From fcbbcacab4dc0178c7fdf1a61cfb81f922c60209 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Wed, 20 Jan 2021 10:56:06 +0100
Subject: [PATCH] Also load CA properly in integrity check

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 lib/private/IntegrityCheck/Checker.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index fc28d0e7393..122fac8927f 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
@@ -299,6 +299,18 @@ class Checker {
 		}
 	}
 
+	/**
+	 * Split the certificate file in individual certs
+	 *
+	 * @param string $cert
+	 * @return string[]
+	 */
+	private function splitCerts(string $cert): array {
+		preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
+
+		return $matches[0];
+	}
+
 	/**
 	 * Verifies the signature for the specified path.
 	 *
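Review bot: The pattern in `splitCerts()` accepts any block framed by runs of three or more dashes, so a non-certificate PEM block or stray dashed text in `root.crt` would also be passed to `loadCA()` as a candidate trust anchor. Because this file is the root of trust for code signing, matching the certificate armor explicitly would be stricter and easier to audit, for example `preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $cert, $matches);`. The return value of `preg_match_all()` is not checked either, so a PCRE failure would be indistinguishable from a file with no certificates. The docblock could say that an empty array is returned when nothing matches. The enclosing class starts and ends outside this hunk.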
@@ -333,7 +345,11 @@ class Checker {
 		// Check if certificate is signed by Nextcloud Root Authority
 		$x509 = new \phpseclib\File\X509();
 		$rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
-		$x509->loadCA($rootCertificatePublicKey);
+
+		$rootCerts = $this->splitCerts($rootCertificatePublicKey);
+		foreach ($rootCerts as $rootCert) {
+			$x509->loadCA($rootCert);
+		}
 		$x509->loadX509($certificate);
 		if (!$x509->validateSignature()) {
 			throw new InvalidSignatureException('Certificate is not valid.');
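Review bot: The new loop ignores the result of `$x509->loadCA($rootCert)` and never checks that `$rootCerts` is non-empty, so a missing, truncated or malformed `root.crt` surfaces only as 'Certificate is not valid.', which blames the signing certificate rather than the trust store. From the visible lines the check still appears to fail closed, but a root that silently fails to parse is dropped without trace. Consider rejecting the empty case up front with `if ($rootCerts === []) { throw new InvalidSignatureException('No root certificate could be loaded.'); }` and handling `loadCA()` returning `false` inside the loop. The result of `file_get_contents()` is also passed straight to a `string` parameter, so a failed read deserves its own check. The enclosing function begins before this hunk and the `if` block continues past it.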
-- 
GitLab