Add support for CRL
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Lukas Reschke
9 years ago
2 changed files with
38 additions and
4 deletions
-
lib/private/Installer.php
-
resources/codesigning/root.crl
@ -253,11 +253,31 @@ class Installer { |
|
|
|
$apps = $appFetcher->get(); |
|
|
|
foreach($apps as $app) { |
|
|
|
if($app['id'] === $appId) { |
|
|
|
// Load the certificate
|
|
|
|
$certificate = new X509(); |
|
|
|
$certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); |
|
|
|
$loadedCertificate = $certificate->loadX509($app['certificate']); |
|
|
|
|
|
|
|
// Verify if the certificate has been revoked
|
|
|
|
$crl = new X509(); |
|
|
|
$crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); |
|
|
|
$crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl')); |
|
|
|
if($crl->validateSignature() !== true) { |
|
|
|
throw new \Exception('Could not validate CRL signature'); |
|
|
|
} |
|
|
|
$csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString(); |
|
|
|
$revoked = $crl->getRevoked($csn); |
|
|
|
if ($revoked !== false) { |
|
|
|
throw new \Exception( |
|
|
|
sprintf( |
|
|
|
'Certificate "%s" has been revoked', |
|
|
|
$csn |
|
|
|
) |
|
|
|
); |
|
|
|
} |
|
|
|
|
|
|
|
// Verify if the certificate has been issued by the Nextcloud Code Authority CA
|
|
|
|
$x509 = new X509(); |
|
|
|
$x509->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); |
|
|
|
$x509->loadX509($app['certificate']); |
|
|
|
if($x509->validateSignature() !== true) { |
|
|
|
if($certificate->validateSignature() !== true) { |
|
|
|
throw new \Exception( |
|
|
|
sprintf( |
|
|
|
'App with id %s has a certificate not issued by a trusted Code Signing Authority', |
|
|
|
|
|
|
|
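Review bot: `$loadedCertificate['tbsCertificate']['serialNumber']->toString()` is dereferenced before anything confirms that `loadX509()` actually parsed `$app['certificate']`; phpseclib's `loadX509()` returns `false` on a malformed certificate, so a bad value from the app fetcher would surface as a "member function on null" error instead of the `\Exception` the surrounding code throws, and the guard belongs right after the load, `if ($loadedCertificate === false) { throw new \Exception(sprintf('App with id %s has an unparsable certificate', $appId)); }`. The revocation lookup also runs before `$certificate->validateSignature()` confirms the certificate was issued by the trusted CA, so the serial being looked up comes from a not-yet-trusted certificate; moving the CRL block after that check keeps the trust decisions in chain order and makes the revocation result meaningful. `root.crt` is read from disk three times in this hunk and could be read once into a local. `validateSignature()` on the CRL says nothing about freshness: the bundled CRL carries a `nextUpdate`, and nothing here compares it with the current time, so either check that field or document that the CRL is refreshed with each release. The enclosing method ends outside the hunk.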
@ -0,0 +1,14 @@ |
|
|
|
-----BEGIN X509 CRL----- |
|
|
|
MIICDTCB9gIBATANBgkqhkiG9w0BAQsFADB7MQswCQYDVQQGEwJERTEbMBkGA1UE |
|
|
|
CAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRcwFQYDVQQKDA5OZXh0Y2xvdWQgR21iSDE2 |
|
|
|
MDQGA1UEAwwtTmV4dGNsb3VkIENvZGUgU2lnbmluZyBJbnRlcm1lZGlhdGUgQXV0 |
|
|
|
aG9yaXR5Fw0xNjEwMTcxMjA5MjhaFw0yNjA4MjYxMjA5MjhaMBUwEwICEBAXDTE2 |
|
|
|
MTAxNzEyMDkxOVqgMDAuMB8GA1UdIwQYMBaAFG3qbqqpNyw8iS0XPv1G7sOeeO10 |
|
|
|
MAsGA1UdFAQEAgIQAzANBgkqhkiG9w0BAQsFAAOCAQEAZGJNwERFseCv6cS6bfmq |
|
|
|
hIIqHieG+/mp4kjqtk4mg8CEYZq/M0q2DMjh7xZUuflV3wadqTCDunDXoyUIV36K |
|
|
|
TwLsrREKGFqpSDsVgnX6IYeG0Sf7rnV5PYD2ODWfXrjp3yU7/Jgc2qjco11X5psV |
|
|
|
uUnqGDU7DoMwFB6GTTRXfjpCKn8SUtuETAEN013Ii6xXsfCJQTjzQaZByz/Xbypr |
|
|
|
sPfotQRfpAhhfjowK5B2ESjXePdNuFlPEAJ114HDJrI89dndIzus95N+3q2sm80T |
|
|
|
TFwdooAghAvVmABADC3GQ9bvQb9CUC14DQZJWesy/ps64fgKdXcnBhsX9uPJ7Fdb |
|
|
|
hQ== |
|
|
|
-----END X509 CRL----- |