author | Vincent Petry <pvince81@owncloud.com> | 2016-07-13 16:12:25 +0200 |
---|---|---|
committer | Thomas Müller <DeepDiver1975@users.noreply.github.com> | 2016-07-13 16:12:25 +0200 |
commit | 084f46917a53e6997317283ac0d445a02740c974 (patch) | |
tree | 056c6d992103202f716914121c136523c1c96428 /lib | |
parent | 0daddd5866e51d58d0467da9b492a8456c794859 (diff) | |
[stable9.1] Adding certificate revocation list and validate if the app certificate is revoked (#25468)
* Adding certificate revocation list and validate if the app certificate is revoked
* Check integrity of a signed app in any case on installation
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/Installer.php | 2 | ||||
-rw-r--r-- | lib/private/IntegrityCheck/Checker.php | 24 |
2 files changed, 23 insertions, 3 deletions
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index e8872c6662f..6e54d9e102a 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@@ -367,7 +367,7 @@ class Installer {
 $appBelongingToId = $info['id'];
 $previouslySigned = 'false';
 }
- if($data['appdata']['level'] === OC_App::officialApp || $previouslySigned === 'true') {
+ if (file_exists($extractDir . '/appinfo/signature.json') || $previouslySigned === 'true') {
 \OC::$server->getConfig()->setAppValue($appBelongingToId, 'signed', 'true');
 $integrityResult = \OC::$server->getIntegrityCodeChecker()->verifyAppSignature(
 $appBelongingToId,
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index 57127f280c4..d4038f85302 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
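Review bot: The new condition in the Installer.php hunk makes first-time verification depend on whether the extracted archive contains `appinfo/signature.json`, a file whose presence is decided by whoever built the archive. With the `$data['appdata']['level'] === OC_App::officialApp` test removed, an official app whose package arrives without that file and was not previously marked signed would skip `verifyAppSignature()` as far as these lines show; the enclosing method starts and ends outside the hunk, so a check elsewhere cannot be ruled out. Keeping the old trigger alongside the new one would preserve the stricter behaviour: `if ($data['appdata']['level'] === OC_App::officialApp || file_exists($extractDir . '/appinfo/signature.json') || $previouslySigned === 'true') {`.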
@@ -327,10 +327,30 @@ class Checker {
 $x509 = new \phpseclib\File\X509();
 $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
 $x509->loadCA($rootCertificatePublicKey);
- $x509->loadX509($certificate);
+ $loadedCertificate = $x509->loadX509($certificate);
 if(!$x509->validateSignature()) {
- throw new InvalidSignatureException('Certificate is not valid.');
+ throw new InvalidSignatureException('App Certificate is not valid.');
 }
+
+ // Check if the certificate has been revoked
+ $crlFileContent = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/intermediate.crl.pem');
+ if ($crlFileContent && strlen($crlFileContent) > 0) {
+ $crl = new \phpseclib\File\X509();
+ $crl->loadCA($rootCertificatePublicKey);
+ $crl->loadCRL($crlFileContent);
+ if(!$crl->validateSignature()) {
+ throw new InvalidSignatureException('Certificate Revocation List is not valid.');
+ }
+ // Get the certificate's serial number.
+ $csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
+
+ // Check certificate revocation status.
+ $revoked = $crl->getRevoked($csn);
+ if ($revoked) {
+ throw new InvalidSignatureException('Certificate has been revoked.');
+ }
+ }
+
 // Verify if certificate has proper CN. "core" CN is always trusted.
 if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
 throw new InvalidSignatureException( |
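Review bot: The revocation check fails open: when `intermediate.crl.pem` is missing, unreadable or empty, the `if ($crlFileContent && strlen($crlFileContent) > 0)` guard skips the whole block and a revoked certificate is accepted without any trace. If the file is expected to ship with every release, its absence should be an error, e.g. `if ($crlFileContent === false || $crlFileContent === '') { throw new InvalidSignatureException('Certificate Revocation List could not be read.'); }`; if skipping is deliberate, a comment saying so would help the next reader. The added block also does not look at the CRL's validity period, so revocation is only as current as the bundled file, which deserves a comment next to `loadCRL()`. The enclosing method starts and ends outside the hunk.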