Current File : //opt/alt/ruby31/share/rubygems/rubygems/commands/cert_command.rb
# frozen_string_literal: true
require_relative "../command"
require_relative "../security"
class Gem::Commands::CertCommand < Gem::Command
def initialize
super "cert", "Manage RubyGems certificates and signing settings",
:add => [], :remove => [], :list => [], :build => [], :sign => []
add_option("-a", "--add CERT",
"Add a trusted certificate.") do |cert_file, options|
options[:add] << open_cert(cert_file)
end
add_option("-l", "--list [FILTER]",
"List trusted certificates where the",
"subject contains FILTER") do |filter, options|
filter ||= ""
options[:list] << filter
end
add_option("-r", "--remove FILTER",
"Remove trusted certificates where the",
"subject contains FILTER") do |filter, options|
options[:remove] << filter
end
add_option("-b", "--build EMAIL_ADDR",
"Build private key and self-signed",
"certificate for EMAIL_ADDR") do |email_address, options|
options[:build] << email_address
end
add_option("-C", "--certificate CERT",
"Signing certificate for --sign") do |cert_file, options|
options[:issuer_cert] = open_cert(cert_file)
options[:issuer_cert_file] = cert_file
end
add_option("-K", "--private-key KEY",
"Key for --sign or --build") do |key_file, options|
options[:key] = open_private_key(key_file)
end
add_option("-A", "--key-algorithm ALGORITHM",
"Select which key algorithm to use for --build") do |algorithm, options|
options[:key_algorithm] = algorithm
end
add_option("-s", "--sign CERT",
"Signs CERT with the key from -K",
"and the certificate from -C") do |cert_file, options|
raise Gem::OptionParser::InvalidArgument, "#{cert_file}: does not exist" unless
File.file? cert_file
options[:sign] << cert_file
end
add_option("-d", "--days NUMBER_OF_DAYS",
"Days before the certificate expires") do |days, options|
options[:expiration_length_days] = days.to_i
end
add_option("-R", "--re-sign",
"Re-signs the certificate from -C with the key from -K") do |resign, options|
options[:resign] = resign
end
end
def add_certificate(certificate) # :nodoc:
Gem::Security.trust_dir.trust_cert certificate
say "Added '#{certificate.subject}'"
end
def check_openssl
return if Gem::HAVE_OPENSSL
alert_error "OpenSSL library is required for the cert command"
terminate_interaction 1
end
def open_cert(certificate_file)
check_openssl
OpenSSL::X509::Certificate.new File.read certificate_file
rescue Errno::ENOENT
raise Gem::OptionParser::InvalidArgument, "#{certificate_file}: does not exist"
rescue OpenSSL::X509::CertificateError
raise Gem::OptionParser::InvalidArgument,
"#{certificate_file}: invalid X509 certificate"
end
def open_private_key(key_file)
check_openssl
passphrase = ENV["GEM_PRIVATE_KEY_PASSPHRASE"]
key = OpenSSL::PKey.read File.read(key_file), passphrase
raise Gem::OptionParser::InvalidArgument,
"#{key_file}: private key not found" unless key.private?
key
rescue Errno::ENOENT
raise Gem::OptionParser::InvalidArgument, "#{key_file}: does not exist"
rescue OpenSSL::PKey::PKeyError, ArgumentError
raise Gem::OptionParser::InvalidArgument, "#{key_file}: invalid RSA, DSA, or EC key"
end
def execute
check_openssl
options[:add].each do |certificate|
add_certificate certificate
end
options[:remove].each do |filter|
remove_certificates_matching filter
end
options[:list].each do |filter|
list_certificates_matching filter
end
options[:build].each do |email|
build email
end
if options[:resign]
re_sign_cert(
options[:issuer_cert],
options[:issuer_cert_file],
options[:key]
)
end
sign_certificates unless options[:sign].empty?
end
def build(email)
if !valid_email?(email)
raise Gem::CommandLineError, "Invalid email address #{email}"
end
key, key_path = build_key
cert_path = build_cert email, key
say "Certificate: #{cert_path}"
if key_path
say "Private Key: #{key_path}"
say "Don't forget to move the key file to somewhere private!"
