From 8161cf85ba4f9091176536bcac9107879e4293a1 Mon Sep 17 00:00:00 2001 From: Bart de Water <496367+bdewater@users.noreply.github.com> Date: Sun, 28 Jun 2020 14:39:26 -0400 Subject: [PATCH] Stop using deprecated OpenSSL::Digest constants --- lib/rubygems/package.rb | 7 +--- lib/rubygems/package/tar_writer.rb | 5 +-- lib/rubygems/security.rb | 41 +++++++++++--------- lib/rubygems/security/policy.rb | 4 +- lib/rubygems/security/signer.rb | 2 +- lib/rubygems/security/trust_dir.rb | 2 +- test/rubygems/test_gem_package.rb | 2 +- test/rubygems/test_gem_package_tar_writer.rb | 4 +- test/rubygems/test_gem_security_policy.rb | 12 +++--- test/rubygems/test_gem_security_trust_dir.rb | 4 +- 10 files changed, 40 insertions(+), 43 deletions(-) diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb index 426d33cdcf..53ae696e97 100644 --- a/lib/rubygems/package.rb +++ b/lib/rubygems/package.rb @@ -358,12 +358,7 @@ EOM end algorithms.each do |algorithm| - digester = - if defined?(OpenSSL::Digest) - OpenSSL::Digest.new algorithm - else - Digest.const_get(algorithm).new - end + digester = Gem::Security.create_digest(algorithm) digester << entry.read(16384) until entry.eof? diff --git a/lib/rubygems/package/tar_writer.rb b/lib/rubygems/package/tar_writer.rb index 87c7dc6076..3abfb0ca2c 100644 --- a/lib/rubygems/package/tar_writer.rb +++ b/lib/rubygems/package/tar_writer.rb @@ -140,8 +140,7 @@ class Gem::Package::TarWriter if digest.respond_to? :name digest.name else - /::([^:]+)$/ =~ digest_algorithm.name - $1 + digest_algorithm.class.name[/::([^:]+)\z/, 1] end [digest_name, digest] @@ -169,7 +168,7 @@ class Gem::Package::TarWriter def add_file_signed(name, mode, signer) digest_algorithms = [ signer.digest_algorithm, - Digest::SHA512, + Digest::SHA512.new, ].compact.uniq digests = add_file_digest name, mode, digest_algorithms do |io| diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb index 8c86896fef..64fb4c0f83 100644 --- a/lib/rubygems/security.rb +++ b/lib/rubygems/security.rb @@ -338,27 +338,16 @@ module Gem::Security class Exception < Gem::Exception; end - ## - # Digest algorithm used to sign gems - - DIGEST_ALGORITHM = - if defined?(OpenSSL::Digest::SHA256) - OpenSSL::Digest::SHA256 - elsif defined?(OpenSSL::Digest::SHA1) - OpenSSL::Digest::SHA1 - else - require 'digest' - Digest::SHA512 - end - ## # Used internally to select the signing digest from all computed digests DIGEST_NAME = # :nodoc: - if DIGEST_ALGORITHM.method_defined? :name - DIGEST_ALGORITHM.new.name + if defined?(OpenSSL::Digest::SHA256) + 'SHA256' + elsif defined?(OpenSSL::Digest::SHA1) + 'SHA1' else - DIGEST_ALGORITHM.name[/::([^:]+)\z/, 1] + 'SHA512' end ## @@ -467,6 +456,22 @@ module Gem::Security sign certificate, key, certificate, age, extensions, serial end + ## + # Creates a new digest instance using the specified +algorithm+. The default + # is SHA256. + + if defined?(OpenSSL::Digest) + def self.create_digest(algorithm = DIGEST_NAME) + OpenSSL::Digest.new(algorithm) + end + else + require 'digest' + + def self.create_digest(algorithm = DIGEST_NAME) + Digest.const_get(algorithm).new + end + end + ## # Creates a new key pair of the specified +length+ and +algorithm+. The # default is a 3072 bit RSA key. @@ -528,7 +533,7 @@ module Gem::Security ## # Sign the public key from +certificate+ with the +signing_key+ and - # +signing_cert+, using the Gem::Security::DIGEST_ALGORITHM. Uses the + # +signing_cert+, using the Gem::Security::DIGEST_NAME. Uses the # default certificate validity range and extensions. # # Returns the newly signed certificate. @@ -555,7 +560,7 @@ module Gem::Security signed = create_cert signee_subject, signee_key, age, extensions, serial signed.issuer = signing_cert.subject - signed.sign signing_key, Gem::Security::DIGEST_ALGORITHM.new + signed.sign signing_key, Gem::Security::DIGEST_NAME end ## diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb index 0783fe326f..db457f1ff9 100644 --- a/lib/rubygems/security/policy.rb +++ b/lib/rubygems/security/policy.rb @@ -75,7 +75,7 @@ class Gem::Security::Policy def check_data(public_key, digest, signature, data) raise Gem::Security::Exception, "invalid signature" unless - public_key.verify digest.new, signature, data.digest + public_key.verify digest, signature, data.digest true end @@ -223,7 +223,7 @@ class Gem::Security::Policy end opt = @opt - digester = Gem::Security::DIGEST_ALGORITHM + digester = Gem::Security.create_digest trust_dir = opt[:trust_dir] time = Time.now diff --git a/lib/rubygems/security/signer.rb b/lib/rubygems/security/signer.rb index d1da3f2766..89200f9e38 100644 --- a/lib/rubygems/security/signer.rb +++ b/lib/rubygems/security/signer.rb @@ -80,8 +80,8 @@ class Gem::Security::Signer @cert_chain = [default_cert] if File.exist? default_cert end - @digest_algorithm = Gem::Security::DIGEST_ALGORITHM @digest_name = Gem::Security::DIGEST_NAME + @digest_algorithm = Gem::Security.create_digest(@digest_name) if @key && !