class Gem::Security::TrustDir
TrustDir
管理 gem 签名验证的受信任证书。
常量
- DEFAULT_PERMISSIONS
信任目录及其内容的默认权限
属性
dir[R]
将存储受信任证书的目录。
公共类方法
new(dir, permissions = DEFAULT_PERMISSIONS)
使用 dir 创建一个新的 TrustDir,其中目录和文件的权限将根据 permissions 进行检查。
# File rubygems/security/trust_dir.rb, line 25
# Builds a TrustDir rooted at +dir+.
#
# dir         - directory that holds (or will hold) the trusted certificates.
# permissions - hash of file modes; the methods of this class read its
#               :trust_dir and :trusted_cert entries when creating the
#               directory and writing certificate files.
#
# Nothing touches the filesystem here: the directory is only checked or
# created once #verify runs.
def initialize(dir, permissions = DEFAULT_PERMISSIONS)
  @permissions = permissions
  @dir = dir

  # A single digest object is kept around; name_path uses it to turn a
  # certificate name into a file name.
  @digester = Gem::Security.create_digest
end
公共实例方法
cert_path(certificate)
返回受信任的 certificate 的路径。
# File rubygems/security/trust_dir.rb, line 35
# Location inside the trust directory where +certificate+ is (or would be)
# stored. The file name is derived from the certificate's subject through
# name_path; this method does not check that the file exists.
def cert_path(certificate)
  subject = certificate.subject
  name_path(subject)
end
each_certificate() { |certificate, certificate_file| ... }
枚举受信任的证书。
# File rubygems/security/trust_dir.rb, line 42
# Walks every "*.pem" file directly inside the trust directory and yields the
# parsed certificate together with the path it was read from. Called without
# a block, it returns an Enumerator over the same pairs.
#
# Any file matching "*.pem" is enumerated, not only files whose names follow
# the "cert-<digest>.pem" scheme used by name_path, so what counts as trusted
# is decided by who can write to the directory.
#
# Files that fail to parse as X.509 certificates are skipped without any
# message.
# NOTE(review): the rescue also covers the yield, so a CertificateError
# raised inside the caller's block is swallowed the same way.
def each_certificate
  return enum_for(__method__) unless block_given?

  pattern = File.join(@dir, "*.pem")

  Dir[pattern].each do |pem_path|
    begin
      yield load_certificate(pem_path), pem_path
    rescue OpenSSL::X509::CertificateError
      # HACK: warn
      next
    end
  end
end
issuer_of(certificate)
如果信任目录中存在给定 certificate 的颁发者证书,则返回该证书。
# File rubygems/security/trust_dir.rb, line 60
# Looks up the trusted certificate stored under the issuer name of
# +certificate+. Returns the loaded certificate, or nil when the trust
# directory holds no file for that name.
#
# The lookup is by issuer name only. Nothing here checks that the returned
# certificate actually signed +certificate+; callers must verify the
# signature themselves.
def issuer_of(certificate)
  issuer_path = name_path(certificate.issuer)

  File.exist?(issuer_path) ? load_certificate(issuer_path) : nil
end
load_certificate(certificate_file)
加载给定的 certificate_file
# File rubygems/security/trust_dir.rb, line 80
# Reads +certificate_file+ and parses its contents as an X.509 certificate.
#
# Content that cannot be parsed raises OpenSSL::X509::CertificateError
# (each_certificate rescues exactly that); errors from reading the file
# propagate unchanged.
#
# This only parses. It does not check the signature, the validity period or
# whether the certificate should be trusted.
def load_certificate(certificate_file)
  OpenSSL::X509::Certificate.new(File.read(certificate_file))
end
name_path(name)
返回具有给定 ASN.1 name 的受信任证书的路径。
# File rubygems/security/trust_dir.rb, line 71
# Path of the trusted-certificate file for the ASN.1 +name+:
# "<dir>/cert-<hexdigest of name.to_s>.pem".
#
# Only the hex digest of the name goes into the file name, so characters in
# the name itself (slashes, dots, ...) never reach the path.
# NOTE(review): this assumes @digester#hexdigest returns plain hex, as
# standard digest objects do.
def name_path(name)
  hex = @digester.hexdigest(name.to_s)
  file_name = "cert-#{hex}.pem"

  File.join(@dir, file_name)
end
trust_cert(certificate)
将证书添加到受信任的证书列表。
# File rubygems/security/trust_dir.rb, line 89
# Stores +certificate+ (PEM-encoded) in the trust directory, making it a
# trusted certificate.
#
# The trust directory is checked or created first via #verify. The target
# file is opened in "wb" mode, so an existing file for the same subject is
# overwritten.
#
# No check of the certificate itself (signature, validity, issuer) is made
# here; whatever is passed in becomes trusted.
def trust_cert(certificate)
  verify

  target = cert_path(certificate)

  # The file is opened with mode 0600 and only afterwards switched to the
  # configured :trusted_cert mode. Presumably this keeps a newly created
  # file owner-only until its content is written. TODO confirm intent
  File.open(target, "wb", 0o600) do |out|
    out.write(certificate.to_pem)
    out.chmod(@permissions[:trusted_cert])
  end
end
verify()
确保信任目录存在。如果该路径已存在,则确保它确实是一个目录(否则抛出 Gem::Security::Exception),并将其权限设置为 0700;如果该路径不存在,则使用适当的权限创建它。
# File rubygems/security/trust_dir.rb, line 105
# Makes sure the trust directory is usable.
#
# * Path missing: it is created (with parents) using the configured
#   :trust_dir mode.
# * Path exists but is not a directory: raises Gem::Security::Exception.
# * Path is a directory: its mode is reset to 0700.
#
# NOTE(review): the existing-directory branch uses a hard-coded 0o700, not
# @permissions[:trust_dir], so a custom :trust_dir mode only applies when the
# directory is first created.
def verify
  require "fileutils"

  return FileUtils.mkdir_p(@dir, mode: @permissions[:trust_dir]) unless File.exist?(@dir)

  unless File.directory?(@dir)
    raise Gem::Security::Exception, "trust directory #{@dir} is not a directory"
  end

  # Tighten an already existing directory to owner-only access.
  FileUtils.chmod(0o700, @dir)
end