summaryrefslogtreecommitdiffstats
path: root/lib/private/Installer.php
diff options
context:
space:
mode:
authorLukas Reschke <lukas@statuscode.ch>2016-10-28 12:46:02 +0200
committerLukas Reschke <lukas@statuscode.ch>2016-10-31 17:17:46 +0100
commit3e6dd86ee4d22b2cdb7f8403b3939c7839698c48 (patch)
treeea7fb96f85e8e6790afa601fe9bf1de9475257f8 /lib/private/Installer.php
parent0e2aee2be6c34ea428f884e61887534f67e0bcbe (diff)
downloadnextcloud-server-3e6dd86ee4d22b2cdb7f8403b3939c7839698c48.tar.gz
nextcloud-server-3e6dd86ee4d22b2cdb7f8403b3939c7839698c48.zip
Add support for CRL
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib/private/Installer.php')
-rw-r--r--lib/private/Installer.php28
1 files changed, 24 insertions, 4 deletions
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index d3510c51716..58a91bb7972 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@@ -253,11 +253,31 @@ class Installer {
$apps = $appFetcher->get();
foreach($apps as $app) {
if($app['id'] === $appId) {
+ // Load the certificate
+ $certificate = new X509();
+ $certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+ $loadedCertificate = $certificate->loadX509($app['certificate']);
+
+ // Verify if the certificate has been revoked
+ $crl = new X509();
+ $crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+ $crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
+ if($crl->validateSignature() !== true) {
+ throw new \Exception('Could not validate CRL signature');
+ }
+ $csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
+ $revoked = $crl->getRevoked($csn);
+ if ($revoked !== false) {
+ throw new \Exception(
+ sprintf(
+ 'Certificate "%s" has been revoked',
+ $csn
+ )
+ );
+ }
+
// Verify if the certificate has been issued by the Nextcloud Code Authority CA
- $x509 = new X509();
- $x509->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
- $x509->loadX509($app['certificate']);
- if($x509->validateSignature() !== true) {
+ if($certificate->validateSignature() !== true) {
throw new \Exception(
sprintf(
'App with id %s has a certificate not issued by a trusted Code Signing Authority',