Module: Gem::Security
- Defined in:
- lib/rubygems/security.rb,
lib/rubygems/security/policies.rb,
lib/rubygems/install_update_options.rb
Overview
forward-declare
Defined Under Namespace
Classes: Exception, Policy, Signer, TrustDir
Constant Summary collapse
- DIGEST_ALGORITHM =
Digest algorithm used to sign gems
if defined?(OpenSSL::Digest) then OpenSSL::Digest::SHA1 end
- DIGEST_NAME =
Used internally to select the signing digest from all computed digests
if DIGEST_ALGORITHM then DIGEST_ALGORITHM.new.name end
- KEY_ALGORITHM =
Algorithm for creating the key pair used to sign gems
if defined?(OpenSSL::PKey) then OpenSSL::PKey::RSA end
- KEY_LENGTH =
Length of keys created by KEY_ALGORITHM
2048
- KEY_CIPHER =
Cipher used to encrypt the key pair used to sign gems. Must be in the list returned by OpenSSL::Cipher.ciphers
OpenSSL::Cipher.new('AES-256-CBC')
- ONE_YEAR =
One year in seconds
86400 * 365
- EXTENSIONS =
The default set of extensions are:
-
The certificate is not a certificate authority
-
The key for the certificate may be used for key and data encipherment and digital signatures
-
The certificate contains a subject key identifier
-
{ 'basicConstraints' => 'CA:FALSE', 'keyUsage' => 'keyEncipherment,dataEncipherment,digitalSignature', 'subjectKeyIdentifier' => 'hash', }
- NoSecurity =
No security policy: all package signature checks are disabled.
Policy.new( 'No Security', :verify_data => false, :verify_signer => false, :verify_chain => false, :verify_root => false, :only_trusted => false, :only_signed => false )
- AlmostNoSecurity =
AlmostNo security policy: only verify that the signing certificate is the one that actually signed the data. Make no attempt to verify the signing certificate chain.
This policy is basically useless. better than nothing, but can still be easily spoofed, and is not recommended.
Policy.new( 'Almost No Security', :verify_data => true, :verify_signer => false, :verify_chain => false, :verify_root => false, :only_trusted => false, :only_signed => false )
- LowSecurity =
Low security policy: only verify that the signing certificate is actually the gem signer, and that the signing certificate is valid.
This policy is better than nothing, but can still be easily spoofed, and is not recommended.
Policy.new( 'Low Security', :verify_data => true, :verify_signer => true, :verify_chain => false, :verify_root => false, :only_trusted => false, :only_signed => false )
- MediumSecurity =
Medium security policy: verify the signing certificate, verify the signing certificate chain all the way to the root certificate, and only trust root certificates that we have explicitly allowed trust for.
This security policy is reasonable, but it allows unsigned packages, so a malicious person could simply delete the package signature and pass the gem off as unsigned.
Policy.new( 'Medium Security', :verify_data => true, :verify_signer => true, :verify_chain => true, :verify_root => true, :only_trusted => true, :only_signed => false )
- HighSecurity =
High security policy: only allow signed gems to be installed, verify the signing certificate, verify the signing certificate chain all the way to the root certificate, and only trust root certificates that we have explicitly allowed trust for.
This security policy is significantly more difficult to bypass, and offers a reasonable guarantee that the contents of the gem have not been altered.
Policy.new( 'High Security', :verify_data => true, :verify_signer => true, :verify_chain => true, :verify_root => true, :only_trusted => true, :only_signed => true )
- SigningPolicy =
Policy used to verify a certificate and key when signing a gem
Policy.new( 'Signing Policy', :verify_data => false, :verify_signer => true, :verify_chain => true, :verify_root => true, :only_trusted => false, :only_signed => false )
- Policies =
Hash of configured security policies
{ 'NoSecurity' => NoSecurity, 'AlmostNoSecurity' => AlmostNoSecurity, 'LowSecurity' => LowSecurity, 'MediumSecurity' => MediumSecurity, 'HighSecurity' => HighSecurity, # SigningPolicy is not intended for use by `gem -P` so do not list it }
Class Method Summary collapse
- .alt_name_or_x509_entry(certificate, x509_entry) ⇒ Object
-
.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates an unsigned certificate for
subject
andkey
. -
.create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Creates a self-signed certificate with an issuer and subject from
email
, a subject alternative name ofemail
and the givenextensions
for thekey
. -
.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates a self-signed certificate with an issuer and subject of
subject
and the givenextensions
for thekey
. -
.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) ⇒ Object
Creates a new key pair of the specified
length
andalgorithm
. -
.email_to_name(email_address) ⇒ Object
Turns
email_address
into an OpenSSL::X509::Name. -
.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Signs
expired_certificate
withprivate_key
if the keys match and the expired certificate was self-signed. -
.reset ⇒ Object
Resets the trust directory for verifying gems.
-
.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Sign the public key from
certificate
with thesigning_key
andsigning_cert
, using the Gem::Security::DIGEST_ALGORITHM. -
.trust_dir ⇒ Object
Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.
-
.trusted_certificates(&block) ⇒ Object
Enumerates the trusted certificates via Gem::Security::TrustDir.
-
.write(pemmable, path, permissions = 0600, passphrase = nil, cipher = KEY_CIPHER) ⇒ Object
Writes
pemmable
, which must respond toto_pem
topath
with the givenpermissions
.
