rubygems-update 0.9.4 → 0.9.5

data/lib/rubygems/remote_fetcher.rb

@@ -1,15 +1,8 @@
 require 'net/http'
 require 'uri'
-require 'yaml'
-require 'zlib'
 
 require 'rubygems'
-require 'rubygems/user_interaction'
-
-##
-# Represents an error communicating via HTTP.
-
-class Gem::RemoteSourceException < Gem::Exception; end
+require 'rubygems/gem_open_uri'
 
 ##
 # RemoteFetcher handles the details of fetching gems and gem information from
@@ -40,7 +33,8 @@ class Gem::RemoteFetcher
       case proxy
       when :no_proxy then nil
       when nil then get_proxy_from_env
-      else URI.parse(proxy.to_str)
+      when URI::HTTP then proxy
+      else URI.parse(proxy)
       end
   end
 
@@ -51,28 +45,41 @@ class Gem::RemoteFetcher
     end
   rescue Timeout::Error
     raise FetchError, "timed out fetching #{uri}"
-  rescue IOError, SocketError, SystemCallError => e
-    raise FetchError, "#{e.class} reading #{uri}"
-  rescue
-    old_uri = uri
-    uri = uri.downcase
-    retry if old_uri != uri
-    raise
+  rescue OpenURI::HTTPError, IOError, SocketError, SystemCallError => e
+    raise FetchError, "#{e.class}: #{e} reading #{uri}"
   end
 
   # Returns the size of +uri+ in bytes.
   def fetch_size(uri)
-    return File.size(get_file_uri_path(uri)) if file_uri?(uri)
-    require 'net/http'
-    require 'uri'
-    u = URI.parse(uri)
-    raise ArgumentError, 'uri is not an HTTP URI' unless URI::HTTP === u
-    http = connect_to(u.host, u.port)
-    resp = http.head(u.request_uri)
-    raise Gem::RemoteSourceException, "HTTP Response #{resp.code}" if resp.code !~ /^2/
-    resp['content-length'].to_i
+    return File.size(get_file_uri_path(uri)) if file_uri? uri
+
+    uri = URI.parse uri unless URI::Generic === uri
+
+    raise ArgumentError, 'uri is not an HTTP URI' unless URI::HTTP === uri
+
+    http = connect_to uri.host, uri.port
+
+    request = Net::HTTP::Head.new uri.request_uri
+
+    request.basic_auth unescape(uri.user), unescape(uri.password) unless
+      uri.user.nil? or uri.user.empty?
+
+    resp = http.request request
+
+    if resp.code !~ /^2/ then
+      raise Gem::RemoteSourceException,
+            "HTTP Response #{resp.code} fetching #{uri}"
+    end
+
+    if resp['content-length'] then
+      return resp['content-length'].to_i
+    else
+      resp = http.get uri.request_uri
+      return resp.body.size
+    end
+
   rescue SocketError, SystemCallError, Timeout::Error => e
-    raise FetchError, "#{e.message}(#{e.class})"
+    raise FetchError, "#{e.message} (#{e.class})"
   end
 
   private
@@ -90,12 +97,17 @@ class Gem::RemoteFetcher
   # Returns an HTTP proxy URI if one is set in the environment variables.
   def get_proxy_from_env
     env_proxy = ENV['http_proxy'] || ENV['HTTP_PROXY']
-    uri = env_proxy ? URI.parse(env_proxy) : nil
+
+    return nil if env_proxy.nil? or env_proxy.empty?
+
+    uri = URI.parse env_proxy
+
     if uri and uri.user.nil? and uri.password.nil? then
       # Probably we have http_proxy_* variables?
       uri.user = escape(ENV['http_proxy_user'] || ENV['HTTP_PROXY_USER'])
       uri.password = escape(ENV['http_proxy_pass'] || ENV['HTTP_PROXY_PASS'])
     end
+
     uri
   end
 
@@ -116,12 +128,11 @@ class Gem::RemoteFetcher
   # Read the data from the (source based) URI, but if it is a file:// URI,
   # read from the filesystem instead.
   def open_uri_or_path(uri, &block)
-    require 'rubygems/gem_open_uri'
     if file_uri?(uri)
       open(get_file_uri_path(uri), &block)
     else
       connection_options = {
-        "User-Agent" => "RubyGems/#{Gem::RubyGemsVersion}"
+        "User-Agent" => "RubyGems/#{Gem::RubyGemsVersion} #{Gem::Platform.local}"
       }
 
       if @proxy_uri
@@ -129,6 +140,12 @@ class Gem::RemoteFetcher
         connection_options[:proxy_http_basic_authentication] = [http_proxy_url, unescape(@proxy_uri.user)||'', unescape(@proxy_uri.password)||'']
       end
 
+      uri = URI.parse uri unless URI::Generic === uri
+      unless uri.nil? || uri.user.nil? || uri.user.empty? then
+        connection_options[:http_basic_authentication] =
+          [unescape(uri.user), unescape(uri.password)]
+      end
+
       open(uri, connection_options, &block)
     end
   end

data/lib/rubygems/remote_installer.rb

@@ -5,19 +5,12 @@
 #++
 
 require 'fileutils'
-require 'yaml'
 
 require 'rubygems'
 require 'rubygems/installer'
 require 'rubygems/source_info_cache'
 
-require 'sources'
-
 module Gem
-  class DependencyError < Gem::Exception; end
-  class GemNotFoundException < Gem::Exception; end
-  class RemoteInstallationCancelled < Gem::Exception; end
-  class RemoteInstallationSkipped < Gem::Exception; end
 
   class RemoteInstaller
 
@@ -36,21 +29,21 @@ module Gem
       @source_index_hash = nil
     end
 
-    # This method will install package_name onto the local system.  
+    # This method will install package_name onto the local system.
     #
     # gem_name::
     #   [String] Name of the Gem to install
     #
     # version_requirement::
-    #   [default = "> 0.0.0"] Gem version requirement to install
+    #   [default = ">= 0"] Gem version requirement to install
     #
     # Returns::
-    #   an array of Gem::Specification objects, one for each gem installed. 
+    #   an array of Gem::Specification objects, one for each gem installed.
     #
-    def install(gem_name, version_requirement = "> 0.0.0", force=false,
-                install_dir=Gem.dir, install_stub=true)
+    def install(gem_name, version_requirement = Gem::Requirement.default,
+                force = false, install_dir = Gem.dir)
       unless version_requirement.respond_to?(:satisfied_by?)
-        version_requirement = Version::Requirement.new [version_requirement]
+        version_requirement = Gem::Requirement.new [version_requirement]
       end
       installed_gems = []
       begin
@@ -65,9 +58,9 @@ module Gem
         download_gem(destination_file, source, spec)
 
         installer = new_installer(destination_file)
-        installed_gems.unshift installer.install(force, install_dir, install_stub)
+        installed_gems.unshift installer.install(force, install_dir)
       rescue RemoteInstallationSkipped => e
-        puts e.message
+        alert_error e.message
       end
       installed_gems.flatten
     end
@@ -82,7 +75,7 @@ module Gem
       end
       @source_index_hash
     end
-    
+
     # Finds the Gem::Specification objects and the corresponding source URI
     # for gems matching +gem_name+ and +version_requirement+
     def specs_n_sources_matching(gem_name, version_requirement)
@@ -157,7 +150,7 @@ module Gem
 
