Add boolean check for signature
Tides committed Mar 7, 2024
1 parent ff18da2 commit 3805479
Showing 4 changed files with 15 additions and 10 deletions.
2 changes: 1 addition & 1 deletion Obsidian.API/_Interfaces/IServerConfiguration.cs
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ public interface IServerConfiguration
/// <summary>
/// Determines where or not the server should load plugins that don't have a valid signature.
/// </summary>
public bool AllowUntrustedPlugins { get; set; }
public bool AllowUntrustedPlugins { get; set; } = true;

/// <summary>
/// Allows the server to advertise itself as a LAN server to devices on your network.
Expand Down
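Review bot: The new default `= true` on `AllowUntrustedPlugins` makes loading unsigned plugins the out-of-the-box behaviour, and since PackedPluginProvider only enters its verification branch when this flag is false, the signature check becomes opt-in rather than secure by default; `= false` with a documented, explicit opt-out would be the safer shape. Independently, an initializer on an instance auto-property of an interface is rejected by the C# compiler (CS8053, "Instance properties in interfaces cannot have initializers") — if `{ get; set; } = true;` is the added side here (the rendered page loses the +/- marker), the default has to live on the implementing class instead. While here, the summary's `where or not` should read `whether or not`, e.g. `/// Determines whether the server should load plugins that do not carry a valid signature (off by default).`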
1 change: 0 additions & 1 deletion Obsidian/Plugins/PluginManager.cs
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,6 @@ public async Task LoadPluginsAsync()
waitingForDepend.Remove(canLoad);
}


if (pluginContainer.Plugin is null)
waitingForDepend.Add(pluginContainer);
}
Expand Down
20 changes: 13 additions & 7 deletions Obsidian/Plugins/PluginProviders/PackedPluginProvider.cs
Original file line number Diff line number Diff line change
Expand Up @@ -26,13 +26,16 @@ public sealed class PackedPluginProvider(PluginManager pluginManager, ILogger lo
var apiVersion = reader.ReadString();

var hash = reader.ReadBytes(SHA384.HashSizeInBytes);
var signature = reader.ReadBytes(SHA384.HashSizeInBits);
var isSigned = reader.ReadBoolean();

byte[]? signature = isSigned ? reader.ReadBytes(SHA384.HashSizeInBits) : null;

var dataLength = reader.ReadInt32();

var curPos = fs.Position;

//Don't load untrusted plugins
var isSigValid = await this.TryValidatePluginAsync(fs, hash, signature, path);
var isSigValid = await this.TryValidatePluginAsync(fs, hash, path, isSigned, signature);
if (!isSigValid)
return null;

Expand Down Expand Up @@ -113,7 +116,7 @@ internal PluginContainer HandlePlugin(PluginContainer pluginContainer, Assembly
/// Verifies the file hash and tries to validate the signature
/// </summary>
/// <returns></returns>
private async Task<bool> TryValidatePluginAsync(FileStream fs, byte[] hash, byte[] signature, string path)
private async Task<bool> TryValidatePluginAsync(FileStream fs, byte[] hash, string path, bool isSigned, byte[]? signature = null)
{
using (var sha384 = SHA384.Create())
{
Expand All @@ -126,19 +129,22 @@ private async Task<bool> TryValidatePluginAsync(FileStream fs, byte[] hash, byte
}
}

var deformatter = new RSAPKCS1SignatureDeformatter();
deformatter.SetHashAlgorithm("SHA384");

var isSigValid = true;
if (!this.pluginManager.server.Configuration.AllowUntrustedPlugins)
{
if (!isSigned)
return false;

var deformatter = new RSAPKCS1SignatureDeformatter();
deformatter.SetHashAlgorithm("SHA384");

using var rsa = RSA.Create();
foreach (var rsaParameter in this.pluginManager.AcceptedKeys)
{
rsa.ImportParameters(rsaParameter);
deformatter.SetKey(rsa);

isSigValid = deformatter.VerifySignature(hash, signature);
isSigValid = deformatter.VerifySignature(hash, signature!);

if (isSigValid)
break;
Expand Down
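Review bot: In the `!AllowUntrustedPlugins` branch the verification is fail-open: `isSigValid` is initialised to `true` before the branch, and if `AcceptedKeys` is empty the `foreach` never runs, so a plugin that merely sets the `isSigned` byte (attacker-controlled, it is read from the plugin file itself) passes without any signature ever being checked. Reset the flag inside the branch before the loop, `isSigValid = false; // fail closed: a signed plugin with no matching accepted key is untrusted`, so only a successful `VerifySignature` can turn it true. A smaller point: when untrusted plugins are allowed, a file that claims `isSigned` but carries a bad signature is loaded with `isSigValid` still `true` and nothing logged; verifying (or at least warning) whenever `isSigned` is set would surface tampering to operators. Also note that `VerifySignature(hash, signature!)` checks the signature over `hash` as read from the header rather than over the freshly computed digest, which is only sound if the comparison in the collapsed lines above rejects mismatches — a one-line comment stating that dependency would help the next reader. `TryValidatePluginAsync` starts in the previous hunk and its return lies below the last visible line.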
2 changes: 1 addition & 1 deletion SamplePlugin/SamplePlugin.csproj
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0">
<ExcludeAssets>runtime</ExcludeAssets>
</PackageReference>
<PackageReference Include="Obsidian.MSBuild" Version="1.0.0-nightly-14" />
<PackageReference Include="Obsidian.MSBuild" Version="1.0.3-nightly.g4737df362d" />
</ItemGroup>

<ItemGroup>
Expand Down
