author | Lukas Reschke <lukas@statuscode.ch> | 2016-07-21 01:32:59 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2016-07-21 01:34:11 +0200 |
commit | 977db0a1627a2ff55aea209170ca4c8a46d4f3e4 (patch) | |
tree | 03f8cb3bee463b07aae5b4088f0cdf5671204ebe /lib/private/IntegrityCheck | |
parent | acb820ffb887778f9f3c78652b3a83f7198068be (diff) | |
Use proper certificates
Ports https://github.com/nextcloud/server/commit/bcf693539be82e872ba4d6cceb1f430a4bb841d9
Diffstat (limited to 'lib/private/IntegrityCheck')
-rw-r--r-- | lib/private/IntegrityCheck/Checker.php | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index 57127f280c4..2af402196ae 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
@@ -323,13 +323,20 @@ class Checker {
 $signature = base64_decode($signatureData['signature']);
 $certificate = $signatureData['certificate'];
- // Check if certificate is signed by ownCloud Root Authority
+ // Check if certificate is signed by Nextcloud Root Authority
 $x509 = new \phpseclib\File\X509();
 $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
 $x509->loadCA($rootCertificatePublicKey);
 $x509->loadX509($certificate);
 if(!$x509->validateSignature()) {
- throw new InvalidSignatureException('Certificate is not valid.');
+ // FIXME: Once Nextcloud has it's own appstore we should remove the ownCloud Root Authority from here
+ $x509 = new \phpseclib\File\X509();
+ $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/owncloud.crt');
+ $x509->loadCA($rootCertificatePublicKey);
+ $x509->loadX509($certificate);
+ if(!$x509->validateSignature()) {
+ throw new InvalidSignatureException('Certificate is not valid.');
+ }
 }
 // Verify if certificate has proper CN. "core" CN is always trusted.
 if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') { |
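Review bot: The fallback to `owncloud.crt` makes the ownCloud root a second trust anchor for every signature this method verifies, not only for app-store apps. The CN check just below the fallback always accepts `core`, so a certificate with CN `core` that chains to the ownCloud root would pass both checks. If the second root is meant only for apps, as the FIXME suggests, reject that case inside the fallback branch after the second `validateSignature()` succeeds: `if($x509->getDN(X509::DN_OPENSSL)['CN'] === 'core') { throw new InvalidSignatureException('Certificate is not valid.'); }`. The enclosing method starts and ends outside the hunk, so whether callers already restrict which certificates reach this path cannot be confirmed from here.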