Enhance signature algorithm for code signatures

lib/composer/composer/autoload_classmap.php

@@ -1156,6 +1156,7 @@
     'OC\\IntegrityCheck\\Helpers\\AppLocator' => $baseDir . '/lib/private/IntegrityCheck/Helpers/AppLocator.php',
     'OC\\IntegrityCheck\\Helpers\\EnvironmentHelper' => $baseDir . '/lib/private/IntegrityCheck/Helpers/EnvironmentHelper.php',
     'OC\\IntegrityCheck\\Helpers\\FileAccessHelper' => $baseDir . '/lib/private/IntegrityCheck/Helpers/FileAccessHelper.php',
+    'OC\\IntegrityCheck\\Helpers\\InfoParser' => $baseDir . '/lib/private/IntegrityCheck/Helpers/InfoParser.php',
     'OC\\IntegrityCheck\\Iterator\\ExcludeFileByNameFilterIterator' => $baseDir . '/lib/private/IntegrityCheck/Iterator/ExcludeFileByNameFilterIterator.php',
     'OC\\IntegrityCheck\\Iterator\\ExcludeFoldersByPathFilterIterator' => $baseDir . '/lib/private/IntegrityCheck/Iterator/ExcludeFoldersByPathFilterIterator.php',
     'OC\\L10N\\Factory' => $baseDir . '/lib/private/L10N/Factory.php',

lib/composer/composer/autoload_static.php

@@ -1185,6 +1185,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\IntegrityCheck\\Helpers\\AppLocator' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Helpers/AppLocator.php',
         'OC\\IntegrityCheck\\Helpers\\EnvironmentHelper' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Helpers/EnvironmentHelper.php',
         'OC\\IntegrityCheck\\Helpers\\FileAccessHelper' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Helpers/FileAccessHelper.php',
+        'OC\\IntegrityCheck\\Helpers\\InfoParser' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Helpers/InfoParser.php',
         'OC\\IntegrityCheck\\Iterator\\ExcludeFileByNameFilterIterator' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Iterator/ExcludeFileByNameFilterIterator.php',
         'OC\\IntegrityCheck\\Iterator\\ExcludeFoldersByPathFilterIterator' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Iterator/ExcludeFoldersByPathFilterIterator.php',
         'OC\\L10N\\Factory' => __DIR__ . '/../../..' . '/lib/private/L10N/Factory.php',

lib/private/IntegrityCheck/Checker.php

@@ -37,6 +37,7 @@
 use OC\IntegrityCheck\Helpers\AppLocator;
 use OC\IntegrityCheck\Helpers\EnvironmentHelper;
 use OC\IntegrityCheck\Helpers\FileAccessHelper;
+use OC\IntegrityCheck\Helpers\InfoParser;
 use OC\IntegrityCheck\Iterator\ExcludeFileByNameFilterIterator;
 use OC\IntegrityCheck\Iterator\ExcludeFoldersByPathFilterIterator;
 use OCP\App\IAppManager;
@@ -76,6 +77,8 @@ class Checker {
 	private $tempManager;
 	/** @var IMimeTypeDetector */
 	private $mimeTypeDetector;
+	/** @var InfoParser */
+	private $infoParser;
 
 	/**
 	 * @param EnvironmentHelper $environmentHelper
@@ -89,6 +92,7 @@ class Checker {
 	 */
 	public function __construct(EnvironmentHelper $environmentHelper,
 								FileAccessHelper $fileAccessHelper,
+								InfoParser $infoParser,
 								AppLocator $appLocator,
 								IConfig $config = null,
 								ICacheFactory $cacheFactory,
@@ -103,6 +107,7 @@ public function __construct(EnvironmentHelper $environmentHelper,
 		$this->appManager = $appManager;
 		$this->tempManager = $tempManager;
 		$this->mimeTypeDetector = $mimeTypeDetector;
+		$this->infoParser = $infoParser;
 	}
 
 	/**
@@ -235,13 +240,21 @@ private function createSignatureData(array $hashes,
 
 		$privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
 		$privateKey->setMGFHash('sha512');
+		$privateKey->setHash('sha1');
 		// See https://tools.ietf.org/html/rfc3447#page-38
 		$privateKey->setSaltLength(0);
-		$signature = $privateKey->sign(json_encode($hashes));
+		$sha1signature = $privateKey->sign(json_encode($hashes));
+
+		$privateKey->setHash('sha512');
+		$sha512signature = $privateKey->sign(json_encode($hashes));
 
