Class: Gem::Commands::CertCommand

Inherits:

Gem::Command

• Object
• Gem::Command
• Gem::Commands::CertCommand

Defined in:

lib/rubygems/commands/cert_command.rb

Instance Attribute Summary

Attributes inherited from Gem::Command

#command, #defaults, #options, #program_name, #summary

Instance Method Summary

• #add_certificate(certificate) ⇒ Object

  :nodoc:.

• #build(email) ⇒ Object
• #build_cert(email, key) ⇒ Object

  :nodoc:.

• #build_key ⇒ Object

  :nodoc:.

• #certificates_matching(filter) ⇒ Object
• #check_openssl ⇒ Object
• #description ⇒ Object

  :nodoc:.

• #execute ⇒ Object
• #initialize ⇒ CertCommand constructor

  A new instance of CertCommand.

• #list_certificates_matching(filter) ⇒ Object

  :nodoc:.

• #load_default_cert ⇒ Object
• #load_default_key ⇒ Object
• #load_defaults ⇒ Object

  :nodoc:.

• #open_cert(certificate_file) ⇒ Object
• #open_private_key(key_file) ⇒ Object
• #re_sign_cert(cert, cert_path, private_key) ⇒ Object
• #remove_certificates_matching(filter) ⇒ Object

  :nodoc:.

• #sign(cert_file) ⇒ Object
• #sign_certificates ⇒ Object

  :nodoc:.

Methods inherited from Gem::Command

add_common_option, #add_extra_args, #add_option, add_specific_extra_args, #arguments, #begins?, build_args, build_args=, #check_deprecated_options, common_options, #defaults_str, #deprecate_option, #deprecated?, extra_args, extra_args=, #get_all_gem_names, #get_all_gem_names_and_versions, #get_one_gem_name, #get_one_optional_argument, #handle_options, #handles?, #invoke, #invoke_with_build_args, #merge_options, #remove_option, #show_help, #show_lookup_failure, specific_extra_args, specific_extra_args_hash, specific_extra_args_hash=, #usage, #when_invoked

Methods included from UserInteraction

#alert, #alert_error, #alert_warning, #ask, #ask_for_password, #ask_yes_no, #choose_from_list, #say, #terminate_interaction, #verbose

Methods included from DefaultUserInteraction

ui, #ui, ui=, #ui=, use_ui, #use_ui

Methods included from Text

#clean_text, #format_text, #levenshtein_distance, #min3, #truncate_text

Constructor Details

#initialize ⇒ CertCommand

Returns a new instance of CertCommand.

# File 'lib/rubygems/commands/cert_command.rb', line 6

def initialize
  super 'cert', 'Manage RubyGems certificates and signing settings',
        :add => [], :remove => [], :list => [], :build => [], :sign => []

  add_option('-a', '--add CERT',
             'Add a trusted certificate.') do |cert_file, options|
    options[:add] << open_cert(cert_file)
  end

  add_option('-l', '--list [FILTER]',
             'List trusted certificates where the',
             'subject contains FILTER') do |filter, options|
    filter ||= ''

    options[:list] << filter
  end

  add_option('-r', '--remove FILTER',
             'Remove trusted certificates where the',
             'subject contains FILTER') do |filter, options|
    options[:remove] << filter
  end

  add_option('-b', '--build EMAIL_ADDR',
             'Build private key and self-signed',
             'certificate for EMAIL_ADDR') do |email_address, options|
    options[:build] << email_address
  end

  add_option('-C', '--certificate CERT',
             'Signing certificate for --sign') do |cert_file, options|
    options[:issuer_cert] = open_cert(cert_file)
    options[:issuer_cert_file] = cert_file
  end

  add_option('-K', '--private-key KEY',
             'Key for --sign or --build') do |key_file, options|
    options[:key] = open_private_key(key_file)
  end

  add_option('-s', '--sign CERT',
             'Signs CERT with the key from -K',
             'and the certificate from -C') do |cert_file, options|
    raise OptionParser::InvalidArgument, "#{cert_file}: does not exist" unless
      File.file? cert_file

    options[:sign] << cert_file
  end

  add_option('-d', '--days NUMBER_OF_DAYS',
             'Days before the certificate expires') do |days, options|
    options[:expiration_length_days] = days.to_i
  end

  add_option('-R', '--re-sign',
             'Re-signs the certificate from -C with the key from -K') do |resign, options|
    options[:resign] = resign
  end
end

