diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2016-10-28 12:46:02 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2016-10-31 17:17:46 +0100 |
commit | 3e6dd86ee4d22b2cdb7f8403b3939c7839698c48 (patch) | |
tree | ea7fb96f85e8e6790afa601fe9bf1de9475257f8 /lib/private/Installer.php | |
parent | 0e2aee2be6c34ea428f884e61887534f67e0bcbe (diff) | |
download | nextcloud-server-3e6dd86ee4d22b2cdb7f8403b3939c7839698c48.tar.gz nextcloud-server-3e6dd86ee4d22b2cdb7f8403b3939c7839698c48.zip |
Add support for CRL
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib/private/Installer.php')
-rw-r--r-- | lib/private/Installer.php | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/lib/private/Installer.php b/lib/private/Installer.php index d3510c51716..58a91bb7972 100644 --- a/lib/private/Installer.php +++ b/lib/private/Installer.php @@ -253,11 +253,31 @@ class Installer { $apps = $appFetcher->get(); foreach($apps as $app) { if($app['id'] === $appId) { + // Load the certificate + $certificate = new X509(); + $certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); + $loadedCertificate = $certificate->loadX509($app['certificate']); + + // Verify if the certificate has been revoked + $crl = new X509(); + $crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); + $crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl')); + if($crl->validateSignature() !== true) { + throw new \Exception('Could not validate CRL signature'); + } + $csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString(); + $revoked = $crl->getRevoked($csn); + if ($revoked !== false) { + throw new \Exception( + sprintf( + 'Certificate "%s" has been revoked', + $csn + ) + ); + } + // Verify if the certificate has been issued by the Nextcloud Code Authority CA - $x509 = new X509(); - $x509->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); - $x509->loadX509($app['certificate']); - if($x509->validateSignature() !== true) { + if($certificate->validateSignature() !== true) { throw new \Exception( sprintf( 'App with id %s has a certificate not issued by a trusted Code Signing Authority', |