class Gem::Commands::CertCommand

Public Class Methods

Calls superclass method Gem::Command::new
# File lib/rubygems/commands/cert_command.rb, line 7
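##
# Registers the +cert+ command and every option it accepts. Each option
# handler appends to (or sets) the +options+ hash that #execute later reads;
# the list-valued keys (+:add+, +:remove+, +:list+, +:build+, +:sign+) start
# empty so a subcommand can be repeated on one command line.
#
# Certificate and key files given via -a, -C and -K are opened and validated
# while the command line is parsed, so a bad path or malformed file is
# reported as an option error before any certificate is touched.

def initialize
  super "cert", "Manage RubyGems certificates and signing settings",
        add: [], remove: [], list: [], build: [], sign: []

  add_option("-a", "--add CERT",
             "Add a trusted certificate.") do |cert_file, options|
    options[:add] << open_cert(cert_file)
  end

  add_option("-l", "--list [FILTER]",
             "List trusted certificates where the",
             "subject contains FILTER") do |filter, options|
    # FILTER is optional; an empty filter lists every trusted certificate
    filter ||= ""

    options[:list] << filter
  end

  add_option("-r", "--remove FILTER",
             "Remove trusted certificates where the",
             "subject contains FILTER") do |filter, options|
    options[:remove] << filter
  end

  add_option("-b", "--build EMAIL_ADDR",
             "Build private key and self-signed",
             "certificate for EMAIL_ADDR") do |email_address, options|
    options[:build] << email_address
  end

  add_option("-C", "--certificate CERT",
             "Signing certificate for --sign") do |cert_file, options|
    # both the parsed certificate and its path are kept; the path is passed
    # through to --re-sign
    options[:issuer_cert] = open_cert(cert_file)
    options[:issuer_cert_file] = cert_file
  end

  add_option("-K", "--private-key KEY",
             "Key for --sign or --build") do |key_file, options|
    options[:key] = open_private_key(key_file)
  end

  add_option("-A", "--key-algorithm ALGORITHM",
             "Select which key algorithm to use for --build") do |algorithm, options|
    options[:key_algorithm] = algorithm
  end

  add_option("-s", "--sign CERT",
             "Signs CERT with the key from -K",
             "and the certificate from -C") do |cert_file, options|
    # only the path is recorded here; #sign reads the file when it runs
    raise Gem::OptionParser::InvalidArgument, "#{cert_file}: does not exist" unless
      File.file? cert_file

    options[:sign] << cert_file
  end

  add_option("-d", "--days NUMBER_OF_DAYS",
             "Days before the certificate expires") do |days, options|
    # Integer() rejects non-numeric input and reports it as an option error,
    # whereas String#to_i would silently turn a typo into 0 days
    options[:expiration_length_days] = Integer(days)
  rescue ArgumentError
    raise Gem::OptionParser::InvalidArgument,
      "#{days}: is not a whole number of days"
  end

  add_option("-R", "--re-sign",
             "Re-signs the certificate from -C with the key from -K") do |resign, options|
    options[:resign] = resign
  end
end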

Public Instance Methods

# File lib/rubygems/commands/cert_command.rb, line 138
##
# Builds a private key and a self-signed certificate for +email+, then
# reports where both were written.
#
# Raises Gem::CommandLineError when +email+ is not a well-formed address.
# The key location is only announced when #build_key returned a path
# (presumably nil when no new key file was written — see #build_key).

def build(email)
  raise Gem::CommandLineError, "Invalid email address #{email}" unless valid_email?(email)

  key, key_path = build_key
  cert_path = build_cert(email, key)

  say "Certificate: #{cert_path}"
  return unless key_path

  say "Private Key: #{key_path}"
  say "Don't forget to move the key file to somewhere private!"
end
# File lib/rubygems/commands/cert_command.rb, line 186
##
# Yields each trusted certificate and its path whose subject contains
# +filter+, ordered by subject components. Without a block an Enumerator
# is returned.
#
# The subject is lowercased but +filter+ is compared exactly as given, so a
# filter containing uppercase letters never matches. An empty filter matches
# every certificate (String#index returns 0 for "").

def certificates_matching(filter)
  return enum_for(__method__, filter) unless block_given?

  matching = Gem::Security.trusted_certificates.select do |certificate, _|
    certificate.subject.to_s.downcase.index(filter)
  end

  ordered = matching.sort_by do |certificate, _|
    certificate.subject.to_a.map {|name, data,| [name, data] }
  end

  ordered.each {|certificate, path| yield certificate, path }
end
# File lib/rubygems/commands/cert_command.rb, line 78
##
# Aborts the command with exit status 1 when RubyGems was loaded without
# OpenSSL support (Gem::HAVE_OPENSSL is false); every cert operation needs it.

def check_openssl
  unless Gem::HAVE_OPENSSL
    alert_error "OpenSSL library is required for the cert command"
    terminate_interaction 1
  end
end
# File lib/rubygems/commands/cert_command.rb, line 108
##
# Runs every requested operation in a fixed order: add trusted certificates,
# remove, list, build, then re-sign the -C certificate, and finally sign the
# --sign files. The order does not depend on where the options appeared on
# the command line.

def execute
  check_openssl

  options[:add].each {|certificate| add_certificate certificate }
  options[:remove].each {|filter| remove_certificates_matching filter }
  options[:list].each {|filter| list_certificates_matching filter }
  options[:build].each {|email| build email }

  # whatever -C and -K supplied is passed through unchecked; when either
  # option was omitted the corresponding value is nil
  re_sign_cert(options[:issuer_cert], options[:issuer_cert_file], options[:key]) if options[:resign]

  return if options[:sign].empty?

  sign_certificates
end
# File lib/rubygems/commands/cert_command.rb, line 245
##
# Loads the user's default public certificate (Gem.default_cert_path) into
# options[:issuer_cert]; used when --certificate was not given. A missing or
# unparsable file is reported and the command terminates with status 1.
#
# NOTE(review): the error text names ~/.gem/gem-public_cert.pem literally and
# will be misleading if Gem.default_cert_path resolves somewhere else.

def load_default_cert
  cert_file = File.join(Gem.default_cert_path)
  options[:issuer_cert] = OpenSSL::X509::Certificate.new(File.read(cert_file))
rescue Errno::ENOENT, OpenSSL::X509::CertificateError => e
  problem =
    case e
    when Errno::ENOENT then "does not exist"
    else "is not valid"
    end

  alert_error "--certificate not specified and ~/.gem/gem-public_cert.pem #{problem}"

  terminate_interaction 1
end
# File lib/rubygems/commands/cert_command.rb, line 261
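##
# Loads the user's default private key (Gem.default_key_path) into
# options[:key]; used when --private-key was not given. An encrypted key is
# decrypted with the passphrase from GEM_PRIVATE_KEY_PASSPHRASE (nil when the
# variable is unset), exactly as #open_private_key does.
#
# Mirrors #open_private_key in two respects: the loaded key must actually be
# a private key, and the ArgumentError that OpenSSL::PKey.read raises for
# unrecognised input is handled like a PKeyError instead of escaping as a
# crash. Every failure is reported and the command terminates with status 1.
#
# NOTE(review): the error text names ~/.gem/gem-private_key.pem literally and
# will be misleading if Gem.default_key_path resolves somewhere else.

def load_default_key
  key_file = File.join Gem.default_key_path
  key = File.read key_file
  passphrase = ENV["GEM_PRIVATE_KEY_PASSPHRASE"]
  key = OpenSSL::PKey.read key, passphrase

  # a public key in the private-key location cannot sign anything; report it
  # here rather than at signing time
  unless key.private?
    alert_error \
      "--private-key not specified and ~/.gem/gem-private_key.pem is not a private key"

    terminate_interaction 1
  end

  options[:key] = key
rescue Errno::ENOENT
  alert_error \
    "--private-key not specified and ~/.gem/gem-private_key.pem does not exist"

  terminate_interaction 1
rescue OpenSSL::PKey::PKeyError, ArgumentError
  alert_error \
    "--private-key not specified and ~/.gem/gem-private_key.pem is not valid"

  terminate_interaction 1
end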
# File lib/rubygems/commands/cert_command.rb, line 85
##
# Parses the X509 certificate stored in +certificate_file+ and returns it.
#
# Raises Gem::OptionParser::InvalidArgument — so option parsing reports it
# as a bad argument — when the file is missing or does not parse as a
# certificate. Requires OpenSSL (see #check_openssl).

def open_cert(certificate_file)
  check_openssl
  cert_data = File.read(certificate_file)
  OpenSSL::X509::Certificate.new(cert_data)
rescue Errno::ENOENT
  raise Gem::OptionParser::InvalidArgument, "#{certificate_file}: does not exist"
rescue OpenSSL::X509::CertificateError
  raise Gem::OptionParser::InvalidArgument,
    "#{certificate_file}: invalid X509 certificate"
end
# File lib/rubygems/commands/cert_command.rb, line 95
##
# Reads the private key stored in +key_file+ and returns it. An encrypted
# key is decrypted with the passphrase from GEM_PRIVATE_KEY_PASSPHRASE (nil
# when the variable is unset).
#
# Raises Gem::OptionParser::InvalidArgument when the file does not exist,
# cannot be parsed as an RSA, DSA or EC key (OpenSSL raises either PKeyError
# or ArgumentError for that), or holds only a public key.

def open_private_key(key_file)
  check_openssl
  key_data = File.read(key_file)
  key = OpenSSL::PKey.read(key_data, ENV["GEM_PRIVATE_KEY_PASSPHRASE"])

  return key if key.private?

  raise Gem::OptionParser::InvalidArgument, "#{key_file}: private key not found"
rescue Errno::ENOENT
  raise Gem::OptionParser::InvalidArgument, "#{key_file}: does not exist"
rescue OpenSSL::PKey::PKeyError, ArgumentError
  raise Gem::OptionParser::InvalidArgument, "#{key_file}: invalid RSA, DSA, or EC key"
end
# File lib/rubygems/commands/cert_command.rb, line 312
##
# Re-signs +cert+ (the certificate read from +cert_path+) with +private_key+
# via Gem::Security::Signer.re_sign_cert. The signer yields the path of the
# re-signed certificate and the path where the expired copy was placed; both
# are reported to the user.

def re_sign_cert(cert, cert_path, private_key)
  Gem::Security::Signer.re_sign_cert(cert, cert_path, private_key) do |signed_path, archived_path|
    alert "Your certificate #{signed_path} has been re-signed"
    alert "Your expired certificate will be located at: #{archived_path}"
  end
end
# File lib/rubygems/commands/cert_command.rb, line 290
##
# Signs the certificate stored in +cert_file+ with the issuer certificate
# (-C) and key (-K) held in +options+, writing the result back to
# +cert_file+.
#
# The file's permission bits are captured before signing and handed to
# Gem::Security.write, presumably so the rewritten file keeps the same mode.
# Read and parse errors are not rescued here; --sign already checked that
# the path exists when the option was parsed.

def sign(cert_file)
  cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
  permissions = File.stat(cert_file).mode & 0o777

  signed = Gem::Security.sign(cert, options[:key], options[:issuer_cert])
  Gem::Security.write(signed, cert_file, permissions)
end