From 4373afeae107852e9feb9fe0c152c608add561eb Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Tue, 19 Jan 2021 17:34:38 +0100
Subject: [PATCH 1/3] Bump phpseclib/phpseclib from 2.0.25 to 2.0.30
Signed-off-by: Christoph Wurst
---
 3rdparty | 2 +-
 apps/files_external/lib/Lib/Storage/SFTP.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/3rdparty b/3rdparty
index 099e537a03..3faef8dfa1 160000
--- a/3rdparty
+++ b/3rdparty
@@ -1 +1 @@
-Subproject commit 099e537a03d162302c2366f7d53088d5bf623c4c
+Subproject commit 3faef8dfa15d0b946759bdb888d5b245de6fb524
diff --git a/apps/files_external/lib/Lib/Storage/SFTP.php b/apps/files_external/lib/Lib/Storage/SFTP.php
index ec788c3bad..5f3d02dfd0 100644
--- a/apps/files_external/lib/Lib/Storage/SFTP.php
+++ b/apps/files_external/lib/Lib/Storage/SFTP.php
@@ -141,6 +141,7 @@ class SFTP extends \OC\Files\Storage\Common {
 $login = false;
 foreach ($this->auth as $auth) {
+ /** @psalm-suppress TooManyArguments */
 $login = $this->client->login($this->user, $auth);
 if ($login === true) {
 break;
From d751fedffb110aca956e9f786cd9ecdafdfa6ecd Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Wed, 20 Jan 2021 10:46:06 +0100
Subject: [PATCH 2/3] phpsec lib can't parse multiple certs in one go
So we have to split it manually and do it ourselves
Signed-off-by: Roeland Jago Douma
---
 lib/private/Installer.php | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index 6dfc9a5f0b..2a0fdab87f 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@@ -215,6 +215,18 @@ class Installer {
 return false;
 }
+ /**
+ * Split the certificate file in individual certs
+ *
+ * @param string $cert
+ * @return string[]
+ */
+ private function splitCerts(string $cert): array {
+ preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
+
+ return $matches[0];
+ }
+
 /**
 * Downloads an app and puts it into the app directory
 *
@@ -231,12 +243,18 @@ class Installer {
 if ($app['id'] === $appId) {
 // Load the certificate
 $certificate = new X509();
- $certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+ $rootCrt = file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt');
+ $rootCrts = $this->splitCerts($rootCrt);
+ foreach ($rootCrts as $rootCrt) {
+ $certificate->loadCA($rootCrt);
+ }
 $loadedCertificate = $certificate->loadX509($app['certificate']);
 // Verify if the certificate has been revoked
 $crl = new X509();
- $crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+ foreach ($rootCrts as $rootCrt) {
+ $crl->loadCA($rootCrt);
+ }
 $crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
 if ($crl->validateSignature() !== true) {
 throw new \Exception('Could not validate CRL signature');
From fcbbcacab4dc0178c7fdf1a61cfb81f922c60209 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Wed, 20 Jan 2021 10:56:06 +0100
Subject: [PATCH 3/3] Also load CA properly in integrity check
Signed-off-by: Roeland Jago Douma
---
 lib/private/IntegrityCheck/Checker.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index fc28d0e739..122fac8927 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
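Review bot: The new `splitCerts` discards the return value of `preg_match_all`, so both a PCRE failure (which returns `false`) and a bundle that matches nothing hand back an empty list, and the caller then continues with no root CA loaded at all. Capture the count and fail loudly instead: `$count = preg_match_all('(…)', $cert, $matches);` followed by `if ($count === false || $count === 0) { throw new \RuntimeException('No certificate found in root.crt'); }`. I believe phpseclib's `validateSignature()` returns false when no loaded CA matches, so this would probably still fail closed, but the error would then point at the app signature rather than at the broken trust bundle; confirm against the 2.0.30 implementation. The pattern also accepts any `-----BEGIN …-----`/`-----END …-----` pair, not just certificates, which is only acceptable because root.crt ships with the server and is not user-controlled; a comment such as `// root.crt is a trusted, shipped PEM bundle; this only splits it, phpseclib does the parsing` would make that assumption explicit.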
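Review bot: In both new loops the result of `loadCA()` is thrown away, so a chunk of root.crt that phpseclib cannot decode is skipped without any diagnostic and the app certificate is then checked against fewer trust anchors than the bundle was meant to provide. If `loadCA` returns false on a decode failure, which is my recollection of the 2.0 API, guard it: `if ($certificate->loadCA($rootCrt) === false) { throw new \Exception('Could not load root certificate'); }` and the same for `$crl->loadCA`. As a style point, `$rootCrt` is first the whole bundle and then the per-certificate loop variable; using a distinct name for the loop variable (the Checker patch in this series uses `$rootCert`) avoids reading the two as the same value. The enclosing method starts and ends outside the hunk.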
@@ -299,6 +299,18 @@ class Checker {
 }
 }
+ /**
+ * Split the certificate file in individual certs
+ *
+ * @param string $cert
+ * @return string[]
+ */
+ private function splitCerts(string $cert): array {
+ preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
+
+ return $matches[0];
+ }
+
 /**
 * Verifies the signature for the specified path.
 *
@@ -333,7 +345,11 @@ class Checker {
 // Check if certificate is signed by Nextcloud Root Authority
 $x509 = new \phpseclib\File\X509();
 $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
- $x509->loadCA($rootCertificatePublicKey);
+
+ $rootCerts = $this->splitCerts($rootCertificatePublicKey);
+ foreach ($rootCerts as $rootCert) {
+ $x509->loadCA($rootCert);
+ }
 $x509->loadX509($certificate);
 if (!$x509->validateSignature()) {
 throw new InvalidSignatureException('Certificate is not valid.');
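Review bot: This `splitCerts` is an exact copy of the one added to `lib/private/Installer.php` in patch 2/3, regex included, so the two trust-anchor parsers will now drift independently; a single shared helper (for example a small static method both classes can reach) would keep the PEM splitting for the code-signing roots in one place. Like its twin it ignores the return value of `preg_match_all`, so a PCRE error or a bundle with no match yields `[]` and `verify…` continues with no CA loaded; `$count = preg_match_all('(…)', $cert, $matches);` plus `if ($count === false || $count === 0) { throw new \RuntimeException('No certificate found in root.crt'); }` turns that into a visible failure. The docblock could also state that the input is the server-shipped PEM bundle and that each returned string still has to be parsed by phpseclib, since the regex only delimits blocks.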
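Review bot: `$x509->loadCA($rootCert)` is called in a loop but its result is never checked, so a root that fails to decode is silently dropped and the integrity check proceeds against a reduced set of trust anchors; guard it with `if ($x509->loadCA($rootCert) === false) { throw new InvalidSignatureException('Could not load root certificate'); }`, assuming phpseclib 2.0's `loadCA` returns false on failure, which should be confirmed. The variable `$rootCertificatePublicKey` now holds a PEM bundle of several certificates rather than a single public key, so a name such as `$rootCertificateBundle` would match its contents. The `validateSignature()` call below will accept a certificate issued by any of the loaded roots, which is the intended effect of shipping several roots but widens what "signed by Nextcloud Root Authority" in the comment means; a short comment saying that multiple roots are trusted on purpose would help. The enclosing method starts and ends outside the hunk.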