client loader: add new jagex certificate

runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java

@@ -259,7 +259,10 @@ public class ClientLoader implements Supplier<Applet>
 
 	private void updateVanilla(RSConfig config) throws IOException, VerificationException
 	{
-		Certificate[] jagexCertificateChain = getJagexCertificateChain();
+		Certificate[][] jagexCertificateChains = {
+			loadCertificateChain("jagex.crt"),
+			loadCertificateChain("jagex2021.crt")
+		};
 
 		// Get the mtime of the first thing in the vanilla cache
 		// we check this against what the server gives us to let us skip downloading and patching the whole thing
@@ -276,7 +279,7 @@ public class ClientLoader implements Supplier<Applet>
 				JarEntry je = vanillaCacheTest.getNextJarEntry();
 				if (je != null)
 				{
-					verifyJarEntry(je, jagexCertificateChain);
+					verifyJarEntry(je, jagexCertificateChains);
 					vanillaCacheMTime = je.getLastModifiedTime().toMillis();
 				}
 				else
@@ -355,7 +358,7 @@ public class ClientLoader implements Supplier<Applet>
 						}
 
 						networkJIS.skip(Long.MAX_VALUE);
-						verifyJarEntry(je, jagexCertificateChain);
+						verifyJarEntry(je, jagexCertificateChains);
 						long vanillaClientMTime = je.getLastModifiedTime().toMillis();
 						if (!vanillaCacheIsInvalid && vanillaClientMTime != vanillaCacheMTime)
 						{
@@ -372,7 +375,7 @@ public class ClientLoader implements Supplier<Applet>
 						{
 							// as with the request stream, its important to not early close vanilla too
 							JarInputStream vanillaCacheTest = new JarInputStream(Channels.newInputStream(vanilla));
-							verifyWholeJar(vanillaCacheTest, jagexCertificateChain);
+							verifyWholeJar(vanillaCacheTest, jagexCertificateChains);
 						}
 						catch (Exception e)
 						{
@@ -388,7 +391,7 @@ public class ClientLoader implements Supplier<Applet>
 						OutputStream out = Channels.newOutputStream(vanilla);
 						out.write(preRead.toByteArray());
 						copyStream.setOut(out);
-						verifyWholeJar(networkJIS, jagexCertificateChain);
+						verifyWholeJar(networkJIS, jagexCertificateChains);
 						copyStream.skip(Long.MAX_VALUE); // write the trailer to the file too
 						out.flush();
 						vanilla.truncate(vanilla.position());
@@ -557,9 +560,9 @@ public class ClientLoader implements Supplier<Applet>
 		return rs;
 	}
 
-	private static Certificate[] getJagexCertificateChain()
+	private static Certificate[] loadCertificateChain(String name)
 	{
-		try (InputStream in = ClientLoader.class.getResourceAsStream("jagex.crt"))
+		try (InputStream in = ClientLoader.class.getResourceAsStream(name))
 		{
 			CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
 			Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in);
@@ -571,28 +574,33 @@ public class ClientLoader implements Supplier<Applet>
 		}
 	}
 
-	private void verifyJarEntry(JarEntry je, Certificate[] certs) throws VerificationException
+	private void verifyJarEntry(JarEntry je, Certificate[][] chains) throws VerificationException
 	{
-		switch (je.getName())
+		if (je.getName().equals("META-INF/JAGEXLTD.SF") || je.getName().equals("META-INF/JAGEXLTD.RSA"))
 		{
-			case "META-INF/JAGEXLTD.SF":
-			case "META-INF/JAGEXLTD.RSA":
-				// You can't sign the signing files
-				return;
-			default:
-				if (!Arrays.equals(je.getCertificates(), certs))
-				{
-					throw new VerificationException("Unable to verify jar entry: " + je.getName());
-				}
+			// You can't sign the signing files
+			return;
 		}
+
+		// Jar entry must match one of the trusted certificate chains
+		Certificate[] entryCertificates = je.getCertificates();
+		for (Certificate[] chain : chains)
+		{
+			if (Arrays.equals(entryCertificates, chain))
+			{
+				return;
+			}
+		}
+
+		throw new VerificationException("Unable to verify jar entry: " + je.getName());
 	}
 
