diff --git a/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java b/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java index 51f987e1fb..108cd7db02 100644 --- a/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java +++ b/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java @@ -259,7 +259,10 @@ public class ClientLoader implements Supplier private void updateVanilla(RSConfig config) throws IOException, VerificationException { - Certificate[] jagexCertificateChain = getJagexCertificateChain(); + Certificate[][] jagexCertificateChains = { + loadCertificateChain("jagex.crt"), + loadCertificateChain("jagex2021.crt") + }; // Get the mtime of the first thing in the vanilla cache // we check this against what the server gives us to let us skip downloading and patching the whole thing @@ -276,7 +279,7 @@ public class ClientLoader implements Supplier JarEntry je = vanillaCacheTest.getNextJarEntry(); if (je != null) { - verifyJarEntry(je, jagexCertificateChain); + verifyJarEntry(je, jagexCertificateChains); vanillaCacheMTime = je.getLastModifiedTime().toMillis(); } else @@ -355,7 +358,7 @@ public class ClientLoader implements Supplier } networkJIS.skip(Long.MAX_VALUE); - verifyJarEntry(je, jagexCertificateChain); + verifyJarEntry(je, jagexCertificateChains); long vanillaClientMTime = je.getLastModifiedTime().toMillis(); if (!vanillaCacheIsInvalid && vanillaClientMTime != vanillaCacheMTime) { @@ -372,7 +375,7 @@ public class ClientLoader implements Supplier { // as with the request stream, its important to not early close vanilla too JarInputStream vanillaCacheTest = new JarInputStream(Channels.newInputStream(vanilla)); - verifyWholeJar(vanillaCacheTest, jagexCertificateChain); + verifyWholeJar(vanillaCacheTest, jagexCertificateChains); } catch (Exception e) { @@ -388,7 +391,7 @@ public class ClientLoader implements Supplier OutputStream out = Channels.newOutputStream(vanilla); out.write(preRead.toByteArray()); copyStream.setOut(out); - verifyWholeJar(networkJIS, jagexCertificateChain); + verifyWholeJar(networkJIS, jagexCertificateChains); copyStream.skip(Long.MAX_VALUE); // write the trailer to the file too out.flush(); vanilla.truncate(vanilla.position()); @@ -557,9 +560,9 @@ public class ClientLoader implements Supplier return rs; } - private static Certificate[] getJagexCertificateChain() + private static Certificate[] loadCertificateChain(String name) { - try (InputStream in = ClientLoader.class.getResourceAsStream("jagex.crt")) + try (InputStream in = ClientLoader.class.getResourceAsStream(name)) { CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); Collection certificates = certificateFactory.generateCertificates(in); @@ -571,28 +574,33 @@ public class ClientLoader implements Supplier } } - private void verifyJarEntry(JarEntry je, Certificate[] certs) throws VerificationException + private void verifyJarEntry(JarEntry je, Certificate[][] chains) throws VerificationException { - switch (je.getName()) + if (je.getName().equals("META-INF/JAGEXLTD.SF") || je.getName().equals("META-INF/JAGEXLTD.RSA")) { - case "META-INF/JAGEXLTD.SF": - case "META-INF/JAGEXLTD.RSA": - // You can't sign the signing files - return; - default: - if (!Arrays.equals(je.getCertificates(), certs)) - { - throw new VerificationException("Unable to verify jar entry: " + je.getName()); - } + // You can't sign the signing files + return; } + + // Jar entry must match one of the trusted certificate chains + Certificate[] entryCertificates = je.getCertificates(); + for (Certificate[] chain : chains) + { + if (Arrays.equals(entryCertificates, chain)) + { + return; + } + } + + throw new VerificationException("Unable to verify jar entry: " + je.getName()); } - private void verifyWholeJar(JarInputStream jis, Certificate[] certs) throws IOException, VerificationException + private void verifyWholeJar(JarInputStream jis, Certificate[][] chains) throws IOException, VerificationException { for (JarEntry je; (je = jis.getNextJarEntry()) != null; ) { jis.skip(Long.MAX_VALUE); - verifyJarEntry(je, certs); + verifyJarEntry(je, chains); } } } diff --git a/runelite-client/src/main/resources/net/runelite/client/rs/jagex2021.crt b/runelite-client/src/main/resources/net/runelite/client/rs/jagex2021.crt new file mode 100644 index 0000000000..39a381c29e --- /dev/null +++ b/runelite-client/src/main/resources/net/runelite/client/rs/jagex2021.crt @@ -0,0 +1,83 @@ +-----BEGIN CERTIFICATE----- +MIIFXjCCBEagAwIBAgIQe8nov0sYXAw/4Qpi35irpzANBgkqhkiG9w0BAQsFADBM +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSYwJAYDVQQDEx10 +aGF3dGUgU0hBMjU2IENvZGUgU2lnbmluZyBDQTAeFw0yMTEwMjEwMDAwMDBaFw0y +MjEwMTkyMzU5NTlaMEkxCzAJBgNVBAYTAkdCMRIwEAYDVQQHEwlDYW1icmlkZ2Ux +EjAQBgNVBAoTCUphZ2V4IEx0ZDESMBAGA1UEAxMJSmFnZXggTHRkMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArDT2DqhgDbCSihEH67vHsOokbTmLeuco +z8ApWGKgyZGdO73l0YmXzco/N681xCP8SFr1chfwc9H+mS9QB/3Tp51wqLjb7U9A +IYmQVcnJNw3glZrRzBlZJCKSbcMFUQ++0+WLzKZKY/ZW8xGsu6GsUdxLadOt90pr +Ak4SrgM02PU0RfmqyEs037ezuzyR0dMYOdTHM01l1h8M2GFD9IWrqwazDcdBUpKX +KSW1nFOmSaF7TtQTq6dIHBlXE5Y2Zob/XYCYotP/3yI3XL3QEWsjF/wkTRJr5WCC +MGgWRezNf5WaE+S431+cs70FEufD32iKsOjHhbddX9qFfHXgLaAfoozNiLCCRdS4 +gaRMD6USF6T0MbWKpe43KtBukYXHZ37bW9etwEDTo23J0TBiFPHZPpKhaEo7BcZU +eS1vTH41Bf0Siv3RkP/r5b+mkLgiqINUr+GVrcGnbpDHsvCs5UBX9kLm4EIDwB5m +PlgJV85Ou5cFYvxZZyRW1IrKHXsKIWsheRTFBnij6sJr/PKZcTWBEeSxXpk6nGnE +mNRrNV+GEVwHBltC2ReCYcu2khXVcPF9qnfCfzEkHRUNFm8QkKwbLpeyqG4923Pa ++YcPK0wEJHm5t3Mv+1u8kL6SOWm37h5Z9HRLsd7N4JFXHglqVgy3BPm77oKG6XXj +WrSquVvZG1ECAwEAAaOCAT0wggE5MB0GA1UdDgQWBBQUS46z2oXY4BEoFq6JU6kM +wCHD6DAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0T +AQH/BAIwADA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw +Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDov +L3RsLnN5bWNiLmNvbS90bC5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzAB +hhNodHRwOi8vdGwuc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vdGwuc3lt +Y2IuY29tL3RsLmNydDAfBgNVHSMEGDAWgBRXhptUuL6mKYrk9sLiExiJhc3ctzAN +BgkqhkiG9w0BAQsFAAOCAQEAlAYVi6THkvr28AN8ExBmTYJKkZV5bDEhc55V2Ncf +a0J/v4pzFEnZoPKQBoRcxIZtY/c1Pr7NorGt3bkmBA8tc4Ni59US9OeGE9D9XYw3 +WTOD0Cl40u+bV5dTim2fU2iQy18CtZzJsn+oXa4KHcCPl4+zZ4OLX2kPyxcSBce4 +9vzXbBg0CMj1bh3HVrB93r3pLFCJtYJutPKeZjQfapst6mQddGqIY4ghmOEhH/Sf +qEno2Q0WYd4KHuynGfjdcmcNkntdkBvzQ5yaL55zjpQIXhg0dnaQxF+NuBwX6mXz +R0sshmSJfKy9hr0IYCO422uSwB1cDZ3IZnk/nR9JpVRPRQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIQcaC3NpXdsa/COyuaGO5UyzANBgkqhkiG9w0BAQsFADCB +qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf +Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw +MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV +BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTMxMjEwMDAwMDAwWhcNMjMx +MjA5MjM1OTU5WjBMMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMu +MSYwJAYDVQQDEx10aGF3dGUgU0hBMjU2IENvZGUgU2lnbmluZyBDQTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtVAkwXBenQZsP8KK3TwP7v4Ol+1B72 +qhuRRv31Fu2YB1P6uocbfZ4fASerudJnyrcQJVP0476bkLjtI1xC72QlWOWIIhq+ +9ceu9b6KsRERkxoiqXRpwXS2aIengzD5ZPGx4zg+9NbB/BL+c1cXNVeK3VCNA/hm +zcp2gxPI1w5xHeRjyboX+NG55IjSLCjIISANQbcL4i/CgOaIe1Nsw0RjgX9oR4wr +Ks9b9IxJYbpphf1rAHgFJmkTMIA4TvFaVcnFUNaqOIlHQ1z+TXOlScWTaf53lpqv +84wOV7oz2Q7GQtMDd8S7Oa2R+fP3llw6ZKbtJ1fB6EDzU/K+KTT+X/kCAwEAAaOC +ARcwggETMC8GCCsGAQUFBwEBBCMwITAfBggrBgEFBQcwAYYTaHR0cDovL3QyLnN5 +bWNiLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMDIGA1UdHwQrMCkwJ6AloCOGIWh0 +dHA6Ly90MS5zeW1jYi5jb20vVGhhd3RlUENBLmNybDAdBgNVHSUEFjAUBggrBgEF +BQcDAgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgEGMCkGA1UdEQQiMCCkHjAcMRow +GAYDVQQDExFTeW1hbnRlY1BLSS0xLTU2ODAdBgNVHQ4EFgQUV4abVLi+pimK5PbC +4hMYiYXN3LcwHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJKoZI +hvcNAQELBQADggEBACQ79degNhPHQ/7wCYdo0ZgxbhLkPx4flntrTB6HnovFbKOx +DHtQktWBnLGPLCm37vmRBbmOQfEs9tBZLZjgueqAAUdAlbg9nQO9ebs1tq2cTCf2 +Z0UQycW8h05Ve9KHu93cMO/G1GzMmTVtHOBg081ojylZS4mWCEbJjvx1T8XcCcxO +J4tEzQe8rATgtTOlh5/03XMMkeoSgW/jdfAetZNsRBfVPpfJvQcsVncfhd1G6L/e +LIGUo/flt6fBN591ylV3TV42KcqF2EVBcld1wHlb+jQQBm1kIEK3OsgfHUZkAl/G +R77wxDooVNr2Hk+aohlDpG9J+PxeQiAohItHIG4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB +qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf +Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw +MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV +BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw +NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j +LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG +A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl +IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs +W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta +3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk +6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6 +Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J +NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA +MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP +r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU +DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz +YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX +xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2 +/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/ +LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7 +jVaMaA== +-----END CERTIFICATE----- \ No newline at end of file