Module: Gem::PqTlsPolicy::CertificateSignature
- Defined in:
- lib/rubygems_pq_tls_policy/certificate_signature.rb
Defined Under Namespace
Classes: Verdict
Constant Summary collapse
- ML_DSA_SIGNATURES =
{ "2.16.840.1.101.3.4.3.17" => "ML-DSA-44", "2.16.840.1.101.3.4.3.18" => "ML-DSA-65", "2.16.840.1.101.3.4.3.19" => "ML-DSA-87", "ML-DSA-44" => "ML-DSA-44", "ML-DSA-65" => "ML-DSA-65", "ML-DSA-87" => "ML-DSA-87" }.freeze
Class Method Summary collapse
- .evaluate(chain, config) ⇒ Object
- .normalized_signature_algorithm(cert, allowed:) ⇒ Object
- .observed_signature_algorithm(cert) ⇒ Object
- .pq_signature?(cert, allowed:) ⇒ Boolean
- .signature_oid(cert) ⇒ Object
Class Method Details
.evaluate(chain, config) ⇒ Object
23 24 25 26 27 28 29 30 31 32 33 |
# File 'lib/rubygems_pq_tls_policy/certificate_signature.rb', line 23 def evaluate(chain, config) certs = Array(chain).compact results = certs.map { |cert| inspect_certificate(cert, config.allowed_cert_signature_algorithms) } selected_results = select_results(results, config.cert_signature_scope) Verdict.new( scope: config.cert_signature_scope, algorithms: results.map { |result| result[:observed] }, compliant: compliant?(selected_results, config.cert_signature_scope) ) end |
.normalized_signature_algorithm(cert, allowed:) ⇒ Object
39 40 41 42 43 44 45 46 47 48 |
# File 'lib/rubygems_pq_tls_policy/certificate_signature.rb', line 39 def normalized_signature_algorithm(cert, allowed:) allowed = allowed.map(&:to_s) observed = [safe_signature_algorithm(cert), signature_oid(cert)].compact observed.each do |algorithm| normalized = ML_DSA_SIGNATURES[algorithm] || algorithm return normalized if allowed.include?(normalized) || allowed.include?(algorithm) end nil end |
.observed_signature_algorithm(cert) ⇒ Object
57 58 59 |
# File 'lib/rubygems_pq_tls_policy/certificate_signature.rb', line 57 def observed_signature_algorithm(cert) safe_signature_algorithm(cert) || signature_oid(cert) || "unknown" end |
.pq_signature?(cert, allowed:) ⇒ Boolean
35 36 37 |
# File 'lib/rubygems_pq_tls_policy/certificate_signature.rb', line 35 def pq_signature?(cert, allowed:) normalized_signature_algorithm(cert, allowed: allowed) != nil end |
.signature_oid(cert) ⇒ Object
50 51 52 53 54 55 |
# File 'lib/rubygems_pq_tls_policy/certificate_signature.rb', line 50 def signature_oid(cert) asn1 = OpenSSL::ASN1.decode(cert.to_der) asn1.value[1].value[0].oid rescue StandardError nil end |