author | drbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2013-08-26 20:24:51 +0000 |
---|---|---|
committer | drbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2013-08-26 20:24:51 +0000 |
commit | e487a7f53cffbadf0bf15ff169c9cb5898503250 (patch) | |
tree | eaa80eb4ced6fcdcc8b327d1cc5e47f66703fd1b /lib/rubygems/security | |
parent | cddd93a57568966b416e300529bdffc0c7e87b51 (diff) | |
download | ruby-e487a7f53cffbadf0bf15ff169c9cb5898503250.tar.gz |
* lib/rubygems: Import RubyGems 2.1.0 Release Candidate
* test/rubygems: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/rubygems/security')
-rw-r--r-- | lib/rubygems/security/policy.rb | 5 | ||||
-rw-r--r-- | lib/rubygems/security/signer.rb | 20 |
2 files changed, 24 insertions, 1 deletions
diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb
index 98e41b812c..7238b2e477 100644
--- a/lib/rubygems/security/policy.rb
+++ b/lib/rubygems/security/policy.rb
@@ -213,6 +213,9 @@ class Gem::Security::Policy
 if @only_signed then
 raise Gem::Security::Exception,
 "unsigned gems are not allowed by the #{name} policy"
+ elsif digests.empty? then
+ # lack of signatures is irrelevant if there is nothing to check
+ # against
 else
 alert_warning "#{full_name} is not signed"
 end
@@ -246,6 +249,8 @@ class Gem::Security::Policy

 if @only_trusted then
 check_trust chain, digester, trust_dir
+ elsif signatures.empty? and digests.empty? then
+ # trust is irrelevant if there's no signatures to verify
 else
 alert_warning "#{subject signer} is not trusted for #{full_name}"
 end
diff --git a/lib/rubygems/security/signer.rb b/lib/rubygems/security/signer.rb
index 231f2fe604..bb1eae7cf2 100644
--- a/lib/rubygems/security/signer.rb
+++ b/lib/rubygems/security/signer.rb
@@ -63,6 +63,22 @@ class Gem::Security::Signer
 end

 ##
+ # Extracts the full name of +cert+. If the certificate has a subjectAltName
+ # this value is preferred, otherwise the subject is used.
+
+ def extract_name cert # :nodoc:
+ subject_alt_name = cert.extensions.find { |e| 'subjectAltName' == e.oid }
+
+ if subject_alt_name then
+ /\Aemail:/ =~ subject_alt_name.value
+
+ $' || subject_alt_name.value
+ else
+ cert.subject
+ end
+ end
+
+ ##
 # Loads any missing issuers in the cert chain from the trusted certificates.
 #
 # If the issuer does not exist it is ignored as it will be checked later.
@@ -89,7 +105,9 @@ class Gem::Security::Signer
 re_sign_key
 end

- Gem::Security::SigningPolicy.verify @cert_chain, @key
+ full_name = extract_name @cert_chain.last
+
+ Gem::Security::SigningPolicy.verify @cert_chain, @key, {}, {}, full_name

 @key.sign @digest_algorithm.new, data
 end
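Review bot: The new `elsif digests.empty?` branch (and the matching `elsif signatures.empty? and digests.empty?` branch in the second policy.rb hunk) turns the previous "is not signed" / "is not trusted" warnings into silence whenever there are no checksums, and the comments do not say why that is safe rather than a verification gap. From the signer.rb hunks on this page it appears the only caller that supplies empty digests and signatures is `Signer#sign`, which verifies its own certificate chain and key; the comment should make that the stated reason, e.g. `# nothing to verify: this is the signing-side chain/key check (see Signer#sign), not an unsigned gem`. Under a policy with `@only_signed` set the `raise` branch still fires first, so the change only affects the warning path. The enclosing method starts before this hunk and its `digests`/`signatures` parameters are not visible here.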
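Review bot: `elsif signatures.empty? and digests.empty? then` uses `and` for boolean logic, which the rest of the condition chain (`if @only_trusted then`) does not need and which is the low-precedence control-flow operator in Ruby; `elsif signatures.empty? && digests.empty? then` is the idiomatic form and avoids surprises if the condition is ever extended with an assignment or method call. The behaviour is identical here, so this is a style point only.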
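Review bot: `extract_name` returns a String from the subjectAltName branch but an `OpenSSL::X509::Name` from the `cert.subject` fallback, so callers receive a different type depending on the certificate; on this page `full_name` is only interpolated into warning text, so `cert.subject.to_s` would make the return type consistently String without changing what is printed. The `/\Aemail:/ =~ subject_alt_name.value` followed by `$' || subject_alt_name.value` relies on the post-match global and is easy to misread; `subject_alt_name.value.sub(/\Aemail:/, '')` has the same result in one line and no hidden state. If a certificate's subjectAltName carries several entries, the whole remainder after the `email:` prefix is returned, which is worth stating in the rdoc comment if it is intended.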
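Review bot: `full_name = extract_name @cert_chain.last` runs before `SigningPolicy.verify`, so if `@cert_chain` can be empty when `sign` reaches this point, `@cert_chain.last` is nil and the failure surfaces as a NoMethodError inside `extract_name` instead of a `Gem::Security::Exception` from the policy; `sign` starts outside the hunk and its earlier guards are not visible here, so this may already be excluded, but a check such as `raise Gem::Security::Exception, 'no signing certificate in chain' if @cert_chain.empty?` ahead of the call would make the error explicit. The two positional `{}` arguments in `verify @cert_chain, @key, {}, {}, full_name` are opaque at the call site; a one-line comment such as `# no gem digests or signatures here: only the signing chain and key are checked` would tell a reader why the policy's new empty-digests branches apply to this call.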