Stop using deprecated OpenSSL::Digest constants

Merged: https://github.com/ruby/ruby/pull/3379

lib/rubygems/package.rb

@@ -358,12 +358,7 @@ EOM
                  end
 
     algorithms.each do |algorithm|
-      digester =
+      digester = Gem::Security.create_digest(algorithm)
-        if defined?(OpenSSL::Digest)
-          OpenSSL::Digest.new algorithm
-        else
-          Digest.const_get(algorithm).new
-        end
 
       digester << entry.read(16384) until entry.eof?
 

lib/rubygems/package/tar_writer.rb

@@ -140,8 +140,7 @@ class Gem::Package::TarWriter
         if digest.respond_to? :name
           digest.name
         else
-          /::([^:]+)$/ =~ digest_algorithm.name
+          digest_algorithm.class.name[/::([^:]+)\z/, 1]
-          $1
         end
 
       [digest_name, digest]
@@ -169,7 +168,7 @@ class Gem::Package::TarWriter
   def add_file_signed(name, mode, signer)
     digest_algorithms = [
       signer.digest_algorithm,
-      Digest::SHA512,
+      Digest::SHA512.new,
     ].compact.uniq
 
     digests = add_file_digest name, mode, digest_algorithms do |io|

lib/rubygems/security.rb

@@ -338,27 +338,16 @@ module Gem::Security
 
   class Exception < Gem::Exception; end
 
-  ##
-  # Digest algorithm used to sign gems
-
-  DIGEST_ALGORITHM =
-    if defined?(OpenSSL::Digest::SHA256)
-      OpenSSL::Digest::SHA256
-    elsif defined?(OpenSSL::Digest::SHA1)
-      OpenSSL::Digest::SHA1
-    else
-      require 'digest'
-      Digest::SHA512
-    end
-
   ##
   # Used internally to select the signing digest from all computed digests
 
   DIGEST_NAME = # :nodoc:
-    if DIGEST_ALGORITHM.method_defined? :name
+    if defined?(OpenSSL::Digest::SHA256)
-      DIGEST_ALGORITHM.new.name
+      'SHA256'
+    elsif defined?(OpenSSL::Digest::SHA1)
+      'SHA1'
     else
-      DIGEST_ALGORITHM.name[/::([^:]+)\z/, 1]
+      'SHA512'
     end
 
   ##
@@ -467,6 +456,22 @@ module Gem::Security
     sign certificate, key, certificate, age, extensions, serial
   end
 
+  ##
+  # Creates a new digest instance using the specified +algorithm+. The default
+  # is SHA256.
+
+  if defined?(OpenSSL::Digest)
+    def self.create_digest(algorithm = DIGEST_NAME)
+      OpenSSL::Digest.new(algorithm)
+    end
+  else
+    require 'digest'
+
+    def self.create_digest(algorithm = DIGEST_NAME)
+      Digest.const_get(algorithm).new
+    end
+  end
+
   ##
   # Creates a new key pair of the specified +length+ and +algorithm+.  The
   # default is a 3072 bit RSA key.
@@ -528,7 +533,7 @@ module Gem::Security
 
   ##
   # Sign the public key from +certificate+ with the +signing_key+ and
-  # +signing_cert+, using the Gem::Security::DIGEST_ALGORITHM.  Uses the
+  # +signing_cert+, using the Gem::Security::DIGEST_NAME.  Uses the
   # default certificate validity range and extensions.
   #
   # Returns the newly signed certificate.
@@ -555,7 +560,7 @@ module Gem::Security
     signed = create_cert signee_subject, signee_key, age, extensions, serial
     signed.issuer = signing_cert.subject
 
-    signed.sign signing_key, Gem::Security::DIGEST_ALGORITHM.new
+    signed.sign signing_key, Gem::Security::DIGEST_NAME
   end
 
   ##

lib/rubygems/security/policy.rb

@@ -75,7 +75,7 @@ class Gem::Security::Policy
 
   def check_data(public_key, digest, signature, data)
     raise Gem::Security::Exception, "invalid signature" unless
-      public_key.verify digest.new, signature, data.digest
+      public_key.verify digest, signature, data.digest
 
     true
   end
@@ -223,7 +223,7 @@ class Gem::Security::Policy
     end
 
     opt       = @opt
-    digester  = Gem::Security::DIGEST_ALGORITHM
+    digester  = Gem::Security.create_digest
     trust_dir = opt[:trust_dir]
     time      = Time.now
 

lib/rubygems/security/signer.rb

@@ -80,8 +80,8 @@ class Gem::Security::Signer
       @cert_chain = [default_cert] if File.exist? default_cert
     end
 
