Plugin Update: verify public key if the plugin already install

Change-Id: Ia3b3ec41994117af228a1ef595208fee165b0d3b

Plugin Update: verify public key if the plugin already install
df918256 · Xavier Jouslin de Noray · Sébastien Blin · dea87f57 · df918256 · df918256
Commit df918256 authored 1 year ago by Xavier Jouslin de Noray Committed by Sébastien Blin 1 year ago
--- a/src/plugin/jamipluginmanager.cpp
+++ b/src/plugin/jamipluginmanager.cpp
@@ -126,6 +126,30 @@ JamiPluginManager::getInstalledPlugins()
    return pluginsPaths;
 }

+bool
+JamiPluginManager::checkPluginCertificatePublicKey(const std::string& oldJplPath, const std::string& newJplPath)
+{
+    std::map<std::string, std::string> oldDetails = PluginUtils::parseManifestFile(PluginUtils::manifestPath(oldJplPath), oldJplPath);
+    if (
+        oldDetails.empty() ||
+        !std::filesystem::is_regular_file(oldJplPath + DIR_SEPARATOR_CH + oldDetails["id"] + ".crt") ||
+        !std::filesystem::is_regular_file(newJplPath)
+    )
+        return false;
+    try {
+        auto oldCert = PluginUtils::readPluginCertificate(oldJplPath, oldDetails["id"]);
+        auto newCert = PluginUtils::readPluginCertificateFromArchive(newJplPath);
+        if (!oldCert || !newCert) {
+            return false;
+        }
+        return oldCert->getPublicKey() == newCert->getPublicKey();
+    } catch (const std::exception& e) {
+        JAMI_ERR() << e.what();
+        return false;
+    }
+    return true;
+}
+
 bool
 JamiPluginManager::checkPluginCertificateValidity(dht::crypto::Certificate* cert)
 {
@@ -256,6 +280,8 @@ JamiPluginManager::installPlugin(const std::string& jplPath, bool force)
                } else {
                    std::string installedVersion = alreadyInstalledManifestMap.at("version");
                    if (version > installedVersion) {
+                        if(!checkPluginCertificatePublicKey(destinationDir, jplPath))
+                            return CERTIFICATE_VERIFICATION_FAILED;
                        r = uninstallPlugin(destinationDir);
                        if (r == SUCCESS) {
                            archiver::uncompressArchive(jplPath,

--- a/src/plugin/jamipluginmanager.h
+++ b/src/plugin/jamipluginmanager.h
@@ -79,6 +79,13 @@ public:
    */
    bool checkPluginCertificateValidity(dht::crypto::Certificate* cert);

+    /**
+     * @brief check if the if the public key of the certificate is the same as the public key in the new plugin
+     * @param oldJplPath, newJplPath
+     * return true if valid
+    */
+    bool checkPluginCertificatePublicKey(const std::string& oldJplPath, const std::string& newJplPath);
+
    /**
     * @brief check if all file are present in the signature file
     * @param jplPath