
Add support for CRL

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Lukas Reschke 7 years ago
parent
commit
3e6dd86ee4
2 changed files with 38 additions and 4 deletions
  1. 24 4
      lib/private/Installer.php
  2. 14 0
      resources/codesigning/root.crl

+ 24 - 4
lib/private/Installer.php

@@ -253,11 +253,31 @@ class Installer {
 		$apps = $appFetcher->get();
 		foreach($apps as $app) {
 			if($app['id'] === $appId) {
+				// Load the certificate
+				$certificate = new X509();
+				$certificate->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+				$loadedCertificate = $certificate->loadX509($app['certificate']);
+
+				// Verify if the certificate has been revoked
+				$crl = new X509();
+				$crl->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
+				$crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
+				if($crl->validateSignature() !== true) {
+					throw new \Exception('Could not validate CRL signature');
+				}
+				$csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
+				$revoked = $crl->getRevoked($csn);
+				if ($revoked !== false) {
+					throw new \Exception(
+						sprintf(
+							'Certificate "%s" has been revoked',
+							$csn
+						)
+					);
+				}
+
 				// Verify if the certificate has been issued by the Nextcloud Code Authority CA
-				$x509 = new X509();
-				$x509->loadCA(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt'));
-				$x509->loadX509($app['certificate']);
-				if($x509->validateSignature() !== true) {
+				if($certificate->validateSignature() !== true) {
 					throw new \Exception(
 						sprintf(
 							'App with id %s has a certificate not issued by a trusted Code Signing Authority',
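Review bot: The serial-number lookup on the line `$csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();` assumes `loadX509()` succeeded, but `$app['certificate']` comes from the app store response and a malformed or empty value will, if `loadX509()` returns false as it appears to, turn this into an array offset on a bool followed by a method call on null, i.e. a fatal error rather than the controlled exception every other failure path throws. Guard it right after the load: `if ($loadedCertificate === false) { throw new \Exception(sprintf('Could not parse the certificate of app %s', $appId)); }`. Two further points are worth a line each: the revocation check runs before the issuer-signature check, so the serial is read from a certificate whose chain has not yet been verified (harmless today because both branches throw, but the verified-then-revoked order is the one readers expect and is cheaper to reason about), and only the CRL's signature is validated, so a stale bundled `root.crl` whose `nextUpdate` has passed is still accepted, which should at least be recorded with a comment such as `// NOTE: CRL freshness (nextUpdate) is not checked; the bundled root.crl must be refreshed with releases`. The `file_get_contents()` calls on root.crt/root.crl can also return false and are fed to `loadCA()`/`loadCRL()` unchecked, though that would surface as a signature failure rather than silently passing. The enclosing method continues past the end of this hunk.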

+ 14 - 0
resources/codesigning/root.crl

@@ -0,0 +1,14 @@
+-----BEGIN X509 CRL-----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+-----END X509 CRL-----