diff options
Diffstat (limited to 'lib/gitlab/email/smime/signer.rb')
| -rw-r--r-- | lib/gitlab/email/smime/signer.rb | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/lib/gitlab/email/smime/signer.rb b/lib/gitlab/email/smime/signer.rb index db03e383ecf..6a445730463 100644 --- a/lib/gitlab/email/smime/signer.rb +++ b/lib/gitlab/email/smime/signer.rb @@ -7,19 +7,32 @@ module Gitlab module Smime # Tooling for signing and verifying data with SMIME class Signer - def self.sign(cert:, key:, data:) - signed_data = OpenSSL::PKCS7.sign(cert, key, data, nil, OpenSSL::PKCS7::DETACHED) + # The `ca_certs` parameter, if provided, is an array of CA certificates + # that will be attached in the signature together with the main `cert`. + # This will be typically intermediate CAs + def self.sign(cert:, key:, ca_certs: nil, data:) + signed_data = OpenSSL::PKCS7.sign(cert, key, data, Array.wrap(ca_certs), OpenSSL::PKCS7::DETACHED) OpenSSL::PKCS7.write_smime(signed_data) end - # return nil if data cannot be verified, otherwise the signed content data - def self.verify_signature(cert:, ca_cert: nil, signed_data:) + # Return nil if data cannot be verified, otherwise the signed content data + # + # Be careful with the `ca_certs` parameter, it will implicitly trust all the CAs + # in the array by creating a trusted store, stopping validation at the first match + # This is relevant when using intermediate CAs, `ca_certs` should only + # include the trusted, root CA + def self.verify_signature(ca_certs: nil, signed_data:) store = OpenSSL::X509::Store.new store.set_default_paths - store.add_cert(ca_cert) if ca_cert + Array.wrap(ca_certs).compact.each { |ca_cert| store.add_cert(ca_cert) } signed_smime = OpenSSL::PKCS7.read_smime(signed_data) - signed_smime if signed_smime.verify([cert], store) + + # The S/MIME certificate(s) are included in the message and the trusted + # CAs are in the store parameter, so we pass no certs as parameters + # to `PKCS7.verify` + # See https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html + signed_smime if signed_smime.verify(nil, store) end end end |