Module: Gem::Security
- Defined in:
- lib/rubygems/security.rb,
lib/rubygems/security_option.rb,
lib/rubygems/security/policies.rb,
lib/rubygems/commands/unpack_command.rb
Overview
forward-declare
Defined Under Namespace
Classes: Exception, Policy, Signer, TrustDir
Constant Summary collapse
- DIGEST_NAME =
Used internally to select the signing digest from all computed digests
'SHA256'
- KEY_ALGORITHM =
Algorithm for creating the key pair used to sign gems
if defined?(OpenSSL::PKey::RSA) OpenSSL::PKey::RSA end
- KEY_LENGTH =
Length of keys created by KEY_ALGORITHM
3072
- KEY_CIPHER =
Cipher used to encrypt the key pair used to sign gems. Must be in the list returned by OpenSSL::Cipher.ciphers
OpenSSL::Cipher.new('AES-256-CBC')
- ONE_DAY =
One day in seconds
86400
- ONE_YEAR =
One year in seconds
ONE_DAY * 365
- EXTENSIONS =
The default set of extensions are:
-
The certificate is not a certificate authority
-
The key for the certificate may be used for key and data encipherment and digital signatures
-
The certificate contains a subject key identifier
-
{ 'basicConstraints' => 'CA:FALSE', 'keyUsage' => 'keyEncipherment,dataEncipherment,digitalSignature', 'subjectKeyIdentifier' => 'hash', }.freeze
- NoSecurity =
No security policy: all package signature checks are disabled.
Policy.new( 'No Security', :verify_data => false, :verify_signer => false, :verify_chain => false, :verify_root => false, :only_trusted => false, :only_signed => false )
- AlmostNoSecurity =
AlmostNo security policy: only verify that the signing certificate is the one that actually signed the data. Make no attempt to verify the signing certificate chain.
This policy is basically useless. better than nothing, but can still be easily spoofed, and is not recommended.
Policy.new( 'Almost No Security', :verify_data => true, :verify_signer => false, :verify_chain => false, :verify_root => false, :only_trusted => false, :only_signed => false )
- LowSecurity =
Low security policy: only verify that the signing certificate is actually the gem signer, and that the signing certificate is valid.
This policy is better than nothing, but can still be easily spoofed, and is not recommended.
Policy.new( 'Low Security', :verify_data => true, :verify_signer => true, :verify_chain => false, :verify_root => false, :only_trusted => false, :only_signed => false )
- MediumSecurity =
Medium security policy: verify the signing certificate, verify the signing certificate chain all the way to the root certificate, and only trust root certificates that we have explicitly allowed trust for.
This security policy is reasonable, but it allows unsigned packages, so a malicious person could simply delete the package signature and pass the gem off as unsigned.
Policy.new( 'Medium Security', :verify_data => true, :verify_signer => true, :verify_chain => true, :verify_root => true, :only_trusted => true, :only_signed => false )
- HighSecurity =
High security policy: only allow signed gems to be installed, verify the signing certificate, verify the signing certificate chain all the way to the root certificate, and only trust root certificates that we have explicitly allowed trust for.
This security policy is significantly more difficult to bypass, and offers a reasonable guarantee that the contents of the gem have not been altered.
Policy.new( 'High Security', :verify_data => true, :verify_signer => true, :verify_chain => true, :verify_root => true, :only_trusted => true, :only_signed => true )
- SigningPolicy =
Policy used to verify a certificate and key when signing a gem
Policy.new( 'Signing Policy', :verify_data => false, :verify_signer => true, :verify_chain => true, :verify_root => true, :only_trusted => false, :only_signed => false )
- Policies =
Hash of configured security policies
{ 'NoSecurity' => NoSecurity, 'AlmostNoSecurity' => AlmostNoSecurity, 'LowSecurity' => LowSecurity, 'MediumSecurity' => MediumSecurity, 'HighSecurity' => HighSecurity, # SigningPolicy is not intended for use by `gem -P` so do not list it }.freeze
Class Method Summary collapse
- .alt_name_or_x509_entry(certificate, x509_entry) ⇒ Object
-
.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates an unsigned certificate for
subject
andkey
. -
.create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Creates a self-signed certificate with an issuer and subject from
email
, a subject alternative name ofemail
and the givenextensions
for thekey
. -
.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates a self-signed certificate with an issuer and subject of
subject
and the givenextensions
for thekey
. - .create_digest(algorithm = DIGEST_NAME) ⇒ Object
-
.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) ⇒ Object
Creates a new key pair of the specified
length
andalgorithm
. -
.email_to_name(email_address) ⇒ Object
Turns
email_address
into an OpenSSL::X509::Name. -
.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Signs
expired_certificate
withprivate_key
if the keys match and the expired certificate was self-signed. -
.reset ⇒ Object
Resets the trust directory for verifying gems.
-
.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Sign the public key from
certificate
with thesigning_key
andsigning_cert
, using the Gem::Security::DIGEST_NAME. -
.trust_dir ⇒ Object
Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.
-
.trusted_certificates(&block) ⇒ Object
Enumerates the trusted certificates via Gem::Security::TrustDir.
-
.write(pemmable, path, permissions = 0600, passphrase = nil, cipher = KEY_CIPHER) ⇒ Object
Writes
pemmable
, which must respond toto_pem
topath
with the givenpermissions
.
Class Method Details
.alt_name_or_x509_entry(certificate, x509_entry) ⇒ Object
383 384 385 386 387 388 389 390 391 |
# File 'lib/rubygems/security.rb', line 383 def self.alt_name_or_x509_entry(certificate, x509_entry) alt_name = certificate.extensions.find do |extension| extension.oid == "#{x509_entry}AltName" end return alt_name.value if alt_name certificate.send x509_entry end |
.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates an unsigned certificate for subject
and key
. The lifetime of the key is from the current time to age
which defaults to one year.