     # Install all the given dependencies.  Returns an array of
     # Gem::Specification objects, one for each dependency installed.
-    # 
+    #
     # TODO: For now, we recursively install, but this is not the right
     # way to do things (e.g.  if a package fails to download, we
     # shouldn't install anything).
@@ -193,7 +186,7 @@ module Gem
         out.write(body)
       end
     end
-    
+
     def new_installer(gem)
       return Installer.new(gem, @options)
     end

data/lib/rubygems/requirement.rb

@@ -0,0 +1,157 @@
+#--
+# Copyright 2006 by Chad Fowler, Rich Kilmer, Jim Weirich and others.
+# All rights reserved.
+# See LICENSE.txt for permissions.
+#++
+
+require 'rubygems/version'
+
+##
+# Requirement version includes a prefaced comparator in addition
+# to a version number.
+#
+# A Requirement object can actually contain multiple, er,
+# requirements, as in (> 1.2, < 2.0).
+class Gem::Requirement
+
+  include Comparable
+
+  OPS = {
+    "="  =>  lambda { |v, r| v == r },
+    "!=" =>  lambda { |v, r| v != r },
+    ">"  =>  lambda { |v, r| v > r },
+    "<"  =>  lambda { |v, r| v < r },
+    ">=" =>  lambda { |v, r| v >= r },
+    "<=" =>  lambda { |v, r| v <= r },
+    "~>" =>  lambda { |v, r| v >= r && v < r.bump }
+  }
+
+  OP_RE = /#{OPS.keys.map{ |k| Regexp.quote k }.join '|'}/o
+
+  ##
+  # Factory method to create a Gem::Requirement object.  Input may be a
+  # Version, a String, or nil.  Intended to simplify client code.
+  #
+  # If the input is "weird", the default version requirement is returned.
+  #
+  def self.create(input)
+    case input
+    when Gem::Requirement then
+      input
+    when Gem::Version, Array then
+      new input
+    else
+      if input.respond_to? :to_str then
+        self.new [input.to_str]
+      else
+        self.default
+      end
+    end
+  end
+
+  ##
+  # A default "version requirement" can surely _only_ be '>= 0'.
+  #--
+  # This comment once said:
+  #
+  # "A default "version requirement" can surely _only_ be '> 0'."
+  def self.default
+    self.new ['>= 0']
+  end
+
+  ##
+  # Constructs a Requirement from +requirements+ which can be a String, a
+  # Gem::Version, or an Array of those.  See parse for details on the
+  # formatting of requirement strings.
+  def initialize(requirements)
+    @requirements = case requirements
+                    when Array then
+                      requirements.map do |requirement|
+                        parse(requirement)
+                      end
+                    else
+                      [parse(requirements)]
+                    end
+    @version = nil   # Avoid warnings.
+  end
+
+  # Marshal raw requirements, rather than the full object
+  def marshal_dump
+    [@requirements]
+  end
+
+  # Load custom marshal format
+  def marshal_load(array)
+    @requirements = array[0]
+    @version = nil
+  end
+
+  def to_s # :nodoc:
+    as_list.join(", ")
+  end
+
+  def as_list
+    normalize
+    @requirements.collect { |req|
+      "#{req[0]} #{req[1]}"
+    }
+  end
+
+  def normalize
+    return if not defined? @version or @version.nil?
+    @requirements = [parse(@version)]
+    @nums = nil
+    @version = nil
+    @op = nil
+  end
+
+  ##
+  # Is the requirement satifised by +version+.
+  #
+  # version:: [Gem::Version] the version to compare against
+  # return:: [Boolean] true if this requirement is satisfied by
+  #          the version, otherwise false
+  #
+  def satisfied_by?(version)
+    normalize
+    @requirements.all? { |op, rv| satisfy?(op, version, rv) }
+  end
+
+  ##
+  # Is "version op required_version" satisfied?
+  #
+  def satisfy?(op, version, required_version)
+    OPS[op].call(version, required_version)
+  end
+
+  ##
+  # Parse the version requirement obj returning the operator and version.
+  #
+  # The requirement can be a String or a Gem::Version.  A String can be an
+  # operator (<, <=, =, =>, >, !=, ~>), a version number, or both, operator
+  # first.
+  def parse(obj)
+    case obj
+    when /^\s*(#{OP_RE})\s*([0-9.]+)\s*$/o then
+      [$1, Gem::Version.new($2)]
+    when /^\s*([0-9.]+)\s*$/ then
+      ['=', Gem::Version.new($1)]
+    when /^\s*(#{OP_RE})\s*$/o then
+      [$1, Gem::Version.new('0')]
+    when Gem::Version then
+      ['=', obj]
+    else
+      fail ArgumentError, "Illformed requirement [#{obj.inspect}]"
+    end
+  end
+
+  def <=>(other)
+    to_s <=> other.to_s
+  end
+
+  def hash # :nodoc:
+    to_s.hash
+  end
+
+end
+

data/lib/rubygems/rubygems_version.rb

@@ -2,5 +2,5 @@
 # This file is auto-generated by build scripts.
 # See:  rake update_version
 module Gem
-  RubyGemsVersion = '0.9.4'
+  RubyGemsVersion = '0.9.5'
 end

data/lib/rubygems/security.rb

@@ -1,527 +1,785 @@
-#!/usr/bin/env ruby
 #--
 # Copyright 2006 by Chad Fowler, Rich Kilmer, Jim Weirich and others.
 # All rights reserved.
 # See LICENSE.txt for permissions.
 #++
 
-
 require 'rubygems/gem_openssl'
 
