Commit 88c7d32e authored by Thong Kuah's avatar Thong Kuah

Merge branch 'fix/smime-scope' into 'master'

Remove the OpenSSL include within SMIME email signing

See merge request gitlab-org/gitlab!23642
parents f678f585 9d491ac4
---
title: Remove the OpenSSL include within SMIME email signing
merge_request: 23642
author: Roger Meier
type: fixed
...@@ -4,8 +4,6 @@ module Gitlab ...@@ -4,8 +4,6 @@ module Gitlab
module Email module Email
module Smime module Smime
class Certificate class Certificate
include OpenSSL
attr_reader :key, :cert attr_reader :key, :cert
def key_string def key_string
...@@ -17,8 +15,8 @@ module Gitlab ...@@ -17,8 +15,8 @@ module Gitlab
end end
def self.from_strings(key_string, cert_string) def self.from_strings(key_string, cert_string)
key = PKey::RSA.new(key_string) key = OpenSSL::PKey::RSA.new(key_string)
cert = X509::Certificate.new(cert_string) cert = OpenSSL::X509::Certificate.new(cert_string)
new(key, cert) new(key, cert)
end end
......
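Review bot: `from_strings` still pins the key type with `OpenSSL::PKey::RSA.new(key_string)` after the qualification, so a PEM holding a non-RSA key raises instead of loading; as far as the visible code shows nothing else in the class depends on RSA, so `OpenSSL::PKey.read(key_string)` would accept any supported key type if that flexibility is wanted. Either way the method carries no documentation of its contract; a comment such as `# Builds a Certificate from PEM/DER-encoded key and certificate strings; malformed input raises OpenSSL::PKey::RSAError / OpenSSL::X509::CertificateError rather than returning nil.` would make that explicit for callers. `key_string` begins before this hunk and the class body continues past it.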
...@@ -7,20 +7,18 @@ module Gitlab ...@@ -7,20 +7,18 @@ module Gitlab
module Smime module Smime
# Tooling for signing and verifying data with SMIME # Tooling for signing and verifying data with SMIME
class Signer class Signer
include OpenSSL
def self.sign(cert:, key:, data:) def self.sign(cert:, key:, data:)
signed_data = PKCS7.sign(cert, key, data, nil, PKCS7::DETACHED) signed_data = OpenSSL::PKCS7.sign(cert, key, data, nil, OpenSSL::PKCS7::DETACHED)
PKCS7.write_smime(signed_data) OpenSSL::PKCS7.write_smime(signed_data)
end end
# return nil if data cannot be verified, otherwise the signed content data # return nil if data cannot be verified, otherwise the signed content data
def self.verify_signature(cert:, ca_cert: nil, signed_data:) def self.verify_signature(cert:, ca_cert: nil, signed_data:)
store = X509::Store.new store = OpenSSL::X509::Store.new
store.set_default_paths store.set_default_paths
store.add_cert(ca_cert) if ca_cert store.add_cert(ca_cert) if ca_cert
signed_smime = PKCS7.read_smime(signed_data) signed_smime = OpenSSL::PKCS7.read_smime(signed_data)
signed_smime if signed_smime.verify([cert], store) signed_smime if signed_smime.verify([cert], store)
end end
end end
......
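Review bot: The comment above `verify_signature` does not match the body: the method returns the `OpenSSL::PKCS7` object (`signed_smime`), not the content — callers must read `#data` on it — and `OpenSSL::PKCS7.read_smime` raises `OpenSSL::PKCS7::PKCS7Error` on input it cannot parse, so `nil` comes back only when parsing succeeds and `verify` returns false. Suggested rewording: `# Returns the parsed OpenSSL::PKCS7 when the signature verifies against cert (use #data for the signed content), nil when it does not; raises OpenSSL::PKCS7::PKCS7Error if signed_data is not a parseable S/MIME message.` Since `store.set_default_paths` anchors trust in the system CA bundle plus the optional `ca_cert`, the same comment could state that, so readers know what "verified" means here; that behaviour predates this change.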
# frozen_string_literal: true # frozen_string_literal: true
module SmimeHelper module SmimeHelper
include OpenSSL
INFINITE_EXPIRY = 1000.years INFINITE_EXPIRY = 1000.years
SHORT_EXPIRY = 30.minutes SHORT_EXPIRY = 30.minutes
...@@ -20,12 +18,12 @@ module SmimeHelper ...@@ -20,12 +18,12 @@ module SmimeHelper
public_key = key.public_key public_key = key.public_key
subject = if certificate_authority subject = if certificate_authority
X509::Name.parse("/CN=EU") OpenSSL::X509::Name.parse("/CN=EU")
else else
X509::Name.parse("/CN=#{email_address}") OpenSSL::X509::Name.parse("/CN=#{email_address}")
end end
cert = X509::Certificate.new cert = OpenSSL::X509::Certificate.new
cert.subject = subject cert.subject = subject
cert.issuer = signed_by&.fetch(:cert, nil)&.subject || subject cert.issuer = signed_by&.fetch(:cert, nil)&.subject || subject
...@@ -36,7 +34,7 @@ module SmimeHelper ...@@ -36,7 +34,7 @@ module SmimeHelper
cert.serial = 0x0 cert.serial = 0x0
cert.version = 2 cert.version = 2
extension_factory = X509::ExtensionFactory.new extension_factory = OpenSSL::X509::ExtensionFactory.new
if certificate_authority if certificate_authority
extension_factory.subject_certificate = cert extension_factory.subject_certificate = cert
extension_factory.issuer_certificate = cert extension_factory.issuer_certificate = cert
...@@ -50,7 +48,7 @@ module SmimeHelper ...@@ -50,7 +48,7 @@ module SmimeHelper
cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'clientAuth,emailProtection', false)) cert.add_extension(extension_factory.create_extension('extendedKeyUsage', 'clientAuth,emailProtection', false))
end end
cert.sign(signed_by&.fetch(:key, nil) || key, Digest::SHA256.new) cert.sign(signed_by&.fetch(:key, nil) || key, OpenSSL::Digest::SHA256.new)
{ key: key, cert: cert } { key: key, cert: cert }
end end
......
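Review bot: The generating method (its signature lies above the first hunk, before the `public_key = key.public_key` line) documents neither `signed_by` nor what it returns, although the body fixes both: `signed_by&.fetch(:cert, nil)&.subject` and `signed_by&.fetch(:key, nil) || key` read a `{ key:, cert: }` hash, which is exactly the shape returned at the end, so a CA built by one call is handed back to issue a leaf, and a `nil` `signed_by` yields a self-signed certificate. A comment such as `# signed_by: the { key:, cert: } hash returned by an earlier certificate_authority: true call; nil makes the certificate self-signed.` would record that. `cert.serial = 0x0` also gives every certificate the helper issues the same serial, CA and leaves alike; if that is deliberate for isolated specs, a short note saying so would stop a reader from treating it as an oversight.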