diff options
author | drbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-11-29 06:52:18 +0000 |
---|---|---|
committer | drbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-11-29 06:52:18 +0000 |
commit | 9694bb8cac12969300692dac5a1cf7aa4e3a46cd (patch) | |
tree | c3cb423d701f7049ba9382de052e2a937cd1302d /lib/rubygems/commands/cert_command.rb | |
parent | 3f606b7063fc7a8b191556365ad343a314719a8d (diff) | |
download | ruby-9694bb8cac12969300692dac5a1cf7aa4e3a46cd.tar.gz |
* lib/rubygems*: Updated to RubyGems 2.0
* test/rubygems*: ditto.
* common.mk (prelude): Updated for RubyGems 2.0 source rearrangement.
* tool/change_maker.rb: Allow invalid UTF-8 characters in source
files.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37976 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems/commands/cert_command.rb')
-rw-r--r-- | lib/rubygems/commands/cert_command.rb | 256 |
1 files changed, 199 insertions, 57 deletions
diff --git a/lib/rubygems/commands/cert_command.rb b/lib/rubygems/commands/cert_command.rb index b416b3863d..371ab403c6 100644 --- a/lib/rubygems/commands/cert_command.rb +++ b/lib/rubygems/commands/cert_command.rb @@ -4,82 +4,224 @@ require 'rubygems/security' class Gem::Commands::CertCommand < Gem::Command def initialize - super 'cert', 'Manage RubyGems certificates and signing settings' - - add_option('-a', '--add CERT', - 'Add a trusted certificate.') do |value, options| - cert = OpenSSL::X509::Certificate.new(File.read(value)) - Gem::Security.add_trusted_cert(cert) - say "Added '#{cert.subject.to_s}'" - end - - add_option('-l', '--list', - 'List trusted certificates.') do |value, options| - glob_str = File::join(Gem::Security::OPT[:trust_dir], '*.pem') - Dir::glob(glob_str) do |path| - begin - cert = OpenSSL::X509::Certificate.new(File.read(path)) - # this could probably be formatted more gracefully - say cert.subject.to_s - rescue OpenSSL::X509::CertificateError - next - end + super 'cert', 'Manage RubyGems certificates and signing settings', + :add => [], :remove => [], :list => [], :build => [], :sign => [] + + OptionParser.accept OpenSSL::X509::Certificate do |certificate| + begin + OpenSSL::X509::Certificate.new File.read certificate + rescue Errno::ENOENT + raise OptionParser::InvalidArgument, "#{certificate}: does not exist" + rescue OpenSSL::X509::CertificateError + raise OptionParser::InvalidArgument, + "#{certificate}: invalid X509 certificate" end end - add_option('-r', '--remove STRING', - 'Remove trusted certificates containing', - 'STRING.') do |value, options| - trust_dir = Gem::Security::OPT[:trust_dir] - glob_str = File::join(trust_dir, '*.pem') - - Dir::glob(glob_str) do |path| - begin - cert = OpenSSL::X509::Certificate.new(File.read(path)) - if cert.subject.to_s.downcase.index(value) - say "Removed '#{cert.subject.to_s}'" - File.unlink(path) - end - rescue OpenSSL::X509::CertificateError - next - end + OptionParser.accept OpenSSL::PKey::RSA do |key_file| + begin + key = OpenSSL::PKey::RSA.new File.read key_file + rescue Errno::ENOENT + raise OptionParser::InvalidArgument, "#{key_file}: does not exist" + rescue OpenSSL::PKey::RSAError + raise OptionParser::InvalidArgument, "#{key_file}: invalid RSA key" end + + raise OptionParser::InvalidArgument, + "#{key_file}: private key not found" unless key.private? + + key + end + + add_option('-a', '--add CERT', OpenSSL::X509::Certificate, + 'Add a trusted certificate.') do |cert, options| + options[:add] << cert + end + + add_option('-l', '--list [FILTER]', + 'List trusted certificates where the', + 'subject contains FILTER') do |filter, options| + filter ||= '' + + options[:list] << filter + end + + add_option('-r', '--remove FILTER', + 'Remove trusted certificates where the', + 'subject contains FILTER') do |filter, options| + options[:remove] << filter end add_option('-b', '--build EMAIL_ADDR', 'Build private key and self-signed', - 'certificate for EMAIL_ADDR.') do |value, options| - vals = Gem::Security.build_self_signed_cert(value) - FileUtils.chmod 0600, vals[:key_path] - say "Public Cert: #{vals[:cert_path]}" - say "Private Key: #{vals[:key_path]}" - say "Don't forget to move the key file to somewhere private..." + 'certificate for EMAIL_ADDR') do |email_address, options| + options[:build] << email_address end - add_option('-C', '--certificate CERT', - 'Certificate for --sign command.') do |value, options| - cert = OpenSSL::X509::Certificate.new(File.read(value)) + add_option('-C', '--certificate CERT', OpenSSL::X509::Certificate, + 'Signing certificate for --sign') do |cert, options| options[:issuer_cert] = cert end - add_option('-K', '--private-key KEY', - 'Private key for --sign