Add support for CRL

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index d3510c51716d9e865ad910265208dd8500e2e2da..58a91bb7972f2d434dea77d42eff3ac8ad8a4f05 100644 (file)
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@@ -253,11 +253,31 @@ class Installer {
                $apps = $appFetcher->get();
                foreach($apps as $app) {
                        if($app['id'] === $appId) {
+                               // Load the certificate
+                               $certificate = new X509();
+                               $certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+                               $loadedCertificate = $certificate->loadX509($app['certificate']);
+
+                               // Verify if the certificate has been revoked
+                               $crl = new X509();
+                               $crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+                               $crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
+                               if($crl->validateSignature() !== true) {
+                                       throw new \Exception('Could not validate CRL signature');
+                               }
+                               $csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
+                               $revoked = $crl->getRevoked($csn);
+                               if ($revoked !== false) {
+                                       throw new \Exception(
+                                               sprintf(
+                                                       'Certificate "%s" has been revoked',
+                                                       $csn
+                                               )
+                                       );
+                               }
+
                                // Verify if the certificate has been issued by the Nextcloud Code Authority CA
-                               $x509 = new X509();
-                               $x509->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
-                               $x509->loadX509($app['certificate']);
-                               if($x509->validateSignature() !== true) {
+                               if($certificate->validateSignature() !== true) {
                                        throw new \Exception(
                                                sprintf(
                                                        'App with id %s has a certificate not issued by a trusted Code Signing Authority',

diff --git a/resources/codesigning/root.crl b/resources/codesigning/root.crl
new file mode 100644 (file)
index 0000000..cb1b97f
--- /dev/null
+++ b/resources/codesigning/root.crl
@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----
+MIICDTCB9gIBATANBgkqhkiG9w0BAQsFADB7MQswCQYDVQQGEwJERTEbMBkGA1UE
+CAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRcwFQYDVQQKDA5OZXh0Y2xvdWQgR21iSDE2
+MDQGA1UEAwwtTmV4dGNsb3VkIENvZGUgU2lnbmluZyBJbnRlcm1lZGlhdGUgQXV0
+aG9yaXR5Fw0xNjEwMTcxMjA5MjhaFw0yNjA4MjYxMjA5MjhaMBUwEwICEBAXDTE2
+MTAxNzEyMDkxOVqgMDAuMB8GA1UdIwQYMBaAFG3qbqqpNyw8iS0XPv1G7sOeeO10
+MAsGA1UdFAQEAgIQAzANBgkqhkiG9w0BAQsFAAOCAQEAZGJNwERFseCv6cS6bfmq
+hIIqHieG+/mp4kjqtk4mg8CEYZq/M0q2DMjh7xZUuflV3wadqTCDunDXoyUIV36K
+TwLsrREKGFqpSDsVgnX6IYeG0Sf7rnV5PYD2ODWfXrjp3yU7/Jgc2qjco11X5psV
+uUnqGDU7DoMwFB6GTTRXfjpCKn8SUtuETAEN013Ii6xXsfCJQTjzQaZByz/Xbypr
+sPfotQRfpAhhfjowK5B2ESjXePdNuFlPEAJ114HDJrI89dndIzus95N+3q2sm80T
+TFwdooAghAvVmABADC3GQ9bvQb9CUC14DQZJWesy/ps64fgKdXcnBhsX9uPJ7Fdb
+hQ==
+-----END X509 CRL-----
\ No newline at end of file