[#20073] - [POC] Validate extension update manifest signed with a certificated public key
- Closed
- 12 Feb 2020
- Medium
- Build: 3.10-dev
- # 20073
- Diff
- alikon:patch-96
- Success Hound No violations found. Woof! Details
- Failure continuous-integration/drone/pr Build is failing Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
User tests: Successful: Unsuccessful:
Pull Request for Issue #19792 . (it cover only the extension update manifest signature/verification)
Summary of Changes
suppose we can trust joomla as a certification autority
so suppose joomla is able to produce a keypair (ca secret key, ca public key) in a very secure way and deliver the ca public key in the joomla code
an extension developer is able to produce his keypairs (developer secret key, developer public key)
the extension developer ask the joomla CA to sign his developer public key (digital certificate)
the joomla ca hash the developer public key and sign the digest with her secret key and give back to the developer the hashed/signed developer public key
the extension developer embed in his update extension manifest the developer public key , and the joomla ca signed developer public key
the extension developer sign the hash-384 of his update extension manifest with his developer private key lets call this signed digest manifest
the extension developer embed in his update extension manifest the signed digest manifest ,
the update verification process
get the developer public key and the signed digest manifest and the joomla ca signed developer public key from the extension update manifest
check if we can trust the developer public key against the joomla ca public key from the joomla code
remove <signature> from the extension update manifest
calculate the sha-384 of the extension update manifest
verify the manifest digest against the developer public key
Testing Instructions
-
Generate a keypairs for the JOOMLA! Certificate Autority (with this gist https://gist.github.com/alikon/db3356e8bdcc3c23968cec1179870302)
-
Generate a keypairs for the extension developer (with the same gist at point 0.)
-
Change the JOOMLA! Certificate Autority public key to the /site/administrator/components/com_installer/jcapk.xml with the one generated at step 0.
-
Ask to the JOOMLA! Certificate Autority to certificate your extension developer public key generated at step 1. (with this gist https://gist.github.com/alikon/f7e22c5f474637f4c1c815d9c5481a72)
-
Add to your extension update manifest your developer public key and your certificate
-
Generate your signed extension update manifest (with this gist https://gist.github.com/alikon/233d1111cdd2e0d0b1cec18596bbc152)
-
Publish it to your update server
should be something like this (i've used the com_patchtester manifest)
<?xml version="1.0" encoding="utf-8"?>
<updates>
<update>
<name>Patch Tester Component</name>
<description>Joomla! CMS Patch Tester Component</description>
<element>com_patchtester</element>
<type>component</type>
<version>2.0.1</version>
<client>administrator</client>
<infourl title="Patch Tester Component">https://github.com/joomla-extensions/patchtester/releases/tag/2.0.1</infourl>
<downloads>
<downloadurl type="full" format="zip">https://github.com/joomla-extensions/patchtester/releases/download/2.0.1/com_patchtester.zip</downloadurl>
</downloads>
<tags>
<tag>stable</tag>
</tags>
<targetplatform name="joomla" version="3.[56789]" />
</update>
<update>
<name>Patch Tester Component</name>
<description>Joomla! CMS Patch Tester Component</description>
<element>com_patchtester</element>
<type>component</type>
<version>3.0.0-beta4</version>
<client>administrator</client>
<infourl title="Patch Tester Component">http://localhost/test/</infourl>
<downloads>
<downloadurl type="full" format="zip">http://localhost/test/com_patchtester.tar.bz2</downloadurl>
</downloads>
<tags>
<tag>beta</tag>
</tags>
<targetplatform name="joomla" version="3.[789]" />
</update>
<publickey>6c46e9505ba78f9fb113b34dace5c095f69d1f693d5a087272cf6d470e5e15c9</publickey>
<certificate>06cf537b63314038f1a18a928805b40aa5fbe3d01eaf849eb0c5d624be0ef3587909dfb0e1fce12a66ff8c2bbfa769d516f1f1932aae3f515e5fe0f94dc39b00</certificate>
<signature>b003efd584e43d66daeaddd754ccd4c21f2a34270dccfcabcfa3d56f48c3eb822afd29a0981df2c42ff6ac0cf6dcafc1605ba2b9d1bce033f4245d32d137fd00</signature>
</updates>- In Extension->Manage->Update Select the extension update items and check-it clicking on the Verify button
Expected result
the extension update manifest is validated against developer public key wich is certificated by the Joomla CA
Actual result
no extension update manifest verification
Documentation Changes Required
the Joomla CA public key is showed on System->System Information
the extension update manifest verification
Extensions->Manage->Update
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_admin com_installer Language & Strings |
@alikon please take a look into the drone CS errors: http://ci.joomla.org/joomla/joomla-cms/4352/4 ;)
This is a proof of concept, not a production pull request. It doesn't really matter at this moment whether CI is passing.
| Labels |
Added:
?
?
|
||
travis&drone are happy now
i hope that even human people will be more happy now
franz-wohlkoenig
- | Category | Administration com_admin com_installer Language & Strings | ⇒ | Administration com_admin com_installer |
| Title |
|
||||||
| Title |
|
||||||
| Category | Administration com_admin com_installer | ⇒ | Administration com_admin com_installer Language & Strings |
| Labels |
Removed:
J3 Issue
|
||
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-02-12 19:36:27 |
| Closed_By | ⇒ | alikon |
@Quy i will do all the needed cs changes after and if we can get some consensus on the main concept
consider this for now as "workable playground"