@key.is_a?(OpenSSL::PKey::RSA) @key = OpenSSL::PKey::RSA.new(File.read(@key), @passphrase) diff --git a/lib/rubygems/security/trust_dir.rb b/lib/rubygems/security/trust_dir.rb index 9016b0c92e..1d93ceabd1 100644 --- a/lib/rubygems/security/trust_dir.rb +++ b/lib/rubygems/security/trust_dir.rb @@ -25,7 +25,7 @@ class Gem::Security::TrustDir @dir = dir @permissions = permissions - @digester = Gem::Security::DIGEST_ALGORITHM + @digester = Gem::Security.create_digest end ## diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb index adf11a1941..3a97a85a74 100644 --- a/test/rubygems/test_gem_package.rb +++ b/test/rubygems/test_gem_package.rb @@ -1018,7 +1018,7 @@ class TestGemPackage < Gem::Package::TarTestCase bogus_data = Gem::Util.gzip 'hello' fake_signer = Class.new do def digest_name; 'SHA512'; end - def digest_algorithm; Digest(:SHA512); end + def digest_algorithm; Digest(:SHA512).new; end def key; 'key'; end def sign(*); 'fake_sig'; end end diff --git a/test/rubygems/test_gem_package_tar_writer.rb b/test/rubygems/test_gem_package_tar_writer.rb index 9a3feca269..e31efdd55f 100644 --- a/test/rubygems/test_gem_package_tar_writer.rb +++ b/test/rubygems/test_gem_package_tar_writer.rb @@ -71,7 +71,7 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase end def test_add_file_digest - digest_algorithms = Digest::SHA1, Digest::SHA512 + digest_algorithms = Digest::SHA1.new, Digest::SHA512.new Time.stub :now, Time.at(1458518157) do digests = @tar_writer.add_file_digest 'x', 0644, digest_algorithms do |io| @@ -94,7 +94,7 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase end def test_add_file_digest_multiple - digest_algorithms = [Digest::SHA1, Digest::SHA512] + digest_algorithms = [Digest::SHA1.new, Digest::SHA512.new] Time.stub :now, Time.at(1458518157) do digests = @tar_writer.add_file_digest 'x', 0644, digest_algorithms do |io| diff --git a/test/rubygems/test_gem_security_policy.rb b/test/rubygems/test_gem_security_policy.rb index 4d5d9bbe33..86100d7c74 100644 --- a/test/rubygems/test_gem_security_policy.rb +++ b/test/rubygems/test_gem_security_policy.rb @@ -32,7 +32,7 @@ class TestGemSecurityPolicy < Gem::TestCase s.files = %w[lib/code.rb] end - @digest = Gem::Security::DIGEST_ALGORITHM + @digest = OpenSSL::Digest.new Gem::Security::DIGEST_NAME @trust_dir = Gem::Security.trust_dir.dir # HACK use the object @no = Gem::Security::NoSecurity @@ -395,13 +395,11 @@ class TestGemSecurityPolicy < Gem::TestCase def test_verify_wrong_digest_type Gem::Security.trust_dir.trust_cert PUBLIC_CERT - sha512 = OpenSSL::Digest::SHA512 - - data = sha512.new + data = OpenSSL::Digest.new('SHA512') data << 'hello' digests = { 'SHA512' => { 0 => data } } - signature = PRIVATE_KEY.sign sha512.new, data.digest + signature = PRIVATE_KEY.sign 'sha512', data.digest signatures = { 0 => signature } e = assert_raises Gem::Security::Exception do @@ -480,7 +478,7 @@ class TestGemSecurityPolicy < Gem::TestCase def s.full_name() 'metadata.gz' end digests = package.digest s - digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.new 'hello' + digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.hexdigest 'hello' metadata_gz_digest = digests[Gem::Security::DIGEST_NAME]['metadata.gz'] @@ -509,7 +507,7 @@ class TestGemSecurityPolicy < Gem::TestCase def s.full_name() 'metadata.gz' end digests = package.digest s - digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.new 'hello' + digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.hexdigest 'hello' assert_raises Gem::Security::Exception do @high.verify_signatures @spec, digests, {} diff --git a/test/rubygems/test_gem_security_trust_dir.rb b/test/rubygems/test_gem_security_trust_dir.rb index 9a40f85eb6..64871f7bd3 100644 --- a/test/rubygems/test_gem_security_trust_dir.rb +++ b/test/rubygems/test_gem_security_trust_dir.rb @@ -17,7 +17,7 @@ class TestGemSecurityTrustDir < Gem::TestCase end def test_cert_path - digest = Gem::Security::DIGEST_ALGORITHM.hexdigest PUBLIC_CERT.subject.to_s + digest = OpenSSL::Digest.hexdigest Gem::Security::DIGEST_NAME, PUBLIC_CERT.subject.to_s expected = File.join @dest_dir, "cert-#{digest}.pem" @@ -41,7 +41,7 @@ class TestGemSecurityTrustDir < Gem::TestCase end def test_name_path - digest = Gem::Security::DIGEST_ALGORITHM.hexdigest PUBLIC_CERT.subject.to_s + digest = OpenSSL::Digest.hexdigest Gem::Security::DIGEST_NAME, PUBLIC_CERT.subject.to_s expected = File.join @dest_dir, "cert-#{digest}.pem"