The extensions
restrict the key to the indicated uses.
399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 |
# File 'lib/rubygems/security.rb', line 399 def self.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) cert = OpenSSL::X509::Certificate.new cert.public_key = key.public_key cert.version = 2 cert.serial = serial cert.not_before = Time.now cert.not_after = Time.now + age cert.subject = subject ef = OpenSSL::X509::ExtensionFactory.new nil, cert cert.extensions = extensions.map do |ext_name, value| ef.create_extension ext_name, value end cert end |
.create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Creates a self-signed certificate with an issuer and subject from email
, a subject alternative name of email
and the given extensions
for the key
.
426 427 428 429 430 431 432 |
# File 'lib/rubygems/security.rb', line 426 def self.create_cert_email(email, key, age = ONE_YEAR, extensions = EXTENSIONS) subject = email_to_name email extensions = extensions.merge "subjectAltName" => "email:#{email}" create_cert_self_signed subject, key, age, extensions end |
.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Creates a self-signed certificate with an issuer and subject of subject
and the given extensions
for the key
.
438 439 440 441 442 443 |
# File 'lib/rubygems/security.rb', line 438 def self.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) certificate = create_cert subject, key, age, extensions sign certificate, key, certificate, age, extensions, serial end |
.create_digest(algorithm = DIGEST_NAME) ⇒ Object
450 451 452 |
# File 'lib/rubygems/security.rb', line 450 def self.create_digest(algorithm = DIGEST_NAME) OpenSSL::Digest.new(algorithm) end |
.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) ⇒ Object
Creates a new key pair of the specified length
and algorithm
. The default is a 3072 bit RSA key.
465 466 467 |
# File 'lib/rubygems/security.rb', line 465 def self.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM) algorithm.new length end |
.email_to_name(email_address) ⇒ Object
Turns email_address
into an OpenSSL::X509::Name
472 473 474 475 476 477 478 479 480 481 482 |
# File 'lib/rubygems/security.rb', line 472 def self.email_to_name(email_address) email_address = email_address.gsub(/[^\[email protected]]+/i, '_') cn, dcs = email_address.split '@' dcs = dcs.split '.' name = "CN=#{cn}/#{dcs.map {|dc| "DC=#{dc}" }.join '/'}" OpenSSL::X509::Name.parse name end |
.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) ⇒ Object
Signs expired_certificate
with private_key
if the keys match and the expired certificate was self-signed. – TODO increment serial
490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 |
# File 'lib/rubygems/security.rb', line 490 def self.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS) raise Gem::Security::Exception, "incorrect signing key for re-signing " + "#{expired_certificate.subject}" unless expired_certificate.public_key.to_pem == private_key.public_key.to_pem unless expired_certificate.subject.to_s == expired_certificate.issuer.to_s subject = alt_name_or_x509_entry expired_certificate, :subject issuer = alt_name_or_x509_entry expired_certificate, :issuer raise Gem::Security::Exception, "#{subject} is not self-signed, contact #{issuer} " + "to obtain a valid certificate" end serial = expired_certificate.serial + 1 create_cert_self_signed(expired_certificate.subject, private_key, age, extensions, serial) end |
.reset ⇒ Object
Resets the trust directory for verifying gems.
516 517 518 |
# File 'lib/rubygems/security.rb', line 516 def self.reset @trust_dir = nil end |
.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) ⇒ Object
Sign the public key from certificate
with the signing_key
and signing_cert
, using the Gem::Security::DIGEST_NAME. Uses the default certificate validity range and extensions.
Returns the newly signed certificate.
527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 |
# File 'lib/rubygems/security.rb', line 527 def self.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1) signee_subject = certificate.subject signee_key = certificate.public_key alt_name = certificate.extensions.find do |extension| extension.oid == 'subjectAltName' end extensions = extensions.merge 'subjectAltName' => alt_name.value if alt_name issuer_alt_name = signing_cert.extensions.find do |extension| extension.oid == 'subjectAltName' end extensions = extensions.merge 'issuerAltName' => issuer_alt_name.value if issuer_alt_name signed = create_cert signee_subject, signee_key, age, extensions, serial signed.issuer = signing_cert.subject signed.sign signing_key, Gem::Security::DIGEST_NAME end |
.trust_dir ⇒ Object
Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.
556 557 558 559 560 561 562 |
# File 'lib/rubygems/security.rb', line 556 def self.trust_dir return @trust_dir if @trust_dir dir = File.join Gem.user_home, '.gem', 'trust' @trust_dir ||= Gem::Security::TrustDir.new dir end |
.trusted_certificates(&block) ⇒ Object
Enumerates the trusted certificates via Gem::Security::TrustDir.
567 568 569 |
# File 'lib/rubygems/security.rb', line 567 def self.trusted_certificates(&block) trust_dir.each_certificate(&block) end |
.write(pemmable, path, permissions = 0600, passphrase = nil, cipher = KEY_CIPHER) ⇒ Object
Writes pemmable
, which must respond to to_pem
to path
with the given permissions
. If passed cipher
and passphrase
those arguments will be passed to to_pem
.
576 577 578 579 580 581 582 583 584 585 586 587 588 |
# File 'lib/rubygems/security.rb', line 576 def self.write(pemmable, path, = 0600, passphrase = nil, cipher = KEY_CIPHER) path = File. path File.open path, 'wb', do |io| if passphrase and cipher io.write pemmable.to_pem cipher, passphrase else io.write pemmable.to_pem end end path end |