-module Gem
-  module SSL
+# = Signed Gems README
+#
+# == Table of Contents
+# * Overview
+# * Walkthrough
+# * Command-Line Options
+# * OpenSSL Reference
+# * Bugs/TODO
+# * About the Author
+#
+# == Overview
+#
+# Gem::Security implements cryptographic signatures in RubyGems.  The section
+# below is a step-by-step guide to using signed gems and generating your own.
+#
+# == Walkthrough
+#
+# In order to start signing your gems, you'll need to build a private key and
+# a self-signed certificate.  Here's how:
+#
+#   # build a private key and certificate for gemmaster@example.com
+#   $ gem cert --build gemmaster@example.com
+#
+# This could take anywhere from 5 seconds to 10 minutes, depending on the
+# speed of your computer (public key algorithms aren't exactly the speediest
+# crypto algorithms in the world).  When it's finished, you'll see the files
+# "gem-private_key.pem" and "gem-public_cert.pem" in the current directory.
+#
+# First things first: take the "gem-private_key.pem" file and move it
+# somewhere private, preferably a directory only you have access to, a floppy
+# (yuck!), a CD-ROM, or something comparably secure.  Keep your private key
+# hidden; if it's compromised, someone can sign packages as you (note: PKI has
+# ways of mitigating the risk of stolen keys; more on that later).
+#
+# Now, let's sign an existing gem.  I'll be using my Imlib2-Ruby bindings, but
+# you can use whatever gem you'd like.  Open up your existing gemspec file and
+# add the following lines:
+#
+#   # signing key and certificate chain
+#   s.signing_key = '/mnt/floppy/gem-private_key.pem'
+#   s.cert_chain  = ['gem-public_cert.pem']
+#
+# (Be sure to replace "/mnt/floppy" with the ultra-secret path to your private
+# key).
+#
+# After that, go ahead and build your gem as usual.  Congratulations, you've
+# just built your first signed gem!  If you peek inside your gem file, you'll
+# see a couple of new files have been added:
+#
+#   $ tar tf tar tf Imlib2-Ruby-0.5.0.gem
+#   data.tar.gz
+#   data.tar.gz.sig
+#   metadata.gz
+#   metadata.gz.sig
+#
+# Now let's verify the signature.  Go ahead and install the gem, but add the
+# following options: "-P HighSecurity", like this:
+#
+#   # install the gem with using the security policy "HighSecurity"
+#   $ sudo gem install Imlib2-Ruby-0.5.0.gem -P HighSecurity
+#
+# The -P option sets your security policy -- we'll talk about that in just a
+# minute.  Eh, what's this?
+#
+#   Attempting local installation of 'Imlib2-Ruby-0.5.0.gem'
+#   ERROR:  Error installing gem Imlib2-Ruby-0.5.0.gem[.gem]: Couldn't
+#   verify data signature: Untrusted Signing Chain Root: cert =
+#   '/CN=gemmaster/DC=example/DC=com', error = 'path
+#   "/root/.rubygems/trust/cert-15dbb43a6edf6a70a85d4e784e2e45312cff7030.pem"
+#   does not exist'
+#
+# The culprit here is the security policy.  RubyGems has several different
+# security policies.  Let's take a short break and go over the security
+# policies.  Here's a list of the available security policies, and a brief
+# description of each one:
+#
+# * NoSecurity - Well, no security at all.  Signed packages are treated like
+#   unsigned packages.
+# * LowSecurity - Pretty much no security.  If a package is signed then
+#   RubyGems will make sure the signature matches the signing
+#   certificate, and that the signing certificate hasn't expired, but
+#   that's it.  A malicious user could easily circumvent this kind of
+#   security.
+# * MediumSecurity - Better than LowSecurity and NoSecurity, but still
+#   fallible.  Package contents are verified against the signing
+#   certificate, and the signing certificate is checked for validity,
+#   and checked against the rest of the certificate chain (if you don't
+#   know what a certificate chain is, stay tuned, we'll get to that).
+#   The biggest improvement over LowSecurity is that MediumSecurity
+#   won't install packages that are signed by untrusted sources.
+#   Unfortunately, MediumSecurity still isn't totally secure -- a
+#   malicious user can still unpack the gem, strip the signatures, and
+#   distribute the gem unsigned.
+# * HighSecurity - Here's the bugger that got us into this mess.
+#   The HighSecurity policy is identical to the MediumSecurity policy,
+#   except that it does not allow unsigned gems.  A malicious user
+#   doesn't have a whole lot of options here; he can't modify the
+#   package contents without invalidating the signature, and he can't
+#   modify or remove signature or the signing certificate chain, or
+#   RubyGems will simply refuse to install the package.  Oh well, maybe
+#   he'll have better luck causing problems for CPAN users instead :).
+#
+# So, the reason RubyGems refused to install our shiny new signed gem was
+# because it was from an untrusted source.  Well, my code is infallible
+# (hah!), so I'm going to add myself as a trusted source.
+#
+# Here's how:
+#
+#     # add trusted certificate
+#     gem cert --add gem-public_cert.pem
+#
+# I've added my public certificate as a trusted source.  Now I can install
+# packages signed my private key without any hassle.  Let's try the install
+# command above again:
+#
+#   # install the gem with using the HighSecurity policy (and this time
+#   # without any shenanigans)
+#   $ sudo gem install Imlib2-Ruby-0.5.0.gem -P HighSecurity
+#
+# This time RubyGems should accept your signed package and begin installing.
+# While you're waiting for RubyGems to work it's magic, have a look at some of
+# the other security commands:
+#
+#   Usage: gem cert [options]
+#
+#   Options:
+#     -a, --add CERT          Add a trusted certificate.
+#     -l, --list              List trusted certificates.
+#     -r, --remove STRING     Remove trusted certificates containing STRING.
+#     -b, --build EMAIL_ADDR  Build private key and self-signed certificate
+#                             for EMAIL_ADDR.
+#     -C, --certificate CERT  Certificate for --sign command.
+#     -K, --private-key KEY   Private key for --sign command.
+#     -s, --sign NEWCERT      Sign a certificate with my key and certificate.
+#
+# (By the way, you can pull up this list any time you'd like by typing "gem
+# cert --help")
+#
+# Hmm.  We've already covered the "--build" option, and the "--add", "--list",
+# and "--remove" commands seem fairly straightforward; they allow you to add,
+# list, and remove the certificates in your trusted certificate list.  But
+# what's with this "--sign" option?
+#
+# To answer that question, let's take a look at "certificate chains", a
+# concept I mentioned earlier.  There are a couple of problems with
+# self-signed certificates: first of all, self-signed certificates don't offer
+# a whole lot of security.  Sure, the certificate says Yukihiro Matsumoto, but
+# how do I know it was actually generated and signed by matz himself unless he
+# gave me the certificate in person?
+#
+# The second problem is scalability.  Sure, if there are 50 gem authors, then
+# I have 50 trusted certificates, no problem.  What if there are 500 gem
+# authors?  1000?  Having to constantly add new trusted certificates is a
+# pain, and it actually makes the trust system less secure by encouraging
+# RubyGems users to blindly trust new certificates.
+#
+# Here's where certificate chains come in.  A certificate chain establishes an
+# arbitrarily long chain of trust between an issuing certificate and a child
+# certificate.  So instead of trusting certificates on a per-developer basis,
+# we use the PKI concept of certificate chains to build a logical hierarchy of
+# trust.  Here's a hypothetical example of a trust hierarchy based (roughly)
+# on geography:
+#
+#
+#                         --------------------------
+#                         | rubygems@rubyforge.org |
+#                         --------------------------
+#                                     |
+#                   -----------------------------------
+#                   |                                 |
+#       ----------------------------    -----------------------------
+#       | seattle.rb@zenspider.com |    | dcrubyists@richkilmer.com |
+#       ----------------------------    -----------------------------
+#            |                |                 |             |
+#     ---------------   ----------------   -----------   --------------
+#     | alf@seattle |   | bob@portland |   | pabs@dc |   | tomcope@dc |
+#     ---------------   ----------------   -----------   --------------
+#
+#
+# Now, rather than having 4 trusted certificates (one for alf@seattle,
+# bob@portland, pabs@dc, and tomecope@dc), a user could actually get by with 1
+# certificate: the "rubygems@rubyforge.org" certificate.  Here's how it works:
+#
+# I install "Alf2000-Ruby-0.1.0.gem", a package signed by "alf@seattle".  I've
+# never heard of "alf@seattle", but his certificate has a valid signature from
+# the "seattle.rb@zenspider.com" certificate, which in turn has a valid
+# signature from the "rubygems@rubyforge.org" certificate.  Voila!  At this
+# point, it's much more reasonable for me to trust a package signed by
+# "alf@seattle", because I can establish a chain to "rubygems@rubyforge.org",
+# which I do trust.
+#
+# And the "--sign" option allows all this to happen.  A developer creates
+# their build certificate with the "--build" option, then has their
+# certificate signed by taking it with them to their next regional Ruby meetup
+# (in our hypothetical example), and it's signed there by the person holding
+# the regional RubyGems signing certificate, which is signed at the next
+# RubyConf by the holder of the top-level RubyGems certificate.  At each point
+# the issuer runs the same command:
+#
+#   # sign a certificate with the specified key and certificate
+#   # (note that this modifies client_cert.pem!)
+#   $ gem cert -K /mnt/floppy/issuer-priv_key.pem -C issuer-pub_cert.pem
+#      --sign client_cert.pem
+#
+# Then the holder of issued certificate (in this case, our buddy
+# "alf@seattle"), can start using this signed certificate to sign RubyGems.
+# By the way, in order to let everyone else know about his new fancy signed
+# certificate, "alf@seattle" would change his gemspec file to look like this:
+#
+#   # signing key (still kept in an undisclosed location!)
+#   s.signing_key = '/mnt/floppy/alf-private_key.pem'
+#   
+#   # certificate chain (includes the issuer certificate now too)
+#   s.cert_chain  = ['/home/alf/doc/seattlerb-public_cert.pem',
+#                    '/home/alf/doc/alf_at_seattle-public_cert.pem']
+#
+# Obviously, this RubyGems trust infrastructure doesn't exist yet.  Also, in
+# the "real world" issuers actually generate the child certificate from a
+# certificate request, rather than sign an existing certificate.  And our
+# hypothetical infrastructure is missing a certificate revocation system.
+# These are that can be fixed in the future...
+#
+# I'm sure your new signed gem has finished installing by now (unless you're
+# installing rails and all it's dependencies, that is ;D).  At this point you
+# should know how to do all of these new and interesting things:
+#
+# * build a gem signing key and certificate
+# * modify your existing gems to support signing
+# * adjust your security policy
+# * modify your trusted certificate list
+# * sign a certificate
+#
+# If you've got any questions, feel free to contact me at the email address
+# below.  The next couple of sections
+#
+#
+# == Command-Line Options
+#
+# Here's a brief summary of the certificate-related command line options:
+#
+#   gem install
+#     -P, --trust-policy POLICY        Specify gem trust policy.
+#
+#   gem cert
+#     -a, --add CERT                   Add a trusted certificate.
+#     -l, --list                       List trusted certificates.
+#     -r, --remove STRING              Remove trusted certificates containing
+#                                      STRING.
+#     -b, --build EMAIL_ADDR           Build private key and self-signed
+#                                      certificate for EMAIL_ADDR.
+#     -C, --certificate CERT           Certificate for --sign command.
+#     -K, --private-key KEY            Private key for --sign command.
+#     -s, --sign NEWCERT               Sign a certificate with my key and
+#                                      certificate.
+#
+# A more detailed description of each options is available in the walkthrough
+# above.
+#
+#
+# == OpenSSL Reference
+#
+# The .pem files generated by --build and --sign are just basic OpenSSL PEM
+# files.  Here's a couple of useful commands for manipulating them:
+#
+#   # convert a PEM format X509 certificate into DER format:
+#   # (note: Windows .cer files are X509 certificates in DER format)
+#   $ openssl x509 -in input.pem -outform der -out output.der
+#   
+#   # print out the certificate in a human-readable format:
+#   $ openssl x509 -in input.pem -noout -text
+#
+# And you can do the same thing with the private key file as well:
+#
+#   # convert a PEM format RSA key into DER format:
+#   $ openssl rsa -in input_key.pem -outform der -out output_key.der
+#   
+#   # print out the key in a human readable format:
+#   $ openssl rsa -in input_key.pem -noout -text
+#
+# == Bugs/TODO
+#
+# * There's no way to define a system-wide trust list.
+# * custom security policies (from a YAML file, etc)
+# * Simple method to generate a signed certificate request
+# * Support for OCSP, SCVP, CRLs, or some other form of cert
+#   status check (list is in order of preference)
+# * Support for encrypted private keys
+# * Some sort of semi-formal trust hierarchy (see long-winded explanation
+#   above)
+# * Path discovery (for gem certificate chains that don't have a self-signed
+#   root) -- by the way, since we don't have this, THE ROOT OF THE CERTIFICATE
+#   CHAIN MUST BE SELF SIGNED if Policy#verify_root is true (and it is for the
+#   MediumSecurity and HighSecurity policies)
+# * Better explanation of X509 naming (ie, we don't have to use email
+#   addresses)
+# * Possible alternate signing mechanisms (eg, via PGP).  this could be done
+#   pretty easily by adding a :signing_type attribute to the gemspec, then add
+#   the necessary support in other places
+# * Honor AIA field (see note about OCSP above)
+# * Maybe honor restriction extensions?
+# * Might be better to store the certificate chain as a PKCS#7 or PKCS#12
+#   file, instead of an array embedded in the metadata.  ideas?
+# * Possibly embed signature and key algorithms into metadata (right now
+#   they're assumed to be the same as what's set in Gem::Security::OPT)
+#
+# == About the Author
+#
+# Paul Duncan <pabs@pablotron.org>
+# http://pablotron.org/
+
+module Gem::Security
+
+  class Exception < Exception; end
 