Instance Method Details

#add_certificate(certificate) ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 66

def add_certificate(certificate) # :nodoc:
  Gem::Security.trust_dir.trust_cert certificate

  say "Added '#{certificate.subject}'"
end

#build(email) ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 132

def build(email)
  if !valid_email?(email)
    raise Gem::CommandLineError, "Invalid email address #{email}"
  end

  key, key_path = build_key
  cert_path = build_cert email, key

  say "Certificate: #{cert_path}"

  if key_path
    say "Private Key: #{key_path}"
    say "Don't forget to move the key file to somewhere private!"
  end
end

#build_cert(email, key) ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 148

def build_cert(email, key) # :nodoc:
  expiration_length_days = options[:expiration_length_days] ||
    Gem.configuration.cert_expiration_length_days

  cert = Gem::Security.create_cert_email(
    email,
    key,
    (Gem::Security::ONE_DAY * expiration_length_days)
  )

  Gem::Security.write cert, "gem-public_cert.pem"
end

#build_key ⇒ Object

:nodoc:

Raises:

• (Gem::CommandLineError)

# File 'lib/rubygems/commands/cert_command.rb', line 161

def build_key # :nodoc:
  return options[:key] if options[:key]

  passphrase = ask_for_password 'Passphrase for your Private Key:'
  say "\n"

  passphrase_confirmation = ask_for_password 'Please repeat the passphrase for your Private Key:'
  say "\n"

  raise Gem::CommandLineError,
        "Passphrase and passphrase confirmation don't match" unless passphrase == passphrase_confirmation

  key      = Gem::Security.create_key
  key_path = Gem::Security.write key, "gem-private_key.pem", 0600, passphrase

  return key, key_path
end

#certificates_matching(filter) ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 179

def certificates_matching(filter)
  return enum_for __method__, filter unless block_given?

  Gem::Security.trusted_certificates.select do |certificate, _|
    subject = certificate.subject.to_s
    subject.downcase.index filter
  end.sort_by do |certificate, _|
    certificate.subject.to_a.map {|name, data,| [name, data] }
  end.each do |certificate, path|
    yield certificate, path
  end
end

#check_openssl ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 72

def check_openssl
  return if Gem::HAVE_OPENSSL

  alert_error "OpenSSL library is required for the cert command"
  terminate_interaction 1
end

#description ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 192

def description # :nodoc:
  <<-EOF
The cert command manages signing keys and certificates for creating signed
gems.  Your signing certificate and private key are typically stored in
~/.gem/gem-public_cert.pem and ~/.gem/gem-private_key.pem respectively.

To build a certificate for signing gems:

gem cert --build you@example

If you already have an RSA key, or are creating a new certificate for an
existing key:

gem cert --build you@example --private-key /path/to/key.pem

If you wish to trust a certificate you can add it to the trust list with:

gem cert --add /path/to/cert.pem

You can list trusted certificates with:

gem cert --list

or:

gem cert --list cert_subject_substring

If you wish to remove a previously trusted certificate:

gem cert --remove cert_subject_substring

To sign another gem author's certificate:

gem cert --sign /path/to/other_cert.pem

For further reading on signing gems see `ri Gem::Security`.
  EOF
end

#execute ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 102

def execute
  check_openssl

  options[:add].each do |certificate|
    add_certificate certificate
  end

  options[:remove].each do |filter|
    remove_certificates_matching filter
  end

  options[:list].each do |filter|
    list_certificates_matching filter
  end

  options[:build].each do |email|
    build email
  end

  if options[:resign]
    re_sign_cert(
      options[:issuer_cert],
      options[:issuer_cert_file],
      options[:key]
    )
  end

  sign_certificates unless options[:sign].empty?
end

#list_certificates_matching(filter) ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 231

def list_certificates_matching(filter) # :nodoc:
  certificates_matching filter do |certificate, _|
    # this could probably be formatted more gracefully
    say certificate.subject.to_s
  end
end

