authorVincent Petry <pvince81@owncloud.com>2016-07-13 17:05:21 +0300
committerThomas Müller <DeepDiver1975@users.noreply.github.com>2016-07-13 17:05:21 +0300
commitfb2d27366a16658459fd772c49e98c569cf65473 (patch)
tree54b997bfd022dfa40618d8aa6a6e66c7003610d3 /lib
parentec2e6ce202c2af79fa911ebb61a04af9d9f67b01 (diff)
[stable9] Adding certificate revocation list and validate if the app certificate is revoked (#25469)
* Adding certificate revocation list and validate if the app certificate is revoked * Check integrity of a signed app in any case on installation
Diffstat (limited to 'lib')
-rw-r--r--lib/private/installer.php2
-rw-r--r--lib/private/integritycheck/checker.php24
2 files changed, 23 insertions, 3 deletions
diff --git a/lib/private/installer.php b/lib/private/installer.php
index f1d4d551786..56d7c36a013 100644
--- a/lib/private/installer.php
+++ b/lib/private/installer.php
@@ -358,7 +358,7 @@ class OC_Installer{
$appBelongingToId = $info['id'];
$previouslySigned = 'false';
}
- if($data['appdata']['level'] === OC_App::officialApp || $previouslySigned === 'true') {
+ if (file_exists($extractDir . '/appinfo/signature.json') || $previouslySigned === 'true') {
\OC::$server->getConfig()->setAppValue($appBelongingToId, 'signed', 'true');
$integrityResult = \OC::$server->getIntegrityCodeChecker()->verifyAppSignature(
$appBelongingToId,
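Review bot: The new `if` condition lets the package decide whether it is verified, because `file_exists($extractDir . '/appinfo/signature.json')` is read from the extracted archive and the previous `OC_App::officialApp` level test is gone. An archive for an official app that ships without `signature.json`, under an app id not yet marked as signed, would no longer reach `verifyAppSignature` here. Keeping the level test next to the new one preserves the old guarantee: `if ($data['appdata']['level'] === OC_App::officialApp || file_exists($extractDir . '/appinfo/signature.json') || $previouslySigned === 'true') {`. The enclosing method starts and ends outside the hunk, so whether another path rejects unsigned official apps cannot be seen from here.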
diff --git a/lib/private/integritycheck/checker.php b/lib/private/integritycheck/checker.php
index b991f66e22e..b98e6759405 100644
--- a/lib/private/integritycheck/checker.php
+++ b/lib/private/integritycheck/checker.php
@@ -322,10 +322,30 @@ class Checker {
$x509 = new \phpseclib\File\X509();
$rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
$x509->loadCA($rootCertificatePublicKey);
- $x509->loadX509($certificate);
+ $loadedCertificate = $x509->loadX509($certificate);
if(!$x509->validateSignature()) {
- throw new InvalidSignatureException('Certificate is not valid.');
+ throw new InvalidSignatureException('App Certificate is not valid.');
}
+
+ // Check if the certificate has been revoked
+ $crlFileContent = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/intermediate.crl.pem');
+ if ($crlFileContent && strlen($crlFileContent) > 0) {
+ $crl = new \phpseclib\File\X509();
+ $crl->loadCA($rootCertificatePublicKey);
+ $crl->loadCRL($crlFileContent);
+ if(!$crl->validateSignature()) {
+ throw new InvalidSignatureException('Certificate Revocation List is not valid.');
+ }
+ // Get the certificate's serial number.
+ $csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
+
+ // Check certificate revocation status.
+ $revoked = $crl->getRevoked($csn);
+ if ($revoked) {
+ throw new InvalidSignatureException('Certificate has been revoked.');
+ }
+ }
+
// Verify if certificate has proper CN. "core" CN is always trusted.
if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
throw new InvalidSignatureException(
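Review bot: The revocation check fails open, because the guard `if ($crlFileContent && strlen($crlFileContent) > 0)` skips the whole block when `intermediate.crl.pem` is missing, empty or unreadable, so a revoked certificate is accepted whenever the CRL cannot be loaded. If the file is meant to ship with every release, reject instead, before building `$crl`: `if (!$crlFileContent) { throw new InvalidSignatureException('Certificate Revocation List could not be loaded.'); }`. If skipping is intentional for installations that lack the file, a comment on the guard should say so and the skip should be logged. The return value of `loadCRL()` is also unchecked; a parse failure presumably surfaces through `validateSignature()`, but an explicit check would make that certain. The enclosing method starts and ends outside the hunk.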