-    # We make our own versions of the constants here.  This allows us
-    # to reference the constants, even though some systems might not
-    # have SSL installed in the Ruby core package.
-    #
-    # These constants are only used during load time.  At runtime, any
-    # method that makes a direct reference to SSL software must be
-    # protected with a Gem.ensure_ssl_available call.
-    #
-    if Gem.ssl_available?
-      PKEY_RSA = OpenSSL::PKey::RSA
-      DIGEST_SHA1 = OpenSSL::Digest::SHA1
-    else
-      PKEY_RSA = :rsa
-      DIGEST_SHA1 = :sha1
-    end
-  end
-end
-
-module OpenSSL # :nodoc:
-  module X509 # :nodoc:
-    class Certificate
-      #
-      # Check the validity of this certificate.  
-      #
-      def check_validity(issuer_cert = nil, time = Time.now)
-        ret = if @not_before && @not_before > time
-          [false, :expired, "not valid before '#@not_before'"]
-        elsif @not_after && @not_after < time
-          [false, :expired, "not valid after '#@not_after'"]
-        elsif issuer_cert && !verify(issuer_cert.public_key)
-          [false, :issuer, "#{issuer_cert.subject} is not issuer"]
-        else
-          [true, :ok, 'Valid certificate']
-        end
-
-        # return hash
-        { :is_valid => ret[0], :error => ret[1], :desc => ret[2] }
-      end
-    end
-  end
-end
+  #
+  # default options for most of the methods below
+  #
+  OPT = {
+    # private key options
+    :key_algo   => Gem::SSL::PKEY_RSA,
+    :key_size   => 2048,
+
+    # public cert options
+    :cert_age   => 365 * 24 * 3600, # 1 year
+    :dgst_algo  => Gem::SSL::DIGEST_SHA1,
+
+    # x509 certificate extensions
+    :cert_exts  => {
+      'basicConstraints'      => 'CA:FALSE',
+      'subjectKeyIdentifier'  => 'hash',
+      'keyUsage'              => 'keyEncipherment,dataEncipherment,digitalSignature',
+  },
+
+  # save the key and cert to a file in build_self_signed_cert()?
+  :save_key   => true,
+  :save_cert  => true,
+
+  # if you define either of these, then they'll be used instead of
+  # the output_fmt macro below
+  :save_key_path => nil,
+  :save_cert_path => nil,
+
+  # output name format for self-signed certs
+  :output_fmt => 'gem-%s.pem',
+  :munge_re   => Regexp.new(/[^a-z0-9_.-]+/),
+
+  # output directory for trusted certificate checksums
+  :trust_dir => File::join(Gem.user_home, '.gem', 'trust'),
+
+  # default permissions for trust directory and certs
+  :perms => {
+    :trust_dir      => 0700,
+    :trusted_cert   => 0600,
+    :signing_cert   => 0600,
+    :signing_key    => 0600,
+  },
+  }
 
