debian-mirror-gitlab/lib/gitlab/email/smime/signer.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

41 lines
1.6 KiB
Ruby
Raw Normal View History

2019-12-04 20:38:33 +05:30
# frozen_string_literal: true
require 'openssl'
module Gitlab
module Email
module Smime
# Tooling for signing and verifying data with SMIME
class Signer
2020-05-24 23:13:21 +05:30
# The `ca_certs` parameter, if provided, is an array of CA certificates
# that will be attached in the signature together with the main `cert`.
# This will be typically intermediate CAs
def self.sign(cert:, key:, ca_certs: nil, data:)
signed_data = OpenSSL::PKCS7.sign(cert, key, data, Array.wrap(ca_certs), OpenSSL::PKCS7::DETACHED)
2020-03-09 13:42:32 +05:30
OpenSSL::PKCS7.write_smime(signed_data)
2019-12-04 20:38:33 +05:30
end
2020-05-24 23:13:21 +05:30
# Return nil if data cannot be verified, otherwise the signed content data
#
# Be careful with the `ca_certs` parameter, it will implicitly trust all the CAs
# in the array by creating a trusted store, stopping validation at the first match
# This is relevant when using intermediate CAs, `ca_certs` should only
# include the trusted, root CA
def self.verify_signature(ca_certs: nil, signed_data:)
2020-03-09 13:42:32 +05:30
store = OpenSSL::X509::Store.new
2019-12-04 20:38:33 +05:30
store.set_default_paths
2020-05-24 23:13:21 +05:30
Array.wrap(ca_certs).compact.each { |ca_cert| store.add_cert(ca_cert) }
2019-12-04 20:38:33 +05:30
2020-03-09 13:42:32 +05:30
signed_smime = OpenSSL::PKCS7.read_smime(signed_data)
2020-05-24 23:13:21 +05:30
# The S/MIME certificate(s) are included in the message and the trusted
# CAs are in the store parameter, so we pass no certs as parameters
# to `PKCS7.verify`
# See https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html
signed_smime if signed_smime.verify(nil, store)
2019-12-04 20:38:33 +05:30
end
end
end
end
end