зеркало из https://github.com/nextcloud/server.git
Fix intergrity checker
* Set salt length to 0 See https://tools.ietf.org/html/rfc3447#page-38 * Fix tests for new phpunit
This commit is contained in:
Родитель
1937e6eb35
Коммит
fb4850ffa8
|
@ -249,6 +249,8 @@ class Checker {
|
|||
|
||||
$privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
|
||||
$privateKey->setMGFHash('sha512');
|
||||
// See https://tools.ietf.org/html/rfc3447#page-38
|
||||
$privateKey->setSaltLength(0);
|
||||
$signature = $privateKey->sign(json_encode($hashes));
|
||||
|
||||
return [
|
||||
|
@ -343,7 +345,7 @@ class Checker {
|
|||
// Verify if certificate has proper CN. "core" CN is always trusted.
|
||||
if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
|
||||
throw new InvalidSignatureException(
|
||||
sprintf('Certificate is not valid for required scope. (Requested: %s, current: %s)', $certificateCN, $x509->getDN(true))
|
||||
sprintf('Certificate is not valid for required scope. (Requested: %s, current: CN=%s)', $certificateCN, $x509->getDN(true)['CN'])
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -352,6 +354,8 @@ class Checker {
|
|||
$rsa->loadKey($x509->currentCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']);
|
||||
$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
|
||||
$rsa->setMGFHash('sha512');
|
||||
// See https://tools.ietf.org/html/rfc3447#page-38
|
||||
$rsa->setSaltLength(0);
|
||||
if(!$rsa->verify(json_encode($expectedHashes), $signature)) {
|
||||
throw new InvalidSignatureException('Signature could not get verified.');
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче