: all package signature checks are disabled. - # - NoSecurity = Policy.new( - :verify_data => false, - :verify_signer => false, - :verify_chain => false, - :verify_root => false, - :only_trusted => false, - :only_signed => false - ) - - # - # AlmostNo security policy: only verify that the signing certificate is the - # one that actually signed the data. Make no attempt to verify the signing - # certificate chain. - # - # This policy is basically useless. better than nothing, but can still be - # easily spoofed, and is not recommended. - # - AlmostNoSecurity = Policy.new( - :verify_data => true, - :verify_signer => false, - :verify_chain => false, - :verify_root => false, - :only_trusted => false, - :only_signed => false - ) - - # - # Low security policy: only verify that the signing certificate is actually - # the gem signer, and that the signing certificate is valid. - # - # This policy is better than nothing, but can still be easily spoofed, and - # is not recommended. - # - LowSecurity = Policy.new( - :verify_data => true, - :verify_signer => true, - :verify_chain => false, - :verify_root => false, - :only_trusted => false, - :only_signed => false - ) - - # - # Medium security policy: verify the signing certificate, verify the signing - # certificate chain all the way to the root certificate, and only trust root - # certificates that we have explicitly allowed trust for. - # - # This security policy is reasonable, but it allows unsigned packages, so a - # malicious person could simply delete the package signature and pass the - # gem off as unsigned. - # - MediumSecurity = Policy.new( - :verify_data => true, - :verify_signer => true, - :verify_chain => true, - :verify_root => true, - :only_trusted => true, - :only_signed => false - ) - - # - # High security policy: only allow signed gems to be installed, verify the - # signing certificate, verify the signing certificate chain all the way to - # the root certificate, and only trust root certificates that we have - # explicitly allowed trust for. - # - # This security policy is significantly more difficult to bypass, and offers - # a reasonable guarantee that the contents of the gem have not been altered. - # - HighSecurity = Policy.new( - :verify_data => true, - :verify_signer => true, - :verify_chain => true, - :verify_root => true, - :only_trusted => true, - :only_signed => true - ) - - # - # Hash of configured security policies - # - Policies = { - 'NoSecurity' => NoSecurity, - 'AlmostNoSecurity' => AlmostNoSecurity, - 'LowSecurity' => LowSecurity, - 'MediumSecurity' => MediumSecurity, - 'HighSecurity' => HighSecurity, - } - - # - # Sign the cert cert with @signing_key and @signing_cert, using the digest - # algorithm opt[:dgst_algo]. Returns the newly signed certificate. - # - def self.sign_cert(cert, signing_key, signing_cert, opt = {}) - opt = OPT.merge(opt) - - # set up issuer information - cert.issuer = signing_cert.subject - cert.sign(signing_key, opt[:dgst_algo].new) - - cert - end - - # - # Make sure the trust directory exists. If it does exist, make sure it's - # actually a directory. If not, then create it with the appropriate - # permissions. - # - def self.verify_trust_dir(path, perms) - # if the directory exists, then make sure it is in fact a directory. if - # it doesn't exist, then create it with the appropriate permissions - if File.exist?(path) - # verify that the trust directory is actually a directory - unless File.directory?