From e5fa5c31d531d4bdc14af6a851b22a925834e917 Mon Sep 17 00:00:00 2001 From: Paul Holden Date: Thu, 22 Oct 2020 22:42:08 +0100 Subject: [PATCH] MDL-64723 tool_mobile: workaround for invalid certificate parsing. This is to account for specific server configuration that are affected by one of the following issues, which results in certificate signature algorithms being incorrectly parsed: * https://bugs.php.net/bug.php?id=77548 * https://github.com/curl/curl/issues/3706 --- admin/tool/mobile/classes/api.php | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/admin/tool/mobile/classes/api.php b/admin/tool/mobile/classes/api.php index 9ea41b0a816..45f0d259851 100644 --- a/admin/tool/mobile/classes/api.php +++ b/admin/tool/mobile/classes/api.php @@ -603,8 +603,21 @@ class api { $timenow = time(); $expectedissuer = null; foreach ($info['certinfo'] as $cert) { + + // Due to a bug in certain curl/openssl versions the signature algorithm isn't always correctly parsed. + // See https://github.com/curl/curl/issues/3706 for reference. + if (!array_key_exists('Signature Algorithm', $cert)) { + // The malformed field that does contain the algorithm we're looking for looks like the following: + // Signature Algorithm: . + preg_match('/\s+Signature Algorithm: (?[^\s]+)/', $cert['Public Key Algorithm'], $matches); + + $signaturealgorithm = $matches['algorithm'] ?? ''; + } else { + $signaturealgorithm = $cert['Signature Algorithm']; + } + // Check if the signature algorithm is weak (Android won't work with SHA-1). - if ($cert['Signature Algorithm'] == 'sha1WithRSAEncryption' || $cert['Signature Algorithm'] == 'sha1WithRSA') { + if ($signaturealgorithm == 'sha1WithRSAEncryption' || $signaturealgorithm == 'sha1WithRSA') { $warnings[] = ['insecurealgorithmwarning', 'tool_mobile']; } // Check certificate start date.