command.') do |value, options| - key = OpenSSL::PKey::RSA.new(File.read(value)) - options[:issuer_key] = key + add_option('-K', '--private-key KEY', OpenSSL::PKey::RSA, + 'Key for --sign or --build') do |key, options| + options[:key] = key end - add_option('-s', '--sign NEWCERT', - 'Sign a certificate with my key and', - 'certificate.') do |value, options| - cert = OpenSSL::X509::Certificate.new(File.read(value)) - my_cert = options[:issuer_cert] - my_key = options[:issuer_key] - cert = Gem::Security.sign_cert(cert, my_key, my_cert) - File.open(value, 'wb') { |file| file.write(cert.to_pem) } + add_option('-s', '--sign CERT', + 'Signs CERT with the key from -K', + 'and the certificate from -C') do |cert_file, options| + raise OptionParser::InvalidArgument, "#{cert_file}: does not exist" unless + File.file? cert_file + + options[:sign] << cert_file end end def execute + options[:add].each do |certificate| + Gem::Security.trust_dir.trust_cert certificate + + say "Added '#{certificate.subject}'" + end + + options[:remove].each do |filter| + certificates_matching filter do |certificate, path| + FileUtils.rm path + say "Removed '#{certificate.subject}'" + end + end + + options[:list].each do |filter| + certificates_matching filter do |certificate, _| + # this could probably be formatted more gracefully + say certificate.subject.to_s + end + end + + options[:build].each do |name| + build name + end + + unless options[:sign].empty? then + load_default_cert unless options[:issuer_cert] + load_default_key unless options[:key] + end + + options[:sign].each do |cert_file| + sign cert_file + end + end + + def build name + key = options[:key] || Gem::Security.create_key + + cert = Gem::Security.create_cert_email name, key + + key_path = Gem::Security.write key, "gem-private_key.pem" + cert_path = Gem::Security.write cert, "gem-public_cert.pem" + + say "Certificate: #{cert_path}" + say "Private Key: #{key_path}" + say "Don't forget to move the key file to somewhere private!" + end + + def certificates_matching filter + return enum_for __method__, filter unless block_given? + + Gem::Security.trusted_certificates.select do |certificate, _| + subject = certificate.subject.to_s + subject.downcase.index filter + end.sort_by do |certificate, _| + certificate.subject.to_a.map { |name, data,| [name, data] } + end.each do |certificate, path| + yield certificate, path + end + end + + def description # :nodoc: + <<-EOF +The cert command manages signing keys and certificates for creating signed +gems. Your signing certificate and private key are typically stored in +~/.gem/gem-public_cert.pem and ~/.gem/gem-private_key.pem respectively. + +To build a certificate for signing gems: + + gem cert --build you@example + +If you already have an RSA key, or are creating a new certificate for an +existing key: + + gem cert --build you@example --private-key /path/to/key.pem + +If you wish to trust a certificate you can add it to the trust list with: + + gem cert --add /path/to/cert.pem + +You can list trusted certificates with: + + gem cert --list + +or: + + gem cert --list cert_subject_substring + +If you wish to remove a previously trusted certificate: + + gem cert --remove cert_subject_substring + +To sign another gem author's certificate: + + gem cert --sign /path/to/other_cert.pem + +For further reading on signing gems see `ri Gem::Security`. + EOF + end + + def load_default_cert + cert_file = File.join Gem.user_home, 'gem-public_cert.pem' + cert = File.read cert_file + options[:issuer_cert] = OpenSSL::X509::Certificate.new cert + rescue Errno::ENOENT + alert_error \ + "--certificate not specified and ~/.gem/gem-public_cert.pem does not exist" + + terminate_interaction 1 + rescue OpenSSL::X509::CertificateError + alert_error \ + "--certificate not specified and ~/.gem/gem-public_cert.pem is not valid" + + terminate_interaction 1 + end + + def load_default_key + key_file = File.join Gem.user_home, 'gem-private_key.pem' + key = File.read key_file + options[:key] = OpenSSL::PKey::RSA.new key + rescue Errno::ENOENT + alert_error \ + "--private-key not specified and ~/.gem/gem-private_key.pem does not exist" + + terminate_interaction 1 + rescue OpenSSL::PKey::RSAError + alert_error \ + "--private-key not specified and ~/.gem/gem-private_key.pem is not valid" + + terminate_interaction 1 + end + + def sign cert_file + cert = File.read cert_file + cert = OpenSSL::X509::Certificate.new cert + + permissions = File.stat(cert_file).mode & 0777 + + issuer_cert = options[:issuer_cert] + issuer_key = options[:key] + + cert = Gem::Security.sign cert, issuer_key, issuer_cert + + Gem::Security.write cert, cert_file, permissions end end |