-	private void verifyWholeJar(JarInputStream jis, Certificate[] certs) throws IOException, VerificationException
+	private void verifyWholeJar(JarInputStream jis, Certificate[][] chains) throws IOException, VerificationException
 	{
 		for (JarEntry je; (je = jis.getNextJarEntry()) != null; )
 		{
 			jis.skip(Long.MAX_VALUE);
-			verifyJarEntry(je, certs);
+			verifyJarEntry(je, chains);
 		}
 	}
 }

runelite-client/src/main/resources/net/runelite/client/rs/jagex2021.crt

@@ -0,0 +1,83 @@
+-----BEGIN CERTIFICATE-----
+MIIFXjCCBEagAwIBAgIQe8nov0sYXAw/4Qpi35irpzANBgkqhkiG9w0BAQsFADBM
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSYwJAYDVQQDEx10
+aGF3dGUgU0hBMjU2IENvZGUgU2lnbmluZyBDQTAeFw0yMTEwMjEwMDAwMDBaFw0y
+MjEwMTkyMzU5NTlaMEkxCzAJBgNVBAYTAkdCMRIwEAYDVQQHEwlDYW1icmlkZ2Ux
+EjAQBgNVBAoTCUphZ2V4IEx0ZDESMBAGA1UEAxMJSmFnZXggTHRkMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArDT2DqhgDbCSihEH67vHsOokbTmLeuco
+z8ApWGKgyZGdO73l0YmXzco/N681xCP8SFr1chfwc9H+mS9QB/3Tp51wqLjb7U9A
+IYmQVcnJNw3glZrRzBlZJCKSbcMFUQ++0+WLzKZKY/ZW8xGsu6GsUdxLadOt90pr
+Ak4SrgM02PU0RfmqyEs037ezuzyR0dMYOdTHM01l1h8M2GFD9IWrqwazDcdBUpKX
+KSW1nFOmSaF7TtQTq6dIHBlXE5Y2Zob/XYCYotP/3yI3XL3QEWsjF/wkTRJr5WCC
+MGgWRezNf5WaE+S431+cs70FEufD32iKsOjHhbddX9qFfHXgLaAfoozNiLCCRdS4
+gaRMD6USF6T0MbWKpe43KtBukYXHZ37bW9etwEDTo23J0TBiFPHZPpKhaEo7BcZU
+eS1vTH41Bf0Siv3RkP/r5b+mkLgiqINUr+GVrcGnbpDHsvCs5UBX9kLm4EIDwB5m
+PlgJV85Ou5cFYvxZZyRW1IrKHXsKIWsheRTFBnij6sJr/PKZcTWBEeSxXpk6nGnE
+mNRrNV+GEVwHBltC2ReCYcu2khXVcPF9qnfCfzEkHRUNFm8QkKwbLpeyqG4923Pa
++YcPK0wEJHm5t3Mv+1u8kL6SOWm37h5Z9HRLsd7N4JFXHglqVgy3BPm77oKG6XXj
+WrSquVvZG1ECAwEAAaOCAT0wggE5MB0GA1UdDgQWBBQUS46z2oXY4BEoFq6JU6kM
+wCHD6DAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0T
+AQH/BAIwADA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw
+Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDov
+L3RsLnN5bWNiLmNvbS90bC5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzAB
+hhNodHRwOi8vdGwuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vdGwuc3lt
+Y2IuY29tL3RsLmNydDAfBgNVHSMEGDAWgBRXhptUuL6mKYrk9sLiExiJhc3ctzAN
+BgkqhkiG9w0BAQsFAAOCAQEAlAYVi6THkvr28AN8ExBmTYJKkZV5bDEhc55V2Ncf
+a0J/v4pzFEnZoPKQBoRcxIZtY/c1Pr7NorGt3bkmBA8tc4Ni59US9OeGE9D9XYw3
+WTOD0Cl40u+bV5dTim2fU2iQy18CtZzJsn+oXa4KHcCPl4+zZ4OLX2kPyxcSBce4
+9vzXbBg0CMj1bh3HVrB93r3pLFCJtYJutPKeZjQfapst6mQddGqIY4ghmOEhH/Sf
+qEno2Q0WYd4KHuynGfjdcmcNkntdkBvzQ5yaL55zjpQIXhg0dnaQxF+NuBwX6mXz
+R0sshmSJfKy9hr0IYCO422uSwB1cDZ3IZnk/nR9JpVRPRQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEmTCCA4GgAwIBAgIQcaC3NpXdsa/COyuaGO5UyzANBgkqhkiG9w0BAQsFADCB
+qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
+Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
+MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
+BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTMxMjEwMDAwMDAwWhcNMjMx
+MjA5MjM1OTU5WjBMMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMu
+MSYwJAYDVQQDEx10aGF3dGUgU0hBMjU2IENvZGUgU2lnbmluZyBDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtVAkwXBenQZsP8KK3TwP7v4Ol+1B72
+qhuRRv31Fu2YB1P6uocbfZ4fASerudJnyrcQJVP0476bkLjtI1xC72QlWOWIIhq+
+9ceu9b6KsRERkxoiqXRpwXS2aIengzD5ZPGx4zg+9NbB/BL+c1cXNVeK3VCNA/hm
+zcp2gxPI1w5xHeRjyboX+NG55IjSLCjIISANQbcL4i/CgOaIe1Nsw0RjgX9oR4wr
+Ks9b9IxJYbpphf1rAHgFJmkTMIA4TvFaVcnFUNaqOIlHQ1z+TXOlScWTaf53lpqv
+84wOV7oz2Q7GQtMDd8S7Oa2R+fP3llw6ZKbtJ1fB6EDzU/K+KTT+X/kCAwEAAaOC
+ARcwggETMC8GCCsGAQUFBwEBBCMwITAfBggrBgEFBQcwAYYTaHR0cDovL3QyLnN5
+bWNiLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOGIWh0
+dHA6Ly90MS5zeW1jYi5jb20vVGhhd3RlUENBLmNybDAdBgNVHSUEFjAUBggrBgEF
+BQcDAgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgEGMCkGA1UdEQQiMCCkHjAcMRow
+GAYDVQQDExFTeW1hbnRlY1BLSS0xLTU2ODAdBgNVHQ4EFgQUV4abVLi+pimK5PbC
+4hMYiYXN3LcwHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJKoZI
+hvcNAQELBQADggEBACQ79degNhPHQ/7wCYdo0ZgxbhLkPx4flntrTB6HnovFbKOx
+DHtQktWBnLGPLCm37vmRBbmOQfEs9tBZLZjgueqAAUdAlbg9nQO9ebs1tq2cTCf2
+Z0UQycW8h05Ve9KHu93cMO/G1GzMmTVtHOBg081ojylZS4mWCEbJjvx1T8XcCcxO
+J4tEzQe8rATgtTOlh5/03XMMkeoSgW/jdfAetZNsRBfVPpfJvQcsVncfhd1G6L/e
+LIGUo/flt6fBN591ylV3TV42KcqF2EVBcld1wHlb+jQQBm1kIEK3OsgfHUZkAl/G
+R77wxDooVNr2Hk+aohlDpG9J+PxeQiAohItHIG4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
+qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
+Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
+MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
+BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
+NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
+LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
+A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
+IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
+W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
+3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
+6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
+Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
+NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
+r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
+DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
+YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
+xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
+/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
+LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
+jVaMaA==
+-----END CERTIFICATE-----