mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add support for CRL 

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2016-10-28 12:46:02 +02:00
parent 0e2aee2be6
commit 3e6dd86ee4
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
2 changed files with 38 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
lib/private/Installer.php
View File

@ -253,11 +253,31 @@ class Installer {
$apps = $appFetcher->get();
foreach($apps as $app) {
if($app['id'] === $appId) {
// Load the certificate
$certificate = new X509();
$certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
$loadedCertificate = $certificate->loadX509($app['certificate']);
// Verify if the certificate has been revoked
$crl = new X509();
$crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
$crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
if($crl->validateSignature() !== true) {
throw new \Exception('Could not validate CRL signature');
}
$csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
$revoked = $crl->getRevoked($csn);
if ($revoked !== false) {
throw new \Exception(
sprintf(
'Certificate "%s" has been revoked',
$csn
)
);
}
// Verify if the certificate has been issued by the Nextcloud Code Authority CA
$x509 = new X509();
$x509->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
$x509->loadX509($app['certificate']);
if($x509->validateSignature() !== true) {
if($certificate->validateSignature() !== true) {
throw new \Exception(
sprintf(
'App with id %s has a certificate not issued by a trusted Code Signing Authority',

14
resources/codesigning/root.crl Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN X509 CRL-----
MIICDTCB9gIBATANBgkqhkiG9w0BAQsFADB7MQswCQYDVQQGEwJERTEbMBkGA1UE
CAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRcwFQYDVQQKDA5OZXh0Y2xvdWQgR21iSDE2
MDQGA1UEAwwtTmV4dGNsb3VkIENvZGUgU2lnbmluZyBJbnRlcm1lZGlhdGUgQXV0
aG9yaXR5Fw0xNjEwMTcxMjA5MjhaFw0yNjA4MjYxMjA5MjhaMBUwEwICEBAXDTE2
MTAxNzEyMDkxOVqgMDAuMB8GA1UdIwQYMBaAFG3qbqqpNyw8iS0XPv1G7sOeeO10
MAsGA1UdFAQEAgIQAzANBgkqhkiG9w0BAQsFAAOCAQEAZGJNwERFseCv6cS6bfmq
hIIqHieG+/mp4kjqtk4mg8CEYZq/M0q2DMjh7xZUuflV3wadqTCDunDXoyUIV36K
TwLsrREKGFqpSDsVgnX6IYeG0Sf7rnV5PYD2ODWfXrjp3yU7/Jgc2qjco11X5psV
uUnqGDU7DoMwFB6GTTRXfjpCKn8SUtuETAEN013Ii6xXsfCJQTjzQaZByz/Xbypr
sPfotQRfpAhhfjowK5B2ESjXePdNuFlPEAJ114HDJrI89dndIzus95N+3q2sm80T
TFwdooAghAvVmABADC3GQ9bvQb9CUC14DQZJWesy/ps64fgKdXcnBhsX9uPJ7Fdb
hQ==
-----END X509 CRL-----