Class: Gem::Security::Policy

Inherits:
Object
  • Object
show all
Defined in:
lib/rubygems/security.rb,
lib/rubygems/install_update_options.rb

Overview

:nodoc:

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(policy = {}, opt = {}) ⇒ Policy

Create a new Gem::Security::Policy object with the given mode and options.



414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
 
# File 'lib/rubygems/security.rb', line 414

def initialize(policy = {}, opt = {})
  # set options
  @opt = Gem::Security::OPT.merge(opt)

  # build policy
  policy.each_pair do |key, val|
    case key
    when :verify_data   then @verify_data   = val
    when :verify_signer then @verify_signer = val
    when :verify_chain  then @verify_chain  = val
    when :verify_root   then @verify_root   = val
    when :only_trusted  then @only_trusted  = val
    when :only_signed   then @only_signed   = val
    end
  end
end

Instance Attribute Details

#only_signedObject

Returns the value of attribute only_signed



407
408
409
 
# File 'lib/rubygems/security.rb', line 407

def only_signed
  @only_signed
end

#only_trustedObject

Returns the value of attribute only_trusted



407
408
409
 
# File 'lib/rubygems/security.rb', line 407

def only_trusted
  @only_trusted
end

#verify_chainObject

Returns the value of attribute verify_chain



407
408
409
 
# File 'lib/rubygems/security.rb', line 407

def verify_chain
  @verify_chain
end

#verify_dataObject

Returns the value of attribute verify_data



407
408
409
 
# File 'lib/rubygems/security.rb', line 407

def verify_data
  @verify_data
end

#verify_rootObject

Returns the value of attribute verify_root



407
408
409
 
# File 'lib/rubygems/security.rb', line 407

def verify_root
  @verify_root
end

#verify_signerObject

Returns the value of attribute verify_signer



407
408
409
 
# File 'lib/rubygems/security.rb', line 407

def verify_signer
  @verify_signer
end

Class Method Details

.trusted_cert_path(cert, opt = {}) ⇒ Object

Get the path to the file for this cert.



434
435
436
437
438
439
440
441
442
443
444
445
446
 
# File 'lib/rubygems/security.rb', line 434

def self.trusted_cert_path(cert, opt = {})
  opt = Gem::Security::OPT.merge(opt)

  # get digest algorithm, calculate checksum of root.subject
  algo = opt[:dgst_algo]
  dgst = algo.hexdigest(cert.subject.to_s)

  # build path to trusted cert file
  name = "cert-#{dgst}.pem"

  # join and return path components
  File::join(opt[:trust_dir], name)
end

Instance Method Details

#verify_gem(signature, data, chain, time = Time.now) ⇒ Object

Verify that the gem data with the given signature and signing chain matched this security policy at the specified time.



452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
 
# File 'lib/rubygems/security.rb', line 452

def verify_gem(signature, data, chain, time = Time.now)
  Gem.ensure_ssl_available
  cert_class = OpenSSL::X509::Certificate
  exc = Gem::Security::Exception
  chain ||= []

  chain = chain.map{ |str| cert_class.new(str) }
  signer, ch_len = chain[-1], chain.size

  # make sure signature is valid
  if @verify_data
    # get digest algorithm (TODO: this should be configurable)
    dgst = @opt[:dgst_algo]

    # verify the data signature (this is the most important part, so don't
    # screw it up :D)
    v = signer.public_key.verify(dgst.new, signature, data)
    raise exc, "Invalid Gem Signature" unless v

    # make sure the signer is valid
    if @verify_signer
      # make sure the signing cert is valid right now
      v = signer.check_validity(nil, time)
      raise exc, "Invalid Signature: #{v[:desc]}" unless v[:is_valid]
    end
  end

  # make sure the certificate chain is valid
  if @verify_chain
    # iterate down over the chain and verify each certificate against it's
    # issuer
    (ch_len - 1).downto(1) do |i|
      issuer, cert = chain[i - 1, 2]
      v = cert.check_validity(issuer, time)
      raise exc, "%s: cert = '%s', error = '%s'" % [
          'Invalid Signing Chain', cert.subject, v[:desc]
      ] unless v[:is_valid]
    end

    # verify root of chain
    if @verify_root
      # make sure root is self-signed
      root = chain[0]
      raise exc, "%s: %s (subject = '%s', issuer = '%s')" % [
          'Invalid Signing Chain Root',
          'Subject does not match Issuer for Gem Signing Chain',
          root.subject.to_s,
          root.issuer.to_s,
      ] unless root.issuer.to_s == root.subject.to_s

      # make sure root is valid
      v = root.check_validity(root, time)
      raise exc, "%s: cert = '%s', error = '%s'" % [
          'Invalid Signing Chain Root', root.subject, v[:desc]
      ] unless v[:is_valid]

      # verify that the chain root is trusted
      if @only_trusted
        # get digest algorithm, calculate checksum of root.subject
        algo = @opt[:dgst_algo]
        path = Gem::Security::Policy.trusted_cert_path(root, @opt)

        # check to make sure trusted path exists
        raise exc, "%s: cert = '%s', error = '%s'" % [
            'Untrusted Signing Chain Root',
            root.subject.to_s,
            "path \"#{path}\" does not exist",
        ] unless File.exist?(path)

        # load calculate digest from saved cert file
        save_cert = OpenSSL::X509::Certificate.new(File.read(path))
        save_dgst = algo.digest(save_cert.public_key.to_s)

        # create digest of public key
        pkey_str = root.public_key.to_s
        cert_dgst = algo.digest(pkey_str)

        # now compare the two digests, raise exception
        # if they don't match
        raise exc, "%s: %s (saved = '%s', root = '%s')" % [
            'Invalid Signing Chain Root',
            "Saved checksum doesn't match root checksum",
            save_dgst, cert_dgst,
        ] unless save_dgst == cert_dgst
      end
    end

    # return the signing chain
    chain.map { |cert| cert.subject }
  end
end