(path) - err = "trust directory #{path} isn't a directory" - raise Gem::Security::Exception, err - end - else - # trust directory doesn't exist, so create it with permissions - FileUtils.mkdir_p(path) - FileUtils.chmod(perms, path) - end - end - - # - # Build a certificate from the given DN and private key. - # - def self.build_cert(name, key, opt = {}) - Gem.ensure_ssl_available - opt = OPT.merge(opt) - - # create new cert - ret = OpenSSL::X509::Certificate.new - - # populate cert attributes - ret.version = 2 - ret.serial = 0 - ret.public_key = key.public_key - ret.not_before = Time.now - ret.not_after = Time.now + opt[:cert_age] - ret.subject = name - - # add certificate extensions - ef = OpenSSL::X509::ExtensionFactory.new(nil, ret) - ret.extensions = opt[:cert_exts].map { |k, v| ef.create_extension(k, v) } - - # sign cert - i_key, i_cert = opt[:issuer_key] || key, opt[:issuer_cert] || ret - ret = sign_cert(ret, i_key, i_cert, opt) - - # return cert - ret - end - - # - # Build a self-signed certificate for the given email address. - # - def self.build_self_signed_cert(email_addr, opt = {}) - Gem.ensure_ssl_available - opt = OPT.merge(opt) - path = { :key => nil, :cert => nil } - - # split email address up - cn, dcs = email_addr.split('@') - dcs = dcs.split('.') - - # munge email CN and DCs - cn = cn.gsub(opt[:munge_re], '_') - dcs = dcs.map { |dc| dc.gsub(opt[:munge_re], '_') } - - # create DN - name = "CN=#{cn}/" << dcs.map { |dc| "DC=#{dc}" }.join('/') - name = OpenSSL::X509::Name::parse(name) - - # build private key - key = opt[:key_algo].new(opt[:key_size]) - - # method name pretty much says it all :) - verify_trust_dir(opt[:trust_dir], opt[:perms][:trust_dir]) - - # if we're saving the key, then write it out - if opt[:save_key] - path[:key] = opt[:save_key_path] || (opt[:output_fmt] % 'private_key') - File.open(path[:key], 'wb') do |file| - file.chmod(opt[:perms][:signing_key]) - file.write(key.to_pem) - end - end - - # build self-signed public cert from key - cert = build_cert(name, key, opt) - - # if we're saving the cert, then write it out - if opt[:save_cert] - path[:cert] = opt[:save_cert_path] || (opt[:output_fmt] % 'public_cert') - File.open(path[:cert], 'wb') do |file| - file.chmod(opt[:perms][:signing_cert]) - file.write(cert.to_pem) - end - end - - # return key, cert, and paths (if applicable) - { :key => key, :cert => cert, - :key_path => path[:key], :cert_path => path[:cert] } - end - - # - # Add certificate to trusted cert list. - # - # Note: At the moment these are stored in OPT[:trust_dir], although that - # directory may change in the future. - # - def self.add_trusted_cert(cert, opt = {}) - opt = OPT.merge(opt) - - # get destination path - path = Gem::Security::Policy.trusted_cert_path(cert, opt) - - # verify trust directory (can't write to nowhere, you know) - verify_trust_dir(opt[:trust_dir], opt[:perms][:trust_dir]) - - # write cert to output file - File.open(path, 'wb') do |file| - file.chmod(opt[:perms][:trusted_cert]) - file.write(cert.to_pem) - end - - # return nil - nil - end - - # - # Basic OpenSSL-based package signing class. - # - class Signer - attr_accessor :key, :cert_chain - - def initialize(key, cert_chain) - Gem.ensure_ssl_available - @algo = Gem::Security::OPT[:dgst_algo] - @key, @cert_chain = key, cert_chain - - # check key, if it's a file, and if it's key, leave it alone - if @key && !@key.kind_of?(OpenSSL::PKey::PKey) - @key = OpenSSL::PKey::RSA.new(File.read(@key)) - end - - # check cert chain, if it's a file, load it, if it's cert data, convert - # it into a cert object, and if it's a cert object, leave it alone - if @cert_chain - @cert_chain = @cert_chain.map do |cert| - # check cert, if it's a file, load it, if it's cert data, convert it - # into a cert object, and if it's a cert object, leave it alone - if cert && !cert.kind_of?(OpenSSL::X509::Certificate) - cert = File.read(cert) if File::exist?(cert) - cert = OpenSSL::X509::Certificate.new(cert) - end - cert - end - end - end - - # - # Sign data with given digest algorithm - # - def sign(data) - @key.sign(@algo.new, data) - end - - end -end - |