-module Gem
   #
-  # Security: a set of methods, classes, and security policies for
-  # checking the validity of signed gem files.
+  # A Gem::Security::Policy object encapsulates the settings for verifying
+  # signed gem files.  This is the base class.  You can either declare an
+  # instance of this or use one of the preset security policies below.
   #
-  module Security
-    class Exception < Exception; end
-  
-    #
-    # default options for most of the methods below
-    #
-    OPT = {
-      # private key options
-      :key_algo   => Gem::SSL::PKEY_RSA,
-      :key_size   => 2048,
-
-      # public cert options
-      :cert_age   => 365 * 24 * 3600, # 1 year
-      :dgst_algo  => Gem::SSL::DIGEST_SHA1,
-
-      # x509 certificate extensions
-      :cert_exts  => {
-        'basicConstraints'      => 'CA:FALSE',
-        'subjectKeyIdentifier'  => 'hash',
-        'keyUsage'              => 'keyEncipherment,dataEncipherment,digitalSignature',
-      },
-
-      # save the key and cert to a file in build_self_signed_cert()?
-      :save_key   => true,
-      :save_cert  => true,
-
-      # if you define either of these, then they'll be used instead of
-      # the output_fmt macro below
-      :save_key_path => nil,
-      :save_cert_path => nil,
-
-      # output name format for self-signed certs
-      :output_fmt => 'gem-%s.pem',
-      :munge_re   => Regexp.new(/[^a-z0-9_.-]+/),
-
-      # output directory for trusted certificate checksums
-      :trust_dir => File::join(Gem.user_home, '.gem', 'trust'),
-
-      # default permissions for trust directory and certs
-      :perms => {
-        :trust_dir      => 0700,
-        :trusted_cert   => 0600,
-        :signing_cert   => 0600,
-        :signing_key    => 0600,
-      },
-    }
+  class Policy
+    attr_accessor :verify_data, :verify_signer, :verify_chain,
+      :verify_root, :only_trusted, :only_signed
 
     #
-    # A Gem::Security::Policy object encapsulates the settings for
-    # verifying signed gem files.  This is the base class.  You can
-    # either declare an instance of this or use one of the preset
-    # security policies below.
+    # Create a new Gem::Security::Policy object with the given mode and
+    # options.
     #
-    class Policy
-      attr_accessor :verify_data, :verify_signer, :verify_chain, 
-                    :verify_root, :only_trusted, :only_signed
-
-      #
-      # Create a new Gem::Security::Policy object with the given mode
-      # and options.
-      #
-      def initialize(policy = {}, opt = {})
-        # set options
-        @opt = Gem::Security::OPT.merge(opt)
-
-        # build policy
-        policy.each_pair do |key, val|
-          case key
-            when :verify_data   then @verify_data   = val
-            when :verify_signer then @verify_signer = val
-            when :verify_chain  then @verify_chain  = val
-            when :verify_root   then @verify_root   = val
-            when :only_trusted  then @only_trusted  = val
-            when :only_signed   then @only_signed   = val
-          end
+    def initialize(policy = {}, opt = {})
+      # set options
+      @opt = Gem::Security::OPT.merge(opt)
+
+      # build policy
+      policy.each_pair do |key, val|
+        case key
+        when :verify_data   then @verify_data   = val
+        when :verify_signer then @verify_signer = val
+        when :verify_chain  then @verify_chain  = val
+        when :verify_root   then @verify_root   = val
+        when :only_trusted  then @only_trusted  = val
+        when :only_signed   then @only_signed   = val
         end
       end
+    end
 
-      #
-      # Get the path to the file for this cert.
-      #
-      def self.trusted_cert_path(cert, opt = {})
-        opt = Gem::Security::OPT.merge(opt)
+    #
+    # Get the path to the file for this cert.
+    #
+    def self.trusted_cert_path(cert, opt = {})
+      opt = Gem::Security::OPT.merge(opt)
 
-        # get digest algorithm, calculate checksum of root.subject
-        algo = opt[:dgst_algo]
-        dgst = algo.hexdigest(cert.subject.to_s)
+      # get digest algorithm, calculate checksum of root.subject
+      algo = opt[:dgst_algo]
+      dgst = algo.hexdigest(cert.subject.to_s)
 
-        # build path to trusted cert file
-        name = "cert-#{dgst}.pem"
+      # build path to trusted cert file
+      name = "cert-#{dgst}.pem"
 
-        # join and return path components
-        File::join(opt[:trust_dir], name)
-      end
+      # join and return path components
+      File::join(opt[:trust_dir], name)
+    end
 
-      #
-      # Verify that the gem data with the given signature and signing
-      # chain matched this security policy at the specified time.
-      #
-      def verify_gem(signature, data, chain, time = Time.now)
-        Gem.ensure_ssl_available
-        cert_class = OpenSSL::X509::Certificate
-        exc = Gem::Security::Exception
-        chain ||= []
-
-        chain = chain.map{ |str| cert_class.new(str) }
-        signer, ch_len = chain[-1], chain.size
-
-        # make sure signature is valid
-        if @verify_data
-          # get digest algorithm (TODO: this should be configurable)
-          dgst = @opt[:dgst_algo]
-
-          # verify the data signature (this is the most important part,
-          # so don't screw it up :D)
-          v = signer.public_key.verify(dgst.new, signature, data)
-          raise exc, "Invalid Gem Signature" unless v
-          
-          # make sure the signer is valid
-          if @verify_signer
-            # make sure the signing cert is valid right now
-            v = signer.check_validity(nil, time)
-            raise exc, "Invalid Signature: #{v[:desc]}" unless v[:is_valid]
-          end
+    #
+    # Verify that the gem data with the given signature and signing chain
+    # matched this security policy at the specified time.
+    #
+    def verify_gem(signature, data, chain, time = Time.now)
+      Gem.ensure_ssl_available
+      cert_class = OpenSSL::X509::Certificate
+      exc = Gem::Security::Exception
+      chain ||= []
+
+      chain = chain.map{ |str| cert_class.new(str) }
+      signer, ch_len = chain[-1], chain.size
+
+      # make sure signature is valid
+      if @verify_data
+        # get digest algorithm (TODO: this should be configurable)
+        dgst = @opt[:dgst_algo]
+
+        # verify the data signature (this is the most important part, so don't
+        # screw it up :D)
+        v = signer.public_key.verify(dgst.new, signature, data)
+        raise exc, "Invalid Gem Signature" unless v
+
+        # make sure the signer is valid
+        if @verify_signer
+          # make sure the signing cert is valid right now
+          v = signer.check_validity(nil, time)
+          raise exc, "Invalid Signature: #{v[:desc]}" unless v[:is_valid]
         end
+      end
 
