Module: Gem::Security

Defined in:

lib/rubygems/security.rb,
lib/rubygems/security/policies.rb,
lib/rubygems/install_update_options.rb

Overview

forward-declare

Defined Under Namespace

Classes: Exception, Policy, Signer, TrustDir

Constant Summary

DIGEST_ALGORITHM =

Digest algorithm used to sign gems

OpenSSL::Digest::SHA1

DIGEST_NAME =

Used internally to select the signing digest from all computed digests

DIGEST_ALGORITHM.new.name

KEY_ALGORITHM =

Algorithm for creating the key pair used to sign gems

OpenSSL::PKey::RSA

KEY_LENGTH =

Length of keys created by KEY_ALGORITHM

2048

ONE_YEAR =

One year in seconds

86400 * 365

EXTENSIONS =

The default set of extensions are:

• The certificate is not a certificate authority

• The key for the certificate may be used for key and data encipherment and digital signatures

• The certificate contains a subject key identifier

{
  'basicConstraints'     => 'CA:FALSE',
  'keyUsage'             =>
    'keyEncipherment,dataEncipherment,digitalSignature',
  'subjectKeyIdentifier' => 'hash',
}

NoSecurity =

No security policy: all package signature checks are disabled.

Policy.new(
  'No Security',
  :verify_data      => false,
  :verify_signer    => false,
  :verify_chain     => false,
  :verify_root      => false,
  :only_trusted     => false,
  :only_signed      => false
)

AlmostNoSecurity =

AlmostNo security policy: only verify that the signing certificate is the one that actually signed the data. Make no attempt to verify the signing certificate chain.

This policy is basically useless. better than nothing, but can still be easily spoofed, and is not recommended.

Policy.new(
  'Almost No Security',
  :verify_data      => true,
  :verify_signer    => false,
  :verify_chain     => false,
  :verify_root      => false,
  :only_trusted     => false,
  :only_signed      => false
)

LowSecurity =

Low security policy: only verify that the signing certificate is actually the gem signer, and that the signing certificate is valid.

This policy is better than nothing, but can still be easily spoofed, and is not recommended.

Policy.new(
  'Low Security',
  :verify_data      => true,
  :verify_signer    => true,
  :verify_chain     => false,
  :verify_root      => false,
  :only_trusted     => false,
  :only_signed      => false
)

MediumSecurity =

Medium security policy: verify the signing certificate, verify the signing certificate chain all the way to the root certificate, and only trust root certificates that we have explicitly allowed trust for.

This security policy is reasonable, but it allows unsigned packages, so a malicious person could simply delete the package signature and pass the gem off as unsigned.

Policy.new(
  'Medium Security',
  :verify_data      => true,
  :verify_signer    => true,
  :verify_chain     => true,
  :verify_root      => true,
  :only_trusted     => true,
  :only_signed      => false
)

HighSecurity =

High security policy: only allow signed gems to be installed, verify the signing certificate, verify the signing certificate chain all the way to the root certificate, and only trust root certificates that we have explicitly allowed trust for.

This security policy is significantly more difficult to bypass, and offers a reasonable guarantee that the contents of the gem have not been altered.

Policy.new(
  'High Security',
  :verify_data      => true,
  :verify_signer    => true,
  :verify_chain     => true,
  :verify_root      => true,
  :only_trusted     => true,
  :only_signed      => true
)

SigningPolicy =

Policy used to verify a certificate and key when signing a gem

Policy.new(
  'Signing Policy',
  :verify_data      => false,
  :verify_signer    => true,
  :verify_chain     => true,
  :verify_root      => true,
  :only_trusted     => false,
  :only_signed      => false
)

Policies =

Hash of configured security policies

{
  'NoSecurity'       => NoSecurity,
  'AlmostNoSecurity' => AlmostNoSecurity,
  'LowSecurity'      => LowSecurity,
  'MediumSecurity'   => MediumSecurity,
  'HighSecurity'     => HighSecurity,
  # SigningPolicy is not intended for use by `gem -P` so do not list it
}

Class Method Summary

• .alt_name_or_x509_entry(certificate, x509_entry) ⇒ Object
• .create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object

  Creates an unsigned certificate for subject and key.

• .create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object

  Creates a self-signed certificate with an issuer and subject from email, a subject alternative name of email and the given extensions for the key.

• .create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object

  Creates a self-signed certificate with an issuer and subject of subject and the given extensions for the key.

• .create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) ⇒ Object

  Creates a new key pair of the specified length and algorithm.

• .email_to_name(email_address) ⇒ Object

  Turns email_address into an OpenSSL::X509::Name.

• .re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object

  Signs expired_certificate with private_key if the keys match and the expired certificate was self-signed.

• .reset ⇒ Object

  Resets the trust directory for verifying gems.

• .sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object

  Sign the public key from certificate with the signing_key and signing_cert, using the Gem::Security::DIGEST_ALGORITHM.

• .trust_dir ⇒ Object

  Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.

• .trusted_certificates(&block) ⇒ Object

  Enumerates the trusted certificates via Gem::Security::TrustDir.

• .write(pemmable, path, permissions = 0600) ⇒ Object

  Writes pemmable, which must respond to to_pem to path with the given permissions.

Class Method Details

.alt_name_or_x509_entry(certificate, x509_entry) ⇒ Object

# File 'lib/rubygems/security.rb', line 372

def self.alt_name_or_x509_entry certificate, x509_entry
  alt_name = certificate.extensions.find do |extension|
    extension.oid == "#{x509_entry}AltName"
  end

  return alt_name.value if alt_name

  certificate.send x509_entry
end

.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object

Creates an unsigned certificate for subject and key. The lifetime of the key is from the current time to age which defaults to one year.