Class Method Details
.alt_name_or_x509_entry(certificate, x509_entry) ⇒ Object
393 394 395 396 397 398 399 400 401 |
# File 'lib/rubygems/security.rb', line 393 def self.alt_name_or_x509_entry certificate, x509_entry alt_name = certificate.extensions.find do |extension| extension.oid == "#{x509_entry}AltName" end return alt_name.value if alt_name certificate.send x509_entry end |
.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates an unsigned certificate for subject
and key
. The lifetime of the key is from the current time to age
which defaults to one year.
The extensions
restrict the key to the indicated uses.
409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 |
# File 'lib/rubygems/security.rb', line 409 def self.create_cert subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1 cert = OpenSSL::X509::Certificate.new cert.public_key = key.public_key cert.version = 2 cert.serial = serial cert.not_before = Time.now cert.not_after = Time.now + age cert.subject = subject ef = OpenSSL::X509::ExtensionFactory.new nil, cert cert.extensions = extensions.map do |ext_name, value| ef.create_extension ext_name, value end cert end |
.create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Creates a self-signed certificate with an issuer and subject from email
, a subject alternative name of email
and the given extensions
for the key
.
436 437 438 439 440 441 442 |
# File 'lib/rubygems/security.rb', line 436 def self.create_cert_email email, key, age = ONE_YEAR, extensions = EXTENSIONS subject = email_to_name email extensions = extensions.merge "subjectAltName" => "email:#{email}" create_cert_self_signed subject, key, age, extensions end |
.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates a self-signed certificate with an issuer and subject of subject
and the given extensions
for the key
.
448 449 450 451 452 453 |
# File 'lib/rubygems/security.rb', line 448 def self.create_cert_self_signed subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1 certificate = create_cert subject, key, age, extensions sign certificate, key, certificate, age, extensions, serial end |
.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) ⇒ Object
Creates a new key pair of the specified length
and algorithm
. The default is a 2048 bit RSA key.
459 460 461 |
# File 'lib/rubygems/security.rb', line 459 def self.create_key length = KEY_LENGTH, algorithm = KEY_ALGORITHM algorithm.new length end |
.email_to_name(email_address) ⇒ Object
Turns email_address
into an OpenSSL::X509::Name
466 467 468 469 470 471 472 473 474 475 476 |
# File 'lib/rubygems/security.rb', line 466 def self.email_to_name email_address email_address = email_address.gsub(/[^\[email protected]]+/i, '_') cn, dcs = email_address.split '@' dcs = dcs.split '.' name = "CN=#{cn}/#{dcs.map { |dc| "DC=#{dc}" }.join '/'}" OpenSSL::X509::Name.parse name end |
.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Signs expired_certificate
with private_key
if the keys match and the expired certificate was self-signed. – TODO increment serial
484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 |
# File 'lib/rubygems/security.rb', line 484 def self.re_sign expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS raise Gem::Security::Exception, "incorrect signing key for re-signing " + "#{expired_certificate.subject}" unless expired_certificate.public_key.to_pem == private_key.public_key.to_pem unless expired_certificate.subject.to_s == expired_certificate.issuer.to_s then subject = alt_name_or_x509_entry expired_certificate, :subject issuer = alt_name_or_x509_entry expired_certificate, :issuer raise Gem::Security::Exception, "#{subject} is not self-signed, contact #{issuer} " + "to obtain a valid certificate" end serial = expired_certificate.serial + 1 create_cert_self_signed(expired_certificate.subject, private_key, age, extensions, serial) end |
.reset ⇒ Object
Resets the trust directory for verifying gems.
510 511 512 |
# File 'lib/rubygems/security.rb', line 510 def self.reset @trust_dir = nil end |
.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Sign the public key from certificate
with the signing_key
and signing_cert
, using the Gem::Security::DIGEST_ALGORITHM. Uses the default certificate validity range and extensions.
Returns the newly signed certificate.
521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 |
# File 'lib/rubygems/security.rb', line 521 def self.sign certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1 signee_subject = certificate.subject signee_key = certificate.public_key alt_name = certificate.extensions.find do |extension| extension.oid == 'subjectAltName' end extensions = extensions.merge 'subjectAltName' => alt_name.value if alt_name issuer_alt_name = signing_cert.extensions.find do |extension| extension.oid == 'subjectAltName' end extensions = extensions.merge 'issuerAltName' => issuer_alt_name.value if issuer_alt_name signed = create_cert signee_subject, signee_key, age, extensions, serial signed.issuer = signing_cert.subject signed.sign signing_key, Gem::Security::DIGEST_ALGORITHM.new end |
.trust_dir ⇒ Object
Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.
550 551 552 553 554 555 556 |
# File 'lib/rubygems/security.rb', line 550 def self.trust_dir return @trust_dir if @trust_dir dir = File.join Gem.user_home, '.gem', 'trust' @trust_dir ||= Gem::Security::TrustDir.new dir end |
.trusted_certificates(&block) ⇒ Object
Enumerates the trusted certificates via Gem::Security::TrustDir.
561 562 563 |
# File 'lib/rubygems/security.rb', line 561 def self.trusted_certificates &block trust_dir.each_certificate(&block) end |
.write(pemmable, path, permissions = 0600, passphrase = nil, cipher = KEY_CIPHER) ⇒ Object
Writes pemmable
, which must respond to to_pem
to path
with the given permissions
. If passed cipher
and passphrase
those arguments will be passed to to_pem
.
570 571 572 573 574 575 576 577 578 579 580 581 582 |
# File 'lib/rubygems/security.rb', line 570 def self.write pemmable, path, = 0600, passphrase = nil, cipher = KEY_CIPHER path = File. path open path, 'wb', do |io| if passphrase and cipher io.write pemmable.to_pem cipher, passphrase else io.write pemmable.to_pem end end path end |