#load_default_cert ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 238

def load_default_cert
  cert_file = File.join Gem.default_cert_path
  cert = File.read cert_file
  options[:issuer_cert] = OpenSSL::X509::Certificate.new cert
rescue Errno::ENOENT
  alert_error \
    "--certificate not specified and ~/.gem/gem-public_cert.pem does not exist"

  terminate_interaction 1
rescue OpenSSL::X509::CertificateError
  alert_error \
    "--certificate not specified and ~/.gem/gem-public_cert.pem is not valid"

  terminate_interaction 1
end

#load_default_key ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 254

def load_default_key
  key_file = File.join Gem.default_key_path
  key = File.read key_file
  passphrase = ENV['GEM_PRIVATE_KEY_PASSPHRASE']
  options[:key] = OpenSSL::PKey::RSA.new key, passphrase
rescue Errno::ENOENT
  alert_error \
    "--private-key not specified and ~/.gem/gem-private_key.pem does not exist"

  terminate_interaction 1
rescue OpenSSL::PKey::RSAError
  alert_error \
    "--private-key not specified and ~/.gem/gem-private_key.pem is not valid"

  terminate_interaction 1
end

#load_defaults ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 271

def load_defaults # :nodoc:
  load_default_cert unless options[:issuer_cert]
  load_default_key  unless options[:key]
end

#open_cert(certificate_file) ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 79

def open_cert(certificate_file)
  check_openssl
  OpenSSL::X509::Certificate.new File.read certificate_file
rescue Errno::ENOENT
  raise OptionParser::InvalidArgument, "#{certificate_file}: does not exist"
rescue OpenSSL::X509::CertificateError
  raise OptionParser::InvalidArgument,
    "#{certificate_file}: invalid X509 certificate"
end

#open_private_key(key_file) ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 89

def open_private_key(key_file)
  check_openssl
  passphrase = ENV['GEM_PRIVATE_KEY_PASSPHRASE']
  key = OpenSSL::PKey::RSA.new File.read(key_file), passphrase
  raise OptionParser::InvalidArgument,
    "#{key_file}: private key not found" unless key.private?
  key
rescue Errno::ENOENT
  raise OptionParser::InvalidArgument, "#{key_file}: does not exist"
rescue OpenSSL::PKey::RSAError
  raise OptionParser::InvalidArgument, "#{key_file}: invalid RSA key"
end

#re_sign_cert(cert, cert_path, private_key) ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 305

def re_sign_cert(cert, cert_path, private_key)
  Gem::Security::Signer.re_sign_cert(cert, cert_path, private_key) do |expired_cert_path, new_expired_cert_path|
    alert("Your certificate #{expired_cert_path} has been re-signed")
    alert("Your expired certificate will be located at: #{new_expired_cert_path}")
  end
end

#remove_certificates_matching(filter) ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 276

def remove_certificates_matching(filter) # :nodoc:
  certificates_matching filter do |certificate, path|
    FileUtils.rm path
    say "Removed '#{certificate.subject}'"
  end
end

#sign(cert_file) ⇒ Object

# File 'lib/rubygems/commands/cert_command.rb', line 283

def sign(cert_file)
  cert = File.read cert_file
  cert = OpenSSL::X509::Certificate.new cert

  permissions = File.stat(cert_file).mode & 0777

  issuer_cert = options[:issuer_cert]
  issuer_key = options[:key]

  cert = Gem::Security.sign cert, issuer_key, issuer_cert

  Gem::Security.write cert, cert_file, permissions
end

#sign_certificates ⇒ Object

:nodoc:

# File 'lib/rubygems/commands/cert_command.rb', line 297

def sign_certificates # :nodoc:
  load_defaults unless options[:sign].empty?

  options[:sign].each do |cert_file|
    sign cert_file
  end
end