The extensions restrict the key to the indicated uses.

# File 'lib/rubygems/security.rb', line 388

def self.create_cert subject, key, age = ONE_YEAR, extensions = EXTENSIONS,
                     serial = 1
  cert = OpenSSL::X509::Certificate.new

  cert.public_key = key.public_key
  cert.version    = 2
  cert.serial     = serial

  cert.not_before = Time.now
  cert.not_after  = Time.now + age

  cert.subject    = subject

  ef = OpenSSL::X509::ExtensionFactory.new nil, cert

  cert.extensions = extensions.map do |ext_name, value|
    ef.create_extension ext_name, value
  end

  cert
end

.create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object

Creates a self-signed certificate with an issuer and subject from email, a subject alternative name of email and the given extensions for the key.

# File 'lib/rubygems/security.rb', line 415

def self.create_cert_email email, key, age = ONE_YEAR, extensions = EXTENSIONS
  subject = email_to_name email

  extensions = extensions.merge "subjectAltName" => "email:#{email}"

  create_cert_self_signed subject, key, age, extensions
end

.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object

Creates a self-signed certificate with an issuer and subject of subject and the given extensions for the key.

# File 'lib/rubygems/security.rb', line 427

def self.create_cert_self_signed subject, key, age = ONE_YEAR,
                                 extensions = EXTENSIONS, serial = 1
  certificate = create_cert subject, key, age, extensions

  sign certificate, key, certificate, age, extensions, serial
end

.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) ⇒ Object

Creates a new key pair of the specified length and algorithm. The default is a 2048 bit RSA key.

# File 'lib/rubygems/security.rb', line 438

def self.create_key length = KEY_LENGTH, algorithm = KEY_ALGORITHM
  algorithm.new length
end

.email_to_name(email_address) ⇒ Object

Turns email_address into an OpenSSL::X509::Name

# File 'lib/rubygems/security.rb', line 445

def self.email_to_name email_address
  email_address = email_address.gsub(/[^\w@.-]+/i, '_')

  cn, dcs = email_address.split '@'

  dcs = dcs.split '.'

  name = "CN=#{cn}/#{dcs.map { |dc| "DC=#{dc}" }.join '/'}"

  OpenSSL::X509::Name.parse name
end

.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object

Signs expired_certificate with private_key if the keys match and the expired certificate was self-signed. – TODO increment serial

Raises:

• (Gem::Security::Exception)

# File 'lib/rubygems/security.rb', line 463

def self.re_sign expired_certificate, private_key, age = ONE_YEAR,
                 extensions = EXTENSIONS
  raise Gem::Security::Exception,
        "incorrect signing key for re-signing " +
        "#{expired_certificate.subject}" unless
    expired_certificate.public_key.to_pem == private_key.public_key.to_pem

  unless expired_certificate.subject.to_s ==
         expired_certificate.issuer.to_s then
    subject = alt_name_or_x509_entry expired_certificate, :subject
    issuer  = alt_name_or_x509_entry expired_certificate, :issuer

    raise Gem::Security::Exception,
          "#{subject} is not self-signed, contact #{issuer} " +
          "to obtain a valid certificate"
  end

  serial = expired_certificate.serial + 1

  create_cert_self_signed(expired_certificate.subject, private_key, age,
                          extensions, serial)
end

.reset ⇒ Object

Resets the trust directory for verifying gems.

# File 'lib/rubygems/security.rb', line 489

def self.reset
  @trust_dir = nil
end

.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object

Sign the public key from certificate with the signing_key and signing_cert, using the Gem::Security::DIGEST_ALGORITHM. Uses the default certificate validity range and extensions.

Returns the newly signed certificate.

# File 'lib/rubygems/security.rb', line 500

def self.sign certificate, signing_key, signing_cert,
              age = ONE_YEAR, extensions = EXTENSIONS, serial = 1
  signee_subject = certificate.subject
  signee_key     = certificate.public_key

  alt_name = certificate.extensions.find do |extension|
    extension.oid == 'subjectAltName'
  end

  extensions = extensions.merge 'subjectAltName' => alt_name.value if
    alt_name

  issuer_alt_name = signing_cert.extensions.find do |extension|
    extension.oid == 'subjectAltName'
  end

  extensions = extensions.merge 'issuerAltName' => issuer_alt_name.value if
    issuer_alt_name

  signed = create_cert signee_subject, signee_key, age, extensions, serial
  signed.issuer = signing_cert.subject

  signed.sign signing_key, Gem::Security::DIGEST_ALGORITHM.new
end

.trust_dir ⇒ Object

Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.

# File 'lib/rubygems/security.rb', line 529

def self.trust_dir
  return @trust_dir if @trust_dir

  dir = File.join Gem.user_home, '.gem', 'trust'

  @trust_dir ||= Gem::Security::TrustDir.new dir
end

.trusted_certificates(&block) ⇒ Object

Enumerates the trusted certificates via Gem::Security::TrustDir.

# File 'lib/rubygems/security.rb', line 540

def self.trusted_certificates &block
  trust_dir.each_certificate(&block)
end

.write(pemmable, path, permissions = 0600) ⇒ Object

Writes pemmable, which must respond to to_pem to path with the given permissions.

# File 'lib/rubygems/security.rb', line 548

def self.write pemmable, path, permissions = 0600
  path = File.expand_path path

  open path, 'wb', permissions do |io|
    io.write pemmable.to_pem
  end

  path
end