 		return [
 			'hashes' => $hashes,
-			'signature' => base64_encode($signature),
+			'signature' => base64_encode($sha1signature),
+			'signatures' => [
+				'sha1' => base64_encode($sha1signature),
+				'sha512' => base64_encode($sha512signature),
+			],
 			'certificate' => $certificate->saveX509($certificate->currentCert),
 		];
 	}
@@ -311,11 +324,12 @@ public function writeCoreSignature(X509 $certificate,
 	 * @param string $signaturePath
 	 * @param string $basePath
 	 * @param string $certificateCN
+	 * @param string|null $forceHash
 	 * @return array
 	 * @throws InvalidSignatureException
 	 * @throws \Exception
 	 */
-	private function verify(string $signaturePath, string $basePath, string $certificateCN): array {
+	private function verify(string $signaturePath, string $basePath, string $certificateCN, ?string $forceHash = null): array {
 		if (!$this->isCodeCheckEnforced()) {
 			return [];
 		}
@@ -332,7 +346,6 @@ private function verify(string $signaturePath, string $basePath, string $certifi
 
 		$expectedHashes = $signatureData['hashes'];
 		ksort($expectedHashes);
-		$signature = base64_decode($signatureData['signature']);
 		$certificate = $signatureData['certificate'];
 
 		// Check if certificate is signed by Nextcloud Root Authority
@@ -357,8 +370,19 @@ private function verify(string $signaturePath, string $basePath, string $certifi
 		$rsa->setMGFHash('sha512');
 		// See https://tools.ietf.org/html/rfc3447#page-38
 		$rsa->setSaltLength(0);
-		if (!$rsa->verify(json_encode($expectedHashes), $signature)) {
-			throw new InvalidSignatureException('Signature could not get verified.');
+
+		if ($forceHash && isset($signatureData['signatures'][$forceHash])) {
+			// Check the sha512 hash
+			$rsa->setHash($forceHash);
+			if (!$rsa->verify(json_encode($expectedHashes), base64_decode($signatureData['signatures'][$forceHash]))) {
+				throw new InvalidSignatureException('Signature could not get verified.');
+			}
+		} else {
+			// The default fallback with the sha1 hash
+			$rsa->setHash('sha1');
+			if (!$rsa->verify(json_encode($expectedHashes), base64_decode($signatureData['signature']))) {
+				throw new InvalidSignatureException('Signature could not get verified.');
+			}
 		}
 
 		// Fixes for the updater as shipped with ownCloud 9.0.x: The updater is
@@ -502,10 +526,18 @@ public function verifyAppSignature(string $appId, string $path = ''): array {
 			if ($path === '') {
 				$path = $this->appLocator->getAppPath($appId);
 			}
+
+			$minVersion = $this->infoParser->getMinVersion($path . '/appinfo/info.xml');
+			$forceHash = null;
+			if ($minVersion >= 22) {
+				$forceHash = 'sha512';
+			}
+
 			$result = $this->verify(
-					$path . '/appinfo/signature.json',
-					$path,
-					$appId
+				$path . '/appinfo/signature.json',
+				$path,
+				$appId,
+				$forceHash
 			);
 		} catch (\Exception $e) {
 			$result = [
@@ -553,9 +585,10 @@ public function verifyAppSignature(string $appId, string $path = ''): array {
 	public function verifyCoreSignature(): array {
 		try {
 			$result = $this->verify(
-					$this->environmentHelper->getServerRoot() . '/core/signature.json',
-					$this->environmentHelper->getServerRoot(),
-					'core'
+				$this->environmentHelper->getServerRoot() . '/core/signature.json',
+				$this->environmentHelper->getServerRoot(),
+				'core',
+				'sha512'
 			);
 		} catch (\Exception $e) {
 			$result = [

lib/private/IntegrityCheck/Helpers/InfoParser.php

@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2021, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\IntegrityCheck\Helpers;
+
+use OC\App\InfoParser as RealParser;
+
+class InfoParser {
+	public function getMinVersion(string $infoPath): int {
+		$parser = new RealParser();
+		$result = $parser->parse($infoPath);
+
+		if (!isset($result['dependencies']['nextcloud']['@attributes']['min-version'])) {
+			throw new \Exception('Could not parse nextcloud dependency');
+		}
+
+		return (int)$result['dependencies']['nextcloud']['@attributes']['min-version'];
+	}
+}

lib/private/Server.php

@@ -103,6 +103,7 @@
 use OC\IntegrityCheck\Helpers\AppLocator;
 use OC\IntegrityCheck\Helpers\EnvironmentHelper;
 use OC\IntegrityCheck\Helpers\FileAccessHelper;
+use OC\IntegrityCheck\Helpers\InfoParser;
 use OC\Lock\DBLockingProvider;
 use OC\Lock\MemcacheLockingProvider;
 use OC\Lock\NoopLockingProvider;
@@ -938,6 +939,7 @@ public function __construct($webRoot, \OC\Config $config) {
 			return new Checker(
 				new EnvironmentHelper(),
 				new FileAccessHelper(),
+				new InfoParser(),
 				new AppLocator(),
 				$config,
 				$c->get(ICacheFactory::class),