Class: Gem::Security::TrustDir

Inherits:
Object
  • Object
show all
Defined in:
lib/rubygems/security/trust_dir.rb

Overview

The TrustDir manages the trusted certificates for gem signature verification.

Constant Summary collapse

DEFAULT_PERMISSIONS =

Default permissions for the trust directory and its contents

{
  :trust_dir    => 0700,
  :trusted_cert => 0600,
}.freeze

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(dir, permissions = DEFAULT_PERMISSIONS) ⇒ TrustDir

Creates a new TrustDir using dir where the directory and file permissions will be checked according to permissions



24
25
26
27
28
29
 
# File 'lib/rubygems/security/trust_dir.rb', line 24

def initialize(dir, permissions = DEFAULT_PERMISSIONS)
  @dir = dir
  @permissions = permissions

  @digester = Gem::Security.create_digest
end

Instance Attribute Details

#dirObject (readonly)

The directory where trusted certificates will be stored.



18
19
20
 
# File 'lib/rubygems/security/trust_dir.rb', line 18

def dir
  @dir
end

Instance Method Details

#cert_path(certificate) ⇒ Object

Returns the path to the trusted certificate



34
35
36
 
# File 'lib/rubygems/security/trust_dir.rb', line 34

def cert_path(certificate)
  name_path certificate.subject
end

#each_certificateObject

Enumerates trusted certificates.



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
# File 'lib/rubygems/security/trust_dir.rb', line 41

def each_certificate
  return enum_for __method__ unless block_given?

  glob = File.join @dir, '*.pem'

  Dir[glob].each do |certificate_file|
    begin
      certificate = load_certificate certificate_file

      yield certificate, certificate_file
    rescue OpenSSL::X509::CertificateError
      next # HACK warn
    end
  end
end

#issuer_of(certificate) ⇒ Object

Returns the issuer certificate of the given certificate if it exists in the trust directory.



61
62
63
64
65
66
67
 
# File 'lib/rubygems/security/trust_dir.rb', line 61

def issuer_of(certificate)
  path = name_path certificate.issuer

  return unless File.exist? path

  load_certificate path
end

#load_certificate(certificate_file) ⇒ Object

Loads the given certificate_file



81
82
83
84
85
 
# File 'lib/rubygems/security/trust_dir.rb', line 81

def load_certificate(certificate_file)
  pem = File.read certificate_file

  OpenSSL::X509::Certificate.new pem
end

#name_path(name) ⇒ Object

Returns the path to the trusted certificate with the given ASN.1 name



72
73
74
75
76
 
# File 'lib/rubygems/security/trust_dir.rb', line 72

def name_path(name)
  digest = @digester.hexdigest name.to_s

  File.join @dir, "cert-#{digest}.pem"
end

#trust_cert(certificate) ⇒ Object

Add a certificate to trusted certificate list.



90
91
92
93
94
95
96
97
98
99
 
# File 'lib/rubygems/security/trust_dir.rb', line 90

def trust_cert(certificate)
  verify

  destination = cert_path certificate

  File.open destination, 'wb', 0600 do |io|
    io.write certificate.to_pem
    io.chmod(@permissions[:trusted_cert])
  end
end

#verifyObject

Make sure the trust directory exists. If it does exist, make sure it’s actually a directory. If not, then create it with the appropriate permissions.



106
107
108
109
110
111
112
113
114
115
116
117
 
# File 'lib/rubygems/security/trust_dir.rb', line 106

def verify
  require 'fileutils'
  if File.exist? @dir
    raise Gem::Security::Exception,
      "trust directory #{@dir} is not a directory" unless
        File.directory? @dir

    FileUtils.chmod 0700, @dir
  else
    FileUtils.mkdir_p @dir, :mode => @permissions[:trust_dir]
  end
end