Fix intergrity checker
authorRoeland Jago Douma <roeland@famdouma.nl>
Wed, 31 Aug 2016 14:34:48 +0000 (16:34 +0200)
committerLukas Reschke <lukas@statuscode.ch>
Wed, 7 Sep 2016 20:09:29 +0000 (22:09 +0200)
* Set salt length to 0
  See https://tools.ietf.org/html/rfc3447#page-38
* Fix tests for new phpunit

lib/private/IntegrityCheck/Checker.php

index e6eeaec73497db5e34445ff0219ea872cb722574..1db20772b4ea918e2da355d056bf3bd758103a8c 100644 (file)
@@ -249,6 +249,8 @@ class Checker {
 
                $privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
                $privateKey->setMGFHash('sha512');
+               // See https://tools.ietf.org/html/rfc3447#page-38
+               $privateKey->setSaltLength(0);
                $signature = $privateKey->sign(json_encode($hashes));
 
                return [
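Review bot: The comment added above `$privateKey->setSaltLength(0);` only links to RFC 3447 and does not say why zero was chosen or that the value is now part of the signature format. The third hunk adds the same call on the verification side (`$rsa->setSaltLength(0);`), so the two must stay in step. A PSS verifier normally checks the salt length it is configured with, so signatures made with a different salt length would presumably stop verifying after this change; that is worth confirming against already-issued signatures. A zero-length salt also makes PSS signing deterministic, which should be recorded as a deliberate decision. I would replace the comment in both places with something like `// PSS salt length is pinned to 0 (deterministic); signer and verifier must use the same value, see RFC 3447 section 9.1`, and ideally hold the value in one class constant; the enclosing method starts and ends outside this hunk.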
@@ -343,7 +345,7 @@ class Checker {
                // Verify if certificate has proper CN. "core" CN is always trusted.
                if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
                        throw new InvalidSignatureException(
-                                       sprintf('Certificate is not valid for required scope. (Requested: %s, current: %s)', $certificateCN, $x509->getDN(true))
+                                       sprintf('Certificate is not valid for required scope. (Requested: %s, current: CN=%s)', $certificateCN, $x509->getDN(true)['CN'])
                        );
                }
 
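Review bot: The new message reads the CN through `$x509->getDN(true)['CN']`, while the check two lines above reads it through `$x509->getDN(X509::DN_OPENSSL)['CN']`, so the exception may not report the value that was actually compared. Passing a boolean where a format constant is expected depends on how the library coerces it, and indexing the result with `['CN']` only works if that call returns an array. Reading the CN once, `$cn = $x509->getDN(X509::DN_OPENSSL)['CN'];`, and using `$cn` in both the condition and the `sprintf` would keep the check and the message consistent and remove the repeated calls. The enclosing method starts and ends outside this hunk.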
@@ -352,6 +354,8 @@ class Checker {
                $rsa->loadKey($x509->currentCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']);
                $rsa->setSignatureMode(RSA::SIGNATURE_PSS);
                $rsa->setMGFHash('sha512');
+               // See https://tools.ietf.org/html/rfc3447#page-38
+               $rsa->setSaltLength(0);
                if(!$rsa->verify(json_encode($expectedHashes), $signature)) {
                        throw new InvalidSignatureException('Signature could not get verified.');
                }