diff options
author | Diego Louzán <diego.louzan.ext@siemens.com> | 2019-07-10 22:40:28 +0300 |
---|---|---|
committer | Diego Louzán <diego.louzan.ext@siemens.com> | 2019-08-20 17:13:32 +0300 |
commit | 0dcb9d21efc1db97765d82ee39a0f0905ba945ba (patch) | |
tree | 48b0fa42bbe0186e28758ba496f45ef11972aed6 /lib/gitlab/email/smime | |
parent | d8966abd20c860d2f30141f3647f2b81f70b683d (diff) |
feat: SMIME signed notification emails
- Add mail interceptor the signs outgoing email with SMIME
- Add lib and helpers to work with SMIME data
- New configuration params for setting up SMIME key and cert files
Diffstat (limited to 'lib/gitlab/email/smime')
-rw-r--r-- | lib/gitlab/email/smime/certificate.rb | 36 | ||||
-rw-r--r-- | lib/gitlab/email/smime/signer.rb | 29 |
2 files changed, 65 insertions, 0 deletions
diff --git a/lib/gitlab/email/smime/certificate.rb b/lib/gitlab/email/smime/certificate.rb new file mode 100644 index 00000000000..b331c4ca19c --- /dev/null +++ b/lib/gitlab/email/smime/certificate.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +module Gitlab + module Email + module Smime + class Certificate + include OpenSSL + + attr_reader :key, :cert + + def key_string + @key.to_s + end + + def cert_string + @cert.to_pem + end + + def self.from_strings(key_string, cert_string) + key = PKey::RSA.new(key_string) + cert = X509::Certificate.new(cert_string) + new(key, cert) + end + + def self.from_files(key_path, cert_path) + from_strings(File.read(key_path), File.read(cert_path)) + end + + def initialize(key, cert) + @key = key + @cert = cert + end + end + end + end +end diff --git a/lib/gitlab/email/smime/signer.rb b/lib/gitlab/email/smime/signer.rb new file mode 100644 index 00000000000..2fa83014003 --- /dev/null +++ b/lib/gitlab/email/smime/signer.rb @@ -0,0 +1,29 @@ +# frozen_string_literal: true + +require 'openssl' + +module Gitlab + module Email + module Smime + # Tooling for signing and verifying data with SMIME + class Signer + include OpenSSL + + def self.sign(cert:, key:, data:) + signed_data = PKCS7.sign(cert, key, data, nil, PKCS7::DETACHED) + PKCS7.write_smime(signed_data) + end + + # return nil if data cannot be verified, otherwise the signed content data + def self.verify_signature(cert:, ca_cert: nil, signed_data:) + store = X509::Store.new + store.set_default_paths + store.add_cert(ca_cert) if ca_cert + + signed_smime = PKCS7.read_smime(signed_data) + signed_smime if signed_smime.verify([cert], store) + end + end + end + end +end |