-        # make sure the certificate chain is valid
-        if @verify_chain
-          # iterate down over the chain and verify each certificate
-          # against it's issuer
-          (ch_len - 1).downto(1) do |i|
-            issuer, cert = chain[i - 1, 2]
-            v = cert.check_validity(issuer, time)
-            raise exc, "%s: cert = '%s', error = '%s'" % [
-              'Invalid Signing Chain', cert.subject, v[:desc] 
-            ] unless v[:is_valid]
-          end
+      # make sure the certificate chain is valid
+      if @verify_chain
+        # iterate down over the chain and verify each certificate against it's
+        # issuer
+        (ch_len - 1).downto(1) do |i|
+          issuer, cert = chain[i - 1, 2]
+          v = cert.check_validity(issuer, time)
+          raise exc, "%s: cert = '%s', error = '%s'" % [
+              'Invalid Signing Chain', cert.subject, v[:desc]
+          ] unless v[:is_valid]
+        end
 
-          # verify root of chain
-          if @verify_root
-            # make sure root is self-signed
-            root = chain[0]
-            raise exc, "%s: %s (subject = '%s', issuer = '%s')" % [
-              'Invalid Signing Chain Root', 
+        # verify root of chain
+        if @verify_root
+          # make sure root is self-signed
+          root = chain[0]
+          raise exc, "%s: %s (subject = '%s', issuer = '%s')" % [
+              'Invalid Signing Chain Root',
               'Subject does not match Issuer for Gem Signing Chain',
               root.subject.to_s,
               root.issuer.to_s,
-            ] unless root.issuer.to_s == root.subject.to_s
+          ] unless root.issuer.to_s == root.subject.to_s
 
-            # make sure root is valid
-            v = root.check_validity(root, time)
-            raise exc, "%s: cert = '%s', error = '%s'" % [
-              'Invalid Signing Chain Root', root.subject, v[:desc] 
-            ] unless v[:is_valid]
+          # make sure root is valid
+          v = root.check_validity(root, time)
+          raise exc, "%s: cert = '%s', error = '%s'" % [
+              'Invalid Signing Chain Root', root.subject, v[:desc]
+          ] unless v[:is_valid]
 
-            # verify that the chain root is trusted
-            if @only_trusted
-              # get digest algorithm, calculate checksum of root.subject
-              algo = @opt[:dgst_algo]
-              path = Gem::Security::Policy.trusted_cert_path(root, @opt)
+          # verify that the chain root is trusted
+          if @only_trusted
+            # get digest algorithm, calculate checksum of root.subject
+            algo = @opt[:dgst_algo]
+            path = Gem::Security::Policy.trusted_cert_path(root, @opt)
 
-              # check to make sure trusted path exists
-              raise exc, "%s: cert = '%s', error = '%s'" % [
+            # check to make sure trusted path exists
+            raise exc, "%s: cert = '%s', error = '%s'" % [
                 'Untrusted Signing Chain Root',
                 root.subject.to_s,
                 "path \"#{path}\" does not exist",
-              ] unless File.exist?(path)
+            ] unless File.exist?(path)
 
-              # load calculate digest from saved cert file
-              save_cert = OpenSSL::X509::Certificate.new(File.read(path))
-              save_dgst = algo.digest(save_cert.public_key.to_s)
+            # load calculate digest from saved cert file
+            save_cert = OpenSSL::X509::Certificate.new(File.read(path))
+            save_dgst = algo.digest(save_cert.public_key.to_s)
 
-              # create digest of public key
-              pkey_str = root.public_key.to_s
-              cert_dgst = algo.digest(pkey_str)
+            # create digest of public key
+            pkey_str = root.public_key.to_s
+            cert_dgst = algo.digest(pkey_str)
 
-              # now compare the two digests, raise exception
-              # if they don't match
-              raise exc, "%s: %s (saved = '%s', root = '%s')" % [
+            # now compare the two digests, raise exception
+            # if they don't match
+            raise exc, "%s: %s (saved = '%s', root = '%s')" % [
                 'Invalid Signing Chain Root',
                 "Saved checksum doesn't match root checksum",
                 save_dgst, cert_dgst,
-              ] unless save_dgst == cert_dgst
-            end
+            ] unless save_dgst == cert_dgst
           end
-
-          # return the signing chain
-          chain.map { |cert| cert.subject } 
         end
+
+        # return the signing chain
+        chain.map { |cert| cert.subject }
       end
     end
+  end
 
-    #
-    # No security policy: all package signature checks are disabled.
-    #
-    NoSecurity = Policy.new({
-      :verify_data      => false,
-      :verify_signer    => false,
-      :verify_chain     => false,
-      :verify_root      => false,
-      :only_trusted     => false,
-      :only_signed      => false,
-    })
+  #
+  # No security policy: all package signature checks are disabled.
+  #
+  NoSecurity = Policy.new(
+    :verify_data      => false,
+    :verify_signer    => false,
+    :verify_chain     => false,
+    :verify_root      => false,
+    :only_trusted     => false,
+    :only_signed      => false
+  )
 
-    #
-    # AlmostNo security policy: only verify that the signing certificate
-    # is the one that actually signed the data.  Make no attempt to
-    # verify the signing certificate chain.
-    #
-    # This policy is basically useless. better than nothing, but can still be easily
-    # spoofed, and is not recommended.
-    #
-    AlmostNoSecurity = Policy.new({
-      :verify_data      => true,
-      :verify_signer    => false,
-      :verify_chain     => false,
-      :verify_root      => false,
-      :only_trusted     => false,
-      :only_signed      => false,
-    })
-    
-    #
-    # Low security policy: only verify that the signing certificate is
-    # actually the gem signer, and that the signing certificate is 
-    # valid.
-    #
-    # This policy is better than nothing, but can still be easily
-    # spoofed, and is not recommended.
-    #
-    LowSecurity = Policy.new({
-      :verify_data      => true,
-      :verify_signer    => true,
-      :verify_chain     => false,
-      :verify_root      => false,
-      :only_trusted     => false,
-      :only_signed      => false,
-    })
-    
-    #
-    # Medium security policy: verify the signing certificate, verify the
-    # signing certificate chain all the way to the root certificate, and
-    # only trust root certificates that we have explicity allowed trust
-    # for.
-    #
-    # This security policy is reasonable, but it allows unsigned
-    # packages, so a malicious person could simply delete the package
-    # signature and pass the gem off as unsigned. 
-    #
-    MediumSecurity = Policy.new({
-      :verify_data      => true,
-      :verify_signer    => true,
-      :verify_chain     => true,
-      :verify_root      => true,
-      :only_trusted     => true,
-      :only_signed      => false,
-    })
-    
-    #
-    # High security policy: only allow signed gems to be installed,
-    # verify the signing certificate, verify the signing certificate
-    # chain all the way to the root certificate, and only trust root
-    # certificates that we have explicity allowed trust for.
-    #
-    # This security policy is significantly more difficult to bypass,
-    # and offers a reasonable guarantee that the contents of the gem
-    # have not been altered.
-    #
-    HighSecurity = Policy.new({
-      :verify_data      => true,
-      :verify_signer    => true,
-      :verify_chain     => true,
-      :verify_root      => true,
-      :only_trusted     => true,
-      :only_signed      => true,
-    })
-    
-    #
-    # Sign the cert cert with @signing_key and @signing_cert, using the
-    # digest algorithm opt[:dgst_algo]. Returns the newly signed
-    # certificate.
-    #
-    def self.sign_cert(cert, signing_key, signing_cert, opt = {})
-      opt = OPT.merge(opt)
+  #
+  # AlmostNo security policy: only verify that the signing certificate is the
+  # one that actually signed the data.  Make no attempt to verify the signing
+  # certificate chain.
+  #
+  # This policy is basically useless. better than nothing, but can still be
+  # easily spoofed, and is not recommended.
+  #
+  AlmostNoSecurity = Policy.new(
+    :verify_data      => true,
+    :verify_signer    => false,
+    :verify_chain     => false,
+    :verify_root      => false,
+    :only_trusted     => false,
+    :only_signed      => false
+  )
 