-    @digest_algorithm = Gem::Security::DIGEST_ALGORITHM
     @digest_name      = Gem::Security::DIGEST_NAME
+    @digest_algorithm = Gem::Security.create_digest(@digest_name)
 
     if @key && !@key.is_a?(OpenSSL::PKey::RSA)
       @key = OpenSSL::PKey::RSA.new(File.read(@key), @passphrase)

lib/rubygems/security/trust_dir.rb

@@ -25,7 +25,7 @@ class Gem::Security::TrustDir
     @dir = dir
     @permissions = permissions
 
-    @digester = Gem::Security::DIGEST_ALGORITHM
+    @digester = Gem::Security.create_digest
   end
 
   ##

test/rubygems/test_gem_package.rb

@@ -1018,7 +1018,7 @@ class TestGemPackage < Gem::Package::TarTestCase
         bogus_data = Gem::Util.gzip 'hello'
         fake_signer = Class.new do
           def digest_name; 'SHA512'; end
-          def digest_algorithm; Digest(:SHA512); end
+          def digest_algorithm; Digest(:SHA512).new; end
           def key; 'key'; end
           def sign(*); 'fake_sig'; end
         end

test/rubygems/test_gem_package_tar_writer.rb

@@ -71,7 +71,7 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase
   end
 
   def test_add_file_digest
-    digest_algorithms = Digest::SHA1, Digest::SHA512
+    digest_algorithms = Digest::SHA1.new, Digest::SHA512.new
 
     Time.stub :now, Time.at(1458518157) do
       digests = @tar_writer.add_file_digest 'x', 0644, digest_algorithms do |io|
@@ -94,7 +94,7 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase
   end
 
   def test_add_file_digest_multiple
-    digest_algorithms = [Digest::SHA1, Digest::SHA512]
+    digest_algorithms = [Digest::SHA1.new, Digest::SHA512.new]
 
     Time.stub :now, Time.at(1458518157) do
       digests = @tar_writer.add_file_digest 'x', 0644, digest_algorithms do |io|

test/rubygems/test_gem_security_policy.rb

@@ -32,7 +32,7 @@ class TestGemSecurityPolicy < Gem::TestCase
       s.files = %w[lib/code.rb]
     end
 
-    @digest = Gem::Security::DIGEST_ALGORITHM
+    @digest = OpenSSL::Digest.new Gem::Security::DIGEST_NAME
     @trust_dir = Gem::Security.trust_dir.dir # HACK use the object
 
     @no        = Gem::Security::NoSecurity
@@ -395,13 +395,11 @@ class TestGemSecurityPolicy < Gem::TestCase
   def test_verify_wrong_digest_type
     Gem::Security.trust_dir.trust_cert PUBLIC_CERT
 
-    sha512 = OpenSSL::Digest::SHA512
+    data = OpenSSL::Digest.new('SHA512')
-
-    data = sha512.new
     data << 'hello'
 
     digests    = { 'SHA512' => { 0 => data } }
-    signature  = PRIVATE_KEY.sign sha512.new, data.digest
+    signature  = PRIVATE_KEY.sign 'sha512', data.digest
     signatures = { 0 => signature }
 
     e = assert_raises Gem::Security::Exception do
@@ -480,7 +478,7 @@ class TestGemSecurityPolicy < Gem::TestCase
     def s.full_name() 'metadata.gz' end
 
     digests = package.digest s
-    digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.new 'hello'
+    digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.hexdigest 'hello'
 
     metadata_gz_digest = digests[Gem::Security::DIGEST_NAME]['metadata.gz']
 
@@ -509,7 +507,7 @@ class TestGemSecurityPolicy < Gem::TestCase
     def s.full_name() 'metadata.gz' end
 
     digests = package.digest s
-    digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.new 'hello'
+    digests[Gem::Security::DIGEST_NAME]['data.tar.gz'] = @digest.hexdigest 'hello'
 
     assert_raises Gem::Security::Exception do
       @high.verify_signatures @spec, digests, {}

test/rubygems/test_gem_security_trust_dir.rb

@@ -17,7 +17,7 @@ class TestGemSecurityTrustDir < Gem::TestCase
   end
 
   def test_cert_path
-    digest = Gem::Security::DIGEST_ALGORITHM.hexdigest PUBLIC_CERT.subject.to_s
+    digest = OpenSSL::Digest.hexdigest Gem::Security::DIGEST_NAME, PUBLIC_CERT.subject.to_s
 
     expected = File.join @dest_dir, "cert-#{digest}.pem"
 
@@ -41,7 +41,7 @@ class TestGemSecurityTrustDir < Gem::TestCase
   end
 
   def test_name_path
-    digest = Gem::Security::DIGEST_ALGORITHM.hexdigest PUBLIC_CERT.subject.to_s
+    digest = OpenSSL::Digest.hexdigest Gem::Security::DIGEST_NAME, PUBLIC_CERT.subject.to_s
 
     expected = File.join @dest_dir, "cert-#{digest}.pem"