summaryrefslogtreecommitdiffstats
path: root/lib/private/IntegrityCheck
diff options
context:
space:
mode:
authorLukas Reschke <lukas@statuscode.ch>2016-07-21 01:32:59 +0200
committerLukas Reschke <lukas@statuscode.ch>2016-07-21 01:34:11 +0200
commit977db0a1627a2ff55aea209170ca4c8a46d4f3e4 (patch)
tree03f8cb3bee463b07aae5b4088f0cdf5671204ebe /lib/private/IntegrityCheck
parentacb820ffb887778f9f3c78652b3a83f7198068be (diff)
downloadnextcloud-server-977db0a1627a2ff55aea209170ca4c8a46d4f3e4.tar.gz
nextcloud-server-977db0a1627a2ff55aea209170ca4c8a46d4f3e4.zip
Use proper certificates
Ports https://github.com/nextcloud/server/commit/bcf693539be82e872ba4d6cceb1f430a4bb841d9
Diffstat (limited to 'lib/private/IntegrityCheck')
-rw-r--r--lib/private/IntegrityCheck/Checker.php11
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index 57127f280c4..2af402196ae 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
@@ -323,13 +323,20 @@ class Checker {
$signature = base64_decode($signatureData['signature']);
$certificate = $signatureData['certificate'];
- // Check if certificate is signed by ownCloud Root Authority
+ // Check if certificate is signed by Nextcloud Root Authority
$x509 = new \phpseclib\File\X509();
$rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
$x509->loadCA($rootCertificatePublicKey);
$x509->loadX509($certificate);
if(!$x509->validateSignature()) {
- throw new InvalidSignatureException('Certificate is not valid.');
+ // FIXME: Once Nextcloud has it's own appstore we should remove the ownCloud Root Authority from here
+ $x509 = new \phpseclib\File\X509();
+ $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/owncloud.crt');
+ $x509->loadCA($rootCertificatePublicKey);
+ $x509->loadX509($certificate);
+ if(!$x509->validateSignature()) {
+ throw new InvalidSignatureException('Certificate is not valid.');
+ }
}
// Verify if certificate has proper CN. "core" CN is always trusted.
if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {