diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php index 1a2257c65ff1d..3e8bef34e17da 100644 --- a/lib/private/IntegrityCheck/Checker.php +++ b/lib/private/IntegrityCheck/Checker.php @@ -243,17 +243,17 @@ private function createSignatureData(array $hashes, $privateKey->setHash('sha1'); // See https://tools.ietf.org/html/rfc3447#page-38 $privateKey->setSaltLength(0); - $signature = $privateKey->sign(json_encode($hashes)); + $sha1signature = $privateKey->sign(json_encode($hashes)); $privateKey->setHash('sha512'); - $newSignature = $privateKey->sign(json_encode($hashes)); + $sha512signature = $privateKey->sign(json_encode($hashes)); return [ 'hashes' => $hashes, - 'signature' => base64_encode($signature), + 'signature' => base64_encode($sha1signature), 'signatures' => [ - 'sha1' => base64_encode($signature), - 'sha512' => base64_encode($newSignature), + 'sha1' => base64_encode($sha1signature), + 'sha512' => base64_encode($sha512signature), ], 'certificate' => $certificate->saveX509($certificate->currentCert), ]; @@ -324,11 +324,12 @@ public function writeCoreSignature(X509 $certificate, * @param string $signaturePath * @param string $basePath * @param string $certificateCN + * @param string|null $forceHash * @return array * @throws InvalidSignatureException * @throws \Exception */ - private function verify(string $signaturePath, string $basePath, string $certificateCN, bool $forceNewHash = false): array { + private function verify(string $signaturePath, string $basePath, string $certificateCN, ?string $forceHash = null): array { if (!$this->isCodeCheckEnforced()) { return []; } @@ -370,10 +371,10 @@ private function verify(string $signaturePath, string $basePath, string $certifi // See https://tools.ietf.org/html/rfc3447#page-38 $rsa->setSaltLength(0); - if ($forceNewHash || isset($signatureData['signatures'])) { + if ($forceHash && isset($signatureData['signatures'][$forceHash])) { // Check the sha512 hash - $rsa->setHash('sha512'); - if (!$rsa->verify(json_encode($expectedHashes), base64_decode($signatureData['signatures']['sha512']))) { + $rsa->setHash($forceHash); + if (!$rsa->verify(json_encode($expectedHashes), base64_decode($signatureData['signatures'][$forceHash]))) { throw new InvalidSignatureException('Signature could not get verified.'); } } else { @@ -527,16 +528,16 @@ public function verifyAppSignature(string $appId, string $path = ''): array { } $minVersion = $this->infoParser->getMinVersion($path . '/appinfo/info.xml'); - $forceNewHashed = false; - if ($minVersion >= 21) { - $forceNewHashed = true; + $forceHash = null; + if ($minVersion >= 22) { + $forceHash = 'sha512'; } $result = $this->verify( $path . '/appinfo/signature.json', $path, $appId, - $forceNewHashed + $forceHash ); } catch (\Exception $e) { $result = [ @@ -587,7 +588,7 @@ public function verifyCoreSignature(): array { $this->environmentHelper->getServerRoot() . '/core/signature.json', $this->environmentHelper->getServerRoot(), 'core', - true + 'sha512' ); } catch (\Exception $e) { $result = [ diff --git a/lib/private/IntegrityCheck/Helpers/InfoParser.php b/lib/private/IntegrityCheck/Helpers/InfoParser.php index 91fe64b37445a..5c10b5ca5dfe6 100644 --- a/lib/private/IntegrityCheck/Helpers/InfoParser.php +++ b/lib/private/IntegrityCheck/Helpers/InfoParser.php @@ -1,4 +1,5 @@