<!DOCTYPE html>

<html>
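<head>
<meta charset="UTF-8">

<title>class Gem::Security::Policy - RDoc Documentation</title>

<!-- Inline configuration consumed by the deferred RDoc scripts below (relative
     prefixes for navigation and search). Because it is inline, serving this
     documentation under a strict Content-Security-Policy script-src requires a
     nonce or hash for this block; the external scripts are same-origin relative
     paths and need nothing extra. -->
<script>
  var rdoc_rel_prefix = "../../";
  var index_rel_prefix = "../../";
</script>

<script src="../../js/navigation.js" defer></script>
<script src="../../js/search.js" defer></script>
<script src="../../js/search_index.js" defer></script>
<script src="../../js/searcher.js" defer></script>
<script src="../../js/darkfish.js" defer></script>

<link href="../../css/fonts.css" rel="stylesheet">
<link href="../../css/rdoc.css" rel="stylesheet">
</head>
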
<body id="top" role="document" class="class">
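<nav role="navigation">
  <div id="project-navigation">
    <!-- Landmark region: aria-label gives it an accessible name directly; the
         title is kept for the tooltip and for older CSS/JS hooks. -->
    <div id="home-section" role="region" aria-label="Quick navigation" title="Quick navigation" class="nav-section">
      <h2>
        <a href="../../index.html" rel="home">Home</a>
      </h2>

      <div id="table-of-contents-navigation">
        <a href="../../table_of_contents.html#pages">Pages</a>
        <a href="../../table_of_contents.html#classes">Classes</a>
        <a href="../../table_of_contents.html#methods">Methods</a>
      </div>
    </div>

    <!-- Client-side search. The form has no server endpoint (action="#"), so a
         submit that is not intercepted by the deferred search.js only reloads
         this page with ?search=… in the query string. -->
    <div id="search-section" role="search" class="project-section initially-hidden">
      <form action="#" method="get" accept-charset="utf-8">
        <div id="search-field-wrapper">
          <input id="search-field" role="combobox" aria-label="Search"
                 aria-autocomplete="list" aria-controls="search-results"
                 type="text" name="search" placeholder="Search" spellcheck="false"
                 title="Type to search, Up and Down to navigate, Enter to load">
        </div>

        <ul id="search-results" aria-label="Search Results"
            aria-busy="false" aria-expanded="false"
            aria-atomic="false" class="initially-hidden"></ul>
      </form>
    </div>
  </div>

  <div id="class-metadata">
    <div id="parent-class-section" class="nav-section">
      <h3>Parent</h3>
      <p class="link"><a href="../../Object.html">Object</a></p>
    </div>

    <div id="includes-section" class="nav-section">
      <h3>Included Modules</h3>
      <ul class="link-list">
        <li><a class="include" href="../UserInteraction.html">Gem::UserInteraction</a></li>
      </ul>
    </div>

    <!-- Method Quickref: each anchor targets the id of a method-detail block in
         <main>. role="directory" is deprecated in WAI-ARIA 1.2 (the <ul> already
         carries list semantics); it is left in place for existing style hooks. -->
    <div id="method-list-section" class="nav-section">
      <h3>Methods</h3>
      <ul class="link-list" role="directory">
        <li><a href="#method-c-new">::new</a></li>
        <li><a href="#method-i-check_cert">#check_cert</a></li>
        <li><a href="#method-i-check_chain">#check_chain</a></li>
        <li><a href="#method-i-check_data">#check_data</a></li>
        <li><a href="#method-i-check_key">#check_key</a></li>
        <li><a href="#method-i-check_root">#check_root</a></li>
        <li><a href="#method-i-check_trust">#check_trust</a></li>
        <li><a href="#method-i-verify">#verify</a></li>
        <li><a href="#method-i-verify_signatures">#verify_signatures</a></li>
      </ul>
    </div>
  </div>
</nav>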

<main role="main" aria-labelledby="class-Gem::Security::Policy">
  <h1 id="class-Gem::Security::Policy" class="class">class Gem::Security::Policy</h1>

  <!-- Class overview as rendered by RDoc from the policy.rb header comment. -->
  <section class="description">
    <p>
      A <a href="Policy.html"><code>Gem::Security::Policy</code></a> object
      encapsulates the settings for verifying signed gem files. This is the
      base class. You can either declare an instance of this or use one of the
      preset security policies in Gem::Security::Policies.
    </p>
  </section>

  
  <section id="5Buntitled-5D" class="documentation-section">
    

    

    

    
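    <!-- Policy flags. All six [RW] flags start as true in ::new ("Default to
         security") and may be overridden per key through the policy hash given
         to ::new; keys other than those six are silently dropped there. -->
    <section class="attribute-method-details method-section">
      <header>
        <h3>Attributes</h3>
      </header>

      <!-- name: the policy name passed to ::new; it is interpolated into the
           error #verify raises for unsigned gems. -->
      <div id="attribute-i-name" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">name</span><span class="attribute-access-type">[R]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <!-- only_signed: read by #check_key (a missing signer or key is tolerated
           only when this is false) and by #verify (a gem with no signatures is
           rejected when this is true). -->
      <div id="attribute-i-only_signed" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">only_signed</span><span class="attribute-access-type">[RW]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <!-- only_trusted: defaults to true; not read by any method shown on this
           page (the body of #verify is truncated here) — presumably gates
           #check_trust; confirm in lib/rubygems/security/policy.rb. -->
      <div id="attribute-i-only_trusted" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">only_trusted</span><span class="attribute-access-type">[RW]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <!-- to_s: reader attribute; what it returns is not shown on this page. -->
      <div id="attribute-i-to_s" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">to_s</span><span class="attribute-access-type">[R]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <!-- verify_chain / verify_data / verify_root / verify_signer: default to
           true. Which check each one gates is decided inside #verify, whose
           body is truncated on this page — presumably #check_chain, #check_data,
           #check_root and #check_cert on the signing certificate respectively;
           confirm in policy.rb before relying on it. -->
      <div id="attribute-i-verify_chain" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">verify_chain</span><span class="attribute-access-type">[RW]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <div id="attribute-i-verify_data" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">verify_data</span><span class="attribute-access-type">[RW]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <div id="attribute-i-verify_root" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">verify_root</span><span class="attribute-access-type">[RW]</span>
        </div>

        <div class="method-description">
        </div>
      </div>

      <div id="attribute-i-verify_signer" class="method-detail">
        <div class="method-heading attribute-method-heading">
          <span class="method-name">verify_signer</span><span class="attribute-access-type">[RW]</span>
        </div>

        <div class="method-description">
        </div>
      </div>
    </section>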
    

    
     <section id="public-class-5Buntitled-5D-method-details" class="method-section">
       <header>
         <h3>Public Class Methods</h3>
       </header>

    
      <div id="method-c-new" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">new</span><span
            class="method-args">(name, policy = {}, opt = {})</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Create a new <a href="Policy.html"><code>Gem::Security::Policy</code></a> object with the given mode and options.</p>
          <!-- From the source below: all six verification flags start as true
               and `policy` may override only those six keys — the case has no
               else branch, so any other key in the hash is dropped without an
               error. `opt` is stored unchanged as @opt; #verify later reads
               opt[:trust_dir] from it. -->
          
          

          
          <div class="method-source-code" id="new-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 27</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">initialize</span>(<span class="ruby-identifier">name</span>, <span class="ruby-identifier">policy</span> = {}, <span class="ruby-identifier">opt</span> = {})
  <span class="ruby-identifier">require</span> <span class="ruby-string">&#39;openssl&#39;</span>

  <span class="ruby-ivar">@name</span> = <span class="ruby-identifier">name</span>

  <span class="ruby-ivar">@opt</span> = <span class="ruby-identifier">opt</span>

  <span class="ruby-comment"># Default to security</span>
  <span class="ruby-ivar">@only_signed</span>   = <span class="ruby-keyword">true</span>
  <span class="ruby-ivar">@only_trusted</span>  = <span class="ruby-keyword">true</span>
  <span class="ruby-ivar">@verify_chain</span>  = <span class="ruby-keyword">true</span>
  <span class="ruby-ivar">@verify_data</span>   = <span class="ruby-keyword">true</span>
  <span class="ruby-ivar">@verify_root</span>   = <span class="ruby-keyword">true</span>
  <span class="ruby-ivar">@verify_signer</span> = <span class="ruby-keyword">true</span>

  <span class="ruby-identifier">policy</span>.<span class="ruby-identifier">each_pair</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">key</span>, <span class="ruby-identifier">val</span><span class="ruby-operator">|</span>
    <span class="ruby-keyword">case</span> <span class="ruby-identifier">key</span>
    <span class="ruby-keyword">when</span> <span class="ruby-value">:verify_data</span>   <span class="ruby-keyword">then</span> <span class="ruby-ivar">@verify_data</span>   = <span class="ruby-identifier">val</span>
    <span class="ruby-keyword">when</span> <span class="ruby-value">:verify_signer</span> <span class="ruby-keyword">then</span> <span class="ruby-ivar">@verify_signer</span> = <span class="ruby-identifier">val</span>
    <span class="ruby-keyword">when</span> <span class="ruby-value">:verify_chain</span>  <span class="ruby-keyword">then</span> <span class="ruby-ivar">@verify_chain</span>  = <span class="ruby-identifier">val</span>
    <span class="ruby-keyword">when</span> <span class="ruby-value">:verify_root</span>   <span class="ruby-keyword">then</span> <span class="ruby-ivar">@verify_root</span>   = <span class="ruby-identifier">val</span>
    <span class="ruby-keyword">when</span> <span class="ruby-value">:only_trusted</span>  <span class="ruby-keyword">then</span> <span class="ruby-ivar">@only_trusted</span>  = <span class="ruby-identifier">val</span>
    <span class="ruby-keyword">when</span> <span class="ruby-value">:only_signed</span>   <span class="ruby-keyword">then</span> <span class="ruby-ivar">@only_signed</span>   = <span class="ruby-identifier">val</span>
    <span class="ruby-keyword">end</span>
  <span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
    </section>
  
     <section id="public-instance-5Buntitled-5D-method-details" class="method-section">
       <header>
         <h3>Public Instance Methods</h3>
       </header>

    
      <div id="method-i-check_cert" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">check_cert</span><span
            class="method-args">(signer, issuer, time)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Ensures that <code>signer</code> is valid for <code>time</code> and was signed by the <code>issuer</code>. If the <code>issuer</code> is <code>nil</code> no verification is performed.</p>
          <!-- Order of checks in the source below: a nil signer raises; then the
               validity window raises if not_before > time or not_after < time;
               then, only when issuer is non-nil, the signer's signature is
               verified with issuer.public_key. Returns true otherwise. A nil
               issuer therefore skips the signature check entirely — the caller
               decides whether that is acceptable (compare #check_root, which
               passes the root as its own issuer). -->
          
          

          
          <div class="method-source-code" id="check_cert-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 88</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">check_cert</span>(<span class="ruby-identifier">signer</span>, <span class="ruby-identifier">issuer</span>, <span class="ruby-identifier">time</span>)
  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing signing certificate&#39;</span> <span class="ruby-keyword">unless</span>
    <span class="ruby-identifier">signer</span>

  <span class="ruby-identifier">message</span> = <span class="ruby-node">&quot;certificate #{signer.subject}&quot;</span>

  <span class="ruby-keyword">if</span> <span class="ruby-identifier">not_before</span> = <span class="ruby-identifier">signer</span>.<span class="ruby-identifier">not_before</span> <span class="ruby-keyword">and</span> <span class="ruby-identifier">not_before</span> <span class="ruby-operator">&gt;</span> <span class="ruby-identifier">time</span>
    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>,
          <span class="ruby-node">&quot;#{message} not valid before #{not_before}&quot;</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-keyword">if</span> <span class="ruby-identifier">not_after</span> = <span class="ruby-identifier">signer</span>.<span class="ruby-identifier">not_after</span> <span class="ruby-keyword">and</span> <span class="ruby-identifier">not_after</span> <span class="ruby-operator">&lt;</span> <span class="ruby-identifier">time</span>
    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-node">&quot;#{message} not valid after #{not_after}&quot;</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-keyword">if</span> <span class="ruby-identifier">issuer</span> <span class="ruby-keyword">and</span> <span class="ruby-keyword">not</span> <span class="ruby-identifier">signer</span>.<span class="ruby-identifier">verify</span> <span class="ruby-identifier">issuer</span>.<span class="ruby-identifier">public_key</span>
    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>,
          <span class="ruby-node">&quot;#{message} was not issued by #{issuer.subject}&quot;</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-keyword">true</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-check_chain" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">check_chain</span><span
            class="method-args">(chain, time)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Verifies each certificate in <code>chain</code> has signed the following certificate and is valid for the given <code>time</code>.</p>
          <!-- each_cons(2) pairs every adjacent (issuer, cert) and delegates to
               #check_cert, so each link is validated against its predecessor. A
               one-element chain yields no pairs and passes without any check —
               the root itself is validated only by #check_root. A
               Gem::Security::Exception from #check_cert is re-raised with an
               "invalid signing chain:" prefix. -->
          
          

          
          <div class="method-source-code" id="check_chain-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 58</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">check_chain</span>(<span class="ruby-identifier">chain</span>, <span class="ruby-identifier">time</span>)
  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing signing chain&#39;</span> <span class="ruby-keyword">unless</span> <span class="ruby-identifier">chain</span>
  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;empty signing chain&#39;</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">chain</span>.<span class="ruby-identifier">empty?</span>

  <span class="ruby-keyword">begin</span>
    <span class="ruby-identifier">chain</span>.<span class="ruby-identifier">each_cons</span> <span class="ruby-value">2</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">issuer</span>, <span class="ruby-identifier">cert</span><span class="ruby-operator">|</span>
      <span class="ruby-identifier">check_cert</span> <span class="ruby-identifier">cert</span>, <span class="ruby-identifier">issuer</span>, <span class="ruby-identifier">time</span>
    <span class="ruby-keyword">end</span>

    <span class="ruby-keyword">true</span>
  <span class="ruby-keyword">rescue</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span> <span class="ruby-operator">=&gt;</span> <span class="ruby-identifier">e</span>
    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-node">&quot;invalid signing chain: #{e.message}&quot;</span>
  <span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-check_data" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">check_data</span><span
            class="method-args">(public_key, digest, signature, data)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Verifies that <code>data</code> matches the <code>signature</code> created by <code>public_key</code> and the <code>digest</code> algorithm.</p>
          <!-- Delegates to public_key.verify(digest.new, signature, data.digest).
               `data` is expected to respond to #digest — presumably an
               already-fed digest object rather than raw bytes; confirm against
               the caller in #verify. Raises "invalid signature" on mismatch,
               otherwise returns true. -->
          
          

          
          <div class="method-source-code" id="check_data-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 77</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">check_data</span>(<span class="ruby-identifier">public_key</span>, <span class="ruby-identifier">digest</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">data</span>)
  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&quot;invalid signature&quot;</span> <span class="ruby-keyword">unless</span>
    <span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">verify</span> <span class="ruby-identifier">digest</span>.<span class="ruby-identifier">new</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">data</span>.<span class="ruby-identifier">digest</span>

  <span class="ruby-keyword">true</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-check_key" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">check_key</span><span
            class="method-args">(signer, key)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Ensures the public key of <code>key</code> matches the public key in <code>signer</code></p>
          <!-- When signer or key is nil the check is skipped and true is
               returned unless @only_signed is set, in which case it raises; so
               under a permissive policy a gem with no key passes this step.
               With both present, the PEM encodings of the two public keys must
               be identical. -->
          
          

          
          <div class="method-source-code" id="check_key-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 114</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">check_key</span>(<span class="ruby-identifier">signer</span>, <span class="ruby-identifier">key</span>)
  <span class="ruby-keyword">unless</span> <span class="ruby-identifier">signer</span> <span class="ruby-keyword">and</span> <span class="ruby-identifier">key</span>
    <span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">unless</span> <span class="ruby-ivar">@only_signed</span>

    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing key or signature&#39;</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>,
    <span class="ruby-node">&quot;certificate #{signer.subject} does not match the signing key&quot;</span> <span class="ruby-keyword">unless</span>
      <span class="ruby-identifier">signer</span>.<span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">to_pem</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">key</span>.<span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">to_pem</span>

  <span class="ruby-keyword">true</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-check_root" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">check_root</span><span
            class="method-args">(chain, time)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Ensures the root certificate in <code>chain</code> is self-signed and valid for <code>time</code>.</p>
          <!-- "Self-signed" is decided by comparing issuer.to_s with subject.to_s
               on chain.first (a string comparison, see the HACK comment in the
               source). The self-signature and the validity window are then
               checked by #check_cert with the root passed as its own issuer;
               that call's result (true) is what this method returns. -->
          
          

          
          <div class="method-source-code" id="check_root-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 132</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">check_root</span>(<span class="ruby-identifier">chain</span>, <span class="ruby-identifier">time</span>)
  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing signing chain&#39;</span> <span class="ruby-keyword">unless</span> <span class="ruby-identifier">chain</span>

  <span class="ruby-identifier">root</span> = <span class="ruby-identifier">chain</span>.<span class="ruby-identifier">first</span>

  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing root certificate&#39;</span> <span class="ruby-keyword">unless</span> <span class="ruby-identifier">root</span>

  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>,
        <span class="ruby-node">&quot;root certificate #{root.subject} is not self-signed &quot;</span> <span class="ruby-operator">+</span>
        <span class="ruby-node">&quot;(issuer #{root.issuer})&quot;</span> <span class="ruby-keyword">if</span>
    <span class="ruby-identifier">root</span>.<span class="ruby-identifier">issuer</span>.<span class="ruby-identifier">to_s</span> <span class="ruby-operator">!=</span> <span class="ruby-identifier">root</span>.<span class="ruby-identifier">subject</span>.<span class="ruby-identifier">to_s</span> <span class="ruby-comment"># HACK to_s is for ruby 1.8</span>

  <span class="ruby-identifier">check_cert</span> <span class="ruby-identifier">root</span>, <span class="ruby-identifier">root</span>, <span class="ruby-identifier">time</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-check_trust" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">check_trust</span><span
            class="method-args">(chain, digester, trust_dir)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Ensures the root of <code>chain</code> has a trusted certificate in <code>trust_dir</code> and the digests of the two certificates match according to <code>digester</code></p>
          <!-- The trust_dir parameter is not read anywhere in the source below:
               the trusted certificate path comes from
               Gem::Security.trust_dir.cert_path(root), i.e. the global trust
               directory, so passing a different directory has no effect. What is
               compared is digester.digest of each certificate's public_key.to_s
               (trusted file vs chain root), not a digest of the certificates
               themselves as the description above suggests. The trusted file is
               read with File.read and parsed as an OpenSSL::X509::Certificate;
               a missing file raises "root cert … is not trusted". -->
          
          

          
          <div class="method-source-code" id="check_trust-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 151</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">check_trust</span>(<span class="ruby-identifier">chain</span>, <span class="ruby-identifier">digester</span>, <span class="ruby-identifier">trust_dir</span>)
  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing signing chain&#39;</span> <span class="ruby-keyword">unless</span> <span class="ruby-identifier">chain</span>

  <span class="ruby-identifier">root</span> = <span class="ruby-identifier">chain</span>.<span class="ruby-identifier">first</span>

  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;missing root certificate&#39;</span> <span class="ruby-keyword">unless</span> <span class="ruby-identifier">root</span>

  <span class="ruby-identifier">path</span> = <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span>.<span class="ruby-identifier">trust_dir</span>.<span class="ruby-identifier">cert_path</span> <span class="ruby-identifier">root</span>

  <span class="ruby-keyword">unless</span> <span class="ruby-constant">File</span>.<span class="ruby-identifier">exist?</span> <span class="ruby-identifier">path</span>
    <span class="ruby-identifier">message</span> = <span class="ruby-node">&quot;root cert #{root.subject} is not trusted&quot;</span>.<span class="ruby-identifier">dup</span>

    <span class="ruby-identifier">message</span> <span class="ruby-operator">&lt;&lt;</span> <span class="ruby-node">&quot; (root of signing cert #{chain.last.subject})&quot;</span> <span class="ruby-keyword">if</span>
      <span class="ruby-identifier">chain</span>.<span class="ruby-identifier">length</span> <span class="ruby-operator">&gt;</span> <span class="ruby-value">1</span>

    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-identifier">message</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-identifier">save_cert</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Certificate</span>.<span class="ruby-identifier">new</span> <span class="ruby-constant">File</span>.<span class="ruby-identifier">read</span> <span class="ruby-identifier">path</span>
  <span class="ruby-identifier">save_dgst</span> = <span class="ruby-identifier">digester</span>.<span class="ruby-identifier">digest</span> <span class="ruby-identifier">save_cert</span>.<span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">to_s</span>

  <span class="ruby-identifier">pkey_str</span> = <span class="ruby-identifier">root</span>.<span class="ruby-identifier">public_key</span>.<span class="ruby-identifier">to_s</span>
  <span class="ruby-identifier">cert_dgst</span> = <span class="ruby-identifier">digester</span>.<span class="ruby-identifier">digest</span> <span class="ruby-identifier">pkey_str</span>

  <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>,
        <span class="ruby-node">&quot;trusted root certificate #{root.subject} checksum &quot;</span> <span class="ruby-operator">+</span>
        <span class="ruby-string">&quot;does not match signing root certificate checksum&quot;</span> <span class="ruby-keyword">unless</span>
    <span class="ruby-identifier">save_dgst</span> <span class="ruby-operator">==</span> <span class="ruby-identifier">cert_dgst</span>

  <span class="ruby-keyword">true</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-verify" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">verify</span><span
            class="method-args">(chain, key = nil, digests = {}, signatures = {}, full_name = &#39;(unknown)&#39;)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>For <code>full_name</code>, verifies the certificate <code>chain</code> is valid, the <code>digests</code> match the signatures <code>signatures</code> created by the signer depending on the <code>policy</code> settings.</p>

<p>If <code>key</code> is given it is used to validate the signing certificate.</p>
          
          

          
          <div class="method-source-code" id="verify-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 211</span>
<span class="ruby-comment"># Returns true when every policy-enabled check passes, nil when an unsigned</span>
<span class="ruby-comment"># gem is merely warned about (bare return below), and raises</span>
<span class="ruby-comment"># Gem::Security::Exception when a check in this method fails.</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">verify</span>(<span class="ruby-identifier">chain</span>, <span class="ruby-identifier">key</span> = <span class="ruby-keyword">nil</span>, <span class="ruby-identifier">digests</span> = {}, <span class="ruby-identifier">signatures</span> = {},
           <span class="ruby-identifier">full_name</span> = <span class="ruby-string">&#39;(unknown)&#39;</span>)
  <span class="ruby-comment"># Unsigned gem: fatal under only_signed; if there are no digests either,</span>
  <span class="ruby-comment"># there is nothing to check so fall through to the certificate checks;</span>
  <span class="ruby-comment"># otherwise warn and stop here (note: returns nil, not true).</span>
  <span class="ruby-keyword">if</span> <span class="ruby-identifier">signatures</span>.<span class="ruby-identifier">empty?</span>
    <span class="ruby-keyword">if</span> <span class="ruby-ivar">@only_signed</span>
      <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>,
        <span class="ruby-node">&quot;unsigned gems are not allowed by the #{name} policy&quot;</span>
    <span class="ruby-keyword">elsif</span> <span class="ruby-identifier">digests</span>.<span class="ruby-identifier">empty?</span>
      <span class="ruby-comment"># lack of signatures is irrelevant if there is nothing to check</span>
      <span class="ruby-comment"># against</span>
    <span class="ruby-keyword">else</span>
      <span class="ruby-identifier">alert_warning</span> <span class="ruby-node">&quot;#{full_name} is not signed&quot;</span>
      <span class="ruby-keyword">return</span>
    <span class="ruby-keyword">end</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-identifier">opt</span>       = <span class="ruby-ivar">@opt</span>
  <span class="ruby-identifier">digester</span>  = <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">DIGEST_ALGORITHM</span>
  <span class="ruby-identifier">trust_dir</span> = <span class="ruby-identifier">opt</span>[<span class="ruby-value">:trust_dir</span>]
  <span class="ruby-identifier">time</span>      = <span class="ruby-constant">Time</span>.<span class="ruby-identifier">now</span>

  <span class="ruby-comment"># Select the digest set whose algorithm is Gem::Security::DIGEST_NAME by</span>
  <span class="ruby-comment"># probing the first file digest of each set. find yields nil when no set</span>
  <span class="ruby-comment"># matches, so signer_digests may be nil here. NOTE(review): a digests</span>
  <span class="ruby-comment"># entry with no file digests would make values.first nil and raise</span>
  <span class="ruby-comment"># NoMethodError instead of Gem::Security::Exception - presumably callers</span>
  <span class="ruby-comment"># never build such an entry; confirm at the call site.</span>
  <span class="ruby-identifier">_</span>, <span class="ruby-identifier">signer_digests</span> = <span class="ruby-identifier">digests</span>.<span class="ruby-identifier">find</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">algorithm</span>, <span class="ruby-identifier">file_digests</span><span class="ruby-operator">|</span>
    <span class="ruby-identifier">file_digests</span>.<span class="ruby-identifier">values</span>.<span class="ruby-identifier">first</span>.<span class="ruby-identifier">name</span> <span class="ruby-operator">==</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">DIGEST_NAME</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-comment"># With verify_data enabled the matching digest set is mandatory. Without</span>
  <span class="ruby-comment"># it no digests are kept, so no per-file signature is checked below and,</span>
  <span class="ruby-comment"># as written, any signature entry then trips the missing-digest check.</span>
  <span class="ruby-keyword">if</span> <span class="ruby-ivar">@verify_data</span>
    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-string">&#39;no digests provided (probable bug)&#39;</span> <span class="ruby-keyword">if</span>
      <span class="ruby-identifier">signer_digests</span>.<span class="ruby-identifier">nil?</span> <span class="ruby-keyword">or</span> <span class="ruby-identifier">signer_digests</span>.<span class="ruby-identifier">empty?</span>
  <span class="ruby-keyword">else</span>
    <span class="ruby-identifier">signer_digests</span> = {}
  <span class="ruby-keyword">end</span>

  <span class="ruby-comment"># The signing certificate is the last entry of the chain. Nothing here</span>
  <span class="ruby-comment"># guards against an empty chain: signer would be nil and the calls below</span>
  <span class="ruby-comment"># would presumably fail with NoMethodError rather than a policy error.</span>
  <span class="ruby-identifier">signer</span> = <span class="ruby-identifier">chain</span>.<span class="ruby-identifier">last</span>

  <span class="ruby-comment"># Certificate checks, each gated by its policy flag; see the individual</span>
  <span class="ruby-comment"># helpers for exactly what each one validates and raises.</span>
  <span class="ruby-identifier">check_key</span> <span class="ruby-identifier">signer</span>, <span class="ruby-identifier">key</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">key</span>

  <span class="ruby-identifier">check_cert</span> <span class="ruby-identifier">signer</span>, <span class="ruby-keyword">nil</span>, <span class="ruby-identifier">time</span> <span class="ruby-keyword">if</span> <span class="ruby-ivar">@verify_signer</span>

  <span class="ruby-identifier">check_chain</span> <span class="ruby-identifier">chain</span>, <span class="ruby-identifier">time</span> <span class="ruby-keyword">if</span> <span class="ruby-ivar">@verify_chain</span>

  <span class="ruby-identifier">check_root</span> <span class="ruby-identifier">chain</span>, <span class="ruby-identifier">time</span> <span class="ruby-keyword">if</span> <span class="ruby-ivar">@verify_root</span>

  <span class="ruby-comment"># Trust: only only_trusted policies require the chain to be anchored in</span>
  <span class="ruby-comment"># trust_dir. Otherwise an untrusted signer is merely a warning, so the</span>
  <span class="ruby-comment"># signature checks below prove integrity relative to the signing key but</span>
  <span class="ruby-comment"># say nothing about who holds it - any self-signed certificate passes.</span>
  <span class="ruby-keyword">if</span> <span class="ruby-ivar">@only_trusted</span>
    <span class="ruby-identifier">check_trust</span> <span class="ruby-identifier">chain</span>, <span class="ruby-identifier">digester</span>, <span class="ruby-identifier">trust_dir</span>
  <span class="ruby-keyword">elsif</span> <span class="ruby-identifier">signatures</span>.<span class="ruby-identifier">empty?</span> <span class="ruby-keyword">and</span> <span class="ruby-identifier">digests</span>.<span class="ruby-identifier">empty?</span>
    <span class="ruby-comment"># trust is irrelevant if there&#39;s no signatures to verify</span>
  <span class="ruby-keyword">else</span>
    <span class="ruby-identifier">alert_warning</span> <span class="ruby-node">&quot;#{subject signer} is not trusted for #{full_name}&quot;</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-comment"># Every signed file must have a digest to check against ...</span>
  <span class="ruby-identifier">signatures</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">file</span>, <span class="ruby-identifier">_</span><span class="ruby-operator">|</span>
    <span class="ruby-identifier">digest</span> = <span class="ruby-identifier">signer_digests</span>[<span class="ruby-identifier">file</span>]

    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-node">&quot;missing digest for #{file}&quot;</span> <span class="ruby-keyword">unless</span>
      <span class="ruby-identifier">digest</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-comment"># ... and every digested file must be signed; each signature is then</span>
  <span class="ruby-comment"># verified over its digest with the signing certificate public key. The</span>
  <span class="ruby-comment"># digests come from the caller and are not recomputed here.</span>
  <span class="ruby-identifier">signer_digests</span>.<span class="ruby-identifier">each</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">file</span>, <span class="ruby-identifier">digest</span><span class="ruby-operator">|</span>
    <span class="ruby-identifier">signature</span> = <span class="ruby-identifier">signatures</span>[<span class="ruby-identifier">file</span>]

    <span class="ruby-identifier">raise</span> <span class="ruby-constant">Gem</span><span class="ruby-operator">::</span><span class="ruby-constant">Security</span><span class="ruby-operator">::</span><span class="ruby-constant">Exception</span>, <span class="ruby-node">&quot;missing signature for #{file}&quot;</span> <span class="ruby-keyword">unless</span>
      <span class="ruby-identifier">signature</span>

    <span class="ruby-identifier">check_data</span> <span class="ruby-identifier">signer</span>.<span class="ruby-identifier">public_key</span>, <span class="ruby-identifier">digester</span>, <span class="ruby-identifier">signature</span>, <span class="ruby-identifier">digest</span> <span class="ruby-keyword">if</span> <span class="ruby-ivar">@verify_data</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-keyword">true</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
      <div id="method-i-verify_signatures" class="method-detail ">
        
        <div class="method-heading">
          <span class="method-name">verify_signatures</span><span
            class="method-args">(spec, digests, signatures)</span>
          
          <span class="method-click-advice">click to toggle source</span>
          
        </div>
        

        <div class="method-description">
          
          <p>Extracts the certificate chain from the <code>spec</code> (parsing each PEM entry of <code>cert_chain</code> with OpenSSL) and calls <a href="Policy.html#method-i-verify"><code>verify</code></a> to ensure the signatures and certificate chain are valid according to the policy. No signing key is passed to <code>verify</code>, and this method always returns <code>true</code>; failures are reported solely through exceptions.</p>
          
          

          
          <div class="method-source-code" id="verify_signatures-source">
            <pre><span class="ruby-comment"># File lib/rubygems/security/policy.rb, line 283</span>
<span class="ruby-comment"># Builds the X.509 chain from the PEM strings in spec.cert_chain and</span>
<span class="ruby-comment"># delegates to verify with no explicit key. Always returns true: the</span>
<span class="ruby-comment"># result of verify (nil on the warned unsigned path) is discarded, so</span>
<span class="ruby-comment"># failure is signalled only by an exception.</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">verify_signatures</span>(<span class="ruby-identifier">spec</span>, <span class="ruby-identifier">digests</span>, <span class="ruby-identifier">signatures</span>)
  <span class="ruby-comment"># OpenSSL parses each PEM here, so a malformed certificate in the gem</span>
  <span class="ruby-comment"># would surface as an OpenSSL error rather than Gem::Security::Exception.</span>
  <span class="ruby-identifier">chain</span> = <span class="ruby-identifier">spec</span>.<span class="ruby-identifier">cert_chain</span>.<span class="ruby-identifier">map</span> <span class="ruby-keyword">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">cert_pem</span><span class="ruby-operator">|</span>
    <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">X509</span><span class="ruby-operator">::</span><span class="ruby-constant">Certificate</span>.<span class="ruby-identifier">new</span> <span class="ruby-identifier">cert_pem</span>
  <span class="ruby-keyword">end</span>

  <span class="ruby-identifier">verify</span> <span class="ruby-identifier">chain</span>, <span class="ruby-keyword">nil</span>, <span class="ruby-identifier">digests</span>, <span class="ruby-identifier">signatures</span>, <span class="ruby-identifier">spec</span>.<span class="ruby-identifier">full_name</span>

  <span class="ruby-keyword">true</span>
<span class="ruby-keyword">end</span></pre>
          </div>
          
        </div>

        

        
      </div>

    
    </section>
  
  </section>

</main>