-      # set up issuer information
-      cert.issuer = signing_cert.subject
-      cert.sign(signing_key, opt[:dgst_algo].new)
+  #
+  # Low security policy: only verify that the signing certificate is actually
+  # the gem signer, and that the signing certificate is valid.
+  #
+  # This policy is better than nothing, but can still be easily spoofed, and
+  # is not recommended.
+  #
+  LowSecurity = Policy.new(
+    :verify_data      => true,
+    :verify_signer    => true,
+    :verify_chain     => false,
+    :verify_root      => false,
+    :only_trusted     => false,
+    :only_signed      => false
+  )
 
-      cert
-    end
-    
-    #
-    # Make sure the trust directory exists.  If it does exist, make sure
-    # it's actually a directory.  If not, then create it with the
-    # appropriate permissions.
-    #
-    def self.verify_trust_dir(path, perms)
-      # if the directory exists, then make sure it is in fact a
-      # directory.  if it doesn't exist, then create it with the
-      # appropriate permissions
-      if File.exist?(path)
-        # verify that the trust directory is actually a directory
-        unless File.directory?(path)
-          err = "trust directory #{path} isn't a directory"
-          raise Gem::Security::Exception, err
-        end
-      else
-        # trust directory doesn't exist, so create it with 
-        # permissions
-        FileUtils.mkdir_p(path)
-        FileUtils.chmod(perms, path)
+  #
+  # Medium security policy: verify the signing certificate, verify the signing
+  # certificate chain all the way to the root certificate, and only trust root
+  # certificates that we have explicity allowed trust for.
+  #
+  # This security policy is reasonable, but it allows unsigned packages, so a
+  # malicious person could simply delete the package signature and pass the
+  # gem off as unsigned.
+  #
+  MediumSecurity = Policy.new(
+    :verify_data      => true,
+    :verify_signer    => true,
+    :verify_chain     => true,
+    :verify_root      => true,
+    :only_trusted     => true,
+    :only_signed      => false
+  )
+
+  #
+  # High security policy: only allow signed gems to be installed, verify the
+  # signing certificate, verify the signing certificate chain all the way to
+  # the root certificate, and only trust root certificates that we have
+  # explicity allowed trust for.
+  #
+  # This security policy is significantly more difficult to bypass, and offers
+  # a reasonable guarantee that the contents of the gem have not been altered.
+  #
+  HighSecurity = Policy.new(
+    :verify_data      => true,
+    :verify_signer    => true,
+    :verify_chain     => true,
+    :verify_root      => true,
+    :only_trusted     => true,
+    :only_signed      => true
+  )
+
+  #
+  # Hash of configured security policies
+  #
+  Policies = {
+    'NoSecurity'       => NoSecurity,
+    'AlmostNoSecurity' => AlmostNoSecurity,
+    'LowSecurity'      => LowSecurity,
+    'MediumSecurity'   => MediumSecurity,
+    'HighSecurity'     => HighSecurity,
+  }
+
+  #
+  # Sign the cert cert with @signing_key and @signing_cert, using the digest
+  # algorithm opt[:dgst_algo]. Returns the newly signed certificate.
+  #
+  def self.sign_cert(cert, signing_key, signing_cert, opt = {})
+    opt = OPT.merge(opt)
+
+    # set up issuer information
+    cert.issuer = signing_cert.subject
+    cert.sign(signing_key, opt[:dgst_algo].new)
+
+    cert
+  end
+
+  #
+  # Make sure the trust directory exists.  If it does exist, make sure it's
+  # actually a directory.  If not, then create it with the appropriate
+  # permissions.
+  #
+  def self.verify_trust_dir(path, perms)
+    # if the directory exists, then make sure it is in fact a directory.  if
+    # it doesn't exist, then create it with the appropriate permissions
+    if File.exist?(path)
+      # verify that the trust directory is actually a directory
+      unless File.directory?(path)
+        err = "trust directory #{path} isn't a directory"
+        raise Gem::Security::Exception, err
       end
+    else
+      # trust directory doesn't exist, so create it with permissions
+      FileUtils.mkdir_p(path)
+      FileUtils.chmod(perms, path)
     end
+  end
 
-    #
-    # Build a certificate from the given DN and private key.
-    # 
-    def self.build_cert(name, key, opt = {})
-      Gem.ensure_ssl_available
-      opt = OPT.merge(opt)
-
-      # create new cert
-      ret = OpenSSL::X509::Certificate.new
-
-      # populate cert attributes
-      ret.version = 2
-      ret.serial = 0
-      ret.public_key = key.public_key
-      ret.not_before = Time.now
-      ret.not_after = Time.now + opt[:cert_age]
-      ret.subject = name
-
-      # add certificate extensions
-      ef = OpenSSL::X509::ExtensionFactory.new(nil, ret)
-      ret.extensions = opt[:cert_exts].map { |k, v| ef.create_extension(k, v) }
-        
-      # sign cert
-      i_key, i_cert = opt[:issuer_key] || key, opt[:issuer_cert] || ret
-      ret = sign_cert(ret, i_key, i_cert, opt)
-        
-      # return cert
-      ret
-    end
+  #
+  # Build a certificate from the given DN and private key.
+  #
+  def self.build_cert(name, key, opt = {})
+    Gem.ensure_ssl_available
+    opt = OPT.merge(opt)
+
+    # create new cert
+    ret = OpenSSL::X509::Certificate.new
+
+    # populate cert attributes
+    ret.version = 2
+    ret.serial = 0
+    ret.public_key = key.public_key
+    ret.not_before = Time.now
+    ret.not_after = Time.now + opt[:cert_age]
+    ret.subject = name
+
+    # add certificate extensions
+    ef = OpenSSL::X509::ExtensionFactory.new(nil, ret)
+    ret.extensions = opt[:cert_exts].map { |k, v| ef.create_extension(k, v) }
+
+    # sign cert
+    i_key, i_cert = opt[:issuer_key] || key, opt[:issuer_cert] || ret
+    ret = sign_cert(ret, i_key, i_cert, opt)
+
+    # return cert
+    ret
+  end
 
