123456789_123456789_123456789_123456789_123456789_

Class: Gem::Security::TrustDir

Relationships & Source Files
Inherits: Object
Defined in: lib/rubygems/security/trust_dir.rb

Overview

The TrustDir manages the trusted certificates for gem signature verification.

Constant Summary

Class Method Summary

Instance Attribute Summary

  • #dir readonly

    The directory where trusted certificates will be stored.

Instance Method Summary

Constructor Details

.new(dir, permissions = DEFAULT_PERMISSIONS) ⇒ TrustDir

Creates a new TrustDir using #dir where the directory and file permissions will be checked according to permissions

[ GitHub ] 

  


# File 'lib/rubygems/security/trust_dir.rb', line 25



def initialize(dir, permissions = DEFAULT_PERMISSIONS)
  @dir = dir
  @permissions = permissions

  @digester = Gem::Security.create_digest
end


  







Instance Attribute Details



  

    #dir   (readonly)
  



  

    

The directory where trusted certificates will be stored.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 19



attr_reader :dir


  







Instance Method Details



  

    #cert_path(certificate)  
  



  

    

Returns the path to the trusted certificate


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 35



def cert_path(certificate)
  name_path certificate.subject
end


  








  

    #each_certificate  
  



  

    

Enumerates trusted certificates.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 42



def each_certificate
  return enum_for __method__ unless block_given?

  glob = File.join @dir, "*.pem"

  Dir[glob].each do |certificate_file|
    certificate = load_certificate certificate_file

    yield certificate, certificate_file
  rescue OpenSSL::X509::CertificateError
    next # HACK: warn
  end
end


  








  

    #issuer_of(certificate)  
  



  

    

Returns the issuer certificate of the given certificate if it exists in the trust directory.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 60



def issuer_of(certificate)
  path = name_path certificate.issuer

  return unless File.exist? path

  load_certificate path
end


  








  

    #load_certificate(certificate_file)  
  



  

    

Loads the given certificate_file


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 80



def load_certificate(certificate_file)
  pem = File.read certificate_file

  OpenSSL::X509::Certificate.new pem
end


  








  

    #name_path(name)  
  



  

    

Returns the path to the trusted certificate with the given ASN.1 name


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 71



def name_path(name)
  digest = @digester.hexdigest name.to_s

  File.join @dir, "cert-#{digest}.pem"
end


  








  

    #trust_cert(certificate)  
  



  

    

Add a certificate to trusted certificate list.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 89



def trust_cert(certificate)
  verify

  destination = cert_path certificate

  File.open destination, "wb", 0o600 do |io|
    io.write certificate.to_pem
    io.chmod(@permissions[:trusted_cert])
  end
end


  








  

    #verify  
  



  

    

Make sure the trust directory exists.  If it does exist, make sure it’s actually a directory.  If not, then create it with the appropriate permissions.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/security/trust_dir.rb', line 105



def verify
  require "fileutils"
  if File.exist? @dir
    raise Gem::Security::Exception,
      "trust directory #{@dir} is not a directory" unless
        File.directory? @dir

    FileUtils.chmod 0o700, @dir
  else
    FileUtils.mkdir_p @dir, mode: @permissions[:trust_dir]
  end
end