end
end
def build_cert(email, key) # :nodoc:
expiration_length_days = options[:expiration_length_days] ||
Gem.configuration.cert_expiration_length_days
cert = Gem::Security.create_cert_email(
email,
key,
(Gem::Security::ONE_DAY * expiration_length_days)
)
Gem::Security.write cert, "gem-public_cert.pem"
end
def build_key # :nodoc:
return options[:key] if options[:key]
passphrase = ask_for_password "Passphrase for your Private Key:"
say "\n"
passphrase_confirmation = ask_for_password "Please repeat the passphrase for your Private Key:"
say "\n"
raise Gem::CommandLineError,
"Passphrase and passphrase confirmation don't match" unless passphrase == passphrase_confirmation
algorithm = options[:key_algorithm] || Gem::Security::DEFAULT_KEY_ALGORITHM
key = Gem::Security.create_key(algorithm)
key_path = Gem::Security.write key, "gem-private_key.pem", 0600, passphrase
return key, key_path
end
def certificates_matching(filter)
return enum_for __method__, filter unless block_given?
Gem::Security.trusted_certificates.select do |certificate, _|
subject = certificate.subject.to_s
subject.downcase.index filter
end.sort_by do |certificate, _|
certificate.subject.to_a.map {|name, data,| [name, data] }
end.each do |certificate, path|
yield certificate, path
end
end
def description # :nodoc:
<<-EOF
The cert command manages signing keys and certificates for creating signed
gems. Your signing certificate and private key are typically stored in
~/.gem/gem-public_cert.pem and ~/.gem/gem-private_key.pem respectively.
To build a certificate for signing gems:
gem cert --build you@example
If you already have an RSA key, or are creating a new certificate for an
existing key:
gem cert --build you@example --private-key /path/to/key.pem
If you wish to trust a certificate you can add it to the trust list with:
gem cert --add /path/to/cert.pem
You can list trusted certificates with:
gem cert --list
or:
gem cert --list cert_subject_substring
If you wish to remove a previously trusted certificate:
gem cert --remove cert_subject_substring
To sign another gem author's certificate:
gem cert --sign /path/to/other_cert.pem
For further reading on signing gems see `ri Gem::Security`.
EOF
end
def list_certificates_matching(filter) # :nodoc:
certificates_matching filter do |certificate, _|
# this could probably be formatted more gracefully
say certificate.subject.to_s
end
end
def load_default_cert
cert_file = File.join Gem.default_cert_path
cert = File.read cert_file
options[:issuer_cert] = OpenSSL::X509::Certificate.new cert
rescue Errno::ENOENT
alert_error \
"--certificate not specified and ~/.gem/gem-public_cert.pem does not exist"
terminate_interaction 1
rescue OpenSSL::X509::CertificateError
alert_error \
"--certificate not specified and ~/.gem/gem-public_cert.pem is not valid"
terminate_interaction 1
end
def load_default_key
key_file = File.join Gem.default_key_path
key = File.read key_file
passphrase = ENV["GEM_PRIVATE_KEY_PASSPHRASE"]
options[:key] = OpenSSL::PKey.read key, passphrase
rescue Errno::ENOENT
alert_error \
"--private-key not specified and ~/.gem/gem-private_key.pem does not exist"
terminate_interaction 1
rescue OpenSSL::PKey::PKeyError
alert_error \
"--private-key not specified and ~/.gem/gem-private_key.pem is not valid"
terminate_interaction 1
end
def load_defaults # :nodoc:
load_default_cert unless options[:issuer_cert]
load_default_key unless options[:key]
end
def remove_certificates_matching(filter) # :nodoc:
certificates_matching filter do |certificate, path|
FileUtils.rm path
say "Removed '#{certificate.subject}'"
end
end
def sign(cert_file)
cert = File.read cert_file
cert = OpenSSL::X509::Certificate.new cert
permissions = File.stat(cert_file).mode & 0777
issuer_cert = options[:issuer_cert]
issuer_key = options[:key]
cert = Gem::Security.sign cert, issuer_key, issuer_cert
Gem::Security.write cert, cert_file, permissions
end
def sign_certificates # :nodoc:
load_defaults unless options[:sign].empty?
options[:sign].each do |cert_file|
sign cert_file
end
end
def re_sign_cert(cert, cert_path, private_key)
Gem::Security::Signer.re_sign_cert(cert, cert_path, private_key) do |expired_cert_path, new_expired_cert_path|
alert("Your certificate #{expired_cert_path} has been re-signed")
alert("Your expired certificate will be located at: #{new_expired_cert_path}")
end
end
private
def valid_email?(email)
# It's simple, but is all we need
email =~ /\A.+@.+\z/
end
end