-    #
-    # Build a self-signed certificate for the given email address.
-    #
-    def self.build_self_signed_cert(email_addr, opt = {})
-      Gem.ensure_ssl_available
-      opt = OPT.merge(opt)
-      path = { :key => nil, :cert => nil }
-
-      # split email address up
-      cn, dcs = email_addr.split('@')
-      dcs = dcs.split('.')
-
-      # munge email CN and DCs
-      cn = cn.gsub(opt[:munge_re], '_')
-      dcs = dcs.map { |dc| dc.gsub(opt[:munge_re], '_') }
-      
-      # create DN
-      name = "CN=#{cn}/" << dcs.map { |dc| "DC=#{dc}" }.join('/')
-      name = OpenSSL::X509::Name::parse(name)
-
-      # build private key
-      key = opt[:key_algo].new(opt[:key_size])
-
-      # method name pretty much says it all :)
-      verify_trust_dir(opt[:trust_dir], opt[:perms][:trust_dir])
-
-      # if we're saving the key, then write it out
-      if opt[:save_key]
-        path[:key] = opt[:save_key_path] || (opt[:output_fmt] % 'private_key')
-        File.open(path[:key], 'wb') do |file| 
-          file.chmod(opt[:perms][:signing_key])
-          file.write(key.to_pem) 
-        end
-      end
-      
-      # build self-signed public cert from key
-      cert = build_cert(name, key, opt)
-
-      # if we're saving the cert, then write it out
-      if opt[:save_cert]
-        path[:cert] = opt[:save_cert_path] || (opt[:output_fmt] % 'public_cert')
-        File.open(path[:cert], 'wb') do |file| 
-          file.chmod(opt[:perms][:signing_cert])
-          file.write(cert.to_pem)
-        end
+  #
+  # Build a self-signed certificate for the given email address.
+  #
+  def self.build_self_signed_cert(email_addr, opt = {})
+    Gem.ensure_ssl_available
+    opt = OPT.merge(opt)
+    path = { :key => nil, :cert => nil }
+
+    # split email address up
+    cn, dcs = email_addr.split('@')
+    dcs = dcs.split('.')
+
+    # munge email CN and DCs
+    cn = cn.gsub(opt[:munge_re], '_')
+    dcs = dcs.map { |dc| dc.gsub(opt[:munge_re], '_') }
+
+    # create DN
+    name = "CN=#{cn}/" << dcs.map { |dc| "DC=#{dc}" }.join('/')
+    name = OpenSSL::X509::Name::parse(name)
+
+    # build private key
+    key = opt[:key_algo].new(opt[:key_size])
+
+    # method name pretty much says it all :)
+    verify_trust_dir(opt[:trust_dir], opt[:perms][:trust_dir])
+
+    # if we're saving the key, then write it out
+    if opt[:save_key]
+      path[:key] = opt[:save_key_path] || (opt[:output_fmt] % 'private_key')
+      File.open(path[:key], 'wb') do |file|
+        file.chmod(opt[:perms][:signing_key])
+        file.write(key.to_pem)
       end
+    end
+
+    # build self-signed public cert from key
+    cert = build_cert(name, key, opt)
 
-      # return key, cert, and paths (if applicable)
-      { :key => key, :cert => cert, 
-        :key_path => path[:key], :cert_path => path[:cert] }
+    # if we're saving the cert, then write it out
+    if opt[:save_cert]
+      path[:cert] = opt[:save_cert_path] || (opt[:output_fmt] % 'public_cert')
+      File.open(path[:cert], 'wb') do |file|
+        file.chmod(opt[:perms][:signing_cert])
+        file.write(cert.to_pem)
+      end
     end
 
-    #
-    # Add certificate to trusted cert list.
-    #
-    # Note: At the moment these are stored in OPT[:trust_dir], although
-    # that directory may change in the future.
-    #
-    def self.add_trusted_cert(cert, opt = {})
-      opt = OPT.merge(opt)
+    # return key, cert, and paths (if applicable)
+    { :key => key, :cert => cert,
+      :key_path => path[:key], :cert_path => path[:cert] }
+  end
 
-      # get destination path 
-      path = Gem::Security::Policy.trusted_cert_path(cert, opt)
+  #
+  # Add certificate to trusted cert list.
+  #
+  # Note: At the moment these are stored in OPT[:trust_dir], although that
+  # directory may change in the future.
+  #
+  def self.add_trusted_cert(cert, opt = {})
+    opt = OPT.merge(opt)
 
-      # verify trust directory (can't write to nowhere, you know)
-      verify_trust_dir(opt[:trust_dir], opt[:perms][:trust_dir])
+    # get destination path
+    path = Gem::Security::Policy.trusted_cert_path(cert, opt)
 
-      # write cert to output file
-      File.open(path, 'wb') do |file| 
-        file.chmod(opt[:perms][:trusted_cert])
-        file.write(cert.to_pem)
-      end
+    # verify trust directory (can't write to nowhere, you know)
+    verify_trust_dir(opt[:trust_dir], opt[:perms][:trust_dir])
 
-      # return nil
-      nil
+    # write cert to output file
+    File.open(path, 'wb') do |file|
+      file.chmod(opt[:perms][:trusted_cert])
+      file.write(cert.to_pem)
     end
 
-    #
-    # Basic OpenSSL-based package signing class.
-    # 
-    class Signer
-      attr_accessor :key, :cert_chain
-
-      def initialize(key, cert_chain)
-        Gem.ensure_ssl_available
-        @algo = Gem::Security::OPT[:dgst_algo]
-        @key, @cert_chain = key, cert_chain
-        
-        # check key, if it's a file, and if it's key, leave it alone
-        if @key && !@key.kind_of?(OpenSSL::PKey::PKey)
-          @key = OpenSSL::PKey::RSA.new(File.read(@key))
-        end
+    # return nil
+    nil
+  end
 
-        # check cert chain, if it's a file, load it, if it's cert data, convert
-        # it into a cert object, and if it's a cert object, leave it alone
-        if @cert_chain
-          @cert_chain = @cert_chain.map do |cert|
-            # check cert, if it's a file, load it, if it's cert data,
-            # convert it into a cert object, and if it's a cert object,
-            # leave it alone
-            if cert && !cert.kind_of?(OpenSSL::X509::Certificate)
-              cert = File.read(cert) if File::exist?(cert)
-              cert = OpenSSL::X509::Certificate.new(cert)
-            end
-            cert
-          end
-        end
+  #
+  # Basic OpenSSL-based package signing class.
+  #
+  class Signer
+    attr_accessor :key, :cert_chain
+
+    def initialize(key, cert_chain)
+      Gem.ensure_ssl_available
+      @algo = Gem::Security::OPT[:dgst_algo]
+      @key, @cert_chain = key, cert_chain
+
+      # check key, if it's a file, and if it's key, leave it alone
+      if @key && !@key.kind_of?(OpenSSL::PKey::PKey)
+        @key = OpenSSL::PKey::RSA.new(File.read(@key))
       end
 
-      #
-      # Sign data with given digest algorithm
-      #
-      def sign(data)
-        @key.sign(@algo.new, data)
+      # check cert chain, if it's a file, load it, if it's cert data, convert
+      # it into a cert object, and if it's a cert object, leave it alone
+      if @cert_chain
+        @cert_chain = @cert_chain.map do |cert|
+          # check cert, if it's a file, load it, if it's cert data, convert it
+          # into a cert object, and if it's a cert object, leave it alone
+          if cert && !cert.kind_of?(OpenSSL::X509::Certificate)
+            cert = File.read(cert) if File::exist?(cert)
+            cert = OpenSSL::X509::Certificate.new(cert)
+          end
+          cert
+        end
       end
+    end
 
-      # moved to security policy (see above)
-      # def verify(sig, data)
-      #  @cert.public_key.verify(@algo.new, sig, data)
-      # end
+    #
+    # Sign data with given digest algorithm
+    #
+    def sign(data)
+      @key.sign(@algo.new, data)
     end
+
   end
 end
+