diff --git a/3rdparty b/3rdparty index 099e537a03d16..3faef8dfa15d0 160000 --- a/3rdparty +++ b/3rdparty @@ -1 +1 @@ -Subproject commit 099e537a03d162302c2366f7d53088d5bf623c4c +Subproject commit 3faef8dfa15d0b946759bdb888d5b245de6fb524 diff --git a/apps/files_external/lib/Lib/Storage/SFTP.php b/apps/files_external/lib/Lib/Storage/SFTP.php index ec788c3bad72e..5f3d02dfd0aee 100644 --- a/apps/files_external/lib/Lib/Storage/SFTP.php +++ b/apps/files_external/lib/Lib/Storage/SFTP.php @@ -141,6 +141,7 @@ public function getConnection() { $login = false; foreach ($this->auth as $auth) { + /** @psalm-suppress TooManyArguments */ $login = $this->client->login($this->user, $auth); if ($login === true) { break; diff --git a/lib/private/Installer.php b/lib/private/Installer.php index 6dfc9a5f0bb26..2a0fdab87ffbc 100644 --- a/lib/private/Installer.php +++ b/lib/private/Installer.php @@ -215,6 +215,18 @@ public function updateAppstoreApp($appId, $allowUnstable = false) { return false; } + /** + * Split the certificate file in individual certs + * + * @param string $cert + * @return string[] + */ + private function splitCerts(string $cert): array { + preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches); + + return $matches[0]; + } + /** * Downloads an app and puts it into the app directory * @@ -231,12 +243,18 @@ public function downloadApp($appId, $allowUnstable = false) { if ($app['id'] === $appId) { // Load the certificate $certificate = new X509(); - $certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); + $rootCrt = file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'); + $rootCrts = $this->splitCerts($rootCrt); + foreach ($rootCrts as $rootCrt) { + $certificate->loadCA($rootCrt); + } $loadedCertificate = $certificate->loadX509($app['certificate']); // Verify if the certificate has been revoked $crl = new X509(); - $crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt')); + foreach ($rootCrts as $rootCrt) { + $crl->loadCA($rootCrt); + } $crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl')); if ($crl->validateSignature() !== true) { throw new \Exception('Could not validate CRL signature'); diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php index fc28d0e73934a..122fac8927fc5 100644 --- a/lib/private/IntegrityCheck/Checker.php +++ b/lib/private/IntegrityCheck/Checker.php @@ -299,6 +299,18 @@ public function writeCoreSignature(X509 $certificate, } } + /** + * Split the certificate file in individual certs + * + * @param string $cert + * @return string[] + */ + private function splitCerts(string $cert): array { + preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches); + + return $matches[0]; + } + /** * Verifies the signature for the specified path. * @@ -333,7 +345,11 @@ private function verify(string $signaturePath, string $basePath, string $certifi // Check if certificate is signed by Nextcloud Root Authority $x509 = new \phpseclib\File\X509(); $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt'); - $x509->loadCA($rootCertificatePublicKey); + + $rootCerts = $this->splitCerts($rootCertificatePublicKey); + foreach ($rootCerts as $rootCert) { + $x509->loadCA($rootCert); + } $x509->loadX509($certificate); if (!$x509->validateSignature()) { throw new InvalidSignatureException('Certificate is not valid.');