PageRenderTime 47ms CodeModel.GetById 21ms RepoModel.GetById 0ms app.codeStats 0ms

/util/update_bundled_ca_certificates.rb

https://github.com/technicalpickles/rubygems
Ruby | 136 lines | 105 code | 29 blank | 2 comment | 7 complexity | 40b2a4c89ba7adc813696ebd4fa44f95 MD5 | raw file
    

  1. # frozen_string_literal: true
    2. 

  2. require 'net/http'
    3. 

  3. require 'openssl'
    4. 

  4. require 'fileutils'
    5. 

  5. 

  6. URIS = [
    7. 

  7.   URI('https://rubygems.org'),
    8. 

  8.   URI('https://www.rubygems.org'),
    9. 

  9.   URI('https://index.rubygems.org'),
    10. 

  10.   URI('https://staging.rubygems.org'),
    11. 

  11. ].freeze
    12. 

  12. 

  13. HOSTNAMES_TO_MAP = [
    14. 

  14.   'rubygems.org',
    15. 

  15. ].freeze
    16. 

  16. 

  17. def connect_to(uri, store)
    18. 

  18.   # None of the URIs are IPv6, so URI::Generic#hostname(ruby 1.9.3+) isn't needed
    19. 

  19.   http = Net::HTTP.new uri.host, uri.port
    20. 

  20. 

  21.   http.use_ssl = uri.scheme.downcase == 'https'
    22. 

  22.   http.ssl_version = :TLSv1_2
    23. 

  23.   http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    24. 

  24.   http.cert_store = store
    25. 

  25. 

  26.   http.get '/'
    27. 

  27. 

  28.   true
    29. 

  29. rescue OpenSSL::SSL::SSLError
    30. 

  30.   false
    31. 

  31. end
    32. 

  32. 

  33. def load_certificates(io)
    34. 

  34.   cert_texts =
    35. 

  35.     io.read.scan(/^-{5}BEGIN CERTIFICATE-{5}.*?^-{5}END CERTIFICATE-{5}/m)
    36. 

  36. 

  37.   cert_texts.map do |cert_text|
    38. 

  38.     OpenSSL::X509::Certificate.new cert_text
    39. 

  39.   end
    40. 

  40. end
    41. 

  41. 

  42. def show_certificates(certificates)
    43. 

  43.   certificates.each do |certificate|
    44. 

  44.     p certificate.subject.to_a
    45. 

  45.   end
    46. 

  46. end
    47. 

  47. 

  48. def store_for(certificates)
    49. 

  49.   store = OpenSSL::X509::Store.new
    50. 

  50.   certificates.each do |certificate|
    51. 

  51.     store.add_cert certificate
    52. 

  52.   end
    53. 

  53. 

  54.   store
    55. 

  55. end
    56. 

  56. 

  57. def test_certificates(certificates, uri)
    58. 

  58.   1.upto certificates.length do |n|
    59. 

  59.     puts "combinations of #{n} certificates"
    60. 

  60.     certificates.combination(n).each do |combination|
    61. 

  61.       match = test_uri uri, combination
    62. 

  62. 

  63.       if match
    64. 

  64.         $needed_combinations << match
    65. 

  65.         puts
    66. 

  66.         puts match.map {|certificate| certificate.subject }
    67. 

  67.         return
    68. 

  68.       else
    69. 

  69.         print '.'
    70. 

  70.       end
    71. 

  71.     end
    72. 

  72.     puts
    73. 

  73.   end
    74. 

  74. end
    75. 

  75. 

  76. def test_uri(uri, certificates)
    77. 

  77.   store = store_for certificates
    78. 

  78. 

  79.   verified = connect_to uri, store
    80. 

  80. 

  81.   return certificates if verified
    82. 

  82. 

  83.   nil
    84. 

  84. end
    85. 

  85. 

  86. def hostname_certificate_mapping(certificates)
    87. 

  87.   mapping = {}
    88. 

  88.   HOSTNAMES_TO_MAP.each do |hostname|
    89. 

  89.     uri = URI("https://#{hostname}")
    90. 

  90.     certificates.each do |cert|
    91. 

  91.       match = test_uri uri, [cert]
    92. 

  92.       mapping[hostname] = cert if match && !mapping.values.include?(cert)
    93. 

  93.     end
    94. 

  94.   end
    95. 

  95.   mapping
    96. 

  96. end
    97. 

  97. 

  98. def write_certificates(certificates)
    99. 

  99.   mapping = hostname_certificate_mapping(certificates)
    100. 

  100.   mapping.each do |hostname, certificate|
    101. 

  101.     subject = certificate.subject.to_a
    102. 

  102.     name = (subject.assoc('CN') || subject.assoc('OU'))[1]
    103. 

  103.     name = name.delete ' .-'
    104. 

  104. 

  105.     FileUtils.mkdir_p("lib/rubygems/ssl_certs/#{hostname}")
    106. 

  106.     destination = "lib/rubygems/ssl_certs/#{hostname}/#{name}.pem"
    107. 

  107. 

  108.     warn "overwriting certificate #{name}" if File.exist? destination
    109. 

  109. 

  110.     File.open destination, 'w' do |io|
    111. 

  111.       io.write certificate.to_pem
    112. 

  112.     end
    113. 

  113.   end
    114. 

  114. end
    115. 

  115. 

  116. io =
    117. 

  117.   if ARGV.empty?
    118. 

  118.     File.open OpenSSL::X509::DEFAULT_CERT_FILE
    119. 

  119.   else
    120. 

  120.     ARGF
    121. 

  121.   end
    122. 

  122. 

  123. certificates = load_certificates io
    124. 

  124. puts "loaded #{certificates.length} certificates"
    125. 

  125. 

  126. $needed_combinations = []
    127. 

  127. 

  128. URIS.each do |uri|
    129. 

  129.   puts uri
    130. 

  130. 

  131.   test_certificates certificates, uri
    132. 

  132. end
    133. 

  133. 

  134. needed = $needed_combinations.flatten.uniq
    135. 

  135. 

  136. write_certificates needed
    137. 

  137.